Tenant Allow/Block Lists

There are a couple of places in MDO where you can specify "allows" or "blocks".

None of these are the best way of allowing mail through filters. You should start with the tenant allow/block list.

The allow/block list allows for entries of the following types:

  • Domains and email addresses
  • Spoofed senders
  • URLs
    • These entries will be wildcarded, so there is no need to submit subpages of a website
    • Consider also adding blocks to your EDR indicators or MDCA unsanctioned cloud app list, because this list will only apply to emails, Teams, and Microsoft files (OneDrive and SharePoint).
  • Files
  • IP addresses

You can always add blocks directly to these lists, but only Spoofed senders and IP addresses allow you to directly add allows. For all other types, you can get allow entries by submitting an email to Microsoft for analysis and reporting the message as clean. Based on the message detections, Microsoft will automatically determine which allow entries to add, and where, to prevent the message from being quarantined in the future.

Microsoft will even add a trusted impersonated sender to your anti-phishing policy if necessary. This will not add the trusted sender to every anti-phish policy but instead the highest precedence anti-phish policy the email recipient is a member of.

Tip

Don't forget: if you are using any advanced spam filters (ASF), you cannot report the message to Microsoft as clean if it was quarantined because of ASF.

Just as you can submit quarantined emails as clean to Microsoft to get allow entries added, you can do the same with false negatives, messages you feel should be quarantined, to get block entries added.

Auditing Changes

Depending on what you are looking for, you can audit changes to the tenant allow/block list by going to the unified audit log and searching for the following operations within the Activities - operation names field:

  • Get-TenantAllowBlockListItems
  • Set-TenantAllowBlockListItems
  • New-TenantAllowBlockListItems
  • Remove-TenantAllowBlockListItems
  • Get-TenantAllowBlockListItemsSpoofItems
  • Set-TenantAllowBlockListItemsSpoofItems
  • New-TenantAllowBlockListItemsSpoofItems
  • Remove-TenantAllowBlockListItemsSpoofItems

Note that you can search for all of these at once by separating them with commas, like this:

Get-TenantAllowBlockListItems,Set-TenantAllowBlockListItems,New-TenantAllowBlockListItems,Remove-TenantAllowBlockListItems,Get-TenantAllowBlockListItemsSpoofItems,Set-TenantAllowBlockListItemsSpoofItems,New-TenantAllowBlockListItemsSpoofItems,Remove-TenantAllowBlockListItemsSpoofItems
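The same audit search can be scripted. The following is an added example, not part of the original page: it flattens audit records for the change operations into one row per change so allow additions stand out. `ConvertTo-TablChange` is a hypothetical helper, the sample record is constructed, and it is an assumption that the cmdlet arguments appear in `AuditData.Parameters` under the names `ListType`, `Allow`, `Block` and `Entries`.

```powershell
# Change operations taken from the list above; append the spoof-item operations as needed.
$ops = 'New-TenantAllowBlockListItems',
       'Set-TenantAllowBlockListItems',
       'Remove-TenantAllowBlockListItems'

function ConvertTo-TablChange {
    # Hypothetical helper: turns unified audit log records into one row per change.
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        $data = $Record.AuditData | ConvertFrom-Json
        # Assumption: arguments are recorded as Name/Value pairs in AuditData.Parameters.
        $p = @{}
        foreach ($kv in $data.Parameters) { $p[$kv.Name] = $kv.Value }
        $action = if     ($p['Allow'] -eq 'True') { 'Allow' }
                  elseif ($p['Block'] -eq 'True') { 'Block' }
                  else                            { 'n/a' }
        [pscustomobject]@{
            Time      = $data.CreationTime
            User      = $data.UserId
            Operation = $data.Operation
            ListType  = $p['ListType']
            Action    = $action
            Entries   = $p['Entries']
        }
    }
}

# Constructed sample record, so the parsing can be tried without a tenant.
$sample = [pscustomobject]@{
    AuditData = '{"CreationTime":"2024-01-15T09:30:00","UserId":"admin@contoso.example",' +
                '"Operation":"New-TenantAllowBlockListItems","Parameters":[' +
                '{"Name":"ListType","Value":"Url"},{"Name":"Allow","Value":"True"},' +
                '{"Name":"Entries","Value":"partner.example"}]}'
}
$sample | ConvertTo-TablChange | Format-List

# Live query: runs only in a session where Connect-ExchangeOnline has loaded the cmdlet.
if (Get-Command Search-UnifiedAuditLog -ErrorAction SilentlyContinue) {
    Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
        -Operations $ops -ResultSize 5000 |
        ConvertTo-TablChange |
        Sort-Object Time |
        Format-Table -AutoSize
}
```

Rows with `Action` set to `Allow` are the ones worth reviewing first, since they let mail past filtering.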

Summary

  • Avoid using anti-spam blocks and allows
    • Hard to maintain when using multiple policies
    • Skips most filtering including spoof checks
  • Don't use the trusted impersonated senders list
    • Submitting an impersonation as clean will handle this for you
  • Submit messages to Microsoft
    • Microsoft will do the hard work for you adding blocks and allows, no guessing where to add the entry
  • Start with the tenant allow/block list
    • Blocks also prevent sending to these emails
    • Microsoft will clean up entries for you as they learn from your submissions