-## Recommended actions (preview)

-After you create a communication compliance policy, it's a good idea to test it to make sure that the conditions you defined are being properly enforced by the policy. You may also want to [test your Microsoft Purview Data Loss Prevention (DLP) policies (preview)](dlp-test-dlp-policies.md) if your communication compliance policies include sensitive information types. Make sure you give your policies time to activate so that the communications you want to test are captured.

-## Unresolve messages (preview)

-## Policy for insider risk management integration (preview)

-## Storage limit notification (preview)

-## Integration with insider risk management (preview)

-## Get started with recommended actions (preview)

-Whether you're setting up communication compliance for the first time or getting started with creating new policies, the new [recommended actions](/microsoft-365/compliance/communication-compliance-configure#recommended-actions-preview) experience can help you get the most out of communication compliance capabilities. Recommended actions include setting up permissions, creating distribution groups, creating policies, and more.

-There are roles and role groups that you can use to fine-tune your access controls.

-Here's a list of applicable roles that you can use. To learn more about them, see [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md).

-Here's a list of applicable role groups that you can use. To learn more about the, see [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md).

-<!--

-> [!IMPORTANT]

-> Access to Activity explorer via the Security Reader or Device Management role groups or other has been removed-->

-**Microsoft 365 role groups**

-**Microsoft 365 roles**

-> Roles other than Global Admin and/or Compliance Admin, can only view activities and are not allowed to view the sensitive content.

-Activity explorer gathers activity information from the audit logs on multiple sources of activities. For more detailed information on what labeling activity makes it to Activity explorer, see [Labeling events available in Activity explorer](data-classification-activity-explorer-available-events.md).

-**Sensitivity label activities** and **Retention labeling activities** from Office native applications, the Azure Information Protection (AIP) unified labeling client and scanner, SharePoint Online, Exchange Online (sensitivity labels only), and OneDrive. Some examples are:

-**Azure Information Protection (AIP) scanner and AIP clients**

-Activity explorer also gathers **DLP policy matches** events from Exchange Online, SharePoint Online, OneDrive, Teams Chat and Channel (preview), on-premises SharePoint folders and libraries, and on-premises file shares, and Windows 10 devices via **Endpoint data loss prevention (DLP)**. Some examples events from Windows 10 devices are file:

-Understanding what actions are being taken with your sensitive labeled content helps you see if the controls that you have in place, such as [Microsoft Purview Data Loss Prevention](dlp-learn-about-dlp.md) policies are effective or not. If not, or if you discover something unexpected, such as a large number of items that are labeled `highly confidential` and are downgraded `general`, you can manage your various policies and take new actions to restrict the undesired behavior.

-Classifiers, like [sensitive information types](sensitive-information-type-learn-about.md) (SIT) and [trainable classifiers](classifier-learn-about.md) are used in various kinds of policies to identify sensitive information. Like all models, sometimes they identify an item as being sensitive that isn't. Or sometimes that don't identify an item as being sensitive when it actually is. These are called false positives and false negatives.

-This article shows you how to confirm whether items matched by a classifier are true positive (a **Match**) or a false positive (**Not a match**) and provide **Match**, or **Not a match** feedback. You can use that feedback to tune your classifiers to increase accuracy. You can also send redacted versions of the document as well as the **Match**, **Not a Match** feedback to Microsoft if you want to help increase the accuracy of the classifiers that Microsoft provides.

-> The match/not a match feedback experience supports items in SharePoint Online sites, OneDrive for Business sites and emails in Exchange Online.

-See the [licensing requirements for Data classification analytics: Overview Content & Activity Explorer](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#information-protection-data-classification-analytics-overview-content--activity-explorer).

-The contextual summary experience where you indicate if a matched item is a true positive (**Match**) or a false positive (**Not a match**) is similar no matter where is surfaces.

-> You must have already deployed DLP policies that use either SIT or trainable classifier to OneDrive sites, SharePoint sites or Exchange mailboxes and had item matches before you will see items in the **Contextual summary** page.

-1. Open the folder and select a document.

-1. Select the link in the **Sensitive info type** column for an item to see which SITs the item matched and the [confidence level](/microsoft-365/compliance/sensitive-information-type-learn-about.md#more-on-confidence-levels).

-1. Open an item and expand the **Contextual Summary** page. Select the **Contextual Summary** tab.

-1. Review the item and confirm if it's a match.

