Hi, my name is Sean Jacobs. I'm one of the systems architects here at Protected Trust. And today, I would like to give a short presentation on quarantine policies in Office 365.

Quarantine policies allow you to enable notifications that will go to your users on a regular basis to provide them with an idea of the types of messages that have been quarantined for them. It also allows you to do things like you can create policies that will allow the users to release things on their own if you want to, or request that you as an administrator release them on their behalf. Or you can also just give them notifications so that they're aware of the types of things that are being quarantined. Quarantine policies are used by all of the threat protection policies. So your anti-phishing and anti-spam policies, for example, especially anti-spam, that's where most of the configuration for those policies will be done. We just have to make sure those policies are created before we attempt to use them in the anti-spam policy.

To get to these settings, you'll want to go to the Microsoft 365 Defender Portal at security.microsoft.com. And once here, under the Email and collaboration section, you'll want to go to Policies and Rules, and then Threat Policies, and then Quarantine Policies. You will notice by default in all tenants you're going to have these three policies that are available, the default full access policy, the admin only access policy, and the default full access policy with notification. I'm sorry, the default full access with notification policy.

There's also global settings. The global settings are probably the first place that you actually want to visit in your quarantine policy settings. For the global settings, you can go in and configure things like those quarantine notifications that get sent to end users. By default, I'll just show you an example of what they look like by default. By default, they come from quarantine@messaging.microsoft.com.
They have a Microsoft logo and so on. If you want, you can customize the way that those look. So you can say they come from your company's IT department or your company's IT person. And specify that user's sending address. You can also use your own custom subject and provide your own disclaimer that would be placed at the top of that email. You have the option to use your company logo. If you have that configured in your tenant settings, then it will use your own company logo instead of the Microsoft logo.

The most interesting setting in here, though, is this send end user spam notifications every days. You have an option here to send them daily or weekly or within four hours. The within four hours setting is fairly new. It's only been available for a couple of months that I'm aware of here in May of 2023. Historically, we've always set this to daily by default when we're doing a security roadmap for a client because that will allow users to get regular notifications of the things that are in their quarantine. This new setting, though, for within four hours, we may be switching folks to that just because that would get you those quarantine notifications in an even more timely manner. And so that seems like it would be something that would be very useful for users that want to receive their email when it gets sent.

So the quarantine policies that are available, you'll notice there's two that are called default full access policy. You'll notice this one says with notification. So that notification setting that we just specified here, like how frequently they occur, this policy is the only one that by default will send a notification. So you'll notice if we look at the settings for that policy, it's allowing the users to release the message from quarantine, to block sender, to delete the message, to preview the message, and it's sending those quarantine notifications.
So with us having it set to within four hours, then using a policy that has quarantine notification enabled is what's actually going to allow these messages to get sent to the end users. The default full access policy, you'll notice the quarantine notifications are disabled. Same thing with the admin only access policy, quarantine notifications are disabled. So with either of those default policies, these quarantine notification emails do not get sent.

You can create your own custom policy that does things closer to what you want to do, if you want. We'll say custom quarantine policy. And we'll say we want to set specific access. So the release action preference, we could say we want to allow recipients to request a message to be released from quarantine, for example. And then for additional actions, let's say we want the users to be able to maybe just only preview the message. We don't want to give them the option to delete the message or block the sender. We just want to give them the option to preview. Quarantine notification in this one we will enable, and that will send the notifications to those end users. And that's pretty much it. Once we submit, we say done, then we'll have a new quarantine policy that can be then used in our anti-spam policy, for example.

And just to give a quick glimpse as to where that would be set. So in our policies and rules again and threat policies, if we went and looked at something like our anti-spam policy and our anti-spam inbound policy, then down here in the actions are where we can specify which policies would be used in a given situation. So for example, for high-confidence spam messages or high-confidence phishing messages, we could instead use that custom quarantine policy. Maybe not for that one. Oh, high-confidence phishing. Can I not use custom policies? I'll have to look into that. Anyway, so here's where you would actually use those policies and be able to select which policies get used.
And we'll go into that more when we actually do our new video on the anti-spam policies because quite a bit has changed in here since the last time we recorded a video. So back down in here. And again, back down to quarantine policies. So that is pretty much the configuration of the quarantine policies.

One thing that you'll notice is that, well, if we give users access. So if we go back and look in the quarantine message. So here's an example of a quarantine notification that we've actually provided some options for the end users. So without an administrator having to release the message, for example, the end user would have the ability to go in and release the message. In this case, neither one of these messages do I want to release. But if I did, I could just select that release button and it's going to open a web page. It's actually going to open the same quarantine page that I was just accessing as an administrator, but it's going to access it from the end user's endpoint, which would only give them access to their own quarantined messages.

And that's pretty much it. That's the quarantine policies. We'll discuss that a little bit more when we get to the other threat policies like the anti-phishing policy and the anti-spam policies. But this is one of the first places that I like to go to now when I'm first setting up. When I'm doing security roadmap-related things for a tenant, before I go in and set up the anti-spam policy, for example, I like to make sure that the quarantine policy things are taken care of, especially this setting in here for doing end user notifications more quickly. So, and that's pretty much it.