Updates from: 04/08/2023 01:36:46
Category Microsoft Docs article Related commit history on GitHub Change details
admin Remove Former Employee https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/remove-former-employee.md
To complete the steps in this series, you use these Microsoft 365 capabilities a
|[Step 4 - Forward a former employee's email to another employee or convert to a shared mailbox](remove-former-employee-step-4.md)|This lets you keep the former employee's email address active. If you have customers or partners still sending email to the former employee's address, this gets them to the person taking over the work.| |[Step 5 - Give another employee access to OneDrive and Outlook data](remove-former-employee-step-5.md)|If you only remove a user's license but don't delete the account, the content in the user's OneDrive will remain accessible to you even after 30 days. <p> Before you delete the account, you should give access of their OneDrive and Outlook to another user. After you delete an employee's account, the content in their OneDrive and Outlook is retained for **30** days. During that 30 days, however, you can restore the user's account, and gain access to their content. If you restore the user's account, the OneDrive and Outlook content will remain accessible to you even after 30 days.| |[Step 6 - Remove and delete the Microsoft 365 license from a former employee](remove-former-employee-step-6.md)|When you remove a license, you can assign it to someone else. Or, you can delete the license so you don't pay for it until you hire another person. <p> When you remove or delete a license, the user's old email, contacts, and calendar are retained for **30 days**, then permanently deleted. If you remove or delete a license but don't delete the account, the content in the user's OneDrive will remain accessible to you even after 30 days.|
-|[Step 7 - Delete a former employee's user account](remove-former-employee-step-7.md)|This removes the account from your admin center. Keeps things clean.|
+|[Step 7 - Delete a former employee's user account](remove-former-employee-step-7.md)|This removes the account from your admin center. Keeps things clean. Emails to the former employee's user account will not be received.|
## Watch: Delete a user
admin Create Dns Records At Any Dns Hosting Provider https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider.md
f1.keywords:
Previously updated : 02/18/2020 Last updated : 04/07/2023 audience: Admin
admin Upgrade Users To Latest Office Client https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/setup/upgrade-users-to-latest-office-client.md
# Upgrade your Microsoft 365 for business users to the latest Office client
-## Office 2010 reaches end-of-support
-
-Office 2010 reached its end of support on October 13, 2020. Microsoft will no longer provide the following:
--- Technical support for issues--- Bug fixes for issues that are discovered--- Security fixes for vulnerabilities that are discovered-
-See [Office 2010 end of support roadmap](/deployoffice/endofsupport/office-2010-end-support-roadmap) for more information.
+## Get ready to upgrade to Microsoft 365
- **Is this the right topic for you?**
-
- If you're the admin responsible for the Microsoft 365 for business subscription in your organization, you're in the right place. Admins are typically responsible for tasks like managing users, resetting passwords, managing Office installs and adding or removing licenses.
+As an admin, you control what version of the Microsoft 365 apps people in your organization can install. We highly recommend that you help users in your organization running older versions such as [Office 2010](#office-2010-reaches-end-of-support), Office 2013, or Office 2016 upgrade to the latest version of the Microsoft 365 apps to take advantage of security and productivity improvements.
- If you're not an admin and you have a [Microsoft 365 Family](https://support.microsoft.com/office/28cbc8cf-1332-4f04-9123-9b660abb629e#BKMK_OfficePlans) product, see [How do I upgrade Office](https://support.microsoft.com/office/ee68f6cf-422f-464a-82ec-385f65391350) for information about upgrading your older, home use version of Office.
+### Is this the right topic for you?
-## Get ready to upgrade to Microsoft 365
+If you're the admin responsible for the Microsoft 365 for business subscription in your organization, you're in the right place. Admins are typically responsible for tasks like managing users, resetting passwords, managing Office installs and adding or removing licenses.
-As an admin, you control what version of Office people in your organization can install. We highly recommend that you help users in your organization running older versions of Office such as Office 2010, Office 2013, or Office 2016 upgrade to the latest version to take advantage of its security and productivity improvements.
+ If you're not an admin and you have a [Microsoft 365 Family](https://support.microsoft.com/office/28cbc8cf-1332-4f04-9123-9b660abb629e#BKMK_OfficePlans) subscription, see [How do I upgrade Office](https://support.microsoft.com/office/ee68f6cf-422f-464a-82ec-385f65391350) for information about upgrading your older, home use version of Office.
## Upgrade steps
After you've verified the users you want to upgrade all have licenses, the final
> [!TIP] > If you don't want your users installing Office themselves, see [Manage Microsoft 365 installation options in the Microsoft 365 admin center](/DeployOffice/manage-software-download-settings-office-365). You can use the [Deployment Tool](/DeployOffice/overview-office-deployment-tool) to download Microsoft 365 apps to your local network and then deploy using the software deployment method you typically use.+
+## Office 2010 reaches end-of-support
+
+Office 2010 reached its end of support on October 13, 2020. Microsoft will no longer provide the following:
+
+- Technical support for issues
+
+- Bug fixes for issues that are discovered
+
+- Security fixes for vulnerabilities that are discovered
+
+See [Office 2010 end of support roadmap](/deployoffice/endofsupport/office-2010-end-support-roadmap) for more information.
compliance Audit Premium Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/audit-premium-setup.md
Audit (Premium) features such as the ability to log crucial events such as MailI
5. If the checkbox isn't selected, select it, and then select **Save changes.**
- The logging of audit records for MailItemsAccessed and Send will begin within 24 hours. You have to perform Step 3 to start logging of two other Audit (Premium) events: SearchQueryInitiatedExchange and SearchQueryInitiatedSharePoint.
+ The logging of audit records for MailItemsAccessed and Send will begin within 24 hours. You have to perform Step 2 to start logging of two other Audit (Premium) events: SearchQueryInitiatedExchange and SearchQueryInitiatedSharePoint.
Also, if you've customized the mailbox actions that are logged on user mailboxes or shared mailboxes, any new Audit (Premium) events released by Microsoft won't be automatically audited on those mailboxes. For information about changing the mailbox actions that are audited for each logon type, see the "Change or restore mailbox actions logged by default" section in [Manage mailbox auditing](audit-mailboxes.md#change-or-restore-mailbox-actions-logged-by-default).
compliance Get Started With Sensitivity Labels https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/get-started-with-sensitivity-labels.md
You can also use the following resources for basic instructions:
- [Create protected PDFs from Office files](https://support.microsoft.com/topic/aba7e367-e482-49e7-b746-a385e48d01e4) -- [Sensitivity labels for Teams meetings](https://support.microsoft.com/office/sensitivity-labels-for-teams-meetings-abd9f361-6a18-4256-ae46-5d429bc16ba6)
+- [Sensitivity labels for Teams meetings](https://support.microsoft.com/office/sensitivity-labels-for-teams-meetings-2b244d1d-72d0-471e-8e58-c41079e190fb)
- [Azure Information Protection unified labeling user guide](/azure/information-protection/rms-client/clientv2-user-guide)
compliance Sensitivity Labels Meetings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-meetings.md
However, if you select a label that applies encryption, it must be a label with
## End-user documentation
-To help end users understand how to apply and change sensitivity labels in Teams, see [Sensitivity labels for Teams meetings](https://support.microsoft.com/office/sensitivity-labels-for-teams-meetings-abd9f361-6a18-4256-ae46-5d429bc16ba6). For calendar items in Outlook, the labeling experience is very similar to labeling emails. For Outlook, probably the only additional information users need is [which Outlook clients](#requirements) currently support this labeling feature.
+To help end users understand how to apply and change sensitivity labels in Teams, see [Sensitivity labels for Teams meetings](https://support.microsoft.com/office/sensitivity-labels-for-teams-meetings-2b244d1d-72d0-471e-8e58-c41079e190fb). For calendar items in Outlook, the labeling experience is very similar to labeling emails. For Outlook, probably the only additional information users need is [which Outlook clients](#requirements) currently support this labeling feature.
Remember to provide your own guidance which named label to apply for different types of meetings. Then, users can focus on the label name instead of the individual settings applied by the label.
frontline Ehr Admin Epic https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/ehr-admin-epic.md
To enable SMS notifications, your Microsoft 365 admin completes the following st
:::image type="content" source="media/ehr-connector-epic-sms-notifications.png" alt-text="Screenshot of the SMS notifications page, showing consent check boxes and the option to generate a phone number." lightbox="media/ehr-connector-epic-sms-notifications.png":::
-1. Under **Your phone numbers**, select **Generate a new phone number** to generate a phone number for your organization. Doing this starts the process to request and generate a new phone number. This process might take up to 2 minutes to complete.
+2. Under **Your phone numbers**, select **Generate a new phone number** to generate a phone number for your organization. Doing this starts the process to request and generate a new phone number. This process might take up to 2 minutes to complete.
After the phone number is generated, it's displayed on the screen. This number will be used to send SMS confirmations and reminders to your patients. The number has been provisioned but isnΓÇÖt linked to the FHIR base URL yet. You do that in the next step.
To enable SMS notifications, your Microsoft 365 admin completes the following st
Choose **Done**, and then select **Next**.
-1. Some telephone carriers now [require unverified toll numbers to be verified](/azure/communication-services/concepts/sms/sms-faq#sms-to-us-phone-numbers). This requirement became effective October 1, 2022. Some carriers are following this more strictly than others.
+3. Some telephone carriers now [require unverified toll numbers to be verified](/azure/communication-services/concepts/sms/sms-faq#sms-to-us-phone-numbers). This requirement became effective October 1, 2022. Some carriers are following this more strictly than others.
You'll need to [register your generated phone number in this form](https://forms.office.com/pages/responsepage.aspx?id=v4j5cvGGr0GRqy180BHbR0NW3g8C-tRNlyVpwWkCiS1UOEFCVTRHSFMwRk9BVTg3MVdZQlVCNEI4SS4u). This will ensure none of your SMS messages will be blocked when sent to US phone numbers.
-1. To link the phone number to a FHIR base URL, under **Phone number** in the **SMS configuration** section, select the number. Do this for each FHIR base URL for which you want to enable SMS notifications.
+4. To link the phone number to a FHIR base URL, under **Phone number** in the **SMS configuration** section, select the number. Do this for each FHIR base URL for which you want to enable SMS notifications.
:::image type="content" source="media/ehr-connector-epic-link-phone-number.png" alt-text="Screenshot showing how to link a phone number to a FHIR base URL." lightbox="media/ehr-connector-epic-link-phone-number.png"::: If youΓÇÖre configuring the connector for the first time, youΓÇÖll see the FHIR base URL that was entered in the earlier step. The same phone number can be linked to multiple FHIR base URLs, which means that patients will receive SMS notifications from the same phone number for different organizations and/or departments.
-1. Select **SMS setup** next to each FHIR base URL to set up the types of SMS notifications to send to your patients.
+5. Select **SMS setup** next to each FHIR base URL to set up the types of SMS notifications to send to your patients.
:::image type="content" source="media/ehr-connector-epic-sms-setup.png" alt-text="Screenshot showing SMS setup settings." lightbox="media/ehr-connector-epic-sms-setup.png":::
You'll need to [register your generated phone number in this form](https://forms
Choose **Save**.
-1. Select **Upload certificate** to upload a public key certificate. You must upload a Base64 encoded (public key only) .cer certificate for each environment.
+6. Select **Upload certificate** to upload a public key certificate. You must upload a Base64 encoded (public key only) .cer certificate for each environment.
A public key certificate is required to receive appointment information for sending SMS notifications. The certificate is needed to verify that the incoming information is from a valid source.
lighthouse M365 Lighthouse Tenants Page Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-tenants-page-overview.md
description: "For Managed Service Providers (MSPs) using Microsoft 365 Lighthous
# Overview of the Tenants page in Microsoft 365 Lighthouse
-Microsoft 365 Lighthouse lets you manage tenant accounts by selecting **Tenants** in the left navigation pane to open the Tenants page. The Tenants page contains a list of all your tenants. You can select a tenant to view detailed information including contact details and deployment status.
+Microsoft 365 Lighthouse lets you manage customer tenant accounts by selecting **Tenants** in the left navigation pane to open the Tenants page. The Tenants page contains a list of all your customer tenants. You can select a tenant to view detailed information including contact details and deployment status.
The Tenants page also includes the following options:
The Tenants page also includes the following options:
## Tenant list
-The tenant list provides insights into the different tenants you have a contract with, including their tenant Lighthouse onboarding status. The tenant list also lets you tag tenants to provide different filters throughout Lighthouse, and drill down to learn more about a given tenant and the status of its deployment plan.
+The tenant list provides insights into the different customer tenants that you have a contract with, including their Lighthouse management status. The tenant list also lets you tag tenants to provide different filters throughout Lighthouse, and drill down to learn more about a given tenant and the status of its deployment plan.
-After your tenants meet the [Lighthouse onboarding requirements](m365-lighthouse-requirements.md), its status will show as **Active** in the tenant list.
+After your customer tenants meet the [Lighthouse onboarding requirements](m365-lighthouse-requirements.md), their status will show as **Active** in the tenant list.
The tenant list lets you:
The tenant list lets you:
- Search for tenants by name. - Filter tenants by status, delegated admin privilege (DAP), and tags.
-To inactivate the tenant or view and manage tags, select the three dots (more actions) next to the tenant name. You can view individual tenants by either selecting the tenant name or by selecting one of the tags assigned to the tenant.
+To inactivate a tenant or view and manage tags, select the three dots (more actions) next to the tenant name. You can view individual tenants by either selecting the tenant name or by selecting one of the tags assigned to the tenant.
-For information on how to add tenants, see [Add and manage multiple tenants in your Partner Center account](/partner-center/multi-tenant-account).
+For information on how to add customer tenants, see [Add and manage multiple tenants in your Partner Center account](/partner-center/multi-tenant-account).
## Tenant status The following table shows the different statuses and their meaning. For information on how to troubleshoot customer tenant statuses, see [Troubleshoot error messages and problems in Microsoft 365 Lighthouse: Customer tenant onboarding](m365-lighthouse-troubleshoot.md#customer-tenant-onboarding).<br><br>
-| Status | Description |
-|||
-| Active | Tenant onboarding and data flow have started. |
-| Inactive | Tenant was offboarded at the request of the MSP and is no longer being managed in Lighthouse. |
-| In process | Tenant discovered but not fully onboarded. |
-| Ineligible - DAP or GDAP isn't set up | Partner must have delegated (DAP) or granular delegated (GDAP) admin privileges set up with the tenant. |
-| Ineligible - Required license is missing | Tenant doesn't have the required license. |
-| Ineligible - User count exceeded | Tenant has more users than allowed. |
-| Ineligible - Geo check failed | Partner and customer must reside in the same geographic location. |
+| Status | Description |
+||--|
+| Active | This customer tenant can be actively managed and monitored in Lighthouse for users and devices with required licenses. |
+| Inactive | Your organization has excluded this customer tenant from Lighthouse management. |
+| Limited | This customer tenant has access to only a limited set of experiences in Lighthouse, including GDAP setup and management, user search, user details, tenant tagging, and service health. <br> Select the tenant name to see a detailed status of Lighthouse management requirements. For more information, see [Requirements for Microsoft 365 Lighthouse](m365-lighthouse-requirements.md).|
+| In process | An error occurred during the onboarding process for this customer tenant and we're working on a fix. If this error persists for more than 24 hours, please contact Support. |
-Once you inactivate a tenant, you can't take action on the tenant until the inactivation process completes. It may take up to 48 hours for inactivation to complete. If you decide to reactivate a tenant, it may take up to 48 hours for data to reappear.
+> [!NOTE]
+> Once you inactivate a customer tenant, you can't take action on the tenant until the inactivation process completes. It may take up to 48 hours for inactivation to complete. If you decide to reactivate a customer tenant, it may take up to 48 hours for data to reappear.
## Tenant tags
-To help organize your tenants and easily filter the existing views, you can create and assign tags to your tenants. To learn more, see [Manage your tenant list in Microsoft 365 Lighthouse](m365-lighthouse-manage-tenant-list.md).
+To help organize your customer tenants and easily filter the existing views, you can create and assign tags to your tenants. To learn more, see [Manage your tenant list in Microsoft 365 Lighthouse](m365-lighthouse-manage-tenant-list.md).
> [!NOTE] > You can create up to 30 tags across all tenant. ## Tenant details page
-To view detailed tenant information, select a tenant from the list of tenants. The tenant details page contains contact information and deployment plan status.
+To view detailed customer tenant information, select a tenant from the list of tenants. The tenant details page contains contact information and deployment plan status.
:::image type="content" source="../media/m365-lighthouse-tenants-page-overview/tenant-details-page.png" alt-text="Screenshot of the Tenant details page." lightbox="../media/m365-lighthouse-tenants-page-overview/tenant-details-page.png"::: ### Overview tab
-On the Overview tab, you can view tenant overview, contact information, and Microsoft 365 service usage.
+On the Overview tab, you can view customer tenant overview information, contact information, and Microsoft 365 service usage.
#### Tenant overview section
-The Tenant overview section provides information about the tenant from its Microsoft 365 account.<br><br>
+The Tenant overview section provides information about the customer tenant from its Microsoft 365 account.<br><br>
| Tenant information | Description| |--||
+| Roles | The roles assigned to you in the tenant. Roles determine which tasks you can complete for customers, and what data you can view.|
| Headquarters | Where the tenant is located.| | Industry |The organization's industry.|
-| Website |The organization's website. You may edit this field if no data is provided.|
| Customer domain |The organization's domain.|
+| Website |The organization's website. You may edit this field if no data is provided.|
| Total users |The number of users assigned in the tenant. You may select this number to open the Users page for that tenant.| | Total devices|The number of devices enrolled in the tenant. You may select this number to open the Devices page for that tenant.|
To edit details, add notes, or delete an existing contact, select the contact na
#### Microsoft 365 services usage section
-Lighthouse provides insights into Microsoft 365 services usage, including how many users within a tenant are licensed and actively using each service. The **Active users & devices** column indicates the number of users or devices that have signed in to the service at least once in the past 28 days. The **Change in activity** column indicates change in active users and devices since last month.
+Lighthouse provides insights into Microsoft 365 services usage, including how many users within a customer tenant are licensed and actively using each service. The **Active users & devices** column indicates the number of users or devices that have signed in to the service at least once in the past 28 days. The **Change in activity** column indicates change in active users and devices since last month.
The **Microsoft 365 services usage** section contains two sub-sections:
The **Microsoft 365 services usage** section contains two sub-sections:
### Deployment Plan tab
-The Deployment Plans tab provides status on a tenant's deployment plan. The deployment steps in the list are based on the baseline applied to the tenant. To see deployment step details, select a deployment step from the list.
+The Deployment Plans tab provides status on a customer tenant's deployment plan. The deployment steps in the list are based on the baseline applied to the tenant. To see deployment step details, select a deployment step from the list.
The Deployment Plan tab also includes the following options:
security Anti Malware Policies Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-malware-policies-configure.md
Creating a custom anti-malware policy in the Microsoft 365 Defender portal creat
- **Enable zero-hour auto purge for malware**: If you select this option, ZAP quarantines malware messages that have already been delivered. For more information, see [Zero-hour auto purge (ZAP) in Exchange Online](zero-hour-auto-purge.md).
- - **Quarantine policy**: Select the quarantine policy that applies to messages that are quarantined as malware. Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see [Quarantine policies](quarantine-policies.md).
-
- A blank value means the default quarantine policy is used (AdminOnlyAccessPolicy for malware detections). When you later edit the anti-malware policy or view the settings, the actual quarantine policy name is shown. For more information about default quarantine policies that are used for anti-malware, see [EOP anti-malware policy settings](recommended-settings-for-eop-and-office365.md#eop-anti-malware-policy-settings).
+ - **Quarantine policy**: Select the quarantine policy that applies to messages that are quarantined as malware. By default, the quarantine policy named AdminOnlyAccessPolicy is used for malware detections. For more information about this quarantine policy, see [Anatomy of a quarantine policy](quarantine-policies.md#anatomy-of-a-quarantine-policy).
> [!NOTE]
- > The quarantine policy also determines whether recipients receive email notifications for messages that were quarantined as malware. Quarantine notifications are disabled in AdminOnlyAccessPolicy, so if you want to notify recipients that have messages quarantined as malware, create or use an existing quarantine policy where notifications are turned on.
+ > Quarantine notifications are disabled in the policy named AdminOnlyAccessPolicy. To notify recipients that have messages quarantined as malware, create or use an existing quarantine policy where quarantine notifications are turned on. For instructions, see [Create quarantine policies in the Microsoft 365 Defender portal](quarantine-policies.md#step-1-create-quarantine-policies-in-the-microsoft-365-defender-portal).
>
- > Regardless of the settings in the quarantine policy, users can't release their own messages that were quarantined as malware. At best, admins can configure the quarantine policy so users can request the release of their quarantined malware messages.
+ > Users can't release their own messages that were quarantined as malware by anti-malware policies, regardless of how the quarantine policy is configured. At best, admins can create and configure a quarantine policy so users can view and _request_ the release of quarantined malware messages, although we typically don't recommend it.
- **Admin notifications**: Select none, one, or both of the following options:
This example creates a new malware filter policy named Contoso Malware Filter Po
- Notify admin@contoso.com when malware is detected in a message from an internal sender. - The common attachments filter is enabled (`-EnableFileFilter $true`) and the default list of file types is used (we aren't using the _FileTypes_ parameter). - Messages detected by the common attachments filter are rejected with an NDR (we aren't using the _FileTypeAction_ parameter, and the default value is `Reject`).-- The default [quarantine policy](quarantine-policies.md) for malware detections is used (we aren't using the _QuarantineTag_ parameter).
+- The default quarantine policy for malware detections is used (we aren't using the _QuarantineTag_ parameter).
```PowerShell New-MalwareFilterPolicy -Name "Contoso Malware Filter Policy" -EnableFileFilter $true -EnableInternalSenderAdminNotifications $true -InternalSenderAdminAddress admin@contoso.com
Set-MalwareFilterPolicy -Identity "<PolicyName>" <Settings>
For detailed syntax and parameter information, see [Set-MalwareFilterPolicy](/powershell/module/exchange/set-malwarefilterpolicy).
-> [!NOTE]
-> For detailed instructions to specify the [quarantine policy](quarantine-policies.md) to use in a malware filter policy, see [Use PowerShell to specify the quarantine policy in anti-malware policies](quarantine-policies.md#anti-malware-policies-in-powershell).
+> [!TIP]
+> For detailed instructions to specify the quarantine policy to use in a malware filter policy, see [Use PowerShell to specify the quarantine policy in anti-malware policies](quarantine-policies.md#anti-malware-policies-in-powershell).
### Use PowerShell to modify malware filter rules
security Anti Malware Protection About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-malware-protection-about.md
EOP offers multi-layered malware protection that's designed to catch all known m
In EOP, messages that are found to contain malware in _any_ attachments are quarantined. Whether the recipients can view or otherwise interact with the quarantined messages is controlled by _quarantine policies_. By default, messages that were quarantined due to malware can only be viewed and released by admins. For more information, see the following topics: -- [Quarantine policies](quarantine-policies.md)
+- [Anatomy of a quarantine policy](quarantine-policies.md#anatomy-of-a-quarantine-policy)
+- [EOP anti-malware policy settings](recommended-settings-for-eop-and-office365.md#eop-anti-malware-policy-settings)
- [Manage quarantined messages and files as an admin in EOP](quarantine-admin-manage-messages-files.md). As explained in the next section, anti-malware policies also contain a _common attachments filter_. Message that contain the specified file types are _automatically_ identified as malware. You can choose whether to quarantine or reject the messages.
Anti-malware policies control the settings and notification options for malware
- **Zero-hour auto purge (ZAP) for malware**: ZAP for malware quarantines messages that are found to contain malware _after_ they've been delivered to Exchange Online mailboxes. By default, ZAP for malware is turned on, and we recommend that you leave it on. -- **Quarantine policy**: Select the quarantine policy that applies to messages that are quarantined as malware. Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. By default, recipients don't receive notifications for messages that were quarantined as malware. For more information, see [Quarantine policies](quarantine-policies.md).
+- **Quarantine policy**: Select the quarantine policy that applies to messages that are quarantined as malware. Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. By default, recipients don't receive notifications for messages that were quarantined as malware. For more information, see [Anatomy of a quarantine policy](quarantine-policies.md#anatomy-of-a-quarantine-policy).
- **Admin notifications**: You can specify an additional recipient (an admin) to receive notifications for malware detected in messages from internal or external senders. You can customize the **From address**, **subject**, and **message text** for internal and external notifications.
security Anti Phishing Policies About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-phishing-policies-about.md
The following spoof settings are available in anti-phishing policies in EOP and
- [Manage quarantined messages and files as an admin in Microsoft 365](quarantine-admin-manage-messages-files.md) - [Find and release quarantined messages as a user in Microsoft 365](quarantine-end-user.md)
- If you select **Quarantine the message**, you can also select the quarantine policy that applies to messages that were quarantined by spoof intelligence protection. Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see [Quarantine policies](quarantine-policies.md).
+ If you select **Quarantine the message**, you can also select the quarantine policy that applies to messages that were quarantined by spoof intelligence protection. Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see [Anatomy of a quarantine policy](quarantine-policies.md#anatomy-of-a-quarantine-policy).
### Unauthenticated sender indicators
For detected user impersonation attempts, the following actions are available:
- [Manage quarantined messages and files as an admin in Microsoft 365](manage-quarantined-messages-and-files.md) - [Find and release quarantined messages as a user in Microsoft 365](find-and-release-quarantined-messages-as-a-user.md)
- If you select **Quarantine the message**, you can also select the quarantine policy that applies to messages that are quarantined by user impersonation protection. Quarantine policies define what users are able to do to quarantined messages. For more information, see [Quarantine policies](quarantine-policies.md).
+ If you select **Quarantine the message**, you can also select the quarantine policy that applies to messages that are quarantined by user impersonation protection. Quarantine policies define what users are able to do to quarantined messages. For more information, see [Anatomy of a quarantine policy](quarantine-policies.md#anatomy-of-a-quarantine-policy).
- **Deliver the message and add other addresses to the Bcc line**: Deliver the message to the intended recipients and silently deliver the message to the specified recipients. - **Delete the message before it's delivered**: Silently delete the entire message, including all attachments.
For detected domain impersonation attempts, the following actions are available:
- [Manage quarantined messages and files as an admin in Microsoft 365](manage-quarantined-messages-and-files.md) - [Find and release quarantined messages as a user in Microsoft 365](find-and-release-quarantined-messages-as-a-user.md)
- If you select **Quarantine the message**, you can also select the quarantine policy that applies to messages that are quarantined by domain impersonation protection. Quarantine policies define what users are able to do to quarantined messages. For more information, see [Quarantine policies](quarantine-policies.md).
+ If you select **Quarantine the message**, you can also select the quarantine policy that applies to messages that are quarantined by domain impersonation protection. Quarantine policies define what users are able to do to quarantined messages. For more information, see [Anatomy of a quarantine policy](quarantine-policies.md#anatomy-of-a-quarantine-policy).
- **Deliver the message and add other addresses to the Bcc line**: Deliver the message to the intended recipients and silently deliver the message to the specified recipients. - **Delete the message before it's delivered**: Silently deletes the entire message, including all attachments.
For impersonation attempts detected by mailbox intelligence, the following actio
- **Don't apply any action**: This is the default value. This action has the same result as when **Enable mailbox intelligence** is turned on but **Enable intelligence impersonation protection** is turned off. - **Redirect message to other email addresses** - **Move message to the recipients' Junk Email folders**-- **Quarantine the message**: If you select this action, you can also select the quarantine policy that applies to messages that are quarantined by mailbox intelligence protection. Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see [Quarantine policies](quarantine-policies.md).
+- **Quarantine the message**: If you select this action, you can also select the quarantine policy that applies to messages that are quarantined by mailbox intelligence protection. Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see [Anatomy of a quarantine policy](quarantine-policies.md#anatomy-of-a-quarantine-policy).
- **Deliver the message and add other addresses to the Bcc line** - **Delete the message before it's delivered**
security Anti Phishing Policies Eop Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-phishing-policies-eop-configure.md
Creating a custom anti-phishing policy in the Microsoft 365 Defender portal crea
6. On the **Actions** page that appears, configure the following settings: - **If message is detected as spoof**: This setting is available only if you selected **Enable spoof intelligence** on the previous page. Select one of the following actions in the drop down list for messages from blocked spoofed senders: - **Move message to the recipients' Junk Email folders**
- - **Quarantine the message**: If you select this action, an **Apply quarantine policy** box appears where you select the quarantine policy that applies to messages that are quarantined by spoof intelligence protection. Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see [Quarantine policies](quarantine-policies.md).
+ - **Quarantine the message**: If you select this action, an **Apply quarantine policy** box appears where you select the quarantine policy that applies to messages that are quarantined by spoof intelligence protection. Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see [Anatomy of a quarantine policy](quarantine-policies.md#anatomy-of-a-quarantine-policy).
- A blank **Apply quarantine policy** value means the default quarantine policy is used (DefaultFullAccessPolicy for spoof intelligence detections). When you later edit the anti-phishing policy or view the settings, the default quarantine policy name is shown. For more information about default quarantine policies that are used for spoof intelligence detections, see [EOP anti-phishing policy settings](recommended-settings-for-eop-and-office365.md#eop-anti-phishing-policy-settings).
+ If you don't select a quarantine policy, the default quarantine policy for spoof intelligence detections is used (DefaultFullAccessPolicy). When you later view or edit the anti-phishing policy settings, the quarantine policy name is shown. For more information about default quarantine policies that are used for spoof intelligence detections, see [EOP anti-phishing policy settings](recommended-settings-for-eop-and-office365.md#eop-anti-phishing-policy-settings).
- **Safety tips & indicators**: - **Show first contact safety tip**: For more information, see [First contact safety tip](anti-phishing-policies-about.md#first-contact-safety-tip).
New-AntiPhishPolicy -Name "<PolicyName>" [-AdminDisplayName "<Comments>"] [-Enab
This example creates an anti-phish policy named Research Quarantine with the following settings: - The description is: Research department policy.-- Changes the default action for spoofing detections to Quarantine and uses the default [quarantine policy](quarantine-policies.md) for the quarantined messages (we aren't using the _SpoofQuarantineTag_ parameter).
+- Changes the default action for spoofing detections to Quarantine and uses the default quarantine policy for the quarantined messages (we aren't using the _SpoofQuarantineTag_ parameter).
```powershell New-AntiPhishPolicy -Name "Monitor Policy" -AdminDisplayName "Research department policy" -AuthenticationFailAction Quarantine
New-AntiPhishPolicy -Name "Monitor Policy" -AdminDisplayName "Research departmen
For detailed syntax and parameter information, see [New-AntiPhishPolicy](/powershell/module/exchange/New-AntiPhishPolicy).
-> [!NOTE]
-> For detailed instructions to specify the [quarantine policies](quarantine-policies.md) to use in an anti-phish policy, see [Use PowerShell to specify the quarantine policy in anti-phishing policies](quarantine-policies.md#anti-phishing-policies).
+> [!TIP]
+> For detailed instructions to specify the quarantine policies to use in an anti-phish policy, see [Use PowerShell to specify the quarantine policy in anti-phishing policies](quarantine-policies.md#anti-phishing-policies).
#### Step 2: Use PowerShell to create an anti-phish rule
Set-AntiPhishPolicy -Identity "<PolicyName>" <Settings>
For detailed syntax and parameter information, see [Set-AntiPhishPolicy](/powershell/module/exchange/Set-AntiPhishPolicy).
-> [!NOTE]
-> For detailed instructions to specify the [quarantine policy](quarantine-policies.md) to use in an anti-phish policy, see [Use PowerShell to specify the quarantine policy in anti-phishing policies](quarantine-policies.md#anti-phishing-policies).
+> [!TIP]
+> For detailed instructions to specify the quarantine policy to use in an anti-phish policy, see [Use PowerShell to specify the quarantine policy in anti-phishing policies](quarantine-policies.md#anti-phishing-policies).
### Use PowerShell to modify anti-phish rules
security Anti Phishing Policies Mdo Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-phishing-policies-mdo-configure.md
Creating a custom anti-phishing policy in the Microsoft 365 Defender portal crea
- **Don't apply any action** - **Redirect message to other email addresses** - **Move message to the recipients' Junk Email folders**
- - **Quarantine the message**: If you select this action, an **Apply quarantine policy** box appears where you select the quarantine policy that applies to messages that are quarantined by user impersonation protection. Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see [Quarantine policies](quarantine-policies.md).
+ - **Quarantine the message**: If you select this action, an **Apply quarantine policy** box appears where you select the quarantine policy that applies to messages that are quarantined by user impersonation protection. Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information about quarantine policies, see [Anatomy of a quarantine policy](quarantine-policies.md#anatomy-of-a-quarantine-policy).
- A blank **Apply quarantine policy** value means the default quarantine policy is used (DefaultFullAccessPolicy for user impersonation detections). When you later edit the anti-phishing policy or view the settings, the default quarantine policy name is shown.
+ If you don't select a quarantine policy, the default quarantine policy for user impersonation detections is used (DefaultFullAccessPolicy). When you later view or edit the anti-phishing policy settings, the quarantine policy name is shown.
- **Deliver the message and add other addresses to the Bcc line** - **Delete the message before it's delivered**
Creating a custom anti-phishing policy in the Microsoft 365 Defender portal crea
- **Move message to the recipients' Junk Email folders** - **Quarantine the message**: If you select this action, an **Apply quarantine policy** box appears where you select the quarantine policy that applies to messages that are quarantined by domain impersonation protection.
- A blank **Apply quarantine policy** value means the default quarantine policy is used (DefaultFullAccessPolicy for domain impersonation detections). When you later edit the anti-phishing policy or view the settings, the default quarantine policy name is shown.
+ If you don't select a quarantine policy, the default quarantine policy for domain impersonation detections is used (DefaultFullAccessPolicy). When you later view or edit the anti-phishing policy settings, the quarantine policy name is shown.
- **Deliver the message and add other addresses to the Bcc line** - **Delete the message before it's delivered**
Creating a custom anti-phishing policy in the Microsoft 365 Defender portal crea
- **Don't apply any action** - **Redirect message to other email addresses** - **Move message to the recipients' Junk Email folders**
- - **Quarantine the message**: If you select this action, an **Apply quarantine policy** box appears where you select the quarantine policy that applies to messages that are quarantined by mailbox intelligence protection. Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see [Quarantine policies](quarantine-policies.md).
+ - **Quarantine the message**: If you select this action, an **Apply quarantine policy** box appears where you select the quarantine policy that applies to messages that are quarantined by mailbox intelligence protection. Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information about quarantine policies, see [Anatomy of a quarantine policy](quarantine-policies.md#anatomy-of-a-quarantine-policy).
- A blank **Apply quarantine policy** value means the default quarantine policy is used (DefaultFullAccessPolicy for mailbox intelligence detections). When you later edit the anti-phishing policy or view the settings, the default quarantine policy name is shown.
+ If you don't select a quarantine policy, the default quarantine policy for mailbox intelligence detections is used (DefaultFullAccessPolicy). When you later view or edit the anti-phishing policy settings, the quarantine policy name is shown.
- **Deliver the message and add other addresses to the Bcc line** - **Delete the message before it's delivered** - **If message is detected as spoof**: This setting is available only if you selected **Enable spoof intelligence** on the previous page. Select one of the following actions in the drop down list for messages from blocked spoofed senders: - **Move message to the recipients' Junk Email folders**
- - **Quarantine the message**: If you select this action, an **Apply quarantine policy** box appears where you select the quarantine policy that applies to messages that are quarantined by spoof intelligence protection. Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see [Quarantine policies](quarantine-policies.md).
+ - **Quarantine the message**: If you select this action, an **Apply quarantine policy** box appears where you select the quarantine policy that applies to messages that are quarantined by spoof intelligence protection. Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information about quarantine policies, see [Anatomy of a quarantine policy](quarantine-policies.md#anatomy-of-a-quarantine-policy).
- A blank **Apply quarantine policy** value means the default quarantine policy is used (DefaultFullAccessPolicy for spoof intelligence detections). When you later edit the anti-phishing policy or view the settings, the default quarantine policy name is shown.
+ If you don't select a quarantine policy, the default quarantine policy for spoof intelligence detections is used (DefaultFullAccessPolicy). When you later view or edit the anti-phishing policy settings, the quarantine policy name is shown.
- **Safety tips & indicators**: Configure the following settings: - **Show first contact safety tip**: For more information, see [First contact safety tip](anti-phishing-policies-about.md#first-contact-safety-tip).
This example creates an anti-phish policy named Research Quarantine with the fol
- The policy is enabled (we aren't using the _Enabled_ parameter, and the default value is `$true`). - The description is: Research department policy.-- Changes the default action for spoofing detections to Quarantine, and uses the default [quarantine policy](quarantine-policies.md) for the quarantined messages (we aren't using the _SpoofQuarantineTag_ parameter).
+- Changes the default action for spoofing detections to Quarantine, and uses the default quarantine policy for the quarantined messages (we aren't using the _SpoofQuarantineTag_ parameter).
- Enables organization domains protection for all accepted domains, and targeted domains protection for fabrikam.com.-- Specifies Quarantine as the action for domain impersonation detections, and uses the default [quarantine policy](quarantine-policies.md) for the quarantined messages (we aren't using the _TargetedDomainQuarantineTag_ parameter).
+- Specifies Quarantine as the action for domain impersonation detections, and uses the default quarantine policy for the quarantined messages (we aren't using the _TargetedDomainQuarantineTag_ parameter).
- Specifies Mai Fujito (mfujito@fabrikam.com) as the user to protect from impersonation.-- Specifies Quarantine as the action for user impersonation detections, and uses the default [quarantine policy](quarantine-policies.md) for the quarantined messages (we aren't using the _TargetedUserQuarantineTag_ parameter).-- Enables mailbox intelligence (_EnableMailboxIntelligence_), allows mailbox intelligence protection to take action on messages (_EnableMailboxIntelligenceProtection_), specifies Quarantine as the action for detected messages, and uses the default [quarantine policy](quarantine-policies.md) for the quarantined messages (we aren't using the _MailboxIntelligenceQuarantineTag_ parameter).
+- Specifies Quarantine as the action for user impersonation detections, and uses the default quarantine policy for the quarantined messages (we aren't using the _TargetedUserQuarantineTag_ parameter).
+- Enables mailbox intelligence (_EnableMailboxIntelligence_), allows mailbox intelligence protection to take action on messages (_EnableMailboxIntelligenceProtection_), specifies Quarantine as the action for detected messages, and uses the default quarantine policy for the quarantined messages (we aren't using the _MailboxIntelligenceQuarantineTag_ parameter).
- Enables all safety tips. ```powershell
New-AntiPhishPolicy -Name "Monitor Policy" -AdminDisplayName "Research departmen
For detailed syntax and parameter information, see [New-AntiPhishPolicy](/powershell/module/exchange/New-AntiPhishPolicy).
-> [!NOTE]
-> For detailed instructions to specify the [quarantine policies](quarantine-policies.md) to use in an anti-phish policy, see [Use PowerShell to specify the quarantine policy in anti-phishing policies](quarantine-policies.md#anti-phishing-policies).
+> [!TIP]
+> For detailed instructions to specify the quarantine policies to use in an anti-phish policy, see [Use PowerShell to specify the quarantine policy in anti-phishing policies](quarantine-policies.md#anti-phishing-policies).
#### Step 2: Use PowerShell to create an anti-phish rule
Set-AntiPhishPolicy -Identity "<PolicyName>" <Settings>
For detailed syntax and parameter information, see [Set-AntiPhishPolicy](/powershell/module/exchange/Set-AntiPhishPolicy).
-> [!NOTE]
-> For detailed instructions to specify the [quarantine policies](quarantine-policies.md) to use in an anti-phish policy, see [Use PowerShell to specify the quarantine policy in anti-phishing policies](quarantine-policies.md#anti-phishing-policies).
+> [!TIP]
+> For detailed instructions to specify the quarantine policies to use in an anti-phish policy, see [Use PowerShell to specify the quarantine policy in anti-phishing policies](quarantine-policies.md#anti-phishing-policies).
### Use PowerShell to modify anti-phish rules
security Anti Spam Policies Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-spam-policies-configure.md
Creating a custom anti-spam policy in the Microsoft 365 Defender portal creates
|Action|Spam|High<br>confidence<br>spam|Phishing|High<br>confidence<br>phishing|Bulk| ||::|::|::|::|::|
- |**Move message to Junk Email folder**: The message is delivered to the mailbox and moved to the Junk Email folder.<sup>1,4</sup>|Γ£ö<sup>\*</sup>|Γ£ö<sup>\*</sup>|Γ£ö||Γ£ö<sup>\*</sup>|
- |**Add X-header**: Adds an X-header to the message header and delivers the message to the mailbox. <p> You enter the X-header field name (not the value) later in the **Add this X-header text** box. <p> For **Spam** and **High confidence spam** verdicts, the message is moved to the Junk Email folder.<sup>1,2</sup>|Γ£ö|Γ£ö|Γ£ö||Γ£ö|
- |**Prepend subject line with text**: Adds text to the beginning of the message's subject line. The message is delivered to the mailbox and moved to the Junk email folder.<sup>1,2</sup> <p> You enter the text later in the **Prefix subject line with this text** box.|Γ£ö|Γ£ö|Γ£ö||Γ£ö|
- |**Redirect message to email address**: Sends the message to other recipients instead of the intended recipients. <p> You specify the recipients later in the **Redirect to this email address** box.|Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|
+ |**Move message to Junk Email folder**: The message is delivered to the mailbox and moved to the Junk Email folder.¹ ⁴|✔<sup>\*</sup>|✔<sup>\*</sup>|✔||✔<sup>\*</sup>|
+ |**Add X-header**: Adds an X-header to the message header and delivers the message to the mailbox. <br/><br/> You enter the X-header field name (not the value) later in the **Add this X-header text** box. <br/><br/> For **Spam** and **High confidence spam** verdicts, the message is moved to the Junk Email folder.┬╣ ┬▓|Γ£ö|Γ£ö|Γ£ö||Γ£ö|
+ |**Prepend subject line with text**: Adds text to the beginning of the message's subject line. The message is delivered to the mailbox and moved to the Junk email folder.┬╣ ┬▓ <br/><br/> You enter the text later in the **Prefix subject line with this text** box.|Γ£ö|Γ£ö|Γ£ö||Γ£ö|
+ |**Redirect message to email address**: Sends the message to other recipients instead of the intended recipients. <br/><br/> You specify the recipients later in the **Redirect to this email address** box.|Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|
|**Delete message**: Silently deletes the entire message, including all attachments.|Γ£ö|Γ£ö|Γ£ö||Γ£ö|
- |**Quarantine message**: Sends the message to quarantine instead of the intended recipients. <p> You specify how long the message should be held in quarantine later in the **Quarantine** box. <p> You specify the [quarantine policy](quarantine-policies.md) that applies to quarantined messages for the spam filter verdict in the **Select a policy** box that appears. Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see [Quarantine policies](quarantine-policies.md).<sup>3</sup>|Γ£ö|Γ£ö|Γ£ö<sup>\*</sup>|Γ£ö<sup>\*</sup>|Γ£ö|
+ |**Quarantine message**: Sends the message to quarantine instead of the intended recipients. <br/><br/> You select or use the default _quarantine policy_ for the spam filtering verdict in the **Select quarantine policy** box that appears.³ ⁵ Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see [Anatomy of a quarantine policy](quarantine-policies.md#anatomy-of-a-quarantine-policy). <br/><br/> You specify how long the messages are held in quarantine in the **Retain spam in quarantine for this many days** box.|✔|✔|✔<sup>\*</sup>|✔<sup>\*</sup>|✔|
|**No action**|||||Γ£ö|
- > <sup>1</sup> EOP now uses its own mail flow delivery agent to route messages to the Junk Email folder instead of using the junk email rule in the mailbox. The _Enabled_ parameter on the **Set-MailboxJunkEmailConfiguration** cmdlet no longer has any effect on mail flow. For more information, see [Configure junk email settings on Exchange Online mailboxes](configure-junk-email-settings-on-exo-mailboxes.md).
- >
- > In hybrid environments where EOP protects on-premises Exchange mailboxes, you need to configure mail flow rules (also known as transport rules) in on-premises Exchange. These mail flow rules translate the EOP spam filtering verdict so the junk email rule in the mailbox can move the message to the Junk Email folder. For details, see [Configure EOP to deliver spam to the Junk Email folder in hybrid environments](/exchange/standalone-eop/configure-eop-spam-protection-hybrid).
- >
- > <sup>2</sup> You can this use value as a condition in mail flow rules to filter or route the message.
- >
- > <sup>3</sup> A blank **Select quarantine policy** value means the default quarantine policy for that particular verdict is used. When you later edit the anti-spam policy or view the settings, the actual quarantine policy name is shown. For more information about default quarantine policies that are used for spam filter verdicts, see [EOP anti-spam policy settings](recommended-settings-for-eop-and-office365.md#eop-anti-spam-policy-settings).
- >
- > <sup>4</sup> For **High confidence phishing**, the action **Move message to Junk Email folder** has effectively been deprecated. Although you might be able to select **Move message to Junk Email folder**, high confidence phishing messages are always quarantined (equivalent to selecting **Quarantine message**).
- >
- > Regardless of the settings in the quarantine policy, users can't release their own messages that were quarantined as high confidence phishing. At best, admins can configure the quarantine policy so users can request the release of their quarantined high confidence phishing messages.
+ ┬╣ EOP uses its own mail flow delivery agent to route messages to the Junk Email folder instead of using the junk email rule in the mailbox. The _Enabled_ parameter on the **Set-MailboxJunkEmailConfiguration** cmdlet no longer has any effect on mail flow. For more information, see [Configure junk email settings on Exchange Online mailboxes](configure-junk-email-settings-on-exo-mailboxes.md).
+
+ In hybrid environments where EOP protects on-premises Exchange mailboxes, you need to configure mail flow rules (also known as transport rules) in on-premises Exchange. These mail flow rules translate the EOP spam filtering verdict so the junk email rule in the mailbox can move the message to the Junk Email folder. For details, see [Configure EOP to deliver spam to the Junk Email folder in hybrid environments](/exchange/standalone-eop/configure-eop-spam-protection-hybrid).
+
+ ┬▓ You can this use value as a condition in mail flow rules to filter or route the message.
+
+ ┬│ If the spam filtering verdict quarantines messages by default (**Quarantine message** is already selected when you get to the page), the default quarantine policy name is shown in the **Select quarantine policy** box. If you _change_ the action of a spam filtering verdict to **Quarantine message**, the **Select quarantine policy** box is blank by default. A blank value means the default quarantine policy for that verdict is used. When you later view or edit the anti-spam policy settings, the quarantine policy name is shown. For more information about the quarantine policies that are used by default for spam filter verdicts, see [EOP anti-spam policy settings](recommended-settings-for-eop-and-office365.md#eop-anti-spam-policy-settings).
+
+ ⁴ For **High confidence phishing**, the **Move message to Junk Email folder** action has effectively been deprecated. Although you might be able to select **Move message to Junk Email folder**, high confidence phishing messages are always quarantined (equivalent to selecting **Quarantine message**).
+
+ ⁵ Users can't release their own messages that were quarantined as high confidence phishing by anti-spam policies, regardless of how the quarantine policy is configured. At best, admins can create and configure a quarantine policy so users can view and _request_ the release of quarantined high confidence phishing messages, although we typically don't recommend it.
- **Retain spam in quarantine for this many days**: Specifies how long to keep the message in quarantine if you selected **Quarantine message** as the action for a spam filtering verdict. After the time period expires, the message is deleted, and is not recoverable. A valid value is from 1 to 30 days.
Creating a custom anti-spam policy in the Microsoft 365 Defender portal creates
> > This setting also controls how long messages that were quarantined by **anti-phishing** policies are retained. For more information, see [Quarantined messages in EOP and Defender for Office 365](quarantine-about.md).
- - **Add this X-header text**: This box is required and available only if you selected **Add X-header** as the action for a spam filtering verdict. The value you specify is the header field *name* that's added to the message header. The header field *value* is always `This message appears to be spam`.
+ - **Add this X-header text**: This box is required and available only if you selected **Add X-header** as the action for a spam filtering verdict. The value you specify is the header field _name_ that's added to the message header. The header field _value_ is always `This message appears to be spam`.
The maximum length is 255 characters, and the value can't contain spaces or colons (:).
