A reader asked why the Entra admin center includes an option to manage per-user MFA settings for accounts. I don’t know why Microsoft added this option, but it doesn’t take away from the strategy to enforce and manage multifactor authentication through conditional access policies. Microsoft has been very focused on CA policies for the last few years and per-user MFA will eventually be subsumed into the CA strategy.
Many articles describe how to disable a service plan for a product license assigned to a Microsoft 365 account, but few cover how to enable service plans should the need arise afterward. This article covers the basics of disabling and enabling service plans for Microsoft 365 licenses using PowerShell, including the very important step of finding existing disabled plans. Everything’s easy once you know how.
A reader asked how to find emails with sensitivity labels. Everyone knows that you can find SharePoint files protected by sensitivity labels, but what about emails? MAPI properties exist that hold details of sensitivity labels. These properties are promoted to Microsoft Search, and this allows features like end-user searching through the Microsoft 365 app and Outlook to work. But the best way to find emails with sensitivity labels is to use a Purview content search.
An October 17, 2024 report highlights how Microsoft 365 Copilot can benefit SMEs in terms of increased revenue and ROI. But the report is a marketing tool designed to sell more expensive Microsoft 365 Copilot licenses. There’s a certain fear of missing out that’s presented by the report but spending a large amount on licenses without knowing exactly where the return will come from has never been a good business tactic.
Directory synchronization features control how the Entra Connect tool works when synchronizing accounts from Active Directory to Entra ID. The current advice is to use a cmdlet from the deprecated MSOL module to update settings. This article explains how to do the job with the Graph APIs, including cmdlets from the Entra PowerShell module.
A recent question asked how to force users to reauthenticate at 7AM every Monday. The solution seems to be to revoke access for user accounts. This article describes how to create an Azure Automation runbook (PowerShell script) to find target accounts and revoke their access. By linking the runbook to an automation schedule, we can make sure that revocation happens at the desired time.
A new Cloud Licensing API has turned up in the Microsoft Graph beta endpoint. Apparently, the new API aims to improve license management in various ways. For now, the new API returns essentially the same licensing data that’s available through other APIs and cmdlets. The full story about what problem Microsoft plans to solve with the Cloud Licensing API and usage rights remains to be seen.
Container management labels are an effective way to ensure that groups, teams, and sites have the right settings. The Graph doesn’t support custom attributes for groups, so these attributes aren’t available to store details of the “approved” container management label to check if anyone has changed the label after the original assignment. Time to find a new way to store this data.
Copilot errors in generated text can happen for a variety of reasons, including poor user prompts. If the errors end up in documents, they can infect the Graph and become the root cause for further errors. Over time, spreading infection can make the results derived from Graph sources like SharePoint Online unreliable. Humans can prevent errors by checking AI content thoroughly before including it in documents, but does this always happen?
The Teams calendar app is being refreshed in November 2024 when Teams takes on the calendar UI used by OWA and the new Outlook for Windows. The unified Microsoft 365 calendar experience is based on OPX and WebView and looks much better than the old Teams calendar. It makes perfect sense for the same UI to manipulate the same calendar data in both Outlook and Teams.
Copilot Pages are part of the September 2024 Copilot Wave 2 announcement. They’re a good way to capture the text generated by Copilot in response to a prompt. Each Copilot page is a Loop component stored in a SharePoint Embedded container. Figuring out how to manage these containers will take a little time, especially as Microsoft hasn’t yet delivered the APIs needed to do the job.
Adaptive searches are a nice way to target users, sites, and groups for Purview retention processing. But a user adaptive scope can’t select members of a group and target them. That is, unless you use the same attribute to identify users for both a dynamic group and an adaptive scope, which is what’s explained here.
The Exchange admin center feature to allow administrators to initiate an upgrade distribution list process to request group owners to migrate distribution groups to Microsoft 365 groups is terrible. In my experience, the request goes into a black hole and never emerges, or the process fails immediately. But you shouldn’t be upgrading distribution lists to Microsoft 365 groups anyway because groups are often overkill when all that’s needed is a way to distribute email to multiple recipients.
The question of how best to write PowerShell for Microsoft 365 was asked during a TEC 2024 PowerShell workshop. There are many variables, and one has the right answer. To start the ball rolling, this article describes how I write PowerShell for Microsoft 365 using a variety of modules such as Exchange, SharePoint, Teams, and the Microsoft Graph PowerShell SDK.
Offline access is a fundamental feature for email clients. The new Outlook introduced initial support in June 2024. Now it can start without a network connection, which is something that Outlook classic has been doing for 27-odd years. The update provoked a search for where the new Outlook stores the data used when working offline, and we think we know where the data is.
Microsoft announced blocked Teams federated chat for trial tenants in June 2024. That block is now well and truly enforced. If you use an account in a trial tenant (and many flavors of these accounts exist), then you won’t be able to set up a federated chat with someone in another Microsoft 365 tenant. It’s an example of how Microsoft restricts service functionality to stop misuse.
The Delve browser app retires on December 16, 2024. It’s time to check if the change will affect how people interact with user profiles in Microsoft 365 tenants. A new “user profile experience” is due to arrive in November that should allow people to update details in their profile. Hopefully, the new experience will include photo updates, which have long been a problem area for Microsoft 365 apps.
The Maester tool is a great way to get a security assessment for a Microsoft 365 tenant. Being able to create custom Maester tests makes it even better. In this article, we explain how to create a custom Maester test that reads the Entra ID Groups policy to report if users are allowed to create new Microsoft 365 groups (and teams).
Unsurprisingly, Microsoft announced the deprecation of the Revoke-SPOUserSession cmdlet for November 2024. The cmdlet is replaced by the Revoke-MgUserSignInSession cmdlet, which works across Microsoft 365 rather than just SharePoint Online. All of this happened while the 2nd annual PowerShell Script-Off happened at TEC 2024 and competitors struggled with what to do to secure a user account for an ex-employee.
SharePoint Advanced Management (SAM) is a $3/user/month add-on that can help Microsoft 365 tenants manage problems like oversharing, data governance, and site lifecycle. A TEC 2024 session described how SAM can help tenants cope with these issues in the AI era.
The Outlook (classic) client has a registry setting to control moving deleted items from a shared mailbox. The new Outlook for Windows client doesn’t have an equivalent setting, so items removed from a shared mailbox end up in the Deleted Items folder of the user’s mailbox rather than the Deleted Items folder in the shared mailbox. It’s an example of one of the things to fix before the new Outlook can take over.
The Office 365 for IT Pros team is delighted to announce the availability of monthly update #112. Subscribers for the 2025 edition can now download the updated files from Gumroad.com. We’ve also updated the Automating Microsoft 365 with PowerShell book, which is included as part of the Office 365 for IT Pros bundle and available separately, including as a printed version. We’re now working on monthly update #113, due on November 1, 2024.
Following a change made to Microsoft Synchronization Technology to support the new Outlook for Windows, Outlook mobile supports access to archive mailboxes. For mailboxes enabled with an archive, the archive mailbox is listed like other mailboxes and opened in the same way. The only thing to remember is that archive items tend to be old and therefore you’ll probably have to instruct Outlook to download the items to the device.
TEC 2024 (aka “The Experts Conference”) takes place on Oct 1-2 at the Loews Arlington Hotel. TEC is a great conference for many reasons, notably the intensely practical nature of the coverage technology receives during conference keynotes, sessions, and workshops. If you’re looking for a high-quality event to attend in 2025, put TEC 2025 on the list.
Some organizations want to disable OneDrive for Business to force people to use SharePoint Online. This might have been possible in the past. It isn’t practical now because of the way that Microsoft has concentrated personal storage for Microsoft 365 apps in OneDrive for Business. It’s a better idea to come up with some practical methods to ensure that valuable information is recovered from OneDrive on an ongoing basis.
MC894577 announces that DLP policy tips displayed in Outlook will soon support a set of new conditions. That’s good, but the text of the announcement is unclear about important points like the clients that will support the new policy tips, what kinds of groups are supported by the conditions, and precise details of how Outlook will differentiate between users with Office 365 E3 and E5 licenses.
An article described some benefits that could be gained from not installing the complete Microsoft Graph PowerShell SDK. The question is whether the claimed benefits are more theoretical than actual. It’s hard to say because it all depends on how someone uses the SDK for development or to run scripts. Anyway, it’s a topic worth discussing.
