Microsoft Defender for Office 365 Zero-hour auto-purge (ZAP) Teams protection capabilities to Defender for Office Plan 1
MC1187837 · build prod-20251231-200323
Category: planForChange
Severity: normal
Major change: True
Last modified: 2025-11-18 22:51:17
Summary source: Azure OpenAI (gpt-4.1)
Action by (Graph): (none)
Action by (AI): 2026-01-06 00:00:00
Services: Microsoft Defender XDR
Tags: New feature, User impact, Admin impact
Master tags: Security
Roadmap IDs: 529816

One-line summary

Starting January 6, 2026, Zero-hour auto-purge (ZAP) will be enabled by default for Teams in Defender for Office 365 Plan 1, automatically quarantining malicious messages.

Details

RoadmapIds: 529816
Summary: Starting January 6, 2026, Zero-hour auto-purge (ZAP) will be enabled by default in Microsoft Defender for Office 365 Plan 1, automatically moving malicious Teams messages to admin quarantine. Tenants can opt out before January 6, 2026, and admins manage quarantined content via the Security portal.
Platforms: Android, Desktop, iOS, Linux, Mac, Web

Body (from Message Center)

[Introduction]

Starting January 6, 2026, Zero-hour auto-purge (ZAP)—a feature that moves malicious messages from internal Microsoft Teams chats and channels to admin quarantine—will be turned on by default for Microsoft Defender for Office 365 Plan 1. This enhancement helps protect your organization by removing phishing or malware URLs from Teams conversations and placing them in the admin quarantine within the Microsoft 365 Security portal. For details on managing quarantined Teams messages, refer to Use the Microsoft Defender portal to manage Microsoft Teams quarantined messages.

Screenshot: Example of Admin quarantine showcasing all quarantined Teams messages

This message is associated with Microsoft 365 Roadmap ID 529816.

[When this will happen:]

  • General Availability (Worldwide): Rollout begins early January 2026 and will complete by mid-January 2026.
  • Default ON setting effective January 6, 2026, unless your tenant opts out before that.

[How this affects your organization:]

Who is affected:

  • All tenants using Microsoft Defender for Office 365 Plan 1 with Microsoft Teams.

What will happen:

  • ZAP will automatically move internal Teams messages detected as phishing or malware to the admin quarantine tab in the Security portal.
  • By default, ZAP protection for Teams will be ON for all tenants.
  • Existing ZAP settings apply; no policy changes are required unless you choose to opt out.
  • End users will not see quarantined messages in Teams; admins can review and manage quarantined content in the Security portal.

[What you can do to prepare:]

  • Review ZAP settings in the Microsoft 365 Security portal before January 6, 2026.
  • If you want to opt out of the default ON setting, do so via ZAP settings in the Security portal between December 6, 2025, and January 5, 2026.
  • Communicate this change to your helpdesk and update internal documentation as needed.

[Compliance considerations:]

No compliance considerations identified; review as appropriate for your organization.

[Feedback:]

We value your input. Please leave feedback directly from this Message Center post by selecting Thumbs up or Thumbs down, and adding a comment. (Optional) Include your email address in the text box so the responsible team can follow up if needed.
