AIR features showing for G3 users as well

Question

AIR features showing for G3 users as well

Amruth Sai 0

Hello Team,

We’ve noticed that when our G3 users report phishing emails using the built‑in “Report Phishing” button, those messages appear in the Investigations (AIR) section of the Microsoft Security portal. Based on Microsoft’s documentation, AIR is a feature of Defender for Office 365 Plan 2, which is included with G5/E5 licenses. Because of that, I’m trying to understand why G3‑licensed users’ submissions are showing up in the AIR blade.

My questions are:

Are these messages being processed according to the user’s license tier? For example, are G3 users’ reported emails are appearing with limited AIR functionality under investigations tab, while G5 users’ reports receive the full AIR experience?
Or is this behavior the result of a trial version of Defender for Office 365 Plan 2 being active?

Is there any kind of pay‑as‑you‑go feature that could have been enabled?

Or are these simply basic EOP/Defender for Office 365 Plan 1 features that still surface in the Investigations tab, even without full AIR capabilities?

Additionally, I’d like clarification on preset security policies: With a G3 license, can we still apply the Standard Protection preset under Security Admin Center → Email & Collaboration → Policies & Rules → Threat Policies → Preset Security Policies?

Thank you.

0 comments

3 answers

Your answer

Answer 1

Hi @Amruth Sai,

Thank you for the follow up and for summarizing your understanding so clearly.

Your licensing baseline is generally aligned with Microsoft guidance. Microsoft Defender for Office 365 Plan 2 is included with enterprise subscriptions such as G5, while G3 does not typically include Plan 2 by default. In addition, Microsoft notes that some online services can be activated at the tenant level, and at the same time the appropriate licenses are still required for the users or mailboxes that benefit from the service.

With that context, it is expected that AIR investigations can appear in the tenant when Plan 2 is present, because user submissions are a documented trigger for Automated investigation and response when AIR is available. From a licensing and entitlement perspective, Plan 2 capabilities should be treated as applicable to the users who are licensed for Plan 2, even if the tenant has Plan 2 functionality available.

Regarding the Standard Protection preset, it can be enabled in a tenant that has both G3 and G5 users, as long as the recipients you assign to the Standard preset have Microsoft Defender for Office 365 Plan 1 or higher available. Microsoft also confirms that preset security policies apply to Defender for Office 365 Plan 1 and Plan 2, and that Standard is one of the available preset options. In a mixed licensing setup, the cleanest approach is to scope the Standard preset to the users or groups that have the required Defender for Office 365 entitlement, and allow other users to remain under the protections that apply when they are not included in Standard or Strict presets.

For reference, these Microsoft articles summarize the requirements and behavior clearly: Preset security policies and Set up the Standard or Strict preset security policies.

I hope this response has helped address your question and clarify the behavior you're experiencing. Please feel free to reply if you have any further questions, I would be happy to assist further.

Looking forward to your response and wishing you a great day ahead.

Amruth Sai 0 Reputation points

2026-03-18T16:14:45.91+00:00

Hello Nguyen,

That helped me to understand the licensing structure. Thanks a lot
Vy Nguyen 10,130 Reputation points Microsoft External Staff Moderator

2026-03-18T16:17:51.9933333+00:00

Hi @Amruth Sai,

Thank you very much for your kinds words.

If you have any concerns or questions in the future, please don’t hesitate to reach out. Not only will I be happy to assist you, but all moderators in the Q&A forum will also do their best to provide support and guidance.

If you found the answer helpful, I truly appreciate that you can marking it as accepted. This helps highlight the solution for others who may be searching for similar information in the community. Your contribution not only supports fellow users in finding the right guidance more quickly, but also helps build a more resourceful and collaborative space for everyone.

I truly appreciate your time and cooperation throughout the resolution of this matter.

Thank you for being a valued customer and for contacting us on the Microsoft Q&A forum.

