Is it possible to create tenant level allow/block in Microsoft 365 via Graph API?

Chan, Alan 20 Reputation points
2024-09-18T22:10:56.57+00:00

There is a method via Powershell that requires the Exchange.Manage permission and Exchange Administrator assigned role on a Service Principal. This method requires to connect to Exchange Online first and then running the New-TenantAllowBlockListItems cmdlet.

Is there a way to do this via Graph API? I see there is documentation for tenantAllowOrBlockListAction in beta, but at first glance I don't see the endpoint in Graph Explorer.

Microsoft 365
Microsoft 365
Formerly Office 365, is a line of subscription services offered by Microsoft which adds to and includes the Microsoft Office product line.
5,124 questions
Microsoft Exchange Online
Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
12,273 questions
PowerShell
PowerShell
A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language.
2,595 questions
Accepted answer
  1. Vasil Michev 108.1K Reputation points MVP
    2024-09-19T06:16:06.8966667+00:00

    No, not yet at least. For the time being the only supported method for managing the TABL programmatically is via the above PowerShell cmdlet and its siblings.

    0 comments

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Neuvi Jiang 1,460 Reputation points Microsoft Vendor
    2024-09-19T07:58:45.9766667+00:00

    Hi Chan, Alan,

    Thank you for posting in the Q&A Forums.

    You can use the Microsoft Graph API to read, create, update, and delete antispam policies that control email filtering behavior, including blocking and allowing based on specific conditions such as sender, recipient, subject, and so on.

    The following are general steps for managing antispam policies through the Microsoft Graph API:

    Obtain an access token: First, you need to obtain an access token through Azure AD that will be used for subsequent Graph API requests.

    List Anti-Spam Policies: You can use the Graph API to list all current anti-spam policies to see which policies already exist and their configurations.

    Create or Update Anti-Spam Policies: Depending on your needs, create new anti-spam policies or update existing policies to add or modify block and allow lists. This usually involves setting various properties of the policy, such as isEnabled, priority, mode (e.g., enable or testOnly), and conditions and actions.

    Applying changes: Once you have created a policy or made changes to it, these changes are automatically applied to your Exchange Online environment.

    Example

    While I can't provide a complete example code (as it would involve multiple API calls and complex JSON loads), I can provide a conceptual example of a Graph API request for querying an anti-spam policy:

    GET https://graph.microsoft.com/v1.0/security/antispamPolicies

    Content-Type: application/json

    Authorization: Bearer {access_token}

    Cautions

    Make sure that your application or service account has sufficient permissions to perform these actions. This typically means having the appropriate Azure AD role and Exchange Online administrative privileges.

    Given the constant updates and changes to the Graph API, it is recommended that you consult the latest Microsoft Graph documentation for the latest information and examples.

    For complex requirements, such as needing precise control over entries in block and allow lists, you may need to write more sophisticated logic to ensure that the policies implemented through the API match your business needs.

    Best regards

    NeuviJ

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.