I dislike the Microsoft 365 self-service purchase mechanism and disable it in any tenant where I can. Global and Billing administrators for tenants that allow self-service purchases will soon receive notifications when self-service purchases occur to allow them to take action to allow, cancel, or change the purchased subscription. Or they can do what I do and avoid the problem in the first place by prohibiting self-service purchases.
On July 17, Microsoft announced the public preview of inbound SMTP DANE with DNSSEC for Exchange Online, a welcome step forward to improve messaging security. A previous attempt to launch the preview foundered because Microsoft wanted to insist on Microsoft 365 E5 licenses for the feature. Mature reflection prevailed and inbound DANE with DNSSEC is available to all, which is how it should be.
In what seems to be a small change, team owners can rename general channels (naturally with ‘meaningful names’). The change is more important than it seems because it’s associated with an effort to make users think about using channels as the basis for collaboration instead of always creating a new team. Being able to rename the General channel might make the channel more useful. After all, it’s just a regular channel.
A reader wanted to know why the Purview Compliance portal doesn’t show who last updated sensitivity label policies. The reason why is unclear, but what’s for sure is that Purview doesn’t record the data anywhere. But PowerShell and the audit log soon reveal who last made changes to labels and policies. It’s yet another example of how PowerShell fills gaps Microsoft leaves behind.
The Teams and Groups activity report is a popular script that helps administrators identify inactive teams and groups within a Microsoft 365 tenant. The script code has been developed over the years. The last version converted to Graph API requests to improve performance. This time, the upgrade is to use the Microsoft Graph PowerShell SDK to make the code easier to maintain.
It’s common to be asked which is the best mobile email client for Exchange Online. My view is that Outlook Mobile is the only client to use (if possible). I know that this opinion is unpopular with devotees of clients like the Apple iOS mail client, but the simple facts are that Outlook Mobile is more functional and better integrated into the Microsoft 365 ecosystem. That’s the defining factor for many.
Microsoft says they will remove the Remove-SPOExternalUser cmdlet starting July 29. They recommend using Remove-AzureADUser as a replacement. It’s a bad call because that cmdlet is part of a now-retired and soon to be deprecated module. Overall, recommendations like this make you think that Microsoft doesn’t know what’s happening across the whole of Microsoft 365. And you might be right.
In June, Microsoft retired Office Connectors for SharePoint Online and Microsoft 365 Groups. Starting on August 15, they’re retiring connectors for Teams. The problem is finding out which teams and channels have configured connectors. That’s when PowerShell comes in handy, as we prove with a script to report which teams have connectors.
A cloud policy setting enables a delay for evaluating message content and allows Outlook DLP Policy Tips to be displayed after detection of a policy violation. The setting works by pausing message sends until Outlook has had time to check the content for DLP policy violations. Pop-up messages inform users about the pause and the result of the check.
A new Outlook Mobile synchronization setting allows users to select a window of between 1 and 90 days to download copies of email and attachments. The new setting allows organizations who worry about corporate data being on mobile devices to limit exposure to one day while enabling people who like having their entire mailbox on their device to get closer to that point. Everyone wins.
In a welcome update, the Teams development group have provided a new policy setting to control the display of some in-product messages in Teams clients. The policy can only be updated with PowerShell. Some other Microsoft 365 development groups need to follow Teams and offer paying customers a way to suppress the annoying in-product ads.
A very useful update to support sharing links expiration for all link types used by SharePoint Online and OneDrive for Business is now rolling out and should be available in all Microsoft 365 tenants soon. Until now, expiration dates were only available for anyone links. Many organizations don’t allow anyone links, so enabling the feature for company-wide and specific people links will be much appreciated.
From mid-July 2024, Teams will begin hiding inactive channels for users. The inactive channels can be unhidden, and users can opt out of the automatic process. The new clean up routine can be invoked whenever users want and if a mistake is made, it’s easy to unhide a channel. Given the number of channels in use, it’s likely that a few in everyone’s channel list are inactive and deserve to be hidden.
Some folks wonder why they can’t use documents shared with them using company-wide links with Copilot for Microsoft 365. As it turns out, the answer is simple. People must redeem a sharing link before SharePoint validates their access to a shared file. Copilot cannot use a document unless it has access to it. All of which brings up the question of whether it’s a good idea to use company-wide sharing links.
