With Office 365 Advanced Threat Protection (ATP), your organization can have a custom list of website addresses (URLs) that are blocked. When a URL is blocked, people who click on links to the blocked URL are taken to a warning page that resembles the following image:
The blocked URLs list is defined by your organization's Office 365 security team, and that list applies to everyone in the organization who is covered by Office 365 ATP Safe Links policies.
Read this article to learn how to set up your organization's custom blocked URLs list for ATP Safe Links in Office 365.
The ATP Safe Links features are only available in Office 365 ATP, which is included in subscriptions, such as Office 365 Enterprise E5 and Office 365 Education A5, and, as of April 30, 2018, also Microsoft 365 Business. If your organization has an Office 365 subscription that does not include Office 365 ATP, you can potentially purchase ATP as an add-on. For more information, see Office 365 Advanced Threat Protection Service Description.
Make sure your organization is using the latest version of Office 365 ProPlus on Windows to take advantage of extended ATP Safe Links features.
View or edit a custom list of blocked URLs
ATP Safe Links in Office 365 uses several lists, including your organization's custom blocked URLs list. If you have the necessary permissions assigned in the Office 365 Security & Compliance Center, you can set up your organization's custom list. You do this by editing your organization's default Safe Links policy.
Go to https://protection.office.com and sign in with your work or school account.
In the left navigation, under Threat management, choose Policy > Safe Links.
In the Policies that apply to the entire organization section, select Default, and then choose Edit (the Edit button resembles a pencil).
This is where you go to view your list of blocked URLs. Note that at first, you won't have any URLs listed.
Select the Enter a valid URL box, and then type a URL, and then choose the plus sign (+). Here are a few things to keep in mind:
You can specify a domain-only URL (like contoso.com or tailspintoys.com). This will block clicks on any URL that contains the domain.
Do not include a forward slash (/) at the end of the URL. For example, instead of entering http://www.contoso.com/, enter http://www.contoso.com.
You can include up to three wildcard asterisks (*) per URL. The following table lists some examples of what you can enter and what effect those entries have.
What It Does
contoso.com or *contoso.com*
Blocks the domain, subdomains, and paths, such as https://www.contoso.com, http://sub.contoso.com, and http://contoso.com/abc
Blocks a site http://contoso.com/a but not additional subpaths like http://contoso.com/a/b
Blocks a site http://contoso.com/a and additional subpaths like http://contoso.com/a/b
When you are finished adding URLs, in the lower right corner of the screen, choose Save.
What if I want to define exceptions for certain users in my organization?
If you want certain groups to be able to view URLs that might be blocked for others, you can specify an ATP Safe Links policy that applies to specific recipients. See Set up a custom "do not rewrite" URLs list using ATP Safe Links.