Merge pull request #5848 from MicrosoftDocs/main

[AutoPublish] main to live - 12/05 10:37 PST | 12/06 00:07 IST

Author: m365-skilling-repo-management[bot]

defender-office-365/mdo-support-teams-about.md

@@ -16,7 +16,7 @@ ms.collection:
   - tier1
 description: Admins can learn about Microsoft Teams features in Microsoft Defender for Office 365.
 ms.service: defender-office-365
-ms.date: 09/11/2025
+ms.date: 10/27/2025
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 1 and Plan 2</a>
   - ✅ <a href="https://learn.microsoft.com/defender-xdr/microsoft-365-defender" target="_blank">Microsoft Defender XDR</a>
@@ -58,6 +58,9 @@ Microsoft 365 E5 and Defender for Office 365 Plan 2 extend Teams protection with
 
 - **Teams message entity panel**: A single place to store all Teams message metadata for immediate SecOps review. Any threats coming from Teams chats, group chats, meeting chats, and other channels can be found in one place as soon as they're assessed. For more information, see [The Teams message entity panel in Microsoft Defender for Office 365 Plan 2](teams-message-entity-panel.md).
 
+  > [!TIP]
+  > To remove users from Teams chats, see [Remove users from Teams chats in the Teams message entity panel](teams-message-entity-panel.md#remove-users-from-teams-chats-in-the-teams-message-entity-panel).
+
 - **Attack simulation training using Teams messages**: To ensure users are resilient to phishing attacks in Microsoft Teams, admins can configure phishing simulations using Teams messages instead of email messages. For more information, see [Microsoft Teams in Attack simulation training](attack-simulation-training-teams.md).
 
 - **Hunting on Teams messages with URLs**: You can hunt for Teams messages containing URL across three new advanced hunting tables: [MessageEvents](/defender-xdr/advanced-hunting-messageevents-table), [MessagePostDeliveryEvents](/defender-xdr/advanced-hunting-messagepostdeliveryevents-table), and [MessageURLInfo](/defender-xdr/advanced-hunting-messageurlinfo-table).

defender-office-365/quarantine-admin-manage-messages-files.md

@@ -18,7 +18,7 @@ ms.custom:
   - seo-marvel-apr2020
 description: Admins can learn how to view and manage quarantined messages for all users in Microsoft 365 organizations with cloud mailboxes. Admins in organizations with Microsoft Defender for Office 365 can also manage quarantined files in SharePoint, OneDrive, and Microsoft Teams.
 ms.service: defender-office-365
-ms.date: 10/07/2025
+ms.date: 10/27/2025
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/eop-about" target="_blank">Default email protections for cloud mailboxes</a>
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 1 and Plan 2</a>
@@ -789,7 +789,7 @@ The next section in the details flyout is related to quarantined Teams messages:
   - **Policy name**: The value is **Teams Protection Policy**.
   - **Quarantine policy**
 
-The rest of the details flyout contains the **Message details**, **Sender**, **Participants**, **Channel details**, and **URLs** sections that are part of the _Teams message entity panel_. For more information, see [The Teams mMessage entity panel in Microsoft Defender for Office 365 Plan 2](teams-message-entity-panel.md).
+The rest of the details flyout contains the **Message details**, **Sender**, **Participants**, **Channel details**, and **URLs** sections that are part of the _Teams message entity panel_. For more information, see [The Teams message entity panel in Microsoft Defender for Office 365 Plan 2](teams-message-entity-panel.md).
 
 When you're finished in the details flyout, select **Close**.
 
@@ -811,7 +811,7 @@ On the **Teams messages** tab, select the quarantined message by using either of
 
 Using either method to select the message, some actions are available under :::image type="icon" source="media/m365-cc-sc-more-actions-icon.png" border="false"::: **More**.
 
-After you select the quarantined message, the available actions are described in the following subsections.
+After you select the quarantined Teams message, the available actions are described in the following subsections.
 
 #### Release quarantined Teams messages
 
@@ -878,6 +878,16 @@ By default, The .html message file is saved in a compressed file named Quarantin
 
 Back on the **Download messages** flyout, select **Done**.
 
