GreatToHearFromYou
Brass Contributor
Aug 03, 2023
Solved

Mail Flow Rule (Transport Rule) Name Missing In Quarantine Details

Since August 2, around 5:00 AM, Microsoft stopped showing the name of the Mail Flow Rule (Transport Rule) responsible for quarantined emails in the Policy Name field. It now only shows the name of the Policy (defined under the Threat Policies) if it was responsible for the Quarantine. Most of our emails are quarantined because of Transport Rules (Policy Type: Exchange Transport Rule), and not being able to see what Transport Rule was responsible for the quarantined email is a huge problem with false positives, as it will be extremely hard to determine what Transport Rule needs to be edited to prevent the false positive in the future. Attached is a screenshot of 2 email details side-by-side, the same external email sent just minutes after each other (during the time the Policy Name went in and out); one shows the Policy Name (the name of the Transport Rule), and the other does not. I looked to see if it was maybe moved to another location or renamed, but that is not the case. Does anyone else have this same problem? Did you find a way to solve it?

  • drandre222
    Copper Contributor
    I have the same issue which occurred on the same day. I have opened a support ticket with Microsoft but without any luck. I have been doing the message trace, but it has certainly been time-consuming. I hope there is a resolution soon.
    • GreatToHearFromYou
      Brass Contributor

      drandre222 My ticket has still not been resolved either; they keep apologizing for the delay, but I am not hopeful it will ever get resolved. I have been using the Explorer instead; you can add the Transport Rule column, which makes it very easy to track what rule quarantined an email in case of a false positive. In Explorer you can also query Transport Rule names in case you have created one that is more prone to false positives, like we have. You can then quickly see if there are any obvious false positives quarantined by that specific Transport Rule.

      • drandre222
        Copper Contributor

        GreatToHearFromYou Thanks for your response. Unfortunately, with my current tenant, it is only an E3, which does not have the Office 365 Threat Intelligence license. I may decide to upgrade to this updated licensing.

  • Run a message trace, you should see the Transport rule reflected in the (detailed) output. It's not going to help you with the UI change of course... for that best submit Feedback in the portal.
    • GreatToHearFromYou
      Brass Contributor
      Thank you! The Message Trace did indeed show the Transport Rule name in Details, but I couldn't query it. However, via Message Trace I got into Explorer and in there I am able to query messages using the Transport Rule Name. This allows me to see what emails have been quarantined and which Transport Rule was responsible for it. Unfortunately, it doesn't fix the UI and in case of a false positive I still have to go to quarantine and find the message there to release it, but at least it is better than blind guessing.

      I did open a ticket with Microsoft, but they basically told me that Transport Rule Names don't show in the quarantine details, even though I sent them a screenshot showing clearly that it did.