V1.2 of the User Passwords and MFA report includes the names of authentication methods registered for user accounts. V1.3 expands the amount of detail reported for each method, such as the phone number used for SMS challenges, or the email address used for SSPR. It’s a small but important detail that’s useful to administrators. However, it also comes with a potential privacy issue, so the script must handle that too.

Microsoft has announced the formal renaming of the Win32 version of Outlook to be Outlook (classic). It's preparing for the general availability of the new Outlook for Windows, expected very soon into the new Microsoft fiscal year starting on July 1, 2024. The change doesn’t affect the status of Outlook (classic) or the commitment to support the client until at least 2029.

The Set-PlannerUserPolicy cmdlet allows Microsoft 365 tenant administrators stop users deleting tasks created by other users. However, an undocumented consequence of setting the policy for user accounts is that it stops those accounts removing plans too. The unexpected block imposed by Set-PlannerUserPolicy caused me problems when attempting to delete a plan usingh PowerShell. It would be nice if the modules created by Microsoft worked as expected (and as documented).

The Microsoft 365 Licensing Report is a popular PowerShell script that's just been updated to V1.9 with a bunch of changes to highlight different aspects such as license costs for disabled user accounts and nactive user accounts. Copious use of some very dubious color choices makes the HTML report created by the script look very nice (if you're color blind) and the new version can generate an Excel worksheet.

Microsoft wants users to upgrade from legacy Outlook clients. The biggest impact for Microsoft 365 tenants might be the loss of OWA light, but consumer users are in for the same kind of change that enterprise users experienced when Microsoft blocked basic authentication for Exchange Online. The announcement wasn't very clear about what's happening, so we're happy to clarify matters.

The Set-MailboxFolderPermission cmdlet is usually used to set calendar permissions, including the permission for the default user to allow everyone in an organization to see each other’s calendars. But you can use cmdlets from the Microsoft Graph PowerShell SDK too. The Graph SDK cmdlets are faster, but not enough to warrant replacing the Exchange cmdlet in scripts. We explain why here.

The incoming webhook connector is a popular method to post information to Teams channels, but Microsoft seems set on retiring the Office connectors. The Teams post to channel workflow when a webhook request is received seems like is a possible replacement, but it's not just a matter of switching mechanisms. Some PowerShell magic is needed to create a suitabel adaptive card to post to the channel, which is exactly what we explain how to do here.

A Microsoft Graph update makes per-user MFA state available for user accounts. Being able to access the data means that we can include it in the User Passwords and Authentication report. You can now see if accounts are disabled, enabled, or enforced for per-user MFA along with all the other information captured about passwqrd changes, MFA authentication methods, and so on.

Our review of the Videos chapter for the Office 365 for IT Pros eBook found a Teams meeting policy setting we hadn't documented to block downloads for channel meeting recordings. Naturally, this was a disaster, so we spent some time investigating what the policy setting does and if it's useful in practice. It works, but do you want to block downloads of channel meeting recordings?

Splatting is a PowerShell technique designed to make it easier to pass parameter values for cmdlets. It's optional to use splatting. It's a personal choice whether to use splatting, but the good thing is that you can use splatting with Microsoft Graph PowerShell SDK cmdlets, even with some pretty complex parameters.

Office 365 Connectors bring data from external sources into Microsoft 365 apps like Teams and Outlook. Workflows and Power Automate are replacing Connectors for Microsoft 365 Groups (Outlook groups) and SharePoint Online. Connectors are still available in Teams but for how long? No one knows, but it does seem like Microsoft is rationalizing no-code automation around Power Automate.

Understanding SharePoint Online storage used to be easy. Then applications like Loop arrived. Other influences like retention and archive can affect storage too. It's a complicated situation before you throw OneDrive for Business into the mix and consider that Microsoft has removed unlimited OneDrive storage while an increasing number of apps store files in OneDrive. It's a complicated situation.

Three years ago, I wrote a script to analyze the audit records generated for Teams meeting recordings. Then things changed in terms of how the audit records were generated and how the Search-UnifiedAuditLog cmdlet returns audit search results. All of which meant that considerable work was needed to revamp (rewrite) the script. Maybe you need to check any script that uses the Search-UnifiedAuditLog cmdlet too?

This article describes how to use the Microsoft Graph PowerShell SDK to report delegated permission assignments to user accounts and apps. Like in other parts of Microsoft 365, the tendency exists to accrue delegated permissions for both user accounts and apps over time. There's nothing wrong with having delegated permissions in place, if they are appropriate and needed - and that's why we report their existence.

