Remove users from Teams chats using Microsoft Defender for Office 365

Created

2025

Last updated

Reading time

3 minutes

Die Inhalte auf dieser Seite wurden maschinell übersetzt.

Microsoft Defender for Office 365 now lets authorized admins remove users from Teams group and 1:1 chats, revoking conversation access. This feature, enabled by default, supports faster incident response and logs actions for compliance. Rollout begins November 2025, requiring Security or Global Admin roles.

[Introduction]

We’re introducing a new security capability in Microsoft Defender for Office 365: the ability to remove users from Microsoft Teams conversations directly from the Defender portal. This enhancement supports faster incident response and containment by allowing authorized admins to take immediate action on suspicious or compromised accounts.

With the appropriate permissions, admins can remove users from group chats and 1:1 conversations by selecting Take action on the Teams Entity flyout and choosing Remove user from conversation in the Action Wizard. This action also revokes access to the conversation history.

Screenshot 1: Use the Action Wizard in Microsoft Defender for Office 365 to remove users from Teams conversations.

user settings

[When this will happen:]

General Availability (Worldwide): Rollout begins early November 2025 and is expected to complete by late November 2025.

[How this affects your organization:]

Who is affected: Admins using Microsoft Defender for Office 365 to monitor Teams message activity.
What will happen:
- Admins can remove users within their tenant from Teams group chats and 1:1 conversations.
- Removed users will lose access to the conversation history.
- The feature is enabled by default; no configuration changes are required.
- Action results are visible in the Action Center under the History tab (event type: Remove users).
- Detailed logs are available in Audit Logs for compliance and tracking.
- Required roles: Security Admin, Security Operator, or Global Admin.
- If a user has already been removed, they cannot be removed again.
- The Action Wizard is accessible from the Teams Entity flyout in Submissions, Quarantine, and Advanced Hunting.

[What you can do to prepare:]

No action is required to enable this feature. However, you may want to:

Communicate this update to your security operations team.
Review role assignments to ensure appropriate access to the Action Wizard.
Learn more: The Teams message entity panel in Microsoft Defender for Office 365 Plan 2.

[Compliance considerations:]

Compliance Area	Explanation
Audit logging capabilities	Defender Audit Logs will record the removal action for compliance and tracking purposes.

We are here for you!

Do you have any questions or need assistance? We’re happy to help.

Original Message Center post >