Forum Discussion
Bulk release of Quarantined Messages (PowerShell) and Release Requests
Many times we need to release lots of quarantined messages, and we all know the limitations (and how time-consuming it is) that we face in the security admin portal.
With the following cmdlets you'll be able to filter, check and release users' quarantined messages.
I'll explain only some options (those that we'll use the most), but you can find many other filtering options in the articles at the end of this post.
Example:
Get-QuarantineMessage -PageSize 500 -QuarantineTypes Bulk,Phish,Spam -RecipientAddress "EmailAddress"
With this cmdlet you'll get a list of the quarantined messages sent to a specific user.
Instead of -RecipientAddress we can use -SenderAddress to filter by sender, or both to filter the quarantined messages sent by a specific address to a specific user.
The -PageSize can be configured from 1 to 1000. This is the output size you'll get in PS.
You can filter by -QuarantineTypes or -Type. If you don't use this, you'll get all quarantined messages. Valid quarantine types are:
Bulk
HighConfPhish
Malware
Phish
Spam
SPOMalware (Microsoft Defender for Office 365 only)
TransportRule
You can complete the previous cmdlet with | Release-QuarantineMessage -ReleaseToAll
Example:
Get-QuarantineMessage -PageSize 500 -QuarantineTypes Bulk,Phish,Spam -RecipientAddress "EmailAddress" | Release-QuarantineMessage -ReleaseToAll
This will release the previously filtered messages.
NOTE: If some messages were already released, the cmdlet will skip those and will not release them again.
You can also report false positives to MS with: -ReportFalsePositive
Sources:
Get-QuarantineMessage (ExchangePowerShell) | Microsoft Learn
Release-QuarantineMessage (ExchangePowerShell) | Microsoft Learn
Extra tip:
Recently one Admin asked about how to filter the users' Release Requests in the Admin Center, in order to control those requests and ensure they're being released.
For that, navigate to https://security.microsoft.com
On the left menu, click on "Review" and then on "Quarantine" in the central window.
Now you're in the Quarantine queue view.
Click on "Filter" (upper right icon) and, with many other filtering options, you'll find "Release requested" (see screenshot below).
Applying this filter, you'll then see only the quarantined messages for which a Release Request was launched by the user. So you can easily work with that queue and empty it if required.
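The following is an added example, not part of the original post: it pages past the 1000-item -PageSize limit, writes the matching messages to a CSV for review, and runs the release with -WhatIf unless a switch is set. It assumes an active Connect-ExchangeOnline session; the recipient address, the CSV path, and the names Get-AllQuarantineMessage and $DoRelease are hypothetical, and the commented -ReleaseStatus line is the PowerShell counterpart of the portal's "Release requested" filter.

```powershell
# Added example (not from the original post). Placeholder values are marked.
# Assumes the ExchangeOnlineManagement module and an active Connect-ExchangeOnline session.

function Get-AllQuarantineMessage {
    # Hypothetical helper: -PageSize is capped at 1000 per call, so walk the
    # pages with -Page until a page comes back with fewer than 1000 items.
    param([hashtable]$Filter)
    $page = 1
    do {
        $batch = @(Get-QuarantineMessage @Filter -PageSize 1000 -Page $page)
        $batch
        $page++
    } while ($batch.Count -eq 1000)
}

$DoRelease = $false                              # set to $true only after reviewing the CSV
$AuditCsv  = '.\quarantine-review.csv'           # placeholder path

$filter = @{
    QuarantineTypes  = 'Bulk', 'Phish', 'Spam'   # same types as the post's example
    RecipientAddress = 'user@contoso.example'    # placeholder address
}
# To work only on messages whose release was requested by the user, add:
# $filter.ReleaseStatus = 'Requested'

$messages = @(Get-AllQuarantineMessage -Filter $filter)
Write-Host "Matched $($messages.Count) quarantined message(s)."

# Keep a record of exactly what is about to be released.
$messages |
    Select-Object ReceivedTime, SenderAddress, RecipientAddress, Subject, Type, ReleaseStatus, Identity |
    Export-Csv -Path $AuditCsv -NoTypeInformation

# Quick summary by type and sender, to spot anything that should stay quarantined.
$messages |
    Group-Object Type, SenderAddress |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

if ($DoRelease) {
    $messages | Release-QuarantineMessage -ReleaseToAll
} else {
    # Dry run: shows what would be released without changing anything.
    $messages | Release-QuarantineMessage -ReleaseToAll -WhatIf
}
```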
- RahulP1085 Copper Contributor
FcoManigrasso This is useful info. Do we also have Graph APIs available to bulk release quarantined emails today? Could you share details or pointers around that? It would be a great feature to have if one doesn't exist today. Thanks
- FcoManigrasso Iron Contributor
That would be great, but as of now this is only possible with PS. (Or I'm not aware of other possibilities.) I guess you should be able to create a query with KQL, but not for release. https://learn.microsoft.com/en-us/graph/api/security-security-runhuntingquery?view=graph-rest-beta&tabs=http
Have a great day,
BR
Francisco Manigrasso.