Best practices for configuring standalone EOP
Follow these best-practice recommendations for standalone Exchange Online Protection (EOP) in order to set yourself up for success and avoid common configuration errors. This article assumes that you already completed the setup process. If your EOP setup isn't finished, see Set up your EOP service.
Use a test domain
We recommend that you use a test domain, subdomain, or low volume domain for trying out service features before implementing them on your higher-volume, production domains.
Synchronize recipients
If your organization has existing user accounts in an on-premises Active Directory environment, you can synchronize those accounts to Microsoft Entra ID in the cloud. Using directory synchronization is recommended. To learn more about the benefits of using directory synchronization, and the steps for setting it up, see Manage mail users in Exchange Online (and EOP).
Recommended settings
We empower admins to customize their security settings to satisfy the needs of their organization. As a general rule, however, there are two security levels in EOP and Microsoft Defender for Office 365 that we recommend: Standard and Strict. These settings are listed in Recommended settings for EOP and Microsoft Defender for Office 365 security.
Although the article is focused on Microsoft Defender for Office 365, Get started with Microsoft Defender for Office 365 contains actions that also apply to standalone EOP:
- Step 1: Configure email authentication for your Microsoft 365 domains
- Step 2: Configure protection policies
- Step 3: Assign permissions to admins
Other settings
These settings cover a range of features that are outside of security policies.
Security feature name | Standard | Strict | Comment |
---|---|---|---|
Deploy the Report Message add-in or the Report Phishing add-in to improve end-user reporting of suspicious email. | Yes | Yes | |
Schedule Malware and Spam Reports. | Yes | Yes | |
Disable or monitor automatic email forwarding to external domains. | Yes | Yes | |
Verify that audit logging is enabled. | Yes | Yes | |
IMAP connectivity to mailbox | Disabled | Disabled | |
POP connectivity to mailbox | Disabled | Disabled | |
Authenticated SMTP submission | Disabled | Disabled | Authenticated client SMTP submission (also known as client SMTP submission or SMTP AUTH) is required for POP3 and IMAP4 clients, and for applications and devices that generate and send email. For instructions to enable or disable SMTP AUTH globally or selectively, see Enable or disable authenticated client SMTP submission in Exchange Online. |
EWS connectivity to mailbox | Disabled | Disabled | Outlook uses Exchange Web Services for free/busy, out-of-office settings, and calendar sharing. If you can't disable EWS globally, you have the following options: The Report Message add-in and the Report Phishing add-in use REST by default in supported environments, but fall back to EWS if REST isn't available. The supported environments that use REST are: |
PowerShell connectivity | Disabled | Disabled | Available for mailbox users or mail users (user objects returned by the Get-User cmdlet). |
Use spoof intelligence to add senders to your allow list | Yes | Yes | |
Directory-Based Edge Blocking (DBEB) | Enabled | Enabled | Domain Type = Authoritative |
Set up multifactor authentication for all admin accounts | Enabled | Enabled | |
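The following Exchange Online PowerShell script is an added example, not part of the Microsoft article, that reports on the rows of the table above and can then apply the Strict values. It assumes the ExchangeOnlineManagement module is installed and that the signed-in account holds an Exchange administrator role; `admin@contoso.example` and any other `.example` names are placeholders. Multifactor authentication for admins is configured in Microsoft Entra ID, not through these cmdlets, so it is out of scope here.

```powershell
# Added example (not from the Microsoft article). Placeholders: contoso.example.
# Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'

function Get-EopOtherSettingsReport {
    # Read-only pass: one finding per setting that deviates from the table.
    $f = New-Object System.Collections.Generic.List[object]
    $add = { param($o, $s, $v) $f.Add([pscustomobject]@{ Object = $o; Setting = $s; Current = $v }) }

    # Per-mailbox protocols (Get-CASMailbox). $null on SmtpClientAuthenticationDisabled
    # means "inherit the organization setting", so it is reported together with the org value.
    $org = Get-TransportConfig
    if (-not $org.SmtpClientAuthenticationDisabled) { & $add 'Organization' 'SMTP AUTH' 'Enabled' }
    Get-CASMailbox -ResultSize Unlimited | ForEach-Object {
        if ($_.ImapEnabled) { & $add $_.Identity 'IMAP' 'Enabled' }
        if ($_.PopEnabled)  { & $add $_.Identity 'POP'  'Enabled' }
        if ($_.EwsEnabled -ne $false) { & $add $_.Identity 'EWS' 'Enabled or not set' }
        if ($_.SmtpClientAuthenticationDisabled -eq $false) { & $add $_.Identity 'SMTP AUTH' 'Explicitly enabled' }
    }

    # PowerShell connectivity for mailbox users and mail users (Get-User objects).
    Get-User -ResultSize Unlimited -RecipientTypeDetails UserMailbox,MailUser |
        Where-Object { $_.RemotePowerShellEnabled } |
        ForEach-Object { & $add $_.UserPrincipalName 'PowerShell' 'Enabled' }

    # Audit logging, DBEB domain type, and automatic external forwarding.
    if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) { & $add 'Organization' 'Audit log' 'Disabled' }
    Get-AcceptedDomain | Where-Object { $_.DomainType -ne 'Authoritative' } |
        ForEach-Object { & $add $_.DomainName 'DBEB domain type' $_.DomainType }
    Get-HostedOutboundSpamFilterPolicy | Where-Object { $_.AutoForwardingMode -ne 'Off' } |
        ForEach-Object { & $add $_.Name 'AutoForwardingMode' $_.AutoForwardingMode }

    return $f
}

function Set-EopOtherSettingsStrict {
    # Applies the Strict column. Run with -WhatIf first; the Set-* cmdlets honor it.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Accounts that keep PowerShell access (at least the admin running this).
        [string[]]$KeepPowerShellFor = @('admin@contoso.example'),
        # EWS is off by default here because the table notes Outlook depends on it.
        [switch]$IncludeEws,
        # DBEB only for domains whose recipients are all present in Exchange Online
        # (see "Synchronize recipients" above); otherwise valid mail is rejected.
        [string[]]$AuthoritativeDomains = @()
    )
    Set-TransportConfig -SmtpClientAuthenticationDisabled $true
    $cas = @{ ImapEnabled = $false; PopEnabled = $false }
    if ($IncludeEws) { $cas.EwsEnabled = $false }
    Get-CASMailbox -ResultSize Unlimited | Set-CASMailbox @cas

    Get-User -ResultSize Unlimited -RecipientTypeDetails UserMailbox,MailUser |
        Where-Object { $_.RemotePowerShellEnabled -and $_.UserPrincipalName -notin $KeepPowerShellFor } |
        Set-User -RemotePowerShellEnabled $false

    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
    foreach ($d in $AuthoritativeDomains) { Set-AcceptedDomain -Identity $d -DomainType Authoritative }
}

# Typical use: review first, then dry-run, then apply.
# Get-EopOtherSettingsReport | Format-Table -AutoSize
# Set-EopOtherSettingsStrict -WhatIf
# Set-EopOtherSettingsStrict -KeepPowerShellFor 'admin@contoso.example'
```

The report function is deliberately separate from the enforcing function so that the list of affected mailboxes can be checked against the test domain recommended earlier before anything changes in production.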
Troubleshooting
Troubleshoot general issues and trends by using the reports in the admin centers. For more information, see View email security reports in the Microsoft Defender portal.
Find single point specific data about a message by using the message trace tool. For more information, see Message trace in Exchange Online.
Report false positives and false negatives to Microsoft
To help improve spam filtering in the service for everyone, you should report false positives (good email marked as bad) and false negatives (bad email allowed) to Microsoft for analysis. For more information, see Report messages and files to Microsoft.
Create mail flow rules
Create mail flow rules (also known as transport rules) or custom filters to meet your business needs.
When you deploy a new rule to production, select one of the test modes first to see the effect of the rule. Once you're satisfied that the rule is working in the manner intended, change the rule mode to Enforce.
When you deploy new rules, consider adding the Generate Incident Report action to monitor the rule in action.
In hybrid environments where your organization includes both on-premises Exchange and Exchange Online, consider the conditions that you use in mail flow rules. If you want the rules to apply to the entire organization, be sure to use conditions that are available in both on-premises Exchange and in Exchange Online. While most conditions are available in both environments, there are a few that are only available in one environment or the other. Learn more at Mail flow rules (transport rules) in Exchange Online.
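As an added example (not from the Microsoft article), the script below follows the three recommendations in this section with Exchange Online PowerShell: it creates a rule in Audit mode, attaches a Generate Incident Report action so the rule can be watched, and only then promotes the rule to Enforce. The rule name, the trigger words, and `secops-reports@contoso.example` are constructed placeholders; an open Exchange Online session is assumed. The conditions used (`FromScope` and `SubjectOrBodyContainsWords`) exist in both on-premises Exchange and Exchange Online, so the same rule could be created on both sides of a hybrid organization.

```powershell
# Added example (not from the Microsoft article). Placeholder names end in .example.
$ruleName        = 'Flag external payroll-change requests (example)'
$incidentMailbox = 'secops-reports@contoso.example'

function New-StagedMailFlowRule {
    # Step 1: create the rule in a test mode. In Audit mode the modifying actions are
    # not applied to mail, but the incident report is still generated, which is what
    # lets you observe the rule before it can affect delivery.
    New-TransportRule -Name $ruleName `
        -FromScope NotInOrganization `
        -SubjectOrBodyContainsWords 'payroll update', 'direct deposit change' `
        -PrependSubject '[EXTERNAL - verify by phone] ' `
        -GenerateIncidentReport $incidentMailbox `
        -IncidentReportContent Sender, Recipients, Subject, RuleDetections, AttachOriginalMail `
        -SetAuditSeverity Medium `
        -Mode Audit `
        -Comments "Created in Audit mode on $(Get-Date -Format s); promote to Enforce after review."
}

function Get-StagedMailFlowRuleStatus {
    # Step 2: confirm the rule is still in a test mode while incident reports are reviewed.
    Get-TransportRule -Identity $ruleName | Select-Object Name, State, Mode, Priority, WhenChanged
}

function Enable-StagedMailFlowRule {
    # Step 3: once the incident reports show the expected matches and no false positives,
    # switch the mode; the conditions and actions stay exactly as tested.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    Set-TransportRule -Identity $ruleName -Mode Enforce
    Get-TransportRule -Identity $ruleName | Select-Object Name, Mode
}

# Typical sequence:
# New-StagedMailFlowRule
# Get-StagedMailFlowRuleStatus        # repeat while reviewing reports in $incidentMailbox
# Enable-StagedMailFlowRule -WhatIf
# Enable-StagedMailFlowRule
```

Between the second and third steps, the message trace tool mentioned under Troubleshooting shows which individual messages the rule matched, so false positives can be corrected in the conditions before the rule is enforced.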