Microsoft Defender for Office 365 quarantine content read permission update

Microsoft Defender for Office 365 will introduce a new permission for viewing quarantined email content via Defender XDR Unified RBAC, rolling out late March to mid-April 2026. Admins need this permission to access message content; others see metadata only. Existing eligible admins will be auto-assigned this permission.

[Introduction]

We’re introducing updated access controls for quarantined messages in Microsoft Defender for Office 365. These updates add a new permission that provides more granular control over who can view quarantined email content, helping organizations better protect sensitive email data.

These changes affect permissions assigned through Defender XDR Unified RBAC.

[When this will happen:]

General Availability (Worldwide): We will begin rolling out late March 2026 and expect to complete by mid-April 2026.

[How this will affect your organization:]

Who is affected:

• Microsoft 365 administrators and security operators who are assigned permissions to access quarantined messages in Microsoft Defender for Office 365
• Only those using Microsoft Defender XDR Unified role-based access control (URBAC); this change does not apply to legacy role-based access control.
• Microsoft 365 administrators who are assigned Security operations, Security data, Email and collaboration quarantine (manage), or Security data basics (read) permissions today, which provide access to preview and download quarantined content.

What will happen:

• A new permission, Email and collaboration content: Quarantine emails (read), is being introduced to control access to quarantined message content.
• To view and download the content of quarantined email messages, admins must have the new permission.
• Admins without this permission will continue to see metadata only and will not be able to preview or download quarantined message content.
• This update does not change threat detection, verdict, or mail flow behavior. It only affects access to message content after items are quarantined.
• There is no impact to user quarantine experiences.
• To maintain parity, admins with existing access permissions (including Email and collaboration quarantine (manage) or Security data basics (read)) will automatically be assigned this new permission.

[What you can do to prepare:]

• Review which administrators in your organization require access to quarantined message content.
• Validate that you were auto assigned this new permission (if applicable).
• Update role assignments as needed in the Microsoft Defender portal under Roles and Role assignments.
• Communicate this change to security operations and helpdesk teams that investigate quarantined messages.

Learn more:

• Manage quarantined messages and files as an admin - Microsoft Defender for Office 365 | Microsoft Learn (will be updated before rollout)
• Quarantine policies - Microsoft Defender for Office 365 | Microsoft Learn (will be updated before rollout)

[Compliance considerations:]

No additional compliance considerations were identified. Review as appropriate for your organization.