The Ultimate Guide to Mastering Microsoft 365
A change to a Graph beta API meant that some data used to create the user password and authentication report was no longer available. A script update was required. The experience underlines the truth that developers should not rely on the Graph beta APIs because the APIs are prone to change at any time as Microsoft moves them along to become production-ready.
The Office 365 for IT Pros team is happy to announce the availability of the October 2025 update for the Automating Microsoft 365 with PowerShell eBook. Subscribers can download the latest PDF and EPUB files from Gumroad.com. In other news, a new eBook about Exchange Server Subscription Edition (SE) is available. It’s always nice to see new sources of knowledge open up!
The rollout of the Copilot Chat integration with the Microsoft 365 apps has started, with the intention of making it easier to use AI in peoples’ work. Nice as the integration is, the news that an Open in Word action button is coming (soon) to allow content generated by Copilot to be edited in Word is even better. And we round out the week with a note about a change to the domain used by Teams.
Guest account management should be a part of every Microsoft 365 tenant administrator’s checklist, unless the tenant has no guests. That’s possible but given the way that workloads like Teams and SharePoint Online create new guest accounts, the average tenant is likely to have quite a few guests. The question is how to manage guests – with Microsoft’s tools or using tenant-designed PowerShell scripts?
The Entra ID Keep Me Signed In (KMSI) feature creates persistent authentication cookies to allow users to avoid sign-ins during browser sessions. Is this a good or bad thing and should Microsoft 365 tenants enable or disable KMSI. I think KMSI is fine in certain conditions and explain my logic in this article. Feel free to disagree!
Microsoft 365 Copilot now has some SharePoint skills to deploy in the SharePoint admin center. The problem is that the skills aren’t very good and don’t do much to help hard-pressed SharePoint Online administrators cope with the vast explosion of sites that exist in many tenants today. The problem is data. If Copilot doesn’t have the information to reason over, it can’t answer questions or give advice.
Microsoft plans to deploy an update to change how transcription behaves for Teams meetings where Copilot is enabled. New meetings will not generate a transcript unless the meeting organizer explicitly enables transcription or the Microsoft 365 tenant deploys custom meeting policies that enable transcription with Copilot. The AI features work even without a transcript. But no transcript means no searchable artifact, and that’s what some want.
This article describes the prerequisites and how to run cmdlets from the Teams PowerShell module in Azure Automation runbooks. We also consider when you’d want to consider using Teams PowerShell cmdlets instead of Graph API requests or cmdlets from the Microsoft Graph PowerShell SDK. The bottom line is that it’s possible, but maybe not a frequently-used option.
A new SharePoint Site content and policy comparison report is available to tenants with Microsoft 365 Copilot or SharePoint advanced management licenses. The idea is that you choose some reference sites to compare other sites against to detect deviations from the reference site. It seems like a good idea if you’re trying to impose standards to control Copilot. Unhappily, attempts at running the report turned up zero results.
Microsoft 365 users see the profile card and might wonder where the information displayed on the card comes from. Entra ID is the obvious source, but the people platform that Microsoft is developing is another and could include information imported through a Copilot connector to build out a complete picture of users and contacts within a Microsoft 365 tenant. It’s early days yet, but beta code is available.
A new policy setting is available to force Microsoft 365 enterprise (Office subscription) applications to save to cloud locations and ignore the local disk. The idea is to increase cloud usage and improve compliance by storing all Office files in OneDrive for Business or SharePoint Online. Like a network PC, creating a dependency on a network connection only makes sense when a network connection is dependable, which might not always be the case.
Microsoft announced a new Copilot license check diagnostic for the Exchange Connectivity Analyzer. Sounds good, but the test is very simple, and its results don’t tell you anything more than a few lines of PowerShell can deliver. To prove the point, we wrote a quick script to show how to perform a Copilot license check with the Microsoft Graph PowerShell SDK.
MC1134747 describes a new permissions requirement for Entra apps that run Teams PowerShell cmdlets. Fixing apps to meet the new requirement is easily done with PowerShell. First, find the apps that use Teams PowerShell (we show two ways), and then assign the two required permissions to the apps. All done with a few lines of Microsoft Graph PowerShell SDK code.