Creating a custom anti-spam policy in the Microsoft 365 Defender portal creates
- **Enable ZAP for spam messages**: By default, ZAP is enabled for spam detections, but you can disable it by clearing the checkbox. > [!NOTE]
- > End-user spam notifications have been replaced by _quarantine notifications_ in quarantine policies. Quarantine notifications contain information about quarantined messages for all supported protection features (not just anti-spam policy and anti-phishing policy verdicts). For more information, see [Quarantine policies](quarantine-policies.md).
+ > End-user spam notifications have been replaced by _quarantine notifications_ in quarantine policies. Quarantine notifications contain information about quarantined messages for all supported protection features (not just anti-spam policy and anti-phishing policy verdicts). For more information, see [Anatomy of a quarantine policy](quarantine-policies.md#anatomy-of-a-quarantine-policy).
When you're finished, click **Next**.
New-HostedContentFilterPolicy -Name "<PolicyName>" [-AdminDisplayName "<Comments
This example creates a spam filter policy named Contoso Executives with the following settings: -- Quarantine messages when the spam filtering verdict is spam or high confidence spam, and use the default [quarantine policy](quarantine-policies.md) for the quarantined messages (we aren't using the _SpamQuarantineTag_ or _HighConfidenceSpamQuarantineTag_ parameters).
+- Quarantine messages when the spam filtering verdict is spam or high confidence spam, and use the default quarantine policy for the quarantined messages (we aren't using the _SpamQuarantineTag_ or _HighConfidenceSpamQuarantineTag_ parameters).
- BCL 7, 8, or 9 triggers the action for a bulk email spam filtering verdict. ```PowerShell
New-HostedContentFilterPolicy -Name "Contoso Executives" -HighConfidenceSpamActi
For detailed syntax and parameter information, see [New-HostedContentFilterPolicy](/powershell/module/exchange/new-hostedcontentfilterpolicy).
-> [!NOTE]
-> For detailed instructions to specify the [quarantine policy](quarantine-policies.md) to use in a spam filter policy, see [Use PowerShell to specify the quarantine policy in anti-spam policies](quarantine-policies.md#anti-spam-policies-in-powershell).
+> [!TIP]
+> For detailed instructions to specify the quarantine policy to use in a spam filter policy, see [Use PowerShell to specify the quarantine policy in anti-spam policies](quarantine-policies.md#anti-spam-policies-in-powershell).
#### Step 2: Use PowerShell to create a spam filter rule
Set-HostedContentFilterPolicy -Identity "<PolicyName>" <Settings>
For detailed syntax and parameter information, see [Set-HostedContentFilterPolicy](/powershell/module/exchange/set-hostedcontentfilterpolicy).
-> [!NOTE]
-> For detailed instructions to specify the [quarantine policy](quarantine-policies.md) to use in a spam filter policy, see [Use PowerShell to specify the quarantine policy in anti-spam policies](quarantine-policies.md#anti-spam-policies-in-powershell).
+> [!TIP]
+> For detailed instructions to specify the quarantine policy to use in a spam filter policy, see [Use PowerShell to specify the quarantine policy in anti-spam policies](quarantine-policies.md#anti-spam-policies-in-powershell).
### Use PowerShell to modify spam filter rules
security Anti Spam Protection About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-spam-protection-about.md
The anti-spam settings in EOP are made of the following technologies:
- **Connection filtering**: Identifies good and bad email source servers early in the inbound email connection via the IP Allow List, IP Block List, and the *safe list* (a dynamic but non-editable list of trusted senders maintained by Microsoft). You configure these settings in the connection filter policy. Learn more at [Configure connection filtering](connection-filter-policies-configure.md). -- **Spam filtering (content filtering)**: EOP uses the spam filtering verdicts **Spam**, **High confidence spam**, **Bulk email**, **Phishing email** and **High confidence phishing email** to classify messages. You can configure the actions to take based on these verdicts, and you can configure what users are allowed to do to quarantined messages and whether user receive quarantine notifications by using [quarantine policies](quarantine-policies.md). For more information, see [Configure anti-spam policies in Microsoft 365](anti-spam-policies-configure.md).
+- **Spam filtering (content filtering)**: EOP uses the spam filtering verdicts **Spam**, **High confidence spam**, **Bulk email**, **Phishing email** and **High confidence phishing email** to classify messages. You can configure the actions to take based on these verdicts, and you can configure what users are allowed to do to quarantined messages and whether user receive quarantine notifications by using [quarantine policies](quarantine-policies.md#anatomy-of-a-quarantine-policy). For more information, see [Configure anti-spam policies in Microsoft 365](anti-spam-policies-configure.md).
> [!NOTE] > By default, spam filtering is configured to send messages that were marked as spam to the recipient's Junk Email folder. However, in hybrid environments where EOP protects on-premises Exchange mailboxes, you need to configure two mail flow rules (also known as transport rules) in your on-premises Exchange organization to recognize the EOP spam headers that are added to messages. For details, see [Configure EOP to deliver spam to the Junk Email folder in hybrid environments](/exchange/standalone-eop/configure-eop-spam-protection-hybrid).
security Eop About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/eop-about.md
To understand how EOP works, it helps to see how it processes incoming email:
1. When an incoming message enters EOP, it initially passes through connection filtering, which checks the sender's reputation. The majority of spam is stopped at this point and rejected by EOP. For more information, see [Configure connection filtering](connection-filter-policies-configure.md).
-2. Then the message is inspected for malware. If malware is found in the message or the attachment(s) the message is delivered to quarantine. By default, only admins can view and interact with malware quarantined messages. But, admins can create and use [quarantine policies](quarantine-policies.md) to specify what users are allowed to do to quarantined messages. To learn more about malware protection, see [Anti-malware protection in EOP](anti-malware-protection-about.md).
+2. Then the message is inspected for malware. If malware is found in the message or the attachment(s) the message is delivered to quarantine. By default, only admins can view and interact with malware quarantined messages. But, admins can create and use [quarantine policies](quarantine-policies.md#anatomy-of-a-quarantine-policy) to specify what users are allowed to do to quarantined messages. To learn more about malware protection, see [Anti-malware protection in EOP](anti-malware-protection-about.md).
3. The message continues through policy filtering, where it's evaluated against any mail flow rules (also known as transport rules) that you've created. For example, a rule can send a notification to a manager when a message arrives from a specific sender. In on-premises organization with Exchange Enterprise CAL with Services licenses, [Microsoft Purview data loss prevention (DLP)](/exchange/security-and-compliance/data-loss-prevention/data-loss-prevention) checks in EOP also happen at this point.
-4. The message passes through content filtering (anti-spam and anti-spoofing) where harmful messages are identified as spam, high confidence spam, phishing, high confidence phishing, or bulk (anti-spam policies) or spoofing (spoof settings in anti-phishing policies). You can configure the action to take on the message based on the filtering verdict (quarantine, move to the Junk Email folder, etc.), and what users can do to the quarantined messages using [quarantine policies](quarantine-policies.md). For more information, see [Configure anti-spam policies](anti-spam-policies-configure.md) and [Configure anti-phishing policies in EOP](anti-phishing-policies-eop-configure.md).
+4. The message passes through content filtering (anti-spam and anti-spoofing) where harmful messages are identified as spam, high confidence spam, phishing, high confidence phishing, or bulk (anti-spam policies) or spoofing (spoof settings in anti-phishing policies). You can configure the action to take on the message based on the filtering verdict (quarantine, move to the Junk Email folder, etc.), and what users can do to the quarantined messages using [quarantine policies](quarantine-policies.md#anatomy-of-a-quarantine-policy). For more information, see [Configure anti-spam policies](anti-spam-policies-configure.md) and [Configure anti-phishing policies in EOP](anti-phishing-policies-eop-configure.md).
A message that successfully passes all of these protection layers is delivered to the recipients.
security Preset Security Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/preset-security-policies.md
You can apply EOP protections to different users than Defender for Office 365 pr
### Policy settings in preset security policies
-You can't modify the policy settings in the protection profiles. The **Standard**, **Strict**, and **Built-in protection** policy setting values, including the default [quarantine policies](quarantine-policies.md) that are used, are listed in [Recommended settings for EOP and Microsoft Defender for Office 365 security](recommended-settings-for-eop-and-office365.md).
+You can't modify the policy settings in the protection profiles. The **Standard**, **Strict**, and **Built-in protection** policy setting values, including the [quarantine policies](quarantine-policies.md#anatomy-of-a-quarantine-policy), are listed in [Recommended settings for EOP and Microsoft Defender for Office 365 security](recommended-settings-for-eop-and-office365.md).
> [!NOTE] > In Defender for Office 365 protections, you need to identify the senders for [user impersonation protection](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365) and the internal or external domains for [domain impersonation protection](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365).
security Protect Against Threats https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/protect-against-threats.md
audience: Admin ms.localizationpriority: medium Previously updated : 3/2/2023 Last updated : 4/5/2023 search.appverid: - MOE150 - MET150
For more information about the recommended settings for anti-malware, see [EOP a
- **Protection settings** section: - **Enable the common attachments filter**: Select (turn on). Click **Customize file types** to add more file types. - **Enable zero-hour auto purge for malware**: Verify this setting is selected. For more information about ZAP for malware, see [Zero-hour auto purge (ZAP) for malware](zero-hour-auto-purge.md#zero-hour-auto-purge-zap-for-malware).
- - **Quarantine policy**: Leave the default value AdminOnlyAccessPolicy selected. Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see [Quarantine policies](quarantine-policies.md).
+ - **Quarantine policy**: Leave the default value AdminOnlyAccessPolicy selected. Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see [Anatomy of a quarantine policy](quarantine-policies.md#anatomy-of-a-quarantine-policy).
- **Notification** section: Verify that none of the notification settings are selected. When you're finished, click **Save**.
The following procedure describes how to configure the default anti-phishing pol
- **Actions** section: Click **Edit actions** and configure the following settings in the flyout that opens: - **Message actions** section: Configure the following settings:
- - **If message is detected as an impersonated user**<sup>\*</sup>: Select **Quarantine the message**. An **Apply quarantine policy** box appears where you select the [quarantine policy](quarantine-policies.md) that applies to messages that are quarantined by user impersonation protection.
- - **If message is detected as an impersonated domain**<sup>\*</sup>: Select **Quarantine the message**. An **Apply quarantine policy** box appears where you select the [quarantine policy](quarantine-policies.md) that applies to messages that are quarantined by domain impersonation protection.
- - **If mailbox intelligence detects an impersonated user**<sup>\*</sup>: Select **Move message to the recipients' Junk Email folders** (Standard) or **Quarantine the message** (Strict). If you select **Quarantine the message**, an **Apply quarantine policy** box appears where you select the [quarantine policy](quarantine-policies.md) that applies to messages that are quarantined by mailbox intelligence protection.
- - **If message is detected as spoof**: Select **Move message to the recipients' Junk Email folders** (Standard) or **Quarantine the message** (Strict). If you select **Quarantine the message**, an **Apply quarantine policy** box appears where you select the [quarantine policy](quarantine-policies.md) that applies to messages that are quarantined by spoof intelligence protection.
+ - **If message is detected as an impersonated user**<sup>\*</sup>: Select **Quarantine the message**. Select nothing in the **Apply quarantine policy** box that appears to use the default [quarantine policy](quarantine-policies.md#anatomy-of-a-quarantine-policy) that applies to messages that are quarantined by user impersonation protection.
+ - **If message is detected as an impersonated domain**<sup>\*</sup>: Select nothing in the **Apply quarantine policy** box that appears to use the default [quarantine policy](quarantine-policies.md#anatomy-of-a-quarantine-policy) that applies to messages that are quarantined by user domain impersonation protection.
+ - **If mailbox intelligence detects an impersonated user**<sup>\*</sup>: Select **Move message to the recipients' Junk Email folders** (Standard) or **Quarantine the message** (Strict). Select nothing in the **Apply quarantine policy** box that appears to use the default [quarantine policy](quarantine-policies.md#anatomy-of-a-quarantine-policy) that applies to messages that are quarantined by mailbox intelligence protection.
+ - **If message is detected as spoof**: Select **Move message to the recipients' Junk Email folders** (Standard) or **Quarantine the message** (Strict). Select nothing in the **Apply quarantine policy** box that appears to use the default [quarantine policy](quarantine-policies.md#anatomy-of-a-quarantine-policy) that applies to messages that are quarantined by spoof intelligence protection.
- **Safety tips & indicators** section: Configure the following settings: - **Show first contact safety tip**: Select (turn on). - **Show user impersonation safety tip**<sup>\*</sup>: Select (turn on).
For more information about the recommended settings for anti-spam, see [EOP anti
- **High confidence phishing**: Verify **Quarantine messages** is selected. - **Bulk**: Verify **Move message to Junk Email folder** is selected (Standard) or select **Quarantine message** (Strict).
- For each action where you select **Quarantine message**, a **Select quarantine policy** box appears where you select the [quarantine policy](quarantine-policies.md) that applies to messages that are quarantined by anti-spam protection.
+ For each action where you select **Quarantine message**, leave the default value in the **Select quarantine policy** box that appears (including blank values) to use the default [quarantine policy](quarantine-policies.md#anatomy-of-a-quarantine-policy) that applies to messages that are quarantined by anti-spam protection.
- **Retain spam in quarantine for this many days**: Verify the value **30** days. - **Enable spam safety tips**: Verify this setting is selected (turned on).
For more information about the recommended settings for Safe Attachments, see .[
- **Users and domains** page: Because this is your first policy and you likely want to maximize coverage, consider entering your [accepted domains](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains) in the **Domains** box. Otherwise, you can use the **Users** and **Groups** boxes for more granular control. You can specify exceptions by selecting **Exclude these users, groups, and domains** and entering values. - **Settings** page: - **Safe Attachments unknown malware response**: Select **Block**.
- - **Quarantine policy**: The default value is blank, which means the default AdminOnlyAccessPolicy policy is used. Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see [Quarantine policies](quarantine-policies.md).
+ - **Quarantine policy**: The default value is blank, which means the default AdminOnlyAccessPolicy policy is used. Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see [Anatomy of a quarantine policy](quarantine-policies.md#anatomy-of-a-quarantine-policy).
- **Redirect attachment with detected attachments** : **Enable redirect**: Turn this setting on (select) and enter an email address to receive detected messages. - **Apply the Safe Attachments detection response if scanning can't complete (timeout or errors)**: Verify this setting is selected.
security Quarantine About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/quarantine-about.md
By default, anti-spam policies quarantine phishing and high confidence phishing
Both users and admins can work with quarantined messages: -- _Quarantine policies_ define what users are allowed to do or not do to quarantined messages based on why the message was quarantined for [supported features](quarantine-policies.md#step-2-assign-a-quarantine-policy-to-supported-features). Default quarantine policies enforce the historical capabilities for the security feature that quarantined the message as described in the table [here](quarantine-end-user.md). The default quarantine policies that are used by supported security features are described in [Recommended settings for EOP and Microsoft Defender for Office 365 security](recommended-settings-for-eop-and-office365.md). Admins can create and apply custom quarantine policies that define less restrictive or more restrictive capabilities for users, and also turn on quarantine notifications. For more information, see [Quarantine policies](quarantine-policies.md).
+- _Quarantine policies_ define what users are allowed to do or not do to quarantined messages based on why the message was quarantined for [supported features](quarantine-policies.md#step-2-assign-a-quarantine-policy-to-supported-features). Default quarantine policies enforce the historical capabilities for the security feature that quarantined the message as described in the table [here](quarantine-end-user.md). The default quarantine policies that are used by supported security features are described in [Recommended settings for EOP and Microsoft Defender for Office 365 security](recommended-settings-for-eop-and-office365.md). Admins can create and apply custom quarantine policies that define less restrictive or more restrictive capabilities for users, and also turn on quarantine notifications. For more information, see [Create quarantine policies](quarantine-policies.md#step-1-create-quarantine-policies-in-the-microsoft-365-defender-portal).
- Admins can work with all types of quarantined messages for all users. By default, only admins can work with messages that were quarantined as malware, high confidence phishing, or as a result of mail flow rules (also known as transport rules). For more information, see [Manage quarantined messages and files as an admin in EOP](quarantine-admin-manage-messages-files.md). - By default, users can work with quarantined messages where they are a recipient and the message was quarantined as spam, bulk email, or phishing (not high confidence phishing). For more information, see [Find and release quarantined messages as a user in EOP](quarantine-end-user.md).
- To prevent users from managing their own quarantined phishing (not high confidence phishing) messages, admins can assign a quarantine policy that denies access to quarantined messages from the **Phishing email** filtering verdict in anti-spam policies. For more information, see [Assign quarantine policies in anti-spam policies](quarantine-policies.md#anti-spam-policies)[Quarantine policies](quarantine-policies.md).
+ To prevent users from managing their own quarantined phishing (not high confidence phishing) messages, admins can assign a quarantine policy that denies access to quarantined messages from the **Phishing email** filtering verdict in anti-spam policies. For more information, see [Assign quarantine policies in anti-spam policies](quarantine-policies.md#anti-spam-policies).
- Admins can report false positives to Microsoft from quarantine. For more information, see [Take action on quarantined email](quarantine-admin-manage-messages-files.md#take-action-on-quarantined-email) and [Take action on quarantined files](quarantine-admin-manage-messages-files.md#take-action-on-quarantined-files).
security Quarantine Admin Manage Messages Files https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/quarantine-admin-manage-messages-files.md
In Microsoft 365 organizations with mailboxes in Exchange Online or standalone E
Admins can view, release, and delete all types of quarantined messages for all users. Admins can also report false positives to Microsoft.
-By default, only admins can manage messages that were quarantined as malware, high confidence phishing, or as a result of mail flow rules (also known as transport rules). But admins can use _quarantine policies_ to define what users are allowed to do to quarantined messages based on why the message was quarantined (for supported features). For more information, see [Quarantine policies](quarantine-policies.md).
+By default, only admins can manage messages that were quarantined as malware, high confidence phishing, or as a result of mail flow rules (also known as transport rules). But admins can use _quarantine policies_ to define what users are allowed to do to quarantined messages based on why the message was quarantined (for supported features). For more information, see [Anatomy of a quarantine policy](quarantine-policies.md#anatomy-of-a-quarantine-policy).
Admins in organizations with Microsoft Defender for Office 365 can also manage files that were quarantined by [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](safe-attachments-for-spo-odfb-teams-about.md) and [Zero-hour auto purge](zero-hour-auto-purge.md#zero-hour-auto-purge-zap-in-microsoft-teams).
security Quarantine End User https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/quarantine-end-user.md
As an ordinary user (not an admin), the **default** capabilities that are availa
|**Mail flow rules (transport rules)**|||| |&nbsp;&nbsp;&nbsp;Mail flow rules that quarantine email messages.||||
-_Quarantine policies_ define what users are allowed to do to quarantined messages based on why the message was quarantined in [supported features](quarantine-policies.md#step-2-assign-a-quarantine-policy-to-supported-features). Default quarantine policies enforce the historical capabilities for messages that were quarantined by the security feature as described in the previous table. Admins can create and apply custom quarantine policies that define less restrictive or more restrictive capabilities for users in supported features. For more information, see [Quarantine policies](quarantine-policies.md).
+_Quarantine policies_ define what users are allowed to do to quarantined messages based on why the message was quarantined in [supported features](quarantine-policies.md#step-2-assign-a-quarantine-policy-to-supported-features). Default quarantine policies enforce the historical capabilities for messages that were quarantined by the security feature as described in the previous table. Admins can create and apply custom quarantine policies that define less restrictive or more restrictive capabilities for users in supported features. For more information, see [Anatomy of a quarantine policy](quarantine-policies.md#anatomy-of-a-quarantine-policy).
You view and manage your quarantined messages in the Microsoft 365 Defender portal or (if an admin has set this up) quarantine notifications from quarantine policies.
You view and manage your quarantined messages in the Microsoft 365 Defender port
## View your quarantined messages > [!NOTE]
-> Your ability to view quarantined messages is controlled by the [quarantine policy](quarantine-policies.md) that applies to the reason why the message was quarantined (which might be the default quarantine policy as described in [Recommended settings for EOP and Microsoft Defender for Office 365 security](recommended-settings-for-eop-and-office365.md)).
+> Your ability to view quarantined messages is controlled by the quarantine policy that applies to the reason why the message was quarantined (which might be the default quarantine policy as described in [Recommended settings for EOP and Microsoft Defender for Office 365 security](recommended-settings-for-eop-and-office365.md)).
1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Review** \> **Quarantine**. To go directly to the **Quarantine** page, use <https://security.microsoft.com/quarantine>.
To take action on the message, see the next section.
### Take action on quarantined email > [!NOTE]
-> Your ability to view quarantined messages is controlled by the [quarantine policy](quarantine-policies.md) that applies to the reason why the message was quarantined (which might be the default quarantine policy as described in [Recommended settings for EOP and Microsoft Defender for Office 365 security](recommended-settings-for-eop-and-office365.md)). This section describes all available actions.
+> Your ability to view quarantined messages is controlled by the quarantine policy that applies to the reason why the message was quarantined (which might be the default quarantine policy as described in [Recommended settings for EOP and Microsoft Defender for Office 365 security](recommended-settings-for-eop-and-office365.md)). This section describes all available actions.
After you select a quarantined message from the list, the following actions are available in the details flyout:
security Quarantine Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/quarantine-policies.md
description: Admins can learn how to use quarantine policies to control what users are able to do to quarantined messages. Previously updated : 3/3/2023 Last updated : 4/5/2023 # Quarantine policies
Last updated 3/3/2023
- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md) - [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
-Quarantine policies (formerly known as _quarantine tags_) in Exchange Online Protection (EOP) and Microsoft Defender for Office 365 allow admins to control what users are able to do to quarantined messages based on why the message was quarantined.
+In Exchange Online Protection (EOP) and Microsoft Defender for Office 365, _quarantine policies_ allow admins to define the user experience for quarantined messages:
-Traditionally, users have been allowed or denied levels of interactivity for quarantine messages based on why the message was quarantined. For example, users can view and release messages that were quarantined by anti-spam filtering as spam or bulk, but they can't view or release messages that were quarantined as high confidence phishing or malware.
+- What users are allowed to do to their own quarantined messages (messages where they're a recipient) based on why the message was quarantined.
+- Whether users receive notifications about their quarantined messages via [Quarantine notifications](quarantine-quarantine-notifications.md).
-For [supported protection features](#step-2-assign-a-quarantine-policy-to-supported-features), quarantine policies specify what users are allowed to do to their own messages in quarantine (messages where they're a recipient) and in _quarantine notifications_. [Quarantine notifications](quarantine-quarantine-notifications.md) are the replacement for end-user spam notifications. These notifications are now controlled by quarantine policies, and contain information about quarantined messages for all supported protection features (not just anti-spam policy and anti-phishing policy verdicts).
+Traditionally, users have been allowed or denied levels of interactivity for quarantine messages based on why the message was quarantined. For example, users can view and release messages that were quarantined as spam or bulk, but they can't view or release messages that were quarantined as high confidence phishing or malware.
-Default quarantine policies that enforce historical user capabilities are automatically assigned to actions in the supported protection features that quarantine messages. Or, you can create custom quarantine policies and assign them to the supported protection features to allow or prevent users from performing specific actions on those types of quarantined messages.
+Default quarantine policies enforce these historical user capabilities, and are automatically assigned in [supported protection features](#step-2-assign-a-quarantine-policy-to-supported-features) that quarantine messages.
-The individual quarantine policy permissions are combined into the following preset permission groups:
+For details about the elements of a quarantine policy, default quarantine policies, and individual permissions, see the [Appendix](#appendix) section at the end of this article.
-- No access-- Limited access-- Full access-
-The individual quarantine policy permissions that are contained in the preset permission groups are described in the following table:
-
-|Permission|No access|Limited access|Full access|
-||::|::|::|
-|**Block sender** (_PermissionToBlockSender_)||Γ£ö|Γ£ö|
-|**Delete** (_PermissionToDelete_)||Γ£ö|Γ£ö|
-|**Preview** (_PermissionToPreview_)||Γ£ö|Γ£ö|
-|**Allow recipients to release a message from quarantine** (_PermissionToRelease_)<sup>\*</sup>|||Γ£ö|
-|**Allow recipients to request a message to be released from quarantine** (_PermissionToRequestRelease_)||Γ£ö||
-
-<sup>\*</sup>The **Allow recipients to release a message from quarantine** permission is not honored for messages that were quarantined as malware (anti-malware policies or Safe Attachments policies) or as high confidence phishing (anti-spam policies). Users cannot release their own malware or high confidence phishing messages from quarantine. At best, you can use the **Allow recipients to request a message to be released from quarantine** permission.
