Microsoft Purview · Global & Security Roles

Quarantine Administrator

Members can access all quarantine actions in Microsoft Defender for Office 365 and Exchange Online Protection. Can release, delete, preview, and manage quarantined messages and files.

Scope: Full quarantine management across Exchange Online Protection and Defender for Office 365

Permissions

  • Quarantine - Access all quarantine actions for messages and files
  • Release quarantined messages to intended recipients
  • Delete quarantined messages permanently
  • Preview quarantined message content
  • Allow or block senders from quarantined messages
  • Submit false positives and false negatives to Microsoft
  • Manage quarantine policies and notifications
  • Download quarantined messages and attachments

Common use cases

  • Reviewing and releasing legitimate messages caught by spam or malware filters
  • Managing phishing quarantine for end-user reported messages
  • Investigating quarantined attachments for threat analysis
  • Configuring quarantine notification policies for users
  • Responding to mail flow incidents involving widespread quarantine
  • Managing bulk quarantine release during false positive events

Best practices

  • Review quarantine queue regularly to prevent message delays
  • Use quarantine policies to enable end-user self-service for low-risk quarantine
  • Analyze quarantine trends to tune protection policies
  • Coordinate with Security Administrator on policy changes based on quarantine data
  • Document release decisions for audit trail

Security considerations

  • Releasing quarantined messages bypasses security filters — exercise caution
  • Quarantined messages may contain malware or phishing content
  • Previewing quarantined content should be done in a secure environment
  • Monitor for unauthorized bulk release of quarantined messages
  • Download capability may expose malicious attachments to local systems

Common questions

When should I assign the Quarantine Administrator role?

Assign Quarantine Administrator when you need to: Reviewing and releasing legitimate messages caught by spam or malware filters; Managing phishing quarantine for end-user reported messages; Investigating quarantined attachments for threat analysis; Configuring quarantine notification policies for users; and Responding to mail flow incidents involving widespread quarantine. It is part of Microsoft Purview and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Quarantine Administrator role do?

The Quarantine Administrator role grants permissions including: Quarantine - Access all quarantine actions for messages and files; Release quarantined messages to intended recipients; Delete quarantined messages permanently; Preview quarantined message content; Allow or block senders from quarantined messages; and Submit false positives and false negatives to Microsoft. See the Permissions section above for the full list.

What are the security risks of the Quarantine Administrator role?

Key considerations when assigning Quarantine Administrator: Releasing quarantined messages bypasses security filters — exercise caution; Quarantined messages may contain malware or phishing content; Previewing quarantined content should be done in a secure environment; and Monitor for unauthorized bulk release of quarantined messages. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →