NOTE: This applies to customers with Microsoft Exchange Online Protection or Microsoft Defender for Office 365 Plan 1 or Plan 2 service plans.
Soon, it will be possible to create IPv6 allow and block entries in the Tenant Allow/Block Lists.
This message is associated with Microsoft 365 Roadmap ID 406166.
[When this will happen:]
General Availability (Worldwide, GCC, GCC High, DoD): We will begin rolling out late September 2024 and expect to complete by late October 2024.
[How this will affect your organization:]
Before this rollout: Admins cannot block or allow IPv6 addresses.
After this rollout, you can make IPv6 allow and block entries in these formats:
- Colon-hexadecimal notation single IPv6 address (for example, 2001:0db8:85a3:0000:0000:8a2e:0370:7334)
- Zero compression single IPv6 address (for example, 2001:db8::1)
- Classless inter-domain routing (CIDR) IPv6 (for example, 2001:0db8::/32). The supported prefix length range is 1-128.
An IP block entry drops any email sent from that IP at the edge, whereas an IP allow entry only overrides IP filtering, so the rest of the Defender for Office 365 stack still evaluates the message for threats. IP block entries take priority over IP allow entries.
Admins can create entries in the Defender portal or with the Microsoft PowerShell New-TenantAllowBlockListItems cmdlet (ListType parameter with value IP) without needing a submission.
This change will not impact any of your current Tenant Allow/Block List entries or your IPv4 entries in the hosted connection filter policy or enhanced filtering connection policy.
Last used date support for IPv6 allow and block will be added soon.
Entry limits for IPv6:
- Exchange Online Protection: The maximum number of allow entries is 500, and the maximum number of block entries is 500 (1000 entries in total).
- Defender for Office 365 Plan 1: The maximum number of allow entries is 1000, and the maximum number of block entries is 1000 (2000 entries in total).
- Defender for Office 365 Plan 2: The maximum number of allow entries is 5000, and the maximum number of block entries is 10000 (15000 entries in total).
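An added example, not part of Microsoft's notice: a PowerShell pre-check that validates candidate entries against the formats and prefix range listed above, applies the block-over-allow priority, and checks the list size before anything is passed to New-TenantAllowBlockListItems. The helper name ConvertTo-TablIPv6Entry, the sample addresses, and the use of the Exchange Online Protection limits are assumptions for illustration.

```powershell
# Hypothetical helper (not a Microsoft cmdlet): returns the normalized entry, or $null if invalid.
function ConvertTo-TablIPv6Entry {
    param([string]$Entry)
    $address, $prefix = $Entry.Trim() -split '/', 2
    # Hex digits and colons only: rejects brackets, zone IDs (%eth0) and dotted IPv4 forms.
    if ($address -notmatch '^[0-9A-Fa-f:]+$') { return $null }
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($address, [ref]$ip)) { return $null }
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetworkV6) { return $null }
    if ($null -eq $prefix) { return $ip.ToString() }   # single address
    # CIDR entry: the notice gives a supported range of 1-128.
    if ($prefix -notmatch '^\d{1,3}$') { return $null }
    $length = [int]$prefix
    if ($length -lt 1 -or $length -gt 128) { return $null }
    return '{0}/{1}' -f $ip, $length
}

# Constructed sample input (documentation prefix 2001:db8::/32 plus deliberately bad entries).
$candidates = @{
    Block = '2001:0db8:85a3:0000:0000:8a2e:0370:7334', '2001:db8::1',
            '2001:db8:bad::/0', '[2001:db8::2]', '192.0.2.10'
    Allow = '2001:db8::1', '2001:0db8:aaaa::/48'
}
# Exchange Online Protection limits from the notice; entries already in the tenant are not counted here.
$limit = @{ Block = 500; Allow = 500 }

$valid = @{}
foreach ($list in 'Block', 'Allow') {
    $valid[$list] = @($candidates[$list] | ForEach-Object {
        $normalized = ConvertTo-TablIPv6Entry $_
        if ($normalized) { $normalized } else { Write-Warning "$list entry rejected: $_" }
    } | Select-Object -Unique)
    if ($valid[$list].Count -gt $limit[$list]) { throw "$list list exceeds $($limit[$list]) entries" }
}
# Block has priority over allow, so an allow entry identical to a block entry has no effect.
$valid.Allow = @($valid.Allow | Where-Object { $_ -notin $valid.Block })

# In an Exchange Online PowerShell session, the validated lists would be submitted with:
#   New-TenantAllowBlockListItems -ListType IP -Block -Entries $valid.Block
#   New-TenantAllowBlockListItems -ListType IP -Allow -Entries $valid.Allow
$valid
```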
Permissions:
The same existing set of permissions we have for Tenant Allow/Block List will also apply to this rollout.
[What you need to do to prepare:]
This rollout will happen automatically by the specified date with no admin action required before the rollout. To block or allow email from IPv6 addresses, an admin needs to create the corresponding entries.
Source: Microsoft
The upcoming update for Microsoft Defender for Office 365 will bring some exciting changes for admins and users alike! Soon, admins will be able to create IPv6 allow and block entries in the Tenant Allow/Block Lists, expanding the capabilities of email filtering.
This update will empower admins to better manage email traffic by allowing them to block or allow specific IPv6 addresses. Admins can create entries in different formats like colon-hexadecimal notation, zero compression, or CIDR IPv6. The IP block entry will drop emails from the specified IP address, while the IP allow entry will override IP filtering, letting the Defender for Office 365 stack evaluate threats.
Admins can easily create these entries through the Defender portal or using the Microsoft PowerShell cmdlet. The update will not impact existing entries or IPv4 entries, ensuring a smooth transition.
In terms of criticality, this update is significant for organizations using Microsoft Exchange Online Protection or Microsoft Defender for Office 365 Plan 1 or Plan 2 service plans. It enhances security measures and provides more control over email filtering, ultimately contributing to a safer email environment.
So, get ready to embrace the IPv6 era in email filtering with Microsoft Defender for Office 365! It’s time to block those pesky emails and allow the good ones through with a few clicks. Stay tuned for a smoother and more secure email experience!