Email security matters for every Microsoft 365 tenant, and quarantine policies are a critical part of it. Every Microsoft 365 administrator has to decide how the tenant reacts to spam, phishing, and malicious content in email. One possible action is to quarantine such messages, and the quarantine policy then decides what the recipient can do with them. In this post, you will learn how quarantine policies are structured and how to configure them in Microsoft 365.

Importance of efficient quarantine policies

Exchange Online Protection (EOP) and Microsoft Defender for Office 365 policies, such as antispam, antiphishing, antimalware, and Safe Attachments, all protect your users from malicious email. One of the actions available in these policies is to quarantine a message. It is just as important to decide which actions end users may take on quarantined messages, because this has a direct impact on the end user experience.

For instance, if end users are not notified about their quarantined messages, they may never learn about them and may miss important mail. Users can also be allowed to block the sender or release messages from quarantine themselves. However, this should not be allowed for high-risk messages such as high-confidence phishing, where an admin should review before anything is released. A clear understanding of these policies is therefore essential.

Structure of quarantine policies

It's important to understand the manner in which quarantine policies have been designed in Microsoft 365.

Quarantine policies are built from permission groups. There are three permission groups: No Access, Limited Access, and Full Access. Each group is a fixed set of individual permissions (for example, block sender, delete, preview, release, or request release). These individual permissions are what control the level of access end users have to quarantined messages.

Permission groups

Permission groups define the level of access that end users get through a quarantine policy. These groups are shown in the following figure:

Permissions in each permission group

These permission groups are assigned by default to the built-in quarantine policies, as shown in the following table:

Permission groups assigned to built in quarantine policies

Types of quarantine policies

Quarantined messages differ in the severity of the risk they pose. For instance, you might not want your users to be able to release high-confidence phishing messages from quarantine, while you would want to let them release ordinary spam themselves. Microsoft provides three built-in quarantine policies for this, and you can add custom policies of your own to match your organization's requirements.

We will explore them in the following subsections.

Default Full Access policy

This is the policy to use when you want end users to be able to release, block the sender of, delete, and preview quarantined messages. It is the most commonly applied quarantine policy and is the default for the spam, bulk, and phishing (not high-confidence phishing) verdicts in the antispam and antiphishing policies; it can also be assigned in custom policies.

It is worth noting that this policy is present in all tenants and cannot be modified. In addition, end user quarantine notifications are not available in this policy. However, you can enable them through custom quarantine policies, which will be covered later in this article.

Features of the default full access quarantine policy

Admin-only Access policy

This is the most restrictive quarantine policy. It is intended for high-risk content that an admin should review before it is released. It can be assigned to any of the email security policies and cannot be modified by admins.

As the figure shows, end users have no rights at all over a message to which this policy applies.

Features of admin only access quarantine policy

Notification-enabled policy

Microsoft restructured the quarantine policy setup in August 2021. Tenants that had end user spam notifications enabled at that time see this notification-enabled policy, which replaced the old end user spam notification policy.

This policy can be modified by admins, so it can be tailored to your organization's needs. It grants the same Full Access permissions as the Default Full Access policy and additionally has end user notifications enabled.

Features of notification enabled quarantine policy

Custom policy

In addition to the policies created by Microsoft, you can create your own custom policies. This is useful when you need a combination of permissions and notification behavior for a specific verdict that none of the built-in policies provides.

For example, by default, all messages marked as high-confidence phishing have the AdminOnlyAccessPolicy applied to them. This means end users cannot act on them and are not notified about them. If you want users to at least be notified of such events, but you don't want them to be able to delete or release the messages, none of the policies created by Microsoft fulfills this requirement.

This is where a custom policy helps. You can create a new policy that notifies users when high-confidence phishing messages are sent to quarantine. You can also let users request that such messages be released, which leaves the final decision with an admin.

The figure below shows a similar policy. The next page allows you to enable notifications for users.

Example of settings in a custom quarantine policy
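The same custom policy built from Exchange Online PowerShell, as an added example that is not part of the original article. It assumes the ExchangeOnlineManagement module is installed, and the policy name and the default antispam policy as the target are illustrative choices. The permission set matches the scenario above: users are notified and may preview, block the sender, and request release, but they can neither release nor delete.

```powershell
# Added example (not from the original article): create a custom quarantine
# policy for high-confidence phishing that notifies users and lets them request
# release, then assign it to that verdict in the default antispam policy.
# Assumes the ExchangeOnlineManagement module; the policy name is an assumption.

Connect-ExchangeOnline

$policyName = 'HighConfPhish-NotifyRequestOnly'

# Build the permission set explicitly instead of picking a preset group.
# Release and RequestRelease are mutually exclusive: set at most one of them.
# Delete is also left off, as the scenario requires.
$perms = New-QuarantinePermissions `
    -PermissionToBlockSender $true `
    -PermissionToDelete $false `
    -PermissionToPreview $true `
    -PermissionToRelease $false `
    -PermissionToRequestRelease $true

# A quarantine policy cannot be renamed after creation, so name it for intent.
# ESNEnabled turns on end user quarantine notifications for this policy.
New-QuarantinePolicy -Name $policyName `
    -EndUserQuarantinePermissions $perms `
    -ESNEnabled $true

# Point the high-confidence phishing verdict of the default antispam policy at it.
# Users still cannot release; a release request has to be approved by an admin.
Set-HostedContentFilterPolicy -Identity Default `
    -HighConfidencePhishQuarantineTag $policyName

# Check 1: which quarantine policy each antispam verdict now uses.
Get-HostedContentFilterPolicy |
    Format-Table Name, SpamQuarantineTag, HighConfidenceSpamQuarantineTag,
                 PhishQuarantineTag, HighConfidencePhishQuarantineTag, BulkQuarantineTag

# Check 2: what every quarantine policy in the tenant grants to end users.
Get-QuarantinePolicy |
    Format-Table Name, EndUserQuarantinePermissionsValue, ESNEnabled
```

The second check shows the permission set as a decimal value: the built-in AdminOnlyAccessPolicy reports 0 (No Access), DefaultFullAccessPolicy 23 (Full Access), and a Limited Access set 27. Whatever value your custom policy reports, confirm that the release bit is not set on anything attached to the high-confidence phishing verdict; letting users release that verdict themselves defeats the purpose of quarantining it.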

Where are quarantine policies applied?

Quarantine policies are assigned per verdict inside the email security policies that can quarantine a message. When EOP or Defender for Office 365 quarantines a message under one of the following policies, the quarantine policy assigned to that verdict decides what the recipient may do with it:

  • Antiphishing policy
  • Antispam policy
  • Antimalware policy
  • Safe attachments policy

For example, the following screenshot shows how the DefaultFullAccessPolicy and AdminOnlyAccessPolicy are assigned to the individual verdicts of the antispam policy.

Quarantine policies applied in an antispam email security policy in EOP

Quarantine notifications

It is important to let end users know when messages sent to them are quarantined. Whether they are notified is part of the quarantine policies discussed in the preceding sections. In this section, we explore the related settings.

Quarantine notifications are not enabled in the built-in DefaultFullAccessPolicy or AdminOnlyAccessPolicy. You enable them in a custom policy or, if your tenant had the end user spam notification policy in the past, in the NotificationEnabledPolicy.

Global quarantine notification setting

Apart from enabling quarantine notifications in a quarantine policy, you also need to define the tenant-wide notification settings. These are found in the Microsoft 365 Defender portal under Policies & rules > Threat policies > Quarantine policies. There, click Global settings. Let's look at the settings.

Configuration of global quarantine notification

First, decide on the language for the notifications. As seen in the screenshot above, the language selected is the default, English.

If you want to add more languages, select each language and add it. You must enter the Display name and Disclaimer separately for every language you add.

In the Display name field, enter the name shown as the sender of the quarantine notification email. The Disclaimer is added at the bottom of the email.

You can also add your company logo to the notifications in the next setting; it uses the logo configured in your organization's branding in the Microsoft 365 admin center. The final step is to choose the notification frequency. A notification lists the messages quarantined for that recipient since the previous one; with 1 day selected here, that is the past 24 hours.
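The same global settings configured from Exchange Online PowerShell, as an added example that is not part of the original article. It assumes the ExchangeOnlineManagement module; the display names, disclaimer texts, and the second language are illustrative values, and the language names follow the list the portal offers.

```powershell
# Added example (not from the original article): set the tenant-wide quarantine
# notification settings (languages, sender display name, disclaimer, logo,
# frequency) and verify them. Assumes the ExchangeOnlineManagement module;
# names, disclaimer texts and the second language are illustrative assumptions.

Connect-ExchangeOnline

# There is exactly one global quarantine policy per tenant. Retrieve it by type
# rather than hard-coding its name.
$global = Get-QuarantinePolicy -QuarantinePolicyType GlobalQuarantinePolicy

# The three MultiLanguage* parameters are parallel arrays: index N of each belongs
# to the same language, so every added language needs its own sender name and
# disclaimer. 'Default' is English, as in the portal screenshot.
$languages   = @('Default', 'German')
$senderNames = @('Contoso Quarantine', 'Contoso Quarantäne')
$disclaimers = @(
    'Messages are kept in quarantine for a limited time. Contact the help desk with questions.',
    'Nachrichten bleiben nur begrenzte Zeit in der Quarantäne. Bei Fragen wenden Sie sich an den Helpdesk.'
)

# Frequency is a TimeSpan: 04:00:00 (4 hours), 1.00:00:00 (daily), 7.00:00:00 (weekly).
# OrganizationBrandingEnabled corresponds to the "Use my company logo" option.
Set-QuarantinePolicy -Identity $global.Identity `
    -MultiLanguageSetting $languages `
    -MultiLanguageSenderName $senderNames `
    -MultiLanguageCustomDisclaimer $disclaimers `
    -EndUserSpamNotificationFrequency 1.00:00:00 `
    -OrganizationBrandingEnabled $true

# Verify what the tenant now reports.
Get-QuarantinePolicy -QuarantinePolicyType GlobalQuarantinePolicy |
    Format-List MultiLanguageSetting, MultiLanguageSenderName,
                MultiLanguageCustomDisclaimer, EndUserSpamNotificationFrequency,
                OrganizationBrandingEnabled
```

Keep the three language arrays the same length; a missing disclaimer or sender name for one language is the most common reason a notification arrives without the expected text. The logo toggle only has an effect once a logo is actually uploaded in the organization's branding, so check that separately.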

Here is an example of a quarantine email notification:

Example of a quarantine notification email received by a user

Conclusion

Quarantine policies determine what end users can do with messages that EOP and Defender for Office 365 have quarantined. Understanding the built-in policies, how custom policies extend them, and which verdict each one is assigned to will help you structure them properly and give your end users the best experience in dealing with their quarantined mail.

© 4sysops 2006 - 2023