[pull] dev from KelvinTegelaar:dev #867
Merged
This script creates and manages Exchange Online transport rules for colleague impersonation alerts, handling sender display names and exemptions.

Signed-off-by: Chris Dewey <142454021+chris-dewey-1991@users.noreply.github.com>
This script creates and manages Exchange Online transport rules for colleague impersonation alerts, handling sender display names and exemptions.

Relates to the following KelvinTegelaar/CIPP#5138 KelvinTegelaar/CIPP#5725

**Details of Standards**

**Rule Structure**

This standard creates five rules, split alphabetically by the first letter of the user’s display name:

• (A–E) Colleague Impersonation Alert
• (F–J) Colleague Impersonation Alert
• (K–O) Colleague Impersonation Alert
• (P–T) Colleague Impersonation Alert
• (U–Z) Colleague Impersonation Alert

Example: A user named Lexi Jones would be included in the (K–O) rule.

**User Management**

• Only active User Mailboxes and Shared Mailboxes are included
• Disabled accounts are automatically removed during the next remediation run
• New users are added automatically

**Domain Exemptions**

The standard automatically detects the tenant’s accepted domains and adds them as exemptions. This ensures internal emails never trigger the warning banner.

**Keyword Exclusions**

Mailboxes can be excluded using keyword matching against the display name.

Example: Adding the keyword “Leaver” will exclude any mailbox containing that word. This is useful for organisations that rename or archive accounts (e.g. using a prefix like “Leaver:” instead of deleting them).

**Exempt Senders**

Specific external sender addresses can be whitelisted to prevent the banner from being applied.

Example: no-reply@teams.mail.microsoft can be added if Microsoft service notifications are incorrectly flagged.

• These exemptions are global, not per client
• Manually added exempt senders are preserved and not overwritten by the standard

**Drift Detection**

The standard validates that:

• All five rules exist
• Each rule’s user list matches the current set of active mailboxes

If discrepancies are found (e.g. users added or removed), the standard is marked as non-compliant and will re-sync during remediation.
**Example of Alert Banner (HTML) to use**

Simple copy and paste into the Alert Banner section and tweak to your liking.

```html
<table border=0 cellspacing=0 cellpadding=0 align="left" width="100%">
  <tr>
    <td style="background:#ffb900;padding:5pt 2pt 5pt 2pt"></td>
    <td width="100%" cellpadding="7px 6px 7px 15px" style="background:#fff8e5;padding:5pt 4pt 5pt 12pt;word-wrap:break-word">
      <div style="color:#222222;"><span style="color:#222; font-weight:bold;">Warning:</span>This email was sent from outside the company, and it has the same display name as someone inside our organization. This is probably a phishing mail. Do not click on links or open attachments unless you are certain that this email is safe. </div>
    </td>
  </tr>
</table>
<br/>
```

**Recommendation**

It is recommended to enable auto-remediation, as frequent user changes will otherwise cause ongoing drift and require manual intervention.

<img width="652" height="626" alt="image" src="https://github.com/user-attachments/assets/c94de3f8-1d6b-4646-aa4e-5fa0ddd4baaf" />
<img width="1340" height="854" alt="image" src="https://github.com/user-attachments/assets/f789e136-5084-400d-a981-d10e403bac54" />

PS: I won't lie :) I had help with AI to validate my code and help me out in certain areas.

Testing was on my own tenant using Classic Standards, Drifts Standards. Auto Remediation and Manual Remediation. Confirmed logs showing in each stage.
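The Rule Structure, Keyword Exclusions and Drift Detection sections above, sketched as an added example (this is not the code from the pull request). The function names, the short rule keys, the case-insensitive keyword match and the `Unbucketed` list for names that do not start with A–Z are assumptions, and the sample data is constructed.

```powershell
# Added example, not the PR's code. Keys abbreviate the five rule names on the page,
# e.g. 'K-O' stands for "(K-O) Colleague Impersonation Alert".
$RuleRanges = [ordered]@{ 'A-E' = '^[A-E]'; 'F-J' = '^[F-J]'; 'K-O' = '^[K-O]'; 'P-T' = '^[P-T]'; 'U-Z' = '^[U-Z]' }

function Get-ExpectedRuleMembers {   # hypothetical helper
    param([string[]]$DisplayNames, [string[]]$ExcludeKeywords = @())
    $expected = [ordered]@{}
    foreach ($key in @($RuleRanges.Keys) + 'Unbucketed') {
        $expected[$key] = [System.Collections.Generic.List[string]]::new()
    }
    foreach ($name in $DisplayNames) {
        $n = "$name".Trim()
        if (-not $n) { continue }
        # Assumption: keyword exclusion is a case-insensitive substring match; empty keywords are ignored.
        $hit = $ExcludeKeywords | Where-Object { $_ -and $n.IndexOf($_, [System.StringComparison]::OrdinalIgnoreCase) -ge 0 }
        if ($hit) { continue }
        # Assumption: names not starting with A-Z are surfaced for review, not silently dropped.
        $key = $RuleRanges.Keys | Where-Object { $n -match $RuleRanges[$_] } | Select-Object -First 1
        if (-not $key) { $key = 'Unbucketed' }
        $expected[$key].Add($n)
    }
    $expected
}

function Test-RuleDrift {            # hypothetical helper
    # $Deployed: rule key -> display names currently in that rule; a missing key means the rule does not exist.
    param($Expected, [hashtable]$Deployed)
    foreach ($key in $RuleRanges.Keys) {
        if (-not $Deployed.ContainsKey($key)) {
            [pscustomobject]@{ Rule = $key; Issue = 'RuleMissing'; Add = @($Expected[$key]); Remove = @() }
            continue
        }
        $want = @($Expected[$key]); $have = @($Deployed[$key])
        $add = @($want | Where-Object { $_ -notin $have })       # new users not yet in the rule
        $remove = @($have | Where-Object { $_ -notin $want })    # disabled or excluded users still in the rule
        if ($add.Count -or $remove.Count) {
            [pscustomobject]@{ Rule = $key; Issue = 'MemberMismatch'; Add = $add; Remove = $remove }
        }
    }
}

# Constructed sample data (not from a real tenant).
$active   = 'Lexi Jones', 'Adam Berg', 'Leaver: Tom Price', '365 Support Desk', 'Zoe Hart'
$deployed = @{ 'A-E' = @('Adam Berg'); 'F-J' = @(); 'K-O' = @('Mark Old'); 'P-T' = @() }   # no U-Z rule
$expected = Get-ExpectedRuleMembers -DisplayNames $active -ExcludeKeywords 'Leaver'
$drift    = @(Test-RuleDrift -Expected $expected -Deployed $deployed)
$drift | Format-Table Rule, Issue, Add, Remove
"Compliant: $($drift.Count -eq 0); unbucketed: $($expected['Unbucketed'] -join ', ')"
```

A display name that falls outside all five ranges would never receive the banner, so the unbucketed list is worth reviewing alongside the drift result.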
See Commits and Changes for more details.
Created by pull[bot] (v2.0.0-alpha.4)
Can you help keep this open source service alive? 💖 Please sponsor : )