Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
SOLVED

Enable Quarantine Notifications for Strict protection (Strict Preset Security Policy)

Iron Contributor

How can I enable quarantine notifications for the preset strict protection policies. There is no way to assign a quarantine policy to strict protection policies.

19 Replies
For the Strict policy, both SpamAction and HighConfidenceSpamAction are already set to Quarantine. You can verify this via PowerShell and the Get-HostedContentFilterPolicy cmdlet.
Got it, thanks! But this does not trigger quarantine notifications (mail to user). The messages are moved to quarantine, without notifying the user.
Check your Quarantine policy as well, by default notifications should be enabled. But the period might be too long (IIRC 3 days is the default one).

@Vasil Michev 

(from: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-policies)

The default policies don't have notifications enabled:

Kiril_0-1670517117966.png

 

It's also not possible to edit the two default quarantine policies (DefaultFullAccessPolicy and AdminOnlyAccessPolicy):

 

Kiril_1-1670517251131.png

 

I could create a new quarantine policy, but how should I assign the quarantine policy to the strict policy?

 

Kiril_2-1670517407379.png

 

 

There is no option to edit the strict policy.

 

Or should I just go the PowerShell way?

At least in my tenant, the "Strict" policy uses NotificationEnabledPolicy for Quarantine, and that one can be edited to enable notifications. The frequency of notifications themselves can be toggled via the "Global" settings button on top of the Quarantine policies page.

@Vasil Michev thanks! I think this is not the case in my tenant. When I check the policy using PowerShell I get the following output:

Get-HostedContentFilterPolicy "Strict Preset Security*" | fl

SpamQuarantineTag                        : DefaultFullAccessPolicy
HighConfidenceSpamQuarantineTag          : DefaultFullAccessPolicy
PhishQuarantineTag                       : DefaultFullAccessPolicy
HighConfidencePhishQuarantineTag         : AdminOnlyAccessPolicy
BulkQuarantineTag                        : DefaultFullAccessPolicy

EndUserSpamNotificationFrequency         : 3
EnableEndUserSpamNotifications           : True
EndUserSpamNotificationCustomFromAddress :
EndUserSpamNotificationCustomFromName    :
EndUserSpamNotificationCustomSubject     :
EndUserSpamNotificationLanguage          : Default
EndUserSpamNotificationLimit             : 0

 Looks like it's not enabled, or am I confusing someting?

best response confirmed by Kiril (Iron Contributor)
Solution
Well, the DefaultFullAccessPolicy quarantine policy has notifications disabled, and you cannot toggle that. And I guess it overrides the notification settings within the Strict policy. So create a new policy (or use the NotificationEnabledPolicy) and change the settings via PowerShell:

[18:12:54][O365]# Set-HostedContentFilterPolicy "Strict Preset Security*" -PhishQuarantineTag NotificationEnabledPolicy
WARNING: All recommended properties will be controlled by Microsoft.
[18:13:00][O365]# Get-HostedContentFilterPolicy "Strict Preset Security*" | fl PhishQuarantineTag

PhishQuarantineTag : NotificationEnabledPolicy

Rinse and repeat for all other actions as needed.

@Kiril-- It can't be done; those things are backed in.  But there's nothing in the "Strict" or "Standard" policies that you can't duplicate by creating a new policy yourself that includes user notification.  I did that when I realized I would have to release all the junk from quarantine myself -- no way was that happening.

@Jim Shilliday 

 

You can use PowerShell to modify some parts of the Standard and Strict preset policies.

 

This command show you which policy is applied for a High confidence spam message action:

 

Get-HostedContentFilterPolicy "Strict Preset Security Policy Name" | fl Name,HighConfidenceSpamAction,HighConfidenceSpamQuarantineTag

 

Now, if you have a Quarantine policy with notifications enabled (e.g. NotificationEnablePolicy) you can update the preset policy:

 

 

Set-HostedContentFilterPolicy "Strict Preset Security Policy Name" -HighConfidenceSpamQuarantineTag NotificationEnablePolicy

 

 

@Kiril

 

AS at April 2023 any attempted adjustments to Standard or strict presets produces the following output...

