Outlook Mobile clients have started to highlight messages received from unverified senders. But what does “unverified” mean and what can be done to fix the problem? The issue lies at the sender’s end, so the administrators of the sending system must verify their email configuration to make sure that Exchange Online can validate inbound messages from their domain. The same visual markers are available in Outlook classic, OWA, and the new Outlook.
Microsoft Defender for Office 365 (MDO) requires shared mailboxes to be licensed but doesn’t extend the same requirement to Microsoft 365 Groups. Given that Microsoft 365 Groups have group mailboxes and can function very much like shared mailboxes, the difference in licensing is remarkable. Why does this happen? It could be due to internal Microsoft politics, omissions, or just a preference for Groups. Who knows?
Microsoft plans to remove the ability of users to perform mobile device management (for their devices) from the OWA and new Outlook for Windows clients. It’s unclear how much use these options receive, but following the update, users will only be able to disable or wipe a device remotely using features provided by O/S vendors. Administrators can still act to block or wipe lost or stolen devices.
Finally, Microsoft solved the technical issues that blocked SharePoint Online support for sensitivity labels with user-defined permissions (UDP). The feature is now generally available and it’s very welcome because support opens access for Office files and PDFs with UDP labels for search and Purview solutions like DLP and eDiscovery. Files with UDP labels applied prior to GA are not processed until they are edited, but that’s reasonable.
Purview Priority Cleanup is growing its capabilities to be able to process files stored in SharePoint Online and OneDrive for Business. Public preview begins in mid-August, and the solution should be generally available at the end of September 2025. Removing files without regard for retention holds is much more complicated than removing mailbox items. The question is who needs this feature and how will it be used?
The Connect-IPPSSession cmdlet is needed to connect to the Security and Compliance endpoint to update a Microsoft 365 retention policy. Unhappily, the Security and Compliance module doesn’t support managed identities, which makes it harder to run Connect-IPPSSession securely in an Azure Automation runbook. In the end, we use a credential stored in the automation account. And then we had to disable WAM. All explained here.
A question about shared mailboxes brought up the topic of licensing requirements when a tenant has Microsoft Defender for Office 365 (MDO). The news is not good. Once MDO is active, every shared mailbox needs an MDO license, and every user mailbox must also be licensed for MDO (those with E5 licenses are covered). At $5 per month, those MDO licenses can ramp up to a considerable cost. Ouch!
Microsoft is introducing a new KeyQL-powered capability for a revamped search box in Teams. The new implementation promises faster and more precise searching. First impressions are good, and the only doubt that I have is about how users will embrace this kind of searching. After all, some still use simple keyword searches.
Microsoft says that few customers have installed the dedicated hybrid connectivity app that’s needed to migrate from EWS. It’s time to install that app! If not, rich coexistence between cloud and on-premises components will stop working for several days when Microsoft imposes service time-outs in August, September, and October to prompt customers to take action. It’s time to install the dedicated hybrid connectivity app.
A July 14 post announces Copilot Memory, a method to personalize how Copilot responds to user prompts. Controls are available to disable Copilot memory on a per-user and tenant basis. Manipulation of the tenant controls is done through Graph resources. This article explains how Copilot memory works and how to update the tenant controls with PowerShell.
After being asked whether licenses are needed to include shared mailboxes in Microsoft 365 retention policies, I investigated and found that licenses are not. This led to a consideration of the steps needed to create a special retention policy for shared mailboxes (with PowerShell, naturally) and how to avoid retention setting collisions with other policies. All explained in detail here.
If you use the Microsoft Graph PowerShell SDK, you don’t need to worry about obtaining an access token because SDK cmdlets include automatic token management. Although you don’t need to know the details of the access token used in an SDK session, it’s possible to find and examine its contents, and even use the token with a Graph request. It’s a nice to know thing that you’ll never need in practice.
Monthly update #122 is now available for the Office 365 for IT Pros eBook. Subscribers can download PDF and EPUB files for the update from Gumroad.com. In other news, Microsoft cloud revenues keep soaring while Microsoft 365 seat growth moderates to 6% annually. Microsoft wants to give Copilot numbers but has no real data to share, and no one wants to talk about Teams active user numbers. It’s all in the mad world of Microsoft 365.
