Microsoft Teams Adds Option To Report Messages Incorrectly Flagged As Security Threats

Microsoft has introduced a new feature in Teams that allows users to misreport messages identified as security threats, helping to reduce false positives in organizational communications.

This update, tied to Microsoft 365 Roadmap ID 501202, began rolling out in early September 2025 for targeted release and is set to complete general availability worldwide by the end of November 2025.

Organizations need Microsoft Defender for Office 365 Plan 2 or Microsoft Defender XDR to access it, with the feature supporting Android, desktop (Windows and Mac), iOS, and web platforms for seamless use across devices.

By enabling direct user feedback, Microsoft aims to refine its AI-driven threat-detection models, which classify URLs and messages based on patterns such as phishing indicators and malicious links.

This addresses a common issue in which automated systems flag benign content, such as legitimate shared links in chats or channels, disrupting productivity.​

The rollout update from November 17, 2025, confirms the feature’s expansion but delays the default-on setting in the Teams admin center to early 2026, requiring admins to enable it during the initial phase manually.

Users encounter the option when a message is flagged; hovering over it reveals a “More options” menu with “Report this message,” which opens a dialog to select “Not a security concern.”

Upon submission, the report includes the message context, URL details (if applicable), and user rationale, which feed into Microsoft’s machine learning algorithms to adjust classification thresholds over time.

This process enhances AI/ML capabilities by incorporating human-verified data, reducing false-positive rates that can overload security teams with unnecessary investigations.

Technically, the system leverages Defender’s backend to analyze reported items against threat intelligence feeds, potentially updating safe list entries or refining signature-based detection for similar future instances.

Feature Implementation Details

To activate the reporting, admins must configure settings in two portals for full functionality.

In the Teams admin center, navigate to Messaging settings > Messaging safety, and toggle “Report incorrect security detections” to On, ensuring it applies across all messaging policies.

Simultaneously, in the Microsoft Defender portal, enable user-reported messages under Submissions to route feedback to the dedicated tab, where security admins review details like submission timestamps, message hashes, and attached payloads.

For existing tenants, this is off by default; for new tenants, it is enabled, preventing reports from being lost if they are mismatched.

The feature integrates with Entra ID for access controls, allowing group-based permissions to manage these toggles and view reports, enhancing governance in enterprise environments.

Reported submissions store customer data securely in the Microsoft Defender portal, including message content and metadata, but only accessible to authorized admins via role-based controls.

This data fuels iterative improvements in Defender’s AI models, which use supervised learning to retrain on false positive examples, potentially lowering CVSS-like risk scores for misclassified items in future scans.

During targeted release, the feature was off by default to allow testing. However, at general availability, it shifts to on, with preserved admin customizations.

Organizations should prepare by educating users on the process and establishing review workflows to act on reports promptly, minimizing any temporary workflow interruptions.

Compliance and Security Enhancements

Compliance aspects include data storage in Azure-based Defender services that comply with standards such as GDPR and SOC 2, with reports retained for model training but anonymized where possible.

The AI modifications interact with customer data indirectly, using aggregated feedback to evolve threat classification without exposing individual submissions beyond admin views.

Admins can control the feature via Entra ID groups, ensuring only qualified personnel handle reports, which might include indicators like IP origins or domain reputations for deeper analysis.

This empowers security teams to correlate user feedback with broader threat intelligence, such as integrating with Microsoft Defender XDR for cross-platform visibility.

Overall, this addition strengthens Teams’ security posture by closing the feedback loop on detections, fostering trust in automated tools, and enabling adaptation to evolving threats, such as sophisticated phishing campaigns.

For more, refer to Microsoft’s documentation on end-user reporting.

As of November 21, 2025, the rollout nears completion, promising more accurate protections for collaborative environments.