Forum Discussion

Skipster311-1's avatar
Skipster311-1
Iron Contributor
Nov 15, 2021
Solved

add to whitelist or safe senders from quarantine

Hello all   I see its possible to block a sender from within the quarantine. Is it also possible to whitelist or add a sender to "safe senders" list from within the quarantine ? 
microsoft 365 defender
phishing
  • VasilMichev's avatar
    VasilMichev
    Nov 16, 2021
    Only from the admin quarantine, IIRC. Which in turn adds it to the org-wide allow list.
VasilMichev's avatar
VasilMichev
MVP
Nov 16, 2021
Only from the admin quarantine, IIRC. Which in turn adds it to the org-wide allow list.
JeffRyer's avatar
JeffRyer
Copper Contributor
Jan 05, 2023
I only see the option to Allow for up to 30 days. What if I want to permanently allow the sender?
  • Jakub_B1775's avatar
    Jakub_B1775
    Copper Contributor
    Jan 24, 2024

    Has anybody found out how to allow sender for more than 30 days please?

  • ppci19's avatar
    ppci19
    Copper Contributor
    May 31, 2023

    JeffRyer I would like to know this too, it shows only 30 days, I need it permanent.

    • caro_del_castillo's avatar
      caro_del_castillo
      Copper Contributor
      Jul 11, 2024

        

      It's a new MS Exchange feature. I am copying some of the data directly from Microsoft Community, Message center, and Learning pages. This should help with most of the questions I am reading. 

       

      Exchange EOP (Exchange Online Protection)

      Automatic tenant Allow/Block list expiration management.

       

      Defender new feature Whitelist auto remove

      Microsoft Defender for Office 365 will introduce a feature to automatically remove allow list entries 45 days after their last use, starting late June 2024. This applies to customers with Microsoft Exchange Online Protection and Defender for Office 365 Plan 1 or 2. Users are advised to update their allow entries to utilize this new feature. https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=372670

       

      If you've set up allowed domains, emails, URLs, or files in the Microsoft 365 Defender Tenant Allow/Block List, Microsoft will now automatically remove entries from the allow list once the system has learned from these configurations. If the system is treating the entity as good, there is no reason to have a redundant allow entry. Alternatively, Microsoft will also extend the expiration time of the allows if the system has not updated yet. This will prevent your legitimate emails from being sent to junk or quarantine. Spoof allow entries do not expire, so the automatic extension and removal doesn't apply in this case. Smart allow management is now live worldwide, which means the Tenant Allow/Block list will be shorter and more useful to you & your security team.

       

      Whitelist rules will now automatically get removed by Microsoft.

       

      Allows Will Be Automatically Extended


      As a member of a security team, you’d create an allow entry in the Tenant Allow/Block List through the Submissions page if you found a legitimate email is getting junked or quarantined. Previously, the allow entry would typically expire after 30 days, leading to the same legitimate emails getting blocked again. Your options would be either to create another allow entry or try to open a support case to fix the underlying problem.

       

      Now if Microsoft has not learned from the allow entry and the allow is going to expire, we’ll extend the removal date by an additional 30 calendar days. However, the allow entries will not be extended indefinitely. If the system has not learned that the value is good after 90 days from the date of creation, the allow entry will be removed and you’ll get an alert about it.

       

      Please note, this feature only applies to allow entries that were originally created with a removal date after 7 days. If the original removal date was between 1 and 7 days after creation, the automatic extension will not apply.

       

       

      ppci19

      • ExMSW4319's avatar
        ExMSW4319
        Iron Contributor
        Jul 12, 2024

        caro_del_castillo 

         

        That is potentially good, but I am not entirely clear about the alert. Are we talking about something entirely new, or is it the informational alert "Removed an entry in Tenant Allow/Block List" as seen in the Policies & Rules \ Alert Policy table?

         

        If it is something entirely new then an example of what to expect would be good.

         

        If it is the informational alert, does that trigger for any removal from the TABL or just for these automated weedings? I ask because I block lots of routine breached genuine M365 tenants (strangely enough, other providers don't seem to have the same volume of breaches) on a 7-day or 30-day basis or however long I think it will take them to clean up their act. I don't fancy the idea of receiving an alert when each one of those expires.

         

        I suppose the best option is to experiment and then get busy with a mail flow rule if there is enough leverage. 

    • Chris_Donabedian's avatar
      Chris_Donabedian
      Copper Contributor
      Jul 06, 2023

      ppci19   VasilMichev  ( added 2/12/24 )   no reply for 6 months.

        I have the need to email back and forth with my personal calendars and emails are sent back and forth.

       

      We should have a way to white list outside of the for the entire company ?  But, if so, can I white list my emails for the entire company  ?

       

      How ?


      Regards,

      Chris 

      • Chris_Donabedian's avatar
        Chris_Donabedian
        Copper Contributor
        Feb 12, 2024
        It would be nice if anyone could reply to this.

Resources