The Teams message entity panel in Microsoft Defender for Office 365 Plan 2

Important

Some information in this article relates to a prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.

Similar to the Email summary panel for email messages, Microsoft 365 organizations that have Microsoft Defender for Office 365 Plan 2 (add-on licenses or included in subscriptions like Microsoft 365 E5) have the Microsoft Teams message entity panel in the Microsoft Defender portal. The Teams message entity panel is a details flyout that includes all Microsoft Teams data about suspicious or malicious chats, channels, and group chats on a single, actionable panel.

This article explains the information and actions on the Teams message entity panel.

Permissions and licensing for the Teams message entity panel

To use the Email entity page, you need to be assigned permissions. You have the following options:

  • Full access:

  • Read-only access:

    • Microsoft Entra permissions: Global Reader or Security Reader.
  • Remove users from Teams chats: Requires membership in one of the following Microsoft Entra roles: Global Administrator*, Security Administrator, or Security Operator.

    Important

    * Microsoft strongly advocates for the principle of least privilege. Assigning accounts only the minimum permissions necessary to perform their tasks helps reduce security risks and strengthens your organization's overall protection. Global Administrator is a highly privileged role that you should limit to emergency scenarios or when you can't use a different role.

Where to find the Teams message entity panel

There are no direct links to the Teams message entity panel from the top levels of the Defender portal. Instead, the Teams message entity panel is available in the following locations:

  • From the Quarantine page at https://security.microsoft.com/quarantine: Select the Teams message tab > select an entry by clicking anywhere in the row other than the check box. The details flyout that opens is the Teams message entity panel.

  • From the Submissions page at https://security.microsoft.com/reportsubmission:

    • Select the Teams messages tab > select an entry by clicking anywhere in the row other than the check box.

    • Select the User reported tab > select a Teams entry by clicking anywhere in the row other than the check box. The details flyout that opens is the Teams message entity panel.

      You can filter the entries by selecting Filter > Message type > Teams.

  • From the Advanced Hunting page at https://security.microsoft.com/v2/advanced-hunting, select a TeamsMessageId value (link) from the MessageEvents table in the query results. The details flyout that opens is the Teams message entity panel. For example:

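    // Top 20 URLs clicked in Teams that have a threat verdict, by click count
    UrlClickEvents
    | where ThreatTypes != "" and Workload == "Teams"
    | summarize count() by Url, ThreatTypes, ActionType, Workload
    | project Url, ThreatTypes, ActionType, Workload, ClickCount=count_
    | top 20 by ClickCount

    // Sample of URL click events
    UrlClickEvents
    | limit 100

    // Sample of Teams message events (results include TeamsMessageId)
    MessageEvents
    | limit 100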
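An added example, not part of the original article: a query that returns TeamsMessageId links alongside the fields the panel shows (time received, sender, external flag, conversation type, threats, message location, URLs). The 7-day window, the 50-row limit, the MessageUrlInfo table, and every column other than TeamsMessageId are assumptions based on the advanced hunting schema; confirm them in the schema pane before relying on the results.

```kusto
// Added example: Teams messages with a threat verdict in the last 7 days.
// Assumed columns: Timestamp, SenderEmailAddress, IsExternalThread, ThreadType,
// ThreatTypes, DeliveryLocation (MessageEvents) and Url (MessageUrlInfo).
MessageEvents
| where Timestamp > ago(7d)
| where isnotempty(ThreatTypes)
// Attach up to 10 URLs per message, matching what the panel lists before "View all URLs"
| join kind=leftouter (
    MessageUrlInfo
    | summarize Urls = make_set(Url, 10) by TeamsMessageId
  ) on TeamsMessageId
| project Timestamp, TeamsMessageId, SenderEmailAddress, IsExternalThread,
          ThreadType, ThreatTypes, DeliveryLocation, Urls
| sort by Timestamp desc
| take 50
```

Selecting a TeamsMessageId value in the results opens the Teams message entity panel for that message.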
    

What's on the Teams message entity panel

The following information is available at the top of the Teams message entity panel:

  • The title of the flyout is the subject or the first 100 characters of the Teams message.
  • The current message verdict.
  • The number of links in the message.
  • The actions that are available at the top of the flyout depend on where you opened the Teams message entity panel.

Tip

To see details about other Teams messages without leaving the Email summary panel of the current message, use Previous item and Next item at the top of the flyout.

The next sections in the Teams message entity panel depend on where you opened it:

The rest of the Teams message entity panel contains the following information, regardless of where you opened it:

  • Message details section:

    • Threats
    • Message location
    • Sender address
    • Time received
    • Detection tech
    • Teams message ID: You can use this value as an identifier of a Teams message in Defender for Office 365.
  • Sender section:

    • The sender's name and email address
    • Domain
    • External: The value Yes indicates the message was sent between an internal user and an external user.
  • One of the following sections, depending on whether the message is from a chat or a channel:

    • Chat: The Participants section:
      • Conversation type
      • Chat name
      • Name and email: Contains the name and email addresses of all of the participants (including the sender). If there are more than 10 participants, it also links to a secondary panel that lists all the participants in the chat at the time of the suspected threat.
    • Channel: The Channel details section:
      • Conversation type
      • Conversation name: Contains the name of the channel.
      • Name and email: Contains the name and address of the channel.
  • URLs section:

    • Name and type: Contains the URL from the Teams message.
    • Threat

    If the message has more than 10 URLs, select View all URLs to see all of them.

Screenshot of the Teams Message Entity panel from a quarantined Teams message showing the common sections.

Remove users from Teams chats in the Teams message entity panel

Tip

Currently, this feature is in Preview, isn't available in all organizations, and is subject to change.

You can only remove internal users in your organization from a chat.

When you remove users from a chat, the sender of the chat isn't blocked, and the removed users can start new chats with the sender.

In the Teams entity panel, you can select Take action at the top of the flyout (often under More actions) to remove users from a Teams chat.

Do the following steps in the Take action wizard:

  1. On the Choose response actions page, select Remove user from conversation from the Conversation level actions section, and then select Next.

  2. On the Choose target entities page, configure the following options:

    • Name: Enter a unique, descriptive name for the remove user scenario.
    • Description: Enter optional details.

    The rest of the page contains a details table with the following information about the users in the chat:

    • Impacted asset: The email address of the user.
    • Action: This value is always Remove user from conversation.
    • Target entity: The Thread id GUID value of the chat.
    • Expires on

    By default, all users in the chat are selected, including external users you can't remove from the chat. Verify the internal users to remove from the chat are selected.

    When you're finished on the Choose target entities page, select Next.

  3. On the Review and submit page, review your previous selections.

    Select Back to go back and change your selections.

    When you're finished on the Review and submit page, select Submit.

Removing users from a Teams chat is recorded on the History tab of the Action center page at https://security.microsoft.com/action-center/history. You can filter the results by Action type > Remove users from Teams conversations and/or Entity type > Teams message. In the alert details, you can confirm users were or were not removed from the Teams chat.

Tip

Removing users from Teams chats doesn't create an investigation ID or an automated investigation.

For more information

The Microsoft Defender for Office 365 Email Entity Page and how it works

Safe Links in Microsoft Defender for Office 365

Zero-hour auto purge (ZAP) in Microsoft Teams