Microsoft Secure Tech Accelerator
Apr 13 2023, 07:00 AM - 12:00 PM (PDT)
Microsoft Tech Community

Enable Quarantine Notifications for Strict protection (Strict Preset Security Policy)

Regular Contributor

How can I enable quarantine notifications for the preset strict protection policies. There is no way to assign a quarantine policy to strict protection policies.

10 Replies
For the Strict policy, both SpamAction and HighConfidenceSpamAction are already set to Quarantine. You can verify this via PowerShell and the Get-HostedContentFilterPolicy cmdlet.
Got it, thanks! But this does not trigger quarantine notifications (mail to user). The messages are moved to quarantine, without notifying the user.
Check your Quarantine policy as well, by default notifications should be enabled. But the period might be too long (IIRC 3 days is the default one).

@Vasil Michev 


The default policies don't have notifications enabled:



It's also not possible to edit the two default quarantine policies (DefaultFullAccessPolicy and AdminOnlyAccessPolicy):




I could create a new quarantine policy, but how should I assign the quarantine policy to the strict policy?





There is no option to edit the strict policy.


Or should I just go the PowerShell way?

At least in my tenant, the "Strict" policy uses NotificationEnabledPolicy for Quarantine, and that one can be edited to enable notifications. The frequency of notifications themselves can be toggled via the "Global" settings button on top of the Quarantine policies page.

@Vasil Michev thanks! I think this is not the case in my tenant. When I check the policy using PowerShell I get the following output:

Get-HostedContentFilterPolicy "Strict Preset Security*" | fl

SpamQuarantineTag                        : DefaultFullAccessPolicy
HighConfidenceSpamQuarantineTag          : DefaultFullAccessPolicy
PhishQuarantineTag                       : DefaultFullAccessPolicy
HighConfidencePhishQuarantineTag         : AdminOnlyAccessPolicy
BulkQuarantineTag                        : DefaultFullAccessPolicy

EndUserSpamNotificationFrequency         : 3
EnableEndUserSpamNotifications           : True
EndUserSpamNotificationCustomFromAddress :
EndUserSpamNotificationCustomFromName    :
EndUserSpamNotificationCustomSubject     :
EndUserSpamNotificationLanguage          : Default
EndUserSpamNotificationLimit             : 0

 Looks like it's not enabled, or am I confusing someting?

best response confirmed by Kiril (Regular Contributor)
Well, the DefaultFullAccessPolicy quarantine policy has notifications disabled, and you cannot toggle that. And I guess it overrides the notification settings within the Strict policy. So create a new policy (or use the NotificationEnabledPolicy) and change the settings via PowerShell:

[18:12:54][O365]# Set-HostedContentFilterPolicy "Strict Preset Security*" -PhishQuarantineTag NotificationEnabledPolicy
WARNING: All recommended properties will be controlled by Microsoft.
[18:13:00][O365]# Get-HostedContentFilterPolicy "Strict Preset Security*" | fl PhishQuarantineTag

PhishQuarantineTag : NotificationEnabledPolicy

Rinse and repeat for all other actions as needed.

@Kiril-- It can't be done; those things are backed in.  But there's nothing in the "Strict" or "Standard" policies that you can't duplicate by creating a new policy yourself that includes user notification.  I did that when I realized I would have to release all the junk from quarantine myself -- no way was that happening.

@Jim Shilliday 


You can use PowerShell to modify some parts of the Standard and Strict preset policies.


This command show you which policy is applied for a High confidence spam message action:


Get-HostedContentFilterPolicy "Strict Preset Security Policy Name" | fl Name,HighConfidenceSpamAction,HighConfidenceSpamQuarantineTag


Now, if you have a Quarantine policy with notifications enabled (e.g. NotificationEnablePolicy) you can update the preset policy:



Set-HostedContentFilterPolicy "Strict Preset Security Policy Name" -HighConfidenceSpamQuarantineTag NotificationEnablePolicy