Microsoft Defender for Office 365 support for Microsoft Teams (Preview)


Some information in this article relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.


Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365 Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to


This article lists new features in the latest release of Microsoft Defender for Office 365. These features are currently in preview. Once you run the cmdlet, please be aware that it will take a few days for the features to to be available.

With the increased use of collaboration tools like Microsoft Teams, the possibility of malicious attacks using URLs and messages has increased as well. Microsoft Defender for Office 365 already provides protection against malicious URLs in Teams through Safe Links, and now Microsoft is extending this protection with a new set of capabilities designed to disrupt the attack chain.

  • Reporting suspicious messages and files to admins and Microsoft (optional): Users will have the ability to report potential malicious messages to their admins. The admins can review these messages and report them to Microsoft. For more information, see User reported settings in Teams.

  • Zero-Hour Auto Purge (ZAP): ZAP is an existing email protection feature that proactively detects and neutralizes malicious phishing, spam, or malware messages that have already been delivered. For read or unread messages that are found to contain malware after delivery, ZAP quarantines the message that contains the malware attachment. Note that for this preview, ZAP will be quarantining based on malicious or phishing messages, and not spam. For more information, see Zero-hour auto purge in Microsoft Defender for Office 365.

  • Quarantine: Admins will be able to review quarantined messages that are identified as malicious by ZAP. Admins will also be able to release the message if the message is determined as safe. For more information, see Manage quarantined messages and files as an admin.

The Teams Message Entity Panel is one single place to store all of Teams message metadata that will allow for immediate SecOps review. Any threat coming from chats, group or meeting chats, and other channels can be found in one place as soon as it is assessed. For more information, see Teams Message Entity Panel for Microsoft Teams.

  • Attack Simulation and Training: In order to ensure your users are resilient to phishing attacks in Microsoft Teams, admins can configure phishing simulations in Teams similar to how they do so in email. For more information, see Microsoft Teams in Attack simulation training.

Enable Microsoft Defender for Teams

If you're interested in previewing the previously described features for ALL users in your tenant, you can use an Exchange Online PowerShell cmdlet to enable them. Make sure you have the latest version of the PowerShell module.

After you connect to Exchange Online PowerShell, run the following command to join the Teams preview:

Set-TeamsSecurityPreview -Enable $true


This cmdlet informs Microsoft that you want to join the Teams preview. By running this cmdlet, your tenant will be added to the rollout schedule. The features will be enabled over time during the preview period.

To check the status for your tenant, run the following command:


See also