Securing Office 365 with Defender

Using Preset Security Policies in Microsoft Defender for Office 365

Overview

Microsoft Defender for Office 365 provides Preset Security Policies (also known as Default Security Policies) to simplify deployment of recommended protection settings.

These presets automatically configure:

  • Anti-Phishing
  • Safe Links
  • Safe Attachments
  • Anti-Malware
  • Anti-Spam

Instead of manually tuning dozens of settings, administrators can apply Microsoft-recommended configurations using Standard or Strict protection levels.

If you are searching for any of these topics:

  • Enable default security policies Office 365
  • Standard vs Strict Defender policy
  • Preset security policies Microsoft 365

this guide explains how preset policies work, the differences between Standard and Strict, when to use each level, and common misconfigurations.


Why Preset Security Policies Are Important

Many organizations misconfigure security settings because:

  • Policies are overly customized
  • Defaults are left unchanged
  • Security is weakened to reduce user complaints
  • Administrators lack time for detailed tuning

Preset policies provide:

  • Microsoft-recommended baseline security
  • Consistent protection across users
  • Reduced configuration errors
  • Faster deployment

They are especially useful for organizations without a dedicated security team.


What Are Preset Security Policies?

Preset policies are pre-configured protection templates designed by Microsoft based on threat intelligence and best practices.

There are two primary levels:

  • Standard Protection
  • Strict Protection

Both automatically configure Safe Links, Safe Attachments, Anti-Phishing, and Anti-Malware settings.


Standard vs Strict Protection

Below is a high-level comparison.

Feature                         | Standard Protection   | Strict Protection
--------------------------------|-----------------------|-----------------------------------------------
Target audience                 | General users         | High-risk users (Executives, Finance, Admins)
Anti-Phishing sensitivity       | Moderate              | High
Impersonation protection        | Enabled               | Enabled (More aggressive)
Safe Links enforcement          | Enabled               | Enabled (No user override recommended)
Safe Attachments                | Block detected threats| Block with stricter evaluation
User ability to bypass warnings | Sometimes allowed     | Typically blocked
False positive risk             | Lower                 | Higher
Security posture                | Balanced              | Maximum protection

When to Use Standard Protection

Standard is appropriate when:

  • You want broad coverage for all users
  • You need a balanced security vs usability approach
  • You are starting Defender deployment
  • You want to reduce manual policy configuration

Recommended for:

  • Most general employees
  • Medium-risk departments

When to Use Strict Protection

Strict is recommended when:

  • Users are high-value targets
  • Executives are frequently impersonated
  • The organization has experienced phishing attacks
  • Compliance requires stronger enforcement

Recommended for:

  • CEO, CFO, CIO
  • Finance and payroll teams
  • IT administrators
  • HR leadership

Strict policies may increase false positives but provide stronger protection.


How to Enable Preset Security Policies

Step 1: Navigate to Preset Policies

  1. Go to the Microsoft 365 Defender portal:
    https://security.microsoft.com

  2. Navigate to:
    Email & Collaboration → Policies & Rules → Threat Policies → Preset Security Policies


Step 2: Select Protection Level

Choose:

  • Standard protection
  • Strict protection

Click Manage protection settings.


Step 3: Assign Users

Define:

  • All users
  • Specific groups
  • Individual users

Best practice:

  • Apply Standard to all users
  • Apply Strict to high-risk users
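
To check the result of Steps 1 to 3 from Exchange Online PowerShell, the following added example (not part of the original guide) classifies preset rule objects of the kind returned by `Get-EOPProtectionPolicyRule` and `Get-ATPProtectionPolicyRule`. The function name and the sample rule objects are constructed for illustration, and treating a rule with no recipient conditions as covering all recipients is an assumption.

```powershell
# Added example: sample objects are constructed, not taken from a real tenant.
function Get-PresetRuleFinding {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][psobject]$Rule)
    process {
        $tier = if ($Rule.Name -like 'Strict*') { 'Strict' } else { 'Standard' }
        # Assumption: a rule with no recipient conditions covers every recipient.
        $scoped = [bool]($Rule.SentTo -or $Rule.SentToMemberOf -or $Rule.RecipientDomainIs)
        $finding = if ("$($Rule.State)" -ne 'Enabled') {
            "$tier preset is turned off"
        } elseif ($tier -eq 'Strict' -and -not $scoped) {
            'Strict covers all recipients: expect more false positives'
        } elseif ($tier -eq 'Standard' -and $scoped) {
            'Standard is limited to some recipients: others lack the baseline'
        } else {
            'OK'
        }
        [pscustomobject]@{
            Rule = $Rule.Name; State = "$($Rule.State)"; Scoped = $scoped; Finding = $finding
        }
    }
}

# Constructed rule objects shaped like the cmdlet output.
$sampleRules = @(
    [pscustomobject]@{ Name = 'Standard Preset Security Policy'; State = 'Enabled'
                       SentTo = @(); SentToMemberOf = @(); RecipientDomainIs = @() }
    [pscustomobject]@{ Name = 'Strict Preset Security Policy'; State = 'Enabled'
                       SentTo = @(); SentToMemberOf = @(); RecipientDomainIs = @() }
)
$sampleRules | Get-PresetRuleFinding | Format-Table -AutoSize

# Against a tenant, after Connect-ExchangeOnline:
#   @(Get-EOPProtectionPolicyRule) + @(Get-ATPProtectionPolicyRule) | Get-PresetRuleFinding
```

If the two `Get-` cmdlets return nothing at all, the preset has never been turned on in the portal, which is the first failure listed under "Common Areas Where Companies Fail".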

Policy Priority and Overriding Behavior

Preset policies have priority rules.

Important:

  • Preset policies override many custom configurations.
  • Strict has higher priority than Standard.
  • Custom policies with higher priority may override preset policies.

To verify priority:

  1. Review policy order.
  2. Check if custom anti-phishing or Safe Links policies are overriding presets.

Avoid creating weaker custom policies that reduce preset protections.


Common Areas Where Companies Fail

1. Not Enabling Preset Policies at All

Many tenants rely on default EOP settings without enabling Defender presets.


2. Applying Strict to Everyone

Strict may cause excessive false positives if applied to the entire organization.


3. Overriding Presets with Custom Rules

Admins sometimes create custom policies that:

  • Lower phishing sensitivity
  • Allow user click-through
  • Disable impersonation checks

This weakens protection.
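
The review asked for under "Policy Priority and Overriding Behavior" and the three weakening changes listed above can be checked in one pass. This added example (not part of the original guide) flags custom anti-phishing and Safe Links policy objects, as returned by `Get-AntiPhishPolicy` and `Get-SafeLinksPolicy`, that show any of them. The function name and sample policies are constructed, and the default `MinPhishThreshold` of 3 is an assumed baseline to adjust to your preset tier.

```powershell
# Added example: function name and sample policies are constructed.
function Find-WeakCustomPolicy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][psobject]$Policy,
        # Assumed baseline; set it to the threshold your preset tier uses.
        [int]$MinPhishThreshold = 3
    )
    process {
        # Policies owned by a preset report Standard or Strict here; skip them.
        if ("$($Policy.RecommendedPolicyType)" -in 'Standard', 'Strict') { return }
        $props  = $Policy.PSObject.Properties.Name
        $issues = @()
        # "Lower phishing sensitivity" (anti-phishing policies only).
        if (($props -contains 'PhishThresholdLevel') -and
            ([int]$Policy.PhishThresholdLevel -lt $MinPhishThreshold)) {
            $issues += "PhishThresholdLevel $($Policy.PhishThresholdLevel) < $MinPhishThreshold"
        }
        # "Disable impersonation checks".
        foreach ($flag in 'EnableTargetedUserProtection', 'EnableTargetedDomainsProtection',
                          'EnableOrganizationDomainsProtection') {
            if (($props -contains $flag) -and -not $Policy.$flag) { $issues += "$flag is off" }
        }
        # "Allow user click-through" (Safe Links policies only).
        if (($props -contains 'AllowClickThrough') -and $Policy.AllowClickThrough) {
            $issues += 'AllowClickThrough is on'
        }
        if ($issues) {
            [pscustomobject]@{ Policy = $Policy.Name; Issues = $issues -join '; ' }
        }
    }
}

# Constructed policy objects shaped like the cmdlet output.
$samplePolicies = @(
    [pscustomobject]@{ Name = 'Preset-owned anti-phish (constructed)'; RecommendedPolicyType = 'Strict'
                       PhishThresholdLevel = 4; EnableTargetedUserProtection = $true
                       EnableTargetedDomainsProtection = $true; EnableOrganizationDomainsProtection = $true }
    [pscustomobject]@{ Name = 'Sales exceptions (constructed)'; RecommendedPolicyType = 'Custom'
                       PhishThresholdLevel = 1; EnableTargetedUserProtection = $false
                       EnableTargetedDomainsProtection = $true; EnableOrganizationDomainsProtection = $true }
    [pscustomobject]@{ Name = 'Legacy Safe Links (constructed)'; RecommendedPolicyType = 'Custom'
                       AllowClickThrough = $true }
)
$samplePolicies | Find-WeakCustomPolicy | Format-Table -AutoSize -Wrap

# Against a tenant, after Connect-ExchangeOnline:
#   @(Get-AntiPhishPolicy) + @(Get-SafeLinksPolicy) | Find-WeakCustomPolicy
```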


4. Not Reviewing After Activation

Preset policies still require:

  • Quarantine monitoring
  • Impersonation list tuning
  • Safe Links review

5. Ignoring High-Risk Users

Executives and finance staff should always receive stricter controls.


Best Practices

  • Start with Standard for all users.
  • Apply Strict to high-risk groups.
  • Avoid weakening presets unless justified.
  • Monitor quarantine regularly.
  • Combine with DKIM, SPF, and DMARC enforcement.
  • Review impersonation protection settings.

Preset policies simplify deployment but do not eliminate the need for monitoring.


Frequently Asked Questions

Are Preset Security Policies enabled by default?
No. Administrators must explicitly enable and assign them.


Can I customize Standard or Strict policies?
No. Presets cannot be edited. You can only assign them.


Do Preset Policies replace custom policies?
They may override certain custom policies depending on priority. Always review policy order.


Should I disable custom policies after enabling presets?
Not necessarily. Review them to ensure they do not weaken preset protections.


Does Strict significantly increase false positives?
It may increase sensitivity and result in more quarantined messages, especially in high-volume environments.


Are Preset Policies enough for complete protection?
They provide strong baseline protection but should be combined with proper authentication (SPF, DKIM, DMARC) and monitoring practices.