

365 Tenant Manager Release on March 20, 2025
Enhancements
- The following new predefined settings targeting Exchange and Microsoft 365 (General) have been introduced in the predefined settings library:
  - Exchange
    - HS-S0054 – Ensure Safe Attachments policy is enabled
      This setting ensures Exchange Safe Attachments are enabled, blocking harmful files and restricting quarantined items to admins for better security.
    - HS-S0056 – Ensure Outbound Spam Filter Policies Notify Admins
      This setting ensures Outbound Spam Filter policies notify administrators, helping detect and respond to potential email threats.
    - HS-S0057 – Ensure an Anti-Phishing policy is created
      This setting ensures the Anti-Phishing policy is configured with necessary security settings to protect against phishing attempts.
    - HS-S0061 – Ensure comprehensive attachment filtering is applied for the Default Policy
      This setting ensures comprehensive attachment filtering (Common Attachment Types Filter) is configured to block known and custom malicious file types in emails.
    - HS-S0062 – Ensure Priority account protection is enabled and configured
      This setting helps identify important accounts (e.g., executives or managers) and applies additional security protections, as these accounts often have access to sensitive information and are likely cyberattack targets.
    - HS-S0063 – Toggle MailTips for end user
      This setting ensures MailTips are enabled, providing users with real-time notifications when composing emails, including alerts for large groups or external recipients.
    - HS-S0068 – Connection filter policy Settings (IP Allowed List)
      This setting ensures allowed IP addresses in the Hosted Connection Filter Policy are properly configured, allowing emails only from trusted sources.
    - HS-S0069 – Connection filter policy (Safe List)
      This setting ensures the SafeList option is turned off in Connection Filter settings, preventing senders from bypassing security checks.
    - HS-S0074 – Ensure Mailbox Forwarding is Disabled
      This setting ensures mailbox forwarding is disabled for specified user mailboxes, preventing unauthorized email forwarding.
    - HS-S0075 – Ensure inbound anti-spam policies do not contain allowed domains
      This setting ensures the default inbound anti-spam policy does not contain allowed domains, minimizing risk from unwanted or harmful emails.
  - Microsoft 365 (General)
    - HS-S0055 – Ensure Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is Enabled
      This setting ensures Advanced Threat Protection (Safe Attachments and SafeDocs) is enabled for SharePoint, OneDrive, and Teams, enhancing file security.
    - HS-S0072 – Ensure a Dynamic Group for Guest Users is created
      This setting ensures all guest users in Entra ID are automatically organized into a dynamic group for improved security and simplified management.
- The following new predefined policies for Entra – Conditional Access, Intune – Conditional Access, Intune – Device configurations, and Intune – Device compliance have been introduced in the predefined policies library:
  - Entra – Conditional Access
    - HS-P0023 – Block access for unknown or unsupported device platform
      This policy blocks sign-ins from unsupported device platforms, allowing access only from Windows, Linux, macOS, Android, iOS, and Windows Phone.
    - HS-P0024 – No persistent browser session for Unmanaged devices
      This policy ensures users on unmanaged devices are signed out upon closing their browsers and requires reauthentication every hour.
  - Intune – Conditional Access
    - HS-P0025 – Require MDM-enrolled and compliant device to access cloud apps for all users
      This policy ensures only company-approved and secure devices can access cloud apps, protecting organizational data.
    - HS-P0026 – Block Downloads for O365 apps if device is not compliant/corporate owned
      This policy blocks file downloads from Office 365 apps on unapproved or personal devices, preventing data leaks.
  - Intune – Device Configurations
    - HS-P0027 – Windows 10 Endpoint Protection Policy
      This policy ensures security on Windows devices by enabling BitLocker encryption, blocking unapproved applications, strengthening Defender protection, and enforcing firewall rules to prevent unauthorized access.
  - Intune – Device Compliance Policies
    - HS-P0028 – Windows 10 or later Advanced Security Device Compliance Policy
      This policy ensures Windows 10 and later devices remain secure by enabling BitLocker, Secure Boot, Firewall, TPM, Antivirus, and additional critical security features.