Migrate from a third-party protection service or device to Microsoft Defender for Office 365


If you already have a third-party protection service or device that sits in front of Microsoft 365, you can use this guide to migrate your protection to Microsoft Defender for Office 365. The migration gives you a consolidated management experience, potentially reduced cost (using products that you already pay for), and a mature product with integrated security protection. For more information, see Microsoft Defender for Office 365.

This guide provides specific and actionable steps for your migration, and assumes the following facts:

  • You already have Microsoft 365 mailboxes, but you're currently using a third-party service or device for email protection. Mail from the internet flows through the protection service before delivery into your Microsoft 365 organization, and Microsoft 365 protection is as low as possible (it's never completely off; for example, malware protection is always enforced).

    Mail flows from the internet through the third-party protection service or device before delivery into Microsoft 365.

  • You're beyond the investigation and consideration phase for protection by Defender for Office 365. If you need to evaluate Defender for Office 365 to decide whether it's right for your organization, we recommend that you consider Evaluation Mode.

  • You've already purchased Defender for Office 365 licenses.

  • You need to retire your existing third-party protection service, which means you'll ultimately need to point the MX records for your email domains to Microsoft 365. When you're done, mail from the internet will flow directly into Microsoft 365 and will be protected exclusively by Exchange Online Protection (EOP) and Defender for Office 365.

    Your existing protection service or device is eliminated, so mail flows from the internet into Microsoft 365, with full protection from Microsoft Defender for Office 365.

Eliminating your existing protection service in favor of Defender for Office 365 is a big step that you shouldn't take lightly, nor should you rush to make the change. The guidance in this migration guide will help you transition your protection in an orderly manner with minimal disruption to your users.

The very high-level migration steps are illustrated in the following diagram. The actual steps are listed in the section named The migration process later in this article.

Migrate from a third-party protection solution or device to Defender for Office 365.

Why use the steps in this guide?

In the IT industry, surprises are generally bad. Simply flipping your MX records to point to Microsoft 365 without prior and thoughtful testing will result in many surprises. For example:

  • You or your predecessors have likely spent a lot of time and effort customizing your existing protection service for optimal mail delivery (in other words, blocking what needs to be blocked, and allowing what needs to be allowed). It's almost a guaranteed certainty that not every customization in your current protection service is required in Defender for Office 365. It's also very possible that Defender for Office 365 will introduce new issues (allows or blocks) that didn't happen or weren't required in your current protection service.
  • Your help desk and security personnel need to know what to do in Defender for Office 365. For example, if a user complains about a missing message, does your help desk know where or how to look for it? They're likely very familiar with the tools in your existing protection service, but what about the tools in Defender for Office 365?

In contrast, if you follow the steps in this migration guide, you'll get the following tangible benefits for your migration:

  • Minimal disruption to users.
  • Objective data from Defender for Office 365 that you can use as you report on the progress and success of the migration to management.
  • Early involvement and instruction for help desk and security personnel.

The more you familiarize yourself with how Defender for Office 365 will affect your organization, the better the transition will be for users, help desk personnel, security personnel, and management.

This migration guide gives you a plan for gradually "turning the dial" so you can monitor and test how Defender for Office 365 affects your users and their email, and react quickly to any issues that you encounter.

The migration process

The process of migrating from a third-party protection service to Defender for Office 365 can be divided into three phases as described in the following table:

The process for migrating to Defender for Office 365.


Phase: Prepare for your migration
Description:
  1. Inventory the settings at your existing protection service
  2. Check your existing protection configuration in Microsoft 365
  3. Check your mail routing configuration
  4. Move features that modify messages into Microsoft 365
  5. Define spam and bulk user experiences
  6. Identify and designate priority accounts

Phase: Set up Defender for Office 365
Description:
  1. Create distribution groups for pilot users
  2. Configure user submission for user message reporting
  3. Maintain or create the SCL=-1 mail flow rule
  4. Configure Enhanced Filtering for Connectors
  5. Create pilot protection policies

Phase: Onboard to Defender for Office 365
Description:
  1. Begin onboarding Security Teams
  2. (Optional) Exempt pilot users from filtering by your existing protection service
  3. Tune spoof intelligence
  4. Tune impersonation protection and mailbox intelligence
  5. Use data from user submissions to measure and adjust
  6. (Optional) Add more users to your pilot and iterate
  7. Extend Microsoft 365 protection to all users and turn off the SCL=-1 mail flow rule
  8. Switch your MX records
