Thanks. I'll ask here as everyone wants to know anyway, but is the rule for 10 when over 5000 in the hour configurable or is this tuning something you look after in the service? 

Awesome addition folks!!!

A few things to think about moving forward

• Ability to adjust the limit (lower it in many cases)
• Ability to disable for some specific DLs, or at least if a single app sends the messages (and keeps the same subject)
• Admin ability to invoke it on emergency demand, when it hasn't hit the preset numbers
• Tool-Tip for when it feels like a storm.

Again, great job!

@Brian Reid - for now, no admin controls are available. We are using our knowledge of the service to set the thresholds. 

Thanks @Ed Woodrick for the feedback. 

@Greg Taylor - EXCHANGE How we can test this in office 365. whether we need to create any rule to accomdate

@Greg Taylor - EXCHANGE

Reply All Storm Protection in Exchange Online - how we can enable this on office 365 tenant

@Sankarasubramanian Parameswaran it's enabled for all tenants. There's nothing to configure. 

You don't need to 'test' or set up rules for it. You'll have to trust us on this, it is enabled, and it works when the threshold is met. If you want to kick off a mail storm in your tenant to prove it, make sure your resume is up to date. 

This is a great new feature addition and would personally want to drop the reply all limits lower [BEDLAM DL3!], but there is a need on occasion to allow an additional mail in the thread from a 'trusted party', so it would be nice if the Manager of a DL was not blocked by this - so that they can at least do a mail back in the thread to educate or update the members in relation to the content / issue.

@Greg Taylor - EXCHANGE  Thank you for the update. Before i prepared my resume, some other user prepared the resume and did the damage. 

Yesterday, one user send email to the group which has more than 2000 members and it created reply to all storm in our organization. the same question raised by management how to stop this even user did by mistake. we want to know if the limit can be decreased based on the situation and 5000 is higher number but we want to do it even for smaller number 

Can we implement for all the groups and change based on the condition. do you have any script to shows the number and the condition to view. we should have option to change the limit by user level or group level. 

Hi it is not working for us even in another thread they told it is enabled for all tenant. yesterday we had user who has replied to the group and everyone replied with reply to all and it created reply to all storm. nothing has been blocked and it has been delivered

Remember it is possible in Exchange Server and Exchange Online to set restrictions on groups so that this is avoided. For groups with large membership look at restrictions on who can send to the group and if everyone needs the ability to send then look at moderators for the group, with exceptions for those who should be allowed to send to all the members. This works for any size group and is not dependent upon the above feature with the result that you cannot have a reply all storm as either people cannot reply all to the group or their replies go to the moderator mailbox, who knows not to approve messages that look like they should be a reply and not a reply all. 

@Brian Reid  Yes. we have implemented for some groups not for all the groups. 

The feature was the most awaited one and finally its there! 

Are there plans to allow customization of these settings per Tenant  as well as exceptions for certain cases as commented by few others ? 

will there be any reporting on how well this is working and how much of reply all storms are blocked ? kind of some daily/weekly statistics ?

I think this is a nice addition, but I would also like the Outlook teams (note mobile OWA and Desktop) to offer native 'Do Not Reply All' capability in the clients that allow email senders to pre stipulate if users can click 'reply all' on the larger emails they send. This also addresses users sending messages to <5000 which can still have considerable impact to productivity if sent and reply all'd. We utilize AIP for this today but its not perfect as it adds tags to other inappropriate 365 apps like Office. 

That’s awesome 

With all due respect, but the number one reason for this to occur in the first place is the default 'reply all' function on the Outlook Mobile app and the OWA app. For OWA this is configurable using powershell to change it to 'Reply', but the Outlook Mobile app doesn't honour this setting and there's no way to change it to 'Reply'. So it's a bit strange to say the least, that the Exchange Team has to built new functionality to prevent a 'reply-all' storm, which is primarily caused by their colleagues of the Outlook team.

Does this cover users who are still on prem in a hybrid Exchange setup? Or does  this only cover users who are fully migrated?

This feature is really good but I am thinking it should not specific to work for large DL’s. How about if sender expand DL’s and reply to all, Will it still detect or block to reply all ?

To prevent mail storms we just created a simple mail flow rule that only allows BCC for specified large distribution lists.

@maheshsingh_it  Max recipient for Microsoft 365 is 1,000. Expanding a 5,000 recipient DL will stop the message from being sent.

https://docs.microsoft.com/en-us/office365/servicedescriptions/exchange-online-service-description/e...

Will everyone who receives the NDR know what NDR means?

@Brian Reid currently the thresholds and block duration are not customizable. We're exploring the possibility to make them customizable in the future. No promises nor guarantees at this time though. 

