Managing email quarantine in Exchange Online is a regular and important task for maintaining a secure and efficient email environment. Exchange Online provides robust PowerShell cmdlets to handle quarantine messages effectively. Today you will learn the essential cmdlets for managing Exchange Online quarantine messages, ensuring you can handle them with ease and precision.
Getting Quarantined Messages Using Get-QuarantineMessage
The Get-QuarantineMessage cmdlet allows you to view quarantined messages within your cloud-based organization. Let’s look at some practical examples:
PS> Get-QuarantineMessage
Received Time Type Direction Sender Address Subject Size Expires
------------- ---- --------- -------------- ------- ---- -------
25-Jun-24 11:58:53 PM Transport rule Inbound User@ExternalDomain.com test 23728 25-Jul-24 11:58:53 PM
25-Jun-24 11:58:39 PM Transport rule Inbound User@ExternalDomain.com 111 23768 25-Jul-24 11:58:39 PM
In this example, you can see several properties for each message, such as the received time and the type, which indicates why the message was quarantined. Here, the reason is a transport rule set to quarantine any message from the sender. The type can also be Malware, High Confidence Phish, or another reason.
You can also see the Direction, which shows whether the message is inbound or outbound. To list the quarantined messages sent into the organization (“inbound”), use the following:
PS> Get-QuarantineMessage -Direction Inbound
Another example filters the Exchange quarantine by received date:
PS> Get-QuarantineMessage -StartReceivedDate 06/10/2024 -EndReceivedDate 06/25/2024
We can get a quarantine message list for now, but what if we need to dig deeper into message details?
Finding A Single Exchange Online Quarantine By Using Identity Parameter
Use the following line to return all the messages sorted in a table along with the message identity. This identity helps us call a specific message to get all its details.
PS> Get-QuarantineMessage | select Identity,RecipientAddress,SenderAddress
Identity RecipientAddress SenderAddress
-------- ---------------- -------------
f2f36546-8ffa-4381-aa7c-08dc95513d63\c676c76c-b3c9-d179-a1cc-ba1ecc73a1ed {faris@farismalaeb.com} User1@ExternalDomain.com
Copy the Identity that relates to the message you need. Then run Get-QuarantineMessage and pass the Identity as a parameter, and you will get a load of information related to the message:
PS C:\> Get-QuarantineMessage -Identity f2f36546-8ffa-4381-aa7c-08dc95513d63\c676c76c-b3c9-d179-a1cc-ba1ecc73a1ed | fl
Identity : f2f36546-8ffa-4381-aa7c-08dc95513d63\c676c76c-b3c9-d179-a1cc-ba1ecc73a1ed
ReceivedTime : 25-Jun-24 11:58:53 PM
Organization : 4b375b4a-4f87-478b-8feb-32a204a20077
MessageId : <1418289215.5542814.1719345531286@mail.ExternalDomain.com>
SenderAddress : User1@ExternalDomain.com
RecipientAddress : {faris@farismalaeb.com}
Subject : 2222
Size : 23728
Type : Transport rule
PolicyType : ExchangeTransportRule
PolicyName : EOL - Prevent Unknown Contact
TagName :
PermissionToBlockSender : False
PermissionToDelete : True
PermissionToPreview : True
PermissionToRelease : True
PermissionToRequestRelease : False
PermissionToViewHeader : False
PermissionToDownload : True
PermissionToAllowSender : True
Released : False
ReleaseStatus : NOTRELEASED
SystemReleased : False
RecipientCount : 1
QuarantineTypes : TransportRule
Expires : 25-Jul-24 11:58:53 PM
RecipientTag : {}
DeletedForRecipients : {}
QuarantinedUser : {faris@farismalaeb.com}
ReleasedUser : {}
Reported : False
Direction : Inbound
CustomData :
EntityType : Email
SourceId :
TeamsConversationType :
ApprovalUPN :
ApprovalId :
MoveToQuarantineAdminActionTakenBy :
MoveToQuarantineApprovalId :
OverrideReasonIntValue : 0
OverrideReason : None
ReleasedCount : 0
ReleasedBy : {}
Take a look at ReleaseStatus to see the message status.
Another important property is Expires, which holds the date on which the message will be removed from the quarantine.
Finding A Single Exchange Online Quarantine By Using MessageID
You can also use the MessageID, which can be retrieved from the message trace log. Let’s assume a message was sent from a user named user1@yahoo.com and the message trace log shows it as Quarantined:
PS C:\> get-messageTrace -SenderAddress User1@ExternalDomain.com | fl
Message Trace ID : f2f36546-8ffa-4381-aa7c-08dc95513d63
Message ID : <1418289215.5542814.1719345531286@externaldomain.com>
Received : 25-Jun-24 7:58:53 PM
Sender Address : User1@ExternalDomain.com
Recipient Address : faris@farismalaeb.com
From IP : 74.6.129.124
To IP :
Subject : 2222
Status : Quarantined
Size : 23728
Copy the Message ID and run the following:
PS> Get-QuarantineMessage -MessageId '<129701213.5566236.1719345518516@externalDomain.com>' | fl
Releasing a Quarantine Message using Release-QuarantineMessage
To release a message, use Release-QuarantineMessage and pass the MessageID or the Identity along with a few parameters, as follows:
- Identity: Can be the Identity or the MessageID.
- ActionType: Can hold one of four values:
  - Release: Releases the message from quarantine directly. Admins have this permission. In addition, an ordinary user (not an admin) who is the recipient of a quarantined message has default capabilities, which can include releasing their own quarantined messages.
  - Request: This action type is only available to end users, since admins have release privileges by default. A user can have either the release or the request permission, but not both at the same time.
  - Deny/Approve: Only admins have these permissions; an end user does not. These two action types are only used when the quarantined message has a release request pending. On the Quarantine page, the Release status value of the message is Release requested. An admin reviews the request and approves or denies it.
- ReleaseToAll: Releases the message to all original recipients.
- User: Releases the message to a specific user.
Even when a quarantine policy is configured to let end users release messages directly, that permission isn’t honored for messages that were quarantined (quarantine reason or type) as malware or high-confidence phishing. For those messages, users are only allowed to request release, as if PermissionToRequestRelease had been selected instead.
So to release a message from the Exchange Online quarantine messages, use the following
PS> Release-QuarantineMessage -Identities 'f2f36546-8ffa-4381-aa7c-08dc95513d63\c676c76c-b3c9-d179-a1cc-ba1ecc73a1ed' -ActionType release -ReleaseToAll
To check the quarantine messages status use the following
PS C:\> Get-QuarantineMessage -Identity 'f2f36546-8ffa-4381-aa7c-08dc95513d63\c676c76c-b3c9-d179-a1cc-ba1ecc73a1ed' | select Released,ReleaseStatus
Released ReleaseStatus
-------- -------------
True RELEASED
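As an added example (not from the original article), the function below triages quarantined messages before anything is released, holding Malware and High Confidence Phish items for manual review as the restriction above implies. Select-ReleaseCandidate, its parameters, and the Decision labels are hypothetical names, and the sample objects are constructed.

```powershell
# Added example. Property names (Identity, SenderAddress, Type, ReleaseStatus, Expires)
# match the Get-QuarantineMessage output above; every sample value is constructed.
function Select-ReleaseCandidate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Message,
        # Types that are never bulk-released and go to manual review instead.
        [string[]]$HoldType = @('Malware', 'High Confidence Phish'),
        [datetime]$Now = (Get-Date)
    )
    process {
        if ($Message.ReleaseStatus -ne 'NOTRELEASED') {
            $decision = 'Skip: already handled'
        } elseif ($Message.Type -in $HoldType) {
            $decision = 'Hold: manual review'
        } elseif ($Message.Expires -le $Now) {
            $decision = 'Skip: expired'
        } else {
            $decision = 'Candidate'
        }
        [pscustomobject]@{
            Identity      = $Message.Identity
            SenderAddress = $Message.SenderAddress
            Type          = $Message.Type
            DaysLeft      = [math]::Floor(($Message.Expires - $Now).TotalDays)
            Decision      = $decision
        }
    }
}

# Constructed objects standing in for Get-QuarantineMessage output.
$sample = @(
    [pscustomobject]@{ Identity = 'sample-1'; SenderAddress = 'a@example.com'
        Type = 'Transport rule'; ReleaseStatus = 'NOTRELEASED'; Expires = [datetime]'2024-07-25' }
    [pscustomobject]@{ Identity = 'sample-2'; SenderAddress = 'b@example.com'
        Type = 'Malware'; ReleaseStatus = 'NOTRELEASED'; Expires = [datetime]'2024-07-20' }
    [pscustomobject]@{ Identity = 'sample-3'; SenderAddress = 'c@example.com'
        Type = 'Transport rule'; ReleaseStatus = 'RELEASED'; Expires = [datetime]'2024-07-22' }
)
$sample | Select-ReleaseCandidate -Now ([datetime]'2024-06-26') | Format-Table -AutoSize

# Live tenant (after Connect-ExchangeOnline): dry-run the release of candidates only.
# Get-QuarantineMessage -Direction Inbound | Select-ReleaseCandidate |
#     Where-Object Decision -eq 'Candidate' | ForEach-Object {
#         Release-QuarantineMessage -Identity $_.Identity -ActionType Release -ReleaseToAll -WhatIf }
```

With the sample data, only sample-1 is marked Candidate; sample-2 is held because of its type and sample-3 is skipped because it was already released.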
Previewing And Deleting Exchange Online Quarantine Messages using PowerShell
Preview-QuarantineMessage is a ready-to-use cmdlet with few parameters: just call the cmdlet and pass the ID. The message is displayed in the console:
PS C:\> Preview-QuarantineMessage -Identity 'f2f36546-8ffa-4381-aa7c-08dc95513d63\c676c76c-b3c9-d179-a1cc-ba1ecc73a1ed'
Identity : f2f36546-8ffa-4381-aa7c-08dc95513d63\c676c76c-b3c9-d179-a1cc-ba1ecc73a1ed
ReceivedTime : 25-Jun-24 11:58:51 PM
SenderAddress : farisnt@yahoo.com
RecipientAddress : {faris@farismalaeb.com, faris@powershellcode.com}
Subject : 2222
Body : <html><head></head><body><div class="ydp70e5d1adyahoo-style-wrap" style="font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:13px;"><div><div><br></div><div><br></div><div
class="ydp70e5d1adsignature"><div style="TEXT-ALIGN:center;"><span style="color:rgb(0, 0, 255);" class="ydp70e5d1adApple-style-span">Faris Malaeb</span></div><div
style="TEXT-ALIGN:center;"><span style="COLOR:rgb(0,0,255);" class="ydp70e5d1adApple-style-span">System Consult</span></div><div style="TEXT-ALIGN:center;"><span
style="COLOR:rgb(0,0,255);" class="ydp70e5d1adApple-style-span">System Administrator</span></div><div style="TEXT-ALIGN:center;"><span style="COLOR:rgb(0,0,255);"
class="ydp70e5d1adApple-style-span"><br></span></div><div><br></div></div></div></div></body></html>
IsHtml : True
Cc : {}
Attachment : {}
To get only the message body you can adjust the cmdlet to be
PS C:\> (Preview-QuarantineMessage -Identity 'f2f36546-8ffa-4381-aa7c-08dc95513d63\c676c76c-b3c9-d179-a1cc-ba1ecc73a1ed').Body
To delete a quarantine message, you can use the Delete-QuarantineMessage cmdlet. This cmdlet accepts Identity, or Identities if you want to remove multiple messages in a single batch.
PS C:\> Delete-QuarantineMessage -Identities "MessageID1", "MessageID2", "MessageID3"
Conclusion
Managing Exchange Online Quarantine Messages using PowerShell cmdlets is a powerful way to ensure email security and compliance. By mastering these cmdlets (Get-QuarantineMessage, Preview-QuarantineMessage, Release-QuarantineMessage, and Delete-QuarantineMessage), you can efficiently handle quarantined emails and maintain a secure email environment.