-
-The default quarantine policies, their associated permission groups, and whether quarantine notifications are enabled is described in the following table:
-
-|Default quarantine policy|Permission group used|Quarantine notifications enabled?|
-||::|::|
-|AdminOnlyAccessPolicy|No access|No|
-|DefaultFullAccessPolicy|Full access|No|
-|NotificationEnabledPolicy<sup>\*</sup>|Full access|Yes|
-|DefaultFullAccessWithNotificationPolicy<sup>\*\*</sup>|Full access|Yes|
-
-<sup>\*</sup>See [the next section](#full-access-permissions-and-quarantine-notifications) for more information about this policy.
-
-<sup>\*\*</sup>This policy is used in [preset security policies](preset-security-policies.md).
-
-If you don't like the default permissions in the preset permission groups, or if you want to enable quarantine notifications, create and use custom quarantine policies. For more information about what each permission does, see the [Quarantine policy permission details](#quarantine-policy-permission-details) section later in this article.
+If you don't like the default user capabilities for quarantined messages for a specific feature (including the lack of quarantine notifications), you can create and use custom quarantine policies as described in this article.
You create and assign quarantine policies in the Microsoft 365 Defender portal or in PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with Exchange Online mailboxes; standalone EOP PowerShell in EOP organizations without Exchange Online mailboxes).
-> [!NOTE]
-> How long quarantined messages are held in quarantine before they expire is controlled by the **Retain spam in quarantine for this many days** (_QuarantineRetentionPeriod_) in anti-spam policies. For more information, see [Configure anti-spam policies in EOP](anti-spam-policies-configure.md).
->
-> If you change the quarantine policy that's assigned to a supported protection feature, the change affects messages that are quarantined _after_ you make the change. Messages that were previously quarantined by that protection feature are not affected by the settings of the new quarantine policy assignment.
-
-## Full access permissions and quarantine notifications
-
-The quarantine policy named NotificationEnabledPolicy is not available in all environments. You'll have the NotificationEnabledPolicy quarantine policy if your organization meets both of the following requirements:
--- Your organization existed before the quarantine policy feature was turned on (late July/early August 2021).-- The **Enable end-user spam notifications** setting was turned on in one or more [anti-spam policies](anti-spam-policies-configure.md) (in the default anti-spam policy or in custom anti-spam policies).-
-As described earlier, quarantine notifications in quarantine policies replace end-user spam notifications that you previously turned on or turned off in anti-spam policies. The built-in quarantine policy named DefaultFullAccessPolicy duplicates the historical _permissions_ for quarantined messages, but _quarantine notifications_ are not turned on in the quarantine policy. And, because you can't modify the built-in policy, you can't turn on quarantine notifications in DefaultFullAccessPolicy.
-
-To provide the permissions of DefaultFullAccessPolicy but with quarantine notifications turned on, we created the policy named NotificationEnabledPolicy to use in place of DefaultFullAccessPolicy for those organizations that needed it (organizations where end-user spam notifications were turned on).
-
-New organizations or older organization where end-user spam notifications where never turned on in anti-spam polices don't have the quarantine policy named NotificationEnabledPolicy. To turn on quarantine notifications for quarantine polices that use **Full access** permissions in organizations that don't have the NotificationEnabledPolicy, you can use either of the following methods:
--- Create and use custom quarantine policies with **Full access** permissions where quarantine notifications are turned on.-- Use the DefaultFullAccessWithNotificationPolicy.- ## What do you need to know before you begin? - You open the Microsoft 365 Defender portal at <https://security.microsoft.com>. To go directly to the **Quarantine policies** page, use <https://security.microsoft.com/quarantinePolicies>. - To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). To connect to standalone EOP PowerShell, see [Connect to Exchange Online Protection PowerShell](/powershell/exchange/connect-to-exchange-online-protection-powershell). -- To view, create, modify, or remove quarantine policies, you need to be a member of the **Organization Management**, **Security Administrator**, or **Quarantine Administrator** roles in the Microsoft 365 Defender portal. For more information, see [Permissions in the Microsoft 365 Defender portal](mdo-portal-permissions.md).
+- If you change the quarantine policy that's assigned to a supported protection feature, the change affects quarantined message _after_ you make the change. Messages that were quarantined before you made the change aren't affected by the settings of the new quarantine policy assignment.
+
+- How long messages that were quarantined by anti-spam and anti-phishing protection are held before they expire is controlled by the **Retain spam in quarantine for this many days** (_QuarantineRetentionPeriod_) in anti-spam policies. For more information, see the table in [Quarantined email messages in EOP and Defender for Office 365](quarantine-about.md).
+
+- You need to be assigned permissions before you can do the procedures in this article. You have the following options:
+ - [Email & collaboration RBAC in the Microsoft 365 Defender portal](mdo-portal-permissions.md): Membership in any of the following role groups:
+ - **Organization Management**
+ - **Security Administrator**
+ - **Quarantine Administrator**
+ - [Azure AD RBAC](../../admin/add-users/about-admin-roles.md): Membership in the **Global Administrator**, **Security Administrator**, or **Quarantine Administrator** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
## Step 1: Create quarantine policies in the Microsoft 365 Defender portal
-1. In the [Microsoft 365 Defender portal](https://security.microsoft.com), go to **Email & collaboration** \> **Policies & Rules** \> **Threat policies** \> **Quarantine policies** in the **Rules** section. Or, to go directly to the **Quarantine policies** page, use <https://security.microsoft.com/quarantinePolicies>.
+1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Policies & Rules** \> **Threat policies** \> **Quarantine policy** in the **Rules** section. Or, to go directly to the **Quarantine policy** page, use <https://security.microsoft.com/quarantinePolicies>.
:::image type="content" source="../../medio-quarantine-policy-page.png":::
-2. On the **Quarantine policies** page, click ![Add custom policy icon.](../../media/m365-cc-sc-create-icon.png) **Add custom policy**.
+2. On the **Quarantine policies** page, click ![Add custom policy icon.](../../media/m365-cc-sc-create-icon.png) **Add custom policy** to start the new quarantine policy wizard.
+
+3. On the **Policy name** page, enter a brief but unique name in the **Policy name** box. The policy name is selectable in drop down list in upcoming steps.
-3. The **New policy** wizard opens. On the **Policy name** page, enter a brief but unique name in the **Policy name** box. You'll need to identify and select the quarantine policy by name in upcoming steps. When you're finished, click **Next**.
+ When you're finished on the **Policy name** page, click **Next**.
4. On the **Recipient message access** page, select one of the following values:
- - **Limited access**: The individual permissions that are included in this permission group are described earlier in this article.
+ - **Limited access**: The individual permissions that are included in this permission group are described in the [Appendix](#appendix) section.
+ - **Set specific access (Advanced)**: Use this value to specify custom permissions. Configure the following settings that appear:
- - **Select release action preference**: Select one of the following values:
+ - **Select release action preference**: Select one of the following values from the drop down:
- Blank: This is the default value.
- - **Allow recipients to release a message from quarantine**
- **Allow recipients to request a message to be released from quarantine**
+ - **Allow recipients to release a message from quarantine**
- **Select additional actions recipients can take on quarantined messages**: Select some, all, or none of the following values: - **Delete** - **Preview**
New organizations or older organization where end-user spam notifications where
These permissions and their effect on quarantined messages and in quarantine notifications are described in the [Quarantine policy permission details](#quarantine-policy-permission-details) section later in this article.
- When you're finished, click **Next**.
+ When you're finished on the **Recipient message access** page, click **Next**.
-5. On the **End-user spam notification** page, select **Enable** to enable quarantine notifications (formerly known as end-user spam notifications). When you're finished, click **Next**.
+5. On the **Quarantine notification** page, select **Enable** to enable quarantine notifications.
- > [!NOTE]
- > As explained earlier, the built-in policies (AdminOnlyAccessPolicy or DefaultFullAccessPolicy) do not have quarantined notifications turned on, and you can't modify the policies.
+ When you're finished on the **Quarantine notification** page, click **Next**.
-6. On the **Review policy** page, review your settings. You can select **Edit** in each section to modify the settings within the section. Or you can click **Back** or select the specific page in the wizard.
+6. On the **Review policy** page, you can review your selections. Click **Edit** in each section to modify the settings within the section. Or you can click **Back** or select the specific page in the wizard.
- When you're finished, click **Submit**.
+ When you're finished on the **Review policy** page, click **Submit**, and then click **Done** in the confirmation page.
-7. On the confirmation page that appears, click **Done**.
+7. On the confirmation page that appears, you can use the links to review quarantined messages or go to the **Anti-spam policies** page in the Defender portal.
-Now you're ready to assign the quarantine policy to a supported security feature as described in the [Step 2](#step-2-assign-a-quarantine-policy-to-supported-features) section.
+ When you're finished on the page, click **Done**.
+
+Back on the **Quarantine policy** page, the policy that you created is now listed. You're ready to assign the quarantine policy to a supported security feature as described in the [Step 2](#step-2-assign-a-quarantine-policy-to-supported-features) section.
### Create quarantine policies in PowerShell If you'd rather use PowerShell to create quarantine policies, connect to Exchange Online PowerShell or Exchange Online Protection PowerShell and use the **New-QuarantinePolicy** cmdlet. > [!NOTE]
-> If you don't use the _ESNEnabled_ parameter and the value `$true`, then quarantine notifications are turned off.
+> If you don't use the _ESNEnabled_ parameter and the value `$true`, quarantine notifications are turned off.
#### Use the EndUserQuarantinePermissionsValue parameter
The required order and values for each individual permission are described in th
|Permission|Decimal value|Binary value| ||::|::|
-|PermissionToViewHeader<sup>\*</sup>|128|10000000|
-|PermissionToDownload<sup>\*\*</sup>|64|01000000|
-|PermissionToAllowSender<sup>\*\*</sup>|32|00100000|
+|PermissionToViewHeader┬╣|128|10000000|
+|PermissionToDownload┬▓|64|01000000|
+|PermissionToAllowSender┬▓|32|00100000|
|PermissionToBlockSender|16|00010000|
-|PermissionToRequestRelease<sup>\*\*\*</sup>|8|00001000|
-|PermissionToRelease<sup>\*\*\*</sup>|4|00000100|
+|PermissionToRequestRelease┬│|8|00001000|
+|PermissionToRelease┬│|4|00000100|
|PermissionToPreview|2|00000010| |PermissionToDelete|1|00000001|
-<sup>\*</sup> The value 0 doesn't hide the **View message header** button in the details of the quarantined message (the button is always available).
+┬╣ The value 0 doesn't hide the **View message header** button in the details of the quarantined message (the button is always available).
-<sup>\*\*</sup> This setting is not used (the value 0 or 1 does nothing).
+┬▓ The PermissionToAllowSender permission isn't used (the value 0 or 1 does nothing).
-<sup>\*\*\*</sup> Don't set both of these values to 1. Set one to 1 and the other to 0, or set both to 0.
+┬│ Don't set both of these permission values to 1. Set one permission value to 1 and the other value to 0, or set both values to 0.
For Limited access permissions, the required values are:
For detailed syntax and parameter information, see [New-QuarantinePolicy](/power
## Step 2: Assign a quarantine policy to supported features
-In _supported_ protection features that quarantine email messages, you can assign a quarantine policy that defines what users can do to quarantine messages and whether notifications for quarantined messages are turned on. Features that quarantine messages and the availability of quarantine policies are described in the following table:
+In supported protection features that quarantine email messages, the assigned quarantine policy defines what users can do to quarantine messages and whether quarantine notifications are turned on. Protection features that quarantine messages and whether they support quarantine policies are described in the following table:
|Feature|Quarantine policies supported?| ||::|
In _supported_ protection features that quarantine email messages, you can assig
|&nbsp;&nbsp;&nbsp;Files that are quarantined as malware by [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](safe-attachments-for-spo-odfb-teams-about.md)|No| |**[Exchange mail flow rules](/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules) (also known as transport rules) with the action: 'Deliver the message to the hosted quarantine' (_Quarantine_)**|No|
-The default quarantine policies that are used by each feature are described in [Recommended settings for EOP and Microsoft Defender for Office 365 security](recommended-settings-for-eop-and-office365.md).
+The default quarantine policies that are used by each protection feature are described in the related tables in [Recommended settings for EOP and Microsoft Defender for Office 365 security](recommended-settings-for-eop-and-office365.md).
-The default quarantine policies, preset permission groups, and permissions are described at [the beginning of this article](#quarantine-policies) and [later in this article](#preset-permissions-groups).
+The default quarantine policies, preset permission groups, and permissions are described in the [Appendix](#appendix) section at the end of this article.
-> [!NOTE]
-> If you're happy with the default end-user permissions and quarantine notifications that are provided (or not provided) by the default quarantine policies, you don't need to do anything. If you want to add or remove end-user capabilities (the available buttons) for user quarantined messages, or enable quarantine notifications and add or remove the same capabilities in quarantine notifications, you can assign a different quarantine policy to the quarantine action.
+The rest of this step explains how to assign quarantine policies for supported filter verdicts.
## Assign quarantine policies in supported policies in the Microsoft 365 Defender portal > [!NOTE]
-> Users can't release their own messages that were quarantined as malware (anti-malware policies or Safe Attachments policies) or high confidence phishing (anti-spam policies), regardless of how the quarantine policy is configured. At best, admins can configure the quarantine policy so users can request the release of their quarantined malware or high confidence phishing messages.
+> Users can't release their own messages that were quarantined as **malware** by anti-malware or Safe Attachments policies, or as **high confidence phishing** by anti-spam policies, regardless of how the quarantine policy is configured. At best, admins can create and configure a quarantine policy so users can view and _request_ the release of their quarantined malware or high confidence phishing messages, although we typically don't recommend it.
### Anti-spam policies
-1. In the [Microsoft 365 Defender portal](https://security.microsoft.com), go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> **Anti-spam** in the **Policies** section.
+1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> **Anti-spam** in the **Policies** section. Or, to go directly to the **Ant-spam policies** page, use <https://security.microsoft.com/antispam>.
- Or, to go directly to the **Ant-spam policies** page, use <https://security.microsoft.com/antispam>.
+2. On the **Anti-spam policies** page, use either of the following methods:
+ - Select an existing **inbound** anti-spam policy by clicking anywhere in the row other than the check box next to the name. In the policy details flyout that opens, go to the **Actions** section and then click **Edit actions**.
+ - Click ![Create policy icon.](../../media/m365-cc-sc-create-icon.png) **Create policy**, select **Inbound** from the drop down list to start the new anti-spam policy wizard, and then get to the **Actions** page.
-2. On the **Anti-spam policies** page, do one of the following steps:
- - Find and select an existing **inbound** anti-spam policy.
- - Create a new **inbound** anti-spam policy.
+3. On the **Actions** page or flyout, every verdict that has the **Quarantine message** action selected also has the **Select quarantine policy** box for you to select a quarantine policy.
-3. Do one of the following steps:
- - **Edit existing**: Select the policy by clicking on the name of the policy. In the policy details flyout, go to the **Actions** section and then click **Edit actions**.
- - **Create new**: In the new policy wizard, get to the **Actions** page.
-
-4. On the **Actions** page, every verdict that has the **Quarantine message** action will also have the **Select quarantine policy** box for you to select a corresponding quarantine policy.
-
- **Note**: When you create a new policy, a blank **Select quarantine policy** value indicates the default quarantine policy for that verdict is used. When you later edit the policy, the blank values are replaced by the actual default quarantine policy names as described in the previous table.
+ During the creation of the anti-spam policy, if you _change_ the action of a spam filtering verdict to **Quarantine message**, the **Select quarantine policy** box is blank by default. A blank value means the default quarantine policy for that verdict is used. When you later view or edit the anti-spam policy settings, the quarantine policy name is shown. The default quarantine policies are listed in the [supported features table](#step-2-assign-a-quarantine-policy-to-supported-features).
:::image type="content" source="../../media/quarantine-tags-in-anti-spam-policies.png" alt-text="The Quarantine policy selections in an anti-spam policy" lightbox="../../media/quarantine-tags-in-anti-spam-policies.png":::
If you'd rather use PowerShell to assign quarantine policies in anti-spam polici
**Notes**: -- The default value for the _PhishSpamAction_ and _HighConfidencePhishAction_ parameters is Quarantine, so you don't need to use those parameters when you create new spam filter policies in PowerShell. For the _SpamAction_, _HighConfidenceSpamAction_, and _BulkSpamAction_ parameters in new or existing anti-spam policies, the quarantine policy is effective only if the value is Quarantine.
+- Quarantine policies matter only when messages are quarantined. The default value for the _HighConfidencePhishAction_ parameter is Quarantine, so you don't need to use that _\*Action_ parameter when you create new spam filter policies in PowerShell. By default, all other _\*Action_ parameters in new spam filter policies aren't set to value Quarantine.
To see the important parameter values in existing anti-spam policies, run the following command: ```powershell
- Get-HostedContentFilterPolicy | Format-List Name,*SpamAction,HighConfidencePhishAction,*QuarantineTag
+ Get-HostedContentFilterPolicy | Format-List Name,SpamAction,SpamQuarantineTag,HighConfidenceSpamAction,HighConfidenceSpamQuarantineTag,PhishSpamAction,PhishQuarantineTag,HighConfidencePhishAction,HighConfidencePhishQuarantineTag,BulkSpamAction,BulkQuarantineTag
```
- For information about the default action values and the recommended action values for Standard and Strict, see [EOP anti-spam policy settings](recommended-settings-for-eop-and-office365.md#eop-anti-spam-policy-settings).
+- If you create an anti-spam policy without specifying the quarantine policy for the spam filtering verdict, the default quarantine policy for that verdict is used. For information about the default action values and the recommended action values for Standard and Strict, see [EOP anti-spam policy settings](recommended-settings-for-eop-and-office365.md#eop-anti-spam-policy-settings).
-- If you create a new anti-spam policy without specifying the quarantine policy for the spam filtering verdict, the default quarantine policy for that verdict is used. The default quarantine policies for each spam filter verdict are shown in [EOP anti-spam policy settings](recommended-settings-for-eop-and-office365.md#eop-anti-spam-policy-settings).
+ Specify a different quarantine policy to turn on quarantine notifications or change the default end-user capabilities on quarantined messages for that particular spam filtering verdict.
- Specify a different quarantine policy only if you want to change the default end-user capabilities on quarantined messages for that particular spam filtering verdict.
+ Users can't release their own messages that were quarantined as high confidence phishing, regardless of how the quarantine policy is configured. At best, admins can create and configure a quarantine policy so users can view and _request_ the release of quarantined high confidence phishing messages, although we typically don't recommend it.
-- A new anti-spam policy in PowerShell requires a spam filter policy (settings) using the **New-HostedContentFilterPolicy** cmdlet and an exclusive spam filter rule (recipient filters) using the **New-HostedContentFilterRule** cmdlet. For instructions, see [Use PowerShell to create anti-spam policies](anti-spam-policies-configure.md#use-powershell-to-create-anti-spam-policies).
+- In PowerShell, a new anti-spam policy in PowerShell requires a spam filter policy using the **New-HostedContentFilterPolicy** cmdlet (settings), and an exclusive spam filter rule using the **New-HostedContentFilterRule** cmdlet (recipient filters). For instructions, see [Use PowerShell to create anti-spam policies](anti-spam-policies-configure.md#use-powershell-to-create-anti-spam-policies).
This example creates a new spam filter policy named Research Department with the following settings: - The action for all spam filtering verdicts is set to Quarantine.-- The custom quarantine policy named NoAccess that assigns **No access** permissions replaces any default quarantine policies that don't already assign **No access** permissions by default.
+- The default quarantine policy named AdminOnlyAccessPolicy that assigns **No access** permissions replaces the default quarantine policy that's used (high confidence phishing messages are quarantined by default and the AdminOnlyAccessPolicy quarantine policy is used by default).
```powershell
-New-HostedContentFilterPolicy -Name "Research Department" -SpamAction Quarantine -SpamQuarantineTag NoAccess -HighConfidenceSpamAction Quarantine -HighConfidenceSpamQuarantineTag NoAction -PhishSpamAction Quarantine -PhishQuarantineTag NoAction -BulkSpamAction Quarantine -BulkQuarantineTag NoAccess
+New-HostedContentFilterPolicy -Name "Research Department" -SpamAction Quarantine -SpamQuarantineTag AdminOnlyAccessPolicy -HighConfidenceSpamAction Quarantine -HighConfidenceSpamQuarantineTag AdminOnlyAccessPolicy -PhishSpamAction Quarantine -PhishQuarantineTag AdminOnlyAccessPolicy -BulkSpamAction Quarantine -BulkQuarantineTag AdminOnlyAccessPolicy
``` For detailed syntax and parameter information, see [New-HostedContentFilterPolicy](/powershell/module/exchange/new-hostedcontentfilterpolicy).
-This example modifies the existing spam filter policy named Human Resources. The action for the spam quarantine verdict is set to Quarantine, and the custom quarantine policy named NoAccess is assigned.
+This example modifies the existing spam filter policy named Human Resources. The action for the spam quarantine verdict is set to Quarantine, and the custom quarantine policy named ContosoNoAccess is assigned.
```powershell
-Set-HostedContentFilterPolicy -Identity "Human Resources" -SpamAction Quarantine -SpamQuarantineTag NoAccess
+Set-HostedContentFilterPolicy -Identity "Human Resources" -SpamAction Quarantine -SpamQuarantineTag ContosoNoAccess
``` For detailed syntax and parameter information, see [Set-HostedContentFilterPolicy](/powershell/module/exchange/set-hostedcontentfilterpolicy). ### Anti-phishing policies
-Spoof intelligence is available in EOP and Defender for Office 365. User impersonation protection, domain impersonation protection, and mailbox intelligence are available only in Defender for Office 365. For more information, see [Anti-phishing policies in Microsoft 365](anti-phishing-policies-about.md).
-
-1. In the [Microsoft 365 Defender portal](https://security.microsoft.com), go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> **Anti-phishing** in the **Policies** section.
+Spoof intelligence is available in EOP and Defender for Office 365. User impersonation protection, domain impersonation protection, and mailbox intelligence protection are available only in Defender for Office 365. For more information, see [Anti-phishing policies in Microsoft 365](anti-phishing-policies-about.md).
- Or, to go directly to the **Ant-spam policies** page, use <https://security.microsoft.com/antiphishing>.
+1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> **Anti-phishing** in the **Policies** section. Or, to go directly to the **Anti-phishing** page, use <https://security.microsoft.com/antiphishing>.
-2. On the **Anti-phishing** page, do one of the following steps:
- - Find and select an existing anti-phishing policy.
- - Create a new anti-phishing policy.
+2. On the **Anti-phishing** page, use either of the following methods:
+ - Select an existing anti-phishing policy by clicking anywhere in the row other than the check box next to the name. In the policy details flyout that opens, click the **Edit** link in the relevant section as described in the next steps.
+ - Click ![Create icon.](../../media/m365-cc-sc-create-icon.png) **Create** to start the new anti-phishing policy wizard. The relevant pages are described in the next steps.
-3. Do one of the following steps:
- - **Edit existing**: Select the policy by clicking on the name of the policy. In the policy details flyout, go to the **Protection settings** section and then click **Edit protection settings**.
- - **Create new**: In the new policy wizard, get to the **Actions** page.
-
-4. On the **Protection settings** page, verify that the following settings are turned on and configured as required:
+3. On the **Phishing threshold & protection** page or flyout, verify that the following settings are turned on and configured as required:
- **Enabled users to protect**: Specify users. - **Enabled domains to protect**: Select **Include domains I own** and/or **Include custom domains** and specify the domains. - **Enable mailbox intelligence** - **Enable intelligence for impersonation protection** - **Enable spoof intelligence**
-5. Do one of the following steps:
- - **Edit existing**: In the policy details flyout, go to the **Actions** section and then click **Edit actions**.
- - **Create new**: In the new policy wizard, get to the **Actions** page.
-
-6. On the **Actions** page, every verdict that has the **Quarantine the message** action will also have the **Apply quarantine policy** box for you to select a corresponding quarantine policy.
+4. On the **Actions** page or flyout, every verdict that has the **Quarantine the message** action also has the **Apply quarantine policy** box for you to select a quarantine policy.
- **Note**: When you create a new policy, a blank **Apply quarantine policy** value indicates the default quarantine policy for that action is used. When you later edit the policy, the blank values are replaced by the actual default quarantine policy names as described in the previous table.
