Microsoft Defender for Office 365: Fine-Tuning
Can you elaborate on that? We normally add all active users for impersonation protection. Does it mean not all of them are protected, or the policy would not work as expected?
Great question. Short version: the policy still works, and all users still get baseline anti-phishing, but the "Users to protect" list is a special VIP layer with a hard limit (around 350 names per policy), so it's not designed to hold every active user. If your org has more users than that, only the entries that actually fit in the list get that extra "VIP" user-impersonation treatment, while everyone else still benefits from domain impersonation, mailbox intelligence, and standard phishing detection. This is why Microsoft's own guidance is to reserve "Users to protect" for truly high-risk identities (executives, finance approvers, legal, etc.) instead of the whole directory. If your org has fewer than 350 users, there is nothing wrong with adding all your users to the "Users to protect" list unless they have common names.