DLP diagnostics were announced in October 2024, and it’s taken quite a while for Microsoft to make the four DLP diagnostic tests available. In truth, none of the tests are earthshattering and the kind of checking done by the tests could be performed quite easily by an experienced tenant administrator who knows the DLP solution. But those administrators are unlikely to be the target audience for these tests.
Microsoft suggests that tenants wanting to block access to OWA while allowing people to use the new Outlook should deploy a conditional access policy. That’s good advice if a tenant has the necessary Entra P1 licenses and is willing to accept the loss of browser access to Teams. Microsoft 365 is a complicated interconnected place, and blocking one app can have consequences for another…
A banner posted in the Entra admin center informs administrators that Entra ID governance features used by guest accounts incur charges from June 2025. This only affects Microsoft 365 tenants that use ID governance for features like inactive guest access reviews, but unexpected charges might come as a surprise. This article explains a PowerShell script to find chargeable events in audit logs and how to calculate likely charges.
The August 2025 update for the Automating Microsoft 365 with PowerShell eBook is available for subscribers to download. The eBook now includes over 350 content-rich pages packed full of practical examples of how to use PowerShell to automate Microsoft 365 operations. It’s an essential tool for anyone who needs to use PowerShell in a Microsoft 365 environment.
The new Outlook for Windows now supports the NoSignOnReply control for inheritance of S/MIME signatures from messages to replies. It’s an update to match the feature that’s been in Outlook (classic) for a long time. The new setting is only available for Exchange Online and isn’t supported by OWA.
Linkable token identifiers is a new Entra ID feature that adds a GUID to all the audit events for a session. The new identifiers make it easier to track all user actions taken during a session, and should be of great advantage to security investigators who need to know if an account is performing suspicious actions, possibly due to an attacker compromise.
After writing about how to copy group memberships from one user to another, the question arises about removing members from groups. The answer is straightforward when dealing with members of distribution lists and mail-enabled security groups, but things become more complicated when working with Microsoft 365 groups and it’s important to handle group owners correctly.
Retention policies and retention labels have been around for about 8 years. Some of the older retention settings might use file created dates to remove items. No doubt basing retention on creation dates made perfect sense at the time, but experience shows that maybe basing retention on the last modified date can be better. All explored here together with a script to update retention labels in OneDrive.
The Microsoft Authenticator app gets two important changes in September 2025 to make the app easier to use for average users. The current number matching mechanism is modified to make it less likely that notifications will fail to be seen and the first run experience is changing to give priority to Entra ID accounts. Hopefully, the changes will encourage adoption of MFA in Microsoft 365 tenants.
The news that people can customize Teams by choosing one of ten accent colors for use in the Teams UX might or might not be positive, depending on your view. While it’s nice to see things in your chosen color, the thought might cross your mind that engineering could focus on other more important tasks… But that’s being very critical.
The Exchange Extended Security Update program is a 6-month lifeline for organizations struggling to upgrade servers to Exchange Server SE. Although it’s easy to upgrade a server to , many things might get in the way before the Setup program can run. Small things like vacations, buying new hardware, or deploying a new O/S. From August 1, organizations can sign up to receive security updates from October 2025 to April 2026.
A July 15 announcement says that Exchange Online is reducing the Delicensing Resiliency threshold from 10,000 to 5,000 mailboxes. That’s fine, but this feature should be available for all Exchange Online tenants. It’s a sticking plaster for how group-based licensing works and is inconsistent with how OneDrive for Business deals with unlicensed personal user data.
Security researchers documented a prompt injection vulnerability in an agent created with Copilot Studio that allowed the exfiltration of customer data. Microsoft has fixed the problem, but the researchers figure that natural language prompts and the way that AI responds means that other ways will be found to cause agents to do silly things. Microsoft 365 tenants need to think about the deployment and management of agents.
Microsoft 365 Copilot Search is the second iteration of Copilot Search. It borrows heavily from the older Microsoft Search in Bing feature in terms of how it presents different types of results. Copilot Search is unmatched when it comes to searching Exchange, SharePoint, and Teams, but its ability to search the web is hindered by the dependency on Bing and the preference given to Microsoft.com sources.