Deciding whether to use Microsoft Graph PowerShell SDK cmdlets or Graph API requests is sometimes not easy. Some say that it's best to use Graph API requests everywhere and avoid the complication of possibly buggy Graph PowerShell SDK cmdlets. My approach is different. I start with Graph PowerShell SDK cmdlets and only resort to Graph API requests when absolutely necessary. It works for me!

The latest technology initiative from Microsoft comes in the form of Teams custom emojis, designed to bring light and happiness to Microsoft 365 tenants. Of course, the light and happiness will only happen if tenants don't disable the settings in Teams messaging poilicies that allow users to upload custom emojis. A tenant can support up to 5,000 Teams custom emojis. That's a lot of room for people to get inventive.

Without any fuss or bother, Microsoft announced that the Teams 2.1 client has regained the Notify When Available feature. This functionality allows users to subscribe to the presence status for someone else to receive notifications when that person's presence status changes to Available. It's a very useful and worthwhile feature to have that goes back to Skype. It's good to have it back!

The June 2024 update for the Office 365 for IT Pros 2024 edition ebook is available for download. We're also announcing the availability of the 2025 edition on 1 July 2024. Office 365 for IT Pros 2025 edition drops the companion volume and introduces a new book dedicated to Automating Microsoft 365 with PowerShell. Anyone who subscribes to the 2024 edition in June 2024 will receive a free update to the 2025 edition when it is published.

Copilot audit records generated for the Microsoft 365 audit log capture details of the resources (files, emails, and documents) used by Copilot in its answers. This doesn't sound very exciting, but it is important for forensic investigators who need to understand what information is consumed to generate AI answers. In another development, the Copilot for Microsoft 365 chat app is now available in Outlook classic.

Microsoft is deploying additional audit events to tenants with Purview Audit (Standard) licenses. Among the 15 Teams events in the set are Teams meeting audit events to capture details of meetings and participants. Unhappily, some of the data that you'd like to have for meetings, like the subject, are missing. And meeting participant information is available for some classes of user but not for others.

The Teams Activity feed received two recent major changes. First, calendar notifications now show up in the feed. Second, the set of filters that were available are reduced to just two (mentions and unread). Reducing the filters is part of Microsoft’s effort to streamline the Teams 2.1 client and remove unnecessary screen elements. I guess it’s OK, and you can disable the calendar notifications to stop that annoyance.

A request came in for a PowerShell script to report mailbox audit configurations to check that the important new events are being generated by mailboxes. After diverting into the hellhole of Microsoft licensing, normal sanity was resumed and a PowerShell script written to do the job. The script generates a CSV file or Excel worksheet for tenant administrators to review. After that, it's up to you.

Microsoft is changing the storage location for Teams Meeting Transcripts from Exchange Online to OneDrive for Business. The change is designed to standardize storage of meeting recordings and transcripts in OneDrive for Business. The change makes sense seeing that Stream has completed its migration to SharePoint and OneDrive. In other news, because transcripts are now so important for other features, a bunch of new controls are coming to allow organizations to limit access to this data.

The Stream browser client has received some nice new features including the ability to trim videos in a very efficient manner and to add callouts to videos to appear between specific timecodes. And there’s Copilot for Stream, which is available if you have Copilot for Microsoft 365. The extra functionality demonstrates that Microsoft continues to invest in the development of the Stream client, which is nice.

A May 20 post contains the welcome news that the new audit events promised for Purview Audit standard customers should be available in June 2024. Some of these events are for Exchange Online, like the famous MailItemsAccessed event. Others are for Teams and SharePoint Online. In the case of Exchange, tenant administrators might have to do some work to validate that mailbox audit configurations are correct.

A new feature for Teams recurring meetings allows meeting organizers to create Loop workspaces to hold content shared within the meetings. It's an example of close integration between different parts of the Microsoft 365 ecosystem to add value for customers. That's great, providing you have the correct licenses to allow meeting organizers to create Loop workspaces and don't need to support guest access (coming soon).

On April 9, 2024, Micosoft announced a big change in authentication for Outlook add-ins. It's likely that people don't realize the kind of change that's coming. The change removes legacy Exchange authentication methods and replaces them with Nested App Authentication (NAA). Time is running short for developers to upgrade and test their code and Microsoft 365 tenants to get ready for the changeover.

The Financial Times reported that the EU is lining up new charges against Microsoft for Teams anti-competive behavior. Given that Microsoft has already unbundled Teams from Office 365 products, it's hard to know what remedy the EU will seek. If it's a fine, then Microsoft could be charged up to 10% of their worldwide revenues. That's unlikely, but the issue highlights how hard it is to compete against an integrated solution.

On May 14, Microsoft announced that they will require Azure MFA for connections to services starting in July 2024. No details about the implementation are available, so it's difficult to measure the likely impact on Microsoft 365 tenants. Given that very few people access services like the Azure portal, it's probable that the impact will not be large, but it would be nice to hear thatg from Microsoft.

