- Configure Quarantine Policies in Microsoft 365 - Fri, Aug 12 2022
- Data loss prevention policies (DLP) in Microsoft Teams - Mon, Jul 11 2022
- Configuring data loss prevention for email from the Compliance Center in Microsoft 365 - Fri, Dec 3 2021
Importance of efficient quarantine policies
Exchange Online protection settings, such as antispam, antiphishing, antimalware, and safe attachments in Microsoft 365 Defender, are all used to safeguard your users from malicious emails. One of the actions in these settings is to quarantine emails. However, it is vital to decide on the types of actions we will allow end users to take on quarantined emails. This has a direct impact on the end user experience.
For instance, if end users are not notified about their quarantined emails, they may be unaware of such emails and may end up missing important ones. At the same time, users can also be allowed to block or release emails from quarantine. However, this should not be allowed for high-risk emails. As a result, proper awareness of these policies is essential.
Structure of quarantine policies
It's important to understand the manner in which quarantine policies have been designed in Microsoft 365.
Quarantine policies are applied with permission groups. There are three permission groups: No Access, Limited Access, and Full Access. These groups contain individual policy permissions. It's on the basis of these policy permissions that you can control the level of access end users have on quarantine emails.
Permission groups
Permission groups define the level of access that end users get through a quarantine policy. These groups are shown in the following figure:
Permissions in each permission group
These permission groups are assigned by default to the built-in quarantine policies, as shown in the following table:
Permission groups assigned to built in quarantine policies
Types of quarantine policies
Quarantine emails can be of different types depending on the severity of the risk they pose. For instance, you might not want your users to be able to release high-confidence phishing emails from their quarantine. However, you would want to empower your users to be able to release other types of quarantined emails. There are three types of policies that you can utilize to handle quarantine emails, depending on your organization's requirements.
We will explore them in the following subsections.
Default Full Access policy
This is a policy that must be applied when you want end users to have the power to release, block, delete, and preview quarantined emails. This is the most common quarantine policy. It is used in antiphishing, antispam inbound, and custom policies.
It is worth noting that this policy is present in all tenants and cannot be modified. In addition, end user quarantine email notifications are not available in this policy. However, you can enable them through custom quarantine polices, which will be covered later in this article.
Features of the default full access quarantine policy
Admin-only Access policy
This is the most restrictive quarantine policy. It's mainly used in scenarios where the content is highly risky, and we want an admin to review it before it is released. This policy can be applied to all types of email security policies. This policy cannot be modified by admins.
As seen in the figure here, end users would have no rights over an email hitting this policy.
Features of admin only access quarantine policy
Notification-enabled policy
Microsoft restructured the quarantine policy setup in August 2021. Those tenants who had an end user spam notification policy now see this notification-enabled policy. This policy replaces the end user policy.
This policy can be modified by admins; hence, it can be tailored to suit your organization's needs. All the features of the Default Full Access policy can be combined here. You can also configure end user notifications.
Features of notification enabled quarantine policy
Custom policy
In addition to the policies created by Microsoft, you can also create your own custom policies. This becomes abundantly useful when you want to add features for specific emails in quarantine, and they aren't provided in any of the default policies.
For example, by default, all emails marked as high-confidence phishing attempts have the AdminOnlyAccessPolicy applied to them. This means end users won't be able to action them. Nor would they be notified of such incidents. In this scenario, if you want users to at least be notified of such events, but you don't want them to be able to delete or release the emails, then the existing policies created by Microsoft won't fulfill your requirements.
This is where a custom policy would help. You can easily create a new policy that allows users to be notified of high-confidence phishing emails sent to quarantine. You could also let the users request that such emails be released from quarantine if needed.
The figure below shows a similar policy. The next page allows you to enable notifications for users.
Example of settings in a custom quarantine policy
Where are quarantine policies applied?
Quarantine policies can be applied to quite a few email security policies. The main aim is to provide an action to Exchange Online Protection (EOP) to move emails to quarantine based on certain criteria:
- Antiphishing policy
- Antispam policy
- Antimalware policy
- Safe attachments policy
For example, the following screenshot shows the manner in which the default access and admin-only access quarantine policies have been applied to the antispam policy.
Quarantine policies applied in an antispam email security policy in EOP
Quarantine notifications
It is important to let end users know that emails sent to them are quarantined. This is a part of the policies discussed in the preceding sections of this article. In this section, we explore the settings related to this.
Quarantined notifications are not enabled by default. We have to enable them through custom policies or a notification-enabled policy if your tenant had the end user spam policy in the past.
Global quarantine notification setting
Apart from enabling quarantine notifications for end users, we need to define the global quarantine notification settings for the tenant. These settings are found in the Microsoft 365 Defender portal under Policies and rules. This is the link for getting there directly. Here, click Global Settings. Let's look at the settings.
Configuration of global quarantine notification
First, decide on the language for the notifications. As seen in the screenshot above, the language selected is the default, English.
If you want to add more languages, you need to select the language and add it. You must enter the Display name and Disclaimer again for each new language.
In the Display name section, enter the name that will appear in the quarantine email notification to end users. The Disclaimer is added at the bottom of the email.
You can also add your company logo to quarantine email notifications in the next setting. The final step is to decide the frequency of these notifications. Notification emails contain all the emails in quarantine for that recipient in the past 24 hours, as we have selected 1 day as the frequency here.
Here is an example of a quarantine email notification:
Subscribe to 4sysops newsletter!
Example of a quarantine notification email received by a user
Conclusion
Quarantine policies determine how we treat malicious emails. Understanding the different policies and how they combine with each other will help you structure them properly. It will also provide your end users with the best experience in dealing with their emails in quarantine.