+ During the creation of the anti-phishing policy, if you don't select a quarantine policy, the default quarantine policy for is used. When you later view or edit the anti-phishing policy settings, the quarantine policy name is shown. The default quarantine policies are listed in the [supported features table](#step-2-assign-a-quarantine-policy-to-supported-features).
- :::image type="content" source="../../media/quarantine-tags-in-anti-phishing-policies.png" alt-text="The Quarantine policy selections in an anti-phishing policy" lightbox="../../media/quarantine-tags-in-anti-phishing-policies.png":::
+ :::image type="content" source="../../media/quarantine-tags-in-anti-phishing-policies.png" alt-text="The Quarantine policy selections in an anti-phishing policy." lightbox="../../media/quarantine-tags-in-anti-phishing-policies.png":::
-Full instructions for creating and modifying anti-phishing policies are available in the following topics:
+Full instructions for creating and modifying anti-phishing policies are available in the following articles:
- [Configure anti-phishing policies in EOP](anti-phishing-policies-eop-configure.md) - [Configure anti-phishing policies in Microsoft Defender for Office 365](anti-phishing-policies-mdo-configure.md)
If you'd rather use PowerShell to assign quarantine policies in anti-phishing po
**Notes**: -- The _Enable\*_ parameters are required to turn on the specific protection features. The default value for the _EnableMailboxIntelligence_ and _EnableSpoofIntelligence_ parameters is $true, so you don't need to use these parameters when you create new anti-phish policies in PowerShell. All other _Enable\*_ parameters need to have the value $true so you can set the value Quarantine in the corresponding _\*Action_ parameters to then assign a quarantine policy. None of the _*\Action_ parameters have the default value Quarantine.
+- Quarantine policies in anti-phish policies matter only when messages are quarantined. In anti-phish policies, messages are quarantined when the _Enable\*_ parameter value for the feature is $true **and** the corresponding _*\Action_ parameter value is Quarantine. The default value for the _EnableMailboxIntelligence_ and _EnableSpoofIntelligence_ parameters is $true, so you don't need to use them when you create new anti-phish policies in PowerShell. By default, no _*\Action_ parameters have the value Quarantine.
To see the important parameter values in existing anti-phish policies, run the following command: ```powershell
- Get-AntiPhishPolicy | Format-List Name,Enable*Intelligence,Enable*Protection,*Action,*QuarantineTag
+ Get-AntiPhishPolicy | Format-List EnableSpoofIntelligence,AuthenticationFailAction,SpoofQuarantineTag,EnableTargetedUserProtection,TargetedUserProtectionAction,TargetedUserQuarantineTag,EnableTargetedDomainsProtection,EnableOrganizationDomainsProtection,TargetedDomainProtectionAction,TargetedDomainQuarantineTag,EnableMailboxIntelligence,EnableMailboxIntelligenceProtection,MailboxIntelligenceProtectionAction,MailboxIntelligenceQuarantineTag
```
- For information about the default action values and the recommended action values for Standard and Strict, see [EOP anti-phishing policy settings](recommended-settings-for-eop-and-office365.md#eop-anti-phishing-policy-settings) and [Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365](recommended-settings-for-eop-and-office365.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365).
+ For information about the default and recommended action values for Standard and Strict configurations, see [EOP anti-phishing policy settings](recommended-settings-for-eop-and-office365.md#eop-anti-phishing-policy-settings) and [Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365](recommended-settings-for-eop-and-office365.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365).
- If you create a new anti-phishing policy without specifying the quarantine policy for the anti-phishing action, the default quarantine policy for that action is used. The default quarantine policies for each anti-phishing action are shown in [EOP anti-phishing policy settings](recommended-settings-for-eop-and-office365.md#eop-anti-phishing-policy-settings) and [Anti-phishing policy settings in Microsoft Defender for Office 365](recommended-settings-for-eop-and-office365.md#anti-phishing-policy-settings-in-microsoft-defender-for-office-365). Specify a different quarantine policy only if you want to change the default end-user capabilities on quarantined messages for that particular anti-phishing action. -- A new anti-phishing policy in PowerShell requires an anti-phish policy (settings) using the **New-AntiPhishPolicy** cmdlet and an exclusive anti-phish rule (recipient filters) using the **New-AntiPhishRule** cmdlet. For instructions, see the following topics:
+- A new anti-phishing policy in PowerShell requires an anti-phish policy using the **New-AntiPhishPolicy** cmdlet (settings), and an exclusive anti-phish rule using the **New-AntiPhishRule** cmdlet (recipient filters). For instructions, see the following articles:
- [Use PowerShell to configure anti-phishing policies in EOP](anti-phishing-policies-eop-configure.md#use-exchange-online-powershell-to-configure-anti-phishing-policies) - [Use Exchange Online PowerShell to configure anti-phishing policies](anti-phishing-policies-mdo-configure.md#use-exchange-online-powershell-to-configure-anti-phishing-policies) This example creates a new anti-phish policy named Research Department with the following settings: - The action for all spam filtering verdicts is set to Quarantine.-- The custom quarantine policy named NoAccess that assigns **No access** permissions replaces any default quarantine policies that don't already assign **No access** permissions by default.
+- The default quarantine policy named AdminOnlyAccessPolicy that assigns **No access** permissions replaces the default quarantine policy that's used.
```powershell New-AntiPhishPolicy -Name "Research Department" -AuthenticationFailAction Quarantine -SpoofQuarantineTag NoAccess -EnableMailboxIntelligenceProtection $true -MailboxIntelligenceProtectionAction Quarantine -MailboxIntelligenceQuarantineTag NoAccess -EnableOrganizationDomainsProtection $true -EnableTargetedDomainsProtection $true -TargetedDomainProtectionAction Quarantine -TargetedDomainQuarantineTag NoAccess -EnableTargetedUserProtection $true -TargetedUserProtectionAction Quarantine -TargetedUserQuarantineTag NoAccess
New-AntiPhishPolicy -Name "Research Department" -AuthenticationFailAction Quaran
For detailed syntax and parameter information, see [New-AntiPhishPolicy](/powershell/module/exchange/new-antiphishpolicy).
-This example modifies the existing anti-phish policy named Human Resources. The action for messages detected by user impersonation and domain impersonation is set to Quarantine, and the custom quarantine policy named NoAccess is assigned.
+This example modifies the existing anti-phish policy named Human Resources. The action for messages detected by user impersonation and domain impersonation is set to Quarantine, and the custom quarantine policy named ContosoNoAccess is assigned.
```powershell
-Set-AntiPhishPolicy -Identity "Human Resources" -EnableTargetedDomainsProtection $true -TargetedDomainProtectionAction Quarantine -TargetedDomainQuarantineTag NoAccess -EnableTargetedUserProtection $true -TargetedUserProtectionAction Quarantine -TargetedUserQuarantineTag NoAccess
+Set-AntiPhishPolicy -Identity "Human Resources" -EnableTargetedDomainsProtection $true -TargetedDomainProtectionAction Quarantine -TargetedDomainQuarantineTag ContosoNoAccess -EnableTargetedUserProtection $true -TargetedUserProtectionAction Quarantine -TargetedUserQuarantineTag ContosoNoAccess
``` For detailed syntax and parameter information, see [Set-AntiPhishPolicy](/powershell/module/exchange/set-antiphishpolicy). ### Anti-malware policies
-1. In the [Microsoft 365 Defender portal](https://security.microsoft.com), go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> **Anti-malware** in the **Policies** section.
+1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> **Anti-malware** in the **Policies** section. Or, to go directly to the **Anti-malware** page, use <https://security.microsoft.com/antimalwarev2>.
- Or, to go directly to the **Anti-malware** page, use <https://security.microsoft.com/antimalwarev2>.
+2. On the **Anti-malware** page, use either of the following methods:
+ - Select an existing anti-malware policy by clicking anywhere in the row other than the check box next to the name. In the policy details flyout that opens, go to the **Protection settings** section, and then click the **Edit protection settings**.
+ - Click ![Create icon.](../../media/m365-cc-sc-create-icon.png) **Create** to start the new anti-malware policy wizard and get to the **Protection settings** page.
-2. On the **Anti-malware** page, do one of the following steps:
- - Find and select an existing anti-malware policy.
- - Create a new anti-malware policy.
+3. On the **Protection settings** page or flyout, view or select a quarantine policy in the **Quarantine policy** box.
-3. Do one of the following steps:
- - **Edit existing**: Select the policy by clicking on the name of the policy. In the policy details flyout, go to the **Protection settings** section and then click **Edit protection settings**.
- - **Create new**: In the new policy wizard, get to the **Actions** page.
+ Quarantine notifications are disabled in the policy named AdminOnlyAccessPolicy. To notify recipients that have messages quarantined as malware, create or use an existing quarantine policy where quarantine notifications are turned on. For instructions, see [Create quarantine policies in the Microsoft 365 Defender portal](quarantine-policies.md#step-1-create-quarantine-policies-in-the-microsoft-365-defender-portal).
-4. On the **Protection settings** page, select a quarantine policy in the **Quarantine policy** box.
+ Users can't release their own messages that were quarantined as malware by anti-malware policies, regardless of how the quarantine policy is configured. At best, admins can create and configure a quarantine policy so users can view and _request_ the release of quarantined malware messages, although we typically don't recommend it.
- **Note**: When you create a new policy, a blank **Quarantine policy** value indicates the default quarantine policy for that is used. When you later edit the policy, the blank value is replaced by the actual default quarantine policy name as described in the previous table.
+ :::image type="content" source="../../media/quarantine-tags-in-anti-malware-policies.png" alt-text="The Quarantine policy selections in an anti-malware policy." lightbox="../../media/quarantine-tags-in-anti-malware-policies.png":::
+
+Full instructions for creating and modifying anti-malware policies are available in [Configure anti-malware policies](anti-malware-policies-configure.md).
#### Anti-malware policies in PowerShell
If you'd rather use PowerShell to assign quarantine policies in anti-malware pol
**Notes**: -- When you create new anti-malware policies without using the QuarantineTag parameter when you create a new anti-malware policy, the default quarantine policy for malware detections is used (AdminOnlyAccessPolicy).
+- When you create new anti-malware policies without using the _QuarantineTag_ parameter, the default quarantine policy named AdminOnlyAccessPolicy is used.
- You need to replace the default quarantine policy with a custom quarantine policy only if you want to change the default end-user capabilities on messages that are quarantined as malware.
+ Users can't release their own messages that were quarantined as malware, regardless of how the quarantine policy is configured. At best, admins can create and configure a quarantine policy so users can view and _request_ the release of quarantined malware messages, although we typically don't recommend it.
To see the important parameter values in existing anti-phish policies, run the following command:
If you'd rather use PowerShell to assign quarantine policies in anti-malware pol
Get-MalwareFilterPolicy | Format-Table Name,QuarantineTag ``` -- A new anti-malware policy in PowerShell requires a malware filter policy (settings) using the **New-MalwareFilterPolicy** cmdlet and an exclusive malware filter rule (recipient filters) using the **New-MalwareFilterRule** cmdlet. For instructions, see [Use Exchange Online PowerShell or standalone EOP PowerShell to configure anti-malware policies](anti-malware-policies-configure.md#use-exchange-online-powershell-or-standalone-eop-powershell-to-configure-anti-malware-policies).
+- A new anti-malware policy in PowerShell requires a malware filter policy using the **New-MalwareFilterPolicy** cmdlet (settings), and an exclusive malware filter rule using the **New-MalwareFilterRule** cmdlet (recipient filters). For instructions, see [Use Exchange Online PowerShell or standalone EOP PowerShell to configure anti-malware policies](anti-malware-policies-configure.md#use-exchange-online-powershell-or-standalone-eop-powershell-to-configure-anti-malware-policies).
-This example creates a malware filter policy named Research Department that uses the custom quarantine policy named NoAccess that assigns **No access** permissions to the quarantined messages.
+This example creates a malware filter policy named Research Department that uses the custom quarantine policy named ContosoNoAccess that assigns **No access** permissions to the quarantined messages.
```powershell
-New-MalwareFilterPolicy -Name "Research Department" -QuarantineTag NoAccess
+New-MalwareFilterPolicy -Name "Research Department" -QuarantineTag ContosoNoAccess
``` For detailed syntax and parameter information, see [New-MalwareFilterPolicy](/powershell/module/exchange/new-malwarefilterpolicy).
-This example modifies the existing malware filter policy named Human Resources by assigning the custom quarantine policy named NoAccess that assigns **No access** permissions to the quarantined messages.
+This example modifies the existing malware filter policy named Human Resources to use the custom quarantine policy named ContosoNoAccess that assigns **No access** permissions to the quarantined messages.
```powershell
-New-MalwareFilterPolicy -Identity "Human Resources" -QuarantineTag NoAccess
+New-MalwareFilterPolicy -Identity "Human Resources" -QuarantineTag ContosoNoAccess
``` For detailed syntax and parameter information, see [Set-MalwareFilterPolicy](/powershell/module/exchange/set-malwarefilterpolicy). ### Safe Attachments policies in Defender for Office 365
-1. In the [Microsoft 365 Defender portal](https://security.microsoft.com), go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> **Safe Attachments** in the **Policies** section.
-
- Or, to go directly to the **Safe Attachments** page, use <https://security.microsoft.com/safeattachmentv2>.
+1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> **Safe Attachments** in the **Policies** section. Or, to go directly to the **Safe Attachments** page, use <https://security.microsoft.com/safeattachmentv2>.
-2. On the **Safe Attachments** page, do one of the following steps:
- - Find and select an existing Safe Attachments policy.
- - Create a new Safe Attachments policy.
+2. On the **Safe Attachments** page, use either of the following methods:
+ - Select an existing Safe Attachments policy by clicking anywhere in the row other than the check box next to the name. In the policy details flyout that opens, click the **Edit settings** link in **Settings** section.
+ - Click ![Create icon.](../../media/m365-cc-sc-create-icon.png) **Create** to start the new Safe Attachments policy wizard and get to the **Settings** page.
-3. Do one of the following steps:
- - **Edit existing**: Select the policy by clicking on the name of the policy. In the policy details flyout, go to the **Settings** section and then click **Edit settings**.
- - **Create new**: In the new policy wizard, get to the **Settings** page.
+3. On the **Settings** page or flyout, view or select a quarantine policy in the **Quarantine policy** box.
-4. On the **Settings** page, do the following steps:
- 1. **Safe Attachments unknown malware response**: Select **Block**, **Replace**, or **Dynamic Delivery**.
- 2. Select a quarantine policy in the **Quarantine policy** box.
+ Users can't release their own messages that were quarantined as malware by Safe Attachments policies, regardless of how the quarantine policy is configured. At best, admins can create and configure a quarantine policy so users can view and _request_ the release of quarantined malware messages, although we typically don't recommend it.
- **Note**: When you create a new policy, a blank **Quarantine policy** value indicates the default quarantine policy is used. When you later edit the policy, the blank value is replaced by the actual default quarantine policy name as described in the previous table.
+ :::image type="content" source="../../media/quarantine-tags-in-safe-attachments-policies.png" alt-text="The Quarantine policy selections in a Safe Attachments policy." lightbox="../../media/quarantine-tags-in-safe-attachments-policies.png":::
Full instructions for creating and modifying Safe Attachments policies are described in [Set up Safe Attachments policies in Microsoft Defender for Office 365](safe-attachments-policies-configure.md).
If you'd rather use PowerShell to assign quarantine policies in Safe Attachments
**Notes**: -- The _Action_ parameter values Block, Replace, or DynamicDelivery can result in quarantined messages (the value Allow does not quarantine messages). The value of the _Action_ parameter in meaningful only when the value of the _Enable_ parameter is `$true`.
+- The _Action_ parameter values Block, Replace, or DynamicDelivery can result in quarantined messages (the value Allow doesn't quarantine messages). The value of the _Action_ parameter in meaningful only when the value of the _Enable_ parameter is `$true`.
-- When you create new Safe Attachments policies without using the QuarantineTag parameter, the default quarantine policy for Safe Attachments detections in email is used (AdminOnlyAccessPolicy).
+- When you create new Safe Attachments policies without using the _QuarantineTag_ parameter, the default quarantine policy named AdminOnlyAccessPolicy is used for malware detections by Safe Attachments.
- You need to replace the default quarantine policy with a custom quarantine policy only if you want to change the default end-user capabilities on email messages that are quarantined by Safe Attachments policies.
+ Users can't release their own messages that were quarantined as malware, regardless of how the quarantine policy is configured. At best, admins can create and configure a quarantine policy so users can view and _request_ the release of quarantined malware messages, although we typically don't recommend it.
To see the important parameter values, run the following command:
If you'd rather use PowerShell to assign quarantine policies in Safe Attachments
Get-SafeAttachmentPolicy | Format-List Name,Enable,Action,QuarantineTag ``` -- A new Safe Attachments policy in PowerShell requires a safe attachment policy (settings) using the **New-SafeAttachmentPolicy** cmdlet and an exclusive safe attachment rule (recipient filters) using the **New-SafeAttachmentRule** cmdlet. For instructions, see [Use Exchange Online PowerShell or standalone EOP PowerShell to configure Safe Attachments policies](safe-attachments-policies-configure.md#use-exchange-online-powershell-or-standalone-eop-powershell-to-configure-safe-attachments-policies).
+- A new Safe Attachments policy in PowerShell requires a safe attachment policy using the **New-SafeAttachmentPolicy** cmdlet (settings), and an exclusive safe attachment rule using the **New-SafeAttachmentRule** cmdlet (recipient filters). For instructions, see [Use Exchange Online PowerShell or standalone EOP PowerShell to configure Safe Attachments policies](safe-attachments-policies-configure.md#use-exchange-online-powershell-or-standalone-eop-powershell-to-configure-safe-attachments-policies).
-This example creates a safe attachment policy named Research Department that blocks detected messages and uses the custom quarantine policy named NoAccess that assigns **No access** permissions to the quarantined messages.
+This example creates a safe attachment policy named Research Department that blocks detected messages and uses the custom quarantine policy named ContosoNoAccess that assigns **No access** permissions to the quarantined messages.
```powershell New-SafeAttachmentPolicy -Name "Research Department" -Enable $true -Action Block -QuarantineTag NoAccess
New-SafeAttachmentPolicy -Name "Research Department" -Enable $true -Action Block
For detailed syntax and parameter information, see [New-MalwareFilterPolicy](/powershell/module/exchange/new-malwarefilterpolicy).
-This example modifies the existing safe attachment policy named Human Resources by assigning the custom quarantine policy named NoAccess that assigns **No access** permissions.
+This example modifies the existing safe attachment policy named Human Resources to use the custom quarantine policy named ContosoNoAccess that assigns **No access** permissions.
```powershell
-Set-SafeAttachmentPolicy -Identity "Human Resources" -QuarantineTag NoAccess
+Set-SafeAttachmentPolicy -Identity "Human Resources" -QuarantineTag ContosoNoAccess
``` For detailed syntax and parameter information, see [Set-MalwareFilterPolicy](/powershell/module/exchange/set-malwarefilterpolicy). ## Configure global quarantine notification settings in the Microsoft 365 Defender portal
-The global settings for quarantine policies allow you to customize the quarantine notifications that are sent to recipients of quarantined messages if quarantine notifications are turned on in the quarantine policy. For more information about these notifications, see [Quarantine notifications](quarantine-quarantine-notifications.md).
+The global settings for quarantine policies allow you to customize the quarantine notifications that are sent to recipients of quarantined messages if quarantine notifications are turned on in the quarantine policy. For more information about quarantine notifications, see [Quarantine notifications](quarantine-quarantine-notifications.md).
-1. In the Microsoft 365 Defender portal, go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> **Quarantine policies** in the **Rules** section. Or, to go directly to the **Quarantine policies** page, use <https://security.microsoft.com/quarantinePolicies>.
+### Customize quarantine notifications for different languages
-2. On the **Quarantine policies** page, select **Global settings**.
+Quarantine notifications are already localized based on the recipient's language settings. You can customize the **Sender display name**, **Subject**, and **Disclaimer** values that are used in quarantine notifications based on the recipient's language.
-3. In the **Quarantine notification settings** flyout that opens, configure the following settings:
+- The **Sender display name** as shown in the following screenshot:
- > [!NOTE]
- > We don't allow the same display name, subject, or disclaimer text for different languages. You need to provide a different display name, subject, and disclaimer text for each language that you select.
- >
- > The same sender address is used for all languages. Although you can select a different sender email address for each language, the last sender you specify is used for all languages.
+ :::image type="content" source="../../media/quarantine-tags-esn-customization-display-name.png" alt-text="A customized sender display name in a quarantine notification." lightbox="../../media/quarantine-tags-esn-customization-display-name.png":::
- - Customize quarantine notifications based on the recipient's language:
+- The **Subject** field of quarantine notification messages.
- - The **Display name** of the sender that's used in quarantine notifications as shown in the following screenshot.
+- The **Disclaimer** text that's added to the bottom of quarantine notifications. The localized text, **A disclaimer from your organization:** is always included first, followed by the text you specify as show in the following screenshot:
- :::image type="content" source="../../media/quarantine-tags-esn-customization-display-name.png" alt-text="A customized sender display name in a quarantine notification." lightbox="../../media/quarantine-tags-esn-customization-display-name.png":::
- - The **Subject** field of the quarantine notification messages.
+To create customized quarantine notifications for up to three languages, do the following steps:
- - The **Disclaimer** text that's added to the bottom of quarantine notifications. The localized text, **A disclaimer from your organization:** is always included first, followed by the text you specify as show in the following screenshot:
+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> **Quarantine policies** in the **Rules** section. Or, to go directly to the **Quarantine policies** page, use <https://security.microsoft.com/quarantinePolicies>.
- :::image type="content" source="../../media/quarantine-tags-esn-customization-disclaimer.png" alt-text="A custom disclaimer at the bottom of a quarantine notification." lightbox="../../media/quarantine-tags-esn-customization-disclaimer.png":::
+2. On the **Quarantine policies** page, click ![Global settings icon.](../../media/m365-cc-sc-gear-icon.png) **Global settings**.
- - The language identifier for the **Display name**, **Subject**, and **Disclaimer** values. Quarantine notifications are already localized based on the recipient's language settings. The **Display name**, **Subject**, and **Disclaimer** values are used in quarantine notifications that apply to the recipient's language.
+3. In the **Quarantine notification settings** flyout that opens, do the following steps:
- Select the language in the **Choose language** box _before_ you enter values in the **Display name**, **Subject** and **Disclaimer** boxes. When you change the value in the **Choose language** box, the values in the **Display name**, **Subject**, and **Disclaimer** boxes are emptied.
+ 1. Select the language from the **Choose language** box. The default value is **Default**, which means the default language for the Microsoft 365 organization. For more information, see [How to set language and region settings for Microsoft 365](/office365/troubleshoot/access-management/set-language-and-region).
- Follow these steps to customize quarantine notifications based on the recipient's language:
+ Although this box is in the middle of the page, you need to select it first. If you enter values in the **Sender display name**, **Subject**, or **Disclaimer** boxes before you select the language value, the other values are removed and you start over when you select the language value.
- 1. Select the language from the **Choose language** box. The default value is **Default**, which means the default language for the Microsoft 365 organization. For more information, see [How to set language and region settings for Microsoft 365](/office365/troubleshoot/access-management/set-language-and-region).
- 2. Enter values for **Display name**, **Subject**, and **Disclaimer**. The values must be unique for each language. If you try to reuse a **Display name**, **Subject**, or **Disclaimer** value for multiple languages, you'll get an error when you click **Save**.
- 3. Use **Specify sender address** to select an existing recipient to use as the sender of quarantine notifications. If you've already specified a sender for a different language, the sender you specify will overwrite your previous selection (the same sender email address is used for all languages).
- 4. Click the **Add** button.
- 5. Repeat the previous steps to create a maximum of three customized quarantine notifications based on the recipient's language. An unlabeled box shows the languages that you've configured:
+ 2. Enter values for **Sender display name**, **Subject**, and **Disclaimer**. The values must be unique for each language. If you try to reuse a value in a different language, you'll get an error when you click **Save**.
+ 3. Click the **Add** button.
