Office 365 ORCA and Configuration analyzer

Posted by Harri Jaakkonen Posted on 20/09/2021 0 Comments on Office 365 ORCA and Configuration analyzer
Posted in Azure, Compliance, Defender, Identity, Microsoft 365, Security

I don’t how many of you ever used ORCA or Configuration analyzer? I have missed ORCA (Office 365 Advanced Threat Protection Recommended Configuration Analyzer) completely. I can see that it was introduced at Ignite 2019 but somehow I missed it.

So today I stumbled on it from a hint from my coworker and decided to dig a little bit deeper. There was couple of articles online, this one from Tony Redmond (@12Knocksinna)

Use ORCA to Check Office 365 Advanced Threat Protection Settings – Office 365 for IT Pros
ORCA is a project to help Office 365 tenant administrators validate their anti-spam and anti-malware settings against recommendations from Microsoft. ORCA is installed as a PowerShell module with just one cmdlet.

What is ORCA?

ORCA is a PowerShell module that you can run thru Exchange Online V2 PowerShell module. ORCA will gather your tenants security policy information and compare it against 61 policies from Microsoft best practices.

Then it will write a report saying how compliant your tenant is and what to do to get more compliant.

Installing ORCA

You can install ORCA from PowerShell Gallery.

https://www.powershellgallery.com/packages/ORCA/1.10.6

And you also need Exchange Online PowerShell module V2 as a pre-requisite.

More info from Github

orca/README.md at master · cammurray/orca
The Microsoft Defender for Office 365 Recommended Configuration Analyzer (ORCA) – orca/README.md at master · cammurray/orca

Running ORCA

Open PowerShell and run Get-ORCAReport

It will generate the HTML report in this destination:

$env:userprofile\AppData\Local\Microsoft\ORCA and absolute path C:\Users\UserProfileDirectory\AppData\Local\Microsoft\ORCA

Running ORCA against a tenant that doesn’t have Defender enabled.

And running against a tenant that has Defender enabled.

So comparing these two you will that Defender is preferred to be installed as it will cover the policies that this tool checks.

Configuration Analyzer

If you are not into PowerShell, you can make the same checks with Configuration Analyzer from Security Center.

But from here you cannot export the report. But on the other hand you can fix the security policies from the recommendations directly.

Conclusion

So in short, the PowerShell version is an assessment tool for remote auditors that don’t have eyes inside the machine (No Credentials) they could tell the customers admin to run the report and share the output.

And the Configuration Analyzer is a tool for admin who have access to the tenant and they can apply the policies directly from there. Always use common sense when applying changes as scout what happens in our environment.

Over and out,

Have a Nice Day - Free animation (animated gif)
Author: Harri Jaakkonen

Leave a Reply

Your email address will not be published. Required fields are marked *