Last Updated on March 14, 2024 by Michael Morten Sonne

Introduction

ORCA is a report that you can run in your environment which can highlight known configuration issues and improvements which can impact your experience with Microsoft Defender for Office 365 (formerly Office 365 Advanced Threat Protection).

What’s in scope

• Configuration Health Index
• Configuration in EOP which can impact ATP
• SafeLinks configuration
• SafeAttachments configuration
• Antiphish and antispoof policies.

What is Configuration Health Index

The configuration health index is a weighted value representing your configuration. Not all configuration is considered and some configuration is weighted higher than others. The index is represented as a percentage. How the configuration impacts the configuration health index is shown next to the recommendation in the report below as a positive or negative number. The impact to your security posture is a large consideration factor when rating the configuration.

Sounds good! How do I run it?

You will need the Exchange Online Management Shell first.

Exchange Online PowerShell V3 module is availible via the PowerShell gallery:

Install-Module -Name ExchangeOnlineManagement

or get Exchange Online PowerShell module here: http://aka.ms/exopsmodule

We use these modules to connect to Exchange Online and look at your configuration in your tenant.

Then, you’ll need ORCA. ORCA is published via the PowerShell gallery to make it easy and accessible for everyone.

To install, run PowerShell as an administrator and run the following command:

Install-Module ORCA

Connect to Exchange Online and then run:

Get-ORCAReport

To Run ORCA you need to have necessary permissions. The “View-Only Configuration” Exchange Online role is needed to run the tool.

For example you can use the following:

Global Reader – Azure Active Directory role

View-Only Organization Management – built in role group in Exchange Online

It’s that simple! At the conclusion, your default browser will open with a report detailing the recommendations!

Looks like this when running after connected:

And the report look like this:

Outputs

We support outputting to different formats (which can be useful for different purposes, such as tracking trending over time).

If the following isn’t good enough for your purpose, don’t despair, the output is fully modular. You can create your own output type by creating your own “output-name.ps1” file in the outputs directory. You’ll need to create a class that extends the “ORCAOutput” class, and you’ll need to implement an override for the RunOutput function. Easiest way is just to copy one of the exsting ps1’s to make your own (if you need to, that is..)

Running specifying an alternative output

To run specifying an alternative output module, instead of using the Get-ORCAReport command, use the Invoke-ORCA command.

Example outputting to JSON:

Invoke-ORCA -Output JSON

Supported outputs

HTML is the output format that you’ll get when you run Get-ORCAReport.

Example 1 – this is the equivelant of running Get-ORCAReport:

Invoke-ORCA -Output HTML

Example 2 – output to HTML but don’t load the HTML:

Invoke-ORCA -Output HTML -OutputOptions @{HTML=@{DisplayReport=$False}}

Supported Params:
DisplayReport, Optional, Boolean – load the report at the conclusion of running ORCA
OutputDirectory, Optional, String – path to store the outputted html file, default is an appdata directory created automatically

File with JSON formatted results.

Example:

Invoke-ORCA -Output JSON

Output flatted in to two CSV files, one for an overview, one for detail on each config item.

Example:

Invoke-ORCA -Output CSV

Supported Params:
OutputDirectory, Optional, String – path to store the outputted json file, default is an appdata directory created automatically