Preset security policies in EOP and Microsoft Defender for Office 365

Tip

Did you know you can try the features in Microsoft Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft Defender portal trials hub. Learn about who can sign up and trial terms on Try Microsoft Defender for Office 365.

Preset security policies allow you to apply protection features to users based on our recommended settings. Unlike custom policies that are infinitely configurable, virtually all of the settings in preset security policies aren't configurable, and are based on our observations in the datacenters. The settings in preset security policies provide a balance between keeping harmful content away from users while avoiding unnecessary disruptions.

Depending on your organization, preset security policies provide many of the protection features that are available in Exchange Online Protection (EOP) and Microsoft Defender for Office 365.

The following preset security policies are available:

  • Standard preset security policy
  • Strict preset security policy
  • Built-in protection preset security policy (default policies for Safe Attachments and Safe Links protection in Defender for Office 365)

For details about these preset security policies, see the Appendix section at the end of this article.

The rest of this article describes how to configure preset security policies.

What do you need to know before you begin?

  • You open the Microsoft Defender portal at https://security.microsoft.com. To go directly to the Preset security policies page, use https://security.microsoft.com/presetSecurityPolicies.

  • To connect to Exchange Online PowerShell, see Connect to Exchange Online PowerShell.

  • You need to be assigned permissions before you can do the procedures in this article. You have the following options:

    • Microsoft Defender XDR Unified role based access control (RBAC) (If Email & collaboration > Defender for Office 365 permissions is Active. Affects the Defender portal only, not PowerShell): Authorization and settings/Security settings/Core Security settings (manage) or Authorization and settings/Security settings/Core Security settings (read).

    • Exchange Online permissions:

      • Configure preset security policies: Membership in the Organization Management or Security Administrator role groups.
      • Read-only access to preset security policies: Membership in the Global Reader role group.
    • Microsoft Entra permissions: Membership in the Global Administrator*, Security Administrator, or Global Reader roles gives users the required permissions and permissions for other features in Microsoft 365.

      Important

      * Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.

Use the Microsoft Defender portal to assign Standard and Strict preset security policies to users

  1. In the Microsoft Defender portal at https://security.microsoft.com, go to Email & Collaboration > Policies & Rules > Threat policies > Preset Security Policies in the Templated policies section. Or, to go directly to the Preset security policies page, use https://security.microsoft.com/presetSecurityPolicies.

  2. If this is your first time on the Preset security policies page, it's likely that Standard protection and Strict protection are turned off.

    Slide the toggle of the one you want to configure to on, and then select Manage protection settings to start the configuration wizard.

  3. On the Apply Exchange Online Protection page, identify the internal recipients that the EOP protections apply to (recipient conditions):

    • All recipients

    • Specific recipients: Configure one of the following recipient conditions that appear:

      • Users: The specified mailboxes, mail users, or mail contacts.
      • Groups:
        • Members of the specified distribution groups or mail-enabled security groups (dynamic distribution groups aren't supported).
        • The specified Microsoft 365 Groups.
      • Domains: All recipients in the organization with a primary email address in the specified accepted domain.

    Click in the appropriate box, start typing a value, and select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, select the remove icon next to the value.

    For users or groups, you can use most identifiers (name, display name, alias, email address, account name, etc.), but the corresponding display name is shown in the results. For users or groups, enter an asterisk (*) by itself to see all available values.

    You can use a condition only once, but the condition can contain multiple values:

    • Multiple values of the same condition use OR logic (for example, <recipient1> or <recipient2>). If the recipient matches any of the specified values, the policy is applied to them.

    • Different types of conditions use AND logic. The recipient must match all of the specified conditions for the policy to apply to them. For example, you configure a condition with the following values:

      The policy is applied to the specified user only if the user is also a member of the Executives group. Otherwise, the policy isn't applied to that user.

    • None

    • Exclude these recipients: If you selected All recipients or Specific recipients, select this option to configure recipient exceptions.

      You can use an exception only once, but the exception can contain multiple values:

      • Multiple values of the same exception use OR logic (for example, <recipient1> or <recipient2>). If the recipient matches any of the specified values, the policy isn't applied to them.
      • Different types of exceptions use OR logic (for example, <recipient1> or <member of group1> or <member of domain1>). If the recipient matches any of the specified exception values, the policy isn't applied to them.

    When you're finished on the Apply Exchange Online Protection page, select Next.

    Note

    In organizations without Defender for Office 365, selecting Next takes you to the Review page (Step 9).

  4. On the Apply Defender for Office 365 protection page, identify the internal recipients that the Defender for Office 365 protections apply to (recipient conditions).

    The settings and behavior are exactly like the Apply Exchange Online Protection page in the previous step.

    You can also select Previously selected recipients to use the same recipients that you selected for EOP protection on the previous page.

    When you're finished on the Apply Defender for Office 365 protection page, select Next.

  5. On the Impersonation protection page, select Next.

  6. On the Add email addresses to flag when impersonated by attackers page, add internal and external senders who are protected by user impersonation protection.

    Note

    All recipients automatically receive impersonation protection from mailbox intelligence in preset security policies.

    You can specify a maximum of 350 users for user impersonation protection in the Standard or Strict preset security policy.

    User impersonation protection doesn't work if the sender and recipient have previously communicated via email. If the sender and recipient have never communicated via email, the message can be identified as an impersonation attempt.

    Each entry consists of a display name and an email address:

    • Internal users: Click in the Add a valid email box or start typing the user's email address. Select the email address in the Suggested contacts dropdown list that appears. The user's display name is added to the Add a name box (which you can change). When you're finished selecting the user, select Add.

    • External users: Type the external user's full email address in the Add a valid email box, and then select the email address in the Suggested contacts dropdown list that appears. The email address is also added in the Add a name box (which you can change to a display name).

    Repeat these steps as many times as necessary.

    The users you added are listed on the page by Display name and Sender email address. To remove a user, select the remove icon next to the entry.

    Use the Search box to find entries on the page.

    When you're finished on the Add email addresses to flag when impersonated by attackers page, select Next.

  7. On the Add domains to flag when impersonated by attackers page, add internal and external domains that are protected by domain impersonation protection.

    Note

    All domains that you own (accepted domains) automatically receive domain impersonation protection in preset security policies.

    You can specify a maximum of 50 custom domains for domain impersonation protection in the Standard or Strict preset security policy.

    Click in the Add domains box, enter a domain value, and then press the ENTER key or select the value that's displayed below the box. To remove a domain from the box and start over, select the remove icon next to the domain. When you're ready to add the domain, select Add. Repeat this step as many times as necessary.

    The domains you added are listed on the page. To remove a domain, select the remove icon next to the entry.

    When you're finished on the Add domains to flag when impersonated by attackers page, select Next.

  8. On the Add trusted email addresses and domains to not flag as impersonation page, enter the sender email addresses and domains that you want to exclude from impersonation protection. Messages from these senders are never flagged as an impersonation attack, but the senders are still subject to scanning by other filters in EOP and Defender for Office 365.

    Note

    Trusted domain entries don't include subdomains of the specified domain. You need to add an entry for each subdomain.

    Enter the email address or domain in the box, and then press the ENTER key or select the value that's displayed below the box. To remove a value from the box and start over, select the remove icon next to the value. When you're ready to add the user or domain, select Add. Repeat this step as many times as necessary.

    The users and domains you added are listed on the page by Name and Type. To remove an entry, select the remove icon next to the entry.

    When you're finished on the Add trusted email addresses and domains to not flag as impersonation page, select Next.

  9. On the Review and confirm your changes page, review your settings. You can select Back or the specific page in the wizard to modify the settings.

    When you're finished on the Review and confirm your changes page, select Confirm.

  10. On the Standard protection updated or Strict protection updated page, select Done.

Use the Microsoft Defender portal to modify the assignments of Standard and Strict preset security policies

The steps to modify the assignment of the Standard protection or Strict protection preset security policy are the same as when you initially assigned the preset security policies to users.

To disable the Standard protection or Strict protection preset security policies while still preserving the existing conditions and exceptions, slide the toggle to off. To enable the policies, slide the toggle to on.

Use the Microsoft Defender portal to add exclusions to the Built-in protection preset security policy

Tip

The Built-in protection preset security policy is applied to all users in organizations with any number of licenses for Defender for Office 365. This application is in the spirit of securing the broadest set of users until admins specifically configure Defender for Office 365 protections. Because Built-in protection is enabled by default, customers don't need to worry about violating product licensing terms. However, we recommend purchasing enough Defender for Office 365 licenses to ensure Built-in protection continues for all users.

The Built-in protection preset security policy doesn't affect recipients who are defined in the Standard or Strict preset security policies, or in custom Safe Links or Safe Attachments policies. Therefore, we typically don't recommend exceptions to the Built-in protection preset security policy.

  1. In the Microsoft Defender portal at https://security.microsoft.com, go to Email & Collaboration > Policies & Rules > Threat policies > Preset Security Policies in the Templated policies section. Or, to go directly to the Preset security policies page, use https://security.microsoft.com/presetSecurityPolicies.

  2. On the Preset security policies page, select Add exclusions (not recommended) in the Built-in protection section.

  3. In the Exclude from Built-in protection flyout that opens, identify the internal recipients that are excluded from the built-in Safe Links and Safe Attachments protection:

    • Users
    • Groups:
      • Members of the specified distribution groups or mail-enabled security groups (dynamic distribution groups aren't supported).
      • The specified Microsoft 365 Groups.
    • Domains

    Click in the appropriate box, start typing a value, and then select the value that's displayed below the box. Repeat this process as many times as necessary. To remove an existing value, select the remove icon next to the value.

    For users or groups, you can use most identifiers (name, display name, alias, email address, account name, etc.), but the corresponding display name is shown in the results. For users, enter an asterisk (*) by itself to see all available values.

    You can use an exception only once, but the exception can contain multiple values:

    • Multiple values of the same exception use OR logic (for example, <recipient1> or <recipient2>). If the recipient matches any of the specified values, the policy isn't applied to them.
    • Different types of exceptions use OR logic (for example, <recipient1> or <member of group1> or <member of domain1>). If the recipient matches any of the specified exception values, the policy isn't applied to them.
  4. When you're finished in the Exclude from Built-in protection flyout, select Save.

How do you know these procedures worked?

To verify that you've successfully assigned the Standard protection or Strict protection security policy to a user, use a protection setting where the default value is different than the Standard protection setting, which is different than the Strict protection setting.

For example, for email that's detected as spam (not high confidence spam) verify that the message is delivered to the Junk Email folder for Standard protection users, and quarantined for Strict protection users.

Or, for bulk mail, verify that the BCL value 6 or higher delivers the message to the Junk Email folder for Standard protection users, and the BCL value 5 or higher quarantines the message for Strict protection users.

Preset security policies in Exchange Online PowerShell

In PowerShell, preset security policies consist of the following elements:

The following sections describe how to use these cmdlets in supported scenarios.

To connect to Exchange Online PowerShell, see Connect to Exchange Online PowerShell.

Use PowerShell to view individual security policies for preset security policies

Remember, if you never turned on the Standard preset security policy or the Strict preset security policy in the Microsoft Defender portal, the associated security policies for the preset security policy don't exist.

  • Built-in protection preset security policy: The associated policies are named Built-In Protection Policy. The IsBuiltInProtection property value is True for these policies.

    To view the individual security policies for the Built-in protection preset security policy, run the following command:

    Write-Output -InputObject ("`r`n"*3),"Built-in protection Safe Attachments policy",("-"*79);Get-SafeAttachmentPolicy -Identity "Built-In Protection Policy" | Format-List; Write-Output -InputObject ("`r`n"*3),"Built-in protection Safe Links policy",("-"*79);Get-SafeLinksPolicy -Identity "Built-In Protection Policy" | Format-List
    
  • Standard preset security policy: The associated policies are named Standard Preset Security Policy<13-digit number>. For example, Standard Preset Security Policy1622650008019. The RecommendedPolicyType property value for the policies is Standard.

    • To view the individual security policies for the Standard preset security policy in organizations with EOP only, run the following command:

      Write-Output -InputObject ("`r`n"*3),"Standard anti-malware policy",("-"*79);Get-MalwareFilterPolicy | Where-Object -Property RecommendedPolicyType -eq -Value "Standard"; Write-Output -InputObject ("`r`n"*3),"Standard anti-spam policy",("-"*79);Get-HostedContentFilterPolicy | Where-Object -Property RecommendedPolicyType -eq -Value "Standard"; Write-Output -InputObject ("`r`n"*3),"Standard anti-phishing policy",("-"*79);Get-AntiPhishPolicy | Where-Object -Property RecommendedPolicyType -eq -Value "Standard"
      
    • To view the individual security policies for the Standard preset security policy in organizations with Defender for Office 365, run the following command:

      Write-Output -InputObject ("`r`n"*3),"Standard anti-malware policy",("-"*79);Get-MalwareFilterPolicy | Where-Object -Property RecommendedPolicyType -eq -Value "Standard"; Write-Output -InputObject ("`r`n"*3),"Standard anti-spam policy",("-"*79);Get-HostedContentFilterPolicy | Where-Object -Property RecommendedPolicyType -eq -Value "Standard"; Write-Output -InputObject ("`r`n"*3),"Standard anti-phishing policy",("-"*79);Get-AntiPhishPolicy | Where-Object -Property RecommendedPolicyType -eq -Value "Standard"; Write-Output -InputObject ("`r`n"*3),"Standard Safe Attachments policy",("-"*79);Get-SafeAttachmentPolicy | Where-Object -Property RecommendedPolicyType -eq -Value "Standard"; Write-Output -InputObject ("`r`n"*3),"Standard Safe Links policy",("-"*79);Get-SafeLinksPolicy | Where-Object -Property RecommendedPolicyType -eq -Value "Standard"
      
  • Strict preset security policy: The associated policies are named Strict Preset Security Policy<13-digit number>. For example, Strict Preset Security Policy1642034872546. The RecommendedPolicyType property value for the policies is Strict.

    • To view the individual security policies for the Strict preset security policy in organizations with EOP only, run the following command:

      Write-Output -InputObject ("`r`n"*3),"Strict anti-malware policy",("-"*79);Get-MalwareFilterPolicy | Where-Object -Property RecommendedPolicyType -eq -Value "Strict"; Write-Output -InputObject ("`r`n"*3),"Strict anti-spam policy",("-"*79);Get-HostedContentFilterPolicy | Where-Object -Property RecommendedPolicyType -eq -Value "Strict"; Write-Output -InputObject ("`r`n"*3),"Strict anti-phishing policy",("-"*79);Get-AntiPhishPolicy | Where-Object -Property RecommendedPolicyType -eq -Value "Strict"
      
    • To view the individual security policies for the Strict preset security policy in organizations with Defender for Office 365, run the following command:

      Write-Output -InputObject ("`r`n"*3),"Strict anti-malware policy",("-"*79);Get-MalwareFilterPolicy | Where-Object -Property RecommendedPolicyType -eq -Value "Strict"; Write-Output -InputObject ("`r`n"*3),"Strict anti-spam policy",("-"*79);Get-HostedContentFilterPolicy | Where-Object -Property RecommendedPolicyType -eq -Value "Strict"; Write-Output -InputObject ("`r`n"*3),"Strict anti-phishing policy",("-"*79);Get-AntiPhishPolicy | Where-Object -Property RecommendedPolicyType -eq -Value "Strict"; Write-Output -InputObject ("`r`n"*3),"Strict Safe Attachments policy",("-"*79);Get-SafeAttachmentPolicy | Where-Object -Property RecommendedPolicyType -eq -Value "Strict"; Write-Output -InputObject ("`r`n"*3),"Strict Safe Links policy",("-"*79);Get-SafeLinksPolicy | Where-Object -Property RecommendedPolicyType -eq -Value "Strict"
      

Use PowerShell to view rules for preset security policies

Remember, if you never turned on the Standard preset security policy or the Strict preset security policy in the Microsoft Defender portal, the associated rules for those policies don't exist.

  • Built-in protection preset security policy: There's only one rule named ATP Built-In Protection Rule.

    To view the rule that's associated with the Built-in protection preset security policy, run the following command:

    Get-ATPBuiltInProtectionRule
    
  • Standard preset security policy: The associated rules are named Standard Preset Security Policy.

    Use the following commands to view the rules that are associated with the Standard preset security policy:

    • To view the rule that's associated with EOP protections in the Standard preset security policy, run the following command:

      Get-EOPProtectionPolicyRule -Identity "Standard Preset Security Policy"
      
    • To view the rule that's associated with Defender for Office 365 protections in the Standard preset security policy, run the following command:

      Get-ATPProtectionPolicyRule -Identity "Standard Preset Security Policy"
      
    • To view both rules at the same time, run the following command:

      Write-Output -InputObject ("`r`n"*3),"EOP rule - Standard preset security policy",("-"*79);Get-EOPProtectionPolicyRule -Identity "Standard Preset Security Policy"; Write-Output -InputObject ("`r`n"*3),"Defender for Office 365 rule - Standard preset security policy",("-"*79);Get-ATPProtectionPolicyRule -Identity "Standard Preset Security Policy"
      
  • Strict preset security policy: The associated rules are named Strict Preset Security Policy.

    Use the following commands to view the rules that are associated with the Strict preset security policy:

    • To view the rule that's associated with EOP protections in the Strict preset security policy, run the following command:

      Get-EOPProtectionPolicyRule -Identity "Strict Preset Security Policy"
      
    • To view the rule that's associated with Defender for Office 365 protections in the Strict preset security policy, run the following command:

      Get-ATPProtectionPolicyRule -Identity "Strict Preset Security Policy"
      
    • To view both rules at the same time, run the following command:

      Write-Output -InputObject ("`r`n"*3),"EOP rule - Strict preset security policy",("-"*79);Get-EOPProtectionPolicyRule -Identity "Strict Preset Security Policy"; Write-Output -InputObject ("`r`n"*3),"Defender for Office 365 rule - Strict preset security policy",("-"*79);Get-ATPProtectionPolicyRule -Identity "Strict Preset Security Policy"
      

Use PowerShell to turn on or turn off preset security policies

To turn on or turn off the Standard or Strict preset security policies in PowerShell, enable or disable the rules that are associated with the policy. The State property value of the rule shows whether the rule is Enabled or Disabled.

If your organization has EOP only, you disable or enable the rule for EOP protections.

If your organization has Defender for Office 365, you enable or disable the rule for EOP protections and the rule for Defender for Office 365 protections (enable or disable both rules).

  • Organizations with EOP only:

    • Run the following command to determine whether the rules for the Standard and Strict preset security policies are currently enabled or disabled:

      Write-Output -InputObject ("`r`n"*3),"EOP protection rule",("-"*50); Get-EOPProtectionPolicyRule -Identity "Standard Preset Security Policy" | Format-Table Name,State; Write-Output -InputObject ("`r`n"*3),"EOP protection rule",("-"*50); Get-EOPProtectionPolicyRule -Identity "Strict Preset Security Policy" | Format-Table Name,State
      
    • Run the following command to turn off the Standard preset security policy if it's turned on:

      Disable-EOPProtectionPolicyRule -Identity "Standard Preset Security Policy"
      
    • Run the following command to turn off the Strict preset security policy if it's turned on:

      Disable-EOPProtectionPolicyRule -Identity "Strict Preset Security Policy"
      
    • Run the following command to turn on the Standard preset security policy if it's turned off:

      Enable-EOPProtectionPolicyRule -Identity "Standard Preset Security Policy"
      
    • Run the following command to turn on the Strict preset security policy if it's turned off:

      Enable-EOPProtectionPolicyRule -Identity "Strict Preset Security Policy"
      
  • Organizations with Defender for Office 365:

    • Run the following command to determine whether the rules for the Standard and Strict preset security policies are currently enabled or disabled:

      Write-Output -InputObject ("`r`n"*3),"EOP protection rule",("-"*50);Get-EOPProtectionPolicyRule -Identity "Standard Preset Security Policy" | Format-Table Name,State; Write-Output -InputObject "`r`n","Defender for Office 365 protection rule",("-"*50);Get-ATPProtectionPolicyRule -Identity "Standard Preset Security Policy" | Format-Table Name,State; Write-Output -InputObject ("`r`n"*3),"EOP protection rule",("-"*50);Get-EOPProtectionPolicyRule -Identity "Strict Preset Security Policy" | Format-Table Name,State; Write-Output -InputObject "`r`n","Defender for Office 365 protection rule",("-"*50);Get-ATPProtectionPolicyRule -Identity "Strict Preset Security Policy" | Format-Table Name,State
      
    • Run the following command to turn off the Standard preset security policy if it's turned on:

      Disable-EOPProtectionPolicyRule -Identity "Standard Preset Security Policy"; Disable-ATPProtectionPolicyRule -Identity "Standard Preset Security Policy"
      
    • Run the following command to turn off the Strict preset security policy if it's turned on:

      Disable-EOPProtectionPolicyRule -Identity "Strict Preset Security Policy"; Disable-ATPProtectionPolicyRule -Identity "Strict Preset Security Policy"
      
    • Run the following command to turn on the Standard preset security policy if it's turned off:

      Enable-EOPProtectionPolicyRule -Identity "Standard Preset Security Policy"; Enable-ATPProtectionPolicyRule -Identity "Standard Preset Security Policy"
      
    • Run the following command to turn on the Strict preset security policy if it's turned off:

      Enable-EOPProtectionPolicyRule -Identity "Strict Preset Security Policy"; Enable-ATPProtectionPolicyRule -Identity "Strict Preset Security Policy"
      

Use PowerShell to specify recipient conditions and exceptions for preset security policies

You can use a recipient condition or exception only once, but the condition or exception can contain multiple values:

  • Multiple values of the same condition or exception use OR logic (for example, <recipient1> or <recipient2>):

    • Conditions: If the recipient matches any of the specified values, the policy is applied to them.
    • Exceptions: If the recipient matches any of the specified values, the policy isn't applied to them.
  • Different types of exceptions use OR logic (for example, <recipient1> or <member of group1> or <member of domain1>). If the recipient matches any of the specified exception values, the policy isn't applied to them.

  • Different types of conditions use AND logic. The recipient must match all of the specified conditions for the policy to apply to them. For example, you configure a condition with the following values:

    The policy is applied to the specified user only if the user is also a member of the Executives group. Otherwise, the policy isn't applied to that user.

For the Built-in protection preset security policy, you can specify only recipient exceptions. If all exception parameter values are empty ($null), there are no exceptions to the policy.

For the Standard and Strict preset security policies, you can specify recipient conditions and exceptions for EOP protections and Defender for Office 365 protections. If all of the condition and exception parameter values are empty ($null), there are no recipient conditions or exceptions to the Standard or Strict preset security policies.
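The condition and exception logic described above (and in the portal procedure earlier in this article), as an added example that isn't part of the original article or Microsoft's code: a local function that evaluates one rule against constructed recipients. The function name, the sample addresses and groups, matching users by primary email address only, and treating an unset condition type as "no restriction" are assumptions; group membership is supplied by the caller.

```powershell
# Added example (not Microsoft's code). Runs offline against constructed data.
function Test-PresetRuleMatch {
    [CmdletBinding()]
    param(
        # Object with SentTo, SentToMemberOf, RecipientDomainIs and the ExceptIf* counterparts.
        [Parameter(Mandatory)] [psobject] $Rule,
        # Recipient's primary email address (assumption: users are matched on this value only).
        [Parameter(Mandatory)] [string]   $Recipient,
        # Groups the recipient belongs to, resolved by the caller.
        [string[]] $MemberOf = @()
    )

    $domain = ($Recipient -split '@')[-1]

    # $true when any of the recipient's groups appears in the supplied list.
    $inAnyGroup = { param($groups) [bool]($MemberOf | Where-Object { $groups -contains $_ }) }

    # Exceptions: a match on any value of any exception type excludes the recipient (OR).
    if ($Rule.ExceptIfSentTo -contains $Recipient)         { return $false }
    if (& $inAnyGroup $Rule.ExceptIfSentToMemberOf)        { return $false }
    if ($Rule.ExceptIfRecipientDomainIs -contains $domain) { return $false }

    # Conditions: every configured type must match (AND); within a type any value matches (OR).
    # Assumption: a condition type that is empty or $null imposes no restriction.
    if ($Rule.SentTo            -and ($Rule.SentTo -notcontains $Recipient))         { return $false }
    if ($Rule.SentToMemberOf    -and -not (& $inAnyGroup $Rule.SentToMemberOf))      { return $false }
    if ($Rule.RecipientDomainIs -and ($Rule.RecipientDomainIs -notcontains $domain)) { return $false }

    return $true
}

# Constructed rule: a user condition AND a group condition, plus group and domain exceptions.
$rule = [pscustomobject]@{
    SentTo                    = @('alex@example.com')
    SentToMemberOf            = @('Executives')
    RecipientDomainIs         = $null
    ExceptIfSentTo            = $null
    ExceptIfSentToMemberOf    = @('SecOps')
    ExceptIfRecipientDomainIs = @('lab.example.com')
}

# Constructed recipients, each exercising one branch of the logic.
$cases = @(
    @{ Recipient = 'alex@example.com';     MemberOf = @('Executives') }            # user and group conditions both met
    @{ Recipient = 'alex@example.com';     MemberOf = @('Sales') }                 # group condition not met
    @{ Recipient = 'alex@example.com';     MemberOf = @('Executives', 'SecOps') }  # member of an excepted group
    @{ Recipient = 'kim@example.com';      MemberOf = @('Executives') }            # user condition not met
    @{ Recipient = 'alex@lab.example.com'; MemberOf = @('Executives') }            # address in an excepted domain
)

foreach ($c in $cases) {
    [pscustomobject]@{
        Recipient = $c.Recipient
        MemberOf  = $c.MemberOf -join ','
        Applies   = Test-PresetRuleMatch -Rule $rule @c
    }
}
```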

  • Built-in protection preset security policy:

    Use the following syntax:

    Set-ATPBuiltInProtectionRule -Identity "ATP Built-In Protection Rule" -ExceptIfRecipientDomainIs <"domain1","domain2",... | $null> -ExceptIfSentTo <"user1","user2",... | $null> -ExceptIfSentToMemberOf <"group1","group2",... | $null>
    

    This example removes all recipient exceptions from the Built-in protection preset security policy.

    Set-ATPBuiltInProtectionRule -Identity "ATP Built-In Protection Rule" -ExceptIfRecipientDomainIs $null -ExceptIfSentTo $null -ExceptIfSentToMemberOf $null
    

    For detailed syntax and parameter information, see Set-ATPBuiltInProtectionRule.

  • Standard or Strict preset security policies

    Use the following syntax:

    <Set-EOPProtectionPolicyRule | Set-ATPProtectionPolicyRule> -Identity "<Standard Preset Security Policy | Strict Preset Security Policy>" -SentTo <"user1","user2",... | $null> -ExceptIfSentTo <"user1","user2",... | $null> -SentToMemberOf <"group1","group2",... | $null> -ExceptIfSentToMemberOf <"group1","group2",... | $null> -RecipientDomainIs <"domain1","domain2",... | $null> -ExceptIfRecipientDomainIs <"domain1","domain2",... | $null>
    

    This example configures exceptions from the EOP protections in the Standard preset security policy for members of the distribution group named Executives.

    Set-EOPProtectionPolicyRule -Identity "Standard Preset Security Policy" -ExceptIfSentToMemberOf Executives
    

    This example configures exceptions from the Defender for Office 365 protections in the Strict preset security policy for the specified security operations (SecOps) mailboxes.

    Set-ATPProtectionPolicyRule -Identity "Strict Preset Security Policy" -ExceptIfSentTo "SecOps1","SecOps2"
    

    For detailed syntax and parameter information, see Set-EOPProtectionPolicyRule and Set-ATPProtectionPolicyRule.
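One way to review the rule state and recipient exceptions covered in the preceding sections, as an added example that isn't Microsoft's code: a function that reads rule objects and reports disabled rules, every configured exception, and presets whose EOP and Defender for Office 365 rules are in different states. The function name, the finding labels and the sample objects are constructed; the properties it reads (Name, State and the ExceptIf* properties) are the ones used in this article.

```powershell
# Added example (not Microsoft's code). Runs offline against constructed rule objects.
function Get-PresetRuleFinding {
    [CmdletBinding()]
    param(
        [psobject[]] $EopRule     = @(),  # objects shaped like Get-EOPProtectionPolicyRule output
        [psobject[]] $AtpRule     = @(),  # objects shaped like Get-ATPProtectionPolicyRule output
        [psobject[]] $BuiltInRule = @()   # objects shaped like Get-ATPBuiltInProtectionRule output
    )

    $exceptionProps = 'ExceptIfSentTo', 'ExceptIfSentToMemberOf', 'ExceptIfRecipientDomainIs'

    # Tag each rule with the protection layer it belongs to.
    $tagged = @(
        $EopRule     | ForEach-Object { [pscustomobject]@{ Layer = 'EOP';                     Rule = $_ } }
        $AtpRule     | ForEach-Object { [pscustomobject]@{ Layer = 'Defender for Office 365'; Rule = $_ } }
        $BuiltInRule | ForEach-Object { [pscustomobject]@{ Layer = 'Built-in';                Rule = $_ } }
    )

    foreach ($t in $tagged) {
        # A disabled rule means that layer of the preset is turned off.
        if ("$($t.Rule.State)" -eq 'Disabled') {
            [pscustomobject]@{ Rule = $t.Rule.Name; Layer = $t.Layer; Finding = 'Disabled'; Detail = '' }
        }
        # Every exception value is a recipient, group or domain carved out of the preset.
        foreach ($p in $exceptionProps) {
            $values = @($t.Rule.$p | Where-Object { $_ })
            if ($values.Count -gt 0) {
                [pscustomobject]@{ Rule = $t.Rule.Name; Layer = $t.Layer; Finding = $p; Detail = $values -join ', ' }
            }
        }
    }

    # With Defender for Office 365, the EOP rule and the Defender for Office 365 rule
    # of a preset are enabled or disabled together; report presets where they differ.
    foreach ($eop in $EopRule) {
        $atp = $AtpRule | Where-Object { $_.Name -eq $eop.Name } | Select-Object -First 1
        if ($atp -and ("$($atp.State)" -ne "$($eop.State)")) {
            [pscustomobject]@{
                Rule    = $eop.Name
                Layer   = 'EOP + Defender for Office 365'
                Finding = 'StateMismatch'
                Detail  = "EOP=$($eop.State); Defender for Office 365=$($atp.State)"
            }
        }
    }
}

# Constructed sample objects carrying only the properties the function reads.
$eopRules = @(
    [pscustomobject]@{ Name = 'Standard Preset Security Policy'; State = 'Enabled'
        ExceptIfSentTo = $null; ExceptIfSentToMemberOf = @('Executives'); ExceptIfRecipientDomainIs = $null }
    [pscustomobject]@{ Name = 'Strict Preset Security Policy'; State = 'Enabled'
        ExceptIfSentTo = $null; ExceptIfSentToMemberOf = $null; ExceptIfRecipientDomainIs = $null }
)
$atpRules = @(
    [pscustomobject]@{ Name = 'Standard Preset Security Policy'; State = 'Enabled'
        ExceptIfSentTo = $null; ExceptIfSentToMemberOf = $null; ExceptIfRecipientDomainIs = $null }
    [pscustomobject]@{ Name = 'Strict Preset Security Policy'; State = 'Disabled'
        ExceptIfSentTo = @('SecOps1', 'SecOps2'); ExceptIfSentToMemberOf = $null; ExceptIfRecipientDomainIs = $null }
)
$builtIn = [pscustomobject]@{ Name = 'ATP Built-In Protection Rule'; State = 'Enabled'
    ExceptIfSentTo = $null; ExceptIfSentToMemberOf = $null; ExceptIfRecipientDomainIs = @('lab.example.com') }

Get-PresetRuleFinding -EopRule $eopRules -AtpRule $atpRules -BuiltInRule $builtIn |
    Format-Table -AutoSize -Wrap
```

In a connected Exchange Online PowerShell session, pass the output of the Get-EOPProtectionPolicyRule, Get-ATPProtectionPolicyRule and Get-ATPBuiltInProtectionRule commands shown earlier in place of the sample objects.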

Appendix

Preset security policies consist of the following elements:

These elements are described in the following sections.

In addition, it's important to understand how preset security policies fit in the order of precedence with other policies.

Profiles in preset security policies

A profile determines the level of protection. The following profiles are available for preset security policies:

  • Standard protection: A baseline profile that's suitable for most users.
  • Strict protection: A more aggressive profile for selected users (high value targets or priority users).
  • Built-in protection (Microsoft Defender for Office 365 only): Effectively provides default policies for Safe Links and Safe Attachments only.

In general, the Strict protection profile is more likely than the Standard protection profile to quarantine less-harmful email (for example, bulk and spam), but many of the settings in both profiles are the same (in particular, for unquestionably harmful email like malware or phishing). For a comparison of the setting differences, see the tables in the next section.

Until you turn on the profiles and assign users to them, the Standard and Strict preset security policies are assigned to no one. In contrast, the Built-in protection preset security policy is assigned to all recipients by default, but you can configure exceptions.

Important

Unless you configure exceptions to the Built-in protection preset security policy, all recipients in the organization receive Safe Links and Safe Attachments protection.

Policies in preset security policies

Preset security policies use special versions of the individual protection policies that are available in EOP and Microsoft Defender for Office 365. These policies are created after you assign the Standard protection or Strict protection preset security policies to users.

  • EOP policies: These policies are in all Microsoft 365 organizations with Exchange Online mailboxes and standalone EOP organizations without Exchange Online mailboxes:

    Note

    Outbound spam policies aren't part of preset security policies. The default outbound spam policy automatically protects members of preset security policies. Or, you can create custom outbound spam policies to customize the protection for members of preset security policies. For more information, see Configure outbound spam filtering in EOP.

  • Microsoft Defender for Office 365 policies: These policies are in organizations with Microsoft 365 E5 or Defender for Office 365 add-on subscriptions:

As previously described, you can apply EOP protections to different users than Defender for Office 365 protections, or you can apply EOP and Defender for Office 365 protections to the same recipients.

Policy settings in preset security policies

Fundamentally, you can't modify the individual policy settings in the protection profiles. Customizing the corresponding default policy or creating a new custom policy has no effect due to the order of precedence when the same user (recipient) is defined in multiple policies (the Standard and Strict preset security policies are always applied first).

But, you need to configure the individual users (senders) and domains to receive impersonation protection in Defender for Office 365. Otherwise, preset security policies automatically configure the following types of impersonation protection:

The differences in meaningful policy settings in the Standard preset security policy and the Strict preset security policy are summarized in the following table:

|   | Standard | Strict |
|---|---|---|
| Anti-malware policy | No difference | No difference |
| Anti-spam policy |   |   |
| Bulk compliant level (BCL) met or exceeded detection action (BulkSpamAction) | Move message to Junk Email folder (MoveToJmf) | Quarantine message (Quarantine) |
| Bulk email threshold (BulkThreshold) | 6 | 5 |
| Spam detection action (SpamAction) | Move message to Junk Email folder (MoveToJmf) | Quarantine message (Quarantine) |
| Anti-phishing policy |   |   |
| If the message is detected as spoof by spoof intelligence (AuthenticationFailAction) | Move message to Junk Email folder (MoveToJmf) | Quarantine message (Quarantine) |
| Show first contact safety tip (EnableFirstContactSafetyTips) | Selected ($true) | Selected ($true) |
| If mailbox intelligence detects an impersonated user (MailboxIntelligenceProtectionAction) | Move message to Junk Email folder (MoveToJmf) | Quarantine message (Quarantine) |
| Phishing email threshold (PhishThresholdLevel) | 3 - More aggressive (3) | 4 - Most aggressive (4) |
| Safe Attachments policy | No difference | No difference |
| Safe Links policy | No difference | No difference |

The differences in Safe Attachments and Safe Links policy settings in the Built-in protection preset security policy and in the Standard and Strict preset security policies are summarized in the following table:

|   | Built-in protection | Standard and Strict |
|---|---|---|
| Safe Attachments policy | No difference | No difference |
| Safe Links policy |   |   |
| Let users click through to the original URL (AllowClickThrough) | Selected ($true) | Not selected ($false) |
| Do not rewrite URLs, do checks via Safe Links API only (DisableURLRewrite) | Selected ($true) | Not selected ($false) |
| Apply Safe Links to email messages sent within the organization (EnableForInternalSenders) | Not selected ($false) | Selected ($true) |

For details about these settings, see the feature tables in Recommended settings for EOP and Microsoft Defender for Office 365 security.

Order of precedence for preset security policies and other policies

When a recipient is defined in multiple policies, the policies are applied in the following order:

  1. The Strict preset security policy.
  2. The Standard preset security policy.
  3. Defender for Office 365 evaluation policies.
  4. Custom policies based on the priority of the policy (a lower number indicates a higher priority).
  5. The Built-in protection preset security policy for Safe Links and Safe Attachments; the default policies for anti-malware, anti-spam, and anti-phishing.

In other words, the settings of the Strict preset security policy override the settings of the Standard preset security policy, which override the settings from any anti-phishing, Safe Links, or Safe Attachments evaluation policies, which override the settings from any custom policies, which override the settings of the Built-in protection preset security policy for Safe Links and Safe Attachments and the default policies for anti-spam, anti-malware, and anti-phishing.

This order is shown on the pages of the individual security policies in the Defender portal (the policies are applied in the order they're shown on the page).

For example, an admin configures the Standard preset security policy and a custom anti-spam policy with the same recipient. The anti-spam policy settings from the Standard preset security policy are applied to the user instead of what's configured in the custom anti-spam policy or in the default anti-spam policy.

Consider applying the Standard or Strict preset security policies to a subset of users, and apply custom policies to other users in your organization to meet specific needs. To meet this requirement, consider the following methods:

  • Use unambiguous groups or lists of recipients in the Standard preset security policy, the Strict preset security policy, and in custom policies so exceptions aren't required. Using this method, you don't need to account for multiple policies applying to the same users and the effects of the order of precedence.
  • If you can't avoid multiple policies applying to the same users, use the following strategies:
    • Configure recipients who should get the settings of the Standard preset security policy and custom policies as exceptions in the Strict preset security policy.
    • Configure recipients who should get the settings of custom policies as exceptions in the Standard preset security policy.
    • Configure recipients who should get the settings of the Built-in protection preset security policy or default policies as exceptions to custom policies.
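The order of precedence and the exception strategy above, modeled offline for one protection type (anti-spam). This is an added example, not Microsoft's code. The recipients, the custom policy names, the Tier field and the Get-EffectivePolicy function are hypothetical, and only direct SentTo and ExceptIfSentTo matching is modeled (no groups or domains).

```powershell
# Constructed sample data: nothing here is read from a real tenant.
# Tier is a hypothetical label for the documented precedence level of each policy.
$Policies = @(
    [pscustomobject]@{ Name = 'Strict Preset Security Policy'; Tier = 'Strict'; Priority = 0
        SentTo = @('ceo@contoso.com', 'secops1@contoso.com')
        ExceptIfSentTo = @('secops1@contoso.com') }   # exception lets Standard apply
    [pscustomobject]@{ Name = 'Standard Preset Security Policy'; Tier = 'Standard'; Priority = 0
        SentTo = @('ceo@contoso.com', 'secops1@contoso.com', 'sales1@contoso.com')
        ExceptIfSentTo = @() }
    [pscustomobject]@{ Name = 'Custom anti-spam B'; Tier = 'Custom'; Priority = 1
        SentTo = @('sales1@contoso.com', 'dev1@contoso.com')
        ExceptIfSentTo = @() }
    [pscustomobject]@{ Name = 'Custom anti-spam A'; Tier = 'Custom'; Priority = 0
        SentTo = @('dev1@contoso.com')
        ExceptIfSentTo = @() }
    [pscustomobject]@{ Name = 'Default anti-spam policy'; Tier = 'Default'; Priority = 0
        SentTo = @('*')                               # '*' = every recipient (model only)
        ExceptIfSentTo = @() }
)

function Get-EffectivePolicy {
    param(
        [Parameter(Mandatory)][string]$Recipient,
        [Parameter(Mandatory)][object[]]$Policy
    )
    # Documented order: Strict, Standard, evaluation, custom (by priority), built-in/default.
    $tierOrder = @{ Strict = 1; Standard = 2; Evaluation = 3; Custom = 4; Default = 5 }

    $Policy |
        Where-Object {
            # A policy is a candidate only if the recipient is included and not excepted.
            ($_.SentTo -contains '*' -or $_.SentTo -contains $Recipient) -and
            ($_.ExceptIfSentTo -notcontains $Recipient)
        } |
        # Lowest tier number wins; within custom policies a lower Priority number wins.
        Sort-Object -Property @{ Expression = { $tierOrder[$_.Tier] } }, 'Priority' |
        Select-Object -First 1
}

$recipients = 'ceo@contoso.com', 'secops1@contoso.com', 'sales1@contoso.com',
              'dev1@contoso.com', 'intern@contoso.com'
foreach ($r in $recipients) {
    $winner = Get-EffectivePolicy -Recipient $r -Policy $Policies
    '{0,-22} -> {1}' -f $r, $winner.Name
}
```

In this model, secops1@contoso.com falls through to the Standard preset security policy only because of the exception in the Strict rule, and sales1@contoso.com never receives the custom policy's settings while it remains a member of Standard.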

The Built-in protection preset security policy doesn't affect recipients in existing Safe Links or Safe Attachments policies. If you already configured Standard protection, Strict protection or custom Safe Links or Safe Attachments policies, those policies are always applied before Built-in protection, so there's no effect on the recipients who are already defined in those existing preset or custom policies.

For more information, see Order and precedence of email protection.