Get-ConfigAnalyzerPolicyRecommendation

This cmdlet is available only in the cloud-based service.

Use the Get-ConfigAnalyzerPolicyRecommendation cmdlet to compare the settings in your existing security policies to the settings that are used in the Standard or Strict preset security policies. Settings that are below the recommend value are returned in the results.

For information about the parameter sets in the Syntax section below, see Exchange cmdlet syntax.

Syntax

Get-ConfigAnalyzerPolicyRecommendation
   -RecommendedPolicyType <RecommendedPolicyType>
   [[-Identity] <ConfigAnalyzerPolicyRecommendationIdParameter>]
   [-IsAppliedToDisabled]
   [<CommonParameters>]

Description

For information about the policies and their recommended Standard and Strict values, see Recommended settings for EOP and Microsoft Defender for Office 365 security.

The output of this cmdlet only returns settings that fall below the value that you've specified as a baseline (Standard or Strict).

The output contains the following information for each setting:

  • PolicyGroup: The type of policy. The value will be Anti-Spam, Anti-Phishing, Anti-Malware, ATP Safe Links, or ATP Safe Attachments
  • SettingName: The name of the setting in the policy.
  • SettingNameDescription: A description of the setting.
  • Policy: The name of the policy.
  • AppliedTo: The number of users or domains that the policy applies to. If the policy isn't applied to anyone (for example, it's disabled), this value will be blank.
  • CurrentConfiguration: The current value of the setting.
  • LastModified: When the policy was last modified.
  • Recommendation: The recommended Standard or Strict value for the setting.
  • SettingType: For example, Boolean, String, or Integer.

If a setting is configured at or better than the Standard or Strict protection profile that you're comparing to, those settings/policies aren't returned in the results

This cmdlet returns the following output for each setting in each policy that falls below the recommended value.

You need to be assigned permissions before you can run this cmdlet. Although this topic lists all parameters for the cmdlet, you may not have access to some parameters if they're not included in the permissions assigned to you. To find the permissions required to run any cmdlet or parameter in your organization, see Find the permissions required to run any Exchange cmdlet.

Examples

Example 1

Get-ConfigAnalyzerPolicyRecommendation -RecommendedPolicyType Strict

This example runs a comparison using the Strict preset security policy settings as a baseline.

Parameters

-Identity

This parameter is reserved for internal Microsoft use.

Type:ConfigAnalyzerPolicyRecommendationIdParameter
Position:0
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False
Applies to:Exchange Online

-IsAppliedToDisabled

The IsAppliedToDisabled switch filters the results by policies that aren't applied to anyone (the AppliedTo property is blank). You don't need to specify a value with this switch.

If you don't use this switch, the results include policies that are applied to users and policies that aren't applied to anyone.

Type:SwitchParameter
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Online

-RecommendedPolicyType

The RecommendedPolicyType parameter specifies the preset security policy that you want to use as a baseline. Valid values are:

  • Standard
  • Strict
Type:RecommendedPolicyType
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Online