Microsoft is significantly expanding threat detection capabilities in Microsoft Teams by allowing Defender for Office 365 Plan 1 users to report suspicious messages directly. This change, tracked under roadmap ID 531760, marks a new approach in Microsoft’s security strategy, democratizing threat intelligence gathering, a feature that was previously reserved only for Plan 2 subscribers.
Teams is not being vacated
The update, which is expected to be active by the end of March 2026, addresses the growing need to secure collaboration platforms with the same effectiveness as is done with email environments. The line between internal communication and external threats is becoming blurred, making it critical to empower end users to act as the first line of defense as a component of a robust security posture.
Previously, the ability to report messages within Teams, whether in direct chats, channels, or meeting logs, was exclusive to organizations with Defender for Office 365 Plan 2. This left Plan 1 environments relying solely on automatic protections without the advantage of receiving real-time feedback from users.
With the new feature, users will be able to tag messages in two distinct categories. These user-generated signals are vital for security operation centers (SOC), providing immediate visibility into potential breaches and helping to train Microsoft’s detection algorithms to better recognize conversational attacks.
However, activating this feature requires administrative action. Microsoft has emphasized that the reporting capability is an optional feature and that administrators must enable the user reporting settings in the Microsoft Defender portal. It is crucial for security teams to update their internal documentation and communicate these changes to staff to facilitate the use of this new tool when it becomes available.