Microsoft Defender for Email & Collaboration - "Whitelist"

Hey somaji! - hope you're well 🙂

I'd love to help you get this resolved.

Firstly, allowlisting (new terminology for whitelisting) domains / senders / IPs is not a decent solution, my personal analogy to explain why is that if the diagnostic fault light came on in your car, that's the car telling you something is wrong. - simply adding an allow-list entry is like putting a piece of tape over that light so you can't see it anymore, you're ignoring the issue which needs to be fixed.

An email being sent to the quarantine can be seen as Defender telling you theres something wrong with the email, so we need to fix the underlying issue, which usually is one of a few things:

- There is actually a problem with the email or its contents, for example it could be a URL inside that email which is malicious, or the authentication failed causing a DMARC failure.

- There isn't an issue with the email, and we've got our verdict wrong, in which case you should complete an admin submission (which will also allow you to temporarily allow whatever was causing the detection while we update the underlying reason the detection technology caught it. 

- However, this looks like a third possible problem the fact I see you posted "Blocked by user policy; Sender address list" indicates the recipient of the message has added the sender to their personal block list, aka they do not want to recieve emails from that sender / domain. - this in turn is setting the SCL to a level where the strict preset policy then quarantines it. (so all very by design) - I'd expect you to find "SFV:BLK" in the headers when viewed in quarantine.

To rectify this, the user(s) can remove the block entries from their personal allow / block list in OWA, but you can also view to be sure (or adminstratively control) using the Set-MailboxJunkEmailConfiguration cmdlet 

Hope that is of use! - please let me know if I've misunderstood the issue and you need more help.

Ben.