Quarantine policies
Applies to:
- Exchange Online Protection
- Microsoft Defender for Office 365 plan 1 and plan 2
- Microsoft 365 Defender
Quarantine policies (formerly known as quarantine tags) in Exchange Online Protection (EOP) and Microsoft Defender for Office 365 allow admins to control what users are able to do to quarantined messages based on why the message was quarantined.
Traditionally, users have been allowed or denied levels of interactivity for quarantined messages based on why the message was quarantined. For example, users can view and release messages that were quarantined by anti-spam filtering as spam or bulk, but they can't view or release messages that were quarantined as high confidence phishing or malware.
For supported protection features, quarantine policies specify what users are allowed to do to their own messages in quarantine (messages where they're a recipient) and in quarantine notifications. Quarantine notifications are the replacement for end-user spam notifications. These notifications are now controlled by quarantine policies, and contain information about quarantined messages for all supported protection features (not just anti-spam policy and anti-phishing policy verdicts).
Default quarantine policies that enforce historical user capabilities are automatically assigned to actions in the supported protection features that quarantine messages. Or, you can create custom quarantine policies and assign them to the supported protection features to allow or prevent users from performing specific actions on those types of quarantined messages.
The individual quarantine policy permissions are combined into the following preset permission groups:
- No access
- Limited access
- Full access
The individual quarantine policy permissions that are contained in the preset permission groups are described in the following table:
Permission | No access | Limited access | Full access |
---|---|---|---|
Block sender (PermissionToBlockSender) | | ✔ | ✔ |
Delete (PermissionToDelete) | | ✔ | ✔ |
Preview (PermissionToPreview) | | ✔ | ✔ |
Allow recipients to release a message from quarantine (PermissionToRelease)* | | | ✔ |
Allow recipients to request a message to be released from quarantine (PermissionToRequestRelease) | | ✔ | |
*The Allow recipients to release a message from quarantine permission is not honored for messages that were quarantined as malware (anti-malware policies or Safe Attachments policies) or as high confidence phishing (anti-spam policies). Users cannot release their own malware or high confidence phishing messages from quarantine. At best, you can use the Allow recipients to request a message to be released from quarantine permission.
The default quarantine policies, their associated permission groups, and whether quarantine notifications are enabled are described in the following table:
Default quarantine policy | Permission group used | Quarantine notifications enabled? |
---|---|---|
AdminOnlyAccessPolicy | No access | No |
DefaultFullAccessPolicy | Full access | No |
NotificationEnabledPolicy* | Full access | Yes |
DefaultFullAccessWithNotificationPolicy** | Full access | Yes |
*See the next section for more information about this policy.
**This policy is used in preset security policies.
If you don't like the default permissions in the preset permission groups, or if you want to enable quarantine notifications, create and use custom quarantine policies. For more information about what each permission does, see the Quarantine policy permission details section later in this article.
You create and assign quarantine policies in the Microsoft 365 Defender portal or in PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with Exchange Online mailboxes; standalone EOP PowerShell in EOP organizations without Exchange Online mailboxes).
Note
How long quarantined messages are held in quarantine before they expire is controlled by the Retain spam in quarantine for this many days (QuarantineRetentionPeriod) setting in anti-spam policies. For more information, see Configure anti-spam policies in EOP.
If you change the quarantine policy that's assigned to a supported protection feature, the change affects messages that are quarantined after you make the change. Messages that were previously quarantined by that protection feature are not affected by the settings of the new quarantine policy assignment.
Full access permissions and quarantine notifications
The quarantine policy named NotificationEnabledPolicy is not available in all environments. You'll have the NotificationEnabledPolicy quarantine policy if your organization meets both of the following requirements:
- Your organization existed before the quarantine policy feature was turned on (late July/early August 2021).
- The Enable end-user spam notifications setting was turned on in one or more anti-spam policies (in the default anti-spam policy or in custom anti-spam policies).
As described earlier, quarantine notifications in quarantine policies replace end-user spam notifications that you previously turned on or turned off in anti-spam policies. The built-in quarantine policy named DefaultFullAccessPolicy duplicates the historical permissions for quarantined messages, but quarantine notifications are not turned on in the quarantine policy. And, because you can't modify the built-in policy, you can't turn on quarantine notifications in DefaultFullAccessPolicy.
To provide the permissions of DefaultFullAccessPolicy but with quarantine notifications turned on, we created the policy named NotificationEnabledPolicy to use in place of DefaultFullAccessPolicy for those organizations that needed it (organizations where end-user spam notifications were turned on).
New organizations or older organizations where end-user spam notifications were never turned on in anti-spam policies don't have the quarantine policy named NotificationEnabledPolicy. To turn on quarantine notifications for quarantine policies that use Full access permissions in organizations that don't have the NotificationEnabledPolicy, you can use either of the following methods:
- Create and use custom quarantine policies with Full access permissions where quarantine notifications are turned on.
- Use the DefaultFullAccessWithNotificationPolicy.
What do you need to know before you begin?
You open the Microsoft 365 Defender portal at https://security.microsoft.com. To go directly to the Quarantine policies page, use https://security.microsoft.com/quarantinePolicies.
To connect to Exchange Online PowerShell, see Connect to Exchange Online PowerShell. To connect to standalone EOP PowerShell, see Connect to Exchange Online Protection PowerShell.
To view, create, modify, or remove quarantine policies, you need to be a member of the Organization Management, Security Administrator, or Quarantine Administrator roles in the Microsoft 365 Defender portal. For more information, see Permissions in the Microsoft 365 Defender portal.
Step 1: Create quarantine policies in the Microsoft 365 Defender portal
In the Microsoft 365 Defender portal, go to Email & collaboration > Policies & Rules > Threat policies > Quarantine policies in the Rules section. Or, to go directly to the Quarantine policies page, use https://security.microsoft.com/quarantinePolicies.
On the Quarantine policies page, click Add custom policy.
The New policy wizard opens. On the Policy name page, enter a brief but unique name in the Policy name box. You'll need to identify and select the quarantine policy by name in upcoming steps. When you're finished, click Next.
On the Recipient message access page, select one of the following values:
- Limited access: The individual permissions that are included in this permission group are described earlier in this article.
- Set specific access (Advanced): Use this value to specify custom permissions. Configure the following settings that appear:
  - Select release action preference: Select one of the following values:
    - Blank: This is the default value.
    - Allow recipients to release a message from quarantine
    - Allow recipients to request a message to be released from quarantine
  - Select additional actions recipients can take on quarantined messages: Select some, all, or none of the following values:
    - Delete
    - Preview
    - Block sender
These permissions and their effect on quarantined messages and in quarantine notifications are described in the Quarantine policy permission details section later in this article.
When you're finished, click Next.
On the End-user spam notification page, select Enable to enable quarantine notifications (formerly known as end-user spam notifications). When you're finished, click Next.
Note
As explained earlier, the built-in policies (AdminOnlyAccessPolicy or DefaultFullAccessPolicy) do not have quarantine notifications turned on, and you can't modify the policies.
On the Review policy page, review your settings. You can select Edit in each section to modify the settings within the section. Or you can click Back or select the specific page in the wizard.
When you're finished, click Submit.
On the confirmation page that appears, click Done.
Now you're ready to assign the quarantine policy to a supported security feature as described in the Step 2 section.
Create quarantine policies in PowerShell
If you'd rather use PowerShell to create quarantine policies, connect to Exchange Online PowerShell or Exchange Online Protection PowerShell and use the New-QuarantinePolicy cmdlet.
Note
If you don't use the ESNEnabled parameter and the value $true, then quarantine notifications are turned off.
Use the EndUserQuarantinePermissionsValue parameter
To create a quarantine policy using the EndUserQuarantinePermissionsValue parameter, use the following syntax:
New-QuarantinePolicy -Name "<UniqueName>" -EndUserQuarantinePermissionsValue <0 to 236> [-EsnEnabled $true]
The EndUserQuarantinePermissionsValue parameter uses a decimal value that's converted from a binary value. The binary value corresponds to the available end-user quarantine permissions in a specific order. For each permission, the value 1 equals True and the value 0 equals False.
The required order and values for each individual permission are described in the following table:
Permission | Decimal value | Binary value |
---|---|---|
PermissionToViewHeader* | 128 | 10000000 |
PermissionToDownload** | 64 | 01000000 |
PermissionToAllowSender** | 32 | 00100000 |
PermissionToBlockSender | 16 | 00010000 |
PermissionToRequestRelease*** | 8 | 00001000 |
PermissionToRelease*** | 4 | 00000100 |
PermissionToPreview | 2 | 00000010 |
PermissionToDelete | 1 | 00000001 |
* The value 0 doesn't hide the View message header button in the details of the quarantined message (the button is always available).
** This setting is not used (the value 0 or 1 does nothing).
*** Don't set both of these values to 1. Set one to 1 and the other to 0, or set both to 0.
For Limited access permissions, the required values are:
Permission | Limited access |
---|---|
PermissionToViewHeader | 0 |
PermissionToDownload | 0 |
PermissionToAllowSender | 0 |
PermissionToBlockSender | 1 |
PermissionToRequestRelease | 1 |
PermissionToRelease | 0 |
PermissionToPreview | 1 |
PermissionToDelete | 1 |
Binary value | 00011011 |
Decimal value to use | 27 |
This example creates a new quarantine policy named LimitedAccess with quarantine notifications turned on that assigns the Limited access permissions as described in the previous table.
New-QuarantinePolicy -Name LimitedAccess -EndUserQuarantinePermissionsValue 27 -EsnEnabled $true
For custom permissions, use the previous table to get the binary value that corresponds to the permissions you want. Convert the binary value to a decimal value and use the decimal value for the EndUserQuarantinePermissionsValue parameter. Don't use the binary value for the parameter value.
For detailed syntax and parameter information, see New-QuarantinePolicy.
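The following added example (not part of the original article or of Microsoft's tooling) computes the decimal value from permission names, rejects the combination that the *** footnote forbids, and decodes a value back into its permissions for review. The helper names ConvertTo-QuarantinePermissionsValue and ConvertFrom-QuarantinePermissionsValue and the policy name ExampleLimitedAccess are hypothetical; the bit values come from the table above.

```powershell
# Bit values copied from the permission table above, highest bit first.
$PermissionBits = [ordered]@{
    PermissionToViewHeader     = 128
    PermissionToDownload       = 64
    PermissionToAllowSender    = 32
    PermissionToBlockSender    = 16
    PermissionToRequestRelease = 8
    PermissionToRelease        = 4
    PermissionToPreview        = 2
    PermissionToDelete         = 1
}

function ConvertTo-QuarantinePermissionsValue {
    # Hypothetical helper: permission names -> decimal value for
    # the EndUserQuarantinePermissionsValue parameter.
    param([string[]]$Permission = @())

    $value = 0
    foreach ($name in $Permission) {
        if (-not $PermissionBits.Contains($name)) {
            throw "Unknown permission name: $name"
        }
        $value = $value -bor $PermissionBits[$name]
    }

    # Footnote ***: release and request-release must not both be set to 1.
    $releaseBits = $PermissionBits.PermissionToRelease -bor $PermissionBits.PermissionToRequestRelease
    if (($value -band $releaseBits) -eq $releaseBits) {
        throw 'Set PermissionToRelease or PermissionToRequestRelease, not both.'
    }
    return $value
}

function ConvertFrom-QuarantinePermissionsValue {
    # Hypothetical helper: decimal value -> one row per permission, for review.
    param([Parameter(Mandatory)][ValidateRange(0, 255)][int]$Value)

    foreach ($entry in $PermissionBits.GetEnumerator()) {
        [pscustomobject]@{
            Permission = $entry.Key
            Bit        = [Convert]::ToString($entry.Value, 2).PadLeft(8, '0')
            Enabled    = ($Value -band $entry.Value) -ne 0
        }
    }
}

# The Limited access permission set from the table on this page.
$limited = ConvertTo-QuarantinePermissionsValue -Permission @(
    'PermissionToBlockSender', 'PermissionToRequestRelease',
    'PermissionToPreview', 'PermissionToDelete')
ConvertFrom-QuarantinePermissionsValue -Value $limited | Format-Table -AutoSize

# Command text to run in a connected Exchange Online PowerShell session.
# "ExampleLimitedAccess" is a placeholder policy name.
"New-QuarantinePolicy -Name ExampleLimitedAccess -EndUserQuarantinePermissionsValue $limited -EsnEnabled `$true"

# A combination the footnote forbids is rejected before it reaches the service.
try {
    ConvertTo-QuarantinePermissionsValue -Permission PermissionToRelease, PermissionToRequestRelease
} catch {
    Write-Warning $_.Exception.Message
}
```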
Step 2: Assign a quarantine policy to supported features
In supported protection features that quarantine email messages, you can assign a quarantine policy that defines what users can do to quarantined messages and whether notifications for quarantined messages are turned on. Features that quarantine messages and the availability of quarantine policies are described in the following table:
Feature | Quarantine policies supported? |
---|---|
Verdicts in anti-spam policies | |
Spam (SpamAction) | Yes (SpamQuarantineTag) |
High confidence spam (HighConfidenceSpamAction) | Yes (HighConfidenceSpamQuarantineTag) |
Phishing (PhishSpamAction) | Yes (PhishQuarantineTag) |
High confidence phishing (HighConfidencePhishAction) | Yes (HighConfidencePhishQuarantineTag) |
Bulk (BulkSpamAction) | Yes (BulkQuarantineTag) |
Verdicts in anti-phishing policies | |
Spoof (AuthenticationFailAction) | Yes (SpoofQuarantineTag) |
User impersonation (TargetedUserProtectionAction) | Yes (TargetedUserQuarantineTag) |
Domain impersonation (TargetedDomainProtectionAction) | Yes (TargetedDomainQuarantineTag) |
Mailbox intelligence impersonation (MailboxIntelligenceProtectionAction) | Yes (MailboxIntelligenceQuarantineTag) |
Anti-malware policies | Yes (QuarantineTag) |
Safe Attachments protection | |
Email messages with attachments that are quarantined as malware by Safe Attachments policies (Enable and Action) | Yes (QuarantineTag) |
Files that are quarantined as malware by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams | No |
Exchange mail flow rules (also known as transport rules) with the action: 'Deliver the message to the hosted quarantine' (Quarantine) | No |
The default quarantine policies that are used by each feature are described in Recommended settings for EOP and Microsoft Defender for Office 365 security.
The default quarantine policies, preset permission groups, and permissions are described at the beginning of this article and later in this article.
Note
If you're happy with the default end-user permissions and quarantine notifications that are provided (or not provided) by the default quarantine policies, you don't need to do anything. If you want to add or remove end-user capabilities (the available buttons) for user quarantined messages, or enable quarantine notifications and add or remove the same capabilities in quarantine notifications, you can assign a different quarantine policy to the quarantine action.
Assign quarantine policies in supported policies in the Microsoft 365 Defender portal
Note
Users can't release their own messages that were quarantined as malware (anti-malware policies or Safe Attachments policies) or high confidence phishing (anti-spam policies), regardless of how the quarantine policy is configured. At best, admins can configure the quarantine policy so users can request the release of their quarantined malware or high confidence phishing messages.
Anti-spam policies
In the Microsoft 365 Defender portal, go to Email & collaboration > Policies & rules > Threat policies > Anti-spam in the Policies section.
Or, to go directly to the Anti-spam policies page, use https://security.microsoft.com/antispam.
On the Anti-spam policies page, do one of the following steps:
- Find and select an existing inbound anti-spam policy.
- Create a new inbound anti-spam policy.
Do one of the following steps:
- Edit existing: Select the policy by clicking on the name of the policy. In the policy details flyout, go to the Actions section and then click Edit actions.
- Create new: In the new policy wizard, get to the Actions page.
On the Actions page, every verdict that has the Quarantine message action will also have the Select quarantine policy box for you to select a corresponding quarantine policy.
Note: When you create a new policy, a blank Select quarantine policy value indicates the default quarantine policy for that verdict is used. When you later edit the policy, the blank values are replaced by the actual default quarantine policy names as described in the previous table.
Full instructions for creating and modifying anti-spam policies are described in Configure anti-spam policies in EOP.
Anti-spam policies in PowerShell
If you'd rather use PowerShell to assign quarantine policies in anti-spam policies, connect to Exchange Online PowerShell or Exchange Online Protection PowerShell and use the following syntax:
<New-HostedContentFilterPolicy -Name "<Unique name>" | Set-HostedContentFilterPolicy -Identity "<Policy name>"> [-SpamAction Quarantine] [-SpamQuarantineTag <QuarantineTagName>] [-HighConfidenceSpamAction Quarantine] [-HighConfidenceSpamQuarantineTag <QuarantineTagName>] [-PhishSpamAction Quarantine] [-PhishQuarantineTag <QuarantineTagName>] [-HighConfidencePhishQuarantineTag <QuarantineTagName>] [-BulkSpamAction Quarantine] [-BulkQuarantineTag <QuarantineTagName>] ...
Notes:
The default value for the PhishSpamAction and HighConfidencePhishAction parameters is Quarantine, so you don't need to use those parameters when you create new spam filter policies in PowerShell. For the SpamAction, HighConfidenceSpamAction, and BulkSpamAction parameters in new or existing anti-spam policies, the quarantine policy is effective only if the value is Quarantine.
To see the important parameter values in existing anti-spam policies, run the following command:
Get-HostedContentFilterPolicy | Format-List Name,*SpamAction,HighConfidencePhishAction,*QuarantineTag
For information about the default action values and the recommended action values for Standard and Strict, see EOP anti-spam policy settings.
If you create a new anti-spam policy without specifying the quarantine policy for the spam filtering verdict, the default quarantine policy for that verdict is used. The default quarantine policies for each spam filter verdict are shown in EOP anti-spam policy settings.
Specify a different quarantine policy only if you want to change the default end-user capabilities on quarantined messages for that particular spam filtering verdict.
A new anti-spam policy in PowerShell requires a spam filter policy (settings) using the New-HostedContentFilterPolicy cmdlet and an exclusive spam filter rule (recipient filters) using the New-HostedContentFilterRule cmdlet. For instructions, see Use PowerShell to create anti-spam policies.
This example creates a new spam filter policy named Research Department with the following settings:
- The action for all spam filtering verdicts is set to Quarantine.
- The custom quarantine policy named NoAccess that assigns No access permissions replaces any default quarantine policies that don't already assign No access permissions by default.
New-HostedContentFilterPolicy -Name "Research Department" -SpamAction Quarantine -SpamQuarantineTag NoAccess -HighConfidenceSpamAction Quarantine -HighConfidenceSpamQuarantineTag NoAccess -PhishSpamAction Quarantine -PhishQuarantineTag NoAccess -BulkSpamAction Quarantine -BulkQuarantineTag NoAccess
For detailed syntax and parameter information, see New-HostedContentFilterPolicy.
This example modifies the existing spam filter policy named Human Resources. The action for the spam quarantine verdict is set to Quarantine, and the custom quarantine policy named NoAccess is assigned.
Set-HostedContentFilterPolicy -Identity "Human Resources" -SpamAction Quarantine -SpamQuarantineTag NoAccess
For detailed syntax and parameter information, see Set-HostedContentFilterPolicy.
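As noted above, a quarantine policy assigned to a spam filtering verdict is effective only when that verdict's action is Quarantine. The following added example (not from the original article) reports each verdict's action and assigned quarantine policy and flags the assignments that have no effect; Get-QuarantineTagReport is a hypothetical helper, and the sample policy objects are constructed so the block runs without a tenant connection.

```powershell
# Verdict action parameter -> quarantine policy parameter, as listed in the
# feature table earlier on this page.
$VerdictTagMap = [ordered]@{
    SpamAction                = 'SpamQuarantineTag'
    HighConfidenceSpamAction  = 'HighConfidenceSpamQuarantineTag'
    PhishSpamAction           = 'PhishQuarantineTag'
    HighConfidencePhishAction = 'HighConfidencePhishQuarantineTag'
    BulkSpamAction            = 'BulkQuarantineTag'
}

function Get-QuarantineTagReport {
    # Hypothetical helper (not a Microsoft cmdlet): one row per policy and verdict.
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Policy
    )
    process {
        foreach ($actionName in $VerdictTagMap.Keys) {
            $tagName = $VerdictTagMap[$actionName]
            $action  = [string]$Policy.$actionName
            [pscustomobject]@{
                Policy        = $Policy.Name
                Verdict       = $actionName
                Action        = $action
                QuarantineTag = [string]$Policy.$tagName
                # The assigned quarantine policy only applies to quarantined mail.
                TagEffective  = $action -eq 'Quarantine'
            }
        }
    }
}

# Constructed sample objects shaped like Get-HostedContentFilterPolicy output.
# The policy names and values are illustrative, not tenant defaults.
$samplePolicies = @(
    [pscustomobject]@{
        Name                             = 'Research Department'
        SpamAction                       = 'Quarantine'
        SpamQuarantineTag                = 'NoAccess'
        HighConfidenceSpamAction         = 'Quarantine'
        HighConfidenceSpamQuarantineTag  = 'NoAccess'
        PhishSpamAction                  = 'Quarantine'
        PhishQuarantineTag               = 'NoAccess'
        HighConfidencePhishAction        = 'Quarantine'
        HighConfidencePhishQuarantineTag = 'AdminOnlyAccessPolicy'
        BulkSpamAction                   = 'Quarantine'
        BulkQuarantineTag                = 'NoAccess'
    },
    [pscustomobject]@{
        Name                             = 'Human Resources'
        SpamAction                       = 'MoveToJmf'      # not Quarantine
        SpamQuarantineTag                = 'NoAccess'       # so this tag is unused
        HighConfidenceSpamAction         = 'Quarantine'
        HighConfidenceSpamQuarantineTag  = 'DefaultFullAccessPolicy'
        PhishSpamAction                  = 'Quarantine'
        PhishQuarantineTag               = 'DefaultFullAccessPolicy'
        HighConfidencePhishAction        = 'Quarantine'
        HighConfidencePhishQuarantineTag = 'AdminOnlyAccessPolicy'
        BulkSpamAction                   = 'MoveToJmf'      # not Quarantine
        BulkQuarantineTag                = 'DefaultFullAccessPolicy'
    }
)

# Full report, then only the assignments that currently do nothing.
$report = $samplePolicies | Get-QuarantineTagReport
$report | Format-Table -AutoSize
$report | Where-Object { -not $_.TagEffective } | Format-Table -AutoSize
```

In a connected session, pipe the output of Get-HostedContentFilterPolicy into the helper in place of $samplePolicies.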
Anti-phishing policies
Spoof intelligence is available in EOP and Defender for Office 365. User impersonation protection, domain impersonation protection, and mailbox intelligence are available only in Defender for Office 365. For more information, see Anti-phishing policies in Microsoft 365.
In the Microsoft 365 Defender portal, go to Email & collaboration > Policies & rules > Threat policies > Anti-phishing in the Policies section.
Or, to go directly to the Anti-phishing page, use https://security.microsoft.com/antiphishing.
On the Anti-phishing page, do one of the following steps:
- Find and select an existing anti-phishing policy.
- Create a new anti-phishing policy.
Do one of the following steps:
- Edit existing: Select the policy by clicking on the name of the policy. In the policy details flyout, go to the Protection settings section and then click Edit protection settings.
- Create new: In the new policy wizard, get to the Actions page.
On the Protection settings page, verify that the following settings are turned on and configured as required:
- Enabled users to protect: Specify users.
- Enabled domains to protect: Select Include domains I own and/or Include custom domains and specify the domains.
- Enable mailbox intelligence
- Enable intelligence for impersonation protection
- Enable spoof intelligence
Do one of the following steps:
- Edit existing: In the policy details flyout, go to the Actions section and then click Edit actions.
- Create new: In the new policy wizard, get to the Actions page.
On the Actions page, every verdict that has the Quarantine the message action will also have the Apply quarantine policy box for you to select a corresponding quarantine policy.
Note: When you create a new policy, a blank Apply quarantine policy value indicates the default quarantine policy for that action is used. When you later edit the policy, the blank values are replaced by the actual default quarantine policy names as described in the previous table.
Full instructions for creating and modifying anti-phishing policies are available in the following topics:
- Configure anti-phishing policies in EOP
- Configure anti-phishing policies in Microsoft Defender for Office 365
Anti-phishing policies in PowerShell
If you'd rather use PowerShell to assign quarantine policies in anti-phishing policies, connect to Exchange Online PowerShell or Exchange Online Protection PowerShell and use the following syntax:
<New-AntiPhishPolicy -Name "<Unique name>" | Set-AntiPhishPolicy -Identity "<Policy name>"> [-EnableSpoofIntelligence $true] [-AuthenticationFailAction Quarantine] [-SpoofQuarantineTag <QuarantineTagName>] [-EnableMailboxIntelligence $true] [-EnableMailboxIntelligenceProtection $true] [-MailboxIntelligenceProtectionAction Quarantine] [-MailboxIntelligenceQuarantineTag <QuarantineTagName>] [-EnableOrganizationDomainsProtection $true] [-EnableTargetedDomainsProtection $true] [-TargetedDomainProtectionAction Quarantine] [-TargetedDomainQuarantineTag <QuarantineTagName>] [-EnableTargetedUserProtection $true] [-TargetedUserProtectionAction Quarantine] [-TargetedUserQuarantineTag <QuarantineTagName>] ...
Notes:
The Enable* parameters are required to turn on the specific protection features. The default value for the EnableMailboxIntelligence and EnableSpoofIntelligence parameters is $true, so you don't need to use these parameters when you create new anti-phish policies in PowerShell. All other Enable* parameters need to have the value $true so you can set the value Quarantine in the corresponding *Action parameters to then assign a quarantine policy. None of the *Action parameters have the default value Quarantine.
To see the important parameter values in existing anti-phish policies, run the following command:
Get-AntiPhishPolicy | Format-List Name,Enable*Intelligence,Enable*Protection,*Action,*QuarantineTag
For information about the default action values and the recommended action values for Standard and Strict, see EOP anti-phishing policy settings and Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365.
If you create a new anti-phishing policy without specifying the quarantine policy for the anti-phishing action, the default quarantine policy for that action is used. The default quarantine policies for each anti-phishing action are shown in EOP anti-phishing policy settings and Anti-phishing policy settings in Microsoft Defender for Office 365.
Specify a different quarantine policy only if you want to change the default end-user capabilities on quarantined messages for that particular anti-phishing action.
A new anti-phishing policy in PowerShell requires an anti-phish policy (settings) using the New-AntiPhishPolicy cmdlet and an exclusive anti-phish rule (recipient filters) using the New-AntiPhishRule cmdlet. For instructions, see the following topics:
This example creates a new anti-phish policy named Research Department with the following settings:
- The action for all anti-phishing verdicts is set to Quarantine.
- The custom quarantine policy named NoAccess that assigns No access permissions replaces any default quarantine policies that don't already assign No access permissions by default.
New-AntiPhishPolicy -Name "Research Department" -AuthenticationFailAction Quarantine -SpoofQuarantineTag NoAccess -EnableMailboxIntelligenceProtection $true -MailboxIntelligenceProtectionAction Quarantine -MailboxIntelligenceQuarantineTag NoAccess -EnableOrganizationDomainsProtection $true -EnableTargetedDomainsProtection $true -TargetedDomainProtectionAction Quarantine -TargetedDomainQuarantineTag NoAccess -EnableTargetedUserProtection $true -TargetedUserProtectionAction Quarantine -TargetedUserQuarantineTag NoAccess
For detailed syntax and parameter information, see New-AntiPhishPolicy.
This example modifies the existing anti-phish policy named Human Resources. The action for messages detected by user impersonation and domain impersonation is set to Quarantine, and the custom quarantine policy named NoAccess is assigned.
Set-AntiPhishPolicy -Identity "Human Resources" -EnableTargetedDomainsProtection $true -TargetedDomainProtectionAction Quarantine -TargetedDomainQuarantineTag NoAccess -EnableTargetedUserProtection $true -TargetedUserProtectionAction Quarantine -TargetedUserQuarantineTag NoAccess
For detailed syntax and parameter information, see Set-AntiPhishPolicy.
Anti-malware policies
In the Microsoft 365 Defender portal, go to Email & collaboration > Policies & rules > Threat policies > Anti-malware in the Policies section.
Or, to go directly to the Anti-malware page, use https://security.microsoft.com/antimalwarev2.
On the Anti-malware page, do one of the following steps:
- Find and select an existing anti-malware policy.
- Create a new anti-malware policy.
Do one of the following steps:
- Edit existing: Select the policy by clicking on the name of the policy. In the policy details flyout, go to the Protection settings section and then click Edit protection settings.
- Create new: In the new policy wizard, get to the Actions page.
On the Protection settings page, select a quarantine policy in the Quarantine policy box.
Note: When you create a new policy, a blank Quarantine policy value indicates the default quarantine policy is used. When you later edit the policy, the blank value is replaced by the actual default quarantine policy name as described in the previous table.
Anti-malware policies in PowerShell
If you'd rather use PowerShell to assign quarantine policies in anti-malware policies, connect to Exchange Online PowerShell or Exchange Online Protection PowerShell and use the following syntax:
<New-MalwareFilterPolicy -Name "<Unique name>" | Set-MalwareFilterPolicy -Identity "<Policy name>"> [-QuarantineTag <QuarantineTagName>]
Notes:
When you create new anti-malware policies without using the QuarantineTag parameter, the default quarantine policy for malware detections is used (AdminOnlyAccessPolicy).
You need to replace the default quarantine policy with a custom quarantine policy only if you want to change the default end-user capabilities on messages that are quarantined as malware.
To see the important parameter values in existing anti-malware policies, run the following command:
Get-MalwareFilterPolicy | Format-Table Name,QuarantineTag
A new anti-malware policy in PowerShell requires a malware filter policy (settings) using the New-MalwareFilterPolicy cmdlet and an exclusive malware filter rule (recipient filters) using the New-MalwareFilterRule cmdlet. For instructions, see Use Exchange Online PowerShell or standalone EOP PowerShell to configure anti-malware policies.
This example creates a malware filter policy named Research Department that uses the custom quarantine policy named NoAccess that assigns No access permissions to the quarantined messages.
New-MalwareFilterPolicy -Name "Research Department" -QuarantineTag NoAccess
For detailed syntax and parameter information, see New-MalwareFilterPolicy.
This example modifies the existing malware filter policy named Human Resources by assigning the custom quarantine policy named NoAccess that assigns No access permissions to the quarantined messages.
Set-MalwareFilterPolicy -Identity "Human Resources" -QuarantineTag NoAccess
For detailed syntax and parameter information, see Set-MalwareFilterPolicy.
Safe Attachments policies in Defender for Office 365
In the Microsoft 365 Defender portal, go to Email & collaboration > Policies & rules > Threat policies > Safe Attachments in the Policies section.
Or, to go directly to the Safe Attachments page, use https://security.microsoft.com/safeattachmentv2.
On the Safe Attachments page, do one of the following steps:
- Find and select an existing Safe Attachments policy.
- Create a new Safe Attachments policy.
Do one of the following steps:
- Edit existing: Select the policy by clicking on the name of the policy. In the policy details flyout, go to the Settings section and then click Edit settings.
- Create new: In the new policy wizard, get to the Settings page.
On the Settings page, do the following steps:
- Safe Attachments unknown malware response: Select Block, Replace, or Dynamic Delivery.
- Select a quarantine policy in the Quarantine policy box.
Note: When you create a new policy, a blank Quarantine policy value indicates the default quarantine policy is used. When you later edit the policy, the blank value is replaced by the actual default quarantine policy name as described in the previous table.
Full instructions for creating and modifying Safe Attachments policies are described in Set up Safe Attachments policies in Microsoft Defender for Office 365.
Safe Attachments policies in PowerShell
If you'd rather use PowerShell to assign quarantine policies in Safe Attachments policies, connect to Exchange Online PowerShell or Exchange Online Protection PowerShell and use the following syntax:
<New-SafeAttachmentPolicy -Name "<Unique name>" | Set-SafeAttachmentPolicy -Identity "<Policy name>"> -Enable $true -Action <Block | Replace | DynamicDelivery> [-QuarantineTag <QuarantineTagName>]
Notes:
The Action parameter values Block, Replace, or DynamicDelivery can result in quarantined messages (the value Allow does not quarantine messages). The value of the Action parameter is meaningful only when the value of the Enable parameter is $true.
When you create new Safe Attachments policies without using the QuarantineTag parameter, the default quarantine policy for Safe Attachments detections in email is used (AdminOnlyAccessPolicy).
You need to replace the default quarantine policy with a custom quarantine policy only if you want to change the default end-user capabilities on email messages that are quarantined by Safe Attachments policies.
To see the important parameter values, run the following command:
Get-SafeAttachmentPolicy | Format-List Name,Enable,Action,QuarantineTag
A new Safe Attachments policy in PowerShell requires a safe attachment policy (settings) using the New-SafeAttachmentPolicy cmdlet and an exclusive safe attachment rule (recipient filters) using the New-SafeAttachmentRule cmdlet. For instructions, see Use Exchange Online PowerShell or standalone EOP PowerShell to configure Safe Attachments policies.
This example creates a safe attachment policy named Research Department that blocks detected messages and uses the custom quarantine policy named NoAccess that assigns No access permissions to the quarantined messages.
New-SafeAttachmentPolicy -Name "Research Department" -Enable $true -Action Block -QuarantineTag NoAccess
For detailed syntax and parameter information, see New-MalwareFilterPolicy.
This example modifies the existing safe attachment policy named Human Resources by assigning the custom quarantine policy named NoAccess that assigns No access permissions.
Set-SafeAttachmentPolicy -Identity "Human Resources" -QuarantineTag NoAccess
For detailed syntax and parameter information, see Set-MalwareFilterPolicy.
Configure global quarantine notification settings in the Microsoft 365 Defender portal
The global settings for quarantine policies allow you to customize the quarantine notifications that are sent to recipients of quarantined messages if quarantine notifications are turned on in the quarantine policy. For more information about these notifications, see Quarantine notifications.
In the Microsoft 365 Defender portal, go to Email & collaboration > Policies & rules > Threat policies > Quarantine policies in the Rules section. Or, to go directly to the Quarantine policies page, use https://security.microsoft.com/quarantinePolicies.
On the Quarantine policies page, select Global settings.
In the Quarantine notification settings flyout that opens, configure the following settings:
Note
We don't allow the same display name, subject, or disclaimer text for different languages. You need to provide a different display name, subject, and disclaimer text for each language that you select.
The same sender address is used for all languages. Although you can select a different sender email address for each language, the last sender you specify is used for all languages.
Customize quarantine notifications based on the recipient's language:
The Display name of the sender that's used in quarantine notifications as shown in the following screenshot.
The Subject field of the quarantine notification messages.
The Disclaimer text that's added to the bottom of quarantine notifications. The localized text, A disclaimer from your organization: is always included first, followed by the text you specify as shown in the following screenshot:
The language identifier for the Display name, Subject, and Disclaimer values. Quarantine notifications are already localized based on the recipient's language settings. The Display name, Subject, and Disclaimer values are used in quarantine notifications that apply to the recipient's language.
Select the language in the Choose language box before you enter values in the Display name, Subject and Disclaimer boxes. When you change the value in the Choose language box, the values in the Display name, Subject, and Disclaimer boxes are emptied.
Follow these steps to customize quarantine notifications based on the recipient's language:
Select the language from the Choose language box. The default value is Default, which means the default language for the Microsoft 365 organization. For more information, see How to set language and region settings for Microsoft 365.
Enter values for Display name, Subject, and Disclaimer. The values must be unique for each language. If you try to reuse a Display name, Subject, or Disclaimer value for multiple languages, you'll get an error when you click Save.
Use Specify sender address to select an existing recipient to use as the sender of quarantine notifications. If you've already specified a sender for a different language, the sender you specify will overwrite your previous selection (the same sender email address is used for all languages).
Click the Add button.
Repeat the previous steps to create a maximum of three customized quarantine notifications based on the recipient's language. An unlabeled box shows the languages that you've configured:
Use my company logo: Select this option to replace the default Microsoft logo that's used at the top of quarantine notifications. Before you do this step, you need to follow the instructions in Customize the Microsoft 365 theme for your organization to upload your custom logo. This option is not supported if your organization has a custom logo pointing to a URL instead of an uploaded image file.
The following screenshot shows a custom logo in a quarantine notification:
Send end-user spam notification every (days): Select the frequency for quarantine notifications. The default value is 3 days, but you can select 1 to 15 days.
When you're finished, click Save.
View quarantine policies in the Microsoft 365 Defender portal
In the Microsoft 365 Defender portal, go to Email & collaboration > Policies & rules > Threat policies > Quarantine policies in the Rules section. Or, to go directly to the Quarantine policies page, use https://security.microsoft.com/quarantinePolicies.
The Quarantine policies page shows the list of policies by Name and Last updated date.
To view the settings of built-in or custom quarantine policies, select the quarantine policy from the list by clicking on the name.
To view the global settings, click Global settings.
View quarantine policies in PowerShell
If you'd rather use PowerShell to view quarantine policies, do any of the following steps:
To view a summary list of all built-in or custom policies, run the following command:
Get-QuarantinePolicy | Format-Table Name
To view the settings of built-in or custom quarantine policies, replace <QuarantinePolicyName> with the name of the quarantine policy, and run the following command:
Get-QuarantinePolicy -Identity "<QuarantinePolicyName>"
To view the global settings for quarantine notifications, run the following command:
Get-QuarantinePolicy -QuarantinePolicyType GlobalQuarantinePolicy
For detailed syntax and parameter information, see Get-HostedContentFilterPolicy.
Modify quarantine policies in the Microsoft 365 Defender portal
You can't modify the built-in quarantine policies named AdminOnlyAccessPolicy, DefaultFullAccessPolicy, or DefaultFullAccessWithNotificationPolicy. You can modify the built-in policy named NotificationEnabledPolicy (if you have it) and custom quarantine policies.
In the Microsoft 365 Defender portal, go to Email & collaboration > Policies & rules > Threat policies > Quarantine policies in the Rules section. Or, to go directly to the Quarantine policies page, use https://security.microsoft.com/quarantinePolicies.
On the Quarantine policies page, select the policy by clicking on the name.
After you select the policy, click the Edit policy icon that appears.
The Edit policy wizard that opens is virtually identical to the New policy wizard as described in the Create quarantine policies in the Microsoft 365 Defender portal section earlier in this article.
The main difference is: you can't rename an existing policy.
When you're finished modifying the policy, go to the Summary page and click Submit.
Modify quarantine policies in PowerShell
If you'd rather use PowerShell to modify a custom quarantine policy, replace <QuarantinePolicyName> with the name of the quarantine policy, and use the following syntax:
Set-QuarantinePolicy -Identity "<QuarantinePolicyName>" [Settings]
The available settings are the same as described for creating quarantine policies earlier in this article.
For detailed syntax and parameter information, see Set-QuarantinePolicy.
Remove quarantine policies in the Microsoft 365 Defender portal
Notes:
You can't remove the built-in quarantine policies named AdminOnlyAccessPolicy, DefaultFullAccessPolicy, or DefaultFullAccessWithNotificationPolicy. You can remove the built-in policy named NotificationEnabledPolicy (if you have it) and custom quarantine policies.
Before you remove a quarantine policy, verify that it's not being used. For example, run the following command in PowerShell:
Write-Output -InputObject "Anti-spam policies",("-"*25);Get-HostedContentFilterPolicy | Format-List Name,*QuarantineTag; Write-Output -InputObject "Anti-phishing policies",("-"*25);Get-AntiPhishPolicy | Format-List Name,*QuarantineTag; Write-Output -InputObject "Anti-malware policies",("-"*25);Get-MalwareFilterPolicy | Format-List Name,QuarantineTag; Write-Output -InputObject "Safe Attachments policies",("-"*25);Get-SafeAttachmentPolicy | Format-List Name,QuarantineTag
If the quarantine policy is being used, replace the assigned quarantine policy before you remove it.
In the Microsoft 365 Defender portal, go to Email & collaboration > Policies & rules > Threat policies > Quarantine policies in the Rules section. Or, to go directly to the Quarantine policies page, use https://security.microsoft.com/quarantinePolicies.
On the Quarantine policies page, select the custom quarantine policy that you want to remove by clicking on the name.
After you select the policy, click the Delete policy icon that appears.
Click Remove policy in the confirmation dialog that appears.
Remove quarantine policies in PowerShell
If you'd rather use PowerShell to remove a custom quarantine policy, replace <QuarantinePolicyName> with the name of the quarantine policy, and run the following command:
Remove-QuarantinePolicy -Identity "<QuarantinePolicyName>"
For detailed syntax and parameter information, see Remove-QuarantinePolicy.
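The "verify that it's not being used" check from the notes above can be turned into a guard that runs before removal. The following is an added example, not part of the original article or Microsoft's own code: the function name Get-QuarantinePolicyUsage is hypothetical, NoAccess is the custom quarantine policy name used in this article's examples, and an Exchange Online PowerShell session is assumed.

```powershell
# Added example: list every threat policy that still references a quarantine
# policy, and remove the quarantine policy only when nothing references it.
# Assumes an existing Exchange Online PowerShell session.
function Get-QuarantinePolicyUsage {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$QuarantinePolicyName)

    # The same four policy types that the one-line check above inspects.
    $sources = [ordered]@{
        'Anti-spam'        = { Get-HostedContentFilterPolicy }
        'Anti-phishing'    = { Get-AntiPhishPolicy }
        'Anti-malware'     = { Get-MalwareFilterPolicy }
        'Safe Attachments' = { Get-SafeAttachmentPolicy }
    }

    foreach ($type in $sources.Keys) {
        foreach ($policy in (& $sources[$type])) {
            # Check every property whose name ends in QuarantineTag, so verdict-specific
            # settings are covered without hard-coding their names.
            $policy.PSObject.Properties |
                Where-Object { $_.Name -like '*QuarantineTag' -and
                               [string]$_.Value -eq $QuarantinePolicyName } |
                ForEach-Object {
                    [pscustomobject]@{
                        PolicyType = $type
                        PolicyName = $policy.Name
                        Setting    = $_.Name
                    }
                }
        }
    }
}

$name  = 'NoAccess'   # custom quarantine policy name from this article's examples
$usage = @(Get-QuarantinePolicyUsage -QuarantinePolicyName $name)

if ($usage.Count -gt 0) {
    # Still assigned somewhere: show where, and leave the quarantine policy in place.
    $usage | Format-Table -AutoSize
    Write-Warning "'$name' is still assigned. Replace it in the policies listed above before you remove it."
} else {
    # -WhatIf only reports what would be removed; drop it to perform the removal.
    Remove-QuarantinePolicy -Identity $name -WhatIf
}
```

Each output row names the policy and the specific setting that still points at the quarantine policy, which is the value to change with the corresponding Set- cmdlet before removal.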
System alerts for quarantine release requests
By default, the default alert policy named User requested to release a quarantined message automatically generates an informational alert and sends a notification to Organization Management (global administrator) whenever a user requests the release of a quarantined message.
Admins can customize the email notification recipients or create a custom alert policy for more options.
For more information about alert policies, see Alert policies in Microsoft 365.
Quarantine policy permission details
The following sections describe the effects of preset permission groups and individual permissions in the details of quarantined messages and in quarantine notifications.
Preset permissions groups
The individual permissions that are included in preset permission groups are listed in the table at the beginning of this article.
No access
If the quarantine policy assigns the No access permissions (admin only access), users will not be able to see those messages that are quarantined:
- Quarantined message details: No messages will show in the end-user view.
- Quarantine notifications: No notifications will be sent for those messages.
Limited access
If the quarantine policy assigns the Limited access permissions, users get the following capabilities:
Quarantined message details: The following buttons are available:
- Request release
- View message headers
- Preview message
- Remove from quarantine
- Block sender
Quarantine notifications: The following buttons are available:
- Block sender
- Request release
- Review
Full access
If the quarantine policy assigns the Full access permissions (all available permissions), users get the following capabilities:
Quarantined message details: The following buttons are available:
- Release message
- View message headers
- Preview message
- Remove from quarantine
- Block sender
Quarantine notifications: The following buttons are available:
- Block sender
- Release
- Review
Note
As explained earlier, quarantine notifications are disabled in the default quarantine policy named DefaultFullAccessPolicy, even though that quarantine policy has the Full access permission group assigned. Quarantine notifications are available only in custom quarantine policies that you create or in the default quarantine access policy named NotificationEnabledPolicy (if that policy is available in your organization).
Individual permissions
Block sender permission
The Block sender permission (PermissionToBlockSender) controls access to the button that allows users to conveniently add the quarantined message sender to their Blocked Senders list.
Quarantined message details:
- Block sender permission enabled: The Block sender button is available.
- Block sender permission disabled: The Block sender button is not available.
Quarantine notifications:
- Block sender permission enabled: The Block sender button is available.
- Block sender permission disabled: The Block sender button is not available.
For more information about the Blocked Senders list, see Block messages from someone and Use Exchange Online PowerShell to configure the safelist collection on a mailbox.
Delete permission
The Delete permission (PermissionToDelete) controls the ability of users to delete their messages (messages where the user is a recipient) from quarantine.
Quarantined message details:
- Delete permission enabled: The Remove from quarantine button is available.
- Delete permission disabled: The Remove from quarantine button is not available.
Quarantine notifications: No effect.
Preview permission
The Preview permission (PermissionToPreview) controls the ability of users to preview their messages in quarantine.
Quarantined message details:
- Preview permission enabled: The Preview message button is available.
- Preview permission disabled: The Preview message button is not available.
Quarantine notifications: No effect.
Allow recipients to release a message from quarantine permission
Note
This permission is not honored for messages that were quarantined as malware (anti-malware policies or Safe Attachments policies) or as high confidence phishing (anti-spam policies). Users cannot release their own malware or high confidence phishing messages from quarantine. At best, you can use the Allow recipients to request a message to be released from quarantine permission.
The Allow recipients to release a message from quarantine permission (PermissionToRelease) controls the ability of users to release their quarantined messages directly and without the approval of an admin.
Quarantined message details:
- Permission enabled: The Release message button is available.
- Permission disabled: The Release message button is not available.
Quarantine notifications:
- Permission enabled: The Release button is available.
- Permission disabled: The Release button is not available.
Allow recipients to request a message to be released from quarantine permission
The Allow recipients to request a message to be released from quarantine permission (PermissionToRequestRelease) controls the ability of users to request the release of their quarantined messages. The message is only released after an admin approves the request.
Quarantined message details:
- Permission enabled: The Request release button is available.
- Permission disabled: The Request release button is not available.
Quarantine notifications:
- Permission enabled: The Request release button is available.
- Permission disabled: The Request release button is not available.