The Org Settings section of the Microsoft 365 admin center has a new People Settings section where you can choose properties for the Microsoft 365 profile card instead of using PowerShell. The kicker is that the old method of using Exchange custom properties to customize what appears on the profile card is being replaced with standard Entra ID properties. A migration is needed, and it’s easily done with PowerShell.
Copilot memory is a term that refers to different things, including Copilot communication memory, a method to use the Graph to personalize responses for users. The idea is to use all the sources of information available through the Graph as Copilot responds to user prompts in Microsoft 365 apps instead of limiting sources to whatever the app works with. It’s a good idea, providing the Graph sources are accurate.
Microsoft has depreciated the Microsoft Graph CLI and Graph Toolkit. It’s nice to see some rationalization, but the real need is for better quality and coverage across all the Microsoft 365 administrative actions. Even after fourteen years of development, too many undocumented and private APIs exist today, which is an unacceptable situation. You should vote for a feedback portal item to ask Microsoft to do better.
Monthly update #123 is available for the Office 365 for IT Pros eBook. Subscribers can download updated EPUB and PDF files for the main book and the Automating Microsoft 365 with PowerShell book from their Gumroad.com account. As with every month, the update touches most chapters as we continue to make sense of the changes that occur across the Microsoft 365 ecosystem. Subscribe today!
A custom runtime environment is a way of defining a specific job execution environment for Azure Automation runbooks, including Microsoft Graph PowerShell SDK runbooks. In this article, we create a new environment for PowerShell V7.4, load in some SDK modules, switch a runbook from a system-generated environment, and run some code.
The Office 365 for IT Pros eBook team is proud to announce the availability of update 15 for the Automating Microsoft 365 with PowerShell eBook. The book includes extensive coverage of how to work with Microsoft 365 workloads through standard modules, Graph APIs, and the Microsoft Graph PowerShell SDK, including hundreds of practical examples over 350-plus pages. No fluff, just real-world code.
In late August, Microsoft plans to release the Copilot summarize email thread feature in Outlook clients without the need for a Microsoft 365 Copilot license. This news might seem surprising, but it’s simply a matter of business. If Microsoft doesn’t make basic AI features available in Outlook, ISVs (including OpenAI) will fill the gaps with add-ons. And that might make it harder to sell Microsoft 365 Copilot licenses.
Microsoft will impose a throttling limit for external recipients for tenants that use MOERA domain addresses to send outbound email. The limit is designed to stop tenants using mailboxes with primary SMTP addresses from MOERA domains from sending email, a technique that’s often used by spammers. This shouldn’t cause a problem for legitimate organizations who already have vanity domains, but it might stop some spam.
After a report to the MSRC about some missing file data from Copilot audit records, Microsoft fixed the problem and audit records now contain details about the SharePoint Online files reviewed by Copilot to construct answers to user prompts. Having solid audit and compliance data is a good thing, unless you’re a lawyer charged with defending an eDiscovery action who might be asked to produce the files.
Three new Graph API resources provide easy access to Entra ID authentication method summary data. The information is helpful to understand the type of sign-ins that happen, and the authentication methods used by user connections. The article includes a script based on the MFA sign-in summary to highlight non-MFA connections and the apps users connect to.
This article discusses how to use PowerShell to find obsolete mobile device partnerships in Exchange Online (or Exchange Server) and remove the obsolete devices. Users won’t be able to remove obsolete mobile devices after the settings to manage mobile devices are removed from OWA and the New Outlook, so cleaning up the mess is the responsibility of administrators (like it usually always is).
Outlook Mobile clients have started to highlight messages received from unverified senders. But what does “unverified” mean and what can be done to fix the problem? The issue lies at the sender’s end, so the administrators of the sending system must verify their email configuration to make sure that Exchange Online can validate inbound messages from their domain. The same visual markers are available in Outlook classic, OWA, and the new Outlook.
Microsoft Defender for Office 365 (MDO) requires shared mailboxes to be licensed but doesn’t extend the same requirement to Microsoft 365 Groups. Given that Microsoft 365 Groups have group mailboxes and can function very much like shared mailboxes, the difference in licensing is remarkable. Why does this happen? It could be due to internal Microsoft politics, omissions, or just a preference for Groups. Who knows?
