
Review

Review gives you access to release quarantined messages and to the restricted entities list (users blocked from sending), as well as to the Action center, where Microsoft has evaluated incidents and Automated Investigation and Response (AIR) has suggested actions.

Action Center

The Action center contains actions that automated investigation has evaluated and recommended, such as soft-deleting an email. It covers more than MDO: actions from the other Defender products land here too. Some actions are taken automatically; others require admin approval. Items that require approval sit in a pending state and time out if nobody approves or rejects them within 7 days.

Quarantine

This page contains quarantined emails, along with quarantined files (SharePoint, OneDrive and Teams) and Teams messages if you have those features enabled in your environment. It is also the page your end users use to release their own messages from quarantine. Although end users land in the Defender portal, they cannot see anything else in it; they see only the quarantined messages addressed to them. A released message is delivered to the inbox immediately, stamped with the time of release rather than the original delivery time, so it should always appear at the top of the inbox.

Quarantine policies dictate what a user can do with a quarantined message (preview, delete, block the sender, release, or request release). You can assign a different quarantine policy per verdict: spam, phishing, impersonation, and so on. Users can never release malware or high-confidence phishing themselves; the most they can do is request release, and only if the quarantine policy applied to that verdict lets them see those messages and request their release.

Quarantined messages are generally retained for 30 days. Microsoft publishes the full list of retention periods in its documentation; the most common ones are summarized below.

Message quarantined by   Default retention (days)   Customizable
Anti-spam                15 or 30                   Yes (1 to 30, set per anti-spam policy)
Anti-phish               15 or 30                   Yes (1 to 30, set per anti-spam policy)
Anti-malware             30                         No
Safe Attachments         30                         No
Teams ZAP                30                         No
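The quarantine tasks described above (finding and releasing a user's quarantined mail, deciding what end users may do, and setting the customizable retention) can all be done from Exchange Online PowerShell. The following is an added example written for this page, not code from the original or from Microsoft. It assumes the ExchangeOnlineManagement module is installed and that you hold a role allowed to manage quarantine; the recipient address, the policy name Users-RequestReleaseOnly and the choice of which message to release are illustrative placeholders.

```powershell
# Added example (not from the original page): quarantine management with Exchange Online PowerShell.
# Assumptions: ExchangeOnlineManagement module installed; caller holds a role that can manage quarantine
# (e.g. Security Administrator). 'jane.doe@contoso.com' and 'Users-RequestReleaseOnly' are placeholders.
Connect-ExchangeOnline

# 1. What has been quarantined for one recipient in the last 7 days, which verdict put it there,
#    and when it expires.
$since = (Get-Date).AddDays(-7)
$items = Get-QuarantineMessage -RecipientAddress 'jane.doe@contoso.com' -StartReceivedDate $since -PageSize 100
$items | Select-Object ReceivedTime, SenderAddress, Subject, Type, Expires, Released | Format-Table -AutoSize

# 2. Look at a message before releasing it. Preview renders the message as text in the console,
#    so nothing is downloaded to or opened on your workstation.
$msg = $items | Where-Object { -not $_.Released } | Select-Object -First 1
Preview-QuarantineMessage -Identity $msg.Identity

# 3. Release it to every original recipient and report the false positive to Microsoft.
#    The released copy is delivered with the release time, not the original receive time.
Release-QuarantineMessage -Identity $msg.Identity -ReleaseToAll -ReportFalsePositive

# 4. Control what end users may do themselves. EndUserQuarantinePermissionsValue is a bit mask:
#    Delete=1, Preview=2, Release=4, RequestRelease=8, BlockSender=16, AllowSender=32,
#    Download=64, ViewHeader=128. 27 (1+2+8+16) is Microsoft's "limited access" preset:
#    users can preview, delete, block the sender and *request* release, but not release directly.
#    -ESNEnabled turns on the end-user quarantine notification mails.
New-QuarantinePolicy -Name 'Users-RequestReleaseOnly' -EndUserQuarantinePermissionsValue 27 -ESNEnabled $true

# 5. Apply it per verdict in the anti-spam policy and set the customizable retention (1-30 days)
#    shown in the table above. High-confidence phish stays admin-only here; malware and
#    Safe Attachments retention is fixed at 30 days and is not configurable on this policy.
Set-HostedContentFilterPolicy -Identity 'Default' `
    -SpamQuarantineTag 'Users-RequestReleaseOnly' `
    -PhishQuarantineTag 'Users-RequestReleaseOnly' `
    -HighConfidencePhishQuarantineTag 'AdminOnlyAccessPolicy' `
    -QuarantineRetentionPeriod 30
```

Step 2 is the point most worth keeping: preview (or Export-QuarantineMessage to a file for offline analysis) before release, because releasing with -ReleaseToAll delivers the message to every original recipient at once. Assigning the permissive policy only to the spam and phish verdicts, while leaving AdminOnlyAccessPolicy on high-confidence phish, is what keeps the behaviour described above, where users can at most request release for the dangerous verdicts.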

Restricted Entities

Users who have exceeded the sending limits set in your outbound anti-spam policy show up here. A restricted user can still receive email, but any message they try to send while restricted is rejected with a special NDR.

Users in this list should be investigated, and remediated if the account has been compromised. You may want to consider:

  • Raising the sending threshold if legitimate users hit it frequently in your environment
  • Speaking to the user about using a distribution list or a bulk mailing service instead
  • Moving the user to a separate outbound policy with a higher threshold if sending bulk email is a normal part of their job
  • If the account is compromised:
    • Resetting the password and revoking active sessions
    • Checking inbox rules and mail forwarding for attacker persistence

Currently there is no way to give someone access to only the restricted entities list so that they can release users from it. You can grant limited permissions, but not for this single component. This is arguably the right design: when someone hits these limits, an investigation should always be launched to confirm that the messages were sent by the user and not by an attacker who has compromised the account. A security admin has the rights both to perform that investigation and to release the user.
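The triage procedure above (see who is blocked and why, confirm whether the sending was legitimate, remediate, then release) maps onto a handful of Exchange Online cmdlets. What follows is an added example written for this page, not code from the original or from Microsoft. It assumes the ExchangeOnlineManagement module and a role that can manage outbound spam settings; the user address, the policy name Bulk senders, the limits chosen for it and the commented-out rule name are illustrative placeholders.

```powershell
# Added example (not from the original page): triaging the restricted entities list with
# Exchange Online PowerShell. Assumptions: ExchangeOnlineManagement module installed; caller can
# manage outbound spam settings. 'jane.doe@contoso.com' and 'Bulk senders' are placeholders.
Connect-ExchangeOnline

# 1. Who is currently blocked from sending, why, and since when.
Get-BlockedSenderAddress | Select-Object SenderAddress, Reason, CreatedDatetime | Format-Table -AutoSize

# 2. Which limits and action apply. A user lands on the list when a policy whose
#    ActionWhenThresholdReached is BlockUser or BlockUserForToday sees a limit crossed.
Get-HostedOutboundSpamFilterPolicy |
    Select-Object Name, RecipientLimitExternalPerHour, RecipientLimitInternalPerHour,
                  RecipientLimitPerDay, ActionWhenThresholdReached

# 3. Investigate before releasing. First, what did the account actually send? Hundreds of
#    near-identical subjects to external recipients looks different from one newsletter run.
$user = 'jane.doe@contoso.com'
Get-MessageTrace -SenderAddress $user -StartDate (Get-Date).AddDays(-2) -EndDate (Get-Date) -PageSize 500 |
    Group-Object -Property Subject |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 10

#    Second, the usual post-compromise persistence: rules that delete, hide or forward mail,
#    and mailbox-level forwarding.
Get-InboxRule -Mailbox $user |
    Select-Object Name, Enabled, DeleteMessage, MoveToFolder, ForwardTo, ForwardAsAttachmentTo, RedirectTo

Get-Mailbox -Identity $user |
    Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward

# 4a. Compromised: contain first (reset the password and revoke sessions in Entra ID, then remove
#     the attacker's rules and forwarding), and only then release. Uncomment with the real rule name.
# Remove-InboxRule -Mailbox $user -Identity 'Suspicious rule name' -Confirm:$false
# Set-Mailbox -Identity $user -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false

# 4b. Legitimate bulk sender: move the user to a policy with a higher limit that only alerts,
#     rather than raising the default thresholds for the whole tenant.
New-HostedOutboundSpamFilterPolicy -Name 'Bulk senders' `
    -RecipientLimitExternalPerHour 2000 -RecipientLimitPerDay 20000 `
    -ActionWhenThresholdReached Alert
New-HostedOutboundSpamFilterRule -Name 'Bulk senders' -HostedOutboundSpamFilterPolicy 'Bulk senders' -SentTo $user

# 5. Release the sender once the investigation is closed.
Remove-BlockedSenderAddress -SenderAddress $user
```

The ordering matters: releasing first and investigating afterwards hands a still-compromised account straight back to the attacker, who will simply hit the limit again. Get-MessageTrace only covers recent history, so run step 3 promptly after the block; for anything older, use historical search or the unified audit log.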