New MDO Teams articles

chrisda · chrisda · commit 184bff3a2596 · 2025-04-17T15:34:42.000-07:00
diff --git a/defender-office-365/TOC.yml b/defender-office-365/TOC.yml
@@ -101,6 +101,9 @@
        items:
        - name: Defender for Office 365 SecOps guide
          href: mdo-sec-ops-guide.md
+     - name: Quickly configure Microsoft Teams protection
+       href: mdo-support-teams-quick-configure.md
+
    - name: Migrate
      items:
        - name: Migrate to Defender for Office 365
@@ -116,6 +119,8 @@
      items:
        - name: Defender for Office 365 SecOps Guide
          href: mdo-sec-ops-guide.md
+       - name: SecOps guide for Teams protection in Defender for Office 365
+         href: mdo-support-teams-sec-ops-guide.md
        - name: Threat classification
          href: mdo-threat-classification.md
        - name: Security recommendations for priority accounts
@@ -363,6 +368,8 @@
        href: office-365-ti.md
      - name: Defender for Office 365 SecOps Guide
        href: mdo-sec-ops-guide.md
+     - name: SecOps guide for Teams protection in Defender for Office 365
+       href: mdo-support-teams-sec-ops-guide.md
      - name: Analyze and classify
        items:
        - name: Campaign Views
diff --git a/defender-office-365/mdo-support-teams-quick-configure.md b/defender-office-365/mdo-support-teams-quick-configure.md
@@ -0,0 +1,111 @@
+---
+title: Quickly configure Microsoft Teams protection in Microsoft Defender for Office 365 Plan 2
+f1.keywords: 
+  - NOCSH
+ms.author: chrisda
+author: chrisda
+manager: deniseb
+audience: Admin
+ms.topic: overview
+ms.localizationpriority: medium
+search.appverid: 
+  - MET150
+  - MOE150
+ms.collection: 
+  - m365-security
+  - tier1
+description: Admins who aren't using Microsoft Defender for Office 365 can learn how to quickly set up protection in Microsoft Teams.
+ms.service: defender-office-365
+ms.date: 04/15/2025
+appliesto:
+  - ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 2</a>
+---
+
+## Quickly configure Microsoft Teams protection in Microsoft Defender for Office 365 Plan 2
+
+Even if you aren't using Microsoft Defender for Office 365 Plan 2 for email protection, you can still use it for Microsoft Teams protection.
+
+This article contains the quick steps to turn on and configure Defender for Office 365 protection for Microsoft Teams.
+
+## What do you need to know before you begin?
+
+- You open the Microsoft Defender portal at <https://security.microsoft.com>.
+
+- You need to be assigned permissions before you can do the procedures in this article. You have the following options:
+  - [Microsoft Defender XDR Unified role based access control (RBAC)](/defender-xdr/manage-rbac) (If **Email & collaboration** \> **Defender for Office 365** permissions is :::image type="icon" source="media/scc-toggle-on.png" border="false"::: **Active**. Affects the Defender portal only, not PowerShell): **Authorization and settings/Security settings/Core Security settings (manage)**.
+  - [Email & collaboration permissions in the Microsoft Defender portal](mdo-portal-permissions.md) and [Exchange Online permissions](/exchange/permissions-exo/permissions-exo):
+    - Membership in the **Organization Management** or **Security Administrator** role groups in Email & collaboration permissions <u>and</u> membership in the **Organization Management** role group in Exchange Online permissions.
+  - [Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal): Membership in the **Global Administrator**<sup>\*</sup> or **Security Administrator** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
+
+    > [!IMPORTANT]
+    > <sup>\*</sup> Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
+
+- Allow up to 30 minutes for a new or updated policy to be applied.
+
+- For more information about licensing requirements, see [Licensing terms](/office365/servicedescriptions/office-365-advanced-threat-protection-service-description#licensing-terms).
+
+- Teams integration deployment is part of the overall deployment process of Defender for Office 365. For more information, see [Pilot and deploy Defender for Office 365](/defender-xdr/pilot-deploy-defender-office-365?toc=%2Fdefender-office-365%2FTOC.json&bc=%2Fdefender-office-365%2Fbreadcrumb%2Ftoc.json).
+
+## Step 1: Verify Safe Attachments integration for Microsoft Teams
+
+For complete instructions, see [Turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](safe-attachments-for-spo-odfb-teams-configure.md).
+
+1. In the Microsoft Defender portal, go to the **Safe Attachments** page at <https://security.microsoft.com/safeattachmentv2>.