Microsoft plans to remove the ability of users to perform mobile device management (for their devices) from the OWA and new Outlook for Windows clients. It’s unclear how much use these options receive, but following the update, users will only be able to disable or wipe a device remotely using features provided by O/S vendors. Administrators can still act to block or wipe lost or stolen devices.
Finally, Microsoft solved the technical issues that blocked SharePoint Online support for sensitivity labels with user-defined permissions (UDP). The feature is now generally available and it’s very welcome because support opens access for Office files and PDFs with UDP labels for search and Purview solutions like DLP and eDiscovery. Files with UDP labels applied prior to GA are not processed until they are edited, but that’s reasonable.
Purview Priority Cleanup is growing its capabilities to be able to process files stored in SharePoint Online and OneDrive for Business. Public preview begins in mid-August, and the solution should be generally available at the end of September 2025. Removing files without regard for retention holds is much more complicated than removing mailbox items. The question is who needs this feature and how will it be used?
The Connect-IPPSSession cmdlet is needed to connect to the Security and Compliance endpoint to update a Microsoft 365 retention policy. Unhappily, the Security and Compliance module doesn’t support managed identities, which makes it harder to run Connect-IPPSSession securely in an Azure Automation runbook. In the end, we use a credential stored in the automation account. And then we had to disable WAM. All explained here.
A question about shared mailboxes brought up the topic of licensing requirements when a tenant has Microsoft Defender for Office 365 (MDO). The news is not good. Once MDO is active, every shared mailbox needs an MDO license, and every user mailbox must also be licensed for MDO (those with E5 licenses are covered). At $5 per month, those MDO licenses can ramp up to a considerable cost. Ouch!
Microsoft is introducing a new KeyQL-powered capability for a revamped search box in Teams. The new implementation promises faster and more precise searching. First impressions are good, and the only doubt that I have is about how users will embrace this kind of searching. After all, some still use simple keyword searches.
Microsoft says that few customers have installed the dedicated hybrid connectivity app that’s needed to migrate from EWS. It’s time to install that app! If not, rich coexistence between cloud and on-premises components will stop working for several days when Microsoft imposes service time-outs in August, September, and October to prompt customers to take action. It’s time to install the dedicated hybrid connectivity app.
A July 14 post announces Copilot Memory, a method to personalize how Copilot responds to user prompts. Controls are available to disable Copilot memory on a per-user and tenant basis. Manipulation of the tenant controls is done through Graph resources. This article explains how Copilot memory works and how to update the tenant controls with PowerShell.
After being asked whether licenses are needed to include shared mailboxes in Microsoft 365 retention policies, I investigated and found that licenses are not. This led to a consideration of the steps needed to create a special retention policy for shared mailboxes (with PowerShell, naturally) and how to avoid retention setting collisions with other policies. All explained in detail here.
If you use the Microsoft Graph PowerShell SDK, you don’t need to worry about obtaining an access token because SDK cmdlets include automatic token management. Although you don’t need to know the details of the access token used in an SDK session, it’s possible to find and examine its contents, and even use the token with a Graph request. It’s a nice to know thing that you’ll never need in practice.
Monthly update #122 is now available for the Office 365 for IT Pros eBook. Subscribers can download PDF and EPUB files for the update from Gumroad.com. In other news, Microsoft cloud revenues keep soaring while Microsoft 365 seat growth moderates to 6% annually. Microsoft wants to give Copilot numbers but has no real data to share, and no one wants to talk about Teams active user numbers. It’s all in the mad world of Microsoft 365.
DLP diagnostics were announced in October 2024, and it’s taken quite a while for Microsoft to make the four DLP diagnostic tests available. In truth, none of the tests are earthshattering and the kind of checking done by the tests could be performed quite easily by an experienced tenant administrator who knows the DLP solution. But those administrators are unlikely to be the target audience for these tests.
Microsoft suggests that tenants wanting to block access to OWA while allowing people to use the new Outlook should deploy a conditional access policy. That’s good advice if a tenant has the necessary Entra P1 licenses and is willing to accept the loss of browser access to Teams. Microsoft 365 is a complicated interconnected place, and blocking one app can have consequences for another…