Office 365 for IT Pros 2025 edition, the 11th edition of the most comprehensive and in-depth book covering the Microsoft 365 Office servers, is now available. Office 365 for IT Pros subscriptions include a new 240-page book titled Automating Microsoft 365 with PowerShell covering PowerShell, Microsoft Graph APIs, and the Microsoft Graph PowerShell SDK. No Microsoft 365 tenant administrator should be without a copy of Office 365 for IT Pros!
The old Files tab in Teams chat is being replaced by the Shared tab. The new tab exposes both files and hyperlinks and Microsoft says that the Shared tab will support more types of objects in the future. No dates are given for the future enhancements, but the new Shared tab will roll out for Teams chat users in early July 2024. I like the new tab because I tend to share many hyperlinks in chats.
Microsoft is moving to block federated communications with trial Microsoft 365 tenants to cut off a potential exploitation route for attackers. The new block goes into force on July 29, 2024, and is controlled by the ExternalAccessWithTrialTenants setting in the tenant federation configuration policy. We’ve been saying for years that tenants should clamp down on federated chat. It seems that Microsoft now agrees.
The Outlook settings API is an unfinished Graph API that can read and update some but not all mailbox settings. It’s a pity that the API is incomplete because it would be nice to have a comprehensive API that supported every mailbox setting, including some of the more recently introduced tweaks seen in OWA. The current state of the Outlook settings API is usable but not for much, but at least it can update auto-reply settings.
V1.2 of the User Passwords and MFA report includes the names of authentication methods registered for user accounts. V1.3 expands the amount of detail reported for each method, such as the phone number used for SMS challenges, or the email address used for SSPR. It’s a small but important detail that’s useful to administrators. However, it also comes with a potential privacy issue, so the script must handle that too.
Microsoft has announced the formal renaming of the Win32 version of Outlook to be Outlook (classic). It’s preparing for the general availability of the new Outlook for Windows, expected very soon into the new Microsoft fiscal year starting on July 1, 2024. The change doesn’t affect the status of Outlook (classic) or the commitment to support the client until at least 2029.
The Set-PlannerUserPolicy cmdlet allows Microsoft 365 tenant administrators to stop users deleting tasks created by other users. However, an undocumented consequence of setting the policy for user accounts is that it stops those accounts removing plans too. The unexpected block imposed by Set-PlannerUserPolicy caused me problems when attempting to delete a plan with PowerShell. It would be nice if the modules created by Microsoft worked as expected (and as documented).
The Microsoft 365 Licensing Report is a popular PowerShell script that’s just been updated to V1.9 with a bunch of changes to highlight different aspects such as license costs for disabled user accounts and inactive user accounts. Copious use of some very dubious color choices makes the HTML report created by the script look very nice (if you’re color blind) and the new version can generate an Excel worksheet.
Microsoft wants users to upgrade from legacy Outlook clients. The biggest impact for Microsoft 365 tenants might be the loss of OWA light, but consumer users are in for the same kind of change that enterprise users experienced when Microsoft blocked basic authentication for Exchange Online. The announcement wasn’t very clear about what’s happening, so we’re happy to clarify matters.
The Set-MailboxFolderPermission cmdlet is usually used to set calendar permissions, including the permission for the default user to allow everyone in an organization to see each other’s calendars. But you can use cmdlets from the Microsoft Graph PowerShell SDK too. The Graph SDK cmdlets are faster, but not enough to warrant replacing the Exchange cmdlet in scripts. We explain why here.
The incoming webhook connector is a popular method to post information to Teams channels, but Microsoft seems set on retiring the Office connectors. The Teams post to channel workflow when a webhook request is received seems like a possible replacement, but it’s not just a matter of switching mechanisms. Some PowerShell magic is needed to create a suitable adaptive card to post to the channel, which is exactly what we explain how to do here.
A Microsoft Graph update makes per-user MFA state available for user accounts. Being able to access the data means that we can include it in the User Passwords and Authentication report. You can now see if accounts are disabled, enabled, or enforced for per-user MFA along with all the other information captured about password changes, MFA authentication methods, and so on.
Our review of the Videos chapter for the Office 365 for IT Pros eBook found a Teams meeting policy setting we hadn’t documented to block downloads for channel meeting recordings. Naturally, this was a disaster, so we spent some time investigating what the policy setting does and if it’s useful in practice. It works, but do you want to block downloads of channel meeting recordings?
