Manage your allows and blocks in the Tenant Allow/Block List

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365 Defender portal trials hub. Learn about who can sign up and trial terms here.

In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, you might disagree with the EOP filtering verdict. For example, a good message might be marked as bad (a false positive), or a bad message might be allowed through (a false negative).

The Tenant Allow/Block List in the Microsoft 365 Defender portal gives you a way to manually override the Microsoft 365 filtering verdicts. The Tenant Allow/Block List is used during mail flow for incoming messages (does not apply to intra-org messages) and at the time of user clicks. You can specify the following types of overrides:

  • URLs to block.
  • Files to block.
  • Sender emails or domains to block.
  • Spoofed senders to allow or block. If you override the allow or block verdict in the spoof intelligence insight, the spoofed sender becomes a manual allow or block entry that only appears on the Spoof tab in the Tenant Allow/Block List. You can also manually create allow or block entries for spoofed senders here before they're detected by spoof intelligence.
  • URLs to allow.
  • Files to allow.
  • Sender emails or domains to allow.

This article describes how to configure entries in the Tenant Allow/Block List in the Microsoft 365 Defender portal or in PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes).

What do you need to know before you begin?

  • In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Policies & rules > Threat Policies > Tenant Allow/Block Lists in the Rules section. To go directly to the Tenant Allow/Block Lists page, use https://security.microsoft.com/tenantAllowBlockList.

  • You specify files by using the SHA256 hash value of the file. To find the SHA256 hash value of a file in Windows, run the following command in a Command Prompt:

    certutil.exe -hashfile "<Path>\<Filename>" SHA256
    

    An example value is 768a813668695ef2483b2bde7cf5d1b2db0423a0d3e63e498f3ab6f2eb13ea3a. Perceptual hash (pHash) values are not supported.

  • For senders, URLs, and file hashes, the Tenant Allow/Block List allows 500 entries each for both allows and blocks, making it a total of 1000 entries. For spoofing (spoofed senders), the total number of entries allowed is 1024.

  • The maximum number of characters for each entry is:

    • File hashes = 64
    • URL = 250
  • An entry should be active within 30 minutes.

  • By default, entries in the Tenant Allow/Block List expire after 30 days. You can specify a different expiration date, or, for block entries only, set them to never expire.

  • To connect to Exchange Online PowerShell, see Connect to Exchange Online PowerShell. To connect to standalone EOP PowerShell, see Connect to Exchange Online Protection PowerShell.

  • You need to be assigned permissions in Exchange Online before you can do the procedures in this article:

    • To add and remove values from the Tenant Allow/Block List, you need to be a member of
      • Organization Management or Security Administrator role group (Security admin role)
      • Security Operator role group (Tenant AllowBlockList Manager).
    • For read-only access to the Tenant Allow/Block List, you need to be a member of
      • Global Reader role group
      • Security Reader role group
      • View-Only configuration role group

    For more information, see Permissions in Exchange Online.

    Note

    • Adding users to the corresponding Azure Active Directory role in the Microsoft 365 admin center gives users the required permissions and permissions for other features in Microsoft 365. For more information, see About admin roles.
    • The View-Only Organization Management role group in Exchange Online also gives read-only access to the feature.
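
The following added example (not part of the original article or Microsoft's tooling) shows a pre-flight check you can run before creating entries: it computes the SHA256 value with Get-FileHash and validates candidates against the length and count limits listed above. The function names and the sample values are hypothetical and constructed for illustration.

```powershell
# Added example: pre-flight checks for Tenant Allow/Block List candidates.
# Function names are hypothetical; the limits are the ones stated in this article.
$MaxUrlLength     = 250   # maximum characters for a URL entry
$HashLength       = 64    # a SHA256 value written as hexadecimal
$MaxEntriesPerSet = 500   # per entry type, counted separately for allows and blocks

function Get-TablFileHash {
    param([Parameter(Mandatory)][string]$Path)
    # Produces the same SHA256 value as certutil.exe -hashfile, in lowercase hex.
    (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLowerInvariant()
}

function Test-TablEntry {
    param(
        [Parameter(Mandatory)][ValidateSet('FileHash', 'Url')][string]$Type,
        [Parameter(Mandatory)][AllowEmptyString()][string]$Value
    )
    $v = $Value.Trim()
    $reason = switch ($Type) {
        'FileHash' {
            if ($v.Length -ne $HashLength) { "expected $HashLength characters, got $($v.Length)" }
            elseif ($v -notmatch '^[0-9a-fA-F]+$') { 'contains non-hexadecimal characters' }
        }
        'Url' {
            if ($v.Length -eq 0) { 'empty value' }
            elseif ($v.Length -gt $MaxUrlLength) { "exceeds $MaxUrlLength characters" }
        }
    }
    [pscustomobject]@{ Type = $Type; Value = $v; Valid = -not $reason; Reason = $reason }
}

function Test-TablCapacity {
    param([int]$ExistingCount, [int]$NewCount)
    ($ExistingCount + $NewCount) -le $MaxEntriesPerSet
}

# Constructed sample input: a temporary file and a few candidate values.
$tmp = New-TemporaryFile
Set-Content -LiteralPath $tmp.FullName -Value 'constructed sample attachment' -NoNewline
$candidates = @(
    @{ Type = 'FileHash'; Value = Get-TablFileHash -Path $tmp.FullName }  # valid SHA256
    @{ Type = 'FileHash'; Value = ('ab' * 16) }                           # 32 characters: wrong length
    @{ Type = 'Url';      Value = 'contoso.com/' + ('a' * 260) }          # longer than 250 characters
)
$candidates | ForEach-Object { Test-TablEntry -Type $_.Type -Value $_.Value } | Format-Table -AutoSize
"Room for 3 new block hashes next to 498 existing: $(Test-TablCapacity -ExistingCount 498 -NewCount 3)"
Remove-Item -LiteralPath $tmp.FullName
```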

Configure the Tenant Allow/Block List

To allow or block emails, see Allow or block emails using the Tenant Allow/Block List.

To allow or block files, see Allow or block files using the Tenant Allow/Block List.

To allow or block URLs, see Allow or block URLs using the Tenant Allow/Block List.

These articles contain the instructions to add, remove, or modify entries in the Tenant Allow/Block List by using either the Microsoft 365 Defender portal or PowerShell (Exchange Online PowerShell or standalone EOP PowerShell).

What to expect after you add an allow or block entry

After you add an allow entry through the Submissions portal or a block entry in the Tenant Allow/Block List, the entry should start working immediately.

We recommend letting entries automatically expire after 30 days to see if the system has learned about the allow or block. If not, you should make another entry to give the system another 30 days to learn.

View entries in the Tenant Allow/Block List

  1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Policies & rules > Threat Policies > Tenant Allow/Block Lists in the Rules section. Or, to go directly to the Tenant Allow/Block Lists page, use https://security.microsoft.com/tenantAllowBlockList.

  2. Select the tab you want. The columns that are available depend on the tab you selected:

    • Senders:
      • Value: The sender domain or email address.
      • Action: The value Allow or Block.
      • Modified by
      • Last updated
      • Remove on
      • Notes
    • Spoofing
      • Spoofed user
      • Sending infrastructure
      • Spoof type: The value Internal or External.
      • Action: The value Block or Allow.
    • URLs:
      • Value: The URL.
      • Action: The value Allow or Block.
      • Modified by
      • Last updated
      • Remove on
      • Notes
    • Files
      • Value: The file hash.
      • Action: The value Allow or Block.
      • Modified by
      • Last updated
      • Remove on
      • Notes

    You can click on a column heading to sort in ascending or descending order.

    You can click Group to group the results. The values that are available depend on the tab you selected:

    • Senders: You can group the results by Action.
    • Spoofing: You can group the results by Action or Spoof type.
    • URLs: You can group the results by Action.
    • Files: You can group the results by Action.

    Click Search, enter all or part of a value, and then press ENTER to find a specific value. When you're finished, click Clear search.

    Click Filter to filter the results. The values that are available in the Filter flyout that appears depend on the tab you selected:

    • Senders
      • Action
      • Never expire
      • Last updated date
      • Remove on
    • Spoofing
      • Action
      • Spoof type
    • URLs
      • Action
      • Never expire
      • Last updated date
      • Remove on
    • Files
      • Action
      • Never expire
      • Last updated
      • Remove on

    When you're finished, click Apply. To clear existing filters, click Filter, and in the Filter flyout that appears, click Clear filters.

Modify entries in the Tenant Allow/Block List

  1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Policies & rules > Threat Policies > Rules section > Tenant Allow/Block Lists. Or, to go directly to the Tenant Allow/Block List page, use https://security.microsoft.com/tenantAllowBlockList.

  2. Select the tab that contains the type of entry that you want to modify:

    • Senders
    • Spoofing
    • URLs
    • Files
  3. Select the entry that you want to modify, and then click Edit. The values that you can modify in the flyout that appears depend on the tab you selected in the previous step:

    • Senders
      • Never expire and/or expiration date.
      • Optional note
    • Spoofing
      • Action: You can change the value to Allow or Block.
    • URLs
      • Never expire and/or expiration date.
      • Optional note
    • Files
      • Never expire and/or expiration date.
      • Optional note

    Note that for senders, URLs, and files, Never expire is available for block entries only.

  4. When you're finished, click Save.

Note

You can only extend allows for a maximum of 30 days after the creation date. Blocks can be extended for up to 90 days, but unlike allows, they can also be set to Never expire.

Remove entries from the Tenant Allow/Block List

  1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Policies & rules > Threat Policies > Rules section > Tenant Allow/Block Lists. Or, to go directly to the Tenant Allow/Block List page, use https://security.microsoft.com/tenantAllowBlockList.

  2. Select the tab that contains the type of entry that you want to remove:

    • Senders
    • Spoofing
    • URLs
    • Files
  3. Select the entry that you want to remove, and then click Delete.

  4. In the warning dialog that appears, click Delete.