Microsoft 365 Business security features

Microsoft 365 Business offers simplified security features to help safeguard your data on PCs, phones, and tablets.

In this topic:

Microsoft 365 Business admin center security features

Additional security features (announced on April 30, 2018)

Set up Advanced Threat Protection features

Set up DLP features

Set up email retention with Exchange Online Archiving

Set up Azure Information Protection features


Microsoft 365 Business admin center security features

You can manage many of the Microsoft 365 Business security features in the admin center, which gives you a simplified way to turn these features on or off. In the admin center you can do the following:

Screenshot of the Devices card in the admin center

Additional security features

Advanced features in Microsoft 365 Business are available to help you protect your business against cyber-threats and safeguard sensitive information.

  • Office 365 Advanced Threat Protection

    Advanced Threat Protection (ATP) helps guard your business against sophisticated phishing and ransomware attacks designed to compromise employee or customer information. Features include:

    • Sophisticated attachment scanning and AI-powered analysis to detect and discard dangerous messages.

    • Automatic checks of web links in email to assess if they are part of a phishing scheme. This keeps you safe from accessing unsafe websites.

  • Data Loss Prevention (DLP).

    You can set up DLP to automatically detect sensitive information, such as credit card numbers and social security numbers, and prevent it from being inadvertently shared outside your company.

  • Exchange Online Archiving

    An Exchange Online Archiving license enables messages to be easily archived with continuous data backup. It stores all of a user’s emails, including deleted items, in case they are needed later for discovery or restoration. Additionally, you can use different retention policies to preserve email data for litigation holds, eDiscovery, or to meet compliance requirements.

  • Azure Information Protection

    Information protection helps you control access to sensitive information in email and documents with controls like “Do not forward” and “Do not copy.” You can also classify sensitive information as “Confidential” and specify how classified information can be shared outside and inside the business. Enterprise-grade encryption is easy to apply to email and documents to keep your information private. Microsoft 365 Business includes all the features of Azure Information Protection Plan 1. You can also install the Azure Information Protection client add-in for Office apps. For more details, see the Azure Information Protection client administrator guide.

  • The full capabilities of Intune in the Azure portal

    Accessing the Intune admin center in the Azure portal allows you to set up additional security features that are not available through the Microsoft 365 Business admin center, such as the management of macOS, iPhone, and Android devices, along with advanced device management for Windows.

The next sections describe how you can manage these features in the Security & Compliance center and the Intune admin center. Over time the simplified controls will be added to the Microsoft 365 Business admin center.

Set up Advanced Threat Protection features

  • Protect against unsafe attachments: ATP identifies malicious content by opening email attachments in a virtual environment and performing analysis of the resulting behavior. The content is evaluated to determine its intent (whether normal or malicious), and ATP blocks delivery of unsafe attachments, helping protect you against phishing schemes and ransomware infections. To activate attachment protection, see Set up Office 365 ATP safe attachments policies.

  • Protect your environment when users click malicious links: ATP also examines links in email at the time a user clicks them. If a link is unsafe, the user is warned not to visit the site or informed that the site has been blocked. This helps protect against phishing schemes. You can define an ATP Safe Links policy that applies to everyone or add a policy for specific email recipients.

Set up DLP features

See Create DLP policy from a template for an example on how to set up a policy to protect against personally identifiable information (PII).

DLP comes with many ready-to-use policy templates for many different locales, for example, Australia Financial Data, Canada Personal Information Act, and U.S. Financial Data. See What the DLP policy templates include for a full list. All of these templates can be enabled in the same way as in the PII template example.

Set up email retention with Exchange Online Archiving

Exchange Online Archiving license features give you the ability to help maintain compliance and regulatory standards by preserving email content for the purposes of eDiscovery. It also helps reduce your risk in the event of litigation and provides a way to recover data after a security breach or when you need to recover deleted items. To activate these capabilities, you can use litigation hold to preserve all of a user’s content, or use retention policies for greater customization.

  • Litigation hold: You can preserve all mailbox content including deleted items by putting a user’s entire mailbox on litigation hold.

    • To place a mailbox on litigation hold, in the Admin center:

      1. In the left nav, go to Users > Active users.

      2. Select the user whose mailbox you want to place on litigation hold, and in the user pane expand Mail settings. Next to More settings, choose Edit Exchange properties.

      3. On the mailbox page for the user, choose mailbox features on the left nav, and then choose the Enable link under Litigation hold.

      4. In the litigation hold dialog box, specify the hold duration in the Litigation hold duration field, or leave the field empty if you want to place an infinite hold. You can also add notes and direct the mailbox owner to a website you might have that explains more about the litigation hold. Then choose Save.

  • Retention: You can enable customized retention policies, for example, to preserve for a specific amount of time or delete content permanently at the end of the retention period. To learn more, see Overview of retention policies.
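The litigation hold steps above can also be applied from Exchange Online PowerShell, which helps when several mailboxes need the same hold and you want to confirm the result. This is an added example, not part of the original article; it assumes the ExchangeOnlineManagement module is installed, and the addresses, note text and URL are placeholders.

```powershell
# Added example (not from the original article).
# Assumptions: the ExchangeOnlineManagement module is installed and the signed-in
# admin is allowed to run Set-Mailbox. All addresses and the URL are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'

$mailboxes    = 'user1@contoso.example', 'user2@contoso.example'
$durationDays = $null   # $null leaves the duration empty (infinite hold); otherwise a number of days

foreach ($id in $mailboxes) {
    $params = @{
        Identity              = $id
        LitigationHoldEnabled = $true
        # Counterparts of the note and website fields in the litigation hold dialog box
        RetentionComment      = 'Your mailbox is on litigation hold. Contact Legal with questions.'
        RetentionUrl          = 'https://intranet.contoso.example/litigation-hold'
        ErrorAction           = 'Stop'
    }
    if ($durationDays) { $params.LitigationHoldDuration = $durationDays }

    try {
        Set-Mailbox @params
    }
    catch {
        # A mailbox without a license that supports litigation hold fails here
        Write-Warning "Could not place $id on hold: $($_.Exception.Message)"
    }
}

# Read the settings back instead of trusting the write
$state = foreach ($id in $mailboxes) {
    Get-Mailbox -Identity $id |
        Select-Object UserPrincipalName, LitigationHoldEnabled,
                      LitigationHoldDuration, LitigationHoldDate, LitigationHoldOwner
}
$state | Format-Table -AutoSize

# List any mailbox that is still not on hold so it can be followed up
$notHeld = $state | Where-Object { -not $_.LitigationHoldEnabled }
if ($notHeld) {
    Write-Warning ("Not on hold: " + ($notHeld.UserPrincipalName -join ', '))
}

Disconnect-ExchangeOnline -Confirm:$false
```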

Set up Azure Information Protection features

The ability to apply the following restrictions when sending emails in Outlook on the web is automatically enabled for all users:

  • Do Not Forward: Recipients can read the message, but they can't forward, print, or copy content.

  • Encrypt: The entire message is encrypted. Recipients must take extra steps to confirm their identity before accessing encrypted content and can't remove encryption.

  • Confidential: Gives the employees in your organization full permissions to the email content and attachments, but not to people outside your organization. Data owners can track and revoke content at any point.

  • Highly Confidential: This restriction can be applied to highly confidential data, allowing employees to view, edit, and reply, but not forward, print, or copy the data. Data owners can track and revoke content at any point.

To install the Azure Information Protection client to add the Protect icon and the classification ribbon for your Office apps, see Install the Azure Information Protection client for users.

To see how to add custom settings to the Azure Information Protection client, see Create custom settings for AIP.

For guidance on how to use the Azure Information Protection client, for example to classify a file or email, protect a file or email, and so on, see the User guide.


Q: When will these new security features be available?

A: The following features were added to Microsoft 365 Business on April 30, 2018.

  • Office 365 Advanced Threat Protection for email

  • Information Protection in web clients

  • Exchange Online Archiving

  • Enforcement of Windows Exploit Guard and Bitlocker Encryption

Note: Many of the features in this list are available now; others are made available to new and existing customers over the course of a few weeks.

During Summer 2018, Data Loss Prevention will become available and the Office desktop applications will be updated to support:

  • DLP Policy Tips in the Outlook, Word, Excel, and PowerPoint desktop applications.

  • Information Rights Management features in the Outlook, Word, Excel, and PowerPoint desktop applications.

  • Advanced Threat Protection for Word, Excel, and PowerPoint documents.

Q: Are these security features available in all markets?

A: Yes, these features are available in all markets where Microsoft 365 Business is sold.

Q: How do I find the Security & Compliance center?


  1. Sign in to Microsoft 365 Business by using your admin credentials.

  2. In the left nav, locate Admin centers and expand it.

  3. Choose Security & Compliance to go to Security & compliance center.

Q: How do I find the Intune admin center?


  1. Sign in to Microsoft 365 Business by using your admin credentials.

  2. In the left nav, locate Admin centers and expand it.

  3. Choose Intune to go to Intune admin center.

See Also

Microsoft 365 Business documentation and resources

Get started with Microsoft 365 Business

Manage Microsoft 365 Business