Splatting is an optional PowerShell technique designed to make it easier to pass parameter values for cmdlets. It’s a personal choice whether to use splatting instead of passing values to individual parameters in the command line. Although the Microsoft Graph PowerShell SDK can be a little strange at times, you can use splatting with SDK cmdlets, even with some pretty complex parameters such as those used to filter objects.
Office 365 Connectors bring data from external sources into Microsoft 365 apps like Teams and Outlook. Workflows and Power Automate are replacing Connectors for Microsoft 365 Groups (Outlook groups) and SharePoint Online. Connectors are still available in Teams but for how long? No one knows, but it does seem like Microsoft is rationalizing no-code automation around Power Automate.
Understanding SharePoint Online storage used to be easy. Then applications like Loop arrived. Other influences like retention and archive can affect storage too. It’s a complicated situation before you throw OneDrive for Business into the mix and consider that Microsoft has removed unlimited OneDrive storage while an increasing number of apps store files in OneDrive. It’s a complicated situation.
Three years ago, I wrote a script to analyze the audit records generated for Teams meeting recordings. Then things changed in terms of how the audit records were generated and how the Search-UnifiedAuditLog cmdlet returns audit search results. All of which meant that considerable work was needed to revamp (rewrite) the script. Maybe you need to check any script that uses the Search-UnifiedAuditLog cmdlet too?
This article describes how to use the Microsoft Graph PowerShell SDK to report delegated permission assignments to user accounts and apps. Like in other parts of Microsoft 365, the tendency exists to accrue delegated permissions for both user accounts and apps over time. There’s nothing wrong with having delegated permissions in place, if they are appropriate and needed – and that’s why we report their existence.
Deciding whether to use Microsoft Graph PowerShell SDK cmdlets or Graph API requests is sometimes not easy. Some say that it’s best to use Graph API requests everywhere and avoid the complication of possibly buggy Graph PowerShell SDK cmdlets. My approach is different. I start with Graph PowerShell SDK cmdlets and only resort to Graph API requests when absolutely necessary. It works for me!
The latest technology initiative from Microsoft comes in the form of Teams custom emojis, designed to bring light and happiness to Microsoft 365 tenants. Of course, the light and happiness will only happen if tenants don’t disable the settings in Teams messaging policies that allow users to upload custom emojis. A tenant can support up to 5,000 Teams custom emojis. That’s a lot of room for people to get inventive.
Without any fuss or bother, Microsoft announced that the Teams 2.1 client has regained the Notify When Available feature. This functionality allows users to subscribe to the presence status for someone else to receive notifications when that person’s presence status changes to Available. It’s a very useful and worthwhile feature to have that goes back to Skype. It’s good to have it back!
The June 2024 update for the Office 365 for IT Pros 2024 edition ebook is available for download. We’re also announcing the availability of the 2025 edition on 1 July 2024. Office 365 for IT Pros 2025 edition drops the companion volume and introduces a new book dedicated to Automating Microsoft 365 with PowerShell. Anyone who subscribes to the 2024 edition in June 2024 will receive a free update to the 2025 edition when it is published.
Copilot audit records generated for the Microsoft 365 audit log capture details of the resources (files, emails, and documents) used by Copilot in its answers. This doesn’t sound very exciting, but it is important for forensic investigators who need to understand what information is consumed to generate AI answers. In another development, the Copilot for Microsoft 365 chat app is now available in Outlook classic.
Microsoft is deploying additional audit events to tenants with Purview Audit (Standard) licenses. Among the 15 Teams events in the set are Teams meeting audit events to capture details of meetings and participants. Unhappily, some of the data that you’d like to have for meetings, like the subject, are missing. And meeting participant information is available for some classes of user but not for others.
The Teams Activity feed received two recent major changes. First, calendar notifications now show up in the feed. Second, the set of filters that were available is reduced to just two (mentions and unread). Reducing the filters is part of Microsoft’s effort to streamline the Teams 2.1 client and remove unnecessary screen elements. I guess it’s OK, and you can disable the calendar notifications to stop that annoyance.
A request came in for a PowerShell script to report mailbox audit configurations to check that the important new events are being generated by mailboxes. After diverting into the hellhole of Microsoft licensing, normal sanity was resumed and a PowerShell script written to do the job. The script generates a CSV file or Excel worksheet for tenant administrators to review. After that, it’s up to you.