Release email from quarantine blocked by DLP

%3CLINGO-SUB%20id%3D%22lingo-sub-252856%22%20slang%3D%22en-US%22%3ERelease%20email%20from%20quarantine%20blocked%20by%20DLP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-252856%22%20slang%3D%22en-US%22%3E%3CP%3EI%20have%20a%20customer%20that%20is%20considering%20replacing%20a%20third%20party%20spam%20filter%20with%20EOP.%26nbsp%3B%20Currently%2C%20if%20an%20email%20is%20blocked%20due%20to%20DLP%20policies%2C%20an%20admin%20can%20log%20into%20the%20admin%20center%2C%20review%20the%20message%2C%20and%20release%20it%20if%20it%20was%20a%20false%20positive%2C%20allowing%20the%20message%20to%20be%20delivered%20to%20the%20intended%20recipient.%26nbsp%3B%20Is%20this%20possible%20with%20O365%3F%26nbsp%3B%20I%20know%20I%20can%20block%20emails%20for%20DLP%20policies%2C%20I%20know%20that%20admins%20can%20be%20notified%20that%20an%20email%20was%20blocked%20due%20to%20DLP%20policies%2C%20but%20I%20don't%20know%20that%20an%20admin%20can%20then%20release%20that%20message%20if%20it%20is%2C%20indeed%2C%20a%20false%20positive.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-252856%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAdmin%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ECompliance%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-253607%22%20slang%3D%22en-US%22%3ERe%3A%20Release%20email%20from%20quarantine%20blocked%20by%20DLP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-253607%22%20slang%3D%22en-US%22%3E%3CP%3EOverriding%20is%20an%20*optional*%20feature%20you%20as%20the%20admin%20can%20enable.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-253379%22%20slang%3D%22en-US%22%3ERe%3A%20Release%20email%20from%20quarantine%20blocked%20by%20DLP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-253379%22%20slang%3D%22en-US%22%3ESo%2C%20a%20blocked%20message%20cannot%20be%20released%20by%20an%20admin.%20It%20can%20only%20be%20overridden%20by%20a%20user.%20Defeats%20the%20purpose%20of%20the%20DLP%20to%20prevent%20users%20from%20sending%20out%20protected%20information%20maliciously%20if%20they%20can%20override%20the%20DLP.%20Might%20be%20a%20feature%20Microsoft%20should%20consider.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-252909%22%20slang%3D%22en-US%22%3ERe%3A%20Release%20email%20from%20quarantine%20blocked%20by%20DLP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-252909%22%20slang%3D%22en-US%22%3E%3CP%3EVasil%20is%20correct%2C%20no%20quarantine.%20There%20are%20a%20couple%20of%20options%20for%20alerts%20and%20actions%2C%20which%20can%20be%20found%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Foffice365%2Fsecuritycompliance%2Fdata-loss-prevention-policies%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehere%3C%2FA%3E.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-252896%22%20slang%3D%22en-US%22%3ERe%3A%20Release%20email%20from%20quarantine%20blocked%20by%20DLP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-252896%22%20slang%3D%22en-US%22%3E%3CP%3EThere%20is%20no%20quarantine%20for%20DLP-flagged%20messages.%20You%20can%20however%20allow%20users%20to%20override%20the%20block%20action.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1586099%22%20slang%3D%22en-US%22%3ERe%3A%20Release%20email%20from%20quarantine%20blocked%20by%20DLP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1586099%22%20slang%3D%22en-US%22%3ECan%20override%20be%20enabled%20for%20single%20user%20for%20single%20instance%3C%2FLINGO-BODY%3E
Highlighted
Occasional Contributor

I have a customer that is considering replacing a third party spam filter with EOP.  Currently, if an email is blocked due to DLP policies, an admin can log into the admin center, review the message, and release it if it was a false positive, allowing the message to be delivered to the intended recipient.  Is this possible with O365?  I know I can block emails for DLP policies, I know that admins can be notified that an email was blocked due to DLP policies, but I don't know that an admin can then release that message if it is, indeed, a false positive.

5 Replies
Highlighted

There is no quarantine for DLP-flagged messages. You can however allow users to override the block action.

Highlighted

Vasil is correct, no quarantine. There are a couple of options for alerts and actions, which can be found here.

Highlighted
So, a blocked message cannot be released by an admin. It can only be overridden by a user. Defeats the purpose of the DLP to prevent users from sending out protected information maliciously if they can override the DLP. Might be a feature Microsoft should consider.
Highlighted

Overriding is an *optional* feature you as the admin can enable.

Highlighted
Can override be enabled for single user for single instance