Follow the instructions below to enable and configure the Adaptive Email Security remediation engine for your organization's Microsoft account. The remediation engine lets you decide what Adaptive does with malicious emails automatically, based on how confident the detection is.
⚠️ To complete the following steps, you must be a Microsoft Global Admin.
Step 1 — Grant remediation permissions
Remediation requires write access to your Microsoft tenant. If you've already granted read-write access, skip to Step 2. Complete this step only if you previously connected Adaptive with read-only permissions and need to re-authorize.
Go to Workspace > Integrations.
Re-authorize the integration by clicking Manage > Actions > Re-authorize.
Log into your Microsoft account.
Click Accept to enable the permissions for Adaptive Email Security.
Step 2 — Turn on Email Event Remediation
Navigate to Settings > Email Security.
Toggle on Email Event Remediation.
While this toggle is off, Adaptive stays in read-only mode — it only monitors and scores reported threats and takes no action. Turn it on to configure automated actions.
Step 3 — Set your confidence threshold and actions
Each malicious event Adaptive detects is given a confidence score from 0–100, reflecting how confident Adaptive is that the email is a genuine threat. You decide what happens above and below a threshold you choose.
In the Confidence Threshold Rules card, click Configure.
Set the Confidence Score Threshold (default: 70). Use Restore Default to return to 70 at any time.
Choose the remediation action for emails that score below the threshold (for example, Leave in inbox; flag for admin review).
Choose the remediation action for emails that score at or above the threshold (for example, Remove email from all inboxes and send to trash).
Click Save.
Available remediation action options:
Leave in inbox, no action — Adaptive scores the email but takes no action; the message stays in the recipient's mailbox.
Leave in inbox; flag for admin review — The email stays in the mailbox but is flagged for an admin to review and action manually.
Move email to spam — Adaptive moves the email to the recipient's spam folder.
Remove email from all inboxes and send to trash — Adaptive removes the email from every affected inbox and sends it to trash.
A typical setup leaves lower-confidence detections in the inbox and flags them for an admin to review, while automatically removing higher-confidence threats. Adjust the threshold up to act automatically on fewer, more certain detections, or down to act on more.
Step 4 — Decide on Auto-remediate similar messages
The Auto-remediate similar messages toggle extends an automatic remediation to closely related messages.
When on, if an email is automatically remediated, Adaptive applies the same action to similar messages (same sender/subject) detected within a rolling 72-hour window.
Leave it off if you want each message remediated individually.
Step 5 — Set-up Admin Digest Notifications
Once remediation is configured, you can set-up admin digest notifications to be sent to you via Email and/or via Slack / Teams to inform you of auto-remediation updates, as well as items flagged for Admin Review that require your attention.
Note that notifications are set up per admin, so each member of your team will have the option to set up notifications at their preferred frequency and via their preferred channel.
To configure:
Navigate to Settings > Personal Settings
Under Activity Notifications, navigate to Email Security Report
Set the preferred frequency of notification via the drop-down.
And, toggle on your preferred channel(s) of notification (email, Slack/Teams, or both)
You will start to receive a digest notification per your specified frequency.
Questions?
Reach out to [email protected]




