Set up a custom blocked URLs list using Office 365 ATP Safe Links

With Office 365 Advanced Threat Protection, your organization can have a custom list of website addresses (URLs) that are blocked. When a URL is blocked, users who click on links to the blocked URL are taken to a warning page that lets them know that URL is blocked. The blocked URLs list is defined by Office 365 global administrators or security administrators, and that list applies to everyone in the organization who has been assigned an Advanced Threat Protection license.

Read this article to learn how to set up your organization's custom blocked URLs list for ATP Safe Links in Office 365.

Note: The ATP Safe Links features are only available in Advanced Threat Protection, which is available in Office 365 Enterprise E5. If your organization is using another Office 365 Enterprise subscription, Advanced Threat Protection can be purchased as an add-on. (As a global admin, in the Office 365 admin center, choose Billing > Add subscriptions.) For more information, see Office 365 Platform Service Description: Office 365 Security & Compliance Center and Buy or edit an add-on for Office 365 for business.
Make sure your organization is using the latest version of Office 365 ProPlus on Windows to take advantage of the extended ATP Safe Links features.

What's new?

  • URL lists for ATP Safe Links policies can support up to three wildcard asterisks (*).

  • Wildcards (*) are assumed for entries such as This means an entry, such as is similar to ** for your list of blocked URLs. (More details are included below.)

View or edit a custom list of blocked URLs

ATP Safe Links in Office 365 uses several lists, including your organization's custom blocked URLs list. If you are an Office 365 global administrator or security administrator, you can set up your custom list. You do this while you view or edit your organization's default Safe Links policy.

  1. Go to and sign in with your work or school account.

  2. In the left navigation, under Threat management, choose Policy > Safe Links.

  3. In the Policies that apply to the entire organization section, select Default, and then choose Edit (the Edit button resembles a pencil).

    This is where you go to view your list of blocked URLs. Note that at first, you won't have any URLs listed.

    The Blocked URLs list is in the default Safe Links policy that applies to your entire organization.
  4. Select the Enter a valid URL box, and then type a URL, and then choose the plus sign (+). Here are a few things to keep in mind:

    • You can specify a domain-only URL (like or This will block clicks on any URL that contains the domain.

    • Do not include a forward slash (/) at the end of the URL. For example, instead of entering, enter

    • You can include up to three wildcard asterisks (*) per URL. The following table lists some examples of what you can enter and what effect those entries have.

      Example Entry

      What It Does or **

      Blocks the domain, subdomains, and paths, such as,, and

      Blocks a site but not additional subpaths like*

      Blocks a site and additional subpaths like

  5. When you are finished adding URLs, in the lower right corner of the screen, choose Save.
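The entry rules in step 4 can be checked locally before a list is typed into the policy. The following is an added example, not Microsoft's code or matching engine: it models only the rules stated on this page (at most three asterisks, no trailing slash, implied wildcards around a domain-only entry), and the function names and `example.*` entries are constructed for illustration.

```python
import re

MAX_WILDCARDS = 3  # limit stated on this page

# Constructed sample entries (not from the original page).
SAMPLE_ENTRIES = ["example.com", "http://example.org/a", "http://example.net/a*"]


def lint_entry(entry):
    """Return a list of problems with a blocked-URL entry (empty list = OK)."""
    problems = []
    if entry.count("*") > MAX_WILDCARDS:
        problems.append("more than three wildcard asterisks")
    if entry.endswith("/"):
        problems.append("trailing forward slash")
    if not entry or any(c.isspace() for c in entry):
        problems.append("empty or contains whitespace")
    return problems


def is_domain_only(entry):
    """True for entries with no scheme, path or wildcard, such as 'example.com'."""
    return "://" not in entry and "/" not in entry and "*" not in entry


def to_regex(entry):
    """Translate an entry into a regex under this page's stated rules.

    Assumption: a domain-only entry behaves as if wrapped in wildcards;
    any other entry must match the whole URL, with * matching any run
    of characters.
    """
    if is_domain_only(entry):
        entry = "*" + entry + "*"
    pattern = ".*".join(re.escape(part) for part in entry.split("*"))
    return re.compile(pattern, re.IGNORECASE)


def is_blocked(url, entries):
    """True if the URL matches any entry that passes lint_entry()."""
    return any(to_regex(e).fullmatch(url) for e in entries if not lint_entry(e))


if __name__ == "__main__":
    for url in ("https://sub.example.com/abc", "http://example.org/a/b"):
        print(url, "->", "blocked" if is_blocked(url, SAMPLE_ENTRIES) else "allowed")
```

In this model a domain-only entry is a substring match, so `example.com` also matches a URL on `notexample.com`; review domain-only entries for that kind of over-blocking before saving.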

What if I want to define exceptions for certain users in my organization?

If you want certain groups to be able to view URLs that might be blocked for others, you can specify an ATP Safe Links policy that applies to specific recipients. See Set up a custom "do not rewrite" URLs list using ATP Safe Links.

Related topics

Office 365 Advanced Threat Protection
ATP Safe Links in Office 365
Set up ATP Safe Links policies in Office 365
ATP Safe Attachments in Office 365
