Home

Release email from quarantine blocked by DLP

%3CLINGO-SUB%20id%3D%22lingo-sub-252856%22%20slang%3D%22en-US%22%3ERelease%20email%20from%20quarantine%20blocked%20by%20DLP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-252856%22%20slang%3D%22en-US%22%3E%3CP%3EI%20have%20a%20customer%20that%20is%20considering%20replacing%20a%20third%20party%20spam%20filter%20with%20EOP.%26nbsp%3B%20Currently%2C%20if%20an%20email%20is%20blocked%20due%20to%20DLP%20policies%2C%20an%20admin%20can%20log%20into%20the%20admin%20center%2C%20review%20the%20message%2C%20and%20release%20it%20if%20it%20was%20a%20false%20positive%2C%20allowing%20the%20message%20to%20be%20delivered%20to%20the%20intended%20recipient.%26nbsp%3B%20Is%20this%20possible%20with%20O365%3F%26nbsp%3B%20I%20know%20I%20can%20block%20emails%20for%20DLP%20policies%2C%20I%20know%20that%20admins%20can%20be%20notified%20that%20an%20email%20was%20blocked%20due%20to%20DLP%20policies%2C%20but%20I%20don't%20know%20that%20an%20admin%20can%20then%20release%20that%20message%20if%20it%20is%2C%20indeed%2C%20a%20false%20positive.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-252856%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAdmin%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ECompliance%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-253607%22%20slang%3D%22en-US%22%3ERe%3A%20Release%20email%20from%20quarantine%20blocked%20by%20DLP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-253607%22%20slang%3D%22en-US%22%3E%3CP%3EOverriding%20is%20an%20*optional*%20feature%20you%20as%20the%20admin%20can%20enable.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-253379%22%20slang%3D%22en-US%22%3ERe%3A%20Release%20email%20from%20quarantine%20blocked%20by%20DLP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-253379%22%20slang%3D%22en-US%22%3ESo%2C%20a%20blocked%20message%20cannot%20be%20released%20by%20an%20admin.%20It%20can%20only%20be%20overridden%20by%20a%20user.%20Defeats%20the%20purpose%20of%20the%20DLP%20to%20prevent%20users%20from%20sending%20out%20protected%20information%20maliciously%20if%20they%20can%20override%20the%20DLP.%20Might%20be%20a%20feature%20Microsoft%20should%20consider.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-252909%22%20slang%3D%22en-US%22%3ERe%3A%20Release%20email%20from%20quarantine%20blocked%20by%20DLP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-252909%22%20slang%3D%22en-US%22%3E%3CP%3EVasil%20is%20correct%2C%20no%20quarantine.%20There%20are%20a%20couple%20of%20options%20for%20alerts%20and%20actions%2C%20which%20can%20be%20found%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Foffice365%2Fsecuritycompliance%2Fdata-loss-prevention-policies%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehere%3C%2FA%3E.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-252896%22%20slang%3D%22en-US%22%3ERe%3A%20Release%20email%20from%20quarantine%20blocked%20by%20DLP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-252896%22%20slang%3D%22en-US%22%3E%3CP%3EThere%20is%20no%20quarantine%20for%20DLP-flagged%20messages.%20You%20can%20however%20allow%20users%20to%20override%20the%20block%20action.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Raechel Moermond
Occasional Contributor

I have a customer that is considering replacing a third party spam filter with EOP.  Currently, if an email is blocked due to DLP policies, an admin can log into the admin center, review the message, and release it if it was a false positive, allowing the message to be delivered to the intended recipient.  Is this possible with O365?  I know I can block emails for DLP policies, I know that admins can be notified that an email was blocked due to DLP policies, but I don't know that an admin can then release that message if it is, indeed, a false positive.

4 Replies

There is no quarantine for DLP-flagged messages. You can however allow users to override the block action.

Vasil is correct, no quarantine. There are a couple of options for alerts and actions, which can be found here.

So, a blocked message cannot be released by an admin. It can only be overridden by a user. Defeats the purpose of the DLP to prevent users from sending out protected information maliciously if they can override the DLP. Might be a feature Microsoft should consider.

Overriding is an *optional* feature you as the admin can enable.

Related Conversations
Tabs and Dark Mode
cjc2112 in Discussions on
46 Replies
Extentions Synchronization
Deleted in Discussions on
3 Replies
Stable version of Edge insider browser
HotCakeX in Discussions on
35 Replies
How to Prevent Teams from Auto-Launch
chenrylee in Microsoft Teams on
30 Replies
flashing a white screen while open new tab
Deleted in Discussions on
14 Replies
Security Community Webinars
Valon_Kolica in Security, Privacy & Compliance on
13 Replies