Office 365 Advanced Threat Protection


This article is intended for business customers who have Office 365 Advanced Threat Protection. If you are using, Office 365 Home, or Office 365 Personal, and you're looking for information about Safe Links in Outlook, see Advanced security.


Office 365 Advanced Threat Protection (ATP) safeguards your organization against malicious threats posed by email messages, links (URLs) and collaboration tools. ATP includes:

Office 365 ATP Plan 1 and Plan 2

ATP is included in Office 365 E5; however, ATP Plan 1 and ATP Plan 2 are each available as an add-on for certain subscriptions. To learn more, see Feature availability across ATP plans.

Configure ATP policies

Office 365 ATP provides numerous tools to set an appropriate level of protection for your organization.

Your organization's security team must define policies for each ATP tool in the Office 365 Security & Compliance Center. Go to Threat management > Policy to access policy options. For more information, see Protect against threats.

The policies that are defined for your organization determine the behavior and protection level for predefined threats. Policy options are extremely flexible. For example, your organization's security team can set fine-grained threat protection at the user, organization, recipient, and domain level. It is important to review your policies regularly because new threats and challenges emerge daily.

View ATP reports

Office 365 ATP includes an advanced reporting dashboard to monitor your ATP performance. You can access it at Reports > Dashboard in the Security & Compliance Center.

Reports update in real-time, providing you with the latest insights. These reports also provide recommendations and alert you to imminent threats. Predefined reports include the following:

Use threat investigation and response capabilities

Office 365 ATP Plan 2 includes best-of-class threat investigation and response tools that enable your organization's security team to anticipate, understand, and prevent malicious attacks.

Save time with automated investigation and response

(NEW!) When you are investigating a potential cyberattack, time is of the essence. The sooner you can identify and mitigate threats, the better off your organization will be. The subscriptions listed below now include automated investigation and response (AIR) capabilities. (If you don't have these capabilities yet, you'll have them soon if you have one of these subscriptions.)

Office 365 AIR is included in the following subscriptions:

  • Microsoft 365 E5
  • Microsoft 365 E5 Security
  • Office 365 E5
  • Office 365 Advanced Threat Protection Plan 2

AIR includes a set of security playbooks that can be launched automatically, such as when an alert is triggered, or manually, such as from a view in Explorer. AIR can save your security operations team time and effort in mitigating threats effectively and efficiently. To learn more, see Automated Investigation and Response (AIR) with Office 365.

Permissions required to use ATP features

To access ATP features in the Security & Compliance Center, you must be assigned an appropriate role. The following table includes some examples:

Role or role group Resources to learn more
Office 365 Global Administrator About Office 365 admin roles
Security Administrator Administrator role permissions in Azure Active Directory
Exchange Online Organization Management Permissions in Exchange Online
Exchange Online PowerShell

For more information, see:

Get Office 365 ATP

Office 365 ATP Plan 2 is included in Office 365 Enterprise E5, Office 365 Education A5, and Microsoft 365 Business. If your subscription does not include Office 365 ATP, you can purchase ATP Plan 1 or ATP Plan 2 as an add-on to certain subscriptions. To learn more, see the following resources:

New features in Office 365 ATP

New features are added to Office 365 ATP continually. To learn more, see the following resources: