Users can't release quarantined mail themselves, IT is drowning
M365 default policy doesn't let users release high-confidence phish, malware and so on, but does allow low-confidence and spam. The real work needs IT approval and IT drowns. Self-service release for less sensitive categories takes 80 percent of the load away.
Try this first
- 1Microsoft Defender portal → Email & collaboration → Policies & rules → Quarantine policies. Create two policies: one 'self-release' (spam, bulk) and one 'request approval' (phishing, malware).
- 2Apply the policies to anti-spam, anti-phishing and anti-malware policies. Go into each Threat policy and set quarantine policy.
- 3Enable End User Quarantine Notifications. Daily or every 4 hours, with a direct link to the release portal.
- 4Document rules for users in a short (10-line) wiki page. What they can do, what IT must do.
- 5Monitor in Threat Explorer for high-confidence items being self-released that shouldn't have been.
When to bring us in
If quarantine load comes from bad tuning rather than real threats, a policy review beats optimising the release flow.
See also
- Our emails land in spam for some recipientsAlmost always an SPF, DKIM, or DMARC setting that is wrong or missing, or a sender name that mimics a well-known brand.
- Someone reports receiving phishing emails "from us"Read: spoofing. Someone is abusing your sender name, not necessarily your actual mailbox.
- An email bounces (NDR): delivery failedThe NDR text usually states the exact reason. Reading it is step one.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.