Hey Microsoft, why limit Exchange Online filtering services?

A warning to never daisy-chain services is bad advice meant to avoid a Microsoft product's weakness; there are better options you can use

chain rope links

I was irked by the Microsoft TechNet article “Best Practice: Don't Daisy-Chain Filtering Services,” which was completely off base. Admins routinely daisy-chain with on-premise email where email enters the organization and can quickly move through a security service, an archive service, and so on until that mail reaches its ultimate destination, the user's mailbox.

Sure, trying the same in the cloud should not be encouraged because of the number of hops the email would have to make from one daisy-chained cloud to another. But does that mean you shouldn't daisy-chain ever? I don't think so.

UPDATED 12/23/14: Microsoft contacted me after reading this post and agreed the advice was inappropriate. It has pulled the original post and replaced it with a revised one that is more in line with the recommendations that follow in this post.

The article includes a scenario where a person wanted to test Exchange Online Protection (EOP) by simply turning off third-party services in their daisy-chained filter. Because EOP can evaluate only the connecting IP address, it won't see the originating IP address, so it will miss spam from those outside IP addresses.

But if your intent is to test EOP (which is built into Exchange Online), it would not make sense to continue using a daisy-chained service in front of it. You're better off moving your MX records to perform a proper test, rather than turning off your third-party filter but still allowing mail to flow through it.

The article says "daisy-chaining is always discouraged as it will not show a complete picture of EOP's spam-detection capabilities." I believe the article should have said “is always discouraged if you are trying to legitimately evaluate EOP."

To say it's always discouraged, then conclude with the direct command “don't daisy-chain” as an ostensible best practice shows a real lack of real-world experience.

The fact is that EOP isn't the only protection option available, and it lacks enterprise-grade features like link protection to protect against spear phishing. Yes, Microsoft says "time of click" and "zero-day" protection functionality is on the release road map for a year or so from now to protect you from spear phishing.

But if spear phishing is a concern for you today (as it should be), you need a better option than EOP in place. A non-EOP solution -- such as antimalware filtering -- requires daisy-chaining at least one service in front of Exchange Online.

Although I don't encourage that you daisy-chain multiple filtering services, it's not only common to have one service bolted onto Exchange, it's actually necessary in many real-world situations.

Exchange MVP Steve Goodman concurs: "Some proponents of an Office 365-only option might suggest otherwise, but it is perfectly fine to front Exchange Online with another service.”

At a time when IT admins are leery to jump all in with Office 365, they need more options and greater flexibility available to them, not fewer.