Exchange Online Protection service description

Obtain information about features and requirements for Exchange Online Protection. Included is a list of plans that provide Exchange Online Protection, as well as a comparison of features across those plans.

Microsoft Exchange Online Protection (EOP) is a cloud-based email filtering service that helps protect your organization against spam and malware and includes features to safeguard your organization from messaging-policy violations. EOP can simplify the management of your messaging environment and alleviate many of the burdens that come with maintaining on-premises hardware and software.

The following list describes the primary ways you can use EOP for messaging protection:

  • In a standalone scenario: EOP provides cloud-based email protection for your on-premises email environment (Exchange Server or other on-premises SMTP email solutions).

  • As a part of Microsoft Exchange Online: By default, EOP protects Exchange Online cloud-hosted mailboxes. To learn more about Exchange Online, see the Exchange Online service description.

  • In a hybrid deployment: EOP can be configured to protect your messaging environment and control mail routing when you have a mix of on-premises and cloud mailboxes.

Available plans

The following table shows the plans that include Exchange Online Protection so you can choose the solution that best meets the needs of your organization. For detailed plan information, see Exchange Online Protection.

For detailed plan information on subscriptions that enable users for Exchange Online Protection, see the full subscription comparison table.

Exchange Enterprise CAL with Services features

Microsoft Exchange Enterprise CAL with Services provides the email protection features of EOP and the following additional cloud-based features:

For more information about Exchange Enterprise CAL with Services licensing, see Exchange licensing FAQs.

If you have Exchange Enterprise CAL with Services licenses and you want to provision EOP, follow the instructions in Set up your EOP service. The setup steps are the same as the steps for setting up EOP standalone.


New features for Exchange Enterprise CAL with Services are deployed at the same time as Exchange Online, not EOP standalone. Be advised that the deployment schedules for EOP standalone and Exchange Online/Exchange Enterprise CAL with Services may be slightly different.

Requirements for Exchange Online Protection (EOP)

EOP can be used with any SMTP mail transfer agent, such as Microsoft Exchange Server. For information about the operating systems, web browsers, and languages that are supported by EOP, see the "Supported browsers" and "Supported languages" sections in Exchange admin center in Exchange Online Protection.


For limits in EOP, see Exchange Online Protection limits.

Feature availability

The following table lists the major Exchange Online Protection features available across plans. Certain caveats apply. See the footnotes for further information. This table may change without notice. For the most up-to-date, complete list of features, see Powerful tools to support your enterprise.

Feature Standalone EOP EOP in EE CAL w/ Services EOP features in Exchange Online
Anti-malware policies (built-in and custom) Yes Yes Yes
Inbound anti-spam policies (built-in and custom) Yes Yes Yes
Outbound anti-spam policies (built-in and custom) Yes Yes Yes
Connection filtering (IP Allow list and IP Block list) Yes Yes Yes
Anti-phishing policies (built-in and custom) Yes Yes Yes
Anti-spoofing protection (built-in and custom) Yes Yes Yes
Zero-hour auto purge (ZAP) for delivered malware, spam, and phishing messages10 No No Yes
Preset security policies Yes Yes Yes
Configuration analyzer for protection policies Yes Yes Yes
Tenant Allow/Block List Yes Yes Yes
Block lists for message senders Yes Yes Yes
Allow lists for message senders Yes Yes Yes
Edge blocking Yes Yes Yes
Directory Based Edge Blocking (DBEB) for nonexistent recipients Yes Yes Yes
Quarantine and submissions
Admin submission10 No No Yes
User submission (custom mailbox)10 No No Yes
Admin quarantine Yes Yes Yes
End-user quarantine Yes Yes Yes
Report Message add-in and Report Phishing add-in for Outlook Yes Yes Yes
Mail flow
Mail flow rules (transport rules)4 Yes Yes6 Yes
Accepted domains3 Yes Yes Yes
Connectors Yes Yes Yes
Enhanced Filtering for Connectors (skip listing) Yes Yes Yes
Message trace Yes Yes Yes
Email and security reports in the Microsoft 365 admin center Yes7 Yes7,8 Yes8
Security reports in the Microsoft 365 security center Yes7 Yes7,8 Yes8
Email reports in the EAC Yes7 Yes7,8 Yes8
Admin audit logging5 Yes Yes Yes
Mail users and mail contacts1 Yes Yes Yes
Mailboxes No No Yes1a
Role based access control (RBAC)2 Yes Yes Yes
Data Loss Prevention for email No Yes Yes
Microsoft Purview Message Encryption No9 No9 Yes
Microsoft 365 admin center Yes Yes Yes
Exchange admin center Yes Yes Yes
Microsoft 365 security center Yes Yes Yes
Standalone Exchange Online Protection PowerShell Yes No No
Exchange Online PowerShell No Yes Yes

1 You create, remove, and edit mail users and mail contacts in the EAC.
1a You create and remove mailboxes in the Microsoft 365 admin center. You can edit existing mailboxes in the EAC.
2 In standalone EOP and EE CAL with Services, there are no end-user roles or role assignment policies.
3 You add and remove domains in the Microsoft 365 admin center. In the EAC, you configure domains as Authoritative or Non-Authoritative.
4 A few rule conditions, exceptions, and actions are not available in standalone EOP or the EOP in EE CAL with Services. These differences are clearly noted in Exchange Online mail flow rule content.
5 In standalone EOP and EE CAL with Services:

  • Mailbox auditing reports aren't available.
  • The Administrator role group report and Admin audit log report are the only admin auditing reports in the EAC.
  • Audit log export available only via PowerShell.

6 DLP policy tips are not available in EE CAL with Services.
7 Reports in standalone EOP and EE CAL with Services are a subset of Exchange Online reports (reports that deal with mailboxes).
8 Includes DLP reports.
9 You can purchase Azure Information Protection as an add-on subscription and use OME if you configure your on-premises email environment to route email to and from the internet through EOP.
10 This feature requires Exchange Online mailboxes.

Learn more

For technical information about Exchange Online Protection, check out the following resources:

The Microsoft 365 roadmap is a good resource for finding out information about upcoming new features.

Licensing terms

For licensing terms and conditions for products and services purchased through Microsoft Commercial Volume Licensing Programs, see the Product Terms site.


To keep track of upcoming changes, including new and changed features, planned maintenance, or other important announcements, visit the Message Center. For more information, see Message center.


Microsoft remains committed to the security of your data and the accessibility of our services. For more information, see the Microsoft Trust Center and the Office Accessibility Center.