Microsoft Defender

New Defender XDR permission for viewing and downloading quarantined emails

18. April 2026

Microsoft is updating how access to quarantined email content is managed in Microsoft Defender for Office 365. A new permission is being introduced that gives organizations more precise control over who can view and download the content of quarantined messages.


Timeline

The rollout should be completed in May 2026.

How does this affect your organization?

Following the recent permission update in Defender XDR RBAC to scope access to user-reported malware and phishing emails, Microsoft is rolling out an additional permission to grant read access to all quarantined emails.

New Defender XDR permission: Quarantine Emails (Read)
New Defender XDR permission: Quarantine Emails (Read)

Administrators who currently hold permissions such as Email and collaboration quarantine (manage) or Security data basics (read) will automatically receive the new permission, so their access to quarantined message content continues without interruption. IT Security members without the new permission will still be able to see message metadata, but will no longer be able to preview or download the actual content of quarantined emails.

To summarize the four permissions:

  • Email & collaboration metadata (Read)
    Users with this permission can investigate email threats using hunting tools and dashboards, but cannot open or download any message content.

  • Email & collaboration content (Read)
    Users with this permission can open and download any email content and attachments across all Defender workflows and scenarios.

  • NEW: Email & collaboration content: Emails associated with alerts (Read)
    Users with this permission can open and download email content only when the message has triggered a user-reported alert for malware or phishing.

  • NEW: Email & collaboration content: Quarantine Emails (Read)
    Users with this permission can open and download quarantined messages, but have no access to email content outside of quarantine.

This update has no impact on how threats are detected, how email verdicts are assigned, or how mail flows through the organization. It also does not change the end-user quarantine experience.

Tags:

Share
Avatar photo

Tobias Asböck

Tobias is a Senior System Engineer with more than 10 years of professional experience with Microsoft 365 products such as SharePoint Online, SharePoint Premium, OneDrive for Business, Teams Collaboration, Entra ID, Information Protection, Universal Print, and Microsoft 365 Licensing. He also has 15+ years of experience planning, administering, and operating SharePoint Server environments. Tobias is a PowerShell Scripter with certifications for Microsoft 365 products. In his spare time, Tobias is busy with updates in the Microsoft 365 world or on the road with his road bike and other sports activities. If you have additional questions, please contact me via LinkedIn or [email protected].

Leave a Reply

Your email address will not be published. Required fields are marked *