Why Defender for Office 365 Licensing Decisions Go Wrong
Microsoft Defender for Office 365 (MDO) is one of the clearest cases in the Microsoft portfolio where the licensing decision should be straightforward — and yet we routinely find enterprises either underprotected (relying on Exchange Online Protection alone when MDO P1 would materially improve their security posture) or overspending (buying MDO P2 via E5 for user populations that will never use the investigation and hunting capabilities that justify the premium).
Part of the confusion stems from Microsoft's history of renaming this product. What was formerly known as Advanced Threat Protection (ATP) for Exchange Online became Office 365 ATP, then Microsoft Defender for Office 365, and is now often bundled into the broader "Microsoft Defender XDR" framing. The product has grown significantly in capability, but the core licensing model — Plan 1 for protection, Plan 2 for investigation — remains the same structure it has held since 2017.
This guide covers the licensing mechanics precisely: what Exchange Online Protection provides, what MDO Plan 1 adds, what Plan 2 adds beyond that, where each is included in the M365 suite tiers, and how to make the right decision for your organisation without paying for capabilities your security team will not use.
Exchange Online Protection vs MDO: The Baseline Distinction
Every Exchange Online mailbox — regardless of licence tier — includes Exchange Online Protection (EOP). EOP provides the foundational email security layer: connection filtering, anti-malware, anti-spam, anti-phishing (impersonation and spoof intelligence), and safe message handling. For the vast majority of commodity phishing and spam, EOP is effective and requires no additional licensing.
The limitation of EOP is its reliance on signature-based and reputation-based filtering. Against targeted attacks — zero-day malware delivered via email, sophisticated Business Email Compromise campaigns, weaponised URLs in legitimate-looking messages from compromised accounts — EOP's detection rates are materially lower than MDO's behavioural analysis and detonation chamber approach.
MDO Plan 1 adds the capabilities that address this gap: Safe Attachments (detonation chamber analysis of every attachment before delivery), Safe Links (URL rewrite and real-time click evaluation), anti-phishing policies with advanced impersonation detection, and spoof intelligence. These are not marginal improvements — they represent a fundamentally different approach to zero-day threat detection that reduces successful phishing delivery rates by 40–60% in empirical comparisons.
MDO Plan 1 vs Plan 2: Feature Comparison
| Capability | EOP (All Exchange) | MDO Plan 1 | MDO Plan 2 |
|---|---|---|---|
| Anti-spam and anti-malware | ✓ Included | ✓ Included | ✓ Included |
| Anti-phishing (basic spoof intelligence) | ✓ Included | ✓ Enhanced | ✓ Full |
| Safe Attachments | — Not available | ✓ Included | ✓ Included |
| Safe Links | — Not available | ✓ Included | ✓ Included |
| Advanced anti-phishing (user/domain impersonation) | — Not available | ✓ Included | ✓ Included |
| Real-time threat intelligence | — Not available | ✓ Basic | ✓ Full (Threat Explorer) |
| Automated Investigation and Response (AIR) | — Not available | — Not available | ✓ Included |
| Threat Explorer (threat hunting) | — Not available | — Not available | ✓ Included (30-day retention) |
| Attack Simulation Training | — Not available | — Limited (basic) | ✓ Full (200+ templates, detailed reporting) |
| Microsoft Secure Score integration | — Limited | ✓ Email recommendations | ✓ Full integration |
| Priority account protection | — Not available | — Not available | ✓ Included (enhanced scanning for exec accounts) |
Where MDO Is Included in M365 Suite Tiers
| M365 / O365 Plan | MDO Inclusion | Notes |
|---|---|---|
| Exchange Online Plan 1 / Plan 2 | EOP only | No MDO — must add separately |
| O365 E1 | EOP only | MDO not included at E1 |
| O365 E3 | EOP only | MDO not included — significant licensing gap |
| M365 Business Basic / Standard | EOP only | Business plans below Premium do not include MDO |
| M365 Business Premium | MDO Plan 1 | Full MDO P1 included — strong security value for sub-300 seat organisations |
| M365 F1 / F3 | EOP only | No MDO for frontline workers unless added separately |
| M365 E3 | MDO Plan 1 | MDO P1 included — key reason E3 is preferable to O365 E3 for email-heavy organisations |
| M365 E5 | MDO Plan 2 | Full MDO P2 included — part of E5 Security bundle value |
| M365 E5 Security add-on | MDO Plan 2 | Available as add-on for M365 E3 users needing P2 without full E5 |
Organisations on Office 365 E3 (not Microsoft 365 E3) have EOP but not MDO Plan 1. This is one of the most common security licensing gaps we find. The difference between O365 E3 (£17.60/user/month) and M365 E3 (£28.10/user/month) includes MDO P1, Intune, and Entra ID P1 — three capabilities that represent substantial security value. The O365 E3 → M365 E3 upgrade conversation is frequently worth having.
