Microsoft 365

New External Domain Anomalies Report in the Teams admin center flags unusual external communication patterns

24. March 2026

Microsoft is rolling out a new Teams admin report to help identify unexpected or abnormal communication patterns with external organisations.
The External domain anomalies report should provide an overview of how users in the tenant interact with people outside the organisation and flag sudden spikes or unusual engagement that fall outside normal patterns, helping ensure external collaboration remains secure and any unexpected activity can be investigated promptly.

The External Domain Anomalies Report in the Microsoft Teams admin center helps administrators identify unusual external collaboration patterns between users in the organization and external domains.

This detection focuses specifically on first-time external-to-internal contact. Ongoing or previously established relationships are not evaluated in the same way. The signal is designed based on observations that higher-risk scenarios often correlate with sudden increases in new external contact from a domain. By emphasising first-time interaction patterns rather than ongoing collaboration, the report highlights deviations from typical organisational behaviour.

The report is available in the Teams admin center > Analytics & reports > Protection reports. Administrators can select the Communication anomalies report, choose a date range of up to the last 10 days, and run it to review the findings.

Select the Communication anomalies report
Select the Communication anomalies report

Results show which external domains have displayed unusual communication activity, including the total number of anomalies detected and details about new one-to-one and group threads initiated by contacts from those domains. An option to block an external domain is also available directly within the report.

Communication anomalies report (Microsoft)
Communication anomalies report (Microsoft)

In addition to manually viewing the report, Teams administrators can enable automatic daily alerts summarising the top five external domains with unusual activity. Alerts are not enabled by default.
These alerts can be configured to post notifications to a specific Teams channel, keeping security teams informed without requiring them to check the report manually each day.

Channel alert rule for external domain anomalies
Channel alert rule for external domain anomalies

The rollout should be completed by April 2026.

Tags:

Share
Avatar photo

Tobias Asböck

Tobias is a Senior System Engineer with more than 10 years of professional experience with Microsoft 365 products such as SharePoint Online, SharePoint Premium, OneDrive for Business, Teams Collaboration, Entra ID, Information Protection, Universal Print, and Microsoft 365 Licensing. He also has 15+ years of experience planning, administering, and operating SharePoint Server environments. Tobias is a PowerShell Scripter with certifications for Microsoft 365 products. In his spare time, Tobias is busy with updates in the Microsoft 365 world or on the road with his road bike and other sports activities. If you have additional questions, please contact me via LinkedIn or [email protected].

Leave a Reply

Your email address will not be published. Required fields are marked *