Office 365 Recommended Configuration Analyzer

In this guide, we'll explore effective strategies to enhance security in Exchange Online within Office 365. We'll utilize the Microsoft Defender for Office 365 Recommended Configuration Analyzer (ORCA) tool to generate a comprehensive ORCA report. Additionally, we'll delve into the configuration analyzer available in the Microsoft 365 Defender portal to ensure robust security settings.

ORCA

ORCA is a report you can run in your Microsoft 365 environment, highlighting known configuration issues and improvements that can impact your experience with Microsoft Defender for Office 365 (formerly Office 365 Advanced Threat Protection). The configuration analyzer evaluates the following types of policies:

  • Exchange Online Protection (EOP) policies: This includes Microsoft 365 organizations with Exchange Online mailboxes and standalone EOP organizations without Exchange Online mailboxes.
  • Microsoft Defender for Office 365 policies: This includes organizations with Microsoft 365 E5 or Defender for Office 365 add-on subscriptions.

You can run the ORCA report without Microsoft Defender for Office 365, but there will be fewer checks. Always verify the latest ORCA version from the PowerShell Gallery to ensure you have the most up-to-date information and capabilities.

Install ORCA module

Start Windows PowerShell as administrator.

Run the Install-Module ORCA cmdlet to install the ORCA PowerShell module.

Verify that you successfully installed the ORCA module with the Get-InstalledModule cmdlet.

Get ORCA report

Run the Get-ORCAReport cmdlet.

Let it analyze the tenant and go through the recommendation checks.

After the above checks, an HTML report is generated and exported to the AppData folder.
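The install, verify and report steps above can be combined into one script that also compares the installed ORCA version with the one in the PowerShell Gallery. This is an added example, not part of the original guide; the report file name pattern used to locate the HTML output is an assumption, since the guide only says the report is exported to the AppData folder.

```powershell
# Added example: install or update ORCA, run the report, locate the HTML output.
# Run from an elevated Windows PowerShell session, as in the steps above.
$ErrorActionPreference = 'Stop'
$moduleName = 'ORCA'

# Latest version published in the PowerShell Gallery.
$latest = Find-Module -Name $moduleName -Repository PSGallery

# Installed copy, if any. Get-InstalledModule raises an error when the module
# is absent, so suppress it and test for $null instead.
$installed = Get-InstalledModule -Name $moduleName -ErrorAction SilentlyContinue

if (-not $installed) {
    Write-Host "Installing $moduleName $($latest.Version)"
    Install-Module -Name $moduleName -Repository PSGallery
}
elseif ([version]$installed.Version -lt [version]$latest.Version) {
    Write-Host "Updating $moduleName $($installed.Version) -> $($latest.Version)"
    Update-Module -Name $moduleName
}
else {
    Write-Host "$moduleName $($installed.Version) is current"
}

# Confirm what is installed now before running any checks.
Get-InstalledModule -Name $moduleName | Format-Table Name, Version, Repository

Import-Module $moduleName
$started = Get-Date

# Analyzes the tenant and runs the recommendation checks.
Get-ORCAReport

# Assumption: the report is an .html file with "ORCA" in its name somewhere
# under %LOCALAPPDATA%. Only files written after this run started are considered.
$report = Get-ChildItem -Path $env:LOCALAPPDATA -Recurse -File -Filter '*ORCA*.html' -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $started } |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 1

if ($report) {
    Write-Host "Report written to $($report.FullName)"
}
else {
    Write-Warning "No new ORCA HTML report found under $env:LOCALAPPDATA"
}
```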

ORCA report details

By default, the HTML report will open in your default browser. The first thing you might notice is a red block at the top. This indicates that you don’t have Microsoft Defender for Office 365 in your tenant. If you don’t see this red block, it means you have Microsoft Defender for Office 365, and ORCA performed additional checks to further enhance your security.

Scroll to one of the sections that need improvement. In this example, we will look at the Anti-Spam Policies.

Under each section, you find more information about the recommended settings. Clicking the links will open the Microsoft technical documentation page. The last link will take you straight to the settings to configure, which is excellent.

Microsoft 365 Defender configuration analyzer

The configuration analyzer can help identify issues in your current configuration and help improve your policies for better security.

Go to the configuration analyzer in the Microsoft 365 Defender portal by following these steps.

  1. Sign in to the Microsoft 365 security center.
  2. Expand Email & Collaboration.
  3. Go to Policies & rules > Threat policies.
  4. Click on Configuration Analyzer.

Standard recommendations

The standard recommendations tab shows 18 recommendations. We can select each recommendation and click on Apply recommendation to improve the policy. Standard recommendations aim to balance security and usability, ensuring that your organization remains protected without overly restricting user activities.

Strict recommendations

The strict recommendations tab in the configuration analyzer offers more rigorous security settings to maximize the protection of your Microsoft 365 environment.

Conclusion

The ORCA report offers different recommendations compared to the configuration analyzer in the Microsoft 365 portal. This discrepancy arises because ORCA is developed by Product Managers at Microsoft and is not an official Microsoft utility. For official, in-product configuration analysis, you should use the Microsoft 365 Defender configuration analyzer available in the portal.

In this guide, you learned how to check and configure Office 365 security recommendations using the configuration analyzer. The ORCA report provides more extensive recommendations than those found in the security portal and offers easier access to relevant Microsoft technical documentation.

I recommend using both configuration analyzers for now. If you prefer a straightforward approach, adopt the changes through the Microsoft 365 Defender portal. For more customized settings, follow the steps outlined in the Microsoft technical documentation, which are conveniently linked within the ORCA report under each section.