Teams has added the ability to use slash commands (shortcuts) to the message compose box. Although the feature seems useful, I wonder about its potential usage. The fact is that people are pretty accustomed to how they compose message text and other options are available to add Loop or code blocks or set their online status, so why would they use the slash commands in the message compose box?

A recent SharePoint Onlne update enables folder deletion when items are present in a folder. This is probably the way that things should have always worked. Even so, it's good to have this capability because it helps site users clean out old and obsolete information, something that's becoming increasingly important in the AI era for Microsoft 365.

The Follow response is a new option for people invited to a meeting to indicate that they can't attend but are interested in what happens. Replying with a Follow response means that the user gains access to the meeting artifacts (like the chat and recap). It also means that the allotted time is not blocked in their calendar. The feature will be most valuable to people who have heavily-used calendars.

This article describes the process of blocking device code authentication requests against Entra ID with a preview feature for conditional access policies. It's a good idea to tighten tenant security by removing device code authentication unless a clearly-defined need exists for apps to authenticate using this method. I suspect that most tenants will find that they can happily do without device code authentication.

Team channel collaboration might be a better choice than always creating a new team to host discussions about a topic, especially if channels grow in features. Now that a single team can support a mix of up to 1,000 regular, shared, and private channels, all of which can be archived, is it a good option to continue to create new teams? The answer is probably not, especially if Microsoft continues on a path to develop channel capabilities.

The user authorization policy defines user role permissions, or actions that non-admin users can take within an Entra ID tenant. The default settings are silly. I can't think of good reasons to allow non-admin users to create new registered apps, tenants, or security groups. Why default settings allow these actions is a mystery, and it could be they're just outdated.

In a May 2 announcement, Microsoft said that they have signed up 9 ISVs to add support for Entra ID authentication methods. The third-party methods work the same way as native Entra ID authentication (like the Authenticator app), meaning that verified connections can be used by other Entra solutions like Privileged Identity Management.

The Teams iOS client can send one-minute Teams video messages (or clips) to chats or channels conversations. Now, the videos can use image or blur backgrounds. Nice as it is to be able to expose your artistic side in Teams messaging, the compliance problem with Teams video messages remains. If you allow users to send video messages, remember that they could use this route to get around compliance barriers.

Some problems emerged in V2.17 and V2.18 of the Microsoft Graph PowerShell SDK. In one case, Microsoft changed cmdlet names. In another, it's an identity issue caused by incompatible assemblies. In both cases, questions have to be asked about the level of testing done by Microsoft before they release a new module. Bugs do happen, but testing should catch the obvious problems.

On May 2, 2024, Microsoft announced the retirement of the Stream Mobile app on July 1, 2024. It's all to do with rationalization and focus, or so Microsoft says. In any case, the suggested replacements are the OneDrive and Microsoft 365 apps, both of which are capable of handling video uploads, management, and playback.

The Share to Teams Outlook add-in posts an email to a Teams chat or channel conversation. I was asked how to disable the add-in for some mailboxes. Here's how to do the job using PowerShell to find a set of target mailboxes and then turn off Send to Teams for each mailbox.

Another month, another update for the Office 365 for IT Pros eBook. In this case, it's monthly update #107 for Office 365 for IT Pros (2024 edition), now available for download by subscribers from Gumroad.com and Amazon.com. Like every month, update #107 contains a mixture of new features and revised knowledge, all essential information for Microsoft 365 tenant administrators to have.

The Copilot for Microsoft 365 license has 8 service plans to govern feature availability. You can disable individual components, if you know what you're doing. One thing that's not possible is to disable Copilot for individual Office apps. A single service plan covers all the "productivity apps," so they're either all on or all off.

The Teams classic client has been replaced by the Teams 2.1 client. Microsoft will block access to the Teams classic client for people running the app on unsupported platforms in October 2024. The final block swings into place for everyone on July 1 2025. The migration to the new client appears to be going well, so I'm not sure if many will miss the old client.

The Microsoft FY24 Q3 results didn't contain any new user numbers for Office 365 or Teams. However, we did learn that Copilot and Azure are popular words in the Microsoft lexicon. As usual, statistics were introduced without context, but investors won't really care too much as Microsoft continues to generate tons of revenue at a healthy margin, especially from its cloud business.

Teams group chats are getting a new Meet Now experience. Is that good news? Well, it's not an earthshattering change, but it is a nice change because it simplifies the way the Meet Now feature works. It's the kind of change that software vendors make to tidy up the loose ends in a product.

A reader asked if it is possible to script sending chat messages. In this article, we explore how to compose and send Teams urgent messages to a set of recipients using Microsoft Graph PowerShell SDK cmdlets. The conversation with each recipient is a one-to-one chat that Teams either creates from scratch or reuses (if a suitable one-on-one chat exists).

