7 Microsoft 365 Security Features to Enable Before August

Between May and July 2026, Microsoft is rolling enterprise-grade security tools into existing Microsoft 365 Business and Enterprise licenses at no additional cost. Defender for Office 365 Plan 1, time-of-click URL scanning, and a suite of Intune device management capabilities are all landing in plans that previously required separate add-on purchases. The problem: most of these features require manual configuration. If nobody on your team has enabled them, you’re paying the July 1 price increase without getting the security improvements that come with it.

What Changed and When

The rollout splits into two waves. The first wave went live May 1 and includes Defender for Office 365 Plan 1 in E3, Safe Links for Business Basic and Standard, and Intune Remote Help and Advanced Analytics in core licenses. We covered those changes in detail in our M365 free security features guide.

The second wave hits July 1 with three more Intune capabilities: Endpoint Privilege Management, Enterprise Application Management, and Cloud PKI for E3 and E5 tenants. Everything completes by August 1.

This post covers the full picture. All seven features, what each one does in plain English, and what to verify in your tenant before the rollout window closes.

Feature 1: Safe Links

Plans: Business Basic, Business Standard, E1, E3, E5
Status: Available now

Safe Links rewrites URLs in emails and Teams messages, scanning them at the moment a user clicks rather than only at delivery. Attackers routinely weaponize links hours after an email passes initial scanning. A URL that was clean at 9 AM can redirect to a credential harvesting page by noon. Safe Links catches this because it checks the destination every time someone clicks.

What to verify: Open the Microsoft Defender portal at security.microsoft.com. Go to Policies & rules > Threat policies > Safe Links. Confirm that you have an active policy covering all user groups, including Business Basic and Standard users. Lower-tier users are eligible now but need to be explicitly added to the policy scope. Also confirm Safe Links is enabled for Microsoft Teams messages, not just email.

Feature 2: Safe Attachments

Plans: E3, E5
Status: Available now

Safe Attachments opens email attachments in an isolated sandbox before delivering them. If an attachment tries to execute malicious code, download additional payloads, or modify system files during detonation, it gets blocked. This catches malware variants that signature-based scanning misses because it evaluates behavior rather than matching known patterns.

For a 100-person company on E3, this capability previously cost roughly $2 per user per month as a standalone Defender add-on. It’s now included in the base license.

What to verify: In the Defender portal, go to Policies & rules > Threat policies > Safe Attachments. Confirm a policy exists and covers all E3/E5 users. Set the action to Dynamic Delivery if your team is sensitive to email delays. Dynamic Delivery sends the message body immediately and replaces the attachment with a placeholder until scanning completes, typically within 30 seconds.

Feature 3: Anti-Phishing with Mailbox Intelligence

Plans: E3, E5
Status: Available now

Defender for Office 365 Plan 1 includes anti-phishing policies that go beyond what Exchange Online Protection provides by default. Mailbox intelligence analyzes each user’s communication patterns to detect impersonation attempts. If someone outside your organization sends an email pretending to be your CFO, the system recognizes that the sender doesn’t match the established pattern for that identity and flags it.

The policy also catches domain impersonation, where an attacker registers a lookalike domain (inf0naligy.com instead of infonaligy.com) to spoof a trusted sender.

What to verify: In the Defender portal, go to Policies & rules > Threat policies > Anti-phishing. Check that mailbox intelligence is enabled. Add your executives’ names and email addresses to the impersonation protection list. Your CEO, CFO, and anyone who authorizes payments should be on this list at minimum. The feature can’t protect against impersonation of identities it doesn’t know to watch.

Feature 4: Endpoint Privilege Management

Plans: E3, E5
Status: July 1

This is one of the most impactful additions in the July wave. Endpoint Privilege Management lets IT teams remove local administrator rights from user workstations while still allowing specific applications to run with elevated permissions when needed. Users don’t need admin access for daily work, but some legacy applications or installers require it. This feature eliminates the choice between granting full admin rights and breaking application workflows.

Removing local admin rights from standard users is one of the most effective defenses against malware. When ransomware lands on a machine without admin access, it can’t install itself, modify system files, or disable security tools. This single configuration change blocks a wide range of attacks that depend on elevated privileges to do real damage.

