Englisch + German / English / Microsoft 365 / Microsoft Defender

Reporting suspicious Teams messages comes to Defender for Office 365 Plan 1

25. January 2026

Microsoft is expanding user reporting for suspicious and non-suspicious (false positive) blocks in Teams messages to organizations licensed for Microsoft Defender for Office 365 Plan 1. Previously, both capabilities were limited to Plan 2.
Reporting suspicious Teams messages helps security teams identify and investigate potential phishing, malware, and spam across Teams chats, channels, and meeting chats, including both internal and external conversations.

This update respects existing User reported settings in Defender for Office 365 and only extends the licensing requirements.

Timeline

The rollout should be completed in February 2026.

What is changing?

Currently, reporting suspicious Teams messages and the recently introduced option to report non-security risks (false positives) require a Defender for Office 365 Plan 2 license.

January 2026:
In organizations with Microsoft Defender for Office 365 Plan 2 or Microsoft Defender XDR, admins can decide whether users are allowed to report messages in Microsoft Teams.

Starting in February 2026, Microsoft will make both features available with Defender for Office 365 Plan 1.
Users can select “Report this message” in Teams chats, channel conversations, and meeting chats to report a potential security risk.

  • User-reported messages are enabled by default in new tenants. In older tenants, this feature is disabled and must be enabled manually by a Defender administrator.
  • User reporting of Teams messages is not supported in US government tenants, including GCC, GCC High, and DoD.
Report a security risk
Report a security risk

The same applies to reporting non-security risks, unless disabled by a Teams administrator (it is enabled by default). The enhancement for non-security risks has been rolling out since 12 January.

Report a non security risk (a false positive)
Report a non security risk (a false positive)

All submissions appear on the User reported page in the Defender portal and/or in the configured mailbox destination.
Teams administrators should review their current configuration in the Teams admin center or manage it via PowerShell.

The relevant PowerShell settings are:

AllowSecurityEndUserReporting
This setting determines whether users can report any security concern in a Teams message to their administrator. Possible values: True, False

ReportIncorrectSecurityDetections
This setting enables end users to report incorrect security detections in Teams messages within the tenant.

Possible values:

  • Enabled (default)
  • Disabled

Tags:

Share
Avatar photo

Tobias Asböck

Tobias is a Senior System Engineer with more than 10 years of professional experience with Microsoft 365 products such as SharePoint Online, SharePoint Premium, OneDrive for Business, Teams Collaboration, Entra ID, Information Protection, Universal Print, and Microsoft 365 Licensing. He also has 15+ years of experience planning, administering, and operating SharePoint Server environments. Tobias is a PowerShell Scripter with certifications for Microsoft 365 products. In his spare time, Tobias is busy with updates in the Microsoft 365 world or on the road with his road bike and other sports activities. If you have additional questions, please contact me via LinkedIn or [email protected].

Leave a Reply

Your email address will not be published. Required fields are marked *