Allow or block files using the Tenant Allow/Block List

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365 Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to

• Exchange Online Protection
• Microsoft Defender for Office 365 plan 1 and plan 2
• Microsoft 365 Defender

This article describes how to manage file allow and block entries that are available in the Tenant Allow/Block List. For more information about the Tenant Allow/Block List, see Manage allows and blocks in the Tenant Allow/Block List.

You manage allow and block entries for files in the Microsoft 365 Defender Portal or in Exchange Online PowerShell.

What do you need to know before you begin?

• You open the Microsoft 365 Defender portal at https://security.microsoft.com. To go directly to the Tenant Allow/Block List page, use https://security.microsoft.com/tenantAllowBlockList. To go directly to the Submissions page, use https://security.microsoft.com/reportsubmission.

• To connect to Exchange Online PowerShell, see Connect to Exchange Online PowerShell. To connect to standalone EOP PowerShell, see Connect to Exchange Online Protection PowerShell.

• You specify files by using the SHA256 hash value of the file. To find the SHA256 hash value of a file in Windows, run the following command in a Command Prompt:

  certutil.exe -hashfile "<Path>\<Filename>" SHA256
  

  An example value is 768a813668695ef2483b2bde7cf5d1b2db0423a0d3e63e498f3ab6f2eb13ea3a. Perceptual hash (pHash) values are not supported.

• For files, the maximum number of allow entries is 500, and the maximum number of block entries is 500 (1000 file entries in total).

• You can enter a maximum of 64 characters in a file entry.

• An entry should be active within 30 minutes, but it might take up to 24 hours for the entry to be active.

• You need to be assigned permissions before you can do the procedures in this article. You have the following options:

  • Microsoft 365 Defender role based access control (RBAC): configuration/security (manage) or configuration/security (read). Currently, this option requires membership in the Microsoft 365 Defender Preview program.
  • Exchange Online RBAC:
    • Add and remove entries from the Tenant Allow/Block List: Membership in one of the following role groups:
      • Organization Management or Security Administrator (Security admin role).
      • Security Operator (Tenant AllowBlockList Manager).
    • Read-only access to the Tenant Allow/Block List: Membership in one of the following role groups:
      • Global Reader
      • Security Reader
      • View-Only Configuration
      • View-Only Organization Management
  • Azure AD RBAC: Membership in the Global Administrator, Security Administrator, Global Reader, or Security Reader roles gives users the required permissions and permissions for other features in Microsoft 365.

Create block entries for files

Email messages that contain these blocked files are blocked as malware. Messages containing the blocked files are quarantined.

You have the following options to create block entries for files:

• The Submissions page in the Microsoft 365 Defender portal
• The Tenant Allow/Block List in the Microsoft 365 Defender portal or in PowerShell

Use the Microsoft 365 Defender portal to create block entries for files on the Submissions page

When you use the Submissions page at https://security.microsoft.com/reportsubmission to submit files as Should have been blocked (False negative), you can select Block this file to add a block entry on the Files tab in the Tenant Allow/Block List.

For instructions, see Submit questionable email attachments to Microsoft.

Use the Microsoft 365 Defender portal to create block entries for files in the Tenant Allow/Block List

You can create block entries for files directly in the Tenant Allow/Block List.

1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Policies & rules > Threat Policies > Rules section > Tenant Allow/Block Lists. Or, to go directly to the Tenant Allow/Block List page, use https://security.microsoft.com/tenantAllowBlockList.

2. On the Tenant Allow/Block List page, select the Files tab.

3. On the Files tab, click Block.

4. In the Block files flyout that appears, configure the following settings:

   • Add file hashes: Enter one SHA256 hash value per line, up to a maximum of 20.

   • Remove block entry after: The default value is 30 days, but you can select from the following values:

     • 1 day
     • 7 days
     • 30 days
     • Never expire
     • Specific date: The maximum value is 90 days from today.

   • Optional note: Enter descriptive text for why you're blocking the files.

5. When you're finished, click Add.

Use PowerShell to create block entries for files in the Tenant Allow/Block List

In Exchange Online PowerShell, use the following syntax:

New-TenantAllowBlockListItems -ListType <FileHash> -Block -Entries "Value1","Value2",..."ValueN" <-ExpirationDate Date | -NoExpiration> [-Notes <String>]

This example adds a block entry for the specified files that never expires.

New-TenantAllowBlockListItems -ListType FileHash -Block -Entries "768a813668695ef2483b2bde7cf5d1b2db0423a0d3e63e498f3ab6f2eb13ea3","2c0a35409ff0873cfa28b70b8224e9aca2362241c1f0ed6f622fef8d4722fd9a" -NoExpiration

For detailed syntax and parameter information, see New-TenantAllowBlockListItems.

Use the Microsoft 365 Defender portal to create allow entries for files on the Submissions page

You can't create allow entries for files directly in the Tenant Allow/Block List. Instead, you use the Submissions page at https://security.microsoft.com/reportsubmission to submit the message attachment as a false positive, which also adds an allow entry on the Files tab in the Tenant Allow/Block List.

For instructions, see Submit good email attachments to Microsoft.

Important

Microsoft does not allow you to create allow entries directly. Unnecessary allow entries expose your organization to malicious email which could have been filtered by the system.

Microsoft manages the creation of allow entries from the Submissions page. Allow entries are added during mail flow based on the filters that determined the message was malicious. For example, if the sender email address and a file in the message were determined to be bad, an allow entry is created for the sender (email address or domain) and the file.

When that entity is encountered again, all filters associated with that entity are overridden.

