Mastering Configuration in Defender for Office 365 - Part Three
Published Nov 01 2021 09:00 AM

This blog is the final installment of a three-part series detailing the journey we’re on to simplify configuration of threat protection capabilities in Office 365 to enable best-in-class protection for our customers.


In the previous blog in this series, we took a closer look at capabilities we have enabled to keep customers secure by addressing the legacy override problem. In this blog, we will share additional measures we are taking to prevent inadvertent gaps in protection coverage for your organization.

The Motivation: Inadvertent Configuration Gaps

As the threat landscape continues to evolve, Microsoft is focused on innovating and developing solutions to ensure users are protected. In email security, we regularly release new security controls and update existing controls that customers can enable, to keep their users secure.


However, we often find gaps in protection coverage within organizations. Some security controls are inadvertently overlooked, and as a result some or all users are left with incomplete protection. We have lots of great protection features available to customers in Microsoft Defender for Office 365 that we don’t want customers to miss out on. Not turning on these key protection features can lead to unintentionally allowing malicious messages, such as phishing messages, to be delivered to their inbox. And that in turn puts the organization at greater risk for breaches.


For this reason, we’ve been hard at work to help customers get and stay secure with maximal ease.

Introducing Built-In-Protection

A few months ago, we released preset security policies to make it easy for customers to get and stay secure on the latest policy recommendations for Defender for Office 365. To learn more about preset security policies, please check out our blog: Mastering Configuration Part One. All customers had to do was specify the users to associate with the right template, and the users would be protected with current and new protection layers.


Today, we’re making things even easier by introducing a powerful default security preset: Built-In-Protection in Defender for Office 365.


Built-In-Protection is a third preset security policy (like the Standard and Strict preset policies), but it’s enabled by default for all new and existing customers and requires no security admin action. It will implement a version of Safe Links and Safe Attachments that results in low impact on the end-user. The goal is to provide organizations with an immediate bump in protection across their tenants and to ensure all Defender for Office 365 customers have the protection they need without having to think about it.




Maximizing default protections, with low impact risk

Built-In-Protection enables time-of-delivery detonation of files and URLs. Given our goal to be low impact to end users while enabling these key protections, Safe Links URL wrapping will be disabled. We are also enabling Safe Links protections for Teams and Office clients (Word, Excel, PowerPoint) in Built-In-Protection. To learn more about Safe Links for Teams, please check out our blog: Announcing General Availability of Safe Links for Microsoft Teams. Built-In-Protection does not impact users who already have a Safe Links or Safe Attachments policy in place. This means that if a user is already covered under the Standard or Strict preset, or under an explicit custom policy, the built-in preset will have no impact on that user, because this policy has the lowest priority.

The text above has been edited to reflect changes to product functionality since these capabilities were announced in November 2021.


Policies will be applied in the following order of precedence:

  1. Strict
  2. Standard
  3. Custom
  4. Built-in-Protection or default

This also means that if additional domains are added to your tenant, they will be automatically protected through Built-In-Protection with a base level of Safe Links and Safe Attachments. This reduces the administrative burden and time involved in getting around to protecting these users, as they get instant protection under the Built-in preset.
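The order of precedence above can be modelled to find which mailboxes are covered only by the Built-In-Protection baseline. The following is an added example, not Microsoft code or a product API: the `Assignment` model, the sample addresses, and the "Excluded" label for mailboxes that are excepted from Built-In-Protection and matched by nothing else are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Order of precedence listed in the article: the lowest number wins.
PRECEDENCE = {"Strict": 1, "Standard": 2, "Custom": 3, "Built-in-Protection": 4}

@dataclass
class Assignment:
    """One policy and the recipients it is scoped to (hypothetical model)."""
    name: str
    tier: str                                   # a key of PRECEDENCE
    users: set = field(default_factory=set)     # explicit mailbox addresses
    domains: set = field(default_factory=set)   # recipient domains

    def matches(self, address: str) -> bool:
        address = address.lower()
        return address in self.users or address.rsplit("@", 1)[-1] in self.domains

def effective_tier(address, assignments, builtin_exceptions=frozenset()):
    """Return the tier that applies to one mailbox under the article's ordering."""
    tiers = [a.tier for a in assignments if a.matches(address)]
    if tiers:
        return min(tiers, key=PRECEDENCE.__getitem__)
    if address.lower() in builtin_exceptions:
        # Assumption: excepted from Built-In-Protection and in no other policy.
        return "Excluded"
    return "Built-in-Protection"

def coverage_report(mailboxes, assignments, builtin_exceptions=frozenset()):
    """Group mailboxes by effective tier so baseline-only users stand out."""
    report = {}
    for mailbox in mailboxes:
        tier = effective_tier(mailbox, assignments, builtin_exceptions)
        report.setdefault(tier, []).append(mailbox)
    return report

# Constructed sample tenant (not real data); fabrikam.example is a newly added domain.
ASSIGNMENTS = [
    Assignment("Strict Preset", "Strict", users={"cfo@contoso.example"}),
    Assignment("Standard Preset", "Standard", domains={"contoso.example"}),
    Assignment("Finance custom", "Custom",
               users={"cfo@contoso.example", "ap@contoso.example"}),
]
MAILBOXES = ["cfo@contoso.example", "ap@contoso.example",
             "new.hire@fabrikam.example", "scanner@fabrikam.example"]
EXCEPTIONS = frozenset({"scanner@fabrikam.example"})

if __name__ == "__main__":
    for tier, members in coverage_report(MAILBOXES, ASSIGNMENTS, EXCEPTIONS).items():
        print(f"{tier}: {', '.join(members)}")
```

Mailboxes reported under "Built-in-Protection" are the ones to review for a move to the Standard or Strict preset, and those under "Excluded" have been excepted from the baseline without any other policy matching them.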


The role of Built-In-Protection

Built-In-Protection is intended to address gaps in protection coverage. It also gives an immediate uplift in the default level of protection for unprotected users, by automatically turning on some powerful low-impact features. And that’s a great step in improving the overall security posture of the organization, while reducing the potential of a breach.


That said, we definitely want administrators to proceed (hopefully quickly) to adopt one of the other security presets. These other presets (standard and strict) include coverage of other security features that bolster the level of protection even more.

Rollout of Built-In-Protection

We will gradually roll out Built-In-Protection worldwide starting in November and through the end of this year. We will also release the option to configure exceptions in the Microsoft 365 Defender portal ahead of enabling the Built-In-Protection policy. Although we do not recommend it, we recognize the need for some organizations to exclude certain users or groups from Built-In-Protection and admins will have the opportunity to configure these exceptions. We will communicate specific rollout dates for your tenant via Microsoft Admin Message Center Posts. Stay tuned!



Do you have questions or feedback about Microsoft Defender for Office 365? Engage with the community and Microsoft experts in the Defender for Office 365 forum.


Last update: Aug 18 2022 02:14 PM