Some years ago, I wrote a script to demonstrate how to remove service plans with PowerShell. This article describes some upgrades to make the script even better by improving the code and leveraging complex Microsoft Graph queries against the license information stored for Entra ID user accounts. It's PowerShell, so feel free to change the script!

The M365 Conference takes place in Orlando, FL from April 28 to May 2, 2024. I have two sessions, but my attempts to find sessions that cover all of Microsoft 365 failed because there's no coverage of Entra ID and Exchange Online. Instead, the Microsoft priorities like Copilot, Viva, and SharePoint take front and center stage. I think that's a pity, but maybe the reason is because speakers don't submit sessions covering Entra ID and Exchange Online topics?

License management is a core competence for Microsoft 365 tenant administrators. This article explains how to use PowerShell to remove licenses from accounts when an equivalent service plan is available from another license. It's the kind of fix-up operation that tenant administrators need to do on an ongoing basis.

April 11 saw the general availability of Microsoft Graph activity logs, a new set of data recording details of Graph API HTTP requests made in a tenant. The logs are intended to help security analysts understand actions taken by apps in a tenant such as data access or configuration updates. Before working with Graph activity logs, security analysts will need to understand Graph API requests and the context they’re made.

Although the trend is toward password authentication, many Microsoft 365 tenants still use passwords and some force users to change passwords regularly. This article explains how to create a password expiration report with PowerShell. The script caters for where a tenant password expiration policy is set for passwords to never expire. If anything else, it's yet another example of how to extract information using PowerShell.

Exchange Online announced two important changes on April 15. SMTP AUTH is being depreciated and a new external recipient rate limit is being introduced. The changes are intended to improve the security of Exchange Online. The introduction of an external recipient rate limit is also intended to reduce the ability of spammers to abuse the platform.

The Maester tool is a community initiative to create a tool to help tenant administrators improve the security of their Entra ID tenants. It’s still in its early stages, but even so Maester shows signs that it will be a valuable asset for administrators who want to learn more about securing their tenant against possible external compromise.

Microsoft Teams now boasts the ability to add customizable group chat pictures to what might be otherwise a set of chats with not-very-good generated pictures. The idea is to make it easier for people to find the right group chat in their chat list, Of course, it might be difficult to find just the right picture to use, but Microsoft has selected 36 illustrations and there's over 1,800 emojis to choose from.

Monarch client security became an issue last year when a German website reported some issues. It turns out that the reported problems are mostly hyperbole, but that hasn't stopped them persisting, especially when email client competitors like Proton weigh in. It's regrettable that much of the commentary is based on an incomplete understanding of how Monarch works, but Microsoft doesn't help themselves by not explaining the facts.

A recent note from Microsoft advised that if your tenant uses classic Azure administrative role, you need to switch to Azure RBAC roles by 31 August 2024. This forced me to think about how many Azure services does my tenant consume. The number was surprising and it's grown over time, which is why Microsoft 365 tenant admins should pay attention to Azure.

A new parameter for the Set-CsTenantFederationConfiguration cmdlet made me look at the Teams tenant federation configuration again to improve how a script works. Instead of taking all the domains guest accounts came from and adding them to the configuration, I created a function to check if the tenant uses Microsoft 365. If it does, we add the tenant to the allow list in the tenant federation configuration. If not, we ignore the domain.

A previous attempt to write a script to report all Loop workspaces in a tenant was flawed because it only retrieved the first 200 workspaces. I hadn't realized that the Get-SPOContainer cmdlet supported an odd form of pagination to retrieve workspace data. In any case, I figured out how to page top find all available workspaces and updated the script. It's just another example of oddness in the SharePoint Online PowerShell module

According to Microsoft 365 notification MC736438, Microsoft is getting tougher at enforcing the rules for Purview information protection licenses. In a nutshell, if administrators and end users don't have premium licenses, features like automatic labeling policies or default sensitivity labels for document libraries won't work. Users can still apply sensitivity labels manually.

A new major version of the MsCommerce PowerShell module makes you hope that something good is included in the new code. In this case, it’s hard to know if the developers did anything but increase the major version number for the MsCommerce module. Not much has changed. The module is as bad as ever, but at least it can be used to disable self-purchases of all supported licenses, which is all that's really important.

The unified audit log includes Copilot for Microsoft 365 audit events captured when users interact with Copilot through apps. The information is very helpful in terms of understanding the usage of Copilot in different apps (apart from Outlook, which isn't captured). Some care needs to be taken to understand the data and interpret the audit events, but that's usual when dealing with Microsoft 365 audit data.

