
Defender for Office365 policies in new tenants

Recently, I was having a problem creating Defender for Office365 threat policies in new M365 tenants. Every time I tried to create an anti-spam policy, for example, I got the following message:

Security

Your organization settings need to be updated. Do you want to continue?

I had the Azure AD role ‘Security Administrator’ and clicked ‘Yes’. I received the following message:

Client Error

An error occurred when creating the policy. Please review your settings and try again.

Creating a quarantine policy had a different image. I was able to go through the process of creating the quarantine policy and even submit it. A green checkmark appeared with my policy name in the background. As soon as I clicked OK, the policy disappeared. When I tried to use the same policy name again, an error occurred. I tried using PowerShell… No error message on creation, but the “Get-QuarantinePolicy” didn’t show my policy. A new PowerShell with my previous request to create the policy said that my policy already existed.

My next attempt was to ask a colleague of mine to try to create the things I was doing as he had the Global Administrator role. He went to the same settings as me and was able to enable this setting. He also pointed me to the following Microsoft article: Enable-OrganizationCustomization (ExchangePowerShell) | Microsoft Learn

This article documents that this can happen in the following cases, for example:

  • Creating a new role group or creating a new management role assignment.
  • Creating a new role assignment policy or modifying a built-in role assignment policy.
  • Creating a new Outlook on the web mailbox policy or modifying a built-in Outlook on the web mailbox policy.
  • Creating a new sharing policy or modifying a built-in sharing policy.
  • Creating a new retention policy or modifying a built-in retention policy.
  • Enabling preset security policies in the Microsoft 365 Defender portal.

To verify whether the feature is enabled in your Exchange Online tenant, you can use the “ExchangeOnlineManagement” module and connect to your tenant using the “Connect-ExchangeOnline” command. Then check the following:

Get-OrganizationConfig | Select IsDehydrated

Whether Enable-OrganizationCustomization has previously been run in an organization is shown by the IsDehydrated property returned by the Get-OrganizationConfig cmdlet:

False ($false) = the command has already been run.
True ($true) = the command has never been run.

To activate it, run the following:

Enable-OrganizationCustomization
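
The check and the activation above can be combined into one script that only changes the tenant when it is still dehydrated. This is an added example, not part of the original post; the `$AdminUpn` value is a placeholder and must be replaced with an account that has sufficient permissions.

```powershell
# Added example: check IsDehydrated and enable organization customization only if needed.
# $AdminUpn is a placeholder. In the post, 'Security Administrator' was not enough
# to get past the prompt, while a Global Administrator could enable the setting.
$AdminUpn = 'admin@contoso.onmicrosoft.com'   # placeholder value

if (-not (Get-Module -ListAvailable -Name ExchangeOnlineManagement)) {
    throw 'ExchangeOnlineManagement module not found. Install it with: Install-Module ExchangeOnlineManagement'
}

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

try {
    $org = Get-OrganizationConfig

    if ($org.IsDehydrated) {
        # True = Enable-OrganizationCustomization has never been run in this tenant
        Write-Host "$($org.Name): IsDehydrated = True, running Enable-OrganizationCustomization"
        Enable-OrganizationCustomization -ErrorAction Stop

        # Read the configuration again to confirm the new state
        $org = Get-OrganizationConfig
        Write-Host "$($org.Name): IsDehydrated is now $($org.IsDehydrated)"
    }
    else {
        # False = the command has already been run, nothing to change
        Write-Host "$($org.Name): IsDehydrated = False, organization customization is already enabled"
    }
}
catch {
    # Surfaces permission or service errors instead of failing silently
    Write-Warning "Could not check or enable organization customization: $($_.Exception.Message)"
}
finally {
    Disconnect-ExchangeOnline -Confirm:$false
}
```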

I hope this information is helpful in guiding you through the process of checking the activation of the feature in your Exchange Online tenant and the corresponding error message. If you have any additional questions or concerns, please don’t hesitate to reach out for further assistance. It’s always a pleasure to help and support my readers in their technical endeavors. Until next time, take care and happy computing!

You can connect with me on LinkedIn, Twitter and Mastodon. Thanks for reading and sharing.
