There is a feature in Exchange Online which blocks users from being able to send email when they send too many emails in a time period. It usually triggers either when a user sends a load of emails via Mail Merge or when their account gets compromised and it's used to send a load of spam.
You can view which accounts have been blocked from sending either by going to the Restricted Users page in the Defender Security Portal or by running the Get-BlockedSenderAddress
cmdlet in the Exchange Online EXO PowerShell Module.
The trouble is, these only show the users who are currently blocked. I have been asked by my employer to produce a report on who has been blocked in the last n days. I've looked at the reports in the Defender portal and there isn't one that does exactly that. I'm wondering if this kind of data is kept and if so, how I can extract it?
Thanks in advanced for any help.
Check it in Report > Email & collaboration > Compromised users. You can see the compromised(Suspicious or Restricted) users report in the last 90 days. URL: https://security.microsoft.com/reports/CompromisedUsers
For more information about this: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/view-email-security-reports?view=o365-worldwide#compromised-users-report