Microsoft Defender is adding a security capability that lets admins remove users from Teams chat conversations directly from the Defender portal. This capability is available for Teams group chats and 1:1 conversations within the tenant, and is designed to support faster incident response and containment.
Timeline
The rollout should be completed in November 2025.
How does this affect your organisation?
Users with the Security Operator, Security Administrator, or Global Administrator roles can now remove users from Teams group chats and 1:1 conversations directly from the Defender portal. Users who are removed lose access to the conversation history.
This capability is available for organisations with Defender for Office 365 Plan 2. Admins can access it through the “Take action” option in Microsoft Defender, available from the Teams messages entity flyout in Submissions, Quarantine, or Advanced Hunting.
- Open the message in Microsoft Defender and select “Take action”.

- Enable the option to remove users from the chat conversation. The option is inactive if the message originates from a Teams channel.

- Select who should be removed from the conversation and add a short description.

- Confirm the action, then wait until the job is complete (about 30 to 60 minutes).

Teams shows who removed the user, but not why, and does not indicate that the removal was forced through Microsoft Defender. Chat members can easily re-add the user.

Results of removal actions should appear in the Microsoft Defender Action Center under the History tab (event type: Remove users). However, in my tests, no corresponding event appeared even after 24 hours.