-1. OPTIONAL: Select **I agree to provide a copy of the file to Microsoft** if you want to submit the match feedback to Microsoft and select **Submit to Microsoft.**

-1. If it's not a match, select the ellipsis next to **Close** and select **Withdraw feedback**.

-1. Select the **Not a match**.

-1. Review the item and redact or unredact any text.

-1. Optional: Select **I agree to provide a copy of the file to Microsoft** if you want to submit the feedback to Microsoft and select **Submit to Microsoft**.

-If you later decide that the not a match feedback is incorrect, you can select the **Withdraw feedback** button. This puts the item back into the **Not a match**, **Match** page.

-1. Open the **Microsoft Purview compliance portal** > **Data classification** > **Sensitive info types** page.

-1. Type the name of the SIT whose accuracy you want to check into **Search**.

-1. Open an item and expand the **Contextual Summary** page. Select the **Contextual Summary** tab.

-1. Review the item and confirm if it's a match.

-1. If it's a match, select **Close**. You're done.

-1. If it isn't a match, select the ellipsis next to **Close** and select **Withdraw feedback**. This exposes the **Not a Match** button.

-1. Select the **Not a match** button.

-1. Review the item and redact or unredact any text.

-1. Optional: Select **I agree to provide a copy of the file to Microsoft** if you want to submit the feedback to Microsoft and select **Submit to Microsoft**.

-If you later decide that the not a match feedback is incorrect, you can select the **Withdraw feedback** button. This puts the item back into the **Not a match**, **Match** page.

-1.Open an item and expand the **Contextual Summary** page.

-1. Review the item and confirm if it's a match.

-1. If it's a match, select **Close**. You're done.

-1. If it isn't a match, select **Withdraw feedback**. This exposes **Not a Match** button.

-1. Select the **Not a match** button.

-If you later decide that the not a match feedback is incorrect, you can select the **Withdraw feedback** button. This puts the item back into the **Not a match**, **Match** page.

-1. Select an alert for an item that was created or updated after the **Match**/**Not a Match** functionality was enabled for your tenant.

-1. Select the **Contextual summary** tab.

-1. Review the item and confirm if it's a match.

-1. If it's a match, select **Close**. You're done.

-1. Review the item and redact or unredact any text.

-1. Optional: Select **I agree to provide a copy of the file to Microsoft** if you want to submit the feedback to Microsoft and select **Submit to Microsoft**.

-1. Select **Close**.

-If your SIT or trainable classifiers are returning too many false positives based on the feedback, you can try some of these steps to tune them and increase the accuracy.

-

-If you're seeing high amounts of false positives, use these recommendations to fine-tune your SITs:

-[Insider risk settings](insider-risk-management-settings.md) apply to all insider risk management policies, regardless of the template you chose when creating a policy. Settings are configured using the **Insider risk settings** control located at the top of all insider risk management tabs. These settings control privacy, indicators, intelligent detections, and more.

-3. On the **Indicators** page, select the alert indicators you want to apply to all insider risk policies.

- - [Trainable classifiers exclusion](insider-risk-management-settings.md#trainable- classifier-exclusion-preview)

-For an existing document library:

-1. In SharePoint, navigate to the document library \> **Settings** \> **Library settings**.

-2. From the **Library settings** flyout pane, select **Default sensitivity labels**, and then select a label from the drop-down box. For example:

-

- 

-

- Although you see the setting mentions support for PDF files, this file type isn't currently supported for this scenario.

-If you're creating a new document library, you can configure the same **Default sensitivity labels** setting from the **Create document library** flyout pane.

-These limits apply to all sensitive information types (SIT) except exact data match (EDM) sensitive information types that support up to 100 STIs.

- **This feature requires [Teams Premium](/microsoftteams/teams-add-on-licensing/licensing-enhance-teams).**

-Use this report to gain insight into overall user activity and usage per feature in your organization. This information can help you analyze trends and measure business value.

-> [!NOTE]

-> A detailed breakdown of usage per appointment is coming soon.

- A blank value means the default quarantine policy is used (AdminOnlyAccessPolicy for malware detections). When you later edit the anti-malware policy or view the settings, the default quarantine policy name is shown. For more information about default quarantine policies that are used for supported protection filtering verdicts, see [this table](quarantine-policies.md#step-2-assign-a-quarantine-policy-to-supported-features).

