schrolla
commented
4 months ago @tkol2022 I see two possible approaches to addressing the circular reference. 1) We remove the alert policy from EXO and put it entirely within Defender. This means, however, tenants that may only use Exchange or leverage external capabilities rather than Defender would not have an EXO SCB policy item for this sort of alerting. So I believe this option leaves a gap. 2) We can just remove the need for "flipping" between the two SCBs for implementation by replicating the list of alerts directly in the Defender baseline. This means replication and a need to keep these lists in sync going forward, but for the purpose of making the documents easier to follow and stand on their own more easily. At least, Defender would be as EXO often references Defender if that is being used as the mechanism to secure Exchange Online.
So my initial thought is #2. It is straightforward in terms of implementation (just replicate the alert listing in Defender SCB). The downside being the need to keep these two documents synced. However, given how interlinked Defender and EXO are regardless, anyone editing either should really be comparing them together when making updates anyway. So I don't see this as a significant additional ask when the upside is better readability and easier implementation by readers.
You can see a candidate update in the associated branch here. Thoughts?
tkol2022
💡 Summary
When following the instructions for policy MS.EXO.16.1v1 I found myself in a circular reference which is bad for usability. The instruction links me to Defender and then the Defender instructions for 5.1 step 4 send me right back to the same EXO policy section to reference the list of alerts I'm supposed to configure. I'm wondering if we can improve the user experience here.
Implementation notes
Dependencies
This work is somewhat dependent on issue #401 which explores decoupling EXO and Defender. If those are decoupled then it would impact the need to perform this issue, which may become OBE.