[EXOAtpPolicyForO365] Using BlockUrls is giving a deprecated error #2204

Closed
ykuijs opened this issue Aug 23, 2022 · 3 comments · Fixed by #2324 or #2371
Labels
Breaking Changes Bug Something isn't working

Comments

@ykuijs
Member

ykuijs commented Aug 23, 2022

Details of the scenario you tried and the problem that is occurring

When using the BlockUrls parameter of the EXOAtpPolicyForO365 resource, I am getting the below error. These blocked urls are now being managed via the Tenant Allow/Block List in [Microsoft Defender](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/manage-tenant-allow-block-list?view=o365-worldwide).

This line is giving the error:

Verbose logs showing the problem

2022-08-23T08:22:52.8920638Z ##[error]SafeLinks BlockURLs is being replaced by the Tenant Allow/Block List. Going forward all tenant blocks must be managed 
there. Deletes to BlockURLs are supported.
    + CategoryInfo          : InvalidArgument: (:) [], CimException
    + FullyQualifiedErrorId : [Server=VI1PR07MB6366,RequestId=bccaa3c2-1818-4665-9f6c-6ba25b09ffad,TimeStamp=8/23/2022 
    8:22:52 AM] [FailureCategory=Cmdlet-ValidationException] BE991DE7,Microsoft.Exchange.Management.SystemConfigurati  
  onTasks.SetAtpPolicyForO365
    + PSComputerName        : localhost

Suggested solution to the issue

Use the Microsoft Defender cmdlets to create these Blocked URL lists:
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-safe-links-policies?view=o365-worldwide#use-powershell-to-create-safe-links-policies

The DSC configuration that is used to reproduce the issue (as detailed as possible)

# insert configuration here

The operating system the target node is running

Version of the DSC module that was used ('dev' if using current dev branch)

dev

@ykuijs ykuijs added Defender Bug Something isn't working labels Aug 23, 2022
@NikCharlebois
Collaborator

Since we already have an EXOSafeLinksPolicy resource that uses this cmdlet, would the appropriate fix not be to remove these parameters from the EXOAtpPolicyForO365 resource altogether instead?

@ykuijs
Member Author

ykuijs commented Aug 23, 2022

Didn't think of that one :-) Agree that for this resource, we should remove the property, but:

I did some further digging and unfortunately this Safe Links Policy resource is unable to configure the Tenant Allow/Block List. This [article](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-safe-links-policies?view=o365-worldwide#use-powershell-to-create-safe-links-policies) says:

Note: You configure the "Block the following URLs" list in the global settings for Safe Links protection outside of Safe Links policies.

We might need to create a new Defender resource that is able to manage these settings using these cmdlets:
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/allow-block-urls?view=o365-worldwide#use-powershell-to-modify-allow-or-block-entries-for-urls-in-the-tenant-allowblock-list
Together with these settings:
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/configure-global-settings-for-safe-links?view=o365-worldwide#configure-the-block-the-following-urls-list-in-powershell
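
Until a DSC resource covers the Tenant Allow/Block List, the URLs formerly passed as BlockUrls can be carried over with the Exchange Online cmdlets directly. The script below is an added example, not part of this thread or of the Microsoft365DSC code base; the function names and sample URLs are hypothetical, and it assumes an existing Connect-ExchangeOnline session with rights to manage the Tenant Allow/Block List.

```powershell
# Added example (not Microsoft365DSC code). Assumes a connected
# ExchangeOnlineManagement session; function names are hypothetical.

function Get-BlockUrlMigrationPlan {
    # Pure helper: returns the legacy entries not yet present in the block list.
    param(
        [string[]] $BlockUrls,          # values formerly set on EXOAtpPolicyForO365
        [string[]] $ExistingTablValues  # values already blocked in the tenant list
    )
    $seen = [System.Collections.Generic.HashSet[string]]::new(
        [System.StringComparer]::OrdinalIgnoreCase)
    foreach ($v in $ExistingTablValues) { if ($v) { [void]$seen.Add($v.Trim()) } }

    foreach ($url in $BlockUrls) {
        if ([string]::IsNullOrWhiteSpace($url)) { continue }
        $entry = $url.Trim()
        # Add() returns $false for duplicates, so each entry is emitted once.
        if ($seen.Add($entry)) { $entry }
    }
}

function Copy-BlockUrlsToTenantBlockList {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string[]] $BlockUrls)

    $current = @(Get-TenantAllowBlockListItems -ListType Url -Block |
        Select-Object -ExpandProperty Value)
    $toAdd = @(Get-BlockUrlMigrationPlan -BlockUrls $BlockUrls -ExistingTablValues $current)

    foreach ($entry in $toAdd) {
        if (-not $PSCmdlet.ShouldProcess($entry, 'Add URL block entry')) { continue }
        try {
            # One entry per call so a rejected entry does not stop the rest.
            New-TenantAllowBlockListItems -ListType Url -Block -Entries $entry `
                -NoExpiration -ErrorAction Stop | Out-Null
            [pscustomobject]@{ Entry = $entry; Status = 'Added' }
        }
        catch {
            [pscustomobject]@{ Entry = $entry; Status = "Failed: $($_.Exception.Message)" }
        }
    }
}

# Constructed sample values; preview with -WhatIf before applying.
# Copy-BlockUrlsToTenantBlockList -BlockUrls 'blocked.example.com', 'example.org/path' -WhatIf
```

Entries that the service rejects show up with a `Failed` status and should be checked against the URL entry syntax in the Tenant Allow/Block List documentation linked above.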

@NikCharlebois
Collaborator

Will be removing BlockedURLs alongside other deprecated parameters and will be included in breaking change release 1.22.1005.1. Defender resources will be addressed separately at a later time.
