Available from the end of April 2023 there is now an option to increase the notification interval to end users about items in the quarantine.
The Microsoft 365 Quarantine is at https://security.microsoft.com/quarantine and though this is a good link to add corporate intranets, its also a useful one for users to remember and bookmark.
Up until now notifications where, at most, once every day, but a new “Within 4 Hours” option has just rolled out and the settings come with some changes that I noticed today:
The default value is Daily, though it used to be a number where the default was 3. Looking at old tenants where this value used to be 3, I see it has now changed to “Daily”. So notifications may appear to be more frequent.
If a user gets a notification when email, file or Teams Chat items are quarantined though depend upon the Quarantine Policy (found at https://security.microsoft.com/quarantinePolicies, and then under Global Settings as shown):
Each type of “suspect email” has a Quarantine Policy that you can select, an example of this is shown below:
In the above, which are the current defaults in a new tenant, a “phish” email will go to Quarantine and get the “DefaultFullAccessPolicy”, but a “high confidence phish” can only be released by the Admin (the “AdminOnlyAccessPolicy”). This means, with the current defaults, “phish” emails are not notified to users once they go into the quarantine. A user can go look themselves on the URL above, but they will not be invited to go look daily or now, even every 4 hours.
There is a Quarantine Policy called “DefaultFullAccessWithNotificationPolicy” which could be set against “Phish” class of emails so the user is notified on the above schedule. Microsoft set the default to “DefaultFullAccessPolicy” when you create a new policy manually, but if you use their preset configuration settings you get “DefaultFullAccessWithNotificationPolicy” instead!
You can also create your own Quarantine Policies with notification and various options for what users can do in the quarantine (for example, request release from the admin rather than release themselves).
So a call to action if you do notify your users of items in their quarantine might be to reduce the notification interval.
Photo by cottonbro studio from Pexels: https://www.pexels.com/photo/health-workers-wearing-face-mask-3957987/