💡 Summary
Query the tenant to determine all associated domains and have MS.DEFENDER.2.2 assess both the auto-defined domains as well as any custom agency domains specified by the user rather than just config provided agency domains.
Motivation and context
This work would make it easier for many organizations to more accurately assess impersonation protection of organizational domains without having to specify domains controlled by the tenant while still allowing for addition of other org domains via a custom variable.
Implementation notes
The implementation could use the existing ExchangeOnlineManagement PowerShell module to run Get-AcceptedDomain, find all domains in the tenant, and add them to the provider output. The Defender Rego assessment would then use these values to check that each one is present in the impersonation protection domains. Users could still add domains for this assessment check under a CustomAgencyDomains variable in the configuration files if the organization has other domains that aren't under the tenant's purview but should be trusted senders.
The result would be that many organizations would get more accurate results for MS.DEFENDER.2.2 without the need for a configuration file variable while still providing the option for those with more complex environments.
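The provider and assessment steps described above, combined into one added example (not ScubaGear's own code). It assumes an active Connect-ExchangeOnline session; Get-AcceptedDomain, Get-AntiPhishPolicy and their DomainName, EnableTargetedDomainsProtection and TargetedDomainsToProtect properties are real ExchangeOnlineManagement cmdlets and properties, while the -CustomAgencyDomains parameter is a hypothetical stand-in for the configuration variable.

```powershell
# Added example, not project code. Requires an existing Connect-ExchangeOnline session.
# Compares the domains the tenant owns (plus any configured agency domains) against the
# domains covered by anti-phish impersonation protection, and reports the gap.
function Get-ImpersonationDomainCoverage {
    param(
        # Hypothetical stand-in for the CustomAgencyDomains configuration variable.
        [string[]]$CustomAgencyDomains = @()
    )

    # Provider step: every accepted domain in the tenant, merged with the custom list.
    $tenantDomains = (Get-AcceptedDomain).DomainName
    $expected = @($tenantDomains) + @($CustomAgencyDomains) |
        ForEach-Object { $_.ToLowerInvariant() } |
        Sort-Object -Unique

    # Assessment step: domains protected by at least one anti-phish policy that has
    # targeted domain (impersonation) protection switched on.
    $protected = Get-AntiPhishPolicy |
        Where-Object { $_.EnableTargetedDomainsProtection } |
        ForEach-Object { $_.TargetedDomainsToProtect } |
        ForEach-Object { $_.ToLowerInvariant() } |
        Sort-Object -Unique

    # Any expected domain that no enabled policy protects is a finding for MS.DEFENDER.2.2.
    $missing = @($expected | Where-Object { $protected -notcontains $_ })

    [pscustomobject]@{
        ExpectedDomains  = @($expected)
        ProtectedDomains = @($protected)
        MissingDomains   = $missing
        Compliant        = ($missing.Count -eq 0)
    }
}

# Usage: include one extra, non-tenant domain the organization wants treated as trusted.
Get-ImpersonationDomainCoverage -CustomAgencyDomains 'partner.example.gov'
```

MissingDomains is what the Rego check would surface; an empty list means every tenant and custom domain is covered by an enabled impersonation protection policy.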
Acceptance criteria
The work is done when:
[ ] The Defender provider queries and captures tenant domains
[ ] MS.DEFENDER.2.2 assesses the captured tenant domains together with CustomAgencyDomains, if provided
Because of the current architecture with the PowerShell provider export modules, it is too complex to pull 1 command across products. Need further discussion on how to update architecture.