Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Exchange Online mailboxes come with built-in security features. These are focused on spam filtering and blocking common malware attacks in email traffic to protect against basic email threats. These features are included with every Exchange Online cloud mailbox and available as an add-on for Exchange on-premises mailboxes. For comprehensive email security, including phishing prevention, post-delivery remediation, threat investigation, and end-user resilience, learn more about Microsoft Defender for Office 365 Plan 1 and Plan 2.
Service details
Deployment: No setup required; protection is applied automatically.
Management: Administrators can view filtering reports and adjust basic settings via the Microsoft 365 admin center.
Integration: Works seamlessly with Exchange Online and other Microsoft 365 services.
Advanced email protection
For organizations seeking enhanced security beyond baseline protection, Microsoft Defender for Office 365 offers:
Defender for Office 365 Plan 1: Available in certain Microsoft 365 subscriptions for small to medium-sized businesses, such as Microsoft 365 Business Premium. This plan provides protection against advanced and zero-day phishing, malware, and other email-based threats, including features like Safe Links, Safe Attachments, and real-time threat detection.
Defender for Office 365 Plan 2: Included in enterprise-level Microsoft 365 subscriptions, such as Microsoft 365 E5, A5, and GCC G5. This plan offers all the capabilities of Plan 1, plus AST and SOC capabilities such as advanced threat hunting, automation, and investigation tools. It is designed for organizations needing greater visibility, response capabilities, and support for compliance.
Exchange Enterprise CAL with Services features
Microsoft Exchange Enterprise CAL with Services provides the email protection of built-in security features and the following additional cloud-based features:
For more information about Exchange Enterprise CAL with Services licensing, see Exchange licensing FAQs.
If you have Exchange Enterprise CAL with Services licenses and you want to provision built-in security features, follow the instructions in Set up your EOP service. The setup steps are the same as the steps for setting up built-in security features standalone.
Note
New features for Exchange Enterprise CAL with Services are deployed at the same time as Exchange Online, not EOP standalone. Be advised that the deployment schedules for EOP standalone and Exchange Online/Exchange Enterprise CAL with Services may be slightly different.
Feature availability
The following table lists built-in security features available for cloud mailboxes and across plans. See the footnotes for more information. For the most up-to-date, complete list of features, see Powerful tools to support your enterprise.
| Feature | Built-in security for on-premises mailboxes add-on | Built-in security features in EE CAL w/ Services | Built-in security features for cloud mailboxes |
|---|---|---|---|
| Protection | |||
| Anti-malware policies (built-in and custom) | Yes | Yes | Yes |
| Inbound anti-spam policies (built-in and custom) | Yes | Yes | Yes |
| Outbound anti-spam policies (built-in and custom) | Yes | Yes | Yes |
| Connection filtering (IP Allow list and IP Blocklist) | Yes | Yes | Yes |
| Anti-phishing policies (built-in and custom) | Yes | Yes | Yes |
| Anti-spoofing protection (built-in and custom) | Yes | Yes | Yes |
| Zero-hour auto purge (ZAP) for delivered malware, spam, and phishing messages10 | No | No | Yes |
| Preset security policies | Yes | Yes | Yes |
| Configuration analyzer for protection policies | Yes | Yes | Yes |
| Tenant Allow/Blocklist | Yes | Yes | Yes |
| Blocklists for message senders | Yes | Yes | Yes |
| Allow lists for message senders | Yes | Yes | Yes |
| Edge blocking | Yes | Yes | Yes |
| Directory Based Edge Blocking (DBEB) for nonexistent recipients | Yes | Yes | Yes |
| Quarantine and submissions | |||
| Admin submission10 | No | No | Yes |
| User submission (custom mailbox)10 | No | No | Yes |
| Admin quarantine | Yes | Yes | Yes |
| End-user quarantine | Yes | Yes | Yes |
| Report Message add-in and Report Phishing add-in for Outlook | Yes | Yes | Yes |
| Mail flow | |||
| Mail flow rules (transport rules)4 | Yes | Yes6 | Yes |
| Accepted domains3 | Yes | Yes | Yes |
| Connectors | Yes | Yes | Yes |
| Enhanced Filtering for Connectors (skip listing) | Yes | Yes | Yes |
| Monitoring | |||
| Message trace | Yes | Yes | Yes |
| Email and security reports in the Microsoft 365 admin center | Yes7 | Yes7,8 | Yes8 |
| Security reports in the Microsoft 365 security center | Yes7 | Yes7,8 | Yes8 |
| Email reports in the EAC | Yes7 | Yes7,8 | Yes8 |
| Admin audit logging5 | Yes | Yes | Yes |
| Users | |||
| Mail users and mail contacts1 | Yes | Yes | Yes |
| Mailboxes | No | No | Yes1a |
| Role based access control (RBAC)2 | Yes | Yes | Yes |
| Compliance | |||
| Data Loss Prevention for email | No | Yes | Yes |
| Microsoft Purview Message Encryption | No9 | No9 | Yes |
| Administration | |||
| Microsoft 365 admin center | Yes | Yes | Yes |
| Exchange admin center | Yes | Yes | Yes |
| Microsoft 365 security center | Yes | Yes | Yes |
| Standalone Exchange Online Protection PowerShell | Yes | No | No |
| Exchange Online PowerShell | No | Yes | Yes |
1 You create, remove, and edit mail users and mail contacts in the EAC.
1a You create and remove mailboxes in the Microsoft 365 admin center. You can edit existing mailboxes in the EAC.
2 In standalone EOP and EE CAL with Services, there are no end-user roles or role assignment policies.
3 You add and remove domains in the Microsoft 365 admin center. In the EAC, you configure domains as Authoritative or Non-Authoritative.
4 A few rule conditions, exceptions, and actions are not available in standalone EOP or the EOP in EE CAL with Services. These differences are clearly noted in Exchange Online mail flow rule content.
5 In standalone EOP and EE CAL with Services:
- Mailbox auditing reports aren't available.
- The Administrator role group report and Admin audit log report are the only admin auditing reports in the EAC.
- Audit log export available only via PowerShell.
6 DLP policy tips are not available in EE CAL with Services.
7 Reports in standalone EOP and EE CAL with Services are a subset of Exchange Online reports (reports that deal with mailboxes).
8 Includes DLP reports.
9 You can purchase Azure Information Protection as an add-on subscription and use OME if you configure your on-premises email environment to route email to and from the internet through EOP.
10 This feature requires Exchange Online mailboxes.
Learn more
For technical information about built-in security features for cloud mailboxes, check out the following resources:
Licensing terms
For licensing terms and conditions for products and services purchased through Microsoft Commercial Volume Licensing Programs, see the Product Terms site.
Messaging
To keep track of upcoming changes, including new and changed features, planned maintenance, or other important announcements, visit the Message Center. For more information, see Message center.
Accessibility
Microsoft remains committed to the security of your data and the accessibility of our services. For more information, see the Microsoft Trust Center and the Office Accessibility Center.