Microsoft has quietly turned on a security feature that many Teams admins have been waiting for: user-reported suspicious messages from Teams now appear right inside the Teams admin center’s Protection reports. The addition, tracked under Microsoft 365 Roadmap ID 536571, connects frontline employees’ instincts to the tools IT teams use every day, closing a visibility gap that left Teams—a primary channel for corporate communication—outside the loop of user-driven threat intelligence. The rollout started arriving for standard multi-tenant commercial tenants in late March 2025 and should be fully available worldwide by early April.
New Signals in Your Protection Dashboard
Until now, when an employee flagged a sketchy message in Teams using the built-in “Report a concern” option, the response was, from an admin’s perspective, often a black hole. The report might land in a Microsoft backend log, but it rarely surfaced in a way that let security teams investigate or correlate it with other threats. That changes with this update.
Navigate to the Teams admin center, open the Analytics & reports area, and visit the Protection reports section. There, alongside existing data on spam, malware, and phishing detections from Microsoft’s automated filters, you’ll now find a tab or filter for “User reported” messages. These entries show messages that users manually flagged as phishing, spam, or otherwise suspicious, complete with information like the sender’s identity, the date and time of the report, and the classification the user selected—if multiple categories were offered.
The signals represent a new type of telemetry flowing into the admin center, and they’re not just a passive log. According to the roadmap item, the feature is designed to give admins “visibility into user-reported Teams messages for proactive investigation and response.” In practice, that means you can now spot a rising pattern—say, several users in the finance department reporting messages from an unfamiliar external account—and take action before the threat escalates into a broader compromise.
Why This Matters for Security Teams
Phishing and business email compromise (BEC) have long plagued email, but attackers are increasingly using collaboration platforms like Teams as an alternative delivery mechanism. A message that looks like it’s from a colleague or a partner, sent through a platform that users inherently trust more than email, can bypass traditional gateway defenses. And until now, even if a user sensed something off, the alert often went nowhere.
By capturing user-reports in the Teams admin center, Microsoft gives security operations teams a feed of human-verified threat intelligence. This is important for several reasons:
- Early warning system: Your employees become sensors, detecting social engineering attacks that automated filters might miss because they lack known malware signatures or malicious URLs.
- Reduced mean time to respond: Instead of waiting for someone to open a helpdesk ticket or forward a screenshot, the incident lands in a monitored dashboard, often minutes after the report.
- Context for investigations: A single user report might seem ambiguous, but aggregated data can reveal a campaign. For example, an external Teams call followed by a message containing a voice message lure could become visible across the organization.
- Compliance and governance: For regulated industries, having an auditable trail of user-reported security concerns—and what was done about them—supports internal and external reviews.
Microsoft has been gradually building out the infrastructure for user-reported signals in Defender for Office 365. Teams is the latest service to plug into that ecosystem, following Exchange Online, SharePoint, and OneDrive. This move acknowledges that collaboration threats are equal citizens with email threats.
Who Gets Access, and What It Requires
The feature is rolling out to standard worldwide multi-tenant Microsoft 365 commercial and education tenants. Government clouds (GCC, GCC High, DoD) are not included in this initial wave, though they historically receive security features on a separate, later schedule.
On the licensing side, the underlying technology relies on the same user reporting engine that powers Defender for Office 365. Although Microsoft has not explicitly stated the SKU requirements in the roadmap note, industry analysis suggests you’ll need one of the following:
- Microsoft 365 E5 / A5
- Microsoft 365 E5 Security / A5 Security
- Microsoft Defender for Office 365 Plan 2
Additionally, your tenant must have the User-reported messages settings configured appropriately. In most modern tenants, the built-in “Report” button in Teams is enabled by default, but you may need to turn on the forwarding of those reports to Microsoft and, by extension, to your own admin center. This is managed through the Teams messaging policy, specifically the parameter -AllowUserReportedMessages via PowerShell, or in the Teams admin center under Messaging policies.
If you don’t see user-reported data in your Protection reports yet, double-check your licensing and ensure the policy is enabled. Also, note that reports only appear after users actually start reporting—so some training and awareness might be in order before the dashboard fills up.
The Evolution of User-Reported Security in Microsoft 365
To understand the significance of this update, it helps to trace the arc of user-reporting tools in Microsoft 365.
2018–2019: The Report Message and Report Phishing add-ins for Outlook brought one-click user reporting to email. Reports went to Microsoft for analysis and also fed into the tenant’s own threat intelligence if configured.
