Use ORCA to Check Office 365 Advanced Threat Protection Settings

Run Report to Check Anti-Spam and Anti-Malware Settings in an Office 365 Tenant

ORCA is the “Office 365 Advanced Threat Protection Recommended Configuration Analyzer.” It’s a PowerShell module written by Cam Murray, a Microsoft Senior Premier Field Engineer based in Sydney, with lots of help from Daniel Mozes and other people in Microsoft.

The idea behind ORCA is that you can run a simple PowerShell cmdlet (Get-ORCAReport) to generate an assessment of the anti-malware, anti-spam, and other message hygiene settings used by Exchange Online Protection (EOP) in an Office 365 tenant. Most value is gained if you have licenses for Advanced Threat Protection (ATP) because more settings exist to be checked against best practice. Or at least, best practice as it exists in the minds of the ORCA team.

Module in PowerShell Gallery

I found out about ORCA at the Microsoft Ignite 2019 conference. At first, the cmdlet wouldn’t run because I had the new REST-based Exchange Online management module loaded. Developing ORCA is not Cam’s daytime job, but some conversations moved things forward to make ORCA happy to run. You can download the latest module from the PowerShell gallery.

December 23: The latest version of ORCA is 1.3.2, accessible from the link above.

Running ORCA

Running ORCA is simple. Install the module, start a PowerShell session logged in with an administrator account and run the Get-ORCAReport cmdlet. Because Exchange Online uses Remote PowerShell rather than a module, the cmdlet checks for the presence of the Connect-EXOPSSession command, which means that you need to have either the REST module installed or connect to Exchange Online with MFA. All Office 365 administrator accounts should use MFA, but you don’t need to use MFA to use ORCA.

When it starts, the cmdlet makes some checks, connects to Exchange Online, and then starts to fetch details of the various anti-malware policies configured in the tenant (Figure 1).

Running the Get-ORCAReport cmdlet
Figure 1: Running the Get-ORCAReport cmdlet

There’s no magic here in retrieving policy settings as they are all easily accessed with PowerShell cmdlets or by going to the Threat Management section of the Security and Compliance Center and then selecting Policy.

The ORCA Report

The magic is in the report generated by ORCA because it’s here that comparisons and checks are made against the settings in a tenant and the values recommended by the Advanced Threat Protection developers and other experts inside Microsoft. You can agree or disagree with their conclusions, but it’s good to have a baseline to argue from.

After ORCA finishes, it opens the HTML report in a tab in your default browse (Figure 2). The report is divided up into an overall summary plus different sections of mail hygiene such as Spam Action and Domain Whitelisting where recommendations are offered.

 The ORCA Report
Figure 2: The ORCA Report

After perusing the recommendations, it’s up to you decide if any of them make sense in your environment and modify the relevant policy through the Security and Compliance Center. Figure 3 shows the settings for the anti-malware policy in my tenant.

Figure 3: Reviewing the Office 365 Anti-malware policy settings

Nice Addition to the Toolkit

ORCA is a nice addition to the Office 365 administration toolkit. It can be hard to keep up to date with all the changes made by Microsoft to enhance and expand the various policies used to defend Exchange Online against malware and spam, and being able to run a check every so often just to make sure that everything is as it should be makes a heap of sense.

Chapter 17 of the Office 365 for IT Pros eBook explains the anti-malware and anti-spam policies used by EOP and ATP in great detail. Subscribe now to make sure you understand what all the settings mean.

9 Replies to “Use ORCA to Check Office 365 Advanced Threat Protection Settings”

  1. PS C:\Windows\system32> Get-ORCAReport
    11/15/2019 21:32:35 Performing ORCA Version check…
    ORCA requires either the Exchange Online PowerShell Module ( loaded or the Exchange Online
    PowerShell module from the PowerShell Gallery installed.
    At C:\Program Files\WindowsPowerShell\Modules\ORCA\1.1\ORCA.psm1:1308 char:9
    + Throw “ORCA requires either the Exchange Online PowerShell Mo …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : OperationStopped: (ORCA requires e…lery installed.:String) [], RuntimeException
    + FullyQualifiedErrorId : ORCA requires either the Exchange Online PowerShell Module ( loaded o
    r the Exchange Online PowerShell module from the PowerShell Gallery installed.

    1. From the developer:

      The code that checks if the ‘module’ is installed is just purely looking for the presence of the ‘Connect-EXOPSSession’ command. This is a little ‘work around’ that has to be done as the traditional ‘Exchange Online PS Module’ isn’t a real PowerShell module per se. E.g we can’t do a “Import-Module” or a “Get-Module” to determine if its installed.

      I knew this but imagined that most Office 365 admins now use MFA and connect to EXO with Connect-EXOPSSession. I will update the post.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.