Remediation
7 Topics

MS 365 Defender - What permissions are needed to move and delete emails in Explorer?
I need a tech with limited permissions to be able to remediate malicious email delivered in Office 365. These are the options I have in Admin. I tried a bunch of recommended actions, yet I don't seem to have the correct Admin portals as shown here. For example, I don't have the MS 365 Defender Permissions Group shown in the video.
(640 views, 0 likes, 4 comments)

Notification for pending actions
I'm having an issue where Defender isn't notifying me on pending actions like deleting an email, and it's not waiting long enough for me to approve actions. Example: An email is delivered at 6pm (after hours) with a malicious URL. Defender detects it, ZAPs the URL automatically and sends me a useless alert, "Email messages containing malicious URL removed after delivery". Sometimes this alert requires my intervention, sometimes not, but the same alert comes through every time, so I have to check every time. The next morning I come in around 8, see the useless alerts and go to my Actions queue, and all the pending actions have now timed out, so now I'm hunting to get rid of these messages. If I could get notified when I need to take action, I could disable the useless alert telling me it zapped a URL, as not every ZAP requires Admin intervention. I could also configure this "admin approval required" alert to text me so I can take action immediately instead of the next time I check my email. I have 2 questions: 1. How do I set up Defender to send me a notification whenever I have pending actions? 2. How can I change the default behavior of the automated investigations? Ideally, if Defender finds a bad URL or attachment, I'd rather have it just soft delete without my intervention.

Add to Remediation is unavailable without Search and Purge
Greetings, Per the Microsoft documentation, there should be the ability to add malicious emails to a remediation container without requiring the Search and Purge role. This remediation container should then be in the Action center waiting for a security analyst with the Search and Purge role to approve or deny the pending action. Currently, as it stands, adding to a remediation container requires the user to have Search and Purge. The Search and Purge role allows the user to move emails in inboxes and both soft and hard delete emails. If an analyst needs the Search and Purge role to add to a remediation container, this does not adhere to the principle of least permissions, because the analyst can simply delete the emails themselves or approve the remediation container that they themselves made. Having the base security admin roles have the ability to add to remediation containers allows lower-tiered analysts to do phishing investigations and designate emails for removal, without having the ability to hard delete a user's inbox. Reference: MS documentation outlining Two step approval: Remediate malicious email that was delivered in Office 365 | Microsoft Learn
(391 views, 0 likes, 0 comments)

Automate email soft delete Approval
Hello Everyone, our security team is creating Email Soft delete actions based on the investigations. An admin needs to approve those soft delete actions. Does anyone know how we can automate the approval of the Email Soft delete action? As of now, Microsoft doesn't have an option to do this.
(2.1K views, 0 likes, 2 comments)

Quarantine - Certain Users Not Showing
We have our environment set up so that we get active alerts for any emails that are requested to be released from quarantine. My team then goes in and looks at the email to make sure it is legit enough to be released. Since we have been doing this, we have noticed that certain users will not show up in the quarantine section from time to time. Even though I can pull up the email in Explorer and verify that it was sent to quarantine, it cannot be searched or found in there. I was even able to verify several OTHER users who received these quarantined emails, and they do show up. I thought at one point it was just certain emails, but recently verified that it is the users themselves. Even though I can verify that 100+ emails have been received and sent to quarantine in the past 30 days by a user, NONE of them show up in the actual quarantine section of Microsoft 365 Defender no matter how it is searched for. Does anyone have any possible fixes for this? It is very frustrating if we are trying to manage these emails for our end users.

Keep "bad" mails for analysis but not in users' mailboxes
Hello, I configured EOP rules. But there are still bad mails which go through the rules and go into the mailboxes of the colleagues. For an analysis I would like to keep these mails. But they should not be in the mailboxes of the users. How can I proceed here? Regards, Stefan