
Guide to the Exchange Online Best Practices Checklist

Alex Fields, ITProMentor.com


Updated: January 2023

This resource corresponds to the Exchange Online Best Practices Checklist and is intended to
be used as a baseline for provisioning new Microsoft 365 tenants according to best practices.

Disclaimers

The instructions described in this book have been prepared with the utmost care. Each IT
environment has its own needs and works with its individual settings and software
configurations. No liability can be accepted for any errors or data loss during the execution of
the described procedures, scripts, and commands. Please evaluate PowerShell scripts and
cmdlets before making any changes in a production environment.

Due to the nature of a modern cloud service, the screenshots depicted herein might be different
from the layout and information displayed when you access the service.

About the Author

Alex Fields
Having grown up in a family-owned small business, Alex started
adopting Microsoft technology to enhance business operations at
a young age. In his spare time after school, he gained experience
with Windows Server, Exchange Server, and the migration to Small
Business Server. After completing college (including a small detour to obtain a Master’s degree),
he returned to IT with a local Managed Services Provider, where he gained experience with more
modern Microsoft cloud solutions over the better part of a decade.

Today, Alex works independently helping Managed Services Providers and other IT Consultants
to adopt modern technologies and build Managed Services Practices on top of Microsoft cloud
services including Microsoft 365 and Azure. Alex currently lives in the Missouri Ozarks (USA). He
loves to write about technology topics, and shares his ideas, experiences, best practices, and
lessons learned with the community.

E-Mail Alex@itpromentor.com
LinkedIn https://www.linkedin.com/in/alexanderfields/
Twitter https://twitter.com/vanvfields
Blog https://www.itpromentor.com/

© Copyright 2019-2023, ITProMentor.com, LLC ITPROMENTOR.COM 1


Scripts to assist with configuration

I describe the PowerShell commands required to change certain settings in this guide. I also
have some of these documented in my GitHub repository of scripts for Exchange Online.

• Install-EXOStandardProtection.ps1: Resets EOP & MDO policies to match the
recommended settings for Standard Protection.
• Advanced-TenantConfig.ps1: Run this after Install-EXOStandardProtection.ps1 to
further customize the tenant, including items contained in the individual scripts:
• Block-ConsumerStorageOWA.ps1: This prevents end users from using external storage
locations with Outlook on the Web.
• Block-UnmanagedDownload.ps1: Configures the Conditional Access policy option to
block attachment downloads over the web. Note you must also configure a CA policy in
Azure AD to complete this setup.
• Configure-Auditing.ps1: Enables the Unified audit log and sets the audit log age limit.
• Disable-SharedMbxSignOn.ps1: Finds and disables sign-in for all shared mailboxes.
• Set-DeletedItemsRetention.ps1: Configures mailboxes to have the maximum deleted
items retention period (30 days).
• Setup-DKIM.ps1: This script helps with configuring DKIM; use:
.\Setup-DKIM.ps1 -Domain "yourdomainhere.com"



Table of Contents
Guide to the Exchange Online Best Practices Checklist ........................................................................ 1
Items of Critical Importance ...................................................................................................................... 4
☐ Enable the Unified Audit Log ........................................................................................................... 4
☐ Configure Alert policies ..................................................................................................................... 4
☐ Block legacy (basic) authentication ................................................................................................. 6
☐ Block sign-in for all shared mailboxes ................................................................................................. 7
Items of Recommended Importance ....................................................................................................... 9
☐ Implement the Preset security policies .............................................................................................. 9
☐ Configure outbound spam policy including block auto forward ...................................................... 11
☐ Configure Email Authentication ........................................................................................................ 11
☐ Deploy the Report Phishing add-in ................................................................................................... 16
☐ Modify the default Retain deleted items value ................................................................................ 17
☐ Migrate to Microsoft 365 Groups ...................................................................................................... 17
Items of Optional Importance................................................................................................................. 18
☐ Disable consumer storage locations ................................................................................................. 18
☐ Configure audit log retention ............................................................................................................ 18
☐ Email encryption branding ................................................................................................................ 19
☐ Customize other settings for Email encryption ................................................................................ 19
☐ Conditional access (Block attachment download) option ............................................................... 20
☐ Enable auto-expanding archive ........................................................................................................ 20
☐ Enable the Personal Archive mailbox ............................................................................................... 20
☐ Enable Litigation hold........................................................................................................................ 21
Conclusion .................................................................................................................................................. 23



Items of Critical Importance
☐ Enable the Unified Audit Log
From the Security center or Compliance center, navigate to Audit in the left nav and click Start
recording user and admin activity. Audit data is kept for 90 days by default (you can extend
this timeframe, but it requires additional licensing or an E5 plan).

Note that it can take several hours before the data is available for searching and for alert
policies to take effect. You can also achieve this by connecting to Exchange Online with
PowerShell and running:

Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

☐ Configure Alert policies


Alert Policies will generate email notifications when certain types of high-risk events happen in
Office 365. From the Security center under Email & collaboration choose Policies & rules >
Alert policy. From here, you should see at least a few basic policies which are created by
default:



Edit the default policies and change the recipients to people who will actually see the alerts and
be able to act on them. For example, if you are a service provider, the alerts may be sent to your
ticketing system.

Note: If you have Microsoft Defender for Office 365 plans, then this
screen will include many more default (a.k.a. System) alerts. Refer here
for more detail on the default policies included with each subscription.



When an alert is triggered, you can expect an email notification like the one pictured below.

The person monitoring this alert feed will need to investigate each alert and find out whether it
was an expected activity, or if it was illegitimate, and whether it indicates a breach or insider risk
event.

Consider configuring additional alert policies for monitoring important Azure AD activities, such
as changes to Conditional Access policies and application consent requests. See this script to
install several such policies that I recommend.

☐ Block legacy (basic) authentication


Modern authentication is to be distinguished from legacy (or basic) authentication. Compare
prompts for legacy (left) and modern (right) below on Windows client devices:



With Modern authentication clients, credentials are never stored on the device like they are with
legacy clients (no option to “Remember my credentials”) and whenever something about the
connection or state changes, the client is required to reauthenticate. This makes it less
vulnerable to credential capture and replay attacks that target client devices.

Note: Legacy authentication for Exchange Online is now disabled by
default on all services except for SMTP. It is recommended to disable
even this service for the vast majority of deployments unless you have
a very specific requirement to keep it.

If you applied my Best Practices for Azure AD, then you should already have a Conditional
Access policy in place that will Block legacy authentication for all cloud apps, including SMTP.
Another option to disable SMTP auth globally is to run this command in Exchange Online
PowerShell:

Set-TransportConfig -SmtpClientAuthenticationDisabled $true

See this article for more details on enabling or disabling SMTP auth per mailbox: Enable or
disable SMTP AUTH in Exchange Online.
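As an added example (not from the guide or its GitHub repository), the following audit shows the caveat behind the per-mailbox setting: a mailbox whose own SmtpClientAuthenticationDisabled value is explicitly $false keeps SMTP AUTH even after the tenant-wide command above, because the mailbox value overrides the organization value. It assumes an Exchange Online PowerShell session (Connect-ExchangeOnline) and the Get-EXOCASMailbox and Set-CASMailbox cmdlets.

```powershell
# Added example, not the guide's code. Assumes Connect-ExchangeOnline has been run.
function Get-SmtpAuthStatus {
    # Tenant-wide switch set by Set-TransportConfig -SmtpClientAuthenticationDisabled
    $tenantDisabled = (Get-TransportConfig).SmtpClientAuthenticationDisabled

    # Per-mailbox values: $true = disabled, $null = inherit the tenant setting,
    # $false = SMTP AUTH stays enabled for this mailbox even when the tenant disables it
    $forcedOn = Get-EXOCASMailbox -ResultSize Unlimited -Properties PrimarySmtpAddress,SmtpClientAuthenticationDisabled |
        Where-Object { $_.SmtpClientAuthenticationDisabled -eq $false }

    [pscustomobject]@{
        TenantSmtpAuthDisabled  = [bool]$tenantDisabled
        MailboxesWithSmtpAuthOn = @($forcedOn | ForEach-Object { $_.PrimarySmtpAddress.ToString() })
    }
}

$status = Get-SmtpAuthStatus
$status | Format-List

# After confirming none of the listed mailboxes has a real SMTP AUTH requirement (a scanner
# or line-of-business app), clear the override so each one inherits the tenant setting again:
# foreach ($address in $status.MailboxesWithSmtpAuthOn) {
#     Set-CASMailbox -Identity $address -SmtpClientAuthenticationDisabled $null
# }
```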

☐ Block sign-in for all shared mailboxes


Shared mailboxes (including Resource mailboxes) should not require interactive login, and
where they exist, hardly anyone protects these accounts appropriately. Rather, users who are
delegated permission should access and interact with the contents of the shared mailbox from
their own account (not by signing in with shared credentials).



Therefore, you should be blocking sign-in for these accounts. Note that accounts which are
synced from on-premises Active Directory would need to be disabled on-premises. In the
Microsoft 365 admin center, select one or multiple accounts and Edit the sign-in status from
the ellipses.

I have a script called Disable-SharedMbxSignOn.ps1 in my GitHub repository which will find
and disable sign-in for all the shared mailboxes simultaneously. However, note that this requires
the accounts to be labeled accurately as shared or resource mailboxes. It is best to audit your
accounts to be positive that any “non-real-person” sign-ins are disabled.
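The audit described here, as an added example that is not the guide's Disable-SharedMbxSignOn.ps1: it lists every shared, room and equipment mailbox whose Azure AD account can still sign in, and a separate step blocks those accounts while skipping ones synced from on-premises AD (which, as noted above, must be disabled on-premises). It assumes Connect-ExchangeOnline and Connect-MgGraph -Scopes User.ReadWrite.All have already been run.

```powershell
# Added example, not the guide's script. Assumes Exchange Online and Microsoft Graph sessions.
function Get-SharedMailboxSignInStatus {
    $types = 'SharedMailbox', 'RoomMailbox', 'EquipmentMailbox'
    Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails $types -Properties ExternalDirectoryObjectId |
        ForEach-Object {
            $mbx  = $_
            # The mailbox's ExternalDirectoryObjectId is the Azure AD user object id
            $user = Get-MgUser -UserId $mbx.ExternalDirectoryObjectId -Property Id,AccountEnabled,OnPremisesSyncEnabled
            [pscustomobject]@{
                Mailbox          = $mbx.PrimarySmtpAddress
                Type             = $mbx.RecipientTypeDetails
                SignInEnabled    = [bool]$user.AccountEnabled
                SyncedFromOnPrem = [bool]$user.OnPremisesSyncEnabled
                ObjectId         = $user.Id
            }
        }
}

function Block-SharedMailboxSignIn {
    param([Parameter(ValueFromPipeline)][pscustomobject]$Finding)
    process {
        if (-not $Finding.SignInEnabled) { return }
        if ($Finding.SyncedFromOnPrem) {
            # Cloud changes to synced accounts are overwritten by the next sync cycle
            Write-Warning "$($Finding.Mailbox) is synced from on-premises AD; disable it there."
            return
        }
        Update-MgUser -UserId $Finding.ObjectId -AccountEnabled:$false
        Write-Host "Blocked sign-in for $($Finding.Mailbox)"
    }
}

# Review the report first: a real person's mailbox mislabeled as shared would otherwise be locked out
$report = Get-SharedMailboxSignInStatus
$report | Format-Table Mailbox, Type, SignInEnabled, SyncedFromOnPrem
# $report | Block-SharedMailboxSignIn
```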



Items of Recommended Importance
☐ Implement the Preset security policies
Microsoft publishes two sets of recommended settings for Exchange Online Protection and
Microsoft Defender for Office 365: Standard and Strict. Preset security policies are the “easy
button,” allowing you to apply the “Standard protection” as well as the “Strict protection”
template to your tenant.

In the Defender portal under Policies & rules, find Threat policies > Preset Security Policies.

While it is of course still possible to manage all of your individual policies separately, I
recommend that most small and mid-sized customers stick with the Presets, especially because
Microsoft may update their best practices over time. With the presets in place, you will be
automatically upgraded when Microsoft adds or removes features, or alters settings based on
threats that Microsoft is seeing in the wild.

If you do decide to manage custom policies, then please refer to this Microsoft article for
guidance (and revisit on a regular cadence). It contains the full description of settings in each
policy so that you can re-create them for yourself, and customize from there. I personally hope
that in the future, Microsoft just gives us another easy button to “copy” the Presets to a custom
set of policies.



Note: I find that ‘Strict protection’ leads to more false positives, while
‘Standard protection’ works well for most organizations.

Regarding policy precedence: Strict overrides Standard overrides Custom overrides Default.
So, what does that mean? It means if you deploy a Preset policy, it will take precedence over
any custom or default policies you have out there. Remember that Strict will always outstrip
Standard; so, if a user falls under the scope of two policies, now you know which one wins.

If you want to configure the existing policies rather than using the Presets, refer to my script
Install-EXOStandardProtection.ps1, which will apply the same settings found in Standard
Protection. Note that you should add custom protected users and domains to the Anti-phish
policy after you run the script.



☐ Configure outbound spam policy including block auto forward
When attackers get a hold of a mailbox, they will often exfiltrate data by setting up mailbox
forwarding to an outside email address that they can then monitor without needing constant
access to the source mailbox. In fact, one of the default Alert policies (which we mentioned
earlier in this checklist) will notify you when new forwarding rules like this show up.

(Screenshot: Always set Automatic forwarding rules to Off.)

The Anti-spam outbound policy, which is not included in the Preset security policies, should be
set up to block this by default, but it is always a good idea to explicitly assign this setting value. I
suggest moving it from Automatic to Off (Forwarding is disabled).
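As an added example (not from the guide or its repository), the following sets automatic forwarding to Off in every outbound spam policy and then looks for forwarding that is already configured, in either of the two places an attacker with mailbox access typically puts it: the mailbox forwarding properties, or an inbox rule that forwards or redirects. It assumes an Exchange Online PowerShell session; the Get-Scope helper and its internal/external classification are my own construction.

```powershell
# Added example, not the guide's code. Assumes Connect-ExchangeOnline has been run.
function Set-AutoForwardingOff {
    # Applies to the Default policy and any custom outbound policies in the tenant
    Get-HostedOutboundSpamFilterPolicy | Set-HostedOutboundSpamFilterPolicy -AutoForwardingMode Off
}

function Get-ForwardingFindings {
    $internalDomains = (Get-AcceptedDomain).DomainName
    $addressPattern  = '[\w.+-]+@([\w-]+(?:\.[\w-]+)+)'

    # Classify a target by the domain of any SMTP address it contains (helper, constructed here)
    function Get-Scope([string]$target) {
        if ($target -match $addressPattern) {
            if ($internalDomains -contains $Matches[1]) { return 'Internal' } else { return 'External' }
        }
        return 'Unknown'   # display-name-only targets need a manual look
    }

    $mailboxes = Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox `
        -Properties ForwardingSmtpAddress,ForwardingAddress,DeliverToMailboxAndForward
    foreach ($mbx in $mailboxes) {
        # 1. Mailbox-level forwarding (Set-Mailbox or the admin center)
        foreach ($target in @($mbx.ForwardingSmtpAddress, $mbx.ForwardingAddress) | Where-Object { $_ }) {
            [pscustomobject]@{
                Mailbox = $mbx.PrimarySmtpAddress; Source = 'MailboxProperty'; Rule = $null
                Action  = if ($mbx.DeliverToMailboxAndForward) { 'ForwardAndKeep' } else { 'ForwardOnly' }
                Target  = "$target"; Scope = Get-Scope "$target"
            }
        }
        # 2. Inbox rules (created by the user, or by whoever holds the user's session);
        #    Get-InboxRule is one call per mailbox, so this is slow in large tenants
        foreach ($rule in Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress -ErrorAction SilentlyContinue) {
            $actions = @{ ForwardTo = $rule.ForwardTo; ForwardAsAttachmentTo = $rule.ForwardAsAttachmentTo; RedirectTo = $rule.RedirectTo }
            foreach ($action in $actions.Keys) {
                foreach ($target in @($actions[$action]) | Where-Object { $_ }) {
                    [pscustomobject]@{
                        Mailbox = $mbx.PrimarySmtpAddress; Source = 'InboxRule'; Rule = $rule.Name
                        Action  = $action; Target = "$target"; Scope = Get-Scope "$target"
                    }
                }
            }
        }
    }
}

Set-AutoForwardingOff
# With AutoForwardingMode Off, external forwards are rejected but stay configured; each
# finding that is not clearly internal is worth triaging as a possible compromise
Get-ForwardingFindings | Where-Object Scope -ne 'Internal' | Format-Table -AutoSize
```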

☐ Configure Email Authentication


Email authentication is a means of using DNS records to validate or prove that your email is
coming from a trusted source. Therefore, it is important that you also protect access to your
DNS hosting provider, where these changes can be made. There are three record types in total
that we need to configure.

Sender Policy Framework (SPF)


An SPF record is a DNS “TXT” type record. It is one of the records that Office 365 has you
provision when you first set up and configure mail flow to Office 365. Navigate in the Microsoft
365 admin center to Settings > Domains.

The function of the SPF record is to advertise to the world who is allowed to send email on
behalf of your domain. When you build this TXT record, you should try to include as many
“legitimate” sources of email as you can. For example, if your email is hosted at Office 365 with
no other possible senders, then you only need the following:

Host name: @ <or your domain name>

TXT value: v=spf1 include:spf.protection.outlook.com -all

For third-party software such as Mail Chimp, Constant Contact, etc., you can usually find their
SPF information using a quick Google search, or by contacting their support. For your own on-
premises apps or scan to email devices, you may want to include an ip4 entry for your
company’s external IP addresses.

Let us assume you had a combination of Office 365 for hosted email, Constant Contact for bulk
mailing/marketing emails, and an on-premises copier/scanner internally, with your
organization’s external IP being 87.65.43.21. Then you would have this SPF to publish:

Host name: @ <or your domain name>

TXT value:
v=spf1 include:spf.protection.outlook.com include:spf.constantcontact.com ip4:87.65.43.21 -all



Domain Keys Identified Mail (DKIM)
DKIM is an authentication system based on an asymmetric cryptographic key pair: a private and
a public key. When a message leaves Office 365, it is digitally signed with the private key. The
public key is published via a DNS CNAME record, so that recipient servers can validate the
signature. This proves to recipient servers that your messages really did come from the “right
place.”

By default, your “OnMicrosoft” domain already has DKIM configured and working. But if you are
bringing a “vanity” domain name such as contoso.com (most organizations are), then you will
need to set up DNS records for your domain(s), and then enable DKIM message signing in
Exchange Online.

You will need to build two CNAME records per domain for DKIM. The format is:

Host name: selector1._domainkey

Points to: selector1-CompanyDomainName-com._domainkey.TenantName.onmicrosoft.com

Host name: selector2._domainkey

Points to: selector2-CompanyDomainName-com._domainkey.TenantName.onmicrosoft.com

Note: Your domain is separated by a hyphen instead of a period; it should match
the domain as depicted in the MX record that is given to you by Office 365
(e.g.: contoso-com.mail.protection.outlook.com).

Also, the tenant name (TenantName.onmicrosoft.com) can be found under
Settings > Domains in the Microsoft 365 admin center.

Therefore, contoso.com, whose tenant name is “contoso.onmicrosoft.com” looks like this:

Host name: selector1._domainkey

Points to: selector1-contoso-com._domainkey.contoso.onmicrosoft.com

Host name: selector2._domainkey

Points to: selector2-contoso-com._domainkey.contoso.onmicrosoft.com

Another example is myfavoritecharity.org with a tenant name of charityrocks.onmicrosoft.com:



Host name: selector1._domainkey

Points to: selector1-myfavoritecharity-org._domainkey.charityrocks.onmicrosoft.com

Host name: selector2._domainkey

Points to: selector2-myfavoritecharity-org._domainkey.charityrocks.onmicrosoft.com

Next, in the Defender admin center, go to Policies & rules > Threat Policies and scroll down
under Rules to find DKIM. Pick the domain that you want to enable for DKIM signing.

In the right-hand flyout that appears, you can generate your DKIM keys for the selected domain;
you must publish these records via your DNS hosting provider.



Give it at least a few minutes after publishing before you attempt to Enable signing. If you have
not configured your DNS records, this operation will fail out, so be sure to allow enough time for
DNS to propagate.

(Screenshot: After DNS changes are made, then Enable here.)



You may also see the script entitled Setup-DKIM.ps1 in my GitHub repo for a quick way to
retrieve the “points to” values.

NOTE: You should also work with third-party authorized senders to get their DKIM
information and enable signing as well.

Domain-based Message Authentication, Reporting & Conformance (DMARC)


DMARC is a DNS record that tells recipient servers how to treat unauthenticated messages that
come from your domain, based on policy. It can also communicate where to send reports about
mail from your domain.

By way of example, here is what DMARC could look like for contoso.com:

TXT Name: _dmarc.contoso.com

Value: "v=DMARC1; p=quarantine; pct=100"

However, when you are first rolling DMARC out, it is best to start with the policy set
to p=none, because this will allow you to take time to find legitimate sources of email and
update SPF and DKIM before moving the DMARC policy up to a setting of quarantine, or even
reject (the strongest setting).
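As an added example covering the SPF, DKIM and DMARC sections (not from the guide or its repository), the following checks what is actually published in DNS for a domain, builds the expected DKIM CNAME targets from the domain and tenant name using the hyphen-for-period rule described above, and reports whether the domain is ready to move DMARC beyond p=none. It assumes Windows PowerShell (Resolve-DnsName from the DnsClient module) and, for the DKIM signing status and the optional -EnableSigning step, an Exchange Online PowerShell session; the function and switch names are my own.

```powershell
# Added example, not the guide's code. Assumes Resolve-DnsName and, for the DKIM signing
# status, Connect-ExchangeOnline. A DKIM signing config must already exist for the domain
# (generated in the Defender portal as described in the guide, or via New-DkimSigningConfig).
function Test-EmailAuthRecords {
    param(
        [Parameter(Mandatory)][string]$Domain,       # e.g. contoso.com
        [Parameter(Mandatory)][string]$TenantName,   # e.g. contoso (for contoso.onmicrosoft.com)
        [switch]$EnableSigning                       # enable DKIM signing once both CNAMEs resolve
    )
    function Get-TxtRecords([string]$name) {
        @(Resolve-DnsName -Name $name -Type TXT -ErrorAction SilentlyContinue |
            Where-Object Type -eq 'TXT' | ForEach-Object { $_.Strings -join '' })
    }

    # SPF: exactly one v=spf1 record that includes Office 365 and ends with a hard fail
    $spf   = @(Get-TxtRecords $Domain | Where-Object { $_ -like 'v=spf1*' })
    $spfOk = $spf.Count -eq 1 -and $spf[0] -match 'include:spf\.protection\.outlook\.com' -and $spf[0] -match '\s-all$'

    # DKIM: both selector CNAMEs must point at the tenant, with the domain's periods as hyphens
    $dkimHost = $Domain -replace '\.', '-'
    $dkim = foreach ($n in 1, 2) {
        $expected  = "selector$n-$dkimHost._domainkey.$TenantName.onmicrosoft.com"
        $published = Resolve-DnsName -Name "selector$n._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue |
            Where-Object Type -eq 'CNAME' | Select-Object -First 1 -ExpandProperty NameHost
        [pscustomobject]@{ Selector = "selector$n"; Expected = $expected; Published = $published; Ok = ($published -eq $expected) }
    }
    $dkimDnsOk = @($dkim | Where-Object { -not $_.Ok }).Count -eq 0

    $signing = Get-DkimSigningConfig -Identity $Domain -ErrorAction SilentlyContinue
    if ($EnableSigning -and $dkimDnsOk -and $signing -and -not $signing.Enabled) {
        # Only attempted after DNS resolves, since enabling fails when the CNAMEs are not published yet
        Set-DkimSigningConfig -Identity $Domain -Enabled $true
        $signing = Get-DkimSigningConfig -Identity $Domain
    }

    # DMARC: read the p= tag; none is the starting point, quarantine or reject once SPF and DKIM pass
    $dmarc  = @(Get-TxtRecords "_dmarc.$Domain" | Where-Object { $_ -like 'v=DMARC1*' })
    $policy = if ($dmarc.Count -ge 1 -and $dmarc[0] -match '(?:^|;)\s*p=(\w+)') { $Matches[1] } else { $null }

    [pscustomobject]@{
        Domain         = $Domain
        Spf            = $spf -join ' | '
        SpfOk          = $spfOk
        DkimCnames     = $dkim
        DkimDnsOk      = $dkimDnsOk
        DkimSigningOn  = [bool]$signing.Enabled
        DmarcPolicy    = $policy
        ReadyToTighten = $spfOk -and $dkimDnsOk -and [bool]$signing.Enabled -and $policy -eq 'none'
    }
}

Test-EmailAuthRecords -Domain contoso.com -TenantName contoso | Format-List
```

Run it for each vanity domain; a domain with ReadyToTighten set to True has SPF, DKIM DNS and signing all in place, so the remaining work before raising DMARC is reviewing aggregate reports for third-party senders not yet covered by SPF or DKIM.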

☐ Deploy the Report Phishing add-in


Not every bad thing will be caught by your security policies; some items might slip by.
Therefore, you should give end users the ability to self-report email messages that they believe
are junk or phishing, by providing them with the Report Message add-in.

From the Admin center, go to Settings > Integrated apps and click Get apps. From the store,
you can find the Report Phishing add-in here and click Get it now.



(Screenshot: Just search for “report” to filter the list.)

Finish the wizard to deploy this add-in for all users but note that it can take up to 12 hours to
appear in Outlook.

☐ Modify the default Retain deleted items value


By default, deleted items will be purged after 14 days, but this is extendable to 30 days. This can
be set on existing mailboxes individually and on the mailbox plan (for future mailboxes).
Connect to Exchange Online PowerShell and run:
Get-MailboxPlan | Set-MailboxPlan -RetainDeletedItemsFor 30

Or use the script Set-DeletedItemsRetention.ps1 from my GitHub repo.

☐ Migrate to Microsoft 365 Groups


Many organizations have legacy Distribution Lists and Public Folders which could be replaced
with Microsoft 365 Groups. It is recommended to look for opportunities to leverage Groups
where it makes sense. In fact, many times a business process that relied on Public Folders or
Distribution Lists in the past would make much more sense in an altogether different application
like Teams! (And remember that Teams is built on top of Microsoft 365 Groups).



Microsoft used to have a process for upgrading DL’s, but as of February 2023, this has been
deprecated, so the process ends up being a manual review and replace moving into the future.
See this article for more details.

Items of Optional Importance


☐ Disable consumer storage locations
By default, users can work with consumer storage locations such as DropBox, Gsuite and
OneDrive (personal) via Outlook on the Web. In some environments, this will be exposing the
organization to unnecessary risk—consumer storage locations are unmanaged and outside of
the compliance boundary of Microsoft 365. Connect to Exchange Online PowerShell and run:
Get-OwaMailboxPolicy | Set-OwaMailboxPolicy -AdditionalStorageProvidersAvailable $False

Or use the script Block-ConsumerStorageOWA.ps1 in my GitHub repo.

☐ Configure audit log retention


By default, the audit log age limit is 90 days. If you have an E5 subscription, you can retain audit
logs for up to 365 days (1 year).

(Screenshot: Constrain policy to either Users or Record types.)



In the Defender (security) or Purview (compliance) center portals, under Audit, check out the
Audit retention policies tab. Again, with E5 licensing being the prerequisite, you can define
policies that will retain audit events by user and/or record type.

You can also enable per-mailbox audit log retention values up to 365 days using Exchange
Online PowerShell:

$AuditLogAgeLimit = 365
Get-Mailbox -ResultSize Unlimited | Set-Mailbox -AuditEnabled $true -AuditLogAgeLimit $AuditLogAgeLimit

Or use the script Configure-Auditing.ps1 from my GitHub repo.

☐ Email encryption branding


It is possible to configure custom branding elements for encrypted emails.

See this article for more details.

☐ Customize other settings for Email encryption


See my Advanced-TenantConfig.ps1 script for quick modifications including:

• Encrypt PDF attachments (they are not encrypted by default)
• Auto decryption for copies of messages sent to third-party journal providers
• Auto decryption for download of attachments on protected messages

☐ Conditional access (Block attachment download) option
We have the option to block download and printing for messages and attachments in Outlook
web app on unmanaged devices. This is recommended in sensitive environments where
compliance and data leakage are major concerns.

In order to enable these “application enforced restrictions,” you must first enable the
Conditional Access policy in Read-only mode via Exchange Online PowerShell:

Get-OwaMailboxPolicy | Set-OwaMailboxPolicy -ConditionalAccessPolicy ReadOnly

Once that setting is in place, you must set up a corresponding Conditional Access policy in
Azure AD. Use the templates to deploy the policy called Use application enforced restrictions
for unmanaged devices. This is also described in the Intune Best Practices Checklist.

☐ Enable auto-expanding archive


The archive mailbox can be automatically expanded when it reaches its capacity. At the time of
this writing, it will continue to auto-expand up to a maximum limit of 1 TB. Connect to Exchange
Online PowerShell and run:

Set-OrganizationConfig -AutoExpandingArchive

☐ Enable the Personal Archive mailbox


This is simply another mailbox that can be used to store old items, and act as additional storage
space which will relieve pressure on the storage quotas that you have by default on the primary
mailbox. You can enable the archive mailbox for any user right from the Microsoft Purview
portal (https://compliance.microsoft.com): Go to Data Lifecycle Management > Microsoft 365
in the left nav and click the Archive tab along the top.

Select the user and click Enable archive.

To enable the archive mailbox for all users, connect to Exchange Online PowerShell and run:

Get-Mailbox -ResultSize Unlimited -Filter {ArchiveStatus -Eq "None" -AND RecipientTypeDetails -eq "UserMailbox"} | Enable-Mailbox -Archive

☐ Enable Litigation hold


I generally recommend using Microsoft 365 retention policies rather than litigation hold on
mailboxes for “general” purposes. While the two serve similar goals, note that a retention policy
can manage deletion as well as retention of mailbox items. However, litigation hold can be
combined with retention policies as well. For example, if you have a general retention policy in
place covering all mailboxes, but you want to place an additional hold on a specific mailbox or
set of mailboxes during active litigation that may span several months or more, you can go
ahead and do so. Whereas there may be old data falling off each day during normal retention
periods (e.g., only keep 3 years of data), your litigation hold can help preserve records in spite of
another blanket policy which may be set up to remove records.

Be aware that keeping too much data can be a risk as well for some organizations. I do not
recommend placing mailboxes on hold without an expiration date (or a policy that says: “keep
all items forever”) unless the organization has explicitly signed off on it.



Inactive mailboxes
Once you have a mailbox on hold or you have applied a general retention policy to Exchange
Online, then you also get Inactive mailboxes—these are just deleted mailboxes that are still
available for recovery, throughout the period of the hold or retention.

(Screenshot: the Inactive mailboxes view.)

From the Microsoft Purview Compliance center navigate to Data Lifecycle Management >
Microsoft 365. Go to the Retention policies tab and click Inactive mailbox.

Or view them via PowerShell:

Get-Mailbox -SoftDeletedMailbox | Select-Object Name,ExchangeGuid

When an employee leaves the company, they are typically replaced by a new hire. But when we
remove licenses from user accounts in Microsoft 365, the mailbox is also removed. While it is
possible to recover on short time horizons (e.g., 30 days), retention policies and legal holds will
ensure that mailboxes remain recoverable for the duration of the preservation period. Therefore,
mailboxes become “inactive” rather than deleted.

Microsoft supports two methods for pulling these mailboxes back from the grave:

1. Recover the inactive mailbox (e.g., if the departed user returns to the organization) or

2. Restore the inactive mailbox to an alternate location (merge it into another mailbox)

Conclusion
Thank you for reading this guide! Again, this resource is meant as a baseline for best practices,
and it is not intended to be a comprehensive overview of every setting. Please test and confirm
anything you read here or on ITProMentor.com before implementing in real life.

