You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: defender-office-365/teams-message-entity-panel.md
+11-9Lines changed: 11 additions & 9 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -34,10 +34,12 @@ This article explains the information and actions on the Teams message entity pa
34
34
35
35
To use the Email entity page, you need to be assigned permissions. You have the following options:
36
36
37
-
-[Email & collaboration permissions in the Microsoft Defender portal](mdo-portal-permissions.md): Membership in the **Organization Management**, **Security Administrator**, or **Quarantine Administrator** role groups.
38
-
-[Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal): Membership these roles gives users the required permissions _and_ permissions for other features in Microsoft 365:
39
-
-_Full access_: Membership in the **Global Administrator**<sup>\*</sup>, **Security Administrator**, or **Security Operator** roles.
40
-
-_Read-only access_: Membership in the **Global Reader** or **Security Reader** roles.
37
+
-_Full access_:
38
+
-[Email & collaboration permissions in the Microsoft Defender portal](mdo-portal-permissions.md): Membership in the **Organization Management**, **Security Administrator**, or **Quarantine Administrator** role groups.
39
+
-[Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal): Membership in one of the following roles gives users the required permissions _and_ permissions for other features in Microsoft 365: **Global Administrator**<sup>\*</sup>, **Security Administrator**, or **Security Operator**.
40
+
-_Read-only access_:
41
+
- Microsoft Entra permissions: **Global Reader** or **Security Reader**.
42
+
-_[Remove users from Teams chats](#remove-users-from-teams-chats-in-the-teams-message-entity-panel)_: Requires membership in one of the following Microsoft Entra roles: **Global Administrator**<sup>\*</sup>, **Security Administrator**, or **Security Operator**.
41
43
42
44
> [!IMPORTANT]
43
45
> <sup>\*</sup> Microsoft strongly advocates for the principle of least privilege. Assigning accounts only the minimum permissions necessary to perform their tasks helps reduce security risks and strengthens your organization's overall protection. Global Administrator is a highly privileged role that you should limit to emergency scenarios or when you can't use a different role.
@@ -50,9 +52,11 @@ There are no direct links to the Teams message entity panel from the top levels
50
52
51
53
- From the **Submissions** page at <https://security.microsoft.com/reportsubmission>:
52
54
- Select the **Teams messages** tab \> select an entry by clicking anywhere in the row other than the check box.
53
-
- Select the **User reported** tab \> select a Teams entry by clicking anywhere in the row other than the check box. You can filter the entries by selecting :::image type="icon" source="media/m365-cc-sc-filter-icon.png" border="false"::: **Filter**\>**Message type**\>**Teams**.
55
+
- Select the **User reported** tab \> select a Teams entry by clicking anywhere in the row other than the check box. The details flyout that opens is the Teams message entity panel.
54
56
55
-
- From the **Advanced Hunting** page at <https://security.microsoft.com/v2/advanced-hunting>, select a **TeamsMessageId** value (link) from the **MessageEvents** table in the query results. For example:
57
+
You can filter the entries by selecting :::image type="icon" source="media/m365-cc-sc-filter-icon.png" border="false"::: **Filter**\>**Message type**\>**Teams**.
58
+
59
+
- From the **Advanced Hunting** page at <https://security.microsoft.com/v2/advanced-hunting>, select a **TeamsMessageId** value (link) from the **MessageEvents** table in the query results. The details flyout that opens is the Teams message entity panel. For example:
56
60
57
61
```kusto
58
62
UrlClickEvents
@@ -124,8 +128,6 @@ The rest of the Teams message entity panel contains the following information, r
124
128
> [!TIP]
125
129
> Currently, this feature is in Preview, isn't available in all organizations, and is subject to change.
126
130
>
127
-
> This feature works only for Teams chats and group chats that contain URLs.
128
-
>
129
131
> You can only remove _internal_ users in your organization from a chat.
130
132
>
131
133
> When you remove users from a chat, the sender of the chat isn't blocked, and the removed users can start new chats with the sender.
@@ -143,7 +145,7 @@ Do the following steps in the **Take action** wizard:
143
145
144
146
-**Impacted asset**: The email address of the user.
145
147
-**Action**: This value is always **Remove user from conversation**.
146
-
-**Target entity**: The **Threat id** GUID value of the chat.
148
+
-**Target entity**: The **Thread id** GUID value of the chat.
147
149
-**Expires on**
148
150
149
151
By default, all users in the chat are selected, including external users you can't remove from the chat. Verify the _internal_ users to remove from the chat are selected.
0 commit comments