+ 4. Repeat the previous steps to create a maximum of three customized quarantine notifications based on the recipient's language. An unlabeled box shows the languages that you've configured:
- :::image type="content" source="../../media/quarantine-tags-esn-customization-selected-languages.png" alt-text="The selected languages in the global quarantine notification settings of quarantine policies." lightbox="../../media/quarantine-tags-esn-customization-selected-languages.png":::
+ :::image type="content" source="../../media/quarantine-tags-esn-customization-selected-languages.png" alt-text="The selected languages in the global quarantine notification settings of quarantine policies." lightbox="../../media/quarantine-tags-esn-customization-selected-languages.png":::
- - **Use my company logo**: Select this option to replace the default Microsoft logo that's used at the top of quarantine notifications. Before you do this step, you need to follow the instructions in [Customize the Microsoft 365 theme for your organization](../../admin/setup/customize-your-organization-theme.md) to upload your custom logo. This option is not supported if your organization has a custom logo pointing to a URL instead of an uploaded image file.
+ Click the language value in the box to edit the settings for that language. Click ![Remove selection icon.](../../media/m365-cc-sc-remove-selection-icon.png) to remove the language.
- The following screenshot shows a custom logo in a quarantine notification:
+4. When you're finished on the **Quarantine notifications** flyout, click **Save**.
- :::image type="content" source="../../media/quarantine-tags-esn-customization-logo.png" alt-text="A custom logo in a quarantine notification" lightbox="../../media/quarantine-tags-esn-customization-logo.png":::
+ :::image type="content" source="../../medio-quarantine-policy-quarantine-notification-settings.png":::
- - **Send end-user spam notification every (days)**: Select the frequency for quarantine notifications. The default value is 3 days, but you can select 1 to 15 days.
+### Customize all quarantine notifications
-4. When you're finished, click **Save**.
+Even if you don't customize quarantine notifications for different languages, settings are available in the **Quarantine notifications flyout** to customize all quarantine notifications. Or, you can configure the settings before, during, or after you customize quarantine notifications for different languages (these settings apply to all languages):
- :::image type="content" source="../../medio-quarantine-policy-quarantine-notification-settings.png":::
+- **Specify sender address**: Select an existing user for the sender email address of quarantine notifications.
+
+- **Use my company logo**: Select this option to replace the default Microsoft logo that's used at the top of quarantine notifications. Before you do this step, you need to follow the instructions in [Customize the Microsoft 365 theme for your organization](../../admin/setup/customize-your-organization-theme.md) to upload your custom logo. This option isn't supported if your organization has a custom logo pointing to a URL instead of an uploaded image file.
+
+ A custom logo in a quarantine notification is shown in the following screenshot:
+
+ :::image type="content" source="../../media/quarantine-tags-esn-customization-logo.png" alt-text="A custom logo in a quarantine notification" lightbox="../../media/quarantine-tags-esn-customization-logo.png":::
+
+ - **Send end-user spam notification every (days)**: Select the frequency for quarantine notifications. The default value is 3 days, but you can select 1 to 15 days.
+
+When you're finished in the **Quarantine notifications flyout**, click **Save**.
+
+### Use PowerShell to configure global quarantine notification settings
+
+If you'd rather use PowerShell to configure global quarantine notification settings, connect to Exchange Online PowerShell or Exchange Online Protection PowerShell and use the following syntax:
+
+```powershell
+Get-QuarantinePolicy -QuarantinePolicyType GlobalQuarantinePolicy | Set-QuarantinePolicy -MultiLanguageSetting ('Language1','Language2','Language3') -MultiLanguageCustomDisclaimer ('Language1 Disclaimer','Language2 Disclaimer','Language3 Disclaimer') -ESNCustomSubject ('Language1 Subject','Language2 Subject','Language3 Subject') -MultiLanguageSenderName ('Language1 Sender Display Name','Language2 Sender Display Name','Language3 Sender Display Name') [-EndUserSpamNotificationCustomFromAddress <InternalUserEmailAddress>] [-OrganizationBrandingEnabled <$true | $false>] [-EndUserSpamNotificationFrequencyInDays <1 to 30>]
+```
+
+**Notes**:
+
+- You can specify a maximum of 3 available languages (the value Default is the [default language for the Microsoft 365 organization](/office365/troubleshoot/access-management/set-language-and-region).
+- For each language, you need to specify unique _MultiLanguageCustomDisclaimer_, _ESNCustomSubject_, and _MultiLanguageSenderName_ values.
+- If any of the text values contain quotation marks, you need to escape the quotation mark with an additional quotation mark. For example, change `d'assistance` to `d''assistance`.
+
+This example configures the following settings:
+
+- Customized quarantine notifications for the default language and Spanish.
+- The quarantine notification sender's email address is set to michelle@contoso.onmicrosoft.com.
+
+```powershell
+Get-QuarantinePolicy -QuarantinePolicyType GlobalQuarantinePolicy | Set-QuarantinePolicy -MultiLanguageSetting ('Default','Spanish') -MultiLanguageCustomDisclaimer ('For more information, contact the Help Desk.','Para obtener más información, comuníquese con la mesa de ayuda.') -ESNCustomSubject ('You have quarantined messages','Tienes mensajes en cuarentena') -MultiLanguageSenderName ('Contoso administrator','Administradora de contoso') -EndUserSpamNotificationCustomFromAddress michelle@contoso.onmicrosoft.com
+```
+
+For detailed syntax and parameter information, see [Set-QuarantinePolicy](/powershell/module/exchange/set-quarantinepolicy).
## View quarantine policies in the Microsoft 365 Defender portal
-1. In the Microsoft 365 Defender portal, go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> **Quarantine policies** in the **Rules** section. Or, to go directly to the **Quarantine policies** page, use <https://security.microsoft.com/quarantinePolicies>.
+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> **Quarantine policies** in the **Rules** section. Or, to go directly to the **Quarantine policies** page, use <https://security.microsoft.com/quarantinePolicies>.
-2. The **Quarantine policies** page shows the list of policies by **Name** and **Last updated** date.
+2. The **Quarantine policies** page shows the list of policies by **Policy name** and **Last updated** date/time.
-3. To view the settings of built-in or custom quarantine policies, select the quarantine policy from the list by clicking on the name.
+3. To view the settings of default or custom quarantine policies, select the policy by clicking anywhere in the row other than the check box next to the name. Details are available in the flyout that opens.
4. To view the global settings, click **Global settings**
The global settings for quarantine policies allow you to customize the quarantin
If you'd rather use PowerShell to view quarantine policies, do any of the following steps: -- To view a summary list of all built-in or custom policies, run the following command:
+- To view a summary list of all default or custom policies, run the following command:
```powershell Get-QuarantinePolicy | Format-Table Name ``` -- To view the settings of built-in or custom quarantine policies, replace \<QuarantinePolicyName\> with the name of the quarantine policy, and run the following command:
+- To view the settings of default or custom quarantine policies, replace \<QuarantinePolicyName\> with the name of the quarantine policy, and run the following command:
```powershell Get-QuarantinePolicy -Identity "<QuarantinePolicyName>"
For detailed syntax and parameter information, see [Get-HostedContentFilterPolic
## Modify quarantine policies in the Microsoft 365 Defender portal
-You can't modify the built-in quarantine policies named AdminOnlyAccessPolicy, DefaultFullAccessPolicy, or DefaultFullAccessWithNotificationPolicy. You can modify the built-in policy named NotificationEnabledPolicy ([if you have it](#full-access-permissions-and-quarantine-notifications)) and custom quarantine policies.
-
-1. In the Microsoft 365 Defender portal, go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> **Quarantine policies** in the **Rules** section. Or, to go directly to the **Quarantine policies** page, use <https://security.microsoft.com/quarantinePolicies>.
+You can't modify the default quarantine policies named AdminOnlyAccessPolicy, DefaultFullAccessPolicy, or DefaultFullAccessWithNotificationPolicy.
-2. On the **Quarantine policies** page, select the policy by clicking on the name.
+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> **Quarantine policies** in the **Rules** section. Or, to go directly to the **Quarantine policies** page, use <https://security.microsoft.com/quarantinePolicies>.
-3. After you select the policy, click the ![Edit policy icon.](../../media/m365-cc-sc-edit-icon.png) **Edit policy** icon that appears.
+2. On the **Quarantine policies** page, select the policy by clicking the check box next to the name.
-4. The **Edit policy** wizard that opens is virtually identical to the **New policy** wizard as described in the [Create quarantine policies in the Microsoft 365 Defender portal](#step-1-create-quarantine-policies-in-the-microsoft-365-defender-portal) section earlier in this article.
+3. Click the ![Edit policy icon.](../../media/m365-cc-sc-edit-icon.png) **Edit policy** icon that appears.
- The main difference is: you can't rename an existing policy.
-
-5. When you're finished modifying the policy, go to the **Summary** page and click **Submit**.
+The policy wizard opens with the settings and values of the selected quarantine policy. The steps are virtually the same as described in the [Create quarantine policies in the Microsoft 365 Defender portal](#step-1-create-quarantine-policies-in-the-microsoft-365-defender-portal) section. The main difference is: you can't rename an existing policy.
### Modify quarantine policies in PowerShell
For detailed syntax and parameter information, see [Set-QuarantinePolicy](/power
**Notes**: -- You can't remove the built-in quarantine policies named AdminOnlyAccessPolicy, DefaultFullAccessPolicy, or DefaultFullAccessWithNotificationPolicy. You can remove the built-in policy named NotificationEnabledPolicy ([if you have it](#full-access-permissions-and-quarantine-notifications)) and custom quarantine policies.
+- You can't remove the default quarantine policies named AdminOnlyAccessPolicy, DefaultFullAccessPolicy, or DefaultFullAccessWithNotificationPolicy.
- Before you remove a quarantine policy, verify that it's not being used. For example, run the following command in PowerShell: ```powershell
For detailed syntax and parameter information, see [Set-QuarantinePolicy](/power
If the quarantine policy is being used, [replace the assigned quarantine policy](#step-2-assign-a-quarantine-policy-to-supported-features) before you remove it.
-1. In the Microsoft 365 Defender portal, go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> **Quarantine policies** in the **Rules** section. Or, to go directly to the **Quarantine policies** page, use <https://security.microsoft.com/quarantinePolicies>.
+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> **Quarantine policies** in the **Rules** section. Or, to go directly to the **Quarantine policies** page, use <https://security.microsoft.com/quarantinePolicies>.
-2. On the **Quarantine policies** page, select the custom quarantine policy that you want to remove by clicking on the name.
+2. On the **Quarantine policies** page, select the policy by clicking the check box next to the name.
-3. After you select the policy, click the ![Delete policy icon.](../../media/m365-cc-sc-delete-icon.png) **Delete policy** icon that appears.
+3. Click the ![Delete policy icon.](../../media/m365-cc-sc-delete-icon.png) **Delete policy** icon that appears.
-4. Click **Remove policy** in the confirmation dialog that appears.
+4. Click **Remove policy** in the confirmation dialog.
### Remove quarantine policies in PowerShell
Admins can customize the email notification recipients or create a custom alert
For more information about alert policies, see [Alert policies in Microsoft 365](../../compliance/alert-policies.md).
-## Quarantine policy permission details
+## Appendix
+
+### Anatomy of a quarantine policy
+
+A quarantine policy contains _permissions_ that are combined into _preset permission groups_. The preset permissions groups are:
+
+- No access
+- Limited access
+- Full access
+
+As previously described, _default quarantine policies_ enforce historical user capabilities on quarantined messages, and are automatically assigned to actions in [supported protection features](#step-2-assign-a-quarantine-policy-to-supported-features) that quarantine messages.
+
+The default quarantine policies are:
+
+- AdminOnlyAccessPolicy
+- DefaultFullAccessPolicy
+- NotificationEnabledPolicy (in some organizations)
+- DefaultFullAccessWithNotificationPolicy
+
+Quarantine policies also control whether users receive _quarantine notifications_ about messages that were quarantined instead of delivered to them. Quarantine notifications do two things:
+
+- Inform the user that the message is in quarantine.
+- Take action on the quarantined message from the quarantine notification. Permissions control what the user can do in the quarantine notification as described in the [Quarantine policy permission details](#quarantine-policy-permission-details) section.
+
+The relationship between permissions, permissions groups, and the default quarantine policies are described in the following tables:
+
+|Permission|No access|Limited access|Full access|
+||::|::|::|
+|**Block sender** (_PermissionToBlockSender_)||Γ£ö|Γ£ö|
+|**Delete** (_PermissionToDelete_)||Γ£ö|Γ£ö|
+|**Preview** (_PermissionToPreview_)||Γ£ö|Γ£ö|
+|**Allow recipients to release a message from quarantine** (_PermissionToRelease_)┬╣|||Γ£ö|
+|**Allow recipients to request a message to be released from quarantine** (_PermissionToRequestRelease_)||Γ£ö||
+
+|Default quarantine policy|Permission group used|Quarantine notifications enabled?|
+||::|::|
+|AdminOnlyAccessPolicy|No access|No|
+|DefaultFullAccessPolicy|Full access|No|
+|DefaultFullAccessWithNotificationPolicy┬▓|Full access|Yes|
+|NotificationEnabledPolicy┬│|Full access|Yes|
+
+┬╣ **Allow recipients to release a message from quarantine** isn't honored for messages that were quarantined by the following verdicts:
+
+- **Malware** by anti-malware policies or Safe Attachments policies.
+- **High confidence phishing** by anti-spam policies.
+
+In other words, users can never release their own malware or high confidence phishing messages from quarantine, regardless of how you configure the quarantine policy. At best, admins can create and use a custom quarantine policy with the **Allow recipients to request a message to be released from quarantine** permission, although we typically don't recommend it.
+
+┬▓ This policy is used in [preset security policies](preset-security-policies.md) instead of the DefaultFullAccessPolicy policy to enable quarantine notifications.
+
+┬│ Your organization might not have the policy named NotificationEnabledPolicy as described in the next section.
+
+#### Full access permissions and quarantine notifications
+
+The default quarantine policy named DefaultFullAccessPolicy duplicates the historical _permissions_ for less harmful quarantined messages, but _quarantine notifications_ aren't turned on in the quarantine policy. Where DefaultFullAccessPolicy is used by default is described in the feature tables in [Recommended settings for EOP and Microsoft Defender for Office 365 security](recommended-settings-for-eop-and-office365.md).
+
+To give organizations the permissions of DefaultFullAccessPolicy with quarantine notifications turned on, we selectively included a default policy named NotificationEnabledPolicy based on the following criteria:
+
+- The organization existed before the introduction of quarantine policies (July-August 2021).
+
+ **and**
+
+- The **Enable end-user spam notifications** setting was turned on in one or more [anti-spam policies](anti-spam-policies-configure.md). Before the introduction of quarantine policies, this setting determined whether users received notifications about their quarantined messages
+
+Newer organizations or older organizations that never turned on end-user spam notifications don't have the policy named NotificationEnabledPolicy.
+
+To give users **Full access** permissions _and_ quarantine notifications, organizations that don't have the NotificationEnabledPolicy policy have the following options:
+
+- Use the default policy named DefaultFullAccessWithNotificationPolicy.
+- Create and use custom quarantine policies with **Full access** permissions and quarantine notifications turned on.
+
+### Quarantine policy permission details
-The following sections describe the effects of preset permission groups and individual permissions in the details of quarantined messages and in quarantine notifications.
+The following sections describe the effects of preset permission groups and individual permissions for uses in quarantined messages and in quarantine notifications.
-### Preset permissions groups
+#### Preset permissions groups
-The individual permissions that are included in preset permission groups are listed in the table at the beginning of this article.
+The individual permissions that are included in preset permission groups are described in the [Anatomy of a quarantine policy](#anatomy-of-a-quarantine-policy) section.
-#### No access
+##### No access
-If the quarantine policy assigns the **No access** permissions (admin only access), users will not able to see those messages that are quarantined:
+If the quarantine policy assigns **No access** permissions (admin only access), users can't see quarantined messages:
-- **Quarantined message details**: No messages will show in the end-user view.-- **Quarantine notifications**: No notifications will be sent for those messages.
+- **Message details in quarantine**: The quarantined messages aren't visible to the user.
+- **Quarantine notifications**: No notifications are sent for those quarantined messages.
-#### Limited access
+##### Limited access
-If the quarantine policy assigns the **Limited access** permissions, users get the following capabilities:
+If the quarantine policy assigns **Limited access** permissions, users get the following capabilities:
-- **Quarantined message details**: The following buttons are available:
+- **Message details in quarantine**: The following buttons are available:
- **Request release** - **View message headers** - **Preview message**
If the quarantine policy assigns the **Limited access** permissions, users get t
:::image type="content" source="../../media/quarantine-tags-esn-limited-access.png" alt-text="The available buttons in the quarantine notification if the quarantine policy gives the user limited access permissions" lightbox="../../media/quarantine-tags-esn-limited-access.png":::
-#### Full access
+##### Full access
-If the quarantine policy assigns the **Full access** permissions (all available permissions), users get the following capabilities:
+If the quarantine policy assigns **Full access** permissions (all available permissions), users get the following capabilities:
-- **Quarantined message details**: The following buttons are available:
+- **Message details in quarantine**: The following buttons are available:
- **Release message** - **View message headers** - **Preview message**
If the quarantine policy assigns the **Full access** permissions (all available
:::image type="content" source="../../media/quarantine-tags-esn-full-access.png" alt-text="The available buttons in the quarantine notification if the quarantine policy gives the user full access permissions" lightbox="../../media/quarantine-tags-esn-full-access.png"::: > [!NOTE]
-> As explained earlier, quarantine notifications are disabled in the default quarantine policy named DefaultFullAccessPolicy, even though that quarantine policy has the **Full access** permission group assigned. Quarantine notifications are available only in custom quarantine policies that you create or in the default quarantine access policy named NotificationEnabledPolicy ([if that policy is available in your organization](#full-access-permissions-and-quarantine-notifications)).
+> As explained earlier, quarantine notifications are turned on only in the default policies named DefaultFullAccessWithNotificationPolicy or ([if your organization is old enough](#full-access-permissions-and-quarantine-notifications)) NotificationEnabledPolicy.
-### Individual permissions
+#### Individual permissions
-#### Block sender permission
+##### Block sender permission
The **Block sender** permission (_PermissionToBlockSender_) controls access to the button that allows users to conveniently add the quarantined message sender to their Blocked Senders list. -- **Quarantined message details**:
+- **Message details in quarantine**:
- **Block sender** permission enabled: The **Block sender** button is available.
- - **Block sender** permission disabled: The **Block sender** button is not available.
+ - **Block sender** permission disabled: The **Block sender** button isn't available.
- **Quarantine notifications**: - **Block sender** permission enabled: The **Block sender** button is available.
- - **Block sender** permission disabled: The **Block sender** button is not available.
+ - **Block sender** permission disabled: The **Block sender** button isn't available.
For more information about the Blocked Senders list, see [Block messages from someone](https://support.microsoft.com/office/274ae301-5db2-4aad-be21-25413cede077#__toc304379667) and [Use Exchange Online PowerShell to configure the safelist collection on a mailbox](configure-junk-email-settings-on-exo-mailboxes.md#use-exchange-online-powershell-to-configure-the-safelist-collection-on-a-mailbox).
-#### Delete permission
+##### Delete permission
-The **Delete** permission (_PermissionToDelete_) controls the ability to of users to delete their messages (messages where the user is a recipient) from quarantine.
+The **Delete** permission (_PermissionToDelete_) controls the ability to of users to delete their messages from quarantine (messages where they're a recipient).
-- **Quarantined message details**:
+- **Message details in quarantine**:
- **Delete** permission enabled: The **Remove from quarantine** button is available.
- - **Delete** permission disabled: The **Remove from quarantine** button is not available.
+ - **Delete** permission disabled: The **Remove from quarantine** button isn't available.
- **Quarantine notifications**: No effect.
-#### Preview permission
+##### Preview permission
The **Preview** permission (_PermissionToPreview_) controls the ability to of users to preview their messages in quarantine. -- **Quarantined message details**:
+- **Message details in quarantine**:
- **Preview** permission enabled: The **Preview message** button is available.
- - **Preview** permission disabled: The **Preview message** button is not available.
+ - **Preview** permission disabled: The **Preview message** button isn't available.
- **Quarantine notifications**: No effect.
-#### Allow recipients to release a message from quarantine permission
+##### Allow recipients to release a message from quarantine permission
> [!NOTE]
-> This permission is not honored for messages that were quarantined as malware (anti-malware policies or Safe Attachments policies) or as high confidence phishing (anti-spam policies). Users cannot release their own malware or high confidence phishing messages from quarantine. At best, you can use the [Allow recipients to request a message to be released from quarantine permission](#allow-recipients-to-request-a-message-to-be-released-from-quarantine-permission) permission.
+> This permission isn't honored for messages that were quarantined as **malware** by anti-malware or Safe Attachments policies, or as **high confidence phishing** by anti-spam policies, regardless of how you configure the quarantine policy. At best, you can use the [Allow recipients to request a message to be released from quarantine permission](#allow-recipients-to-request-a-message-to-be-released-from-quarantine-permission) permission so users can view and _request_ the release of their quarantined malware or high confidence phishing messages, although we typically don't recommend it.
The **Allow recipients to release a message from quarantine** permission (_PermissionToRelease_) controls the ability of users to release their quarantined messages directly and without the approval of an admin. -- **Quarantined message details**:
+- **Message details in quarantine**:
- Permission enabled: The **Release message** button is available.
- - Permission disabled: The **Release message** button is not available.
+ - Permission disabled: The **Release message** button isn't available.
- **Quarantine notifications**: - Permission enabled: The **Release** button is available.
- - Permission disabled: The **Release** button is not available.
+ - Permission disabled: The **Release** button isn't available.
-#### Allow recipients to request a message to be released from quarantine permission
+##### Allow recipients to request a message to be released from quarantine permission
-The **Allow recipients to request a message to be released from quarantine** permission (_PermissionToRequestRelease_) controls the ability of users to _request_ the release of their quarantined messages. The message is only released after an admin approves the request.
+The **Allow recipients to request a message to be released from quarantine** permission (_PermissionToRequestRelease_) controls the ability of users to _request_ the release of their quarantined messages. Messages are released only after an admin approves the request.
-- **Quarantined message details**:
+- **Message details in quarantine**:
- Permission enabled: The **Request release** button is available.
- - Permission disabled: The **Request release** button is not available.
+ - Permission disabled: The **Request release** button isn't available.
- **Quarantine notifications**: - Permission enabled: The **Request release** button is available.
- - Permission disabled: The **Request release** button is not available.
+ - Permission disabled: The **Request release** button isn't available.
security Quarantine Quarantine Notifications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/quarantine-quarantine-notifications.md
description: Admins can learn about end-user spam notifications for quarantined messages in Exchange Online Protection (EOP). Previously updated : 3/3/2023 Last updated : 4/7/2023 # Use quarantine notifications to release and report quarantined messages
Last updated 3/3/2023
In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, quarantine holds potentially dangerous or unwanted messages. For more information, see [Quarantined messages in EOP](quarantine-about.md).
-_Quarantine policies_ define what users are allowed to do or not do to quarantined messages based on why the message was quarantined for [supported features](quarantine-policies.md#step-2-assign-a-quarantine-policy-to-supported-features). Default quarantine policies enforce the historical capabilities for the security feature that quarantined the message as described in the table [here](quarantine-end-user.md). Admins can create and apply custom quarantine policies that define less restrictive or more restrictive capabilities for users. For more information, see [Quarantine policies](quarantine-policies.md).
+_Quarantine policies_ define what users are allowed to do or not do to quarantined messages based on why the message was quarantined for [supported features](quarantine-policies.md#step-2-assign-a-quarantine-policy-to-supported-features). Default quarantine policies enforce the historical capabilities for the security feature that quarantined the message as described in the table [here](quarantine-end-user.md). Admins can create and apply custom quarantine policies that define less restrictive or more restrictive capabilities for users. For more information, see [Create quarantine policies](quarantine-policies.md#step-1-create-quarantine-policies-in-the-microsoft-365-defender-portal).
Quarantine notifications are not turned on in the built-in quarantine notifications named AdminOnlyAccessPolicy or DefaultFullAccessPolicy. Quarantine notifications are turned on in the following built-in quarantine policies: -- **NotificationEnabledPolicy** [if your organization has it](quarantine-policies.md#full-access-permissions-and-quarantine-notifications). - **DefaultFullAccessWithNotificationPolicy** that's used in [preset security policies](preset-security-policies.md).
+- **NotificationEnabledPolicy** [if your organization has it](quarantine-policies.md#full-access-permissions-and-quarantine-notifications).
Otherwise, to turn on quarantine notifications in quarantine policies, you need to [create and configure a new quarantine policy](quarantine-policies.md#step-1-create-quarantine-policies-in-the-microsoft-365-defender-portal).