A recent script demonstrated how to import contacts into user mailboxes using a list in a SharePoint site as the source. With a quick change, a CSV file becomes the source. This is a great example of how adaptable PowerShell is and how to update code found in articles to meet your needs. If you do ask an author to change their code, remember to try to make the change yourself first, and if you fail, explain to the author why the change should be made.
The new Outlook for Windows and OWA now can suppress duplicate contacts. This means duplicate contacts are hidden, not removed. Tests reveal that duplicate suppression does work and probably does well in most cases. However, the lack of documentation around when suppression occurs and how decisions to suppress are made means that Microsoft has some work to do here.
Microsoft’s advice is to use the Get-ExoMailbox cmdlet instead of its older Get-Mailbox counterpart. Generally, this is good advice that you should follow. However, the older cmdlet can do a job in certain circumstances, so don’t write it off completely. More importantly, make sure that filtering of objects is done using server-side filters. This will improve script performance significantly.
Sometimes you don’t need the full-fledged Graph API to report details of items in Recoverable Items and the Get-RecoverableItems cmdlet can do the job. The data fetched by the cmdlet isn’t as rich as the information available through the Graph, but if all you want is a simple listing of what’s in a mailbox’s Deletions folder, Get-RecoverableItems is a good solution. And best of all, we provide a full script to show how.
This article explains how to use the Microsoft Graph PowerShell SDK to report Recoverable Items in a form that is usable for eDiscovery investigators and other highly-privileged use. The script fetches details of items found in folders like Deletions, Purges, Versions, and SubstrateHolds. Because accessing mailbox data is a sensitive action, consider restricting access to confidential mailboxes using RBAC for applications.
A new Entra ID photo update settings policy aims to cure the mish-mash of existing settings controlling how user profile photos are updated in Microsoft 365. The new policy is based on a Microsoft Graph resource. Work is needed to update clients to respect the policy settings and take over from current controls, like the OWA mailbox policy.
In MC877369, Microsoft announced the availability of three Copilot usage reports in the Graph usage reports API to track usage of Copilot for Microsoft 365 in the apps enabled for Copilot, like Outlook, Excel, Word, PowerPoint, Loop, etc. The data available in the Copilot usage reports isn’t very informative and you might be better off using audit records to analyze what’s happening.
The Microsoft 365 Licensing Report PowerShell script has been upgraded to generate detailed license information and to deal with expired license subscriptions. You can download V1.94 of the script from GitHub. Before attempting to run the licensing report script, take the time to read previous articles to understand the basics of the script and how to generate the files used for pricing information.
The Teams feature to hide inactive channels is now fully rolled out. Another recent change suppresses notifications from hidden channels, and this could cause a problem for people who rely on notifications to know what’s happening in a channel. Both updates are good, but some differentiation or control over notifications for user-hidden and auto-hidden channels might be good.
The Microsoft 365 admin center will support continuous access evaluation (CAE) from September 2024 to help revoke access from accounts more quickly when critical events happen (like an account password being changed). Adding CAE support to an admin center is always a good idea, but it shouldn’t take away from the need to protect Microsoft 365 accounts with multifactor authentication. Stop compromise before you need to react to compromise!
eDiscovery is a calling best left to skilled investigators. But Microsoft 365 administrators need to know how to search and how the new Purview eDiscovery works. The new implementation is due by the end of 2024 and is in preview now. It unifies the three existing solutions in the Microsoft 365 eDiscovery space and promises to deliver new functionality. But will it make its dates? Who knows!
One of the things that vexes me is the need to change account to attend a Teams meeting. I forget this all the time and end up with unexpected waits in virtual lobbies, twiddling my thumbs while waiting for someone to admit me to the call. Sometimes I end up missing calls because people can’t admit participants from outside the tenant if they don’t have a guest account. The solution might come from the application of more intelligence and a change to the Teams UI.
The automatic document summary feature for Word duly turned up and Copilot for Microsoft 365 has been busy generating summaries ever since. The feature works well for documents with less than 80,000 words, which should be enough for most documents but limits summarization for documents that might use it most, like complex plans or contracts. In any case, I haven’t found a way to turn document summaries off. Maybe that’s coming.