Microsoft announced a new component for OWA distribution list management but clearly the engineers never took role assignment policy customizations into account. If they had, they wouldn't have created something that ignores the way organizations block end user ability to create new distribution lists. It's just a sad indication of Microsoft's attitude to one of the workhorses of Exchange.

The April 2024 update for the Office 365 for IT Pros eBook is now available for subscribers to download from Gumroad.com or Amazon.com. Like every month, update #107 covers lots of new material to document the changing landscape of Microsoft 365. The author team would appreciate if subscribers download and use the updated version - there's no point in using old stuff to navigate an ecosystem that changes all the time.

On March 27, SharePoint history reached its 23rd year. That's a great achievement and SharePoint Online powers many apps. But dark clouds are on the horizon as information governance becomes a real issue for Microsoft 365 tenants. Too much information that is never cleared out is held in SharePoint, a fact revealed by the ability of Copilot to find and consume documents.

Every Microsoft 365 tenant has a tenant identifier, a unique GUID that's used within the Entra ecosystem to identify a tenant and its objects. Much has changed since I last wrote about this topic in 2021, including the introduction of new Graph APIs to resolve tenant names to identifiers and vice versa.

After the welcome announcement that the Loop app will support external access, thoughts might turn to figuring out who uses the app. Fortunately, it's easy to answer the question by using data extracted from the unified audit log. Activity records tell us about both licensed user interaction and unlicensed user activity. It's good to know what people are up to.

A new preview feature supports high completeness audit log searches. These searches are optimized to make sure that they find every matching audit instead of finishing as quickly as possible. High completeness audit log searches do take more time but their results are accurate and they find more records than Search-UnifiedAuditLog was able to in the past. Looks like a good new feature.

Message center notification MC734281 explains that Copilot for Microsoft 365 will get better grounding for Word, Excel, PowerPoint, and OneNote from April 2024. After the update, the apps will be able to ground user prompts by using Graph and web searches to find relevant information. Being able to generate accurate text seems like a good thing for an AI tool, and there's no doubt that better grounding will help. But why is it appearing six months after the general availability of Copilot for Microsoft 365?

The Microsoft 365 Groups and Teams Activity Report is a PowerShell script that I've worked on since 2016 (not all the time). Some recent Graph hiccups meant that I had to apply some fixes and workarounds. At the same time, some users hit the infamous 'not recognized as a valid datetime' problem, so another update was needed. All good, clean fun.

A new convert to internal user preview feature allows Entra ID administrators to convert external accounts to internal accounts. An option is available in the Users section of the Entra admin center or PowerShell can be used to automate the conversion of accounts. It's a useful feature that should prove popular.

Microsoft 365 Backup costs are charged on a PAYG basis against an Azure subscription. You pay a flat fee of $0.15 per month per gigabyte of protected content. This article discusses calculating the sizes of protected data and reports the costs accrued over two months.

Microsoft's support for SharePoint Online PowerShell has degraded over the last few years. Pnp.PowerShell is now the best option as not much is happening in the official SharePoint Online management module or the tenant settings Graph API. the lack of progress is a pity, but perhaps it's also true that community-driven projects sometimes deliver better results.

An article by security researchers Black Hills pointed to some vulnerabilities with incoming webhook connectors and email connections for Teams channels. Fortunately, it seems like Microsoft is making changes to Teams to improve security. Even so, it's always wise for tenants to keep an eye on how information flows into Teams.

The Loop app is a powerful collaborative platform that has been handicapped up to now with a restriction on its External Sharing capabilities. That restriction is being lifted in a two-phase process starting in April 2024. Tenants without sensitivity labels will get the capability first followed by those that use sensitivity labels.

This article describes how to use sign-in data to identify unused Entra ID registered devices. It’s an imperfect solution because Entra ID doesn’t log device information in many sign-in records. I’m sure there’s a good reason why Microsoft doesn’t capture the device information, but it’s a little frustrating. We have an imperfect and partial solution, but that’s better than nothing.

This article describes the experience of creating a custom quarantine message for Exchange Online Protection to send to those with email held in quarantine. The Microsoft Defender portal allows administrators to create custom settings for up to three languages. My initial attempts failed, but then something happened and all is well. It could just be the difference between English and English...

An interesting LinkedIn post by a Microsoft employees relates how Copilot for Microsoft 365 saves him 14 hours monthly. Reports like this must be taken with a pinch of salt because many factors combine to determine the success individuals achieve with a new technology. However, there's a ring of truth in this report. The question is can others achieve the same results?

On March 7, Microsoft published a timeline for the New Outlook for Windows client that says that support for the classic client will be until at least 2029. Three phases must be navigated and a lot of functionality added before the new Outlook for Windows can replace Outlook Classic, including fundamental functionality like offline mode.

