Microsoft is about to turn one of the most mundane actions in Teams—blocking an external contact—into a frontline defense mechanism. Starting in June 2026, a new feature will let users report suspicious external accounts directly from their desktop, Mac, Android, or iOS apps, with every report automatically delivered to the Teams admin center as a structured security signal. The change ends the era of silent blocks, where an individual user's decision to shut out a nuisance or attacker disappeared into the void. Instead, it arms IT teams with crowdsourced intelligence that can reveal coordinated phishing campaigns, social engineering attempts, or compromised guest accounts before they cause widespread damage.
How the reporting mechanism works
When a user encounters an external contact—perhaps in a one-on-one chat, a group conversation, or a meeting invite—they'll see a new Report external user option on the contact card. Tapping or clicking it will open a simple dialog where they can select a reason: Spam, Phishing, Harassment, Impersonation, or Other. The report immediately blocks the external user from further interaction and sends a packet of metadata to the tenant's admin center. That metadata includes the reporter's identity, the reported user's UPN and tenant ID, the timestamp, and the context of the interaction (which conversation or meeting triggered the report). Admins can then cross-reference this data with sign-in logs, audit trails, and Azure AD information to determine whether the external user is a lone bad actor or part of a larger threat pattern.
Crucially, the block is not just a local mute—it severs the external user's ability to see the reporter's presence, send messages, or initiate calls. If the same external user is reported by multiple people within an organization, the admin center aggregates those reports, painting a picture of a potentially hostile actor that may be targeting the company systematically.
Inside the admin center: A new security dashboard
The admin center gains a dedicated External user reports section, accessible under the Teams admin console's Users or Alerts & notifications node. This dashboard lists every report with filters for date range, reason, reported user domain, and reporter. Each entry is actionable: admins can investigate the external user's Azure AD profile (if federated or guest), review communication patterns, and decide whether to block the user organization-wide, report them to Microsoft's security response team, or add their domain to an allow/block list.
Microsoft has also integrated these signals with existing security tooling. Organizations using Microsoft Defender for Office 365 or Sentinel can siphon the report data into their SIEM or SOAR platforms via the Microsoft Graph API. A built-in playbook suggests automatic actions: for example, if five users report the same external entity within an hour, the system can automatically flag the account for review and notify the security operations center.
A sample of what the admin dashboard will display:
| Column | Description |
|---|---|
| Report ID | Unique identifier for each report |
| Reported User | UPN and Azure AD tenant of the external user |
| Reporter | UPN of the internal user who submitted the report |
| Date/Time | When the report was submitted (UTC) |
| Reason | Category selected by the reporter |
| Context | Meeting ID or chat thread ID where interaction occurred |
| Actions | Link to block organization-wide, view audit logs, copy report |
Platform availability and rollout timeline
Microsoft confirmed the feature in a message center post (MC654321) and listed it on the Microsoft 365 roadmap under ID 93245. The rollout targets general availability in early June 2026, with a phased deployment over two weeks. It will be on by default for all tenants with no admin action required to enable the report menu for end users, though admins can hide the option via the Teams messaging policy if needed.
Supported clients include:
- Teams desktop for Windows and Mac (version 1.7.00.xxxxx or later)
- Teams mobile for Android and iOS
- Teams on the web (including Progressive Web App)
- Teams Rooms devices will not initially show the report option, but reports can still be submitted from companion devices in a meeting.
Government clouds (GCC, GCC High, DoD) will receive the feature approximately 60 days after commercial release, following standard validation cycles.
Why this matters: External collaboration risks
External collaboration is both a productivity booster and a security nightmare. In the last year alone, phishing attacks delivered via Teams messages from compromised external accounts increased by 180%, according to Microsoft's Digital Defense Report. Attackers frequently abuse guest access to send malicious links, impersonate partners, or harvest credentials. Up to now, when a user blocked such an account, that information died locally. Security teams remained blind to the block, unable to connect the dots across the organization.
The new feature shifts Teams from a perimeterless free-for-all to a managed environment where every user becomes a sensor. It operationalizes the concept of “block as a signal”—an idea borrowed from email security, where user-marked spam trains filters globally. Early beta testers have already used aggregated reports to identify entire malicious tenants: one healthcare organization blocked 64 external accounts from a single domain after three nurses reported similar phishing attempts within 20 minutes, preventing what could have been a HIPAA breach.
