MC927962: Microsoft Defender for Office 365: New limits for the email remediation service

Announcement ID: MC927962
Published Date: 11-07-2024
Service: Microsoft 365 Defender
Last Updated: 11-07-2024
Category: Plan for change
Expiration Date: 03-31-2025
Roadmap ID:
Action Required by Date:
Tags: Admin impact, Feature update, User impact


Summary
Microsoft Defender for Office 365 introduces new limits for email remediation to maintain system stability. Key changes include a tenant-level limit of 50 concurrent remediations, an email count limit of 1 million, and specific recipient percentage requirements. Rollout begins late November 2024, with no admin action needed.


More Information

Email remediation is an existing feature in Microsoft Defender for Office 365. With this rollout, we are introducing new limits for remediation actions, to ensure system stability and optimal performance. This change aims to prevent scenarios where large-scale remediation efforts affect other users and degrade system performance.

Key changes

  • Tenant-level limit on concurrent remediations: If the total number of active concurrent remediations is 50, no new remediation can be triggered until some actions are completed.
  • Email count limit: If an active remediation involves 1 million emails, no new email remediations will be allowed.
  • Email remediations for specific recipients:
    • Ensure that the total percentage of recipients in the email selection is at least 40% of the total email count in a remediation.
    • If the recipient count is less than 40%, ensure that the email percentage per recipient does not exceed 20% of the total emails submitted.

Note: If these limits are not met, the remediation request will be blocked, and an error message will prompt the admin to distribute the load.
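
A pre-flight check an admin could run over an exported selection before submitting it, added here as an example (not Microsoft's code or enforcement logic). It assumes the recipient rules mean distinct recipients divided by selected emails, and the busiest recipient's share of the selection; the function name, parameters and sample addresses are constructed.

```python
from collections import Counter

# Thresholds quoted in the announcement.
MAX_CONCURRENT = 50              # active remediations per tenant
MAX_EMAILS = 1_000_000           # emails in one active remediation
MIN_RECIPIENT_RATIO = 0.40       # distinct recipients / selected emails (assumed reading)
MAX_SHARE_PER_RECIPIENT = 0.20   # one recipient's share of the selection (assumed reading)


def preflight(recipients, active_remediations=0, largest_active_email_count=0):
    """Return the reasons a selection would likely be blocked (empty list = OK).

    recipients: one recipient address per selected email.
    active_remediations / largest_active_email_count: current tenant state,
    supplied by the caller (hypothetical parameters, not an API).
    """
    total = len(recipients)
    if total == 0:
        return ["empty-selection"]

    problems = []
    if active_remediations >= MAX_CONCURRENT:
        problems.append("concurrent-limit")
    if largest_active_email_count >= MAX_EMAILS:
        problems.append("email-count-limit")

    # Normalise addresses so "A@x" and "a@x " count as one recipient.
    per_recipient = Counter(r.strip().lower() for r in recipients)
    if len(per_recipient) / total < MIN_RECIPIENT_RATIO:
        # Too few distinct recipients: the fallback rule caps any single
        # recipient at 20% of the emails submitted.
        top, count = per_recipient.most_common(1)[0]
        if count / total > MAX_SHARE_PER_RECIPIENT:
            problems.append(f"recipient-skew:{top}")
    return problems


# Constructed sample selections (example.com addresses are placeholders).
BALANCED = [f"user{i % 5}@example.com" for i in range(10)]        # 5 recipients, 10 emails
SKEWED = ["ceo@example.com"] * 8 + ["a@example.com", "b@example.com"]
EVEN_LOW = [f"user{i % 5}@example.com" for i in range(20)]        # 25% ratio, 20% each

if __name__ == "__main__":
    for name, batch in (("balanced", BALANCED), ("skewed", SKEWED), ("even_low", EVEN_LOW)):
        print(name, preflight(batch) or "ok")
```

A skewed selection is the case the announcement's "distribute the load" error addresses: split it so no single mailbox dominates a batch.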

When this will happen:

General Availability (Worldwide): We will begin rolling out late November 2024 and expect to complete by late January 2024.

How this will affect your organization:

If you as an admin have investigated using Explorer (Threat Explorer), an email entity, Advanced Hunting, or the Automated Investigations and Response (AIR) pending queue, and have selected entities to remediate, then you can create a remediation:

  1. Go to Defender for Office 365 > Email & collaboration > Threat Explorer (or other pages that display Pending actions).
  2. Select an entity and choose the Move or Delete action.
  3. Select any action, and then go to the Choose target entities page, configure the Name and Description, and then select Next.
  4. On the Review and submit page, review your previous selections. On this last step, an error message will display if any criteria described in this message are not met.

The new limits will be on by default.

What you need to do to prepare:

This rollout will happen automatically by the specified date with no admin action required before or after the rollout. Review your current configuration to determine the impact for your organization. You may want to notify your admins about this change and update any relevant documentation.
