Preset security policies in EOP and Office 365 ATP

Important

Welcome to Microsoft Defender for Office 365, the new name for Office 365 Advanced Threat Protection. Read more about this and other updates in Microsoft delivers unified SIEM and XDR to modernize security operations. We'll be updating names in products and in the docs in the near future.

Preset security policies provide a centralized location for applying all of the recommended spam, malware, and phishing policies to users at once. The policy settings are not configurable. Instead, they are set by us and are based on our observations and experiences in the datacenters, balancing keeping harmful content away from users against not disrupting their work.

The rest of this topic describes preset security policies and how to configure them.

What preset security policies are made of

Preset security policies consist of the following elements:

  • Profiles
  • Policies
  • Policy settings

In addition, the order of precedence is important if multiple preset security policies and other policies apply to the same person.

Profiles in preset security policies

A profile determines the level of protection. The following profiles are available:

  • Standard protection: A baseline protection profile that's suitable for most users.
  • Strict protection: A more aggressive protection profile for selected users (high value targets or priority users).

You use rules with conditions and exceptions that determine who the profiles are or are not applied to.

You can only use a condition or exception once, but you can specify multiple values for the condition or exception. Multiple values of the same condition or exception use OR logic (for example, <recipient1> or <recipient2>). Different conditions or exceptions use AND logic (for example, <recipient1> and <member of group 1>).

The available conditions and exceptions are:

  • The recipients are: Mailboxes, mail users, or mail contacts in your organization.
  • The recipients are members of: Groups in your organization.
  • The recipient domains are: Accepted domains that are configured in Microsoft 365.

Policies in preset security policies

Preset security policies use the corresponding policies from the various protection features in EOP and Office 365 ATP. These policies are created after you assign the Standard protection or Strict protection preset security policies to users. You can't modify these policies.

  • Exchange Online Protection (EOP) policies: This includes Microsoft 365 organizations with Exchange Online mailboxes and standalone EOP organizations without Exchange Online mailboxes:

  • Office 365 Advanced Threat Protection (ATP) policies: This includes organizations with Microsoft 365 E5 or Office 365 ATP add-on subscriptions:

Note that you can apply EOP protections to different users than ATP protections.

Policy settings in preset security policies

You can't modify the policy settings in the protection profiles. The Standard and Strict policy setting values are described in Recommended settings for EOP and Office 365 ATP security.

Order of precedence for preset security policies and other policies

When multiple policies are applied to a user, the following order is applied from highest priority to lowest priority:

  1. Strict protection preset security policy
  2. Standard protection preset security policy
  3. Custom security policies
  4. Default security policies

In other words, the settings of the Strict protection policy override the settings of the Standard protection policy, which overrides the settings from a custom policy, which overrides the settings from the default policy.

Assign preset security policies to users

What do you need to know before you begin?

Use the Security & Compliance Center to assign preset security policies to users

  1. In the Security & Compliance Center, go to Threat management > Policy > Preset security policies.

  2. Under Standard protection or Strict protection, click Edit.

  3. The Apply Standard protection or Apply Strict protection wizard starts. On the EOP protections apply to step, identify the internal recipients that the EOP protections apply to:

    1. Click Add a condition. In the dropdown that appears, select a condition under Applied if:

      • The recipients are
      • The recipients are members of
      • The recipient domains are

      You can only use a condition once, but you can specify multiple values for the condition. Multiple values of the same condition use OR logic (for example, <recipient1> or <recipient2>).

    2. The condition that you selected appears in a shaded section. In that section, click in the Any of these box. If you wait a moment, a list will appear so you can select a value. Or, you can start typing a value to filter the list and select a value. Repeat this step as many times as necessary. To remove an individual value, click Remove on the value. To remove the entire condition, click Remove on the condition.

    3. To add another condition, click Add a condition and select from the remaining conditions. Different conditions use AND logic (for example, <recipient1> and <member of group 1>).

      Repeat the previous step to add values to the condition, and repeat this step as many times as necessary or until you run out of conditions.

    4. To add an exception, click Add a condition. In the dropdown that appears, select a condition under Except when. The settings and behavior are exactly like the conditions.

    When you're finished, click Next.

  4. If your organization has Office 365 ATP, you're taken to the ATP protections apply to step to identify the internal recipients that the Office 365 ATP protections apply to.

    The settings and behavior are exactly like the EOP protections apply to step.

    When you're finished, click Next.

  5. On the Confirm step, verify your selections, and then click Confirm.

Use the Security & Compliance Center to modify the assignments of preset security policies

The steps to modify the assignment of the Standard protection or Strict protection security policy are the same as when you initially assigned the preset security policies to users.

To disable the Standard protection or Strict protection security policies while still preserving the existing conditions and exceptions, slide the toggle to Disabled. To enable the policies, slide the toggle to Enabled.

How do you know these procedures worked?

To verify that you've successfully assigned the Standard protection or Strict protection security policy to a user, use a protection setting where the default value is different from the Standard protection setting, which in turn is different from the Strict protection setting.

For example, for email that's detected as spam (not high confidence spam), verify that the message is delivered to the Junk Email folder for Standard protection users, and quarantined for Strict protection users.

Or, for bulk email, verify that the BCL value 6 or higher delivers the message to the Junk Email folder for Standard protection users, and the BCL value 4 or higher quarantines the message for Strict protection users.
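As an added illustration (not code from this page or from Microsoft), here is a small Python model of the rule semantics described earlier and of this verification section: values within one condition use OR, different conditions (and exceptions) use AND, a disabled preset keeps its conditions but does not apply, and Strict overrides Standard, which overrides custom, which overrides default; the resolved profile then maps to the spam action and BCL threshold the page says you should observe. The class names, condition keys, and the contoso.com/fabrikam.com recipients are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Recipient:
    address: str                      # constructed sample, e.g. alice@contoso.com
    groups: frozenset = frozenset()   # names of groups the recipient is a member of

    @property
    def domain(self) -> str:
        return self.address.split("@", 1)[1].lower()

@dataclass
class PresetRule:
    profile: str                      # "Strict" or "Standard"
    enabled: bool = True              # the Enabled/Disabled toggle; conditions survive a disable
    conditions: dict = field(default_factory=dict)   # condition name -> set of values
    exceptions: dict = field(default_factory=dict)   # exception name -> set of values

def _matches(clauses: dict, r: Recipient) -> bool:
    """Different clause types use AND; multiple values of one clause use OR."""
    if not clauses:
        return False                  # no conditions: nobody matches; no exceptions: nobody excepted
    for kind, values in clauses.items():
        lowered = {v.lower() for v in values}
        if kind == "recipients":      # "The recipients are"
            hit = r.address.lower() in lowered
        elif kind == "members_of":    # "The recipients are members of"
            hit = bool(r.groups & set(values))
        elif kind == "domains":       # "The recipient domains are"
            hit = r.domain in lowered
        else:
            raise ValueError(f"unknown condition or exception: {kind}")
        if not hit:
            return False
    return True

PRECEDENCE = ["Strict", "Standard", "Custom", "Default"]   # highest priority first

def effective_profile(r: Recipient, rules: list, custom_policy_applies: bool = False) -> str:
    """Return the policy whose settings win for r under the page's order of precedence."""
    applied = {rule.profile for rule in rules
               if rule.enabled and _matches(rule.conditions, r) and not _matches(rule.exceptions, r)}
    if custom_policy_applies:
        applied.add("Custom")
    applied.add("Default")            # a default policy always applies
    return next(p for p in PRECEDENCE if p in applied)

# What the page says to expect when checking an assignment: (spam action, BCL threshold).
EXPECTED_HANDLING = {"Standard": ("Junk Email folder", 6), "Strict": ("Quarantine", 4)}
```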