MC1187837 – Microsoft Defender for Office 365 Zero-hour auto-purge (ZAP) Teams protection capabilities to Defender for Office Plan 1

Product:

Defender, Defender for Office 365, Defender XDR, Teams

Platform:

Android, iOS, Linux, Mac, Online, Web, Windows Desktop, World tenant

Status:

Launched

Change type:

New feature, User impact, Admin impact

Links:

529816

Details:

Summary:
Starting January 6, 2026, Zero-hour auto-purge (ZAP) will be enabled by default in Microsoft Defender for Office 365 Plan 1, automatically moving malicious Teams messages to admin quarantine. Tenants can opt out before January 6, 2026, and admins manage quarantined content via the Security portal.

Details:
[Introduction]
Starting January 6, 2026, Zero-hour auto-purge (ZAP)-a feature that moves malicious messages from internal Microsoft Teams chats and channels to admin quarantine-will be turned on by default for Microsoft Defender for Office 365 Plan 1. This enhancement helps protect your organization by removing phishing or malware URLs from Teams conversations and placing them in the admin quarantine within the Microsoft 365 Security portal. For details on managing quarantined Teams messages, refer to Use the Microsoft Defender portal to manage Microsoft Teams quarantined messages.
Screenshot: Example of Admin quarantine showcasing all quarantined Teams messages

This message is associated with Microsoft 365 Roadmap ID 529816.
[When this will happen:]
General Availability (Worldwide): Rollout begins early January 2026 and will complete by mid-January 2026.
Default ON setting effective January 6, 2026, unless your tenant opts out before that.

Change Category:
XXXXXXX ... free basic plan only

Scope:
XXXXXXX ... free basic plan only

Release Phase:
General Availability

Created:
2025-11-19

updated:
2025-11-19

Task Type

XXXXXXX ... free basic plan only

Docu to Check

XXXXXXX ... free basic plan only

MS How does it affect me

XXXXXXX ... free basic plan only

MS Preperations

XXXXXXX ... free basic plan only

MS Urgency

XXXXXXX ... free basic plan only

MS workload name

XXXXXXX ... free basic plan only

linked item details

XXXXXXX ... free basic plan only

Pictures

XXXXXXX ... free basic plan only

summary for non-techies**

XXXXXXX ... free basic plan only

Direct effects for Operations**

User Experience Disruption
End users will not see quarantined messages in Teams, potentially leading to confusion or frustration if they are unaware of the ZAP feature and its implications on their communications.
   - roles: End Users, Helpdesk Staff
   - references: https://learn.microsoft.com/defender-office-365/mdo-support-teams-about#configure-zap-for-teams-protection-in-defender-for-office-365, https://learn.microsoft.com/defender-office-365/quarantine-admin-manage-messages-files#use-the-microsoft-defender-portal-to-manage-microsoft-teams-quarantined-messages " target="_blank" rel="nofollow noopener noreferrer">https://learn.microsoft.com/defender-office-365/quarantine-admin-manage-messages-files#use-the-microsoft-defender-portal-to-manage-microsoft-teams-quarantined-messages

Increased Admin Workload
Admins will need to manage quarantined content in the Security portal, which may increase their workload and require additional training on the new processes.
   - roles: Security Admins, IT Support Staff
   - references: https://learn.microsoft.com/defender-office-365/quarantine-admin-manage-messages-files#use-the-microsoft-defender-portal-to-manage-microsoft-teams-quarantined-messages, https://security.microsoft.com/quarantine?viewid=Teams

Potential Communication Gaps
If the change is not communicated effectively, users may be unaware of the new ZAP feature, leading to misunderstandings about message availability and security measures.
   - roles: End Users, Communications Team
   - references: https://learn.microsoft.com/defender-office-365/zero-hour-auto-purge#zero-hour-auto-purge-zap-in-microsoft-teams" target="_blank" rel="nofollow noopener noreferrer">https://learn.microsoft.com/defender-office-365/zero-hour-auto-purge#zero-hour-auto-purge-zap-in-microsoft-teams, https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=529816

Risk of Phishing Exposure
Without proper preparation and communication, users may inadvertently click on malicious links in Teams messages that are not yet quarantined, increasing the risk of phishing attacks.
   - roles: End Users, Security Admins
   - references: https://learn.microsoft.com/defender-office-365/zero-hour-auto-purge#zero-hour-auto-purge-zap-in-microsoft-teams" target="_blank" rel="nofollow noopener noreferrer">https://learn.microsoft.com/defender-office-365/zero-hour-auto-purge#zero-hour-auto-purge-zap-in-microsoft-teams, https://learn.microsoft.com/defender-office-365/mdo-support-teams-about#configure-zap-for-teams-protection-in-defender-for-office-365 " target="_blank" rel="nofollow noopener noreferrer">https://learn.microsoft.com/defender-office-365/mdo-support-teams-about#configure-zap-for-teams-protection-in-defender-for-office-365

