Microsoft Purview · Global & Security Roles
Quarantine Administrator
Members can access all quarantine actions in Microsoft Defender for Office 365 and Exchange Online Protection. Can release, delete, preview, and manage quarantined messages and files.
Scope: Full quarantine management across Exchange Online Protection and Defender for Office 365
Permissions
- Quarantine - Access all quarantine actions for messages and files
- Release quarantined messages to intended recipients
- Delete quarantined messages permanently
- Preview quarantined message content
- Allow or block senders from quarantined messages
- Submit false positives and false negatives to Microsoft
- Manage quarantine policies and notifications
- Download quarantined messages and attachments
Common use cases
- Reviewing and releasing legitimate messages caught by spam or malware filters
- Managing phishing quarantine for end-user reported messages
- Investigating quarantined attachments for threat analysis
- Configuring quarantine notification policies for users
- Responding to mail flow incidents involving widespread quarantine
- Managing bulk quarantine release during false positive events
Best practices
- Review quarantine queue regularly to prevent message delays
- Use quarantine policies to enable end-user self-service for low-risk quarantine
- Analyze quarantine trends to tune protection policies
- Coordinate with Security Administrator on policy changes based on quarantine data
- Document release decisions for audit trail
Security considerations
- Releasing quarantined messages bypasses security filters — exercise caution
- Quarantined messages may contain malware or phishing content
- Previewing quarantined content should be done in a secure environment
- Monitor for unauthorized bulk release of quarantined messages
- Download capability may expose malicious attachments to local systems