- > The quarantine policy determines whether recipients receive email notifications for messages that were quarantined as malware. Quarantine notifications are disabled in the AdminOnlyAccessPolicy, so you'll need to create and assign a custom quarantine policy where notifications are turned on. For more information, see [Quarantine policies](quarantine-policies.md).

- > Users can't release their own messages that were quarantined as malware. At best, admins can configure the quarantine policy so users can request the release of their quarantined malware messages.

- A blank **Apply quarantine policy** value means the default quarantine policy is used (DefaultFullAccessPolicy for spoof intelligence detections). When you later edit the anti-phishing policy or view the settings, the default quarantine policy name is shown. For more information about default quarantine policies that are used for supported protection filtering verdicts, see [this table](quarantine-policies.md#step-2-assign-a-quarantine-policy-to-supported-features).

- |**Quarantine message**: Sends the message to quarantine instead of the intended recipients. <p> You specify how long the message should be held in quarantine later in the **Quarantine** box. <p> You specify the [quarantine policy](quarantine-policies.md) that applies to quarantined messages for the spam filter verdict in the **Select a policy** box that appears. For more information, see [Quarantine policies](quarantine-policies.md).³|Γ£ö|Γ£ö|Γ£ö^\*|Γ£ö^\*|Γ£ö|

- > ³ A blank **Select a policy** value means the default quarantine policy for that particular verdict is used. When you later edit the anti-spam policy or view the settings, the default quarantine policy name is shown. For more information about default quarantine policies that are used for the spam filter verdicts, see [this table](quarantine-policies.md#step-2-assign-a-quarantine-policy-to-supported-features).

- > Users can't release their own messages that were quarantined as high confidence phishing. At best, admins can configure the quarantine policy so users can request the release of their quarantined high confidence phishing messages.

-|Starting point|Alert when files containing this sensitive information type ("Credit Card Number") are shared outside the organization <p> >Block downloads of files containing this sensitive information type ("Credit card number") to unmanaged devices|

-You can't modify the policy settings in the protection profiles. The **Standard**, **Strict**, and **Built-in protection** policy setting values are described in [Recommended settings for EOP and Microsoft Defender for Office 365 security](recommended-settings-for-eop-and-office365.md).

- - **Quarantine policy**: The default value is blank, which means the AdminOnlyAccessPolicy policy is used. Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see [Quarantine policies](quarantine-policies.md).

-6. (Recommended) As a global administrator or a SharePoint Online administrator, run the **[Set-SPOTenant](/powershell/module/sharepoint-online/Set-SPOTenant)** cmdlet with the _DisallowInfectedFileDownload_ parameter set to `$true` in SharePoint Online PowerShell.

- To prevent users from managing their own quarantined phishing messages, admins can assign a quarantine policy that denies access to quarantined messages from the **Phishing email** filtering verdict in anti-spam policies. For more information, see [Assign quarantine policies in anti-spam policies](quarantine-policies.md#anti-spam-policies)[Quarantine policies](quarantine-policies.md).

-|Bulk||||

-|Spam||||

-|High confidence spam||||

-|Phishing||||

-|High confidence phishing||||

-|Spoof intelligence protection in EOP||||

-|Impersonated user protection in Defender for Office 365||||

-|Impersonated domain protection in Defender for Office 365||||

-|Mailbox intelligence protection in Defender for Office 365||||

-|Email messages with attachments that are quarantined as malware.||||

-|Safe Attachments policies that quarantine email messages with malicious attachments as malware.||||

-|Safe Attachments for SharePoint, OneDrive, and Microsoft Teams that quarantines malicious files as malware.||||

-|Mail flow rules that quarantine email messages.||||

-_Quarantine policies_ define what users are allowed to do to quarantined messages based on why the message was quarantined in [supported features](quarantine-policies.md#step-2-assign-a-quarantine-policy-to-supported-features). Default quarantine policies enforce the historical capabilities as described in the previous table. Admins can create and apply custom quarantine policies that define less restrictive or more restrictive capabilities for users in supported features. For more information, see [Quarantine policies](quarantine-policies.md).

-> Your ability to view quarantined messages is controlled by the [quarantine policy](quarantine-policies.md) that applies to the quarantined message type (which might be the [default quarantine policy for the quarantine reason](quarantine-policies.md#step-2-assign-a-quarantine-policy-to-supported-features)).

-> Your ability to take action on quarantined messages is controlled by the [quarantine policy](quarantine-policies.md) that applies to the quarantined message type (which might be the [default quarantine policy for the quarantine reason](quarantine-policies.md#step-2-assign-a-quarantine-policy-to-supported-features)). This section describes all available actions.