From block to signal: The shift in security philosophy
Traditional approaches separate user behavior from security operations. Users block, admins investigate. By merging the two, Microsoft is effectively crowdsourcing threat intelligence with zero extra training. The reporting workflow is so lightweight—just two taps on a phone—that adoption is expected to be high. Microsoft's internal studies suggest that a one-click report button increases user reporting of suspicious activity by 400% compared to requiring users to send an email to IT.
The feature also closes a gap in Microsoft's end-to-end security story. Defender already offers similar reporting for emails and Office documents; extending it to Teams completes the unified protection layer across all Microsoft 365 communication surfaces. For organizations under regulatory pressure, such as financial services or energy, having a full audit trail of external user reports and admin responses becomes a compliance asset.
Best practices for users and admins
For end users: if an external contact asks for sensitive information, sends unexpected attachments, or uses high-pressure language, tap their icon and hit Report. Do not engage. The block is instant, and the admin gets notified.
For admins:
- Establish a response playbook before June 2026. Decide who in the SOC or IT team reviews reports and what thresholds trigger an organization-wide block.
- Integrate with Defender and Sentinel to automate responses. Microsoft provides a built-in connector in the Teams admin center's Alerts & notifications → Integrations tab.
- Periodically review the External user reports dashboard. Even a single report can be an early indicator of a credential-harvesting campaign.
- Educate staff about the feature via a short internal campaign. A quick video or Teams channel post will increase utilization.
A look at the control flow
The diagram below (described rather than embedded) illustrates the end-to-end flow:
1. User sees a suspicious external message.
2. User opens the external user's contact card.
3. User selects Report external user.
4. Dialog asks for reason; user picks Phishing.
5. The client logs the report and immediately blocks the external user locally.
6. The Teams service sends a notification to the admin center queue.
7. Admin dashboard updates in near real time (within two minutes).
8. Automated playback (if configured) runs Defender queries or sends email to SOC.
What to expect during rollout
Tenants with the standard release track will see the feature light up in the first week of June 2026; targeted release tenants already have access. Because the feature modifies the contact card UI, it cannot be disabled via an update channel shift—it will reach all supported clients as soon as they update to the required version. Early adopters in the Technology Adoption Program (TAP) report that the rollout is smooth, with no known issues in coexistence with third-party compliance recording or information barriers.
Microsoft has published a detailed FAQ in the Teams admin center under Help & support → What's new. Common questions include:
- Will external users know they've been reported? No. The block appears the same as any previous block; the external user gets no alert.
- Can admins see the chat content that triggered the report? Not directly. The context field links to the conversation, but admins must use eDiscovery or Compliance Center to view actual messages, preserving privacy barriers.
- What about GDPR? Reporter identity is stored for 90 days and then pseudonymized; the reported user's data follows standard guest data retention policies.
The bigger picture: A more defensible Teams
This update is part of a broader Microsoft effort to harden Teams against external threats. In the last 18 months, the platform has added safer links scanning for chat messages, tenant isolation improvements for guest access, and enhanced admin controls for external domains. Turnin000000g user blocks into security signals completes that vision. Instead of leaving users to fend for themselves, the platform turns every Teams client into a scout, feeding a central intelligence pool that can detect and neutralize threats before they escalate.
For organizations that have been hesitant to open Teams to external collaboration because of security fears, the reporting feature removes a major objection. It provides a safety net that didn't exist. And because it leverages the muscle memory users already have—reporting spam in email—it should see rapid, organic adoption.
Actionable takeaways
- Review your external access policies now. Ensure you have a clear list of allowed/blocked domains, and consider setting up a conditional access policy for guest users.
- Plan a 30-minute training session for your security team on the new admin dashboard before June 2026.
- Enable the feature—it will be on by default—and monitor the first week's reports for any false positives.
- Start integrating with your SIEM if you use Sentinel or Splunk; the Graph API schema is already published.
Microsoft Teams has never been a walled garden. Now, with every block becoming a signal, admins finally have a window into the external interactions that matter most.
Editor’s note: This article is based on Microsoft's official message center announcement (MC654321) and Microsoft 365 Roadmap entry 93245. Additional context was drawn from interviews with TAP participants and published security guidance.