Exchange Online Protection Quarantine (Part 4)


Office 365 Portal Limitations

For the most basic tasks of managing an organization’s quarantine, the Exchange Online Protection (EOP) portal does the job. Administrators can search for messages using a variety of criteria and release messages. However, some administrators might want some extra flexibility. After all, there are a few things missing that would be really useful:

  • It is not possible to release messages without having to open them;
  • It is not possible to see if a message has been released without having to open it;
  • It is not possible to list more than 500 messages and there is no “next page” button. If the message does not show up in the list, then we need to further filter our search;
  • It is not possible to mass release messages. If there are multiple quarantined messages from a particular recipient, messages have to be released one at a time! Definitely the worst shortcoming of the portal in this list…

In order to overcome these, and at the time of writing this article, the only solution is PowerShell.

Using PowerShell

Hopefully the above features will be made available in the portal real soon. In the meantime, PowerShell to the rescue!

The first thing to do is to open a PowerShell console window and connect to EOP:

$UserCredential = Get-Credential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

Import-PSSession $Session

For organizations that only use EOP to protect on-premises mailboxes, use the following ConnectionUri instead:

-ConnectionUri https://ps.protection.outlook.com/powershell-liveid/

Once connected, let us list what PowerShell cmdlets are available to manage quarantined messages:

[Figure 1: the quarantine-related cmdlets available in the session]

Ok, not that many… So what do they do? They are self-explanatory to be fair:

  • Get-QuarantineMessage allows us to list or search for messages sent to our organization and that have been quarantined by EOP. We can filter these using a variety of criteria such as sender/recipient address, subject, etc…;
  • Get-QuarantineMessageHeader shows the message header of a quarantined message (the same as clicking on “view message header…” in the portal);
  • Release-QuarantineMessage releases a quarantined message to some or all of its intended recipients. It is also used to report a message as a false positive.

Searching Quarantined Messages

To search for quarantined messages we use the Get-QuarantineMessage cmdlet as mentioned above. This cmdlet returns a series of message properties but, for some reason, three of these properties are always blank:

[Figure 2: Get-QuarantineMessage output with three properties left blank]

In this case I am using the MessageID parameter to search for a message, but I could have used the Subject, for example, and the result would have been the same. However, if we specify the Identity of the message instead, then these properties are displayed! Let us look at the same message, but this time by referencing its identity:

[Figure 3: the same message retrieved by Identity, with those properties populated]

Using this method, the previously “missing” properties are now visible. We can also see that this message was sent to one recipient and already released to it.

In the next example I am simply returning every message currently in the Quarantine:

[Figure 4: every message currently in the quarantine]

As this is my lab tenant, there are not many messages in the Quarantine. When there are a large number of messages, we can easily filter them based on when they were received, the sender, recipient, subject, etc. In the next example, I am restricting the results to only show emails quarantined in December by using the StartReceivedDate parameter (date in American format):

Get-QuarantineMessage -StartReceivedDate "12/01/2014"

[Figure 5: messages quarantined since 12/01/2014]

If there are hundreds of messages to be displayed, we may need to use one or two additional parameters:

  • The Page parameter specifies the page number of the results to view (between 1 and 1000, with 1 being the default);
  • The PageSize parameter specifies the maximum number of entries per page (between 1 and 5000, with 1000 being the default – already much better than the 500 limit in the portal).
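The two parameters above only show one page at a time. The following function, an added example that is not part of the original article, walks through every page so that a quarantine larger than a single page is read completely, optionally restricted with StartReceivedDate. It assumes the EOP session from the "Using PowerShell" section is already imported and that a page returning fewer entries than PageSize is the last one; the function name and the 1000-page cap are taken from the limits quoted above.

```powershell
# Added example (not from the original article): read every page of quarantine results.
function Get-AllQuarantineMessages {
    param(
        [int]$PageSize = 1000,          # 1..5000, 1000 is the cmdlet default
        [datetime]$StartReceivedDate    # optional: only messages received after this date
    )

    $page = 1
    do {
        $params = @{ Page = $page; PageSize = $PageSize }
        if ($PSBoundParameters.ContainsKey('StartReceivedDate')) {
            $params['StartReceivedDate'] = $StartReceivedDate
        }

        # Wrap in @() so a single result or no result still has a Count
        $batch = @(Get-QuarantineMessage @params)
        $batch            # emit this page's messages to the pipeline
        $page++
    } while ($batch.Count -eq $PageSize -and $page -le 1000)   # Page is capped at 1000
}

# Usage: everything received in the last 30 days, then the ten most frequent senders
$messages = @(Get-AllQuarantineMessages -StartReceivedDate (Get-Date).AddDays(-30))
"{0} quarantined message(s) found" -f $messages.Count
$messages | Group-Object SenderAddress | Sort-Object Count -Descending |
    Select-Object -First 10 Name, Count
```

The sender summary at the end is the kind of view that is hard to get from the portal: a single sender or domain dominating the quarantine is worth a look before anything is released in bulk.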

As we have seen before, messages remain in the quarantine until they expire even after they are released, making it hard to check which messages have already been released and which have not… When using the portal, we need to open a message to see if it has been released or not. With PowerShell we can easily return every message that has not yet been released to all its recipients by checking the QuarantinedUser property (we could also use the ReleasedUser property to check if the message had been released to any of its recipients):

(Get-QuarantineMessage).Identity | ForEach {Get-QuarantineMessage -Identity $_ | Where {$_.QuarantinedUser}}

[Figure 6: messages not yet released to all of their recipients]

If, on the other hand, we want to check messages that have already been released to all their recipients, we basically check for the opposite of the previous condition:

(Get-QuarantineMessage).Identity | ForEach {Get-QuarantineMessage -Identity $_ | Where {!$_.QuarantinedUser}}

[Figure 7: messages already released to all of their recipients]

What if we want to export everything from the quarantine to a CSV so we can analyze it in a more user-friendly way? Not a problem! Simply use the Export-CSV cmdlet to export all the details from all the messages in the quarantine to a CSV file (remember to use Identity if you also want those three properties mentioned in the beginning):

(Get-QuarantineMessage).Identity | ForEach {Get-QuarantineMessage -Identity $_} | Export-CSV F:\Quarantine.csv -NoType

[Figure 8]

[Figure 9]

A cool thing about using PowerShell is that we can easily list all the messages that have already been reported as false positives. To do this we use the Reported parameter and specify $true, meaning it will filter and display only messages that have been reported. Conversely, if we specify $false we will get a list of all the messages that have not yet been reported:

[Figure 10: Get-QuarantineMessage filtered with the Reported parameter]

Message Headers

There is not much to say about this cmdlet to be fair. We simply specify the Identity of a message and we can see its headers:

[Figure 11: Get-QuarantineMessageHeader output for a message]

Releasing Quarantined Messages

Now that we have searched and found the message(s) we are looking for, we can finally release it using the Release-QuarantineMessage cmdlet, which has three main parameters:

  • ReleaseToAll releases the quarantined message to all original recipients of the message. If we previously used the User parameter (below) or the ReleaseToAll switch to release the quarantined message to some or all of the original recipients, those recipients are skipped;
  • User specifies the email address of the user to whom we want to release the quarantined message. We can specify multiple email addresses separated by commas. Again, if we previously released the message to any of its original recipients, these will now be skipped;
  • ReportFalsePositive sends a notification message indicating the specified message was not spam.

Please note that messages can only be released to one or more of their original recipients, meaning we cannot release a message to an administrator for analysis, for example.

To release a message we can simply specify a message’s Identity:

Release-QuarantineMessage -Identity "06840905-5ba1-4e93-f061-08d1dc2f8306\e5be426d-8e93-ba63-c2bd-4481bf5ebe01" -ReleaseToAll

[Figure 12]

Or we can pipe a message using the Get-QuarantineMessage cmdlet. In this next example we try to release a message that has already been released:

Get-QuarantineMessage -MessageID "<[email protected]>" | Release-QuarantineMessage -ReleaseToAll

[Figure 13: attempting to release a message that has already been released]

Going back to the list of improvements the portal could use, one of them was the bulk release of messages. This can easily be done through PowerShell. In this example, we release all quarantined messages sent by a particular user:

Get-QuarantineMessage -SenderAddress [email protected] | Release-QuarantineMessage -ReleaseToAll

[Figure 14]

We can also release all messages from a particular domain:

Get-QuarantineMessage | Where {$_.SenderAddress -match "@nunomota.pt"} | Release-QuarantineMessage -ReleaseToAll

[Figure 15]

Strangely enough, it seems that it is not possible to simply report a message as a false positive without releasing it to a recipient. Every time I try to do so I get the following error:

[Figure 16: the error returned when ReportFalsePositive is used on its own]

However, if I use the User or the ReleaseToAll parameters it works just fine:

[Figure 17: ReportFalsePositive succeeding when combined with User or ReleaseToAll]

Finally, if you are looking for a quick way to release and report every single email in your quarantine, just run the following:

Get-QuarantineMessage | Release-QuarantineMessage -ReleaseToAll -ReportFalsePositive

Conclusion

In this article series, we explored the Quarantine feature of Exchange Online Protection, including how to enable, configure and manage it both from the administrator and end user perspectives.


2 thoughts on “Exchange Online Protection Quarantine (Part 4)”

  1. Thanks so much for posting this article – I would have been puzzling over those blank recipient/user fields for a while!
