Configure connection filtering

Tip

Did you know you can try the features in Microsoft Defender XDR for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft Defender portal trials hub. Learn about who can sign up and trial terms on Try Microsoft Defender for Office 365.

In Microsoft 365 organizations with Exchange Online mailboxes or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, connection filtering and the default connection filter policy identify good or bad source email servers by IP addresses. The key components of the default connection filter policy are:

  • IP Allow List: Skip spam filtering for all incoming messages from the specified source IP addresses or IP address ranges. All incoming messages are scanned for malware and high confidence phishing. For other scenarios where spam filtering still occurs on messages from servers in the IP Allow List, see the Scenarios where messages from sources in the IP Allow List are still filtered section later in this article. For more information about how the IP Allow List should fit into your overall safe senders strategy, see Create safe sender lists in EOP.

  • IP Block List: Block all incoming messages from the specified source IP addresses or IP address ranges. The incoming messages are rejected, aren't marked as spam, and no other filtering occurs. For more information about how the IP Block List should fit into your overall blocked senders strategy, see Create block sender lists in EOP.

  • Safe list: The safe list in the connection filter policy is a dynamic allow list that requires no customer configuration. Microsoft identifies these trusted email sources from subscriptions to various third-party lists. You enable or disable the use of the safe list; you can't configure the servers in the list. Spam filtering is skipped on incoming messages from the email servers on the safe list.

This article describes how to configure the default connection filter policy in the Microsoft 365 Microsoft Defender portal or in Exchange Online PowerShell. For more information about how EOP uses connection filtering is part of your organization's overall anti-spam settings, see Anti-spam protection.

Note

The IP Allow List, safe list, and the IP Block List are one part of your overall strategy to allow or block email in your organization. For more information, see Create safe sender lists and Create blocked sender lists.

IPv6 ranges aren't supported.

Messages from blocked sources in the IP Block List aren't available in message trace.

What do you need to know before you begin?

  • You open the Microsoft Defender portal at https://security.microsoft.com. To go directly to the Anti-spam policies page, use https://security.microsoft.com/antispam.

  • To connect to Exchange Online PowerShell, see Connect to Exchange Online PowerShell. To connect to standalone EOP PowerShell, see Connect to Exchange Online Protection PowerShell.

  • You need to be assigned permissions before you can do the procedures in this article. You have the following options:

    • Microsoft Defender XDR Unified role based access control (RBAC) (If Email & collaboration > Defender for Office 365 permissions is Active. Affects the Defender portal only, not PowerShell): Authorization and settings/Security settings/Core Security settings (manage) or Authorization and settings/Security settings/Core Security settings (read).

    • Exchange Online permissions:

      • Modify policies: Membership in the Organization Management or Security Administrator role groups.
      • Read-only access to policies: Membership in the Global Reader, Security Reader, or View-Only Organization Management role groups.
    • Microsoft Entra permissions: Membership in the Global Administrator*, Security Administrator, Global Reader, or Security Reader roles gives users the required permissions and permissions for other features in Microsoft 365.

      Important

      * Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.

  • To find the source IP addresses of the email servers (senders) that you want to allow or block, you can check the connecting IP (CIP) header field in the message header. To view a message header in various email clients, see View internet message headers in Outlook.

  • The IP Allow List takes precedence over the IP Block List (an address on both lists isn't blocked).

  • The IP Allow List and the IP Block List each support a maximum of 1273 entries, where an entry is a single IP address, an IP address range, or a Classless InterDomain Routing (CIDR) IP.

Use the Microsoft Defender portal to modify the default connection filter policy

  1. In the Microsoft Defender portal at https://security.microsoft.com, go to Email & Collaboration > Policies & Rules > Threat policies > Anti-spam in the Policies section. Or, to go directly to the Anti-spam policies page, use https://security.microsoft.com/antispam.

  2. On the Anti-spam policies page, select Connection filter policy (Default) from the list by clicking anywhere in the row other than the check box next to the name.

