Updated 5 months ago

Export Quarantined Messages Report in Exchange Online Using PowerShell

by Community Team

9 min read

No Comments

After being in quarantine for two years, we are now familiar with the word called quarantine. Rather, we were quarantined so as to prevent the virus from spreading through the environment. Now, you might be wondering what the word quarantine has to do with Microsoft 365. Simple! The messages which are considered to be compromised by hackers or potentially threatful are quarantined in Microsoft 365.

Yes! Yes! Microsoft introduced a feature called ‘Quarantine message’ to help prevent potentially harmful email messages from reaching users’ inboxes. When an email is flagged as suspicious or containing spam, malware, or other malicious content, it is automatically placed in quarantine, where it can be safely examined and potentially deleted by the IT team.

So now, let us dig deep into the quarantine messages and how to export reports on them in this blog.

What is Quarantine Message in Microsoft 365?

Think of a scenario where an employee/user receives an email asking them to click on a link to verify their account info. However, the built-in safe links policy and Exchange Online Protection (EOP) filters identify that the emails are potentially harmful and malicious before they reach the user’s inbox. By using Exchange transport rules, you can also block spam emails from onmicrosoft.com domains particularly and direct them to quarantine. Therefore, it pushes the email messages into the quarantine zone rather than reaching the users’ mailboxes. Thus, quarantining all suspicious emails helps to prevent the organization from data loss, spam, malware, and various malicious attacks.

And eventually, admins can review and take necessary measures like view, release, and delete depending upon the situation. Most importantly, quarantined messages are automatically deleted after the specified retention period and cannot be retained any longer.

Why Emails are Quarantined in Microsoft 365?

Office 365 may quarantine emails for various reasons, such as potential spam or malware, compliance policy violations, etc. Therefore, understanding the reasons for email quarantine can highly help organizations to better protect their email environment from security threats and compliance issues. Therefore, let’s see some factors that push an email to the quarantine zone in Microsoft 365.

  • Microsoft 365 Spam & Phishing Filtering Policies – Office 365 has built-in spam & phishing policies that analyze the content of emails to identify potential spam, phishing, or malware. When an email contains suspicious content, such as links to malicious websites, the email message is quarantined and never delivered to the intended recipient.
  • Anti-malware Policies – Microsoft 365 enforces strict anti-malware policies on inbound and outbound messages to prevent the delivery of emails containing malicious content. Therefore, malware messages are quarantined as they pose a significant threat in exploiting system resources.
  • Exchange Mail Flow Rules – Office 365 administrators can create mail flow rules or transport rules to identify specific types of emails and take actions such as quarantining them. Office 365 built-in templates of mail flow rules allows you to quarantine messages when they are received from unknown senders and based on the sender reputation.

Overall, the purpose of quarantining messages is to protect users from potential security threats and keep their email inboxes safe and free from spam and malware.

Pre-requisites to View Quarantine Messages

The license required to view the quarantine messages are listed below.

  1. Exchange Online Protection
  2. Microsoft 365 Defender for Office Plan 1 and Plan 2
  3. Microsoft 365 Defender

To review the quarantined reports in Microsoft 365 Defender portal, users must be assigned with specific permissions. Most importantly, users with admin-approved access can view, delete, and block quarantined messages filtered by Microsoft’s default spam and phishing policies. In addition, Microsoft introduces the ‘Allow Sender’ feature for quarantine allow and block list management, preventing trusted emails from going to quarantine.

How to Check Quarantined Email Messages in Microsoft 365?

Reviewing quarantined messages is important because it allows you to identify and handle potentially legitimate messages that have been mistakenly quarantined for other reasons. With this, admins can prevent false positives and stop actual spam & phishing attempts or other malicious content. Therefore, to check the quarantined messages, navigate to the path below.

Microsoft 365 Defender portal 🡢 Email & collaboration 🡢 Review 🡢Quarantine

Check Quarantined messages report in Microsoft 365 Defender

Ultimately, the admins can infer the following details from this email quarantine page based on the customization of columns. Also, you can view the Teams messages and Files that are quarantined in this section by switching the tab.

  • Time received – It indicates the time at which the message was pushed to quarantine.
  • Subject – The subject of the email message is displayed here.
  • Sender – It shows the email address of the sender here.
  • Quarantine reason Describes the reason for quarantining a specific message, such as Phish, Malware, Spam, etc.
  • Release statusThis provides information on whether the message was released to the recipient and reviewed or not.
  • Policy type – It refers to the type of policy which restricted the message.
  • Expires – Notifies the expiration date if it was assigned.
  • Recipient – The recipient’s mail address is recorded here for reference.
  • Message ID – The unique identifier of the quarantine message.
  • Policy name – The name of the policy that restricted the message.
  • Message size – The size of the message body is stored.
  • Mail direction – Specifies whether it was an inbound or outbound message.
  • Recipient tag – The tags like priority account of recipients are shown here.

For an in-depth analysis of a quarantined message, select a particular message from this page. A flyout appears with a complete report of quarantine details, delivery status and details about the specific quarantined email message.

Here, the admins can click “Take actions” and take the necessary actions towards the quarantined messages after reviewing them. This will give them more granular control over the quarantined messages and perform various actions such as:

  1. Move or delete
  2. Submit to Microsoft
  3. Tenant level block
  4. Initiate automated investigation
  5. Propose remediation

Quarantined message report in detail

As of now, we are clear about the process of checking quarantined messages report in Microsoft 365 Defender. Thus, let us move on to the next part of this blog, quarantine message reporting using PowerShell.