WARNING: All recommended properties will be controlled by Microsoft.

and no changes are made

The output was also displayed Dec 2022. Changes made using PowerShell still work though. I assume the Notification is not part of the recommended properties.

@Kiril 

I am trying to do the same with my standard/strict policies and the values aren't changing.

After the attempt to set the new notification policy, the recheck with 

Get-HostedContentFilterPolicy "Standard Preset Security*" | fl

returns the same result as before.

 

So, no, can't assign a different quarantine policy.

@PavelK3205 

Same here. We were told by MS support to activate preset security policies to get less false negatives (our custom policies sometimes failed to quarantine phishing emails, even though they were more restrictive than the standard preset). But the standard preset activates quarantine notifications, which we don't want, and there is no way to edit the preset policies, as shown here. Presets cannot be edited in any way. They are maintained by MS.

 

The fact that presets always have priority over custom policies is strange, as we could have wildly different settings in our custom policy and those would be entirely ignored. This is why we opted out of presets.

@CedricLienart 

We've ditched pre-sets and are using @Alex Fields PS scripts to setup the same defaults.  See the standard and custom protection scripts.  We did this to give us some granularity over Quarantine.

https://github.com/vanvfields/Microsoft-365/tree/master/Exchange%20Online

 

We subscribe to Alex's is Peer group which includes docs https://www.itpromentor.com/membership/

 

@Rob_Wellesley 

We've also disabled the presets but we were told by MS that they help reducing the amount of false negatives, and we were able to confirm this. Furthermore, MS maintains those presets and can update them when new threats emerge, resulting in a more efficient, up-to-date protection that we could not possibly match with our custom security policies.

I really wish MS would give us the option to choose which quarantine notifications to send to end users, or change the priority to make custom policies take precedence over presets...

Agree. The crazy bit is that the presets allow users to review and RELEASE phish categorised mail.

We would also like to enable preset security policy but due to the fact that users get quarantine notifications I had to disable the policies. if anyone have an idea on how to change this I would very much like to get that information.

 

according to the information in this link https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-quarantine-n...

quarantine notification policy with the name DefaultFullAccessWithNotificationPolicy is used to preset security policies (and I see no information about that this can be changed).

# Set-HostedContentFilterPolicy "Strict Preset Security Policy Name" -SpamQuarantineTag ReleaseRequestPolicy
# Set-HostedContentFilterPolicy "Strict Preset Security Policy Name" -PhishQuarantineTag ReleaseRequestPolicy
# Set-HostedContentFilterPolicy "Strict Preset Security Policy Name" -HighConfidenceSpamQuarantineTag ReleaseRequestPolicy

I also tried the Powershell, and it returned " WARNING: All recommended properties will be controlled by Microsoft. "

as both admin and end users are no longer receive any notification for HighConfidenceSpam, Any resolution from Microsoft?
1 best response

Accepted Solutions
best response confirmed by Kiril (Iron Contributor)
Solution
Well, the DefaultFullAccessPolicy quarantine policy has notifications disabled, and you cannot toggle that. And I guess it overrides the notification settings within the Strict policy. So create a new policy (or use the NotificationEnabledPolicy) and change the settings via PowerShell:

[18:12:54][O365]# Set-HostedContentFilterPolicy "Strict Preset Security*" -PhishQuarantineTag NotificationEnabledPolicy
WARNING: All recommended properties will be controlled by Microsoft.
[18:13:00][O365]# Get-HostedContentFilterPolicy "Strict Preset Security*" | fl PhishQuarantineTag

PhishQuarantineTag : NotificationEnabledPolicy

Rinse and repeat for all other actions as needed.

View solution in original post