Exchange Online Tenant Allow and Block List Management

As we know, Microsoft does not deliver emails identified as malware or high-confidence phishing to the inbox, in order to keep your organization safe. By default, Microsoft uses Exchange Online Protection (EOP) to protect your M365 environment against spam, malware, and similar email threats.

EOP filtering verdicts are sometimes wrong: a bad message gets through to users (a false negative), or a good message is blocked (a false positive). To let you override these filtering verdicts, Microsoft provides the Tenant Allow/Block List.

Where to Create Tenant Allow or Block List? 

There are two ways to create tenant allow or block lists, one via the Microsoft 365 Defender portal and one via PowerShell. 

To access the Tenant Allow/Block list from the Microsoft 365 Defender portal, 

  • Open the Microsoft 365 admin center. 
  • Select Security under the list of admin centers. 
  • Choose Policies and Rules under the Email & Collaboration section. 
  • Navigate to Threat Policies –> Tenant Allow/Block Lists under the Rules category. 

Note: Tenant Allow/Block entries can also be made on the Submissions page of the defender portal. 

In the tenant allow/block list, you can include domains and email addresses, spoofed senders, URLs, and files.

Note: A newly created entry becomes active within 30 minutes. In rare cases, it may take up to 24 hours to become active.

Who can create Tenant Allow/Block list?

You must be a member of one of the following role groups to add or remove values from the Tenant Allow/Block List. 

  • Organization Management role group 
  • Security Administrator role group 
  • Security Operator role group 

Members of the global reader, security reader, and view-only configuration role groups will have read access to the tenant allow/block list. 

Allow or Block Entries for Domains and Addresses

You can add 500 block entries and 500 allow entries, making 1000 in total. Domains and email addresses can be added, up to a maximum of 20 characters. After adding domains and addresses, you can also set when the block entry is removed: the default is 30 days, and it can be set up to 90 days. Allow entries for domains and email addresses, however, expire after 30 days.

Creating Block Entries

Using Defender Portal: 

  • Tenant Allow/Block List page – You can add the domains and email addresses that you want to block. 
  • Submissions page – Under the Email submission type, you can either add the valid email network message ID or can upload the email file in .msg or .eml format, and state the reason as ‘Should have been blocked’.   

Using PowerShell: 

First, connect to Exchange Online PowerShell and run the below cmdlet.

Provide a valid domain name or email address in the ‘Entries’ parameter to create block entries.
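As an added example (not code from the original post), the following creates block entries for a domain and an address with the 90-day maximum expiry described above and then verifies them. It assumes the ExchangeOnlineManagement module's New-TenantAllowBlockListItems and Get-TenantAllowBlockListItems cmdlets, a placeholder admin UPN, and constructed sample entries.

```powershell
# Added example: block a domain and an address in the Tenant Allow/Block List.
# Assumes the ExchangeOnlineManagement module is installed and the account holds
# one of the role groups listed above. The UPN and entries are placeholders.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.onmicrosoft.com   # placeholder UPN

# Constructed sample values: one domain and one full address.
$entries = @('fakersdomain.com', 'fakeuser@anotherdomain.example')

# Block entries default to 30 days; this sets the 90-day maximum, in UTC.
$expiry = (Get-Date).ToUniversalTime().AddDays(90)

New-TenantAllowBlockListItems -ListType Sender -Block -Entries $entries `
    -ExpirationDate $expiry -Notes 'Reported phishing sender, ticket TICKET-PLACEHOLDER'

# Verify that each value now exists as a block entry and still carries its expiry.
foreach ($e in $entries) {
    $item = Get-TenantAllowBlockListItems -ListType Sender -Block -Entry $e
    if ($null -eq $item) {
        Write-Warning "Block entry for $e was not found yet (activation can take up to 30 minutes)"
    } else {
        '{0} -> action={1}, expires={2:u}' -f $item.Value, $item.Action, $item.ExpirationDate
    }
}
```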

Creating Allow Entries 

  • You can use the Submissions page to report email addresses that should not have been blocked (false positive).

You can’t create allow entries directly in the Tenant Allow/Block list portal or PowerShell. 

Tenant Allow/Block email address list

 

Allow or Block Entries for Spoofed Senders

Up to 1024 entries are allowed for spoofed senders. Make sure that the spoofed sender entries you add use the proper syntax.

Spoofed Sender Syntax: entries are domain pairs of the form <Spoofed user>, <Sending infrastructure>, and wildcards are allowed in the pair. E.g., fakeuser@fakersdomain.com, psm.knowbe5.com

By default, both allow and block entries for spoofed senders never expire. If the spoofed sender belongs to your organization, select the spoof type as Internal. Select External if the sender is from an external domain. 

Creating Block Entries

Using Defender Portal: 

  • Tenant Allow/Block List page – You can add the spoofed senders on this page and specify a spoof type. Then choose the action as Block.
  • Submission page – While submitting a message, you can choose to block all emails from the sender, which adds a block entry for spoofed senders.

Using PowerShell: 

You can connect to the Exchange Online PowerShell and run the below cmdlet to create block entries for spoofed senders in the tenant allow/block list. 

Creating Allow Entries

Using Defender Portal: 

  • Tenant Allow/Block List Page – You can add the spoofed senders and specify a spoof type. Then choose the action as Allow 

Using PowerShell: 

After connecting to Exchange Online, run the cmdlet mentioned below to add an allow entry for spoofed senders.

In the above syntax, replace the spoofed user and sending infrastructure with valid values.
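As an added example (not code from the original post) covering both the block and allow steps above, the following adds one block pair and one allow pair to the spoofed senders list and then reviews them. It assumes the New-TenantAllowBlockListSpoofItems and Get-TenantAllowBlockListSpoofItems cmdlets from the ExchangeOnlineManagement module; the block pair reuses the syntax sample from the post, and the allow pair and UPN are constructed placeholders.

```powershell
# Added example: manage spoofed sender pairs in the Tenant Allow/Block List.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.onmicrosoft.com   # placeholder UPN

# Each entry is a domain pair: <Spoofed user>, <Sending infrastructure>.
# The first pair is the post's syntax sample; the second is a constructed sample
# of an internal domain that a legitimate third-party mailer is allowed to spoof.
$pairs = @(
    @{ SpoofedUser = 'fakeuser@fakersdomain.com'; SendingInfrastructure = 'psm.knowbe5.com';
       SpoofType = 'External'; Action = 'Block' },
    @{ SpoofedUser = 'contoso.com'; SendingInfrastructure = 'mail.bulk-mailer.example';
       SpoofType = 'Internal'; Action = 'Allow' }
)

foreach ($p in $pairs) {
    # Sanity check before submitting: the sending infrastructure is a domain, not an address.
    if ($p.SendingInfrastructure -match '@') {
        Write-Warning ("Skipping {0}: sending infrastructure must not be an email address" -f $p.SpoofedUser)
        continue
    }
    New-TenantAllowBlockListSpoofItems -Identity Default `
        -SpoofedUser $p.SpoofedUser -SendingInfrastructure $p.SendingInfrastructure `
        -SpoofType $p.SpoofType -Action $p.Action
}

# Spoof entries never expire, so review block and allow pairs periodically.
Get-TenantAllowBlockListSpoofItems -Action Block | Select-Object SpoofedUser, SendingInfrastructure, SpoofType
Get-TenantAllowBlockListSpoofItems -Action Allow | Select-Object SpoofedUser, SendingInfrastructure, SpoofType
```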

Tenant Allow/Block Spoofed Senders List - Microsoft 365 security

 

Allow or Block Entries for URLs 

URLs can have a maximum of 500 allow entries and 500 block entries, making 1000 in total. A URL entry can have a maximum of 250 characters. Email messages that contain blocked URLs are treated as high-confidence phishing.

URL Syntax: admindroid.com, xyz.abc.admindroid.com, admindroid.com/a, xyz.abc.admindroid.com/a/b/c, etc. 

As with domain and address entries, block URL entries can be held for up to 90 days and allow entries for up to 30 days.

Creating Block Entries

Using Defender Portal:

  • Tenant Allow/Block List page – You can add the URLs that you want to block.
  • Submission page – Under the URL submission type, add the URL you want to block, state the reason as ‘Should have been blocked’, and submit after categorizing.

Using PowerShell: 

To add a URL block entry, run the following cmdlet after connecting to Exchange Online PowerShell.

Creating Allow Entries 

  • On the Submissions page, you can submit the URLs with the reason that they should not have been blocked.

It is not possible to create allowed URL entries directly on the Tenant Allow/Block List page or via PowerShell.

Tenant Allow/Block URLs List

 

Allow or Block Entries for Files 

Files can have a maximum of 500 allow entries and 500 block entries, making 1000 file entries in total. A file entry can have a maximum of 64 characters. Blocked files in email messages are treated as malware.

Add one file hash value per line, up to a maximum of 20. You can also set when the block entry is removed after adding files: the default is 30 days, and it can be set up to 90 days.

Creating Block Entries

Using Microsoft Defender Portal: 

  • Tenant Allow/Block List page – You can add files that should be blocked by separating each hash per line. 
  • Submission page – Under the Email Attachment submission type, you can upload the file you want to block. State the reason as ‘Should have been blocked’ and submit.

Using PowerShell: 

Using the syntax above, you can add a block entry for the specified files that never expires.
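As an added example (not code from the original post) serving both the URL and the file PowerShell steps above, the following blocks a URL for the 90-day maximum and blocks a file by its SHA256 hash with no expiry, then lists what was added. It assumes the New-TenantAllowBlockListItems and Get-TenantAllowBlockListItems cmdlets from the ExchangeOnlineManagement module and the built-in Get-FileHash cmdlet; the URL reuses the post's admindroid.com syntax sample, and the UPN and sample file path are placeholders.

```powershell
# Added example: URL and file-hash block entries in the Tenant Allow/Block List.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.onmicrosoft.com   # placeholder UPN

# URL block entries can be held for up to 90 days (set here, in UTC).
$urls = @('xyz.abc.admindroid.com/a/b/c')   # constructed sample in the post's URL syntax
New-TenantAllowBlockListItems -ListType Url -Block -Entries $urls `
    -ExpirationDate (Get-Date).ToUniversalTime().AddDays(90) -Notes 'Phishing URL from user report'

# A file entry is the SHA256 hash of the file (64 hex characters). Compute it from a
# local sample instead of re-typing it, and check the format before submitting.
$samplePath = 'C:\Quarantine\sample.bin'   # placeholder path (assumption)
$hash = (Get-FileHash -Path $samplePath -Algorithm SHA256).Hash
if ($hash -notmatch '^[0-9A-Fa-f]{64}$') { throw "Unexpected hash format: $hash" }

# File block entry that never expires, as described above.
New-TenantAllowBlockListItems -ListType FileHash -Block -Entries @($hash) -NoExpiration `
    -Notes ('Malicious attachment, sample ' + (Split-Path $samplePath -Leaf))

# Review the resulting block entries; new entries can take up to 30 minutes to become active.
Get-TenantAllowBlockListItems -ListType Url -Block | Select-Object Value, ExpirationDate, Notes
Get-TenantAllowBlockListItems -ListType FileHash -Block | Select-Object Value, ExpirationDate, Notes
```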

Creating Allow Entries

  • To report a false positive, upload the respective file in the Submissions portal. 

Here too, you can’t directly create allow entries on the Tenant Allow/Block List page or via PowerShell.

Tenant Allow/Block File List - Microsoft 365 security

I hope this blog has provided you with some insights into the process of creating an Allow/Block list for tenants in Microsoft 365. For further queries, reach us in the comment section. We would be glad to assist you.