Exchange | Exchange Server | Management
The administration and maintenance of Microsoft Exchange Server to ensure secure, reliable, and efficient email and collaboration services across an organization.
Tenant Allow/Block Lists
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(105.60000000000001, 41%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
Marc
631
Reputation points
In Microsoft 365 Defender we have:
Allowed and blocked senders and domains
Connection filtering (IP Allow list - IP Block list)
It is not clear for me what exactly does "Tenant Allow/Block Lists" (senders, spoofing, URLs, Files).
Exchange | Exchange Server | Management
{count} votes
-
KyleXu-MSFT 26,396 Reputation points2022-01-18T01:44:46.077+00:00 @Marc
I am writing here to confirm with you any update about this thread now.
If the suggestion below helps, please feel free to accept it as an answer to help more people. -
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(16, 31%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESD%3C/text%3E%3C/svg%3E)
Swanek, Douglas 0 Reputation points2023-09-26T19:58:30.5133333+00:00 If a specific user is listed in the tenant block/allow list (@domain.com), will that affect other users sending from that domain (@domain.com). Also having a user address or domain listed, does that affect users sending out to that domain? I'm seeing issues in which a single email address was listed in the tenant block/allow list and it's affecting other users sending from that domain and internal users sending out to that domain. Why does that happen?
Sign in to comment
7 answers
Sort by: Most helpful
-
Andy David - MVP 159.7K Reputation points MVP Volunteer Moderator2022-01-05T17:07:52.167+00:00 -
Marc 631 Reputation points
2022-01-05T19:02:07.96+00:00 What is the difference if I use "allow/block Sender emails or domains" in Tenant Allow/Block Lists or if I do it using "allowed and blocked senders and domains" in Antis-Spam?
In spoofing session I found a number of spoofed users. What criterion did the system use for detected and populated those users? They are marked with "allow". Allow, what exactly does it do?
If I try to edit one I have the option below:
What should I do?
-
Andy David - MVP 159.7K Reputation points MVP Volunteer Moderator
2022-01-05T19:31:12.057+00:00 Remember, Defender is a licensed product that offers additional protections and capabilities:
I agree it can get confusing however.
In pure terms, blocking or allowing email in anti-spam policies versus the the Tenant Allow there is not any real difference - EXCEPT the tenant Allow/Block list is org wide versus the anti-spam bloc/allow which would apply to that specific policy.
So the preference would be to use the Tenant List for simplicity unless you wanted to only apply to certain recipients, in which case use the anti-spam policy and set there. -
Marc 631 Reputation points
2022-01-05T22:58:36.417+00:00 In spoofing session I found a list of spoofed users.
Why are those users listed there?
Editing one spoofed user in the list I can see two options : allow or block. What is the difference?
-
Andy David - MVP 159.7K Reputation points MVP Volunteer Moderator
2022-01-06T12:58:17.04+00:00 Well, allow safelists the entry and block , blocks it :)
-
Marc 631 Reputation points
2022-01-07T15:57:40.407+00:00 The Tenant Allow / Block Lists has several users. Who added spoofed users there?
I have noticed all members of the list are allowed ? Why? If they are there; I beleieve they should be blocked and not Allowed.If I have a domain in "Allowed domains" in Anti-spam why do I find it in quarantine as spoofed?
-
Marc 631 Reputation points
2022-01-09T13:00:37.693+00:00 Any help?
Thanks -
Andy David - MVP 159.7K Reputation points MVP Volunteer Moderator
2022-01-09T13:53:23.823+00:00 Typically its because an admin has allowed them, either by adding the domain or through the submissions page:
https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/manage-tenant-allows?view=o365-worldwide#add-allows-using-the-submissions-portal -
Marc 631 Reputation points
2022-01-09T17:03:18.68+00:00 Well, in my case only submission was used.
So, if I understood well what the submission does is fix "false positives" using a working arround solution by adding domains and/or spoofed users in "Tenant Allow / Block Lists"?
Another strange things. Although I have a domain in in Anti-spam "Allowed domains" I find it in quarantine as spoofed domain. Strange.
Maybe because the "spoof intelligence" in the EOP mail floow filter the email before the Anti-spam and then overwrite the allowdomain (avoiding Anti-Spam)?
-
Andy David - MVP 159.7K Reputation points MVP Volunteer Moderator
2022-01-09T17:41:58.163+00:00 If the message is considered high confidence phish then it will be blocked even if you have it set to allow in anti-spam:
https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/secure-by-default?view=o365-worldwide
-
Marc 631 Reputation points
2022-01-09T23:22:43.86+00:00 If a message is considered high confidence phish what can we do to prevent it from being blocked?
Should we add it in "Tenant Allow / Block Lists"?
-
Andy David - MVP 159.7K Reputation points MVP Volunteer Moderator
2022-01-09T23:49:41.13+00:00 No, that wont work, per that doc:
Secure by default is not a setting that can be turned on or off, but is the way our filtering works out of the box to keep potentially dangerous or unwanted messages out of your mailboxes. Malware and high confidence phishing messages should be quarantined. By default, only admins can manage messages that are quarantined as malware or high confidence phishing, and they can also report false positives to Microsoft from there. For more information, see Manage quarantined messages and files as an admin in EOP.
If these are to be allowed, you will need to release them as an admin and report to Microsoft as a false positive.
Sign in to comment -
-
KyleXu-MSFT 26,396 Reputation points
2022-01-06T08:04:30.873+00:00 The Allow/Block list could override the Microsoft 365 filtering verdicts.
Such as you add a mailbox to the allow list, this mailbox will bypass the filter of spam even though this mailbox sends spam. If you add this mailbox to the block list, emails sent from this mailbox will be blocked.
About the spoofing session, here is an example:
I don't want emails from "contoso.net" blocked by Office 365, so, I add it into the allow list. (In this way, all emails from that domain could be delivered to my tenant)
But now, I don't want to receive emails from that domain, I would edit this rule from allow to block. (In this way, non-junk emails also cannot be delivered)
If I remove this rule, all emails sent from "contoso.net" will be judged by Microsoft 365 filtering. (Junk email will be blocked, no-junk email could be delivered)
About the creating of filter rule, you could have a look about this part.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
-
Marc 631 Reputation points
2022-01-12T21:32:06.397+00:00 If a message is considered high confidence phish/spoof or when we have the Spoof intelligence enabled then it takes precedence over other policies. In this case is it useless add the email to the Tenant Allow Lists, isn't it? Will allow list unlock the restrictive office 365 policies ?
What are the services that can be blocked by Office 365 and could be overwritten by "Tenant Allow / Block Lists"?
-
KyleXu-MSFT 26,396 Reputation points
2022-01-13T09:40:14.85+00:00 It is used to rewrite the judgment of EOP (configuration in your tenant). If email/sender is blocked by Microsoft (Configuration for all tenants), you need to report to Microsoft for removing email/sender from spam.
-
Marc 631 Reputation points
2022-01-13T12:01:51.987+00:00 Thanks. If I understand correctly:
everything configured in EOP such as:- antiphishing
- antispam (allow / block)
- connection filter
can be overwritten using "Tenant Allow/Block Lists".
But if this doesn't work (probably because the block is centrally settled by Micorosoft) then we have to report (submission) to Microsoft.
Am I right?
-
KyleXu-MSFT 26,396 Reputation points
2022-01-14T08:56:51.563+00:00 Yes, it is.
Sign in to comment -
-
Marc 631 Reputation points
2022-01-20T16:48:04.61+00:00 I need help to understand another thing.
In Senders we have "remove on".
What does this removal refer to? What is going to happen on 21-Jan-22?
Will it be deleted from the submission/quarantine list?
Thanks
-
Andy David - MVP 159.7K Reputation points MVP Volunteer Moderator
2022-01-20T18:41:01.55+00:00 Yes. The will expire by default:
https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/tenant-allow-block-list?view=o365-worldwide