
Delegate role for release quarantine email only

YU Yang
Occasional Contributor

Hi Community,

 

I am looking for any role or any way to customize the role for manage/release email in EAC quarantine. For our service desk, I only intend to let them release the quarantine email only in EAC or Security & Compliance Center, rather than give them higher privileges to be able to do other stuff like tracing the emails.

The similar role I could find in EAC is “Transport Hygiene” role. But that role will have access to the anti-spam and anti-malware policies. Any way we can restrict the permission further? Thanks.

 

Regards,

Yang

4 Replies
I did this and it worked:

New-ManagementRole -Parent "Transport Hygiene" -Name "Custom Role for Helpdesk - Manage Quarantine"

$RoleEntry = Get-ManagementRoleEntry "Custom Role for Helpdesk - Manage Quarantine\*" | Where-Object { $_.Name -notmatch "Quarantine" }

$RoleEntry | ForEach-Object { $name = "Custom Role for Helpdesk - Manage Quarantine\$($_.Name)"; $name; Remove-ManagementRoleEntry -Identity $name -Confirm:$false }

Now add the "Custom Role for Helpdesk - Manage Quarantine" role entry to the role group using the UI.
If you are creating a new role group, remember to add "View-Only Organization Management".

@DeepakRandhawa 

 

Thanks for your quick reply. Your information is really helpful. 

But I found that I still can trace the emails if I add my role to View-Only Organization Management. I tried to use the similar PS you provided to restrict the role entries further, but with no luck. 

View-Only Organization Management was required only to access the ECP portal. You can remove it now and still be able to access ECP, and then the only option available in mail flow will be Accepted Domains.

Hi Deepak,

Thanks again for your help.

Tried that, and it seems like the behaviour for quarantine is a bit different between ECP and Security & Compliance Centre. If I just keep the customised role without the view-only management role, I wouldn’t be able to see quarantined email in Security & Compliance Centre.
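
As an added example (not part of any post in this thread): a check that lists every cmdlet a role group grants outside the quarantine set, which is the kind of leftover access reported above when another role is attached alongside the custom one. The role group name `Helpdesk Quarantine`, the function names and the sample entries are assumptions constructed for illustration.

```powershell
# Added example, not code from the thread. Function names are hypothetical.
function Get-OutOfScopeRoleEntry {
    [CmdletBinding()]
    param(
        # Objects with Role and Name properties, as returned by Get-ManagementRoleEntry
        [Parameter(Mandatory, ValueFromPipeline)] [object] $Entry,
        # Cmdlet names the helpdesk is meant to keep (same filter the thread uses)
        [string] $AllowPattern = 'Quarantine'
    )
    process {
        # Match on the cmdlet name only; the role name itself may contain "Quarantine"
        if ($Entry.Name -notmatch $AllowPattern) {
            [pscustomobject]@{ Role = $Entry.Role; Cmdlet = $Entry.Name }
        }
    }
}

function Get-RoleGroupEntry {
    # Live lookup: every role entry reachable through a role group's
    # regular (non-delegating) role assignments.
    param([Parameter(Mandatory)] [string] $RoleGroup)
    Get-ManagementRoleAssignment -RoleAssignee $RoleGroup -Delegating $false |
        Select-Object -ExpandProperty Role -Unique |
        ForEach-Object { Get-ManagementRoleEntry "$_\*" }
}

# Constructed sample: which role holds which cmdlet here is illustrative only.
$custom = 'Custom Role for Helpdesk - Manage Quarantine'
$other  = 'Other Assigned Role (constructed)'
$sample = @(
    [pscustomobject]@{ Role = $custom; Name = 'Get-QuarantineMessage' }
    [pscustomobject]@{ Role = $custom; Name = 'Release-QuarantineMessage' }
    [pscustomobject]@{ Role = $custom; Name = 'Set-MalwareFilterPolicy' }  # pruning missed this one
    [pscustomobject]@{ Role = $other;  Name = 'Get-MessageTrace' }         # tracing via a second role
)

# Offline run: reports the two entries that fall outside the quarantine set
$sample | Get-OutOfScopeRoleEntry | Format-Table -AutoSize

# In a connected Exchange Online session ('Helpdesk Quarantine' is a hypothetical group):
# Get-RoleGroupEntry -RoleGroup 'Helpdesk Quarantine' | Get-OutOfScopeRoleEntry
```

An empty result from the live call means the group grants nothing beyond cmdlets whose names contain "Quarantine"; any row returned names the role that needs pruning or removal.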
