Release email from quarantine blocked by DLP

%3CLINGO-SUB%20id%3D%22lingo-sub-252856%22%20slang%3D%22en-US%22%3ERelease%20email%20from%20quarantine%20blocked%20by%20DLP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-252856%22%20slang%3D%22en-US%22%3E%3CP%3EI%20have%20a%20customer%20that%20is%20considering%20replacing%20a%20third%20party%20spam%20filter%20with%20EOP.%26nbsp%3B%20Currently%2C%20if%20an%20email%20is%20blocked%20due%20to%20DLP%20policies%2C%20an%20admin%20can%20log%20into%20the%20admin%20center%2C%20review%20the%20message%2C%20and%20release%20it%20if%20it%20was%20a%20false%20positive%2C%20allowing%20the%20message%20to%20be%20delivered%20to%20the%20intended%20recipient.%26nbsp%3B%20Is%20this%20possible%20with%20O365%3F%26nbsp%3B%20I%20know%20I%20can%20block%20emails%20for%20DLP%20policies%2C%20I%20know%20that%20admins%20can%20be%20notified%20that%20an%20email%20was%20blocked%20due%20to%20DLP%20policies%2C%20but%20I%20don't%20know%20that%20an%20admin%20can%20then%20release%20that%20message%20if%20it%20is%2C%20indeed%2C%20a%20false%20positive.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-252856%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAdmin%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ECompliance%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-253607%22%20slang%3D%22en-US%22%3ERe%3A%20Release%20email%20from%20quarantine%20blocked%20by%20DLP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-253607%22%20slang%3D%22en-US%22%3E%3CP%3EOverriding%20is%20an%20*optional*%20feature%20you%20as%20the%20admin%20can%20enable.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-253379%22%20slang%3D%22en-US%22%3ERe%3A%20Release%20email%20from%20quarantine%20blocked%20by%20DLP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-253379%22%20slang%3D%22en-US%22%3ESo%2C%20a%20blocked%20message%20cannot%20be%20released%20by%20an%20admin.%20It%20can%20only%20be%20overridden%20by%20a%20user.%20Defeats%20the%20purpose%20of%20the%20DLP%20to%20prevent%20users%20from%20sending%20out%20protected%20information%20maliciously%20if%20they%20can%20override%20the%20DLP.%20Might%20be%20a%20feature%20Microsoft%20should%20consider.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-252909%22%20slang%3D%22en-US%22%3ERe%3A%20Release%20email%20from%20quarantine%20blocked%20by%20DLP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-252909%22%20slang%3D%22en-US%22%3E%3CP%3EVasil%20is%20correct%2C%20no%20quarantine.%20There%20are%20a%20couple%20of%20options%20for%20alerts%20and%20actions%2C%20which%20can%20be%20found%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Foffice365%2Fsecuritycompliance%2Fdata-loss-prevention-policies%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehere%3C%2FA%3E.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-252896%22%20slang%3D%22en-US%22%3ERe%3A%20Release%20email%20from%20quarantine%20blocked%20by%20DLP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-252896%22%20slang%3D%22en-US%22%3E%3CP%3EThere%20is%20no%20quarantine%20for%20DLP-flagged%20messages.%20You%20can%20however%20allow%20users%20to%20override%20the%20block%20action.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1586099%22%20slang%3D%22en-US%22%3ERe%3A%20Release%20email%20from%20quarantine%20blocked%20by%20DLP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1586099%22%20slang%3D%22en-US%22%3ECan%20override%20be%20enabled%20for%20single%20user%20for%20single%20instance%3C%2FLINGO-BODY%3E
Occasional Contributor

I have a customer that is considering replacing a third party spam filter with EOP.  Currently, if an email is blocked due to DLP policies, an admin can log into the admin center, review the message, and release it if it was a false positive, allowing the message to be delivered to the intended recipient.  Is this possible with O365?  I know I can block emails for DLP policies, I know that admins can be notified that an email was blocked due to DLP policies, but I don't know that an admin can then release that message if it is, indeed, a false positive.

5 Replies

There is no quarantine for DLP-flagged messages. You can however allow users to override the block action.

Vasil is correct, no quarantine. There are a couple of options for alerts and actions, which can be found here.

So, a blocked message cannot be released by an admin. It can only be overridden by a user. Defeats the purpose of the DLP to prevent users from sending out protected information maliciously if they can override the DLP. Might be a feature Microsoft should consider.

Overriding is an *optional* feature you as the admin can enable.

Can override be enabled for single user for single instance