Microsoft Defender for Office 365 comes in two tiers, and the gap between them is one of the more consequential licensing decisions an Australian business makes for email security. Plan 1 (often shortened to MDO P1) and Plan 2 (P2) protect the same mailboxes against the same threats — phishing, malicious links, weaponised attachments — but they answer two different questions. Plan 1 asks: did this email get blocked? Plan 2 asks: what happened, where did it spread, and can the platform clean it up on its own?
For most organisations the choice is not academic. It changes both the monthly bill and the amount of manual security work an internal IT team carries. This guide sets out what each plan actually includes, what the figures look like in Australian dollars, and a change landing in July 2026 that shifts the calculus for E3 and Business Standard customers.
What Plan 1 and Plan 2 share
Both plans deliver Defender for Office 365's prevention layer. That means Safe Attachments (detonating files in a sandbox before delivery), Safe Links (rewriting and checking URLs at click time, including in Teams and Office apps), anti-phishing policies with impersonation and spoof protection, and real-time detection of malicious content. This is the core that sits in front of every mailbox and stops the bulk of inbound threats before a user ever sees them.
If the requirement is simply better protection than Exchange Online Protection gives out of the box, Plan 1 covers it. The prevention engine is the same in both tiers — Microsoft does not hold back filtering quality for P2.
What Plan 2 adds
Plan 2 is the investigation, hunting and automation tier. It includes everything in Plan 1 and then adds the capabilities a security team reaches for after something gets through, or when they want to go looking before an alert fires.
- Automated Investigation and Response (AIR): when a threat is detected, Defender launches investigation playbooks, finds related evidence such as other copies of a phishing email across the tenant, and can quarantine them automatically without an admin touching each one.
- Threat Explorer and real-time detections: an interactive search across email and content so an admin can hunt for indicators of compromise rather than wait for an alert — for example, checking whether any user received an email tied to a breaking malware campaign.
- Advanced hunting: a query interface using Kusto Query Language (KQL) over roughly 30 days of data, correlating signals across email, identity and endpoints.
- Attack Simulation Training: running realistic phishing simulations against staff and tracking who clicks, then assigning targeted training.
- Campaign views and richer reporting that group related attacks together rather than showing them as isolated events.
The shorthand: Plan 1 prevents, Plan 2 investigates and remediates at machine speed. The value of P2 scales with how often an organisation is targeted and how thin its IT team is — automation matters most when there is nobody spare to manually chase a phishing email through 200 mailboxes.
Pricing in Australian dollars
Microsoft lists Defender for Office 365 globally at around USD 2 per user per month for Plan 1 and USD 5 per user per month for Plan 2 (verified across independent pricing trackers in 2026). Australian list pricing is set in AUD and excludes GST; the exact figure moves with Microsoft's local price book rather than a live exchange-rate conversion.
Add-on licences can usually be applied to the subset of users who need them rather than the whole tenant, though Microsoft's per-suite eligibility rules apply. Frontrow models this against headcount and risk profile before any commitment — licensing can be complex, and getting the seat count right is where most of the saving sits.
The July 2026 change every E3 and Business Standard customer should note
From July 2026, Microsoft is folding Defender for Office 365 Plan 1 into Office 365 E3 and Microsoft 365 E3 at no extra cost. The rollout begins in July and is expected to complete by 1 August 2026, with a 30-day notice arriving in each tenant's Message Center beforehand. Microsoft is also adding lighter URL-filtering protection to E1, Business Basic and Business Standard.
For an E3 customer who has been paying separately for Plan 1, that line item effectively disappears — the prevention layer becomes part of the baseline. This is a genuinely customer-helpful change, and it sharpens the real question for E3 organisations: the decision is no longer 'Plan 1 or nothing', it is 'is the Plan 2 uplift worth it on top of the Plan 1 we now get for free?'
Business Standard customers do not get full Plan 1 from this change — they get the lighter URL filtering — so the Plan 1 versus Plan 2 add-on decision still stands for them. The detail matters, and it is exactly the kind of distinction that gets missed when a renewal is rubber-stamped.
Is Plan 2 worth it?
Plan 2 earns its premium in three situations. First, where there is no dedicated security team and AIR's automated clean-up replaces hours of manual mailbox triage after each incident. Second, where the organisation is a frequent target — professional services, finance, anyone moving money — and Threat Explorer plus advanced hunting let an admin get ahead of a campaign. Third, where Attack Simulation Training is wanted to lift staff awareness as a measurable control rather than an annual slideshow.
Where email volume is low, the team is comfortable handling the occasional incident by hand, and there is no appetite for run-your-own phishing simulations, Plan 1 (or the bundled Plan 1 arriving in E3) is a defensible stopping point. The premium for P2 is small per seat but real across a few hundred users, and it should be tied to capability the organisation will actually use.
What Frontrow would actually do
Before recommending a tier, Frontrow checks what each user already holds. Many Australian businesses are entitled to Defender for Office 365 capability through E5, Business Premium or an existing add-on and are unknowingly paying twice — and from July 2026, E3 customers gain Plan 1 they may currently buy separately. Step one is always an entitlement audit, because the cheapest licence is the one already owned.
From there the call is straightforward: confirm Plan 1-level prevention is switched on and configured properly (Safe Links and Safe Attachments policies are frequently licensed but left at defaults), then decide whether the AIR, hunting and simulation features in Plan 2 map to work the team is currently doing by hand. If they do, P2 pays for itself in recovered time. If they don't, the money is better spent elsewhere in the security stack. Frontrow walks clients through that comparison so the licensing follows the requirement, not the other way around.
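The entitlement audit and configuration check described above can be scripted read-only. The following is an added example, not Frontrow's or Microsoft's own tooling; it assumes the Microsoft.Graph and ExchangeOnlineManagement PowerShell modules are installed and that the account has read access to licences and policies. The variable names are illustrative.

```powershell
# Added example: read-only Defender for Office 365 (MDO) entitlement audit.
# Microsoft's service plan names: ATP_ENTERPRISE = Plan 1, THREAT_INTELLIGENCE = Plan 2.
$mdoPlans = @{ ATP_ENTERPRISE = 'P1'; THREAT_INTELLIGENCE = 'P2' }
Connect-MgGraph -Scopes 'Organization.Read.All','User.Read.All'

# 1. Subscriptions that carry MDO, with seats owned versus assigned.
$skuMap = @{}
$skus = foreach ($sku in Get-MgSubscribedSku -All) {
    $hits = $sku.ServicePlans | Where-Object { $mdoPlans.ContainsKey($_.ServicePlanName) }
    if (-not $hits) { continue }
    $skuMap[$sku.SkuId] = $sku
    [pscustomobject]@{
        Sku      = $sku.SkuPartNumber
        MdoTier  = ($hits | ForEach-Object { $mdoPlans[$_.ServicePlanName] } |
                    Sort-Object -Unique) -join '+'
        Owned    = $sku.PrepaidUnits.Enabled
        Assigned = $sku.ConsumedUnits
    }
}
$skus | Format-Table -AutoSize

# 2. Users who receive MDO from more than one SKU (candidates for double payment).
#    A plan switched off inside a licence (DisabledPlans) does not count as a source.
$overlap = foreach ($u in Get-MgUser -All -Property Id,UserPrincipalName,AssignedLicenses) {
    $sources = foreach ($lic in $u.AssignedLicenses) {
        $sku = $skuMap[$lic.SkuId]
        if (-not $sku) { continue }
        $active = $sku.ServicePlans | Where-Object {
            $mdoPlans.ContainsKey($_.ServicePlanName) -and
            $lic.DisabledPlans -notcontains $_.ServicePlanId
        }
        if ($active) { $sku.SkuPartNumber }
    }
    if (@($sources).Count -gt 1) {
        [pscustomobject]@{ User = $u.UserPrincipalName; MdoFrom = $sources -join ', ' }
    }
}
$overlap | Sort-Object MdoFrom, User | Format-Table -AutoSize

# 3. Is the licensed prevention layer actually configured?
#    A custom policy reaches recipients only through an enabled rule.
Connect-ExchangeOnline -ShowBanner:$false
Get-SafeAttachmentPolicy | Select-Object Name, Enable, Action
Get-SafeLinksPolicy | Select-Object Name, EnableSafeLinksForEmail,
    EnableSafeLinksForTeams, EnableSafeLinksForOffice, AllowClickThrough
Get-SafeLinksRule | Select-Object Name, State, SafeLinksPolicy, Priority
```

A user listed in step 2 with one Plan 1 source and one Plan 2 source may be intentional (a P2 uplift on top of a suite); two sources of the same tier are the ones to question at renewal.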