Microsoft plans to roll out a Security Detection Report in the Teams admin center, giving IT administrators a consolidated view of messaging threats—including impersonation attempts, malicious URLs, and dangerous file shares—when it reaches general availability in August 2026 for worldwide standard multi-tenant customers. The new reporting interface will serve as a single web-based pane for investigating security incidents that occur across chat, channel, and meeting conversations in Microsoft Teams.

This move addresses a long-standing gap in visibility for collaboration security. While Microsoft Defender for Office 365 already protects Teams against known threats, the reporting capabilities have been fragmented across multiple dashboards. The Security Detection Report will centralize these insights, enabling admins to triage and remediate threats faster without leaving the Teams administration console.

The New Security Detection Report

Slated for general availability in August 2026, the Security Detection Report will aggregate detections from multiple Microsoft Defender for Office 365 features, including Safe Links, Safe Attachments, and impersonation protection. According to internal Microsoft planning documents, the report will cover three primary categories of threats:

  • Impersonation (user and brand impersonation attempts)
  • Malicious URLs (phishing links, malware delivery sites)
  • Harmful files (malware, ransomware payloads, zero-day threats)

The feature has been designed for ease of use, placing critical threat data directly within the Teams admin center. Admins will no longer need to toggle between the Microsoft 365 Defender portal and Teams admin center to correlate a suspicious message with its security verdict. A single view will display the date, user involved, type of threat, and a direct link to the relevant conversation for quick investigation.

A Single Pane for Teams Threat Intelligence

Today, a Teams administrator investigating a potential phishing link must navigate multiple services. For example, Safe Links detections for Teams are viewable only in the Threat Explorer within the Microsoft 365 Defender portal, while audit logs for admin actions reside in the Compliance center. The Security Detection Report collapses these silos.

When an organization is targeted by a credential-harvesting campaign that spreads through Teams chats, the report will show all impacted users, the number of clicks on the malicious URL, the time of delivery, and the action taken—whether the link was blocked, warned, or allowed. This contextual correlation accelerates incident response and minimizes the window of compromise.

Additionally, the report will include filtering capabilities by date range, threat type, user, and channel. Admins can export the data for offline analysis or integrate it with their SIEM tools through the Microsoft Graph API. Microsoft has not yet disclosed whether custom workbooks or Power BI templates will be offered, but the groundwork is in place for extensible reporting.

Impersonation: The Persistent Threat

Impersonation is one of the most pernicious attacks within collaboration platforms. Attackers often spoof the identity of a CEO, finance lead, or IT support staff to trick employees into sharing credentials or wiring funds. Microsoft Defender for Office 365 already uses advanced machine learning models to detect both user impersonation and brand impersonation in email; the same intelligence is now being extended to Teams.

The Security Detection Report will surface instances where a display name, domain, or photo closely mimics a trusted contact. Each entry will indicate the confidence level of the detection, the targeted user, and whether the message was delivered to the recipient or automatically quarantined. Admins can review the message preview directly in the report and take remedial action, such as purging the chat or adding the sender to a block list.

Because impersonation attacks often exploit human psychology rather than technical vulnerabilities, early detection and centralized reporting are essential. A single click on a well-crafted phishing message can compromise an entire tenant. The unified report empowers security operations teams to spot attack patterns—such as multiple impersonation attempts aimed at the finance department—and adjust policies accordingly.

Malicious URLs remain a primary vector for malware delivery and credential theft in Teams. Attackers embed weaponized links in chat messages, meeting invites, and even shared OneNote notebooks. Safe Links for Teams rewrites and checks URLs at time-of-click, but until now, there has been no dedicated dashboard to review these detections exclusively within the Teams admin context.

With the new report, every blocked or warned URL will be listed with the original destination, the rewritten Safe Link, the click verdict, and the user’s actions. If a user clicked a blocked link and was redirected to a warning page, the report will log that interaction. This forensic trail supports post-incident reviews and helps train employees on safe collaboration practices.

Moreover, the report will highlight trending domains and recurring attacks. If a particular phishing campaign uses a set of rapidly rotating URLs, the report will group them for quicker analysis. Security analysts can also pivot from the report to the broader Microsoft 365 Defender investigation graph to see if the same URLs appeared in email or other workloads.

File-Based Threats in Collaboration

File sharing is integral to Teams, but it also opens doors for malware distribution. Threat actors slip weaponized documents into chats or channel conversations, knowing that team members trust internally shared content. Safe Attachments for Teams scans files in real time, detonating them in a sandbox to detect zero-day threats. Yet, without a centralized report, confirming whether a file was blocked, replaced, or allowed has been cumbersome.