+#### Remove users from quarantined Teams chats
+
+> [!TIP]
+> Currently, this feature is in Preview, isn't available in all organizations, and is subject to change.
+
+1. On the **Teams messages** tab, select the Teams message by clicking anywhere in the row other than the check box next to the first column.
+2. In the details flyout that opens (the Teams message entity panel), select :::image type="icon" source="media/m365-cc-sc-more-actions-icon.png" border="false"::: **More actions** \> :::image type="icon" source="media/m365-cc-sc-take-actions-icon.png" border="false"::: **Take action** at the top of the flyout.
+
+For complete instructions, see [Remove users from Teams chats in the Teams message entity panel](teams-message-entity-panel.md#remove-users-from-teams-chats-in-the-teams-message-entity-panel).
+
 #### Take action on multiple quarantined Teams messages
 
 When you select multiple quarantined messages on the **Teams messages** tab by selecting the check boxes next to the first column, the following bulk actions are available on the **Teams messages** tab:

defender-office-365/submissions-admin.md

@@ -16,7 +16,7 @@ ms.collection:
 ms.custom: seo-marvel-apr2020
 description: "Admins can learn how to use the Submissions page in the Microsoft Defender portal to submit messages, URLs, and email attachments to Microsoft for analysis. Reasons for submission include: legitimate messages that were blocked, suspicious messages that were allowed, suspected phishing email, spam, malware, and other potentially harmful messages."
 ms.service: defender-office-365
-ms.date: 09/11/2025
+ms.date: 10/27/2025
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/eop-about" target="_blank">Default email protections for cloud mailboxes</a>
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 1 and Plan 2</a>
@@ -556,9 +556,6 @@ When you're finished in the details flyout, select **Close**.
 
 ### View Teams admin submissions to Microsoft in Defender for Office 365 Plan 2
 
-> [!TIP]
-> [Submission of Teams message to Microsoft](submissions-teams.md) is currently in Preview, isn't available in all organizations, and is subject to change.
-
 In the Defender portal at <https://security.microsoft.com>, go to the **Submissions** page at **Actions & submissions** \> **Submissions**. Or, to go directly to the **Submissions** page, use <https://security.microsoft.com/reportsubmission>.
 
 On the **Submissions** page, select the **Teams messages** tab.
@@ -642,7 +639,10 @@ The next sections in the details flyout are related to Teams submissions:
   - **Submitted by**
   - **Submission status**
 
-The rest of the details flyout contains the **Message details**, **Sender**, **Participants**, **Channel details**, and **URLs** sections that are part of the _Teams message entity panel_. For more information, see [The Teams mMessage entity panel in Microsoft Defender for Office 365 Plan 2](teams-message-entity-panel.md).
+The rest of the details flyout contains the **Message details**, **Sender**, **Participants**, **Channel details**, and **URLs** sections that are part of the _Teams message entity panel_. For more information, see [The Teams message entity panel in Microsoft Defender for Office 365 Plan 2](teams-message-entity-panel.md).
+
+> [!TIP]
+> To remove users from Teams chats, see [Remove users from Teams chats in the Teams message entity panel](teams-message-entity-panel.md#remove-users-from-teams-chats-in-the-teams-message-entity-panel).
 
 When you're finished in the details flyout, select **Close**.
 
@@ -1120,9 +1120,11 @@ The next sections in the details flyout are related to user reported Teams submi
   - **Phish simulation**: The value is **Yes** or **No**.
   - **Converted to admin submission**: The value is **Yes** or **No**. For more information, see [View converted admin submissions](#view-converted-admin-submissions).
 
-The rest of the details flyout contains the **Message details**, **Sender**, **Participants**, **Channel details**, and **URLs** sections that are part of the _Teams message entity panel_. For more information, see [The Teams mMessage entity panel in Microsoft Defender for Office 365 Plan 2](teams-message-entity-panel.md).
+The rest of the details flyout contains the **Message details**, **Sender**, **Participants**, **Channel details**, and **URLs** sections that are part of the _Teams message entity panel_. For more information, see [The Teams message entity panel in Microsoft Defender for Office 365 Plan 2](teams-message-entity-panel.md).
 
 > [!TIP]
+> To remove users from Teams chats, see [Remove users from Teams chats in the Teams message entity panel](teams-message-entity-panel.md#remove-users-from-teams-chats-in-the-teams-message-entity-panel).
+>
 > If the **Result** value is **Phish simulation**, the details flyout might contain the following information only:
 >
 > - **Result details** section

defender-office-365/submissions-outlook-report-messages.md

@@ -14,7 +14,7 @@ ms.collection:
 description: Learn how to report phishing and suspicious emails in supported versions of Outlook using the built-in Report button.
 ms.service: defender-office-365
 search.appverid: met150
-ms.date: 09/28/2025
+ms.date: 12/05/2025
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/eop-about" target="_blank">Default email protections for cloud mailboxes</a>
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 1 and Plan 2</a>
@@ -51,7 +51,7 @@ The built-in **Report** button is available in the following versions of Outlook
 - The new Outlook for Windows<sup>\*</sup>
 - Outlook on the web<sup>\*</sup>
 