By default, allow entries for files exist for 30 days. During those 30 days, Microsoft will learn from the allow entries and remove them or automatically extend them. After Microsoft learns from the removed allow entries, messages that contain those files will be delivered, unless something else in the message is detected as malicious.

During mail flow, if messages containing the allowed file pass other checks in the filtering stack, the messages will be delivered. For example, if a message passes email authentication checks, a message containing an allowed file will be delivered.

During time of click, the file allow overrides all filters associated with the file entity, allowing the end user to access the file.

Use the Microsoft 365 Defender portal to view existing allow or block entries for files in the Tenant Allow/Block List

1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Policies & rules > Threat Policies > Tenant Allow/Block Lists in the Rules section. Or, to go directly to the Tenant Allow/Block Lists page, use https://security.microsoft.com/tenantAllowBlockList.

2. Select the Files tab. The following columns are available:

   • Value: The file hash.
   • Action: The values are Allow or Block.
   • Modified by
   • Last updated
   • Remove on: The expiration date.
   • Notes

   You can click on a column heading to sort in ascending or descending order.

   Click Group to group the results by None or Action.

   Click Search, enter all or part of a value, and then press ENTER to find a specific value. When you're finished, click Clear search.

   Click Filter to filter the results. The following values are available in the Filter flyout that appears:

   • Action: The values are Allow and Block.
   • Never expire: or
   • Last updated: Select From and To dates.
   • Remove on: Select From and To dates.

   When you're finished, click Apply. To clear existing filters, click Clear filters in the Filter flyout.

Use PowerShell to view existing allow or block entries for files in the Tenant Allow/Block List

In Exchange Online PowerShell, use the following syntax:

Get-TenantAllowBlockListItems -ListType FileHash [-Allow] [-Block] [-Entry <FileHashValue>] [<-ExpirationDate Date | -NoExpiration>]

This example returns all allowed and blocked files.

Get-TenantAllowBlockListItems -ListType FileHash

This example returns information for the specified file hash value.

Get-TenantAllowBlockListItems -ListType FileHash -Entry "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"

This example filters the results by blocked files.

Get-TenantAllowBlockListItems -ListType FileHash -Block

For detailed syntax and parameter information, see Get-TenantAllowBlockListItems.

Use the Microsoft 365 Defender portal to modify existing allow or block entries for files in the Tenant Allow/Block List

You can make the following modifications to entries for files in the Tenant Allow/Block list:

• Block entries: The expiration date and notes.
• Allow entries: The expiration date and notes.

1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Policies & rules > Threat Policies > Rules section > Tenant Allow/Block Lists. Or, to go directly to the Tenant Allow/Block List page, use https://security.microsoft.com/tenantAllowBlockList.

2. Select the Files tab

3. On the Files tab, select the check box of the entry that you want to modify, and then click the Edit button that appears.

4. The following settings are available in the Edit file flyout that appears:

   • Remove block entry after: You can extend block entries for a maximum of 90 days from the system date or set them to Never expire.
   • Remove allow entry after: You can extend allow entries for a maximum of 30 days from the system date.
   • Optional note

   When you're finished, click Save.

Tip

For entries added via submission, if you select the entry by clicking anywhere in the row other than the check box, you can select View submission in the details flyout that opens, which takes you to the submission details that added the entry.

Use PowerShell to modify existing allow or block entries for files in the Tenant Allow/Block List

In Exchange Online PowerShell, use the following syntax:

Set-TenantAllowBlockListItems -ListType <FileHash> <-Ids <Identity value> | -Entries <Value value>> [<-ExpirationDate Date | -NoExpiration>] [-Notes <String>]

This example changes the expiration date of the specified file block entry.

Set-TenantAllowBlockListItems -ListType FileHash -Entries "27c5973b2451db9deeb01114a0f39e2cbcd2f868d08cedb3e210ab3ece102214" -ExpirationDate "9/1/2022"

For detailed syntax and parameter information, see Set-TenantAllowBlockListItems.

Use the Microsoft 365 Defender portal to remove existing allow or block entries for files from the Tenant Allow/Block List

1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Policies & rules > Threat Policies > Rules section > Tenant Allow/Block Lists. Or, to go directly to the Tenant Allow/Block List page, use https://security.microsoft.com/tenantAllowBlockList.

2. Select the Files tab.

3. On the Files tab, do one of the following steps:

   • Select the check box of the entry that you want to remove, and then click the Delete icon that appears.
   • Select the entry that you want to remove by clicking anywhere in the row other than the check box. In the details flyout that appears, click Delete.

4. In the warning dialog that appears, click Delete.

Tip

You can select multiple entries by selecting each check box, or select all entries by selecting the check box next to the Value column header.

Use PowerShell to remove existing allow or block entries for files from the Tenant Allow/Block List

In Exchange Online PowerShell, use the following syntax:

Remove-TenantAllowBlockListItems -ListType FileHash <-Ids <Identity value> | -Entries <Value value>>

This example removes the specified file block from the Tenant Allow/Block List.

Remove-TenantAllowBlockListItems -ListType FileHash -Entries "27c5973b2451db9deeb01114a0f39e2cbcd2f868d08cedb3e210ab3ece102214"

For detailed syntax and parameter information, see Remove-TenantAllowBlockListItems.

Related articles

• Use the Submissions page to submit suspected spam, phish, URLs, legitimate email getting blocked, and email attachments to Microsoft
• Report false positives and false negatives
• Manage allows and blocks in the Tenant Allow/Block List
• Allow or block emails in the Tenant Allow/Block List
• Allow or block URLs in the Tenant Allow/Block List