Set up Exchange Online Protection

What to expect.

  • Records. Configure the mail exchanger (MX) and Sender Policy Framework (SPF) records.
  • Connectors. Enable mail flow between EOP and your on-premises servers, configure inbound port 25 SMTP access, and configure outbound access using transport routing.
  • Connection filters. Set the default connection filter policy for your IP allowlist, IP blocklist, and safe list.
  • Security. Configure your antimalware policy, create spam filters for inbound and outbound mail, and set up your find-and-release quarantine rules.
  • Reports. Check the functionality of spam and malware policies, and report spam to Microsoft.
  • Additional features. Configure Advanced Threat Protection (ATP) and Data loss prevention (DLP).

Exchange Online Protection – What you need to know

More than 40% of all emails sent are spam or potentially harmful, such as phishing or malware. So, to keep our inboxes clean and our systems free of viruses, we need to filter incoming emails. And this needs to be done before the malicious email reaches our end users.

This is where Exchange Online Protection (EOP) comes in. EOP is the cloud-based mail filtering service from Microsoft 365. EOP is included in all Microsoft 365 plans that come with Exchange Online—and the good news is, it’s enabled by default.

So what exactly does EOP filter and how do you configure it? And what third-party options are available to protect your mail?

How does Exchange Online Protection work?

All incoming (and outgoing) mail is processed through EOP. All the mail undergoes four different steps to filter out any malicious mail that we don’t want to receive.

Connection Filtering

The first step is connection filtering. This will check the sender’s reputation, based on the sender’s IP address, to filter out most of the unwanted emails. You can use the connection filter in Exchange Online to block additional IP addresses.

Anti-Malware

The next step is to scan the emails for malware. EOP uses the anti-malware policy that we can configure in the security center to scan for potentially harmful messages and attachments and to quarantine those emails.

Mail flow rules

The mail is then processed through your mail flow rules. Mail flow rules can, for example, warn the recipient of potentially harmful messages based on keywords or block all attachments to the info mailbox.

Content Filtering

The last step is content filtering. Mail is evaluated based on the anti-spam and anti-phishing policies. Harmful messages are identified as spam, phishing, or spoofing with the appropriate confidence score.

You can configure what actions should be taken, such as quarantine, mark as junk mail, send an alert, etc., within the anti-spam and anti-phishing policies.

Setting up EOP

Securing your Office 365 tenant is important but often forgotten. To mitigate this, Microsoft has enabled many security features by default. This ensures that most Exchange Online environments are protected at a base level.

If you have a new tenant, then the best way to set up EOP is to start with one of the preset security policies:

  • Open the Microsoft 365 Security Center
  • Policies & Rules
  • Threat Policies
  • Preset Security Policies

  • Click Manage to enable the Standard Protection policies

  • You can test the policy on a select group of users or enable it for your entire domain. Type your domain name to apply the policy to the whole tenant and click Next.

  • If you have Defender for Office 365 (not included in every plan), then enable it as well for the entire domain.
  • Review your settings and click Confirm to apply the new policy.

Configuration Analyzer

If you don’t want to use the preset security policies, then another good starting point is the Configuration Analyzer. It identifies issues with your current policies and allows you to easily change/update your settings.

  • Select Policies & Rules > Threat Policies > Configuration analyzer
  • Choose between Standard and Strict recommendations
  • Select a recommendation either to view the policy or to apply it.

Filter common attachments

The preset policy is a good starting point, but we want to fine-tune the malware policy. You don’t want to receive emails with attachments that can contain malware, so we want to enable the common attachments filter.

This will filter out all emails with attachments like exe, docm (Word files with macros), reg, vbs, and more.

  • Open Policies & Rules > Threat Policies
  • Select Anti-Malware
  • Click on the Default Policy
  • Click Edit Protection Settings

  • Enable the common attachments filter
  • Click Customize file types

  • Enable the notifications for the recipient and internal sender. Make sure that you add a custom message to the recipient, about why the message is blocked.

  • Click Save to apply the changes to the policy.
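
The same setting can be audited from Exchange Online PowerShell. The script below is an added example, not part of the original article: `Get-AttachmentFilterGap` and the sample policy objects are constructed for illustration, and the baseline holds only the extensions named above (exe, docm, reg, vbs).

```powershell
# Added example. Baseline = the extensions this article names; extend it to match your own policy.
$Baseline = 'exe', 'docm', 'reg', 'vbs'

function Get-AttachmentFilterGap {
    # Hypothetical helper: reports, per anti-malware policy, whether the common
    # attachments filter is on and which baseline extensions it does not cover.
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$Policy,
        [string[]]$Required = $Baseline
    )
    process {
        # Normalise ".EXE" / "exe" style entries before comparing.
        $have    = @($Policy.FileTypes | ForEach-Object { "$_".TrimStart('.').ToLowerInvariant() })
        $missing = @($Required | Where-Object { $_ -notin $have })
        [pscustomobject]@{
            Policy        = $Policy.Name
            FilterEnabled = [bool]$Policy.EnableFileFilter
            Missing       = $missing
            # A disabled filter blocks nothing, whatever the extension list says.
            Compliant     = ([bool]$Policy.EnableFileFilter) -and ($missing.Count -eq 0)
        }
    }
}

# Constructed sample objects standing in for Get-MalwareFilterPolicy output.
$sample = @(
    [pscustomobject]@{ Name = 'Default'; EnableFileFilter = $false; FileTypes = @('exe', 'vbs') }
    [pscustomobject]@{ Name = 'Finance (constructed)'; EnableFileFilter = $true
                       FileTypes = @('exe', 'docm', 'reg', 'vbs', 'iso') }
)
$sample | Get-AttachmentFilterGap | Format-Table -AutoSize

# Against a live tenant (needs the ExchangeOnlineManagement module and an admin session):
#   Connect-ExchangeOnline
#   Get-MalwareFilterPolicy | Get-AttachmentFilterGap
#
# To remediate one policy, merge rather than overwrite: -FileTypes replaces the whole list.
#   $p = Get-MalwareFilterPolicy -Identity 'Default'
#   Set-MalwareFilterPolicy -Identity 'Default' -EnableFileFilter $true `
#       -FileTypes (@($p.FileTypes) + $Baseline | Select-Object -Unique)
```

Run the report again after changing a policy in the portal to confirm the filter is both enabled and covering the baseline.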

Mail flow rules allow you to apply specific rules to incoming or outgoing emails. For example, you can add a warning to potential phishing emails (based on words in the subject line or content) or warn users of potential impersonation emails.

Advanced Threat Protection

Exchange Online Protection offers good baseline protection for your mail. However, a lot of threats come from malicious links or unsafe attachments. Advanced Threat Protection (ATP) expands these security technologies and adds an extra detection tool.

ATP is part of the add-on Defender for Office 365 and is included in some Microsoft 365 plans, like Business Premium.

With Advanced Threat Protection, you get the following additional features to Exchange Online Protection.

Safe links offer extra protection against malicious links in emails. It scans the content of the email and rewrites all URLs so that they go through Office 365. This way, they can be examined in real-time when the user clicks on the link.

The user is warned not to visit the site when the link is unsafe, and sometimes even the site is blocked altogether.

Safe attachments

With EOP, we can block attachments based on the file extension. This offers some form of protection, but Word or PDF documents can also contain unsafe content. With the safe attachments feature in Defender for Office 365, all suspicious attachments go through a real-time malware scanner.

The attachment is scanned with the use of machine learning and behavioral malware analysis for suspicious activity. Unsafe attachments are sandboxed before they are sent to recipients. This gives you better zero-day threat protection.

Reporting helps you to get insight into who is being targeted and with what kind of threats. With reporting and the help of message trace, you can track blocked messages and see which malicious links in the message have been clicked.

Defender for Office 365 Alternative

Defender for Office 365 Plan 1 can really help bring your mail protection to the next level. But it does require additional licenses for most users, and you need to keep up to date with the configuration options.

Microsoft often releases new features that are not enabled by default on existing tenants. That means that you will need to keep track of the changes and enable new features yourself or make the required policy changes.

365 Total Protection Enterprise from Hornetsecurity offers a complete solution for only a fraction more per month. It not only reliably filters your email, but also offers tools like 10-Year Email Retention, Discovery, Email Signatures and Disclaimers, Archiving, and much more.

Another advantage of these kinds of tools is that they are managed for you when it comes to security. You don’t need to optimize the policies yourself or enable new features. They take care of it for you.

Wrapping Up

Keeping your mail free of phishing emails and malware is important. Successful phishing attempts can lead to ransomware infection—and we all know the severe consequences of a ransomware attack.

So make sure that you keep your Exchange Online Protection policies up to date and secure enough to filter out malicious emails. If you don’t want to worry about policies, then take a look at third-party alternatives, like 365 Total Protection.

Exchange Online Protection

Protect against spam and malware and maintain access to email during and after emergencies.

Exchange Online Protection is available with Exchange Online.

Starting from $1.00 (annual subscription, auto renews)

Get enterprise-class protection and reliability

Guard against spam and malware, maintain email access during and after emergencies, and simplify administration of messaging environments with help from Exchange Online Protection deployed across a global network of data centers.

Features included

Eliminate threats

Eliminate threats before they reach the corporate firewall with multilayered, real-time antispam, and multi-engine antimalware protection.

Protect your company's IP reputation by using separate outbound delivery pools for high-risk email.

Quality service

Five financially-backed SLAs attest to a high quality of service, including protection from 100% of known viruses and 99% of spam.

Reliability

Global network of redundant datacenters helps to ensure a 99.999% network uptime.

Exchange admin center

Manage and administer from the web-based Exchange admin center.

Near real-time reporting and message trace capabilities provide insight into email environments by retrieving the status of any message that Exchange Online Protection processes.

Content filtering

Active content, connection, and policy-based filtering enables compliance with corporate policies and government regulations.

IT-level phone support

IT-level phone support 24 hours a day, 7 days a week, 365 days a year at no additional cost.

No hardware required

Scheduled payments

Easy to maintain

Simplify IT environments by reducing the need for in-house email security servers and apps.

Easy to manage

Web and command line-based management makes it easy to get the most out of Exchange Online Protection features.

Easy deployment

Get up and running quickly with a simple DNS MX record change.

SMTP Relay with Office 365 - So Confusing!

I've lost count of how many guides I've read (Microsoft's, SpiceWorks users, Blogs)... and I still can't get this working! I definitely need some clarification on some things that MS says because I feel like they're contradicting themselves.

Current configuration

  • Hosted exchange for company.com domain
  • Internal SMTP relay servers configured to send to smarthosts that we use for all alerting applications, scanner emails, etc.
  • Office 365 subscriptions without Mail right now (this is being migrated).

Everything is working fine - if I need to send myself a message using a PS script, I can just use our internal SMTP relay and it works. I can specify anything@anything as the From - it just works. If we have 1000 things relaying email from inside to inside - that's not an issue.

After moving to Office 365 and migrating email we want to have the same functionality. On Microsoft's "How to set up a multifunction device or application to send email using Office 365" page it gives 3 options. We want to leverage the third because 1. that's how we're using it right now, 2. migration will be easier (I think.. was planning on using a CNAME of old SMTP pointing to new...) and 3. we may need to send external in the future.

So right now our MX records are still our hosted exchange ones so I can't change that (I know delivery to the Office 365 company.com inboxes won't work). We do however own a bunch of other domains that we're not using. I wanted to leverage one of these for a test. Here's what I've done so far.

1. Verified the domain in Office 365 portal - this is completed successfully

2. Created the connector for each SMTP Relay server (we have 2 sites) using the public external IP for each site as the identity verifier (according to above link document). I'm confused at the Port and Licensing aspect on that link. It says Port 25 is required yet on the SMTP Relay configuration it references 587 (will touch on that in a bit). With Licensing it says the following:

"SMTP relay doesn’t use a specific Office 365 mailbox to send email. This is why it’s important that only licensed users send email from devices or applications configured for SMTP relay. If you have senders using devices or LOB applications who don’t have an Office 365 mailbox license, obtain and assign an Exchange Online Protection license to each unlicensed sender. This is the least expensive license that allows you to send email via Office 365. "

I get parts of it - This does not need a mailbox, got it.

Only licensed users send email from devices or applications... Does this mean that if I have a multifunction device that can send email (say from [email protected] ), the person who goes up to the device and uses it needs to have a licensed account ( [email protected] has an Office 365 account licensed for all products). Even though the send from account is [email protected] .

But if [email protected] is doing some work at our company and uses the scanner, he doesn't have one of our company accounts but can manually use the scanner - he needs an "Exchange Online Protection" account (because it's the cheapest)? Did I get that right?

3. Using "How to configure IIS for relay with Office 365" I configured SMTP but found some inconsistencies. They indicate using SMTP.office365.com but on the first page it talks about using company-com.mail.protection.outlook.com. What's the correct one? Why would you use one over the other? In addition this configuration also talks about using a user account to relay these emails. Can I not use anonymous access? Does this user account need a mailbox? If so, why do they say it doesn't?

I think this is where I'm losing understanding - Also, I found other guides that say you need to also add your domain as a remote domain under the SMTP Domains. The MS guide doesn't talk about it.

So confused.

The furthest along I've gotten is mail gets processed by SMTP but gets stuck in Queue folder.

Author Marc Laflamme

Got it working finally. Turns out port 25 was NOT open.. facepalm... Anyway thanks for all the help!

Author Craig Austin

I'll touch on #2 for now -

You do not need a mailbox for the sending account, however, most SPAM filters check to see if the sender is valid and if that email address doesn't exist, it will fail SPAM checks.  You can avoid that by using a licensed account if you want or what I do is setup a shared mailbox (no license needed) for those and assign whatever SMTP addresses I want to that mailbox.

Even sending to internal recipients will be flagged as spam if that email address doesn't exist.  You can setup a transport rule to disable spam checks for those addresses if you wish.

Da_Schmoo wrote: I'll touch on #2 for now - You do not need a mailbox for the sending account, however, most SPAM filters check to see if the sender is valid and if that email address doesn't exist, it will fail SPAM checks.  You can avoid that by using a licensed account if you want or what I do is setup a shared mailbox (no license needed) for those and assign whatever SMTP addresses I want to that mailbox. Even sending to internal recipients will be flagged as spam if that email address doesn't exist.  You can setup a transport rule to disable spam checks for those addresses if you wish.

So what if I have a PS script that checks for xyz every morning and emails myself the results (from [email protected] ). Are you saying that I need to create an account for xyzscript even though it's sending through the relay?

You do not need to create an account but unless you put in a transport rule disabling spam checks, it will probably be marked as spam and will be delivered to your Junk folder.

Wow that sucks... I wonder how our hosted exchange is configured because I can send as anything and it comes through all the time. Okay that's good to know, thanks.

Author Evan 7191

When I set up SMTP relay through Office 365, I used option 3, because I needed the ability to send email to external clients.  I set up a mailbox with a license, and used its information to configure SMTP relay on one of our on-premises servers.  Then, I could point our multi-function copiers to the on-premises server for SMTP relay, and the server would send it through Office 365 as the mailbox that I created.

MarcLaflamme wrote: Wow that sucks... I wonder how our hosted exchange is configured because I can send as anything and it comes through all the time. Okay that's good to know, thanks.

All depends on what your spam filter is doing.  Most check to see if the email address is valid.  Don't know why it sucks - takes like two minutes to setup the rule.

Evan7191 wrote: When I set up SMTP relay through Office 365, I used option 3, because I needed the ability to send email to external clients.  I set up a mailbox with a license, and used its information to configure SMTP relay on one of our on-premises servers.  Then, I could point our multi-function copiers to the on-premises server for SMTP relay, and the server would send it through Office 365 as the mailbox that I created.

But does everything using the relay come from that one account? Or could you tell if it was copier A or copier B sending?

Da_Schmoo wrote: MarcLaflamme wrote: Wow that sucks... I wonder how our hosted exchange is configured because I can send as anything and it comes through all the time. Okay that's good to know, thanks.

I'm not familiar with Exchange in the least so I'm not sure if this rule is globally disabling spam checks or not or as an alternative I need to waste a license on everything using the relay. Both of these scenarios at first glance suck...Unless I'm really not understanding (which could quite possibly be the case).

You create a rule disabling spam checks for the email addresses you are using that don't have an account.  

If you plan on sending externally, your messages will almost surely be flagged as spam on the recipient end if the email address doesn't exist so in that case, create a shared mailbox (free) and assign all of the bogus addresses you use to that account so they will pass any possible spam checks the recipient does.

Da_Schmoo wrote: You create a rule disabling spam checks for the email addresses you are using that don't have an account.   If you plan on sending externally, your messages will almost surely be flagged as spam on the recipient end if the email address doesn't exist so in that case, create a shared mailbox (free) and assign all of the bogus addresses you use to that account so they will pass any possible spam checks the recipient does.

Ah okay I understand now, thanks for clearing it up. Most of these would be sent internally only but creating the rules for each email address shouldn't be too difficult. Will keep the shared mailbox solution in mind.

Author Jonathan Yergo

So using authenticated SMTP with a license account gives you easier setup and the ability to use an encrypted connection.

The SMTP relay requires setting up a connector that authorizes any public IPs from which the message will originate, so your office, for example. Static public IPs are certainly recommended.

As for the spam aspect of the relay, messages will get flagged as spam because mail servers will think you're spoofing the email address. To combat this, simply add the public IPs you are sending mail from (and should also be added to the connector) to your SPF record. This way, when a spam check takes place, it will see that your office IP is authorized to send a message with your domain and will let it through.
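
Added example, not part of the original thread: a PowerShell check of whether a relay's public IP is covered by the `ip4` mechanisms of an SPF record, as the post above recommends. The record and addresses are constructed (documentation ranges), the function names are hypothetical, and `include:` targets are listed rather than resolved.

```powershell
# Added example. Evaluates only the ip4 and all mechanisms of an SPF record.
function ConvertTo-IPv4Number {
    param([Parameter(Mandatory)][string]$Address)
    $parsed = [System.Net.IPAddress]::Parse($Address)
    if ($parsed.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        throw "Not an IPv4 address: $Address"
    }
    $n = [long]0
    foreach ($b in $parsed.GetAddressBytes()) { $n = $n * 256 + $b }
    return $n
}

function Test-SpfIp4 {
    param(
        [Parameter(Mandatory)][string]$SpfRecord,
        [Parameter(Mandatory)][string]$SenderIp
    )
    $results  = @{ '+' = 'pass'; '-' = 'fail'; '~' = 'softfail'; '?' = 'neutral' }
    $ip       = ConvertTo-IPv4Number $SenderIp
    $includes = @()
    $terms    = $SpfRecord.Trim() -split '\s+'
    if ($terms[0] -ne 'v=spf1') { throw "Not an SPF record: $SpfRecord" }

    # Mechanisms are evaluated left to right; the first match decides the result.
    foreach ($term in ($terms | Select-Object -Skip 1)) {
        # A leading +, -, ~ or ? is the qualifier; the default is + (pass).
        $qualifier = '+'
        if ($results.ContainsKey($term.Substring(0, 1))) {
            $qualifier = $term.Substring(0, 1)
            $term      = $term.Substring(1)
        }
        $matched = $false
        if ($term -like 'ip4:*') {
            $network, $prefix = $term.Substring(4) -split '/', 2
            if (-not $prefix) { $prefix = 32 }
            # Two addresses share a network when they agree after dropping the host bits.
            $hostSpan = [math]::Pow(2, 32 - [int]$prefix)
            $matched  = [math]::Floor($ip / $hostSpan) -eq
                        [math]::Floor((ConvertTo-IPv4Number $network) / $hostSpan)
        }
        elseif ($term -like 'include:*') { $includes += $term.Substring(8) }
        elseif ($term -eq 'all')         { $matched = $true }

        if ($matched) {
            return [pscustomobject]@{
                SenderIp           = $SenderIp
                Result             = $results[$qualifier]
                MatchedTerm        = $term
                # Includes skipped before the match could still authorize the IP.
                UnresolvedIncludes = $includes
            }
        }
    }
    # Nothing matched and the record has no "all": RFC 7208 treats this as neutral.
    [pscustomobject]@{ SenderIp = $SenderIp; Result = 'neutral'
                       MatchedTerm = $null; UnresolvedIncludes = $includes }
}

# Constructed record: two site egress addresses plus the Microsoft 365 include.
$record = 'v=spf1 ip4:203.0.113.10 ip4:198.51.100.0/24 include:spf.protection.outlook.com -all'
'203.0.113.10', '198.51.100.77', '192.0.2.5' |
    ForEach-Object { Test-SpfIp4 -SpfRecord $record -SenderIp $_ } |
    Format-Table -AutoSize
```

A `fail` on `all` with a non-empty `UnresolvedIncludes` column means the address is not listed directly; it is authorized only if one of the included records covers it.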

MarcLaflamme wrote: Evan7191 wrote: When I set up SMTP relay through Office 365, I used option 3, because I needed the ability to send email to external clients.  I set up a mailbox with a license, and used its information to configure SMTP relay on one of our on-premises servers.  Then, I could point our multi-function copiers to the on-premises server for SMTP relay, and the server would send it through Office 365 as the mailbox that I created.

Yes and no.  Everything relayed through that mailbox comes from that mailbox, but we create some empty distribution groups with addresses for SMTP devices and assigned Send As rights to the mailbox, so emails from a copier/scanner appear to come from that specific device.  Emails from a server that doesn't support TLS will appear to come from that server.  

Thanks Stabby and Evan7191. I have some better ideas of the process, just need to play around with this more.

Still can't get this to work...

I've tried more guides than I can remember and the mail either sits in the queue or goes to badmail with some obscure error that doesn't help at all...

I'm either extremely dense or this is way more complicated than it should be!

I find that all guides talk about different things (including the Microsoft documents which clearly leave out information).

Conflicting information I've read include:

  • Do you add your email domain here or do you leave it blank?
  • Do you configure the Outbound Security on the domain as Anonymous or Basic Authentication with TLS?
  • Do you route domain to smtp.office365.com or to the value in your MX record from your domain setup information?

General Properties

  • Do you leave IP Address as (All Unassigned) Port 25 or do you add the actual IP of the SMTP server on port 25 or 587?
  • If you add an IP do you select it in the dropdown or do you leave it at (All Unassigned)?
  • Authentication seems to be Anonymous for all guides
  • Connection - Do you add the SMTP Relay IP here along with all devices leveraging the relay?
  • Relay - Same as above? Does Allow all computers which successfully authenticate to relay, regardless of list above get checked or not?
  • Outbound Security - Do you leave this at Anonymous or do you put an account in under Basic authentication? I've created a [email protected] account for this which is assigned an O365 license. Is that needed or can I use just a domain account? Conflicting information on this.
  • Outbound Connections - TCP Port changed to 587 or leave at 25?

Advanced Delivery

  • Masquerade domain - Can't actually see anyone using this.
  • Fully-qualified domain name - is this the FQDN of the SMTP Relay or the FQDN of the MX record for your domain? (I've seen both referenced)
  • Smart host: Again is this smtp.office365.com or the same above MX record?

I think I have the O365 environment correct - I have mail flow connectors created from "Your organization's email servers" To "Office 365" and the IP address is set to the external IP of each site (there are two connectors for two sites). That's all that any document talks about doing.

Ripping out the little hair I have left over this!

Exchange Online Protection licencing

Hello - I've been trying to understand how EOP licences relate to users & mailboxes.

I have a client who has 8 active users, a number of group mailboxes, distribution lists and some mailboxes for people who left the organisation sometime ago (but may still receive emails).

I have purchased 8 licences, but don't have the opportunity to allocate these to the 8 users.

So, my question is - how many licences do I need, and what happens if an "unlicenced" SMTP address (eg group mailbox, DL or former employee) receives an email?

Is the client using an EOP standalone plan with their own on-premises email system? If yes, every on-premises user needs to be assigned an EOP license. Distribution groups don’t require licenses.

If the client is already using an Office 365 Business plan which contains EOP services, no additional EOP licenses are needed. All inbound emails will be filtered by EOP.

Thanks, Henry Huang

Hello Henry - thanks for this. What is meant by an "on-premise user" though? Yes, this is using EOP to protect an on-premise Exchange server. Directory is synced using AADConnect.

As I say in the original post, group mailboxes are seen under the console's "User" list, as are people who have left (their AD account is disabled, but the mailbox is retained to ensure anything sent to someone's address is picked up).

So, let's say I have 8 active users, 10 mailboxes of people who have left (disabled in AD) and 25 group mailboxes - does that mean I need 43 licences? What does EOP do if there are insufficient licences?

Hi Neil,   Thanks for the updates.

If my understanding is correct, all the group mailboxes and mailboxes of people who have left are all User Mailboxes. If this is the case, yes, you will need 43 licenses to make sure emails sent to these mailboxes are protected by EOP. If potential mail protection issues happen to a user mailbox which is not assigned a license, the EOP support may not be able to help.

Moreover, since this is a scenario about using EOP standalone for on-premises Exchange server, it might have some difference from the EOP in Office 365 for Business plans. For any further questions or problems, it’s suggested that you contact our dedicated support team by referring to the Support telephone numbers section in this article: Help and support for EOP.

Your understanding is appreciated. 

Best Regards, Henry Huang

Permissions in Exchange Online

Exchange Online in Microsoft 365 and Office 365 includes a large set of predefined permissions, based on the Role Based Access Control (RBAC) permissions model, which you can use right away to easily grant permissions to your administrators and users. You can use the permissions features in Exchange Online so that you can get your new organization up and running quickly.

RBAC is also the permissions model that's used in Microsoft Exchange Server. Most of the links in this topic refer to topics that reference Exchange Server. The concepts in those topics also apply to Exchange Online.

For information about permissions across Microsoft 365 or Office 365, see About admin roles.

Several RBAC features and concepts aren't discussed in this topic because they're advanced features. If the functionality discussed in this topic doesn't meet your needs, and you want to further customize your permissions model, see Understanding Role Based Access Control.

Role-based permissions

In Exchange Online, the permissions that you grant to administrators and users are based on management roles. A management role defines the set of tasks that an administrator or user can perform. For example, a management role called Mail Recipients defines the tasks that someone can perform on a set of mailboxes, contacts, and distribution groups. When a management role is assigned to an administrator or user, that person is granted the permissions provided by the management role.

Administrative roles and end-user roles are the two types of management roles. Following is a brief description of each type:

Administrative roles: These roles contain permissions that can be assigned to administrators or specialist users using role groups that manage a part of the Exchange Online organization, such as recipients or compliance management.

End-user roles: These roles, which are assigned using role assignment policies, enable users to manage aspects of their own mailbox and distribution groups that they own. End-user roles begin with the prefix My.

Management roles give permissions to perform tasks to administrators and users by making cmdlets available to those who are assigned the roles. Because the Exchange admin center (EAC) and Exchange Online PowerShell use cmdlets to manage Exchange Online, granting access to a cmdlet gives the administrator or user permission to perform the task in each of the Exchange Online management interfaces.

Exchange Online includes role groups that you can use to grant permissions. For more information, see the next section.

Some management roles may be available only to on-premises Exchange Server installations and won't be available in Exchange Online.

Role groups and role assignment policies

Management roles grant permissions to perform tasks in Exchange Online, but you need an easy way to assign them to administrators and users. Exchange Online provides you with the following to help you make assignments:

Role groups: Role groups enable you to grant permissions to administrators and specialist users.

Role assignment policies: Role assignment policies enable you to grant permissions to end users to change settings on their own mailbox or distribution groups that they own.

The following sections provide more information about role groups and role assignment policies.

Role groups

Every administrator who manages Exchange Online must be assigned at least one role. Administrators might have more than one role because they may perform job functions that span multiple areas in Exchange Online.

To make it easier to assign multiple roles to an administrator, Exchange Online includes role groups. When a role is assigned to a role group, the permissions granted by the role are granted to all the members of the role group. This enables you to assign many roles to many role group members at once. Role groups typically encompass broader management areas, such as recipient management. They're used only with administrative roles, and not end-user roles. Role group members can be Exchange Online users and other role groups.

It's possible to assign a role directly to a user without using a role group. However, that method of role assignment is an advanced procedure and isn't covered in this topic. We recommend that you use role groups to manage permissions.

The following figure shows the relationship between users, role groups, and roles.

Role, role group and member relationship.

Exchange Online includes several built-in role groups, each one providing permissions to manage specific areas in Exchange Online. Some role groups may overlap with other role groups. The following table lists each role group with a description of its use.

If you work in a small organization that has only a few administrators, you might need to add those administrators to the Organization Management role group only, and you may never need to use the other role groups. If you work in a larger organization, you might have administrators who perform specific tasks administering Exchange Online, such as recipient configuration. In those cases, you might add one administrator to the Recipient Management role group, and another administrator to the Organization Management role group. Those administrators can then manage their specific areas of Exchange Online, but they won't have permissions to manage areas they're not responsible for.

If the built-in role groups in Exchange Online don't match the job function of your administrators, you can create role groups and add roles to them. For more information, see the Work with role groups section later in this topic.

Role assignment policies

Exchange Online provides role assignment policies so that you can control what settings your users can configure on their own mailboxes and on distribution groups they own. These settings include their display name, contact information, voice mail settings, and distribution group membership.

Your Exchange Online organization can have multiple role assignment policies that provide different levels of permissions for the different types of users in your organizations. Some users can be allowed to change their address or create distribution groups, while others can't, depending on the role assignment policy associated with their mailbox. Role assignment policies are added directly to mailboxes, and each mailbox can only be associated with one role assignment policy at a time.

Of the role assignment policies in your organization, one is marked as default. The default role assignment policy is associated with new mailboxes that aren't explicitly assigned a specific role assignment policy when they're created. The default role assignment policy should contain the permissions that should be applied to the majority of your mailboxes.

Permissions are added to role assignment policies using end-user roles. End-user roles begin with My and grant permissions for users to manage only their mailbox or distribution groups they own. They can't be used to manage any other mailbox. Only end-user roles can be assigned to role assignment policies.

When an end-user role is assigned to a role assignment policy, all of the mailboxes associated with that role assignment policy receive the permissions granted by the role. This enables you to add or remove permissions to sets of users without having to configure individual mailboxes. The following figure shows:

End-user roles are assigned to role assignment policies. Role assignment policies can share the same end-user roles. For details about the end-user roles that are available in Exchange Online, see Role assignment policies in Exchange Online.

Role assignment policies are associated with mailboxes. Each mailbox can only be associated with one role assignment policy.

After a mailbox is associated with a role assignment policy, the end-user roles are applied to that mailbox. The permissions granted by the roles are granted to the user of the mailbox.

Role, role assignment policy, mailbox relationship.

The Default Role Assignment Policy role assignment policy is included with Exchange Online. As the name implies, it's the default role assignment policy. If you want to change the permissions provided by this role assignment policy, or if you want to create role assignment policies, see Work with role assignment policies later in this topic.

Microsoft 365 or Office 365 permissions in Exchange Online

When you create a user in Microsoft 365 or Office 365, you can choose whether to assign various administrative roles, such as Global administrator, Service administrator, Password administrator, and so on, to the user. Some, but not all, Microsoft 365 and Office 365 roles grant the user administrative permissions in Exchange Online.

The user that was used to create your Microsoft 365 or Office 365 organization is automatically assigned to the Global administrator Microsoft 365 or Office 365 role.

The following table lists the Microsoft 365 or Office 365 roles and the Exchange Online role group they correspond to.

For a description of the Exchange Online role groups, see the table "Built-in role groups" in Role groups.

In Microsoft 365 or Office 365, when you add a user to either the Global administrator or Password administrator roles, the user is granted the rights provided by the respective Exchange Online role group. Other Microsoft 365 or Office 365 roles don't have a corresponding Exchange Online role group and won't grant administrative permissions in Exchange Online. For more information about assigning a Microsoft 365 or Office 365 role to a user, see Assign admin roles .

Users can be granted administrative rights in Exchange Online without adding them to Microsoft 365 or Office 365 roles. This is done by adding the user as a member of an Exchange Online role group. When a user is added directly to an Exchange Online role group, they'll receive the permissions granted by that role group in Exchange Online. However, they won't be granted any permissions to other Microsoft 365 or Office 365 components. They'll have administrative permissions only in Exchange Online. Users can be added to any of the role groups listed in the "Built-in role groups" table in Role groups with the exception of the Company Administrator and Help Desk Administrators role groups. For more information about adding a user directly to an Exchange Online role group, see Work with role groups.

Work with role groups

To manage your permissions using role groups in Exchange Online, we recommend that you use the EAC. When you use the EAC to manage role groups, you can add and remove roles and members, create role groups, and copy role groups with a few clicks of your mouse. The EAC provides simple dialog boxes, such as the Add role group dialog box, shown in the following figure, to perform these tasks.

New role group dialog box in the EAC.

Exchange Online includes several role groups that separate permissions into specific administrative areas. If these existing role groups provide the permissions your administrators need to manage your Exchange Online organization, you need only add your administrators as members of the appropriate role groups. After you add administrators to a role group, they can administer the features that relate to that role group. To add or remove members to or from a role group, open the role group in the EAC, and then add or remove members from the membership list. For a list of built-in role groups, see the table "Built-in role groups" in Role groups.

If an administrator is a member of more than one role group, Exchange Online grants the administrator all of the permissions provided by the role groups he or she is a member of.

If none of the role groups included with Exchange Online have the permissions you need, you can use the EAC to create a role group and add the roles that have the permissions you need. For your new role group, you will:

  1. Choose a name for your role group.
  2. Select the roles you want to add to the role group.
  3. Add members to the role group.
  4. Save the role group.

After you create the role group, you manage it like any other role group.

If there's an existing role group that has some, but not all, of the permissions you need, you can copy it and then make changes to create a role group. You can copy an existing role group and make changes to it, without affecting the original role group. As part of copying the role group, you can add a new name and description, add and remove roles to and from the new role group, and add new members. When you create or copy a role group, you use the same dialog box that's shown in the preceding figure.

Existing role groups can also be modified. You can add and remove roles from existing role groups, and add and remove members from it at the same time, using an EAC dialog box similar to the one in the preceding figure. By adding and removing roles to and from role groups, you turn on and off administrative features for members of that role group.

Although you can change which roles are assigned to built-in role groups, we recommend that you copy built-in role groups, modify the role group copy, and then add members to the role group copy.

The Company Administrator and Help Desk administrator role groups can't be copied or changed.
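The role group tasks above can also be done and audited from Exchange Online PowerShell. The following is an added example, not part of the original topic: it reports what each role group grants and to whom, lists one administrator's combined role assignments, and copies a built-in role group with fewer roles. The `contoso.example` account, the new group name, and the excluded roles are assumptions chosen for illustration.

```powershell
# Added example. Assumes the ExchangeOnlineManagement module and an open session:
#   Connect-ExchangeOnline -UserPrincipalName admin@contoso.example
# The contoso.example accounts and the new role group name are placeholders.

# 1. Audit: each role group, the roles it carries, and its members.
$report = foreach ($rg in Get-RoleGroup -ResultSize Unlimited) {
    $members = @(Get-RoleGroupMember -Identity $rg.Name -ResultSize Unlimited)
    [pscustomobject]@{
        RoleGroup   = $rg.Name
        RoleCount   = @($rg.Roles).Count
        Roles       = @($rg.Roles) -join '; '
        MemberCount = $members.Count
        Members     = $members.Name -join '; '
    }
}
# Groups with the most roles first: these are the memberships to review closely.
$report | Sort-Object RoleCount -Descending | Format-Table -AutoSize -Wrap

# 2. Combined permissions for one administrator. Roles reach an account through
#    every role group it belongs to, and the permissions add up.
Get-ManagementRoleAssignment -RoleAssignee 'adele@contoso.example' -Delegating $false |
    Sort-Object Role |
    Select-Object Role, RoleAssigneeName, RoleAssigneeType

# 3. Copy a built-in role group with fewer roles instead of editing the original.
$source   = Get-RoleGroup -Identity 'Recipient Management'
$excluded = @('Migration', 'Move Mailboxes')   # illustrative; pick from the audit output
$roles    = @($source.Roles) | Where-Object { [string]$_ -notin $excluded }

$newGroup = @{
    Name        = 'Recipient Management - Restricted'
    Description = 'Copy of Recipient Management without the mailbox move roles'
    Roles       = $roles
    Members     = 'adele@contoso.example'
}
New-RoleGroup @newGroup

# 4. Confirm what the copy grants and who is in it.
Get-RoleGroup -Identity 'Recipient Management - Restricted' |
    Select-Object Name, Roles, Members
```

Running step 1 on a schedule and comparing the output against the previous run is a simple way to detect unexpected additions to high-privilege role groups such as Organization Management.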

Work with role assignment policies

To manage the permissions that you grant end users to manage their own mailbox in Exchange Online, we recommend that you use the EAC. When you use the EAC to manage end-user permissions, you can add roles, remove roles, and create role assignment policies with a few clicks of your mouse. The EAC provides simple dialog boxes, such as the role assignment policy dialog box, shown in the following figure, to perform these tasks.

Role assignment policy dialog box in the EAC.

Exchange Online includes a role assignment policy named Default Role Assignment Policy. This role assignment policy enables users whose mailboxes are associated with it to do the following:

  • Join or leave distribution groups that allow members to manage their own membership.
  • View and modify basic mailbox settings on their own mailbox, such as Inbox rules, spelling behavior, junk mail settings, and Microsoft ActiveSync devices.
  • Modify their contact information, such as work address and phone number, mobile phone number, and pager number.
  • Create, modify, or view text message settings.
  • View or modify voice mail settings.
  • View and modify their marketplace apps.
  • Create team mailboxes and connect them to Microsoft SharePoint lists.
  • Create, modify, or view email subscription settings, such as message format and protocol defaults.

If you want to add or remove permissions from the Default Role Assignment Policy or any other role assignment policy, you can use the EAC. The dialog box you use is similar to the one in the preceding figure. When you open the role assignment policy in the EAC, select the check box next to the roles you want to assign to it or clear the check box next to the roles you want to remove. The change you make to the role assignment policy is applied to every mailbox associated with it.

If you want to assign different end-user permissions to the various types of users in your organization, you can create role assignment policies. When you create a role assignment policy, you see a dialog box similar to the one in the preceding figure. You can specify a new name for the role assignment policy, and then select the roles you want to assign to the role assignment policy. After you create a role assignment policy, you can associate it with mailboxes using the EAC.

If you want to change which role assignment policy is the default, you must use Exchange Online PowerShell. When you change the default role assignment policy, any mailboxes that are created will be associated with the new default role assignment policy if one wasn't explicitly specified. The role assignment policy associated with existing mailboxes doesn't change when you select a new default role assignment policy.

If you select a check box for a role that has child roles, the check boxes for the child roles are also selected. If you clear the check box for a role with child roles, the check boxes for the child roles are also cleared.

For detailed role assignment policy procedures, see Role assignment policies in Exchange Online.
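Changing the default role assignment policy requires Exchange Online PowerShell, as noted above. The following is an added example, not part of the original topic: it creates a narrower policy, associates it with one mailbox, makes it the default, and verifies that existing mailboxes keep their current policy. The policy name, the mailbox address, and the choice of end-user roles are assumptions chosen for illustration.

```powershell
# Added example. Assumes the ExchangeOnlineManagement module and an open session:
#   Connect-ExchangeOnline -UserPrincipalName admin@contoso.example
# 'Restricted Users' and kiosk01@contoso.example are constructed placeholders.

# 1. List the end-user roles that can go into a policy (they begin with "My").
Get-ManagementRole | Where-Object { $_.Name -like 'My*' } |
    Sort-Object Name | Select-Object Name

# 2. Record the current state: which policy is default, and how many
#    mailboxes are associated with each policy.
Get-RoleAssignmentPolicy | Select-Object Name, IsDefault, AssignedRoles
$before = Get-Mailbox -ResultSize Unlimited |
    Group-Object RoleAssignmentPolicy | Select-Object Name, Count
$before

# 3. Create a policy that carries only the end-user roles these users need.
New-RoleAssignmentPolicy -Name 'Restricted Users' `
    -Description 'Basic mailbox options and contact information only' `
    -Roles 'MyBaseOptions', 'MyContactInformation'

# 4. Associate the policy with an existing mailbox. A mailbox has exactly one
#    role assignment policy, so this replaces the previous association.
Set-Mailbox -Identity 'kiosk01@contoso.example' -RoleAssignmentPolicy 'Restricted Users'

# 5. Make it the default for mailboxes created from now on.
Set-RoleAssignmentPolicy -Identity 'Restricted Users' -IsDefault

# 6. Verify: the default flag has moved, and apart from the mailbox changed
#    in step 4 the per-policy counts match the snapshot from step 2.
Get-RoleAssignmentPolicy | Select-Object Name, IsDefault
Get-Mailbox -ResultSize Unlimited |
    Group-Object RoleAssignmentPolicy | Select-Object Name, Count
```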

Permissions documentation

The following table contains links to topics that will help you learn about and manage permissions in Exchange Online.
