
Efficient management of the Tenant Allow/Block List (TABL) in Exchange Online is crucial for maintaining email security and ensuring optimal communication flow. This guide provides detailed steps and best practices to manage the TABL effectively within your Microsoft 365 environment.
What is the Tenant Allow/Block List in Exchange Online?
The Tenant Allow/Block List is a critical component of email protection in Exchange Online. It allows administrators to control the delivery of emails by managing sender domains, email addresses, and attachments through allow or block actions. This granular control helps prevent phishing, spam, and malware attacks.
Key Features of the Tenant Allow/Block List
- Sender Management:
  - Block malicious senders by adding their domains or email addresses to the block list.
  - Ensure trusted communication by allowing specific senders.
- File Type Management:
  - Block specific file types or extensions commonly associated with malware.
- Automatic Blocking:
  - Leverage Microsoft Defender for Office 365 to auto-block malicious senders detected in phishing or spam campaigns.
- Spoofing Protection:
  - Use the TABL to mitigate spoofing attempts and protect organizational domains.
How to Manage the Tenant Allow/Block List
Accessing the Tenant Allow/Block List
- Log in to the Microsoft 365 Defender portal.
- Navigate to Threat Management > Policy > Tenant Allow/Block List.
Adding Entries to the Allow/Block List
Adding a Sender to the Block List:
- Select + Add under the Blocked Senders tab.
- Enter the email address or domain to be blocked.
- Specify a reason or notes for reference.
- Click Save to apply.
Adding a Sender to the Allow List:
- Select + Add under the Allowed Senders tab.
- Enter the trusted sender’s email address or domain.
- Provide a reason or additional details.
- Save the changes.
Blocking File Types
- Go to the Blocked File Types section in the Tenant Allow/Block List.
- Add extensions or specific file types to the list.
- Save the configuration.
Best Practice: Regularly review and update the blocked file types to align with evolving threats.
Managing Spoofed Senders
- Navigate to the Spoofed Senders tab.
- Review spoofing detection reports.
- Add trusted domains or email addresses if false positives are identified.
Integration with Threat Explorer
- Use Threat Explorer to investigate malicious email activity.
- From Threat Explorer, directly block or allow specific senders to update the Tenant Allow/Block List.
Best Practices for Tenant Allow/Block List Management
- Regular Audits:
  - Periodically review entries in the allow and block lists to remove outdated or unnecessary records.
- Leverage Automation:
  - Use automated threat intelligence feeds from Microsoft Defender to keep the list updated.
- Monitor Spoofing Activity:
  - Regularly check spoofing reports and adjust the TABL to reduce false positives and negatives.
- Employee Training:
  - Educate staff to recognize phishing and spam, reducing reliance on allow/block rules.
- Advanced Threat Protection:
  - Combine TABL with other security measures, such as anti-phishing policies and multi-factor authentication (MFA).
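One way to carry out the regular audit described above, as an added example that is not part of the original guide or of Microsoft's tooling. The function name, the 14-day threshold, the audit criteria and the sample entries are assumptions, and the property names are assumed to match the output of `Get-TenantAllowBlockListItems`.

```powershell
# Added example: audit Tenant Allow/Block List sender entries for stale or risky records.
# Live data (needs the ExchangeOnlineManagement module and Connect-ExchangeOnline):
#   $entries = @(Get-TenantAllowBlockListItems -ListType Sender -Allow) +
#              @(Get-TenantAllowBlockListItems -ListType Sender -Block)
# Property names used below (Value, Action, Notes, ExpirationDate) are assumed to
# match that cmdlet's output; confirm with Get-Member in your tenant.

function Get-TablAuditFinding {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [object[]] $Entries,
        [datetime] $Now = (Get-Date),
        [int] $ExpiringWithinDays = 14      # assumed review window
    )
    # Values listed with more than one action (allowed and blocked at the same time)
    $conflicts = $Entries | Group-Object { $_.Value.ToLower() } |
        Where-Object { @($_.Group.Action | Sort-Object -Unique).Count -gt 1 } |
        ForEach-Object Name

    foreach ($e in $Entries) {
        $issues = @()
        if ([string]::IsNullOrWhiteSpace($e.Notes)) { $issues += 'no notes' }
        if ($null -eq $e.ExpirationDate) {
            # A permanent allow is the entry most likely to outlive its reason
            if ($e.Action -eq 'Allow') { $issues += 'allow entry never expires' }
        }
        elseif ($e.ExpirationDate -lt $Now) { $issues += 'expired' }
        elseif ($e.ExpirationDate -lt $Now.AddDays($ExpiringWithinDays)) { $issues += 'expiring soon' }
        if ($conflicts -contains $e.Value.ToLower()) { $issues += 'on both allow and block lists' }
        if ($issues) {
            [pscustomobject]@{ Value = $e.Value; Action = $e.Action; Issues = $issues -join '; ' }
        }
    }
}

# Constructed sample entries (not real tenant data)
$now = Get-Date '2025-01-15'
$sample = @(
    [pscustomobject]@{ Value = 'partner.example';        Action = 'Allow'; Notes = '';             ExpirationDate = $null }
    [pscustomobject]@{ Value = 'billing@vendor.example'; Action = 'Allow'; Notes = 'Ticket 1001';  ExpirationDate = $now.AddDays(5) }
    [pscustomobject]@{ Value = 'billing@vendor.example'; Action = 'Block'; Notes = 'Phish report'; ExpirationDate = $now.AddDays(60) }
    [pscustomobject]@{ Value = 'spam.example';           Action = 'Block'; Notes = 'Campaign';     ExpirationDate = $now.AddDays(-3) }
)
Get-TablAuditFinding -Entries $sample -Now $now | Format-Table -AutoSize
```

Entries that come back with no issues are omitted, so an empty result means the list passed every check in the function.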
Troubleshooting Common Issues
Blocked Legitimate Emails
- Cause: Trusted senders mistakenly added to the block list.
- Solution: Check and update the allow/block lists to include the correct sender information.
Ineffective Blocking
- Cause: Inadequate configuration or outdated entries.
- Solution: Regularly review and refine the blocked file types and sender entries.
Spoofed Domain Alerts
- Cause: Misconfigured domain authentication protocols (SPF, DKIM, DMARC).
- Solution: Ensure these protocols are properly set up and monitor spoofing reports.
Conclusion
Effectively managing the Tenant Allow/Block List in Exchange Online is a foundational step in securing your organization against email-based threats. By following the best practices outlined above and leveraging integrated tools like Threat Explorer, administrators can ensure a robust defense against malicious actors while maintaining seamless communication.
FAQs
1. What is the Tenant Allow/Block List in Exchange Online?
The Tenant Allow/Block List is a tool in Exchange Online used to manage email security by controlling which senders, domains, or file types are allowed or blocked. It helps prevent phishing, spam, and malware attacks.
2. How do I access the Tenant Allow/Block List?
You can access the list by logging into the Microsoft 365 Defender portal and navigating to Threat Management > Policy > Tenant Allow/Block List.
3. Can I block specific file types using the Tenant Allow/Block List?
Yes, you can block specific file types or extensions commonly associated with malware by adding them to the Blocked File Types section.
4. What happens if a legitimate email is blocked?
If a legitimate email is blocked, you should check the Blocked Senders list in the Tenant Allow/Block List and add the sender’s email or domain to the allow list if necessary.
5. How does the Tenant Allow/Block List help with spoofing protection?
The Tenant Allow/Block List includes a Spoofed Senders section where you can identify and block spoofing attempts. You can also add trusted domains or senders to reduce false positives.