Create playbook to release requested quarantined emails?
Hi Kithu147,
Agreed that an API is desired in this area. Recently, some updates for analyzedMessages (Emails in MDO) in Graph API were released. Let's hope that support for this use case is on the roadmap.
As far as I know, markoandrejic is correct and Exchange Online PowerShell is the only way to achieve this programmatically. Here is the documentation for the relevant action: https://learn.microsoft.com/en-us/powershell/module/exchange/release-quarantinemessage?view=exchange-ps
Actually, https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20for%20Office%20365/Playbooks/CustomConnector/O365_Defender_FunctionAppConnector/readme.md in Microsoft's Defender for Office Solution is an implementation that uses Azure Functions to use this PowerShell module from a Logic App. Release-QuarantineMessage is not one of the supported actions, but it's definitely doable to add it using a similar action as a starting point, for instance: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20for%20Office%20365/Playbooks/CustomConnector/O365_Defender_FunctionAppConnector/RemoveInboxRule/run.ps1.
Kind regards,
Rutger
- rutgersmeets, Feb 09, 2024, Brass Contributor
Oh, and here is an example of a Logic App calling the Azure Function: https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20for%20Office%20365/Playbooks/O365DefenderPlaybooks/o365-DeleteMaliciousInboxRule. The page includes a screenshot of the workflow. I hope this is helpful! 🙂
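As an added illustration of the approach described in the reply above (an HTTP-triggered Azure Function that wraps the Exchange Online PowerShell cmdlet so a Logic App can call it), here is an example `run.ps1` for a hypothetical `ReleaseQuarantineMessage` function. This is not code from the Sentinel Defender for Office 365 solution; it only follows the same pattern as the `RemoveInboxRule` function linked above. It assumes a `function.json` with an `httpTrigger` input binding and an `http` output binding named `Response`, that `ExchangeOnlineManagement` is listed in the app's `requirements.psd1`, that the tenant's initial domain is provided in an app setting named `EXO_ORGANIZATION`, and that the function app's managed identity has been granted the `Exchange.ManageAsApp` application permission plus an Exchange role that permits quarantine management.

```powershell
# run.ps1 for a hypothetical "ReleaseQuarantineMessage" Azure Function (PowerShell).
# Example code, not part of the Sentinel solution linked in the thread.
using namespace System.Net

param($Request, $TriggerMetadata)

# Assumption: the tenant's initial domain (contoso.onmicrosoft.com) lives in an app setting.
$organization = $env:EXO_ORGANIZATION

# Expected JSON body from the Logic App, for example:
#   { "identity": "<quarantine message identity>", "releaseToAll": true }
#   { "identity": "<quarantine message identity>", "user": "alice@contoso.com" }
$identity     = $Request.Body.identity
$releaseToAll = [bool]$Request.Body.releaseToAll
$user         = $Request.Body.user

function Send-Response([HttpStatusCode]$StatusCode, $Body) {
    Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
        StatusCode = $StatusCode
        Body       = ($Body | ConvertTo-Json -Depth 5)
    })
}

# Validate input before touching Exchange Online so bad requests fail fast with a 400.
if ([string]::IsNullOrWhiteSpace($identity)) {
    Send-Response BadRequest @{ status = "error"; detail = "identity is required" }
    return
}
if (-not $releaseToAll -and [string]::IsNullOrWhiteSpace($user)) {
    Send-Response BadRequest @{ status = "error"; detail = "specify releaseToAll or user" }
    return
}

try {
    # App-only sign-in with the function app's managed identity; no credentials stored in settings.
    Connect-ExchangeOnline -ManagedIdentity -Organization $organization -ShowBanner:$false -ErrorAction Stop

    # Build the cmdlet parameters: release to every recipient, or to one named user only.
    $params = @{ Identity = $identity; ErrorAction = 'Stop' }
    if ($releaseToAll) { $params['ReleaseToAll'] = $true } else { $params['User'] = $user }

    Release-QuarantineMessage @params

    # Return the post-release state so the Logic App can record it on the incident.
    $state = Get-QuarantineMessage -Identity $identity |
        Select-Object Identity, Subject, SenderAddress, Released, ReleaseStatus
    Send-Response OK @{ status = "released"; message = $state }
}
catch {
    # Surface the cmdlet error text to the caller; the Logic App can branch on status != 200.
    Send-Response InternalServerError @{ status = "error"; detail = $_.Exception.Message }
}
finally {
    Disconnect-ExchangeOnline -Confirm:$false -ErrorAction SilentlyContinue
}
```

In the Logic App, the HTTP action posts the quarantine message identity taken from the incident entity and reads `status` from the JSON response, mirroring how the linked `o365-DeleteMaliciousInboxRule` playbook calls its function. Keeping the release-to-one-user path (`-User`) separate from `-ReleaseToAll` lets the playbook default to the narrower action and reserve the tenant-wide release for an explicit flag.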