ASD's Blueprint for Secure Cloud

Exchange Online

This section describes the configuration of Exchange Online associated with systems built according to guidance in ASD's Blueprint for Secure Cloud.

Automated Configuration Deployment and Assessment

Overview

Some of the Exchange Online configurations can be automatically deployed using Microsoft 365 Desired State Configuration (DSC).

Some of the Exchange Online configurations cannot be assessed using a DSC blueprint. Please refer to those configuration pages to conduct a manual assessment.

| Configuration | Blueprint automation provided |
| Mail Flow | |
| - Rules | Yes (DSC) [1] |
| - Remote Domains | Yes (DSC) |
| - Connectors | No |
| Roles | Yes (DSC) |
| Settings | No |

1: The words or phrases setting in the Require TLS for sensitive items rule must be configured manually. Refer to Rules for configuration guidance.

Desired State Configuration

Before using the below DSC file, please refer to the automated deployment page for instructions.

Desired State Configuration file: Download Exchange Online DSC (.ps1). The linked .txt file must be renamed to .ps1.

Configuration data file: The configuration data file can be found on the DSC setup page.

The downloaded DSC file requires the following parameters to be populated; otherwise you will be prompted for them on import:

| Parameter name | Contents |
| JournallingReportMailbox | Name of an existing mailbox used for sending journalling reports [1] |

1: This parameter is only required to import the DSC; related journalling configuration settings are not provided.

Service Principal permissions

For organisations importing the DSC as per the instructions on the automated deployment page, the following permissions will need to be added to the Service Principal:

"EXOOwaMailboxPolicy", "EXORemoteDomain", "EXOTransportConfig", "EXOTransportRule"

Additional configuration

The following instructions must be completed before step 6 Deploy the configuration, on the automated deployment page:

  • Assign the Entra Exchange Administrator role to the M365DSC service principal.
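
A pre-flight check for the step above, as an added example that is not part of the Blueprint: it confirms that the service principal holds the Exchange Administrator role before the configuration is deployed, and lists every directory role it holds. It assumes the Microsoft Graph PowerShell SDK is installed, that the service principal's display name is M365DSC, and that the role is assigned at tenant scope; the parameter and variable names are illustrative.

```powershell
#Requires -Modules Microsoft.Graph.Applications, Microsoft.Graph.Identity.Governance
param(
    # Assumption: display name of the service principal created for Microsoft365DSC.
    [string]$ServicePrincipalName = 'M365DSC'
)

# Template ID of the built-in Exchange Administrator directory role.
# For built-in roles the role definition ID equals the template ID.
$ExchangeAdminRoleId = '29232cdf-9323-42fd-ade2-1d097af3e4de'

Connect-MgGraph -Scopes 'Application.Read.All', 'RoleManagement.Read.Directory'

# Resolve the service principal; a missing or ambiguous name is a hard failure.
$sp = @(Get-MgServicePrincipal -Filter "displayName eq '$ServicePrincipalName'")
if ($sp.Count -ne 1) {
    throw "Expected one service principal named '$ServicePrincipalName', found $($sp.Count)."
}

# All directory role assignments held by the service principal.
$assignments = @(Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($sp[0].Id)'" -All)

# Resolve each assignment to a role name so the full set can be reviewed.
$report = foreach ($a in $assignments) {
    $role = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $a.RoleDefinitionId
    [pscustomobject]@{
        Role     = $role.DisplayName
        Scope    = $a.DirectoryScopeId        # '/' means tenant-wide
        Required = ($a.RoleDefinitionId -eq $ExchangeAdminRoleId)
    }
}
$report | Sort-Object Role | Format-Table -AutoSize

# Assumption: the deployment step needs Exchange Administrator at tenant scope.
$hasRole = $assignments | Where-Object {
    $_.RoleDefinitionId -eq $ExchangeAdminRoleId -and $_.DirectoryScopeId -eq '/'
}
if (-not $hasRole) {
    throw "'$ServicePrincipalName' does not hold the Exchange Administrator role; assign it before deploying."
}

# Other roles may be required by other pages; they are flagged for review only.
$extra = @($report | Where-Object { -not $_.Required })
if ($extra.Count -gt 0) {
    Write-Warning "$($extra.Count) additional directory role(s) assigned; review whether they are needed."
}
```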

Mail Flow

This section describes the configuration of mail flow within Exchange Online associated with systems built according to guidance in ASD's Blueprint for Secure Cloud.

Roles

This section describes the configuration of roles within Exchange Online associated with systems built according to guidance in ASD's Blueprint for Secure Cloud.

Settings

This section describes the configuration of Exchange Online associated with systems built according to guidance in ASD's Blueprint for Secure Cloud.

External Configuration

This section describes the configuration of Exchange Online associated with systems built according to guidance in ASD's Blueprint for Secure Cloud.


Authorised by the Australian Government, Canberra