Learn Exchange the Guru way !!!


EOP / Office 365: Block or Allow IP Address in Connection Filtering

This post explains the steps to block or allow an IP address in Exchange Online Protection (EOP) connection filtering.

The following steps configure connection filtering:


  1. Expand “protection”, click “Connection Filter”, then click the pencil icon.

  2. Click Connection Filtering to open the screen where you add the allowed and blocked IPs. You can enable Safe Sender, which will ensure safe sender domains are not mistakenly marked as spam.

  3. Click the + sign to add an IP address or range to the allow or block list. If you type an invalid IP or subnet, you will get an error.

  4. Review the configuration, which now shows the addresses you added.

  5. Now let us enable safe sender.

Microsoft subscribes to various third-party sources of trusted senders. Selecting this check box skips spam filtering on messages sent from these senders, ensuring that they are never mistakenly marked as spam.

  6. Click Save and we are done. The change will take some time to update across the organization.


To test this rule, send an email from one of the blocked IPs and one of the allowed IPs. Email from the blocked IP should be blocked, and email from the allowed IP should be delivered.

Note: This might not work in trial mode, but it should work in production mode. If it does not work in production mode and you see the error below, please contact your Microsoft representative.

“Sorry! We couldn’t update your organization settings. Please try again. Click here for help….”

Clicking “Click here for help” opens a help page.

There is no open fix, but Microsoft is supposed to fix it internally.

The above issue was fixed by Microsoft for my customer.

Let us look at some PowerShell commands.

1. The following PowerShell command exports the connection filtering configuration:

Get-HostedConnectionFilterPolicy | select | Export-csv C:\MYDocs\AllowIP.csv


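2. The following PowerShell command allows or blocks an IP address or IP range:

Set-HostedConnectionFilterPolicy "Default" -IPAllowList <IP address or range>,<IP address or range> -IPBlockList <IP address or range>,<IP address or range>

To add and remove entries in one call:

Set-HostedConnectionFilterPolicy "Default" -IPAllowList @{Add="<IP address or range>","<IP address or range>","<IP address or range>";Remove="<IP address or range>"}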

More commands can be reviewed here.
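
An added example (not part of the original post) that checks entries before handing them to Set-HostedConnectionFilterPolicy, since a wrong IP or subnet is rejected as noted in step 3. The helper name Test-EopIpEntry and the sample addresses are hypothetical; the /24 to /32 CIDR limit is an assumption based on Microsoft's documentation, and the check covers single IPv4 addresses and CIDR ranges only.

```powershell
# Added example; run inside an Exchange Online PowerShell session
# (Connect-ExchangeOnline from the ExchangeOnlineManagement module).

function Test-EopIpEntry {
    # Hypothetical helper: $true for a single IPv4 address or an IPv4 CIDR
    # range with a /24 to /32 mask (assumed EOP limit, see lead-in).
    param([Parameter(Mandatory)][string]$Entry)

    $addr, $prefix = $Entry -split '/', 2
    $parsed = $null
    if (-not [System.Net.IPAddress]::TryParse($addr, [ref]$parsed)) { return $false }
    if ($parsed.AddressFamily -ne 'InterNetwork') { return $false }
    # TryParse accepts short forms such as "10.1"; insist on a dotted quad.
    if ($parsed.ToString() -ne $addr) { return $false }
    if ($null -eq $prefix) { return $true }
    return ($prefix -match '^\d{1,2}$') -and ([int]$prefix -ge 24) -and ([int]$prefix -le 32)
}

# Constructed sample entries from the RFC 5737 documentation ranges.
$allow = @('192.0.2.0/24', '198.51.100.7')
$block = @('203.0.113.45', '203.0.113.0/23', '198.51.100.300')  # last two are invalid

# Drop anything the check rejects, and say so.
$bad = @($allow + $block | Where-Object { -not (Test-EopIpEntry $_) })
if ($bad.Count) { Write-Warning "Skipping invalid entries: $($bad -join ', ')" }
$allow = @($allow | Where-Object { $_ -notin $bad })
$block = @($block | Where-Object { $_ -notin $bad })

# The same entry on both lists is a configuration mistake; stop before writing.
$both = @($allow | Where-Object { $_ -in $block })
if ($both.Count) { throw "Entry on both lists: $($both -join ', ')" }

# Only pass the lists that still have entries.
$params = @{ Identity = 'Default' }
if ($allow.Count) { $params.IPAllowList = @{ Add = $allow } }
if ($block.Count) { $params.IPBlockList = @{ Add = $block } }

# -WhatIf previews the change; remove it to commit.
Set-HostedConnectionFilterPolicy @params -WhatIf

# Read the policy back to confirm what is actually configured.
Get-HostedConnectionFilterPolicy -Identity Default |
    Select-Object Name, EnableSafeList, IPAllowList, IPBlockList |
    Format-List
```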

Prabhat Nigam

Microsoft MVP | Exchange Server


2 Responses to “EOP / Office 365: Block or Allow IP Address in Connection Filtering”

  1. Ahmed Says:

    Hi Team,

    We have run into an issue with mailflow in a hybrid configuration.

    The setup is we have Exchange 2013 on premise and we are moving our users to office 365. All the configurations are complete including the single sign on.

    The issue is we have moved a test user to office 365 and when we send an email to on premise user the emails get delivered just fine. When office 365 user sends an email to any external domain we receive an NDR. The configuration is centralized mail flow in the hybrid configuration wizard.

    Error :

    Diagnostic information for administrators:
    Generating server:
    Remote Server returned ‘550 Relay not permitted’
    Original message headers:

    Received: from ( by ( with Microsoft SMTP
    Server (TLS) id 15.0.944.11; Tue, 20 May 2014 08:07:42 +0000
    Received: from ([]) by ([]) with mapi id
    15.00.0944.000; Tue, 20 May 2014 08:07:42 +0000
    From: exch2
    To: “”
    Subject: test
    Thread-Topic: test
    Thread-Index: AQHPdAKSMm+5uk5YjEKJ7lNXW53nMw==
    Date: Tue, 20 May 2014 08:07:42 +0000
    Accept-Language: en-US
    Content-Language: en-US
    x-originating-ip: []
    x-forefront-prvs: 02176E2458
    x-forefront-antispam-report: SFV:NSPM;SFS:(6009001)(428001)(199002)(189002)(83072002)(77982001)(85852003)(101416001)(66066001)(19580395003)(81342001)(221733001)(87936001)(16236675002)(15975445006)(76576001)(2656002)(92566001)(4396001)(21056001)(86362001)(54356999)(33646001)(46102001)(64706001)(81542001)(77096999)(86152002)(99396002)(79102001)(50986999)(20776003)(74662001)(31966008)(83322001)(74316001)(24736002)(217283001)(220243001);DIR:OUT;SFP:;SCL:1;SRVR:AM3PR07MB0488;;FPR:;MLV:sfv;PTR:InfoNoRecords;A:1;MX:1;LANG:;
    received-spf: None (: does not designate permitted sender hosts)
    authentication-results: spf=none (sender IP is );
    Content-Type: multipart/alternative;
    MIME-Version: 1.0

  2. Prabhat Nigam Says:


    I would recommend opening a ticket with Microsoft from office 365 web page.
