check before: 2026-01-06
Product:
Defender, Defender for Office 365, Defender XDR, Teams
Platform:
Android, iOS, Linux, Mac, Online, Web, Windows Desktop, World tenant
Status:
In development
Change type:
New feature, User impact, Admin impact
Summary:
Starting January 6, 2026, Zero-hour auto-purge (ZAP) will be enabled by default in Microsoft Defender for Office 365 Plan 1, automatically moving malicious Teams messages to admin quarantine. Tenants can opt out before January 6, 2026, and admins manage quarantined content via the Security portal.
Details:
[Introduction]
Starting January 6, 2026, Zero-hour auto-purge (ZAP), a feature that moves malicious messages from internal Microsoft Teams chats and channels to admin quarantine, will be turned on by default for Microsoft Defender for Office 365 Plan 1. This enhancement helps protect your organization by removing phishing or malware URLs from Teams conversations and placing them in the admin quarantine within the Microsoft 365 Security portal. For details on managing quarantined Teams messages, refer to Use the Microsoft Defender portal to manage Microsoft Teams quarantined messages.
Screenshot: Example of Admin quarantine showcasing all quarantined Teams messages
This message is associated with Microsoft 365 Roadmap ID 529816.
[When this will happen:]
General Availability (Worldwide): Rollout begins early January 2026 and will complete by mid-January 2026.
Default ON setting effective January 6, 2026, unless your tenant opts out before that.
Release Phase:
General Availability
Created:
2025-11-19
updated:
2025-11-19
Direct effects for Operations**
User Experience Disruption
End users will not see quarantined messages in Teams, potentially leading to confusion or frustration if they are unaware of the ZAP feature.
- roles: End Users, Helpdesk Staff
- references: https://learn.microsoft.com/defender-office-365/zero-hour-auto-purge#zero-hour-auto-purge-zap-in-microsoft-teams
Increased Admin Workload
Admins will need to manage quarantined messages in the Security portal, which may increase their workload and require additional training.
- roles: Security Admins, IT Support Staff
- references: https://learn.microsoft.com/defender-office-365/quarantine-admin-manage-messages-files#use-the-microsoft-defender-portal-to-manage-microsoft-teams-quarantined-messages
Potential for Missed Threats
If admins do not regularly check the quarantine, there is a risk of missing legitimate threats that may still affect users.
- roles: Security Admins, Compliance Officers
- references: https://learn.microsoft.com/defender-office-365/mdo-support-teams-about#configure-zap-for-teams-protection-in-defender-for-office-365
Communication Gaps
Failure to communicate the change to users may lead to misunderstandings about message availability and security measures.
- roles: IT Communication Managers, Helpdesk Staff
- references: https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=529816
Policy Management Challenges
Existing ZAP settings may not align with organizational policies, leading to potential compliance issues if not reviewed.
- roles: Compliance Officers, Security Admins
- references: https://learn.microsoft.com/defender-office-365/zero-hour-auto-purge#zero-hour-auto-purge-zap-in-microsoft-teams
Opportunities**
Enhanced Security Awareness Training
With the introduction of ZAP for Teams, there is an opportunity to enhance security awareness training for users. Training can focus on recognizing phishing attempts and understanding the importance of reporting suspicious messages, thus improving overall security culture.
- next-steps: Develop a training module specifically addressing Teams security and phishing awareness, and schedule training sessions for all users before the ZAP feature is enabled.
- roles: Security Administrators, IT Managers, Training Coordinators
- references: https://learn.microsoft.com/defender-office-365/zero-hour-auto-purge#zero-hour-auto-purge-zap-in-microsoft-teams, https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=529816
Streamlined Incident Response Processes
The automatic quarantine of malicious messages allows for a more streamlined incident response process. Admins can quickly review and act on quarantined messages, reducing the time to respond to potential threats.
- next-steps: Establish a clear protocol for reviewing quarantined messages, including assigning roles for who will manage and respond to incidents. Regularly review and update the protocol based on evolving threats.
- roles: Security Administrators, Incident Response Teams, IT Support Staff
- references: https://learn.microsoft.com/defender-office-365/quarantine-admin-manage-messages-files#use-the-microsoft-defender-portal-to-manage-microsoft-teams-quarantined-messages, https://security.microsoft.com/quarantine?viewid=Teams
Improved Reporting and Analytics
The implementation of ZAP provides an opportunity to enhance reporting and analytics capabilities regarding Teams communications. By analyzing quarantined messages, organizations can identify trends in phishing attempts and tailor their security measures accordingly.
- next-steps: Set up a reporting framework to analyze quarantined messages regularly. Utilize insights to improve security policies and user training.
- roles: Data Analysts, Security Administrators, IT Managers
- references: https://learn.microsoft.com/defender-office-365/mdo-support-teams-about#configure-zap-for-teams-protection-in-defender-for-office-365, https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=529816
** AI generated content. This information must be reviewed before use.