+2. On the **Safe Attachments** page, select :::image type="icon" source="media/m365-cc-sc-gear-icon.png" border="false"::: **Global settings**.
+3. In the **Global settings** flyout that opens, go to the **Protect files in SharePoint, OneDrive, and Microsoft Teams** section to verify **Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams** is :::image type="icon" source="media/scc-toggle-on.png" border="false"::: **On**.
+
+   If the value is :::image type="icon" source="media/scc-toggle-off.png" border="false"::: **Off**, move the toggle to :::image type="icon" source="media/scc-toggle-on.png" border="false"::: **On**, and then select **Save**.
+
+> [!TIP]
+>
+> - You can't restrict Safe Attachments for SharePoint, OneDrive, and Microsoft Teams to Microsoft Teams only.
+> - You can't scope Safe Attachments for SharePoint, OneDrive, and Microsoft Teams to specific users. It's on or off for everyone.
+
+## Step 2: Verify Safe Links integration for Microsoft Teams
+
+For complete instructions, see [Use the Microsoft Defender portal to modify custom Safe Links policies](safe-links-policies-configure.md#use-the-microsoft-defender-portal-to-modify-custom-safe-links-policies).
+
+1. In the Microsoft Defender portal, go to the **Safe Links** page at <https://security.microsoft.com/safelinksv2>.
+2. On the **Safe Links** page, verify Teams integration is turned on in any custom policies (policies with a numerical **Priority** value) by doing the following steps:
+   1. Select the policy by clicking anywhere in the row other than the check box next to the first column.
+   2. In the **Teams** section of the **Protection settings** section in the details flyout that opens, verify the value is **On: Safe Links checks a list of known, malicious links when users click links in Microsoft Teams. URLs are not rewritten**.
+
+      If the value is **Off**, select **Edit protection settings** at the bottom of the **Protection settings** section. In the **URL & click protection settings** flyout that opens, select the check box in the **Teams** section, select **Save**, and then select **Close**.
+
+   Repeat these steps on every custom Safe Links policy.
+
+> [!TIP]
+> Teams integration is on in the [Built-in protection preset security policy](preset-security-policies.md), but any other Safe Links policies [take precedence](preset-security-policies.md#order-of-precedence-for-preset-security-policies-and-other-policies) over the Built-in protection preset security policy (as shown in the order they're listed on the **Safe Links** page).
+
+## Step 3: Configure Zero-hour auto purge (ZAP) for Microsoft Teams
+
+For complete instructions, see [Configure ZAP for Teams protection in Defender for Office 365 Plan 2](mdo-support-teams-about.md#configure-zap-for-teams-protection-in-defender-for-office-365-plan-2).
+
+1. In the Microsoft Defender portal, go to the **Microsoft Teams protection** page at <https://security.microsoft.com/securitysettings/teamsProtectionPolicy>.
+
+2. On the **Microsoft Teams protection** page, verify the toggle in the **Zero-hour auto purge (ZAP)** section is :::image type="icon" source="media/scc-toggle-on.png" border="false"::: **On**.
+
+   If the value is :::image type="icon" source="media/scc-toggle-off.png" border="false"::: **Off**, move the toggle to :::image type="icon" source="media/scc-toggle-on.png" border="false"::: **On**, and then select **Save**.
+
+> [!TIP]
+> When ZAP for Microsoft Teams is turned on, you can use **Exclude these participants** on the **Microsoft Teams protection** page to exclude users from Teams protection. For more information, see [Configure ZAP for Teams protection in Defender for Office 365 Plan 2](mdo-support-teams-about.md#configure-zap-for-teams-protection-in-defender-for-office-365-plan-2).
+
+## Step 4: Configure user reported settings for Microsoft Teams
+
+For complete instructions, see [User reported message settings in Microsoft Teams](submissions-teams.md).
+
+1. In the Teams admin center, go to the **Messaging policies** page at <https://admin.teams.microsoft.com/policies/messaging>.
+
+2. On the **Manage policies** tab of the **Messaging policies** page, verify that the **Manage policies** tab is selected, and do either of the following actions to edit the appropriate policy (the **Global (Org-wide) default** policy for all users or a custom policy for specific users):
+   - Select the link in the **Name** column.
+   - Select the policy by clicking anywhere in the row other than the **Name** column, and then select :::image type="icon" source="media/m365-cc-sc-edit-icon.png" border="false"::: **Edit**.
+
+3. In the policy details page that opens, find the **Report a security concern** toggle, and verify the value is :::image type="icon" source="media/scc-toggle-on.png" border="false"::: **On**.
