Microsoft Defender for Office 365 Plan 1 Is Now in E3: What You Actually Get
E3 has always had anti-spam, anti-malware, and Exchange Online Protection. What it has not had — until now — is the layer on top of that: the detonation chamber that opens suspicious attachments before they reach users, the time-of-click URL verification that catches links that were clean when they were sent but malicious when clicked, and the anti-phishing intelligence that looks beyond known signatures to detect impersonation and spoofing.
Microsoft is adding Defender for Office 365 Plan 1 to Office 365 E3 and Microsoft 365 E3 as part of the July 2026 licensing update. If you are already on E3 and paying for MDO Plan 1 as a separate add-on, that add-on becomes redundant from July 2026. If you have not had MDO Plan 1, you are getting a meaningful security layer — but only if you configure it.
Getting the licence is not the same as being protected. MDO Plan 1 ships with a Built-in Protection preset that provides a baseline — but it is minimal by design. This article covers what you are actually getting, what is different from Plan 2, what the Built-in Protection baseline does and does not cover, and the configuration you should apply before calling the deployment done.
What you are actually getting
MDO Plan 1 adds four distinct protection layers on top of Exchange Online Protection. Each one addresses a threat class that EOP's signature-based scanning does not fully cover.
Plan 1 vs Plan 2 — what you still do not have
MDO Plan 2 (included in M365 E5) builds on Plan 1 with tools aimed at security operations teams. If you are on E3 with the new Plan 1 inclusion, you have the protection layer — you do not have the investigation and response layer.
What Built-in Protection does — and does not do
When MDO Plan 1 is provisioned in a tenant, the Built-in Protection preset security policy activates automatically. It applies Safe Links and Safe Attachments protection to all recipients who are not already covered by a Standard, Strict, or custom policy. This is the baseline — it is active without any admin action.
But Built-in Protection is deliberately minimal. It is designed as a safety net for organisations that have not configured anything else, not as a production security posture. Specifically:
- Built-in Protection does not configure impersonation protection. Impersonation protection for users and domains is part of the anti-phishing policy scope in the Standard and Strict presets — it is not part of the Built-in baseline at all. You must apply a Standard, Strict, or custom anti-phishing policy to get this protection.
- Built-in Protection does not configure quarantine notification policies. Users will not receive notifications about quarantined messages unless you configure quarantine policies explicitly.
- Built-in Protection applies to users not covered by other policies. If you apply a Standard or Strict policy to all users, Built-in Protection becomes redundant for those users.
- Built-in Protection settings cannot be modified. To customise behaviour, you must create a Standard, Strict, or custom policy that overrides it.
What to configure after the licence is active
Three things to do immediately. In order of impact.
What Exchange Online Protection already covers
Understanding what EOP provides — and where it stops — helps you understand the gap that MDO Plan 1 fills. EOP is not basic protection. It is a mature, multi-layer filtering system that handles the overwhelming majority of email threats by volume.
- Anti-spam: Connection filtering, content filtering, backscatter protection, bulk mail handling. EOP blocks the vast majority of spam before it reaches mailboxes.
- Anti-malware: Multi-engine signature scanning of email attachments for known malware. Catches known threats — but not zero-day or polymorphic malware that changes signatures to evade detection.
- Spoof intelligence: Detects spoofed sender domains using DMARC, DKIM, and SPF alignment. Handles the most common spoofing patterns.
- Zero-hour auto purge (ZAP): Retrospectively removes messages from mailboxes after delivery if they are later identified as spam, phishing, or malware. ZAP for all three categories is part of EOP in organisations with cloud mailboxes. MDO Plan 1 adds stronger pre-delivery and time-of-click protection — not ZAP itself, which is already present.
What EOP does not cover: unknown/zero-day attachment threats (no detonation), time-of-click URL verification, impersonation detection beyond basic spoof checks, and real-time detection reporting. These are the gaps MDO Plan 1 closes.
If you already have MDO Plan 1 as a standalone add-on
If your E3 tenant is already protected by a separate MDO Plan 1 add-on licence, verify the following once the bundled version is confirmed active in your tenant:
- Do not remove the add-on before confirming the bundle is active. The bundled MDO Plan 1 rolls out with the July 2026 pricing update, but tenant provisioning timing may vary. Removing the standalone add-on before the bundle is confirmed active leaves users unprotected.
- Your existing policies are not affected. Safe Links, Safe Attachments, and anti-phishing policies are tenant-level configurations — they persist regardless of which licence is providing the entitlement. You do not need to reconfigure anything when transitioning from add-on to bundled.
- Remove the standalone add-on licence after confirming the bundle. Keeping both results in paying for the same capability twice. Verify in the Microsoft 365 admin center that MDO Plan 1 appears as an included feature of E3, then remove the standalone add-on.
Post-activation checklist
- Confirm MDO Plan 1 is active in the tenant. Check your licence assignment in the Microsoft 365 admin center to confirm the bundled MDO Plan 1 entitlement is active. Then validate in the Microsoft Defender portal (security.microsoft.com) that Defender for Office 365 threat policies are available and assignable. Verify after July 1, 2026 — rollout timing varies by tenant.
- Apply Standard preset security policy to all users. Threat policies → Preset security policies → Standard protection → assign to all users. This is the single highest-impact configuration action — it activates Safe Links, Safe Attachments, and anti-phishing with recommended settings in one step.
- Add impersonation protection for executives and key domains. In the anti-phishing policy, configure protected users (executives, IT admins, finance) and protected domains (your primary domain, partner domains). This is the most targeted defence against BEC attacks.
- Verify SPF, DKIM, and DMARC for all sending domains. Before enabling enforcement-mode anti-phishing, confirm email authentication is correctly configured for every domain. Use the Microsoft Defender portal → Email authentication settings, or check with an external DMARC analyser tool.
- Configure quarantine notifications for end users. Threat policies → Quarantine policies. Enable notifications so users receive alerts about quarantined messages. Keep admin-only access for malware quarantine — users cannot release these, but notifications reduce helpdesk tickets.
- Run the Configuration Analyzer and review gaps. Microsoft Defender portal → Email & Collaboration → Policies & Rules → Threat policies → Configuration analyzer. This tool compares your current policy settings against Standard and Strict recommendations and lists specific settings that need attention.
- If you had a standalone MDO Plan 1 add-on — remove it after confirming the bundle. Do not remove the standalone add-on until the bundled entitlement is confirmed active. Once confirmed, remove the add-on to avoid double-licensing. Existing policies are not affected by the licence change.
- If running a third-party email gateway — review your architecture. Running MDO enforcement-mode policies alongside a third-party gateway can create policy conflicts. Review routing, SCL overrides, and advanced delivery policies before enabling MDO in blocking mode.
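For the "Verify SPF, DKIM, and DMARC" checklist item, the Python below is an added example (not from the original article or from Microsoft) that evaluates SPF and DMARC TXT records you have already retrieved and lists what needs attention before moving to enforcement. The domain names and records are constructed samples, the function names are hypothetical, and DKIM is not checked here.

```python
# Added example: input is TXT data already fetched (e.g. with dig); samples are constructed.
M365_SPF_INCLUDE = "include:spf.protection.outlook.com"  # Microsoft 365's SPF include

def check_spf(txt_records):
    """Findings for the TXT records at the domain apex; empty list means no issue found."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:  # RFC 7208: more than one SPF record is a permanent error
        return ["no SPF record" if not spf else "multiple SPF records"]
    terms = spf[0].lower().split()
    findings = []
    if M365_SPF_INCLUDE not in terms:
        findings.append("SPF: Microsoft 365 include missing")
    if terms[-1] not in ("-all", "~all"):
        findings.append("SPF: record does not end in -all or ~all")
    return findings

def check_dmarc(txt_records):
    """Findings for the TXT records at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if r.replace(" ", "").lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        return ["no DMARC record" if not dmarc else "multiple DMARC records"]
    tags = {}
    for part in dmarc[0].split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip().lower()
    findings = []
    if tags.get("p") not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= tag")
    elif tags["p"] == "none":
        findings.append("DMARC: p=none is monitoring only")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address for aggregate reports")
    return findings

def audit(domains):
    """Map each domain to its findings; domains with no findings are omitted."""
    report = {d: check_spf(r.get("apex", [])) + check_dmarc(r.get("_dmarc", []))
              for d, r in domains.items()}
    return {d: f for d, f in report.items() if f}

# Constructed sample data for three hypothetical sending domains.
SAMPLE = {
    "contoso.example": {"apex": ["v=spf1 include:spf.protection.outlook.com -all"],
                        "_dmarc": ["v=DMARC1; p=reject; rua=mailto:dmarc@contoso.example"]},
    "news.contoso.example": {"apex": ["v=spf1 ip4:192.0.2.10 ?all"],
                             "_dmarc": ["v=DMARC1; p=none"]},
    "legacy.example": {"apex": ["MS=ms00000000"], "_dmarc": []},
}
```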