@Ed Woodrick love love love your suggestions! Noted! :)

@HaydonG great suggestion for a "trusted user" list of sorts or at least except the admins or group owner. Thanks! While it's not the same exactly, note that anyone (like an admin) can still reply to, or forward, the thread so long as they reduce the overall recipient list to < the recipient threshold (currently 5000). Not exactly useful to educate everyone, but useful to forward the thread to the IT group or some such. 

@Sankarasubramanian Parameswaran - no the thresholds cannot be customized at this time; see comment to Brian above.

@SopanWankhede I've touch on customization and exceptions above; about reports, as per the blog post it's something we know could be very useful to folks so we're looking into it, but no promises nor guarantees at this time.

More to come. . .

@M_Durbs - I'm not on the Outlook team but I believe this IRM capability would address your point about "Do Not Reply All" in Outlook, no? https://support.microsoft.com/en-us/office/preventing-reply-all-433041fe-0475-405a-b579-ddddf4951481...

@Jan_Rademan - this only applies to mailboxes in Office 365.

@maheshsingh_it - technically it's actually based on the number of fully expanded recipients, not based on the size of the DL. So you could have 100 DLs of 50 recipients each + 1 lone recipient and the fully expanded recipient count would be 5001. Such a thread would qualify because total recipients are > 5000. For simplicity the post describes the common scenario, rather than describing the underpinning technical mechanisms. We'll consider creating a technically oriented KB article in the near future.

@Bruce Roberts - Thanks for the input on the NDR text. I can see the headline ". . .too busy. . ." could use some work. I think the other elements will likely be understandable, e.g. "Do not use Reply All," and "Don't resend the mail" but we'll take another look at the whole thing. That said, in practice, understanding the NDR won't matter much - we'll still stop the reply-all storm whether people understand the NDR or not. :)

@ruxp Currently this feature is not configurable; I'd like to hear the scenario for which you'd want this feature disabled? Is it the # of users or # of replies within an hour that you are concerned with?

Will this work on Office 365 Groups (Now know as Microsoft 365 Groups , AKA unified groups) email distribution? If not, can you please do this there as well?

I had not seen a storm in years until these came along. The issue happens with Teams especially, as people don’t expect to get email from the group mailbox behind the Team. Actually in a lot of cases the email address for the Team mailbox is unrecognizable because the display name was long ago changed by one of the owners. 
Like with the requests to always allow the DL managers to send, owners probably should always be allowed to send as well. 
thanks

Good news !!!

@UW_Scott Yes it works with Groups. The detection is actually DL/Group agnostic - it's about the total number of expanded recipients regardless if they were members of a group, a DL, or just separate recipients that aren't a member of any group or DL.

How can i enable / disable this for a tenant? - are admins required to do anything for enabling/disabling the feature. 
Or it applies as a default setting for all tenants.

@ashish8549 - this is no on/off - it's just on by default. Admins need to do nothing. It's there to protect your tenant from these rare but damaging events. 

@Greg Taylor - EXCHANGE 

the notification sample thats show, would that be sent to the recipient sending the mail storm , the actual sender of the message or to tenant admins ?

@SopanWankhede it's an NDR / bounce message back to anyone who does a Reply All to the thread after the block has been initiated.

@KevinShaughnessy 

Which is why the top line should not use the relatively-obscure acronym "NDR" when there's plenty of space for "Non-Delivery Report".

@Bruce Roberts the top line in the screen capture is the title of the screen capture not the top line of the Non-Delivery Report. The bounce message that users would see begins with the Office 365 logo. Apologies for any confusion or obfuscation the screen capture and its title might have caused anyone. 

Excellent feature.looking forward to tweak the policy options.

Thanks

So my understanding is the feature is enabled?

But what about closing access to an email that is created when you create a TEAM?  I started a TEAM for a high school (3000 +) and an email chain was started with the TEAM email.  How do you shut down the chain and the availability for the email address to be located on TEAMS?

Teams uses Exchange. But since the minimum number of recipients is 5,000, you won't hit it with 3,000 recipients. 

I have a suggestion, if your rule can identify this prior to the e-mail being sent could the rule provide lesson's learned of best practice's?  For example in the company that I work for there could be several people or directories that would need to track the information.  I have learned that the people or the directories that need to track the information in the To: line, and the people that I need the response from I put the Distro-List in the BCC: Line.  That away when they do use the "Reply All" it only goes to the sender and the important people that need to track the responses.  From my experience I could see where this rule could hinder an operation, if the rule's criteria was met and the rule locked people out for 4 hours.  

If a company has over a million employee's 5,000 could be hit pretty easy.  Would this rule identify e-mail address that are redundant in different DITRO-List? or Would it just count total number of address?

1000's of internal reply all emails all from one phish attempt not detected by this tool?

Yes, this really is a awesome feature, but do you know that you can configure settings in Reply All Storm Protection.Want to know more about it? Check out our blog  https://m365scripts.com/exchange-online/stuck-in-an-email-storm-reply-all-storm-protection-is-here-t...