The Plan 1 vs Plan 2 Decision
The capability difference between MDO P1 and MDO P2 is significant in absolute terms — AIR, Threat Explorer, and full Attack Simulation Training are genuinely valuable — but the correct decision depends entirely on whether your security team will actually use the investigation and response capabilities that P2 adds.
When MDO Plan 1 Is the Right Answer
Plan 1 is the correct choice for organisations that need strong preventive email security without a dedicated threat hunting or email forensics workflow. This covers the majority of M365 E3 deployments: Safe Attachments and Safe Links provide the primary protection uplift over EOP, and the Advanced Anti-Phishing policies with user/domain impersonation protection address the most common threat vector for mid-market and enterprise targets.
If your security team is a lean 2–4 person operation without an analyst dedicated to email threat hunting, Plan 2 capabilities will go unused. Pay for P1 protection via M365 E3 and invest the cost difference in security operations processes rather than features that require specialist expertise to deploy.
When MDO Plan 2 Is Justified
Plan 2 is justified when two conditions are simultaneously true: your organisation faces targeted email-based threats where threat hunting provides meaningful detection improvement, and you have a security operations team with capacity to actively use Threat Explorer and AIR playbooks. The specific use cases that require P2:
- Post-incident investigation of email-based attack chains (Threat Explorer provides the investigative workflow)
- Proactive threat hunting for compromised accounts sending malicious mail from trusted senders
- Automated investigation and response playbooks that run on user-reported phishing submissions
- Priority account protection for your executive team — enhanced scanning and alert prioritisation for CEO and CFO accounts
- Formal phishing simulation and security awareness training at scale (200+ template library, detailed user vulnerability reporting)
Before committing to MDO Plan 2 (via E5 upgrade or E5 Security add-on), ask your security team three questions: (1) Will we actively use Threat Explorer for email threat hunting at least weekly? (2) Do we want AIR to auto-remediate user-reported phish submissions? (3) Is attack simulation training a priority for security awareness this year? If the answer to all three is no, P1 is the correct tier for the vast majority of your user population.
Standalone Pricing and Add-On Scenarios
When MDO is not included in your current M365 plan, the standalone add-on options are:
| Option | List Price/User/Month | Notes |
|---|---|---|
| MDO Plan 1 standalone add-on | £2.40 | For O365 E1/E3 users; adds Safe Attachments, Safe Links, and advanced anti-phishing |
| MDO Plan 2 standalone add-on | £4.80 | Adds full P2 capabilities including AIR and Threat Explorer; requires qualifying base plan |
| M365 E3 upgrade (from O365 E3) | +£10.50 difference | Includes MDO P1 + Intune + Entra P1 — often better value than MDO P1 standalone if Intune and Entra P1 are also needed |
| M365 E5 Security add-on (for E3) | £13.60 | Includes MDO P2, Defender for Endpoint P2, Entra P2, Defender for Cloud Apps — full security suite |
The most common mistake in the standalone MDO market: buying MDO Plan 1 as a standalone add-on for O365 E3 users when upgrading to M365 E3 would be preferable. At £2.40/user/month for MDO P1 alone, versus £10.50/user/month for the O365 E3 → M365 E3 upgrade that includes MDO P1 plus Intune Plan 1 plus Entra ID P1 plus Windows 11 Enterprise rights, the upgrade is often the better commercial decision if you need more than one of those additional capabilities.
MDO vs Third-Party Email Security
Microsoft Defender for Office 365 competes primarily against Proofpoint Email Protection + TAP (Targeted Attack Protection) and Mimecast Email Security. The competitive picture has shifted significantly in MDO's favour over the last three years, primarily because of API-level integration advantages.
