This post shares a PowerShell script to move anti-spam policy allow and block entries to your Tenant Allow/Block List (TABL) in Microsoft Defender. Managing these entries in the TABL applies the rules consistently across your tenant: instead of applying only to email, they will also begin to apply to SharePoint/OneDrive and Teams. For organizations managing multiple tenants during IT Services Mergers and Acquisitions, centralizing these configurations through TABL helps maintain consistency, security, and compliance across environments.
You likely have many entries in your anti-spam policies, so this blog provides a script at the end that will automatically copy all the entries from the anti-spam policy to the TABL and then delete the entries from the anti-spam policy.
To run the script, you will need:
- The ExchangeOnlineManagement PowerShell module. This script was written using version 3.9.0, so it should work on that version or any later version.
- The account that connects to Exchange within the script needs either:
  - Global Administrator OR
  - Security Administrator + Exchange Administrator (least privilege)
Benefits of Tenant Allow/Block List
The TABL provides a centralized, tenant‑wide way to override the filtering applied by Microsoft Defender. This ensures consistent handling of email, URLs, files, and domains across your tenant. Your anti-spam policy will only apply to email. The TABL also works with Teams, Office apps, and Defender XDR scenarios. For example, blocked domains in TABL can prevent Teams chats or meetings from blocked domains.
Within TABL, you can also set entries to expire after a defined period, such as 45 days. This helps keep the list clean by automatically removing entries that are no longer in use. This is especially helpful with allow entries where you wouldn’t want that door to be open forever.
Finally, the TABL can have thousands of entries (up to 15,000 with Defender for Office 365 Plan 2), whereas standard policy lists can only contain 1,000 entries.
Script Overview
Settings and Exchange Connection
To begin, the script asks you for a few things:
- $PolicyName: This is the policy you want to migrate. If your rules are all in the default policy, just leave this set to Default. If they are in a custom policy, provide the name of the policy here. The script can be executed against one policy at a time.
- $Commit: Running this as false provides a what-if. You can make sure that it’s grabbing all your entries prior to executing the script. When you’re ready, change this to true and re-run the script.
- $AllowExpiryMode: This switch controls whether to auto-expire the entries or not. Set to NoExpiration or RemoveAfter45Days depending on your requirements. As of writing, the only option for automatic expiration is 45 days, so the number of days is not customizable.
- $ExportCsv: Specify the path and name of the export file of your anti-spam allow/block list.
- $LogFile: Specify the path and name of the log file for the rule migration.
Next, the script connects to Exchange Online. As written, the script will connect interactively and prompt you to log in. You can connect with an app registration if you’d like, though that is out of scope for this blog.
Download the Tenant Allow/Block List Migration Script
Get, Export, and Format Anti-Spam Allow/Block List
The next sections get the current list from your anti-spam policy and export a copy to the CSV file, which serves as a backup in case something goes wrong with the script. This section then normalizes the list to make sure the entries can be successfully added to the TABL. It also grabs your existing TABL and removes any entries that already exist there, so duplicates are not added.
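The following is an added example of this get, normalize and de-duplicate step, not the downloadable script itself; it only builds a plan and changes nothing in the tenant. The function name Get-TablMigrationPlan, the normalization rules (trim, lower-case, drop blanks) and the sample addresses are assumptions made for illustration.

```powershell
# Added example (not the blog's script): plan the migration without changing anything.
function Get-TablMigrationPlan {
    param(
        [Parameter(Mandatory)] $Policy,    # shaped like Get-HostedContentFilterPolicy output
        [object[]] $ExistingTabl = @()     # shaped like Get-TenantAllowBlockListItems output
    )
    # Anti-spam policy list property -> TABL action for the migrated entry.
    $map = [ordered]@{
        AllowedSenders       = 'Allow'
        AllowedSenderDomains = 'Allow'
        BlockedSenders       = 'Block'
        BlockedSenderDomains = 'Block'
    }
    # Index what is already in the TABL as "action|value" for duplicate checks.
    $seen = [System.Collections.Generic.HashSet[string]]::new(
        [System.StringComparer]::OrdinalIgnoreCase)
    foreach ($item in $ExistingTabl) {
        [void]$seen.Add(('{0}|{1}' -f $item.Action, "$($item.Value)".Trim()))
    }
    foreach ($prop in $map.Keys) {
        foreach ($raw in @($Policy.$prop)) {
            # Assumption: each policy entry stringifies to its address or domain.
            $value = "$raw".Trim().ToLowerInvariant()
            if (-not $value) { continue }   # skip blank entries
            # Add() returns $false for entries already in the TABL or seen earlier in the policy.
            $status = if ($seen.Add(('{0}|{1}' -f $map[$prop], $value))) { 'ToAdd' } else { 'Duplicate' }
            [pscustomobject]@{ Source = $prop; Action = $map[$prop]; Value = $value; Status = $status }
        }
    }
}

# Constructed sample data. In a live session these would come from:
#   $policy   = Get-HostedContentFilterPolicy -Identity Default
#   $existing = Get-TenantAllowBlockListItems -ListType Sender
$policy = [pscustomobject]@{
    AllowedSenders       = @('Billing@Partner.example ', 'billing@partner.example')
    AllowedSenderDomains = @('partner.example')
    BlockedSenders       = @('promo@bulk.example')
    BlockedSenderDomains = @('bulk.example', '')
}
$existing = @([pscustomobject]@{ Action = 'Block'; Value = 'bulk.example' })

$plan = Get-TablMigrationPlan -Policy $policy -ExistingTabl $existing
# Keep a CSV record of every entry and its source list before anything is changed.
$plan | Export-Csv -Path (Join-Path ([IO.Path]::GetTempPath()) 'antispam-plan.csv') -NoTypeInformation
$plan | Where-Object Status -eq 'ToAdd' | Format-Table Action, Value, Source
```

With the sample data, three entries are marked ToAdd, while the second copy of the billing address and the bulk.example domain already present in the TABL are marked Duplicate.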
Add to TABL
The next section takes the normalized list and adds it to the TABL. For allows, it uses the expiration setting from above. For blocks, it makes the block permanent. You should have further discussions with your IT Security Team regarding expiration for block entries; they might have some thoughts.
All actions from this section are logged to the file you specified, including whether the rule was added successfully or not.
Remove from Anti-Spam Policy
Finally, the script removes the entries from your anti-spam policy. If you do not want to do this, simply comment out this entire section. If you want to come back and run this later, you’ll need to import the CSV file that was generated.
Final Thoughts
Migrating Allow/Block List entries to the Tenant Allow/Block List streamlines security management across Microsoft 365 services and aligns with Microsoft’s best practices. The provided script automates this process, ensuring consistency and scalability while offering backup and logging for safety.
For organizations managing multiple tenants during IT Services Mergers and Acquisitions, centralizing these policies is especially important for maintaining unified security controls and preventing misconfigurations across environments.
Before committing changes, test thoroughly and coordinate with your security team for optimal results.