It's Time for Smart Allow Management
If you've set up allowed domains, emails, URLs, or files in the Microsoft 365 Defender Tenant Allow/Block List, Microsoft will now automatically remove entries from the allow list once the system has learned from these configurations. If the system is treating the entity as good, there is no reason to have a redundant allow entry. Alternatively, Microsoft will also extend the expiration time of the allows if the system has not updated yet. This will prevent your legitimate emails from being sent to junk or quarantine. Spoof allow entries do not expire, so the automatic extension and removal doesn't apply in this case. Smart allow management is now live worldwide, which means the Tenant Allow/Block list will be shorter and more useful to you & your security team.
Allows Will Be Automatically Extended
As a member of a security team, you’d create an allow entry in the Tenant Allow/Block List through the Submissions page if you found a legitimate email is getting junked or quarantined. Previously, the allow entry would typically expire after 30 days, leading to the same legitimate emails getting blocked again. Your options would be either to create another allow entry or try to open a support case to fix the underlying problem.
Now if Microsoft has not learned from the allow entry and the allow is going to expire, we’ll extend the removal date by an additional 30 calendar days. However, the allow entries will not be extended indefinitely. If the system has not learned that the value is good after 90 days from the date of creation, the allow entry will be removed and you’ll get an alert about it.
Please note, this feature only applies to allow entries that were originally created with a removal date after 7 days. If the original removal date was between 1 and 7 days after creation, the automatic extension will not apply.
See this example of automatic extension. The expiration date is getting closer, and Microsoft has still not learned that “email@example.com” is good.
The date is then extended from September 30, 2022 to October 30, 2022.
Allows will be removed once the system has learned an entry is safe
If Microsoft has learned from the allow and the system is automatically allowing the domain, email, URL, or file, the allow entry will be automatically removed and you’ll get an alert. Most importantly, emails will continue getting delivered to inboxes.
As a security professional, your job of managing the allow entries in the Tenant Allow/Block List just got easier. Everything will happen in the backend, and the user interface will not change.
Let Us Know What You Think!
We are excited for you to experience automatic Tenant Allow/Block List expiration management for allows. Let us know what you think by commenting below.
If you have other questions or feedback about Microsoft Defender for Office 365, engage with the community and Microsoft experts in the Defender for Office 365 forum.