Reply All Storm Protection Customizable Settings
Published May 05 2021 12:28 PM

Last year we released the Reply-all Storm Protection feature to help protect your organization from unwanted reply-all storms. This feature uses global settings, applicable to all Microsoft 365 customers, for reply-all storm detection and for how long the feature will block subsequent reply-alls once a storm has been detected. Today we're pleased to announce you'll now have the ability to make these settings specific to your Microsoft 365 organization; email admins will have the flexibility to enable/disable the feature, and set customized detection thresholds and block duration time. This not only makes the feature easier to tailor to your organization, but it also allows more Microsoft 365 customers to take advantage of the Reply-all Storm Protection feature, since the minimum number of reply-all recipients for detection can now be as low as 1000 when previously it was hard-coded at 5000.

The current Reply-all Storm Protection settings for Microsoft 365 are as follows:

| Setting | Default |
| --- | --- |
| Enabled/disabled | Enabled |
| Minimum number of recipients | 5000 |
| Minimum number of reply-alls | 10 |
| Detection time sliding window | 60 minutes |
| Block duration (once detected) | 4 hours |

Based on our telemetry and customer feedback we're also taking this opportunity to update a few of the default settings. Once this change has rolled out, the default settings for each Microsoft 365 organization will be the following:

| Setting | Default |
| --- | --- |
| Enabled/disabled | Enabled |
| Minimum number of recipients | 2500 (previously 5000) |
| Minimum number of reply-alls | 10 |
| Detection time sliding window | 60 minutes |
| Block duration (once detected) | 6 hours (previously 4 hours) |

The customizations possible for each setting will be as follows:

| Setting | Customizable options |
| --- | --- |
| Enabled/disabled | Enabled or Disabled |
| Minimum number of recipients | 1000 to 5000 |
| Minimum number of reply-alls | 2 to 20 |
| Detection time sliding window | 60 minutes (not customizable) |
| Block duration (once detected) | 1 to 24 hours |
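
To see how these thresholds interact before changing them, the following added example (not code from the original post, and not Microsoft's implementation) replays a constructed list of reply-all events through a simplified model of the settings above. The model assumes that the reply-all that completes a storm is still delivered, that blocked reply-alls are not counted, and that the window restarts after a detection; the function name, event layout and sample data are all hypothetical.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=60)  # detection window from the post; not customizable
LIMITS = {"min_recipients": (1000, 5000), "min_replies": (2, 20), "block_hours": (1, 24)}


def simulate(events, min_recipients=2500, min_replies=10, block_hours=6):
    """Simplified model. events: time-ordered (timestamp, conversation_id,
    expanded_recipient_count). Returns one 'delivered'/'blocked' verdict per event."""
    chosen = {"min_recipients": min_recipients, "min_replies": min_replies,
              "block_hours": block_hours}
    for name, (lo, hi) in LIMITS.items():
        if not lo <= chosen[name] <= hi:
            raise ValueError(f"{name} must be between {lo} and {hi}")
    recent = defaultdict(deque)   # conversation -> times of counted reply-alls
    blocked_until = {}            # conversation -> end of its block period
    verdicts = []
    for ts, conv, recipients in events:
        if recipients < min_recipients:
            verdicts.append("delivered")          # thread too small to be tracked
            continue
        if ts < blocked_until.get(conv, ts):
            verdicts.append("blocked")            # storm already detected
            continue
        window = recent[conv]
        window.append(ts)
        while ts - window[0] >= WINDOW:           # slide the 60-minute window
            window.popleft()
        if len(window) >= min_replies:            # this reply completes a storm
            blocked_until[conv] = ts + timedelta(hours=block_hours)
            window.clear()
        verdicts.append("delivered")
    return verdicts


# Constructed sample: 15 reply-alls, 3 minutes apart, on one thread whose
# distribution list expands to 2000 recipients, plus one reply 5 hours later.
START = datetime(2021, 5, 5, 9, 0)
SAMPLE = [(START + timedelta(minutes=3 * i), "thread-A", 2000) for i in range(15)]
SAMPLE.append((START + timedelta(hours=5), "thread-A", 2000))

if __name__ == "__main__":
    for label, kwargs in [("new defaults", {}),
                          ("tuned", {"min_recipients": 1000, "min_replies": 5, "block_hours": 4}),
                          ("tuned, 6h block", {"min_recipients": 1000, "min_replies": 5})]:
        print(label, simulate(SAMPLE, **kwargs).count("blocked"), "blocked")
```

With the new defaults the 2000-recipient thread is never tracked; lowering the recipient threshold to 1000 and the reply threshold to 5 blocks every reply-all after the fifth until the block duration expires.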

Admins will be able to use the Set-TransportConfig Remote PowerShell cmdlet to update the settings for their organization:

| Setting | Cmdlet |
| --- | --- |
| Enabled/disabled | Set-TransportConfig -ReplyAllStormProtectionEnabled [$True:$False] |
| Number of recipients threshold | Set-TransportConfig -ReplyAllStormDetectionMinimumRecipients [1000 – 5000] |
| Number of reply-alls threshold | Set-TransportConfig -ReplyAllStormDetectionMinimumReplies [2 – 20] |
| Block duration | Set-TransportConfig -ReplyAllStormBlockDuration [1 – 24] |

These updates are rolling out now and should be fully available to all Microsoft 365 customers by mid-June. While this should come as a welcome update for customers wanting to better take advantage of the Reply-all Storm Protection feature, we are not done yet! In future updates we plan to provide an insight, report, and optional notifications for the feature as well. And if there's enough customer feedback for it, we'll consider also exposing the ability to customize these settings in the Exchange Admin Center. Let us know what you think!

The Exchange Transport Team

11 Comments
Brass Contributor

Nice add-on and control to have. Do we have any reporting or tracking option so that we could know if it's working and who has been trying reply all, storming etc.?

@Satyajit321 as noted in the last paragraph of the post we're working on an insight, notification, and report for the feature so you'll be able to see detected storms, how many reply-alls are blocked for it, and a list of those who replied all. We expect to release those later this summer. Thanks for your interest! Cheers!

 

Kevin Shaughnessy

Sr. Program Manager

M365 Exchange Transport 

Brass Contributor

Thank you @KevinShaughnessy, I did miss that part out. Looking forward to it.

Copper Contributor

Hey, 

Would like to know what the logic behind it is. Will that policy work if I have 1500 recipients in "To" the same as if I have 1 recipient in "To" which is a group, and in this group are 2000 users?

Thanks

@Kubho208 good question since DLs typically get counted as 1 recipient. But in the case of Reply All Storm Protection the count is based on the fully expanded list, so 2000 users in the group will get counted as 2000 recipients rather than just 1. 

 

Hope this helps!

 

Kevin Shaughnessy

Sr. Program Manager

Microsoft Exchange Online

Copper Contributor

@KevinShaughnessy that's great.

Thank you for an answer,

 

Jakub

Copper Contributor

This is wonderful, thank you!

 

Out of curiosity, will Microsoft support lower or customized values for certain settings in the future, such as "Minimum number of recipients" or "Minimum number of reply-alls"? As an example, there may be organizations with a contact group or Microsoft 365 group containing 400 recipients that would like the "Reply All Storm Protection" to take effect at 2 reply-alls. Hopefully, my scenario makes sense! ^_^

 

Thanks again for this awesome feature! :smile:

@MisterD3k Thanks for the feedback! Glad you like the feature - we hope it helps! :)

 

We will definitely be evaluating the possibility for lowering the minimum number of recipients at some point in the future - first we need to evaluate the actual performance and cost impact of logging so much data from all the threads in the service with 1000+ recipients (we have to log all such threads before we can evaluate whether it's a reply-all storm or not). We won't lower the number of replies though - at least not given how we currently detect reply all storms. The feature currently doesn't do any content analysis or pattern matching, so it's based solely on number of replies, recipient count, over an hour. So folks would likely end up with more false positives blocking *valid* threads if they set it below 5. Even at 5 organizations will likely hit more false positives than they'd prefer, and will probably find themselves raising it closer to the default of 10. 

 

Hope that makes sense!

 

Best wishes,

 

Kevin Shaughnessy

Sr. Program Manager

Exchange Online Transport

Copper Contributor

@KevinShaughnessy thank you very much for the response and makes perfect sense! :smile:

Copper Contributor

Any updates or link to the reporting of Reply to all Storm incidents? Looking for a report... thanks for any help!!

Last update: Mar 31 2023 12:10 PM