+
+   If the value is :::image type="icon" source="media/scc-toggle-off.png" border="false"::: **Off**, move the toggle to :::image type="icon" source="media/scc-toggle-on.png" border="false"::: **On**, and then select **Save**.
+
+4. In the Microsoft Defender portal, go to the **User reported settings** page at <https://security.microsoft.com/securitysettings/userSubmission>.
+
+5. On the **User reported settings** page, go to the **Microsoft Teams** section, and verify **Monitor reported messages in Microsoft Teams** is selected.
+
+   If it's not selected, select the check box, and then select **Save**.
diff --git a/defender-office-365/mdo-support-teams-sec-ops-guide.md b/defender-office-365/mdo-support-teams-sec-ops-guide.md
@@ -0,0 +1,109 @@
+---
+title: Security Operations Guide for Teams protection
+f1.keywords: 
+  - NOCSH
+ms.author: chrisda
+author: chrisda
+manager: deniseb
+audience: Admin
+ms.topic: overview
+ms.localizationpriority: medium
+search.appverid: 
+  - MET150
+  - MOE150
+ms.collection: 
+  - m365-security
+  - tier1
+description: A prescriptive playbook for SecOps personnel to manage Microsoft Teams protection in Microsoft Defender for Office 365.
+ms.service: defender-office-365
+ms.date: 04/16/2025
+appliesto:
+  - ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 2</a>
+---
+
+# Security Operations Guide for Teams protection in Microsoft Defender for Office 365
+
+After you [configure Microsoft Teams protection in Microsoft Defender for Office 365](mdo-support-teams-quick-configure.md), you need to integrate Teams protection capabilities into your Security Operations (SecOps) response processes. This process is critical to ensure a high-quality, reliable approach to protect, detect, and respond to collaboration-related security threats.  
+
+Involving the SecOps team during the deployment/pilot phases ensures your organization is ready to deal with threats. Teams protection capabilities in Defender for Office 365 are natively integrated into the existing Defender for Office 365 and Defender XDR SecOps tools and work flows.
+
+Another important step is to ensure SecOps team members have the appropriate permissions to do their tasks.
+
+<!--- We need links to what permissions, or can we just say Security Administrator --->
+
+## Integrate user reported Teams messages into SecOps incident response
+
+When users report Teams messages as potentially malicious, the reported messages are sent to Microsoft and/or the reporting mailbox as defined by the [user reported settings in Defender for Office 365](submissions-user-reported-messages-custom-mailbox.md).  
+
+The **Teams message reported by user as security risk** alert is automatically generated and correlated to Defender XDR Incidents.  
+
+We strongly recommend that SecOps team members start triage and investigation from the [Defender XDR incidents queue in the Microsoft Defender portal](/defender-office-365/mdo-sec-ops-manage-incidents-and-alerts) or SIEM/SOAR integration.
+
+> [!TIP]
+> Currently, **Teams message reported by user as security risk** alerts don't generate automated investigation and response (AIR) investigations.
+
+SecOps team members can review submitted Teams message details in the following locations in the Defender portal:
+
+- The **View submission** action in the Defender XDR incident.
+- The **User reported** tab of the **Submissions** page at <https://security.microsoft.com/reportsubmission?viewid=user>:
+  - Admins can submit user reported Teams messages to Microsoft for analysis from the **User reported** tab. Entries on the **Teams messages** tab are the result of manually submitting user reported Teams message to Microsoft ([converting the user submission to an admin submission](submissions-admin.md#submit-user-reported-messages-to-microsoft-for-analysis)).
+  - Admins can use **Mark and notify** on reported Teams messages to send response email to users who reported messages.
+
+SecOps team members can also use block entries in the Tenant Allow/Block List to block the following indicators of compromise:
+
+- Suspicious URLs as yet unidentified by Defender for Office 365. URL block entries are enforced at time of click in Teams when [Teams integration in Safe Links policies is turned on](mdo-support-teams-quick-configure.md#step-2-verify-safe-links-integration-for-microsoft-teams).
+- Files by using the SHA256 hash value.
+
+## Enable SecOps to proactively manage false negatives in Microsoft Teams
+
+SecOps team members can use threat hunting or information from external threat intelligence feeds to proactively respond to false negative Teams messages (bad messages allowed). They can use the information to proactively block threats. For example:
+
+- [Create URL block entries](tenant-allow-block-list-urls-configure.md#create-block-entries-for-urls) in the Tenant Allow/Block List in Defender for Office 365. Block entries apply at time of click for URLs in Teams.  
