Defender for Office 365 Plan 1 Is Coming to M365 E3
If you manage Exchange Online for an E3 tenant, you are getting more bang for your buck. Microsoft has started rolling out Defender for Office 365 (MDO) Plan 1 to Microsoft 365 E3/G3 and Office 365 E3/G3 licenses, with completion expected by August 2026. This doesn’t requiere any purchase, or separate provisioning, it just show up automatically for licensed users as the rollout reaches your tenant.
What you had vs. what you’re getting
Up to now, E3 mailboxes were protected by Exchange Online Protection (EOP) — spam filtering, basic anti-malware, and standard anti-phishing. That’s table stakes, and it stays in place.
| Capability | EOP (already in E3) | New with MDO Plan 1 | Still requires Plan 2 |
|---|---|---|---|
| Spam / bulk mail filtering | ✅ | — | — |
| Signature-based anti-malware | ✅ | — | — |
| Basic anti-phishing / spoof intelligence | ✅ | — | — |
| Safe Links (time-of-click URL scanning, Teams + Office docs) | — | ✅ | — |
| Safe Attachments (sandbox detonation, incl. SharePoint/OneDrive/Teams) | — | ✅ | — |
| Zero-day malware protection | — | ✅ | — |
| Real-time detections reporting | — | ✅ | — |
| Anti-phishing enhancements (impersonation insight, mailbox intelligence) | — | Partial | ✅ Full |
| Attack Simulation Training | — | — | ✅ |
| Automated Investigation and Response (AIR) | — | — | ✅ |
| Threat Explorer / advanced hunting | — | — | ✅ |
The SOC-facing tooling like simulation, automation or hunting stays E5-exclusive or a Plan 2 add-on. What you’re getting is the prevention layer, not the investigation layer.
Why this matters for you
Because protections turn on automatically, this isn’t a “review when convenient” item but closer to an unannounced policy change landing in your tenant. A few things worth checking now, before it hits:
- Preset security policies: if you’re not already on Standard or Strict preset policies, now’s the time to evaluate them rather than let default settings apply blind.
- Mail flow impact: Safe Links rewriting and Safe Attachments detonation can introduce latency or interact with existing transport rules; review connectors and any third-party security layers (Cisco SES, Mimecast, Proofpoint, etc.) for redundancy or conflict.
- End-user experience: clicked-link warning pages and quarantine notifications are new touchpoints; a short heads-up to your user base avoids a spike in help desk tickets.
- Exclusions: if you have legitimate reasons to exempt certain users or domains, build those into custom policies now rather than reactively.
The takeaway
For E3 tenants currently relying solely on EOP or paying for a third-party bolt-on, this is a meaningful entitlement bump at no extra licensing cost. The catch is timing: because it auto-enables, your window to shape how it behaves in your environment is now — before rollout reaches your tenant, not after users start asking why a link got blocked.
If you’re running E3 today, this is worth treating as a mini-project or a checkup: confirm your current mail flow baseline, decide on Standard vs. Strict, and document exclusions before the toggle flips for you automatically.
Sources
Microsoft Defender for Office 365 Plan 1 is now rolling out to Microsoft 365 E3 and Office 365 E3