Defender for Email Restricted Sender Re-Enable Action

This guide shows an administrator how to lift the outbound sending restriction placed on a user that has exceeded its allowed daily external sending limit, once the activity has been confirmed as sanctioned.

Email Restricted Entity Methodology

When an account exceeds its daily sending quota, it becomes a restricted entity and is blocked from sending mail. This can result from benign activity, such as replying in a long thread with a large list of CC'd recipients, or from less benign activity, such as a compromised account being used to export the contents of a mailbox to an external server. Because the cause is not known up front, precaution is taken: approval from a technical contact is required before the account is allowed to resume normal sending.

It is best practice not to unblock the entity unless the activity has been identified as sanctioned. The technical contact for the affected organization must be notified and must grant written consent before the actions listed below are carried out. If no approval is given, do nothing.

Removing a User as a Restricted Entity

  1. Navigate to the Restricted Entities page in the Microsoft Defender portal (https://security.microsoft.com/restrictedentities). Any entry on this page is a user account or a connector that has been blocked from sending email because of possible indications of compromise, most commonly exceeding the outbound recipient and message limits defined in the Microsoft Defender threat policies (the anti-spam outbound policy).
  2. Before initiating the Unblock action on the entry, check in with the affected user or their management to get more information about the situation.
    1. When attempting to establish communication with the affected user, note that the user can still receive email sent to their address but cannot send any email in response until the restriction is lifted. Calling or texting the user to establish a line of communication is therefore recommended; a channel outside of email is preferred, and it also avoids relying on a mailbox that may itself be compromised.
    2. Management template:

      We have detected that a user, [USERNAME], has exceeded the sending limit enforced by our email security policy. At this moment the user can receive mail as usual but is unable to send email for security purposes. Is this activity sanctioned, and if so, should this account be permitted to resume sending?

  3. After the necessary steps have been taken to verify that the restriction was not caused by a possible indicator of compromise, locate the entry, select the checkbox next to it, and select the Unblock action. This initiates removal of the restriction, and the user should be able to send email again within the hour. If no approval is given, or if the activity appears to be a sign of compromise, do not unblock the account.
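The same review-and-unblock procedure can be carried out from Exchange Online PowerShell, which is useful when the steps above must be logged or run by an analyst on behalf of a tenant. The script below is an added example and is not part of this guide or of Microsoft's documentation. It assumes the ExchangeOnlineManagement module is installed and that the signed-in administrator holds a role permitted to manage restricted senders (for example Security Administrator). The -ApprovedBy and -TicketId parameters, the forwarding-rule check and the log file are this example's own conventions for recording the written approval the procedure requires; the cmdlets Get-BlockedSenderAddress, Remove-BlockedSenderAddress and Get-InboxRule are the real Exchange Online cmdlets.

```powershell
<#
  Added example: PowerShell equivalent of the Restricted Entities unblock procedure.
  Assumes the ExchangeOnlineManagement module and an admin role that can manage
  restricted senders. -ApprovedBy / -TicketId / -LogPath are this script's own
  conventions (hypothetical), used to record the written consent required above.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory)] [string] $SenderAddress,   # e.g. user@contoso.com (the restricted user)
    [Parameter(Mandatory)] [string] $ApprovedBy,      # technical contact who gave written consent
    [Parameter(Mandatory)] [string] $TicketId,        # reference to that written approval
    [string] $LogPath = "$env:TEMP\restricted-entity-unblock.log"
)

Connect-ExchangeOnline -ShowBanner:$false

# 1. Confirm the address really is on the Restricted entities list and show why it was blocked.
$blocked = Get-BlockedSenderAddress -SenderAddress $SenderAddress
if (-not $blocked) {
    Write-Warning "$SenderAddress is not currently a restricted sender. Nothing to do."
    return
}
$blocked | Format-List SenderAddress, Reason, CreatedDatetime

# 2. Compromise check before unblocking: inbox rules that forward or redirect mail
#    are a common sign of an account being used to export a mailbox, which the
#    guide treats as the "less benign" cause. Stop and hand off if any are found.
$suspectRules = Get-InboxRule -Mailbox $SenderAddress |
    Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo }
if ($suspectRules) {
    Write-Warning "Forwarding/redirect inbox rules exist on $SenderAddress; do NOT unblock until reviewed:"
    $suspectRules | Format-Table Name, Enabled, ForwardTo, RedirectTo -AutoSize
    return
}

# 3. Unblock only with recorded approval. -WhatIf previews the action without changing anything.
$action = "Remove outbound sending restriction (approved by $ApprovedBy, ticket $TicketId)"
if ($PSCmdlet.ShouldProcess($SenderAddress, $action)) {
    Remove-BlockedSenderAddress -SenderAddress $SenderAddress
    "$(Get-Date -Format o) UNBLOCK sender=$SenderAddress approvedBy=$ApprovedBy ticket=$TicketId reason='$($blocked.Reason)'" |
        Add-Content -Path $LogPath
    Write-Host "Restriction removed for $SenderAddress. Sending typically resumes within the hour."
}
```

Run it first with -WhatIf (for example `.\Unblock-RestrictedSender.ps1 -SenderAddress user@contoso.com -ApprovedBy "J. Doe" -TicketId INC-1234 -WhatIf`) to see the block reason and the result of the forwarding-rule check without lifting the restriction; drop -WhatIf only after the written approval is on file. Blocked connectors shown on the same portal page are handled with Get-BlockedConnector and Enable-BlockedConnector rather than the sender cmdlets used here.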

Need Assistance?

Reach out to your Customer Success Manager to discuss how a Sittadel cybersecurity analyst can assist in managing these tasks for you. New to our services? Inquire about arranging a consultation to explore optimizing your Azure environment for painless management.