Unblocking Users from the Restricted Entities List in Microsoft 365

In Microsoft 365 environments, ensuring seamless email communication is crucial for business operations. However, there are instances where user accounts may get restricted from sending emails. This typically occurs when a user exceeds the outbound sending limits of the service or violates the limits defined in outbound spam policies. When this happens, the affected user is added to the Restricted entities page within the Microsoft Defender portal, effectively preventing them from sending further emails, although they can still receive them.

A restricted entity, in this context, refers to a user account or even a connector that has been blocked from sending email due to potential compromise. This compromise is often indicated by activities such as exceeding message sending and receiving limits, which are red flags for spamming or phishing attempts. Users attempting to send emails while restricted will encounter a non-delivery report (NDR) with error code 5.1.8, accompanied by the message:

“Your message couldn’t be delivered because you weren’t recognized as a valid sender. The most common reason for this is that your email address is suspected of sending spam and it’s no longer allowed to send email. Contact your email admin for assistance. Remote Server returned ‘550 5.1.8 Access denied, bad outbound sender.”

It’s important to address these restricted entities promptly to restore normal email functionality, while also ensuring the security of your Microsoft 365 environment. For a deeper understanding of compromised user accounts and the steps to regain control, refer to Responding to a compromised email account.

This guide will walk administrators through the process of removing user accounts from the Restricted entities page, using both the Microsoft Defender portal and Exchange Online PowerShell. For information on handling blocked connectors, please see Remove blocked connectors from the Restricted entities page.

Removing a User from the Restricted Entities Page in the Microsoft Defender Portal

The Microsoft Defender portal provides a user-friendly interface to manage restricted entities. Follow these steps to remove a user from the list:

  1. Access the Microsoft Defender portal by navigating to https://security.microsoft.com.

  2. In the left-hand navigation menu, go to Email & collaboration > Review > Restricted entities. Alternatively, you can directly access the page by using this link: https://security.microsoft.com/restrictedentities.

  3. On the Restricted entities page, you’ll see a list of entities. Identify the user account you wish to unblock. In the Entity column, the value will be Mailbox for user accounts. You can sort the list by clicking on column headers and use the Search function to quickly locate specific users.

  4. Select the user you want to unblock by checking the box next to their name. Once selected, the Unblock action will become visible on the page. Click on the Unblock button.

  5. An Unblock user flyout will appear. The Overview page provides details about the restricted account. It’s crucial to review the Recommendations section to ensure you’ve addressed potential account compromise issues before proceeding.

  6. After reviewing the Overview page, click Next to proceed to the Unblock user page. Here, you’ll find recommendations to enhance account security, such as enabling multi-factor authentication (MFA) and resetting the user’s password. If you haven’t already implemented these measures, it’s highly advisable to do so using the provided links. These steps are vital to prevent future account compromises.

  7. Once you have addressed the security recommendations, click Submit on the Unblock user page.

  8. A warning dialog box will appear to confirm your action. Click Yes to confirm the unblocking process.

    Typically, the restrictions are removed from the user account within an hour. However, in rare cases of transient technical issues, it might take up to 24 hours for the unblocking to fully propagate.

Verifying Alert Settings for Restricted Users

Microsoft 365 includes default alert policies to notify administrators about important events, including user restrictions. The default alert policy, named User restricted from sending email, automatically sends notifications when users are blocked from sending emails. It is essential to ensure these alerts are properly configured to stay informed about restricted users. For more information on alert policies, see Alert policies in the Microsoft Defender portal.

Important: For alert policies to function correctly, audit logging must be enabled in your Microsoft 365 environment. Audit logging is typically turned on by default. To verify its status or enable it, refer to Turn auditing on or off.

To verify the alert settings for restricted users, follow these steps:

  1. Go to the Microsoft Defender portal at https://security.microsoft.com.

  2. Navigate to Email & collaboration > Policies & rules > Alert policy, or use the direct link: https://security.microsoft.com/alertpoliciesv2.

  3. On the Alert policy page, locate the alert named User restricted from sending email. You can use the search box or sort by name to find it quickly.

  4. Click on the User restricted from sending email alert to open its settings flyout.

  5. In the flyout, review and configure the following settings:

    • Status: Ensure the alert is turned On (toggle switch is enabled).
    • Set your recipients section: Expand this section to verify the Recipients who will receive alerts and the Daily notification limit.

  6. To modify the recipient settings, click Edit recipient settings or Edit policy.

  7. In the configuration wizard, ensure Opt-in for email notifications is selected.

  8. Review and modify the Email recipients. The default recipient is the TenantAdmins group (Global Administrators). You can add more recipients by clicking in the recipient box and selecting users or groups. Remove recipients by clicking the remove icon next to their name.

  9. Verify or adjust the Daily notification limit. The default is No limit.

  10. Complete the wizard by clicking Next, reviewing settings, and clicking Submit and Done.

  11. Close the alert policy flyout.

Using Exchange Online PowerShell to Manage Restricted Users

For administrators who prefer command-line interfaces or need to automate tasks, Exchange Online PowerShell provides powerful tools to manage restricted entities.

To view the list of users restricted from sending email, execute the following command in Exchange Online PowerShell:

Get-BlockedSenderAddress

To get detailed information about a specific restricted user, replace <emailaddress> with the user’s email address and run:

Get-BlockedSenderAddress -SenderAddress <emailaddress> | Format-List

For comprehensive syntax and parameter details about this cmdlet, refer to Get-BlockedSenderAddress.

To remove a user from the Restricted users list, replace <emailaddress> with the user’s email address and execute:

Remove-BlockedSenderAddress -SenderAddress <emailaddress>

For detailed syntax and parameter information about removing blocked sender addresses, see Remove-BlockedSenderAddress.
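
The following script combines the lookup and removal commands above with the password reset and MFA checks recommended in the portal workflow. It is an added example, not code from Microsoft or the original article: the function name Unblock-RestrictedSender, its switches, and the address user@example.com are hypothetical, and it assumes a session already opened with Connect-ExchangeOnline.

```powershell
# Added example; Unblock-RestrictedSender and its switches are hypothetical names.
# Assumes an Exchange Online PowerShell session is already connected.
function Unblock-RestrictedSender {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$SenderAddress,
        # Operator attestations that the recommended remediation is complete.
        [switch]$PasswordWasReset,
        [switch]$MfaIsEnabled
    )

    # Look up the restriction first; a user who is not listed needs no action.
    $entry = Get-BlockedSenderAddress -SenderAddress $SenderAddress -ErrorAction SilentlyContinue
    if (-not $entry) {
        Write-Warning "$SenderAddress is not on the restricted list."
        return
    }

    # Show the full record so the block is reviewed before it is removed.
    $entry | Format-List | Out-String | Write-Host

    # Refuse to unblock an account that has not been secured.
    if (-not ($PasswordWasReset -and $MfaIsEnabled)) {
        Write-Warning ("Not unblocking $SenderAddress until the password is reset and MFA " +
                       "is enabled; re-run with -PasswordWasReset -MfaIsEnabled.")
        return
    }

    # ShouldProcess gives -WhatIf and -Confirm support for the removal itself.
    if ($PSCmdlet.ShouldProcess($SenderAddress, 'Remove from Restricted entities')) {
        Remove-BlockedSenderAddress -SenderAddress $SenderAddress -Confirm:$false
        [pscustomobject]@{
            SenderAddress = $SenderAddress
            UnblockedAt   = Get-Date
            Note          = 'Restrictions are typically lifted within an hour; allow up to 24 hours.'
        }
    }
}

# Review everyone currently restricted, then dry-run one removal (constructed address).
Get-BlockedSenderAddress | Format-Table -AutoSize
Unblock-RestrictedSender -SenderAddress 'user@example.com' -PasswordWasReset -MfaIsEnabled -WhatIf
```

Drop -WhatIf once the dry run shows the intended account; the returned object can be appended to a change log as a record of who was unblocked and when.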

More Information

Managing restricted entities is a critical aspect of maintaining a secure and efficient Microsoft 365 environment. By promptly addressing user restrictions and implementing security best practices like MFA and password resets, administrators can minimize disruptions and safeguard their organizations from potential email-borne threats. Remember to investigate the root cause of user restrictions to prevent recurrence and maintain a healthy email ecosystem.
