The Teams message entity panel in Microsoft Defender for Office 365 Plan 2

Important

Some information in this article relates to a prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.

Similar to the The Email summary panel for email messages, Microsoft 365 organizations that have Microsoft Defender for Office 365 Plan 2 (add-on licenses or included in subscriptions like Microsoft 365 E5) have the Microsoft Teams message entity panel in the Microsoft Defender portal. The Teams message entity panel is a details flyout includes all Microsoft Teams data about suspicious or malicious chats, channels, and group chats on a single, actionable panel.

This article explains the information and actions on the Teams message entity panel.

Permissions and licensing for the Teams message entity panel

To use the Email entity page, you need to be assigned permissions. You have the following options:

  • Email & collaboration permissions in the Microsoft Defender portal: Membership in the Organization Management, Security Administrator, or Quarantine Administrator role groups.

  • Microsoft Entra permissions: Membership these roles gives users the required permissions and permissions for other features in Microsoft 365:

    • Full access: Membership in the Global Administrator* or Security Administrator roles.
    • Read-only access: Membership in the Global Reader or Security Reader roles.

    Important

    * Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.

Where to find the Teams message entity panel

There are no direct links to the Teams message entity panel from the top levels of the Defender portal. Instead, the Teams message entity panel is available in the following locations:

  • From the Quarantine page at https://security.microsoft.com/quarantine: Select the Teams message tab > select an entry by clicking anywhere in the row other than the check box. The details flyout that opens is the Teams message entity panel.

  • From the Submissions page at https://security.microsoft.com/reportsubmission:

    • Select the Teams messages tab > select an entry by clicking anywhere in the row other than the check box.
    • Select the User reported tab > select a Teams entry by clicking anywhere in the row other than the check box. You can filter the entries by selecting Filter > Message type > Teams. The details flyout that opens is the Teams message entity panel.

What's on the Teams message entity panel

The following information is available at the top of the Teams message entity panel:

  • The title of the flyout is the subject or the first 100 characters of the Teams message.
  • The current message verdict.
  • The number of links in the message.
  • The actions that are available at the top of the flyout depend on where you opened the Teams message entity panel.

Tip

To see details about other Teams messages without leaving the Email summary panel of the current message, use Previous item and Next item at the top of the flyout.

The next sections in the Teams message entity panel depend on where you opened it:

The rest of the Teams message entity panel contains the following information, regardless of where you opened it:

  • Message details section:

    • Threats
    • Message location
    • Sender address
    • Time received
    • Detection tech
    • Teams message ID: You can use this value as an identifier of a Teams message in Defender for Office 365.
  • Sender section:

    • The sender's name and email address
    • Domain
    • External: The value Yes indicates the message was sent between an internal user and an external user.
  • One of the following sections, depending on whether the message if from a chat or a channel:

    • Chat: The Participants section:
      • Conversation type
      • Chat name
      • Name and email: Contains the name and email addresses of all of the participants (including the sender). If there are more than 10 participants, it also links to a secondary panel that lists all the participants in the chat at the time of the suspected threat.
    • Channel: The Channel details section:
      • Conversation type
      • Conversation name: Contains the name of the channel.
      • Name and email: Contains the name and address of the channel.
  • URLs section:

    • Name and type Contains the URL from the Teams message.
    • Threat

    If the message has more than 10 URLs, select View all URLs to see all of them.

Screenshot of the Teams Message Entity panel from a quarantined Teams message showing the common sections.

For more information

The Microsoft Defender for Office 365 Email Entity Page and how it works

Safe Links in Microsoft Defender for Office 365

Zero-hour auto purge (ZAP) in Microsoft Teams