Service Upgrade Changes for Policy Rules
Applies to: Exchange Online Protection
Topic Last Modified: 2013-10-01
When your organization is upgraded from Microsoft Forefront Online Protection for Exchange (FOPE) to Microsoft Exchange Online Protection (EOP), policy migration happens after your domain settings and users are migrated. When your policy migration occurs, FOPE policy rules are changed to Exchange Transport rules.
There are differences to note between FOPE policy rules and Exchange Transport rules. Knowing these feature differences and best practices for creating Exchange Transport rules can help you create the most effective rules.
For more information about configuring custom policy filtering in EOP via Transport rules, see Transport Rules.
The following outlines some conditions that can appear during rule migration, depending on your rule configuration, and the action we take to ensure successful migration.
- Rule Count: You can create up to 100 Exchange Transport rules to implement business-rule compliance. If you currently have more than 100 FOPE policy rules, the FOPE to EOP transition includes automatic rule consolidation which will result in fewer than 100 Transport rules. If the automatic migration of the rule settings is unable to fit within the EOP limits, we will reach out to help you manually modify your rules to bring them within compliance for EOP.
- Pattern Matching and Regular Expressions: FOPE provided basic regular-expression (Regex) support for policy-rule pattern matching. EOP uses the .NET regular-expression engine.
- Maximum Pattern-Match Length: Transport rules support up to 20 KB of characters for all Regex pattern and keyword matches. (This limit does not impact recipient and domain match conditions.)
- Dictionary Support: Rule criteria must be entered directly. Uploading contents from a Dictionary file is only supported via Windows PowerShell (Exchange Online or Exchange Enterprise CAL with Services customers only).
- Case-Insensitive Matching: Exchange Transport rules use case-insensitive matching.
- Subject and Body Matching: Transport rules support match conditions within the subject and body of the message.
- Max Rule Size: FOPE Policy rules that exceed the max rule size limit in Exchange are divided into multiple rules. These rules appear in the Exchange admin center user interface under mail flow as: “Divided FOPE Policy Rule ID###”
- Duplicate Filtering Requirements: FOPE Policy rules that apply the same filtering requirements are consolidated into a single Transport rule. These rules appear in the Exchange admin center user interface under mail flow as: “Consolidated FOPE Policy rule (n)”. The rule comments and migration report include the affected FOPE Policy rule IDs.
- HeaderName with NULL Value: FOPE policy rules support matching a HeaderName against any HeaderValue, including a NULL value. Exchange Transport rules support matching a HeaderName against any HeaderValue, excluding a NULL value. After migration, these rules will only be matched if the HeaderValue is assigned a value; a NULL value is not supported.
- Recipient Notifications for Reject Rules: Exchange Transport rules do not support recipient notifications for Reject rules. During transition, rules with a Reject action and recipient notifications enabled are converted to rules without recipient notifications.
The following list details items to note regarding policy rules in FOPE that are migrated to the Exchange admin center:
- All FOPE domains configured with Policy Filtering set to inbound only are added to a Transport rule in the Exchange admin center called “Domains excluded from outbound Exchange Transport Rules.”
- All FOPE domains configured with Policy Filtering set to disabled are added to two Transport rules. The first is called “Domains excluded from outbound Exchange Transport Rules” and the other is called “Domains excluded from inbound Exchange Transport Rules.”
- FOPE Policy rules are not migrated to Transport rules if they are disabled, expired, or associated with a disabled domain.
Some ideas for cutting down on the number of rules you have include the following:
- Remove rules you created for a specific one-day spam event.
- Remove little-used rules and rules that are rarely triggered. If your migration was recent, you may be able to access the FOPE Admin Center and run a policy-filtering report to determine rule-use metrics. For more information about signing in to the FOPE Admin Center, see Sign in to the FOPE Admin Center After Your Service Upgrade.
- If you have a rule with many keywords, use a regular-expression pattern to search for similar terms.
The following are additional tips to help you choose rules to consolidate:
- You may be able to combine rules with similar conditions, or multiple conditions, and rules that perform the same action.
- FOPE rules were either inbound or outbound. In Exchange Transport rules, this is optional. Configure each rule to apply to both inbound and outbound messages, if possible.
- If you have rules specific to individual domains, consider creating a company-wide rule and removing domain-specific rules.
- If you had a FOPE policy rule with a dictionary, in EOP the dictionary is converted to a flat list. If you have rules that in FOPE shared a dictionary, consider consolidating those rules to reduce your rule count, or use a regular expression to optimize your search. Also, trim unneeded terms to reduce the rule size.
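The keyword and shared-dictionary consolidation suggested above can be checked locally before any old rule is removed. The following PowerShell is an added example, not part of the original topic: it merges constructed keyword lists case-insensitively, builds one pattern, and confirms with the .NET Regex class that every original keyword is still matched. The function names, the sample keywords, and the way the 20 KB limit is measured (UTF-8 byte count) are assumptions.

```powershell
# Constructed sample: flat keyword lists from three former FOPE rules that shared a dictionary.
$ruleKeywords = [ordered]@{
    'FOPE rule 1' = @('Invoice overdue', 'invoice OVERDUE', 'wire transfer ')
    'FOPE rule 2' = @('Wire Transfer', 'account suspended', 'C++ license')
    'FOPE rule 3' = @('account suspended', 'invoice overdue')
}

function Merge-KeywordList {
    param([string[]]$Keywords)
    # Transport rules match case-insensitively, so case variants count as duplicates.
    $seen = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($k in $Keywords) {
        $term = $k.Trim()                      # drop stray whitespace from the flat list
        if ($term -and $seen.Add($term)) { $term }
    }
}

function ConvertTo-KeywordPattern {
    param([string[]]$Keywords)
    # Escape metacharacters so "C++" is matched literally, then join as one alternation.
    ($Keywords | ForEach-Object { [regex]::Escape($_) }) -join '|'
}

function Test-PatternSize {
    param([string]$Pattern, [int]$LimitBytes = 20KB)
    # Assumption: the limit is compared against the UTF-8 byte count of the pattern.
    [System.Text.Encoding]::UTF8.GetByteCount($Pattern) -le $LimitBytes
}

$all     = @($ruleKeywords.Values | ForEach-Object { $_ })   # flatten all lists
$merged  = @(Merge-KeywordList -Keywords $all)
$pattern = ConvertTo-KeywordPattern -Keywords $merged
$regex   = [regex]::new($pattern, [System.Text.RegularExpressions.RegexOptions]::IgnoreCase)

# Regression check: every original keyword must still be caught by the merged pattern.
$missed = @($all | Where-Object { -not $regex.IsMatch($_) })

"Terms before/after merge: {0} -> {1}" -f $all.Count, $merged.Count
"Pattern: $pattern"
"Within size limit: $(Test-PatternSize -Pattern $pattern)"
"Original keywords no longer matched: $($missed.Count)"
```

A non-zero count on the last line means the merged pattern would let through a message that one of the original rules caught, so the old rule should stay until the pattern is corrected.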