-Quarantine policies (formerly known as _quarantine tags_) in Exchange Online Protection (EOP) and Microsoft Defender for Office 365 allow admins to control what users are able to do to quarantined messages based on why the message was quarantined. This feature is available in all Microsoft 365 organizations with Exchange Online mailboxes.

-For [supported protection features](#step-2-assign-a-quarantine-policy-to-supported-features), quarantine policies specify what users are allowed to do to their own messages (messages where they're a recipient) in quarantine and in _quarantine notifications_. [Quarantine notifications](quarantine-quarantine-notifications.md) are the replacement for end-user spam notifications. These notifications are now controlled by quarantine policies, and contain information about quarantined messages for all supported protection features (not just anti-spam policy and anti-phishing policy verdicts).

-Default quarantine policies that enforce the historical user capabilities are automatically assigned to actions in the supported protection features that quarantine messages. Or, you can create custom quarantine policies and assign them to the supported protection features to allow or prevent users from performing specific actions on those types of quarantined messages.

-|**Block sender** (_PermissionToBlockSender_)||||

-|**Delete** (_PermissionToDelete_)||||

-|**Preview** (_PermissionToPreview_)||||

-|**Allow recipients to release a message from quarantine** (_PermissionToRelease_)^\*||||

-|**Allow recipients to request a message to be released from quarantine** (_PermissionToRequestRelease_)||||

-^\*The **Allow recipients to release a message from quarantine** permission is not honored in anti-malware policies or for the high confidence phishing verdict in anti-spam policies. Users cannot release their own malware or high confidence phishing messages from quarantine. At best, you can use the **Allow recipients to request a message to be released from quarantine** permission.

-^\* The quarantine policy named NotificationEnabledPolicy is not present in all environments. You'll have the NotificationEnabledPolicy quarantine policy if your organization meets both of the following requirements:

-As described earlier, quarantine notifications in quarantine policies replace end-user spam notifications that you used to turn on or turn off in anti-spam policies. The built-in quarantine policy named DefaultFullAccessPolicy duplicates the historical _permissions_ for quarantined messages, but _quarantine notifications_ are not turned on in the quarantine policy. And, because you can't modify the built-in policy, you can't turn on quarantine notifications in DefaultFullAccessPolicy.

-For new organizations or older organizations that never had end-user spam notifications enabled in anti-spam policies, you won't have the quarantine policy named NotificationEnabledPolicy. The way for you to turn on quarantine notifications is to create and use custom quarantine policies where quarantine notifications are turned on.

-Now you're ready to assign the quarantine policy to a quarantine feature as described in the [Step 2](#step-2-assign-a-quarantine-policy-to-supported-features) section.

-|Feature|Quarantine policies supported?|Default quarantine policies used|

-||::||

-|[Anti-spam policies](anti-spam-policies-configure.md): <ul><li>**Spam** (_SpamAction_)</li><li>**High confidence spam** (_HighConfidenceSpamAction_)</li><li>**Phishing** (_PhishSpamAction_)</li><li>**High confidence phishing** (_HighConfidencePhishAction_)</li><li>**Bulk** (_BulkSpamAction_)</li></ul>|Yes|<ul><li>DefaultFullAccessPolicy^\* (Full access)</li><li>DefaultFullAccessPolicy^\* (Full access)</li><li>DefaultFullAccessPolicy^\* (Full access)</li><li>AdminOnlyAccessPolicy (No access)</li><li>DefaultFullAccessPolicy^\* (Full access)</li></ul>|

-|Anti-phishing policies: <ul><li>[Spoof intelligence protection](anti-phishing-policies-about.md#spoof-settings) (_AuthenticationFailAction_)</li><li>[Impersonation protection in Defender for Office 365](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365):<ul><li>**If message is detected as an impersonated user** (_TargetedUserProtectionAction_)</li><li>**If message is detected as an impersonated domain** (_TargetedDomainProtectionAction_)</li><li>**If mailbox intelligence detects and impersonated user** (_MailboxIntelligenceProtectionAction_)</li></ul></li></ul>|Yes|<ul><li>DefaultFullAccessPolicy^\* (Full access)</li><li>Impersonation protection:<ul><li>DefaultFullAccessPolicy^\* (Full access)</li><li>DefaultFullAccessPolicy^\* (Full access)</li><li>DefaultFullAccessPolicy^\* (Full access)</li></ul></li></ul>|