A recent article by a Microsoft MVP attempted to lay out a case that tenants should not use Microsoft 365 PowerShell and use ISV products instead. It's a silly position to argue. PowerShell is an important automation tool for administrators that can't be replaced by any ISV product. ISV products have their place and fill many gaps, but arguing to dump PowerShell and use ISV products instead just can't be justified.

Restricted SharePoint Search is an answer for customers who don't like the idea of Copilot for Microsoft 365 being able to find documents in any site the signed-in user has access to. A curated list of 100 sites will be avialable to Copilot along with user data in OneDrive and files that have been shared with or worked on by a user. Will this scheme allow tenants to deploy Copilot while they sort out site permissions? Time will tell, starting in April 2024.

The use of Information Protection sublabels is one of the questions for teams implementing sensitivity labels in Microsoft 365 tenants. Some like the granular appearance of sublabels and consider them a valuable guide to assist users to pick the most appropriate label. Others prefer a simple list of sensitivity labels. Both approaches work well. It's up to you to decide.

An update allows Teams owners to archive Teams channels. This is an excellent way of keeping old channels online while removing them from open view. The PowerShell cmdlets have not yet caught up the archive channel option so they don't report this status, but all good things come to those who wait and I'm sure that we will be able to report archived channels soon.

Microsoft has released the View Another Mailbox feature for the new EAC. This is part of the build-out of the new EAC functionality before the retirement of the old EAC. Interestingly, the new feature depends on the old Exchange Control Panel dating back to Exchange 2010. Things aren't quite as modern and fast as Microsoft says they are.

The Office 365 for IT Pros eBook team has released the March 2024 update for the only eBook covering the Microsoft 365 ecosystem that's updated monthly. February 2024 saw many different issues that impacted the content of the book, including the retirement of Viva Topics and some annoying PowerShell bugs. It's just the kind of change that keeps us busy updating the book month after month.

Microsoft has created an easy to use Microsoft 365 Backup solution. Its key feature is speed, including speed to restore data. I tested restores for Exchange Online (which worked) and SharePoint Online and OneDrive for Business (which didn't). The lack of logging and error reporting when failures happen lead to frustration. Microsoft has some work to do to bulletproof this solution.

A Microsoft Technical Community article gave some interesting information about how to report soft-deleted Entra ID objects. We think we can improve the information by tweaking the script, especially to include the object type in the output. As always, you can download the script from GitHub.

If you wanted to write a PowerShell script to create a OneDrive storage report, you'd probably use the cmdlets from the SharePoint Online management module. But accessing OneDrive usage data via the Graph is much faster. And you can include information from other sources, such as user properties, to build out the report. All explained here.

Microsoft has released the preview of the Entra ID usage insights for premium license consumption. This could be the harbinger of a more restricted licensing regime for Entra ID premium features such as conditional access. Putting any barrier in place to stop more accounts being protected by multifactor authentication seems like a bad idea. Let's hope that this isn't the case here.

The Viva Topics retirement announced on February 22, 2024 is an inevitable side-effect of Microsoft's ongoing focus on Copilot. It is difficult to argue against the retirement. Business, technology, and implementation factors stack up against Viva Topics. The future of Microsoft Knowledge Management is firmly in the grasp of Copilot.

Teams Tags Support for Private and Shared Channels should arrive in targeted tenants soon. The new tag capability uses channel memberships instead of the team roster. It's a small but useful change, as is the option to start a chat with tagged members. On the downside, Microsoft is deprecating suggested tags. But on the upside, you can include emojis in tag names.

Two methods exist to exclude a SharePoint sites from Copilot being able to use its contents - you can exclude the site (or document library) from search results or use sensitivity labels. Given the choice, sensitivity labels are more flexible and powerful, but removing sites from search indexes is easier to implement.

Usually, we recommend that Microsoft 365 tenants use the latest version of the Microsoft Graph PowerShell SDK. However, a serious bug in V2.14 means that this (and perhaps V2.13.1) should be avoided until Microsoft fixes a problem that causes spurious output to be included when cmdlets like Get-MgUser and Get-MgGroup are run.

A longstanding problem (SP676147) open since September 2023 causes problems retrieving important SharePoint usage data like site URLs and user activity data. The problem shows up in the usage reports section of the Microsoft 365 admin center and affects any attempt to fetch SharePoint usage data via Graph API requests. It's odd that the problem has lasted so long.

The Office 365 for IT Pros team welcomes Michel de Rooij as a new author. As a PowerShell Pro, he'll like the code to update the impersonation protection list for anti-phishing policies. Or maybe he'll rewrite it to make the code better. Either way, we win and the Mail Flow chapter should get a new lease of life.

