Defender Plan 1 Users Can Now Flag Threats in Teams

Microsoft has expanded security controls in Microsoft Teams, allowing Defender for Office 365 Plan 1 users to directly flag suspicious and malicious messages.

The update strengthens Teams threat detection by enabling end-users to report risks in real time, a capability previously limited to higher-tier subscriptions.

The change, tracked under Roadmap ID 531760, allows users to report messages across chats, channels, and meeting conversations.

Microsoft confirmed the update on February 9, 2026, citing the growing need to protect collaboration platforms as actively as email systems.

The new option lets users classify messages as either a security risk, including phishing, malware, or spam, or as not a security risk when content is incorrectly flagged.

These reports feed directly into Microsoft Defender workflows and provide security teams with immediate visibility into potential threats.

“Empowering end users to act as the first line of defense is now critical as internal communication tools increasingly attract external threats,”

Microsoft said in its roadmap update.

The reporting feature remains opt-in and requires administrative activation. Organizations must enable “User reported” settings in the Microsoft Defender portal for Teams reporting to function.

Once enabled, reports will route to the Defender “User reported” page or a designated mailbox for centralized investigation.

Microsoft said the rollout will complete by late March 2026. The company highlighted a rise in attacks shifting from traditional email phishing to collaboration tools, which employees often perceive as trusted environments.

By integrating user-generated signals into Defender for Office 365, Microsoft aims to improve detection accuracy for conversational attacks, including business email compromise attempts delivered through chat.

Security teams are advised to prepare staff guidance ahead of the rollout. Further updates are expected as deployment progresses.