Parameter Attribute DataType Description Allowed Values
Identity Key String The Identity parameter specifies the name of the SafeAttachmentpolicy that you want to modify.
Action Write String The Action parameter specifies the action for the Safe Attachments policy. Block, Replace, Allow, DynamicDelivery
ActionOnError Write Boolean The ActionOnError parameter specifies the error handling option for Safe Attachments scanning (what to do if scanning times out or an error occurs). Valid values are: $true: The action specified by the Action parameter is applied to messages even when the attachments aren't successfully scanned. $false: The action specified by the Action parameter isn't applied to messages when the attachments aren't successfully scanned. This is the default value.
AdminDisplayName Write String The AdminDisplayName parameter specifies a description for the policy.
Enable Write Boolean Specify if this policy should be enabled. Default is $true.
QuarantineTag Write String The QuarantineTag specifies the quarantine policy that's used on messages that are quarantined as malware by Safe Attachments.
Redirect Write Boolean The Redirect parameter specifies whether to send detected malware attachments to another email address. Valid values are: $true: Malware attachments are sent to the email address specified by the RedirectAddress parameter. $false: Malware attachments aren't sent to another email address. This is the default value.
RedirectAddress Write String The RedirectAddress parameter specifies the email address where detected malware attachments are sent when the Redirect parameter is set to the value $true.
Ensure Write String Specify if this policy should exist or not. Present, Absent
Credential Write PSCredential Credentials of the Exchange Global Admin
ApplicationId Write String Id of the Azure Active Directory application to authenticate with.
TenantId Write String Id of the Azure Active Directory tenant used for authentication.
CertificateThumbprint Write String Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.
CertificatePassword Write PSCredential Username can be made up to anything but password will be used for CertificatePassword
CertificatePath Write String Path to certificate used in service principal usually a PFX file.
ManagedIdentity Write Boolean Managed ID being used for authentication.


This resource configures the settings of the Safe Attachments policies in your cloud-based organization.



To authenticate with Microsoft Exchange, this resource required the following permissions:


  • Transport Hygiene, Security Admin, View-Only Configuration, Security Reader

Role Groups

  • Organization Management


Example 1

This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to use as a production baseline.

Configuration Example
        [Parameter(Mandatory = $true)]
    Import-DscResource -ModuleName Microsoft365DSC

    node localhost
        EXOSafeAttachmentPolicy 'ConfigureSafeAttachmentPolicy'
            Identity             = "Marketing Block Attachments"
            Enable               = $True
            Redirect             = $True
            RedirectAddress      = "admin@contoso.com"
            Ensure               = "Present"
            Credential           = $credsGlobalAdmin