Setup and configure Microsoft Defender for Office 365 : Step by step guide

I – What is Microsoft Defender for Office 365 ?

Microsoft Defender for Office 365 (formerly known as Office 365 Advanced Threat Protection – ATP) is a cloud security service that is part of the Microsoft 365 suite, designed to protect Office 365 environments against cyber threats such as malware, phishing, zero-day attacks, and account compromise campaigns. It integrates advanced protection, detection, response and remediation features for e-mail, SharePoint, OneDrive, and Teams.


II – Key features :

1 – Email protection :
  • Safe Attachments : Scans e-mail attachments to detect and block malware and zero-day attacks before they are delivered to users.
  • Safe Links : Analyzes links in e-mails and documents in real time to ensure that they are not malicious the moment the user clicks on them.
  • Anti-phishing : Identifies and blocks phishing attacks, including those that imitate trusted addresses or attempt to impersonate senders.
  • Anti-spoofing : Protects against identity theft attempts by analyzing behavior and blocking malicious senders.
2 – Protection for collaborative applications :
  • OneDrive and SharePoint : Checks files uploaded to OneDrive and SharePoint for malicious content.
  • Teams : Analyzes files shared in Teams conversations to prevent malware distribution.
3 – Automated Investigation and Response (AIR) :
  • Automated Incident Response : When threats are detected, the system can automatically respond by isolating malicious e-mails, alerting administrators and taking corrective action.
  • Threat Explorer : A tool that enables administrators to view and investigate threats and security incidents in their environment.
4 – Advanced detection and remediation :
  • Real-time Threat Detection : Provides real-time monitoring to identify and block threats.
  • Attack Simulation : In version P2, companies can simulate phishing attacks to assess employee resilience and improve security training.
  • Post-breach Detection : post-intrusion analysis to identify threats that may have bypassed initial defenses.
5 – Reporting and analysis :
  • Detailed reporting : Dashboards provide information on detected threats, the performance of protection policies, and attack trends.
  • Threat Trackers : Track the evolution of global and local threats, and anticipate attacks based on current trends.
6 – Attack Simulations (available in P2) :
  • Allows you to create phishing and other attack simulation campaigns to test user awareness of cybersecurity.

III – Licensing :

Microsoft Defender for Office 365 is available in two main versions:

  • Microsoft Defender for Office 365 P1 : Provides protection against basic threats, including Safe Attachments, Safe Links, and anti-phishing tools.
  • Microsoft Defender for Office 365 P2 : Adds advanced features such as automated investigation, incident response, threat hunting, attack simulations, and post-compromise management.

Here is a diagram describing the types of license required for each plan :

  • Here is the pricing of Microsoft Defender for Office 365 Standalone License (You can check updated pricing from this link : Microsoft)

IV – Microsoft Defender for Office 365 P1 vs P2 Comparison:

1 – Real-time Protection :
2 – Detection and Investigation :
3 – Administration and Configuration :
4 – Training and Simulation :
5 – Response and Remediation :
6 – Integrations :
7 – Reports and Analytics :

V – Prerequisites :

  1. Appropriate license.
  2. Exchange Online administrator role or global administrator role.

VI – Setup Microsoft Defender for Office 365

There are two ways to configure Microsoft Defender for Office 365 :

  1. Using Preset Security Policies
  2. Granular configuration of individual policies

In my opinion, a system administrator should configure Microsoft Defender for Office 365 policies themselves for several reasons. Firstly, granular configuration allows security policies to be tailored to the specific needs of the organization, offering more targeted and effective protection against threats. Predefined policies may not cover all the specifics of a company’s environment, while custom configuration allows unique factors such as sensitive data types, user behaviors and compliance requirements to be taken into account. What’s more, by manually configuring policies, an administrator can adjust settings in line with evolving threats and new vulnerabilities, ensuring continuous, up-to-date protection.

1 – Create Quarantine Policy :

Creating an email quarantine policy in Microsoft 365 Exchange Online is essential for strengthening email security and management. These policies enable potentially dangerous messages, such as emails containing malware or phishing attempts, to be filtered and managed by quarantining them before they reach end users. They also give administrators granular control over the actions users can perform on these messages, such as viewing, releasing or deleting them. In general, quarantine policies help reduce false positives and maintain compliance with the organization’s security policies, while ensuring traceability and auditing of actions performed on quarantined messages.

So we’ll create a Quarantine Policy, let’s get started :

  1. Go to Microsoft Defender Portal : https://security.microsoft.com/
  2. Select “Email & collaboration” from the left hand menu bar
  3. Select “Policies & rules”
  4. Select “Quarantine Policy”
  • Select “Add custom policy”
  • Give a name to your Policy
  • Select the “Recipient message access” type (Limited access, or specify the access you want to give to users). In my case I select “Limited access”.
  • Select “Enable” quarantine notification.
  • Click “Submit”

After creating the Quarantine Policy (highlighted in yellow), we will check the global Quarantine settings :

  1. Select “Global Settings”
  2. Add “Sender display name”
  3. Specify Sender Address (the address that will be used to send notifications)
  4. Specify “Subject”
  5. Choose message language
  6. Use company logo (Optional but I want to use this option for email credibility)
  7. Specify notification cycle (Daily or Every 4 hours)
  8. Click “Save” to save changes.
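The same quarantine policy and global notification settings, as an added example in Exchange Online PowerShell (this is not code from the original article). It assumes the ExchangeOnlineManagement module is installed, the signed-in account holds the Exchange Online administrator or global administrator role, and every policy name and mail address below is a placeholder. Cmdlet and parameter names are as documented for the module; confirm them with `Get-Help New-QuarantinePolicy -Full` and `Get-Help Set-QuarantinePolicy -Full` against your module version before running.

```powershell
# Added example (not from the original article): create the "Limited access" quarantine
# policy and set the global quarantine notification settings from the steps above.
# Assumptions: ExchangeOnlineManagement module installed; Exchange Online admin role;
# all names and addresses are placeholders.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com   # placeholder account

# EndUserQuarantinePermissionsValue is the decimal form of a permission bit field:
# BlockSender = 16, RequestRelease = 8, Release = 4, Preview = 2, Delete = 1.
# "Limited access" = 16 + 8 + 2 + 1 = 27: the user may ask for a release but cannot
# release the message. "Full access" would be 16 + 4 + 2 + 1 = 23.
$quarantine = @{
    Name                              = "Limited-Access-Quarantine"   # placeholder name
    EndUserQuarantinePermissionsValue = 27
    ESNEnabled                        = $true   # send quarantine notifications to recipients
}
New-QuarantinePolicy @quarantine

# Global settings (the "Global Settings" page in the portal). DefaultGlobalTag is the
# identity of the tenant-wide settings object. The custom From address must be a mailbox
# in the tenant; the frequency accepts only 04:00:00, 1.00:00:00 or 7.00:00:00.
$globalSettings = @{
    Identity                                 = "DefaultGlobalTag"
    MultiLanguageSetting                     = "English"
    MultiLanguageSenderName                  = "Contoso Security Team"            # sender display name
    MultiLanguageCustomDisclaimer            = "Questions? Contact the IT help desk."
    EsnCustomSubject                         = "Contoso quarantine notification"  # subject
    EndUserSpamNotificationCustomFromAddress = "quarantine@contoso.com"           # sender address
    OrganizationBrandingEnabled              = $true                              # company logo
    EndUserSpamNotificationFrequency         = "1.00:00:00"                       # daily
}
Set-QuarantinePolicy @globalSettings

# Check: the service decodes 27 back into the named permissions, which should read as
# block sender, request release, preview and delete, with no direct release right.
Get-QuarantinePolicy -Identity $quarantine.Name |
    Format-List Name, EndUserQuarantinePermissions, ESNEnabled
Get-QuarantinePolicy -Identity DefaultGlobalTag |
    Format-List EndUserSpamNotificationFrequency, EndUserSpamNotificationCustomFromAddress, OrganizationBrandingEnabled
```

Keeping users on "request release" rather than "release" is the setting that makes the policy a control: a recipient cannot pull a quarantined phishing message into their inbox without an administrator approving it, and every approval is logged.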

2 – Create Anti-Phishing Policy :

Creating an anti-phishing policy is crucial to protecting sensitive information and company resources from cyberattacks.

Phishing is a common method used by cybercriminals to trick employees into divulging confidential information, such as passwords or financial data.

A well-defined anti-phishing policy makes employees aware of the various phishing techniques, teaches them to recognize the signs of a phishing attempt, and provides them with clear guidelines on how to react in the event of suspicion. By reinforcing vigilance and establishing security protocols, such a policy helps to reduce the risk of data compromise and maintain the company’s integrity and reputation.

So, let’s get started :

  1. Go to Security admin center : https://security.microsoft.com/
  2. Select “Email & Collaboration” menu.
  3. Select “Policies & rules”
  4. Select “Threat policies”
  5. Select “Anti Phishing”
  • Click “Create”
  • Give a name to your Policy
  • Select the Users, Groups or Domains you want to protect (In my case, I select All domains)

In this window, you configure the detection threshold and anti-phishing protection settings in Microsoft Defender for Office 365. Here’s a description of the various options:

1. Phishing Email Threshold

This slider lets you set the sensitivity level of phishing detection, with values from 1 to 4:

  • 1 : Lowest sensitivity level, where only e-mails strongly suspected of phishing are flagged.
  • 4 : Highest sensitivity level (“Most Aggressive”), where even e-mails with a low degree of phishing suspicion are treated as malicious.

By choosing a more aggressive level, more suspicious e-mails will be blocked or quarantined, but this can also lead to false positives.

2. Enable users to protect (0/350)

This option enables impersonation protection for up to 350 internal and external users. Protected users will be monitored to prevent impersonation attacks.

You can select the specific users to be protected using the protected senders management option (see below).

  • In this window I’ll add users likely to be used for identity theft (CFO, CEO, Sales Director…etc)
  • Add trusted senders and domains (0) : You can add trusted senders and domains so that they are not flagged as impersonation attacks.
  • Enable mailbox intelligence (recommended) : This option uses artificial intelligence to learn each user’s e-mail contact patterns and detect impersonation attempts.
  • Enable intelligence for impersonation protection (recommended) : This option provides enhanced impersonation results based on each user’s individual sender map.
  • Specify the action for each protection (what happens to a message detected as impersonation or spoofing) :
  • Click “Submit”
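The anti-phishing policy described above, as an added example in Exchange Online PowerShell (not code from the original article). It assumes `Connect-ExchangeOnline` has already been run, that a quarantine policy named "Limited-Access-Quarantine" exists in the tenant, and that all names, addresses and domains are placeholders. Parameter names are as documented for `New-AntiPhishPolicy`; confirm with `Get-Help New-AntiPhishPolicy -Full` before running.

```powershell
# Added example (not from the original article): anti-phishing policy with impersonation
# protection, mailbox intelligence, spoof intelligence and per-protection actions.
# Assumptions: Connect-ExchangeOnline already run; quarantine policy name exists;
# every user, domain and policy name below is a placeholder.
$quarantineTag = "Limited-Access-Quarantine"

# Accounts most likely to be impersonated (executives, finance). Format: "Display name;address".
$protectedUsers = @(
    "Jane Doe;jane.doe@contoso.com",      # CEO
    "John Smith;john.smith@contoso.com"   # CFO
)

$antiPhish = @{
    Name                                = "Corporate-AntiPhish"
    Enabled                             = $true
    PhishThresholdLevel                 = 2       # 1 = standard ... 4 = most aggressive
    # Impersonation protection
    EnableTargetedUserProtection        = $true
    TargetedUsersToProtect              = $protectedUsers
    EnableOrganizationDomainsProtection = $true   # all accepted domains of the tenant
    EnableTargetedDomainsProtection     = $true
    TargetedDomainsToProtect            = @("partner.example")
    ExcludedSenders                     = @("newsletter@trusted.example")   # trusted senders
    ExcludedDomains                     = @("trusted.example")              # trusted domains
    EnableMailboxIntelligence           = $true
    EnableMailboxIntelligenceProtection = $true
    # Actions per protection: quarantine high-confidence hits, junk the rest
    TargetedUserProtectionAction        = "Quarantine"
    TargetedUserQuarantineTag           = $quarantineTag
    TargetedDomainProtectionAction      = "Quarantine"
    TargetedDomainQuarantineTag         = $quarantineTag
    MailboxIntelligenceProtectionAction = "MoveToJmf"
    # Spoof intelligence (senders failing composite authentication)
    EnableSpoofIntelligence             = $true
    AuthenticationFailAction            = "MoveToJmf"
    SpoofQuarantineTag                  = $quarantineTag
    # Safety tips shown to users
    EnableFirstContactSafetyTips        = $true
    EnableSimilarUsersSafetyTips        = $true
    EnableSimilarDomainsSafetyTips      = $true
    EnableUnusualCharactersSafetyTips   = $true
}
New-AntiPhishPolicy @antiPhish

# A policy has no effect until a rule scopes it to recipients ("All domains" in the portal).
New-AntiPhishRule -Name "Corporate-AntiPhish-Rule" -AntiPhishPolicy $antiPhish.Name `
    -RecipientDomainIs (Get-AcceptedDomain).DomainName

# Check the result, including the sender list the impersonation engine will watch.
Get-AntiPhishPolicy -Identity $antiPhish.Name |
    Format-List PhishThresholdLevel, TargetedUsersToProtect, *ProtectionAction, *QuarantineTag
```

Start with threshold 2 and raise it only after reviewing the false-positive rate in Threat Explorer; every entry added to the trusted senders or domains lists is a permanent bypass of the impersonation checks, so keep those lists short and review them periodically.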

3 – Create Inbound anti-spam policy :

Creating an inbound anti-spam policy in Office 365 is essential for maintaining the security and efficiency of your organization’s email system. Such a policy helps to filter out unwanted and potentially harmful emails, reducing the risk of phishing attacks, malware, and other cyber threats. By blocking spam, you can ensure that employees spend less time dealing with junk mail and more time on productive tasks. Generally, a robust anti-spam policy helps protect sensitive information and maintain the integrity of your communication channels, ultimately safeguarding your organization’s reputation and data.

I’ve already written a detailed article on how to create an “Anti Spam Policy”, from this link :

Create and configure Inbound Anti-spam policy in Microsoft Office 365 | LinkedIn

4 – Create Anti-Malware Policy :

Creating an inbound anti-malware policy in Office 365 is vital for protecting your organization’s email system from malicious software. Such a policy helps to detect and block malware before it can reach your users’ inboxes, thereby preventing potential data breaches, system disruptions, and financial losses. By implementing this policy, you ensure that harmful attachments and links are filtered out, reducing the risk of infections that could compromise sensitive information. Generally, a strong anti-malware policy enhances overall cybersecurity posture, promotes a safer working environment, and helps maintain the trust and integrity of your organization’s digital communications.

So, let’s get started :

  1. Go to Security admin center : https://security.microsoft.com/
  2. Select “Email & Collaboration” menu.
  3. Select “Policies & rules”
  4. Select “Threat policies”
  5. Select “Anti Malware”
  • Click “Create”
  • Give a name to your Policy
  • Select the Users, Groups or Domains you want to protect (In my case, I select All domains)

In the Protection settings window :

  • Enable common attachments filter : This option enables filtering on a set of file types commonly used by malware. You can customize this list.
  • When these file types are detected : choose the action. Reject the message with a non-delivery report (NDR) : The message is returned to the sender with an error message indicating that it could not be delivered.
  • Quarantine message : The message is quarantined for later inspection by an administrator.
  • Enable automatic zero hour purge for malware (recommended) : This option automatically deletes messages infected by detected malware.
  • Quarantine policy : You can select an existing quarantine policy that will determine how quarantined messages are handled (retention time, who can release them, notifications, etc.).

Notifications

  • Notify an administrator about undelivered messages from internal servers : This option allows you to receive an e-mail notification when an internal message is blocked by the policy. In my case I added the System Ticket e-mail address to open a ticket automatically.
  • Notify an administrator about undelivered messages from external servers : The same applies to external messages.
  • Customize notifications : You can customize the text of notifications.
  • Click “Submit”
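The anti-malware policy above, as an added example in Exchange Online PowerShell (not code from the original article). It assumes `Connect-ExchangeOnline` has been run, that the quarantine policy "Limited-Access-Quarantine" exists, and that all names and addresses are placeholders. Parameter names are as documented for `New-MalwareFilterPolicy`; confirm with `Get-Help New-MalwareFilterPolicy -Full` before running.

```powershell
# Added example (not from the original article): anti-malware policy with the common
# attachments filter, zero-hour auto purge, admin notifications and custom notification text.
# Assumptions: Connect-ExchangeOnline already run; quarantine policy name exists;
# all policy names and mailboxes are placeholders.
$malware = @{
    Name                                   = "Corporate-AntiMalware"
    # Common attachments filter; omitting FileTypes keeps the service's default type list
    EnableFileFilter                       = $true
    FileTypeAction                         = "Quarantine"   # or "Reject" to return an NDR to the sender
    ZapEnabled                             = $true          # zero-hour auto purge of already-delivered malware
    QuarantineTag                          = "Limited-Access-Quarantine"
    # Admin notifications for undelivered messages; here a ticketing mailbox opens a ticket
    EnableInternalSenderAdminNotifications = $true
    InternalSenderAdminAddress             = "tickets@contoso.com"
    EnableExternalSenderAdminNotifications = $true
    ExternalSenderAdminAddress             = "tickets@contoso.com"
    # Customized text for those notifications
    CustomNotifications                    = $true
    CustomFromAddress                      = "security@contoso.com"
    CustomFromName                         = "Contoso Security"
    CustomInternalSubject                  = "Blocked: malware detected in an internal message"
    CustomInternalBody                     = "A message from an internal sender contained malware and was quarantined."
    CustomExternalSubject                  = "Blocked: malware detected in an inbound message"
    CustomExternalBody                     = "A message from an external sender contained malware and was quarantined."
}
New-MalwareFilterPolicy @malware

# Scope the policy to every accepted domain ("All domains" in the portal).
New-MalwareFilterRule -Name "Corporate-AntiMalware-Rule" -MalwareFilterPolicy $malware.Name `
    -RecipientDomainIs (Get-AcceptedDomain).DomainName

# Customizing the common attachments list: FileTypes replaces the whole list, so read the
# current list first and append to it rather than passing a short list of your own.
$currentTypes = (Get-MalwareFilterPolicy -Identity $malware.Name).FileTypes
Set-MalwareFilterPolicy -Identity $malware.Name -FileTypes ($currentTypes + "ps1")

# Check: filter on, action, ZAP, and that the appended type is present alongside the defaults.
Get-MalwareFilterPolicy -Identity $malware.Name |
    Format-List EnableFileFilter, FileTypeAction, ZapEnabled, QuarantineTag, FileTypes
```

"Quarantine" is usually the safer default over "Reject": a rejected message sends an NDR to whatever address was forged in the sender field, while a quarantined one stays available to the administrator for investigation and release.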

5 – Create Safe Attachments Policy :

Creating an inbound Safe Attachments policy in Office 365 is essential for protecting your organization from malicious files that can be sent via email. This policy ensures that all email attachments are scanned for malware and other threats before they reach users’ inboxes. By implementing Safe Attachments, you can prevent the spread of harmful software that could compromise sensitive data, disrupt operations, or cause financial damage. This policy helps to maintain a secure email environment, reducing the risk of cyberattacks and enhancing overall trust in your organization’s digital communications.

So let’s get started :

  1. Go to Security admin center : https://security.microsoft.com/
  2. Select “Email & Collaboration” menu.
  3. Select “Policies & rules”
  4. Select “Threat policies”
  5. Select “Safe Attachments”
  • Click “Create”
  • Give a name to your Policy
  • Select the Users, Groups or Domains you want to protect (In my case, I select All domains)

In this window you can select one of these options :

  • Off : This option disables Safe Attachments functionality. Attachments are not scanned for threats.
  • Monitor : With this option, attachments are scanned, but delivered to recipients without any blocking action. Administrators can monitor scan results to assess potential threats.
  • Block : This option blocks attachments detected as malicious. Users do not receive dangerous attachments, thus protecting the organization from threats.
  • Dynamic Delivery : Attachments are scanned in real time. During the scan, recipients receive the email without the attachment, which is replaced by a temporary link. Once the scan is complete, if the attachment is deemed safe, it is automatically reintegrated into the email.

These options enable administrators to choose the level of protection best suited to their organization’s needs.

I personally think the dynamic delivery option is the best choice.

  • Click “Submit”
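The Safe Attachments policy above with Dynamic Delivery, as an added example in Exchange Online PowerShell (not code from the original article). It assumes `Connect-ExchangeOnline` has been run, that the quarantine policy "Limited-Access-Quarantine" exists, and that names and addresses are placeholders. The `Set-AtpPolicyForO365` call, which switches on scanning for SharePoint, OneDrive and Teams files, is tenant-wide and separate from the mail policy. Confirm parameter names with `Get-Help New-SafeAttachmentPolicy -Full` before running.

```powershell
# Added example (not from the original article): Safe Attachments policy using Dynamic
# Delivery, plus the tenant-wide switch for SharePoint, OneDrive and Teams file scanning.
# Assumptions: Connect-ExchangeOnline already run; quarantine policy name exists;
# policy names and the redirect mailbox are placeholders.
$safeAttachments = @{
    Name            = "Corporate-SafeAttachments"
    Enable          = $true
    # Portal option -> Action value: Monitor = Allow, Block = Block, Dynamic Delivery = DynamicDelivery
    # (Off corresponds to Enable = $false)
    Action          = "DynamicDelivery"
    Redirect        = $true                 # also send detected attachments to a security mailbox
    RedirectAddress = "secops@contoso.com"
    QuarantineTag   = "Limited-Access-Quarantine"
}
New-SafeAttachmentPolicy @safeAttachments

# Scope the policy to every accepted domain ("All domains" in the portal).
New-SafeAttachmentRule -Name "Corporate-SafeAttachments-Rule" -SafeAttachmentPolicy $safeAttachments.Name `
    -RecipientDomainIs (Get-AcceptedDomain).DomainName

# Files uploaded to SharePoint, OneDrive and Teams are covered by a separate tenant-wide setting.
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

# Check both the mail policy and the collaboration-apps switch.
Get-SafeAttachmentPolicy -Identity $safeAttachments.Name |
    Format-List Enable, Action, Redirect, RedirectAddress, QuarantineTag
Get-AtpPolicyForO365 | Format-List EnableATPForSPOTeamsODB
```

Dynamic Delivery only applies to mailboxes hosted in Exchange Online; recipients on other mail systems covered by the same rule do not get the placeholder-then-reattach behaviour, so check where the protected mailboxes actually live before relying on it.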

6 – Create Safe Link Policy :

Creating an inbound Safe Links policy in Office 365 is crucial for protecting your organization from malicious URLs that can be embedded in emails. This policy helps to scan and verify links in real-time, ensuring that users are not exposed to phishing sites or malware when they click on a link. By implementing Safe Links, you can prevent cyberattacks that exploit deceptive URLs, thereby safeguarding sensitive information and maintaining the integrity of your network. This proactive measure enhances user confidence in email communications and contributes to a more secure and resilient digital environment for your organization.

So let’s get started :

  1. Go to Security admin center : https://security.microsoft.com/
  2. Select “Email & Collaboration” menu.
  3. Select “Policies & rules”
  4. Select “Threat policies”
  5. Select “Safe Links”
  • Click “Create”
  • Give a name to your Policy
  • Select the Users, Groups or Domains you want to protect (In my case, I select All domains)

In this window, you configure a Safe Links policy in Microsoft Defender for Office 365. The available options let you define how links in emails and other services are scanned and protected against threats.

Email section

  • On: Safe Links checks a list of known, malicious links when users click links in email : Enables Safe Links functionality to check links in email and detect malicious links every time they are clicked. URLs are rewritten to direct users to a security portal before allowing them to access the link.
  • Apply Safe Links to email messages sent within the organization : Apply Safe Links to internal e-mail messages. This also protects links in messages sent between users within the same organization, not just in incoming messages.
  • Apply real-time URL scanning for suspicious links and links that point to files : Apply real-time URL scanning for suspicious links and links that point to files. This adds a layer of protection for links that point to potentially malicious files.
  • Wait for URL scanning to complete before delivering the message : Delays email delivery until URL scanning is complete. Although this may cause a slight delay, it ensures that all links are scanned before being made available to users.
  • Do not rewrite URLs, do checks via Safe Links API only : Prevents URLs from being rewritten. Instead, Safe Links uses the API to check links without modifying them. This can be useful if you prefer the original URLs to remain visible to users.
  • Do not rewrite the following URLs in email : You can manage exceptions here by defining URLs that will not be rewritten, even if Safe Links is enabled. This allows you to exclude certain trusted links from being rewritten.

Teams section

  • On: Safe Links checks a list of known, malicious links when users click links in Microsoft Teams : Enables Safe Links protection for messages in Microsoft Teams. This checks links every time a user clicks on them, without rewriting them.

Office 365 Apps section

  • On: Safe Links checks a list of known, malicious links when users click links in Microsoft Office apps : Activate Safe Links to check links in Office applications (such as Word, Excel, etc.) every time a user clicks on a link, without rewriting them.

Click protection settings section

  • Track user clicks : Enables tracking of user clicks on links. This makes it possible to see which links are clicked and to obtain additional information for security reports and analysis.
  • Let users click through to the original URL : Allows users to continue to the original URL even if it is considered suspicious, after being warned. This option may be useful for advanced users who wish to ignore warnings.
  • Display the organization branding on notification and warning pages : Display your organization’s branding (such as logo) on Safe Links notification and warning pages. This reinforces user confidence in the security system by displaying the organization branding.

These settings allow you to customize the level of protection and user experience for each service. A well-balanced configuration can provide strong security while minimizing disruption to users.

  • You can specify your own notification text, or just keep the default text, then click “Next”
  • Click “Submit”
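The Safe Links policy above, with the Email, Teams, Office apps and click protection settings mapped to their parameters, as an added example in Exchange Online PowerShell (not code from the original article). It assumes `Connect-ExchangeOnline` has been run and that the policy name, the intranet URL and the notification text are placeholders. Parameter names are as documented for `New-SafeLinksPolicy`; confirm with `Get-Help New-SafeLinksPolicy -Full` before running.

```powershell
# Added example (not from the original article): Safe Links policy covering email, Teams,
# Office apps and click protection settings.
# Assumptions: Connect-ExchangeOnline already run; policy name, URL and text are placeholders.
$safeLinks = @{
    Name                       = "Corporate-SafeLinks"
    # Email section
    EnableSafeLinksForEmail    = $true
    EnableForInternalSenders   = $true    # also messages sent within the organization
    ScanUrls                   = $true    # real-time scanning of suspicious links and links to files
    DeliverMessageAfterScan    = $true    # wait for URL scanning to complete before delivery
    DisableUrlRewrite          = $false   # keep rewriting; $true = checks via the Safe Links API only
    DoNotRewriteUrls           = @("https://intranet.contoso.com/*")   # exception list, keep it short
    # Teams and Office 365 Apps sections
    EnableSafeLinksForTeams    = $true
    EnableSafeLinksForOffice   = $true
    # Click protection settings
    TrackClicks                = $true
    AllowClickThrough          = $false   # do not let users bypass the warning page
    EnableOrganizationBranding = $true
    CustomNotificationText     = "This link was blocked by Contoso IT Security. Contact the help desk if you need it."
}
New-SafeLinksPolicy @safeLinks

# Scope the policy to every accepted domain ("All domains" in the portal).
New-SafeLinksRule -Name "Corporate-SafeLinks-Rule" -SafeLinksPolicy $safeLinks.Name `
    -RecipientDomainIs (Get-AcceptedDomain).DomainName

# Check: every section's switch, the exception list and the click settings.
Get-SafeLinksPolicy -Identity $safeLinks.Name |
    Format-List EnableSafeLinksForEmail, EnableForInternalSenders, ScanUrls, DeliverMessageAfterScan,
                DisableUrlRewrite, DoNotRewriteUrls, EnableSafeLinksForTeams, EnableSafeLinksForOffice,
                TrackClicks, AllowClickThrough, EnableOrganizationBranding
```

Two settings deserve a second look after deployment: every entry in the "do not rewrite" list is also skipped at click time, so it should contain only URLs you control, and leaving click-through disabled is what keeps the warning page from becoming an "ignore" button; if a business case needs click-through, scope a separate policy to that group rather than loosening the default.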

VII – Conclusion :

In conclusion, configuring and setting up Microsoft Defender for Office 365 are crucial steps in strengthening the security of your digital environment. By following this step-by-step guide, you’ve learned how to deploy customized security policies that effectively protect against common threats such as phishing, malware and dangerous links. By adopting these proactive measures, you’re not only ensuring the protection of your organization’s sensitive data, but also helping to create a safer, more resilient working environment. As security is an ongoing process, it’s essential to remain vigilant and regularly update your policies to deal with new threats.

Thanks

Aymen EL JAZIRI (Microsoft MVP)

Hi, I’m Aymen El Jaziri , a passionate System Administrator and Microsoft MVP, with years of hands-on experience in managing and securing modern IT infrastructures.
This blog is where I share technical guides, automation scripts, product reviews, and real-world solutions that help IT professionals simplify their day-to-day work and stay ahead in a fast-evolving cloud ecosystem.
Whether you’re here to troubleshoot an issue, improve your automation game, or learn new best practices , welcome in my blog !
Let’s build a stronger, smarter IT community together.
Feel free to connect with me on LinkedIn for more content, discussions, or collaboration opportunities.
