Gary Admin Huber
Copper Contributor
Feb 14, 2026
Status:
New

Outbound Anti‑Spam Policy “Include/Exclude” Please Correct

Proposed Feedback to Microsoft: Outbound Anti‑Spam Policy UI Behavior Is Misleading and Needs Clarification

Title:

Outbound Anti‑Spam Policy “Include/Exclude” UI is Misleading — Policy Applies Globally Unless Exclusions Are Defined

Summary of the Issue

The Outbound Anti‑Spam Policy interface in the Microsoft 365 Defender portal presents an Include and Exclude user scope model that strongly implies modern scoping behavior:

  • Include = users the policy applies to
  • Exclude = users the policy does not apply to

However, this is not how the backend policy engine behaves.

In reality:

If the Exclude list is empty, the policy applies to all users unless they are explicitly excluded.

This is the opposite of what the UI suggests, and it leads to unexpected and incorrect assumptions by administrators.

Actual Behavior (Backend Logic)

The outbound anti‑spam engine still uses legacy logic:

  • A policy applies to a user unless the user is explicitly excluded
  • Being “not included” does not prevent the policy from applying
  • The highest‑priority policy that does not explicitly exclude a user is the one that applies

This means:

If the Exclude list is empty, the policy effectively becomes global.

This is not communicated anywhere in the UI.

Impact on Administrators

This behavior leads to:

  • Users unintentionally being governed by the wrong policy
  • External forwarding being allowed for users who were never intended to be included
  • Confusion when removing a user from the Include list does not remove them from the policy
  • Misinterpretation of policy priority and scope
  • Hours of troubleshooting because the UI does not reflect the actual evaluation logic

This is especially problematic when configuring forwarding exceptions, where security expectations are high.

Example Scenario Demonstrating the Problem

  1. Admin creates a Priority 1 policy allowing external forwarding for a small set of users.
  2. Admin adds those users to Include.
  3. Admin leaves Exclude empty, assuming the policy applies only to the included users.
  4. A user not in the Include list still has forwarding allowed because the policy applies globally unless excluded.
  5. Removing a user from Include does not remove them from the policy.
  6. The admin is misled because the UI suggests the opposite behavior.

This is counterintuitive and contradicts the scoping model used in other Microsoft 365 policies.

Requested Fix

Add a warning or informational banner when the Exclude list is empty.

Suggested wording:

Warning: No users or groups are excluded. This policy will apply to all users unless they are explicitly excluded. Users not listed in “Include” may still be affected by this policy.

This one clarification would prevent the majority of misconfigurations and support cases related to outbound forwarding exceptions.

Why This Matters

Outbound forwarding is a high‑risk vector for data exfiltration. Admins rely on the UI to understand policy scope. The current UI leads to incorrect assumptions and unintended exposure.

A simple warning would align the UI with the actual behavior of the policy engine and prevent misconfigurations.

End of Feedback

As you may have noticed, the above response is based on questions and answers I got from Copilot.  This is a valid improvement that needs to be made, but furthermore Microsoft is losing a great deal of information by not allowing a direct route from Copilot to the correct area of your company when a solution or a correction to a current method is discovered.

 

Best regards,

 

Gary Huber
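
One way to review the scope the post is concerned with, as an added example that is not part of the original post and not Microsoft's code: the function below lists each custom outbound spam rule with its policy's forwarding mode and its include and exclude sender conditions, and marks rules whose policy allows automatic forwarding while no exceptions are defined. `Get-OutboundForwardingScopeReport` is a hypothetical helper and the sample objects are constructed; the commented last line shows the Exchange Online cmdlets that would supply real data.

```powershell
# Hypothetical helper (not a Microsoft cmdlet): joins outbound spam rules to their
# policies and reports forwarding mode plus include/exclude scope for each rule.
function Get-OutboundForwardingScopeReport {
    param(
        [Parameter(Mandatory)] [object[]] $Policies,
        [Parameter(Mandatory)] [object[]] $Rules
    )
    foreach ($rule in ($Rules | Sort-Object Priority)) {
        $policy = $Policies | Where-Object { $_.Name -eq $rule.HostedOutboundSpamFilterPolicy }
        # Sender conditions ("Include" in the portal) and exceptions ("Exclude").
        $include = @(@($rule.From) + @($rule.FromMemberOf) + @($rule.SenderDomainIs) |
            Where-Object { $_ })
        $exclude = @(@($rule.ExceptIfFrom) + @($rule.ExceptIfFromMemberOf) +
            @($rule.ExceptIfSenderDomainIs) | Where-Object { $_ })
        $mode = "$($policy.AutoForwardingMode)"
        [pscustomobject]@{
            Priority           = $rule.Priority
            Policy             = $rule.HostedOutboundSpamFilterPolicy
            State              = $rule.State
            AutoForwardingMode = $mode
            Include            = $include -join '; '
            Exclude            = $exclude -join '; '
            # The condition the post asks the portal to warn about, limited here
            # to policies that permit external auto-forwarding.
            NeedsReview        = ($mode -eq 'On') -and ($exclude.Count -eq 0)
        }
    }
}

# Constructed sample data shaped like the cmdlet output (names and addresses are made up).
$samplePolicies = @(
    [pscustomobject]@{ Name = 'Allow-Forwarding-Exceptions'; AutoForwardingMode = 'On' }
    [pscustomobject]@{ Name = 'Block-Forwarding-Staff';      AutoForwardingMode = 'Off' }
)
$sampleRules = @(
    [pscustomobject]@{ HostedOutboundSpamFilterPolicy = 'Allow-Forwarding-Exceptions'
        Priority = 0; State = 'Enabled'; From = @('alice@contoso.example')
        FromMemberOf = $null; SenderDomainIs = $null
        ExceptIfFrom = $null; ExceptIfFromMemberOf = $null; ExceptIfSenderDomainIs = $null }
    [pscustomobject]@{ HostedOutboundSpamFilterPolicy = 'Block-Forwarding-Staff'
        Priority = 1; State = 'Enabled'; From = $null
        FromMemberOf = $null; SenderDomainIs = @('contoso.example')
        ExceptIfFrom = $null; ExceptIfFromMemberOf = $null; ExceptIfSenderDomainIs = $null }
)
Get-OutboundForwardingScopeReport -Policies $samplePolicies -Rules $sampleRules | Format-List

# Against a tenant, from a connected Exchange Online PowerShell session:
# Get-OutboundForwardingScopeReport -Policies (Get-HostedOutboundSpamFilterPolicy) -Rules (Get-HostedOutboundSpamFilterRule)
```

Rules marked `NeedsReview` are the ones to compare against the mailboxes that actually have external forwarding configured.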
