Clarification on APIs for Managing Quarantine Emails

Faizan Fareed 0 Reputation points
2025-01-03T12:14:55.0366667+00:00

I could not find any specific API to fetch and modify Quarantine emails (https://security.microsoft.com). I have explored the following methods to interact with quarantine emails and have a couple of questions:

Advanced hunting APIs

We can use the Advanced hunting API to search for quarantine emails, but there doesn’t seem to be a way to release them or add emails to quarantine via the API. Am I correct?


Questions:

  • Microsoft Defender (https://security.microsoft.com) is an add-on subscription and does not come with every Microsoft Office 365 subscription. Am I correct?
  • Could you please confirm which subscription includes the following features?
    • Microsoft Defender for Office 365 Plan 1
      • Advanced Hunting Portal
      • Policies and Rules (Quarantine Policies and Policies: Anti-Phishing, Anti-Spam, Anti-Malware, Safe Attachments, Safe Links)
    • Microsoft Defender for Office 365 Plan 2
      • Advanced Hunting Portal
      • Threat Explorer
      • Policies and Rules (Quarantine Policies and Policies: Anti-Phishing, Anti-Spam, Anti-Malware, Safe Attachments, Safe Links)
  • Does only the EOP plan exist (https://security.microsoft.com)?

Exchange Online PowerShell

We can use Exchange Online PowerShell cmdlets to fetch quarantine emails, but it appears that admin authentication is required at runtime.


Question:

  • Is there a way to use Exchange Online PowerShell quarantine cmdlets with application permissions instead of requiring admin credentials every time? This is important because we want to process quarantine emails as a background job.

Threat Explorer

We can use the Threat Explorer portal to view quarantine emails.


Question:

  • Is there a Microsoft Graph API available for the Threat Explorer portal? I couldn’t find one.

Do any APIs exist that I have not encountered to fetch and modify quarantine emails?

Please correct me if I am mistaken, as other users may have the same understanding and similar questions.

Thank you


1 answer

  1. Vasil Michev 111.3K Reputation points MVP
    2025-01-03T18:26:22.7966667+00:00

    You can use Exchange Online PowerShell via application permissions as detailed here: https://zcusa.951200.xyz/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps

    On the Graph side of things, you can run Advanced hunting queries, but there is no way to perform actions against any message. The recently introduced analyzedEmail resource does allow for some remediation actions; you might want to check it out: https://zcusa.951200.xyz/en-us/graph/api/security-analyzedemail-remediate?view=graph-rest-beta&tabs=http

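Putting the app-only approach from the answer into practice for the background-job scenario in the question, as an added example (not code from the question, the answer, or Microsoft). It assumes an Entra app registration with the Exchange.ManageAsApp application permission, a certificate in the local machine store, and an Exchange role assigned to the app (a reader role is enough for the reporting part; releasing needs an administrator role); every ID, thumbprint and domain below is a placeholder.

```powershell
# Added example: unattended quarantine triage using certificate-based app-only auth.
# Placeholders: replace $AppId, $Thumbprint and $Organization with your own tenant values.
param(
    [string]$AppId        = '00000000-0000-0000-0000-000000000000',  # placeholder app (client) ID
    [string]$Thumbprint   = 'CERT_THUMBPRINT_PLACEHOLDER',           # placeholder certificate thumbprint
    [string]$Organization = 'contoso.onmicrosoft.com',              # placeholder tenant domain
    [string[]]$ApprovedReleaseIds = @()                              # identities an analyst already approved
)

Import-Module ExchangeOnlineManagement -ErrorAction Stop

# App-only connection: no interactive admin sign-in is needed at runtime.
Connect-ExchangeOnline -AppId $AppId -CertificateThumbprint $Thumbprint `
    -Organization $Organization -ShowBanner:$false

try {
    # Collect the last 24 hours of quarantined mail, paging through results (PageSize max is 1000).
    $since = (Get-Date).AddDays(-1)
    $all   = @()
    $page  = 1
    do {
        $batch = Get-QuarantineMessage -StartReceivedDate $since -Page $page -PageSize 1000
        $all  += $batch
        $page++
    } while ($batch.Count -eq 1000)

    # Summarise by quarantine reason so the job can alert on unusual volumes (e.g. HighConfPhish).
    $all | Group-Object Type | Select-Object Name, Count | Format-Table -AutoSize

    # High-confidence phish and malware are never auto-released; export them for analyst review.
    $all | Where-Object { $_.Type -in 'HighConfPhish', 'Malware' } |
        Select-Object Identity, ReceivedTime, SenderAddress, RecipientAddress, Subject, Type, PolicyName |
        Export-Csv -Path "$env:TEMP\quarantine-review-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation

    # Release only items that were explicitly approved, and log every release for audit.
    foreach ($id in $ApprovedReleaseIds) {
        $msg = $all | Where-Object { $_.Identity -eq $id }
        if (-not $msg) { Write-Warning "Approved identity $id not found in current quarantine"; continue }
        Release-QuarantineMessage -Identity $id -ReleaseToAll -Confirm:$false
        Write-Output "Released $id ($($msg.Type)) from $($msg.SenderAddress) to $($msg.RecipientAddress -join ', ')"
    }
}
finally {
    Disconnect-ExchangeOnline -Confirm:$false
}
```

Run it from a scheduled task under a service account that can read the certificate's private key; the approved-release list is the only input that causes a state change, so keep it behind a human review step.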
