You disable Outlook quarantine by editing the anti-spam, anti-malware, and anti-phishing policies in the Microsoft 365 Defender portal, adjusting the quarantine policy to deliver messages to the Junk Email folder, or creating mail flow rules that bypass filtering for trusted senders. You can also turn off the legacy Outlook desktop Junk Email filter under Home > Junk > Junk Email Options, or, for on-premises Exchange Server, clear the transport-level quarantine mailbox using the Set-ContentFilterConfig cmdlet. Disabling quarantine is rarely the right move for an entire tenant, but tiered bypasses for specific users, domains, or message types are a common and defensible configuration.
The problem sits inside Exchange Online Protection, which routes suspected spam, phish, malware, and bulk mail into a hidden holding area called quarantine. The governing framework blends Microsoft’s default Standard and Strict preset security policies, U.S. anti-spam statutes like CAN-SPAM (15 U.S.C. § 7701), and sector rules such as the HIPAA Security Rule and SEC Rule 17a-4. If you turn off quarantine without compensating controls, malicious email reaches inboxes, and you can trigger breach-notification duties, fines, and civil claims.
Here is what this guide delivers in plain English:
- A full map of every quarantine layer across Microsoft 365, Outlook, and on-prem Exchange
- Step-by-step admin and end-user methods to disable, bypass, or loosen quarantine
- The federal and state legal consequences of turning off email filtering
- Named real-world scenarios showing safe and unsafe disablement patterns
- A mistakes list, pros and cons, do’s and don’ts, and a 12-question FAQ
According to the Microsoft Digital Defense Report 2024, more than 90% of cyberattacks still begin with email, which is why quarantine exists and why blanket disablement is dangerous.
What Outlook Quarantine Actually Is
Outlook quarantine is not a single feature. It is a stack of filters that sit between the public internet and your inbox, and each layer has its own disable switch. Understanding the stack is the only way to disable the right piece without breaking the rest.
The top layer is Exchange Online Protection (EOP), the mail gateway that every Microsoft 365 tenant uses. EOP runs connection filtering, anti-spam, anti-malware, and anti-phishing checks before mail ever touches a mailbox. When a message fails, EOP either deletes it, sends it to Junk Email, or holds it in quarantine under the rules of a quarantine policy.
The second layer is Microsoft Defender for Office 365, which adds Safe Attachments detonation, Safe Links rewriting, and impersonation protection. Defender for Office 365 can quarantine on its own verdicts even if EOP would have let the message pass. The third layer is the mailbox itself, where Outlook’s local Junk Email filter can still move messages into the Junk folder after delivery. The fourth layer, on-premises only, is the Exchange Server content filter agent and its quarantine mailbox.
The consequence of mixing these up is common: admins turn off the tenant anti-spam policy and then panic when Outlook keeps dumping mail into Junk. That is the client-side filter, not quarantine. A real-world misconception is treating the Junk Email folder and quarantine as the same thing. They are not. Junk is inside the mailbox, and quarantine is outside it.
Why Microsoft Quarantines Mail by Default
Microsoft enforces Secure by Default on every new tenant. That means high-confidence phish and malware are quarantined even if an admin forgets to configure a policy. The rule exists because Microsoft’s telemetry shows that fewer than half of admins review quarantine daily, and unprotected users click malicious links within minutes of delivery.
The consequence of ignoring Secure by Default is that your “allow everything” mail rule will still not deliver high-confidence phish. A named example: Priya, an IT manager at a 40-person architecture firm, created a transport rule to bypass all filtering for a vendor domain. She did not understand that malware and high-confidence phish are still blocked, and she filed a support ticket claiming the rule was broken. Microsoft told her the rule was working as designed.
A common misconception is that paying for Microsoft 365 E5 lets you override Secure by Default. It does not. Only specific overrides in the anti-phishing policy or Tenant Allow/Block List can bypass those top verdicts, and even then only in narrow cases.
The Four Quarantine Surfaces
You will touch four surfaces when you disable quarantine. The Microsoft Defender portal holds tenant-wide anti-spam, anti-malware, and anti-phishing policies. The Exchange admin center holds mail flow rules and connectors. Exchange Online PowerShell lets you script every change. The Outlook desktop or web client holds the user-level Junk Email filter and the block/allow lists.
Each surface has its own permission model. Global Administrator, Security Administrator, or Exchange Administrator roles are usually required, and lower-privilege roles like Quarantine Administrator can only release messages, not change policy.
How to Disable Quarantine in Microsoft 365 (Tenant-Wide)
You disable tenant quarantine by editing three policy families: anti-spam, anti-malware, and anti-phishing. You cannot “turn off” quarantine as a single feature, because Microsoft does not allow it. You can only redirect each verdict to a different action, like Junk Email or Delete. Choose redirection carefully, because Delete is irreversible.
Start in the Defender portal’s Threat policies page. Open the Anti-spam inbound policy (Default). Scroll to “Actions.” For each verdict (Spam, High-confidence spam, Phishing, High-confidence phishing, Bulk, ZAP), change the dropdown from Quarantine message to Move to Junk Email folder. Save the policy. You have not deleted quarantine, but you have stopped it from catching those verdicts.
Then open the Anti-malware policy (Default). Malware is always quarantined, and Microsoft does not let you change that action. What you can change is the quarantine policy that governs user access. Assign AdminOnlyAccessPolicy to keep users out, or DefaultFullAccessWithNotificationPolicy to let them release on their own. Finally, open the Anti-phishing policy (Default) and change spoof and impersonation actions from Quarantine to Move to Junk.
The consequence of redirecting everything to Junk is that users see more junk mail and more phish lures in their mailbox. The benefit is that nothing is invisible to the end user. A mini scenario: Marcus, an MSP engineer, redirected all spam verdicts to Junk for a 200-seat client who hated end-user quarantine notifications. Help-desk tickets about “missing email” dropped by 60% in the first week.
Using PowerShell to Bulk-Change Policies
PowerShell is faster than the portal for multi-tenant MSPs. Connect with Connect-ExchangeOnline. Then run Set-HostedContentFilterPolicy -Identity Default -SpamAction MoveToJmf -HighConfidenceSpamAction MoveToJmf -PhishSpamAction Quarantine -HighConfidencePhishAction Quarantine -BulkSpamAction MoveToJmf. Microsoft blocks changing the high-confidence phish action to anything other than Quarantine, so the cmdlet will fail if you try.
For anti-malware, use Set-MalwareFilterPolicy to change the quarantine tag and notification frequency. For anti-phishing, Set-AntiPhishPolicy controls spoof and impersonation actions. Always export the current configuration first with Get-HostedContentFilterPolicy | Export-Clixml backup.xml so you can roll back.
The consequence of skipping the backup is that you cannot prove what the tenant looked like before your change, which matters under SEC Rule 17a-4(f) and FINRA Rule 3110 supervisory obligations for broker-dealers.
Bypass Filtering with Mail Flow Rules
A mail flow rule (also called a transport rule) is the surgical tool. In the Exchange admin center, create a rule that sets the Spam Confidence Level (SCL) to -1 for mail from specific senders, domains, or IP ranges. SCL -1 tells EOP to skip spam filtering entirely, though it does not skip malware or high-confidence phish.
A real example: Elena, a compliance officer at a credit union, needed to guarantee that phishing-simulation emails from her training vendor reached user inboxes. She built a rule: If the sender domain is training-vendor.com AND the message header contains the simulation X-header, set SCL to -1 and set the header X-MS-Exchange-Organization-SkipSafeLinksProcessing to 1. That is the Microsoft-recommended pattern for third-party phishing simulations.
The consequence of writing the rule too broadly (for example, bypassing filtering for any message with the word “invoice”) is that attackers will craft messages to match your rule and slide past EOP. Microsoft’s Secure Score flags overly broad SCL -1 rules and deducts points.
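The review described above as a script: it lists every SCL -1 rule and marks the ones matched on keywords, on a whole TLD, or on a sender domain alone. It is an added example, not code from the original article or from Microsoft; the function name Test-SclBypassRule, the heuristics and the sample rules are constructed, and the property names are those returned by Get-TransportRule.

```powershell
# Added example: flags SCL -1 mail flow rules that an outside sender can
# satisfy easily. Heuristics and all sample rules below are constructed.
function Test-SclBypassRule {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] $Rule)
    process {
        if ("$($Rule.SetSCL)" -ne '-1') { return }   # not a spam-filter bypass
        $findings = [System.Collections.Generic.List[string]]::new()

        # Keyword conditions: the sender controls subject, body and address text.
        foreach ($p in 'SubjectContainsWords', 'SubjectOrBodyContainsWords',
                       'FromAddressContainsWords') {
            if ($Rule.$p) {
                $findings.Add("keyword match: $p = $(@($Rule.$p) -join ', ')")
            }
        }

        # Domain conditions: a bare TLD covers every sender under it; a domain
        # with no IP range or header condition rests on the sender domain alone.
        $pinned = [bool]$Rule.SenderIpRanges -or [bool]$Rule.HeaderContainsMessageHeader
        foreach ($d in @($Rule.SenderDomainIs)) {
            if (-not $d) { continue }
            if ($d.TrimStart('.') -notmatch '\.') {
                $findings.Add("whole TLD: $d")
            }
            elseif (-not $pinned) {
                $findings.Add("domain only, no IP or header condition: $d")
            }
        }

        # No sender-side condition at all: the bypass applies to any sender.
        $scoped = $Rule.SenderDomainIs -or $Rule.SenderIpRanges -or $Rule.From -or
                  $Rule.FromMemberOf -or $Rule.HeaderContainsMessageHeader
        if (-not $scoped) { $findings.Add('no sender, IP or header condition') }

        [pscustomobject]@{
            Rule     = $Rule.Name
            State    = $Rule.State
            Risk     = if ($findings.Count) { 'Review' } else { 'Scoped' }
            Findings = $findings -join '; '
        }
    }
}

# Constructed sample rules, shaped like Get-TransportRule output.
$sampleRules = @(
    [pscustomobject]@{ Name = 'Vendor invoices'; State = 'Enabled'; SetSCL = -1
                       SubjectContainsWords = @('invoice') }
    [pscustomobject]@{ Name = 'Allow all .com'; State = 'Enabled'; SetSCL = -1
                       SenderDomainIs = @('com') }
    [pscustomobject]@{ Name = 'Phish simulation'; State = 'Enabled'; SetSCL = -1
                       SenderDomainIs = @('training-vendor.com')
                       HeaderContainsMessageHeader = 'X-Constructed-Simulation' }
    [pscustomobject]@{ Name = 'Disclaimer footer'; State = 'Enabled'; SetSCL = $null }
)
$sampleRules | Test-SclBypassRule | Format-Table -AutoSize -Wrap

# Against a connected tenant: Get-TransportRule | Test-SclBypassRule
```

Rules marked Review are candidates for narrowing to a sender domain plus an IP range or header condition, or for replacement with an Advanced delivery entry.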
How to Disable Quarantine in Outlook Desktop and Web
Outlook quarantine at the client level is really the Junk Email filter. You turn it off in three places: the Junk Email Options dialog, the blocked-sender list, and the safe-sender list. These settings do not affect server-side EOP quarantine at all.
In Outlook for Windows, go to Home > Junk > Junk Email Options. On the Options tab, select No Automatic Filtering. On the Safe Senders tab, add trusted domains. On the Blocked Senders tab, remove any entries you no longer want to block. Click OK. The client will stop moving mail to Junk on its own.
In Outlook on the web, click Settings > Mail > Junk email. Toggle off Filter junk email, add safe senders, and remove blocked senders. The setting syncs to the mailbox and applies across all Outlook clients signed into that account.
The consequence of turning off client-side filtering is not that dangerous, because EOP still catches the worst mail at the gateway. The benefit is that users stop losing legitimate mail to false positives. A mini scenario: Derek, a solo CPA, kept missing client-portal password resets because Outlook’s local filter flagged them. He switched to No Automatic Filtering and added the portal domain to Safe Senders, and the problem ended.
End-User Quarantine Release
Users can release their own quarantined mail at https://security.microsoft.com/quarantine if the assigned quarantine policy allows it. The default for spam and bulk is DefaultFullAccessWithNotificationPolicy, which lets users preview, release, and request release. High-confidence phish and malware default to AdminOnlyAccessPolicy, which forces users to request release and wait for admin approval.
Users get an end-user quarantine notification email, sometimes called a digest, typically every 24 hours. You can change frequency to 4 hours or 7 days with Set-QuarantinePolicy -EndUserQuarantinePermissionsValue.
The consequence of turning off digests without training users to check the portal is that legitimate mail sits in quarantine until it expires, usually 30 days under the default Set-HostedContentFilterPolicy QuarantineRetentionPeriod. After that, it is gone.
Disabling Outlook’s Focused Inbox
Focused Inbox is not quarantine, but users often confuse the two. Mail in the Other tab looks “missing.” Turn it off per-user in Outlook under View > Show Focused Inbox, or tenant-wide with Set-OrganizationConfig -FocusedInboxOn $false. After that, every message lands in a single Inbox tab.
On-Premises Exchange Server Quarantine
Exchange Server 2016 and 2019 run a content filter agent that routes spam to a designated spam quarantine mailbox. You disable it with Disable-TransportAgent "Content Filter Agent" on the Edge or Mailbox server, then restart the Microsoft Exchange Transport service.
You can also clear the quarantine mailbox by opening it in Outlook as a shared mailbox and deleting items, or by running Search-Mailbox -Identity [email protected] -DeleteContent. Note that Search-Mailbox is deprecated in newer builds; Microsoft now recommends New-ComplianceSearch and New-ComplianceSearchAction.
The consequence of disabling the content filter agent on-prem is that every message is delivered, including obvious spam, unless you have a third-party gateway like Proofpoint or Mimecast in front of Exchange. Microsoft ended mainstream support for Exchange 2016 in October 2020 and extended support ends in October 2025, so most organizations should be planning migration rather than tuning quarantine.
Quarantine Scenarios and Their Consequences
The three most common disable-quarantine scenarios produce very different outcomes. Review the table before you change any policy.
| Disablement Choice | Downstream Consequence |
|---|---|
| Redirect all spam verdicts to Junk Email folder | Users see more spam but nothing is hidden; help-desk tickets about missing mail drop sharply |
| Create an SCL -1 mail flow rule for a vendor domain | Vendor mail bypasses spam filtering, but malware and high-confidence phish are still blocked |
| Disable the on-prem Content Filter Agent with no gateway | Every message, including obvious spam and bulk, is delivered; inboxes flood within hours |
A second table helps distinguish the quarantine layers:
| Quarantine Layer | Where You Disable It |
|---|---|
| EOP anti-spam quarantine | Defender portal anti-spam policy actions |
| Defender for Office 365 | Anti-phishing and Safe Attachments policies |
| Outlook client Junk filter | Home > Junk > Junk Email Options > No Automatic Filtering |
| On-prem Exchange content filter | Disable-TransportAgent "Content Filter Agent" |
A third table shows the legal and compliance stakes:
| Regulated Sector | Risk of Blanket Quarantine Disablement |
|---|---|
| Healthcare under HIPAA | Unfiltered phish can cause PHI breach; civil penalties up to $2.13 million per violation tier in 2025 |
| Broker-dealers under SEC 17a-4 | Loss of reviewable supervisory records; FINRA fines and censure |
| Any business under FTC Safeguards Rule | Reasonable email security is an expected safeguard; FTC enforcement actions if missing |
Named Examples in the Field
Priya, the architecture firm IT manager, learned that Secure by Default blocks high-confidence phish even with an allow rule. She fixed the problem by adding the legitimate sender to the Tenant Allow/Block List with a time-limited allow entry. That entry expires after 30 days, which Microsoft enforces to prevent permanent holes.
Marcus, the MSP engineer, wrote a runbook for his 12 tenants. Each tenant’s anti-spam policy moves spam and bulk to Junk, but keeps phish in quarantine. He documented the baseline with Get-HostedContentFilterPolicy | Export-Clixml and stores the XML in his PSA ticketing system for audit purposes.
Elena, the credit union compliance officer, built her phishing-simulation bypass using the Advanced delivery policy rather than SCL -1 rules. Advanced delivery preserves full telemetry for Defender, while SCL -1 rules wipe the spam verdicts from the message trace.
Derek, the solo CPA, uses Outlook Safe Senders for his client portals and keeps EOP defaults. He does not need tenant-wide changes, because his use case is one user.
Rachel, a hospital CISO, refused to disable quarantine tenant-wide after a VP complained about delayed mail. Instead, she created per-user quarantine notification digests every 4 hours and trained the VP’s assistant to check the portal. The hospital avoided HIPAA exposure that a blanket bypass would have created.
Mistakes to Avoid
Disabling quarantine is a surgical task. The following mistakes are the ones that generate the most tickets, breaches, and audit findings. Each mistake has a specific negative outcome.
- Turning off the anti-malware policy entirely: you cannot, and trying wastes hours; malware action is always Quarantine.
- Using SCL -1 for broad keyword matches like “invoice”: attackers craft messages that match and slip past filtering.
- Forgetting that high-confidence phish cannot be redirected: the portal silently keeps Quarantine even if you try to change it.
- Disabling end-user quarantine notifications without training: legitimate mail expires after 30 days with no one checking.
- Editing the Default policy instead of creating a scoped custom policy: you lose Microsoft’s recommended baseline for all users.
- Skipping a configuration backup before changes: you cannot roll back or prove prior state under SEC 17a-4.
- Bypassing filtering for a whole top-level domain like .com: the rule becomes a universal phishing tunnel.
- Confusing Junk Email with quarantine: users report “missing mail” when it is sitting in their own Junk folder.
- Leaving the on-prem Content Filter Agent disabled with no replacement: inboxes flood with spam within hours.
- Allowing a domain in Tenant Allow/Block List longer than 30 days: Microsoft expires allow entries on purpose, and the “fix” silently ends.
- Ignoring the Submissions portal for false positives: Microsoft uses submissions to retrain the filter for your tenant.
Do’s and Don’ts
The do’s and don’ts below sit above every tactical step. Follow them and most disablement projects stay safe.
- Do scope policies to groups or users before rolling changes tenant-wide, because blast radius control is the single biggest risk reducer.
- Do back up every policy with PowerShell export, because you need proof of prior state for audits and rollbacks.
- Do use the Advanced delivery policy for phishing simulations, because it preserves Defender telemetry.
- Do redirect verdicts to Junk instead of Delete, because Delete is irreversible and legal hold obligations may apply.
- Do monitor Microsoft Secure Score after every change, because it flags configuration drift.
- Don’t disable quarantine tenant-wide, because Secure by Default exists for a reason and malware still reaches users.
- Don’t edit Default policies, because custom policies override Default and leave the baseline intact.
- Don’t use SCL -1 rules for broad matches, because attackers mimic your match conditions.
- Don’t turn off end-user notifications without training, because users cannot release what they cannot see.
- Don’t skip documentation, because auditors and successors both need a trail.
Pros and Cons of Disabling Quarantine
Disabling or loosening quarantine has real benefits and real costs. Weigh both sides before you touch a policy.
- Pro: Fewer “missing email” help-desk tickets, because users see all mail in Inbox or Junk.
- Pro: Faster delivery of time-sensitive vendor mail, because EOP holds can delay by minutes or hours.
- Pro: Simpler end-user training, because there is no separate portal to check.
- Pro: Better compatibility with third-party gateways, because EOP rules do not fight the gateway’s verdicts.
- Pro: Higher visibility for security teams, because suspicious mail in Junk is still reviewable.
- Con: More phishing lures reach inboxes, because spam filtering is weaker than quarantine.
- Con: Higher risk of ransomware and BEC, because one click in Junk is enough.
- Con: Compliance exposure under HIPAA, SEC 17a-4, and the FTC Safeguards Rule.
- Con: Secure Score drops, which affects cyber insurance underwriting.
- Con: Configuration drift is harder to detect, because custom rules proliferate.
Key Entities and Their Roles
Microsoft owns the platform and sets the defaults through Exchange Online Protection and Defender for Office 365. The Cybersecurity and Infrastructure Security Agency (CISA) publishes Binding Operational Directive 25-01 for federal civilian agencies, which requires Secure by Default baselines on Microsoft 365.
The Federal Trade Commission enforces the Safeguards Rule for financial institutions, which treats email filtering as a reasonable safeguard. The Department of Health and Human Services Office for Civil Rights enforces HIPAA, and its breach portal lists dozens of phishing-caused incidents each year.
The Securities and Exchange Commission and FINRA jointly enforce email-retention and supervisory duties. State attorneys general enforce state data-breach statutes like California Civil Code § 1798.82 and the New York SHIELD Act, both of which treat unfiltered phishing that causes a breach as evidence of inadequate safeguards.
Recap of Relevant Rulings and Guidance
In LabMD, Inc. v. FTC, 894 F.3d 1221 (11th Cir. 2018), the Eleventh Circuit vacated an FTC order for lack of specificity but left intact the principle that unreasonable security practices violate Section 5 of the FTC Act. The opinion is the most cited case for why email security controls, including quarantine, must be documented and specific.
In In re Equifax Inc. Customer Data Security Breach Litigation, MDL No. 2800 (N.D. Ga. 2020), the court approved a settlement that included mandatory phishing controls. Although Equifax involved a web application, the final order’s email-security provisions are frequently cited in vendor questionnaires.
The SEC’s 2023 cybersecurity disclosure rule requires public companies to describe material cybersecurity incidents on Form 8-K within four business days. Disabling quarantine, if it contributes to a material incident, is the kind of control failure the rule expects to be disclosed.
Step-by-Step Process Forms and PowerShell
The tenant-level process has 10 discrete steps, and each carries its own choice point. Skipping any step creates a gap that auditors will find.
1. Document the current state with Get-HostedContentFilterPolicy, Get-MalwareFilterPolicy, Get-AntiPhishPolicy, and Get-TransportRule piped to Export-Clixml.
2. Identify the scope: one user, one group, one domain, or the tenant.
3. Create a custom policy rather than editing Default, using New-HostedContentFilterPolicy and New-HostedContentFilterRule.
4. Choose the action for each verdict: MoveToJmf for spam and bulk, Quarantine for phish and malware.
5. Assign a quarantine policy: AdminOnlyAccessPolicy, NotificationEnabledPolicy, or a custom policy.
6. Set the end-user notification frequency with -EndUserSpamNotificationFrequency.
7. Apply the policy to a scoped group with New-HostedContentFilterRule -SentToMemberOf.
8. Test with a named user from the Submissions portal or the Microsoft 365 Attack Simulator.
9. Review Message Trace to confirm verdicts behave as expected.
10. Monitor Secure Score and user tickets for 30 days before rolling tenant-wide.
The consequence of skipping step 3 and editing Default is that Microsoft updates the Default policy across tenants periodically, and your changes can be overwritten. A common misconception is that “Default” means “disabled by default.” It does not. Default is the active baseline.
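Steps 1, 3, 4, 5 and 7 of the process above as one script. This is an added example, not the author's or Microsoft's code; the backup folder, the policy name and the pilot group address are placeholders, and it assumes the ExchangeOnlineManagement module and an account allowed to edit threat policies.

```powershell
#Requires -Modules ExchangeOnlineManagement
# Added example. $BackupRoot, $PolicyName and $PilotGroup are placeholders.
param(
    [string]$BackupRoot = '.\eop-backup',
    [string]$PolicyName = 'Pilot - spam and bulk to Junk',
    [string]$PilotGroup = 'quarantine-pilot@example.com'
)
$ErrorActionPreference = 'Stop'
Connect-ExchangeOnline -ShowBanner:$false

# Step 1: export the current state so there is a dated record to roll back to.
$folder = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path $folder -Force | Out-Null
$snapshots = [ordered]@{
    HostedContentFilterPolicy = { Get-HostedContentFilterPolicy }
    MalwareFilterPolicy       = { Get-MalwareFilterPolicy }
    AntiPhishPolicy           = { Get-AntiPhishPolicy }
    TransportRule             = { Get-TransportRule }
}
foreach ($name in $snapshots.Keys) {
    & $snapshots[$name] | Export-Clixml -Path (Join-Path $folder "$name.xml")
}

# Steps 3-5: a custom policy, leaving Default untouched. Spam and bulk go to
# Junk; both phish verdicts stay in quarantine with admin-only release.
$settings = @{
    Name                             = $PolicyName
    SpamAction                       = 'MoveToJmf'
    HighConfidenceSpamAction         = 'MoveToJmf'
    BulkSpamAction                   = 'MoveToJmf'
    PhishSpamAction                  = 'Quarantine'
    HighConfidencePhishAction        = 'Quarantine'
    PhishQuarantineTag               = 'AdminOnlyAccessPolicy'
    HighConfidencePhishQuarantineTag = 'AdminOnlyAccessPolicy'
    QuarantineRetentionPeriod        = 30
}
if (-not (Get-HostedContentFilterPolicy | Where-Object Name -eq $PolicyName)) {
    New-HostedContentFilterPolicy @settings | Out-Null
}

# Step 7: scope the policy to the pilot group only.
if (-not (Get-HostedContentFilterRule | Where-Object Name -eq $PolicyName)) {
    New-HostedContentFilterRule -Name $PolicyName `
        -HostedContentFilterPolicy $PolicyName `
        -SentToMemberOf $PilotGroup | Out-Null
}

# Read back what the tenant stored, for the change record.
Get-HostedContentFilterPolicy -Identity $PolicyName |
    Format-List Name, *Action, *QuarantineTag
Write-Host "Pre-change snapshot written to $folder"
```

Import-Clixml on the step 1 files returns the pre-change values when a rollback or an audit question comes up.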
State-Level Nuances
California treats inadequate email security as a factor in CCPA enforcement under Cal. Civ. Code § 1798.150. New York relies on the SHIELD Act, which requires reasonable safeguards including email filtering. Massachusetts under 201 CMR 17.00 requires a written information security program that covers email.
Texas, Illinois, and Florida each require breach notice when phishing causes an incident. The consequence of disabling quarantine and suffering a resulting breach is that state notification timelines (typically 30 to 60 days) begin running the moment you identify the incident.
FAQs
Can I fully disable quarantine in Microsoft 365?
No. Microsoft’s Secure by Default prevents full disablement for high-confidence phish and malware, though you can redirect most other verdicts to Junk Email.
Does disabling Outlook’s Junk filter affect tenant quarantine?
No. The Outlook desktop Junk filter is client-side only and does not change EOP or Defender for Office 365 behavior at the gateway.
Is it legal to disable quarantine in a regulated industry?
No. Healthcare, finance, and public-company sectors must show reasonable safeguards, and blanket disablement conflicts with HIPAA, GLBA, and SEC rules.
Can users release their own quarantined phishing mail?
No. Default policy assigns AdminOnlyAccessPolicy to high-confidence phish and malware, so users can only request release, not complete it.
Will an SCL -1 rule bypass malware scanning?
No. SCL -1 skips spam filtering only, and malware plus high-confidence phish are still blocked by Secure by Default.
Does the Tenant Allow/Block List permanently allow senders?
No. Microsoft expires allow entries after 30 days unless extended, which forces periodic review of every override.
Are quarantine retention periods adjustable?
Yes. The default is 30 days for most verdicts and can be lowered with Set-HostedContentFilterPolicy -QuarantineRetentionPeriod.
Can I disable end-user quarantine notifications only?
Yes. Set the quarantine policy to a variant without notifications, or lower frequency with Set-QuarantinePolicy, while keeping filtering active.
Is the Advanced delivery policy safer than SCL -1 rules?
Yes. Advanced delivery preserves Defender telemetry and is Microsoft’s recommended path for phishing simulations and security operations mailboxes.
Does disabling quarantine lower Microsoft Secure Score?
Yes. Secure Score deducts points for broad bypass rules, weakened anti-spam actions, and missing quarantine policies.
Can on-prem Exchange quarantine be cleared without PowerShell?
Yes. Administrators can open the spam quarantine mailbox in Outlook and delete items manually, though PowerShell is faster and auditable.
Will Microsoft ever change the phish quarantine rule?
No. Microsoft has publicly committed to Secure by Default, and recent product direction is toward stricter defaults, not looser ones.