Clarify exclusions for users lacking MDO licenses

Author: chrisda

defender-office-365/preset-security-policies.md

@@ -16,7 +16,7 @@ ms.custom:
 description: Admins can learn how to apply Standard and Strict policy settings across the protection features of Exchange Online Protection (EOP) and Microsoft Defender for Office 365
 ms.service: defender-office-365
 search.appverid: met150
-ms.date: 01/29/2025
+ms.date: 03/21/2025
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/eop-about" target="_blank">Exchange Online Protection</a>
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 1 and Plan 2</a>
@@ -106,14 +106,20 @@ The rest of this article how to configure preset security policies.
    > [!NOTE]
    > In organizations without Defender for Office 365, selecting **Next** takes you to the **Review** page (Step 9).
 
-4. On the **Apply Defender for Office 365 protection** page, identify the internal recipients that the [Defender for Office 365 protections](#policies-in-preset-security-policies) apply to (recipient conditions).
+4. On the **Apply Defender for Office 365 protection** page, identify the internal recipients that the [Defender for Office 365 protections](#policies-in-preset-security-policies) apply to (recipient conditions) or don't apply to (recipient exceptions)
 
    The settings and behavior are exactly like the **Apply Exchange Online Protection** page in the previous step.
 
    You can also select **Previously selected recipients** to use the same recipients that you selected for EOP protection on the previous page.
 
    When you're finished on the **Apply Defender for Office 365 protection** page, select **Next**.
 
+   > [!TIP]
+   > If not all users in your organization have Defender for Office 365 licenses, you can use the following methods to apply Defender for Office 365 protections to eligible users only:
+   >
+   > - Use **Specified recipients** to identify the users or groups who **are eligible** for Defender for Office 365 protections.
+   > - Use **Exclude these recipients** \> **Specified recipients** to identify the users or groups who **aren't eligible** for Defender for Office 365 protections.
+
 5. On the **Impersonation protection** page, select **Next**.
 
 6. On the **Add email addresses to flag when impersonated by attackers** page, add internal and external senders who are protected by [user impersonation protection](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365).
@@ -182,9 +188,9 @@ To disable the **Standard protection** or **Strict protection** preset security
 ## Use the Microsoft Defender portal to add exclusions to the Built-in protection preset security policy
 
 > [!TIP]
-> The **Built-in protection** preset security policy is applied to all users in organizations with any amount of licenses for Defender for Microsoft 365. This application is in the spirit of securing the broadest set of users until admins specifically configure Defender for Office 365 protections. Because **Built-in protection** is enabled by default, customers don't need to worry about violating product licensing terms. However, we recommend purchasing enough Defender for Office 365 licenses to ensure **Built-in protection** continues for all users.
+> The **Built-in protection** preset security policy is applied to all users in organizations with any amount of licenses for Defender for Office 365. Application of this protection is in the spirit of securing the broadest set of users until admins specifically configure Defender for Office 365 protections. Because **Built-in protection** is enabled by default, customers don't need to worry about violating product licensing terms. However, we recommend purchasing enough Defender for Office 365 licenses to ensure **Built-in protection** continues for all users.
 >
-> The **Built-in protection** preset security policy doesn't affect recipients who are defined in the **Standard** or **Strict** preset security policies, or in custom Safe Links or Safe Attachments policies. Therefore, we typically don't recommend exceptions to the **Built-in protection** preset security policy.
+> The **Built-in protection** preset security policy doesn't affect recipients who are defined in the **Standard** or **Strict** preset security policies, or in custom Safe Links or Safe Attachments policies. Therefore, we typically don't recommend exceptions to the **Built-in protection** preset security policy, unless you want to exclude users who aren't eligible for Safe Links and Safe Attachments protections (users who lack Defender for Office 365 licenses).
 
 1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Preset Security Policies** in the **Templated policies** section. Or, to go directly to the **Preset security policies** page, use <https://security.microsoft.com/presetSecurityPolicies>.
 

defender-office-365/safe-attachments-policies-configure.md

@@ -18,7 +18,7 @@ ms.collection:
 description: Learn about how to define Safe Attachments policies to protect your organization from malicious files in email.
 ms.custom: seo-marvel-apr2020
 ms.service: defender-office-365
-ms.date: 01/29/2025
+ms.date: 03/21/2025
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 1 and Plan 2</a>
   - ✅ <a href="https://learn.microsoft.com/defender-xdr/microsoft-365-defender" target="_blank">Microsoft Defender XDR</a>
@@ -116,6 +116,9 @@ You configure Safe Attachments policies in the Microsoft Defender portal or in E
      - Multiple **values** of the **same exception** use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_). If the recipient matches **any** of the specified values, the policy isn't applied to them.
      - Different **types of exceptions** use OR logic (for example, _\<recipient1\>_ or _\<member of group1\>_ or _\<member of domain1\>_). If the recipient matches **any** of the specified exception values, the policy isn't applied to them.
 
+     > [!TIP]
+     > If not all users in your organization have Defender for Office 365 licenses, you can use **User** or **Group** exceptions to exclude users who aren't eligible for Safe Attachments protections.
+
    When you're finished on the **Users and domains** page, select **Next**.
 
 5. On the **Settings** page, configure the following settings:

defender-office-365/safe-links-policies-configure.md

@@ -18,7 +18,7 @@ ms.collection:
 ms.custom:
 description: Admins can learn how to view, create, modify, and delete Safe Links policies in Microsoft Defender for Office 365.
 ms.service: defender-office-365
-ms.date: 01/29/2025
+ms.date: 03/21/2025
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 1 and Plan 2</a>
   - ✅ <a href="https://learn.microsoft.com/defender-xdr/microsoft-365-defender" target="_blank">Microsoft Defender XDR</a>
@@ -114,6 +114,9 @@ You configure Safe Links policies in the Microsoft Defender portal or in Exchang
      - Multiple **values** of the **same exception** use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_). If the recipient matches **any** of the specified values, the policy isn't applied to them.
      - Different **types of exceptions** use OR logic (for example, _\<recipient1\>_ or _\<member of group1\>_ or _\<member of domain1\>_). If the recipient matches **any** of the specified exception values, the policy isn't applied to them.
 
+     > [!TIP]
+     > If not all users in your organization have Defender for Office 365 licenses, you can use **User** or **Group** exceptions to exclude users who aren't eligible for Safe Links protections.
+
    When you're finished on the **Users and domains** page, select **Next**.
 
 5. On the **URL & click protection settings** page, configure the following settings: