Purpose:

The purpose of this document is to outline the process for allowing a trusted external domain to bypass the [EXTERNAL] tagging in Microsoft Exchange Online. This ensures that important messages from trusted partners, vendors, or services are not unnecessarily marked as external, improving user experience while maintaining security awareness for other domains.

Scope:

This procedure applies to the Microsoft 365 Exchange Online environment used by Keeley Companies. It must only be followed for verified trusted domains that require bypass of the external tagging feature.

Prerequisites:

  • Administrative access to Exchange Online (Global Admin or Exchange Admin role).
  • PowerShell access to Microsoft Exchange Online.
  • Verified business justification and approval from the Cybersecurity Team and the CISO.
  • Documented risk assessment for allowing the domain.




Steps

1. Connect to Exchange Online PowerShell

Connect-ExchangeOnline -UserPrincipalName <admin-upn>

2. Append the Trusted Domain to the Bypass List

Use the following command to append a new domain to the allowed list. This ensures existing entries are preserved.

Set-ExternalInOutlook -AllowList @{Add="trustedpartner.com"}

Note: Replace trustedpartner.com with the domain you are allowing.

3. Verify the Configuration

Check that the domain has been added to the list without overwriting existing entries:

Get-ExternalInOutlook | Select-Object -ExpandProperty AllowList

4. Document the Change

  • Record the change in Freshservice under Change Management.
  • Include:
    • The domain name added.
    • The business justification.
    • Approval references.
    • Testing and verification results.

5. Testing

  • Send a test email from the trusted domain to verify that the [EXTERNAL] tag is no longer applied.
  • Confirm with the Help Desk that user mailboxes reflect the update.
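
The following PowerShell function is an added example, not part of the original procedure or of Microsoft's tooling. It wraps steps 2 to 4 so that the add is validated, the list is compared before and after, and the evidence for the change record comes back as one object. The function name Add-TaggingBypassDomain, its parameters and the CHG-0000 ticket id are assumptions for illustration.

```powershell
# Added example. Assumes step 1 (Connect-ExchangeOnline) has already been run.
# Add-TaggingBypassDomain is a hypothetical helper name, not a Microsoft cmdlet.
function Add-TaggingBypassDomain {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$ChangeTicket   # Freshservice change reference
    )

    # This procedure covers whole domains only: reject wildcards, user@domain
    # addresses, embedded whitespace and anything else that is not a DNS name.
    $Domain = $Domain.Trim().ToLowerInvariant()
    $dnsName = '^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z][a-z0-9-]{0,61}[a-z0-9]$'
    if ($Domain -notmatch $dnsName) { throw "'$Domain' is not a plain domain name." }

    $config = Get-ExternalInOutlook
    if (-not $config.Enabled) { Write-Warning 'External tagging is currently disabled.' }

    # Snapshot the list before the change; drop nulls so an empty list has Count 0.
    $before = @($config.AllowList | Where-Object { $_ })
    if ($before -contains $Domain) {
        Write-Warning "$Domain is already on the bypass list; nothing changed."
        return
    }

    # Honors -WhatIf / -Confirm so the change can be rehearsed first.
    if (-not $PSCmdlet.ShouldProcess($Domain, 'Add to ExternalInOutlook AllowList')) { return }
    Set-ExternalInOutlook -AllowList @{Add = $Domain}

    # Step 3: re-read and confirm the only difference is the one new entry.
    $after   = @((Get-ExternalInOutlook).AllowList | Where-Object { $_ })
    $added   = @($after  | Where-Object { $before -notcontains $_ })
    $removed = @($before | Where-Object { $after  -notcontains $_ })

    # Step 4: one object holding the evidence to paste into the change record.
    [pscustomobject]@{
        ChangeTicket = $ChangeTicket
        Domain       = $Domain
        TimestampUtc = (Get-Date).ToUniversalTime().ToString('u')
        Before       = $before -join '; '
        After        = $after -join '; '
        Verified     = ($added.Count -eq 1 -and $added[0] -eq $Domain -and $removed.Count -eq 0)
    }
}

# Rehearse first, then run for real ('CHG-0000' is a placeholder ticket id):
# Add-TaggingBypassDomain -Domain 'trustedpartner.com' -ChangeTicket 'CHG-0000' -WhatIf
```

A Verified value of False means the list changed in some way other than the single expected addition and should be investigated before the change is closed.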

Rollback Plan

If issues arise or the domain must no longer bypass external tagging, remove it using:

Set-ExternalInOutlook -AllowList @{Remove="trustedpartner.com"}

Security Considerations

  • Only domains that have been formally reviewed and approved should be added.
  • Overuse of this bypass may reduce the effectiveness of external tagging.
  • Review the bypass list quarterly to confirm continued necessity.