Forum Discussion
Unexpected Microsoft Defender for Office 365 License Requirement for Shared Mailboxes
Good news: the broad "every shared mailbox and every user mailbox needs an MDO license" reading from mid-2025 was walked back. Microsoft revised the Defender for Office 365 service description and licensing terms in late October 2025. The rule is now the same "if a mailbox benefits from the protection, license it" logic that always applied to Plan 1, not a blanket tenant-wide requirement.
The current Defender service description lists exactly these scenarios that require an MDO license:
- Any user that accesses a mailbox that benefits from Defender for Office 365 protections.
- Shared mailboxes that benefit from Defender for Office 365 protections.
- If Safe Attachments for SharePoint/OneDrive/Teams is on, all users that access those.
- Any user that uses Microsoft 365 apps or Teams when Safe Links is enabled.
The key word is "benefits." MDO is enabled tenant-wide by default, so out of the box every mailbox (including shared) benefits and would need a license. But you are not forced to protect everything: the same doc states admins can scope MDO deployments to licensed users via the policy assignment capabilities. So in practice:
- Create custom-scoped MDO policies (anti-phishing, Safe Links, Safe Attachments) that target only the mailboxes that actually need protection.
- License only those. For shared mailboxes that usually means the ones actively receiving external mail worth protecting; scope the rest out.
- E5 / Office 365 E5 users already include MDO Plan 2, so they're covered. You only need to think about mailboxes and users not covered by an E5-type license, and only where they benefit.
So it isn't the automatic "$5 x every shared mailbox" bill the original reports implied. It's "license the mailboxes you choose to protect," and scoping the policies is how you keep that list (and the cost) small.
Source: Microsoft Defender service description, section "Licensing terms" for Defender for Office 365, plus "How can the service be applied only to users in the tenant who are licensed for the service?" (policy scoping):
https://learn.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-defender-service-description