-Admins can also use the global settings in quarantine policies to customize the sender's display name, disclaimer text in different languages, and the company logo that's used in quarantine notifications. For instructions, see [Configure global quarantine notification settings](quarantine-policies.md#configure-global-quarantine-notification-settings-in-the-microsoft-365-defender-portal).
+Admins can also use the global settings in quarantine policies to create quarantine notifications in different languages and to customize the sender's email address and the company logo that's used in quarantine notifications. For instructions, see [Configure global quarantine notification settings](quarantine-policies.md#configure-global-quarantine-notification-settings-in-the-microsoft-365-defender-portal).
For shared mailboxes, quarantine notifications are supported only for users who are granted FullAccess permission to the mailbox. For more information, see [Use the EAC to edit shared mailbox delegation](/Exchange/collaboration-exo/shared-mailboxes#use-the-eac-to-edit-shared-mailbox-delegation). > [!NOTE]
-> By default, messages that are quarantined as high confidence phishing, malware, by mail flow rules (also known as transport rules), or Safe Attachments policies in Defender for Office 365 are only available to admins (by default, the AdminOnlyAccessPolicy quarantine policy is used). For more information, see [Manage quarantined messages and files as an admin in EOP](quarantine-admin-manage-messages-files.md).
+> By default, messages that are quarantined as high confidence phishing by anti-spam policies, malware by anti-malware policies or Safe Attachments, or by mail flow rules (also known as transport rules) are available only to admins. For more information, see the table at [Find and release quarantined messages as a user in EOP](quarantine-end-user.md).
> > Quarantine notifications for messages sent to distribution groups or mail-enabled security groups are sent to all group members. >
security Quarantine Shared Mailbox Messages https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/quarantine-shared-mailbox-messages.md
Previously, the ability for users to manage quarantined messages sent to a share
Now, automapping is no longer required for users to manage quarantined messages that were sent to shared mailboxes. It just works. There are two different methods to access quarantined messages that were sent to a shared mailbox: - If the following statements are all true:
- - An admin has configured [quarantine policies](quarantine-policies.md) to allow quarantine notifications (formerly known as end-user spam notifications).
+ - An admin has configured [quarantine policies](quarantine-policies.md#anatomy-of-a-quarantine-policy) to allow quarantine notifications (formerly known as end-user spam notifications).
- The user has access to quarantine notifications of the shared mailbox. - The user has Full Access permissions to the shared mailbox (directly or via a security group).
Now, automapping is no longer required for users to manage quarantined messages
## Things to keep in mind -- _Quarantine policies_ define what users are allowed to do or not do to quarantined messages based on why the message was quarantined for [supported features](quarantine-policies.md#step-2-assign-a-quarantine-policy-to-supported-features). Default quarantine policies enforce the historical capabilities for the security feature that quarantined the message as described in the table [here](quarantine-end-user.md). Admins can create and apply custom quarantine policies that define less restrictive or more restrictive capabilities for users. For more information, see [Quarantine policies](quarantine-policies.md).
+- _Quarantine policies_ define what users are allowed to do or not do to quarantined messages based on why the message was quarantined for [supported features](quarantine-policies.md#step-2-assign-a-quarantine-policy-to-supported-features). Default quarantine policies enforce the historical capabilities for the security feature that quarantined the message as described in the table [here](quarantine-end-user.md). Admins can create and apply custom quarantine policies that define less restrictive or more restrictive capabilities for users. For more information, see [Create quarantine policies](quarantine-policies.md#step-1-create-quarantine-policies-in-the-microsoft-365-defender-portal).
- The first user to act on the quarantined message decides the fate of the message for everyone who uses the shared mailbox. For example, if a shared mailbox is accessed by 10 users, and a user decides to delete the quarantine message, the message is deleted for all 10 users. Likewise, if a user decides to release the message, it's released to the shared mailbox and is accessible by all other users of the shared mailbox.
security Recommended Settings For Eop And Office365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365.md
description: What are best practices for Exchange Online Protection (EOP) and Defender for Office 365 security settings? What's the current recommendations for standard protection? What should be used if you want to be more strict? And what extras do you get if you also use Defender for Office 365? Previously updated : 3/22/2023 Last updated : 4/6/2023 # Recommended settings for EOP and Microsoft Defender for Office 365 security
Anti-spam, anti-malware, and anti-phishing are EOP features that can be configur
To create and configure anti-spam policies, see [Configure anti-spam policies in EOP](anti-spam-policies-configure.md).
+Wherever you select **Quarantine message** as the action for a spam filter verdict, a **Select quarantine policy** box is available. Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see [Anatomy of a quarantine policy](quarantine-policies.md#anatomy-of-a-quarantine-policy).
+
+If you _change_ the action of a spam filtering verdict to **Quarantine message** when you create anti-spam policies the the Defender portal, the **Select quarantine policy** box is blank by default. A blank value means the default quarantine policy for that spam filtering verdict is used. These default quarantine policies enforce the historical capabilities for the spam filter verdict that quarantined the message as described in the table [here](quarantine-end-user.md). When you later view or edit the anti-spam policy settings, the quarantine policy name is shown.
+
+Admins can create or use quarantine policies with more restrictive or less restrictive capabilities. For instructions, see [Create quarantine policies in the Microsoft 365 Defender portal](quarantine-policies.md#step-1-create-quarantine-policies-in-the-microsoft-365-defender-portal).
+ |Security feature name|Default|Standard|Strict|Comment| ||::|::|::|| |**Bulk email threshold & spam properties**|||||
To create and configure anti-spam policies, see [Configure anti-spam policies in
|**Contains specific languages** <br/><br/> _EnableLanguageBlockList_ <br/><br/> _LanguageBlockList_|**Off** <br/><br/> `$false` <br/><br/> Blank|**Off** <br/><br/> `$false` <br/><br/> Blank|**Off** <br/><br/> `$false` <br/><br/> Blank|We have no specific recommendation for this setting. You can block messages in specific languages based on your business needs.| |**From these countries** <br/><br/> _EnableRegionBlockList_ <br/><br/> _RegionBlockList_|**Off** <br/><br/> `$false` <br/><br/> Blank|**Off** <br/><br/> `$false` <br/><br/> Blank|**Off** <br/><br/> `$false` <br/><br/> Blank|We have no specific recommendation for this setting. You can block messages from specific countries based on your business needs.| |**Test mode** (_TestModeAction_)|**None**|**None**|**None**|This setting is part of ASF. For more information, see the [ASF settings in anti-spam policies](#asf-settings-in-anti-spam-policies) section in this article.|
-|**Actions**||||Wherever you select **Quarantine message** as the action for a spam filter verdict, a **Select quarantine policy** box is available. Quarantine policies define what users are allowed to do to quarantined messages and whether they receive notifications for quarantined messages. <br/><br/> The **Select quarantine policy** value is blank when you create a new anti-spam policy in the Defender portal. This blank value means the default quarantine policy for that particular spam filter verdict is used. These default quarantine policies enforce the historical capabilities for the spam filter verdict that quarantined the message as described in the table [here](quarantine-end-user.md). <br/><br/> The default quarantine policies that are used for each impersonation verdict are described in this table. <br/><br/> Admins can create custom quarantine policies or select other built-in quarantine policies with more restrictive or less restrictive capabilities in the default anti-spam policy or in custom anti-spam policies. For more information, see [Quarantine policies](quarantine-policies.md). <br/><br/> The capabilities of the quarantine policy are meaningful only if the action for the spam filter verdict is to quarantine messages.|
+|**Actions**|||||
|**Spam** detection action <br/><br/> _SpamAction_|**Move message to Junk Email folder** <br/><br/> `MoveToJmf`|**Move message to Junk Email folder** <br/><br/> `MoveToJmf`|**Quarantine message** <br/><br/> `Quarantine`||
-|&nbsp;&nbsp;&nbsp;**Quarantine policy** for **Spam** <br/><br/> _SpamQuarantineTag_|DefaultFullAccessPolicy┬╣|DefaultFullAccessPolicy|DefaultFullAccessWithNotificationPolicy|The quarantine policy is meaningful only when the detection action quarantines the message.|
+|&nbsp;&nbsp;&nbsp;**Quarantine policy** for **Spam** <br/><br/> _SpamQuarantineTag_|DefaultFullAccessPolicy┬╣|DefaultFullAccessPolicy|DefaultFullAccessWithNotificationPolicy|The quarantine policy is meaningful only if spam detections are quarantined.|
|**High confidence spam** detection action <br/><br/> _HighConfidenceSpamAction_|**Move message to Junk Email folder** <br/><br/> `MoveToJmf`|**Quarantine message** <br/><br/> `Quarantine`|**Quarantine message** <br/><br/> `Quarantine`||
-|&nbsp;&nbsp;&nbsp;**Quarantine policy** for **Hight confidence spam** <br/><br/> _HighConfidenceSpamQuarantineTag_|DefaultFullAccessPolicy┬╣|DefaultFullAccessWithNotificationPolicy|DefaultFullAccessWithNotificationPolicy|The quarantine policy is meaningful only when the action quarantines the message.|
+|&nbsp;&nbsp;&nbsp;**Quarantine policy** for **Hight confidence spam** <br/><br/> _HighConfidenceSpamQuarantineTag_|DefaultFullAccessPolicy┬╣|DefaultFullAccessWithNotificationPolicy|DefaultFullAccessWithNotificationPolicy|The quarantine policy is meaningful only if high confidence spam detections are quarantined.|
|**Phishing** detection action <br/><br/> _PhishSpamAction_|**Move message to Junk Email folder**<sup>\*</sup> <br/><br/> `MoveToJmf`|**Quarantine message** <br/><br/> `Quarantine`|**Quarantine message** <br/><br/> `Quarantine`|<sup>\*</sup> The default value is **Move message to Junk Email folder** in the default anti-spam policy and in new anti-spam policies that you create in PowerShell. The default value is **Quarantine message** in new anti-spam policies that you create in the Microsoft 365 Defender portal.|
-|&nbsp;&nbsp;&nbsp;**Quarantine policy** for **Phishing** <br/><br/> _PhishQuarantineTag_|DefaultFullAccessPolicy┬╣|DefaultFullAccessWithNotificationPolicy|DefaultFullAccessWithNotificationPolicy|The quarantine policy is meaningful only when the detection action quarantines the message.|
-|**High confidence phishing** detection action <br/><br/> _HighConfidencePhishAction_|**Quarantine message** <br/><br/> `Quarantine`|**Quarantine message** <br/><br/> `Quarantine`|**Quarantine message** <br/><br/> `Quarantine`|Users can't release their own messages that were quarantined as high confidence phishing. At best, admins can configure the quarantine policy so users can request the release of their quarantined high confidence phishing messages.|
+|&nbsp;&nbsp;&nbsp;**Quarantine policy** for **Phishing** <br/><br/> _PhishQuarantineTag_|DefaultFullAccessPolicy┬╣|DefaultFullAccessWithNotificationPolicy|DefaultFullAccessWithNotificationPolicy|The quarantine policy is meaningful only if phishing detections are quarantined.|
+|**High confidence phishing** detection action <br/><br/> _HighConfidencePhishAction_|**Quarantine message** <br/><br/> `Quarantine`|**Quarantine message** <br/><br/> `Quarantine`|**Quarantine message** <br/><br/> `Quarantine`|Users can't release their own messages that were quarantined as high confidence phishing, regardless of how the quarantine policy is configured. At best, admins can create and configure a quarantine policy so users can view and _request_ the release of their quarantined high confidence phishing messages, although we typically don't recommend it.|
|**Quarantine policy** for **High confidence phishing** <br/><br/> _HighConfidencePhishQuarantineTag_|AdminOnlyAccessPolicy|AdminOnlyAccessPolicy|AdminOnlyAccessPolicy|| |**Bulk** detection action <br/><br/> _BulkSpamAction_|**Move message to Junk Email folder** <br/><br/> `MoveToJmf`|**Move message to Junk Email folder** <br/><br/> `MoveToJmf`|**Quarantine message** <br/><br/> `Quarantine`||
-|&nbsp;&nbsp;&nbsp;**Quarantine policy** for **Bulk** <br/><br/> _BulkQuarantineTag_|DefaultFullAccessPolicy┬╣|DefaultFullAccessPolicy|DefaultFullAccessWithNotificationPolicy|The quarantine policy is meaningful only when the detection action quarantines the message.|
+|&nbsp;&nbsp;&nbsp;**Quarantine policy** for **Bulk** <br/><br/> _BulkQuarantineTag_|DefaultFullAccessPolicy┬╣|DefaultFullAccessPolicy|DefaultFullAccessWithNotificationPolicy|The quarantine policy is meaningful only if bulk detections are quarantined.|
|**Retain spam in quarantine for this many days** <br/><br/> _QuarantineRetentionPeriod_|15 days|30 days|30 days|This value also affects messages that are quarantined by anti-phishing policies. For more information, see [Quarantined email messages in EOP](quarantine-about.md).| |**Enable spam safety tips** <br/><br/> _InlineSafetyTipsEnabled_|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|| |Enable zero-hour auto purge (ZAP) for phishing messages <br/><br/> _PhishZapEnabled_|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`||
For more information about the default sending limits in the service, see [Sendi
To create and configure anti-malware policies, see [Configure anti-malware policies in EOP](anti-malware-policies-configure.md).
+Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see [Anatomy of a quarantine policy](quarantine-policies.md#anatomy-of-a-quarantine-policy).
+
+The policy named AdminOnlyAccessPolicy enforces the historical capabilities for messages that were quarantined as malware as described in the table [here](quarantine-end-user.md).
+
+Users can't release their own messages that were quarantined as malware, regardless of how the quarantine policy is configured. At best, admins can create and configure a quarantine policy so users can view and _request_ the release of their quarantined malware messages, although we typically don't recommend it.
+ |Security feature name|Default|Standard|Strict|Comment| ||::|::|::|| |**Protection settings**|||||
-|**Enable the common attachments filter** <br/><br/> _EnableFileFilter_|Selected <br/><br/> `$true`<sup>\*</sup>|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|The common attachment filter identifies messages that contain attachments based on file type, regardless of the attachment content. For the list of file types, see [Anti-malware policies](anti-malware-protection-about.md#anti-malware-policies). <br/><br/> <sup>\*</sup>The common attachments filter is on by default in new anti-malare policies that you create in the Microsoft 365 Defender portal. The common attahcments filter is off by default in the default anti-malware policy and in new policies that you create in PowerShell.|
+|**Enable the common attachments filter** <br/><br/> _EnableFileFilter_|Selected <br/><br/> `$true`<sup>\*</sup>|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|For the list of file types in the common attachments filter, see [Anti-malware policies](anti-malware-protection-about.md#anti-malware-policies). <br/><br/> <sup>\*</sup> The common attachments filter is on by default in new anti-malware policies that you create in the Microsoft 365 Defender portal. The common attachments filter is off by default in the default anti-malware policy and in new policies that you create in PowerShell.|
|Common attachment filter notifications (**When these file types are found**) <br/><br/> _FileTypeAction_|**Reject the message with a non-delivery report (NDR)** <br/><br/> `Reject`|**Reject the message with a non-delivery report (NDR)** <br/><br/> `Reject`|**Reject the message with a non-delivery report (NDR)** <br/><br/> `Reject`|| |**Enable zero-hour auto purge for malware** <br/><br/> _ZapEnabled_|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`||
-|**Quarantine policy** <br/><br/> _QuarantineTag_|AdminOnlyAccessPolicy|AdminOnlyAccessPolicy|AdminOnlyAccessPolicy|The **Quarantine policy** value is blank when you create a new anti-malware policy in the Defender portal. This blank value means the default quarantine policy from malware detections is used (AdminOnlyAccessPolicy with no quarantine notifications). This default quarantine policy enforces the historical capabilities for messages that were quarantined as malware as described in the table [here](quarantine-end-user.md). <br/><br/> Admins can create custom quarantine policies or select other built-in quarantine policies with less restrictive capabilities in the default anti-malware policy or in custom anti-malware policies. For more information, see [Quarantine policies](quarantine-policies.md). <br/><br/> Users can't release their own messages that were quarantined as malware. At best, admins can configure the quarantine policy so users can request the release of their quarantined malware messages.|
+|**Quarantine policy** <br/><br/> _QuarantineTag_|AdminOnlyAccessPolicy|AdminOnlyAccessPolicy|AdminOnlyAccessPolicy||
|**Admin notifications**||||| |**Notify an admin about undelivered messages from internal senders** <br/><br/> _EnableInternalSenderAdminNotifications_ <br/><br/> _InternalSenderAdminAddress_|Not selected <br/><br/> `$false`|Not selected <br/><br/> `$false`|Not selected <br/><br/> `$false`|We have no specific recommendation for this setting.| |**Notify an admin about undelivered messages from external senders** <br/><br/> _EnableExternalSenderAdminNotifications_ <br/><br/> _ExternalSenderAdminAddress_|Not selected <br/><br/> `$false`|Not selected <br/><br/> `$false`|Not selected <br/><br/> `$false`|We have no specific recommendation for this setting.|
For more information about these settings, see [Spoof settings](anti-phishing-po
The spoof settings are inter-related, but the **Show first contact safety tip** setting has no dependency on spoof settings.
+Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see [Anatomy of a quarantine policy](quarantine-policies.md#anatomy-of-a-quarantine-policy).
+
+Although the **Apply quarantine policy** value appears unselected when you create an anti-phishing policy in the Defender portal, the quarantine policy named DefaultFullAccessPolicy┬╣ is used if you don't select a quarantine policy. This policy enforces the historical capabilities for messages that were quarantined as spoof as described in the table [here](quarantine-end-user.md). When you later view or edit the quarantine policy settings, the quarantine policy name is shown.
+
+Admins can create or use quarantine policies with more restrictive or less restrictive capabilities. For instructions, see [Create quarantine policies in the Microsoft 365 Defender portal](quarantine-policies.md#step-1-create-quarantine-policies-in-the-microsoft-365-defender-portal).
+ |Security feature name|Default|Standard|Strict|Comment| ||::|::|::|| |**Phishing threshold & protection**||||| |**Enable spoof intelligence** <br/><br/> _EnableSpoofIntelligence_|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|| |**Actions**|||||
-|**If message is detected as spoof** <br/><br/> _AuthenticationFailAction_|**Move message to the recipients' Junk Email folders** <br/><br/> `MoveToJmf`|**Move message to the recipients' Junk Email folders** <br/><br/> `MoveToJmf`|**Quarantine the message** <br/><br/> `Quarantine`|This setting applies to spoofed senders that were automatically blocked as shown in the [spoof intelligence insight](anti-spoofing-spoof-intelligence.md) or manually blocked in the [Tenant Allow/Block List](tenant-allow-block-list-about.md). <br/><br/> If you select **Quarantine the message** as the action for the spoof verdict, an **Apply quarantine policy** box is available. Quarantine policies define what users are allowed to do to quarantined messages and whether they receive notifications for quarantined messages. For more information, see [Quarantine policies](quarantine-policies.md).|
-|&nbsp;&nbsp;&nbsp;**Quarantine policy** for **Spoof** <br/><br/> _SpoofQuarantineTag_|DefaultFullAccessPolicy┬╣|DefaultFullAccessPolicy|DefaultFullAccessWithNotificationPolicy| <br/><br/> The **Apply quarantine policy** value is blank when you create a new anti-phishing policy in the Defender portal. This blank value means the default quarantine policy for the spoof is used. This default quarantine policy enforces the historical capabilities for messages that were quarantined as spoof as described in the table [here](quarantine-end-user.md). <br/><br/> The capabilities of the quarantine policy are meaningful only if the action for the spoof verdict is to quarantine messages. <br/><br/> Admins can create custom quarantine policies or select other built-in quarantine policies with more restrictive or less restrictive capabilities in the default anti-phishing policy or in custom anti-phishing policies.|
+|**If message is detected as spoof** <br/><br/> _AuthenticationFailAction_|**Move message to the recipients' Junk Email folders** <br/><br/> `MoveToJmf`|**Move message to the recipients' Junk Email folders** <br/><br/> `MoveToJmf`|**Quarantine the message** <br/><br/> `Quarantine`|This setting applies to spoofed senders that were automatically blocked as shown in the [spoof intelligence insight](anti-spoofing-spoof-intelligence.md) or manually blocked in the [Tenant Allow/Block List](tenant-allow-block-list-about.md). <br/><br/> If you select **Quarantine the message** as the action for the spoof verdict, an **Apply quarantine policy** box is available.|
+|&nbsp;&nbsp;&nbsp;**Quarantine policy** for **Spoof** <br/><br/> _SpoofQuarantineTag_|DefaultFullAccessPolicy┬╣|DefaultFullAccessPolicy|DefaultFullAccessWithNotificationPolicy|The quarantine policy is meaningful only if spoof detections are quarantined.|
|**Show first contact safety tip** <br/><br/> _EnableFirstContactSafetyTips_|Not selected <br/><br/> `$false`|Not selected <br/><br/> `$false`|Not selected <br/><br/> `$false`|For more information, see [First contact safety tip](anti-phishing-policies-about.md#first-contact-safety-tip).| |**Show (?) for unauthenticated senders for spoof** <br/><br/> _EnableUnauthenticatedSender_|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Adds a question mark (?) to the sender's photo in Outlook for unidentified spoofed senders. For more information, see [Unauthenticated sender indicators](anti-phishing-policies-about.md#unauthenticated-sender-indicators).| |**Show "via" tag** <br/><br/> _EnableViaTag_|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Adds a via tag (chris@contoso.com via fabrikam.com) to the From address if it's different from the domain in the DKIM signature or the **MAIL FROM** address. <br/><br/> For more information, see [Unauthenticated sender indicators](anti-phishing-policies-about.md#unauthenticated-sender-indicators).|
Additional security benefits come with a Microsoft Defender for Office 365 subsc
> [!IMPORTANT] >
-> - The default anti-phishing policy in Microsoft Defender for Office 365 provides [spoof protection](anti-phishing-policies-about.md#spoof-settings) and mailbox intelligence for all recipients. However, the other available [impersonation protection](#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365) features and [advanced settings](#advanced-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365) are not configured or enabled in the default policy. To enable all protection features, modify the default anti-phishing policy or create additional anti-phishing policies.
+> - The default anti-phishing policy in Microsoft Defender for Office 365 provides [spoof protection](anti-phishing-policies-about.md#spoof-settings) and mailbox intelligence for all recipients. However, the other available [impersonation protection](#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365) features and [advanced settings](#advanced-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365) are not configured or enabled in the default policy. To enable all protection features, use one of the following methods:
+>
+> - Turn on and use the Standard and/or Strict [preset security policies](preset-security-policies.md) and configure impersonation protection there.
+> - Modify the default anti-phishing policy.
+>
+> - Create additional anti-phishing policies.
> > - Although there's no default Safe Attachments policy or Safe Links policy, the **Built-in protection** preset security policy provides Safe Attachments protection and Safe Links protection to all recipients (users who aren't defined in the Standard or Strict preset security policies or in custom Safe Attachments policies or Safe Links policies). For more information, see [Preset security policies in EOP and Microsoft Defender for Office 365](preset-security-policies.md). >
For more information about this setting, see [Advanced phishing thresholds in an
For more information about these settings, see [Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365). To configure these settings, see [Configure anti-phishing policies in Defender for Office 365](anti-phishing-policies-mdo-configure.md).
+Wherever you select **Quarantine the message** as the action for an impersonation verdict, an **Apply quarantine policy** box is available. Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see [Anatomy of a quarantine policy](quarantine-policies.md#anatomy-of-a-quarantine-policy).
+
+Although the **Apply quarantine policy** value appears unselected when you create an anti-phishing policy in the Defender portal, the quarantine policy named DefaultFullAccessPolicy is used if you don't select a quarantine policy. This policy enforces the historical capabilities for messages that were quarantined as impersonation as described in the table [here](quarantine-end-user.md). When you later view or edit the quarantine policy settings, the quarantine policy name is shown.
+
+Admins can create or use quarantine policies with more restrictive or less restrictive capabilities. For instructions, see [Create quarantine policies in the Microsoft 365 Defender portal](quarantine-policies.md#step-1-create-quarantine-policies-in-the-microsoft-365-defender-portal).