Microsoft originally said that Copilot for Microsoft would only support the Monarch client. Now it turns out the Outlook Win32 Copilot support is coming. No formal announcement is available and Microsoft hasn't shared when the support will turn up in an Office channel, but it's good news that this deployment blocker is no more. And Teams has a new Copilot experience, so things are moving in the world of AI-powered assistants.

The latest version of the Microsoft 365 Licensing Report script includes code to generate cost analyses for the departments and countries assigned to user accounts. Everything works well if the properties of Entra ID user accounts are complete and accurate. Sometimes this isn't so, and that leads to problems when attributing costs at a department or country level.

If your Microsoft 365 tenant has Entra P2 licenses, you can use the Entra Identity Secure Score feature to measure your tenant against Microsoft benchmarks and recommendations, including expiring app credentials. The fact that credentials expire is one of the reasons why I don't use apps as much any more. Using the Microsoft Graph PowerShell SDK is just easier.

If conditional access policies impose MFA for all cloud apps, it gives external users a problem when they use Outlook desktop to read protected email. The issue is because Outlook can't obtain a use license to decrypt the content because it can't satisfy the MFA challenge. It's an example of how two good parts of the Microsoft 365 ecosystem clash.

This article describes how to use the Microsoft Graph PowerShell SDK to retrieve and interpret Microsoft 365 message center posts with the intention of discovering what percentage of announcemengts end up being delayed (not being available at the predicted date). Teams makes lots of feature announcements and over 57% of those announcements are delayed.

Message center notification MC711019 covers the ability to hide the General channel for a team, a feature designed to free up space in the teams and channels list. Team members (including guests) can decide if they want to see the General channel in their list. Because teams can have up to 1,000 channels, being able to hide the General channel is a useful change.

The Microsoft Graph includes the Service Communications API. SDK cmdlets can use the API to retrieve and work with service health data. In this article, we show how to use Graph SDK cmdlets (based on the API) to fetch and work with service health data, including creating an email report to update people about the current state of tenant health.

This article explains how to check Managed Identity permissions, or rather the set of consented Graph and other permissions held by the service principals used for managed identities. These can become highly permissioned over time, and that's why checking periodically is a good idea.

The latest version of the MSIndentityTools PowerShell module includes the Export-MsIdAppConsentGrantReport cmdlet to generate a report of OAuth app permissions. Allied with the ImportExcel module, the cmdlet can produce a very nice workbook containing lots of information about permissions held by the apps in a tenant. But even better, you can export the data to PowerShell and use it in your scripts.

A question asked if it's possible to hide individual distribution list members. It's easy to hide the complete membership but not as simple to hide just a few. However, an old technique dating back to the early days of Exchange Server works. Sometimes the old tricks are the best!

The February 2024 update for the Office 365 for IT Pros eBook (monthly update #104) is now available for download. Lots happened during January in terms of breakthrough announcements, hacks, new features, and deprecated functionality. All grist to the mill for a book that's been through 104 monthly updates.

Office 365 Reaches 400 million. Well, to be precise, in their FY24 Q2 results, Microsoft said that the figure is "over 400 million paid seats," but who's going to quibble with the ongoing success that Office 365 has had in adding users over many years. Not much was learned about the financial impact of Copilot. We'll have to wait to see how that plays out.

The Graph User.ReadBasic.All permission is now available for both delegated and application usage. Think before rushing to use the permission. Although the permission does what it sets out to do, the restriction on filtering means that many scenarios need the full User.Read.All permission.

A January 26 post announces the deprecation of four old Exchange audit cmdlets in favor of the Search-UnifiedAuditLog cmdlet. Removing old cmdlets is fine, but it would be nice if Microsoft took the opportunity to make Search-UnifiedAuditLog work better. Too many inconsistencies exist in how workloads provide information in audit events and Microsoft has made some recent unannounced changes.

Microsoft is changing the way that Exchange Online address book updates work to force users to use search rather than browsing through the GAL/OAB. That's fine and should improve things. When playing with finding how many items are in the GAL, I found that the Get-MgDomainNameReference cmdlet appears to have some issues. First, it can only return up to 999 items, which isn’t a lot when you’re dealing with users and groups that have a connection to a domain. Second, it doesn’t return a nextlink, so you can never fetch all available items. It just goes to prove that Microsoft Graph PowerShell SDK cmdlets are at the mercy of the underlying APIs.

The ability to apply custom corporate branding for Entra Id screens has existed since 2020. You can update elements through the admin center or PowerShell. This article explains how to use the Microsoft Graph PowerShell SDK to customize the sign-in text and background image for the sign-in screen.

Recent attacker activity made me think that access might have been gained through an OAuth app. Keeping an eye on app permissions is important. From a PowerShell perspective, it is reasonably straightforward to retrieve details of app permissions using the Microsoft Graph PowerShell SDK. Several methods are available to do the job.

