Recipient, domain, and company management in Exchange Online Protection

Microsoft Exchange Online Protection (EOP) offers several means of managing your recipient, domain, and company information. As an administrator, you can perform certain management tasks within the Exchange admin center (EAC), and verify other management tasks performed in the Microsoft 365 admin center.

Looking for information about all EOP features? See the Exchange Online Protection service description.

Mail recipients

Mail recipients are categorized as mail users or groups and can be managed through directory synchronization, directly in the EAC, or via remote Windows PowerShell. If you're managing your recipients on-premises, you must run directory synchronization in order for your mail recipients to be reflected in the EAC. Users managed solely in the Microsoft 365 admin center aren't viewable in the EAC, but they can be added to or removed from membership in an administrator role group in the EAC. For more information about recipients in EOP, see Recipients in EOP.

Admin role group permissions

In EOP, you can configure administrative roles only. Users can be added and removed from default admin role groups directly in the EAC. No RBAC customization is available. For more information, see Manage Admin Role Group Permissions in EOP.

Domain management

Managed domains are domains that are protected by EOP. Managed domains can be viewed and domain types can be edited in the EAC. Domain provisioning and management occurs in the Microsoft 365 admin center and changes are reflected in the EAC. For more information, see View or Edit Managed Domains in EOP.

Match subdomains

In EOP, you can enable mail flow to subdomains of a managed domain. For more information, see Enable Email Flow for Subdomains in EOP.

Directory Based Edge Blocking (DBEB)

The Directory Based Edge Blocking feature lets you reject messages for invalid recipients at the service network perimeter. DBEB lets admins add mail-enabled recipients to Microsoft and block all messages sent to email addresses that aren't present in Microsoft. If a message is sent to a valid email address present in Microsoft, the message continues through the rest of the service filtering layers (anti-malware, anti-spam, transport rules). If the address is not present, the service blocks the message before filtering even occurs, and a non-delivery report (NDR) is sent to the sender informing them that their message was not delivered.

Enabling DBEB requires some user and domain configuration. For more information, see Use Directory Based Edge Blocking to Reject Messages Sent to Invalid Recipients.

Feature availability

To view feature availability across plans, standalone options, and on-premises solutions, see Exchange Online Protection service description.