+ |Security feature name|Default|Standard|Strict|Comment| ||::|::|::|| |**Phishing threshold & protection**|||||
For more information about these settings, see [Impersonation settings in anti-p
|**Add trusted senders and domains** <br/><br/> _ExcludedSenders_ <br/><br/> _ExcludedDomains_|None|None|None|Depending on your organization, we recommend adding senders or domains that are incorrectly identified as impersonation attempts.| |**Enable mailbox intelligence** <br/><br/> _EnableMailboxIntelligence_|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|| |**Enable intelligence for impersonation protection** <br/><br/> _EnableMailboxIntelligenceProtection_|Off <br/><br/> `$false`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|This setting allows the specified action for impersonation detections by mailbox intelligence.|
-|**Actions**||||Wherever you select **Quarantine the message** as the action for an impersonation verdict, an **Apply quarantine policy** box is available. Quarantine policies define what users are allowed to do to quarantined messages and whether they receive notifications for quarantined messages. <br/><br/> The **Apply quarantine policy** value is blank when you create a new anti-phishing policy in the Defender portal. This blank value means the default quarantine policy for that particular impersonation verdict is used. These default quarantine policies enforce the historical capabilities for messages that were quarantined as impersonation as described in the table [here](quarantine-end-user.md). <br/><br/> The default quarantine policies that are used for each impersonation verdict are described in this table. <br/><br/> Admins can create custom quarantine policies or select other built-in quarantine policies with more restrictive or less restrictive capabilities in the default anti-phishing policy or in custom anti-phishing policies. For more information, see [Quarantine policies](quarantine-policies.md). <br/><br/> The capabilities of the quarantine policy are meaningful only if the action for the impersonation verdict is to quarantine messages.|
+|**Actions**|||||
|**If message is detected as an impersonated user** <br/><br/> _TargetedUserProtectionAction_|**Don't apply any action** <br/><br/> `NoAction`|**Quarantine the message** <br/><br/> `Quarantine`|**Quarantine the message** <br/><br/> `Quarantine`||
-|&nbsp;&nbsp;&nbsp;**Quarantine policy** for **user impersonation** <br/><br/> _TargetedUserQuarantineTag_|DefaultFullAccessPolicy┬╣|DefaultFullAccessWithNotificationPolicy|DefaultFullAccessWithNotificationPolicy|The capabilities of the quarantine policy are meaningful only if the action for the user impersonation verdict is to quarantine messages.|
+|&nbsp;&nbsp;&nbsp;**Quarantine policy** for **user impersonation** <br/><br/> _TargetedUserQuarantineTag_|DefaultFullAccessPolicy┬╣|DefaultFullAccessWithNotificationPolicy|DefaultFullAccessWithNotificationPolicy|The quarantine policy is meaningful only if user impersonation detections are quarantined.|
|**If message is detected as an impersonated domain** <br/><br/> _TargetedDomainProtectionAction_|**Don't apply any action** <br/><br/> `NoAction`|**Quarantine the message** <br/><br/> `Quarantine`|**Quarantine the message** <br/><br/> `Quarantine`||
-|&nbsp;&nbsp;&nbsp;**Quarantine policy** for **domain impersonation** <br/><br/> _TargetedDomainQuarantineTag_|DefaultFullAccessPolicy┬╣|DefaultFullAccessWithNotificationPolicy|DefaultFullAccessWithNotificationPolicy|The capabilities of the quarantine policy are meaningful only if the action for the domain impersonation verdict is to quarantine messages.|
+|&nbsp;&nbsp;&nbsp;**Quarantine policy** for **domain impersonation** <br/><br/> _TargetedDomainQuarantineTag_|DefaultFullAccessPolicy┬╣|DefaultFullAccessWithNotificationPolicy|DefaultFullAccessWithNotificationPolicy|The quarantine policy is meaningful only if domain impersonation detections are quarantined.|
|**If mailbox intelligence detects an impersonated user** <br/><br/> _MailboxIntelligenceProtectionAction_|**Don't apply any action** <br/><br/> `NoAction`|**Move message to the recipients' Junk Email folders** <br/><br/> `MoveToJmf`|**Quarantine the message** <br/><br/> `Quarantine`||
-|&nbsp;&nbsp;&nbsp;**Quarantine policy** for **mailbox intelligence impersonation** <br/><br/> _MailboxIntelligenceQuarantineTag_|DefaultFullAccessPolicy┬╣|DefaultFullAccessPolicy|DefaultFullAccessWithNotificationPolicy|The capabilities of the quarantine policy are meaningful only if the action for the mailbox intelligence impersonation verdict is to quarantine messages.|
+|&nbsp;&nbsp;&nbsp;**Quarantine policy** for **mailbox intelligence impersonation** <br/><br/> _MailboxIntelligenceQuarantineTag_|DefaultFullAccessPolicy┬╣|DefaultFullAccessPolicy|DefaultFullAccessWithNotificationPolicy|The quarantine policy is meaningful only if mailbox intelligence detections are quarantined.|
|**Show user impersonation safety tip** <br/><br/> _EnableSimilarUsersSafetyTips_|Off <br/><br/> `$false`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|| |**Show domain impersonation safety tip** <br/><br/> _EnableSimilarDomainsSafetyTips_|Off <br/><br/> `$false`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|| |**Show user impersonation unusual characters safety tip** <br/><br/> _EnableUnusualCharactersSafetyTips_|Off <br/><br/> `$false`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`||
In PowerShell, you use the [New-SafeAttachmentPolicy](/powershell/module/exchang
> > The **Default in custom** column refers to the default values in new Safe Attachments policies that you create. The remaining columns indicate (unless otherwise noted) the values that are configured in the corresponding preset security policies.
+Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see [Anatomy of a quarantine policy](quarantine-policies.md#anatomy-of-a-quarantine-policy).
+
+The **Quarantine policy** value is blank when you create a new Safe Attachments policy in the Defender portal. This blank value means the default quarantine policy named AdminOnlyAccessPolicy is used. This policy enforces the historical capabilities for messages that were quarantined as malware by Safe Attachments as described in the table [here](quarantine-end-user.md).
+
+Users can't release their own messages that were quarantined as malware by Safe Attachments, regardless of how the quarantine policy is configured. At best, admins can create and configure a quarantine policy so users can view and _request_ the release of their quarantined malware messages, although we typically don't recommend it.
+ |Security feature name|Default in custom|Built-in protection|Standard|Strict|Comment| ||::|::|::|::|| |**Safe Attachments unknown malware response** <br/><br/> _Enable_ and _Action_|**Off** <br/><br/> `-Enable $false` and `-Action Block`|**Block** <br/><br/> `-Enable $true` and `-Action Block`|**Block** <br/><br/> `-Enable $true` and `-Action Block`|**Block** <br/><br/> `-Enable $true` and `-Action Block`|When the _Enable_ parameter is $false, the value of the _Action_ parameter doesn't matter.|
-|**Quarantine policy** <br/><br/> _QuarantineTag_|AdminOnlyAccessPolicy|AdminOnlyAccessPolicy|AdminOnlyAccessPolicy|AdminOnlyAccessPolicy|The **Quarantine policy** value is blank when you create a new Safe Attachments policy in the Defender portal. This blank value means the default quarantine policy from Safe Attachments detections is used (AdminOnlyAccessPolicy with no quarantine notifications). This default quarantine policy enforces the historical capabilities for messages that were quarantined as malware by Safe Attachments as described in the table [here](quarantine-end-user.md). <br/><br/> Admins can create custom quarantine policies or select other built-in quarantine policies with less restrictive capabilities in the default anti-malware policy or in custom anti-malware policies. For more information, see [Quarantine policies](quarantine-policies.md). <br/><br/> Users can't release their own messages that were quarantined as malware by Safe Attachments. At best, admins can configure the quarantine policy so users can request the release of their quarantined malware messages.|
+|**Quarantine policy** <br/><br/> _QuarantineTag_|AdminOnlyAccessPolicy|AdminOnlyAccessPolicy|AdminOnlyAccessPolicy|AdminOnlyAccessPolicy||
|**Redirect attachment with detected attachments** : **Enable redirect** <br/><br/> _Redirect_ <br/><br/> _RedirectAddress_|Not selected and no email address specified. <br/><br/> `-Redirect $false` <br/><br/> _RedirectAddress_ is blank (`$null`)|Not selected and no email address specified. <br/><br/> `-Redirect $false` <br/><br/> _RedirectAddress_ is blank (`$null`)|Selected and specify an email address. <br/><br/> `$true` <br/><br/> an email address|Selected and specify an email address. <br/><br/> `$true` <br/><br/> an email address|Redirect messages to a security admin for review. <br/><br/> **Note**: This setting is not configured in the **Standard**, **Strict**, or **Built-in protection** preset security policies. The **Standard** and **Strict** values indicate our **recommended** values in new Safe Attachments policies that you create.| |**Apply the Safe Attachments detection response if scanning can't complete (timeout or errors)** <br/><br/> _ActionOnError_|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`||
security Safe Attachments About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-attachments-about.md
This section describes the settings in Safe Attachments policies:
|||| |**Off**|Attachments aren't scanned for malware by Safe Attachments. Messages are still scanned for malware by [anti-malware protection in EOP](anti-malware-protection-about.md).|Turn scanning off for selected recipients. <br/><br/> Prevent unnecessary delays in routing internal mail. <br/><br/> **This option is not recommended for most users. You should only use this option to turn off Safe Attachments scanning for recipients who only receive messages from trusted senders. ZAP will not quarantine messages if Safe Attachments is turned off and a malware signal is not received. For details, see [Zero-hour auto purge](zero-hour-auto-purge.md)**| |**Monitor**|Delivers messages with attachments and then tracks what happens with detected malware. <br/><br/> Delivery of safe messages might be delayed due to Safe Attachments scanning.|See where detected malware goes in your organization.|
- |**Block**|Prevents messages with detected malware attachments from being delivered. <br/><br/> Messages are quarantined. By default, only admins (not users) can review, release, or delete the messages.<sup>\*</sup> <br/><br/> Automatically blocks future instances of the messages and attachments. <br/><br/> Delivery of safe messages might be delayed due to Safe Attachments scanning.|Protects your organization from repeated attacks using the same malware attachments. <br/><br/> This is the default value, and the recommended value in Standard and Strict [preset security policies](preset-security-policies.md).|
- |**Replace**|**Note**: This action will be deprecated. For more information, see [MC424901](https://admin.microsoft.com/AdminPortal/Home#/MessageCenter/:/messages/MC424901). <br/><br/> Removes detected malware attachments. <br/><br/> Notifies recipients that attachments have been removed. <br/><br/> Messages that contain malicious attachments are quarantined. By default, only admins (not users) can review, release, or delete the messages.<sup>\*</sup> <br/><br/> Delivery of safe messages might be delayed due to Safe Attachments scanning.|Raise visibility to recipients that attachments were removed because of detected malware.|
- |**Dynamic Delivery**|Delivers messages immediately, but replaces attachments with placeholders until Safe Attachments scanning is complete. <br/><br/> Messages that contain malicious attachments are quarantined. By default, only admins (not users) can review, release, or delete the messages.<sup>\*</sup> <br/><br/> For details, see the [Dynamic Delivery in Safe Attachments policies](#dynamic-delivery-in-safe-attachments-policies) section later in this article.|Avoid message delays while protecting recipients from malicious files.|
+ |**Block**|Prevents messages with detected malware attachments from being delivered. <br/><br/> Messages are quarantined. By default, only admins (not users) can review, release, or delete the messages.┬╣ <br/><br/> Automatically blocks future instances of the messages and attachments. <br/><br/> Delivery of safe messages might be delayed due to Safe Attachments scanning.|Protects your organization from repeated attacks using the same malware attachments. <br/><br/> This is the default value, and the recommended value in Standard and Strict [preset security policies](preset-security-policies.md).|
+ |**Replace**|**Note**: This action will be deprecated. For more information, see [MC424901](https://admin.microsoft.com/AdminPortal/Home#/MessageCenter/:/messages/MC424901). <br/><br/> Removes detected malware attachments. <br/><br/> Notifies recipients that attachments have been removed. <br/><br/> Messages that contain malicious attachments are quarantined. By default, only admins (not users) can review, release, or delete the messages.┬╣ <br/><br/> Delivery of safe messages might be delayed due to Safe Attachments scanning.|Raise visibility to recipients that attachments were removed because of detected malware.|
+ |**Dynamic Delivery**|Delivers messages immediately, but replaces attachments with placeholders until Safe Attachments scanning is complete. <br/><br/> Messages that contain malicious attachments are quarantined. By default, only admins (not users) can review, release, or delete the messages.┬╣ <br/><br/> For details, see the [Dynamic Delivery in Safe Attachments policies](#dynamic-delivery-in-safe-attachments-policies) section later in this article.|Avoid message delays while protecting recipients from malicious files.|
- <sup>\*</sup>**Quarantine policy**: Admins can create and assign _quarantine policies_ in Safe Attachments policies that define what users are allowed to do to quarantined messages. For more information, see [Quarantine policies](quarantine-policies.md).
+ ┬╣ Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see [Anatomy of a quarantine policy](quarantine-policies.md#anatomy-of-a-quarantine-policy). Users can't release their own messages that were quarantined as malware by Safe Attachments, regardless of how the quarantine policy is configured. At best, admins can create and configure a quarantine policy so users can view and _request_ the release of their quarantined malware messages, although we typically don't recommend it.
- **Redirect messages with detected attachments**: **Enable redirect** and **Send messages that contain blocked, monitored, or replaced attachments to the specified email address**: For **Block**, **Monitor**, or **Replace** actions, send messages that contain malware attachments to the specified internal or external email address for analysis and investigation.
security Safe Attachments Policies Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-attachments-policies-configure.md
Creating a custom Safe Attachments policy in the Microsoft 365 Defender portal c
These values are explained in [Safe Attachments policy settings](safe-attachments-about.md#safe-attachments-policy-settings).
- - **Quarantine policy**: Select the quarantine policy that applies to messages that are quarantined by Safe Attachments (**Block**, **Replace**, or **Dynamic Delivery**). Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see [Quarantine policies](quarantine-policies.md).
+ - **Quarantine policy**: Select the quarantine policy that applies to messages that are quarantined by Safe Attachments (**Block**, **Replace**, or **Dynamic Delivery**). Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see [Anatomy of a quarantine policy](quarantine-policies.md#anatomy-of-a-quarantine-policy).
- A blank value means the default quarantine policy is used (AdminOnlyAccessPolicy for email detections by Safe Attachments). When you later edit the Safe Attachments policy or view the settings, the default quarantine policy name is shown.
+ A blank value means the default quarantine policy for malware detections by Safe Attachments is used (AdminOnlyAccessPolicy). When you later view or edit the Safe Attachments policy settings, the quarantine policy name is shown.
+
+ > [!NOTE]
+ > Quarantine notifications are disabled in the policy named AdminOnlyAccessPolicy. To notify recipients that have messages quarantined as malware by Safe Attachments, create or use an existing quarantine policy where quarantine notifications are turned on. For instructions, see [Create quarantine policies in the Microsoft 365 Defender portal](quarantine-policies.md#step-1-create-quarantine-policies-in-the-microsoft-365-defender-portal).
+ >
+ > Users can't release their own messages that were quarantined as malware by Safe Attachments policies, regardless of how the quarantine policy is configured. At best, admins can create and configure a quarantine policy so users can view and _request_ the release of quarantined malware messages, although we typically don't recommend it.
- **Redirect messages with detected attachments**: If you select **Enable redirect**, you can specify an email address in the **Send messages that contain blocked, monitored, or replaced attachments to the specified email address** box to send messages that contain malware attachments for analysis and investigation.
New-SafeAttachmentPolicy -Name "<PolicyName>" -Enable $true [-AdminDisplayName "
This example creates a safe attachment policy named Contoso All with the following values: - Block messages that are found to contain malware by Safe Documents scanning (we aren't using the _Action_ parameter, and the default value is `Block`).-- The default [quarantine policy](quarantine-policies.md) is used (AdminOnlyAccessPolicy), because we aren't using the _QuarantineTag_ parameter.
+- The default quarantine policy is used (AdminOnlyAccessPolicy), because we aren't using the _QuarantineTag_ parameter.
- Redirection is enabled, and messages that are found to contain malware are sent to sec-ops@contoso.com for analysis and investigation. - If Safe Attachments scanning isn't available or encounters errors, don't deliver the message (we aren't using the _ActionOnError_ parameter, and the default value is `$true`).
New-SafeAttachmentPolicy -Name "Contoso All" -Enable $true -Redirect $true -Redi
For detailed syntax and parameter information, see [New-SafeAttachmentPolicy](/powershell/module/exchange/new-safeattachmentpolicy).
-> [!NOTE]
-> For detailed instructions to specify the [quarantine policy](quarantine-policies.md) to use in a safe attachment policy, see [Use PowerShell to specify the quarantine policy in Safe Attachments policies](quarantine-policies.md#safe-attachments-policies-in-powershell).
+> [!TIP]
+> For detailed instructions to specify the quarantine policy to use in a safe attachment policy, see [Use PowerShell to specify the quarantine policy in Safe Attachments policies](quarantine-policies.md#safe-attachments-policies-in-powershell).
#### Step 2: Use PowerShell to create a safe attachment rule
Set-SafeAttachmentPolicy -Identity "<PolicyName>" <Settings>
For detailed syntax and parameter information, see [Set-SafeAttachmentPolicy](/powershell/module/exchange/set-safeattachmentpolicy).
-> [!NOTE]
-> For detailed instructions to specify the [quarantine policy](quarantine-policies.md) to use in a safe attachment policy, see [Use PowerShell to specify the quarantine policy in Safe Attachments policies](quarantine-policies.md#safe-attachments-policies-in-powershell).
+> [!TIP]
+> For detailed instructions to specify the quarantine policy to use in a safe attachment policy, see [Use PowerShell to specify the quarantine policy in Safe Attachments policies](quarantine-policies.md#safe-attachments-policies-in-powershell).
### Use PowerShell to modify safe attachment rules
security Zero Hour Auto Purge https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/zero-hour-auto-purge.md
Watch this short video to learn how ZAP in Microsoft Defender for Office 365 aut
### Zero-hour auto purge (ZAP) for malware
-For **read or unread messages** that are found to contain malware after delivery, ZAP quarantines the message that contains the malware attachment. By default, only admins can view and manage quarantined malware messages. But, admins can create and use _quarantine policies_ to define what users are allowed to do to messages that were quarantined as malware. For more information, see [Quarantine policies](quarantine-policies.md).
+For **read or unread messages** that are found to contain malware after delivery, ZAP quarantines the message that contains the malware attachment. By default, only admins can view and manage quarantined malware messages. But, admins can create and use _quarantine policies_ to define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see [Anatomy of a quarantine policy](quarantine-policies.md#anatomy-of-a-quarantine-policy).
+
+> [!NOTE]
+> Users can't release their own messages that were quarantined as malware, regardless of how the quarantine policy is configured. At best, admins can create and configure a quarantine policy so users can view and _request_ the release of their quarantined malware messages, although we typically don't recommend it.
ZAP for malware is enabled by default in anti-malware policies. For more information, see [Configure anti-malware policies in EOP](anti-malware-policies-configure.md).
For more information about configuring spam filtering verdicts, see [Configure a
### Zero-hour auto purge (ZAP) for high confidence phishing
-For **read or unread messages** that are identified as high confidence phishing after delivery, ZAP quarantines the message. By default, only admins can view and manage quarantined high confidence phish messages. But, admins can create and use _quarantine policies_ to define what users are allowed to do to messages that were quarantined as high confidence phishing. For more information, see [Quarantine policies](quarantine-policies.md)
+For **read or unread messages** that are identified as high confidence phishing after delivery, ZAP quarantines the message. By default, only admins can view and manage quarantined high confidence phish messages. But, admins can create and use _quarantine policies_ to define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see [Anatomy of a quarantine policy](quarantine-policies.md#anatomy-of-a-quarantine-policy).
+
+> [!NOTE]
+> Users can't release their own messages that were quarantined as high confidence phishing, regardless of how the quarantine policy is configured. At best, admins can create and configure a quarantine policy so users can view and _request_ the release of their quarantined high confidence phishing messages, although we typically don't recommend it.
ZAP for high confidence phish is enabled by default. For more information, see [Secure by Default in Office 365](secure-by-default.md).
For **unread messages** that are identified as spam after delivery, the ZAP outc
- **Move message to Junk Email**: ZAP moves the message to the Junk Email folder. For more information, see [Configure junk email settings on Exchange Online mailboxes in Microsoft 365](configure-junk-email-settings-on-exo-mailboxes.md). -- **Quarantine message**: ZAP quarantines the message. By default, end-users can view and manage spam quarantined messages where they're a recipient. But, admins can create and use _quarantine policies_ to define what users are allowed to do to messages that were quarantined as spam. For more information, see [Quarantine policies](quarantine-policies.md)
+- **Quarantine message**: ZAP quarantines the message. By default, end-users can view and manage spam quarantined messages where they're a recipient. But, admins can create and use _quarantine policies_ to define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see [Anatomy of a quarantine policy](quarantine-policies.md#anatomy-of-a-quarantine-policy).
By default, spam ZAP is enabled in anti-spam policies, and the default action for the **Spam** filtering verdict is **Move message to Junk Email folder**, which means spam ZAP moves **unread** messages to the Junk Email folder by default.
ZAP will not quarantine any message that's in the process of [Dynamic Delivery](
> [!NOTE] > This section lists new features which are currently in preview.
-When a chat message is identified as potentially phishing or malicious in Microsoft Teams, ZAP blocks the message and quarantines it. This message is blocked for both the recipient and the sender. Note that this protection feature only applies to messages in a chat or in a meeting within the organization.
+When a chat message is identified as potentially phishing or malicious in Microsoft Teams, ZAP blocks the message and quarantines it. This message is blocked for both the recipient and the sender. Note that this protection feature only applies to messages in a chat or in a meeting within the organization.
**Sender view**:
When a chat message is identified as potentially phishing or malicious in Micros
:::image type="content" source="../../media/zero-hour-auto-purge-recipient.png" alt-text="Image showing how zero-hour auto purge works for the recipient." lightbox="../../media/zero-hour-auto-purge-recipient.png":::
-Admins can view and manage these quarantined messages in Microsoft Teams. For more information, see [Manage quarantined messages and files as an admin](quarantine-admin-manage-messages-files.md#use-the-microsoft-365-defender-portal-to-manage-quarantined-messages-in-microsoft-teams). Note that if you're not an admin, you won't be able to view or manage quarantined messages for this release.
+Admins can view and manage these quarantined messages in Microsoft Teams. For more information, see [Manage quarantined messages and files as an admin](quarantine-admin-manage-messages-files.md#use-the-microsoft-365-defender-portal-to-manage-quarantined-messages-in-microsoft-teams). Note that if you're not an admin, you won't be able to view or manage quarantined messages for this release.
> [!NOTE] > Zero-hour auto purge (ZAP) in Microsoft Teams is available only to customers with Microsoft Defender for Office 365 E5 and Defender for Office P2 subscriptions. ### Zero-hour auto purge (ZAP) for high confidence phishing in Teams
-For messages that are identified as high confidence phishing after delivery, ZAP blocks and quarantines the message. By default, only admins can view and manage quarantined high confidence phish messages. For more information, see [Quarantine policies](quarantine-policies.md).
+For messages that are identified as high confidence phishing after delivery, ZAP blocks and quarantines the message. By default, only admins can view and manage quarantined high confidence phishing messages.
### Zero-hour auto purge (ZAP) for malware in Teams
-For messages that are identified as malware, ZAP blocks and quarantines the message. By default, only admins can view and manage quarantined malware messages. For more information, see [Quarantine policies](quarantine-policies.md).
+For messages that are identified as malware, ZAP blocks and quarantines the message. By default, only admins can view and manage quarantined malware messages.
-Note that for this release, ZAP is available only to messages that are identified as high confidence phish or malware.
+Note that for this release, ZAP is available only for messages that are identified as high confidence phish or malware.
### Review messages blocked in Teams
syntex Use Content Center Site https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/use-content-center-site.md
description: Learn how to provision and use the content center site template in
# Use the content center site template for Microsoft Syntex > [!NOTE]
-> The content center site template is provided in the SharePoint look book service, which is no longer being updated. Some of the information in the template might not reflect the current Syntex features.
+> The content center site template is provided in the SharePoint look book service, which is no longer being updated. Some of the information in this template might not reflect the current Syntex features.
The Microsoft Syntex content center site is a ready-to-deploy instructional SharePoint site template designed to help you better understand Syntex capabilities.