-<sup>\*</sup> In this version of Outlook, the built-in **Report** button also supports reporting messages from shared mailboxes or other mailboxes by a delegate.
+<sup>\*</sup> In this version of Outlook, the built-in **Report** button also supports reporting messages from shared mailboxes or other mailboxes by a delegate. The delegate user needs [Send As permissions](/microsoft-365/admin/add-users/give-mailbox-permissions-to-another-user) to report messages from the shared mailbox. Without Send As permission, the message is **not** sent to the reporting mailbox. Instead, the message is removed from the folder.
 
 The **Report** button is available in supported versions of Outlook if both of the following conditions are true:
 

defender-office-365/teams-message-entity-panel.md

@@ -16,9 +16,9 @@ ms.collection:
   - highpri
 description: Describes the Teams message entity panel for Microsoft Teams in Microsoft Defender for Office 365 Plan 2, how it does post-breach work like ZAP and Safe Links and gives admins a single pane of glass on Teams chat and channel threats like suspicious URLs..
 ms.service: defender-office-365
-ms.date: 11/16/2023
+ms.date: 10/27/2025
 appliesto:
-  - ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 1 and Plan 2</a>
+  - ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 2</a>
   - ✅ <a href="https://learn.microsoft.com/defender-xdr/microsoft-365-defender" target="_blank">Microsoft Defender XDR</a>
 ---
 
@@ -34,10 +34,12 @@ This article explains the information and actions on the Teams message entity pa
 
 To use the Email entity page, you need to be assigned permissions. You have the following options:
 
-- [Email & collaboration permissions in the Microsoft Defender portal](mdo-portal-permissions.md): Membership in the **Organization Management**, **Security Administrator**, or **Quarantine Administrator** role groups.
-- [Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal): Membership in these roles gives users the required permissions _and_ permissions for other features in Microsoft 365:
-  - _Full access_: Membership in the **Global Administrator**<sup>\*</sup> or **Security Administrator** roles.
-  - _Read-only access_: Membership in the **Global Reader** or **Security Reader** roles.
+- _Full access_:
+  - [Email & collaboration permissions in the Microsoft Defender portal](mdo-portal-permissions.md): Membership in the **Organization Management**, **Security Administrator**, or **Quarantine Administrator** role groups.
+  - [Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal): Membership in one of the following roles gives users the required permissions _and_ permissions for other features in Microsoft 365: **Global Administrator**<sup>\*</sup>, **Security Administrator**, or **Security Operator**.
+- _Read-only access_:
+  - Microsoft Entra permissions: **Global Reader** or **Security Reader**.
+- _[Remove users from Teams chats](#remove-users-from-teams-chats-in-the-teams-message-entity-panel)_: Requires membership in one of the following Microsoft Entra roles: **Global Administrator**<sup>\*</sup>, **Security Administrator**, or **Security Operator**.
 
   > [!IMPORTANT]
   > <sup>\*</sup> Microsoft strongly advocates for the principle of least privilege. Assigning accounts only the minimum permissions necessary to perform their tasks helps reduce security risks and strengthens your organization's overall protection. Global Administrator is a highly privileged role that you should limit to emergency scenarios or when you can't use a different role.
@@ -50,7 +52,25 @@ There are no direct links to the Teams message entity panel from the top levels
 
 - From the **Submissions** page at <https://security.microsoft.com/reportsubmission>:
   - Select the **Teams messages** tab \> select an entry by clicking anywhere in the row other than the check box.
-  - Select the **User reported** tab \> select a Teams entry by clicking anywhere in the row other than the check box. You can filter the entries by selecting :::image type="icon" source="media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** \> **Message type** \> **Teams**. The details flyout that opens is the Teams message entity panel.
+  - Select the **User reported** tab \> select a Teams entry by clicking anywhere in the row other than the check box. The details flyout that opens is the Teams message entity panel.
+
+    You can filter the entries by selecting :::image type="icon" source="media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** \> **Message type** \> **Teams**.
+
+- From the **Advanced Hunting** page at <https://security.microsoft.com/v2/advanced-hunting>, select a **TeamsMessageId** value (link) from the **MessageEvents** table in the query results. The details flyout that opens is the Teams message entity panel. For example:
+
+  ```kusto
+  UrlClickEvents
+  | where ThreatTypes !="" and Workload =="Teams"
+  | summarize count() by Url, ThreatTypes, ActionType, Workload
+  | project Url, ThreatTypes, ActionType, Workload, ClickCount=count_
+  | top 20 by ClickCount
+
+  UrlClickEvents
+  | limit 100
+
+  MessageEvents
+  | limit 100
+  ```
 