Microsoft plans to change the way that the Teams website channel tab works in early April 2024. Instead of the client opening a site, a new browser tab opens. Microsoft says that the change better aligns with best practice for web security and privacy. Even so, it creates an administrative challenge to find what teams have website channel tabs that might need to be adjusted. Fortunately, we have a script to do just that.

Lots of hype surrounds Copilot for Microsoft 365, but I like the way that Copilot for Teams extracts real value from meeting transcripts to generate meeting notes. Even better, Copilot for Teams allows meeting participants to interrogate the transcript to find questions asked and answered (or not) among other capabilities. It's one of the most obvious ways to extract value from Copilot.

MC705357 (9 Jan 2024) says that the dynamic group rule builder in the Entra ID and Intune admin centers no longer supports the contains and notContains operators. There's no real cause to worry because existing rules continue to work and if you need to use contains or notContains in a membership rule, you can edit the rule manually.

Microsoft's January 15 announcement reduced deployment costs and opened the possibility for Copilot for Microsoft 365 deployments to many Office 365 tenants. Reducing costs is great, but just because Copilot for Microsoft 365 is now available to many more tenants doesn't mean that it is a silver bullet to address all IT woes.

The essence of a good teams naming convention is simplicity and clarity. This article explains why those aspects are so important in terms of helping users. We suggest some guidelines that tenant administrators can use to make sure that their team names are simple and clear.

Entra ID registered apps can authenticate using app secrets and certificates. These credentials expire over time, so it’s good to review app credential expiration dates periodically. This article explains how to use the Microsoft Graph PowerShell SDK to generate a report about app credential expiration dates to allow tenant administrators to manage registered apps a little better…

Document mismatch notifications tell users when they apply a higher-priority sensitivity label to documents than applied to the site. Some organizations don't like these messages because they think the notifications confuse recipients. In this article, we discuss how to use a mail flow rule to redirect the messages to an address who can help people understand how to use sensitivity labels.

Entra ID supports user extension attributes but the same facility is unavailable for group objects. That seems strange, but it might be due to the way that Entra ID thinks about group object. In any case, it's an inconsistency that Microsoft should address. Also covered is how to report problems with Graph SDK cmdlets and a new function to help you understand the permissions needed to run a script.

Audit events generated for the new Stream look like any other SharePoint Online event. Extracting the Stream audit events takes a little more effort than before when Stream classic generated its own dedicated set of events. In this article, we examine the advanced Stream audit events that are apparently coming to Purview Audit standard customers and how to extract the Stream audit events from the unified audit log.

The Stream browser app has received a bunch of recent enhancements, some of which are still deploying to tenants. The changes make it easier for Microsoft 365 tenants work with video. While investigating recent changes, we found some stuff that works well and some limitations that we never knew about before.

A new Share Someone's Contact Info feature is available for Teams one-to-one and group chats. The option inserts a link to the person's profile card in a chat message. Contact information can only be shared for members of the tenant (guests are unsupported). It's a small but useful addition to Teams chat.

Password profiles store the password settings for Entra ID user accounts. By updating the password profile, you can update an account's password and force actions like force the user to change their password on the next sign-in or force the user to enable multifactor authentication for the account. All done with cmdlets from the Microsoft Graph PowerShell SDK.

In message center notification MC703706 Microsoft announces yet another attempt to retire the Search-Mailbox cmdlet. This time it's due to happen in March 2024. I don't mind Microsoft removing old technology from its products, but it's important that the old functionality is replaced by newer, better technology. And that's not the case here. At least, not so far.

This article explains how I use custom document properties with SharePoint Online to track the topics covered by blog articles that I write. The custom document properties allow me to track where and when articles appear and the technology areas covered in their text. It's a very easy update that can be applied in many situations where SharePoint is used to store documents.

A new beta Graph API supports the creation of a Viva Engage community. This article explains how to use the Graph SDK to create a new community with the API. It's the start on the transition from the old Yammer APIs to fully embrace the Graph API.

Copilot for Word reference documents help to ground the prompts sent to LLMs for processing. The documents can be too large, which means that their contents aren't fully taken into account when the LLM processes the prompt. This might or might not be an issue.

The January 2024 update for the Office 365 for IT Pros eBook is available for subscribers to download from Gumroad.com or Amazon. Like any monthly update, the January 2024 update is packed full of changes across the content chapters. Readers should download the updated files as soon as convenient to make sure that they have the most up-to-date information available.

A question came in about how to report admin consent requests as viewed through the Entra ID admin center. PowerShell does the trick, once you know how. The key thing is to find the right cmdlet to use. Once you know that, the rest is pretty easy as we explain in this article.