Exam MS-102 topic 1 question 73 discussion

Looks correct to me. You want to add the CEO as a protected user for impersonation protection. You also want to add the other CEO as a trusted sender so as to ensure good email delivery to that person from your senders. proof: see 5. here: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-mdo-configure?view=o365-worldwide "enable users to protect"

the suggested answers are correct: Enable uses to protect: Add the CEO display name and the email to avoid impersonation. Add trusted senders and domains: Add the CEO email to the trusted sender list. this will avoid to tag any email from this CEO as phishing if Display name and email match.

1. To ensure that malicious email impersonating the CEO of a partner company is blocked: You must modify: the Enable domains to protect setting. This ensures the policy actively identifies and protects against impersonation of specific domains. 2. To minimize disrupting users that frequently exchange legitimate email with the CEO of a partner company: You must configure the Add trusted senders and domains setting. This reduces false positives by allowing legitimate emails from trusted senders to pass through. _____________________________________________________________

First Box: Enable Users To Protect Second Box: Enable in... protection Enables enhanced impersonation results based on each user's individual sender map and allows you to define specific actions on impersonated messages

You should only add a sender to the trusted senders to bypass the user impersonation checks for that person. E.g., if the CEO sends email into the org from his personal email account, or the CEO of the other organisation happens to have the exact same name as another protected user. Mailbox Intelligence uses the users individual patterns of communication to help protect them against impersonation/spoofing, so this is the most relevant feature for the second part of the question in, my opinion. In the real world, ensuring smooth communication should never be at the expense of security, but who knows what Microsoft want us to answer here.

If the sender already communicated, you cannot set impersonation: User impersonation protection does not work if the sender and recipient have previously communicated via email. If the sender and recipient have never communicated via email, the message can be identified as an impersonation attempt. https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide

The second option, For me, should be Impersonation protection. https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/email-protection-basics-in-microsoft-365-spoof-and-impersonation/ba-p/3562938

Would probably go for Phishing threshold as looking at the policy in security.microsoft.com / policies & rules / threat policies: Phishing threshold & protection -Phishing threshold 1 - Standard -User impersonation protection Off - 0 sender(s) specified -Domain impersonation protection Off for owned domains Off - 0 domain(s) specified Would most likely want to set Domain Impersonation Protection to On for owned domains and configure that. https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide#domain-impersonation-protection