 ## What's on the Teams message entity panel
 
@@ -103,6 +123,46 @@ The rest of the Teams message entity panel contains the following information, r
 
 :::image type="content" source="media/teams-message-entity-panel-shown-in-quarantine.png" alt-text="Screenshot of the Teams Message Entity panel from a quarantined Teams message showing the common sections." lightbox="media/teams-message-entity-panel-shown-in-quarantine.png":::
 
+## Remove users from Teams chats in the Teams message entity panel
+
+> [!TIP]
+> Currently, this feature is in Preview, isn't available in all organizations, and is subject to change.
+>
+> You can only remove _internal_ users in your organization from a chat.
+>
+> When you remove users from a chat, the sender of the chat isn't blocked, and the removed users can start new chats with the sender.
+
+In the Teams entity panel, you can select :::image type="icon" source="media/m365-cc-sc-take-actions-icon.png" border="false"::: **Take action** at the top of the flyout (often under :::image type="icon" source="media/m365-cc-sc-more-actions-icon.png" border="false"::: **More actions**) to remove users from a Teams chat.
+
+Do the following steps in the **Take action** wizard:
+
+1. On the **Choose response actions** page, select **Remove user from conversation** from the **Conversation level actions** section, and then select **Next**.
+2. On the **Choose target entities** page, configure the following options:
+   - **Name** Enter a unique, descriptive name for the remove user scenario.
+   - **Description**: Enter optional details.
+
+   The rest of the page contains a details table with the following information about the users in the chat:
+
+   - **Impacted asset**: The email address of the user.
+   - **Action**: This value is always **Remove user from conversation**.
+   - **Target entity**: The **Thread id** GUID value of the chat.
+   - **Expires on**
+
+   By default, all users in the chat are selected, including external users you can't remove from the chat. Verify the _internal_ users to remove from the chat are selected.
+
+   When you're finished on the **Choose target entities** page, select **Next**.
+
+3. On the **Review and submit** page, review your previous selections.
+
+   Select **Back** to go back and change your selections.
+
+   When you're finished on the **Review and submit** page, select **Submit**.
+
+Removing users from a Teams chat is recorded on the **History** tab of the **Action center** page at <https://security.microsoft.com/action-center/history>. You can filter the results by **Action type** \> **Remove users from Teams conversations** and/or **Entity type** \> **Teams message**. In the alert details, you can confirm users were or were not removed from the Teams chat.
+
+> [!TIP]
+> Removing users from Teams chats doesn't create an investigation ID or an automated investigation.
+
 ## For more information
 
 [The Microsoft Defender for Office 365 Email Entity Page and how it works](mdo-email-entity-page.md)

defender-office-365/tenant-allow-block-list-about.md

@@ -8,7 +8,7 @@ manager: bagol
 audience: ITPro
 ms.topic: how-to
 ms.localizationpriority: medium
-ms.date: 09/22/2025
+ms.date: 12/05/2025
 search.appverid:
 - MET150
 ms.collection:
@@ -37,7 +37,7 @@ The Tenant Allow/Block list is available in the Microsoft Defender portal at <ht
 For usage and configuration instructions, see the following articles:
 
 - **Domains and email addresses** and **spoofed senders**: [Allow or block emails using the Tenant Allow/Block List](tenant-allow-block-list-email-spoof-configure.md)
-  - Entries apply to the MAIL FROM address (also known as the `5321.MailFrom` address, P1 sender, or envelope sender), not the From address (also known as the `5322.From` address or P2 sender). For more information about these addresses, see [Why internet email needs authentication](email-authentication-about.md#why-internet-email-needs-authentication).
+  - Entries apply to the From address (also known as the `5322.From` address or P2 sender), not the MAIL FROM address (also known as the `5321.MailFrom` address, P1 sender, or envelope sender). For more information about these addresses, see [Why internet email needs authentication](email-authentication-about.md#why-internet-email-needs-authentication).
   - Entries apply to messages from both internal and external senders. Special handling applies to internal spoofing scenarios.
   - Block entries for **Domains and email addresses** also prevent users in the organization from *sending* email to those blocked domains and addresses.
 - **Files**: [Allow or block files using the Tenant Allow/Block List](tenant-allow-block-list-files-configure.md)