2020: Microsoft integrated user-reported messages directly into the Defender for Office 365 portal, adding a “User reported” tab in the Submissions page and within Threat Explorer.
2021: Automated investigation and response (AIR) capabilities began to incorporate user reports as triggers, and the Attack Simulation Training service started to recognize user-report metrics.
2022–2023: The user reporting experience became native in Outlook and OWA (no add-in required), and Teams got its own “Report a concern” feature in the chat message menu. However, those Teams reports didn’t flow to admins in a structured way; they were purely a signal to Microsoft’s backend for tuning filters.
2024: Microsoft announced Roadmap ID 536571, signaling the intention to bring Teams user reports into the admin center. The development cycle coincided with a broader shift toward unifying security analytics across the Microsoft 365 Defender suite.
Now, early 2025: The feature lands in general availability.
The delay between the user-facing Report button and admin visibility in Teams was a clear frustration point. Security analysts in large organizations often asked in forums: “Why can’t I see when my users report a Teams message?” The answer, apparently, was that Microsoft had to build the plumbing to make that telemetry available without compromising privacy or overwhelming admin dashboards with noise.
How to Start Using These Signals Right Now
If your tenant meets the prerequisites, here’s a step-by-step guide to begin leveraging the new user-reported signals:
-
Verify Licensing: Ensure your tenant holds licences that include Defender for Office 365 Plan 2 or an equivalent suite (E5, A5, E5 Security). You can check in the Microsoft 365 admin center under Billing > Your products.
-
Configure Teams Messaging Policy:
- Open Teams admin center.
- Go to Messaging policies.
- Select the global policy or the policy assigned to your users.
- Under Message reporting, ensure “Users can report concerns to Microsoft” is enabled. This setting controls the visibility of the Report button in Teams and the forwarding of reports. If you use PowerShell, the parameter is-AllowUserReportedMessages $true. -
Enable User-Reported Messages in Defender (Optional but recommended):
- Navigate to the Microsoft 365 Defender portal (security.microsoft.com).
- Under Email & collaboration > Policies & rules > Threat policies > User reported settings, make sure that “Monitor reported messages in Outlook” and any Teams-specific toggles are configured as desired. While Teams reports may flow independently, aligning with Defender ensures a unified view. -
Train Your Users: Without user participation, the reports won’t materialize. Send out a quick how-to: in Teams, they can hover over a message, click the ellipsis, and select “Report a concern,” then choose “Phishing” or “Spam.” Clear, simple guidance increases reporting volume and accuracy.
-
Check the Protection Reports:
- In Teams admin center, go to Analytics & reports > Protection reports.
- Look for a “User reported” card or tab. The exact layout may vary, but you should see a list of reported messages, with details like date, reporter, sender, and message preview (the preview may be truncated for privacy).
- Use the data to spot trends. If you see multiple reports for the same sender, consider blocking that user or domain at the Teams admin level, and also check whether the same sender appears in Defender for email reports. -
Set Up Alerts: For proactive monitoring, create an alert policy in Microsoft 365 Defender > Email & collaboration > Policies & rules > Alert policy. Use the “User reported message” activity as a trigger, so your SOC gets a notification whenever a threshold number of reports is crossed within a certain time window.
-
Integrate with SIEM and SOAR: If your organization uses a SIEM like Microsoft Sentinel, you can ingest the User-reported message logs via the Office 365 Management API or the Microsoft 365 Defender APIs. This lets you correlate Teams reports with other security events, such as a suspicious sign-in from the sender’s account.
What to Watch Next
This feature is a foundational piece, and it’s likely just the beginning. Microsoft’s roadmap hints at broader integration: eventually, Teams user reports could trigger automated investigations directly in Defender for Office 365, just like email reports do today. We may also see more granular admin controls—for example, the ability to automatically quarantine a reported message or restrict the sender’s ability to initiate chats with other users.
For IT pros managing hybrid environments, the next big ask will be on-premises awareness. While Teams is cloud-only, the user-report data might one day flow into on-premises management tools via Graph APIs, but that’s still speculative.
In the near term, if you’re running a Microsoft 365 E5 or equivalent environment, take ten minutes to verify the settings and let your users know that reporting in Teams actually matters now. It’s a small change that turns every employee into a human firewall—and gives admins the data to wield that firewall effectively.