  3. In the policy details flyout that opens, use the Edit links to modify the policy settings:

    • Description section: Select Edit description to enter a description for the policy in the Description box of the Edit name and description flyout that opens. You can't modify the name of the policy.

      When you're finished in the Edit name and description flyout, select Save.

    • Connection filtering section: Select Edit connection filter policy. In the flyout that opens, configure the following settings:

      • Always allow messages from the following IP addresses or address range: This setting is the IP Allow List. Click in the box, enter a value, and then press the ENTER key or select the complete value that's displayed below the box. Valid values are:

        Repeat this step as many times as necessary. To remove an existing entry, select next to the entry.

    • Always block messages from the following IP addresses or address range: This setting is the IP Block List. Enter a single IP, IP range, or CIDR IP in the box as previously described in the Always allow messages from the following IP addresses or address range setting.

    • Turn on safe list: Enable or disable the use of the safe list to identify known, good senders that skip spam filtering. To use the safe list, select the check box.

    When you're finished in the flyout, select Save.

  4. Back on the policy details flyout, select Close.

Use the Microsoft Defender portal to view the default connection filter policy

In the Microsoft Defender portal at https://security.microsoft.com, go to Email & Collaboration > Policies & Rules > Threat policies > Anti-spam in the Policies section. Or, to go directly to the Anti-spam policies page, use https://security.microsoft.com/antispam.

On the Anti-spam policies page, the following properties are displayed in the list of policies:

  • Name: The default connection filter policy is named Connection filter policy (Default).
  • Status: The value is Always on for the default connection filter policy.
  • Priority: The value is Lowest for the default connection filter policy.
  • Type: The value is blank for the default connection filter policy.

To change the list of policies from normal to compact spacing, select Change list spacing to compact or normal, and then select Compact list.

Use the Search box and a corresponding value to find specific policies.

Select the default connection filter policy by clicking anywhere in the row other than the check box next to the name to open the details flyout for the policy.

Use Exchange Online PowerShell or standalone EOP PowerShell to modify the default connection filter policy

Use the following syntax:

Set-HostedConnectionFilterPolicy -Identity Default [-AdminDisplayName <"Optional Comment">] [-EnableSafeList <$true | $false>] [-IPAllowList <IPAddressOrRange1,IPAddressOrRange2...>] [-IPBlockList <IPAddressOrRange1,IPAddressOrRange2...>]
  • Valid IP address or address range values are:
    • Single IP: For example, 192.168.1.1.
    • IP range: For example, 192.168.0.1-192.168.0.254.
    • CIDR IP: For example, 192.168.0.1/25. Valid network mask values are /24 through /32.
  • To overwrite any existing entries with the values you specify, use the following syntax: IPAddressOrRange1,IPAddressOrRange2,...,IPAddressOrRangeN.
  • To add or remove IP addresses or address ranges without affecting other existing entries, use the following syntax: @{Add="IPAddressOrRange1","IPAddressOrRange2",...,"IPAddressOrRangeN";Remove="IPAddressOrRange3","IPAddressOrRange4",...,"IPAddressOrRangeN"}.
  • To empty the IP Allow List or IP Block List, use the value $null.

This example configures the IP Allow List and the IP Block List with the specified IP addresses and address ranges.

Set-HostedConnectionFilterPolicy -Identity Default -IPAllowList 192.168.1.10,192.168.1.23 -IPBlockList 10.10.10.0/25,172.17.17.0/24

This example adds and removes the specified IP addresses and address ranges from the IP Allow List.

Set-HostedConnectionFilterPolicy -Identity Default -IPAllowList @{Add="192.168.2.10","192.169.3.0/24","192.168.4.1-192.168.4.5";Remove="192.168.1.10"}

For detailed syntax and parameter information, see Set-HostedConnectionFilterPolicy.

How do you know these procedures worked?

To verify that you've successfully modified the default connection filter policy, do any of the following steps:

  • On the Anti-spam policies page in the Microsoft Defender portal at https://security.microsoft.com/antispam, select Connection filter policy (Default) from the list by clicking anywhere in the row other than the check box next to the name, and verify the policy settings in the details flyout that opens.

