Exchange Online Protection service description
Obtain information about features and requirements for Exchange Online Protection. Included is a list of plans that provide Exchange Online Protection, as well as a comparison of features across those plans.
Microsoft Exchange Online Protection (EOP) is a cloud-based email filtering service that helps protect your organization against spam and malware and includes features to safeguard your organization from messaging-policy violations. EOP can simplify the management of your messaging environment and alleviate many of the burdens that come with maintaining on-premises hardware and software.
The following list describes the primary ways you can use EOP for messaging protection:
In a standalone scenario: EOP provides cloud-based email protection for your on-premises email environment (Exchange Server or other on-premises SMTP email solutions).
As a part of Microsoft Exchange Online: By default, EOP protects Exchange Online cloud-hosted mailboxes. To learn more about Exchange Online, see the Exchange Online service description.
In a hybrid deployment: EOP can be configured to protect your messaging environment and control mail routing when you have a mix of on-premises and cloud mailboxes.
The following table shows the plans that include Exchange Online Protection so you can choose the solution that best meets the needs of your organization. For detailed plan information, see Exchange Online Protection.
For detailed plan information on subscriptions that enable users for Exchange Online Protection, see the full subscription comparison table.
Exchange Enterprise CAL with Services features
Microsoft Exchange Enterprise CAL with Services provides the email protection features of EOP and the following additional cloud-based features:
For more information about Exchange Enterprise CAL with Services licensing, see Exchange licensing FAQs.
If you have Exchange Enterprise CAL with Services licenses and you want to provision EOP, follow the instructions in Set up your EOP service. The setup steps are the same as the steps for setting up EOP standalone.
New features for Exchange Enterprise CAL with Services are deployed at the same time as Exchange Online, not EOP standalone. Be advised that the deployment schedules for EOP standalone and Exchange Online/Exchange Enterprise CAL with Services may be slightly different.
Requirements for Exchange Online Protection (EOP)
EOP can be used with any SMTP mail transfer agent, such as Microsoft Exchange Server. For information about the operating systems, web browsers, and languages that are supported by EOP, see the "Supported browsers" and "Supported languages" sections in Exchange admin center in Exchange Online Protection.
For limits in EOP, see Exchange Online Protection limits.
The following table lists the major Exchange Online Protection features available across plans. Certain caveats apply. See the footnotes for further information. This table may change without notice. For the most up-to-date, complete list of features, see Powerful tools to support your enterprise.
|Feature||Standalone EOP||EOP in EE CAL w/ Services||EOP features in Exchange Online|
|Anti-malware policies (built-in and custom)||Yes||Yes||Yes|
|Inbound anti-spam policies (built-in and custom)||Yes||Yes||Yes|
|Outbound anti-spam policies (built-in and custom)||Yes||Yes||Yes|
|Connection filtering (IP Allow list and IP Block list)||Yes||Yes||Yes|
|Anti-phishing policies (built-in and custom)||Yes||Yes||Yes|
|Anti-spoofing protection (built-in and custom)||Yes||Yes||Yes|
|Zero-hour auto purge (ZAP) for delivered malware, spam, and phishing messages10||No||No||Yes|
|Preset security policies||Yes||Yes||Yes|
|Configuration analyzer for protection policies||Yes||Yes||Yes|
|Tenant Allow/Block List||Yes||Yes||Yes|
|Block lists for message senders||Yes||Yes||Yes|
|Allow lists for message senders||Yes||Yes||Yes|
|Directory Based Edge Blocking (DBEB) for nonexistent recipients||Yes||Yes||Yes|
|Quarantine and submissions|
|User submission (custom mailbox)10||No||No||Yes|
|Report Message add-in and Report Phishing add-in for Outlook||Yes||Yes||Yes|
|Mail flow rules (transport rules)4||Yes||Yes6||Yes|
|Enhanced Filtering for Connectors (skip listing)||Yes||Yes||Yes|
|Email and security reports in the Microsoft 365 admin center||Yes7||Yes7,8||Yes8|
|Security reports in the Microsoft 365 security center||Yes7||Yes7,8||Yes8|
|Email reports in the EAC||Yes7||Yes7,8||Yes8|
|Admin audit logging5||Yes||Yes||Yes|
|Mail users and mail contacts1||Yes||Yes||Yes|
|Role based access control (RBAC)2||Yes||Yes||Yes|
|Data Loss Prevention for email||No||Yes||Yes|
|Microsoft Purview Message Encryption||No9||No9||Yes|
|Microsoft 365 admin center||Yes||Yes||Yes|
|Exchange admin center||Yes||Yes||Yes|
|Microsoft 365 security center||Yes||Yes||Yes|
|Standalone Exchange Online Protection PowerShell||Yes||No||No|
|Exchange Online PowerShell||No||Yes||Yes|
1 You create, remove, and edit mail users and mail contacts in the EAC.
1a You create and remove mailboxes in the Microsoft 365 admin center. You can edit existing mailboxes in the EAC.
2 In standalone EOP and EE CAL with Services, there are no end-user roles or role assignment policies.
3 You add and remove domains in the Microsoft 365 admin center. In the EAC, you configure domains as Authoritative or Non-Authoritative.
4 A few rule conditions, exceptions, and actions are not available in standalone EOP or the EOP in EE CAL with Services. These differences are clearly noted in Exchange Online mail flow rule content.
5 In standalone EOP and EE CAL with Services:
- Mailbox auditing reports aren't available.
- The Administrator role group report and Admin audit log report are the only admin auditing reports in the EAC.
- Audit log export available only via PowerShell.
6 DLP policy tips are not available in EE CAL with Services.
7 Reports in standalone EOP and EE CAL with Services are a subset of Exchange Online reports (reports that deal with mailboxes).
8 Includes DLP reports.
9 You can purchase Azure Information Protection as an add-on subscription and use OME if you configure your on-premises email environment to route email to and from the internet through EOP.
10 This feature requires Exchange Online mailboxes.
For technical information about Exchange Online Protection, check out the following resources:
The Microsoft 365 roadmap is a good resource for finding out information about upcoming new features.
For licensing terms and conditions for products and services purchased through Microsoft Commercial Volume Licensing Programs, see the Product Terms site.
To keep track of upcoming changes, including new and changed features, planned maintenance, or other important announcements, visit the Message Center. For more information, see Message center.
Submit and view feedback for