Defender for O365 User Impersonation


Hi Everyone,


When adding users to the Defender for O365 User Impersonation Anti-Phishing Policy, is there a reason why I should not add all users? It suggests only adding VIPs. Why would I not just add all users?

4 Replies



You can add them, 350 users per policy, but the suggestion states the below:

All policy recipients of the messages will benefit from this protection, but only inbound messages that impersonate one of the users on this list will be marked as “User Impersonation”. We recommend adding high priority executives (such as CEO, CFO) to this list and other priority accounts such as key human resources or finance stakeholders, as well as external board members, more frequently targeted in such attacks. 

So, it's related to the more targeted users of an organization.

It makes sense as most of the VIP users use their enterprise email accounts in social media or other applications so it's easier to find the email addresses. Also, most of the users choose to open email addresses from VIP groups without challenging the sender or the email body itself!

Hope it helps!




It is a give and take in terms of security. Btw, I would rate applying it to all users as whole-ecosystem protection.

Thanks for your help. Are you saying that it is sensible to apply this protection to all users?

Thanks for your help. I understand that Microsoft recommends applying the setting to VIP users. What I don't understand is why I wouldn't apply it to all users so everyone can benefit from the protection?