Create an On-Demand Policy

On-demand policies are created from the search results page. See Message Search for details.

NOTE:

Creating an on-demand policy is done with the Enforce Now button on the message search results page, and the Enforce Now button is visible only if enforcement has been enabled for your organization.  When you're viewing message search results and click the Enforce Now button.

You can only enforce 10000 or fewer messages at a time using an on-demand policy for organizations using MS Graph API Enforcement. For search results larger than 10000 messages, you may choose up to 10000 messages from the results to enforce. For organizations using Sensor Enforcement, you can enforce only 2000 or fewer messages at a time using an on-demand policy. For search results larger than 2000 messages, you may choose up to 2000 messages from the results to enforce.

Enforce Now Button
Enforce Now button

 

  1. View a list of messages by either going to Analyze > Search Messages or clicking a Message link on the Dashboard (Analyze > Dashboard).
  2. If necessary, narrow your search criteria so that the results shown are fewer than 10000 messages for organizations with Graph API enforcement and fewer than 2000 for organizations with Sensor Enforcement.

    3. You can narrow your results by adding more condition to the search criteria. For example, you can add specific Message-ID to search criteria like "To:", "From:" and "Subject."

    In this example, the search criteria are narrowed to a set of messages from a particular domain to a single user:

    Narrowing search results.

    Narrowing search results

  3. Click Enforce Now. The button changes to Enforce Selected and is inactive until you select messages to enforce.
  4. Select either all of the messages in the search results by clicking on the link or select individual or a page of search results by clicking in the boxes in the left column of search results. Note the differences in selecting all messages in the entire set versus selecting all messages shown on the current page of results:

    5. Selecting individual messages versus selecting all messages.

    Selecting individual messages versus selecting all messages.

    NOTE: If your organization has Insider Impersonation Protection enabled and is evaluating all messages (see the Evaluate Messages setting in Organization Settings) on-demand policies apply only to inbound and internal messages. Any outbound messages that you select when creating an on-demand policy will be excluded and not used as the basis for the policy.

  5. After selecting at least one message, click Enforce selected.
  6. In the Enforce Now dialog box, confirm the number of messages to be enforced and choose the enforcement action you would like to take. (The question mark icon provides additional information on why some messages may not be able to be moved.)

    7. Choosing an enforcement action.

    Choosing an enforcement action

  7. Click OK to enforce the message(s) immediately.

After you click OK, the On-demand policy details page is displayed while Cloud Email Protection contacts your sensor(s).

In-progress status of an on-demand policy.
On-demand policy details

Click the pencil icon to re-name the on-demand policy, if necessary. (For example, "Deleted Spam messages.")

In addition to the status of the enforcement action, you will also be able to see if the recipient of the message had read the message or not at the time the enforcement happened. If the Read? column contains an open envelope, it means the recipient had already read the message.