Skip to Content

How to Edit Recipients of Quarantine Email Requests in MS Defender

By: Author Alex Lim

Posted on

Categories Uncategorized

Learn how to edit the list of admins who receive quarantine email requests from users in MS Defender for Office 365.

Quarantine is a feature in MS Defender for Office 365 that holds potentially dangerous or unwanted messages and files that were detected by the security policies. Users can request to release some of the quarantined items, and admins can configure who will receive these requests as alerts. In this article, you will learn how to edit the list of recipients of quarantine email requests in MS Defender for Office 365.

What is Quarantine in MS Defender for Office 365?

Quarantine is a secure place where MS Defender for Office 365 stores messages and files that were identified as spam, malware, phishing, or other threats by the security policies. Quarantine helps protect users and the organization from harmful or unwanted content, while also allowing users to access the items that they need.

Users can view and manage their own quarantined messages and files in the Microsoft Defender portal, or through quarantine notifications that are sent to their email address. Users can also request to release some of the quarantined items, if they think they are not dangerous or unwanted. For example, a user might request to release a message that was falsely detected as spam or phishing.

How to Edit the List of Recipients of Quarantine Email Requests

When a user requests to release a quarantined item, an alert is sent to the admins who are responsible for reviewing and approving the request. By default, the alert is sent to the TenantAdmins group, which includes all the global administrators and security administrators in the organization. However, you can edit the list of recipients of the quarantine email requests, and add or remove specific admins or groups.

To edit the list of recipients of quarantine email requests, you need to follow these steps:

  1. Go to the Microsoft Defender portal.
  2. In the navigation pane, select Policies > Alert policies.
  3. In the list of alert policies, search for Quarantine and find the policy named User requested to release a quarantined message.
  4. Click Edit policy to modify the settings of the policy.
  5. In the Edit policy page, go to the Alert settings section, and click Edit recipients.
  6. In the Edit recipients dialog box, you can add or remove the admins or groups who will receive the quarantine email requests. You can use the search box to find the recipients by name or email address, or select them from the list. You can also use the Select all and Clear all buttons to select or clear all the recipients in the list.
  7. After you have edited the list of recipients, click Save to apply the changes.
  8. Click Save again to save the policy settings.

Frequently Asked Questions (FAQs)

Question: How can I view and manage the quarantine email requests as an admin?

Answer: As an admin, you can view and manage the quarantine email requests in the Microsoft Defender portal or in PowerShell. To view and manage the quarantine email requests in the Microsoft Defender portal, follow these steps:

  1. Go to the Microsoft Defender portal.
  2. In the navigation pane, select Quarantine.
  3. In the Quarantine page, select the Requests tab to see the list of quarantine email requests from users.
  4. You can use the filters and the search box to find the requests that you want to review.
  5. You can select one or more requests, and click Release, Delete, or Report to perform the corresponding action. You can also click View message details to see more information about the request and the quarantined item.

To view and manage the quarantine email requests in PowerShell, you need to connect to Exchange Online PowerShell or standalone EOP PowerShell, depending on your organization type.

Question: How can I configure the quarantine policies for different protection features?

Answer: Quarantine policies define what users and admins can do to quarantined messages and files based on why they were quarantined. For example, you can configure the quarantine policy for anti-spam policies to allow users to view, release, and delete quarantined messages that were detected as spam, bulk, or phishing. You can also configure the quarantine policy for anti-malware policies to allow admins to view, release, and delete quarantined messages and files that were detected as malware.

To configure the quarantine policies for different protection features, you need to go to the Microsoft Defender portal, and select Policies > Quarantine policies. You can create, edit, or delete custom quarantine policies, and apply them to specific protection features, such as anti-spam policies, anti-phishing policies, anti-malware policies, or mail flow rules. You can also modify the default quarantine policies that are applied to all protection features.

Summary

In this article, you learned how to edit the list of recipients of quarantine email requests in MS Defender for Office 365. You also learned what is quarantine in MS Defender for Office 365, and how to view and manage the quarantine email requests as an admin. You also learned how to configure the quarantine policies for different protection features.

Disclaimer: This article is for informational purposes only and does not constitute professional advice. The information and instructions in this article are based on the current version of MS Defender for Office 365 as of the date of publication. The information and instructions may change or become outdated in the future. You should always consult the official documentation and support resources of MS Defender for Office 365 before applying any changes or updates to your organization. The author and publisher of this article are not responsible for any errors, omissions, damages, or losses that may result from following the information and instructions in this article.