Change Exchange Online recipient limit
Need to change Exchange online Recipient Limits. The default value is 500 and can't be modified.
In this case, users are able to send bulk\Spam messages by selecting entire global address list.
Thank you for the feedback. Most of the comments here reflect a desire to be able to LOWER the recipient limit for a specific user. This is something we will consider as priorities allow. If you’re voting or commenting — we would be curious if this is driven more by account compromises or just user behavior (e.g., don’t have permissions to send to the DL, so the user just expands the DL)?
For issues with compromised accounts, we want you to be aware that we take this issue seriously and have been working on that problem from many angles. That said, we believe that limiting the number of recipients per email will not stop or even slow the bad guys significantly. Instead, we encourage you to visit https://securescore.office.com/ and implement best practices to protect your organization.
For any comments regarding other issues with limits or throttling (e.g., increasing a limit), please start NEW items and please be clear what the scenario is that you need to support and why. Limits are a necessary piece of any email service, but we don’t want them to be obtrusive and block valid business scenarios.
Ahmad Abdulaziz Athar commented
The recipient limit control is necessary for organizations to set the number as needed. Every organization has their custom requirements which we are used to in the On-Prem environment. Missing out these controls post Office 365 migration is not acceptable.
Hope Microsoft does the needful soon
R M commented
500 a minute? Great googly moogly! We need to be able to reduce this drastically down to like 10!
Sanjeev Kumar Sharma commented
We are using Exchange Online Plan 1 and want to limit the number of recipients to 25. However, the option is available for 500 users and doesn't get change. Please provide some solution to the same.
Orin Eisenhauer commented
Would like to be able to restrict the number of emails to restrict bulk email.
We have the same desire as many other firms; a 20-30 recipient limit would be great for us. Not for cyber sec directly but more for bulk list access control purposes.
Jeremy Brinkman commented
We would also like to reduce this limit from 500 down to 20-30 for certain user populations.
Umair Shaikh commented
We have continuing problems with staff sending bulk emails with all recipient addresses v. Providing administrators with the option to limit the number of recipients would at least contain the problem to manageable proportions.
Umair Shaikh commented
We would like to change the default limit of 500 to 30 for our organization.
Deepika Sharma commented
One of our clients need to change the default limit of 500 to 30 for their organization. They would like to reduce the potential impact of outbound spam through their email accounts.
Lenore Charest commented
We would like to change the default limit of 500 to 99 for our organization.
Jasim Algannas commented
We've a requirement to set max recipient size to certain users with certain limits for all 0365 users in the organization, while assigning exceptions (500) for certain users? Is this achievable? We used to do same in on premise exchange and now we have hybrid setup with Exchange 2016 & 0365.” This is very important to our organization (Kingdom of Bahrain Parliament) to reduce unwanted emails from non critical users.
Jose Sisto commented
This is one of the biggest security flaws Exchange have and all of us have been waiting for long time. Is MS helping hackers and enemies?
I want to reduce the number of internal emails sent. We set up moderation on distribution groups but this doesn't stop users selecting everyone in their address book. I don't want a million emails being replied to daily about cakes for someones birthday or it is my last day, good bye! Put a note on a noticeboard!
The issue is that when people reply from phones, it defaults to "reply all" and we all hear the replies and these can go on for a few hours and mount up to thousands of emails to be deleted or filtered through. Allow us to choose the maximum. I would say anything more than 10 goes to moderation.
At the very least if the number of external recipients exceeds an administrator setting the email should be held for review.
I need the option to lower the number of recipients due to user behaviour - it's to help stop my users from creating mail-merges to many external users when they should be using third party software for this.
Mike Youing commented
We used this feature to limit the recipients for several reasons and now that is not available to the accounts we migrated to O365. This is causing several issues that our executive team does not like. Run to the cloud, its great, but we are taking things away. Sorry that is no longer available is not something that executives like to hear.
Colin Slater commented
I often have a requirement to limit the recipients to cc and bcc for enthusiastic users that don't realise the implications of blasting out emails.
It is very strange that in EAC editting a user mailbox->Mailbox Features->Mail Flow. The option to limit the recipient numbers is there but it is greyed out?
I dont understand the comments in the Admin reply saying "we have been working on this from many angles". The option is available it is disabled. Why
There exists an add-in for Outlook named RestrictExtRecips
We need to be able to set the Recipient Limit right down to, say, 20-30 to prevent hacked accounts spamming large numbers of external users. This seems an obvious security measure and, if it were coupled with the ability to give certain users higher limits, this would surely lessen the impact on phished/hacked accounts on Microsoft. Even the ability to send an Alert when an email is sent to large (definable) numbers of recipients would be good but i can't even find that in the Security Centre.
Jeremy Bradshaw commented
My comment is in response to the "Thinking About It" update. This feature is good for situations where you need to mail/mailbox-enable an account (for whatever reason, there are valid reasons), but you don't want that account to be used for sending emails. This could easily be accomplished in the past using the MaxRecipients property on on-premises mailboxes.