Manage email access in Microsoft 365


Email is one of the most essential and widely used communication tools in the modern workplace. However, email also poses significant security risks, such as phishing, malware, spam, and data breaches. To protect your organization and its users from these threats, you must understand how Microsoft 365 manages email access through two key components: Exchange Online and Microsoft Defender for Office 365.

  • Exchange Online. This cloud-based email service powers Microsoft 365. It allows you to create and manage email accounts, groups, contacts, calendars, and more. Exchange Online also provides various features and settings to control who can access your email and how. One of these features is the Restricted Access list, which lets you block or allow specific IP addresses or ranges from accessing your email service. You can create mail flow rules that incorporate the Restricted Access list to help prevent unauthorized or malicious access from outside your network or from certain locations.
  • Microsoft Defender for Office 365. This Microsoft Defender XDR solution provides advanced threat protection that integrates with Exchange Online and other Microsoft 365 services. It helps you detect, prevent, and respond to email-based attacks, such as phishing, malware, spoofing, and impersonation. Microsoft Defender for Office 365 also enables you to block or allow email access for specific users, domains, or senders through the Tenant Allow/Block list. You can use the Tenant Allow/Block list to filter inbound email messages, which can reduce spam, false positives, and unwanted email traffic.

In this training module, you learn how to use Exchange Online and Microsoft Defender for Office 365 to manage email access in Microsoft 365. You also learn how these two components work together to provide a comprehensive and robust email protection for your organization.

Compare restricted and blocked email access

Restricting and blocking email access are two different methods of controlling the email flow in your organization. You should choose the appropriate method based on your security needs and the effect on the user experience.

Method: Restrict email access
Description: Limits the ability of a user to send or receive emails from certain domains or addresses. For example, you can restrict a user from sending emails to a specific domain, or you can restrict a user from receiving emails from a specific address.
How to implement: You can create mail flow rules in the Exchange admin center or by using Exchange Online PowerShell.
When to use this method: Restricting email access can be useful when you want to:
  • Control the communication between your organization and external parties, such as partners, vendors, or customers.
  • Prevent a compromised user account from sending spam or malicious emails to other domains.
  • Protect a sensitive user account from receiving phishing or spoofing emails from certain addresses.

Method: Block email access
Description: Completely prevents a user or a domain from sending or receiving any emails. For example, you can block a user from sending any emails, or you can block a domain from sending or receiving any emails.
How to implement: You can create blocklists in Microsoft Defender for Office 365. You can manually add users to the Blocklist in Microsoft Defender for Office 365. You can also create custom policies in the Microsoft Defender portal (such as outbound spam policies and anti-phishing policies) to manage email restrictions beyond mail flow rules.
When to use this method: Blocking email access can be useful when you want to:
  • Disable a user account that's no longer active or authorized to use email.
  • Isolate a user account that's under investigation or suspected of malicious activity.
  • Stop a domain that you know is a source of spam, malware, or phishing from contacting your organization.

Let’s explore the differences between blocking a user using the Restricted Access list in Exchange Online and blocking a domain or user email address in Microsoft Defender for Office 365:

  • Restricted Access list in mail flow rules in Exchange Online. Primarily used to prevent specific users from sending outbound emails. When you add a user to this list, they're restricted from sending emails but can still receive them. For example, suppose an employee is suspected of sending spam or malicious emails. By adding them to the Restricted Access list, you can prevent them from sending further emails while still allowing them to receive messages. The features of this method include:
    • Restricted users can't send emails externally, but internal communication within the organization remains unaffected.
    • This feature is useful when you want to limit a user’s outbound communication without completely blocking their account.
  • Blocking domains or user email addresses in Microsoft Defender for Office 365. Provides robust email filtering capabilities. Blocking domains or specific email addresses helps protect your organization from phishing, spam, and other threats. For example, if a domain consistently sends phishing emails, you can block it using the Tenant Allow/Block List. Similarly, if a specific user’s email address is a source of spam, you can prevent any communication with that address. The features of this method include:
    • It applies during mail flow for incoming messages from external senders (not internal messages).
    • You can create block entries for domains and email addresses that prevent users from sending emails to those blocked domains or addresses.
    • Block entries take precedence over allow entries in the list.
    • You can report false negatives and create block entries.

In summary, the Restricted Access list focuses on individual user restrictions within your organization. On the other hand, the Tenant Allow/Block List in Microsoft Defender for Office 365 deals with broader domain and email address blocking to enhance security and prevent threats.

Restrict user access using mail flow rules in Exchange

One way to restrict users from sending or receiving emails in Microsoft 365 is by configuring mail flow rules that include message delivery restrictions for individual mailboxes. Mail flow rules can be created in the New Exchange Admin Center (EAC) or through Exchange Online PowerShell.

Perform the following steps to create mail flow rules using the EAC:

  1. Sign in to the new EAC.
  2. Navigate to Recipients > Mailboxes.
  3. Select the user mailbox for which you want to establish a mail flow rule.
  4. In the user mailbox pane that appears, the General tab is displayed by default. Select the Mailbox tab.
  5. In the Message Delivery Restrictions section, select Manage message delivery restrictions.
  6. In the Message delivery restrictions pane that appears, you can specify who you want this mailbox to accept messages from and who you want it to block messages from.
    • Accept messages from:
      • All senders. This option allows messages from all senders (both within your Exchange organization and external senders). It’s the default option.
      • Selected senders. This option allows messages from selected senders within your Exchange organization only.
      • Require senders to be authenticated. This option prevents anonymous users from sending messages to the user.
    • Block messages from:
      • None. This option doesn't block any people from sending messages to this user.
      • Selected senders. This option blocks messages from selected senders within your Exchange organization only.

You can also create mail flow rules using Exchange Online PowerShell. For example, to restrict a mailbox to accept messages only from your Exchange organization, you can use the following command (replace "UserEmailAddress" with the actual email address of the user):

Set-Mailbox -Identity "UserEmailAddress" -AcceptMessagesOnlyFromSendersOrMembers "Organization"

Note

Message delivery restrictions that you configure through mail flow rules don't affect mailbox permissions. Even if a user is restricted, someone with Full Access permissions on the mailbox can still update its contents. These restrictions apply to all recipient types, so you can control who sends messages to users within your organization.
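The following script, added here as an example and not taken from the training module, applies the delivery restrictions described above to one mailbox from Exchange Online PowerShell, reads the settings back, and lists the Full Access delegates that the note says are unaffected. It assumes an existing Exchange Online session (Connect-ExchangeOnline); the mailbox and sender addresses are placeholders.

```powershell
# Added example (not part of the training module). Assumes Connect-ExchangeOnline
# has already been run. Replace the placeholder identities with real ones.
$Mailbox        = "finance-user@contoso.example"    # placeholder: mailbox to restrict
$BlockedSenders = @("contractor@contoso.example")   # placeholder: internal senders to reject

# 1. Require authenticated senders: anonymous (unauthenticated external) senders can no
#    longer deliver to this mailbox. Mirrors "Require senders to be authenticated" in the EAC.
Set-Mailbox -Identity $Mailbox -RequireSenderAuthenticationEnabled $true

# 2. Reject messages from specific senders inside the organization.
#    Mirrors "Block messages from: Selected senders" in the EAC.
Set-Mailbox -Identity $Mailbox -RejectMessagesFromSendersOrMembers $BlockedSenders

# 3. Read the settings back so the change can be confirmed and recorded.
$Result = Get-Mailbox -Identity $Mailbox |
    Select-Object DisplayName,
                  RequireSenderAuthenticationEnabled,
                  AcceptMessagesOnlyFromSendersOrMembers,
                  RejectMessagesFromSendersOrMembers
$Result | Format-List

# 4. Fail loudly if the restriction did not apply, so nobody assumes the mailbox is
#    protected when it is not.
if (-not $Result.RequireSenderAuthenticationEnabled) {
    throw "Sender authentication requirement was not applied to $Mailbox"
}

# 5. Delivery restrictions do not touch mailbox permissions: anyone holding Full Access
#    can still read and change the mailbox contents. List those delegates explicitly so
#    they are reviewed as part of the same change.
Get-MailboxPermission -Identity $Mailbox |
    Where-Object { $_.AccessRights -contains "FullAccess" -and -not $_.IsInherited } |
    Format-Table User, AccessRights
```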

Manage the Tenant Allow/Block list in the Microsoft Defender portal

The Tenant Allow/Block List is a feature in Microsoft Defender for Office 365 that allows you to customize the filtering of inbound email messages for your organization. You can use the Tenant Allow/Block List to override the default verdicts of Microsoft's anti-spam and anti-phishing engines, and specify how you want certain senders, domains, or IP addresses to be treated. The Tenant Allow/Block List has two components:

  • Allowlist. The Allowlist lets you specify the email sources that you trust and want to receive messages from, regardless of their spam or phishing score.
  • Blocklist. The Blocklist lets you specify the email sources that you don't trust and want to block messages from, regardless of their spam or phishing score.

In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, you might disagree with the EOP or Microsoft Defender for Office 365 filtering verdict. For example, a good message might be marked as bad (a false positive), or a bad message might be allowed through (a false negative).

The Tenant Allow/Block List in the Microsoft Defender portal gives you a way to manually override the Defender for Office 365 or EOP filtering verdicts. The list is used during mail flow for incoming messages from external senders. The Tenant Allow/Block List doesn't apply to internal messages within the organization. However, block entries for domains and email addresses prevent users in the organization from sending email to those blocked domains and addresses.

The Tenant Allow/Block list is available in the Microsoft Defender portal > Policies & rules > Threat Policies > Tenant Allow/Block Lists in the Rules section.

Organizations should keep in mind the following considerations when managing allows and blocks in the Tenant Allow/Block list:

  • Entry limits for domains and email addresses:
    • Exchange Online Protection. The maximum number of allow entries is 500, and the maximum number of block entries is 500 (1000 domain and email address entries in total).
    • Defender for Office 365 Plan 1. The maximum number of allow entries is 1000, and the maximum number of block entries is 1000 (2000 domain and email address entries in total).
    • Defender for Office 365 Plan 2. The maximum number of allow entries is 5000, and the maximum number of block entries is 10000 (15000 domain and email address entries in total).
  • For spoofed senders, the maximum number of allow entries and block entries is 1024 (1024 allow entries and no block entries, 512 allow entries and 512 block entries, etc.).
  • Entries for spoofed senders never expire.
  • An entry should be active within 5 minutes.

Blocked users are potentially compromised users. They possibly exceeded one of their company's outbound sending limits as specified in the service limits. Or, they possibly exceeded the sending limits in their company's outbound spam policies. Sending limits apply to the number of recipients, number of messages, and number of recipients per message that a user can send from their Exchange Online account.

If a user exceeds a sending limit:

  • The system adds the user to the Restricted users page in the Microsoft Defender portal. Doing so blocks the user from sending email.
  • The user can still receive email.

When this scenario occurs and the user later tries to send email, the system returns the message in a nondelivery report (also known as an NDR, or bounce message) with the error code 5.1.8 and the following text:

Your message couldn't be delivered because you weren't recognized as a valid sender. The most common reason for this is that your email address is suspected of sending spam and it's no longer allowed to send email. Contact your email admin for assistance. Remote Server returned '550 5.1.8 Access denied, bad outbound sender.'

There are two ways in which an administrator can unblock a user so they can resume sending email:

  • Remove the user from the Restricted users page in the Microsoft Defender portal.
  • Through Exchange Online PowerShell.

Caution

A sender exceeding the outbound email limits is an indicator of a compromised account. Before you remove the user from the Restricted users portal, be sure to follow the required steps to regain control of their account. For more information, see Responding to a compromised email account in Office 365.

Organizations should keep in mind the following best practices when using the Tenant Allow/Block list:

  • Use the Tenant Allow/Block list sparingly and cautiously. It can increase the risk of spam or phishing messages reaching your users.
  • Only add entries to the Tenant Allow/Block list that you trust and verify. Avoid adding generic or broad entries that can cover multiple sources.
  • Review and update the Tenant Allow/Block list regularly. Remove any entries that are no longer needed or relevant.
  • Monitor and analyze the email traffic and reports in Microsoft Defender for Office 365. Adjust the Tenant Allow/Block list accordingly.
  • Educate and inform your users about the Tenant Allow/Block list. Encourage them to report any suspicious or unwanted messages they receive.

Block entries in the Tenant Allow/Block List

The Blocklist lets you specify the email sources that you don't trust and want to block messages from, regardless of their spam or phishing score. The Blocklist is useful when you want to protect your users from spam or phishing messages that might bypass Microsoft's engines.

Spam or phishing messages can pose security risks, waste your users' time and resources, and harm your organization's reputation. By adding untrusted senders, domains, or IP addresses to the Blocklist, you can prevent their messages from reaching your users' inboxes, and instead, divert them to the junk email folder or the quarantine.

Some examples of email sources that you might want to add to the Blocklist are:

  • Known spammers or phishers that target your organization.
  • Unsolicited or unwanted marketing or promotional messages.
  • Malicious or fraudulent messages that attempt to impersonate legitimate senders.
  • Messages that contain inappropriate or offensive content.

Use the Submissions page (also known as admin submission) to create block entries for the following types of items as you report them to Microsoft as false negatives:

  • Domains and email addresses. Email messages from these senders are marked as high confidence phishing and then moved to quarantine. Users in the organization can't send email to these blocked domains and addresses. They receive the following nondelivery report (also known as an NDR or bounce message): 550 5.7.703 Your message can't be delivered because messages to XXX, YYY are blocked by your organization using Tenant Allow Block List. The entire message is blocked for all internal and external recipients of the message, even if only one recipient email address or domain is defined in a block entry.

    Tip

    To block only spam from a specific sender, add the email address or domain to the Blocklist in anti-spam policies. To block all email from the sender, use Domains and email addresses in the Tenant Allow/Block List.

  • Files. Email messages that contain these blocked files are blocked as malware. Messages containing the blocked files are quarantined.

  • URLs. Email messages that contain these blocked URLs are blocked as high confidence phishing. Messages containing the blocked URLs are quarantined.

In the Tenant Allow/Block List, you can also directly create block entries for the following types of items:

  • Domains and email addresses, Files, and URLs.
  • Spoofed senders. If you manually override an existing allow verdict from spoof intelligence, the blocked spoofed sender becomes a manual block entry that appears only on the Spoofed senders tab in the Tenant Allow/Block List.

By default, block entries for domains and email addresses, files and URLs expire after 30 days. However, you can set them to either expire after 90 days, or never expire. Block entries for spoofed senders never expire.

Note

In the Tenant Allow/Block List, block entries take precedence over allow entries.

Allow entries in the Tenant Allow/Block List

The Allowlist is useful when you want to prevent false positives, or legitimate messages that are mistakenly marked as spam or phishing by Microsoft's engines. False positives can cause frustration and inconvenience for your users, and potentially disrupt your business operations or damage your reputation.

By adding trusted senders, domains, or IP addresses to the Allowlist, you can ensure that their messages are delivered to your users' inboxes without Microsoft Defender for Office 365 filtering or quarantining them. Some examples of email sources that you might want to add to the Allowlist are:

  • Internal or external partners that you collaborate with frequently.
  • Customers or vendors that you communicate with regularly.
  • Newsletters or subscriptions that you or your users signed up for.
  • Government agencies or regulatory bodies that you need to comply with.

The Allowlist is managed by the Global Administrators or Security Administrators of your organization. You can add up to 1,024 entries to the Allowlist. Each entry can be a sender, a domain, or an IP address. You can also specify the scope of the Allowlist entry, which determines who in your organization it affects. The scope can be one of the following settings:

  • Organization-wide. The entry applies to all users and groups in your organization.
  • Domain-wide. The entry applies to all users and groups in a specific domain in your organization.
  • User. The entry applies to a specific user or group in your organization.

You can't create allow entries for domains and email addresses directly in the Tenant Allow/Block List. Unnecessary allow entries expose your organization to malicious email the system would normally filter. Instead, the Global or Security admin can submit messages on the Submissions page when they encounter false positives, such as legitimate emails that were incorrectly blocked. Similarly, if spoof intelligence already blocked a message as spoofing, use the Submissions page to report the email to Microsoft as Should not have been blocked (False positive). You can proactively create an allow entry for a spoofed sender on the Spoofed sender tab in the Tenant Allow/Block List before spoof intelligence identifies and blocks the message as spoofing.

The allow entry process is outlined in the following steps:

  1. Blocked message. A user receives an email that they believe shouldn't have been blocked (a false positive).
  2. Submit the message as a false positive. The user contacts the Global or Security admin, who in turn submits the blocked message as Should not have been blocked (False positive) on the Submissions page. This action signals to Microsoft that the email was incorrectly flagged.
  3. Allow entry creation. When a blocked message is submitted as a false positive, Microsoft reviews the submission and determines whether it was incorrectly blocked. If Microsoft confirms the block was a false positive, an allow entry for the sender is automatically added to the Domains & email addresses tab on the Tenant Allow/Block Lists page. This entry allows future emails from the same sender to bypass filtering and be delivered to recipients.

Note

This process avoids having administrators create allow entries directly, which keeps unnecessary allow entries to a minimum because Microsoft validates each case.

By default, allow entries for domains and email addresses exist for 30 days. During those 30 days, Microsoft learns from the allow entries and removes them or automatically extends them. After Microsoft learns from the removed allow entries, messages that contain those entities are delivered, unless something else in the message is detected as malicious.

During mail flow, if messages containing the allowed entity pass other checks in the filtering stack, the messages are delivered. For example, if a message passes email authentication checks, URL filtering, and file filtering, the message is delivered if it's also from an allowed sender.

The following list describes what happens in the Tenant Allow/Block List when you report something to Microsoft as a false positive on the Submissions page:

  • Email attachments and URLs. An allow entry is created and the entry appears on the Files or URLs tab in the Tenant Allow/Block List, respectively. For URLs reported as false positives, Microsoft allows subsequent messages that contain variations of the original URL. For example, let's assume you use the Submissions page to report the incorrectly blocked URL www.contoso.com/abc. If your organization later receives a message that contains the URL (for example but not limited to: www.contoso.com/abc, www.contoso.com/abc?id=1, www.contoso.com/abc/def/gty/uyt?id=5, or www.contoso.com/abc/whatever), the message isn't blocked based on the URL. In other words, you don't need to report multiple variations of the same URL as good to Microsoft.

  • Email. If the EOP or Defender for Office 365 filtering stack blocked a message, an allow entry might be automatically created in the Tenant Allow/Block List:

    • If spoof intelligence blocked the message, an allow entry for the sender is created, and the entry appears on the Spoofed senders tab in the Tenant Allow/Block List.
    • If user (or graph) impersonation protection in Defender for Office 365 blocked the message, an allow entry isn't created in the Tenant Allow/Block List. Instead, the domain or sender is added to the Trusted senders and domains section in the anti-phishing policy that detected the message.
    • If file-based filters blocked the message, an allow entry for the file is created, and the entry appears on the Files tab in the Tenant Allow/Block List.
    • If URL-based filters blocked the message, an allow entry for the URL is created, and the entry appears on the URL tab in the Tenant Allow/Block List.
    • If the message was blocked for any other reason, an allow entry for the sender email address or domain is created, and the entry appears on the Domains & addresses tab in the Tenant Allow/Block List.
    • If the message wasn't blocked due to filtering, no allow entries are created anywhere.

After you add an allow entry on the Submissions page or a block entry in the Tenant Allow/Block List, the entry should start working immediately (within 5 minutes). If Microsoft learned from the allow entry, the entry is removed. You then receive an alert about the removal of the now unnecessary allow entry from the built-in alert policy named Removed an entry in Tenant Allow/Block List.

Create block entries for domains and email addresses

To create block entries for domains and email addresses, use either of the following methods:

  • From the Microsoft Defender portal. There are two methods you can use:
    • From the Emails tab on the Submissions page. When you submit a message as Should have been blocked (False negative), you can select Block all emails from this sender or domain to add a block entry to the Domains & email addresses tab on the Tenant Allow/Block Lists page. For more information on the Submissions page, see the next training unit, which examines how to submit messages, URLs, and attachments to Microsoft for analysis.
    • From the Tenant Allow/Block Lists page, which is examined in the next section.
  • From Exchange Online PowerShell, which is examined in a later section.

Use Microsoft Defender to create block entries

Perform the following steps to create block entries for domains and email addresses in the Tenant Allow/Block List using the Microsoft Defender portal:

  1. In the Microsoft Defender portal, go to Policies & rules > Threat Policies > Rules section > Tenant Allow/Block Lists.
  2. On the Tenant Allow/Block Lists page, verify that the Domains & addresses tab is selected.
  3. On the Domains & addresses tab, select +Block.
  4. In the Block domains & addresses window that appears, configure the following settings:
    • Domains & addresses. Enter one email address or domain per line. You can enter a maximum of 20 lines.
    • Remove block entry after. Select from the following values:
      • 1 day
      • 7 days
      • 30 days (default)
      • Never expire
      • Specific date: The maximum value is 90 days from today.
    • Optional note. Enter descriptive text for why you're blocking the email addresses or domains.
  5. When you're finished, select Add.

The entry that you created should now appear on the Domains & email addresses tab.

Use PowerShell to create block entries

Enter the following command to create a block entry for domains and email addresses in the Tenant Allow/Block List using Exchange Online PowerShell:

New-TenantAllowBlockListItems -ListType Sender -Block -Entries "DomainOrEmailAddress1","DomainOrEmailAddress2",..."DomainOrEmailAddressN" <-ExpirationDate Date | -NoExpiration> [-Notes <String>]

The following example adds block entries for the specified email addresses that expire on a specific date.

New-TenantAllowBlockListItems -ListType Sender -Block -Entries "test@badattackerdomain.com","test2@anotherattackerdomain.com" -ExpirationDate 12/31/2024
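The following script, added here as an example and not taken from the training module, wraps the command above with the checks an administrator would want: it counts existing sender block entries against the tier limit described earlier, skips values that are already blocked, adds the rest with an expiration date and a note, and reads the entries back. It assumes an existing Exchange Online session (Connect-ExchangeOnline); the domains, addresses and the limit value are placeholders.

```powershell
# Added example (not part of the training module). Assumes Connect-ExchangeOnline
# has already been run. The entries below are placeholders.
$NewEntries = @("badattackerdomain.example", "test2@anotherattackerdomain.example")
$Expires    = (Get-Date).AddDays(90)   # the portal caps "Specific date" at 90 days out

# Block-entry cap for this tenant's tier (EOP 500, Plan 1 1000, Plan 2 10000 per the
# limits above). Placeholder: set it to match your licensing.
$BlockEntryLimit = 1000

# 1. Count the existing sender block entries before adding more. ListType Sender
#    covers both domains and email addresses.
$Existing = @(Get-TenantAllowBlockListItems -ListType Sender -Block)
if ($Existing.Count + $NewEntries.Count -gt $BlockEntryLimit) {
    throw "Adding $($NewEntries.Count) entries would exceed the $BlockEntryLimit block-entry limit"
}

# 2. Skip values that are already blocked so the command does not fail on duplicates.
$Already = @($Existing | ForEach-Object { $_.Value })
$ToAdd   = @($NewEntries | Where-Object { $Already -notcontains $_ })

# 3. Create the block entries with an expiration date and an audit note.
if ($ToAdd.Count -gt 0) {
    New-TenantAllowBlockListItems -ListType Sender -Block -Entries $ToAdd `
        -ExpirationDate $Expires -Notes "Blocked after phishing campaign review"
}

# 4. Read back each entry. Entries should be active within 5 minutes, so a missing
#    entry right after creation is a warning, not necessarily an error.
foreach ($entry in $NewEntries) {
    $item = Get-TenantAllowBlockListItems -ListType Sender -Block -Entry $entry
    if (-not $item) {
        Write-Warning "Block entry for $entry not found yet; allow up to 5 minutes"
    } else {
        "{0,-45} expires {1}" -f $item.Value, $item.ExpirationDate
    }
}
```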

Verify the alert settings for blocked users

The default alert policy named User restricted from sending email automatically notifies administrators when it blocks users from sending outbound mail. You can verify these settings and add other users to notify. For more information about alert policies, see Alert policies in Microsoft 365.

For alerts to work, an organization must first turn on audit log search. For more information, see Turn the audit log search on or off.

Complete the following steps to verify the alert settings for blocked users.

  1. In the Microsoft Defender portal, go to Email & collaboration > Policies & rules > Alert policy.

  2. On the Alert policy page, find and select the alert named User restricted from sending email. You can sort the policies by name, or use the Search box to find the policy.

  3. In the User restricted from sending email pane that appears, verify or configure the following settings and then select Next:

    • Status. The status must be On. If necessary, set to On.
    • Email recipients. Select Edit and verify or configure the following settings in the Edit recipients pane that appears:
      • Send email notifications. The setting must be On. If necessary, set to On.
      • Email recipients. The default value is TenantAdmins (meaning, Global admin members). To add more recipients, select inside the box. A recipient list appears, and you can start typing a name to filter and select a recipient. You can remove an existing recipient from the box by selecting the X that appears next to their name.
      • Daily notification limit. The default value is No limit. However, you can select a limit for the maximum number of notifications per day.
  4. On the User restricted from sending email pane, select Close.

Unblock a user through the Microsoft Defender portal

You can unblock a blocked user. Doing so enables the user to resume sending email. To do so, you must remove the user from the Restricted users list in the Microsoft Defender portal. Complete the following steps to unblock a user:

  1. In the Microsoft Defender portal at https://security.microsoft.com, go to Email & collaboration > Review > Restricted users.
  2. On the Restricted users page, find and select the user that you want to unblock.
  3. Select the Unblock action that appears.
  4. In the Unblock user pane that appears, read the details about the restricted account. You should review the recommendations to ensure you're taking the proper actions, especially with a compromised account. Select Next.
  5. The next screen has recommendations to help prevent future compromise. Enabling multifactor authentication and resetting the password are a good defense. Select Submit.
  6. Select Yes to confirm the change.

Warning

It can take up to one hour for the system to remove all restrictions from the user.

Unblock a user using Exchange Online PowerShell

To view the list of blocked users who can't send email, run the following command:

Get-BlockedSenderAddress

To view details about a specific user, replace [emailaddress] with their email address and run the following command:

Get-BlockedSenderAddress -SenderAddress [emailaddress]

To remove a user from the Restricted users list, replace [emailaddress] with their email address and run the following command:

Remove-BlockedSenderAddress -SenderAddress [emailaddress]
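The following function, added here as an example and not taken from the training module, combines the three commands above into a single guarded unblock: it confirms the address is actually restricted, shows the block details for the incident record, removes the restriction only on explicit confirmation, and re-queries afterwards. Unblock-RestrictedSender is a hypothetical name; the script assumes an existing Exchange Online session (Connect-ExchangeOnline) and the address is a placeholder.

```powershell
# Added example (not part of the training module). Assumes Connect-ExchangeOnline
# has already been run. Unblock-RestrictedSender is a hypothetical wrapper name.
function Unblock-RestrictedSender {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string] $SenderAddress
    )

    # 1. Confirm the user really is on the Restricted users list before touching anything.
    $blocked = Get-BlockedSenderAddress -SenderAddress $SenderAddress
    if (-not $blocked) {
        Write-Warning "$SenderAddress is not on the Restricted users list; nothing to do"
        return $null
    }

    # 2. Show why and when the block was applied so it can be matched against the
    #    incident record: a sending-limit restriction is an indicator of a compromised
    #    account, and the account should be remediated before it is unblocked.
    $blocked | Format-List SenderAddress, Reason, CreatedDatetime

    # 3. Remove the restriction only on explicit confirmation. -WhatIf shows the action
    #    without changing anything; -Confirm prompts before the removal.
    if ($PSCmdlet.ShouldProcess($SenderAddress, "Remove from Restricted users list")) {
        Remove-BlockedSenderAddress -SenderAddress $SenderAddress
    }

    # 4. Re-query. The list entry should be gone, but full removal of all restrictions
    #    can take up to one hour.
    return (Get-BlockedSenderAddress -SenderAddress $SenderAddress)
}

# Review every restricted sender first, then unblock one remediated account.
Get-BlockedSenderAddress | Format-Table SenderAddress, Reason, CreatedDatetime
Unblock-RestrictedSender -SenderAddress "user@contoso.example" -Confirm
```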

Troubleshoot common block/unblock issues

Blocking and unblocking users from sending and receiving email using Microsoft Defender for Office 365 is usually a straightforward and effective process. However, you might encounter some issues or errors that prevent you from performing the desired action or achieving the expected result. This section examines how to troubleshoot some of the common issues that can arise when using Microsoft Defender for Office 365 to block and unblock users from sending and receiving email.

Issue: The user can send or receive email after being blocked

In this scenario, the user can still send or receive email messages even though you used Microsoft Defender for Office 365 to block them from sending and receiving email. Some of the possible reasons and solutions include:

  • The user has an active session. You can force the user to sign out from all devices by resetting their password. You can also revoke their sign-in sessions from the Microsoft Entra ID admin center.
  • The user has a forwarding rule that redirects their email to another account. You can check and disable the forwarding rule from the Exchange admin center or the Outlook web app.
  • The user has a delegate or a shared mailbox that allows them to access their email. You can check and remove the delegate or the shared mailbox from the Exchange admin center or the Outlook web app.
  • The user has a cached copy of their email on their device. You can instruct the user to delete the cached copy or switch to online mode.

Issue: The user can't send or receive email after being unblocked

In this scenario, the user can’t send or receive email messages even though you used Microsoft Defender for Office 365 to unblock them from sending and receiving email. Some of the possible reasons and solutions include:

  • The user must sign in again to refresh their session. You can instruct the user to sign out and sign in again from all devices.
  • The user has a spam filter or a transport rule that blocks their email. You can check and disable the spam filter or the transport rule from the Microsoft 365 Defender portal or the Exchange admin center.
  • The user has a quota limit or a restriction that prevents them from sending or receiving email. You can check and adjust the quota limit or the restriction from the Exchange admin center or the Outlook web app.
  • The user has a network or a device issue that affects their email connectivity. You can instruct the user to check their network settings, update their device software, or contact their IT support.

Additional reading. For more information on modifying Allow/Block lists and creating Allow/Block lists for spoofed senders and impersonated senders, see Allow or block email using the Tenant Allow/Block List.