Description
- Type: CUSTOMER
- Severity: WARNING
- Protection against: MISCONFIGURATION
- FIX Available: YES
This Customer Check checks whether users can report a security concern in Teams. When this feature is enabled, end users can report suspicious messages, files, or links directly from Teams to Microsoft and to security administrators within the organization.
Why this check?
Users are often the first to notice suspicious activities in Teams, such as phishing messages, malware attachments, or unusual requests from colleagues. By providing users with an easy way to report these security concerns, you create a human defense layer that complements automated security measures.
The "Report a Security Concern" feature adds a report button to Teams messages. When a user clicks on it, the report is sent to Microsoft for analysis and can also be forwarded to your security team. This helps quickly identify phishing campaigns, compromised accounts, or new attack techniques that are not yet recognized by automated filters.
Without this feature, users rely on email or other channels to report security issues, which raises the threshold and causes delays. This means that potential attacks remain undetected longer and can spread within the organization. It is therefore important that this reporting capability is directly available within Teams.
What are the possible outcomes of this check?
This check has two possible outcomes. In Attic this is reflected as follows:
- Okay: Users can report a security concern in Teams (AllowSecurityEndUserReporting is enabled)
- Warning: Users CANNOT report a security concern in Teams, customer action is required
How should this be followed up?
If the output is Warning, we advise to enable the security reporting feature for Teams. This allows users to report suspicious messages and files to your security team.
For this check, a Fix is available, which we will offer via Attic. The fix enables AllowSecurityEndUserReporting for Teams.
Manual Instructions
Follow these steps to manually adjust the setting:
- Open PowerShell and connect to Teams using the Teams PowerShell module with the command:
Connect-MicrosoftTeams - Check the current setting with the command:
Get-CsTeamsMessagingPolicy -Identity Global | Select-Object AllowSecurityEndUserReporting - Enable the security reporting feature with the command:
Set-CsTeamsMessagingPolicy -Identity Global -AllowSecurityEndUserReporting $true - Verify the change by repeating step 2. The value of AllowSecurityEndUserReporting should now be "True"
Integration with Microsoft Defender Portal
Important: This check only verifies the Teams configuration. To actually receive the reported messages in the Microsoft Defender portal, you must also perform the following additional configuration:
- Go to the Microsoft Defender portal (https://security.microsoft.com)
- Navigate to Settings > Email & collaboration > User reported settings
- Enable Microsoft Teams under the section "Monitor reported messages in Microsoft Teams"
- Configure where the reports should be sent (Microsoft, custom mailbox, or both)
Without this Defender portal configuration, the Teams report button will be visible to users, but the reports will not be processed by your security team.
Comments
0 comments
Please sign in to leave a comment.