
Restricted Users

Monitor and manage users who have been restricted from sending email due to suspicious activity, outbound spam, or compromised account indicators. When Exchange Online detects anomalous sending patterns, it blocks the user from sending to protect your organization’s reputation.

Warning: A restricted user often indicates a compromised account. Investigate the account before unblocking to prevent further abuse.

Restricted User List

| Column | Description |
| --- | --- |
| User | Blocked user display name and email |
| Restriction Date | When the user was restricted |
| Reason | Why the user was blocked (spam, compromise, limit exceeded) |
| Status | Restricted or Unblocked |
| Action Required | Steps needed before unblocking |

Restriction Reasons

Outbound Spam

User sent messages identified as spam by outbound spam filtering. Common causes:

  • Compromised account sending spam
  • Misconfigured application sending bulk email
  • Mailbox rules forwarding spam externally

Sending Limit Exceeded

User exceeded the daily or hourly sending limits:

  • 10,000 recipients per day
  • 30 messages per minute
  • Limits apply across all sending methods

Suspicious Activity

Anomalous sending patterns detected by Microsoft’s threat intelligence:

  • Unusual volume from the account
  • Sending to known spam traps
  • Messages matching spam patterns

Investigating a Restricted User

Before unblocking, investigate the root cause:

  1. Check sign-in logs — Review recent sign-ins for unfamiliar locations or devices
  2. Review Inbox rules — Look for malicious forwarding or deletion rules
  3. Check connected apps — Review OAuth app permissions for unauthorized access
  4. Review sent messages — Examine recent sent items for spam content
  5. Verify MFA status — Ensure multi-factor authentication is enabled
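
One way to script step 2 of the investigation (reviewing Inbox rules), as an added example that is not part of this product's own code: it triages exported rule records and flags external forwarding and deletion rules for human review. The property names follow `Get-InboxRule` output; the tenant domain, the address string format, the sample rules and the function names are constructed assumptions.

```python
import re

# Assumption: domains your tenant owns; every other domain counts as external.
INTERNAL_DOMAINS = {"contoso.example"}
FORWARD_FIELDS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def external_targets(rule):
    """Return the sorted external SMTP addresses a rule forwards or redirects to."""
    found = set()
    for field in FORWARD_FIELDS:
        for entry in rule.get(field) or []:
            for m in ADDR_RE.finditer(entry):
                if m.group(1).lower() not in INTERNAL_DOMAINS:
                    found.add(m.group(0).lower())
    return sorted(found)


def triage_rule(rule):
    """Return the findings for one inbox rule; an empty list means nothing flagged."""
    findings = []
    targets = external_targets(rule)
    if targets:
        findings.append("forwards externally to " + ", ".join(targets))
    if rule.get("DeleteMessage"):
        findings.append("deletes matching messages")
    if findings and not rule.get("Enabled", True):
        findings.append("rule is disabled")  # still review: it can be re-enabled
    return findings


def triage_mailbox(rules):
    """Map rule name -> findings, keeping only the rules that were flagged."""
    return {r["Name"]: f for r in rules if (f := triage_rule(r))}


# Constructed sample export for one restricted user (not real data).
SAMPLE_RULES = [
    {"Name": "Newsletters", "Enabled": True, "MoveToFolder": "Newsletters"},
    {"Name": ".", "Enabled": True, "DeleteMessage": True,
     "ForwardTo": ['"x" [SMTP:drop@mailbox.example.net]']},
    {"Name": "To assistant", "Enabled": True,
     "RedirectTo": ['"Pat" [SMTP:pat@contoso.example]']},
    {"Name": "cleanup", "Enabled": False, "DeleteMessage": True},
]

if __name__ == "__main__":
    print(triage_mailbox(SAMPLE_RULES))
```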

Unblocking a User

After completing investigation and remediation:

  1. Reset password — Force a password change on the compromised account
  2. Enable MFA — Require multi-factor authentication
  3. Remove malicious rules — Delete any forwarding or deletion rules
  4. Revoke app consent — Remove unauthorized OAuth app permissions
  5. Unblock in portal — Remove the user from the restricted users list
  6. Monitor — Watch for recurring issues over the next 7 days

Prevention

  • Enable MFA for all users — Prevents most account compromises
  • Block external forwarding — Limits data exfiltration from compromised accounts
  • Use conditional access — Block sign-ins from risky locations
  • Monitor outbound spam alerts — Get notified when users are restricted

Best Practices

  • Investigate before unblocking — Always determine root cause before removing restrictions.
  • Reset credentials — Change password and enable MFA as standard remediation.
  • Monitor after unblocking — Watch the account for recurrence within 7 days.
  • Automate alerts — Set up email notifications when users are restricted.

API Reference

| Endpoint | Description |
| --- | --- |
| GET /api/exchange/restricted-users | List all restricted users |
| GET /api/exchange/restricted-users/:id | Get restriction details |
| POST /api/exchange/restricted-users/:id/unblock | Unblock restricted user |
| GET /api/exchange/restricted-users/history | Get restriction history |
