Views:
When Cloud Email and Collaboration Protection detects a threat in a meeting invitation email and quarantines or deletes the message, the corresponding calendar item remains in the recipient's mailbox. To address this, administrators can configure Cloud Email and Collaboration Protection to take actions on calendar items associated with detected invitation emails.
When enabled, Cloud Email and Collaboration Protection can perform the following actions on calendar items:
  • Add disclaimer — Adds a warning message to the calendar item to notify end users the invitation emails detection.
  • Delete — Removes the corresponding calendar item from the recipient's mailbox.
Note
Note
  • This feature applies to Exchange Online only.
  • Calendar item actions work with real-time scanning only. Manual scanning does not support calendar item actions.
  • Calendar item updates may fail in certain scenarios, such as when the calendar item is protected by Microsoft Information Protection (MIP).

Before you begin

  • Exchange Online is provisioned in Cloud Email and Collaboration Protection.
  • The Exchange Online app has the Calendars.ReadWrite permission. If this permission is not included, a message appears in the configuration, prompting you to recreate the access token.

Procedure

  1. If the Exchange Online app does not already have the Calendars.ReadWrite permission, recreate the access token.
    1. Go to the service account page for Exchange Online.
    2. Recreate the access token to include the Calendars.ReadWrite permission.
  2. In Cloud Email and Collaboration Protection, go to Policy Global SettingsOther Settings Exchange Online API Protection Settings for calendar item options.
    If the Exchange Online is not provisioned, the page displays a message prompting you to provision the service first.
  3. Enable the Calendar item action option.
  4. Select the action to take on calendar items when the associated invitation email is quarantined or deleted:
    • Add disclaimer — Adds a warning to the calendar item notifying the end user that the associated invitation email was quarantined or deleted due to detected threats. Users should exercise caution with links and attachments in the calendar item.
    • Delete — Removes the calendar item from the recipient's mailbox.
  5. Click Save.
When the calendar item action is enabled and a threat is detected in an invitation email during real-time scanning, Cloud Email and Collaboration Protection performs the configured action on the corresponding calendar item.
  • If the invitation email was sent to a group, Cloud Email and Collaboration Protection applies the action to each recipient's calendar item.
  • If the invitation email includes recurring occurrences, Cloud Email and Collaboration Protection applies the action to all related calendar items.
  • Cloud Email and Collaboration Protection adds a disclaimer only once per calendar item.