Get Reports on Quarantined Messages Using PowerShell

Generating granular reports in admin centers is a tiresome task that often requires shifting between multiple tabs and may not always result in reports that meet our specific needs. The major drawback in viewing quarantine reports via the Defender portal is that it requires additional subscriptions to view quarantined files. Above all, searching for a message in the quarantine page of the Defender portal requires multiple filtering as the search box only scans the main page.

Thus, admins can use PowerShell to analyze quarantined messages and files in the cloud-based environment to ease the process. Therefore, here are some PowerShell cmdlets to generate quarantined messages report. But before using these cmdlets in your PowerShell environment, make sure to connect to the Exchange Online PowerShell module and proceed.

  1. Get Reports on Quarantined Emails by Date Range
  2. Get Reports on Quarantined Emails from a Specific User
  3. Analyze Quarantined Messages Report for a Specific User
  4. Find the Top 10 Quarantined Domain in Microsoft 365
  5. Top 10 Users With ‘Most Quarantined Emails’ Report

Get Reports on Quarantined Emails by Date Range

It’s important to note that the retention period for quarantined messages is set to 30 days by default. Once this period is over, the messages are deleted automatically and cannot be recovered.

Therefore, to easily retrieve reports for your quarantined emails, you can modify the date range in the below cmdlet. This simple tweak allows you to hone in on the specific timeframe that you need to investigate, helping you efficiently get the information you need.

Get quarantined messages report by date range

Get Reports on Quarantined Emails from a Specific User

If a large number of emails from a specific domain are being quarantined and are identified as phishing attempts, the IT team can take steps to block the sender and prevent further attempts.

Overall, reports on quarantined emails sent by a specific domain can be very useful for identifying potential threats and spam messages and help organizations take steps to improve their email security. Run the below cmdlets to get the list of emails quarantined from specific domain after mentioning the sender address and date range in the cmdlets.

Get quarantined email report sent by a specific user

Analyze Quarantined Messages Report for a Specific User

Administrators can use this quarantined messages report to analyze the emails that are being quarantined for a particular user and adjust the email security system’s settings to reduce the number of false positives. By reviewing the quarantined emails, administrators can ensure that important emails are not being blocked by the security system and that any malicious emails are not being delivered to the user’s inbox.

The following command lists all quarantined emails for a specific user for a given period of time. Make sure you replace the recipient address and the date range in the cmdlet before running them.

Quarantined emails for specific user

Find the Top 10 Quarantined Domain in Microsoft 365

Locate the weak spots of your organization for better usage of quarantine policies with the reports on the top 10 users whose domain’s mail is quarantined in and around your organization. This report allows you to identify potential risk users at your organization and take required actions on them.

Quarantined messages sent by top 10 domains


Top 10 Users With ‘Most Quarantined Emails’ Report

Instead of taking action on every single quarantine message, you can take bulk actions easily after analyzing these reports which identify the fragile users of your Office 365 environment. Thereby, admins can frame strict threat policies and mail flow rules to tighten the security of your organizational setup. Execute the following cmdlets to get a quarantine message report on the emails received by the top 10 users

Top 10 users with most quarantined messages report


Gain Advanced Quarantined Message Reports with AdminDroid!

Don’t put all your effort into fetching the detailed stats of quarantined messages in Microsoft 365 admin center or PowerShell! The M365 admin center fails to provide comprehensive information on quarantine messages, leading admins to rely on cumbersome PowerShell commands for detailed reports. But for complex reports, admins need to use multiple lines of code which is a time-intensive and troublesome job!

Instead, start using AdminDroid Microsoft 365 auditing tool, and get more comprehensive and robust information on quarantined messages. The AdminDroid’s quarantined messages report are far beyond the limitations of the native Microsoft 365 experience!

Email Quarantine Reports:
  • With AdminDroid’s email quarantine reports, admins can audit all the activities related to quarantining of spam, phishing, and malware emails. Monitoring the quarantined messages makes you aware of these potential threats barging into your organization and the weak points.
    • Also, examining those messages enables you to make informed decisions, such as whether to move or delete, submit to Microsoft if they are false positives, implement tenant-level blocks, or propose remediation based on detections & investigations.
Quarantined Mailboxes Reports:
  • This covers advanced reports on quarantined mailboxes including details like quarantine last crash, end of quarantine, quarantine file version, and many more under the AdminDroid Exchange Online reporting tool.

Moreover, the AdminDroid Exchange Online management tool provide 170+ Exchange Online reports, easing your burden of monitoring and managing mailbox activities, access, permission changes, and efficient mailbox management.

AdminDroid report

AdminDroid's report

AdminDroid not only provides solution for Exchange Online management but also for other services like Azure AD, Microsoft Teams, SharePoint Online, OneDrive, Yammer, etc. Ultimately, AdminDroid offers more than 1800+ comprehensive built-in reports and 30+ smart dashboards for various Office 365 services with an easy-to-set-up nature.

Why AdminDroid?
  • With its user-friendly interface, you can enjoy hassle-free Office 365 management.
  • Schedule reports to run and export results automatically with AdminDroid quick scheduling feature.
  • Get notified only for critical and crucial events without false alarms through AdminDroid alerts.
  • AdminDroid supports granular access delegation and modern authentication.
  • In the end, get the desired reports in a desired manner with AdminDroid enriched filters and enhanced customization options available.

Finally, download AdminDroid now to have crystal-clear stats and records of your Office 365 environment.

Coming to an end, I hope that this blog has provided you with valuable insights into managing quarantine messages and generating reports using PowerShell. Staying ahead of the curve is vital, and using PowerShell is an excellent way to do so! And if you have any questions or require further assistance, feel free to reach us through the comments section.

Always remember, in today’s ever-evolving threat landscape, being proactive is the key to staying secure!

Share article