Microsoft Defender for Office 365 overview

Tip

Did you know you can try the features in Microsoft Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft Defender portal trials hub. Learn about who can sign up and trial terms on Try Microsoft Defender for Office 365.

Although all organizations with cloud mailboxes include default email protections, Microsoft Defender for Office 365 is the primary email and collaboration security solution for Microsoft 365.

This article explains the protection ladder for email and collaboration. The ladder starts with the default email protections for cloud mailboxes, and continues to Defender for Office 365 Plan 1 and Defender for Office 365 Plan 2.

Tip

As a companion to this article, see our Microsoft Defender for Office 365 setup guide to review best practices and to protect against email, link, and collaboration threats. Features include Safe Links, Safe Attachments, and more. For a customized experience based on your environment, you can access the Microsoft Defender for Office 365 automated setup guide in the Microsoft 365 admin center.

This article is intended for Security Operations (SecOps) personnel, Microsoft 365 admins, or decision makers who want to learn more about Defender for Office 365.

Tip

If you're using Outlook.com, Microsoft 365 Family, or Microsoft 365 Personal, and need information about Safelinks or advanced attachment scanning, see Advanced Outlook.com security for Microsoft 365 subscribers.

If you're new to your Microsoft 365 subscription and would like to know your licenses before you begin, go to the Your products page in the Microsoft 365 admin center at https://admin.microsoft.com/Adminportal/Home#/subscriptions.

The protection ladder in Defender for Office 365 contains the following elements:

  1. Default email protections for cloud mailboxes: Included in all Microsoft 365 subscriptions with cloud mailboxes.
  2. Defender for Office 365 Plan 1: Included in some Microsoft 365 subscriptions that cater to small to medium-sized businesses (for example, Microsoft 365 Business Premium).
  3. Defender for Office 365 Plan 2: Included in some Microsoft 365 subscriptions that cater to enterprise organizations (for example, Microsoft 365 E5, Microsoft 365 A5, and Microsoft 365 GCC G5).

Defender for Office 365 is also available as an add-on subscription to many Microsoft 365 subscriptions with cloud mailboxes.

Defender for Office 365 Plan 1 contains a subset of the features that are available in Plan 2. Defender for Office 365 Plan 2 contains many features that aren't available in Plan 1.

Tip

For information about subscriptions that contain Defender for Office 365, see the Microsoft 365 business plan comparison and the Microsoft 365 Enterprise plan comparison.

Use the following exhaustive reference to determine if Defender for Office 365 Plan 1 or Plan 2 licenses are included in a Microsoft 365 subscription: Product names and service plan identifiers for licensing.

Use the following interactive guide to see how Defender for Office 365 is able to protect your organization: Safeguard your organization with Microsoft Defender for Office 365.

Use this page to compare plans and purchase Defender for Office 365.

The following descriptions summarize the protection ladder in Defender for Office 365:

  • Default email protections for cloud mailboxes prevent broad, volume-based, known email attacks.
  • Defender for Office 365 Plan 1 protects email and collaboration features from zero-day malware, phishing, and business email compromise (BEC).
  • Defender for Office 365 Plan 2 adds phishing simulations, post-breach investigation, hunting, and response, and automation.

However, you can also think about the architecture of protection in Defender for Office 365 as cumulative layers of security, where each layer has a different security emphasis. This architecture is shown in the following diagram:

Diagram about protections in Defender for Office 365 and their relationships to one another with service emphasis, including a note for email authentication.

All levels of the protection ladder are capable of protecting, detecting, investigating, and responding to threats. But as you move up the protection ladder, the available features and automation increase.

Whether you're using the onmicrosoft.com domain only or custom domains for email in Microsoft 365, it's important to configure email authentication for your used and unused domains. SPF, DKIM, and DMARC records in DNS allow Microsoft 365 to more accurately protect against spoofing attacks. For more information, see Email authentication.
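An offline check for the email authentication point above, added here as an example (not Microsoft's code): it audits SPF and DMARC TXT records for a domain inventory and applies stricter expectations to domains that send no mail. The domain names, records, and pass criteria (`v=spf1 -all` and `p=reject` for unused domains, `p=quarantine` or `p=reject` for sending domains) are assumptions of this example; DKIM is skipped because it needs selector names.

```python
# Constructed sample data: reserved example domains, not real tenant records.
SAMPLE = {
    "example.com": {"sends_mail": True,
                    "txt": ["v=spf1 include:spf.protection.outlook.com -all"],
                    "dmarc": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"]},
    "example.net": {"sends_mail": False, "txt": [], "dmarc": []},
    "example.org": {"sends_mail": False,
                    "txt": ["v=spf1 -all"],
                    "dmarc": ["v=DMARC1; p=reject"]},
}

def parse_tags(record):
    """Split a 'tag=value; tag=value' DMARC record into a lowercase dict."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip().lower() for k, v in pairs}

def audit_domain(sends_mail, txt, dmarc):
    """Return findings for one domain (txt = apex TXT, dmarc = _dmarc TXT)."""
    findings = []
    # Keep only SPF records, each as a list of lowercase terms.
    spf = [r.lower().split() for r in txt if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        findings.append("SPF: expected exactly one v=spf1 record, found %d" % len(spf))
    elif not sends_mail:
        # Assumed baseline: a domain that never sends mail authorizes no senders.
        if spf[0] != ["v=spf1", "-all"]:
            findings.append("SPF: unused domain should publish only 'v=spf1 -all'")
    elif spf[0][-1] not in ("-all", "~all") and not any(
            t.startswith("redirect=") for t in spf[0]):
        findings.append("SPF: no -all/~all terminator and no redirect=")
    recs = [r for r in dmarc if r.lower().replace(" ", "").startswith("v=dmarc1")]
    if len(recs) != 1:
        findings.append("DMARC: expected exactly one v=DMARC1 record, found %d" % len(recs))
    else:
        policy = parse_tags(recs[0]).get("p", "missing")
        wanted = ("quarantine", "reject") if sends_mail else ("reject",)
        if policy not in wanted:
            findings.append("DMARC: p=%s, expected one of %s" % (policy, "/".join(wanted)))
    return findings

def audit_all(domains):
    """Audit every domain in the inventory and map each name to its findings."""
    return {name: audit_domain(d["sends_mail"], d["txt"], d["dmarc"])
            for name, d in domains.items()}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE).items():
        print(name, "OK" if not findings else findings)
```

To run it against real domains, replace `SAMPLE` with TXT records exported from DNS for each domain apex and its `_dmarc` name.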

The Defender for Office 365 security ladder

It can be difficult to identify the advantages of Defender for Office 365. The following subsections describe the capabilities of each product using the following security emphases:

  • Preventing and detecting threats.
  • Investigating threats.
  • Responding to threats.

Default email protection capabilities

The default email protection capabilities included in all organizations with cloud mailboxes are summarized in the following table:

Prevent/Detect Investigate Respond

* The associated features are available in default threat policies, custom threat policies, and the Standard and Strict preset security policies. For help with deciding which method to use, see Determine your threat policy strategy.

For more information, see Default email protections for cloud mailboxes.

Defender for Office 365 Plan 1 capabilities

Defender for Office 365 Plan 1 adds more prevention and detection capabilities.

The extra features you get in Defender for Office 365 Plan 1 on top of the default email protections for cloud mailboxes are described in the following table:

Prevent/Detect Investigate Respond
  • Same

* The presence of Email & collaboration > Real-time detections in the Microsoft Defender portal is a quick way to differentiate between Defender for Office 365 Plan 1 and Plan 2.

Screenshot of the Real-time detections selection in the Email & collaboration section in the Microsoft Defender portal.

Defender for Office 365 Plan 2 capabilities

Defender for Office 365 Plan 2 expands on the investigation and response capabilities of Plan 1 with the addition of automation.

The extra features that you get in Defender for Office 365 Plan 2 on top of Defender for Office 365 Plan 1 are described in the following table:

Prevent/Detect Investigate Respond

* The presence of Email & collaboration > Explorer in the Microsoft Defender portal is a quick way to differentiate between Defender for Office 365 Plan 2 and Plan 1.

Screenshot of the Explorer selection in the Email & collaboration section in the Microsoft Defender portal.

Defender for Office 365 Plan 1 vs. Plan 2 cheat sheet

This quick-reference section summarizes the different capabilities between Defender for Office 365 Plan 1 and Plan 2 that aren't included in the default email protections for cloud mailboxes.

Defender for Office 365 Plan 1 Defender for Office 365 Plan 2
Prevent and detect capabilities:
Investigate and respond capabilities:
Everything in Defender for Office 365 Plan 1

--- plus ---

Prevent and detect capabilities:
Investigate and respond capabilities:

Where to go next

Get started with Microsoft Defender for Office 365

Microsoft Defender for Office 365 Security Operations Guide

Migrate from a non-Microsoft protection service or device to Microsoft Defender for Office 365

What's new in Microsoft Defender for Office 365

The Microsoft 365 Roadmap describes new features that are being added to Defender for Office 365.