Hello @Skipster311-1, Thanks for your feedback and question:

@pvanberlo is correct that precedence works in the following order from highest priority to lowest priority and it applies down to the security control level:

  1. Strict protection preset security policy
  2. Standard protection preset security policy
  3. Custom security policies
  4. Default security policies

That means, for example, if a security control/setting exists in Standard and admin has enabled it for a user, then it would be applied instead of what is configured for the setting in a custom policy or in the default policy if they are scoped to the same user. Note: you may have some portion of your org that you want to apply the standard/strict presets only and then for the others in your org you may apply a custom policy to meet specific use cases.


Today, we don't allow for customizations in the preset security policies (standard/strict) as the goal for presets is to require minimal admin effort to apply -- enable it and you've got all of the recommended security controls turned on. Any time we add any new controls, those will be automatically added in the preset security policies.


We will add this clarification to the MS doc page: Preset security policies - Office 365 | Microsoft DocsAlso, wanted to mention we are working on several improvements to make this configuration process easier. Thanks for the feedback!