How to set up Microsoft 365 Advanced Threat Protection

Working out how to set up Microsoft 365 Advanced Threat Protection is one of the most effective ways to protect your business from email-based cyber attacks.

This is vital. Because phishing is the most common type of cyber crime. Email impersonation and spoofing, CEO fraud, malware delivered through dodgy links and the like – all types of email-based cyber attacks – are also on the rise.

If you’re not sure where to start with email security, here are some of the key ways Microsoft 365 ATP can help you:

What licenses do I need to enable Microsoft 365 ATP?

To be able to activate Microsoft 365 Advanced Threat Protection, you need to have

  • Microsoft Defender for Office 365
  • Microsoft 365 Business Premium (previously called Microsoft 365 Business)
  • Office 365 E5 or Microsoft 365 E5

If you don’t have one of these, you will need to talk it over with your Managed Service Provider or internal IT department.

How to set up Microsoft 365 Advanced Threat Protection

1) Sign in to your threat management policy

  1. Start a private or “incognito” browsing session
  2. Go to
  3. Use your global admin credentials to sign in
  4. Navigate to Threat Management > Policy

2) Turn on Microsoft 365 ATP Safe Attachments

  1. Navigate to ATP Safe Attachments
  2. Find the checkbox labelled Turn on ATP for SharePoint, OneDrive, and Microsoft Teams
  3. Tick it to enable it
  4. The create a new policy by clicking on the “+” symbol
  5. On your settings, you should see a list of options with options of “off”, “monitor”, “block”, “replace”, and “dynamic delivery”

You then need to decide how restrictive your policy is going to be. You have a couple of options

  1. Choose a restrictive policy – select block.
  2. OR choose a less restrictive policy – select replace. Then click Enable redirect and enter the email address of the person you want to receive the ticket (usually your IT team).
  3. Then, after you have chosen, find the checkbox labelled Apply the above selection if malware scanning for attachments times out or error occurs
  4. Tick it to enable it
  5. In the section that asks you to create a “recipient based rule”, choose If the recipient domain is
  6. Click Save.
  7. Wait for the changes to apply. This can be almost instant or take a few minutes.

2) Activate the Microsoft 365 ATP Safe Links feature

  1. Navigate to ATP Safe Links
  2. Double-click on Default
  3. A pop-up window should open

You should then be able to spot a line of checkboxes labelled:

  • Microsoft 365 Apps, Office for iOS and Android
  • Do not track when users click safe links
  • Do not let users click through safe links to original URL

Tick to enable all of those. Then click Save.

4) Enable ATP Anti-phishing

Finally, let’s enable some anti-phishing protection. This is quite a lot of actions, so buckle up!

  1. Navigate to Anti-phishing > Default policy > Impersonation
  2. Click Edit
  3. Turn the button to On
  4. Add all of your users. To do this, click Add user and enter the email address of an account you want to protect. You will need to do this individually for each user.
  5. Click Save

Next up, domains and actions:

  1. Navigate to Add domains to protect
  2. Spot the buttons labelled Automatically include the domains I own and Include custom domains
  3. Turn those both On
  4. Click Actions
  5. In the Actions section, spot the options labelled If email is sent by an impersonated user and If email is sent by an impersonated domain
  6. Set both of those drop-down lists to Move message to the recipients’ Junk Email folders
  7. Below those, you should see a link that says Turn on impersonation safety tips
  8. Click on it
  9. Spot the three switches labelled Show tip for impersonated users, Show tip for impersonated domains, and Show tip for unusual characters
  10. Turn all three of those On
  11. Click Save

Phew! Now we’re getting there. Just one thing still to do – Mailbox Intelligence:

  1. Navigate to Mailbox Intelligence
  2. Spot the buttons labelled Enable mailbox intelligence and Enable mailbox intelligence based impersonation protection
  3. Turn those both On
  4. Below that, you will see an option labelled If email is sent by an impersonated user
  5. Choose Move message to the recipients’ Junk Email folder in that drop-down list
  6. There should be an option to Review your settings. Go ahead and do that.
  7. If everything looks correct, click Save
  8. Then click Close

Get help setting up Microsoft 365 Advanced Threat Protection correctly

For many small and medium businesses, the technical know-how to understand exactly how Microsoft 365 Advanced Threat Protection works and why it’s so important to get right simply isn’t available in-house.

So if you’re not sure you’ve configured yours 100% correctly, why not talk to an expert about it?

Over 1000 businesses in Bristol and beyond have trusted Dial A Geek to ensure their systems are protected and they’re ready to grow.

Set up a cost and commitment-free consultation with Chief Geek Gildas Jones today to talk through your cybersecurity with no fee or obligation.