Answer 2

Hello Vy Nguyen,

Thanks for checking on this

1.) Correct my understanding if i am wrong; (from your comment)

G3 users doesn't have p1 or p2 for office 365 ; whereas g5 users have p2 for office 365

When a tenant has any active Plan 2 entitlement—such as at least one G5 user or any user licensed with Office 365 Plan 2—the Plan 2 feature set becomes enabled at the tenant level. I also verified that no Plan 2 trial is active under the Trials tab, so the entitlement is coming solely from the existing G5/P2‑licensed users.

Because of this tenant‑level activation, even though G3 users do not have Plan 2 rights, the presence of a G5 user enables the backend Plan 2 capabilities across the environment.

This leads to the following behavior:

G3 users’ reported messages still get processed by the AIR (Automated Investigation & Response) blade, but only with limited functionality, since they are not individually licensed for Plan 2.

G5 users’ reported messages are processed with the full AIR blade capabilities, because they do hold the required Plan 2 license.

In short: Plan 2 activates at the tenant level, but full AIR processing only applies to users who actually hold a Plan 2 license.

3.) So, with some g3 users and few g5 users present in a tenant; can i enable preset standard protection template ?

Vy Nguyen 10,130 Reputation points Microsoft External Staff Moderator

2026-03-18T15:08:22.4766667+00:00

Hi @Amruth Sai,

I hope everything is going well on your end.

I’m following up on the support thread we've been working through together. I wanted to check in and see if the information I shared in my previous answer helped resolve the issue you were experiencing.

If you're still experiencing any issues or have further questions, please feel free to reach out at any time. I’m always happy to help if you need anything else.

I want to ensure everything is functioning smoothly and that your experience remains seamless.

Thank you again for your collaboration throughout the troubleshooting process.

I look forward to hearing from you soon.

Answer 3

Hi @Amruth Sai,

Thank you for taking the time to describe the behavior clearly and to include the licensing context in your questions.

From your description, you have noticed that when G3 users report phishing using the built in Report Phishing button, the submitted messages appear under Investigations in the Microsoft Defender portal.

This can occur when the tenant has Microsoft Defender for Office 365 Plan 2 capabilities enabled, either through an active Plan 2 entitlement or through a Plan 2 trial or evaluation. In Plan 2 organizations, when a user reports a message as phishing, an investigation can be created automatically in Automated investigation and response and surfaced in the Investigations experience.

Regarding your questions, here is the most accurate way to interpret what you are seeing.

License tier processing and the impact of a Plan 2 trial or evaluation

Automated investigation and response is a Plan 2 capability, and Microsoft documentation explains that when a user reports a message as phishing, an investigation can be created automatically in AIR when Plan 2 is available.
As a result, seeing G3 user submissions listed in Investigations is a strong indicator that Plan 2 functionality is currently enabled at the tenant level, either through an active Plan 2 entitlement or through a Plan 2 trial or evaluation.
For a definitive confirmation in your environment, the most direct check is whether Microsoft Defender for Office 365 Plan 2 is currently enabled as a subscription, trial, or evaluation in the tenant.

Pay as you go versus features surfaced from EOP or Defender for Office 365

Microsoft documentation describes AIR as part of Microsoft Defender for Office 365 Plan 2 and points to subscription and trial or evaluation as the ways Plan 2 becomes available.
It also clarifies that when a Plan 2 trial ends, the Plan 2 automation and investigation capabilities are what stop, which aligns with the idea that this behavior is tied to Plan 2 enablement rather than a separate pay as you go toggle.

Standard Protection preset availability when users have a G3 base license

Preset security policies are documented as applicable across built in security features and Microsoft Defender for Office 365 Plan 1 and Plan 2, and Standard protection is one of the available preset options.
The step by step guidance also states that Defender for Office 365 Plan 1 or higher is required for Standard and Strict presets.
Therefore, Standard protection can be applied when the tenant has Defender for Office 365 Plan 1 or higher available for the scope you want to protect, even if the base suite for those users is G3, because eligibility depends on the Defender for Office 365 entitlement rather than only the suite name.

I hope this information is helpful. Please follow these steps and let me know if it works for you. If you have any updates regarding the issue, please feel free to share them with me.

Thank you for your patience and your understanding. I look forward to continuing the conversation.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment”.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Share via

AIR features showing for G3 users as well

3 answers

Your answer