Outbound Spam Policy - Restrict the user from sending mail till the following day

%3CLINGO-SUB%20id%3D%22lingo-sub-1434154%22%20slang%3D%22en-US%22%3EOutbound%20Spam%20Policy%20-%20Restrict%20the%20user%20from%20sending%20mail%20till%20the%20following%20day%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1434154%22%20slang%3D%22en-US%22%3E%3CP%3ENot%20really%20a%20question%2C%20but%20found%20out%20the%20hard%20way%20that%20the%20default%20outbound%20spam%20policy%20setting%20of%20%22%3CSTRONG%3ERestrict%20the%20user%20from%20sending%20mail%20till%20the%20following%20day%22%3C%2FSTRONG%3E%20does%20NOT%20allow%20admin%20override%20when%20a%20user%20triggers%20the%20policy.%26nbsp%3B%20Nor%20does%20the%20affected%20user%20account%20show%20in%20the%20Restricted%20Users%20portal%20(nor%20powershell%20query%3A%26nbsp%3BGet-BlockedSenderAddress).%26nbsp%3B%20Which%20means%20the%20user%20is%20effectively%20blocked%20from%20sending%20email%20until%20the%20next%20day%20with%20no%20option%20to%20remove%20the%20restriction.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20seems%20like%20an%20undesirable%20outcome%20(not%20to%20mention%20default%20behavior).%26nbsp%3B%20It%20would%20seem%20like%20a%20better%20option%20would%20be%20to%20block%20for%20a%20day%2C%20but%20allow%20an%20admin%20to%20override%20and%20remove%20the%20restriction%20if%20desired.%26nbsp%3B%20Of%20course%20the%20other%20policy%20option%20(which%20I%20will%20universally%20recommend%20going%20forward)%20is%20to%20use%20%3CSTRONG%3E%22Restrict%20the%20user%20from%20sending%20mail%22%3C%2FSTRONG%3E%20instead%20which%20would%20always%20require%20manual%20intervention%20(but%20at%20least%20that's%20an%20option).%20%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EProbably%20won't%20affect%20many%20orgs%20since%20I%20suspect%20most%20keep%20the%20service%20defaults%20of%2010000%20emails%20to%20trigger%20the%20policy%2C%20but%20for%20any%20orgs%20that%20fine%20tune%20to%20a%20more%20effective%20level%20it%20just%20seems%20weird%20and%20unexpected%20to%20me.%26nbsp%3B%26nbsp%3B%20Am%20I%20missing%20something%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHere's%20the%20MS%20doc%20documenting%2Fverifying%20the%20behavior%3A%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fsecurity%2Foffice-365-security%2Fconfigure-the-outbound-spam-policy%3Fview%3Do365-worldwide%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fsecurity%2Foffice-365-security%2Fconfigure-the-outbound-spam-policy%3Fview%3Do365-worldwide%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1434154%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EExchange%20Online%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Occasional Contributor

Not really a question, but found out the hard way that the default outbound spam policy setting of "Restrict the user from sending mail till the following day" does NOT allow admin override when a user triggers the policy.  Nor does the affected user account show in the Restricted Users portal (nor powershell query: Get-BlockedSenderAddress).  Which means the user is effectively blocked from sending email until the next day with no option to remove the restriction. 

 

This seems like an undesirable outcome (not to mention default behavior).  It would seem like a better option would be to block for a day, but allow an admin to override and remove the restriction if desired.  Of course the other policy option (which I will universally recommend going forward) is to use "Restrict the user from sending mail" instead which would always require manual intervention (but at least that's an option).  

 

Probably won't affect many orgs since I suspect most keep the service defaults of 10000 emails to trigger the policy, but for any orgs that fine tune to a more effective level it just seems weird and unexpected to me.   Am I missing something?

 

Here's the MS doc documenting/verifying the behavior: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/configure-the-outbound-s...

 

 

0 Replies