Configure and review priority account protection in Microsoft Defender for Office 365

• Applies to:

  ✅ Microsoft Defender for Office 365 2, ✅ Microsoft 365 Defender

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365 Defender portal trials hub. Learn about who can sign up and trial terms here.

In Microsoft 365 organizations with Microsoft Defender for Office 365 Plan 2, priority account protection is a differentiated level of protection that's applied to accounts that have the Priority account tag applied to them. For more information about the Priority account tag and how to apply it to users, see Manage and monitor priority accounts.

Priority account protection offers additional heuristics that are tailored to company executives that don't benefit regular employees. Priority account protection is better suited to the mail flow patterns of company executives based on extensive data from the Microsoft datacenters.

By default, priority account protection is turned on in organizations with Defender for Office 365 Plan 2. This default behavior means an account that's tagged as a Priority account automatically receives priority account protection.

This article describes how to confirm that priority account protection is turned on, how to turn it on, and identifies the reporting features that allow you to see the results of priority account protection.

What do you need to know before you begin?

• You open the Microsoft 365 Defender portal at https://security.microsoft.com.

• You need to be assigned permissions before you can do the procedures in this article. You have the following options:

  • Exchange Online RBAC: Membership in the Organization Management or Security Administrator role groups.
  • Azure AD RBAC: Membership in the Global Administrator or Security Administrator roles gives users the required permissions and permissions for other features in Microsoft 365.

• As previously described, priority account protection is applied to accounts that have the Priority account tag applied to them. For instructions, see Manage and monitor priority accounts.

• The Priority account tag is a type of user tag. You can create custom user tags to differentiate specific groups of users in reporting and other features. For more information about user tags, see User tags in Microsoft Defender for Office 365.

Review or turn on priority account protection in the Microsoft 365 Defender portal

Note

We don't recommend turning off priority account protection.

1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Settings > Email & collaboration > Priority account protection. Or, to go directly to the Priority account protection page, use https://security.microsoft.com/securitysettings/priorityAccountProtection.

2. On the Priority account protection page, verify that Priority account protection is turned on ( ).

   

Review or turn on priority account protection in Exchange Online PowerShell

If you'd rather use PowerShell to verify that priority account protection is turned on, run the following command in Exchange Online PowerShell:

Get-EmailTenantSettings | Format-List Identity,EnablePriorityAccountProtection

The value True for the EnablePriorityAccountProtection property means priority account protection is turned on. The value False means priority account protection is turned off.

To turn on priority account protection, run the following command:

Set-EmailTenantSettings -EnablePriorityAccountProtection $true

For detailed syntax and parameter information, see Get-EmailTenantSettings and Set-EmailTenantSettings.

Review differentiated protection from priority account protection

The effects of priority account protection are visible in the following reporting features:

• Threat protection status report
  • View data by Email > Phish and Chart breakdown by Detection Technology
  • View data by Email > Spam and Chart breakdown by Detection Technology
  • View data by Email > Malware and Chart breakdown by Detection Technology
  • Chart breakdown by Policy type
  • Chart breakdown by Delivery status
• Threat Explorer and real-time detections
• Email entity page

For information about where the Priority account tag and other user tags are available as filters, see User tags in reports and features.

Threat protection status report

The Threat protection status report brings together information about malicious content and malicious email detected and blocked by Exchange Online Protection and Defender for Office 365. For more information, see Threat protection status report.

In the previously mentioned views in the report, the option Priority account protection and the value Yes is available when you select Filter. This option allows you to filter the data in the report by priority account protection detections.

Threat Explorer

For more information about Threat Explorer, see Threat Explorer and Real-time detections.

To view the results of priority account protection in Threat Explorer, do the following steps:

1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Email & collaboration > Explorer. Or, to go directly to the Explorer page, use https://security.microsoft.com/threatexplorer.

2. On the Explorer page, on the All email, Malware, or Phish tabs, select Context > Equal any of > Priority account protection, and then select Refresh.

   

Email entity page

The email entity page is available in Threat Explorer. For more information, see The Email entity page.

In the filtered results on the All email, Malware, or Phish tabs of the Explorer page, select the Subject of an email message in the results.

In the details flyout that opens, select Open email entity at the top of the flyout.

On the email entity page that opens, select the Analysis tab. Priority account protection is listed in the Threat detection details section.

More information

• User tags in Microsoft Defender for Office 365
• Manage and monitor priority accounts