Manage the Tenant Allow/Block List

Applies to

  • Exchange Online Protection
  • Microsoft Defender for Office 365 plan 1 and plan 2
  • Microsoft 365 Defender

In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, you might disagree with the EOP filtering verdict. For example, a good message might be marked as bad (a false positive), or a bad message might be allowed through (a false negative).

The Tenant Allow/Block List in the Microsoft 365 Defender portal gives you a way to manually override the Microsoft 365 filtering verdicts. The Tenant Allow/Block List is used during mail flow for incoming messages (it does not apply to intra-org messages) and at the time of user clicks. You can specify the following types of overrides:

  • URLs to block.
  • Files to block.
  • Sender emails or domains to block.
  • Spoofed senders to allow or block. If you override the allow or block verdict in the spoof intelligence insight, the spoofed sender becomes a manual allow or block entry that only appears on the Spoof tab in the Tenant Allow/Block List. You can also manually create allow or block entries for spoofed senders here before they're detected by spoof intelligence.
  • URLs to allow.
  • Files to allow.
  • Sender emails or domains to allow.

This article describes how to configure entries in the Tenant Allow/Block List in the Microsoft 365 Defender portal or in PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes).

What do you need to know before you begin?

  • You open the Microsoft 365 Defender portal at https://security.microsoft.com. To go straight to the Tenant Allow/Block Lists page, use https://security.microsoft.com/tenantAllowBlockList.

  • You specify files by using the SHA256 hash value of the file. To find the SHA256 hash value of a file in Windows, run the following command in a Command Prompt:

                      certutil.exe -hashfile "<Path>\<Filename>" SHA256

    An example value is 768a813668695ef2483b2bde7cf5d1b2db0423a0d3e63e498f3ab6f2eb13ea3a. Perceptual hash (pHash) values are not supported.

  • The available URL values are described in the URL syntax for the Tenant Allow/Block List section later in this article.

  • The Tenant Allow/Block List allows a maximum of 500 entries for senders, 500 entries for URLs, 500 entries for file hashes, and 1024 entries for spoofing (spoofed senders).

  • The maximum number of characters for each entry is:

    • File hashes = 64
    • URL = 250

  • An entry should be active within 30 minutes.

  • By default, entries in the Tenant Allow/Block List expire after 30 days. You can specify a date or set them to never expire.

  • To connect to Exchange Online PowerShell, see Connect to Exchange Online PowerShell. To connect to standalone EOP PowerShell, see Connect to Exchange Online Protection PowerShell.

  • You need to be assigned permissions in the Microsoft 365 Defender portal before you can do the procedures in this article:

    • Senders, URLs and files:
      • To add and remove values from the Tenant Allow/Block List, you need to be a member of the Organization Management, Security Administrator, or Security Operator role groups, or you need to be assigned the Tenant AllowBlockList Manager role.
      • For read-only access to the Tenant Allow/Block List, you need to be a member of the Global Reader or Security Reader role groups.
    • Spoofing: One of the following combinations:
      • Organization Management
      • Security Administrator and View-Only Configuration or View-Only Organization Management.

    For more information, see Permissions in Exchange Online.

    Note

    • Adding users to the corresponding Azure Active Directory role in the Microsoft 365 admin center gives users the required permissions and permissions for other features in Microsoft 365. For more information, see About admin roles.

    • The View-Only Organization Management role group in Exchange Online also gives read-only access to the feature.
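The hash bullet above shows how to compute a SHA256 value with certutil; the script below is an added example (not part of this article) that does the same from PowerShell, checks whether the hash is already listed, and adds a block entry with an explicit expiry instead of the 30-day default. It assumes an Exchange Online PowerShell session already exists (Connect-ExchangeOnline) and uses New-TenantAllowBlockListItems, which the "Add blocks" article this page points to documents; its -Entries, -Block, -ExpirationDate and -Notes parameters are stated from memory of that cmdlet, not from this page. The sample path, ticket id and 90-day expiry are placeholders.

```powershell
# Added example, not part of the original article. Hashes one or more quarantined samples with
# SHA256 (the PowerShell equivalent of the certutil command above), checks whether each hash is
# already listed, and adds a block entry with an explicit expiry instead of the 30-day default.
# Assumes an Exchange Online PowerShell session already exists (Connect-ExchangeOnline) and uses
# New-TenantAllowBlockListItems, which the "Add blocks" article this page refers to documents; its
# -Entries, -Block, -ExpirationDate and -Notes parameters are stated from memory, not from this page.
# The sample path, ticket id and 90-day expiry are placeholders.
param(
    [string[]]$SamplePath = @('C:\Quarantine\invoice_2023.pdf.exe'),
    [int]$ExpireInDays    = 90,
    [string]$Ticket       = 'IR-0000'
)

function Get-Sha256Entry {
    param([Parameter(Mandatory)][string]$Path)
    # Get-FileHash returns uppercase hex; lowercase matches the form the article's example uses.
    $h = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLowerInvariant()
    if ($h.Length -ne 64) { throw "unexpected SHA256 length for '$Path'" }   # the entry limit is 64 characters
    return $h
}

$expiry = (Get-Date).ToUniversalTime().AddDays($ExpireInDays)
foreach ($path in $SamplePath) {
    $hash = Get-Sha256Entry -Path $path
    if (Get-TenantAllowBlockListItems -ListType FileHash -Entry $hash) {
        Write-Output "already listed, not touched: $hash"
        continue
    }
    New-TenantAllowBlockListItems -ListType FileHash -Entries $hash -Block `
        -ExpirationDate $expiry -Notes "$Ticket $(Split-Path -Leaf $path)"
    # The article says a new entry should be active within about 30 minutes; re-query after that.
    Write-Output "block added for $hash, expires $($expiry.ToString('u'))"
}
```

Setting the expiry explicitly is the point: a block that silently lapses after 30 days is a common way for a known-bad attachment to reappear in inboxes. Keep the ticket id in -Notes so the entry can be traced when it shows up in the portal's Notes column.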

Configure the Tenant Allow/Block List

Use the Microsoft 365 Defender portal

In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Policies & rules > Threat Policies > Tenant Allow/Block Lists in the Rules section. To go directly to the Tenant Allow/Block Lists page, use https://security.microsoft.com/tenantAllowBlockList.

To add all blocks, see Add blocks in the Tenant Allow/Block List.

To add all allows, see Add allows in the Tenant Allow/Block List.

To modify and remove all blocks and allows, see Modify and remove entries in the Tenant Allow/Block List.

Use Exchange Online PowerShell or standalone EOP PowerShell

To manage all allows and blocks, see Add blocks in the Tenant Allow/Block List, Add allows in the Tenant Allow/Block List, and Modify and remove entries in the Tenant Allow/Block List.

View entries in the Tenant Allow/Block List

  1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Policies & rules > Threat Policies > Tenant Allow/Block Lists in the Rules section. To go directly to the Tenant Allow/Block Lists page, use https://security.microsoft.com/tenantAllowBlockList.

  2. Select the tab you want. The columns that are available depend on the tab you selected:

    • Senders:
      • Value: The sender domain or email address.
      • Action: The value Allow or Block.
      • Modified by
      • Last updated
      • Remove on
      • Notes
    • URLs:
      • Value: The URL.
      • Action: The value Allow or Block.
      • Modified by
      • Terminal updated
      • Remove on
      • Notes
    • Files:
      • Value: The file hash.
      • Action: The value Allow or Block.
      • Modified by
      • Last updated
      • Remove on
      • Notes
    • Spoofing:
      • Spoofed user
      • Sending infrastructure
      • Spoof type: The value Internal or External.
      • Action: The value Block or Allow.

    You can click on a column heading to sort in ascending or descending order.

    You can click Group to group the results. The values that are available depend on the tab you selected:

    • Senders: You can group the results by Action.
    • URLs: You can group the results by Action.
    • Files: You can group the results by Action.
    • Spoofing: You can group the results by Action or Spoof type.

    Click Search, enter all or part of a value, and then press ENTER to find a specific value. When you're finished, click the Clear search icon.

    Click Filter to filter the results. The values that are available in the Filter flyout that appears depend on the tab you selected:

    • Senders
      • Action
      • Never expire
      • Last updated date
      • Remove on
    • URLs
      • Action
      • Never expire
      • Last updated date
      • Remove on
    • Files
      • Action
      • Never expire
      • Last updated date
      • Remove on
    • Spoofing
      • Action
      • Spoof type

    When you're finished, click Apply. To clear existing filters, click Filter, and in the Filter flyout that appears, click Clear filters.

  3. When you're finished, click Add.

Use PowerShell to view sender, file or URL entries in the Tenant Allow/Block List

To view sender, file or URL entries in the Tenant Allow/Block List, use the following syntax:

              Get-TenantAllowBlockListItems -ListType <Sender | FileHash | Url> [-Entry <SenderValue | FileHashValue | URLValue>] [-Allow | -Block] [-ExpirationDate <Date> | -NoExpiration]

This example returns data for the specified file hash value.

              Get-TenantAllowBlockListItems -ListType FileHash -Entry "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"

This example returns all blocked URLs.

              Get-TenantAllowBlockListItems -ListType Url -Block

For detailed syntax and parameter information, see Get-TenantAllowBlockListItems.
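The Get-TenantAllowBlockListItems calls above each look at one list type. As an added example that is not part of this article, the function below runs the same cmdlet over all three list types and returns the two sets an operator should review periodically: allow entries that never expire, and anything about to lapse. It assumes an Exchange Online PowerShell session; the function name is my own, and the Value, Action, ExpirationDate and Notes property names on the returned objects are assumed from the portal columns listed earlier (Value, Action, Remove on, Notes).

```powershell
# Added example, not part of the original article: a small audit over all three list types that
# returns (a) allow entries that never expire and (b) entries expiring within a window, so they are
# reviewed rather than left to lapse or persist unnoticed. Assumes an Exchange Online PowerShell
# session. The function name is my own; Value, Action, ExpirationDate and Notes are assumed property
# names, taken from the portal columns shown earlier in the article.
function Get-TabltAudit {
    param([int]$ExpiringWithinDays = 14)
    $cutoff = (Get-Date).ToUniversalTime().AddDays($ExpiringWithinDays)
    foreach ($type in 'Sender', 'FileHash', 'Url') {
        # Permanent allows are the entries most worth a second look: each one is a standing
        # exception to filtering for the named sender, hash or URL.
        Get-TenantAllowBlockListItems -ListType $type -Allow -NoExpiration |
            ForEach-Object {
                [pscustomobject]@{ ListType = $type; Finding = 'allow, never expires'
                                   Value = $_.Value; Action = $_.Action; ExpirationDate = $null; Notes = $_.Notes }
            }
        # Anything about to lapse, allow or block, so a block is renewed deliberately, not by accident.
        Get-TenantAllowBlockListItems -ListType $type |
            Where-Object { $_.ExpirationDate -and $_.ExpirationDate -le $cutoff } |
            ForEach-Object {
                [pscustomobject]@{ ListType = $type; Finding = 'expiring'
                                   Value = $_.Value; Action = $_.Action; ExpirationDate = $_.ExpirationDate; Notes = $_.Notes }
            }
    }
}

Get-TabltAudit -ExpiringWithinDays 14 | Sort-Object Finding, ExpirationDate | Format-Table -AutoSize
```

Run it with a wider window than the 30-day default expiry if your review cadence is monthly, so that entries created just after the last review are still caught before they disappear.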

Use PowerShell to view spoofed sender entries

To view spoofed sender entries in the Tenant Allow/Block List, use the following syntax:

              Get-TenantAllowBlockListSpoofItems [-Action <Allow | Block>] [-SpoofType <External | Internal>]

This example returns all spoofed sender entries in the Tenant Allow/Block List.

              Get-TenantAllowBlockListSpoofItems

This example returns all allow spoofed sender entries that are internal.

              Get-TenantAllowBlockListSpoofItems -Action Allow -SpoofType Internal

This example returns all blocked spoofed sender entries that are external.

              Get-TenantAllowBlockListSpoofItems -Action Block -SpoofType External

For detailed syntax and parameter information, see Get-TenantAllowBlockListSpoofItems.

URL syntax for the Tenant Allow/Block List

  • IPv4 and IPv6 addresses are allowed, but TCP/UDP ports are not.

  • Filename extensions are not allowed (for example, test.pdf).

  • Unicode is not supported, but Punycode is.

  • Hostnames are allowed if all of the following statements are true:

    • The hostname contains a period.
    • There is at least one character to the left of the period.
    • There are at least two characters to the right of the period.

    For example, t.co is allowed; .com or contoso. are not allowed.

  • Subpaths are not implied for allows.

    For example, an allow entry for contoso.com does not include contoso.com/a. Blocks behave differently: a block entry for contoso.com also matches contoso.com/a, as the scenarios that follow show.

  • Wildcards (*) are allowed in the following scenarios:

    • A left wildcard must be followed by a period to specify a subdomain.

      For example, *.contoso.com is allowed; *contoso.com is not allowed.

    • A right wildcard must follow a forward slash (/) to specify a path.

      For example, contoso.com/* is allowed; contoso.com* or contoso.com/ab* are not allowed.

    • *.com* is invalid (not a resolvable domain and the right wildcard does not follow a forward slash).

    • Wildcards are not allowed in IP addresses.

  • The tilde (~) character is available in the following scenarios:

    • A left tilde implies a domain and all subdomains.

      For example, ~contoso.com includes contoso.com and *.contoso.com.

    • A tilde on both sides (~contoso.com~) additionally covers any path under the domain and its subdomains, as the left-and-right tilde scenario below shows.

  • URL entries that contain protocols (for example, http://, https://, or ftp://) will fail, because URL entries apply to all protocols.

  • A username or password isn't supported or required.

  • Quotes (' or ") are invalid characters.

  • A URL should include all redirects where possible.

URL entry scenarios

Valid URL entries and their results are described in the following sections.

Scenario: No wildcards

Entry: contoso.com

  • Allow match: contoso.com

  • Allow not matched:

    • abc-contoso.com
    • contoso.com/a
    • payroll.contoso.com
    • test.com/contoso.com
    • test.com/q=contoso.com
    • www.contoso.com
    • www.contoso.com/q=a@contoso.com
  • Block match:

    • contoso.com
    • contoso.com/a
    • payroll.contoso.com
    • test.com/contoso.com
    • test.com/q=contoso.com
    • www.contoso.com
    • www.contoso.com/q=a@contoso.com
  • Block not matched: abc-contoso.com

Scenario: Left wildcard (subdomain)

Entry: *.contoso.com

  • Allow match and Block match:

    • www.contoso.com
    • xyz.abc.contoso.com
  • Allow not matched and Block not matched:

    • 123contoso.com
    • contoso.com
    • test.com/contoso.com
    • www.contoso.com/abc

Scenario: Right wildcard at top of path

Entry: contoso.com/a/*

  • Allow match and Block match:

    • contoso.com/a/b
    • contoso.com/a/b/c
    • contoso.com/a/?q=joe@t.com
  • Allow not matched and Block not matched:

    • contoso.com
    • contoso.com/a
    • www.contoso.com
    • www.contoso.com/q=a@contoso.com

Scenario: Left tilde

Entry: ~contoso.com

  • Allow match and Block match:

    • contoso.com
    • www.contoso.com
    • xyz.abc.contoso.com
  • Allow not matched and Block not matched:

    • 123contoso.com
    • contoso.com/abc
    • www.contoso.com/abc

Scenario: Right wildcard suffix

Entry: contoso.com/*

  • Allow match and Block match:

    • contoso.com/?q=whatever@fabrikam.com
    • contoso.com/a
    • contoso.com/a/b/c
    • contoso.com/ab
    • contoso.com/b
    • contoso.com/b/a/c
    • contoso.com/ba
  • Allow not matched and Block not matched: contoso.com

Scenario: Left wildcard subdomain and right wildcard suffix

Entry: *.contoso.com/*

  • Allow match and Block match:

    • abc.contoso.com/ab
    • abc.xyz.contoso.com/a/b/c
    • www.contoso.com/a
    • www.contoso.com/b/a/c
    • xyz.contoso.com/ba
  • Allow not matched and Block not matched: contoso.com/b

Scenario: Left and right tilde

Entry: ~contoso.com~

  • Allow match and Block match:

    • contoso.com
    • contoso.com/a
    • www.contoso.com
    • www.contoso.com/b
    • xyz.abc.contoso.com
  • Allow not matched and Block not matched:

    • 123contoso.com
    • contoso.org

Scenario: IP address

Entry: 1.2.3.4

  • Allow match and Block match: 1.2.3.4

  • Allow not matched and Block not matched:

    • 1.2.3.4/a
    • 11.2.3.4/a

Scenario: IP address with right wildcard

Entry: 1.2.3.4/*

  • Allow match and Block match:

    • 1.2.3.4/b
    • 1.2.3.4/baaaa
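The scenario tables above are the only public statement of how an entry matches a URL, and the asymmetry between allows and blocks for a plain hostname is easy to miss. The function below is an added example, not part of this article and not the service's own code: it encodes the tables (hostname, subdomain wildcard, path wildcard, tilde and IP entries, plus the wider reach of a Block entry for a plain hostname) so you can ask "would this entry catch this URL?" before creating it. The function name and parameters are my own, and results for inputs the tables do not cover are a guess at the service's behaviour, not a fact about it.

```powershell
# Added example, not part of the original article: a matcher that encodes the scenario tables
# above. Function name and parameters are my own; the service's real matcher is not public, so
# treat results for inputs the tables do not cover as a guess.
function Test-TabltUrlMatch {
    param(
        [Parameter(Mandatory)][string]$Entry,   # Tenant Allow/Block List URL entry, e.g. '*.contoso.com/*'
        [Parameter(Mandatory)][string]$Url,     # URL seen in a message; a scheme is optional and ignored
        [ValidateSet('Allow', 'Block')][string]$Action = 'Block'
    )
    $e = $Entry.ToLowerInvariant()
    $u = ($Url -replace '^[a-z][a-z0-9+.-]*://', '').ToLowerInvariant()

    # Peel the markers off the entry; what remains is "host" or "host/path".
    $leftWild   = $e.StartsWith('*.'); if ($leftWild)   { $e = $e.Substring(2) }
    $leftTilde  = $e.StartsWith('~');  if ($leftTilde)  { $e = $e.Substring(1) }
    $rightWild  = $e.EndsWith('/*');   if ($rightWild)  { $e = $e.Substring(0, $e.Length - 2) }
    $rightTilde = $e.EndsWith('~');    if ($rightTilde) { $e = $e.Substring(0, $e.Length - 1) }

    $eHost, $ePath = $e -split '/', 2
    $uHost, $uPath = $u -split '/', 2
    $ePath = [string]$ePath; $uPath = [string]$uPath    # '' when there is no path component
    $isIp = $eHost -match '^\d{1,3}(\.\d{1,3}){3}$'

    # Host part: "*." needs a real subdomain, "~" accepts the domain itself or any subdomain.
    if ($leftWild)      { $hostOk = $uHost.EndsWith(".$eHost") }
    elseif ($leftTilde) { $hostOk = ($uHost -eq $eHost) -or $uHost.EndsWith(".$eHost") }
    else                { $hostOk = ($uHost -eq $eHost) }

    # Path part: "/*" needs at least one character after the slash, a right "~" accepts anything,
    # otherwise the path must match exactly (so contoso.com does not cover contoso.com/a).
    if ($rightTilde)    { $pathOk = $true }
    elseif ($rightWild) {
        $prefix = if ($ePath) { "$ePath/" } else { '' }
        $pathOk = $uPath.StartsWith($prefix) -and ($uPath.Length -gt $prefix.Length)
    }
    else                { $pathOk = ($uPath -eq $ePath) }

    if ($hostOk -and $pathOk) { return $true }

    # A Block entry for a plain hostname (no markers, no path, not an IP) also matches where that host
    # occurs as a whole name elsewhere in the URL: as a parent domain, a path segment or a query value
    # (payroll.contoso.com, test.com/contoso.com, test.com/q=contoso.com) but not abc-contoso.com.
    $plain = -not ($leftWild -or $leftTilde -or $rightWild -or $rightTilde) -and -not $ePath -and -not $isIp
    if ($Action -eq 'Block' -and $plain) {
        return [bool]($u -match ('(?:^|[./=@])' + [regex]::Escape($eHost) + '(?:$|[/?#&])'))
    }
    return $false
}

# Constructed checks lifted from the scenario tables above: entry, URL, action, expected result.
$cases = @(
    @('contoso.com',     'payroll.contoso.com',        'Allow', $false),
    @('contoso.com',     'payroll.contoso.com',        'Block', $true),
    @('contoso.com',     'test.com/q=contoso.com',     'Block', $true),
    @('contoso.com',     'abc-contoso.com',            'Block', $false),
    @('*.contoso.com',   'xyz.abc.contoso.com',        'Allow', $true),
    @('*.contoso.com',   'www.contoso.com/abc',        'Block', $false),
    @('contoso.com/a/*', 'contoso.com/a/?q=joe@t.com', 'Allow', $true),
    @('contoso.com/a/*', 'contoso.com/a',              'Block', $false),
    @('~contoso.com',    'www.contoso.com/abc',        'Block', $false),
    @('~contoso.com~',   'www.contoso.com/b',          'Allow', $true),
    @('*.contoso.com/*', 'contoso.com/b',              'Block', $false),
    @('1.2.3.4',         '1.2.3.4/a',                  'Block', $false),
    @('1.2.3.4/*',       '1.2.3.4/baaaa',              'Allow', $true)
)
foreach ($c in $cases) {
    $got = Test-TabltUrlMatch -Entry $c[0] -Url $c[1] -Action $c[2]
    '{0,-4} {1,-16} {2,-5} {3}' -f $(if ($got -eq $c[3]) { 'ok' } else { 'FAIL' }), $c[0], $c[2], $c[1]
}
```

The practical lesson the tables encode: an allow is narrow (exact host, exact path unless you add "/*" or "~"), while a block on a bare hostname reaches into subdomains, path segments and query strings. Before allowing a domain that users complain is being blocked, check which block entry is actually catching it, since a bare-hostname block on a parent domain may be the cause rather than the entry you expect.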

Examples of invalid entries

The following entries are invalid:

  • Missing or invalid domain values:

    • contoso
    • *.contoso.*
    • *.com
    • *.pdf
  • Wildcard on text or without spacing characters:

    • *contoso.com
    • contoso.com*
    • *1.2.3.4
    • 1.2.3.4*
    • contoso.com/a*
    • contoso.com/ab*
  • Ports (on hostnames or IP addresses):

    • contoso.com:443
    • abc.contoso.com:25
  • Non-descriptive wildcards:

    • *
    • *.*
  • Middle wildcards:

    • conto*so.com
    • conto~so.com
  • Double wildcards

    • contoso.com/**
    • contoso.com/*/*
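The syntax rules and the invalid examples above are simple enough to check locally before a bulk import, which avoids a half-applied batch when one bad line in a CSV is rejected by the service. The validator below is an added example, not part of this article and not the service's parser: it encodes the listed rules and rejects every invalid example shown above. The function name, the result shape and the short list of file extensions are my own; the article does not say which extensions the service treats as filenames, so that list is illustrative only.

```powershell
# Added example, not part of the original article: a pre-flight validator that encodes the URL
# syntax rules above and rejects the invalid examples just listed, so a script can fail fast before
# calling the service. Function name, result shape and the extension list are my own; the article
# does not enumerate which extensions the service treats as filenames.
$FileExtensionsToReject = 'pdf', 'exe', 'dll', 'docx', 'xlsx', 'pptx'   # illustrative, not the service's list

function Test-TabltUrlEntry {
    param([Parameter(Mandatory)][string]$Entry)
    $fail = { param($why) [pscustomobject]@{ Valid = $false; Entry = $Entry; Reason = $why } }
    $e = $Entry

    if ($e -match '^[a-z][a-z0-9+.-]*://') { return & $fail 'protocol prefix (entries apply to all protocols)' }
    if ($e -match '[^\x21-\x7e]')          { return & $fail 'whitespace or non-ASCII (use Punycode)' }
    if ($e -match '["'']')                  { return & $fail 'quote characters' }
    if ($e -match '@')                      { return & $fail 'username or password' }

    # Only these marker positions are legal; anything left over is a middle, double or bare wildcard.
    $leftWild   = $e.StartsWith('*.'); if ($leftWild)   { $e = $e.Substring(2) }
    $leftTilde  = $e.StartsWith('~');  if ($leftTilde)  { $e = $e.Substring(1) }
    $rightWild  = $e.EndsWith('/*');   if ($rightWild)  { $e = $e.Substring(0, $e.Length - 2) }
    $rightTilde = $e.EndsWith('~');    if ($rightTilde) { $e = $e.Substring(0, $e.Length - 1) }
    if ($e -match '[*~]') { return & $fail 'wildcard or tilde outside the "*." prefix, "/*" suffix or "~" wrapper' }

    $hostPart, $pathPart = $e -split '/', 2
    if ($hostPart -match '[\[\]]') { return & $fail 'bracketed host (a port is not allowed)' }
    $isIpv4 = $hostPart -match '^\d{1,3}(\.\d{1,3}){3}$'
    $parsed = $null
    $isIpv6 = (-not $isIpv4) -and $hostPart.Contains(':') -and [System.Net.IPAddress]::TryParse($hostPart, [ref]$parsed)

    if ($isIpv4 -or $isIpv6) {
        if ($leftWild -or $leftTilde -or $rightTilde) { return & $fail 'wildcards are not allowed in IP addresses' }
    }
    else {
        if ($hostPart.Contains(':')) { return & $fail 'port is not allowed' }
        # A period, at least one character left of it and at least two right of the last one.
        if ($hostPart -notmatch '^[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z0-9-]{2,}$') { return & $fail 'not a valid hostname' }
        if ($hostPart.Split('.')[-1] -in $FileExtensionsToReject) { return & $fail 'filename extension, not a hostname' }
    }
    [pscustomobject]@{ Valid = $true; Entry = $Entry; Reason = '' }
}

# Constructed sample: valid entries from the scenarios plus the invalid examples listed above.
'*.contoso.com', '~contoso.com~', 'contoso.com/a/*', '1.2.3.4/*', 't.co', 'xn--80ak6aa92e.com',
'contoso', '*.contoso.*', '*.com', '*.pdf', '*contoso.com', 'contoso.com*', '*1.2.3.4', '1.2.3.4*',
'contoso.com/a*', 'contoso.com:443', 'abc.contoso.com:25', '*', '*.*', 'conto*so.com', 'conto~so.com',
'contoso.com/**', 'contoso.com/*/*', 'https://contoso.com', 'test.pdf' |
    ForEach-Object { Test-TabltUrlEntry -Entry $_ } |
    Format-Table Valid, Entry, Reason -AutoSize
```

Filter a list through this function and feed only the entries with Valid set to $true to the add cmdlets; the Reason column tells the person who supplied the list what to fix.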

Domain pair syntax for spoofed sender entries in the Tenant Allow/Block List

A domain pair for a spoofed sender in the Tenant Allow/Block List uses the following syntax: <Spoofed user>, <Sending infrastructure>.

  • Spoofed user: This value is the email address of the spoofed user that's displayed in the From box in email clients. This address is also known as the 5322.From address. Valid values include:

    • An individual email address (for example, chris@contoso.com).
    • An email domain (for example, contoso.com).
    • The wildcard character (for example, *).
  • Sending infrastructure: This value indicates the source of messages from the spoofed user. Valid values include:

    • The domain found in a reverse DNS lookup (PTR record) of the source email server's IP address (for example, fabrikam.com).
    • If the source IP address has no PTR record, then the sending infrastructure is identified as <source IP>/24 (for example, 192.168.100.100/24).

Here are some examples of valid domain pairs to identify spoofed senders:

  • contoso.com, 192.168.100.100/24
  • chris@contoso.com, fabrikam.com
  • *, contoso.net

The maximum number of spoofed sender entries is 1024 (the spoofing limit listed earlier in this article).

Adding a domain pair only allows or blocks the combination of the spoofed user and the sending infrastructure. It does not allow email from the spoofed user from any source, nor does it allow email from the sending infrastructure source for any spoofed user.

For example, you add an allow entry for the following domain pair:

  • Domain: gmail.com
  • Infrastructure: tms.mx.com

Only messages from that domain and sending infrastructure pair are allowed to spoof. Other senders attempting to spoof gmail.com aren't allowed. Messages from senders in other domains originating from tms.mx.com are checked by spoof intelligence.
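A pair is scoped to one user-or-domain and one sending infrastructure, but two of the valid shapes above are wide: a "*" spoofed user lets the named infrastructure spoof every domain, and a "/24" infrastructure trusts 256 hosts, which is exactly what a shared hosting range or cloud egress block looks like. The function below is an added example, not part of this article: it parses the "<Spoofed user>, <Sending infrastructure>" syntax, reports how broad the pair is, and then runs the same check over the existing allow entries returned by Get-TenantAllowBlockListSpoofItems. The function name, the Scope labels and the sample pairs are my own; the SpoofedUser and SendingInfrastructure property names are assumed from the portal columns listed earlier.

```powershell
# Added example, not part of the original article. Test-SpoofDomainPair parses the
# "<Spoofed user>, <Sending infrastructure>" syntax described above and labels how broad the pair
# is, so wildcard or /24 pairs get a second look before they are allowed. Function name, Scope
# labels and sample pairs are my own; SpoofedUser and SendingInfrastructure are assumed property
# names taken from the portal columns.
function Test-SpoofDomainPair {
    param([Parameter(Mandatory)][string]$Pair)          # e.g. 'chris@contoso.com, fabrikam.com'
    $bad = { param($why) [pscustomobject]@{ Valid = $false; Scope = 'n/a'; Pair = $Pair; Reason = $why } }
    $parts = $Pair -split ',\s*', 2
    if ($parts.Count -ne 2) { return & $bad 'expected "<spoofed user>, <sending infrastructure>"' }
    $user, $infra = $parts

    $userKind = switch -Regex ($user) {
        '^\*$'                              { 'any user'; break }   # wildcard spoofed user
        '^[^@\s,]+@[^@\s,]+\.[^@\s,]{2,}$'  { 'address';  break }   # individual 5322.From address
        '^[^@\s,]+\.[^@\s,]{2,}$'           { 'domain';   break }   # whole email domain
    }
    $infraKind = switch -Regex ($infra) {
        '^\d{1,3}(\.\d{1,3}){3}/24$'        { 'ip/24';      break } # no PTR record: <source IP>/24
        '^[^@\s,/]+\.[^@\s,/]{2,}$'         { 'ptr domain'; break } # PTR domain of the sending server
    }
    if (-not $userKind)  { return & $bad "spoofed user '$user' is not an address, a domain or *" }
    if (-not $infraKind) { return & $bad "sending infrastructure '$infra' is not a PTR domain or <ip>/24" }

    # Breadth: "* from X" lets X spoof every domain; "<domain> from <ip>/24" trusts a whole range.
    $scope = if ($userKind -eq 'any user')   { 'broad: any spoofed user' }
             elseif ($infraKind -eq 'ip/24') { 'broad: whole /24 trusted' }
             elseif ($userKind -eq 'domain') { 'domain' }
             else                            { 'narrow' }
    [pscustomobject]@{ Valid = $true; Scope = $scope; Pair = $Pair; Reason = '' }
}

# Constructed pairs: the three valid examples from the article plus two malformed ones.
'contoso.com, 192.168.100.100/24', 'chris@contoso.com, fabrikam.com', '*, contoso.net',
'contoso.com', 'chris@contoso.com, 10.0.0.0/16' |
    ForEach-Object { Test-SpoofDomainPair -Pair $_ } |
    Format-Table Valid, Scope, Pair, Reason -AutoSize

# Same check over what is already allowed in the tenant; needs an Exchange Online PowerShell session.
Get-TenantAllowBlockListSpoofItems -Action Allow |
    ForEach-Object { Test-SpoofDomainPair -Pair "$($_.SpoofedUser), $($_.SendingInfrastructure)" } |
    Where-Object { $_.Scope -like 'broad*' }
```

A pair flagged as broad is not necessarily wrong (a "*" allow for your own marketing relay is common), but each one should have an owner and a note, because it is a permanent exception to spoof intelligence for everything that infrastructure sends.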