How to configure quarantine permissions and policies

Providing security admins and users with a simple way to manage false positive folders is vital, given the increased demand for a more aggressive security posture with the evolution of hybrid work. Taking a prescriptive approach, admins and users can achieve this with the guidance in this article.

Tip

For a short video aimed at admins trying to set quarantine permissions and policies, see this link. If you are an end user, opt for this 1-minute overview of the process.

What you need

  • Sufficient permissions (Security Administrator role)
  • 5 minutes to perform the following procedures.

Deciding between built-in or custom quarantine policies

Custom quarantine policies give admins the ability to decide which items their users can triage in the False positive folder, with the extended option of allowing users to request the release of those items from the folder.

  1. Decide which verdict categories (bulk, spam, phish, high confidence phish, or malware) of items you want your users to triage and which you do not.
  2. For the categories that you don't want users to triage, assign the items to the AdminOnlyPolicy. For a category that you want users to triage with limited access, create a custom policy with request release access and assign users to that category.
  3. It's strongly recommended that malware and high confidence phish items be assigned to the AdminOnlyPolicy, that regular confidence phish items be assigned limited access with request release, and that bulk and spam be left as full access for users.

Important

For more information on how granular custom policies can be created, see Quarantine policies - Office 365 | Microsoft Docs.

Assigning quarantine policies and enabling notification with organization branding

When your security team has decided which categories of items users can triage (and which they cannot), and has created the corresponding quarantine policies, admins should assign these policies to the respective users and enable notifications.

  1. Identify the users, groups, or domains that you would like to include in the full access category, the limited access category, and the Admin-Only category.
  2. Sign in to the Microsoft Security portal.
  3. On the left nav, under Email & collaboration, select Policies & rules.
  4. Select Threat policies.
  5. Select each of the following: Anti-spam policies, Anti-phishing policy, Anti-Malware policy.
  6. Select Create policy and choose Inbound.
  7. Add the policy Name and the users, groups, or domains to apply the policy to, then select Next.
  8. In the Actions tab, select Quarantine message as the action for the relevant categories. A Select quarantine policy panel appears; use its dropdown to select the quarantine policy you created earlier.
  9. Move on to the Review section and select the Confirm button to create the new policy.
  10. Repeat these same steps for the other policies: Anti-phishing policy, Anti-Malware policy, and Safe Attachment policy.

Next Steps

  • Use the Global policy available under quarantine policies to enable your organization branding: logo, display name, and disclaimer.
  • Also set the user notification frequency to 1 day for quarantine notifications.
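The same configuration can be scripted from Exchange Online PowerShell, which is useful when you need to apply the recommended mapping (malware and high confidence phish admin-only, phish limited with request release, bulk and spam full access) to many tenants consistently and to audit the result afterwards. This is an added example, not code from the original article; it assumes the ExchangeOnlineManagement module is installed, and the policy name `LimitedAccessRequestRelease`, the anti-spam policy name `Standard-Quarantine` and the group `AllStaff@contoso.com` are placeholders you would replace. The built-in quarantine policies are named `AdminOnlyAccessPolicy` and `DefaultFullAccessPolicy` in PowerShell, and the global settings policy is `DefaultGlobalTag`.

```powershell
# Added example, not part of the original article. Assumes the ExchangeOnlineManagement
# module; 'LimitedAccessRequestRelease', 'Standard-Quarantine' and 'AllStaff@contoso.com'
# are placeholder names.
Connect-ExchangeOnline

# Permission bits accepted by -EndUserQuarantinePermissionsValue. Release (4) and
# RequestRelease (8) are mutually exclusive: a policy grants one or the other.
$PermissionToBlockSender    = 16
$PermissionToRequestRelease = 8
$PermissionToRelease        = 4
$PermissionToPreview        = 2
$PermissionToDelete         = 1

# Limited access: preview, delete, block sender and *request* release (value 27).
$limited = $PermissionToBlockSender + $PermissionToRequestRelease +
           $PermissionToPreview + $PermissionToDelete

New-QuarantinePolicy -Name 'LimitedAccessRequestRelease' `
    -EndUserQuarantinePermissionsValue $limited `
    -ESNEnabled $true   # users receive quarantine notifications for these items

# Anti-spam policy mapping each verdict to a quarantine policy as recommended above:
# bulk/spam -> full access, phish -> limited with request release,
# high confidence phish -> admin only.
New-HostedContentFilterPolicy -Name 'Standard-Quarantine' `
    -BulkSpamAction Quarantine            -BulkQuarantineTag 'DefaultFullAccessPolicy' `
    -SpamAction Quarantine                -SpamQuarantineTag 'DefaultFullAccessPolicy' `
    -HighConfidenceSpamAction Quarantine  -HighConfidenceSpamQuarantineTag 'DefaultFullAccessPolicy' `
    -PhishSpamAction Quarantine           -PhishQuarantineTag 'LimitedAccessRequestRelease' `
    -HighConfidencePhishAction Quarantine -HighConfidencePhishQuarantineTag 'AdminOnlyAccessPolicy'

# The rule scopes the policy to the users, groups or domains identified in step 1.
New-HostedContentFilterRule -Name 'Standard-Quarantine' `
    -HostedContentFilterPolicy 'Standard-Quarantine' `
    -SentToMemberOf 'AllStaff@contoso.com'

# Malware is always quarantined; keep it admin-only.
Set-MalwareFilterPolicy -Identity Default -QuarantineTag 'AdminOnlyAccessPolicy'

# Global settings: organization branding and a 1-day notification frequency.
Set-QuarantinePolicy -Identity DefaultGlobalTag `
    -OrganizationBrandingEnabled $true `
    -EndUserSpamNotificationFrequency 1.00:00:00

# Verify the mapping that was applied.
Get-HostedContentFilterPolicy -Identity 'Standard-Quarantine' |
    Format-List *QuarantineTag, *Action
```

Run the final `Get-HostedContentFilterPolicy` after any portal change as well; a verdict whose action is not Quarantine ignores its quarantine tag, which is the most common reason a custom policy appears not to take effect.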

More information

Learn more about organization branding and notification settings in Quarantine policies.