Quarantine policies
Quarantine policies are an important part of your email hygiene. Policies such as anti-phishing and anti-spam state that when a message matches a certain criterion, such as phishing, that message should be quarantined. The quarantine policy applied is configured here, and it dictates whether a user is notified about an item in quarantine and what actions they can take on the message.
Considerations before deployment
Note that even if you specify that a user can release a message from quarantine, this will never be honored for messages quarantined for malware or high confidence spam. Those will always require an admin to release the message.
Automatic replies
Messages sent to quarantine will not receive automatic replies, such as out of office messages, either at the time they are quarantined or at the time they are released.
Shared mailboxes
For shared mailboxes, any user with full access to the shared mailbox can manage quarantined items for the shared mailbox. They can only do what you specify in the policy, just as if it were any other quarantined item. They can access the quarantine from the quarantine notification (if configured) or by adjusting the recipient filter on the quarantine page to the shared mailbox's email address.
Global settings
This page also has global settings near the create policy button, where you can customize your quarantine notifications. Attackers can easily replicate the Microsoft quarantine notifications and use them to trick your users (there's an attack simulation training payload for this!).
By customizing your notifications you add extra hurdles an attacker would have to replicate to trick your users. This of course won't help every user, but adding branding and customizations may help clue your users into a fake quarantine notification.
Global customization options include:
Sender display name
- You must select a language first before you customize the sender display name.
- Sender display name cannot equal an existing mailbox's display name.
Specify sender address
- You can specify an existing mailbox in your environment here.
- If none is specified the default of quarantine@messaging.microsoft.com will be used.
Subject
- You must select a language first before you customize the subject.
Disclaimer
- You must select a language first before you customize the disclaimer.
- Disclaimers will appear at the very start of the quarantine message.
Choose language
- You can select up to three different languages here.
- The quarantine messages are already localized to the language of the recipient's mailbox; this is for customizing the Sender display name, Subject, and Disclaimer on this global setting page.
- For full implementation guidelines see Microsoft documentation.
Use my company logo
- This adds your company logo to your quarantine notification, which can help end users spot fake quarantine notifications from low effort attackers.
- This does not use the Azure/Entra ID branding but the themes in Microsoft 365. See more about configuring this in Microsoft's documentation.
- If you don't have this configured you will not see a logo on this page. There should be a preview of your logo here if configured properly.
Send end-user spam notifications
- You have three choices here:
  - Send daily
  - Send weekly
  - Send every 4 hours
- The notifications are a digest so if 3 messages got quarantined since the last notification you will see those three messages in the next digest.
- From experience, these times are not exact. If it has been days since your last quarantined message, the next quarantine message you receive will likely result in the digest being sent soon after and this starts the "timer" for when a new quarantine digest will go out assuming another message is quarantined in that window.
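The same global settings can be applied from Exchange Online PowerShell. This is an added example, not taken from the original page; the Contoso names, the from address and all text strings are placeholder assumptions.

```powershell
# Added example. Assumes the ExchangeOnlineManagement module is installed and
# the signed-in admin is allowed to manage quarantine policies.
Connect-ExchangeOnline

# Placeholder values (assumptions). Up to three languages can be listed; the
# sender name, subject and disclaimer lists are positional, one entry per
# language, in the same order as MultiLanguageSetting.
$settings = @{
    MultiLanguageSetting    = @('English', 'Spanish')
    # Must not equal the display name of an existing mailbox.
    MultiLanguageSenderName = @('Contoso Mail Security', 'Seguridad de Correo de Contoso')
    ESNCustomSubject        = @(
        'Contoso: messages held in quarantine',
        'Contoso: mensajes retenidos en cuarentena'
    )
    # Shown at the very start of the notification.
    MultiLanguageCustomDisclaimer = @(
        'Sent by Contoso IT. We never ask for your password to release a message.',
        'Enviado por Contoso IT. Nunca pedimos su clave para liberar un mensaje.'
    )
    # An existing mailbox in the tenant; when omitted, the default
    # quarantine@messaging.microsoft.com is used.
    EndUserSpamNotificationCustomFromAddress = 'quarantine-notice@contoso.com'
    # Uses the Microsoft 365 theme logo, not the Entra ID branding.
    OrganizationBrandingEnabled = $true
    # 04:00:00 = every 4 hours, 1.00:00:00 = daily, 7.00:00:00 = weekly.
    EndUserSpamNotificationFrequency = '04:00:00'
}

# The global settings live on the single policy of type GlobalQuarantinePolicy.
Get-QuarantinePolicy -QuarantinePolicyType GlobalQuarantinePolicy |
    Set-QuarantinePolicy @settings

# Read the settings back to confirm what was stored.
Get-QuarantinePolicy -QuarantinePolicyType GlobalQuarantinePolicy | Format-List
```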
Policy Configuration
There are three default policies which cannot be edited, but you can view the settings for:
DefaultFullAccessPolicy
- Allows the user to do the following to the message:
  - Release
  - Delete
  - Preview
  - Allow sender
- No notification is sent
AdminOnlyAccessPolicy
- User cannot do anything with the message
- User cannot see the message
- No notification is sent
DefaultFullAccessWithNotificationPolicy
- Allows the user to do the following to the message:
  - Release
  - Delete
  - Preview
  - Allow sender
- Quarantine notification is sent to the user in the digest
Some tenants may also have NotificationEnabledPolicy. This can be modified and is a remnant of having an older Microsoft tenant (2021).
You can create a custom policy that allows all or only some options on the message. One notable item not included in any of the default policies is the ability to allow the user to request the release of a message from quarantine. This might be a good option for things like quarantined impersonations if you and your admin team have the bandwidth to handle releasing the messages.
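A custom request-release policy for quarantined impersonations can be created in Exchange Online PowerShell. This is an added example, not taken from the original page; both policy names are hypothetical, and the permission set shown (block sender, request release, preview, delete) is one possible choice.

```powershell
# Added example. Assumes the ExchangeOnlineManagement module is installed and
# the signed-in admin is allowed to manage quarantine and anti-phishing policies.
Connect-ExchangeOnline

# Bit values Microsoft documents for -EndUserQuarantinePermissionsValue.
$perm = @{
    Delete         = 1
    Preview        = 2
    Release        = 4
    RequestRelease = 8
    BlockSender    = 16
}

# Users may ask for a release but cannot release on their own. Release and
# RequestRelease are alternatives, so only one of the two bits is set.
$value = $perm.BlockSender -bor $perm.RequestRelease -bor $perm.Preview -bor $perm.Delete
# $value is 27

$quarantinePolicy = 'RequestReleaseWithNotification'   # hypothetical name

# -ESNEnabled $true includes messages held under this policy in the user's
# quarantine notification digest.
New-QuarantinePolicy -Name $quarantinePolicy `
    -EndUserQuarantinePermissionsValue $value `
    -ESNEnabled $true

# Attach the policy to the user-impersonation verdict of an anti-phishing
# policy. 'Contoso Impersonation' is a hypothetical, already existing policy
# with user impersonation protection turned on.
Set-AntiPhishPolicy -Identity 'Contoso Impersonation' `
    -TargetedUserProtectionAction Quarantine `
    -TargetedUserQuarantineTag $quarantinePolicy

# Confirm what was stored.
Get-QuarantinePolicy -Identity $quarantinePolicy | Format-List
```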
Quarantine Digest
The digest message will come from quarantine@messaging.microsoft.com unless otherwise specified in the quarantine global settings.
From the email the user can review message, release, or block sender. Users review messages in the Defender portal at https://security.microsoft.com/quarantine.
When a message is released it is delivered to the user's mailbox at the time it was released. This means that if they wait two days to release a message, it will be at the top of their inbox, not placed with its original timestamp.