Policy Compliance Issues
Organizations may face compliance issues if they do not review and adjust their policies regarding the handling of quarantined messages, potentially leading to data governance risks.
   - roles: Compliance Officers, Security Admins
   - references: https://learn.microsoft.com/defender-office-365/quarantine-admin-manage-messages-files#use-the-microsoft-defender-portal-to-manage-microsoft-teams-quarantined-messages, https://learn.microsoft.com/defender-office-365/zero-hour-auto-purge#zero-hour-auto-purge-zap-in-microsoft-teams" target="_blank" rel="nofollow noopener noreferrer">https://learn.microsoft.com/defender-office-365/zero-hour-auto-purge#zero-hour-auto-purge-zap-in-microsoft-teams

Configutation Options**

XXXXXXX ... paid membership only

Opportunities**

Enhanced Security Monitoring
With ZAP enabled by default, security teams can more effectively monitor and manage potential threats in Teams. This allows for quicker response times to phishing attempts and malware distribution, improving overall security posture.
   - next-steps: Train security personnel on how to utilize the admin quarantine effectively and implement a monitoring routine to review quarantined messages regularly.
   - roles: Security Administrators, IT Managers, Compliance Officers
   - references: https://learn.microsoft.com/defender-office-365/mdo-support-teams-about#configure-zap-for-teams-protection-in-defender-for-office-365, https://learn.microsoft.com/defender-office-365/quarantine-admin-manage-messages-files#use-the-microsoft-defender-portal-to-manage-microsoft-teams-quarantined-messages

Improved User Trust and Experience
By automatically quarantining malicious messages, users can feel more secure while using Teams, knowing that potential threats are being actively managed. This can lead to increased user satisfaction and productivity.
   - next-steps: Communicate the benefits of ZAP to all users and provide training on how to recognize phishing attempts, thereby enhancing their overall experience with Teams.
   - roles: End Users, Training Coordinators, IT Support Staff
   - references: https://learn.microsoft.com/defender-office-365/zero-hour-auto-purge#zero-hour-auto-purge-zap-in-microsoft-teams, https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=529816

Streamlined IT Operations
The introduction of ZAP reduces the manual effort required by IT teams to manage and mitigate phishing threats in Teams. This automation allows IT staff to focus on more strategic initiatives rather than reactive measures.
   - next-steps: Review current IT processes related to threat management in Teams and identify areas for further automation or improvement based on the capabilities provided by ZAP.
   - roles: IT Administrators, Operations Managers, Security Analysts
   - references: https://security.microsoft.com/quarantine?viewid=Teams, https://learn.microsoft.com/defender-office-365/quarantine-admin-manage-messages-files#use-the-microsoft-defender-portal-to-manage-microsoft-teams-quarantined-messages

Potentional Risks**

XXXXXXX ... paid membership only

IT Security**

XXXXXXX ... paid membership only

explanation for non-techies**

Starting January 6, 2026, Microsoft will enable a feature called Zero-hour auto-purge (ZAP) by default for Microsoft Defender for Office 365 Plan 1 users. This feature is like having a security guard for your Microsoft Teams messages. Imagine you have a mailbox where letters arrive, and sometimes, unwanted junk mail sneaks in. ZAP acts like a vigilant mail sorter, automatically identifying and removing any suspicious or harmful letters (in this case, messages) before they reach you. These messages are then placed in a special holding area, known as admin quarantine, where an administrator can review them.

For organizations using Microsoft Teams, this means that any messages identified as phishing attempts or containing malware will be intercepted and moved to a secure area. This is similar to how a spam filter works for your email, catching potentially harmful content before it reaches your inbox. Admins can then decide what to do with these quarantined messages by accessing the Microsoft 365 Security portal.

The feature will be turned on automatically, but organizations have the option to opt out if they prefer not to use it. It's like having the option to tell your mail sorter to stop filtering certain types of mail if you want to handle them yourself. This decision needs to be made before January 6, 2026, if you choose to opt out.

For those who manage IT systems, it's important to review and communicate these changes within your organization, ensuring everyone is aware of how messages are being handled and where to find quarantined content. This will help maintain smooth operations and security within your Teams environment.