  • In Exchange Online PowerShell or standalone EOP PowerShell, run the following command and verify the settings:

    Get-HostedConnectionFilterPolicy -Identity Default
    
  • Send a test message from an entry on the IP Allow List.

Additional considerations for the IP Allow List

The following sections identify additional items that you need to know about when you configure the IP Allow List.

Note

All incoming messages are scanned for malware and high confidence phishing, regardless of whether the message source is in the IP Allow List.

Skip spam filtering for a CIDR IP outside of the available range

As described earlier in this article, you can only use a CIDR IP with the network mask /24 to /32 in the IP Allow List. To skip spam filtering on messages from source email servers in the /1 to /23 range, you need to use Exchange mail flow rules (also known as transport rules). But, we recommend that you don't use the mail flow rule method, because the messages are blocked if an IP address in the /1 to /23 CIDR IP range appears on any of Microsoft's proprietary or third-party block lists.

Now that you're fully aware of the potential issues, you can create a mail flow rule with the following settings (at a minimum) to ensure that messages from these IP addresses skip spam filtering:

  • Rule condition: Apply this rule if > The sender > IP address is in any of these ranges or exactly matches > (enter your CIDR IP with a /1 to /23 network mask).
  • Rule action: Modify the message properties > Set the spam confidence level (SCL) > Bypass spam filtering.

You can audit the rule, test the rule, activate the rule during a specific time period, and other selections. We recommend testing the rule for a period before you enforce it. For more information, see Manage mail flow rules in Exchange Online.

Skip spam filtering on selective email domains from the same source

Typically, adding an IP address or address range to the IP Allow List means you trust all incoming messages from that email source. What if that source sends email from multiple domains, and you want to skip spam filtering for some of those domains, but not others? You can use the IP Allow List in combination with a mail flow rule.

For example, the source email server 192.168.1.25 sends email from the domains contoso.com, fabrikam.com, and tailspintoys.com, but you only want to skip spam filtering for messages from senders in fabrikam.com:

  1. Add 192.168.1.25 to the IP Allow List.

  2. Configure a mail flow rule with the following settings (at a minimum):

    • Rule condition: Apply this rule if > The sender > IP address is in any of these ranges or exactly matches > 192.168.1.25 (the same IP address or address range that you added to the IP Allow List in the previous step).
    • Rule action: Modify the message properties > Set the spam confidence level (SCL) > 0.
    • Rule exception: The sender > domain is > fabrikam.com (only the domain or domains that you want to skip spam filtering).

Scenarios where messages from sources in the IP Allow List are still filtered

Messages from an email server in your IP Allow List are still subject to spam filtering in the following scenarios:

  • An IP address in your IP Allow List is also configured in an on-premises, IP-based inbound connector in any tenant in Microsoft 365 (let's call this Tenant A), and Tenant A and the EOP server that first encounters the message both happen to be in the same Active Directory forest in the Microsoft datacenters. In this scenario, IPV:CAL is added to the message's anti-spam message headers (indicating the message bypassed spam filtering), but the message is still subject to spam filtering.

  • Your tenant that contains the IP Allow List and the EOP server that first encounters the message both happen to be in different Active Directory forests in the Microsoft datacenters. In this scenario, IPV:CAL isn't added to the message headers, so the message is still subject to spam filtering.

If you encounter either of these scenarios, you can create a mail flow rule with the following settings (at a minimum) to ensure that messages from the problematic IP addresses skip spam filtering:

  • Rule condition: Apply this rule if > The sender > IP address is in any of these ranges or exactly matches > (your IP address or addresses).
  • Rule action: Modify the message properties > Set the spam confidence level (SCL) > Bypass spam filtering.

New to Microsoft 365?


The short icon for LinkedIn Learning. New to Microsoft 365? Discover free video courses for Microsoft 365 admins and IT pros, brought to you by LinkedIn Learning.