Version 2.29 of the Microsoft Graph PowerShell SDK can now be downloaded from the PowerShell Gallery. Initial tests show that the release is stable. However, it’s recommended that you deploy V2.29 on a few workstations to test essential scripts before proceeding to a full-scale roll-out. V2.29 does not address the issue with PowerShell runtime in Azure Automation, but overall, first indications are that V2.29 is a good release.
The Microsoft Authenticator app is a secure authentication method for MFA. The app is getting an easier way for backup and recovery, which should make it easier for people to move to new iOS devices. Instead of a Microsoft recovery account, Authenticator will use the iCloud keychain. The update is expected to roll out in September 2025.
A sometimes overlooked 2024 update delivers easier access to protected messages delivered to shared mailboxes. Instead of direct assignment of Full Access to user mailboxes, access can be controlled through membership of a mail-enabled security group. It’s a small but very nice change, just like any update that eases the life of tenant administrators.
Sometimes tenants need to copy group membership from one user to another. Often PowerShell is used, but with the demise of the Azure AD module you might need to update the script that you use. Things are a little more complicated when using the Graph, but where there’s a will, there’s a way. Here’s how to use the Graph PowerShell SDK to do the job.
Microsoft 365 Copilot users can generate audio overviews from Word and PDF files and Teams meeting recordings stored in OneDrive for Business. Copilot creates a transcript from the file and uses the Azure Audio Stack to generate an audio stream (that can be saved to an MP3 file). Sounds good, and the feature works well. At least, until it meets the DLP policy for Microsoft 365 Copilot.
July 1 marked the general availability of Exchange Server SE (subscription edition), the latest in a long line of server releases going back to Exchange 4.0 (1996). Exchange Server SE will soon be the only game in town after Exchange 2016 and 2019 reach end of support in October 2025. In other news, Defender for Office 365 now boasts protection against email bombs.
The New Outlook for Windows supports an export to PST function. Unfortunately, exporting mailbox items is very slow – roughly ten times slower than Outlook (classic). But a bigger question is whether Microsoft 365 tenants should allow the use of the export to PST function because of the potential effect on tenant compliance and governance. Fortunately, it’s easily blocked.
The MCP server for Microsoft Learn is available in public preview. It can be installed to allow AI agent real-time access to Microsoft documentation. The problem with any AI technology is that it depends on the accuracy of its sources. And sometimes the accuracy of Microsoft Learn is not as good as people assume, which then means that the AI responses aren’t so good.
Office 365 for IT Pros (2026 edition), the 12th in an eBook series going back to May 2015, is now available. Covering all the essential aspects of Microsoft 365 tenant management from Entra ID to Exchange Online, SharePoint Online, OneDrive for Business, Teams, data lifecycle management, information protection, and more, Office 365 for IT Pros is an indispensable companion for tenant administrators who want to understand how Microsoft 365 really works.
The Office 365 for IT Pros team are thrilled to announce the availability of Automating Microsoft 365 with PowerShell (2nd edition). This completely revised 350-page book delivers the most comprehensive coverage of how to use Microsoft Graph APIs and the Microsoft Graph PowerShell SDK with Microsoft 365 workloads. Existing subscribers can download the second edition now free of charge.
Agent governance is the framework that allows tenants to deploy agents safely, securely, and under control. A new ISV offering from Rencore helps to fill some gaps in Copilot agent governance that currently exist in what’s available in Microsoft 365. It’s good to see ISV action in this space because the last thing that anyone wants is the prospect of Copilot agents running amok inside Microsoft 365 tenants.
The conditional access policy condition for token protection now extends to Microsoft Graph PowerShell SDK interactive sessions. Any account within the scope of a CA policy that requires token protection can use Web Account Manager (WAM) to sign in and check that everything is secure and ready to go. It’s a protection that might be of interest to administrators and developers that access sensitive data in Graph SDK sessions.
Recent problems with Microsoft 365 PowerShell modules afflicted the ability of Azure Automation runbooks to execute cmdlets Microsoft Graph PowerShell SDK and Exchange Online Management modules. The root cause is a decision to remove support for .NET6, but the worrying point is the lack of awareness within Microsoft engineering that Azure Automation is where many critical scripts run. Better pre-release testing is definitely needed.