The Security Detection Report will enumerate all files flagged by Safe Attachments, noting the file name, uploader, location, and the detection details—such as the specific malware family or suspicious behavior. For files that were blocked and replaced with a placeholder, admins can see the original file hash for further analysis. If a file was delivered but later deemed malicious, the report provides the tools to initiate an automated investigation and response playbook, such as removing the file from all chats and quarantine the file in SharePoint.

This level of visibility is especially valuable in organizations that handle sensitive data, where a single ransomware payload could have cascading effects. The report’s file-centric view complements the data governance reports already available in the Teams admin center, rounding out the administrative toolkit.

How Administrators Will Use the Report

Accessing the Security Detection Report will be straightforward: once generally available, it will appear under a new Security node in the Teams admin center, likely nested under Analytics & reports. Microsoft has designed the interface with the familiar look of other Microsoft 365 admin center reports, featuring cards, charts, and drill-through capabilities.

A typical workflow might proceed as follows:

  1. An admin checks the Security Detection Report daily, noticing a spike in impersonation detections.
  2. Filtering by threat type, they isolate ten messages targeting the CFO’s team.
  3. They review each message and confirm the phishing attempt.
  4. With two clicks, they purge the messages from all affected Teams chats and set up a rule to block similar external senders.
  5. They export the incident details for a post-mortem report.

Role-based access control will determine who can view the report. Global admins, Teams admins, and security operators with the appropriate permissions will have access. Microsoft has not yet indicated whether the report will be available in the Education, GCC, DoD, or other sovereign clouds at the same time as the worldwide multi-tenant release.

Integration with Defender for Office 365

Under the hood, the Security Detection Report relies entirely on the detection stack of Microsoft Defender for Office 365. This means organizations must have the appropriate licensing to see data in the report. While Microsoft has not finalized the exact licensing requirements, it is expected that Defender for Office 365 Plan 1 or Plan 2 (or equivalent capabilities bundled in Microsoft 365 E5) will be necessary.

Licensed tenants will benefit from the same advanced threat protection already available for email: machine learning models that detect malicious attachments, time-of-click URL analysis, and anti-impersonation algorithms. The report simply brings that protection to the surface within the Teams admin context. For organizations already invested in the Defender suite, this will be a welcome addition that reduces operational overhead.

It’s worth noting that Teams uses separate, domain-specific lists for Safe Links and Safe Attachments policies. Admins can manage these policies in the Microsoft 365 Defender portal, but the report will reflect the effective policy for each detection. This alignment ensures that what admins see in the report matches the configured security posture.

Availability and Licensing

Microsoft has confirmed that the Security Detection Report will reach general availability in August 2026 for worldwide standard multi-tenant customers. Initially, it will not be available for GCC, GCC High, DoD, or other specialty clouds. Support for those environments typically follows a few months after the global rollout, but no timeline has been provided.

No separate license purchase will be required beyond the existing Defender for Office 365 plans. However, some features—such as advanced correlation with Microsoft Sentinel or extended data retention—may demand higher-tier licenses. Microsoft plans to publish detailed prerequisites in the Microsoft 365 message center closer to the launch date.

What This Means for Enterprise Security

The introduction of the Security Detection Report is more than a UX improvement; it signals Microsoft’s commitment to maturing Teams as a secure enterprise communication and collaboration platform. As more business-critical conversations move from email to chat, the attack surface expands, and so does the need for embedded, admin-friendly security controls.

For security operations teams, the report reduces the cognitive load of incident investigation by contextualizing detections where they happen. It allows for faster identification of compromised accounts, leaked credentials, or lateral movement attempts that begin with a simple Teams message. Small and medium-sized businesses without dedicated security analysts will also benefit, as the report surfaces high-priority threats without requiring deep technical expertise.

However, the report is only as effective as the underlying policies. Organizations should already have Safe Links, Safe Attachments, and anti-impersonation policies configured for Teams. The report won’t replace proactive security measures; it will amplify them by providing the missing feedback loop.

Forward Look

Although August 2026 seems distant, Microsoft is likely to begin private previews in late 2025 or early 2026, giving early adopters a chance to influence the feature. The company has also hinted at expanding the report to include meeting-specific threats, such as unsanctioned app integrations and malicious meeting invites, though these additions have not been confirmed.

Looking further ahead, expect deeper integration with Microsoft’s security orchestration, automation, and response (SOAR) tools. Automated playbooks could be triggered directly from a detection in the report, such as disabling a compromised user’s account or initiating a broader investigation in Microsoft Sentinel. Real-time alerts and integration with mobile admin apps are also natural next steps.

In the relentless cat-and-mouse game of cybersecurity, visibility is power. With the Security Detection Report, Microsoft is handing IT teams a flashlight to illuminate the shadowy corners of their Teams environment. The new feature will be eagerly watched by administrators worldwide as they shore up their defenses against the next generation of collaboration-based attacks.