ZAP policies in Teams

kodi 10 Reputation points
2025-06-10T05:36:00.71+00:00

Hello

We recently encountered a situation where a user received a message in Microsoft Teams that contained a malicious URL. Although our Defender for Office 365 policy is configured with ZAP enabled and was working as expected before, the malicious message in Teams was not removed after the threat was detected by Microsoft.

We've verified the policy settings, and ZAP appears to be functioning properly in Exchange Online. However, in this case, the malicious message remained visible in the Teams chat even after several hours.

We’ve already reviewed this documentation: https://learn.microsoft.com/en-us/defender-office-365/mdo-support-teams-about and understand that detection is supported, but message removal behavior is unclear.

Any insights or clarification would be greatly appreciated.

Microsoft Teams | Development

1 answer

  1. Jack-Bu 2,300 Reputation points Microsoft External Staff Moderator
    2025-06-10T09:16:15.17+00:00

    Dear kodi@hotmail

    Thanks for reaching out to Microsoft Q&A Forum.   

    I understand you're reporting that a malicious URL was delivered via Microsoft Teams, detected by Microsoft Defender for Office 365, and yet the message remained visible after detection. Based on my research, here are some possible double checks:   

    1. License Requirement 

    ZAP support for Microsoft Teams is available only for customers with Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2. If you do not have this license package, please purchase it to use the related features.

    Reference: Zero-hour auto purge in Microsoft Defender for Office 365 - Microsoft Defender for Office 365 | Microsoft Learn   

    2. Policies checking

    Could you provide me a screenshot of the screen below? This action can help me check the different

    3. Message Type – Internal vs. External
    At this time, I'm unsure whether the message you received originated internally or externally. But these are 2 possible cases:

    - Internal messages: ZAP can remove Teams messages flagged as malware or high confidence phishing.
    - External messages (e.g., from guest users or federated domains): Currently not supported by ZAP in Microsoft Teams.

    Note: Can you please specify the type of message you received so that I can assist you better?

    Reference: Zero-hour auto purge in Microsoft Defender for Office 365 - Microsoft Defender for Office 365 | Microsoft Learn

    4. The messages still display because the cache (temporary memory) in Microsoft Teams (desktop) has not been cleared.

    Reference: Clear the Teams client cache - Microsoft Teams | Microsoft Learn 


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".     

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.    

