The Office 365 security ladder from EOP to Microsoft Defender for Office 365
Important

Learn the details on these pages: Exchange Online Protection, and Defender for Office 365.

At first glance, it can be difficult to tell what advantage adding a Microsoft Defender for Office 365 plan offers over pure EOP threat management. To help sort out if an upgrade path is right for your organization, let’s look at the capabilities of each product when it comes to:

preventing and detecting threats
investigating
responding
starting with Exchange Online Protection:

TABLE 2
Prevent/Detect:
    Technologies include:
    spam
    phish
    malware
    bulk mail
    spoof intelligence
    impersonation detection
    Admin Quarantine
    Admin and user submissions of False Positives and False Negatives
    Allow/Block for URLs and Files
    Reports
Investigate:
    Audit log search
    Message Trace
Respond:
    Zero-hour auto purge (ZAP)
    Refinement and testing of Allow and Block lists

If you want to dig in to EOP, jump to this article.

Because these products are cumulative, if you evaluate Microsoft Defender for Office 365 P1 and decide to subscribe to it, you’ll add these abilities.

Gains with Defender for Office 365, Plan 1 (to date):

TABLE 3
Prevent/Detect:
    Technologies include everything in EOP plus:
    Safe attachments
    Safe links
    Microsoft Defender for Office 365 protection for workloads (ex. SharePoint Online, Teams, OneDrive for Business)
    Time-of-click protection in email, Office clients, and Teams
    anti-phishing in Defender for Office 365
    User and domain impersonation protection
    Alerts, and SIEM integration API for alerts
Investigate:
    SIEM integration API for detections
    Real-time detections tool
    URL trace
Respond:
    Same

So, Microsoft Defender for Office 365 P1 expands on the prevention side of the house, and adds extra forms of detection.

Microsoft Defender for Office 365 P1 also adds Real-time detections for investigations. This threat hunting tool’s name is in bold because having it is a clear means of knowing you have Defender for Office 365 P1. It doesn’t appear in Defender for Office 365 P2.

Gains with Defender for Office 365, Plan 2 (to date):

TABLE 4
Prevent/Detect:
    Technologies include everything in EOP, and Microsoft Defender for Office 365 P1 plus:
    Same
Investigate:
    Threat Explorer
    Threat Trackers
    Campaign views
Respond:
    Automated Investigation and Response (AIR)
    AIR from Threat Explorer
    AIR for compromised users
    SIEM Integration API for Automated Investigations

So, Microsoft Defender for Office 365 P2 expands on the investigation and response side of the house, and adds a new hunting strength: automation.

In Microsoft Defender for Office 365 P2, the primary hunting tool is called Threat Explorer rather than Real-time detections. If you see Threat Explorer when you navigate to the Microsoft 365 Defender portal, you’re in Microsoft Defender for Office 365 P2.

To get into the details of Microsoft Defender for Office 365 P1 and P2, jump to this article.

Tip

EOP and Microsoft Defender for Office 365 are also different when it comes to end-users. In EOP and Defender for Office 365 P1, the focus is awareness, and so those two services include the Report message Outlook add-in so users can report emails they find suspicious, for further analysis.

In Defender for Office 365 P2 (which contains everything in EOP and P1), the focus shifts to further training for end-users, and so the Security Operations Center has access to a powerful Threat Simulator tool, and the end-user metrics it provides.

Microsoft Defender for Office 365 Plan 1 vs. Plan 2 cheat sheet
This quick reference will help you understand what capabilities come with each Microsoft Defender for Office 365 subscription. When combined with your knowledge of EOP features, it can help business decision makers determine which Microsoft Defender for Office 365 plan is best for their needs.

MICROSOFT DEFENDER FOR OFFICE 365 PLAN 1 VS. PLAN 2 CHEAT SHEET
Defender for Office 365 Plan 1:
    Configuration, protection, and detection capabilities:
    Safe Attachments
    Safe Links
    Safe Attachments for SharePoint, OneDrive, and Microsoft Teams
    Anti-phishing protection in Defender for Office 365
    Real-time detections
Defender for Office 365 Plan 2:
    Defender for Office 365 Plan 1 capabilities, plus
    Automation, investigation, remediation, and education capabilities:
    Threat Trackers
    Threat Explorer
    Automated investigation and response
    Attack simulation training

Microsoft Defender for Office 365 Plan 2 is included in Office 365 E5, Office 365 A5, and Microsoft 365 E5.

Microsoft Defender for Office 365 Plan 1 is included in Microsoft 365 Business Premium.

Microsoft Defender for Office 365 Plan 1 and Defender for Office 365 Plan 2 are each available as an add-on for certain subscriptions. To learn more, see Feature availability across Microsoft Defender for Office 365 plans.

The Safe Documents feature is only available to users with the Microsoft 365 E5 or Microsoft 365 E5 Security licenses (not included in Microsoft Defender for Office 365 plans).

If your current subscription doesn’t include Microsoft Defender for Office 365 and you want it, contact sales to start a trial, and find out how Microsoft Defender for Office 365 can work for your organization.

Tip

Insider tip. You can use the docs.microsoft.com table of contents to learn about EOP and Microsoft Defender for Office 365. Navigate back to this page, Office 365 Security overview, and you’ll notice that table of contents organization in the side-bar. It begins with Deployment (including migration) and then continues into prevention, detection, investigation, and response.

This structure is divided so that Security Administration topics are followed by Security Operations topics. If you’re a new member of either job role, use the link in this tip, and your knowledge of the table of contents, to help learn the space. Remember to use feedback links and rate articles as you go. Feedback helps us improve what we offer you.

Where to go next
If you’re a Security Admin, you may need to configure DKIM or DMARC for your mail. You may want to roll out ‘Strict’ security presets for your priority users, or look for what’s new in the product. Or if you’re with Security Ops, you may want to leverage Real-time detections or Threat Explorer to investigate and respond, or train end-user detection with Attack Simulator. Either way, here are some additional recommendations for what to look at next.

Email Authentication, including SPF, DKIM, and DMARC (with links to setup of all three)

See the specific recommended ‘golden’ configs and use their recommended presets to configure security policies quickly

Catch up on what’s new in Microsoft Defender for Office 365 (including EOP developments)

Use Threat Explorer or Real-time detections

Use Attack simulation training