Exchange Online Protection vs. Forefront Online Protection for Exchange

There is no doubt that Exchange Online Protection (EOP) has appeared different, even lacking, when compared to its predecessor Forefront Online Protection for Exchange (FOPE).  But Microsoft is closing that gap fast, even going beyond features we had in FOPE.  It’s just a matter of keeping pace with development to see what’s new and improved (or in some cases, what’s returned to EOP from FOPE).

Microsoft provides a nice FOPE vs. EOP feature comparison chart that initially showed how big of a gap there was between the two, but with each iteration of the chart we see improvement and they are quick to point out where EOP has surpassed its predecessor.  For example, with anti-phishing protection FOPE had 30,000 domains of known spammers in the block lists, while EOP blocks 750,000 domains of known spammers. Microsoft has also put together a FOPE to EOP transition guide that provides some additional information as well.

New Features in Exchange Online Protection

Some of the new features included in EOP — features that FOPE doesn’t offer — are useful ones, and I’ve listed some of the most noteworthy ones below.

  • International spam filtering:  You can configure EOP to block messages in up to 86 different languages and up to 250 different regions.
  • Blocked sender management in Outlook
  • Ability to search the quarantine
  • Ability to customize content filter policies per user, group or domain
  • Ability to view spam-quarantined message headers from the Exchange Admin Center
  • Ability to remove an attachment when malware is detected
  • Ability to customize malware filter policies per user, group or domain
  • Remote Windows PowerShell access
  • 90 days of message trace data (as opposed to 30 with FOPE)

What complaints do Exchange Administrators have about EOP?

It would appear as if EOP has finally trumped FOPE as a bolt-on solution to either on-premises Exchange (where you pay $1 per user) or Office 365 (where it is provided free of charge).  So why are there still complaints regarding EOP when compared to FOPE?

I have 3 theories on why some Microsoft Exchange administrators might still complain about EOP:

1. FOPE administration was clear and focused

EOP is not clearly called out, especially if you are using the Office 365 dashboard.  You have to dive into one section for security features and another for reporting; it’s not all together, which I find odd. Here is a series of three screenshots that illustrate my point, starting with Office 365.

The Office 365 Service Settings dashboard. (Image: J. Peter Bruzzese)

For example, if you are in the Office 365 dashboard, under SERVICE SETTINGS, under ‘Mail’ you are offered protection links (shown above).

The Office 365 Exchange admin center settings dashboard. (Image: J. Peter Bruzzese)

Clicking those links will actually take you over to the Exchange Admin Center settings (shown above).

The Office 365 Service Settings dashboard. (Image: J. Peter Bruzzese)

But if you want reports you have to go to the REPORTS option instead and look for the protection section (shown above). These three screengrabs visually demonstrate that Microsoft still has some work to do to make the EOP GUI experience more intuitive.

2. FOPE Speed of Development

A second reason for thinking FOPE is still better is the speed of development.  Some may not be aware that certain key features have been added in (or back in) in the last 3 months (give or take).  Microsoft is aggressively developing out EOP.  I had a fantastic chat this week with Shobhit Sahay, technical product manager on the Exchange Online team, and his team is focused on new EOP enhancements.  In conjunction with that the Office 365 team at Microsoft has blogged about enhancements already made and coming soon for EOP.  Both posts are worth a read, and I’ve linked them below.

3. Features that EOP is lacking

A third and final reason why some may feel FOPE was still a better option, even with all the new features and options, is that there are still a few features that EOP is missing or simply will not be providing.  For example, if your on-premises server cannot accept mail, FOPE would queue it for 5 days, EOP for 2 days.  Not a huge difference, but a difference nonetheless.  In EOP there is no way to disable malware filtering (which you could do in FOPE).  Now, in this case Microsoft is simply saying “we feel you need it and so don’t want you to be able to disable it,” which makes sense to me, but it is a difference.  And there are lots of other little differences like that (some/most for the better).

So is EOP finally better than FOPE?

My personal opinion, administrative dashboard aside, is that EOP has surpassed FOPE with regard to features and capabilities.  Much of this is recent, including the ability for end-users to view their own quarantined emails, so it’s understandable if it wasn’t clear to folks that the line has been crossed from lame to fame, but EOP has cleared it.

Now, what will it take to put EOP on par with some of the major players in the bolt-on security world?  Time and more aggressive development will tell.  It’s obvious the team knows where the gaps are between EOP and existing players, so they’ll have to focus on narrowing and eliminating those gaps going forward.  My personal recommendation is that they provide an EOP dashboard for folks like me, who liked the FOPE admin dashboard and prefer to have all our tools in one spot.