-|[Anti-malware policies](anti-malware-policies-configure.md): All detected messages are always quarantined.|Yes|AdminOnlyAccessPolicy (No access)|

-|[Safe Attachments protection](safe-attachments-about.md): <ul><li>Email messages with attachments that are quarantined as malware by Safe Attachments policies (_Enable_ and _Action_)</li><li>Files quarantined as malware by [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](safe-attachments-for-spo-odfb-teams-about.md)</li></ul>|<ul><li>Yes</li><li>No</li></ul>|<ul><li>AdminOnlyAccessPolicy (No access)</li><li>n/a</li></ul>|

-|[Mail flow rules](/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules) (also known as transport rules) with the action: **Deliver the message to the hosted quarantine** (_Quarantine_).|No|n/a|

-^\* As [previously described in this article](#full-access-permissions-and-quarantine-notifications), your organization might use NotificationEnabledPolicy instead of DefaultFullAccessPolicy. The only difference between these two quarantine policies is quarantine notifications are turned on in NotificationEnabledPolicy and turned off in DefaultFullAccessPolicy.

-> Users can't release their own messages that were quarantined as malware (anti-malware policies) or high confidence phishing (anti-spam policies), regardless of how the quarantine policy is configured. At best, admins can configure the quarantine policy so users can request the release of their quarantined malware or high confidence phishing messages.

- You need to replace a default quarantine policy with a custom quarantine policy only if you want to change the default end-user capabilities on quarantined messages for that particular spam filtering verdict.

- You need to replace a default quarantine policy with a custom quarantine policy only if you want to change the default end-user capabilities on quarantined messages for that particular verdict.

- Write-Output -InputObject "Anti-spam policies","-";Get-HostedContentFilterPolicy | Format-List Name,*QuarantineTag; Write-Output -InputObject "Anti-phishing policies","-";Get-AntiPhishPolicy | Format-List Name,*QuarantineTag; Write-Output -InputObject "Anti-malware policies","-";Get-MalwareFilterPolicy | Format-List Name,QuarantineTag; Write-Output -InputObject "Safe Attachments policies","";Get-SafeAttachmentPolicy | Format-List Name,QuarantineTag

-> This permission is not honored in anti-malware policies or for the high confidence phishing verdict in anti-spam policies. Users cannot release their own malware or high confidence phishing messages from quarantine. At best, you can use the [Allow recipients to request a message to be released from quarantine permission](#allow-recipients-to-request-a-message-to-be-released-from-quarantine-permission) permission.

-_Quarantine policies_ define what users are allowed to do to quarantined messages based on why the message was quarantined (for supported features). For more information, see [Quarantine policies](quarantine-policies.md). Quarantine polices also control whether the affected recipients (including shared mailboxes) get periodic _quarantine notifications_ about their quarantined messages. Quarantine notifications are the replacement for end-user spam notifications for all supported protection features (not just anti-spam policy verdicts).

-For shared mailboxes, quarantine notifications are supported only for users who are granted FullAccess permission to the shared mailbox. For more information, see [Use the EAC to edit shared mailbox delegation](/Exchange/collaboration-exo/shared-mailboxes#use-the-eac-to-edit-shared-mailbox-delegation).

-When you receive a quarantine notification, the following information is always available for each quarantined message:

-> A blocked sender can still send you mail. Any messages from this sender that make it to your mailbox will be immediately moved to the Junk Email folder. Future messages from this sender will go to your Junk Email folder or to quarantine. If you would like to delete these messages on arrival instead of quarantining them, use [mail flow rules](/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules) (also known as transport rules) to delete the messages on arrival.

-|**Actions**||||Wherever you select **Quarantine message**, a **Select quarantine policy** box is available. Quarantine policies define what users are allowed to do to quarantined messages. <br><br> Standard and Strict preset security policies use the default quarantine policies (AdminOnlyAccessPolicy or DefaultFullAccessPolicy with no quarantine notifications) as described in the table [here](quarantine-policies.md#step-2-assign-a-quarantine-policy-to-supported-features). <br><br> When you create a new anti-spam policy, a blank value means the default quarantine policy is used to define the historical capabilities for messages that were quarantined by that particular verdict (AdminOnlyAccessPolicy with no quarantine notifications for **High confidence phishing**; DefaultFullAccessPolicy with no quarantine notifications for everything else). <br><br> Admins can create and select custom quarantine policies that define more restrictive or less restrictive capabilities for users in the default or custom anti-spam policies. For more information, see [Quarantine policies](quarantine-policies.md).|

-|**High confidence phishing** detection action <br><br> _HighConfidencePhishAction_|**Quarantine message** <br><br> `Quarantine`|**Quarantine message** <br><br> `Quarantine`|**Quarantine message** <br><br> `Quarantine`||

-|**Retain spam in quarantine for this many days** <br><br> _QuarantineRetentionPeriod_|15 days|30 days|30 days| <br><br> This value also affects messages that are quarantined by anti-phishing policies. For more information, see [Quarantined email messages in EOP](quarantine-about.md).|

-|**Quarantine policy**|AdminOnlyAccessPolicy|AdminOnlyAccessPolicy|AdminOnlyAccessPolicy|When you create a new anti-malware policy, a blank value means the default quarantine policy is used to define the historical capabilities for messages that were quarantined as malware (AdminOnlyAccessPolicy with no quarantine notifications). <br><br> Standard and Strict preset security policies use the default quarantine policy (AdminOnlyAccessPolicy with no quarantine notifications) as described in the table [here](quarantine-policies.md#step-2-assign-a-quarantine-policy-to-supported-features). <br><br> Admins can create and select custom quarantine policies that define more capabilities for users in the default or custom anti-malware policies. For more information, see [Quarantine policies](quarantine-policies.md).|

-|**If message is detected as spoof** <br><br> _AuthenticationFailAction_|**Move message to the recipients' Junk Email folders** <br><br> `MoveToJmf`|**Move message to the recipients' Junk Email folders** <br><br> `MoveToJmf`|**Quarantine the message** <br><br> `Quarantine`|This setting applies to spoofed senders that were automatically blocked as shown in the [spoof intelligence insight](anti-spoofing-spoof-intelligence.md) or manually blocked in the [Tenant Allow/Block List](tenant-allow-block-list-about.md). <br><br> If you select **Quarantine the message**, an **Apply quarantine policy** box is available to select the quarantine policy that defines what users are allowed to do to messages that are quarantined as spoofing. When you create a new anti-phishing policy, a blank value means the default quarantine policy is used to define the historical capabilities for messages that were quarantined as spoofing (DefaultFullAccessPolicy with no quarantine notifications). <br><br> Standard and Strict preset security policies use the default quarantine policy (DefaultFullAccessPolicy with no quarantine notifications) as described in the table [here](quarantine-policies.md#step-2-assign-a-quarantine-policy-to-supported-features). <br><br> Admins can create and select custom quarantine policies that define more restrictive or less restrictive capabilities for users in the default or custom anti-phishing policies. For more information, see [Quarantine policies](quarantine-policies.md).|

-|**Actions**||||Wherever you select **Quarantine the message**, a **Select quarantine policy** box is available. Quarantine policies define what users are allowed to do to quarantined messages. <br><br> Standard and Strict preset security policies use the default quarantine policy (DefaultFullAccessPolicy with no quarantine notifications) as described in the table [here](quarantine-policies.md#step-2-assign-a-quarantine-policy-to-supported-features). <br><br> When you create a new anti-phishing policy, a blank value means the default quarantine policy is used to define the historical capabilities for messages that were quarantined by that verdict (DefaultFullAccessPolicy for all impersonation detection types). <br><br> Admins can create and select custom quarantine policies that define less restrictive or more restrictive capabilities for users in the default or custom anti-phishing policies. For more information, see [Quarantine policies](quarantine-policies.md).|

-|**Quarantine policy** (_QuarantineTag_)|AdminOnlyAccessPolicy|AdminOnlyAccessPolicy|AdminOnlyAccessPolicy|AdminOnlyAccessPolicy| <br><br> Standard and Strict preset security policies use the default quarantine policy (AdminOnlyAccessPolicy with no quarantine notifications) as described in the table [here](quarantine-policies.md#step-2-assign-a-quarantine-policy-to-supported-features). <br><br> When you create a new Safe Attachments policy, a blank value means the default quarantine policy is used to define the historical capabilities for messages that were quarantined by Safe Attachments (AdminOnlyAccessPolicy with no quarantine notifications). <br><br> Admins can create and select custom quarantine policies that define more capabilities for users. For more information, see [Quarantine policies](quarantine-policies.md).|