Manage allows and blocks in the Tenant Allow/Block List

Tip

Did you know you can try the features in Microsoft Defender XDR for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft Defender portal trials hub. Learn about who can sign up and trial terms here.

Important

To allow phishing URLs that are part of third-party attack simulation training, use the advanced delivery configuration to specify the URLs. Don't use the Tenant Allow/Block List.

In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, you might disagree with the EOP or Microsoft Defender for Office 365 filtering verdict. For example, a good message might be marked as bad (a false positive), or a bad message might be allowed through (a false negative).

The Tenant Allow/Block List in the Microsoft Defender portal gives you a way to manually override the Defender for Office 365 or EOP filtering verdicts. The list is used during mail flow for incoming messages from external senders.

The Tenant Allow/Block List doesn't apply to internal messages within the organization. However, block entries for Domains and email addresses prevent users in the organization from sending email to those blocked domains and addresses.

The Tenant Allow/Block list is available in the Microsoft Defender portal at https://security.microsoft.com > Policies & rules > Threat Policies > Tenant Allow/Block Lists in the Rules section. To go directly to the Tenant Allow/Block Lists page, use https://security.microsoft.com/tenantAllowBlockList.

For usage and configuration instructions, see the following articles:

These articles contain procedures in the Microsoft Defender portal and in PowerShell.

Block entries in the Tenant Allow/Block List

Note

In the Tenant Allow/Block List, block entries take precedence over allow entries.

Use the Submissions page (also known as admin submission) at https://security.microsoft.com/reportsubmission to create block entries for the following types of items as you report them as false negatives to Microsoft:

  • Domains and email addresses:

    • Email messages from these senders are marked as high confidence phishing and then moved to quarantine.
    • Users in the organization can't send email to these blocked domains and addresses. They receive the following non-delivery report (also known as an NDR or bounce message): 550 5.7.703 Your message can't be delivered because messages to XXX, YYY are blocked by your organization using Tenant Allow Block List. The entire message is blocked for all internal and external recipients of the message, even if only one recipient email address or domain is defined in a block entry.

    Tip

    To block only spam from a specific sender, add the email address or domain to the block list in anti-spam policies. To block all email from the sender, use Domains and email addresses in the Tenant Allow/Block List.

  • Files: Email messages that contain these blocked files are blocked as malware. Messages containing the blocked files are quarantined.

  • URLs: Email messages that contain these blocked URLs are blocked as high confidence phishing. Messages containing the blocked URLs are quarantined.

In the Tenant Allow/Block List, you can also directly create block entries for the following types of items:

  • Domains and email addresses, Files, and URLs.

  • Spoofed senders: If you manually override an existing allow verdict from spoof intelligence, the blocked spoofed sender becomes a manual block entry that appears only on the Spoofed senders tab in the Tenant Allow/Block List.

By default, block entries for domains and email addresses, files and URLs expire after 30 days, but you can set them to expire up 90 days or to never expire. Block entries for spoofed senders never expire.

Allow entries in the Tenant Allow/Block List

In most cases, you can't directly create allow entries in the Tenant Allow/Block List:

  • Domains and email addresses, files, and URLs: You can't create allow entries directly in the Tenant Allow/Block List. Instead you use the Submissions page at https://security.microsoft.com/reportsubmission to report the email, email attachment, or URL to Microsoft as Should not have been blocked (False positive).

  • Spoofed senders:

    • If spoof intelligence has already blocked the message as spoofing, use the Submissions page at https://security.microsoft.com/reportsubmission to report the email to Microsoft as Should not have been blocked (False positive).
    • You can proactively create an allow entry for a spoofed sender on the Spoofed sender tab in the Tenant Allow/Block List before spoof intelligence identifies and blocks the message as spoofing.

The following list describes what happens in the Tenant Allow/Block List when you report something to Microsoft as a false positive on the Submissions page:

  • Email attachments and URLs: An allow entry is created and the entry appears on the Files or URLs tab in the Tenant Allow/Block List respectively.

    For URLs reported as false positives, we'll allow subsequent messages that contain variations of the original URL. For example, you use the Submissions page to report the incorrectly blocked URL www.contoso.com/abc. If your organization later receives a message that contains the URL (for example but not limited to: www.contoso.com/abc, www.contoso.com/abc?id=1, www.contoso.com/abc/def/gty/uyt?id=5, or www.contoso.com/abc/whatever), the message won't be blocked based on the URL. In other words, you don't need to report multiple variations of the same URL as good to Microsoft.

  • Email: If a message was blocked by the EOP or Defender for Office 365 filtering stack, an allow entry might be created in the Tenant Allow/Block List:

    • If the message was blocked by spoof intelligence, an allow entry for the sender is created, and the entry appears on the Spoofed senders tab in the Tenant Allow/Block List.
    • If the message was blocked by user (or graph) impersonation protection in Defender for Office 365, an allow entry isn't created in the Tenant Allow/Block List. Instead, the domain or sender is added to the Trusted senders and domains section in the anti-phishing policy that detected the message.
    • If the message was blocked due to file-based filers, an allow entry for the file is created, and the entry appears on the Files tab in the Tenant Allow/Block List.
    • If the message was blocked due to URL-based filters, an allow entry for the URL is created, and the entry appears on the URL tab in the Tenant Allow/Block List.
    • If the message was blocked for any other reason, an allow entry for the sender email address or domain is created, and the entry appears on the Domains & addresses tab in the Tenant Allow/Block List.
    • If the message wasn't blocked due to filtering, no allow entries are created anywhere.

By default, allow entries for domains and email addresses, files, and URLs exist for 30 days. During those 30 days, Microsoft learns from the allow entries and removes them or automatically extends them. After Microsoft learns from the removed allow entries, messages that contain those entities will be delivered, unless something else in the message is detected as malicious. By default, allow entries for spoofed senders never expire.

Important

Microsoft does not allow you to create allow entries directly. Unnecessary allow entries expose your organization to malicious email which could have been filtered by the system.

Microsoft manages the creation of allow entries from the Submissions page at https://security.microsoft.com/reportsubmission. Allow entries are added during mail flow based on the filters that determined the message was malicious. For example, if the sender email address and a URL in the message were determined to be bad, an allow entry is created for the sender (email address or domain) and the URL.

When the entity is encountered again (during mail flow or time of click), all filters associated with that entity are skipped.

During mail flow, if messages containing the allowed entity pass other checks in the filtering stack, the messages will be delivered. For example, if a message passes email authentication checks, URL filtering, and file filtering, a message from an allowed sender email address will be delivered.

What to expect after you add an allow or block entry

After you add an allow entry on the Submissions page or a block entry in the Tenant Allow/Block List, the entry should start working immediately (within 5 minutes).

If Microsoft has learned from the allow entry, the entry is removed. You'll get an alert about the removal of the now unnecessary allow entry from the built-in alert policy named Removed an entry in Tenant Allow/Block List.