Changes to MDO P2 to Remove Requirements to License All Shared Mailboxes
Last August, I wrote about the issue of unexpected costs for Microsoft 365 customers when Microsoft Defender for Office 365 Plan 2 (MDO P2) was enabled in a tenant because MDO P2 is included as a service plan in Office 365/Microsoft 365 E5 licenses. No administrator action is required to use MDO P2; the presence of an E5 license is enough to activate its protection.
According to the MDO service description (August 2025), when MDO P2 is used by a tenant, “licenses must be acquired for users or mailboxes falling under one or more of the following scenarios:
- All Exchange Online users on the tenant. This is because Plan 2 features and capabilities protect all users in the tenant.
- All shared mailboxes on the tenant.”
In other words, the presence of just one E5 license automatically invokes the need for MDO P2 licenses for every Exchange Online user and shared mailbox. Buying MDO P2 at $5/user/month to remain compliant quickly racks up a substantial bill.
Group mailboxes also benefit from MDO P2 protection, but the service description makes no mention of a license requirement for these mailboxes, despite the efforts made by Microsoft over the years to give group mailboxes equivalent functionality to shared mailboxes.
Removing Inconsistency and Incoherence
In short, inconsistencies and incoherence abounded in the MDO P2 licensing requirements. The MDO team agreed to take the issue away to see what could be done to improve matters, and now they’ve come back with a revised licensing scheme.
The big change is the removal of the requirement for MDO P2 licenses for all user and shared mailboxes when E5 licenses are present. The previous position was indefensible and it’s good that Microsoft agreed.
Instead of a “MDO P2 licenses required for all mailboxes” approach, Microsoft uses the “if you benefit from a feature, you pay for a feature” rule that already applied to MDO P1 licensing. The new licensing terms are shown in Figure 1:

Microsoft Defender for Office 365 P2 can be licensed through any of the following:
“Microsoft Defender for Office 365 Plan 2 standalone, Microsoft 365 E5/A5/G5, Office 365 E5/A5/G5, Microsoft Defender Suite/EDU/GOV/FLW, and Microsoft Defender + Purview Suite FLW provide the rights for a user to benefit from Microsoft Defender for Office 365 Plan 2.”
In other words, tenant administrators must decide which mailboxes should benefit from MDO P2 and then license those mailboxes accordingly. Licensing is automatic for accounts with E5 licenses because the MDO P2 service plan is already present. Shared mailboxes that tenants want to receive MDO protection will need to be licensed.
Custom Policies Required to Scope MDO Coverage
Unless a tenant licenses every user and shared mailbox, the new licensing arrangement means that administrators must create custom scoped policies to enable the MDO P2 safe links, safe attachments, and anti-phishing features for target groups rather than using the scope of the default policy to “cover everyone.” The target group can include user and shared mailboxes.
In large tenants, several custom policies will probably be required to cover different target groups. Dynamic distribution groups aren’t supported for scoped policies, but dynamic Microsoft 365 Groups are. Using dynamic Microsoft 365 Groups creates the requirement for Entra P1 licenses for all users that are members of a dynamic group.
One issue is that the membership rules for dynamic Microsoft 365 Groups don’t offer an off-the-shelf way to find shared mailboxes. Shared mailboxes will need to be marked in some manner such as a value in a custom attribute to allow a membership rule to find and include their accounts in group membership. On the upside, a dynamic Microsoft 365 Group to find shared mailboxes for MDO protection can also assign the MDO P2 license to the mailboxes.
I can see why Microsoft has gone down the path of using custom scoped policies to target the mailboxes to receive MDO protection. It’s a feature that already exists and works, but I’m not sure how much use custom scoped MDO policies get in the real world because I have never used these kinds of policies. I’m also unsure about the amount of administrative effort that will be necessary to set up and maintain the policies, especially in large tenants.
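The scoping procedure described above (tag the shared mailboxes that need protection, build a dynamic Microsoft 365 Group from the tag, bind custom Safe Links and Safe Attachments policies to that group) and the licensing check from the guiding principles (sufficient licenses acquired for everything in scope) as one added PowerShell example. This is not code from the article or from Microsoft; it assumes Connect-ExchangeOnline and Connect-MgGraph have already been run, that the tenant holds Entra P1 for dynamic group members, and that the tag value, group alias, policy name and default SkuPartNumber are assumptions to verify in your own tenant.

```powershell
# Added example, not from the article. Assumes an Exchange Online and Microsoft Graph session
# (scopes Group.ReadWrite.All, Directory.Read.All) and Entra P1 for dynamic group members.
# The tag, alias and policy name are constructed values. Exchange Online CustomAttribute1 is
# surfaced to Entra dynamic membership rules as user.extensionAttribute1.
$Tag        = 'MDOProtect'
$GroupAlias = 'MDO-Protected-Mailboxes'
$PolicyName = 'MDO P2 - Scoped Protection'

# Step 1: mark the mailboxes that should receive MDO P2 protection. The caller decides which
# shared mailboxes actively receive external email; anything untagged stays out of scope and
# out of the licensing count. User mailboxes can be tagged the same way.
function Set-MdoProtectionTag {
    param([Parameter(Mandatory)][string[]]$Mailboxes)
    foreach ($Address in $Mailboxes) {
        $Mbx = Get-ExoMailbox -Identity $Address -ErrorAction Stop
        Set-Mailbox -Identity $Mbx.PrimarySmtpAddress -CustomAttribute1 $Tag
        Write-Host ("Tagged {0} ({1})" -f $Mbx.PrimarySmtpAddress, $Mbx.RecipientTypeDetails)
    }
}

# Step 2: a dynamic Microsoft 365 Group whose rule picks up every account carrying the tag.
# Dynamic distribution groups are not accepted by scoped MDO policies, hence a Unified group.
function New-MdoScopeGroup {
    $Rule = "(user.extensionAttribute1 -eq ""$Tag"")"
    New-MgGroup -DisplayName $GroupAlias -MailNickname $GroupAlias -MailEnabled:$true `
        -SecurityEnabled:$false -GroupTypes @('Unified', 'DynamicMembership') `
        -MembershipRule $Rule -MembershipRuleProcessingState 'On' -Visibility 'Private' | Out-Null
    # Exchange must see the group before a policy rule can reference it.
    do {
        Start-Sleep -Seconds 15
        $Exo = Get-UnifiedGroup -Identity $GroupAlias -ErrorAction SilentlyContinue
    } until ($Exo)
    return $Exo.PrimarySmtpAddress
}

# Step 3: custom Safe Links and Safe Attachments policies bound to the group rather than to
# "everyone", so only the group members (and their licenses) come within scope.
function New-MdoScopedPolicies {
    param([Parameter(Mandatory)][string]$GroupAddress)
    New-SafeLinksPolicy -Name $PolicyName -EnableSafeLinksForEmail $true -EnableSafeLinksForTeams $true `
        -EnableSafeLinksForOffice $true -ScanUrls $true -DeliverMessageAfterScan $true `
        -TrackClicks $true -AllowClickThrough $false | Out-Null
    New-SafeLinksRule -Name $PolicyName -SafeLinksPolicy $PolicyName -SentToMemberOf $GroupAddress | Out-Null
    New-SafeAttachmentPolicy -Name $PolicyName -Enable $true -Action Block -Redirect $false | Out-Null
    New-SafeAttachmentRule -Name $PolicyName -SafeAttachmentPolicy $PolicyName -SentToMemberOf $GroupAddress | Out-Null
}

# Step 4: the licensing check. Licenses must be acquired (not necessarily assigned) for every
# mailbox in scope, so compare the group's membership with the MDO P2 units the tenant owns.
# Dynamic membership takes a few minutes to populate after creation. The default SkuPartNumber
# is an assumption; confirm it against Get-MgSubscribedSku in your tenant before relying on it.
function Test-MdoLicenseCoverage {
    param([Parameter(Mandatory)][string]$GroupId, [string]$SkuPartNumber = 'THREAT_INTELLIGENCE')
    $InScope = @(Get-MgGroupMember -GroupId $GroupId -All).Count
    $Sku     = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq $SkuPartNumber
    $Owned   = if ($Sku) { $Sku.PrepaidUnits.Enabled } else { 0 }
    [pscustomobject]@{ InScopeMailboxes = $InScope; OwnedLicenses = $Owned; Covered = ($Owned -ge $InScope) }
}
```

Run the four functions in order; a `Covered` value of `$false` from the last one means the tenant has more mailboxes in scope than MDO P2 licenses acquired, which is the shortfall the revised terms make you responsible for.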
Group Mailboxes Don’t Need MDO Licenses
No mention is made about the group mailboxes used by Microsoft 365 Groups. This might be because Microsoft 365 Groups come about through the creation of other Microsoft 365 objects, like Teams and group-connected SharePoint Online sites. By contrast, creating a shared mailbox is a standalone operation to support the work of a team or to preserve a leaver mailbox, so it could be argued that it would be unfair to insist on licensing the automatic operation. In any case, I suspect that some debate will continue on this point.
Guiding Principles
The new licensing arrangement for MDO P2 can be broken down into four guiding principles:
- MDO licenses are required for any mailbox (or rather, the user account that the mailbox belongs to) that comes within the scope of an MDO policy to enable features like safe links and safe attachments.
- The majority of MDO processing happens during mail flow delivery to mailboxes. If a mailbox comes within the scope of an MDO policy (including a policy covering all mailboxes), it gets the benefit of the MDO features. If the account isn’t within the scope of an MDO policy, it doesn’t.
- When considering the protection of shared mailboxes, only include shared mailboxes that actively receive external email that requires protection. Exclude shared mailboxes like those used to retain leaver data (use inactive mailboxes instead), defunct mailboxes (consider their removal), and mailboxes used exclusively to process internal email.
- MDO licenses don’t need to be assigned to the accounts that own shared mailboxes. All Microsoft requires is that the tenant has sufficient MDO licenses to cover the user and shared mailboxes that come within the scope of MDO policies.
- Accounts that benefit from MDO P2 features must be licensed for those features.
The new MDO licensing arrangement is better, but it requires more thought and action from tenant administrators, especially to configure and maintain policies to make MDO P2 features available to user accounts.
Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.
Thanks for digging into this, much appreciated.
After reading all your posts and all Microsoft docs, just to double check I understand correctly how things stand now:
Scenario 1) All real users in the tenant have M365 Business Premium license assigned, preset standard/strict policies are applied globally. Each shared mailbox should be assigned MDO P1 even if all users using the shared mailboxes already have BP.
Scenario 2) All real users in the tenant have M365 Business Premium + “Defender Suite for Business Premium” licenses assigned, preset standard/strict policies are applied globally. Each shared mailbox should be assigned MDO P2 even if all users using the shared mailboxes already have BP + Defender Suite.
Am I right?
Thank you
The requirement arises from the mailbox, not users accessing the mailbox.
Shared mailboxes must be licensed if they benefit from MDO. For example, if the shared mailbox receives external email and that email is processed by MDO (Plan 1 or Plan 2), then the account owning the mailbox must be licensed appropriately. For instance, if email arriving into the shared mailbox goes through safe links and safe attachment processing, it needs MDO P2 because these are MDO P2 features that the mailbox benefits from.
MDO policies are used to identify which mailboxes are in scope for processing. The default is to process all mailboxes in a tenant, and that’s where a problem might arise. To solve the issue, create new policies to only process the set of target mailboxes that are licensed for MDO.
And many shared mailboxes do not need MDO because they don’t receive external email – so exclude these mailboxes from MDO policies to avoid creating a licensing requirement.
Hi Tony, I know how to scope them out but aren’t safe attachments and safe links features from plan 1?
https://blog.ciaops.com/2025/05/20/microsoft-defender-for-office-365-plan-1-vs-plan-2-comparison-and-smb-implementation-guide/
Yes, but MDO Plan 1 is only available to certain enterprises. In most cases, if you run with E5 licenses, you need MDO P2.
thank you for clarifying
Thank you very much for clarifying this with Microsoft. It’s great that Microsoft has now simplified this and made it clearer in MDO P2.
But what about the license prerequirements for shared mailboxes when they are assigned a MDO P1 or MDO P2? The product terms state that MDO P1/P2 prerequires a corresponding license:
This can be found in the Product Terms:
https://www.microsoft.com/licensing/terms/en-US/productoffering/ExchangeOnline/MCA#clause-2218-h3-1
License:
Microsoft Defender for Office 365 Plan 1/Plan 2
License Prerequisites:
Any Microsoft 365, Office 365, Exchange Online, SharePoint Online, or OneDrive for Business plan license
I’ll ask
Hi Tony,
is there any news on this yet? I’m also very interested to know whether the decision to make shared mailboxes, which are normally free, when using the MDO 1/2 plan, no longer free, but requiring an Exchange Online plan as a basic license, will be upheld.
Best regards
Torben
https://office365itpros.com/2025/10/31/mdo-p2-licensing/
Hi Tony, thanks for the link. I had already read the content beforehand and then asked my question.
However, Claudio Stallone, J. C., and my questions are aimed at the prerequisite/basic license topic, which is not answered by the article.
Basic license? You mean MDO1? Same rules apply – if a shared mailbox receives benefit from MDO, it must be licensed.
I have asked Microsoft about the prerequisite thing (Exchange license needed). I think this is an error and they will realize it soon. However, any licensing issue takes time to resolve.
We’re obviously talking at cross-purposes here :/
My question relates exclusively to shared mailboxes:
As is well known, a shared mailbox is free up to certain parameters:
Licenses: Your shared mailbox can store up to 50GB of data without you assigning a license to it. After that, you need to assign a license to the mailbox to store more data. For more details on shared mailbox licensing, please see Exchange Online Limits. When a shared mailbox reaches the storage limit, you’ll be able to receive email for a while, but you won’t be able to send new email. Then, after that, it will stop receiving email. Senders to the mailbox will get a non-delivery receipt.
Source: https://learn.microsoft.com/en-us/microsoft-365/admin/email/about-shared-mailboxes?view=o365-worldwide
Now I want to protect a shared mailbox with Defender for Office 365 and I decide to use the MDO P2 license. When I try to assign it to the shared mailbox, I get the following error message:
“Failed to assign license for ‘Mailbox Name’. The assignment for this user requires a service plan that is not a part of this product.”
This means that the shared mailbox, which is actually free, first requires an Exchange Online Plan 1 before I can assign my desired MDO P2 license in addition.
If I want to assign an MDO P1 license to my shared mailbox, this works without any error messages. Based on this, I contacted Microsoft a few weeks ago and asked why, when I assign an MDO P2 license to the shared mailbox, I suddenly need an Exchange Online Plan 1 as a basis, whereas this is not necessary when assigning the MDO P1 license.
Microsoft replied that I always need a base plan for both the MDO P1 license and the MDO P2 license, even for shared mailboxes.
They referred to the following excerpt:
License: Microsoft Defender for Office 365 Plan 1/Plan 2
License Prerequisites: Any Microsoft 365, Office 365, Exchange Online, SharePoint Online, or OneDrive license
Source: https://www.microsoft.com/licensing/terms/productoffering/ExchangeOnline/MCA#clause-2218-h3-1
Now we are all interested in whether Microsoft will continue to insist that, if we want to protect shared mailboxes, we still need an Exchange Online Plan 1 license in addition to the MDO P1/2 license.
The current answer I have from the MDO team is that a shared mailbox only needs an MDO (1 or 2) license if the shared mailbox receives benefit from MDO (whatever’s available in the tenant; 1 for SME tenants, 2 for SME or enterprise tenants).
According to the Exchange team, an Exchange license is only needed if the shared mailbox uses one of the Exchange features that requires licensing, like an extended quota or archived mailbox. The text you cite falls between the two teams and seems to be a licensing lacuna (such a lovely word for a gap) that has opened up between Exchange and MDO. I’ve asked the MDO team (who impose the requirement) to validate that such a prerequisite is valid and justifiable. It takes time to work through these issues and I cannot ask Microsoft to go any faster. It’s not as if I can storm into an office to demand answers…
If your Microsoft contacts can work the issue any faster, then please wait for an answer from them – and a documented change to the online policy.
The problem seems to be that MDO can’t work without something to protect, like Exchange, SharePoint, or Teams, so the license prerequisite is intended to say that Microsoft 365 tenants need to have licenses for the products for MDO to protect before MDO can be used. The text as written is “Any Microsoft 365, Office 365, Exchange Online, SharePoint Online or OneDrive license” and that applies at the tenant level. These products all include at least one service plan for a protectable application and that satisfies the prerequisite. There’s nothing about shared mailboxes in the licensing terms.
As I have pointed out to Microsoft, the way that the licensing terms are written is confusing and that view is being considered now. We’ll see what happens. I would push back on any Microsoft person who says that an EXO P2 license is needed for shared mailboxes to use MDO. Ask them for chapter and verse to prove the point and tell them to talk to MDO product management.
You can believe me, I corresponded with various Microsoft representatives over several weeks (email correspondence available) and requested exactly that (evidence/proof), but only ever received responses such as “that’s just how it is.”
In the end, I even contacted an independent SAM service provider because I was very disappointed with Microsoft’s statements (“that’s just how it is”). The SAM service provider corroborated Microsoft’s statements and also referred to this: https://www.microsoft.com/licensing/terms/productoffering/ExchangeOnline/MCA#clause-2218-h3-1
Ultimately, there must be some truth to the claim, otherwise the following error message would not appear in the context of MDO P2 when assigning a shared mailbox: “Failed to assign license for ‘Mailbox Name’. The assignment for this user requires a service plan that is not a part of this product.”
I am grateful to anyone who can help clarify the situation.
Especially for larger companies with a large number of exposed shared mailboxes that should at least be protected by MDO P1, significant additional costs would be incurred each month if MDO P1 is not sufficient and Exchange Online Plan 1 is also required as a basis.
I think the error with the MDO license assignment is due to some glitch somewhere. It’s being investigated.
Let’s wait and see what the MDO team says…
Hi Tony,
Any response from Microsoft regarding Claudio’s question? Is it required to assign an M365/Exchange Online license to the shared mailbox as a prerequisite before assigning MDO to the mailbox?
Thanks
Hi Tony,
Thanks once again for your efforts to clarify this.
Do you have any update regarding the pre-requisites table for MDO P1/P2 in the Product Terms that seems to indicate other license is needed for the shared mailbox before assigning it MDO license?
We’ve also been working on this with our Microsoft contact at TPD but they are not providing any clarity, I honestly think they don’t know how to escalate this properly.
I’m trying to get a definitive statement from Microsoft but am bogged down in their internal structures.
It seems like the situation is simple: Defender for Office 365 cannot work unless a tenant has prerequisite licenses for it to know what workloads to protect. That’s the reason for the prerequisite statement – Defender needs Exchange, SharePoint, or Teams to be present in a tenant. It is a tenant prerequisite, not an account prerequisite.
But getting Microsoft to say that in plain English is proving more difficult than you’d expect.
Just in case it’s useful and you weren’t aware: we have discovered that trying to assign an MDO P2 license to a shared mailbox shows an error saying an Exchange Online license is required. But interestingly this doesn’t happen with MDO P1.
That’s interesting. What error was reported?
“To assign a license that contains Microsoft Defender for Office 365 (Plan 2), you must also assign one of the following service plans: Exchange Online Archiving, Exchange Online Kiosk, Exchange Online (Plan 1).”
Another topic to discuss with my MDO friends…
I opened a support case regarding the error when assigning MDO P2 to a shared mailbox without EXO license (but not receiving error when assigning MDO P1). Not sure it makes sense (I still don’t get why it would be different in P2 vs P1), but sharing for anyone interested:
“Thank you for your patience while we completed the internal review.
Engineering team has now clarified the licensing interpretation for Microsoft Defender for Office 365 (MDO) as it applies to shared mailboxes:
✔ Licensing Requirement — “Acquire” vs “Assign”
The Microsoft 365 Service Descriptions use the term “acquire” when describing MDO licensing requirements for mailboxes, including shared mailboxes.
The guidance has been validated internally, and the clarification is:
MDO P2 licenses must be acquired for every mailbox (user or shared) that benefits from MDO P2 features.
The license does not need to be explicitly assigned to the shared mailbox in the Microsoft 365 admin center for compliance purposes.
This means the licensing obligation is fulfilled once the tenant owns sufficient MDO P2 licenses covering all the mailboxes that use the protection features — regardless of whether the license is technically assigned to the shared mailbox object.
✔ Assignment Behavior in the Admin Center
Although explicit assignment is not required for licensing compliance, the admin center may still enforce Exchange Online dependencies during manual assignment attempts (for example, when assigning MDO P2 directly to a shared mailbox).
This enforcement relates to the product’s assignment logic, not licensing rules.
✔ Documentation Update Request
Supportability has already raised a documentation enhancement request to add the clarification:
“Licenses must be acquired (but not necessarily assigned).”
Because Service Description documents are owned by a separate Microsoft content team, we cannot guarantee the timeline of that update, but the request is in place.
Summary
You must acquire the MDO P2 licenses for shared mailboxes using MDO P2 protection.
You do not need to assign the license directly to the shared mailbox.
The observed assignment error relates to product behavior, not licensing non‑compliance.
Could you please test the MDO P2 protection features on the shared mailbox and confirm whether any specific capability is not working as expected? For example:
AIR (Automated Investigation & Response)
Threat investigation insights
Attack simulation visibility
Safe Links / Safe Attachments behavior
If you observe any feature not applying or working differently than on user mailboxes, let us know. We will engage our engineering team immediately with those findings so they can investigate the behavior further.
This will help ensure that you receive accurate guidance based on real functional impact rather than assignment‑UI behavior.”
Hello J.C.,
Thank you for the information.
However, this question remains unanswered:
What are the licensing requirements for shared mailboxes when they benefit from MDO P1 or MDO P2 (considering “Acquire” vs. “Assign”)?
The product terms state that a corresponding license is required for MDO P1/P2:
You can find this in the product terms:
https://www.microsoft.com/licensing/terms/en-US/productoffering/ExchangeOnline/MCA#clause-2218-h3-1
License:
Microsoft Defender for Office 365 Plan 1/Plan 2
License requirements:
Any license for Microsoft 365, Office 365, Exchange Online, SharePoint Online, or OneDrive for Business
A lacuna (legal gap) exists between what the product terms and the service description say. The information reported by JC is correct in that a) acquisition of licenses is sufficient. You only need to have sufficient licenses to cover the shared mailboxes that benefit from MDO, and b) it takes time for Microsoft to align everything internally. The MDO team made the change to their service description. We just need the other team to change their text in the product terms to say that MDO can only work when a licensed product that uses MDO is already present in the tenant (Exchange Online, SharePoint Online, Teams, or OneDrive for Business).
If anyone has a problem with a Microsoft software audit, tell the local Microsoft team to contact the MDO team (I won’t publish the name here, but I know who the DRI is). They can sort this out internally and leave customers in peace.