Indicator allow/block list not working over Web Content Filtering

Copper Contributor

Hi all,


We have Web Content Filtering to block selected categories.  WCF is working well as intended that browsing the selected categories is blocked on both Edge and Chrome browsers.


We also have a list of domains/URLs in Indicators to allow browsing some sites that are categorically blocked by WCF.  However, users are still blocked from browsing those domains/URLs.


For example:

We select streaming media to block in WCF.  Users are blocked from browsing Youtube and Vimeo sites on both Edge and Chrome browsers.

We then added the following domains/URLs in the Indicators with 'Allow' action.

(the reason we used different formats is to determine what works in case we were not using the correct format.)


However, users are still blocked from browsing the sites.

I understand it can take up to 2 hours before indicators work.  It's been days/weeks since they were added in.


To make sure the sites were not blocked by something else other than WCF, we also removed High Bandwidth category (that includes Streaming Media) from WCF selection.  Within 15 minutes the users can browse both Youtube and Vimeo.  When the category is re-selected, users are blocked from those sites within 15 minutes.  So I believe we can confidently say the behaviour is not caused by some other control than WCF.


We also have a URL with 'Block' settings in the Indicator where the URL is not categorically blocked by WCF.  Users can browse the website any issues.


So, it seems the entire Indicator URLs/Domains has no effect on the devices.


WCF is applied to a group of selected devices.  Indicators are set to apply to all devices in the organization. 





12 Replies
we run over this discussion last week , check below discussion it might help you with your issue

@eliekarkafy Thanks for your feedback.  However, it appears the discussion you mentioned is about WCF not working on 3rd party browsers due to lack of support on SSL inspection.  In our case, WCF works well with both Edge and Chrome browsers.  Our issue is the list of URLs/Domain in the indicators to override WCF settings are not being followed by the end devices on either Edge or Chrome browsers.


@IsaacPark did you had the chance to check web protection reports to see the streaming web categories and how the URL format that is being blocked? 








@eliekarkafy , yes I can see them in the report.



did you try to create Mutiple custom indicators to cover Mutiple format for youtube ? for example ind1 : , ind2 :, ind3 : , etc ... ? adding custom indicators will allow you to override the blocked category.

@eliekarkafy , yes but in a slight different approach.  I made one domain without https:// and another with http:// so we can narrow down what format works quicker.  




It's not there any more but we also tried with http:// prefix.  It did not make any difference.



@IsaacPark that's weird, with that in place you should be able to override the blocked category. I suggest you open a ticket with the Microsoft security team so they can check your tenant in the backend.  

We have multiple tenants showing the same problem. We even created a brand new tenant and clean setup the WCF and Indicator for testing (to eliminate the possible interference by other existing policies), same thing is happening. So, we thought it could be a global issue or at least across APAC region, hence the post to tech community to see if anyone else is also experiencing it.

Full disclaimer, this is first time we are using the indicator. Never needed to until now. So, it may just be a silly mistake of missing a tick box somewhere we didn't know we had to enable/disable to get the indicator working. I have gone over Microsoft documentations over and over on WCF and Indicators but could not find anything I missed. (another reason for posting to tech community, to get feedback from the experienced users to advise on tips Microsoft Docs may have overlooked).

Much appreciate your continued interests and suggestions. If it's not too much trouble can you check if the URLs/Domain based indicators are working in your tenant?

Yes, I logged a support call with Microsoft. Over the screen share session, the MS support confirmed all configurations are correct and it 'should' work. Asked me to blow away all indicators and recreate them (and wait a few hours for it to kick in). This did not make any changes. As a next step, they asked for Process Steps Recorder showing WCF & Indicator settings, then record browsing the allowed sites to show they are still being blocked. So it's pretty much repeating what I already showed them over screen share, but in recorded format. Hopefully they will come back with some good suggestions to try next.

best response confirmed by IsaacPark (Copper Contributor)
It ended up being such an obvious one. Sharing it here in case anyone struggle to get it working for the same reason.
Go to Microsoft 365 Defender Admin Portal > Settings > Endpoints > Advanced Features.
Enable "Custom Network Indicators".

that needs to be enabled for sure when you want to allow/block custom URLs , IP addresses , etc .... i though that you already enabled that in your initial configuration. thanks for sharing. Dont forget to enable network protection in block mode for better security towards malicious sites 

Thank you for this!!! I don't know if i missed reading about it in the articles for setting up webfiltering or if it's just missing but i've been banging my head for a week with this.

@Jakob_312 Thanks for sharing.  I, too, went over many MS articles on setting up indicators but did not find a single article that mentioned that there is a setting under Advanced Features that you need to turn on.  It's either never mentioned or very hard to find.  I am glad to hear this helped.