
How can we improve compliance or protect your users better in Office 365?

Change Exchange Online recipient limit

Need to change Exchange Online recipient limits. The default value is 500 and can't be modified.
In this case, users are able to send bulk/spam messages by selecting the entire global address list.

1,305 votes
Bruno Leonardo shared this idea
thinking about it  ·  O365 Compliance and Protection Feedback responded

Thank you for the feedback. Most of the comments here reflect a desire to be able to LOWER the recipient limit for a specific user. This is something we will consider as priorities allow. If you’re voting or commenting — we would be curious if this is driven more by account compromises or just user behavior (e.g., don’t have permissions to send to the DL, so the user just expands the DL)?

For issues with compromised accounts, we want you to be aware that we take this issue seriously and have been working on that problem from many angles. That said, we believe that limiting the number of recipients per email will not stop or even slow the bad guys significantly. Instead, we encourage you to visit https://securescore.office.com/ and implement best practices to protect your organization.

For any comments regarding other issues with limits or throttling (e.g., increasing a limit), please start NEW items and please be clear what the scenario is that you need to support and why. Limits are a necessary piece of any email service, but we don’t want them to be obtrusive and block valid business scenarios.

99 comments

  • Ahmad Abdulaziz Athar commented

    The recipient limit control is necessary for organizations to set the number as needed. Every organization has their custom requirements which we are used to in the On-Prem environment. Missing out these controls post Office 365 migration is not acceptable.

    Hope Microsoft does the needful soon

  • R M commented

    500 a minute? Great googly moogly! We need to be able to reduce this drastically down to like 10!

  • Sanjeev Kumar Sharma commented

    We are using Exchange Online Plan 1 and want to limit the number of recipients to 25. However, the option is available for 500 users and doesn't get changed. Please provide some solution to the same.

  • rob commented

    We have the same desire as many other firms; a 20-30 recipient limit would be great for us. Not for cyber sec directly but more for bulk list access control purposes.

  • Umair Shaikh commented

    We have continuing problems with staff sending bulk emails with all recipient addresses v. Providing administrators with the option to limit the number of recipients would at least contain the problem to manageable proportions.

  • Deepika Sharma commented

    One of our clients needs to change the default limit of 500 to 30 for their organization. They would like to reduce the potential impact of outbound spam through their email accounts.

  • Jasim Algannas commented

    We've a requirement to set max recipient size to certain users with certain limits for all O365 users in the organization, while assigning exceptions (500) for certain users? Is this achievable? We used to do the same in on-premises Exchange and now we have a hybrid setup with Exchange 2016 & O365. This is very important to our organization (Kingdom of Bahrain Parliament) to reduce unwanted emails from non-critical users.

  • Jose Sisto commented

    This is one of the biggest security flaws Exchange has and all of us have been waiting for a long time. Is MS helping hackers and enemies?

  • Anonymous commented

    I want to reduce the number of internal emails sent. We set up moderation on distribution groups but this doesn't stop users selecting everyone in their address book. I don't want a million emails being replied to daily about cakes for someone's birthday or it is my last day, good bye! Put a note on a noticeboard!
    The issue is that when people reply from phones, it defaults to "reply all" and we all hear the replies and these can go on for a few hours and mount up to thousands of emails to be deleted or filtered through. Allow us to choose the maximum. I would say anything more than 10 goes to moderation.

  • Joel commented

    At the very least if the number of external recipients exceeds an administrator setting the email should be held for review.

  • Anonymous commented

    I need the option to lower the number of recipients due to user behaviour - it's to help stop my users from creating mail-merges to many external users when they should be using third party software for this.

  • Mike Youing commented

    We used this feature to limit the recipients for several reasons and now that is not available to the accounts we migrated to O365. This is causing several issues that our executive team does not like. Run to the cloud, it's great, but we are taking things away. Sorry that is no longer available is not something that executives like to hear.

  • Colin Slater commented

    I often have a requirement to limit the recipients to cc and bcc for enthusiastic users that don't realise the implications of blasting out emails.

    It is very strange that in EAC editing a user mailbox->Mailbox Features->Mail Flow. The option to limit the recipient numbers is there but it is greyed out?

    I don't understand the comments in the Admin reply saying "we have been working on this from many angles". The option is available it is disabled. Why

  • Anonymous commented

    We need to be able to set the Recipient Limit right down to, say, 20-30 to prevent hacked accounts spamming large numbers of external users. This seems an obvious security measure and, if it were coupled with the ability to give certain users higher limits, this would surely lessen the impact on phished/hacked accounts on Microsoft. Even the ability to send an Alert when an email is sent to large (definable) numbers of recipients would be good but I can't even find that in the Security Centre.

  • Jeremy Bradshaw commented

    My comment is in response to the "Thinking About It" update. This feature is good for situations where you need to mail/mailbox-enable an account (for whatever reason, there are valid reasons), but you don't want that account to be used for sending emails. This could easily be accomplished in the past using the MaxRecipients property on on-premises mailboxes.