+- [Block domains in Teams using the Teams admin center](/microsoftteams/trusted-organizations-external-meetings-chat#specify-trusted-microsoft-365-organizations).
+- Submit undetected URLs to Microsoft using [admin submission](submissions-admin.md#report-questionable-urls-to-microsoft).
+
+> [!TIP]
+> As previously described, admins can't proactively submit Teams messages to Microsoft for analysis. Instead, they submit user reported Teams messages to Microsoft ([converting the user submission to an admin submission](submissions-admin.md#submit-user-reported-messages-to-microsoft-for-analysis)).
+
+## Enable SecOps to manage false positives in Microsoft Teams
+
+SecOps team members can triage and respond to false positive Teams messages (good messages blocked) on the **Quarantine** page in Defender for Office 365 at <https://security.microsoft.com/quarantine>.
+
+- Teams messages detected by zero-hour auto protection (ZAP) are available on the **Teams messages** tab. SecOps team members can [take action](quarantine-admin-manage-messages-files.md#take-action-on-quarantined-teams-messages) on these messages. For example, preview messages, download messages, submit messages to Microsoft for review, and release the messages from quarantine.
+
+  > [!TIP]
+  > Teams messages released from quarantine are available to senders and recipients in the original location in Teams chats and channel posts.
+
+- Files in Teams messages detected by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams are available on the **Files** tab. SecOps team members can [take action](quarantine-admin-manage-messages-files.md#take-action-on-quarantined-files) on these files. For example, view file details, download files, submit messages to Microsoft for review, and release the files from quarantine.
+
+  > [!TIP]
+  > Files released from quarantine are available to users in the original location in SharePoint, OneDrive, and Teams.
+
+## Enable SecOps to hunt for threats and detections in Microsoft Teams
+
+SecOps team members can proactively hunt for potentially malicious Teams messages, URL clicks in Teams, and file detected as malicious. You can use this information to find potential threats, analyze patterns, and develop custom detections in Defender XDR to automatically generate incidents.
+
+- On the **Explorer** page (Threat Explorer) in the Defender portal at <https://security.microsoft.com/threatexplorerv3>:
+  - **Content malware** tab: This tab contains files detected by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams. You can use the [available filters](threat-explorer-real-time-detections-about.md#filterable-properties-in-the-content-malware-view-in-threat-explorer-and-real-time-detections) to hunt on detection data.
+  - **URL click** tab: This tab contains all user clicks on URLs in email, in supported Office files in SharePoint and OneDrive, and in Microsoft Teams. You can use the [available filters](threat-explorer-real-time-detections-about.md#filterable-properties-in-the-url-clicks-view-in-threat-explorer) to hunt on detection data.
+
+- On the **Advanced hunting** page in the Defender portal at <https://security.microsoft.com/v2/advanced-hunting>. The following hunting tables are available for Teams-related threats:
+  - [MessageEvents](/defender-xdr/advanced-hunting-messageevents-table): Contains raw data about every internal and external Teams message that included a URL. Sender address, Sender display name, Sender type, and more are available in this table.
+  - [MessagePostDeliveryEvents](/defender-xdr/advanced-hunting-messagepostdeliveryevents-table): Contains raw data about ZAP events on Teams messages.
+  - [MessageUrlInfo](/defender-xdr/advanced-hunting-messageurlinfo-table): Contains raw data about URLs in Teams messages.
+  - [UrlClickEvents](/defender-xdr/advanced-hunting-urlclickevents-table): Contains raw data about every allowed or blocked URL click by users in Teams clients.
+
+  SecOps team members can join these hunting tables with other workload tables (for example, EmailEvents or Device-related tables) to gain insight into end to end user activities.
+
+  For example, you can use the following query to hunt for allowed clicks on URLs in Teams messages that were removed by ZAP:
+
+  ```kusto
+  MessagePostDeliveryEvents 
+  | join MessageUrlInfo on TeamsMessageId 
+  | join UrlClickEvents on Url 
+  | join EmailUrlInfo on Url 
+  | where Workload == "Teams" and ActionType1 == "ClickAllowed" 
+  | project TimeGenerated, TeamsMessageId, ActionType, RecipientDetails, LatestDeliveryLocation, Url, ActionType1
+  ```
+
+  [Community queries in advanced hunting](https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/use-community-queries-to-hunt-more-effectively-across-email-and-collaboration-th/4254664) also offers Teams query examples.
