param ( [parameter()] [System.Management.Automation.PSCredential] $GlobalAdminAccount, [parameter()] [array]$GatewayIP, [parameter()] [string]$agency, [parameter()] [string]$technicalcontactemail ) Configuration M365TenantConfig { param ( [parameter()] [System.Management.Automation.PSCredential] $GlobalAdminAccount, [parameter(Mandatory)] [array]$GatewayIP, [parameter(Mandatory)] [string]$agency, [parameter()] [string]$agencyprefix, [parameter()] [string]$technicalcontactemail ) if ($null -eq $GlobalAdminAccount) { <# Credentials #> $Credsglobaladmin = Get-Credential -Message "Global Admin credentials" } else { $Credsglobaladmin = $GlobalAdminAccount } if ($null -eq $technicalcontactemail) { $technicalcontactemail = "IT.Security" } $OrganizationName = $Credsglobaladmin.UserName.Split('@')[1] # match the module version to that installed on your machine using "Get-Module -Name Microsoft365DSC -ListAvailable | select version" Import-DscResource -ModuleName 'Microsoft365DSC' -Moduleversion "1.21.1027.1" #Connect to EXO to grab the CASMailboxPlan GUIDs Identity attribute Connect-ExchangeOnline -UserPrincipalName $Credsglobaladmin.UserName $_ExchangeOnlineEssentials = Get-CASMailboxPlan | where {$_.displayname -eq "ExchangeOnlineEssentials"} $_ExchangeOnlineEssentialsID = $_ExchangeOnlineEssentials.Identity $_ExchangeOnlineDeskless = Get-CASMailboxPlan | where {$_.displayname -eq "ExchangeOnlineDeskless"} $_ExchangeOnlineDesklessID = $_ExchangeOnlineDeskless.Identity $_ExchangeOnline = Get-CASMailboxPlan | where {$_.displayname -eq "ExchangeOnline"} $_ExchangeOnlineID = $_ExchangeOnline.Identity $_ExchangeOnlineEnterprise = Get-CASMailboxPlan | where {$_.displayname -eq "ExchangeOnlineEnterprise"} $_ExchangeOnlineEnterpriseID = $_ExchangeOnlineEnterprise.Identity $agencyfqdn = $agency + ".gov.au" Node localhost { EXOAntiPhishPolicy AntiPhishPolicyDefault { AdminDisplayName = ""; AuthenticationFailAction = "Quarantine"; Credential = $Credsglobaladmin; Enabled = $True; EnableFirstContactSafetyTips = $True; EnableMailboxIntelligence = $True; EnableMailboxIntelligenceProtection = $True; EnableOrganizationDomainsProtection = $True; EnableSimilarDomainsSafetyTips = $True; EnableSimilarUsersSafetyTips = $False; EnableSpoofIntelligence = $True; EnableTargetedDomainsProtection = $False; EnableTargetedUserProtection = $False; EnableUnauthenticatedSender = $True; EnableUnusualCharactersSafetyTips = $True; EnableViaTag = $True; Ensure = "Present"; ExcludedDomains = @(); ExcludedSenders = @(); Identity = "Office365 AntiPhish Default"; ImpersonationProtectionState = "Automatic"; MailboxIntelligenceProtectionAction = "Quarantine"; MailboxIntelligenceProtectionActionRecipients = @(); PhishThresholdLevel = 2; TargetedDomainActionRecipients = @(); TargetedDomainProtectionAction = "Quarantine"; TargetedDomainsToProtect = @(); TargetedUserActionRecipients = @(); TargetedUserProtectionAction = "NoAction"; TargetedUsersToProtect = @(); } EXOAtpPolicyForO365 O365ATPPolicySafeLinks { AllowClickThrough = $False; AllowSafeDocsOpen = $False; BlockUrls = @(); Credential = $Credsglobaladmin; EnableATPForSPOTeamsODB = $True; EnableSafeDocs = $True; EnableSafeLinksForO365Clients = $True; Ensure = "Present"; Identity = "Default"; IsSingleInstance = "Yes"; TrackClicks = $False; } EXOCASMailboxPlan CASMailboxPlan-Essentials { ActiveSyncEnabled = $False; Credential = $Credsglobaladmin; Ensure = "Present"; Identity = $_ExchangeOnlineEssentialsID; ImapEnabled = $False; OwaMailboxPolicy = "OwaMailboxPolicy-Default"; PopEnabled = $False; } EXOCASMailboxPlan CASMailboxPlan-Deskless { ActiveSyncEnabled = $False; Credential = $Credsglobaladmin; Ensure = "Present"; Identity = $_ExchangeOnlineDesklessID; ImapEnabled = $False; OwaMailboxPolicy = "OwaMailboxPolicy-Default"; PopEnabled = $False; } EXOCASMailboxPlan CASMailboxPlan-ExchangeOnline { ActiveSyncEnabled = $False; Credential = $Credsglobaladmin; Ensure = "Present"; Identity = $_ExchangeOnlineID; ImapEnabled = $True; OwaMailboxPolicy = "OwaMailboxPolicy-Default"; PopEnabled = $True; } EXOCASMailboxPlan CASMailboxPlan-Enterprise { ActiveSyncEnabled = $False; Credential = $Credsglobaladmin; Ensure = "Present"; Identity = $_ExchangeOnlineEnterpriseID; ImapEnabled = $False; OwaMailboxPolicy = "OwaMailboxPolicy-Default"; PopEnabled = $False; } EXOHostedConnectionFilterPolicy ConnectionFilterPolicy { AdminDisplayName = ""; Credential = $Credsglobaladmin; EnableSafeList = $True; Ensure = "Present"; Identity = "Default"; IPAllowList = $GatewayIP; IPBlockList = @(); MakeDefault = $False; } EXOHostedContentFilterPolicy AntiSpamFilterPolicy { AddXHeaderValue = ""; AdminDisplayName = ""; BulkSpamAction = "MoveToJmf"; BulkThreshold = 6; Credential = $Credsglobaladmin; DownloadLink = $False; EnableEndUserSpamNotifications = $False; EnableLanguageBlockList = $False; EnableRegionBlockList = $False; EndUserSpamNotificationCustomSubject = ""; EndUserSpamNotificationFrequency = 3; EndUserSpamNotificationLanguage = "Default"; Ensure = "Present"; HighConfidencePhishAction = "Quarantine"; HighConfidenceSpamAction = "Quarantine"; Identity = "Default"; IncreaseScoreWithBizOrInfoUrls = "On"; IncreaseScoreWithImageLinks = "On"; IncreaseScoreWithNumericIps = "On"; IncreaseScoreWithRedirectToOtherPort = "On"; InlineSafetyTipsEnabled = $True; LanguageBlockList = @(); MakeDefault = $True; MarkAsSpamBulkMail = "On"; MarkAsSpamEmbedTagsInHtml = "Off"; MarkAsSpamEmptyMessages = "On"; MarkAsSpamFormTagsInHtml = "Off"; MarkAsSpamFramesInHtml = "Off"; MarkAsSpamFromAddressAuthFail = "On"; MarkAsSpamJavaScriptInHtml = "On"; MarkAsSpamNdrBackscatter = "On"; MarkAsSpamObjectTagsInHtml = "On"; MarkAsSpamSensitiveWordList = "On"; MarkAsSpamSpfRecordHardFail = "On"; MarkAsSpamWebBugsInHtml = "On"; ModifySubjectValue = ""; PhishSpamAction = "Quarantine"; PhishZapEnabled = $True; QuarantineRetentionPeriod = 15; RedirectToRecipients = @(); RegionBlockList = @(); SpamAction = "MoveToJmf"; SpamZapEnabled = $True; TestModeAction = "None"; TestModeBccToRecipients = @(); } EXOHostedOutboundSpamFilterPolicy OutboundSpamFilter { ActionWhenThresholdReached = "BlockUserForToday"; AdminDisplayName = ""; AutoForwardingMode = "Automatic"; BccSuspiciousOutboundAdditionalRecipients = @(); BccSuspiciousOutboundMail = $False; Credential = $Credsglobaladmin; Ensure = "Present"; Identity = "Default"; NotifyOutboundSpam = $False; NotifyOutboundSpamRecipients = @(); RecipientLimitExternalPerHour = 0; RecipientLimitInternalPerHour = 0; RecipientLimitPerDay = 0; } EXOMalwareFilterPolicy MalwareFilter { Action = "DeleteMessage"; Credential = $Credsglobaladmin; CustomNotifications = $False; EnableExternalSenderAdminNotifications = $True; EnableExternalSenderNotifications = $False; EnableFileFilter = $True; EnableInternalSenderAdminNotifications = $True; EnableInternalSenderNotifications = $False; Ensure = "Present"; ExternalSenderAdminAddress = $technicalcontactemail+"@"+$agency+".gov.au"; FileTypes = @("ace","ani","app","exe","jar","reg","scr","vbe","vbs"); Identity = "Default"; InternalSenderAdminAddress = $technicalcontactemail+"@"+$agency+".gov.au"; ZapEnabled = $True; } EXOOwaMailboxPolicy DefaultOwaPolicy { ActionForUnknownFileAndMIMETypes = "Allow"; ActiveSyncIntegrationEnabled = $False; AdditionalStorageProvidersAvailable = $False; AllAddressListsEnabled = $True; AllowCopyContactsToDeviceAddressBook = $True; AllowedFileTypes = @(".rpmsg",".xlsx",".xlsm",".xlsb",".vstx",".vstm",".vssx",".vssm",".vsdx",".vsdm",".tiff",".pptx",".pptm",".ppsx",".ppsm",".docx",".docm",".zip",".xls",".wmv",".wma",".wav",".vtx",".vsx",".vst",".vss",".vsd",".vdx",".txt",".tif",".rtf",".pub",".ppt",".png",".pdf",".one",".mp3",".jpg",".gif",".doc",".csv",".bmp",".avi"); AllowedMimeTypes = @("image/jpeg","image/png","image/gif","image/bmp"); BlockedFileTypes = @(".settingcontent-ms",".printerexport",".appcontent-ms",".appref-ms",".vsmacros",".website",".msh2xml",".msh1xml",".diagcab",".webpnp",".ps2xml",".ps1xml",".mshxml",".gadget",".theme",".psdm1",".mhtml",".cdxml",".xbap",".vhdx",".pyzw",".pssc",".psd1",".psc2",".psc1",".msh2",".msh1",".jnlp",".aspx",".appx",".xnk",".xll",".wsh",".wsf",".wsc",".wsb",".vsw",".vhd",".vbs",".vbp",".vbe",".url",".udl",".tmp",".shs",".shb",".sct",".scr",".scf",".reg",".pyz",".pyw",".pyo",".pyc",".pst",".ps2",".ps1",".prg",".prf",".plg",".pif",".pcd",".osd",".ops",".msu",".mst",".msp",".msi",".msh",".msc",".mht",".mdz",".mdw",".mdt",".mde",".mdb",".mda",".mcf",".maw",".mav",".mau",".mat",".mas",".mar",".maq",".mam",".mag",".maf",".mad",".lnk",".ksh",".jse",".jar",".its",".isp",".ins",".inf",".htc",".hta",".hpj",".hlp",".grp",".fxp",".exe",".der",".csh",".crt",".cpl",".com",".cnt",".cmd",".chm",".cer",".bat",".bas",".asx",".asp",".app",".apk",".adp",".ade",".ws",".vb",".py",".pl",".js"); BlockedMimeTypes = @("application/x-javascript","application/javascript","application/msaccess","x-internet-signup","text/javascript","application/prg","application/hta","text/scriplet"); ClassicAttachmentsEnabled = $True; ConditionalAccessPolicy = "ReadOnly"; Credential = $Credsglobaladmin; DefaultTheme = ""; DirectFileAccessOnPrivateComputersEnabled = $True; DirectFileAccessOnPublicComputersEnabled = $False; DisplayPhotosEnabled = $True; Ensure = "Present"; ExplicitLogonEnabled = $True; ExternalImageProxyEnabled = $True; ForceSaveAttachmentFilteringEnabled = $False; ForceSaveFileTypes = @(".svgz",".html",".xml",".swf",".svg",".spl",".htm",".dir",".dcr"); ForceSaveMimeTypes = @("Application/x-shockwave-flash","Application/octet-stream","Application/futuresplash","Application/x-director","application/xml","image/svg+xml","text/html","text/xml"); ForceWacViewingFirstOnPrivateComputers = $False; ForceWacViewingFirstOnPublicComputers = $False; FreCardsEnabled = $True; GlobalAddressListEnabled = $True; GroupCreationEnabled = $False; InstantMessagingEnabled = $True; InstantMessagingType = "Ocs"; InterestingCalendarsEnabled = $False; IRMEnabled = $True; IsDefault = $True; JournalEnabled = $False; LocalEventsEnabled = $False; LogonAndErrorLanguage = 0; Name = "OwaMailboxPolicy-Default"; NotesEnabled = $True; NpsSurveysEnabled = $False; OnSendAddinsEnabled = $True; OrganizationEnabled = $True; OutboundCharset = "AutoDetect"; OutlookBetaToggleEnabled = $False; OWALightEnabled = $True; PersonalAccountCalendarsEnabled = $False; PhoneticSupportEnabled = $False; PlacesEnabled = $False; PremiumClientEnabled = $True; PrintWithoutDownloadEnabled = $True; PublicFoldersEnabled = $False; RecoverDeletedItemsEnabled = $True; ReferenceAttachmentsEnabled = $True; RemindersAndNotificationsEnabled = $True; ReportJunkEmailEnabled = $True; RulesEnabled = $True; SatisfactionEnabled = $False; SaveAttachmentsToCloudEnabled = $True; SearchFoldersEnabled = $True; SetPhotoEnabled = $True; SetPhotoURL = ""; SignaturesEnabled = $True; SkipCreateUnifiedGroupCustomSharepointClassification = $True; TeamSnapCalendarsEnabled = $False; TextMessagingEnabled = $True; ThemeSelectionEnabled = $True; UMIntegrationEnabled = $True; UseGB18030 = $False; UseISO885915 = $False; UserVoiceEnabled = $False; WacEditingEnabled = $True; WacExternalServicesEnabled = $True; WacOMEXEnabled = $False; WacViewingOnPrivateComputersEnabled = $True; WacViewingOnPublicComputersEnabled = $True; WeatherEnabled = $True; WebPartsFrameOptionsType = "None"; } EXORemoteDomain DefaultRemoteDomain { AllowedOOFType = "External"; AutoForwardEnabled = $False; AutoReplyEnabled = $False; ByteEncoderTypeFor7BitCharsets = "Undefined"; CharacterSet = ""; ContentType = "MimeHtmlText"; Credential = $Credsglobaladmin; DeliveryReportEnabled = $False; DisplaySenderName = $True; DomainName = "*"; Ensure = "Present"; Identity = "Default"; IsInternal = $False; LineWrapSize = "Unlimited"; MeetingForwardNotificationEnabled = $False; Name = "Default"; NonMimeCharacterSet = ""; PreferredInternetCodePageForShiftJis = "Undefined"; TargetDeliveryDomain = $False; TrustedMailInboundEnabled = $False; TrustedMailOutboundEnabled = $False; UseSimpleDisplayName = $False; } EXOSafeAttachmentPolicy DefaultSafeAttachmentsPolicy { Action = "Block"; ActionOnError = $True; AdminDisplayName = ""; Credential = $Credsglobaladmin; Enable = $True; Ensure = "Present"; Identity = "Default Safe Attachments Policy"; Redirect = $False; RedirectAddress = ""; } EXOSafeAttachmentRule DefaultSafeAttachmentsPolicy { Credential = $Credsglobaladmin; Enabled = $True; Ensure = "Present"; Identity = "Default Safe Attachments Policy"; Priority = 0; RecipientDomainIs = @("$OrganizationName","$agencyfqdn"); SafeAttachmentPolicy = "Default Safe Attachments Policy"; } EXOSafeLinksPolicy DefaultSafeLinksPolicy { AdminDisplayName = ""; Credential = $Credsglobaladmin; CustomNotificationText = ""; DeliverMessageAfterScan = $True; DoNotAllowClickThrough = $True; DoNotRewriteUrls = @(); DoNotTrackUserClicks = $False; EnableForInternalSenders = $True; EnableOrganizationBranding = $False; EnableSafeLinksForTeams = $True; Ensure = "Present"; Identity = "Default Safe Links Policy"; IsEnabled = $True; ScanUrls = $True; } EXOSafeLinksRule DefaultSafeLinksRule { Credential = $Credsglobaladmin; Enabled = $True; Ensure = "Present"; Identity = "Default Safe Links Policy"; Priority = 0; RecipientDomainIs = @("$OrganizationName","$agencyfqdn"); SafeLinksPolicy = "Default Safe Links Policy"; } } } M365TenantConfig -ConfigurationData .\ConfigurationData.psd1 -GlobalAdminAccount $GlobalAdminAccount -GatewayIP $GatewayIP -agency $agency