Dhairyya_Agarwal Thank you for the reply, but can we still clarify? The DFO features are licensed by user and mailbox (see https://docs.microsoft.com/en-us/office365/servicedescriptions/office-365-advanced-threat-protection-service-description#licensing-terms) and there are environments with mixed licensing. In the settings it states that "Built-in protection is enabled only for paid Microsoft Defender for Office 365 tenants." and that it is not recommended to configure exclusions. Since Build-in protection is on by default, would this mean customers with paid DFO tenants can leave the baseline protection on for all users that are not covered by a license and a preset or custom policy? We also advise customers to license DFO for all users/mailboxes, but would it be required to turn baseline protection off for unlicensed accounts/mailboxes (aka scoping) or is it a real baseline protection for all unlicensed users (like Azure AD Security Defaults)?