ETP Implementation - Deployment for M365
How to install ETP on a domain set up for email in M365
***Important: ETP for a new domain can only be implemented after confirmation from the Ostra Onboarding Team that prep is complete.
1. Log into the Microsoft admin portal (admin.microsoft.com/Adminportal/Home) and click on the menu icon (the "burger") next to Microsoft 365 admin center.
***Important: If the domain registrar is GoDaddy and the admin is logged in, you will be redirected to GoDaddy when attempting to navigate to the Microsoft admin portal. As a workaround, type the URL of each admin portal directly into the browser address bar. The URLs are given below in the steps where this applies.
2. Click on All Apps.
3. Search or scroll down and click on Security.
***Important: If redirected to GoDaddy, type in this URL: security.microsoft.com.
4. In Microsoft 365 Defender, click on Policies & rules in the left menu, then click on Threat policies.
5. In Policies & rules > Threat policies, click on Anti-spam.
6. In Policies & rules > Threat policies > Anti-spam policies, click on Anti-spam inbound policy (Default).
7. In Anti-spam inbound policy (Default), scroll down and click on Edit allowed and blocked senders and domains.
8. In Allowed and blocked senders and domains, click on Allow domains.
9. In Manage allowed domains, click on + Add domains.
10. In Add custom domains, enter these domains in the Domain field to ensure deliverability: fireeyecloud.com, ostra.net, the Ostra partner domain, and the MSP domain if applicable. Click Add domains. Click OK/Save on the next few screens.
***Important: If these settings have never been accessed before in this tenant, you will get an organization customization prompt (Exchange Online must run Enable-OrganizationCustomization once before custom policies can be created), which delays access to the remaining steps. Click OK when the prompt appears and the command will run automatically in the background. It may take several hours before you can proceed.
11. In Anti-spam policies, click on Connection filter policy (Default).
12. In Connection filter policy (Default), click Edit connection filter policy.
13. In Connection filter policy (Default), enter these IPs in the Always allow field: 34.223.36.0/24 and 3.93.93.0/24. Save.
14. Go back to the browser tab for Microsoft 365 admin center, click Show all, scroll down to Admin centers, and click on Exchange.
***Important: If redirected to GoDaddy, type in this URL: admin.exchange.microsoft.com.
15. In Exchange admin center, expand Mail flow, then click on Connectors.
16. In Connectors, click on + Add a connector. In New connector, select Partner organization as the connection from.
17. In Connector name, type ETP Connector in the Name field and save.
18. In Authenticating sent email, select the second option ("By verifying that the IP address..."), and add the IP addresses 34.223.36.0/24 and 3.93.93.0/24. Click OK/Save through the next few screens. In Security restrictions, verify that Reject email messages if they aren't sent over TLS is checked before saving.
19. In the Mail flow menu, select Rules. In Rules, click on + Add a rule, then Create a new rule.
20. In Set rule conditions, type ETP Spam Bypass in the Name field. In the Apply this rule if drop-menus, select The sender > IP address is in any of these ranges or exactly matches.
21. In Specify IP address ranges, add 34.223.36.0/24 and 3.93.93.0/24 and save.
22. In Set rule conditions > Do the following, select Modify the message properties > Set the spam confidence level (SCL) from the drop-menus, choose the SCL value, and click OK/Save through the next few steps.
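Steps 10 through 22 can also be applied from PowerShell. The following is an added example written for this guide, not a script supplied by Ostra or Microsoft, and it uses the ExchangeOnlineManagement module. Assumptions are labelled: partner.example and msp.example stand in for the Ostra partner domain and the MSP domain, the ETP Spam Bypass rule is taken to set SCL -1 (bypass spam filtering, matching the rule's purpose), and the account running it holds the Exchange Administrator or Global Administrator role. The script prints the effective settings at the end so they can be compared against the guide.

```powershell
# Added example: apply the ETP changes from steps 10-22 to Exchange Online Protection.
# Not part of the Ostra guide. Requires the ExchangeOnlineManagement module and an
# account with the Exchange Administrator (or Global Administrator) role.
#Requires -Modules ExchangeOnlineManagement

param(
    # Assumption: partner.example / msp.example are placeholders for the real partner and MSP domains.
    [string[]]$AllowedDomains = @('fireeyecloud.com', 'ostra.net', 'partner.example', 'msp.example'),
    # ETP source ranges from steps 13, 18 and 21 of the guide.
    [string[]]$EtpIpRanges    = @('34.223.36.0/24', '3.93.93.0/24')
)

Connect-ExchangeOnline -ShowBanner:$false

# Step 10: allow the ETP / Ostra domains in the default anti-spam inbound policy.
Set-HostedContentFilterPolicy -Identity Default -AllowedSenderDomains @{Add = $AllowedDomains}

# Step 13: always allow the ETP IP ranges in the default connection filter policy.
Set-HostedConnectionFilterPolicy -Identity Default -IPAllowList @{Add = $EtpIpRanges}

# Steps 16-18: partner inbound connector that identifies ETP by source IP and requires TLS.
if (-not (Get-InboundConnector -Identity 'ETP Connector' -ErrorAction SilentlyContinue)) {
    New-InboundConnector -Name 'ETP Connector' `
        -ConnectorType Partner `
        -SenderDomains '*' `
        -SenderIPAddresses $EtpIpRanges `
        -RestrictDomainsToIPAddresses $true `
        -RequireTls $true `
        -Enabled $true | Out-Null
}

# Steps 19-22: mail flow rule that bypasses spam filtering for mail arriving from ETP.
# Assumption: SCL -1 ("Bypass spam filtering") is the value chosen in step 22.
if (-not (Get-TransportRule -Identity 'ETP Spam Bypass' -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name 'ETP Spam Bypass' `
        -SenderIpRanges $EtpIpRanges `
        -SetSCL -1 `
        -Comments 'Added during ETP deployment; mail from the ETP IP ranges is already filtered upstream.' | Out-Null
}

# Verification: show the effective settings so they can be checked against the guide.
[pscustomobject]@{
    AllowedSenderDomains = (Get-HostedContentFilterPolicy -Identity Default).AllowedSenderDomains -join ', '
    IPAllowList          = (Get-HostedConnectionFilterPolicy -Identity Default).IPAllowList -join ', '
    ConnectorRequireTls  = (Get-InboundConnector -Identity 'ETP Connector').RequireTls
    ConnectorSenderIPs   = (Get-InboundConnector -Identity 'ETP Connector').SenderIPAddresses -join ', '
    RuleSetSCL           = (Get-TransportRule -Identity 'ETP Spam Bypass').SetSCL
} | Format-List

Disconnect-ExchangeOnline -Confirm:$false
```

Keep the allowed-domain list to the domains the guide names: mail whose sender domain is on the anti-spam allow list skips spam filtering, so every extra entry widens what an attacker can get through by spoofing that domain. The connector and the mail flow rule are scoped to the ETP IP ranges rather than to domains for the same reason.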
23. Go back to the Microsoft 365 admin center tab in your browser, and click on Azure Active Directory in the left-menu.
***Important: If redirected to GoDaddy, type in this URL: portal.azure.com.
24. In Azure Active Directory admin center, select Azure Active Directory, then App registrations, and click on + New registration.
25. In Register an application, type ETP Remediation in the Name field and save.
26. In ETP Remediation, click on API permissions, then + Add a permission.
27. In Request API permissions, click on Application permissions, type directory.read.all in Select permissions, and check the box for Directory.Read.All in Directory.
28. Type group.read.all in Select permissions, and check the box for Group.Read.All in Group.
29. Type mail.readwrite in Select permissions, and check the box for Mail.ReadWrite in Mail.
30. Type user.read.all in Select permissions, and check the box for User.Read.All in User and save.
31. In Configured permissions, click on Grant admin consent for ..., then click Yes in the pop-up.
32. In the Manage left-menu, click on Certificates & secrets, then click on + New client secret.
33. In Add a client secret, type ETP Remediation Secret in the Description field, then select 24 months from the drop-menu in Expires and save.
34. Start an email draft to onboarding@ostra.net and enter the following subject: Values for [Domain] ETP. Enter the values from the following sub-steps in the email body. These values will be used by Ostra to set up remediation for this domain.
34a. In Certificates & secrets, in the Client secrets tab, click the copy icon next to the text in the Value column and paste it in the email body. The secret value is shown only once; if you leave the page before copying it, delete that secret and create a new one.
34b. Click on Overview in the left-menu, select the Application (client) ID, Object ID, and Directory (tenant) ID, copy them, then paste them in the email body and send.
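Steps 24 through 34 can be done with the Microsoft Graph PowerShell SDK. The script below is an added example for this guide, not code from Ostra or Microsoft. It resolves the four application permissions to their app-role IDs from the Microsoft Graph service principal instead of hard-coding GUIDs, grants tenant-wide admin consent by assigning those roles to the new service principal (what the Grant admin consent button does), creates a 24-month secret, and prints the values requested in step 34. Assumptions: the caller is a Global Administrator, and the well-known Microsoft Graph application ID 00000003-0000-0000-c000-000000000000 is used to find the Graph service principal.

```powershell
# Added example: register the ETP Remediation app (steps 24-34) with the Microsoft.Graph SDK.
# Not part of the Ostra guide. Assumption: run as a Global Administrator so admin consent can be granted.
#Requires -Modules Microsoft.Graph.Applications

Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All', 'Directory.Read.All' -NoWelcome

$graphAppId = '00000003-0000-0000-c000-000000000000'   # well-known Microsoft Graph application ID
$graphSp    = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"
$wanted     = 'Directory.Read.All', 'Group.Read.All', 'Mail.ReadWrite', 'User.Read.All'   # steps 27-30

# Resolve each application permission name to its AppRole on the Graph service principal.
$roles = foreach ($name in $wanted) {
    $r = $graphSp.AppRoles | Where-Object { $_.Value -eq $name -and $_.AllowedMemberTypes -contains 'Application' }
    if (-not $r) { throw "Application permission '$name' not found on Microsoft Graph" }
    $r
}

# Steps 24-25: register the application with the required permissions declared.
$app = New-MgApplication -DisplayName 'ETP Remediation' -RequiredResourceAccess @(
    @{
        ResourceAppId  = $graphAppId
        ResourceAccess = @($roles | ForEach-Object { @{ Id = $_.Id; Type = 'Role' } })
    }
)

# The app needs a service principal in the tenant before consent can be recorded against it.
$sp = New-MgServicePrincipal -AppId $app.AppId

# Step 31: admin consent = an app role assignment for each permission.
foreach ($role in $roles) {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id `
        -PrincipalId $sp.Id -ResourceId $graphSp.Id -AppRoleId $role.Id | Out-Null
}

# Steps 32-33: client secret that expires in 24 months.
$secret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = 'ETP Remediation Secret'
    EndDateTime = (Get-Date).AddMonths(24)
}

# Step 34: values Ostra needs. SecretText is returned only at creation time; treat it as a credential.
[pscustomobject]@{
    'Application (client) ID' = $app.AppId
    'Object ID'               = $app.Id
    'Directory (tenant) ID'   = (Get-MgContext).TenantId
    'Client secret'           = $secret.SecretText
    'Secret expires'          = $secret.EndDateTime
} | Format-List
```

Record the expiry date: the remediation integration stops working when the secret lapses, and the only fix is to create a new secret and send the new value to Ostra.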
35. All changes in Microsoft 365 have been completed. To finalize ETP implementation, add the following MX records at the domain registrar (or wherever the domain's DNS is hosted). Remove all other MX records so that inbound mail can only arrive through ETP.
MX Records (Scope: @)
Priority  Record
10        primary.us.email.fireeyecloud.com
20        alt1.us.email.fireeyecloud.com
30        alt2.us.email.fireeyecloud.com
40        alt3.us.email.fireeyecloud.com
(See other Knowledge Base articles for instructions on changing MX records in GoDaddy or mydomain.com.)
36. Send a test email to an existing mailbox in the client domain and cc onboarding@ostra.net. The subject should be Test email to (domain). The Onboarding Team will verify that inbound email is being filtered through ETP and reply all to confirm a successful deployment.
Troubleshooting:
- If the test email is not received in the client inbox, check the MX records. Enter the domain in mxtoolbox.com or another tool to verify that only the four records above are listed. Note that resolvers may keep serving the old records until their TTL expires, so a change made minutes ago may not be visible yet.
- Review all the steps to ensure all policies were created according to this guide.
- Contact the Onboarding Team at onboarding@ostra.net or call (952) 521-8002.
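The MX check in the first troubleshooting point can be scripted so it is repeatable across client domains. The function below is an added example for this guide, not a tool from Ostra; it queries a public resolver directly (so a stale local cache does not hide a registrar change), compares the answer against the four records from step 35, and reports extra, missing or mis-prioritized records along with the largest TTL seen, which is how long other resolvers may still serve the old answer. Assumptions: Resolve-DnsName is available (DnsClient module, Windows), 8.8.8.8 is used only as an example public resolver, and example.com is a placeholder for the client domain.

```powershell
# Added example: confirm a domain's MX records are exactly the ETP records from step 35.
# Not part of the Ostra guide. Uses Resolve-DnsName from the Windows DnsClient module.
function Test-EtpMxRecords {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [string]$Server = '8.8.8.8'   # assumption: any public recursive resolver will do
    )

    # Expected records and priorities from step 35 of the guide.
    $expected = @{
        'primary.us.email.fireeyecloud.com' = 10
        'alt1.us.email.fireeyecloud.com'    = 20
        'alt2.us.email.fireeyecloud.com'    = 30
        'alt3.us.email.fireeyecloud.com'    = 40
    }

    # Ask the resolver directly; keep only MX answers (additional A records may come back too).
    $records = Resolve-DnsName -Name $Domain -Type MX -Server $Server -DnsOnly -ErrorAction Stop |
               Where-Object { $_.Type -eq 'MX' }

    # Normalize exchange names (strip trailing dot, lower-case) so comparison is exact.
    $found = @{}
    foreach ($r in $records) {
        $found[$r.NameExchange.TrimEnd('.').ToLowerInvariant()] = $r
    }

    $problems = @()
    foreach ($name in $found.Keys) {
        if (-not $expected.ContainsKey($name)) {
            $problems += "Extra MX record still published: $name (priority $($found[$name].Preference))"
        } elseif ($found[$name].Preference -ne $expected[$name]) {
            $problems += "$name has priority $($found[$name].Preference), expected $($expected[$name])"
        }
    }
    foreach ($name in $expected.Keys) {
        if (-not $found.ContainsKey($name)) { $problems += "Missing MX record: $name" }
    }

    [pscustomobject]@{
        Domain   = $Domain
        Passed   = ($problems.Count -eq 0)
        MaxTtl   = ($records | Measure-Object -Property TTL -Maximum).Maximum   # seconds old answers may linger
        Problems = $problems
    }
}

# Usage (example.com is a placeholder for the client domain):
Test-EtpMxRecords -Domain 'example.com' | Format-List
```

A result with Passed = False and an "Extra MX record" entry means the old mail provider's record was not removed, which lets mail bypass ETP entirely; a False result with only "Missing" entries usually means the registrar change has not propagated yet, so wait for the reported TTL and re-run.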
Please report any errors or omissions in this guide to onboarding@ostra.net.