45 days after last used date

Adding details about 45 days after last used date

Author: dhairyya

defender-office-365/tenant-allow-block-list-about.md

@@ -96,7 +96,7 @@ The following list describes what happens in the Tenant Allow/Block List when yo
   - If the message was blocked for any other reason, an allow entry for the sender email address or domain is created, and the entry appears on the **Domains & addresses** tab in the Tenant Allow/Block List.
   - If the message wasn't blocked due to filtering, no allow entries are created anywhere.
 
-By default, allow entries for domains and email addresses, files, and URLs exist for 30 days. During those 30 days, Microsoft learns from the allow entries and [removes them or automatically extends them](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/automatic-tenant-allow-block-list-expiration-management-is-now/ba-p/3723447). After Microsoft learns from the removed allow entries, messages that contain those entities are delivered, unless something else in the message is detected as malicious. By default, allow entries for spoofed senders never expire.
+By default, allow entries for domains and email addresses, files, and URLs exist for 45 days after last used date. Whenever the entity is encountered during mailflow or time of click and the entity has not been learned to be clean by the filtering, the allow entry will kick in and in the real time the last used date will be updated. So the 45 day after last used date will keep the allow entry for 45 days after the filtering system has learned the entity to be clean and you will have full visibility into it.  By default, allow entries for spoofed senders never expire.
 
 > [!IMPORTANT]
 > Microsoft doesn't allow you to create allow entries directly. Unnecessary allow entries expose your organization to malicious email that could have been filtered by the system.

defender-office-365/tenant-allow-block-list-email-spoof-configure.md

@@ -82,7 +82,7 @@ Instead, you use the **Emails** tab on the **Submissions** page at <https://secu
 >
 > When the entity in the allow entry is encountered again (during mail flow or at time of click), all filters associated with that entity are overridden.
 >
-> By default, allow entries for domains and email addresses exist for 30 days. During those 30 days, Microsoft learns from the allow entries and [removes them or automatically extends them](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/automatic-tenant-allow-block-list-expiration-management-is-now/ba-p/3723447). After Microsoft learns from the removed allow entries, messages that contain those entities are delivered, unless something else in the message is detected as malicious.
+> By default, allow entries for domains and email addresses, files, and URLs exist for 45 days after last used date. Whenever the entity is encountered during mailflow or time of click and the entity has not been learned to be clean by the filtering, the allow entry will kick in and in the real time the last used date will be updated. So the 45 day after last used date will keep the allow entry for 45 days after the filtering system has learned the entity to be clean and you will have full visibility into it. 
 >
 > During mail flow, if messages containing the allowed entity pass other checks in the filtering stack, the messages will be delivered. For example, if a message passes [email authentication checks](email-authentication-about.md), URL filtering, and file filtering, the message is delivered if it's also from an allowed sender.
 
@@ -220,6 +220,7 @@ In existing domain and email address entries, you can change the expiration date
        - **1 day**
        - **7 days**
        - **30 days**
+       - **45 days after last used date**
        - **Specific date**: The maximum value is 30 days from today.
      - **Optional note**
 

defender-office-365/tenant-allow-block-list-files-configure.md

@@ -82,7 +82,7 @@ Instead, you use the **Email attachments** tab on the **Submissions** page at <h
 >
 > When the entity in the allow entry is encountered again (during mail flow or at time of click), all filters associated with that entity are overridden.
 >
-> By default, allow entries for files exist for 30 days. During those 30 days, Microsoft learns from the allow entries and [removes them or automatically extends them](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/automatic-tenant-allow-block-list-expiration-management-is-now/ba-p/3723447). After Microsoft learns from the removed allow entries, messages that contain those entities are delivered, unless something else in the message is detected as malicious.
+> By default, allow entries for domains and email addresses, files, and URLs exist for 45 days after last used date. Whenever the entity is encountered during mailflow or time of click and the entity has not been learned to be clean by the filtering, the allow entry will kick in and in the real time the last used date will be updated. So the 45 day after last used date will keep the allow entry for 45 days after the filtering system has learned the entity to be clean and you will have full visibility into it. 
 >
 > During mail flow, if messages containing the allowed entity pass other checks in the filtering stack, the messages are delivered. For example, if a message passes [email authentication checks](email-authentication-about.md), the message is delivered if it also contains an allowed file.
 >
@@ -221,6 +221,7 @@ In existing file entries, you can change the expiration date and note.
        - **1 day**
        - **7 days**
        - **30 days**
+       - **45 days after last used date**
        - **Specific date**: The maximum value is 30 days from today.
      - **Optional note**
 

defender-office-365/tenant-allow-block-list-urls-configure.md

@@ -84,7 +84,7 @@ Instead, you use the **URLs** tab on the **Submissions** page at <https://securi
 >
 > When the entity in the allow entry is encountered again (during mail flow or at time of click), all filters associated with that entity are overridden.
 >
-> By default, allow entries for URLs exist for 30 days. During those 30 days, Microsoft learns from the allow entries and [removes them or automatically extends them](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/automatic-tenant-allow-block-list-expiration-management-is-now/ba-p/3723447). After Microsoft learns from the removed allow entries, messages that contain those URLs are delivered, unless something else in the message is detected as malicious.
+> By default, allow entries for domains and email addresses, files, and URLs exist for 45 days after last used date. Whenever the entity is encountered during mailflow or time of click and the entity has not been learned to be clean by the filtering, the allow entry will kick in and in the real time the last used date will be updated. So the 45 day after last used date will keep the allow entry for 45 days after the filtering system has learned the entity to be clean and you will have full visibility into it. 
 >
 > During mail flow, if messages containing the allowed URL pass other checks in the filtering stack, the messages are delivered. For example, if a message passes [email authentication checks](email-authentication-about.md) and file filtering, the message is delivered if it also contains an allowed URL.
 >
@@ -221,6 +221,7 @@ In existing URL entries, you can change the expiration date and note.
        - **1 day**
        - **7 days**
        - **30 days**
+       - **45 days after last used date**
        - **Specific date**: The maximum value is 30 days from today.
      - **Optional note**