
ASD Remote Domain Configuration Check

directorcia edited this page Nov 3, 2025 · 2 revisions

Version: 1.0
Last Updated: 11-04-2025
Author: CIAOPS


Overview

Purpose

The ASD Remote Domain Check script validates Exchange Online Default Remote Domain configuration against the Australian Signals Directorate (ASD) Blueprint for Secure Cloud requirements. It helps organizations ensure their email security settings comply with government security standards.

What It Does

  • ✅ Connects to Exchange Online
  • ✅ Retrieves Default Remote Domain configuration
  • ✅ Compares settings against ASD Blueprint requirements
  • ✅ Generates detailed HTML compliance report
  • ✅ Optionally exports results to CSV
  • ✅ Optionally logs all operations to file
  • ✅ Downloads latest baseline from GitHub by default

Key Features

| Feature | Description |
|---|---|
| Automated Compliance Checking | Validates 10 security settings automatically |
| Cloud-Based Baselines | Downloads latest ASD requirements from GitHub |
| Professional Reports | Generates beautiful HTML reports with compliance metrics |
| Progress Tracking | Real-time progress indicators during execution |
| Permission Validation | Checks user permissions before attempting operations |
| Detailed Logging | Optional comprehensive logging for audit trails |
| Flexible Configuration | Supports custom baselines and output locations |

Important Note: This script checks the 'Default' remote domain, which applies to all external domains unless specific remote domains are configured in Exchange Online. Settings on any additional remote domains you have created are not checked.


System Requirements

PowerShell Environment

| Component | Requirement | Notes |
|---|---|---|
| PowerShell Version | 5.1 or PowerShell 7+ | Windows PowerShell or PowerShell Core |
| Operating System | Windows 10/11, Windows Server 2016+ | Or any OS supporting PowerShell 7+ |
| Internet Connection | Required | For GitHub baseline download and Exchange Online connection |

PowerShell Modules

# Install ExchangeOnlineManagement module
Install-Module -Name ExchangeOnlineManagement -Scope CurrentUser -Force

Exchange Online Permissions

The account running the script must have one of the following roles:

  • Exchange Administrator
  • Global Administrator
  • Global Reader
  • View-Only Organization Management
  • Compliance Administrator

Note: Read-only permissions are sufficient. The script does not make any changes to your Exchange Online configuration.


Installation

  1. Download the Script

    # Clone the repository
    git clone https://github.com/directorcia/office365.git
    
    # Or download directly
    Invoke-WebRequest -Uri "https://raw.githubusercontent.com/directorcia/office365/master/asd-remotedomain-get.ps1" -OutFile "asd-remotedomain-get.ps1"
  2. Install Required Module

    Install-Module -Name ExchangeOnlineManagement -Scope CurrentUser -Force
  3. Verify Installation

    Get-Module -ListAvailable -Name ExchangeOnlineManagement

Parameters

Parameter Reference

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| -ExportToCSV | Switch | No | False | Export results to CSV file in addition to HTML report |
| -CSVPath | String | No | Parent directory with timestamp | Custom path for CSV export |
| -BaselinePath | String | No | GitHub URL | Path or URL to custom baseline JSON file |
| -DetailedLogging | Switch | No | False | Enable detailed logging to file for audit trails |
| -LogPath | String | No | Parent directory with timestamp | Custom path for log file |

Parameter Details

-ExportToCSV

Enables CSV export of compliance check results alongside the HTML report.

.\asd-remotedomain-get.ps1 -ExportToCSV

-CSVPath

Specifies a custom location for the CSV export file.

.\asd-remotedomain-get.ps1 -ExportToCSV -CSVPath "C:\Reports\compliance.csv"

-BaselinePath

Specifies a custom baseline JSON file (local path or URL).

# Local file
.\asd-remotedomain-get.ps1 -BaselinePath "C:\Baselines\custom.json"

# URL
.\asd-remotedomain-get.ps1 -BaselinePath "https://example.com/baseline.json"

-DetailedLogging

Enables comprehensive logging of all operations to file.

.\asd-remotedomain-get.ps1 -DetailedLogging

-LogPath

Specifies a custom location for the log file.

.\asd-remotedomain-get.ps1 -DetailedLogging -LogPath "C:\Logs\audit.log"

Usage Examples

Example 1: Basic Usage

.\asd-remotedomain-get.ps1

Connects to Exchange Online, downloads latest baseline from GitHub, runs compliance check, and generates HTML report.

Example 2: Export to CSV

.\asd-remotedomain-get.ps1 -ExportToCSV

Runs the check and exports results to both HTML and CSV formats.

Example 3: Custom CSV Location

.\asd-remotedomain-get.ps1 -ExportToCSV -CSVPath "C:\Reports\compliance-report.csv"

Exports CSV to a specific location.

Example 4: Custom Baseline

.\asd-remotedomain-get.ps1 -BaselinePath "C:\Baselines\prod-remote-domains.json"

Uses a local custom baseline file instead of downloading from GitHub.

Example 5: Development Environment Baseline

.\asd-remotedomain-get.ps1 -BaselinePath ".\baselines\dev-environment.json" -ExportToCSV

Uses a development environment baseline and exports results to CSV.

Example 6: With Detailed Logging

.\asd-remotedomain-get.ps1 -DetailedLogging

Enables comprehensive logging to file for audit trail purposes.

Example 7: Custom Log Location

.\asd-remotedomain-get.ps1 -DetailedLogging -LogPath "C:\Logs\audit-$(Get-Date -Format 'yyyyMMdd').log"

Logs detailed operations to a custom file location with date in filename.

Example 8: Full Featured

.\asd-remotedomain-get.ps1 -ExportToCSV -DetailedLogging

Runs with all features enabled: HTML report, CSV export, and detailed logging.


How It Works

Execution Flow

┌─────────────────────────────────────┐
│  1. Initialization                  │
│  Validate parameters and setup      │
└────────────┬────────────────────────┘
             ↓
┌─────────────────────────────────────┐
│  2. Baseline Loading                │
│  Download from GitHub or load local │
└────────────┬────────────────────────┘
             ↓
┌─────────────────────────────────────┐
│  3. Module Check                    │
│  Verify ExchangeOnlineManagement    │
└────────────┬────────────────────────┘
             ↓
┌─────────────────────────────────────┐
│  4. Exchange Connection             │
│  Connect to Exchange Online         │
└────────────┬────────────────────────┘
             ↓
┌─────────────────────────────────────┐
│  5. Permission Validation           │
│  Check user has required roles      │
└────────────┬────────────────────────┘
             ↓
┌─────────────────────────────────────┐
│  6. Configuration Retrieval         │
│  Get Default Remote Domain settings │
└────────────┬────────────────────────┘
             ↓
┌─────────────────────────────────────┐
│  7. Compliance Checking             │
│  Compare 10 settings vs baseline    │
└────────────┬────────────────────────┘
             ↓
┌─────────────────────────────────────┐
│  8. Report Generation               │
│  Create HTML report                 │
└────────────┬────────────────────────┘
             ↓
┌─────────────────────────────────────┐
│  9. Optional Exports                │
│  CSV and/or log file                │
└────────────┬────────────────────────┘
             ↓
┌─────────────────────────────────────┐
│  10. Completion                     │
│  Open report and display summary    │
└─────────────────────────────────────┘

Step-by-Step Details

  1. Initialization (0%)

    • Validates command-line parameters
    • Sets up file paths for outputs
    • Initializes script-scope variables
    • Starts logging if enabled
  2. Baseline Loading (0-30%)

    • Detects if baseline is URL or local file
    • Downloads from GitHub (default) or reads local file
    • Validates JSON schema
    • Falls back to built-in defaults if needed
  3. Module Check

    • Checks if ExchangeOnlineManagement is installed
    • Loads module if available
    • Displays installation instructions if missing
  4. Exchange Connection (10%)

    • Tests existing connection
    • Initiates authentication if needed
    • Handles MFA prompts
    • Confirms successful connection
  5. Permission Validation

    • Attempts to read organization config
    • Tests access to remote domain settings
    • Displays helpful error message if insufficient permissions
    • Lists required roles
  6. Configuration Retrieval (10-20%)

    • Queries Exchange Online for Default remote domain
    • Validates domain exists
    • Retrieves all configuration properties
  7. Compliance Checking (20-60%)

    • Iterates through 10 security settings
    • Compares current values vs baseline requirements
    • Records PASS/FAIL for each check
    • Updates progress indicator for each setting
  8. Report Generation (80%)

    • Calculates compliance percentage
    • Generates professional HTML report
    • Includes summary dashboard
    • Creates detailed results table
  9. Optional Exports (70-80%)

    • Exports to CSV if requested
    • Writes detailed log file if enabled
    • Saves all files with timestamps
  10. Completion (90-100%)

    • Opens HTML report in default browser
    • Displays console summary
    • Shows file locations
    • Completes progress indicator

Output Files

HTML Report (Always Generated)

Location: {parent-directory}\asd-remotedomain-get-{timestamp}.html

Contents:

  • Compliance summary dashboard
    • Total checks
    • Passed checks
    • Failed checks
    • Compliance percentage
  • Domain information section
  • Detailed results table with:
    • Status badge (PASS/FAIL)
    • Setting name
    • Description
    • Current value
    • Required value
  • Overall compliance status
  • Baseline source information
  • Reference links

Features:

  • Professional gradient design
  • Color-coded results
  • Responsive layout
  • Print-friendly
  • Auto-opens in browser

CSV Export (Optional)

Location: {parent-directory}\asd-remotedomain-get-{timestamp}.csv

Format:

Setting,Description,CurrentValue,RequiredValue,Status
DomainName,Remote Domain (should be *),*,*,PASS
AllowedOOFType,Out of Office automatic reply types,External,External,PASS
AutoReplyEnabled,Allow automatic replies,False,False,PASS

Use Cases:

  • Import into Excel for analysis
  • Load into Power BI dashboards
  • Integrate with compliance tracking systems
  • Historical trend analysis

Log File (Optional)

Location: {parent-directory}\asd-remotedomain-get-{timestamp}.log

Format:

[2025-04-11 14:30:45] [INFO] === ASD Remote Domain Configuration Check Started ===
[2025-04-11 14:30:45] [INFO] Script Version: 1.0
[2025-04-11 14:30:45] [INFO] PowerShell Version: 7.4.0
[2025-04-11 14:30:45] [INFO] Detailed Logging: Enabled
[2025-04-11 14:30:46] [INFO] Starting baseline settings load from: https://...
[2025-04-11 14:30:47] [INFO] Baseline loaded successfully from GitHub
[2025-04-11 14:30:48] [INFO] Check: DomainName - Current: *, Required: *, Status: PASS
[2025-04-11 14:30:48] [WARN] Check: AutoForwardEnabled - Current: True, Required: False, Status: FAIL
[2025-04-11 14:30:50] [INFO] Script completed successfully

Log Levels:

  • [INFO] - Normal operations and successful actions
  • [WARN] - Non-critical issues and failed compliance checks
  • [ERROR] - Critical errors and failures

Baseline Configuration

Baseline Sources Hierarchy

The script uses the following precedence for baseline settings:

  1. Custom Path - If -BaselinePath parameter is specified
  2. GitHub (Default) - Downloads from official repository
  3. Built-in Defaults - Hard-coded ASD Blueprint values

Default GitHub URL

https://raw.githubusercontent.com/directorcia/bp/main/ASD/Exchange-Online/Mail-flow/remote-domains.json

Baseline JSON Schema

{
  "RemoteDomain": {
    "Name": "Default",
    "DomainName": "*",
    "EmailReplyTypes": {
      "AllowedOOFType": "External",
      "AutoReplyEnabled": false,
      "AutoForwardEnabled": false
    },
    "MessageReporting": {
      "DeliveryReportEnabled": false,
      "NDREnabled": false,
      "MeetingForwardNotificationEnabled": false
    },
    "TextAndCharacterSet": {
      "TNEFEnabled": null,
      "CharacterSet": null,
      "NonMimeCharacterSet": null
    }
  }
}

Schema Validation

The script validates that the baseline JSON contains all required fields:

| Field Path | Type | Description |
|---|---|---|
| RemoteDomain | Object | Root RemoteDomain object |
| RemoteDomain.Name | String | Remote domain name |
| RemoteDomain.DomainName | String | Domain name pattern |
| RemoteDomain.EmailReplyTypes | Object | Email reply types configuration |
| RemoteDomain.MessageReporting | Object | Message reporting configuration |
| RemoteDomain.TextAndCharacterSet | Object | Text and character set configuration |

If validation fails, the script falls back to built-in defaults with a warning message.
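The following is an added example, not the script's own code, of the baseline-loading precedence and schema validation described above: it accepts a URL or local path, checks the six required field paths from the table, and falls back to built-in defaults with a warning when the download fails or a field is missing. The function names, the built-in default values and the constructed invalid baseline at the end are assumptions; the field paths and the default URL are the ones given on this page.

```powershell
# Added example: baseline loading with schema validation and fallback (not the project's code).
# Built-in defaults mirror the schema on this page (assumed to match the script's own defaults).
$script:BuiltInBaseline = @{
    RemoteDomain = @{
        Name                = 'Default'
        DomainName          = '*'
        EmailReplyTypes     = @{ AllowedOOFType = 'External'; AutoReplyEnabled = $false; AutoForwardEnabled = $false }
        MessageReporting    = @{ DeliveryReportEnabled = $false; NDREnabled = $false; MeetingForwardNotificationEnabled = $false }
        TextAndCharacterSet = @{ TNEFEnabled = $null; CharacterSet = $null; NonMimeCharacterSet = $null }
    }
}

# Required field paths and their expected kind, taken from the Schema Validation table.
$script:RequiredFields = @(
    @{ Path = 'RemoteDomain';                     Kind = 'Object' }
    @{ Path = 'RemoteDomain.Name';                Kind = 'String' }
    @{ Path = 'RemoteDomain.DomainName';          Kind = 'String' }
    @{ Path = 'RemoteDomain.EmailReplyTypes';     Kind = 'Object' }
    @{ Path = 'RemoteDomain.MessageReporting';    Kind = 'Object' }
    @{ Path = 'RemoteDomain.TextAndCharacterSet'; Kind = 'Object' }
)

function Test-BaselineSchema {
    # Returns the list of required field paths that are missing or of the wrong kind (empty = valid).
    param([Parameter(Mandatory)] $Baseline)
    $missing = foreach ($f in $script:RequiredFields) {
        $node = $Baseline
        foreach ($segment in $f.Path -split '\.') {
            $node = if ($null -ne $node) { $node.$segment } else { $null }
        }
        $ok = switch ($f.Kind) {
            'String' { $node -is [string] -and $node.Length -gt 0 }
            'Object' { $null -ne $node -and $node -isnot [string] -and $node -isnot [ValueType] }
        }
        if (-not $ok) { $f.Path }
    }
    return @($missing)
}

function Get-Baseline {
    # Precedence: explicit -BaselinePath (URL or file) > GitHub default URL > built-in defaults.
    param([string] $BaselinePath = 'https://raw.githubusercontent.com/directorcia/bp/main/ASD/Exchange-Online/Mail-flow/remote-domains.json')
    try {
        $raw = if ($BaselinePath -match '^https?://') {
            (Invoke-WebRequest -Uri $BaselinePath -UseBasicParsing).Content
        } else {
            Get-Content -Path $BaselinePath -Raw -ErrorAction Stop
        }
        $candidate = $raw | ConvertFrom-Json
        $missing = Test-BaselineSchema -Baseline $candidate
        if ($missing.Count -gt 0) {
            Write-Warning ("Baseline JSON schema validation failed; missing: " + ($missing -join ', ') + ". Using built-in defaults.")
            return [pscustomobject]@{ Source = 'Built-in defaults'; Baseline = $script:BuiltInBaseline }
        }
        return [pscustomobject]@{ Source = $BaselinePath; Baseline = $candidate }
    } catch {
        Write-Warning "Failed to download or parse baseline from '$BaselinePath': $($_.Exception.Message). Using built-in defaults."
        return [pscustomobject]@{ Source = 'Built-in defaults'; Baseline = $script:BuiltInBaseline }
    }
}

# Constructed sample: a baseline with the EmailReplyTypes section deleted.
$badBaseline = '{"RemoteDomain":{"Name":"Default","DomainName":"*","MessageReporting":{},"TextAndCharacterSet":{}}}' | ConvertFrom-Json
Test-BaselineSchema -Baseline $badBaseline          # reports the missing RemoteDomain.EmailReplyTypes path
Test-BaselineSchema -Baseline $script:BuiltInBaseline   # built-in defaults pass validation

# Typical use with a local custom baseline:
# $loaded = Get-Baseline -BaselinePath '.\production-baseline.json'
# "$($loaded.Source)" ; $loaded.Baseline.RemoteDomain.EmailReplyTypes
```

Validation only checks that the section objects exist, as the table describes; a section present but missing an individual setting (say, AutoForwardEnabled) still passes, so the comparison step has to treat an absent baseline value as "not set" rather than silently marking the check as passed.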

Creating Custom Baselines

  1. Copy the schema above to a new JSON file
  2. Modify values according to your requirements. Keep the file strict JSON: JSON has no comment syntax, and ConvertFrom-Json on Windows PowerShell 5.1 rejects `//` comments, so record the reason for a change elsewhere. The example below changes AutoForwardEnabled to true:
    {
      "RemoteDomain": {
        "Name": "Default",
        "DomainName": "*",
        "EmailReplyTypes": {
          "AllowedOOFType": "External",
          "AutoReplyEnabled": false,
          "AutoForwardEnabled": true
        },
        "MessageReporting": {
          "DeliveryReportEnabled": false,
          "NDREnabled": false,
          "MeetingForwardNotificationEnabled": false
        },
        "TextAndCharacterSet": {
          "TNEFEnabled": null,
          "CharacterSet": null,
          "NonMimeCharacterSet": null
        }
      }
    }
  3. Save with a descriptive name (e.g., production-baseline.json)
  4. Run script with custom baseline:
    .\asd-remotedomain-get.ps1 -BaselinePath ".\production-baseline.json"

Compliance Checks

Settings Validated

| # | Setting | Category | ASD Default | Security Impact |
|---|---|---|---|---|
| 1 | DomainName | General | * | Applies settings to all external domains |
| 2 | AllowedOOFType | Email Reply | External | Controls Out of Office reply types |
| 3 | AutoReplyEnabled | Email Reply | False | Prevents information leakage via auto-replies |
| 4 | AutoForwardEnabled | Email Reply | False | Critical: Blocks automatic email forwarding (data exfiltration risk) |
| 5 | DeliveryReportEnabled | Message Reporting | False | Prevents delivery confirmation to external senders |
| 6 | NDREnabled | Message Reporting | False | Blocks non-delivery reports to external senders |
| 7 | MeetingForwardNotificationEnabled | Message Reporting | False | Prevents meeting forward notifications |
| 8 | TNEFEnabled | Text & Character | Null | Rich-text format control (follow user settings) |
| 9 | CharacterSet | Text & Character | Null | MIME character encoding (system default) |
| 10 | NonMimeCharacterSet | Text & Character | Null | Non-MIME character encoding (system default) |

Security Impact Details

AutoForwardEnabled = False (Critical)

Risk if Enabled:

  • Malicious actors can automatically forward emails to external addresses
  • Data exfiltration through compromised accounts
  • Bypasses DLP and compliance controls

ASD Recommendation: Must be disabled for external domains

AutoReplyEnabled = False

Risk if Enabled:

  • Automatic replies can leak information about:
    • User availability
    • Email address validity
    • Internal processes
  • Can be used for reconnaissance

Delivery/NDR Reports = False

Risk if Enabled:

  • External actors can validate email addresses
  • Information disclosure about mail system
  • Can be used for phishing campaigns

Compliance Calculation

Compliance % = (Passed Checks / Total Checks) × 100

Status:

  • 100% = COMPLIANT ✓ - All checks passed
  • <100% = NON-COMPLIANT ✗ - One or more checks failed
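The following is an added example, not the script's own code, covering the Settings Validated table, the CSV row format shown under Output Files, and the compliance calculation above: it compares a Default remote domain object against a parsed baseline, emits one PASS/FAIL row per setting in the Setting, Description, CurrentValue, RequiredValue, Status layout, and computes the percentage. The function names, the `$script:Checks` map and the constructed sample tenant object are assumptions; the setting names and baseline sections are the ones on this page.

```powershell
# Added example: compliance comparison and percentage calculation (not the project's code).
# Where each of the 10 settings lives in the baseline JSON (Section $null = directly under RemoteDomain).
$script:Checks = @(
    @{ Setting = 'DomainName';                        Section = $null;                 Description = 'Remote Domain (should be *)' }
    @{ Setting = 'AllowedOOFType';                    Section = 'EmailReplyTypes';     Description = 'Out of Office automatic reply types' }
    @{ Setting = 'AutoReplyEnabled';                  Section = 'EmailReplyTypes';     Description = 'Allow automatic replies' }
    @{ Setting = 'AutoForwardEnabled';                Section = 'EmailReplyTypes';     Description = 'Allow automatic forwarding' }
    @{ Setting = 'DeliveryReportEnabled';             Section = 'MessageReporting';    Description = 'Delivery reports to external senders' }
    @{ Setting = 'NDREnabled';                        Section = 'MessageReporting';    Description = 'Non-delivery reports to external senders' }
    @{ Setting = 'MeetingForwardNotificationEnabled'; Section = 'MessageReporting';    Description = 'Meeting forward notifications' }
    @{ Setting = 'TNEFEnabled';                       Section = 'TextAndCharacterSet'; Description = 'Rich-text (TNEF) format control' }
    @{ Setting = 'CharacterSet';                      Section = 'TextAndCharacterSet'; Description = 'MIME character encoding' }
    @{ Setting = 'NonMimeCharacterSet';               Section = 'TextAndCharacterSet'; Description = 'Non-MIME character encoding' }
)

function Format-CheckValue {
    # $null and empty strings both mean "not set" in Exchange output; booleans become True/False.
    param($Value)
    if ($null -eq $Value -or ($Value -is [string] -and $Value.Trim() -eq '')) { return 'Null' }
    return [string]$Value
}

function Compare-RemoteDomainBaseline {
    param(
        [Parameter(Mandatory)] $RemoteDomain,   # e.g. the output of Get-RemoteDomain -Identity 'Default'
        [Parameter(Mandatory)] $Baseline        # parsed baseline JSON with RemoteDomain at the root
    )
    foreach ($c in $script:Checks) {
        $node     = if ($c.Section) { $Baseline.RemoteDomain.($c.Section) } else { $Baseline.RemoteDomain }
        $required = Format-CheckValue $node.($c.Setting)
        $current  = Format-CheckValue $RemoteDomain.($c.Setting)
        [pscustomobject]@{
            Setting       = $c.Setting
            Description   = $c.Description
            CurrentValue  = $current
            RequiredValue = $required
            Status        = if ($current -eq $required) { 'PASS' } else { 'FAIL' }   # -eq is case-insensitive
        }
    }
}

function Get-ComplianceSummary {
    # Compliance % = (Passed Checks / Total Checks) x 100; anything under 100% is NON-COMPLIANT.
    param([Parameter(Mandatory)] [object[]] $Results)
    $total  = $Results.Count
    $passed = @($Results | Where-Object Status -eq 'PASS').Count
    [pscustomobject]@{
        Total   = $total
        Passed  = $passed
        Failed  = $total - $passed
        Percent = if ($total -gt 0) { [math]::Round(100 * $passed / $total, 1) } else { 0 }
        Status  = if ($total -gt 0 -and $passed -eq $total) { 'COMPLIANT' } else { 'NON-COMPLIANT' }
    }
}

# Constructed sample: a tenant that still allows automatic forwarding to external domains.
$sampleDomain = [pscustomobject]@{
    DomainName = '*'; AllowedOOFType = 'External'; AutoReplyEnabled = $false; AutoForwardEnabled = $true
    DeliveryReportEnabled = $false; NDREnabled = $false; MeetingForwardNotificationEnabled = $false
    TNEFEnabled = $null; CharacterSet = ''; NonMimeCharacterSet = ''
}
$baseline = @'
{ "RemoteDomain": {
    "Name": "Default", "DomainName": "*",
    "EmailReplyTypes":     { "AllowedOOFType": "External", "AutoReplyEnabled": false, "AutoForwardEnabled": false },
    "MessageReporting":    { "DeliveryReportEnabled": false, "NDREnabled": false, "MeetingForwardNotificationEnabled": false },
    "TextAndCharacterSet": { "TNEFEnabled": null, "CharacterSet": null, "NonMimeCharacterSet": null } } }
'@ | ConvertFrom-Json

$results = Compare-RemoteDomainBaseline -RemoteDomain $sampleDomain -Baseline $baseline
$results | Format-Table -AutoSize
Get-ComplianceSummary -Results $results

# Against a live tenant (read-only), with CSV export in the same column order as the page's sample:
# $results = Compare-RemoteDomainBaseline -RemoteDomain (Get-RemoteDomain -Identity 'Default') -Baseline $baseline
# $results | Export-Csv -Path ".\asd-remotedomain-get-$(Get-Date -Format 'yyyyMMdd-HHmmss').csv" -NoTypeInformation
```

With the constructed sample, nine checks pass and AutoForwardEnabled fails (current True, required False), giving 90% and NON-COMPLIANT. Normalising `$null` and empty strings to the same token matters for the three Text & Character settings, where the baseline stores null but Exchange Online may return an empty string; without it those checks would fail for cosmetic reasons.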

Progress Indicators

The script displays real-time progress throughout execution:

| Progress | Stage | Description |
|---|---|---|
| 0% | Initialization | Script startup and parameter validation |
| 10% | Connection | Retrieving Default remote domain configuration |
| 20% | Preparation | Starting compliance checks |
| 20-60% | Checking | Running 10 individual compliance checks (4% per check) |
| 60% | Analysis | Analyzing results and calculating compliance |
| 70% | CSV Export | Exporting to CSV (if requested) |
| 80% | Report | Generating HTML report |
| 90% | Browser | Opening report in browser |
| 100% | Complete | All operations finished |

Progress Format

Activity: ASD Remote Domain Check
Status: Checking AutoForwardEnabled (4 of 10)
Progress: [████████░░░░░░░░░░░░] 36%

Detailed Logging

Enabling Logging

# Basic logging (default location)
.\asd-remotedomain-get.ps1 -DetailedLogging

# Custom log location
.\asd-remotedomain-get.ps1 -DetailedLogging -LogPath "C:\Logs\compliance.log"

# With date in filename
.\asd-remotedomain-get.ps1 -DetailedLogging -LogPath "C:\Logs\audit-$(Get-Date -Format 'yyyyMMdd').log"

Log Entry Format

[YYYY-MM-DD HH:MM:SS] [LEVEL] Message

What Gets Logged

  1. Script Initialization

    • Script version
    • PowerShell version
    • Parameter values
    • File paths
  2. Baseline Loading

    • Source type (URL/Local)
    • Download/read status
    • Schema validation results
    • Success/failure messages
  3. Module and Connection

    • Module availability
    • Connection attempts
    • Authentication events
    • Permission checks
  4. Compliance Checks

    • Each setting checked
    • Current value
    • Required value
    • Pass/fail status
  5. Report Generation

    • HTML generation status
    • CSV export status
    • File locations
  6. Errors and Exceptions

    • Error messages
    • Stack traces
    • Line numbers
    • Command details

Log Analysis

# View entire log
Get-Content .\asd-remotedomain-get-20250411-143045.log

# View only errors
Get-Content .\asd-remotedomain-get-20250411-143045.log | Select-String -Pattern "\[ERROR\]"

# View failed checks
Get-Content .\asd-remotedomain-get-20250411-143045.log | Select-String -Pattern "Status: FAIL"

# Count log entries by level
Get-Content .\asd-remotedomain-get-20250411-143045.log | 
    ForEach-Object { ($_ -split '\[')[2] -split '\]' | Select-Object -First 1 } | 
    Group-Object | 
    Select-Object Name, Count
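The one-liners above work on raw text; the following added example (not the script's own code) parses the `[timestamp] [LEVEL] message` log format into objects, breaking the compliance-check lines out into Setting, Current, Required and Status fields so failed checks and error counts can be queried with normal PowerShell filtering. The function name is an assumption, and the sample lines are constructed to mirror the log excerpt shown earlier on this page.

```powershell
# Added example: parse the script's log lines into objects (not the project's code).
function ConvertFrom-CheckLog {
    param([Parameter(Mandatory, ValueFromPipeline)] [string] $Line)
    process {
        # Log Entry Format: [YYYY-MM-DD HH:MM:SS] [LEVEL] Message
        if ($Line -match '^\[(?<ts>[^\]]+)\]\s+\[(?<level>[A-Z]+)\]\s+(?<msg>.*)$') {
            $entry = [pscustomobject]@{
                Timestamp = [datetime]::ParseExact($Matches.ts, 'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture)
                Level     = $Matches.level
                Message   = $Matches.msg
                Setting   = $null; Current = $null; Required = $null; Status = $null
            }
            # Compliance-check lines carry extra fields worth breaking out.
            if ($entry.Message -match '^Check: (?<s>\S+) - Current: (?<c>.*?), Required: (?<r>.*?), Status: (?<st>PASS|FAIL)$') {
                $entry.Setting  = $Matches.s
                $entry.Current  = $Matches.c
                $entry.Required = $Matches.r
                $entry.Status   = $Matches.st
            }
            $entry
        }
        # Lines that do not match the format (e.g. wrapped stack traces) are skipped.
    }
}

# Constructed sample lines in the page's log format.
$sampleLog = @(
    '[2025-04-11 14:30:45] [INFO] === ASD Remote Domain Configuration Check Started ==='
    '[2025-04-11 14:30:48] [INFO] Check: DomainName - Current: *, Required: *, Status: PASS'
    '[2025-04-11 14:30:48] [WARN] Check: AutoForwardEnabled - Current: True, Required: False, Status: FAIL'
    '[2025-04-11 14:30:49] [ERROR] Failed to export CSV: access denied (constructed message)'
)
$entries = $sampleLog | ConvertFrom-CheckLog

# Failed checks with their values, and a count of entries per level.
$entries | Where-Object Status -eq 'FAIL' | Select-Object Timestamp, Setting, Current, Required
$entries | Group-Object Level | Select-Object Name, Count

# Real log file:
# Get-Content .\asd-remotedomain-get-20250411-143045.log | ConvertFrom-CheckLog | Where-Object Level -eq 'ERROR'
```

Because the result is a list of objects, the same parser feeds `Export-Csv` or a comparison of two runs (`Compare-Object` on the Setting and Status columns) when you want to show that a previously failing setting has been remediated.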

Troubleshooting

Common Issues and Solutions

1. Module Not Found

Error Message:

ExchangeOnlineManagement module not found!
Install it with: Install-Module -Name ExchangeOnlineManagement -Scope CurrentUser

Solution:

Install-Module -Name ExchangeOnlineManagement -Scope CurrentUser -Force

Verification:

Get-Module -ListAvailable -Name ExchangeOnlineManagement

2. Insufficient Permissions

Error Message:

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
❌ INSUFFICIENT PERMISSIONS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

This script requires Exchange Online read permissions.

Required Roles (one of the following):
  • Exchange Administrator
  • Global Administrator
  • Global Reader
  • View-Only Organization Management
  • Compliance Administrator

Solution:

  1. Contact your Exchange Online administrator
  2. Request one of the required roles
  3. Wait for role assignment to propagate (5-30 minutes)
  4. Re-run the script

Check Current Roles:

Get-ManagementRoleAssignment -RoleAssignee "user@domain.com" | 
    Select-Object Role, RoleAssigneeType | 
    Sort-Object Role

3. GitHub Baseline Download Failed

Error Message:

Failed to download or parse baseline from URL: ...
⚠️  Using built-in ASD Blueprint defaults instead

Causes:

  • No internet connectivity
  • Firewall/proxy blocking GitHub
  • GitHub service outage
  • Invalid URL

Solutions:

Option 1: Check Connectivity

Test-NetConnection -ComputerName raw.githubusercontent.com -Port 443

Option 2: Download Manually

$url = "https://raw.githubusercontent.com/directorcia/bp/main/ASD/Exchange-Online/Mail-flow/remote-domains.json"
Invoke-WebRequest -Uri $url -OutFile "baseline.json"
.\asd-remotedomain-get.ps1 -BaselinePath ".\baseline.json"

Option 3: Use Built-in Defaults

  • Script automatically falls back to built-in ASD Blueprint defaults
  • No action required, script continues normally

4. Connection Timeout

Error Message:

Failed to connect to Exchange Online: The operation has timed out

Solutions:

Check Network:

Test-NetConnection -ComputerName outlook.office365.com -Port 443

Check Service Health:

Retry with Proxy:

$ProxyOptions = New-PSSessionOption -ProxyAccessType IEConfig
Connect-ExchangeOnline -PSSessionOption $ProxyOptions

5. HTML Report Not Opening

Error Message:

Could not automatically open browser: ...
Please open the report manually: C:\path\to\report.html

Solution:

  • Report is successfully generated
  • Manually open the HTML file from the displayed path
  • Use Windows Explorer or:
    Start-Process "C:\path\to\asd-remotedomain-get-20250411-143045.html"

6. Authentication Prompts Repeatedly

Symptoms:

  • Script asks for credentials multiple times
  • "Not connected" message after authentication

Solutions:

Clear Cached Credentials:

Disconnect-ExchangeOnline -Confirm:$false
Connect-ExchangeOnline

Check MFA:

  • Ensure MFA app is working
  • Approve any pending authentication requests
  • Check conditional access policies

7. Baseline Schema Validation Failed

Error Message:

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
❌ BASELINE JSON SCHEMA VALIDATION FAILED
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Missing required fields:
  • RemoteDomain.EmailReplyTypes
    └─ Email reply types configuration

Solution:

  1. Verify JSON file format
  2. Check for missing fields
  3. Validate JSON syntax:
    $json = Get-Content "baseline.json" -Raw | ConvertFrom-Json
    $json | ConvertTo-Json -Depth 5
  4. Use default baseline or fix custom baseline

Debugging Tips

Enable Detailed Logging

.\asd-remotedomain-get.ps1 -DetailedLogging -LogPath "C:\Temp\debug.log"

Check PowerShell Version

$PSVersionTable

Verify Module Version

Get-Module -ListAvailable -Name ExchangeOnlineManagement | Select-Object Version

Test Exchange Connectivity Manually

Connect-ExchangeOnline
Get-RemoteDomain -Identity "Default"
Disconnect-ExchangeOnline -Confirm:$false

Review Execution Policy

Get-ExecutionPolicy -List
# If needed:
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser

Reference

Official Documentation

Microsoft Documentation

Australian Cyber Security Centre

Script Information

| Property | Value |
|---|---|
| Script Name | asd-remotedomain-get.ps1 |
| Author | CIAOPS |
| Version | 1.0 |
| Date | 11-04-2025 |
| PowerShell | 5.1+ / 7+ |
| License | Open Source |
| Repository | https://github.com/directorcia/office365 |

Support and Contributions

Report Issues:

Documentation:

Contributions:

  • Fork the repository
  • Create a feature branch
  • Submit a pull request

Version History

| Version | Date | Changes |
|---|---|---|
| 1.0 | 11-04-2025 | Initial release with all features |

Related Scripts

  • asd-mailflow-get.ps1 - Mail flow rule compliance check
  • asd-atp-get.ps1 - Advanced Threat Protection check
  • o365-exo-fwd-chk.ps1 - Email forwarding audit

Quick Reference Card

Common Commands

# Basic run
.\asd-remotedomain-get.ps1

# Full audit
.\asd-remotedomain-get.ps1 -ExportToCSV -DetailedLogging

# Custom baseline
.\asd-remotedomain-get.ps1 -BaselinePath ".\custom-baseline.json"

# Custom outputs
.\asd-remotedomain-get.ps1 -ExportToCSV -CSVPath "C:\Reports\audit.csv" -DetailedLogging -LogPath "C:\Logs\audit.log"

File Locations

| File | Default Location |
|---|---|
| HTML Report | {parent-dir}\asd-remotedomain-get-{timestamp}.html |
| CSV Export | {parent-dir}\asd-remotedomain-get-{timestamp}.csv |
| Log File | {parent-dir}\asd-remotedomain-get-{timestamp}.log |

Exit Codes

| Code | Meaning |
|---|---|
| 0 | Success |
| 1 | Error (module, connection, permissions, or execution) |

Document Version: 1.0
Last Updated: 11-04-2025
Maintained By: CIAOPS
