
Quarantine policies - Defender for Microsoft 365

Quarantine policies help protect organizations by controlling how suspicious emails are handled. They let users manage safe messages but keep dangerous ones like phishing or malware under admin control. This way, users stay safe, and admins can review anything risky before it reaches the inbox.


Quarantine policies in Defender for Microsoft 365 let admins control how users interact with emails that are flagged as suspicious and moved to quarantine. These policies decide two main things: what actions users can take on their own quarantined messages (messages where they're a recipient) and how often they receive quarantine notification emails (every four hours, daily, or weekly).

The permissions users get depend on why the message was quarantined. For example, if an email is flagged as spam or bulk, users can usually open it, preview the content, or release it to their inbox if they think it is safe. However, for more dangerous categories like high-confidence phishing or malware, users are not allowed to view or release the message. Only admins can take action on these high‑risk items to protect the organization.

Example: A newsletter wrongly marked as spam can be released by the user, but a phishing email pretending to be IT support cannot be opened or released.

When a message is quarantined:

1. It depends on what detected the threat.

  • Emails with malware (virus) found by Anti‑malware policies → always quarantined
  • Emails flagged as malware or phishing by Safe Attachments → always quarantined
  • Emails marked as high‑confidence phishing by Anti‑spam → always quarantined

2. It depends on the security preset we use.

  • Standard preset → Quarantines only high‑risk items
  • Strict preset → Quarantines more types of suspicious emails (more aggressive protection)

Example: If an email has a dangerous attachment, it is always quarantined. If it's only suspicious spam, Standard may allow it to go to Junk, but Strict will quarantine it.

Before applying these settings, we need to configure the quarantine policy in the Microsoft 365 security portal. This helps safeguard users’ mailboxes from spam while giving them the flexibility to release safe emails, and allows the IT team to review and control potentially harmful messages.

Step 1: In the Microsoft Defender portal at https://security.microsoft.com, go to Email & collaboration → Policies & rules → Threat policies → Quarantine policy in the Rules section.

Step 2: On the Quarantine policies page, select Add custom policy to start the new quarantine policy wizard.


Step 3: On the Policy name page, enter a brief but unique name in the Policy name box (here we have used “Custom quarantine policy - 1”) → select Next.

Step 4: On the Recipient message access page, we can select one of the following values:

  • Limited access: Users get limited control over their quarantined emails. They can do most actions, but they cannot release messages without admin approval.

  • Set specific access (Advanced):

      1. Select release action preference

          • Blank (default): Users can’t release or request release.
          • Allow recipients to request release: Users can ask the admin to release the message.
          • Allow recipients to release: Users can release the message themselves.

      2. Select additional actions users can take

          • Delete: Remove the message from quarantine
          • Preview: View message content safely
          • Block sender: Stop future emails from that sender
          • Allow sender: Mark sender as safe so emails go to inbox

Once done, select Next.

Step 5: On the Quarantine notification page, select Enable to turn on quarantine notifications, and then we can select one of the following values:

  • Include quarantined messages from blocked senders: Users will see emails even if the sender is blocked.
  • Don’t include quarantined messages from blocked senders: Emails from blocked senders will not appear in user notifications.

Once done, select Next.

Step 6: On the Review policy page, we can review our selections. Select Edit in each section to modify the settings within the section. When we are finished on the Review policy page, select Submit, and then select Done on the confirmation page.

When we go back to the Quarantine policy page, the policy that we created is now listed and is ready to be assigned to a supported security feature.

Once the policy is created, we assign it to supported features. Assigning a quarantine policy to supported features controls what users are allowed to do with emails that are moved to quarantine. It also decides whether users will get notification emails about their quarantined messages. We can assign it to anti-spam policies, anti-phishing policies, anti-malware policies and Safe Attachments protection. In this article we have added it under the anti-malware policy.

Step 1: In the Microsoft Defender portal at https://security.microsoft.com, go to Email & collaboration → Policies & rules → Threat policies → Anti-malware in the Policies section.

Step 2: On the Anti-malware page, we choose Default → edit protection settings → quarantine policy. On the Protection settings page, view or select a quarantine policy in the Quarantine policy box. Here we have chosen our custom policy → select Save.

Note that users can never release emails that are quarantined as malware, no matter what the quarantine policy settings are. Even if the policy allows release, users will only be able to request the release, and the admin must approve it.
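The same two procedures (create the custom quarantine policy, then assign it to the default anti-malware policy) can also be done from Exchange Online PowerShell. This is an added example, not part of the original article: it assumes the ExchangeOnlineManagement module is installed, reuses the article's policy name, and picks request release, preview, delete and block sender as the specific access purely for illustration.

```powershell
# Added example: create the quarantine policy and assign it to the default
# anti-malware policy. Requires the ExchangeOnlineManagement module and an
# account allowed to manage threat policies.
Connect-ExchangeOnline

# EndUserQuarantinePermissionsValue is a bit field, one bit per user action.
$perm = @{
    Delete         = 1
    Preview        = 2
    Release        = 4
    RequestRelease = 8
    BlockSender    = 16
    AllowSender    = 32
}

# "Set specific access" chosen for this example (an assumption, not the
# article's selection): request release + preview + delete + block sender.
$value = $perm.RequestRelease -bor $perm.Preview -bor $perm.Delete -bor $perm.BlockSender

# Release and request release are alternatives in the wizard; refuse a value
# that sets both bits.
if (($value -band $perm.Release) -and ($value -band $perm.RequestRelease)) {
    throw 'Choose either Release or RequestRelease, not both.'
}

$policyName = 'Custom quarantine policy - 1'

# Create the policy only if it does not exist yet, with notifications enabled
# and messages from blocked senders left out of the notifications.
if (-not (Get-QuarantinePolicy | Where-Object Name -eq $policyName)) {
    New-QuarantinePolicy -Name $policyName `
        -EndUserQuarantinePermissionsValue $value `
        -ESNEnabled $true `
        -IncludeMessagesFromBlockedSenderAddress $false
}

# Assign the quarantine policy to the default anti-malware policy.
Set-MalwareFilterPolicy -Identity 'Default' -QuarantineTag $policyName

# Verify both sides of the change.
Get-QuarantinePolicy -Identity $policyName | Format-List
Get-MalwareFilterPolicy -Identity 'Default' | Format-List Name, QuarantineTag
```

Running the last two commands again after any later portal change is a quick way to confirm that the anti-malware policy still points at the intended quarantine policy.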



