
Quarantine policies in Microsoft 365 Defender

Since December 2021, Microsoft has moved the end-user spam notification out of the inbound anti-spam policy and into the new quarantine policy. This policy also lets you control what users can do with their quarantined messages. In this post I will explain everything about quarantine policies.

What are quarantine policies

Back in April 2020, Microsoft made it possible for users to view or delete quarantined messages (except high confidence phishing). Some organizations were not happy that users have access to their own quarantined items. With quarantine policies you have more control over the quarantine for your end users.

This means that if you set a ‘to quarantine’ action in your anti-spam or anti-phishing policy, such as the spoof detection in your anti-phishing policy, you can assign a separate quarantine policy to it. That policy lets you control whether the user can release the message and whether the user gets an end-user spam notification for it.

The default quarantine policies

You can access the quarantine policies by going to https://security.microsoft.com/quarantinePolicies. Out of the box you will already see two policies: ‘DefaultFullAccessPolicy’ and ‘AdminOnlyAccessPolicy’.

The ‘DefaultFullAccessPolicy’ has the same settings we have had since April 2020. Its user message access settings (except for high confidence phishing) are:

  • release the message from quarantine
  • block sender
  • delete the message
  • preview the message
  • End user spam notification is disabled by default.

The ‘AdminOnlyAccessPolicy’ is the default policy for quarantine access for high confidence phishing in the inbound anti-spam policy. This policy sets the user message access to:

  • no allowed actions
  • End user spam notification is disabled by default.

This means that if you do not want your users to release messages for any protection category in your anti-spam or anti-phishing policies, you can now set all quarantine actions to ‘AdminOnlyAccessPolicy’. I know some organizations have doubts about leaving this to their end users. However, with some good user adoption, I’d advise leaving the release to the end users so that they become familiar with the quarantine and eventually see it as the new junk folder, where, for their safety, they can’t directly click on links. It helps to enable the end-user spam notification to make the check easier for your end users.

Create a custom quarantine policy

To enable end-user spam notification, you need to create a custom quarantine policy.

  • Step 1: Go to https://security.microsoft.com/quarantinePolicies
  • Step 2: Click on ‘Add custom policy’
  • Step 3: Set a policy name like ‘Company name – End user spam notification’
  • Step 4: Choose the settings that fit your needs. As per my advice, I am in favor of ‘Allow recipients to release a message from quarantine’ under ‘Set specific access’, with ‘Preview’ as the only ‘additional action’.
  • Step 5: Check ‘Enable’ on the ‘End user spam notification’ page.
  • Step 6: Save your policy

You can also change the notification settings under ‘Global settings’. There you can set a display name or a disclaimer to clarify why your organization sent this message.

After you have set this all up, you can apply your new policy to all ‘quarantine’ actions, except for high confidence phishing or spam actions (as per my advice).
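
The same setup can be scripted in Exchange Online PowerShell. This is an added example, not part of the original post: it creates the policy from steps 3 to 6, assigns it, and prints the result so you can confirm that the high confidence tags were left alone. The policy name and the two target policy names are assumptions, and the example reads the advice above as leaving the spam, high confidence spam and high confidence phishing tags untouched.

```powershell
# Added example. Requires the ExchangeOnlineManagement module and an admin account.
Connect-ExchangeOnline

# EndUserQuarantinePermissionsValue is a bit field; these are the decimal weights
# of the user message access actions discussed in this post.
$Perm = @{ Delete = 1; Preview = 2; Release = 4; RequestRelease = 8; BlockSender = 16 }

# Step 4: allow recipients to release, with Preview as the only additional action.
$value = $Perm.Release + $Perm.Preview   # 4 + 2 = 6

# Steps 3, 5 and 6: name the policy, enable the end-user spam notification, save.
$name = 'Company name - End user spam notification'   # constructed name, change it
New-QuarantinePolicy -Name $name `
    -EndUserQuarantinePermissionsValue $value `
    -ESNEnabled $true

# Assumption: you are editing the built-in default policies. Replace these with
# the names of your own anti-spam and anti-phishing policies if you use custom ones.
$antiSpam  = 'Default'
$antiPhish = 'Office365 AntiPhish Default'

# Assign the new policy. A quarantine tag only takes effect for a verdict whose
# action is set to quarantine. The Spam, HighConfidenceSpam and HighConfidencePhish
# tags are deliberately not passed here, so they keep their current policy.
Set-HostedContentFilterPolicy -Identity $antiSpam `
    -PhishQuarantineTag $name `
    -BulkQuarantineTag  $name
Set-AntiPhishPolicy -Identity $antiPhish -SpoofQuarantineTag $name

# Verify: show the new policy and every quarantine tag on the edited policies.
Get-QuarantinePolicy -Identity $name |
    Format-List Name, ESNEnabled, EndUserQuarantinePermissions*
Get-HostedContentFilterPolicy -Identity $antiSpam |
    Format-List Name, *QuarantineTag
Get-AntiPhishPolicy -Identity $antiPhish |
    Format-List Name, *QuarantineTag
```

In the verification output, HighConfidencePhishQuarantineTag should still show ‘AdminOnlyAccessPolicy’ unless you changed it earlier.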

