Microsoft Tech Community

Reject policy for all email that are not a active user


Is there a policy or rule that rejects all inbound email sent to non-active users?
As a dynamic rule / policy.
Or a way to allow emails to active users and reject the rest.
It could be a simple one, but I can not find it.
If there is no option to create this, please see this as a feature request.
3 Replies
It depends on your definition of "not active". Not logging on for X days? Not sending for X days? Not on an internal list for your organisation (payroll, building access, anything?)

That activity or lack of activity feeds a static Azure group, and you reject, drop or quarantine messages to that group as per your requirement. I would use a mail flow rule but there might even be simpler solutions involving the group and mailbox permissions. If your user maintenance procedure is defining inactivity, assigning a private primary address and removing all the publicly deliverable aliases and distribution group memberships also shuts the mailbox down without removing the content. Beware of using an exemption (block all except to active users) as you will have fun with BCC or groups, depending on how the expansion works out.


Active users are all users in the domain that are enabled

and / or all users that have an active Office licence

or you can make an option like: all emails sent to a non-existing user can be dropped

for example....

email address removed for privacy reasons is an active user and continues through the rest of the email checks

email address removed for privacy reasons is a non-existent user and can be dropped directly
@XenoxNL are you familiar with DBEB/Directory-Based Edge Blocking? Messages sent to non-existent addresses within authoritative domains are dropped: Use Directory-Based Edge Blocking to reject messages sent to invalid recipients in Exchange Online.

Additionally, you can always set a recipient (mailboxes, distribution lists, etc.) to require that a sender be "authenticated" (using the -RequireSenderAuthenticationEnabled parameter on the Set-* cmdlets).

Otherwise, you can always get more granular with your needs by creating transport rules to block external senders to certain recipients/scenarios.
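A worked version of the three controls mentioned in this thread (the DBEB check on the accepted domain, the per-mailbox -RequireSenderAuthenticationEnabled setting, and the group-plus-mail-flow-rule approach from the first reply), using "account disabled" as the definition of "not active". This is an added example, not code from the thread; it assumes the ExchangeOnlineManagement module and an Exchange Administrator role, and the domain and group names are placeholders.

```powershell
# Added example, not from the thread. Assumes ExchangeOnlineManagement is installed
# and the signed-in account holds the Exchange Administrator role.
Connect-ExchangeOnline -ShowBanner:$false

$domain = 'contoso.example'                      # placeholder accepted domain
$group  = 'inactive-mailboxes@contoso.example'   # placeholder mail-enabled security group

# Step 1: DBEB only drops mail to unknown recipients when the accepted domain is
# Authoritative. Internal Relay domains pass unknown recipients onward (e.g. on-prem),
# so report the type instead of silently changing it.
$accepted = Get-AcceptedDomain -Identity $domain
if ($accepted.DomainType -ne 'Authoritative') {
    Write-Warning "$domain is $($accepted.DomainType); DBEB will not reject unknown recipients."
    # Only when no other system relies on relay of unknown recipients:
    # Set-AcceptedDomain -Identity $domain -DomainType Authoritative
}

# Step 2: "not active" = account disabled (the OP's first definition). Restrict to
# user mailboxes so shared and resource mailboxes are left alone.
$inactive = Get-User -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { $_.AccountDisabled -eq $true }

# Step 3a: per-mailbox control. External (unauthenticated) senders are rejected;
# internal senders can still deliver, which is often wanted for offboarding.
foreach ($u in $inactive) {
    Set-Mailbox -Identity $u.Identity -RequireSenderAuthenticationEnabled $true
}

# Step 3b: group plus one static mail flow rule. Membership is what changes over
# time, so this loop belongs in the offboarding job, not run once.
foreach ($u in $inactive) {
    Add-DistributionGroupMember -Identity $group -Member $u.Identity -ErrorAction SilentlyContinue
}
$ruleName = 'Reject external mail to inactive users'
if (-not (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $ruleName `
        -FromScope NotInOrganization `
        -SentToMemberOf $group `
        -RejectMessageReasonText 'Recipient is not an active user' `
        -RejectMessageEnhancedStatusCode '5.7.1'
}

# Step 4: audit which mailboxes are now covered, so the change can be reviewed.
$inactive | Select-Object DisplayName, UserPrincipalName, AccountDisabled | Format-Table
```

The block-list shape (reject to members of a group) avoids the BCC and group-expansion surprises the first reply warns about with an "allow only active users" exemption rule.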