Configure and review priority account protection in Microsoft Defender for Office 365
Tip
Did you know you can try the features in Microsoft Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft Defender portal trials hub. Learn about who can sign up and trial terms on Try Microsoft Defender for Office 365.
In Microsoft 365 organizations with Microsoft Defender for Office 365 Plan 2, priority account protection is a differentiated level of protection that's applied to accounts that have the Priority account tag applied to them. For more information about the Priority account tag and how to apply it to users, see Manage and monitor priority accounts.
Priority account protection offers additional heuristics that are tailored to company executives that don't benefit regular employees. Priority account protection is better suited to the mail flow patterns of company executives based on extensive data from the Microsoft datacenters.
By default, priority account protection is turned on in organizations with Defender for Office 365 Plan 2. This default behavior means an account that's tagged as a Priority account automatically receives priority account protection.
This article describes how to confirm that priority account protection is turned on, how to turn it on, and identifies the reporting features that allow you to see the results of priority account protection.
What do you need to know before you begin?
You open the Microsoft Defender portal at https://security.microsoft.com.
You need to be assigned permissions before you can do the procedures in this article. You have the following options:
Microsoft Defender XDR Unified role based access control (RBAC) (If Email & collaboration > Defender for Office 365 permissions is Active. Affects the Defender portal only, not PowerShell): Authorization and settings/System settings/Read and manage or Authorization and settings/System settings/Read-only.
Exchange Online permissions: Membership in the Organization Management or Security Administrator role groups.
Microsoft Entra permissions: Membership in the Global Administrator* or Security Administrator roles gives users the required permissions and permissions for other features in Microsoft 365.
Important
* Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
As previously described, priority account protection is applied to accounts that have the Priority account tag applied to them. For instructions, see Manage and monitor priority accounts.
The Priority account tag is a type of user tag. You can create custom user tags to differentiate specific groups of users in reporting and other features. For more information about user tags, see User tags in Microsoft Defender for Office 365.
Review or turn on priority account protection in the Microsoft Defender portal
Note
We don't recommend turning off priority account protection.
In the Microsoft Defender portal at https://security.microsoft.com, go to Settings > Email & collaboration > Priority account protection. Or, to go directly to the Priority account protection page, use https://security.microsoft.com/securitysettings/priorityAccountProtection.
On the Priority account protection page, verify that Priority account protection is turned on ( ).
Review or turn on priority account protection in Exchange Online PowerShell
If you'd rather use PowerShell to verify that priority account protection is turned on, run the following command in Exchange Online PowerShell:
Get-EmailTenantSettings | Format-List Identity,EnablePriorityAccountProtection
The value True for the EnablePriorityAccountProtection property means priority account protection is turned on. The value False means priority account protection is turned off.
To turn on priority account protection, run the following command:
Set-EmailTenantSettings -EnablePriorityAccountProtection $true
For detailed syntax and parameter information, see Get-EmailTenantSettings and Set-EmailTenantSettings.
Review differentiated protection from priority account protection
The effects of priority account protection are visible in the following reporting features:
For information about where the Priority account tag and other user tags are available as filters, see User tags in reports and features.
Threat protection status report
The Threat protection status report brings together information about malicious content and malicious email detected and blocked by Exchange Online Protection and Defender for Office 365. For more information, see Threat protection status report.
In the previously mentioned views in the report, the option Priority account protection and the value Yes is available when you select Filter. This option allows you to filter the data in the report by priority account protection detections.
Threat Explorer
For more information about Threat Explorer, see Threat Explorer and Real-time detections.
To view the results of priority account protection in Threat Explorer, do the following steps:
In the Microsoft Defender portal at https://security.microsoft.com, go to Email & collaboration > Explorer. Or, to go directly to the Explorer page, use https://security.microsoft.com/threatexplorer.
On the Explorer page, on the All email, Malware, or Phish tabs, select Context > Equal any of > Priority account protection, and then select Refresh.
Email entity page
The Email entity page is available from many locations in the Defender portal, including Threat Explorer (also known as Explorer). For more information, see The Email entity page.
On the Email entity page, select the Analysis tab. Priority account protection is listed in the Threat detection details section.