
How to Monitor ATP Configuration Changes in Microsoft 365

For tightened security, as an admin, you've undoubtedly configured Microsoft Defender for Office 365 (formerly ATP) settings in your organization. But what happens if these critical configurations are altered without your knowledge? Unauthorized changes can weaken your defenses and make your organization vulnerable to phishing attacks, malware infiltration, and data breaches. This guide helps admins track ATP configuration changes to maintain Microsoft 365 security.

Monitor ATP Configurations Using Microsoft Defender Portal

Microsoft 365 Permission Required
  • Least privilege: View-Only Audit Logs role
  • Most privilege: Global Admin
  • Open the Audit logs page in the Microsoft Defender portal.
  • Customize the date and time range as required.
  • Enter the desired ATP configuration-based operations in the Activities - Operation Names field to monitor changes. Refer to the operation names listed in the OperationNames.txt file below.
  • Click Search to find ATP configuration changes based on the specified operation names.
  • The screenshot below shows an example of an Audit search for operations such as ‘Set-MailboxJunkEmailConfiguration’ and ‘HostedContentFilterPolicy’.
[Screenshot: Audit search for ATP configuration operations in the Microsoft Defender portal]
Operation names: OperationNames.txt
Note: You can also use the audit feature in the Microsoft Purview portal to track activities, following the same steps outlined above.

Track Configuration Changes in ATP Using PowerShell

Microsoft 365 Permission Required
  • Least privilege: View-Only Audit Logs role
  • Most privilege: Global Admin
  • Establish a connection to the Exchange Online PowerShell module by executing the cmdlet below.
     Connect-ExchangeOnline
  • Run the cmdlet below to retrieve ATP configuration changes in Entra ID. Edit the start date, end date, and result size as needed to refine the results.
     Search-UnifiedAuditLog -StartDate "MM-DD-YYYY" -EndDate "MM-DD-YYYY" -Operations <Operation cmdlets> -ResultSize 500
  • Replace <Operation cmdlets> with one or more operation names from the 'OperationNames.txt' file referenced in the previous section to customize data retrieval.
[Screenshot: Search-UnifiedAuditLog results for hosted content filter policy operations]
  • The operations shown in the image retrieve data related to hosted content filter policy operations within the specified date range. This helps in tracking content filtering changes and policy updates.
  • Additionally, you can explore the cmdlets in the file below to find records of when and by whom threat protection rules, policies, insights, and other related settings were viewed: Get-Cmdlets.txt
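The following script is an added example, not AdminDroid's code and not taken from the page. It builds on the Search-UnifiedAuditLog step above: it pages through the unified audit log with a session so that more than one batch can be retrieved, expands the AuditData JSON that each record carries, and produces a who/what/when table plus a CSV for review. It assumes the ExchangeOnlineManagement module is installed and the signed-in account holds at least the View-Only Audit Logs role; the operation list is an assumption assembled from the cmdlet names mentioned on this page and should be extended from OperationNames.txt.

```powershell
# Added example (not AdminDroid's code): report who changed which Defender for
# Office 365 / EOP policy, and when, from the unified audit log.
# Assumes the ExchangeOnlineManagement module and the View-Only Audit Logs role.
Connect-ExchangeOnline

$StartDate = (Get-Date).AddDays(-30)
$EndDate   = Get-Date

# Operation names to watch (assumption: built from cmdlet names on this page;
# extend the list from OperationNames.txt).
$Operations = @(
    'Set-HostedContentFilterPolicy',     # anti-spam policy changes
    'Set-AntiPhishPolicy',               # anti-phishing policy changes
    'Set-SecOpsOverridePolicy',          # SecOps mailbox override changes
    'Set-MailboxJunkEmailConfiguration'  # per-mailbox junk settings
)

# A single call returns at most 5000 records; a session with ReturnLargeSet
# keeps returning the next batch until the result set is exhausted.
$SessionId = 'ATPConfigAudit-' + (Get-Date -Format 'yyyyMMddHHmmss')
$Records   = @()
do {
    $Batch = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
        -Operations $Operations -SessionId $SessionId `
        -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($Batch) { $Records += $Batch }
} while ($Batch)

# AuditData is a JSON string; flatten the fields a reviewer needs.
$Report = foreach ($Record in $Records) {
    $Data = $Record.AuditData | ConvertFrom-Json
    [PSCustomObject]@{
        Time       = $Record.CreationDate
        Actor      = $Data.UserId          # who ran the cmdlet
        Operation  = $Record.Operations    # which cmdlet
        Target     = $Data.ObjectId        # which policy or mailbox
        Parameters = ($Data.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
        Result     = $Data.ResultStatus
        ClientIP   = $Data.ClientIP
    }
}

$Report | Sort-Object Time -Descending | Format-Table -AutoSize
$Report | Export-Csv -Path .\ATPConfigChanges.csv -NoTypeInformation
```

The Parameters column is the part worth reading: it shows the exact settings that were changed (for example a spam action or a safe-sender entry), which is what you need to decide whether a change was authorized. Audit records can take some time to appear after the change, so a search that ends at the current time may miss the most recent edits.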

Track Threat Protection Activities in Microsoft 365 with AdminDroid for Enhanced Security

With AdminDroid's Exchange Online ATP auditing tool, you can easily track MS Defender Advanced Threat Protection configuration changes and gain valuable security insights for your Office 365 tenant. Additionally, AdminDroid provides dedicated reports on phishing, malware, spam, and more for effective threat management.

Analyze Phishing Overrides and Bypassed Detections

Monitor the phishing overrides report to track policy changes related to overrides and assess potential risks. It also audits third-party phishing simulation overrides and rules that bypass EOP filtering.

Track DKIM Configuration Changes in Microsoft 365

Monitor DKIM configuration changes to help admins prevent spoofing and reputational damage. It provides details on configuration time, user actions, and associated DKIM policies.

Detect Malware Emails in your Microsoft 365 Environment

Find all malware detected emails in Microsoft 365 to check if any malware emails have bypassed your tenant's ATP configurations and strengthen your settings.

Monitor Safe Links to Block Threats and Track Changes

Audit the Safe Links configuration changes made to block malicious URLs, prevent phishing attacks, and swiftly detect any unauthorized changes.

Strengthen Security with ATP & Compliance Insights

Regularly verify that your ATP configuration aligns with Office 365 regulatory compliance management to detect misconfigurations, policy gaps, or deviations from security best practices.

Improve Email Protection with AdminDroid Security Reports

Use mail protection reports in Microsoft 365 to monitor and optimize email security settings for enhanced detection against spam, phishing, and malware attacks.

In conclusion, AdminDroid’s Microsoft 365 auditing tool enables you to optimize security settings, enhance threat detection, and ensure your organization is well-protected against emerging risks.

Explore a full range of reporting options

Important Tips

Use advanced hunting in Microsoft 365 Defender to proactively detect threats, investigate suspicious activities, and identify threat indicators across your network.

Follow the role-based access control (RBAC) model to ensure precise access control and a well-managed ATP configuration in Microsoft 365.

Optimize ATP configurations by fine-tuning settings such as anti-phishing, anti-spam, etc., using Secure Score recommendations to strengthen security and block threats effectively.

Common Errors and Resolution Steps

The following are possible errors and troubleshooting hints while managing Microsoft 365 ATP configurations.

Error: Your attempt to connect to this Exchange server was denied because your account isn’t enabled for Remote PowerShell.

This error happens while connecting to the Exchange Online module because the Remote PowerShell functionality is disabled for you.

Fix: Ask your Global Admin or a privileged admin to enable Remote PowerShell for you in Exchange Online using the following cmdlet.
Set-User -Identity <UPN> -RemotePowerShellEnabled $true

Error: Invalid DataSource value. Possible values are RealtimePipeline or Database.

This error occurs when an incorrect value is specified for the EventType parameter while using 'Get-MailDetailATPReport' cmdlet.

Fix: Specify a valid value for the EventType parameter. Use double quotation marks when the value contains a space.
Get-MailDetailATPReport -EventType "Advanced Filter"

Error: Admins are unable to view or edit anti-phishing policies in Microsoft 365 Defender.

This error occurs in the Microsoft 365 Defender portal when admins try to access or modify anti-phishing policies, preventing changes to EOP settings. It usually happens due to temporary issues or display restrictions in the UI.

Fix: Use the PowerShell cmdlets below to configure anti-phishing policies in Exchange Online Protection.
# To retrieve an anti-phishing policy, use the Get cmdlet; to modify it, use the Set cmdlet.
Get-AntiPhishPolicy
Set-AntiPhishPolicy
Frequently Asked Questions

Audit Advanced Threat Protection configuration changes in Microsoft 365

1. What is Attack simulation training in Microsoft 365 and how does it strengthen ATP security?

Instead of just monitoring and reacting to threats, Attack simulation training allows admins to assess user resilience by simulating real-world phishing attacks. This helps identify vulnerable users, educate them on recognizing threats, and reduce the risk of credential theft or malware infiltration.

It complements ATP by reinforcing security awareness and reducing the risk of attackers taking advantage of human errors. This ensures that protection strategies cover both technology and user behavior.

Run an Attack simulation training in Microsoft 365 Defender

  • Open the Attack simulation training page in the Microsoft Defender portal.
  • Click Launch a simulation under the Simulations tab and choose an attack technique such as credential harvesting or malware attachment. The list also includes techniques like Link in Attachment, Link to Malware, Drive-by URL and OAuth Consent Grant. Then, click Next.
  • Set a simulation name and description for the selected technique. Select Next to proceed to the Payload and Login Page to choose a payload. You can customize the email used in the Global payload template or create your own payload in the Tenant payload section.
  • Select the target users or groups (either all or specific) for the simulated phishing email. You can also exclude specific users from the simulation.
  • Now, assign training courses to users who fall for the simulation to improve security awareness.
  • After adding the assessment, select a phishing landing page. You can customize it, choose one from the default list, or use tenant-specific landing pages.
  • Next, select the end-user notification and configure the launch details. The launch can be scheduled or triggered immediately, and you can configure the number of days to end the simulation.
  • Once done, review the details and launch the simulation.
[Screenshot: Attack simulation review page]

Note: The steps may vary based on the chosen attack technique.

Leverage the simulation results to uncover security gaps, refine Microsoft Defender ATP policies, and enhance user awareness for a more resilient Microsoft 365 security posture.

2. How does the Configuration analyzer in Microsoft 365 Defender help optimize ATP settings?

The Configuration analyzer in Microsoft 365 Defender is a centralized tool for monitoring and securing ATP configurations. It compares existing security policies with Microsoft's recommended settings to ensure optimal protection. This ensures that your organization's defenses are aligned with best practices, reducing vulnerabilities to threats.

Optimize and Correct settings with Configuration analyzer

  • Go to the Microsoft Defender portal.
  • Navigate to Email & collaboration » Policies & rules » Threat policies.
  • Select Configuration analyzer under "Templated policies".
  • Click on the listed recommendation to understand why it is suggested.
  • To apply it, select the Apply recommendation option. A confirmation dialog box will appear for final approval before implementation.
[Screenshot: Configuration analyzer in Microsoft Defender]

Regularly reviewing ATP configurations using the Configuration analyzer helps identify issues in your current setup and improve security policies.

3. How do SecOps Mailbox Overrides affect ATP in Microsoft 365?

SecOps (Security Operations) is a comprehensive security practice focused on threat detection, investigation, and response. Security teams may use SecOps mailboxes (such as dedicated security mailboxes) to collect and analyze unfiltered emails, including both legitimate and malicious messages, for threat-hunting and forensic analysis.

SecOps mailbox override policies allow security teams to bypass Advanced Threat Protection and Exchange Online Protection (EOP) filtering for specific emails. While ATP scans emails for malware, phishing, and advanced threats, overrides ensure that important emails are not mistakenly blocked. However, improper use of these policies can weaken security defenses, so it is essential to audit override activities to prevent potential risks.

Track Modifications to SecOps Mailbox Override Policies

Use the following PowerShell cmdlet in Exchange Online to audit SecOps mailbox overrides and corresponding ATP policy changes.

Search-UnifiedAuditLog -Operations "Set-SecOpsOverridePolicy" -ResultSize 1000 | Where-Object {$_.AuditData -match "SecOps"}
# This cmdlet prompts you to enter the start date and end date in the MM/DD/YYYY format.

[Screenshot: Search-UnifiedAuditLog output for SecOps override policy changes]

Stay ahead of security risks with AdminDroid’s dedicated reports on SecOps mailbox overrides!

  • The SecOps mailbox overrides policies and rules report audits activities related to SecOps policies and rules that bypass EOP filtering along with details, such as who performed the operation, when, result status, etc.
  • By monitoring this report, you can ensure no significant mails are blocked while maintaining enhanced security.
[Screenshot: AdminDroid SecOps mailbox overrides policies and rules report]

4. How to check if an anti-phishing policy is disabled in Microsoft 365?

An anti-phishing policy in Microsoft Defender for Office 365 is crucial for protecting your organization from phishing attacks. If a policy is disabled by accident or while investigating false positives, users face potential threats, so it is essential to verify its status and ensure continuous protection.

Verify the Status of an Anti-Phishing Policy Using Microsoft 365 Defender Portal

  • Go to the Microsoft Defender Portal.
  • Navigate to Email & collaboration » Policies & rules » Threat policies.
  • In the Policies section, select Anti-phishing.
  • Use the filter option to display only the disabled anti-phishing policies.
[Screenshot: Disabled anti-phishing policies in the Microsoft Defender portal]

Check Anti-Phishing Policy Status Using PowerShell

Instead of navigating multiple tabs and sections, you can use a single PowerShell cmdlet to check the anti-phishing policy status directly. To verify using Exchange Online PowerShell, run the following cmdlet.

Get-AntiPhishPolicy | Where-Object { $_.Enabled -eq $false } | Select Name, Enabled
[Screenshot: Get-AntiPhishPolicy output filtered to disabled policies]
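The script below is an added example, not AdminDroid's code and not from the page. It goes one step beyond the one-liner above: a custom anti-phishing policy is applied to recipients through its anti-phish rule, so a policy can read Enabled while its rule is Disabled, in which case nobody is covered by it. The script joins Get-AntiPhishPolicy with Get-AntiPhishRule and reports the effective state and scope of every policy. It assumes the ExchangeOnlineManagement module is installed and the account holds a role that can read threat policies (Security Reader is assumed to suffice).

```powershell
# Added example (not AdminDroid's code): effective state of every anti-phishing policy.
# Assumes the ExchangeOnlineManagement module and a role able to read threat policies.
Connect-ExchangeOnline

$Policies = Get-AntiPhishPolicy
$Rules    = Get-AntiPhishRule   # one rule binds each custom policy to its recipients

$Status = foreach ($Policy in $Policies) {
    $Rule = $Rules | Where-Object { $_.AntiPhishPolicy -eq $Policy.Name }

    # Recipients the rule scopes the policy to: users, groups and domains.
    $Scope = if ($Rule) {
        (@($Rule.SentTo) + @($Rule.SentToMemberOf) + @($Rule.RecipientDomainIs) |
            Where-Object { $_ }) -join ', '
    } else { '' }

    # The default policy always applies to recipients no custom rule matches.
    $RuleState = if ($Policy.IsDefault) { 'n/a (default)' }
                 elseif ($Rule)         { $Rule.State }
                 else                   { 'no rule' }

    [PSCustomObject]@{
        Policy        = $Policy.Name
        IsDefault     = $Policy.IsDefault
        PolicyEnabled = $Policy.Enabled
        RuleState     = $RuleState
        Priority      = if ($Rule) { $Rule.Priority } else { $null }
        Scope         = $Scope
        # Effective only when the policy is on and it is either the default
        # policy or bound by a rule that is itself Enabled.
        Effective     = [bool]$Policy.Enabled -and
                        ($Policy.IsDefault -or ($Rule -and $Rule.State -eq 'Enabled'))
    }
}

$Status | Sort-Object IsDefault, Priority | Format-Table -AutoSize

# Anything not effective deserves a follow-up in the audit log to see who changed it.
$Status | Where-Object { -not $_.Effective } | ForEach-Object {
    Write-Warning "Anti-phishing policy '$($_.Policy)' is not currently applied to any recipients."
}
```

Run this after the one-liner above: the one-liner finds policies whose Enabled flag is off, while this report also catches a policy whose rule was disabled from the portal, and shows which users, groups or domains lost coverage as a result.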

Configuring Anti-phishing policy strengthens an organization's security by detecting and blocking phishing attempts, preventing unauthorized access, and safeguarding sensitive information.