Third-party email security gateways sit in the mail flow path as MX-record intermediaries. MDO integrates at the API level with Exchange Online, giving it access to post-delivery telemetry, in-client URL evaluation (Safe Links rewrites URLs and evaluates them when they are clicked in Outlook), and cross-service correlation with Entra, Defender for Endpoint, and Sentinel. For a Microsoft-centric environment, these integration advantages are real and measurable.
The cases where Proofpoint or Mimecast are still preferred over MDO:
- Multi-cloud or hybrid email environments — where Exchange Online coexists with Gmail or on-premises Exchange. Proofpoint and Mimecast are vendor-neutral; MDO is Exchange Online-native.
- Advanced email encryption requirements — Mimecast's encryption gateway capabilities are more mature than MDO's Azure Information Protection-based email encryption for organisations with complex encryption policy requirements.
- Mature third-party investment — organisations that have invested heavily in Proofpoint TAP integration with their SIEM and SOC workflows may find the switching cost to MDO exceeds the licence savings, particularly if Proofpoint is already deeply integrated with incident response playbooks.
For organisations evaluating a switch from a third-party email security gateway to MDO, the correct analysis is not just licence cost comparison — it is total cost including migration, re-tuning MDO policies, security team retraining, and a period of reduced efficacy during the transition. The Microsoft vs third-party IT spend guide covers this analysis framework in detail.
Negotiating MDO in Your EA
MDO Plan 1 is included in M365 E3, so if you are negotiating an M365 E3 renewal, MDO P1 is part of the bundle negotiation rather than a separate line item. The specific MDO negotiation scenarios arise in two situations: upgrading users from O365 E3 to M365 E3 to gain MDO P1, and evaluating whether an E5 or E5 Security upgrade is justified to gain MDO P2.
For the E5 Security upgrade decision, position the MDO P2 capability against your current third-party email security spend. If you are paying £4–£6/user/month for Proofpoint or Mimecast, the E5 Security add-on at £13.60/user/month provides MDO P2 plus Defender for Endpoint P2 plus Entra P2 — a substantially broader security package. The negotiation involves framing the E5 Security upgrade as a consolidation that eliminates third-party security spend, which creates both a commercial justification and a Microsoft incentive to discount the upgrade.
See the Microsoft security licensing guide for the broader E5 security bundle analysis, and the security licensing rationalisation guide for the full consolidation framework.
Frequently Asked Questions
Is Defender for Office 365 included in M365 E3?
Yes — M365 E3 includes MDO Plan 1. This is one of the key differences between O365 E3 and M365 E3. If you are currently on Office 365 E3, you have only Exchange Online Protection (EOP) and would need to add MDO Plan 1 as a standalone add-on (£2.40/user/month) or upgrade to M365 E3 to gain MDO P1 protection.
Does MDO Plan 1 protect SharePoint and Teams as well as email?
Yes. Safe Attachments and Safe Links in MDO Plan 1 protect SharePoint Online, OneDrive for Business, and Microsoft Teams in addition to Exchange Online. When a file is uploaded to SharePoint or shared via Teams, it is scanned by Safe Attachments. URLs shared in Teams messages are rewritten and evaluated by Safe Links. This multi-workload protection is part of the value of MDO P1 versus a standalone email security gateway that protects only the mail flow.
Can MDO Plan 1 and Plan 2 be mixed in the same tenant?
Yes, with caveats. MDO Plan 1 licences can be assigned to the majority of users while MDO Plan 2 is reserved for security operations staff, executives, and high-value targets. The mixed assignment works for the user-specific features (priority account protection, attack simulation reporting). Some tenant-level features in P2 (such as Threat Explorer) are available to any user with a P2 licence who has the Security Reader or Security Administrator role — you do not need to licence every user at P2 to give your security team access to P2 investigation tools.
What is the relationship between MDO and Microsoft Defender XDR?
Microsoft Defender XDR is the umbrella brand for Microsoft's extended detection and response platform. MDO is one component of Defender XDR, alongside Defender for Endpoint, Defender for Identity, and Defender for Cloud Apps. MDO Plan 2 licences include access to the Defender XDR portal for email-specific threat hunting. The full integrated XDR experience — correlating signals across email, endpoint, identity, and cloud apps — requires all four Defender products, which is the E5 Security bundle value proposition.