Exchange Online Protection service description

Obtain information about features and requirements for Exchange Online Protection. Included is a list of plans that provide Exchange Online Protection, as well as a comparison of features across those plans.

Microsoft Exchange Online Protection (EOP) is a cloud-based email filtering service that helps protect your organization against spam and malware, and includes features to safeguard your organization from messaging-policy violations. EOP can simplify the management of your messaging environment and alleviate many of the burdens that come with maintaining on-premises hardware and software.

The following list describes the primary ways you can use EOP for messaging protection:

  • In a standalone scenario: EOP provides cloud-based email protection for your on-premises email environment (Exchange Server or other on-premises SMTP email solutions).

  • As a part of Microsoft Exchange Online: By default, EOP protects Exchange Online cloud-hosted mailboxes. To learn more about Exchange Online, see the Exchange Online service description.

  • In a hybrid deployment: EOP can be configured to protect your messaging environment and control mail routing when you have a mix of on-premises and cloud mailboxes.

Available plans

For detailed plan information on subscriptions that enable users for Exchange Online Protection, see the full subscription comparison table.

To buy Exchange Online Protection, see Exchange Online Protection.


EOP replaced Forefront Online Protection for Exchange (FOPE). All FOPE customers have been transitioned to EOP.

What's new in Exchange Online Protection (EOP)

The Microsoft 365 roadmap is a good resource for finding out information about upcoming new features.

Exchange Online Protection (EOP) plans

EOP is available through the following subscription plans:

Plan Description
EOP standalone A separate cloud-based service that protects your on-premises email organization.
EOP features in Exchange Online The built-in protection for your Exchange Online cloud-hosted mailboxes.
Exchange Enterprise CAL with Services Add-on licenses you purchase for your on-premises Exchange organization that include EOP and other cloud-based features (see the next section for details).

Exchange Enterprise CAL with Services features

Microsoft Exchange Enterprise CAL with Services provides the email protection features of EOP and the following additional cloud-based features:

For more information about Exchange Enterprise CAL with Services licensing, see Exchange licensing FAQs.

If you have Exchange Enterprise CAL with Services licenses and you want to provision EOP, follow the instructions in Set up your EOP service. The setup steps are the same as the steps for setting up EOP standalone.


New features for Exchange Enterprise CAL with Services are deployed at the same time as Exchange Online, not EOP standalone. Be advised that the deployment schedules for EOP standalone and Exchange Online/Exchange Enterprise CAL with Services may be slightly different.

Requirements for Exchange Online Protection (EOP)

EOP can be used with any SMTP mail transfer agent, such as Microsoft Exchange Server. For information about the operating systems, web browsers, and languages that are supported by EOP, see the "Supported browsers" and "Supported languages" sections in Exchange admin center in Exchange Online Protection.


For limits in EOP, see Exchange Online Protection limits.

Feature availability across Exchange Online Protection (EOP) plans

Each feature is listed below. For more detailed information about EOP features, click the links in the table. When Exchange Online is mentioned, it typically refers to the Office 365 Enterprise service family.

Feature EOP standalone EOP features in Exchange Online Exchange Enterprise CAL with Services
Mail recipients Yes1 Yes1 Yes
Admin role group permissions Yes2 Yes Yes
Domain management Yes3 Yes3 Yes3
Match subdomains Yes Yes No
Directory Based Edge Blocking (DBEB) Yes Yes Yes
Mail flow rules Yes4 Yes4, 6 Yes
Audit logging Yes5 Yes Yes
Data loss prevention (DLP) No Yes Yes6
Office 365 Message Encryption Yes12 Yes Yes12
Anti-spam protection (built-in) Yes Yes Yes
Customize anti-spam policies Yes7 Yes Yes
Anti-malware protection (built-in) Yes13 Yes Yes
Customize anti-malware policies Yes Yes Yes
Quarantine: administrator management Yes Yes Yes
Quarantine: end-user self-management Yes Yes Yes
Submission No Yes No
Report Message add-in for Outlook Yes Yes Yes
Junk email reporting in Outlook on the web Yes Yes Yes
Routing email between Microsoft and your own email servers Yes Yes Yes
Secure messaging with a trusted partner Yes Yes Yes
Safe listing a partner's IP address Yes Yes Yes
Conditional mail routing Yes Yes Yes
Hybrid mail routing Yes Yes Yes
Microsoft 365 admin center reports
Yes9 Yes10 Yes 9, 10
Reporting using web services No Yes Yes
Message trace Yes15 Yes15 Yes
Access to the Microsoft 365 admin center Yes Yes Yes
Access to the Exchange admin center Yes Yes Yes
Remote Windows PowerShell access Yes Yes Yes

1 Mail users are defined as "Mailboxes," and, along with external mail contacts, can be added, removed, and otherwise managed directly in the Exchange admin center (EAC).
2 No RBAC customization. Admin roles only.
3 Managed domains can be viewed and domain types can be edited in the EAC. All other domain management must be done in the Microsoft 365 admin center.
4 Mail flow rules (also known as transport rules) in EOP are described in Mail flow rules (transport rules) in Exchange Online Protection. The available mail flow rule conditions, exceptions, and actions differ slightly between EOP and Exchange Online. These differences are noted in Mail flow rule conditions and exceptions (predicates) in Exchange Online and Mail flow rule actions in Exchange Online.
5 EOP auditing reports are a subset of Exchange Online auditing reports that exclude information about mailboxes.
6 DLP policy tips are not available for Exchange Enterprise CAL with Services customers.
7 The default content filter action is to move spam messages to the recipients' Junk Email folder. For this to work with on-premises Exchange mailboxes, you also need to configure two transport rules in your on-premises Exchange organization to detect spam headers added by EOP. For more information, see Configure standalone EOP to deliver spam to the Junk Email folder in hybrid environments.
9 EOP reports are a subset of Exchange Online reports that exclude information about mailboxes.
10 Includes DLP reports.
12 Supported for on-premises customers who purchase Azure Information Protection and use Exchange Online Protection to route email through Exchange Online.
13 Scans inbound and outbound messages, but does not scan internal messages sent from a sender in your organization to a recipient in your organization.
15 Hybrid setup is not available through Hybrid Wizard, but can be set up manually if you have Exchange SP1.