Microsoft Defender for Office 365 security comparison

Tip

Did you know you can try the features in Microsoft Defender XDR for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft Defender portal trials hub. Learn about who can sign up and trial terms here.

This article introduces you to your new Microsoft Defender for Office 365 security properties in the cloud. Whether you're part of a Security Operations Center, you're a Security Administrator new to the space, or you want a refresher, let's get started.

Caution

If you're using Outlook.com, Microsoft 365 Family, or Microsoft 365 Personal, and need Safe Links or Safe Attachments information, go here: Advanced Outlook.com security for Microsoft 365 subscribers.

What is Defender for Office 365 security

Every Microsoft 365 subscription comes with security capabilities. The goals and available actions depend on the focus of these different subscriptions. In Microsoft 365 security, there are three main security services (or products) tied to your subscription type:

  1. Exchange Online Protection (EOP).
  2. Microsoft Defender for Office 365 Plan 1 (Defender for Office 365 P1).
  3. Microsoft Defender for Office 365 Plan 2 (Defender for Office 365 P2).

Tip

If you're new to your subscription and would like to know your license before you begin, go the Your products page in the Microsoft 365 admin center at https://admin.microsoft.com/Adminportal/Home#/subscriptions.

Microsoft 365 security builds on the core protections offered by EOP. EOP is present in any subscription where Exchange Online mailboxes can be found (remember, all the security products discussed here are cloud-based).

You may be accustomed to seeing these three components discussed in this way:

EOP: Prevents broad, volume-based, known attacks.
Defender for Office 365 P1: Protects email and collaboration from zero-day malware, phish, and business email compromise.
Defender for Office 365 P2: Adds post-breach investigation, hunting, and response, as well as automation, and simulation (for training).

But in terms of architecture, let's start by thinking of each piece as cumulative layers of security, each with a security emphasis. More like this:

EOP and Defender for Office 365 and their relationships to one another with service emphasis, including a note for email authentication.

Though each of these services emphasizes a goal from among Protect, Detect, Investigate, and Respond, all the services can carry out any of the goals of protecting, detecting, investigating, and responding.

The core of Microsoft 365 security is EOP protection. Defender for Office 365 P1 contains EOP. Defender for Office 365 P2 contains P1 and EOP plus more features. The structure is cumulative. That's why, when configuring this product, you should start with EOP and work up to Defender for Office 365 Plan 2.

Though email authentication configuration takes place in public DNS, it's important to configure this feature to help defend against spoofing. If you have EOP, you should configure email authentication.
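Because the SPF and DMARC records that back spoof protection live in public DNS rather than in the Defender portal, it helps to know what a "configured" record looks like before EOP is expected to enforce it. The following is an added example, not code from the article or from Microsoft: it parses SPF and DMARC TXT records (which you would normally fetch from DNS) and flags the settings an admin would want to tighten. The domain and the record strings in the tests are constructed samples; `spf.protection.outlook.com` is the Microsoft 365 SPF include, and the limit of 10 DNS-querying SPF terms comes from RFC 7208.

```python
"""Offline sanity checks for SPF and DMARC TXT records (added example).

Parses records that would normally be fetched from public DNS and reports
weak settings. Nothing here is Microsoft's code; all sample records are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Finding:
    record: str      # "SPF" or "DMARC"
    severity: str    # "error", "warn" or "info"
    message: str


def parse_spf(txt: str) -> dict:
    """Split an SPF record into (qualifier, term) pairs and note the 'all' qualifier."""
    parts = txt.split()
    if not parts or parts[0].lower() != "v=spf1":
        return {"version": None, "mechanisms": [], "all": None}
    mechanisms: List[Tuple[str, str]] = []
    all_qualifier: Optional[str] = None
    for token in parts[1:]:
        qualifier = "+"                      # default qualifier per RFC 7208
        if token[0] in "+-~?":
            qualifier, token = token[0], token[1:]
        name = token.split(":", 1)[0].split("/", 1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        mechanisms.append((qualifier, token))
    return {"version": "spf1", "mechanisms": mechanisms, "all": all_qualifier}


def parse_dmarc(txt: str) -> dict:
    """Turn 'v=DMARC1; p=none; rua=...' into a dictionary of lowercase tags."""
    tags = {}
    for chunk in txt.split(";"):
        if "=" in chunk:
            key, value = chunk.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def check_email_auth(spf_txt: Optional[str], dmarc_txt: Optional[str]) -> List[Finding]:
    """Return findings for a domain's SPF and DMARC records (None = not published)."""
    findings: List[Finding] = []

    if spf_txt is None:
        findings.append(Finding("SPF", "error", "no SPF record published"))
    else:
        spf = parse_spf(spf_txt)
        if spf["version"] is None:
            findings.append(Finding("SPF", "error", "record does not start with v=spf1"))
        elif spf["all"] is None:
            findings.append(Finding("SPF", "warn", "no 'all' term; unlisted senders neither pass nor fail"))
        elif spf["all"] in ("?", "+"):
            findings.append(Finding("SPF", "error", f"'{spf['all']}all' lets any sender pass SPF"))
        elif spf["all"] == "~":
            findings.append(Finding("SPF", "info", "softfail (~all); move to -all once DMARC reports are clean"))
        lookups = sum(
            1 for _, term in spf["mechanisms"]
            if term.split(":", 1)[0].split("=", 1)[0].lower() in LOOKUP_TERMS
        )
        if lookups > 10:
            findings.append(Finding("SPF", "error", f"{lookups} DNS lookups exceeds the limit of 10 (permerror)"))

    if dmarc_txt is None:
        findings.append(Finding("DMARC", "error", "no DMARC record published"))
    else:
        dmarc = parse_dmarc(dmarc_txt)
        if dmarc.get("v", "").upper() != "DMARC1":
            findings.append(Finding("DMARC", "error", "record does not start with v=DMARC1"))
        policy = dmarc.get("p", "").lower()
        if policy == "none":
            findings.append(Finding("DMARC", "warn", "p=none only monitors; spoofed mail is still delivered"))
        elif policy not in ("quarantine", "reject"):
            findings.append(Finding("DMARC", "error", f"missing or invalid policy p={policy!r}"))
        if "rua" not in dmarc:
            findings.append(Finding("DMARC", "warn", "no rua= address; aggregate reports will not be received"))
        pct = dmarc.get("pct", "100")
        if pct.isdigit() and int(pct) < 100:
            findings.append(Finding("DMARC", "info", f"pct={pct}: policy applied to only {pct}% of failing mail"))

    return findings


if __name__ == "__main__":
    # Constructed sample records for a hypothetical tenant domain
    for finding in check_email_auth("v=spf1 include:spf.protection.outlook.com ?all", "v=DMARC1; p=none"):
        print(f"[{finding.severity}] {finding.record}: {finding.message}")
```

A record set that produces no findings (a `-all` SPF and a DMARC `p=reject` with an `rua=` address) is the state to aim for before relying on EOP spoof intelligence; the `p=none` and `?all` cases above are the ones most often mistaken for "configured".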

If you have a Microsoft 365 E3 or virtually any subscription with Exchange Online mailboxes, you definitely have EOP. You can most likely purchase Defender for Office 365 as an add-on subscription. If you have Microsoft 365 E5, you already have Defender for Office 365 P2.

Tip

If your subscription is neither Microsoft 365 E3 nor E5, you can use this page to see if you can upgrade to Defender for Office 365 (check the end of the page for the fine print).

The Microsoft 365 security ladder from EOP to Defender for Office 365

Important

Learn the details on these pages: Exchange Online Protection, and Defender for Office 365.

What makes adding Defender for Office 365 plans an advantage to pure EOP threat management can be difficult to tell at first glance. To determine if an upgrade path is right for your organization, let's look at the capabilities of each product when it comes to:

  • Preventing and detecting threats
  • Investigating
  • Responding

The capabilities of Exchange Online Protection are summarized in the following table:

Prevent/Detect:
  Technologies include:
  • Spam
  • Phishing
  • Malware
  • Bulk mail
  • Spoof intelligence
  • Quarantine
  • False positives and false negative reporting by admin submissions and user reported messages
  • Allow and block entries in the Tenant Allow/Block List for:
    • Domains and email addresses
    • Spoof
    • URLs
    • Files

Investigate:
  • Audit log search
  • Message Trace
  • Email security reports

Respond:
  • Zero-hour auto purge (ZAP)
  • Refinement and testing of entries in the Tenant Allow/Block List

If you want to dig in to EOP, jump to this article.

If you evaluate and ultimately purchase Defender for Office 365 P1, you get these additional capabilities over EOP:

Prevent/Detect:
  • Safe Attachments in email
  • Safe Attachments for SharePoint, OneDrive, and Microsoft Teams
  • Safe Links in email, Office clients, and Teams
  • Advanced anti-phishing thresholds in anti-phishing policies
  • User, domain, and mailbox intelligence impersonation protection in anti-phishing policies
  • Alerts, and SIEM integration API for alerts

Investigate:
  • SIEM integration API for detections
  • Real-time detections
  • URL trace
  • Specific Defender for Office 365 reports

Respond:
  • Same as EOP

So, Defender for Office 365 P1 expands on the prevention side of the house, and adds extra forms of detection.

Defender for Office 365 P1 also adds Real-time detections for investigations. The presence of Real-time detections as a selection in the Microsoft Defender portal means you have Defender for Office 365 P1.

If you evaluate and ultimately purchase Defender for Office 365 P2, you get these additional capabilities over EOP and Defender for Office 365 P1:

Prevent/Detect:
  • Attack simulation training

Investigate:
  • Threat Explorer
  • Threat Trackers
  • Campaign views

Respond:
  • Automated Investigation and Response (AIR)
  • AIR from Threat Explorer
  • AIR for compromised users
  • SIEM Integration API for Automated Investigations

So, Defender for Office 365 P2 expands on the investigation and response side of the house, and adds a new hunting strength: Automation.

In Defender for Office 365 P2, the primary hunting tool is called Threat Explorer rather than Real-time detections. If you see Threat Explorer when you navigate to the Microsoft Defender portal, you're in Defender for Office 365 P2.

To get into the details of Defender for Office 365 P1 and P2, jump to this article.

Tip

EOP and Defender for Office 365 are also different when it comes to users. In EOP and Defender for Office 365 P1, the focus is awareness. The Microsoft Report Message and Report Phishing add-ins are available for users to report messages that they find suspicious.

In Defender for Office 365 P2 (which contains everything in EOP and P1), the focus shifts to further training for end-users. The Security Operations Center has access to a powerful Threat Simulator tool, and the end-user metrics it provides.

Defender for Office 365 Plan 1 vs. Plan 2 cheat sheet

This quick-reference helps you understand what capabilities come with each Defender for Office 365 subscription. When combined with your knowledge of EOP features, it can help business decision makers determine which Defender for Office 365 plan is best for their needs.

Defender for Office 365 Plan 1:
  Prevent and detect capabilities:

Defender for Office 365 Plan 2:
  Everything in Defender for Office 365 Plan 1 capabilities

  --- plus ---

  Prevent and detect capabilities:
  Automate, investigate, and respond capabilities:

  • Defender for Office 365 Plan 2 is included in Microsoft 365 E5, Microsoft 365 A5, and Office 365 E5.
  • Defender for Office 365 Plan 1 is included in Microsoft 365 Business Premium.
  • Defender for Office 365 Plan 1 and Defender for Office 365 Plan 2 are each available as an add-on for certain subscriptions. To learn more, see Feature availability across Defender for Office 365 plans.
  • Safe Documents is available to users with the Microsoft 365 A5 or Microsoft 365 E5 Security licenses (not included in Defender for Office 365 plans).
  • If your current subscription doesn't include Defender for Office 365 Plan 2, you can try Defender for Office 365 free for 90 days. Or, contact sales to start a trial.
  • Defender for Office 365 P2 customers have access to Microsoft Defender XDR integration to efficiently detect, review, and respond to incidents and alerts.

Tip

Insider tip. You can use the Microsoft Learn table of contents to learn about EOP and Defender for Office 365. Navigate back to this page, Microsoft 365 Security overview, and you'll notice the table of contents organization in the side-bar. It begins with Deployment (including migration) and then continues into prevention, detection, investigation, and response.

This structure is divided so that Security Administration topics are followed by Security Operations topics. If you're a new member of either job role, use the link in this tip, and your knowledge of the table of contents, to help learn the space. Remember to use feedback links and rate articles as you go. Feedback helps us improve what we offer you.

Where to go next

If you're a Security Admin, you may need to configure DKIM or DMARC for your mail. You may want to roll out 'Strict' security presets for your priority users, or look for what's new in the product. Or if you're with Security Ops, you may want to use Real-time detections or Threat Explorer to investigate and respond, or train end-user detection with Attack Simulator. Either way, here are some additional recommendations for what to look at next:

  • Email Authentication, including SPF, DKIM, and DMARC (with links to setup of all three)
  • See the specific recommended 'golden' configs and use their recommended presets to configure security policies quickly
  • Catch up on what's new in Microsoft Defender for Office 365 (including EOP developments)
  • Use Threat Explorer or Real-time detections
  • Use Attack simulation training