What to verify: Starting July 1, enable Endpoint Privilege Management in the Intune admin center. Create elevation rules for applications that legitimately need admin access, starting with your most common exception requests like software installers and printer drivers. If you’re not sure which applications your users run with elevated privileges today, your managed IT provider can audit this before the feature goes live.

Feature 5: Intune Advanced Analytics

Plans: E3, E5
Status: Available now

Advanced Analytics provides device health scoring, anomaly detection, and performance reporting across your managed endpoints. It identifies devices with degrading battery performance, high crash rates, or slow startup times before they generate help desk tickets. The anomaly detection feature is particularly useful for catching fleet-wide issues, such as a spike in app crashes after a Windows update or a group of laptops experiencing network connectivity problems in a specific office.

What to verify: In the Intune admin center, go to Reports > Endpoint analytics. Confirm that devices are enrolled and reporting. If you’re using Intune for device management but haven’t enabled the analytics features, turn on the endpoint analytics baseline. Health scores start populating within 24 to 48 hours.

Feature 6: Intune Remote Help

Plans: E3, E5
Status: Available now

Remote Help provides screen sharing and remote control for IT support sessions directly within the Intune portal. Unlike third-party remote access tools, it includes full session logging, role-based access controls, and audit trails that tie each session to a specific technician and device. For companies with compliance requirements around remote access documentation (HIPAA, CMMC, SOC 2), built-in audit logging is a meaningful improvement over standalone tools that may not provide the same level of traceability.

What to verify: Enable Remote Help in the Intune admin center under Tenant administration > Connectors and tokens > Remote Help. Configure role-based access so only authorized support staff can initiate sessions. If you’re paying for a standalone remote access tool primarily for help desk support, evaluate whether Remote Help covers your use case and the separate license can be retired.

Feature 7: Enterprise Application Management

Plans: E3, E5
Status: July 1

Enterprise Application Management provides a curated catalog of pre-packaged business applications that can be deployed through Intune without manual packaging. Instead of downloading an installer, building a deployment package, testing it, and pushing it to devices, your IT team selects the application from a Microsoft-managed catalog and assigns it to user groups. Updates flow through the same channel automatically.

Out-of-date applications are a common attack vector. Every unpatched version of a browser, PDF reader, or communication tool represents a known vulnerability. Automating deployment and updates through a managed catalog closes that gap without adding workload to your IT team.

What to verify: Starting July 1, the Enterprise App Management catalog becomes available in the Intune admin center under Apps. Review the catalog to identify applications your organization currently packages manually. Prioritize high-risk applications that receive frequent security patches, such as Chrome, Acrobat Reader, and Zoom.

What to Ask Your IT Team This Month

If you have an internal IT team or work with a Microsoft 365 consulting partner, bring these questions to your next conversation:

• Are Safe Links policies covering every user in the tenant? Business Basic and Standard users are eligible now but may need to be added manually to the policy scope.
• Is Safe Attachments configured with Dynamic Delivery? Confirm the policy exists, covers all E3/E5 users, and isn’t causing unnecessary email delays.
• Which executives are on the impersonation protection list? Anyone who authorizes payments or signs contracts should be protected.
• Do any users still have local admin rights on their workstations? Plan to address this with Endpoint Privilege Management starting July 1.
• Are we still paying for add-ons that are now included? Check for standalone Defender for Office 365, Intune Suite, or remote access subscriptions that duplicate capabilities in the base license.
• What’s our current Microsoft Secure Score? If it hasn’t improved since May, the new features probably aren’t configured.

These Features Raise Your Floor, Not Your Ceiling

These additions strengthen the security baseline of your M365 environment. Safe Links and Safe Attachments improve your email security posture. Endpoint Privilege Management hardens workstations. Analytics and Remote Help give your IT team better visibility and faster response.

They don’t replace endpoint detection and response, 24/7 SOC monitoring, backup and disaster recovery, or the broader set of tenant-level security configurations that every M365 environment needs. Microsoft is making the baseline stronger, which is genuinely valuable. Baseline security and comprehensive security are different things, and knowing where one ends and the other begins is what keeps your business protected.

The practical next step: verify these seven features are enabled, cancel any duplicate add-on subscriptions, and have an honest conversation with your IT provider about what gaps remain.