Configurable impersonation protection and scope for Preset Security policies
Published May 17 2022 09:00 AM 14.6K Views

We're making enhancements to Microsoft Defender for Office 365 preset security policies (namely, Strict and Standard policies)!


Preset security policies allow customers to apply recommended settings to their environments in a simple, templatized fashion. To learn more about preset security policies, view our documentation here. The recommended settings that comprise preset security policy setting values are also available on Microsoft Docs.


Apply preset Strict and Standard security policies to all users of the entire organization

SecOps teams will now be able to apply the preset security policy to all users in the entire organization. It will no longer be cumbersome to select the individual users when you want to protect all the recipients of your organization (but you can still select specific recipients)!


Currently in preset security policies, you separately select the recipients who receive protection by Exchange Online Protection (EOP) features and the recipients who receive protection by Defender for Office 365 features. With these updates, you can still apply the protections to separate groups of recipients, but you will also be able to simply choose an option to apply the recipients from the EOP protections to the Defender for Office 365 protections.


Although we don’t recommend it, you’ll still be able to exclude specific recipients from receiving the protections in preset policies.


Figure 1. Preset Security PoliciesFigure 1. Preset Security Policies


Figure 2. Exchange Online Protection (all recipients)Figure 2. Exchange Online Protection (all recipients)


Figure 3. Defender for Office 365 (previously selected recipients/ all recipients)Figure 3. Defender for Office 365 (previously selected recipients/ all recipients)



Use preset security policies to configure impersonation protection sender and domain lists


In order to protect customers against impersonation attacks and provide stronger anti-phishing posture, preset security policies (Standard and Strict) will provide a way to configure the lists for targeted custom users and domains to protect in impersonation protection. Specific impersonation settings available in preset security policies are described here.



You’ll no longer need to disable preset security policies and create custom anti-phishing policies when all you want is Microsoft’s recommended settings and impersonation protection. This update will not only cover customers who are unknowingly missing out on impersonation protection of their key custom domains and senders, but also makes it easier for tenant admins and security operations teams to configure their anti-phishing settings using preset security policies without the need to explicitly use a custom policy.


Protected custom users

Add internal or external email addresses of top-level executives, board members, and other people in key roles who might be impersonated by attackers.


Figure 4. Impersonation protection - custom usersFigure 4. Impersonation protection - custom users


Protected custom domains

Add custom domains owned by your organization or domains that belong to your key suppliers and partners to be detected when impersonated by attackers.

Figure 5. Impersonation protection - custom domainsFigure 5. Impersonation protection - custom domains


Trusted senders and domains

List individual senders and all senders in entire domains that you wish to exclude from impersonation protection and never flag them as impersonation attack. These senders will still be subject to scanning by filters other than impersonation.

Figure 6. Impersonation protection - trusted senders and domainsFigure 6. Impersonation protection - trusted senders and domains


Additional information

With these enhancements, you will not be able to turn off the impersonation protection settings (for example, EnableTargetedUserProtection or EnableTargetedDomainsProtection).

Similarly, you still can’t modify the action that’s taken on messages detected as impersonation. See the actions here. (for example, TargetedUserProtectionAction, TargetedDomainProtectionAction). This behavior is similar to other protection settings in preset security policies that are currently enabled and can’t be modified. For more information, see here.


Impersonation protection applies to

With these latest enhancements, you’ll quickly and easily be able to use preset security policies with protection settings recommended by Microsoft.


Figure 7. Preset Security policy (Standard)Figure 7. Preset Security policy (Standard)


Check out these enhancements in your environment!

Well gradually roll out these capabilities starting between June and August 2022. Well communicate specific rollout dates for your tenant via Microsoft Message Center Posts. Stay tuned! We’re excited for you to try this out and give us your feedback.



Do you have questions or feedback about Microsoft Defender for Office 365? Engage with the community and Microsoft experts in the Defender for Office 365 forum.


Version history
Last update:
‎May 16 2022 01:01 PM
Updated by: