Configure the advanced delivery policy for third-party phishing simulations and email delivery to SecOps mailboxes
Tip
Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365 Defender portal trials hub. Learn about who can sign up and trial terms here.
Applies to
- Exchange Online Protection
- Microsoft Defender for Office 365 plan 1 and plan 2
- Microsoft 365 Defender
To keep your organization secure by default, Exchange Online Protection (EOP) doesn't allow safe lists or filtering bypass for messages that are identified as malware or high confidence phishing. But, there are specific scenarios that require the delivery of unfiltered messages. For example:
- Third-party phishing simulations: Simulated attacks can help you identify vulnerable users before a real attack impacts your organization.
- Security operations (SecOps) mailboxes: Dedicated mailboxes that are used by security teams to collect and analyze unfiltered messages (both good and bad).
You use the advanced delivery policy in Microsoft 365 to prevent inbound messages in these specific scenarios from being filtered¹. The advanced delivery policy ensures that messages in these scenarios achieve the following results:
- Filters in EOP and Defender for Office 365 take no action on these messages.¹
- Zero-hour Purge (ZAP) for spam and phishing take no action on these messages².
- Default system alerts aren't triggered for these scenarios.
- AIR and clustering in Defender for Office 365 ignores these messages.
- Specifically for third-party phishing simulations:
- Admin submissions generates an automatic response saying that the message is part of a phishing simulation campaign and isn't a real threat. Alerts and AIR aren't triggered. The admin submissions experience shows these messages as a simulated threat.
- When a user reports a phishing simulation message using the built-in Report button in Outlook on the web or the Microsoft Report Message or Report Phishing add-ins, the system doesn't generate an alert, investigation, or incident. The links or files aren't detonated, but the message appears on the User reported tab of the Submissions page.
- Safe Links in Defender for Office 365 doesn't block or detonate the specified URLs in these messages at time of click. URLs are still wrapped, but they aren't blocked.
- Safe Attachments in Defender for Office 365 doesn't detonate attachments in these messages.
¹ You can't bypass malware filtering.
² You can bypass ZAP for malware by creating an anti-malware policy for the SecOps mailbox where ZAP for malware is turned off. For instructions, see Configure anti-malware policies in EOP.
Messages that are identified by the advanced delivery policy aren't security threats, so the messages are marked with system overrides. Admin experiences show these messages as Phishing simulation or SecOps mailbox system overrides. Admins can filter and analyze on these system overrides in the following experiences:
- Threat Explorer/Real-time detections in Defender for Office 365 plan 2: Admin can filter on System override source and select either Phishing simulation or SecOps Mailbox.
- The Email entity Page in Threat Explorer/Real-time detections: Admin can view a message that was allowed by organization policy by either SecOps mailbox or Phishing simulation under Tenant override in the Override(s) section.
- The Threat protection status report: Admin can filter by view data by System override in the drop down menu and select to see messages allowed due to a phishing simulation system override. To see messages allowed by the SecOps mailbox override, you can select chart breakdown by delivery location in the chart breakdown by reason dropdown list.
- Advanced hunting in Microsoft Defender for Endpoint: Phishing simulation and SecOps mailbox system overrides are options within OrgLevelPolicy in EmailEvents.
- Campaign Views: Admin can filter on System override source and select either Phishing simulation or SecOps Mailbox.
What do you need to know before you begin?
You open the Microsoft 365 Defender portal at https://security.microsoft.com. To go directly to the Advanced delivery page, open https://security.microsoft.com/advanceddelivery.
To connect to Exchange Online PowerShell, see Connect to Exchange Online PowerShell.
You need to be assigned permissions before you can do the procedures in this article. You have the following options:
- Microsoft 365 Defender role based access control (RBAC): configuration/security (manage) or configuration/security (read). Currently, this option requires membership in the Microsoft 365 Defender Preview program.
- Email & collaboration RBAC in the Microsoft 365 Defender portal and Exchange Online RBAC:
- Create, modify, or remove configured settings in the advanced delivery policy: Membership in the Security Administrator role groups in Email & collaboration RBAC and membership in the Organization Management role group in Exchange Online RBAC.
- Read-only access to the advanced delivery policy: Membership in the Global Reader or Security Reader role groups in Email & collaboration RBAC.
- View-Only Organization Management in Exchange Online RBAC.
- Azure AD RBAC: Membership in the Global Administrator, Security Administrator, Global Reader, or Security Reader roles gives users the required permissions and permissions for other features in Microsoft 365.
Use the Microsoft 365 Defender portal to configure SecOps mailboxes in the advanced delivery policy
In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Email & Collaboration > Policies & Rules > Threat policies > Advanced delivery in the Rules section. Or, to go directly to the Advanced delivery page, use https://security.microsoft.com/advanceddelivery.
On the Advanced delivery page, verify that the SecOps mailbox tab is selected.
On the SecOps mailbox tab, select the Add button in the No SecOps mailboxes configured area of the page.
If there are already existing entries on the SecOps mailbox tab, select
Edit (the Add button isn't available).
In the Add SecOps mailboxes flyout that opens, enter an existing Exchange Online mailbox that you want to designate as SecOps mailbox by doing either of the following steps:
Click in the box, let the list of mailboxes resolve, and then select the mailbox.
Click in the box start typing an identifier for the mailbox (name, display name, alias, email address, account name, etc.), and select the mailbox (display name) from the results.
Repeat this step as many times as necessary. Distribution groups aren't allowed.
To remove an existing value, select remove
next to the value.
When you're finished in the Add SecOps mailboxes flyout, select Add..
Review the information in the Changes to SecOps mailbox override saved flyout, and then select Close.
Back on the SecOps mailbox tab, the SecOps mailbox entries that you configured are now listed:
- The Display name column contains display name of the mailboxes.
- The Email column contains the email address for each entry.
- To change the list of entries from normal to compact spacing, select
Change list spacing to compact or normal, and then select
Compact list.
Use the Microsoft 365 Defender portal to modify or remove SecOps mailboxes in the advanced delivery policy
In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Email & Collaboration > Policies & Rules > Threat policies > Advanced delivery in the Rules section. Or, to go directly to the Advanced delivery page, use https://security.microsoft.com/advanceddelivery.
On the Advanced delivery page, verify that the SecOps mailbox tab is selected.
On the SecOps mailbox tab, select
Edit.
In Edit SecOps mailboxes flyout that opens, add or remove mailboxes as described in Step 3 in the Use the Microsoft 365 Defender portal to configure SecOps mailboxes in the advanced delivery policy section.
To remove all mailboxes, select remove
next to each value until there are no more mailboxes selected.
When you're finished in the Edit SecOps mailboxes flyout, select Save.
Review the information in the Changes to SecOps mailbox override saved flyout, and then select Close.
Back on the SecOps mailbox tab, the SecOps mailbox entries that you configured are displayed. If you removed all entries, the list is empty.
Use the Microsoft 365 Defender portal to configure third-party phishing simulations in the advanced delivery policy
Note
To configure a third-party phishing simulation, you need to provide the following information:
- At least one Domain.
- At least one Sending IP.
- For non-email phishing simulations (for example, Microsoft Teams messages, Word documents, or Excel spreadsheets), you can optionally identify the Simulation URLs to allow that shouldn't be treated as real threats at time of click: the URLs aren't blocked or detonated, and no URL click alerts or resulting incidents are generated. The URLs are wrapped at time of click, but they aren't blocked.
There must be a match on at least one Domain and one Sending IP, but no association between values is maintained.
If your MX record doesn't point to Microsoft 365, the IP address in the Authentication-results
header must match the IP address in the advanced delivery policy. If the IP addresses don't match, you might need to configure Enhanced Filtering for Connectors so the correct IP address is detected.
In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Email & Collaboration > Policies & Rules > Threat policies > Advanced delivery in the Rules section. Or, to go directly to the Advanced delivery page, use https://security.microsoft.com/advanceddelivery.
On the Advanced delivery page, select the Phishing simulation tab.
On the Phishing simulation tab, select the Add button in the No third party phishing simulations configured area of the page.
If there are already existing entries on the Phishing simulation tab, select
Edit (the Add button isn't available).
In the Add third party phishing simulations flyout that opens, configure the following settings:
Domain: Expand this setting and enter at least one email address domain by clicking in the box, entering a value (for example, contoso.com), and then pressing the ENTER key or selecting the value that's displayed below the box. Repeat this step as many times as necessary. You can add up to 20 entries.
Note
Use the domain in the
5321.MailFrom
address (also known as the MAIL FROM address, P1 sender, or envelope sender) that's used in the SMTP transmission of the message or a DKIM domain as specified by the phishing simulation vendor.Sending IP: Expand this setting and enter at least one valid IPv4 address by clicking in the box, entering a value, and then pressing the ENTER key or selecting the value that's displayed below the box. Repeat this step as many times as necessary. You can add up to 10 entries. Valid values are:
- Single IP: For example, 192.168.1.1.
- IP range: For example, 192.168.0.1-192.168.0.254.
- CIDR IP: For example, 192.168.0.1/25.
Simulation URLs to allow: This setting isn't required for links in email phishing simulations. Use this setting to optionally identify links in non-email phishing simulations (links in Teams messages or in Office documents) that shouldn't be treated as real threats at time of click.
Add URL entries by expanding this setting, clicking in the box, entering a value, and then pressing the ENTER key or selecting the value that's displayed below the box. You can add up to 30 entries. For the URL syntax, see URL syntax for the Tenant Allow/Block List.
To remove an existing domain, IP, or URL value, select remove
next to the value.
When you're finished in the Add third party phishing simulations flyout, select Add.
Review the information in the Changes to phishing simulation override saved flyout, and then select Close.
Back on the Phishing simulation tab, the third-party phishing simulation entries that you configured are now listed:
- The Value column contains the domain, IP address or URL entry.
- The Type column contains the value Sending IP, Domain, or Allowed simulation URL for each entry.
- The Date column shows when the entry was created.
- To change the list of entries from normal to compact spacing, select
Change list spacing to compact or normal, and then select
Compact list.
Use the Microsoft 365 Defender portal to modify or remove third-party phishing simulations in the advanced delivery policy
In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Email & Collaboration > Policies & Rules > Threat policies > Advanced delivery in the Rules section. Or, to go directly to the Advanced delivery page, use https://security.microsoft.com/advanceddelivery.
On the Advanced delivery page, select the Phishing simulation tab.
On the Phishing simulation tab, select
Edit.
In the Edit third-party phishing simulation flyout that opens, add or remove entries for Domain, Sending IP, and Simulation URLs as described in Step 3 in the Use the Microsoft 365 Defender portal to configure SecOps mailboxes in the advanced delivery policy section.
To remove all entries, select remove
next to each value until there are no more domains, IPs, or URLs selected.
When you're finished in the Edit third-party phishing simulation flyout, select Save.
Review the information in the Changes to phishing simulation override saved flyout, and then select Close.
Back on the Phishing simulation tab, the third-party phishing simulation entries that you configured are displayed. If you removed all entries, the list is empty.
Additional scenarios that require filtering bypass
In addition to the two scenarios that the advanced delivery policy can help you with, there are other scenarios where you might need to bypass filtering for messages:
Third-party filters: If your domain's MX record doesn't point to Office 365 (messages are routed somewhere else first), secure by default isn't available. If you'd like to add protection, you need to enable Enhanced Filtering for Connectors (also known as skip listing). For more information, see Manage mail flow using a third-party cloud service with Exchange Online. If you don't want Enhanced Filtering for Connectors, use mail flow rules (also known as transport rules) to bypass Microsoft filtering for messages that have already been evaluated by third-party filtering. For more information, see Use mail flow rules to set the SCL in messages.
False positives under review: You might want to temporarily allow good messages that are incorrectly identified as bad (false positives) that you reported via admin submissions, but the messages are still being analyzed by Microsoft. As with all overrides, we highly recommended that these allowances are temporary.
PowerShell procedures for SecOps mailboxes in the advanced delivery policy
In PowerShell, the basic elements of SecOps mailboxes in the advanced delivery policy are:
- The SecOps override policy: Controlled by the *-SecOpsOverridePolicy cmdlets.
- The SecOps override rule: Controlled by the *-SecOpsOverrideRule cmdlets.
This behavior has the following results:
- You create the policy first, then you create the rule that identifies the policy that the rule applies to.
- When you remove a policy from PowerShell, the corresponding rule is also removed.
- When you remove a rule from PowerShell, the corresponding policy isn't removed. You need to remove the corresponding policy manually.
Use PowerShell to configure SecOps mailboxes
Configuring a SecOps mailbox in the advanced delivery policy in PowerShell is a two-step process:
- Create the SecOps override policy.
- Create the SecOps override rule that specifies the policy that the rule applies to.
Step 1: Use PowerShell to create the SecOps override policy
In Exchange Online PowerShell, use the following syntax:
New-SecOpsOverridePolicy -Name SecOpsOverridePolicy -SentTo <EmailAddress1>,<EmailAddress2>,...<EmailAddressN>
Regardless of the Name value you specify, the policy name is SecOpsOverridePolicy, so you might as well use that value.
This example creates the SecOps mailbox policy.
New-SecOpsOverridePolicy -Name SecOpsOverridePolicy -SentTo secops@contoso.com
For detailed syntax and parameter information, see New-SecOpsOverridePolicy.
Step 2: Use PowerShell to create the SecOps override rule
In Exchange Online PowerShell, run the following command:
New-SecOpsOverrideRule -Name SecOpsOverrideRule -Policy SecOpsOverridePolicy
Regardless of the Name value you specify, the rule name is SecOpsOverrideRule<GUID> where <GUID> is a unique GUID value (for example, 6fed4b63-3563-495d-a481-b24a311f8329).
For detailed syntax and parameter information, see New-SecOpsOverrideRule.
Use PowerShell to view the SecOps override policy
In Exchange Online PowerShell, this example returns detailed information about the one and only SecOps mailbox policy.
Get-SecOpsOverridePolicy
For detailed syntax and parameter information, see Get-SecOpsOverridePolicy.
Use PowerShell to view SecOps override rules
In Exchange Online PowerShell, this example returns detailed information about SecOps override rules.
Get-SecOpsOverrideRule
Although the previous command should return only one rule, any rules that are pending deletion might also be included in the results.
This example identifies the valid rule (one) and any invalid rules.
Get-SecOpsOverrideRule | Format-Table Name,Mode
After you identify the invalid rules, you can remove them by using the Remove-SecOpsOverrideRule cmdlet as described later in this article.
For detailed syntax and parameter information, see Get-SecOpsOverrideRule.
Use PowerShell to modify the SecOps override policy
In Exchange Online PowerShell, use the following syntax:
Set-SecOpsOverridePolicy -Identity SecOpsOverridePolicy [-AddSentTo <EmailAddress1>,<EmailAddress2>,...<EmailAddressN>] [-RemoveSentTo <EmailAddress1>,<EmailAddress2>,...<EmailAddressN>]
This example adds secops2@contoso.com
to the SecOps override policy.
Set-SecOpsOverridePolicy -Identity SecOpsOverridePolicy -AddSentTo secops2@contoso.com
Note
If an associated, valid SecOps override rule exists, the email addresses in the rule is also updated.
For detailed syntax and parameter information, see Set-SecOpsOverridePolicy.
Use PowerShell to modify a SecOps override rule
The Set-SecOpsOverrideRule cmdlet doesn't modify the email addresses in the SecOps override rule. To modify the email addresses in the SecOps override rule, use the Set-SecOpsOverridePolicy cmdlet.
For detailed syntax and parameter information, see Set-SecOpsOverrideRule.
Use PowerShell to remove the SecOps override policy
In Exchange Online PowerShell, this example removes the SecOps Mailbox policy and the corresponding rule.
Remove-SecOpsOverridePolicy -Identity SecOpsOverridePolicy
For detailed syntax and parameter information, see Remove-SecOpsOverridePolicy.
Use PowerShell to remove SecOps override rules
In Exchange Online PowerShell, use the following syntax:
Remove-SecOpsOverrideRule -Identity <RuleIdentity>
This example removes the specified SecOps override rule.
Remove-SecOpsOverrideRule -Identity SecOpsOverrideRule6fed4b63-3563-495d-a481-b24a311f8329
For detailed syntax and parameter information, see Remove-SecOpsOverrideRule.
PowerShell procedures for third-party phishing simulations in the advanced delivery policy
In PowerShell, the basic elements of third-party phishing simulations in the advanced delivery policy are:
- The phishing simulation override policy: Controlled by the *-PhishSimOverridePolicy cmdlets.
- The phishing simulation override rule: Controlled by the *-PhishSimOverrideRule cmdlets.
- The allowed (unblocked) phishing simulation URLs: Controlled by the *-TenantAllowBlockListItems cmdlets.
Note
As previously described, identifying URLs isn't required for links in email-based phishing simulations. You can optionally identify links in non-email phishing simulations (links in Teams messages or in Office documents) that shouldn't be treated as real threats at time of click.
This behavior has the following results:
- You create the policy first, then you create the rule that identifies the policy that the rule applies to.
- You modify the settings in the policy and the rule separately.
- When you remove a policy from PowerShell, the corresponding rule is also removed.
- When you remove a rule from PowerShell, the corresponding policy isn't removed. You need to remove the corresponding policy manually.
Use PowerShell to configure third-party phishing simulations
Configuring a third-party phishing simulation in PowerShell is a multi-step process:
- Create the phishing simulation override policy.
- Create the phishing simulation override rule that specifies:
- The policy that the rule applies to.
- The source IP address of the phishing simulation messages.
- Optionally, identity the phishing simulation URLs in non-email phishing simulations (links in Teams messages or in Office documents) that shouldn't be treated as real threats at time of click.
Step 1: Use PowerShell to create the phishing simulation override policy
In Security & Compliance PowerShell, this example creates the phishing simulation override policy.
New-PhishSimOverridePolicy -Name PhishSimOverridePolicy
Regardless of the Name value you specify, the policy name is PhishSimOverridePolicy, so you might as well use that value.
For detailed syntax and parameter information, see New-PhishSimOverridePolicy.
Step 2: Use PowerShell to create the phishing simulation override rule
In Security & Compliance PowerShell, use the following syntax:
New-PhishSimOverrideRule -Name PhishSimOverrideRule -Policy PhishSimOverridePolicy -Domains <Domain1>,<Domain2>,...<Domain10> -SenderIpRanges <IPAddressEntry1>,<IPAddressEntry2>,...<IPAddressEntry10>
Regardless of the Name value you specify, the rule name is PhishSimOverrideRule<GUID> where <GUID> is a unique GUID value (for example, a0eae53e-d755-4a42-9320-b9c6b55c5011).
A valid IP address entry is one of the following values:
- Single IP: For example, 192.168.1.1.
- IP range: For example, 192.168.0.1-192.168.0.254.
- CIDR IP: For example, 192.168.0.1/25.
This example creates the phishing simulation override rule with the specified settings.
New-PhishSimOverrideRule -Name PhishSimOverrideRule -Policy PhishSimOverridePolicy -Domains fabrikam.com,wingtiptoys.com -SenderIpRanges 192.168.1.55
For detailed syntax and parameter information, see New-PhishSimOverrideRule.
Step 3: (Optional) Use PowerShell to identify the phishing simulation URLs to allow
In Exchange Online PowerShell, use the following syntax:
New-TenantAllowBlockListItems -Allow -ListType Url -ListSubType AdvancedDelivery -Entries "<URL1>","<URL2>",..."<URL10>" <[-NoExpiration] | [-ExpirationDate <DateTime>]>
For details about the URL syntax, see URL syntax for the Tenant Allow/Block List
This example adds a URL allow entry for the specified third-party phishing simulation URL with no expiration.
New-TenantAllowBlockListItems -Allow -ListType Url -ListSubType AdvancedDelivery -Entries *.fabrikam.com -NoExpiration
For detailed syntax and parameter information, see New-TenantAllowBlockListItems.
Use PowerShell to view the phishing simulation override policy
In Security & Compliance PowerShell, this example returns detailed information about the one and only phishing simulation override policy.
Get-PhishSimOverridePolicy
For detailed syntax and parameter information, see Get-PhishSimOverridePolicy.
Use PowerShell to view phishing simulation override rules
In Security & Compliance PowerShell, this example returns detailed information about phishing simulation override rules.
Get-PhishSimOverrideRule
Although the previous command should return only one rule, any rules that are pending deletion might also be included in the results.
This example identifies the valid rule (one) and any invalid rules.
Get-PhishSimOverrideRule | Format-Table Name,Mode
After you identify the invalid rules, you can remove them by using the Remove-PhishSimOverrideRule cmdlet as described later in this article.
For detailed syntax and parameter information, see Get-PhishSimOverrideRule.
Use PowerShell to view the allowed phishing simulation URL entries
In Exchange Online PowerShell, run the following command:
Get-TenantAllowBlockListItems -ListType Url -ListSubType AdvancedDelivery
For detailed syntax and parameter information, see Get-TenantAllowBlockListItems.
Use PowerShell to modify the phishing simulation override policy
In Security & Compliance PowerShell, use the following syntax:
Set-PhishSimOverridePolicy -Identity PhishSimOverridePolicy [-Comment "<DescriptiveText>"] [-Enabled <$true | $false>]
This example disables the phishing simulation override policy.
Set-PhishSimOverridePolicy -Identity PhishSimOverridePolicy -Enabled $false
For detailed syntax and parameter information, see Set-PhishSimOverridePolicy.
Use PowerShell to modify phishing simulation override rules
In Security & Compliance PowerShell, use the following syntax:
Set-PhishSimOverrideRule -Identity PhishSimOverrideRulea0eae53e-d755-4a42-9320-b9c6b55c5011 [-Comment "<DescriptiveText>"] [-AddSenderDomainIs <DomainEntry1>,<DomainEntry2>,...<DomainEntryN>] [-RemoveSenderDomainIs <DomainEntry1>,<DomainEntry2>,...<DomainEntryN>] [-AddSenderIpRanges <IPAddressEntry1>,<IPAddressEntry2>,...<IPAddressEntryN>] [-RemoveSenderIpRanges <IPAddressEntry1>,<IPAddressEntry2>,...<IPAddressEntryN>]
This example modifies the specified phishing simulation override rule with the following settings:
- Add the domain entry blueyonderairlines.com.
- Remove the IP address entry 192.168.1.55.
These changes don't affect existing entries.
Set-PhishSimOverrideRule -Identity PhishSimOverrideRulea0eae53e-d755-4a42-9320-b9c6b55c5011 -AddSenderDomainIs blueyonderairlines.com -RemoveSenderIpRanges 192.168.1.55
For detailed syntax and parameter information, see Set-PhishSimOverrideRule.
Use PowerShell to modify the allowed phishing simulation URL entries
You can't modify the URL values directly. You can remove existing URL entries and add new URL entries as described in this article.
In Exchange Online PowerShell, to modify other properties of an allowed phishing simulation URL entry (for example, the expiration date or comments), use the following syntax:
Set-TenantAllowBlockListItems <-Entries "<URL1>","<URL2>",..."<URLN>" | -Ids <Identity>> -ListType URL -ListSubType AdvancedDelivery <[-NoExpiration] | [-ExpirationDate <DateTime>]> [-Notes <String>]
You identify the entry to modify by its URL values (the Entries parameter) or the Identity value from the output of the Get-TenantAllowBlockListItems cmdlet (the Ids parameter).
This example modified the expiration date of the specified entry.
Set-TenantAllowBlockListItems -ListType Url -ListSubType AdvancedDelivery -Entries "*.fabrikam.com" -ExpirationDate 9/11/2021
For detailed syntax and parameter information, see Set-TenantAllowBlockListItems.
Use PowerShell to remove a phishing simulation override policy
In Security & Compliance PowerShell, this example removes the phishing simulation override policy and the corresponding rule.
Remove-PhishSimOverridePolicy -Identity PhishSimOverridePolicy
For detailed syntax and parameter information, see Remove-PhishSimOverridePolicy.
Use PowerShell to remove phishing simulation override rules
In Security & Compliance PowerShell, use the following syntax:
Remove-PhishSimOverrideRule -Identity <RuleIdentity>
This example removes the specified phishing simulation override rule.
Remove-PhishSimOverrideRule -Identity PhishSimOverrideRulea0eae53e-d755-4a42-9320-b9c6b55c5011
For detailed syntax and parameter information, see Remove-PhishSimOverrideRule.
Use PowerShell to remove the allowed phishing simulation URL entries
In Exchange Online PowerShell, use the following syntax:
Remove-TenantAllowBlockListItems <-Entries "<URL1>","<URL2>",..."<URLN>" | -Ids <Identity>> -ListType URL -ListSubType AdvancedDelivery
You identify the entry to modify by its URL values (the Entries parameter) or the Identity value from the output of the Get-TenantAllowBlockListItems cmdlet (the Ids parameter).
This example modified the expiration date of the specified entry.
Remove-TenantAllowBlockListItems -ListType Url -ListSubType AdvancedDelivery -Entries "*.fabrikam.com" -ExpirationDate 9/11/2021
For detailed syntax and parameter information, see Remove-TenantAllowBlockListItems.
Feedback
Submit and view feedback for