Microsoft 365 – Office 365 for IT Pros
https://office365itpros.com
Mastering Office 365 and Microsoft 365

Microsoft Withdraws Copilot Catch Up Feature
https://office365itpros.com/2024/08/30/copilot-catch-up/
Fri, 30 Aug 2024 07:00:00 +0000

Copilot Catch Up Fails to Impress

On August 28, 2024, Microsoft posted a revision to message center notification MC799636 (Microsoft 365 roadmap item 388746) to announce their decision to completely roll back their deployment of the new “catch up” feature for Copilot for Microsoft 365 and Teams. The roll back operation will start on September 2. Previously, the feature was supposed to reach general availability in early August 2024.

According to Microsoft, the deployment had reached 50% of users. These are eligible accounts with Copilot for Microsoft 365 licenses. Given that many large enterprises have committed to Copilot for Microsoft 365, the number of affected users might be in the low several million range.

The Black Box of Card Determination

The blurb for the Copilot catch up feature says that it “helps users [to] take action on important updates.” In other words, Copilot had found something it deemed of interest to the signed-in user and brought the item to their attention in a series of cards that rotated through a carousel. In my case, the feature only turned up a couple of days ago. Figure 1 shows what I see. The three cards cover a Word document (chapter 2 for the Office 365 for IT Pros eBook), a calendar invitation, and a Loop workspace.

Figure 1: Copilot catch up

Like many elements of artificial intelligence, the process to determine what cards to display is a black box. Looking at the cards chosen by Copilot, I can see the logic of selecting the Word document because it’s a reminder that its content has changed, and I need to review the updates. The meeting is probably there because it happens later today. To help me prepare, Copilot found an email sent about a Teams service outage which frankly is of zero relevance to the meeting. The sole connection is that the word Teams appears in the subject for both the meeting invitation and email. The selection reminds me of “I must find something” instead of “I must find something useful.” I can’t account for why Copilot chose the Loop workspace because nothing has happened in it for months. Perhaps Copilot Catch Up wanted to be diverse in its choice of application sources.

I don’t think I shall miss the carousel. It seems like a modern take on the many ways that Office apps suggest documents to users or the way that the now-deprecated Delve highlights documents to users. The Viva Insights for email feature available in Outlook clients is another example of how Microsoft seeks to extract value from user data to highlight “things to do.”

Automatic Document Summaries by Copilot for Microsoft 365

The list key points link on the card for the Word document (Figure 2) appears to do what I expect to see when Microsoft deploys message center notification MC871010 (Microsoft 365 roadmap item 399921), scheduled for late August. This update promises that Copilot “will generate a summary in the window at the top of the Word document.”

Figure 2: Bulleted points for a Word document generated by Copilot for Microsoft 365

MC866152 (23 August 2024) also covers the same ground for Microsoft Copilot (the version that doesn’t use the Graph).

I have some problems with the idea of generating automatic summaries because I fear it might slow down the opening of large documents based on the current performance in the Copilot chat app. It seems like a terrific demo feature that works well for 2-page documents. I can’t imagine how it will cope with the 1,300 pages of the Office 365 for IT Pros eBook source file. MC866452 says that the summary window can be collapsed to hide it. There’s no detail about what I really want to do, which is to disable automatic summaries for all Word documents.

Copilot Can’t do Everything

Figuring out what features will really be interesting and useful is an aspect of software engineering that is often very difficult. Sometimes I think Microsoft tries too hard, tries to be too clever, or utterly fails to understand how people outside Microsoft work. Applying artificial intelligence to as many aspects of Microsoft 365 as possible is madness, even if it keeps senior management happy.

The truth is that not every idea discussed around a conference table in Redmond or virtually in a Teams call is valuable. Sometimes it takes exposure in the harsh light of reality to figure out what works and what doesn’t. The demise of Copilot catch up is a reminder to us all that just because a new feature appears, its value needs to be assessed in terms of how it contributes to the success of the business.


So much change, all the time. It’s a challenge to stay abreast of all the updates Microsoft makes across the Microsoft 365 ecosystem. Subscribe to the Office 365 for IT Pros eBook to receive monthly insights into what happens, why it happens, and what new features and capabilities mean for your tenant.

Switching Microsoft 365 Data Report Privacy On and Off
https://office365itpros.com/2024/08/15/usage-reports-api-ga/
Thu, 15 Aug 2024 07:00:00 +0000

Admin Settings API to Control Usage Reports Data Gets an Update

If you don’t follow the sometimes-anarchic world of the Microsoft Graph, message center notification MC859853 (13 August 2024) might have passed you by without comment. However, given the importance of reporting usage data to understand the activity level within tenants, this is a significant change.

The option to anonymize user information like display names in usage reports generated from the Microsoft Graph has existed since 2020. The control for the option is under Reports in the Org Settings section of the Microsoft 365 admin center and its purpose is to protect the privacy of users. The control affects all access to usage data via the Graph, including reports generated using PowerShell, such as the Teams and Groups Activity Report. In fact, if you choose to obfuscate user data, reports lose much of their value and can make it impossible to derive comparisons between different forms of usage data. For instance, the script to analyze use of different Microsoft 365 workloads by individual accounts to determine who could best use Copilot for Microsoft 365 licenses depends on being able to match user principal names.

Programmatic Access to Set the Privacy Control for Usage Reports Data

It’s useful for programs and scripts to be able to turn the privacy control off to fetch usage data and back on again when finished. Until now, programmatic access to control the privacy setting for usage reports existed in the beta adminReportSettings Graph API. What’s changed is that the API is now generally available and therefore available through the V1.0 Graph endpoint. In the past, a script might have done something like this to check if the privacy setting was on or off:

$Uri = "https://graph.microsoft.com/beta/admin/reportSettings"
$Data = Invoke-MgGraphRequest -Method Get -Uri $Uri
Write-Host ("The current report privacy setting is {0}" -f $Data.displayConcealedNames)
The current report privacy setting is False

Now that the API is generally available and fully supported, the URI is https://graph.microsoft.com/V1.0/admin/reportSettings. For instance, to update the privacy setting to set it on, you’d do:

$Uri = "https://graph.microsoft.com/V1.0/admin/reportSettings"
# displayConcealedNames is a Boolean property, so pass $true rather than the string "true"
$Settings = @{}
$Settings.Add("displayConcealedNames",$true)
Invoke-MgGraphRequest -Uri $Uri -Method Patch -Body $Settings

The Microsoft Graph PowerShell SDK has just had a refresh to V2.22 but the SDK cmdlets haven’t yet caught up with the change and remain using the beta endpoint. This means that you should use Get-MgBetaAdminReportSetting to fetch values and Update-MgBetaAdminReportSetting to switch the control from on to off or vice versa.

To update the privacy control, the signed-in account must hold the global administrator role and the app used must have consent for the ReportSettings.Read.All permission.
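
The off-and-on-again pattern described above, as an added example that is not code from the original article: it turns concealment off only if it was on, fetches one usage report, and restores the setting in a finally block so a failed download cannot leave the tenant's reports de-anonymized. It assumes the Microsoft.Graph.Authentication module, consent for ReportSettings.ReadWrite.All (the scope Microsoft Graph documents for updating this setting) and Reports.Read.All, and a hypothetical output path; the function names are also hypothetical.

```powershell
# Added example (not from the article). Requires the Microsoft.Graph.Authentication module.
# Scopes are assumptions: ReportSettings.ReadWrite.All for the PATCH, Reports.Read.All for the report.
Connect-MgGraph -Scopes 'ReportSettings.ReadWrite.All', 'Reports.Read.All' -NoWelcome

$SettingsUri = 'https://graph.microsoft.com/v1.0/admin/reportSettings'
# Any usage report works here; the active user detail report is used as a sample.
$ReportUri   = "https://graph.microsoft.com/v1.0/reports/getOffice365ActiveUserDetail(period='D7')"
$OutputFile  = Join-Path ([System.IO.Path]::GetTempPath()) 'ActiveUserDetail.csv'  # hypothetical path

function Get-ReportPrivacy {
    # Returns $true when user, group and site names are concealed in usage reports.
    [bool](Invoke-MgGraphRequest -Method Get -Uri $SettingsUri).displayConcealedNames
}

function Set-ReportPrivacy {
    param([Parameter(Mandatory)][bool]$Concealed)
    # Send a JSON boolean rather than the string "true"/"false".
    $Body = @{ displayConcealedNames = $Concealed } | ConvertTo-Json
    Invoke-MgGraphRequest -Method Patch -Uri $SettingsUri -Body $Body -ContentType 'application/json' | Out-Null
}

$WasConcealed = Get-ReportPrivacy
$Changed = $false
try {
    if ($WasConcealed) {
        # Only touch the tenant setting when it is actually on.
        Set-ReportPrivacy -Concealed $false
        $Changed = $true
    }
    Invoke-MgGraphRequest -Method Get -Uri $ReportUri -OutputFilePath $OutputFile
    Write-Host ("Usage report written to {0}" -f $OutputFile)
}
finally {
    # Runs on success, on error, and on Ctrl+C: put the privacy control back.
    if ($Changed) {
        Set-ReportPrivacy -Concealed $true
        if (-not (Get-ReportPrivacy)) {
            Write-Warning 'Report privacy setting was NOT restored; re-enable it in Org Settings > Reports.'
        }
    }
}
```

The exported CSV contains real user principal names, so store and dispose of it as personal data.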

Backup Restore Module in V2.22 of the Microsoft Graph PowerShell SDK

One of the notable things about V2.22 of the Microsoft Graph PowerShell SDK is the appearance of a new beta module for Microsoft 365 Backup (backup and restore operations). To list the commands in the module, run Get-Command:

Get-Command -Module Microsoft.graph.beta.backuprestore

Use of the cmdlets requires consent for the BackupRestore-Control.Read.All permission (Figure 1).

Figure 1: Granting consent for permission to use Microsoft 365 Backup APIs

Despite having the permission and an active Microsoft 365 Backup schedule in place for SharePoint Online, OneDrive for Business, and Exchange Online, all attempts to use the cmdlets met with an internal error. Oh well, Microsoft 365 backup is only just generally available, and this is a beta module. Things are expected to go wrong. It’s just another opportunity for improvement within the Microsoft 365 ecosystem.

Graph Keeps On Growing

Being able to control usage report data privacy and Microsoft 365 Backup through Graph APIs are two examples of how people might not have considered using the Graph to automate common administrative scenarios. It’s proof of the growing influence of the Graph, and underlines why Microsoft 365 tenant administrators need to become Graph literate.


Stay updated with developments across the Microsoft 365 ecosystem by subscribing to the Office 365 for IT Pros eBook. We do the research to make sure that our readers understand the technology.

Comparing Microsoft Cloud Email Services
https://office365itpros.com/2024/08/13/microsoft-cloud-email-services/
Tue, 13 Aug 2024 07:00:00 +0000

HVE and ECS Compete for Different Customers of Microsoft Cloud Email Services

I need to apologize to some of the subscribers to the Office 365 for IT Pros eBook. Over the last few weeks, I’ve been using you as the targets for emails sent using Exchange Online High-Volume Email (HVE) and the Azure Email Communication Service (ECS).

Both solutions focus on sending large quantities of email. HVE is more internal-focused but can handle external messages. HVE is part of Exchange Online and intended to help customers move off on-premises servers to handle traffic generated by multi-functional devices and applications. ECS is a standalone offering that can handle large volumes of external email such as newsletters, subject to thresholds set by Microsoft. According to Microsoft, ECS is very popular and handles large amounts of messages daily.

HVE is in preview and is free to use today. When it’s generally available, HVE will likely cost for some traffic. ECS is already a pay-as-you-go service that must be funded by an Azure subscription.

Seeking Test Email Targets for Microsoft Cloud Email Services

When setting out to test the effectiveness of emailing solutions, you need large numbers of target recipients. Little is to be learned by sending a couple of messages to a few internal recipients. To run a better trial, I decided to use HVE and ECS to send reminder messages to subscribers of the 2024 edition of the Office 365 for IT Pros eBook to ask if they wanted to take advantage of an offer to extend their subscription. Sending email to ask people to buy something or take out a subscription seemed like a pretty good scenario to test the usability of HVE and ECS.

Comparing HVE and ECS

Overall, HVE is easier to use. Less setup is required, and the PowerShell used to generate and submit messages is based on the old (deprecated) Send-MailMessage cmdlet. No shortage of articles can be found on the internet to tell you how to use Send-MailMessage. Because of the need to provide an email service for apps and devices, HVE uses a restricted form of basic authentication with the SMTP AUTH protocol. Support for modern authentication is coming, but using basic authentication for internal messages will make the switchover to HVE much easier.

HVE reporting (Figure 1) is basic. More comprehensive reporting is built into ECS. In both cases, feedback from sent messages is minimal, so figuring out what happened to messages is tough. ECS can tell you the number of messages it failed to send but HVE is silent on this point. However, HVE is in preview and Microsoft says that they will deliver better reporting when the solution is generally available.

Figure 1: HVE Mail Statistics

The ECS setup is more complicated if you’re unaccustomed to dealing with Azure resources and billing. ECS uses an Entra ID app for authentication and to prove that an app (like a PowerShell script) has the right to submit messages to the service. Creating and submitting messages to ECS is similar to using Graph-based cmdlets like Send-MgUserMail. Some differences exist because a different API is used, but the basics of building a hash table of message parts and converting it to JSON before sending won’t be unfamiliar.

Throttling and thresholds were the biggest issue I encountered with both ECS and HVE. It took a little while to find where limits applied in practice and to investigate ways around them. Microsoft has a documented process for applying for higher limits for ECS but my ability to navigate the process failed and I never managed to achieve a higher threshold. Microsoft is careful with HVE while it is in preview and some limitations (like the 2,000 external recipients per tenant daily) are hardcoded and won’t change until the software reaches general availability.

Testing of both Microsoft Cloud Email Services Proves Valuable

As always, the opportunity to conduct realistic tests over a sustained period proved invaluable in gaining an understanding about how HVE and ECS work. In my case, sending thousands of reminder messages to Office 365 for IT Pros subscribers certainly taught me a lot. You can read more about my experiences in articles covering HVE and ECS in-depth. Other articles about HVE and ECS are available on the internet, but most are content to send just a few test messages and then declare success. That’s no way to exercise a high volume email system.

If you’re interested in one of these services, my advice is to spin up both and test using a sample of messages that your organization needs to send. Exchange Online tenants will, I think, select HVE, but I can see why ECS has its attractions especially if the focus is on sending large quantities of email to external recipients. Beauty is in the eye of the mail sender.


Learn about using Exchange Online and the rest of Office 365 by subscribing to the Office 365 for IT Pros eBook. Use our experience to understand what’s important and how best to protect your tenant.

Microsoft 365 Admin Center to Take Over License Assignments
https://office365itpros.com/2024/08/09/license-assignments-move/
Fri, 09 Aug 2024 07:00:00 +0000

License Assignments Cease in Entra Admin Center from September 1, 2024

Microsoft hasn’t announced the change formally yet, but a notice posted in the Entra admin center and associated documentation proclaims that from September 1, 2024, administrators won’t be able to assign any form of license to user accounts or groups through the Licenses page of the Entra admin center (Figure 1). In addition, it will no longer be possible to assign or update licenses by editing user account properties in the Entra admin center. Instead, administrators must make license assignments through the Microsoft 365 admin center.

Figure 1: License assignments in the Entra admin center

Following the switchover, it will still be possible for administrators to view license assignments in the Entra admin center. Only license assignments and updates for current assignments are blocked.

According to Microsoft documentation, the change will “streamline the license management process within the Microsoft ecosystem.” A case can certainly be argued that it’s better to centralize license management in one place, even for Entra P1 and P2 premium licenses. Given that Microsoft 365 consumes most licenses, it is logical to focus licensing activity on the Microsoft 365 admin center.

PowerShell Remains Unaffected

The change only affects the GUI in the Entra admin center. Licenses can still be assigned to users and groups via the Microsoft Graph PowerShell SDK or Graph API requests. Any tools written based on the SDK or Graph requests such as the Microsoft 365 Licensing Report remain unaffected.

Microsoft 365 Admin Center Updates

License management has been present in the Microsoft 365 admin center for a while. Group-based license management is a relatively new addition (Figure 2) and supports the same feature set as the Entra admin center.

Figure 2: Group-based license assignments in the Microsoft 365 admin center

One nagging doubt that I have about the move is that the Microsoft 365 admin center is invariably slower at dealing with anything to do with licensing than the Entra admin center is. Perhaps folks who work on the Microsoft 365 admin center need some help about efficient license management techniques from their Entra colleagues. Another is that the Microsoft 365 admin center doesn’t support administrative units in the same way as the Entra admin center does (albeit requiring Entra P1 licenses). Hopefully, administrative unit support will appear in the Microsoft 365 admin center soon.

Overall, I don’t think making the Microsoft 365 admin center the fulcrum for license assignments will discomfort anyone except people who write about license assignments. Proving the value of ePublishing, we’ll document this change in the September 2024 update of the Office 365 for IT Pros eBook (2025 edition).

Self-Service Purchases Get a GUI

A change that might have more impact is the one announced in message center notification MC853238 (6 August 2024). For years, tenant administrators have complained about the way Microsoft opened up self-service purchases to users and the need to use the awful MSCommerce PowerShell module to disable the ability for users to buy licenses.

MC853238 says that in mid-September 2024, the Microsoft 365 admin center will have a new Self-service trials and purchases option under Org Settings (Figure 3) to enable or disable self-service license purchases previously only manageable through PowerShell.

Figure 3: Self-service and trial product licenses in the Microsoft 365 admin center

Administrators can choose to:

  • Allow self-service trials and purchases: Users are allowed to apply for trial licenses and buy self-service licenses.
  • Allow trials only: Even after a successful trial, the user cannot purchase a license.
  • Do not allow purchases: Users cannot purchase self-service licenses.

It’s surprising that Microsoft has taken so long to introduce the GUI to manage self-service purchases, but at least it’s happening now.

Friday Happiness

These changes are good examples of the kind of updates that flow through Microsoft 365 on an ongoing basis. Neither is earthshattering. They won’t cause processes to stop working unless you really depend on the Entra admin center for license assignments. Even if you do, the switch to the Microsoft 365 admin center is easy. Everyone should ignore some of the breathless hype around these changes and have a nice weekend, which is what I plan to do.

Microsoft Quashes Bad Habit of Sending Passwords in Email
https://office365itpros.com/2024/08/05/send-password-in-email-m365/
Mon, 05 Aug 2024 07:00:00 +0000

Removal of Microsoft 365 Admin Center Option to Send Password in Email

In a change that surprises only because it took so long to be made, message center notification MC837081 (29 July 2024) announces that administrators will lose the option to send user passwords in email after August 30, 2024. Although the detail in the post is hazy, I assume that this change refers to the Email the sign-in info to me option after changing a user account password in the Microsoft 365 admin center (Figure 1).

Figure 1: The option to send a user’s password to administrators

Sending Passwords in Email is a Terrible Idea

The option to send a changed password by email has always existed in Office 365/Microsoft 365, possibly because it’s difficult to remember system-generated passwords. Sending email to the administrator to remind them about the password is possibly a lesser evil than writing down a system-generated password.

Users should always be forced to change their password when they first sign in after an administrative process changes their password. Even if a secure system-generated password is used, it’s unlikely that the user will remember it and they’ll either write the password down on a sticky note or request another password change. It’s better to let the user use the self-service password reset (SSPR) feature to choose their own password, providing it meets password complexity requirements.

An argument can be made that passwords don’t matter all that much anymore. This might be true if strong multifactor authentication (like the authenticator app or passkeys) protected every Microsoft 365 account and we had reached the stage where passwordless operation was possible everywhere, but there’s more work to be done before Microsoft 365 gets to that point.

Overall, sending password information in unencrypted email is a terribly bad idea that encourages people to treat passwords with less respect than they should. Purview Data Loss Prevention (DLP) includes sensitive data types for Azure AD (Entra ID) user credentials, User login credentials, and All credential types to help organizations block emails and Teams messages containing usernames and passwords.

The Print Option

Microsoft’s suggested replacement is to use “the new Print option in the Microsoft admin center to save the user account details and share them in a secure manner with your users.” I don’t see any trace of a new Print option in the Microsoft 365 admin center and the advice in the documentation is to use the print to PDF feature (CTRL/P). This works, even if it creates too many pages in the output PDF, and the method has the advantage that the PDF can be protected by a sensitivity label. I imagine that in most cases the PDF will be sent as an email attachment to someone like the user’s manager instead of being printed off and carried by an administrator direct to the user.

How best to get a new password to a user in a secure manner is a good discussion for tenant administrators to have. Given that many users work from home, it seems like making a phone call to communicate the new password is the most practical method. That is, if you can reach the user. Another idea I have heard is to use Azure Key Vault to store updated credentials that a user can access through an Azure function.

Moving On

I doubt that many will mourn the passing of the option to send a user’s password to administrators via email. It’s a legacy artifact from a simpler time when passwords weren’t treated with as much respect as they deserve. It’s time to move on toward a future where user passwords are less important than they are now.


Learn how to exploit the data available to Microsoft 365 tenant administrators through the Office 365 for IT Pros eBook. We love figuring out how things work.

Microsoft Cloud Revenues Keep on Growing
https://office365itpros.com/2024/08/02/microsoft-fy24-q4-results/
Fri, 02 Aug 2024 03:00:00 +0000

But No New Numbers for Office 365 and Teams Users in Microsoft FY24 Q4 Results

As has become the norm, Microsoft delivered another solid set of quarterly results (FY24 Q4) on July 30, 2024. The headline number was the $36.8 billion for Microsoft Cloud, a 21% growth year-over-year equating to an extra $6.5 billion earned in FY24 Q4 compared to the same quarter the previous year. The annualized run rate for Microsoft Cloud is now $147.2 billion. The gross margin for Microsoft Cloud decreased two points to 69% but Microsoft expects it to go back up in the current quarter.

Microsoft FY24 Q4 Results

Also following its norm, Microsoft successfully obscured the numbers for segments like Teams (no updated number provided, so the official number remains at 320 million monthly active users claimed in October 2023). Teams Premium now has 3 million users, or less than 1% of the total Teams installed base. Microsoft said that the seat growth was up 400% year-over-year, proving once again that impressive growth figures are always possible from a low base.

Office 365 Numbers and Growth

Amy Hood said that Office 365 commercial seats grew 7% year-over-year, but this isn’t helpful without a base number to compare it against. The last we heard was the “over 400 million paid seats” cited in January 2024 or the 382 million number given in April 2023. Possibly the unwillingness to share precise numbers is to disguise a slowdown in new user acquisition over the last year or so. Office 365 Commercial revenue increased 13% (14% in constant currency). The same level of growth is expected to continue in Q1.

More impressively, Enterprise Mobility and Security now has 281 million paid seats. That’s an increase of 13 million over two quarters. Another number is that Power Platform now has 48 million monthly active users. I assume most of these people are Office 365 users. If so, has Power Platform really reached 12% of the Office 365 base? I guess it’s possible and Microsoft is certainly doing all that it can to encourage more use, such as retiring the Office 365 connectors in favor of workflows.

GitHub Everywhere

The transcript of the call with market analysts illustrates Microsoft’s intention to discuss Copilot and AI at every opportunity and the continued fascination in the market about whether the huge investment in datacenter capacity will ever generate a return. CFO Amy Hood said that Microsoft spent $19 billion on capital expenditure during the quarter, almost all of it related to Cloud and AI. The spend breaks down roughly 50/50 between infrastructure and servers. In a response to a later question, Satya Nadella said that “the kit” for a datacenter represented about 60% of the total spend. Either way, Microsoft is spending heavily to support Cloud and AI.

Microsoft reported that the number of customers using Copilot for Microsoft 365 grew 60% quarter over quarter. Microsoft also said that the number of customers with over 10,000 Copilot for Microsoft 365 seats doubled quarter over quarter. However, in neither case did they give a firm number, preferring instead to mention some marquee names, such as the decision by EY to deploy Copilot for Microsoft 365 to 150,000 seats.

Given the huge marketing effort by Microsoft to push Copilot for Microsoft 365, it’s unsurprising to see substantial customer interest in the product. Everyone is curious about how generative AI can help people do their job smarter and better, so many tests are ongoing. One thing I hear time after time is the difficulty of measuring saved time or better outcomes, plus how to assess if people use saved time in a productive manner. After all, being able to save five minutes to draft and send an email isn’t much good if the time saved is devoted to non-essential tasks.

Satya Nadella said that GitHub Copilot is used by more than 77,000 organizations (up 180% year over year). GitHub Copilot now represents 40% of GitHub revenue. By itself, GitHub Copilot is larger in revenue terms than the entire GitHub was when Microsoft bought it. I don’t think this is surprising. I use GitHub Copilot with Microsoft 365 PowerShell every day and consider it to be an absolute bargain for what it delivers. Even though it is capable of creating some odd code, GitHub Copilot is a great example of how AI can be very effective when given limited goals.

New Fiscal Year, Continued Growth

It seems clear that the Microsoft Cloud will continue to grow revenue during Microsoft’s 2025 fiscal year. The growth probably won’t come from vast quantities of new Office 365 users. Instead, it will come from convincing customers to upgrade to more expensive licenses (like Office 365 E3 to E5), premium licenses, and AI.


Support the work of the Office 365 for IT Pros team by subscribing to the Office 365 for IT Pros eBook. Your support pays for the time we need to track, analyze, and document the changing world of Microsoft 365 and Office 365.

Team Owners Can Rename the General Channel
https://office365itpros.com/2024/07/17/rename-general-channel/
Wed, 17 Jul 2024 07:00:00 +0000

Rename General Channel with a “Meaningful Name”

Message Center notification MC814583 (July 16, 2024, Microsoft 365 roadmap item 395931) announces that team owners can soon rename the General channel (or the local language version of General when Teams isn’t run in English). For years, Microsoft resisted this request because the General channel is (in effect) the heart of a team. A team must have at least one channel and General is the default channel created in every team.

In the early days of Teams, it seemed like the General channel had a protected status where only team owners could post messages to the channel. The idea was to reserve the General channel for important announcements and the like and offload discussions to other channels dedicated to different topics. There’s value in this idea but perhaps not as much as people thought. It takes a certain discipline to always use the General channel for announcements.

Now Microsoft says that team owners can rename the General channel and give it a “meaningful name” to reflect the core role the channel has within a team. Renaming the General channel updates the channel’s display name, which can be up to 50 characters long. Some restrictions on characters that can be in the name do exist, but just like any other channel name, you can include emojis if you like (Figure 1). This must surely count as a meaningful name.

Figure 1: Renaming a General channel in a team

The warning shown in Figure 1 says that once a team owner renames the General channel to some other name, they can’t reverse the process and use the General name again. “General” is a reserved name that can’t be assigned to any channel except when a team is created. I guess Microsoft could have created some extra code to track renames for General channels to allow channels to become General again, but it’s easier to say that the word General can never be used for a channel name.

Availability of Rename General Channel

The new feature is available in the Teams 2.1 desktop and browser clients. Microsoft plans to roll out the update to targeted release tenants in early August 2024. General Availability for commercial tenants will follow in mid-August 2024. GCC, GCC-High, and DOD tenants should get the update in September 2024.

Programmatic Ability to Rename General Channel

Current versions of the Graph Update Channel API block renames of the General channel (“General channel cannot be patched”), so the Update-MgTeamChannel cmdlet from the Microsoft Graph PowerShell SDK doesn’t work either. When the restrictions are lifted, you should be able to run a command like this to rename the General channel:

Update-MgTeamChannel -ChannelId '19:L2cxcx_ObbZSwEuRcwo1jEjIGZoxhAR-Fchi-PSujiM1@thread.tacv2' -DisplayName 'Everyone is a Winner' -TeamId $TeamId

A Small But Important Change in the Evolution of Channels

As I noted earlier this year, Microsoft is emphasizing better use of channels in an attempt to reduce the number of inactive or underused teams. With a team now capable of supporting a mixture of 1,000 regular, shared, and private channels, there’s certainly lots of potential to explore in maximizing the use of channels. Perhaps being able to rename the General channel will make it less of a special place than it’s been in the past and make it into what the General channel is becoming: just another regular channel in a team.


So much change, all the time. It’s a challenge to stay abreast of all the updates Microsoft makes across the Microsoft 365 ecosystem. Subscribe to the Office 365 for IT Pros eBook to receive monthly insights into what happens, why it happens, and what new features and capabilities mean for your tenant.

Teams to Begin Automatically Hiding Inactive Channels https://office365itpros.com/2024/07/03/teams-inactive-channels/?utm_source=rss&utm_medium=rss&utm_campaign=teams-inactive-channels https://office365itpros.com/2024/07/03/teams-inactive-channels/#comments Wed, 03 Jul 2024 07:00:00 +0000 https://office365itpros.com/?p=65450

Prevent Inactive Channels from Cluttering User Views

In another step in Microsoft’s overhaul of Teams channels, message center notification MC804771 (24 June 2024, Microsoft 365 roadmap item 325780) announces the implementation of a new housekeeping function to clean up user channel lists by hiding inactive channels (Figure 1).

Figure 1: Teams cleans up a channel list

The change will only be effective in commercial and government tenants. Education tenants won’t have their channels cleaned up. The update to the Teams 2.1 client for Windows, MacOS, and browsers will appear in mid-July for targeted release tenants and reach general availability for commercial tenants in mid-August 2024 with worldwide deployment scheduled to complete by mid-September. GCC, GCC High, and DoD tenants will see the update about a month later.

Channel clean up happens for both member and guest user accounts.

The Chaos of Inactive Channels

Tenants are well aware of the problem of digital rot caused by too many teams. Each team can now have up to 1,000 channels, and Microsoft is keen for customers to create channels rather than teams to reduce the amount of digital debris in their tenants. A shared or private channel can often replace a team, especially as both come with a dedicated SharePoint Online site to store documents.

It would be nice if those who created channels always maintained those channels, but this doesn’t happen in the real world. Like teams, channels can be created only to become inactive or uninteresting to users quickly. It might be that the channel isn’t needed, that people discuss the topic created for the channel in a group chat instead, or that the topic simply isn’t worth a separate channel. For whatever reason, people lose interest and inactive channels find their way into user channel lists.

To solve the problem, Teams will automatically detect and hide inactive channels that users have not interacted with recently. Microsoft hasn’t said what period of inactivity Teams uses to make the determination or what interaction means. Based on experience with the preview version of the feature, interaction seems to mean opening a channel to view conversations. Microsoft says that 45 days is the point used to decide if a user is active in a channel. It seems like Teams checks for inactive channels every couple of weeks.

When Teams detects inactive channels, it offers the chance for the user to review the set and make the call to unhide some of the channels (Figure 2).

Figure 2: Reviewing the set of inactive channels to be removed from view

It’s a good idea to review the set of inactive channels selected by Teams because useful channels that are temporarily inactive will appear in the list.

Settings for Channel Cleanup

The Teams Settings app includes the ability for users to opt out of automatic channel cleanup as well as an option to initiate the cleanup process on demand (Figure 3).

Figure 3: Teams settings for inactive channels clean up

If you opt to clean up now, Teams checks the current channel list and displays any that it believes to be inactive.

The important thing to remember is that a hidden channel is still available to a user and can be unhidden at any time by viewing the set of channels for a team and unhiding any that they want to see.

Inform Users About Channel Clean Up

Automatic clean up processes are usually a good idea and hiding inactive channels is an example of one that’s worthwhile. However, like anything else that affects users, some explanation is necessary for people to understand why and what is happening. No one wants a bunch of help desk calls asking where a favorite (but inactive) channel has gone.


Office 365 for IT Pros 2025 Edition is Now Available https://office365itpros.com/2024/07/01/office-365-for-it-pros-2025-edition/?utm_source=rss&utm_medium=rss&utm_campaign=office-365-for-it-pros-2025-edition https://office365itpros.com/2024/07/01/office-365-for-it-pros-2025-edition/#comments Mon, 01 Jul 2024 00:01:00 +0000 https://office365itpros.com/?p=65403

Eleventh Edition of the Most Comprehensive Book About Office 365 and the Microsoft 365 Ecosystem

After some late nights finishing up the book content before building the PDF and EPUB files, the Office 365 for IT Pros team is happy to announce the publication of Office 365 for IT Pros 2025 edition. This is the eleventh book in a series going back to May 2015 and is the 109th monthly update issued in that time. The new book is now online on Gumroad.com.

We have emailed an upgrade code to subscribers of the 2024 Edition to allow them to upgrade for $16.95 (the same price as last year). We also sent a code to people who subscribed during June 2024 to allow them to claim a free upgrade. This is in line with our normal policy of offering anyone who subscribes in the last month of an edition the chance to automatically extend their subscription to cover the next edition.

A New PowerShell Book

Office 365 for IT Pros (2025 Edition) does not have a companion volume. We made the decision to discontinue the companion volume because the information it contains is now quite old. Please keep the 2024 companion volume if you wish to retain access to its content.

This year, we launched a new 240-page four chapter book called Automating Microsoft 365 with PowerShell. We have strong PowerShell content in the 2024 edition. Given all the changes in Microsoft 365 PowerShell modules and growing usage of Microsoft Graph APIs, it seemed like a good idea to create a book focusing on this area. There are still hundreds of PowerShell examples in the main book where they are used to explain how to accomplish specific tasks. The PowerShell book allows us to dedicate more in-depth coverage to this critical area, especially about using PowerShell with Microsoft Graph APIs and the Microsoft Graph PowerShell SDK.

The Office 365 for IT Pros (2025 edition) subscription includes Automating Microsoft 365 with PowerShell in both PDF and EPUB formats. Like our other content, we will update the PowerShell eBook monthly.

In addition to including the new eBook in the Office 365 for IT Pros subscription, we sell Automating Microsoft 365 with PowerShell separately. People who don’t want to buy the full Office 365 for IT Pros subscription can purchase a copy of the PowerShell book from Gumroad.com or as a paperback version available from Amazon.com. This is the first time that we have produced a print book since the original edition of Office 365 for Exchange Professionals appeared at the Ignite conference in May 2015. At that time, Microsoft paid for 500 print copies, all of which were distributed at the conference. Anecdotal evidence since is that some of our readers have printed the PDF version to have a hard copy. The size of the main book (now about 1,220 pages) means that online print services can’t handle it, but splitting off a section to create a separate book opens up the possibility of print copies again.

In the future, we might split off other books, such as ones covering Teams or compliance, and make them available in the same way. That decision depends on how people like the PowerShell book.

Why New Editions Appear on July 1

Some ask why we choose to introduce new editions on July 1. We’ve done this since 2016 to align with Microsoft’s fiscal year. That might sound strange, but it’s an undeniable fact that many Microsoft engineering groups aim to ship new functionality before the close of their fiscal year. There’s a rush within Microsoft to finish new software and make it available to customers before June 30. Afterwards a relative lull sets in as many Microsoft engineers take vacation. In a strange kind of way, this helps us to frame a new edition in a way that wouldn’t be possible at the end of the calendar year.

CoreView is Our New Sponsor

After a terrific year’s support from CodeTwo Software, including some excellent t-shirts made by Szymon Szczesniak and his team, CoreView is the sponsor for Office 365 for IT Pros (2025 Edition). We like having an alignment with our sponsors and believe that this exists with CoreView, who are deeply involved with Microsoft 365 management and automation. We look forward to a great year working with the CoreView team.

Seven Books in One

We like to think that Office 365 for IT Pros is seven books in one:

  • Exchange Online.
  • Entra ID.
  • SharePoint Online.
  • Teams.
  • Purview Compliance.
  • Information Protection.
  • Automation (Power Automate and PowerShell).

Office 365 for IT Pros (2025 Edition) strengthens our claim. The two books covered by the subscription contain a huge amount of knowledge. Our work isn’t perfect, but it’s our honest and best effort to communicate our experience of working with Exchange Online, Entra ID, SharePoint Online, Teams, OneDrive for Business, Planner, Stream, Purview, Power Automate, and associated technologies. The rate of change across these products means that the advantage of publishing an eBook is more evident now than ever before. In the 24 hours before publication, we updated five chapters of the Office 365 for IT Pros (2025 Edition) eBook and one chapter for the Automating Microsoft 365 with PowerShell eBook.

Stay tuned for our email announcing when the new book is released and available. Thank you for your support for the Office 365 for IT Pros project. We hope that you like the books as much as we enjoyed working on them. And stay tuned to what we publish here. You never know when we might say something valuable!

Teams Adjusts the Activity Feed https://office365itpros.com/2024/05/29/teams-activity-feed-changes/?utm_source=rss&utm_medium=rss&utm_campaign=teams-activity-feed-changes https://office365itpros.com/2024/05/29/teams-activity-feed-changes/#comments Wed, 29 May 2024 07:00:00 +0000 https://office365itpros.com/?p=64919

Calendar Notifications Appear in Teams Activity Feed

Introduced by MC704955 (last updated 2 April 2024, Microsoft 365 roadmap item 314355), after several weeks, I have come to the conclusion that I hate the calendar notifications that now arrive in the Teams activity feed. According to the deployment schedule, almost all tenants should have the feature by now.

Calendar notifications arrive for:

  • Meeting invitations (including channel meetings where the organizer sends personal invitations).
  • Meeting updates, including cancellations.
  • Meeting forwards (that the user organized).

Figure 1: A calendar notification in the Teams activity feed

Calendar events pop up as unread notifications in the activity feed, cluttering the feed that’s already heavily trafficked by @mentions, replies, invocations to renew expiring teams, and the like. In fact, I get two sets of notifications because Outlook notifies me about new invitations and updates too. At least, Outlook would if I had not configured its calendar long ago to accept invitations automatically.

Suppressing Calendar Notifications in Teams

The good news is that you can suppress calendar notifications in Teams too. If you hover over the timestamp for a calendar notification (like 16:22 in Figure 1), an ellipsis menu appears. Select the “turn off calendar” option and the activity feed becomes a more pleasant place again.

This experience reminds me once again of the value of paying attention to the notification settings in the Teams client. As is obvious from this 2021 post, it’s an ongoing battle because new sources of notifications (like the calendar) appear over time.

“Turn off calendar” disables most calendar notifications in the settings app (Figure 2). It doesn’t disable notifications for when people forward meetings that you organize. You can turn that setting off too if you like.

Figure 2: Teams notification settings for calendar events

Reduced Filters in the Activity Feed

After sorting out calendar notifications, let’s turn our attention to message center notification MC793967 (17 May 2024), a candidate for the worst written message center post of the year. This feature, rolling out to general availability soon, removes much of the filtering capability for the activity feed. Microsoft explains that they’re doing this “To solve for discoverability and ease of usage of @Mentions in activity” (whatever that means) by introducing two “selectable pills” (normal people call these “buttons”) to filter for @mention and unread notifications (Figure 3).

Figure 3: The Teams activity feed gets two selectable pills

The other filters previously available are retired. These include replies, reactions, apps, and voicemail, all of which seem pretty useful. No doubt Microsoft’s wondrous telemetry will prove otherwise.

To replace the retired filters, Microsoft says “we recommend the utilization of upfront mentions pill, which address the bullseye of filtering needs in Activity feed.” I have no idea what this mangled attempt at an English sentence means. Surely Copilot could have rewritten the text for clarity and conciseness? You could interpret the words to mean that Microsoft believes that @mentions are the most important notifications for users (probably true) with unread a close second. Hence the two filter options.

It’s also worth noting that a secondary filter option exists. Press CTRL+Shift+F (Windows) or click the funnel icon and you can input some words to filter the current list of notifications. For instance, if the selected filter is for unread notifications and you input “Paul” as a filter, the activity feed shows you unread notifications from users with Paul in their display name and notifications with Paul in their text.

Cleaning up Teams

All of this is part of Microsoft’s efforts to clean up what had become a cluttered Teams client. They want the Teams 2.1 client to be easy to use with the most important elements highlighted to users. I’ve no problem with that aspiration, but it would be good if communication was better.


Keep up to date with developments in Teams by subscribing to the Office 365 for IT Pros eBook. Our monthly updates make sure that our subscribers understand the most important changes happening across Office 365.

Update Entra ID User Role Permissions to Secure Your Tenant https://office365itpros.com/2024/05/09/user-role-permissions/?utm_source=rss&utm_medium=rss&utm_campaign=user-role-permissions https://office365itpros.com/2024/05/09/user-role-permissions/#comments Thu, 09 May 2024 07:00:00 +0000 https://office365itpros.com/?p=64648

Make Your Tenant More Manageable by Tightening User Role Permissions

The ability of non-privileged user accounts to perform certain administrative tasks in an Entra ID tenant (Microsoft 365 tenant) is controlled by the user role permissions policy. This policy exists in every Entra ID tenant, and it comes with some default settings that are just plain silly for all but test tenants.

The settings I’m concerned about are found in the User settings page (Figure 1).

Figure 1: User role permission settings in the Entra admin center

Apps, Tenants, and Security Groups

Three settings are up for debate. Should users be able to create registered apps, tenants, and security groups?

Only administrators should add registered apps to a tenant. Registered apps are enormously useful, especially the creation of an integrated Entra ID identity configuration that can authenticate against the Graph and other APIs. Attackers love apps too, and they like creating apps within compromised tenants and then assigning those apps the necessary permissions to exfiltrate data. The potential for app abuse is too high to allow “normal” users to create new apps. Allowing this might have made sense when attackers weren’t quite so interested in apps as an attack vector. The current threat horizon is such that it’s unwise to allow non-administrators to create new apps.

The same is true for tenants. What regular Microsoft 365 user sets out to create a new Entra ID tenant as part of their daily activities? The answer is none. Creating new tenants might be something that’s useful as part of a development project, but tenants created from the Entra admin center have no licenses and aren’t particularly useful. Developers are better off working against a Microsoft 365 development tenant. They’ll get 25 licenses to work with and the tenant will automatically renew if they work with Graph APIs. If someone can make a good case to create a new tenant, let them make it to a tenant administrator.

I’m less strict about restricting users from creating security groups. However, because security groups are used to control access to resources, it seems to make sense to restrict their creation too. And most Microsoft 365 tenants suffer from a surplus of groups caused by unrestricted creation of Teams. Why add to the debris accumulating in a tenant?

I suspect that Microsoft chose the default settings with the best intentions at a time when threat was less evident. It’s regrettable that the settings remain so permissive. My position is therefore that tenants should update the default settings and impose control over creation of apps, tenants, and security groups. Feel free to disagree.

Using PowerShell to Update User Role Permissions

It’s easy to correct the settings in the Entra admin center. To make sure that the settings are not changed, you could use an Azure Automation scheduled runbook to update the settings periodically. Changes to the authorization policy require consent for the Policy.ReadWrite.Authorization permission. Here’s the necessary Microsoft Graph PowerShell SDK code to disable the ability for users to:

  • Create new Entra ID registered apps (AllowedToCreateApps)
  • Create security groups (AllowedToCreateSecurityGroups)
  • Create new tenants (AllowedToCreateTenants)

Connect-MgGraph -NoWelcome -Scopes Policy.ReadWrite.Authorization
# Create hash table for body
$BodyParameters = @{}
# Create hash table to hold role permissions for tenant users
$RolePermissions = @{}
$RolePermissions.Add("AllowedToCreateTenants", $false)
$RolePermissions.Add("AllowedToCreateApps", $false)
$RolePermissions.Add("AllowedToCreateSecurityGroups", $false)
# Add the role permissions to the body
$BodyParameters.Add("DefaultUserRolePermissions", $RolePermissions)
# Update default authorization policy
Update-MgPolicyAuthorizationPolicy -BodyParameter $BodyParameters 
# Check the results
Get-MgPolicyAuthorizationPolicy | Select-Object -ExpandProperty DefaultUserRolePermissions | Format-List Allowed*

AllowedToCreateApps                      : False
AllowedToCreateSecurityGroups            : False
AllowedToCreateTenants                   : False
AllowedToReadBitlockerKeysForOwnedDevice : True
AllowedToReadOtherUsers                  : True

For a detailed description of the user role permissions, see this page. Note the admonition not to change the allowedToReadOtherUsers setting to false. Doing so will have “unfortunate effects.”
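
The scheduled runbook idea mentioned above could look like the following. This is an added example, not code from the original article. It assumes an Azure Automation account whose managed identity has been granted the Policy.ReadWrite.Authorization application permission; the $ReportOnly and $UseSampleData parameters and the Get-RolePermissionDrift function are hypothetical names introduced for the example.

```powershell
# Added example: detect and correct drift in the default user role permissions.
# Assumption: runs in Azure Automation under a managed identity that holds the
# Policy.ReadWrite.Authorization application permission.
param(
    [bool]$ReportOnly    = $false,  # hypothetical: report drift without changing the policy
    [bool]$UseSampleData = $false   # hypothetical: run offline against constructed data
)

# Desired state: the three settings discussed in the article, all disabled
$DesiredPermissions = @{
    AllowedToCreateApps           = $false
    AllowedToCreateSecurityGroups = $false
    AllowedToCreateTenants        = $false
}

function Get-RolePermissionDrift {
    # Returns one object per setting whose current value differs from the desired value.
    # A missing ($null) value counts as drift because it is not an explicit $false.
    param(
        [Parameter(Mandatory)] $Current,
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Desired
    )
    foreach ($Name in $Desired.Keys) {
        $Actual = $Current.$Name
        if ($Actual -ne $Desired[$Name]) {
            [PSCustomObject]@{ Setting = $Name; Actual = $Actual; Desired = $Desired[$Name] }
        }
    }
}

if ($UseSampleData) {
    # Constructed sample: a tenant where app creation has been switched back on
    $Current = [PSCustomObject]@{
        AllowedToCreateApps           = $true
        AllowedToCreateSecurityGroups = $false
        AllowedToCreateTenants        = $false
    }
    $ReportOnly = $true   # never write to a tenant when using sample data
} else {
    Connect-MgGraph -Identity -NoWelcome
    $Current = (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions
}

$Drift = @(Get-RolePermissionDrift -Current $Current -Desired $DesiredPermissions)
if ($Drift.Count -eq 0) {
    Write-Output "Default user role permissions match the desired state."
    return
}

# A changed setting is worth investigating: someone with rights over the
# authorization policy altered it since the last run.
foreach ($Item in $Drift) {
    Write-Warning ("{0} is '{1}'; expected '{2}'" -f $Item.Setting, $Item.Actual, $Item.Desired)
}
if ($ReportOnly) { return }

# Reapply the same three settings the article sets
$BodyParameters = @{ DefaultUserRolePermissions = $DesiredPermissions }
Update-MgPolicyAuthorizationPolicy -BodyParameter $BodyParameters

# Re-read the policy to confirm that the update took effect
$After = (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions
$Remaining = @(Get-RolePermissionDrift -Current $After -Desired $DesiredPermissions)
if ($Remaining.Count -gt 0) {
    throw ("Settings still not in the desired state: {0}" -f ($Remaining.Setting -join ", "))
}
Write-Output ("Corrected {0} setting(s): {1}" -f $Drift.Count, ($Drift.Setting -join ", "))
```

The warnings land in the runbook job's warning stream, so a job that reports drift is a prompt to check the Entra ID audit log for who changed the authorization policy.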

Take Control Over Your Tenant

The temptation exists not to change default settings in an administrative portal unless the obvious need exists. That’s a reasonable position to take, but the simple fact is that the three default settings discussed here are outdated and illogical. Take control of your tenant and make sure to disable these capabilities. There’s no point in allowing people to create objects unless there’s good reason to do so.


Stay updated with developments across the Microsoft 365 ecosystem by subscribing to the Office 365 for IT Pros eBook. We do the research to make sure that our readers understand the technology.

Microsoft Cloud Exceeds 50% of Microsoft Total Revenues https://office365itpros.com/2024/04/26/microsoft-fy24-q3-results/?utm_source=rss&utm_medium=rss&utm_campaign=microsoft-fy24-q3-results https://office365itpros.com/2024/04/26/microsoft-fy24-q3-results/#respond Fri, 26 Apr 2024 09:34:06 +0000 https://office365itpros.com/?p=64620

Microsoft FY24 Q3 Results Demonstrate Continuing Cloud Strength

Microsoft cloud revenues had an annual run rate of $140.4 billion based on the quarterly revenue of $35.1 billion. A year ago, the comparable figures were $114 billion and $28.5 billion, meaning that Microsoft grew cloud revenues by 23% year over year. Cloud revenues represented just over 50% of Microsoft overall revenues of $69.1 billion. From a profitability standpoint, the gross margin for Microsoft cloud was 72% ($25.27 billion), or 58.23% of Microsoft’s overall gross margin. That’s a healthy margin at a time when Microsoft is investing heavily in its datacenter infrastructure to accommodate the demands of AI-based services.

More details about the FY24 Q3 results are available on Microsoft’s website.

Office 365 Seat Growth Slows in Percentage Terms

In their FY24 Q2 results, Microsoft said that the number of Office 365 paid seats had reached “over 400 million.” Given that Office 365 has so many customers, it’s unsurprising that the percentage growth in seats is slowing. Over the last year, the year-over-year rate has decreased from 11% to 8% (Figure 1). Still, 8% of 400 million is an additional 32 million seats annually. Microsoft said that seat growth was driven by their “small to medium business and frontline worker offerings,” implying that larger companies have mostly moved to the cloud at this point, 13 years after the launch of Office 365.

Figure 1: The slowing seat growth of Office 365

Given that large enterprises tend to be better at keeping on-premises servers up to date, I wonder if the campaign to stop obsolete Exchange on-premises servers (Exchange 2013 and below) sending email to Exchange Online is convincing small to medium businesses to move to the cloud. If so, that’s a good thing. If you can’t maintain an Exchange server, it’s time to use a cloud-based email service.

Microsoft notes that revenue growth is ahead of seat growth driven partially by higher average revenue per user (ARPU). This comes about when Microsoft sells add-ons and higher-priced plans to customers. Copilot for Microsoft 365 is particularly notable here because not only is Copilot a high-cost add-on ($360/user/year) but Microsoft does its level best to convince customers that they get better Copilot results with higher-priced E5 plans.

Microsoft expects Office 365 revenue growth to get an uptick to 14% in the coming quarter with progress with “adoption of Copilot for Microsoft 365” being cited as a reason.

Numbers

Microsoft didn’t reveal new numbers for users or paid seats for Office 365 or Teams. However, they did say that Power Apps has reached 25 million monthly active users, and that Teams Rooms hit the one million mark. They also shared that 20 million people use Teams Phone for PSTN access.

They also reported that GitHub Copilot has 1.8 million paid subscribers. I’ve been using GitHub Copilot for several months and consider it a bargain at $10/month. I write PowerShell scripts in Visual Studio Code and find the GitHub Copilot plug-in works well. At times, it is uncanny in its ability to predict the code to insert. I guess I must be very predictable…

Speaking of Copilot, Microsoft said that 60% of the Fortune 500 use Copilot for Microsoft 365. That seems impressive but given that an organization can run a trial with exactly one Copilot license, it might represent just 300 seats. Given the size of these companies and their relationship with Microsoft, I know that the number is far higher (and Microsoft cited some examples of customers with over 10,000 seats), but it does prove that you shouldn’t take a statistic at face value without thinking through what it might mean.

A sign of Microsoft’s current focus is that Copilot appeared regularly in the transcript of the earnings call with analysts. Of the 8,797 total words spoken, Copilot was mentioned 41 times compared to Microsoft 365 (14) and Office 365 (7). Azure scored highest at 46 mentions. Even if Copilot isn’t yet generating the kind of revenue Microsoft aims for, there’s no doubt that driving Copilot sales to increase the usage of Azure to offset the massive capital investment in datacenter infrastructure is top of mind for their senior leadership.

Next Week in Orlando

Next week I shall be at the M365 “community conference” in Orlando. If you’re at the event, be sure to come by either of my sessions:

  • Mastering the Microsoft Graph PowerShell SDK (Tuesday at 11:30AM in the Mockingbird 2 room in the Swan hotel). We’ll discuss how the SDK leverages Graph APIs to get to all parts of Microsoft 365.
  • Don’t let Copilot for Microsoft 365 be a vanity project (Wednesday at 8AM in the Pelican 2 room in the Swan hotel): Navigating through the hype surrounding Copilot for Microsoft 365 to seek measurable business results by deploying Copilot. Or something like that.

Don’t be slow to say hello at either session!


Disappointing Session Schedule for M365 Conference https://office365itpros.com/2024/04/22/m365-conference-2024/?utm_source=rss&utm_medium=rss&utm_campaign=m365-conference-2024 https://office365itpros.com/2024/04/22/m365-conference-2024/#respond Mon, 22 Apr 2024 02:00:00 +0000 https://office365itpros.com/?p=64556

M365 Conference Next Week in Orlando

Next week, I shall present two sessions at the M365 conference in Orlando (if you still want to attend the event, here’s a $100 off discount code). It’s the first time for me to present at this conference. A previous commitment to speak fell through due to a family event and then the pandemic and other reasons prevented the M365 conference from getting onto my agenda.

I have two sessions:

  • Mastering the Microsoft Graph PowerShell SDK (Tuesday, April 30, 11:30am).
  • Don’t Let Copilot for Microsoft 365 Be a Vanity Project (Wednesday, May 1, 8am).

Please come along if you’re interested in these topics. Heckling is welcome, but only if it’s intelligent and interesting.

Seeking Joy in the M365 Conference Schedule

One of the things I like to do in the period leading up to a conference is figure out which sessions to attend. There’s always a chance to learn from someone else’s take on a subject that you might think you know well.

Browsing the session schedule, the effect of Microsoft sponsorship is evident. There are lots of sessions covering topics that are important to current Microsoft initiatives, especially those associated with the OneDrive and SharePoint organization (ODSP). As expected, Copilot for Microsoft 365 features prominently, including the interesting topic of extending Copilot to cover tenant-specific content. Teams, SharePoint Online, OneDrive for Business, and Purview all get slots, with the number assigned to Teams much reduced compared to previous events.

I guess the all-embracing focus on Copilot detracts from the attention Microsoft pays to Teams, and that’s reflected in the conference schedule. On a positive note, Teams has 320 million monthly active users. Microsoft can certainly extract more revenue from the installed base by selling $10/user/month Teams Premium licenses, but they’d prefer to sell $30/user/month Copilot for Microsoft 365 licenses instead.

The session schedule is rounded out with slots for topics like Viva Suite, Viva Connections, Viva Amplify, and Viva Engage. These products are not in the same major workload category as SharePoint Online and Teams, but they have a relatively small fan base who will be happy to see this content.

Entra ID and Exchange Online Missing from the M365 Conf Schedule

What’s missing from the conference is any mention of two major technologies that exert massive influence over Microsoft 365: Entra ID and Exchange Online. I cannot understand how any conference asserting itself to be the “biggest and most exciting Microsoft 365 community event of the year” can ignore these workloads. Simply put, if you don’t get Entra ID right, your Microsoft 365 tenant is at risk of compromise. And if you don’t pay attention to Exchange Online, the workloads that depend on email will experience problems.

It’s not as if there is nothing to discuss in these areas. The recent Midnight Blizzard attack against Microsoft’s own tenant resulted in exfiltration of email from executive mailboxes and caused an upswing of interest in better management of OAuth apps. Microsoft has an ongoing campaign to increase the percentage of Entra ID accounts protected by multifactor authentication (now around 38%) and makes substantial investments in tools like conditional access policies, authentication methods, and the Authenticator app (now previewing support for passkeys). Sessions helping people understand the risk environment, how to manage inbound connections into tenants, and how to use tools to secure tenants and trace bad actor actions would be invaluable to anyone involved with a Microsoft 365 tenant.

Relating to Exchange Online, there has been much comment about Microsoft’s plans to stop old on-premises Exchange servers sending email to Exchange Online over connectors in hybrid organizations. Microsoft recently announced plans to introduce a high-volume email service, the deprecation of Exchange Web Services in Exchange Online (forcing developers to use Graph APIs instead), the deprecation of SMTP AUTH client submissions, and a new way of controlling how much external email can be sent from mailboxes. There’s also the introduction of a new version of a subscription-based Exchange Server to consider. And on the client side, there’s the ongoing fuss and bother around the Outlook Monarch client to discuss.

The folks who choose sessions to appear on a conference schedule can justifiably claim that the reason why Entra ID and Exchange Online sessions are not there is that speakers don’t submit sessions for consideration. This is true, but potential speakers take guidance from conference organizers about what topics the conference wishes to feature. And naturally, speakers are influenced by the priorities set by Microsoft, which leads to large numbers of sessions featuring the technology du jour. In this instance, it’s Copilot.

The point is that technologies like Entra ID and Exchange Online are essential to Microsoft 365 success. Every one of the 400 million plus Office 365 paid seats uses Entra ID and the number of Exchange Online mailboxes is in the billions. A tenant can run perfectly well with low-end Office 365 licenses and ignore Copilot for Microsoft 365 and the entire Viva Suite. But if users cannot connect and sign-in securely, the tenant will fail. And if users can’t access their email, they won’t be slow to let the tenant administrators know.

No Conference Gets it Perfectly Right

No technology conference ever offers the perfect mix of sessions to inform and inspire attendees. However, I think that the program teams responsible for choosing sessions should do a better job of selecting topics that reflect the real-life concerns of customers instead of sessions aligned with Microsoft marketing priorities. Achieving a better balance between coverage of new initiatives and the technology everyone works with daily would make conferences more attractive and valuable, even if it might annoy some of the marketing fraternity.


How to Create a Password Expiration Report
https://office365itpros.com/2024/04/17/password-expiration-report/
Wed, 17 Apr 2024 08:00:00 +0000

But Will a Password Expiration Report be Obsolete Soon?

The advice not to force users to change passwords regularly comes from both Microsoft and independent security agencies. Forcing people to change passwords creates friction for people without delivering better security. The consensus is that better security is attained by moving away from passwords to protect accounts with stronger authentication methods like multifactor authentication or passkeys. Evidence of progress in this direction is Microsoft’s recent announcement of support in Entra ID for device-bound passkeys based on the Authenticator app.

The direction of travel seems clear, but progress is slow. The percentage of Entra ID connections using multifactor authentication reached 38% in early 2024. It takes time to change, which is why I still receive requests for how to create a report showing when Entra ID accounts last updated passwords and details of when the next password change is scheduled.

Setting the Password Expiration Policy

My tenant doesn’t force password changes. The password expiration policy for the tenant is set to never expire. This is easily done through the Org settings section of Microsoft 365 admin center (Figure 1).

Figure 1: Setting the password expiration policy for a Microsoft 365 tenant

The accounts in the tenant are not a great test case for reporting password changes. I’m more concerned about how to report the multifactor authentication status for accounts. With that thought in mind, let’s examine how to approach creating a report with PowerShell.

Steps to Create a Password Expiration Report

Generating a password expiration report is straightforward. In this discussion, I used the Microsoft Graph PowerShell SDK to create a script to:

  • Connect to the Graph endpoint by running the Connect-MgGraph cmdlet. Three permissions are needed (if you wish, Directory.Read.All is a higher-privileged permission that can be used instead of the first three permissions):
    • Domain.Read.All to read the domain information.
    • User.Read.All to read account information.
    • Organization.Read.All to read information about the tenant (fetch the display name).
    • AuditLog.Read.All to read the sign-in activity information for user accounts.
  • Find the password expiration policy for the tenant. This can be done by using the Get-MgDomain cmdlet to fetch details of the default domain and retrieving the password validity period from it. If the value is 2147483647, the tenant does not expire passwords. Date calculations won’t work with 2147483647, so the script adjusts the value to 20000 to calculate a notional password expiration date.
  • Find the set of licensed member accounts in the tenant. It’s important to use a server-side filter here to maximize performance. Running a command like Get-MgUser -All fetches all the known accounts in a tenant, but a client-side filter will be necessary to remove guest accounts and unlicensed member accounts such as those used for room and shared mailboxes. Master the art of filtering to make sure that scripts that work with Entra ID accounts perform well. I’ll cover filtering in some depth during my Microsoft Graph PowerShell SDK session at the M365 Conference in Orlando.
  • For each account, retrieve details like the date and time of the last password change and the password profile for the account, and compute a date when the password should be renewed. In tenants that don’t force password renewal, this date will be somewhere long after you retire.
  • Generate a report.
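The steps above, sketched as an added example (this is not the author's script from GitHub). The function name, the status labels, the `$UseTenant` switch, and the sample accounts are constructed for illustration. The 90-day and 14-day fallbacks are the defaults Graph documents for a domain that has no explicit values set.

```powershell
# Added example: the report logic from the steps above, not the author's GitHub script.
$UseTenant    = $false        # $true queries a tenant; $false uses the constructed sample below
$NeverExpires = 2147483647    # policy value meaning "passwords never expire" (from the article)
$NotionalDays = 20000         # substitute the article uses so date arithmetic works

function Get-PasswordExpirationRow {
    # Build one report row from a user object and the tenant password policy
    param(
        [Parameter(Mandatory)] $User,
        [Parameter(Mandatory)] [int]$ValidityDays,
        [int]$WarningDays = 14,
        [datetime]$Now = (Get-Date)
    )
    $EffectiveDays = if ($ValidityDays -eq $NeverExpires) { $NotionalDays } else { $ValidityDays }
    # A per-account password policy can switch expiration off regardless of the tenant setting
    $AccountExempt = [bool]($User.PasswordPolicies -like '*DisablePasswordExpiration*')
    $Expires = $null; $DaysLeft = $null
    if ($User.LastPasswordChangeDateTime) {
        $Expires  = ([datetime]$User.LastPasswordChangeDateTime).AddDays($EffectiveDays)
        $DaysLeft = [int][math]::Floor(($Expires - $Now).TotalDays)
    }
    if (-not $Expires) { $Status = 'No password change recorded' }
    elseif ($AccountExempt -or $ValidityDays -eq $NeverExpires) { $Status = 'Does not expire' }
    elseif ($DaysLeft -lt 0) { $Status = 'Expired' }
    elseif ($DaysLeft -le $WarningDays) { $Status = 'Expiring soon' }
    else { $Status = 'OK' }
    [pscustomobject]@{
        User               = $User.DisplayName
        UPN                = $User.UserPrincipalName
        LastPasswordChange = $User.LastPasswordChangeDateTime
        PasswordExpires    = $Expires
        DaysLeft           = $DaysLeft
        LastSignIn         = $User.SignInActivity.LastSignInDateTime
        Status             = $Status
    }
}

if ($UseTenant) {
    # Scopes are the ones listed in the article
    Connect-MgGraph -NoWelcome -Scopes Domain.Read.All, User.Read.All, Organization.Read.All, AuditLog.Read.All
    $TenantName    = (Get-MgOrganization).DisplayName
    $DefaultDomain = Get-MgDomain | Where-Object { $_.IsDefault -eq $true }
    $ValidityDays  = $DefaultDomain.PasswordValidityPeriodInDays
    $WarningDays   = $DefaultDomain.PasswordNotificationWindowInDays
    if (-not $ValidityDays) { $ValidityDays = 90 }   # Graph default when unset
    if (-not $WarningDays)  { $WarningDays  = 14 }   # Graph default when unset
    # Server-side filter: licensed member accounts only (no guests, no unlicensed mailboxes)
    [array]$Users = Get-MgUser -All -PageSize 500 -ConsistencyLevel eventual -CountVariable Count `
        -Filter "assignedLicenses/`$count ne 0 and userType eq 'Member'" `
        -Property Id, DisplayName, UserPrincipalName, LastPasswordChangeDateTime, PasswordPolicies, SignInActivity
} else {
    # Constructed sample data: a 90-day policy and three made-up accounts
    $TenantName = 'Constructed sample tenant'; $ValidityDays = 90; $WarningDays = 14
    $SignIn = [pscustomobject]@{ LastSignInDateTime = (Get-Date).AddDays(-1) }
    [array]$Users = @(
        [pscustomobject]@{ DisplayName = 'Sample User A'; UserPrincipalName = 'a@contoso.example'
            LastPasswordChangeDateTime = (Get-Date).AddDays(-85); PasswordPolicies = $null; SignInActivity = $SignIn }
        [pscustomobject]@{ DisplayName = 'Sample User B'; UserPrincipalName = 'b@contoso.example'
            LastPasswordChangeDateTime = (Get-Date).AddDays(-120); PasswordPolicies = $null; SignInActivity = $SignIn }
        [pscustomobject]@{ DisplayName = 'Sample Service C'; UserPrincipalName = 'c@contoso.example'
            LastPasswordChangeDateTime = (Get-Date).AddDays(-400); PasswordPolicies = 'DisablePasswordExpiration'
            SignInActivity = $null }
    )
}

$Report = foreach ($User in $Users) {
    Get-PasswordExpirationRow -User $User -ValidityDays $ValidityDays -WarningDays $WarningDays
}
Write-Host ("Password expiration report for {0} ({1} accounts)" -f $TenantName, $Report.Count)
$Report | Sort-Object DaysLeft | Format-Table User, UPN, PasswordExpires, DaysLeft, Status -AutoSize
```

With the sample data, account A is reported as expiring soon, B as expired, and C as not expiring because of its per-account password policy.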

A good case exists for using the beta version of the Get-MgUser cmdlet in the script. Apart from fetching a wider set of properties by default, the Get-MgBetaUser cmdlet returns an additional timestamp for the last successful interactive sign-in (which might be different than the last sign-in).

Figure 2 shows a sample password expiration report generated by the script. In this case, the tenant password expiration policy sets passwords to never expire, so the reported expiration dates are years into the future and no warnings about impending expiration appear in the status column.

Figure 2: An example of a password expiration report for a Microsoft 365 tenant

You can download the script from GitHub. Remember, the code is intended to illustrate a principle. Use it as you see fit.

Onward to a Passwordless Future

I don’t think there is any doubt but that the time will come when passwords disappear, and we will use more phishing-resistant technologies to prove our identities and sign into applications. Until then, perhaps some will want to report password expiration, and now you have a script to do the job.


Learn how to exploit the data available to Microsoft 365 tenant administrators through the Office 365 for IT Pros eBook. We love figuring out how things work. The PowerShell chapter includes hundreds of examples of using the Microsoft Graph PowerShell SDK.

All About Microsoft 365 Tenant Identifiers
https://office365itpros.com/2024/03/28/tenant-identifiers/
Thu, 28 Mar 2024 08:00:00 +0000

Resolving Tenant Identifiers

Every Microsoft 365 tenant has a unique identifier (a GUID) that’s used within the Entra ID ecosystem to identify the tenant and its objects. This post is an update for a previous article published three years ago. Much has changed in the intervening period, including a renaming of Azure AD to be Entra ID and the introduction of new Graph APIs to resolve tenant identifiers in different ways.

The tenant identifier is used in many places, such as to identify the tenant that a Microsoft Graph PowerShell SDK session should connect to:

Connect-MgGraph -TenantId "72f988bf-86f1-41af-91ab-2d7cd011db47"

The identifier for your tenant is available in the Overview section of the Entra admin center (Figure 1). Usefully, you can copy the value from the admin center and keep it for other purposes.

Figure 1: Tenant identifier listed in the Entra admin center

To find the identifier for your tenant with PowerShell, run the Get-MgOrganization cmdlet after connecting to the Microsoft Graph PowerShell SDK.

Connect-MgGraph -Scopes Organization.Read.All -NoWelcome
Get-MgOrganization | Format-List Id, DisplayName

Id          : a662313f-14fc-43a2-9a7a-d2e27f4f3478
DisplayName : Office 365 for IT Pros

The responses for many Graph requests and PowerShell cmdlets return the GUID identifying the tenant. Usually, the tenant identifier points to your own tenant, and you’ll recognize it. Sometimes APIs return identifiers from other tenants. For instance, the Get-AssociatedTeam cmdlet from the Microsoft Teams module includes the identifier for external tenants that host shared channels that users have direct membership in. This is why it’s useful to resolve tenant identifiers programmatically.

Resolving a Tenant Identifier GUID

It’s useful to be able to resolve the GUID for a tenant identifier and find the display name. For example, few people will recognize 72f988bf-86f1-41af-91ab-2d7cd011db47, but most will understand “Microsoft.”

To resolve a tenant identifier, use the findTenantInformationByTenantId Graph API to look up the tenant information published on the internet. There doesn’t seem to be a cmdlet in the latest version of the Microsoft Graph PowerShell SDK, so it’s necessary to use the Invoke-MgGraphRequest cmdlet. This example takes a tenant identifier and calls the API to return the tenant information. The code then extracts the tenant display name from the information to use for reporting or other purposes.

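# Tenant identifier to resolve (the Microsoft tenant identifier used earlier in this article)
$TenantId = "72f988bf-86f1-41af-91ab-2d7cd011db47"
$LookUpId = $TenantId.ToString()
$Uri = ("https://graph.microsoft.com/v1.0/tenantRelationships/findTenantInformationByTenantId(tenantId='{0}')" -f $LookUpId)
# Call the API directly with Invoke-MgGraphRequest and extract the display name from the response
$ExternalTenantData = Invoke-MgGraphRequest -Uri $Uri -Method Get
$ExternalTenantName = $ExternalTenantData.displayName
Write-Host ("The tenant with identifier {0} is {1}" -f $LookUpId, $ExternalTenantName)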

Resolving a Tenant Display Name to the Tenant Identifier

To do the reverse and find the tenant identifier for a Microsoft 365 tenant using its domain name, use the findTenantInformationByDomainName API. The code is similar to resolving a tenant name by identifier:

$Domain = Read-Host "What domain should I lookup"
$Uri = ("https://graph.microsoft.com/v1.0/tenantRelationships/findTenantInformationByDomainName(domainName='{0}')" -f $Domain)
# Trap lookup failures (for example, an unknown domain) so that the script can report them
Try {
    [array]$DomainData = Invoke-MgGraphRequest -Uri $Uri -Method Get -ErrorAction Stop
} Catch {
    $DomainData = $null
}
If (!($DomainData)) {
    Write-Host ("Whoops - can't find a Microsoft 365 tenant for {0}" -f $Domain)
} Else {
    Write-Host ("The tenant id for {0} is {1}" -f $DomainData.displayName, $DomainData.tenantId)
}

What domain should I lookup: Microsoft.com
The tenant id for Microsoft is 72f988bf-86f1-41af-91ab-2d7cd011db47

Both examples use the tenantRelationships Graph API to look up tenant information by identifier or name. To gain access, the calling app (such as the Microsoft Graph PowerShell SDK) must have consent for the CrossTenantInformation.ReadBasic.All Graph permission.

The Graph APIs are relatively recent. It’s also possible to use the federationProvider web API to read the published information about tenants from the internet. Because this API is not part of the Graph APIs, use the Invoke-RestMethod cmdlet instead of Invoke-MgGraphRequest. For example:

$Domain = Read-Host "What domain should I lookup"
$Uri = ("https://odc.officeapps.live.com/odc/v2.1/federationProvider?domain={0}" -f $domain)
$DomainId = Invoke-RestMethod -UseBasicParsing -Uri $Uri | Select-Object -ExpandProperty TenantId -ErrorAction SilentlyContinue

This is the approach used by websites like What is My Tenant Identifier (a ShareGate property – Figure 2).

Figure 2: The What is my Tenant Identifier website

Knowing Tenant Identifiers is a Good Thing

GUIDs are difficult to remember, and I don’t bother trying. When I think about the number of times I have had to find a tenant identifier over the years, the amount must be in the hundreds. Being able to find a tenant identifier without reverting to the Entra admin center is a good skill to have, especially if you want to use the information in a script.


How Many Licensed Microsoft 365 Accounts Use the Loop App?
https://office365itpros.com/2024/03/27/loop-app-usage/
Wed, 27 Mar 2024 08:00:00 +0000

Use Audit Records to Track Usage of the Loop App

Following last week’s announcement about external access support for the Loop app, thoughts might turn to understanding how many people within a tenant use the app. In fact, there are two categories of users: those with a license that includes the Microsoft Loop service plan (identifier c4b8c31a-fb44-4c65-9837-a21f55fcabda), and those who do not. The latter category includes anyone without a Microsoft 365 E3, E5, or Business Standard or Premium license. For now, these users can create new workspaces with the Loop app, but from June 30, 2024, they lose that capability when Microsoft enforces license requirements (Figure 1).

Figure 1: Warning that time is running out for an unlicensed Loop app user

Identifying Usage of the Loop App

The task then is to identify who’s using the Loop app and if they have the right license. Thinking about the problem, you could use the approach explained in this article to report Loop workspaces. The PowerShell script reports workspaces and members and doesn’t tell us who is actively using the Loop app. A different approach is necessary to detect actual usage, and as normal in these situations, the unified audit log is a good place to look for information.

The Loop app supports a wide range of compliance features, including logging its activities in the audit log. This shouldn’t be surprising because the Loop app uses SharePoint Embedded and the audit log captures its actions to add, update, or remove workspaces just like it does for “normal” user file actions in SharePoint Online and OneDrive for Business.

It’s therefore possible to search the audit log to look for file actions performed by the Loop app (identifier a187e399-0c36-4b98-8f04-1edc167a0996) to understand who’s using the app.

Interrogating the Audit Log for Loop App Activities

I therefore wrote a PowerShell script (downloadable from GitHub) to do the following:

  • Connect to Exchange Online and the Microsoft Graph (Connect-MgGraph).
  • Find the set of users licensed to use the Loop app.
  • Find the set of users not licensed to use the Loop app.
  • Run the Search-UnifiedAuditLog cmdlet to search the unified audit log to find SharePoint file events like FileModified or FileModifiedExtended.
  • Filter the retrieved set of audit events to find the set applicable to the Loop app.
  • Sort the set by user principal name to find a unique set of users who have used the Loop app over the last 15 days (the period is customizable).
  • Check against the set to find licensed and unlicensed users who have used the Loop app. Also find licensed users who haven’t used the Loop app. This is a perfectly normal situation. The users might not have wanted to use the app, or they have been absent during the review period.
  • Report everything (using the Out-GridView cmdlet and by exporting to a CSV file).
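The core of that procedure, sketched as an added example (this is not the author's script from GitHub). The function names, status labels, `$UseTenant` switch, and sample records are constructed. The example also assumes that the audit payload records the calling app in an `ApplicationId` property, which should be checked against real records in your tenant.

```powershell
# Added example: find Loop app users in audit records and compare against licensed accounts.
$UseTenant       = $false                                   # $true queries a tenant; $false uses constructed data
$LoopAppId       = 'a187e399-0c36-4b98-8f04-1edc167a0996'   # Loop app identifier (from the article)
$LoopServicePlan = 'c4b8c31a-fb44-4c65-9837-a21f55fcabda'   # Microsoft Loop service plan (from the article)

function Get-LoopAppUser {
    # Return one row per user who generated file events through the Loop app
    param([array]$AuditRecords, [string]$AppId = $LoopAppId)
    $Events = foreach ($Rec in $AuditRecords) {
        try { $Data = $Rec.AuditData | ConvertFrom-Json -ErrorAction Stop } catch { continue }
        # Assumption: the calling app is recorded in AuditData.ApplicationId
        if ($Data.ApplicationId -eq $AppId) {
            [pscustomobject]@{ User = ([string]$Rec.UserIds).ToLower(); Time = [datetime]$Rec.CreationDate }
        }
    }
    $Events | Group-Object User | ForEach-Object {
        [pscustomobject]@{
            User         = $_.Name
            Events       = $_.Count
            LastActivity = ($_.Group | Sort-Object Time | Select-Object -Last 1).Time
        }
    }
}

function Compare-LoopUsage {
    # Classify accounts as active and licensed, active and unlicensed, or licensed and inactive
    param([array]$ActiveUsers, [string[]]$LicensedUpns)
    $Licensed = @{}; foreach ($Upn in $LicensedUpns) { $Licensed[$Upn.ToLower()] = $true }
    $Active   = @{}; foreach ($Row in $ActiveUsers)  { $Active[$Row.User] = $true }
    foreach ($Row in $ActiveUsers) {
        $State = if ($Licensed.ContainsKey($Row.User)) { 'Active, licensed' } else { 'Active, unlicensed' }
        [pscustomobject]@{ User = $Row.User; Events = $Row.Events; LastActivity = $Row.LastActivity; Status = $State }
    }
    foreach ($Upn in $Licensed.Keys) {
        if (-not $Active.ContainsKey($Upn)) {
            [pscustomobject]@{ User = $Upn; Events = 0; LastActivity = $null; Status = 'Licensed, no Loop activity' }
        }
    }
}

if ($UseTenant) {
    Connect-ExchangeOnline -ShowBanner:$false
    Connect-MgGraph -NoWelcome -Scopes User.Read.All
    # One call returns at most 5,000 records; busy tenants need paging with -SessionId and -SessionCommand
    [array]$Records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-15) -EndDate (Get-Date) `
        -Operations FileModified, FileModifiedExtended -ResultSize 5000
    # Server-side filter for accounts holding an enabled Microsoft Loop service plan
    $Filter = "assignedPlans/any(p:p/servicePlanId eq $LoopServicePlan and p/capabilityStatus eq 'Enabled')"
    [array]$LicensedUpns = (Get-MgUser -All -ConsistencyLevel eventual -CountVariable Count `
        -Filter $Filter).UserPrincipalName
} else {
    # Constructed sample: three audit records and two licensed accounts
    $OtherApp = '00000000-0000-0000-0000-000000000000'      # placeholder for a non-Loop app
    [array]$Records = @(
        [pscustomobject]@{ CreationDate = '2024-03-20T09:15:00'; UserIds = 'Ann@contoso.example'
            AuditData = (@{ Operation = 'FileModified'; ApplicationId = $LoopAppId } | ConvertTo-Json -Compress) }
        [pscustomobject]@{ CreationDate = '2024-03-21T14:02:00'; UserIds = 'bob@contoso.example'
            AuditData = (@{ Operation = 'FileModifiedExtended'; ApplicationId = $LoopAppId } | ConvertTo-Json -Compress) }
        [pscustomobject]@{ CreationDate = '2024-03-21T16:40:00'; UserIds = 'cat@contoso.example'
            AuditData = (@{ Operation = 'FileModified'; ApplicationId = $OtherApp } | ConvertTo-Json -Compress) }
    )
    [array]$LicensedUpns = 'ann@contoso.example', 'cat@contoso.example'
}

[array]$LoopUsers = Get-LoopAppUser -AuditRecords $Records
$Report = Compare-LoopUsage -ActiveUsers $LoopUsers -LicensedUpns $LicensedUpns
$Report | Sort-Object Status, User | Format-Table -AutoSize
```

With the sample data, ann is active and licensed, bob is active without a license, and cat holds a license but shows no Loop activity because her only event came from another app.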

It was a fun script to write. Between the two approaches (usage activity and workspace information), you have enough information to know exactly what’s happening with the Loop app within a Microsoft 365 tenant (Figure 2).

Figure 2: Active users of the Loop app and their license status

Next Steps

An immediate action is to assess if the people using the Loop app without a license are doing so in a productive manner. If they are and they want to continue using the app after June 30, 2024, they need to be assigned an eligible license (perhaps swapping with someone who has an eligible license but isn’t using the licensed features). After that, it’s a good idea to acquaint the Loop users with new capabilities. Perhaps you can create a Microsoft 365 group or distribution list to inform people when features like external access are available. Proactive communication is always better than reactive updates.


Microsoft Grounds Copilot Apps with Graph and Web Content
https://office365itpros.com/2024/03/25/copilot-for-microsoft-365-grounding/
Mon, 25 Mar 2024 08:00:00 +0000

Office Apps Get Better Grounding in Copilot for Microsoft 365

Message center notification MC734281 (12 March 2024) might have passed by without too much attention unless you’re particularly interested in Copilot for Microsoft 365. The notification informs tenants that Word, Excel, PowerPoint, and OneNote will ground user prompts by reference to enterprise data and the web. As Microsoft notes, this is like what happens when users interact with Copilot for Microsoft 365 chat.

Grounding against enterprise data means that when Copilot responds to user prompts, it will seek additional context by attempting to find relevant information in Microsoft 365 repositories using Graph requests. Web grounding means that Copilot will use Bing search to find relevant information from sites within and outside the enterprise. The fact that major apps will start to use grounded requests from April 2024 might come as a surprise. After all, Microsoft has long cited Copilot’s ability to use the “abundance of data” stored in Microsoft 365 as a major advantage of Copilot for Microsoft 365 over other AI tools that don’t have access to Microsoft 365 repositories.

The roll out starts with Word (Windows and Online) and progresses to PowerPoint, Excel, and OneNote. Microsoft expects to complete the deployment by September 2024.

The Importance of Grounding

Microsoft explains that grounding is “the process of using large language models (LLMs) with information that is use-case specific, relevant, and not available as part of the LLM’s trained knowledge.” In other words, if you ask Copilot for Microsoft 365 to do something and grounding doesn’t happen, it relies on the user prompt to query the LLM.

Until now, users have been able to ground prompts in apps like Word by including up to three reference documents in the prompt. Let me illustrate the importance of grounding by showing an example of two briefing notes generated by Copilot in Word about the Midnight Blizzard attack against Microsoft in January 2024. Copilot generated the first briefing note without any reference documents. Because it couldn’t search the Graph or web for relevant information, the grounding of the prompt was poor, and Copilot could only use whatever information is in the LLM.

As shown in Figure 1, the generated text included several inaccurate statements (hallucinations), including the remarkable assertion that the attack led to a drop of $400 billion in Microsoft’s market value, together with a declaration that it had deprived millions of Microsoft cloud users of access to services.

Figure 1: Briefing note about Midnight Blizzard generated by Copilot for Microsoft 365 (without reference documents)

If some relevant reference documents are included in the prompt, Copilot’s generated text becomes more accurate and balanced (Figure 2).

Figure 2: Briefing note about Midnight Blizzard generated by Copilot for Word with reference material

The important point here is that after Microsoft updates Copilot to allow the Office apps to ground prompts using Graph and web material, the chances of Copilot generating absolute rubbish lessen considerably. That is, if Copilot can find relevant information through its searches. Adding reference documents to prompts in Copilot for Word will generate even better results because the reference documents should give Copilot a more precise context to work with.

Microsoft says that Graph grounding is enabled for all user prompts and that Copilot requests will use “the file context” (whatever file is open at the time) plus web searches as well. Copilot for Microsoft 365 chat uses Graph and web lookups today.

The Quality of AI-Generated Text

In some respects, I was shocked that it has taken so long for Microsoft to ground Copilot requests in these important apps. Copilot for Microsoft 365 is evolving rapidly, but the ability to generate high-quality text at general availability seems like an essential rather than a nice to have feature. I’ve always been suspicious about the quality of the text generated by Word and this revelation certainly explains a lot.

Take Your Time

The advice of Directions on Microsoft analyst Wes Miller that organizations should pace themselves and understand exactly what they are buying before they invest in expensive Copilot licenses is accurate. Things are changing, and the hyperbole around Copilot is like a dust storm that obscures detail. Why rush in where angels fear to tread?

Before making your mind up about Copilot, take the time to read the article posted by MVP Joe Stocker where he reports a drop-off of Copilot activity after the novelty effect of asking the AI to perform tasks wears off. Although the sample size was small, this emphasizes the need to support users on their Copilot journey, especially as important new functionality like Graph and web grounding appears.

And if you attend the Microsoft 365 Conference in Orlando at the end of April, make sure that you come to my session about not letting Copilot for Microsoft 365 become a vanity project. You might even enjoy what I have to say!


So much change, all the time. It’s a challenge to stay abreast of all the updates Microsoft makes across the Microsoft 365 ecosystem, including in Copilot. Subscribe to the Office 365 for IT Pros eBook to receive monthly insights into what happens, why it happens, and what new features and capabilities mean for your tenant.

Understanding How Much Microsoft 365 Backup Charges to Protect Data
https://office365itpros.com/2024/03/20/microsoft-365-backup-costs/
Wed, 20 Mar 2024 08:00:00 +0000

Microsoft 365 Backup Costs Based on Per Gigabyte of Protected Content

In my last article about Microsoft 365 Backup, I explained that I liked the ease of use of the product but had problems restoring data to SharePoint Online sites and OneDrive for Business accounts. Here I want to discuss the cost of using Microsoft 365 Backup (preview).

Microsoft charges for backups on a pay as you go basis at a rate of $0.15/month per gigabyte of protected content. The costs are paid through an Azure subscription. The documentation includes a calculator to help estimate how much it will likely cost to use Microsoft 365 backup. An essential part of that is to know the size of the sites, accounts, and mailboxes chosen for backup.

Getting Sizes for Protected Content

Storage usage information for workloads can be obtained using PowerShell cmdlets or the Graph usage reports API. Unhappily, some problems prevent easy access to storage usage data for SharePoint Online sites through the Graph. However, the data is available through the SharePoint Online management module (here’s an example script) or by checking the storage data reported in the SharePoint admin center.

The same problem doesn’t affect Graph usage data for Exchange Online or OneDrive for Business, so you could use that approach or cmdlets from the Exchange Online and SharePoint Online management modules. Here are examples of scripts to report Exchange mailbox sizes and OneDrive for Business account sizes.

Microsoft warns that “Mailboxes are the size of the user’s mailbox plus their online archives plus deleted items held for Backup.” The Exchange mailbox size calculation is therefore the size of user-accessible folders in the primary and archive mailboxes (if enabled) plus the size of the Recoverable Items folders in the primary and archive mailboxes.

Computing Microsoft 365 Backup Costs

In my tenant, the outcome for the locations selected for backup protection was:

  • SharePoint Online: 109 GB * $0.15 = $16.35
  • OneDrive for Business: 71 GB * $0.15 = $10.65
  • Exchange Online: 20 GB * $0.15 = $3

Overall, the estimated Microsoft 365 backup costs for my tenant came to $30. Growth is expected to accommodate new information added to the target locations, so the actual cost over a year might go from $30 to $36 (20% growth).

Your mileage will vary depending on the growth experienced in the selected locations and how aggressive the tenant is in clearing out older data using retention policies. Archive mailboxes grow by holding information moved from the primary mailbox by Exchange mailbox retention policies. Archived data tends to remain for longer periods. For this reason, it’s not unusual to see archive mailboxes that are several times larger than primary mailboxes (up to the 1 TB limit for expandable archives).

In the first month, Microsoft 365 backup cost EUR 12.88 or $14.03 (Figure 1), or about half the expected cost. I assume that some startup processing takes place in the background that resulted in the lower outcome.

Figure 1: Microsoft 365 Backup costs for the first month

The invoice for the second month increased backup costs to EUR 25.18 or $27.42 (Figure 2), so it’s tracking closer to the expected level. Microsoft 365 Backup is processing more data. However, the extra data does not reflect a doubling of costs over the previous period. Overall, this points to some stabilization in the calculation of backup costs. I imagine that when Microsoft 365 Backup is generally available, the costs incurred for Azure subscriptions will be at the predicted levels very soon after commencement.

Figure 2: Microsoft 365 Backup costs for the second month

Driving Toward General Availability

Microsoft 365 Backup is certainly worth considering for tenant data protection. The big issue that traditional backup products point to is that the data remains in Microsoft datacenters and therefore breaks the classic backup principle of keeping a copy of the data in a separate location. While true, the counterargument is that given the petabytes of data created in Microsoft 365 tenants daily, it’s hard to move such a volume of data offsite to a remote backup and even harder to restore data in an acceptable time. Microsoft’s datacenters have a robust record of availability, and I don’t see a problem with the backup data being kept alongside the live data. After all, if the Microsoft 365 datacenters are unavailable, what is the restore target for the offsite copies of sites and mailboxes?

A compromise might be to combine traditional and Microsoft 365 Backup into a hybrid where the traditional backup satisfies the need to move data to a remote location while Microsoft 365 backup satisfies the requirement for fast restore. Given that several backup vendors are building support for the Microsoft backup API into their products, I imagine that we will see some interesting innovation in this space.

In the meantime, we await the general availability of Microsoft 365 Backup. In that version, I anticipate that Microsoft will address the problem with restoring sites under compliance holds. I hope that they add properties to show when sites and mailboxes are protected by Microsoft 365 Backup, and that these properties are available through PowerShell and a Graph API. Properties like last backup time, the technology used for backup (including ISV products), and the size of protected data would be nice. In fact, a Graph API for setting up and managing backups and restores would be even nicer.


Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.

Microsoft Lifts External Sharing Restriction for Loop App
https://office365itpros.com/2024/03/15/loop-app-external-sharing/
Fri, 15 Mar 2024 08:00:00 +0000

Two-Phase Plan to Lift Loop App External Sharing Restriction Starts in Late April 2024

The Loop app reached general availability in late 2023. The Loop app is licensed through a service plan included in the Microsoft 365 E3 or E5 enterprise subscriptions. SME accounts can use the Loop app with a Microsoft 365 Business Standard or Premium license. The ability to use individual Loop components (like a bulleted list) in applications like Teams and Outlook is included in the licenses for those applications, but if you want to organize your thoughts in Loop workspaces, you must use the Loop app.

Workspaces are the organizational unit for the Loop app. Inside workspaces, information is divided into pages, which are in turn composed of Loop components. Microsoft is gradually building out the set of components supported by Loop, the most recent being a Planner plan.

Microsoft says that the Loop app is “built for the new way of work.” Strong as it might be as a platform for collaborative creation, Loop suffers from the lack of support for sharing outside a tenant. This deficiency has always struck me as strange. Loop is built on SharePoint Embedded (or as it was once called, Syntex Repository Services). It’s an example of an application that uses SharePoint for storage while providing a unique user interface. That is very different from the traditional SharePoint UX.

Because Loop uses SharePoint Embedded, it’s logical to assume that it would support the same kind of external file sharing for its workspaces as in SharePoint Online and OneDrive for Business. But that wasn’t the case and the Loop app didn’t support Entra ID B2B Collaboration (guest accounts), which is the basis for control over content shared externally. Individual Loop components created by apps like Teams and Outlook are stored in the OneDrive for Business account of the component owner and can be shared by the owner with external users, just like any other file.

Microsoft 365 message center notification MC736437 (13 March 2024) announces that external access to Loop workspaces, pages, and components will come in late April 2024 with full deployment due by early June 2024. Lifting the restriction on external access to content managed by the Loop app is very welcome news. It will certainly help me work more collaboratively with people in other Microsoft 365 tenants.

Two Deployment Phases to Implement Loop App External Sharing

The kicker is that only tenants without sensitivity labels can use the initial stage of external access. This restriction should only affect enterprise tenants who use sensitivity labels for container management, protection, content marking, or a combination of these features. It seems like Microsoft is delaying roll-out of external access for Loop in tenants that use sensitivity labels until it has incorporated support for sensitivity labels in the Loop app.

MC736437 says that “Sensitivity labels will begin rolling out in the first half of 2024.” This doesn’t make sense because sensitivity labels have been around for years. I read the sentence to mean that support for sensitivity labels in the Loop app will come in the first half of 2024. Given that we’re already in mid-March and the initial deployment to tenants that don’t use sensitivity labels won’t complete until early June, it’s a reasonable bet that the second phase of external access for the Loop app will come around then.

How the Loop App External Sharing Might Support Sensitivity Labels

While Microsoft hasn’t said how the Loop app will support sensitivity labels, it’s likely to include:

  • Container management for Loop workspaces to mark the workspaces with a level of confidentiality. Given its tight connection to SharePoint Online, the Loop app will probably apply the external sharing settings defined in sensitivity labels to workspaces. MC736437 points out that the Loop app will respect the organization sharing policy defined for SharePoint Online and OneDrive for Business. For instance, the policy might restrict sharing to guest accounts that already exist in the tenant directory.
  • Protection and marking for Loop pages. In this respect, a Loop page is like a Word document stored in SharePoint. Applying a sensitivity label with encryption to a page would protect the page content when it leaves the tenant so that only external users with access rights can open and interact with the page. It might also be possible to protect an individual Loop component in the future. However, to make this happen, Microsoft would have to make sure that protected components can be read in other Office applications. No Office application currently supports the assignment of a sensitivity label to a Loop component.

No doubt more precise information will become available in product documentation as the time approaches for the roll-out of full-blown external access to Loop workspaces, pages, and components.

Loop App External Sharing is A Nice Step Forward

The Loop app is a great way to share ideas and work together. It’s not OneNote and it’s not Teams. It’s not like sending email around with a link to a shared document. The Loop synchronization model means that everyone who shares a component, page, or workspace sees the update in near real-time. That’s just different and it takes time for collaborators to become accustomed to how things work. Most of my work is with people outside my tenant. I’m intrigued to see how the Loop app copes with external access and sensitivity labels.


Restoring Data with Microsoft 365 Backup (Preview)
https://office365itpros.com/2024/02/29/microsoft-365-backup-restore/
Thu, 29 Feb 2024 01:00:00 +0000

The Evolution of Microsoft 365 Backup to its Current Preview Status

Paul Robichaux, a longstanding MVP and someone who knows much more than I do about backup technologies, wrote an interesting review of the public preview of Microsoft 365 Backup for Practical365.com. I don’t need to dive into the details of what Paul covered about the mechanisms used by Microsoft 365 Backup to protect SharePoint Online, OneDrive for Business, and Exchange Online data. Instead, I decided to focus on how restore operations work. I did this on the basis that it’s straightforward for a backup product to stream data from a repository to create a copy of one form or another. The trick is to be able to restore copied data to the right place at the right time in the right way.

For background, I’ve been tracking the progress of Microsoft 365 Backup for several years, including discussions with the Microsoft engineers who built the product. When Microsoft began to discuss the product in public, I concluded that it was something I needed to test and potentially use over the longer term to protect my tenant’s data.

Until now, I have largely eschewed backups for Microsoft 365 and relied on native data protection (for Exchange Online) and retention policies. I consider many of the arguments advanced by companies selling backup solutions to be firmly rooted in FUD, especially when it comes to Teams. Unsurprisingly, because Teams is the most difficult Microsoft 365 workload to back up (and even harder to restore), Microsoft hasn’t included it in its set of target workloads.

When Microsoft launched the preview of Microsoft 365 Backup, I configured backup policies for all workloads and opted to protect the most active (and probably the most valuable) sites, accounts, and mailboxes in the tenant, including the site holding the source files for the Office 365 for IT Pros eBook. Backups have progressed since early January. Apart from adding extra mailboxes and accounts to the backup policies, I haven’t had to do anything since the original configuration.

Restoring Microsoft 365 Data

The big selling point for Microsoft 365 Backup is that it makes it fast and easy to restore data. The data for backups is stored in the Microsoft Cloud and is almost instantly accessible, or so the story goes. Backup professionals don’t like all their eggs stored in one cloud basket and don’t consider Microsoft 365 Backup to be a true backup. However, having everything in the Microsoft cloud makes backup and restore operations much faster than if the data must transit the internet to storage in a backup vendor’s datacenter.

There’s no doubt that Microsoft created a simple and easy-to-use UI for backup. The downside is that there’s no log to help you understand what happened during a restore or, more importantly, where problems might have been met. Before beginning, it’s wise to read the latest set of limitations documented by Microsoft. Apart from anything else, you might discover that you must do something before a restore is possible, such as removing in-place holds from Exchange mailboxes. The number of documented limitations is likely to decrease as Microsoft develops the product from its current preview status to a point where Microsoft 365 Backup is generally available.

You can learn the details of restore operations from Microsoft’s documentation. Creating a restoration task follows much the same path for all workloads:

  • Select the workload.
  • Select the protected locations (site, account, or mailbox) to restore.
  • Select the restore point (Figure 1).
  • Confirm everything and launch the restoration task.
  • Wait for the restoration task to complete.

Figure 1: Selecting a restore point for Microsoft 365 Backup

My experience is that Exchange Online restores are quicker than SharePoint Online or OneDrive for Business. That’s likely due to the way Exchange uses an existing copy-on-write mechanism to tag items. In all tests, Exchange restored data within a few minutes. As a quick and simple test to ensure that the data was restored, I used PowerShell to note the contents of important folders before and after a restore.

For example, here are the folder statistics at the time that I wanted to restore to:

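$Folders = "Deleted Items", "Inbox", "Sent Items", "Deletions", "Purges"  # folders to check, as listed in the output below
Get-EXOMailboxFolderStatistics -Identity "James.Ryan@office365itpros.com" | Where-Object {$_.ItemsInFolder -gt 0 -and $_.Name -in $Folders} | Format-Table Name, ItemsInFolder, FolderSize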

Name          ItemsInFolder FolderSize
----          ------------- ----------
Deleted Items             0 0 B (0 bytes)
Inbox                  1038 248.5 MB (260,572,313 bytes)
Sent Items               19 794.1 KB (813,182 bytes)
Deletions                 6 3.689 MB (3,868,185 bytes)
Purges                    1 1.904 KB (1,950 bytes)

I then removed some items from the Inbox and emptied the Deleted Items folder. The increased number of items in the Deletions folder matches the number of items removed from the Inbox and those emptied from Deleted Items (5).

Name          ItemsInFolder FolderSize
----          ------------- ----------
Deleted Items             0 0 B (0 bytes)
Inbox                  1033 247 MB (258,973,507 bytes)
Sent Items               19 794.1 KB (813,182 bytes)
Deletions                11 5.214 MB (5,467,162 bytes)
Purges                    1 1.904 KB (1,950 bytes)

I then created a restore task using the restore point closest to the time when I first noted the folder contents. When the restore finished, I checked the data reported by Exchange. We can see that it roughly matches what was there at the start. One item from Sent Items was deleted, so it’s in Deleted Items. This emphasizes that Exchange Online uses a roll-forward mechanism for restore, meaning that items that aren’t affected (a refile to another folder doesn’t affect the item status, a deletion does) are left intact.

Name          ItemsInFolder FolderSize
----          ------------- ----------
Deleted Items             1 19.28 KB (19,745 bytes)
Inbox                  1038 248.5 MB (260,572,377 bytes)
Sent Items               18 774.9 KB (793,459 bytes)
Deletions                 6 3.689 MB (3,868,185 bytes)
Purges                    1 1.904 KB (1,950 bytes)

Naturally, this is an imperfect way to validate restore operations. A visual check of mailbox contents confirmed that everything that I expected to be there was in place. Exchange Online logs audit records for the New-MailboxEnhancedRestoreBatch and New-MigrationBatch operations when it starts a restoration task. The details of the audit event only tell you that a restore began for a user called “NT AUTHORITY\SYSTEM (w3wp).” Some of the data logged in the events might be useful to a Microsoft support representative, but the information isn’t detailed enough to help a tenant administrator understand what happened.
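Because Microsoft 365 Backup offers no restore log, the before-and-after folder check described above is worth scripting so that the comparison is repeatable. The following PowerShell is an added example, not code from the original article: the function names Compare-FolderSnapshot and ConvertTo-FolderBytes are hypothetical, the sample snapshots are retyped from the tables above, and the FolderSize string format is assumed to be the one those tables show.

```powershell
# Added example: compare mailbox folder statistics captured before an incident
# and after a restore. Function names are hypothetical.

function ConvertTo-FolderBytes {
    param([string]$FolderSize)
    # FolderSize is displayed as "248.5 MB (260,572,313 bytes)"; extract the exact byte count
    if ($FolderSize -match '\(([\d,]+) bytes\)') {
        return [int64]($Matches[1] -replace ',', '')
    }
    return $null
}

function Compare-FolderSnapshot {
    param(
        [Parameter(Mandatory)] [object[]]$Before,
        [Parameter(Mandatory)] [object[]]$After
    )
    # Index the post-restore snapshot by folder name
    $AfterIndex = @{}
    foreach ($Folder in $After) { $AfterIndex[$Folder.Name] = $Folder }

    foreach ($Folder in $Before) {
        $Current = $AfterIndex[$Folder.Name]
        if ($null -eq $Current) {
            # Folder existed at the reference point but is absent after the restore
            [PSCustomObject]@{ Name = $Folder.Name; ItemsBefore = [int]$Folder.ItemsInFolder
                               ItemsAfter = $null; ItemDelta = $null; ByteDelta = $null
                               Status = 'MissingAfterRestore' }
            continue
        }
        $ItemDelta   = [int]$Current.ItemsInFolder - [int]$Folder.ItemsInFolder
        $BytesBefore = ConvertTo-FolderBytes $Folder.FolderSize
        $BytesAfter  = ConvertTo-FolderBytes $Current.FolderSize
        $ByteDelta   = if ($null -ne $BytesBefore -and $null -ne $BytesAfter) { $BytesAfter - $BytesBefore } else { $null }
        # Equal item counts can hide content differences, so the byte count is checked too
        $Status = if ($ItemDelta -ne 0) { 'ItemCountDiffers' }
                  elseif ($null -eq $ByteDelta) { 'SizeUnknown' }
                  elseif ($ByteDelta -ne 0) { 'SizeDiffers' }
                  else { 'Match' }
        [PSCustomObject]@{ Name = $Folder.Name; ItemsBefore = [int]$Folder.ItemsInFolder
                           ItemsAfter = [int]$Current.ItemsInFolder; ItemDelta = $ItemDelta
                           ByteDelta = $ByteDelta; Status = $Status }
        $AfterIndex.Remove($Folder.Name)
    }
    # Anything left in the index appeared only after the restore
    foreach ($Name in $AfterIndex.Keys) {
        [PSCustomObject]@{ Name = $Name; ItemsBefore = $null
                           ItemsAfter = [int]$AfterIndex[$Name].ItemsInFolder
                           ItemDelta = $null; ByteDelta = $null; Status = 'NewAfterRestore' }
    }
}

# Sample snapshots retyped from the article's tables. In a live session each snapshot
# would come from:
#   Get-EXOMailboxFolderStatistics -Identity $Mailbox | Select-Object Name, ItemsInFolder, FolderSize
$ReferencePoint = @(
    [PSCustomObject]@{ Name = 'Deleted Items'; ItemsInFolder = 0;    FolderSize = '0 B (0 bytes)' }
    [PSCustomObject]@{ Name = 'Inbox';         ItemsInFolder = 1038; FolderSize = '248.5 MB (260,572,313 bytes)' }
    [PSCustomObject]@{ Name = 'Sent Items';    ItemsInFolder = 19;   FolderSize = '794.1 KB (813,182 bytes)' }
    [PSCustomObject]@{ Name = 'Deletions';     ItemsInFolder = 6;    FolderSize = '3.689 MB (3,868,185 bytes)' }
    [PSCustomObject]@{ Name = 'Purges';        ItemsInFolder = 1;    FolderSize = '1.904 KB (1,950 bytes)' }
)
$AfterRestore = @(
    [PSCustomObject]@{ Name = 'Deleted Items'; ItemsInFolder = 1;    FolderSize = '19.28 KB (19,745 bytes)' }
    [PSCustomObject]@{ Name = 'Inbox';         ItemsInFolder = 1038; FolderSize = '248.5 MB (260,572,377 bytes)' }
    [PSCustomObject]@{ Name = 'Sent Items';    ItemsInFolder = 18;   FolderSize = '774.9 KB (793,459 bytes)' }
    [PSCustomObject]@{ Name = 'Deletions';     ItemsInFolder = 6;    FolderSize = '3.689 MB (3,868,185 bytes)' }
    [PSCustomObject]@{ Name = 'Purges';        ItemsInFolder = 1;    FolderSize = '1.904 KB (1,950 bytes)' }
)

Compare-FolderSnapshot -Before $ReferencePoint -After $AfterRestore | Format-Table -AutoSize
```

Saving the reference snapshot to disk (for example with Export-Clixml) at the time a restore point is chosen gives a baseline that survives the PowerShell session.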

Happy that I could restore mailboxes, I went ahead to try to restore data for a SharePoint site.

Restoring SharePoint Online

Both SharePoint Online and OneDrive for Business use a roll back process for restores. In other words, you decide what restore point to use, and Microsoft 365 Backup rolls back the site or account to have the content stored at that time. Restores can be to the same site or to a new site. If you restore to the same site, the possibility currently exists that people working in the site might have their work overwritten. Microsoft plans to lock sites against changes to avoid this issue in the future. Exchange uses a roll-forward process, meaning that unchanged items since the chosen restore point are unaffected and only changed or deleted items are brought back. In any case, my experience with SharePoint restores didn’t go so well.

I added a bunch of files to a site and then tried to roll back to a point beforehand. The idea was to replicate infection by malware when you need to restore a site to the last good backup before the malware arrived. SharePoint accepted the restore task and about fifty minutes later politely failed. Nothing happened to the restore destination and the detail available about what happened to cause the restoration task to fail was non-existent (Figure 2).

Figure 2: Details of a failed attempt to restore a SharePoint Online site.

Many attempts to restore the site failed and the last restoration task failed after nearly three hours (the second task listed in Figure 3). SharePoint Online does not log any audit records for administrators to check nor is any other log available to consult to discover why the task failed. Despite rereading the documentation several times and checking all the settings, I could make no progress. Perhaps it’s just me, but I failed in my initial attempts to successfully restore SharePoint Online sites or OneDrive for Business accounts.

Figure 3: An unhappy record and some frustration at failed restore attempts

Without Microsoft 365 Backup generating a log file or revealing more details about failure symptoms it’s hard to diagnose what’s happening. I put the problem to Microsoft and learned that the problem is due to the holds applied by retention policies. This limitation is documented for OneDrive and mailboxes but not for sites. For now, the solution is to restore files to a new site. This works and restoring files to a different site allows them to be copied to the original site as necessary. However, it’s not quite the smooth recovery operation that I anticipated, even in a preview product.

My biggest concern is that the holds imposed by retention policies block restoration tasks. When things go wrong, administrators want to restore sites or accounts back to good health as quickly as possible. Speed, after all, is the promise extended by Microsoft 365 Backup. Altering settings for Microsoft 365 retention policies to remove holds on sites, including the potential need to adjust adaptive scopes, is not speedy. It can take days before changes are fully respected by SharePoint Online. How then are fast restores possible?

Remember It’s a Preview

Microsoft 365 Backup is a preview solution, but it’s a paid-for preview and I expected what appears to be a straightforward restore request to happen without trauma. After talking to Microsoft, I think they understand that problems exist that must be sorted out before the product reaches general availability. As noted above, these issues include speed of restore, faster detection of problems in restoration tasks, better error handling and logging, and much more elegant handling of sites under control of retention policies.

Microsoft Releases Entra ID License Utilization Insights
https://office365itpros.com/2024/02/26/entra-id-usage-insights/
Mon, 26 Feb 2024 01:00:00 +0000

Entra ID Usage Insights for Premium Licenses

A February 20 Microsoft Technical Community post covering the introduction of Microsoft Entra License Utilization Insights began by saying that over 800,000 organizations use Entra ID before announcing the preview of a new Entra ID License utilization portal. When I read this first, I assumed that the new portal would help customers manage all licenses assigned to Entra ID accounts but that’s not the case. Instead, the new portal (or rather, a new page in the Entra admin center) focuses on Entra ID premium licenses.

Entra ID premium licenses are available separately or as part of a package such as Enterprise Mobility and Security or Microsoft 365 E3 or E5. Although these licenses enable access to a range of features, the most common reason why Microsoft 365 tenants need Entra ID premium licenses is for conditional access policies. Currently, Microsoft says that 38% of Entra ID accounts use multifactor authentication. Demand is likely to grow in the future when Microsoft deprecates the per-user multifactor authentication capabilities available in Office 365 E3 and E5 and forces tenants to use conditional access policies instead.

Microsoft says that the new page (Figure 1) allows administrators to view usage details for Entra ID premium licenses. The preview is limited to support for conditional access (P1) and risk-based conditional access (P2).

Figure 1: Entra ID Usage Insights in the Entra admin center

Microsoft expects to add support for more features when the feature reaches general availability. They claim that usage insights will help tenants to understand the number of available premium licenses and the value gained by users from these licenses. And of course, if any over-usage is detected, Microsoft will be happy to bring that salient fact to the attention of tenant administrators.

A More Restrictive Regime Coming?

At present, Microsoft does not enforce licensing requirements for Entra ID premium features with the same precision as happens for Microsoft 365 licenses. For instance, Entra ID processes connections that require multifactor authentication no matter if the account has a premium license. The advent of this license utilization page might be a pointer to a more restrictive regime that’s coming, including for premium features consumed by guest users (which should now be covered by Monthly Active User (MAU) pricing).

For instance, my tenant has five Microsoft 365 E5 licenses among the licensing mix, so that means that the tenant has five Entra ID P2 licenses. The insights page tells me that there are 11 accounts using conditional access and 45 users using conditional access B2B (guests). Costs for the guests are covered by MAU pricing tied to an Azure subscription, but I seem to have a deficit of six Entra ID P1 licenses to license multifactor authentication for the excess user accounts. Obviously, this is something that I will deal with immediately.

Graph Access to Entra ID Usage Insights

In addition to the page in the Entra admin center, Microsoft has a Graph API to access the usage insights (through the beta endpoint because it’s a preview feature). Here’s how to access the data using the Microsoft Graph PowerShell SDK:

[array]$Data = Invoke-MgGraphRequest -Method Get -Uri "https://graph.microsoft.com/beta/reports/azureADPremiumLicenseInsight" -OutputType PSObject

$Data

@odata.context            : https://graph.microsoft.com/beta/$metadata#reports/azureADPremiumLicenseInsight/$entity
entitledP1LicenseCount    : 0
entitledP2LicenseCount    : 5
entitledTotalLicenseCount : 5
p1FeatureUtilizations     : @{conditionalAccess=; conditionalAccessGuestUsers=}
p2FeatureUtilizations     : @{riskBasedConditionalAccess=; riskBasedConditionalAccessGuestUsers=}

To get the counts of users accessing the licensed features, we can do something like this:

Write-Host ("The tenant has {0} member accounts and {1} guest accounts that use conditional access" -f $Data.p1FeatureUtilizations.conditionalaccess.usercount, $Data.p1FeatureUtilizations.conditionalaccessguestusers.usercount )

The tenant has 11 member accounts and 45 guest accounts that use conditional access
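The same response object can be turned into a per-tier shortfall report like the one worked out by hand earlier (five entitled licenses against 11 member accounts using conditional access). This PowerShell is an added example, not code from the original article: Get-EntraPremiumLicenseGap is a hypothetical function name, the userCount property on the two risk-based entries is assumed by analogy with the conditional access entries, and the risk-based counts in the sample are constructed.

```powershell
# Added example: compute Entra ID premium license shortfalls from the
# azureADPremiumLicenseInsight response. The function name is hypothetical.

function Get-EntraPremiumLicenseGap {
    param([Parameter(Mandatory)] $Insight)

    $P1 = $Insight.p1FeatureUtilizations
    $P2 = $Insight.p2FeatureUtilizations

    # Entra ID P2 includes the P1 feature set, so every entitled license can cover
    # a conditional access user; only P2 licenses cover risk-based conditional access.
    $Rows = @(
        @{ Tier = 'P1'; Feature = 'conditionalAccess'
           Entitled = [int]$Insight.entitledTotalLicenseCount
           Members  = [int]$P1.conditionalAccess.userCount
           Guests   = [int]$P1.conditionalAccessGuestUsers.userCount }
        @{ Tier = 'P2'; Feature = 'riskBasedConditionalAccess'
           Entitled = [int]$Insight.entitledP2LicenseCount
           Members  = [int]$P2.riskBasedConditionalAccess.userCount              # assumed property
           Guests   = [int]$P2.riskBasedConditionalAccessGuestUsers.userCount }  # assumed property
    )

    foreach ($Row in $Rows) {
        [PSCustomObject]@{
            Tier        = $Row.Tier
            Feature     = $Row.Feature
            Entitled    = $Row.Entitled
            MemberUsers = $Row.Members
            # Guests are reported but not counted against licenses because the
            # article notes they are covered by MAU pricing
            GuestUsers  = $Row.Guests
            Deficit     = [Math]::Max(0, $Row.Members - $Row.Entitled)
        }
    }
}

# Sample shaped like the output shown above. License counts and conditional access
# user counts are the article's; the risk-based counts are constructed.
$Sample = [PSCustomObject]@{
    entitledP1LicenseCount    = 0
    entitledP2LicenseCount    = 5
    entitledTotalLicenseCount = 5
    p1FeatureUtilizations     = [PSCustomObject]@{
        conditionalAccess           = [PSCustomObject]@{ userCount = 11 }
        conditionalAccessGuestUsers = [PSCustomObject]@{ userCount = 45 }
    }
    p2FeatureUtilizations     = [PSCustomObject]@{
        riskBasedConditionalAccess           = [PSCustomObject]@{ userCount = 0 }
        riskBasedConditionalAccessGuestUsers = [PSCustomObject]@{ userCount = 0 }
    }
}

Get-EntraPremiumLicenseGap -Insight $Sample | Format-Table -AutoSize

# Against a live tenant, pass the object returned by the Invoke-MgGraphRequest call above:
#   Get-EntraPremiumLicenseGap -Insight $Data[0]
```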

Here’s how to find which accounts actively use multifactor authentication to access your tenant.

Entra ID Usage Insights Serve Microsoft More Than Tenants

It’s natural that the Entra ID development group should take care of their license consumption and revenue, so the provision of a page to make tenants aware of the consumption is unsurprising. I think this is a forerunner of a more restrictive regime for Entra ID premium licensing, which again is unsurprising. I just hope that it doesn’t put tenants off from using multifactor authentication to protect user accounts. Given today’s threat horizon, multifactor authentication is more of a must-have than an added extra and it would be nice if Microsoft supported tenants to use more multifactor authentication rather than putting barriers in the way.


Microsoft Kills Viva Topics to Focus on Copilot
https://office365itpros.com/2024/02/23/viva-topics-retirement/
Fri, 23 Feb 2024 00:01:00 +0000

Viva Topics Retirement Propelled by More Lucrative Copilot Opportunity

In a surprise announcement posted in Microsoft 365 message center notification MC718486, Microsoft said that they will retire Viva Topics on February 22, 2025 and will stop new feature development as of February 22, 2024. Originating as part of Project Cortex, Microsoft launched Viva Topics as one of the four modules in its new Viva employee experience platform in February 2021. Support documentation covering the retirement is available online as is a FAQ.

The idea behind Viva Topics is that organizations could leverage their investment in SharePoint Online by creating a curated knowledge network about topics important to the business. Knowledge editors would maintain the topics and link them to sources. Users could consume the information in the knowledge network by inserting topics into the natural flow of communications created in Outlook messages, Teams chats and channel conversations (Figure 1), or SharePoint documents. The latest development was to expose topics in the Microsoft 365 user profile card.

Figure 1: Viva Topics in a Teams channel conversation

There’s some great technology in Viva Topics. Alas, great technology doesn’t always survive in the acid test of the market. Some Microsoft 365 tenants use Topics, but I don’t see any evidence of a major groundswell of projects. The level of discussion about Topics is low in online forums and it’s not a subject for sessions submitted to major Microsoft 365 conferences. Although hardly a test that could be stood over, it is undeniable that potential speakers submit sessions for technology that interests them or that they work on. I cannot recall seeing a submission for a Viva Topics session in the last year.

Knowledge Management is Hard

Knowledge management is hard. Anyone who set up and managed a knowledge network for Viva Topics will appreciate that the AI-powered harvesting of topics from content stored in SharePoint Online can generate hundreds or thousands of topics to curate, refine, and publish, all of which takes time. The work of the knowledge managers might not be appreciated by end users, or even recognized if end users don’t receive education about how to use Topics.

Even though they announced lightweight management for Topics through Viva Engage in July 2023 and Copilot in Viva Topics in April 2023, the benefit of hindsight shows that Microsoft’s heart had been snatched by Copilot and the clarion call to development groups to create Copilot-branded experiences.

Copilot Wins the Game and Forces the Viva Topics Retirement

Apart from being swept along by the Copilot wave, I think hard business logic is a major driving factor behind Microsoft’s decision to retire Viva Topics. Copilot for Microsoft 365 brings in $30/user/month plus the opportunity to upsell customers to more expensive Office 365 or Microsoft 365 licenses. Microsoft’s pricing for Viva Topics varied over the years. According to Copilot, a Viva Topics license brings in $4/user/month (Figure 2).

Figure 2: Copilot figures out the cost of Viva Topics licenses

Even when included in the Viva Communications and Community license, Topics cannot contribute anywhere close to the revenue that Copilot will likely deliver over the next five years. In addition, Viva Topics is usually a much harder project to sell, and its implementation lacks the excitement and glamor currently associated with Copilot. I mean, topic refinement compared to AI-generated email and documents?

Looking at the situation through the business lens, it makes absolute sense for Microsoft to retire Viva Topics and realign the engineering resources from that program to work on other AI-related projects, such as the “new AI-powered knowledge management experiences” promised in the announcement.

Third Time Lucky

Microsoft’s record in knowledge management is not stellar. The next-generation knowledge portals promised at Ignite 2015 vanished as soon as the attendees left Chicago and its infamous baloney conference lunches behind. Now Viva Topics is being retired. Microsoft has put all its knowledge management eggs in the Copilot basket. Let’s hope that the next round of knowledge applications powered by Copilot demonstrate once again that Microsoft has the habit of getting things right third time around.


Copilot for Microsoft 365 to Support Outlook Classic
https://office365itpros.com/2024/02/15/outlook-win32-copilot-support/
Thu, 15 Feb 2024 01:00:00 +0000

Outlook Win32 Copilot Support Coming. Teams Gets a Better Integration

After removing the major barriers blocking adoption of Microsoft 365 Copilot last month, Microsoft has quietly dropped its insistence that Copilot would only support the Outlook Monarch client. The latest version of the Microsoft 365 Copilot requirements documentation (2 February 2024) says that Copilot works with the new Outlook client on Windows and Mac (Outlook mobile is also supported) and then notes that “Microsoft Copilot for Microsoft 365 will be supported on classic Outlook for Windows (Win32 desktop app) in the future.”

A link to the Microsoft 365 roadmap lists three items relating to the introduction of Copilot functionality in the classic Outlook client together with dates when the rollout is supposed to start:

  • Coaching by Copilot (190927) – February 2024
  • Draft by Copilot (190937) – March 2024. Figure 1 shows the draft created by Copilot in OWA.
  • Summarize by Copilot (180900) – November 2023

Figure 1: Copilot drafts a message about Outlook Win32 Copilot Support

According to the items, Microsoft added 190927 and 190937 on 6 December 2023, and 180900 on December 10, 2023. Don’t pay too much attention to the purported rollout dates until you see a Microsoft 365 message center announcement describing when the new functionality will be available in the preview and other Office channels. Even then, announced dates are often optimistic and end up being delayed. I’m pretty sure that Outlook Win32 support will only extend to the subscription version of Outlook packaged in Microsoft 365 enterprise apps, but we’ll see when Microsoft shares more details.

No Formal Announcement for Outlook Win32 Copilot Support

Speaking of details, I can’t find a formal Microsoft announcement about the change in direction. Ever since the original Copilot for Microsoft 365 announcement in March 2023, Microsoft held to the line that Monarch was the only supported Outlook desktop client. As I noted in August, this position applied despite the fact that Microsoft’s One Outlook program includes the ability for Outlook desktop to use code developed for Monarch/OWA. The only logical conclusion is that Microsoft hoped to use Copilot to drive customers to embrace Monarch.

The sad fact is that Monarch is still not fit for purpose in the eyes of many Outlook users. The lack of offline access and PST support are just two issues that must be addressed before Monarch has a chance to replace the classic client.

Although they’re rolling Monarch out as a replacement for the standard Windows mail and calendar client, Microsoft knows that the software lacks many features needed for success in commercial environments. All the missing functionality is on a list for development, but the fact remains that it’s very hard to force people to change to a client that doesn’t do what they need, and this became a blocking factor for Copilot adoption.

Given that making it easy for customers to use Copilot is much more important for Microsoft than achieving an earlier switchover to Monarch is, the choice for senior management must have been simple, and that’s probably why the restriction is gone. Customers will applaud the new reality.

New Copilot Experience in Teams

Meanwhile, on February 12, Microsoft announced a new Copilot experience in Teams. Like the rest of Teams, the experience is in the form of an app that administrators can control through setup policies. According to Microsoft, the major changes are better prompts, access to Copilot Lab to see prompts that you might use, and a list of your Copilot chat history.

The app delivers a chat experience, so it should come as no surprise that Teams can store and reveal previous interactions with Copilot. The chat messages are captured for compliance purposes, just like personal and group chats, and can be retrieved by content searches for eDiscovery.

Just to be sure that Copilot support for Outlook Win32 is a reality, I asked Copilot in Teams (Figure 2) about Outlook Win32 Copilot support. After thinking for a bit, Copilot duly responded to confirm support and noted two references, one being the requirements documentation, the other a document stored in a SharePoint Online site. Website content is only available to Copilot if enabled for the tenant and the user chooses to enable it for searches.

Figure 2: Copilot in Teams confirms Outlook Win32 Copilot Support

More Change Coming

I suspect that the Copilot for Microsoft 365 journey will have other ups and downs as customers identify and Microsoft removes barriers to adoption, problems, bugs, and other issues. Like the initial development of Teams in the 2017-2020 period (albeit accelerated in some part by the Covid pandemic), I expect lots of change. Stay tuned.


Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.

Tracking Licensing Costs for Microsoft 365 Tenants https://office365itpros.com/2024/02/14/microsoft-365-licensing-report/?utm_source=rss&utm_medium=rss&utm_campaign=microsoft-365-licensing-report https://office365itpros.com/2024/02/14/microsoft-365-licensing-report/#comments Wed, 14 Feb 2024 01:00:00 +0000 https://office365itpros.com/?p=63686

Microsoft 365 Licensing Report Details Costs Per User to Find Optimizations

Recently, I released an update to my Microsoft 365 Licensing Report PowerShell script to include the ability to assign costs to user accounts. The idea is to give administrators information about how much the cumulative annual license charges are for each account. Combining cost data with insight about account activity in a tenant (generated with the user activity report script or by reference to the individual workload usage reports in the Microsoft 365 admin center), administrators can figure out if users have the right licenses they need to work and no licenses are assigned to inactive accounts.

Managing the cost of Office 365 and Microsoft 365 licenses has always been important. As Microsoft puts more focus on driving revenue through high-priced add-ons such as Teams Premium ($120/year) and Copilot for Microsoft 365 ($360/year), it’s even more essential to keep close tabs on license assignments. There’s no point in assigning a Copilot license to someone who’s inactive or whose usage pattern indicates that they might not take advantage of the license. No one is rewarded for overspending on licenses.

Adding Cost by Department and Cost by Country to the Microsoft 365 Licensing Report

Almost immediately after releasing the updated script, calls came in to ask if it was possible to generate an analysis of licensing cost by country and by department. My initial response was “sure” and I set to figuring out the best way to implement the change.

Because the report script tracks license costs per user, the simple method is to:

  • Find the sets of departments and countries in user accounts.
  • For each department (or country), calculate the sum of license costs.
  • Include the information in the report.

The same approach works to analyze license costs for any user account property fetched by the initial Get-MgUser command at the start of the script. If the set of regular account properties doesn’t work for your organization, you could use an Exchange custom attribute to store the required values. For instance, you could include a cost center number in a custom attribute. Here’s how to access Exchange custom attributes with Get-MgUser. You’ll need to extract the information from the custom attribute before you can use it in the script.

The Problems Caused by Inaccurate Directory Data

The obvious problem is that sometimes the properties of user accounts don’t include a department or country. Accounts should hold accurate properties, but unfortunately this sometimes doesn’t happen because administrators fail to add properties to accounts, or a synchronization process linking a HR system to Entra ID encounters problems, or something else conspires to erode directory accuracy. The point is that inaccurate or missing user account properties result in bad license accounting.

The first order of business is therefore to validate that the account properties that you want to use for license cost reporting exist and are correct. This article explains how to detect user accounts with missing properties. Making sure that properties are accurate requires an extra level of review. The value of the country property assigned to user accounts shouldn’t change frequently, but properties like department and office might.
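The grouping steps listed earlier, combined with a check for missing directory properties, can be sketched as follows. This is an added example, not the code from the licensing report script; the sample rows are constructed, and the property names (User, Department, Country, AnnualCost) and the function name Get-LicenseCostBreakdown are assumptions made for the illustration.

```powershell
# Constructed per-user rows standing in for the licensing report's output (not tenant data).
# Property names (User, Department, Country, AnnualCost) are assumptions for this example.
$Report = @(
    [PSCustomObject]@{ User = 'Ann Smith';  Department = 'Sales';       Country = 'Ireland'; AnnualCost = 864 }
    [PSCustomObject]@{ User = 'Ben Jones';  Department = 'Sales';       Country = 'France';  AnnualCost = 504 }
    [PSCustomObject]@{ User = 'Cara Walsh'; Department = 'Engineering'; Country = 'Ireland'; AnnualCost = 1224 }
    [PSCustomObject]@{ User = 'Dev Patel';  Department = $null;         Country = 'Ireland'; AnnualCost = 504 }
    [PSCustomObject]@{ User = 'Eve Martin'; Department = 'Engineering'; Country = '';        AnnualCost = 864 }
)

function Get-LicenseCostBreakdown {
    # Hypothetical helper: sums AnnualCost per value of $Property and reports unattributed cost
    param(
        [Parameter(Mandatory)] [object[]]$Rows,
        [Parameter(Mandatory)] [string]$Property
    )
    $Total = ($Rows | Measure-Object -Property AnnualCost -Sum).Sum

    # Split accounts into those with a usable property value and those without one
    $Known   = @($Rows | Where-Object { -not [string]::IsNullOrWhiteSpace($_.$Property) })
    $Missing = @($Rows | Where-Object { [string]::IsNullOrWhiteSpace($_.$Property) })

    # One output row per distinct property value (department, country, and so on)
    $Result = foreach ($Group in ($Known | Group-Object -Property $Property)) {
        $Sum = ($Group.Group | Measure-Object -Property AnnualCost -Sum).Sum
        [PSCustomObject]@{
            Name           = $Group.Name
            Accounts       = $Group.Count
            AnnualCost     = $Sum
            PercentOfTotal = if ($Total) { [math]::Round(100 * $Sum / $Total, 2) } else { 0 }
        }
    }

    # Costs that cannot be attributed are reported on their own row and flagged with a warning
    if ($Missing.Count -gt 0) {
        $Unattributed = ($Missing | Measure-Object -Property AnnualCost -Sum).Sum
        Write-Warning ("{0} account(s) have no {1} value: {2}" -f $Missing.Count, $Property, ($Missing.User -join ', '))
        $Result = @($Result) + [PSCustomObject]@{
            Name           = '(not set)'
            Accounts       = $Missing.Count
            AnnualCost     = $Unattributed
            PercentOfTotal = if ($Total) { [math]::Round(100 * $Unattributed / $Total, 2) } else { 0 }
        }
    }
    $Result | Sort-Object AnnualCost -Descending
}

Get-LicenseCostBreakdown -Rows $Report -Property Department | Format-Table -AutoSize
Get-LicenseCostBreakdown -Rows $Report -Property Country | Format-Table -AutoSize
```

Because the property name is a parameter, the same function works for any account property collected for the report, including a value extracted from a custom attribute.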

Reporting Licensing Costs for Country and Department

After making sure that all the necessary user account properties are in place (and accurate), the code to generate cost analyses based on department and country worked like a dream. The script also required an update to insert the new data into the output report, including warnings for administrators when costs cannot be attributed to countries or departments because of missing account properties. Figure 1 shows the result.

Figure 1: Costs for departments and countries shown in Microsoft 365 Licensing Report

The code changes are in version 1.6 of the report script, which you can download from GitHub. If you haven’t run the script before, make sure that you read the previous Practical365.com articles to understand how the script works and how to generate the two (SKU and service plan) CSV files used by the script.

Remember that this script is intended to demonstrate the principles of interacting with and interpreting Entra ID user account and license information with the Microsoft Graph PowerShell SDK. It’s not intended to be a bulletproof license cost management solution. Have fun with PowerShell!


Learn how to exploit the data available to Microsoft 365 tenant administrators (like licensing information) through the Office 365 for IT Pros eBook. We love figuring out how things work.

How Many Message Center Announcements End Up Being Delayed? https://office365itpros.com/2024/02/09/message-center-posts-sdk/?utm_source=rss&utm_medium=rss&utm_campaign=message-center-posts-sdk https://office365itpros.com/2024/02/09/message-center-posts-sdk/#comments Fri, 09 Feb 2024 01:00:00 +0000 https://office365itpros.com/?p=63615

Use the Microsoft Graph PowerShell SDK to Analyze Service Update Messages

In November 2020, I wrote an article about the number of Microsoft 365 message center posts about new features that ended up being delayed. At the time, 29.27% of message center posts needed to adjust their published date for feature availability. Being of a curious nature, I wondered if Microsoft is better at predicting when they can deliver software across the spectrum of Microsoft 365 applications.

The code I used in 2020 is now obsolete. Microsoft moved the service communication API from the old manage.office.com endpoint to the service communications Graph API and access to message center posts is through the service update message resource. Because the service communications API is a full-fledged Graph API, cmdlets in the Microsoft Graph PowerShell SDK are available to work with message center posts. For instance, the Get-MgServiceAnnouncementMessage cmdlet retrieves message center posts. This command shows how to retrieve posts for the last seven days:

$SevenDaysAgo = (Get-Date).AddDays(-7)
$CheckDate = (Get-Date($SevenDaysAgo) -format s) + "Z"  
[array]$MCPosts = Get-MgServiceAnnouncementMessage -filter "StartDateTime ge $CheckDate"

Adding the “Z” to the sortable date generated by the Get-Date cmdlet is important for the filter to work.

Updating the Code

The code written in 2020 uses a registered Entra ID app to obtain an access token and fetch the message center posts. Updating the script involved:

  • Removing the code to obtain an access token and replacing it with a call to the Connect-MgGraph cmdlet specifying the ServiceMessage.Read.All scope (permission).
  • Running the Get-MgServiceAnnouncementMessage cmdlet with the All parameter to fetch all available message center posts.
  • Adjusting the script to update property names and the content returned for some properties, because the data returned for message center posts by the service communications Graph API differs from that returned by the old API.
  • Adding some code to calculate the percentage of delayed feature announcements. In 2020, this was done using Excel. The basic test for a delay is the presence of the string “(Updated)” in the title for a message center post. No attempt is made to compute the length of the delay because message center posts don’t contain a structured property with this information. Instead, information about delays is conveyed in the text. For example, “We will begin rolling out in mid-September 2023 (previously late August) and expect completion by mid-February 2024 (previously late January).”
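The “(Updated)” title test and the per-workload percentage calculation described in the list above can be sketched like this. It is an added example, not the author's GitHub script; the sample posts and their identifiers are constructed, the function name Get-DelayedPostSummary is hypothetical, and the Title and Services properties are assumed to match the objects returned by Get-MgServiceAnnouncementMessage.

```powershell
# Constructed sample posts (invented titles and ids). With a live connection the input
# would come from: Get-MgServiceAnnouncementMessage -All
$Posts = @(
    [PSCustomObject]@{ Id = 'MC000001'; Title = '(Updated) Constructed: new meeting option';    Services = @('Microsoft Teams') }
    [PSCustomObject]@{ Id = 'MC000002'; Title = 'Constructed: channel layout change';           Services = @('Microsoft Teams') }
    [PSCustomObject]@{ Id = 'MC000003'; Title = '(Updated) Constructed: sharing dialog update'; Services = @('SharePoint Online', 'OneDrive for Business') }
    [PSCustomObject]@{ Id = 'MC000004'; Title = 'Constructed: mailbox audit change';            Services = @('Exchange Online') }
    [PSCustomObject]@{ Id = 'MC000005'; Title = 'Constructed: retirement notice (updated UI)';  Services = @('Exchange Online') }
)

function Get-DelayedPostSummary {
    # Hypothetical helper: counts posts and "(Updated)" posts per workload
    param([Parameter(Mandatory)] [object[]]$Posts)

    # A post that lists several services is counted once for each of them, which is
    # why the per-workload figures are indicative rather than definitive
    $Rows = foreach ($Post in $Posts) {
        # -clike keeps the match case-sensitive, so "(updated UI)" in MC000005 is not a hit
        $IsUpdated = $Post.Title -clike '*(Updated)*'
        foreach ($Service in $Post.Services) {
            [PSCustomObject]@{ Service = $Service; Updated = $IsUpdated }
        }
    }

    $Rows | Group-Object -Property Service | ForEach-Object {
        $Updates = @($_.Group | Where-Object { $_.Updated }).Count
        [PSCustomObject]@{
            Workload       = $_.Name
            Notifications  = $_.Count
            Updates        = $Updates
            PercentUpdated = [math]::Round(100 * $Updates / $_.Count, 2)
        }
    } | Sort-Object Notifications -Descending
}

Get-DelayedPostSummary -Posts $Posts | Format-Table -AutoSize

# Overall percentage across all posts, counting each post once
$Delayed = @($Posts | Where-Object { $_.Title -clike '*(Updated)*' }).Count
"{0:N2}% of {1} posts carry the (Updated) marker" -f (100 * $Delayed / $Posts.Count), $Posts.Count
```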

Comparing Results

In 2020, the results looked like this:

Workload      Notifications   Updates   Percent updated
Teams         58              22        37.93%
SharePoint    37              14        37.84%
Exchange      30              9         30%
Yammer        10              4         44.44%
Intune        8               0         --
Power Apps    5               0         --
On February 5, 2024, the Get-MgServiceAnnouncementMessage cmdlet fetched 552 message center posts for my tenant. This is a higher number than in 2020 because the tenant subscriptions now include some Microsoft 365 E5 licenses covering more apps. The number of message center posts available in a tenant varies depending on the active subscriptions that exist within the tenant.

Figure 1 shows the results. Nearly a third of all message center posts are delayed. Teams remains the workload that issues most message center posts (83), but its performance in terms of avoiding delays has worsened from 38.93% to 57.24%. This might be due to the transition from the classic Teams client to the new Teams client (due to be complete by the end of March), or it might be that the Teams product managers have real difficulty in predicting when software might be ready for deployment.

Figure 1: Percentage of delayed message center posts by workload

Some message center posts cover multiple workloads and it’s hard to know where the responsibility lies for a delay. The data is therefore indicative rather than definitive. To be sure about where delays lie, you’d need to examine the text of each message center post and extract and collate the details.

You can download the updated script from GitHub.

Easier to Work with Message Center Posts

Being able to work with service communication data through Microsoft Graph PowerShell SDK cmdlets makes the information more accessible than before. Some of the improvements introduced by Microsoft for message center posts since 2020 aren’t available. The relevance property appears to have disappeared from the Microsoft 365 admin center and the number of active users for a workload, which does show up in the message center, is missing from the properties returned by the SDK cmdlet. But the rest of the information you might want is available and ready to be sliced and diced as you want.


Learn how to exploit the data available to Microsoft 365 tenant administrators through the Office 365 for IT Pros eBook. We love figuring out how things work.

Teams Users Can Hide the General Channel https://office365itpros.com/2024/02/08/general-channel-hide/?utm_source=rss&utm_medium=rss&utm_campaign=general-channel-hide https://office365itpros.com/2024/02/08/general-channel-hide/#comments Thu, 08 Feb 2024 01:00:00 +0000 https://office365itpros.com/?p=63530

Is Hiding the General Channel Important?

I can imagine that many who read message center notification MC711019 (29 January 2024, Microsoft 365 roadmap item 324840) to discover that Microsoft Teams is making it possible to hide the General channel for a team experienced a “so what” moment. The change rolls out to targeted release tenants in early February and reaches standard release in mid-February. By the time you read this, you might be able to indulge in the joy of hiding a general channel.

The General channel is present in all teams. It cannot be removed or renamed. Because it’s omnipresent, the General channel is regarded as the basis of a team. Teams now supports the addition of up to another 999 channels in a mixture of standard, shared, and private channels. I don’t recommend that you create such a monster unless absolutely necessary and justified with good reason, but it is possible.

Limiting General Channel Posts

With so many channels available to segregate conversations, team owners often limit posting to the General channel (Figure 1) and keep interaction there to announcements of general interest. This tactic serves to force members to consider which of the available channels is best suited to their topic and prevents a mishmash of unrelated conversations accruing in the General channel.

Figure 1: Settings for the General channel

If posting to the General channel is restricted, the channel occupies unnecessary space in the teams and channels list. This didn’t matter so much in the past, but the teams and channels list can include many more channels now and if every team in the list has a General channel, it’s obvious that less space is available to display more important channels. This is the logic behind the change.

Hide and Restore the General Channel

Team owners cannot hide the General channel for all members. Instead, individual members (both tenant users and guests) decide if they want to show or hide the channel. To hide the channel, select the […] menu beside the General channel in the list of teams and channels and then choose Hide (Figure 2). Teams then removes the channel from the displayed list.

Figure 2: Hiding the General channel for a team

If the General channel is the only channel in the team, hiding General moves the team into the list of hidden teams and displays an informational message (Figure 3). I guess this is logical. If the General channel is the only channel in a team, hiding it and keeping the team in the visible list of teams doesn’t make sense. It’s better to move the entire team to the hidden list from where users can select and show the team if necessary.

Figure 3: Hiding the General channel might hide a team

To restore the channel, select the See all channels link at the bottom of the channel list, select General, and click Show (Figure 4).

Figure 4: Restoring a hidden General channel

Alternatively, use the Channels tab in the Manage team option to unhide the channel.

The option to hide the General channel is not supported in the classic Teams client. However, if you switch from the new Teams client to the classic client and back, hidden channel settings are respected.

Reasonable and Sensible Change

Allowing users to hide the General channel is a reasonable and sensible change. There’s no doubt that not much activity happens in many General channels and removing these underused containers from the teams and channels list frees up space for more important information. A nice enhancement might be an option to remove the General channel for all teams in the Your teams (exposed) list. Then again, it’s not hard to do a one-time cleanup to hide the General channels for selected teams in that list. I must be getting lazy.


Learn about using and managing Microsoft Teams and the rest of Office 365 by subscribing to the Office 365 for IT Pros eBook. Use our experience to understand what’s important and how best to protect your tenant.

Use the Graph SDK to Access Microsoft 365 Service Health Information https://office365itpros.com/2024/02/07/service-health-data-api/?utm_source=rss&utm_medium=rss&utm_campaign=service-health-data-api https://office365itpros.com/2024/02/07/service-health-data-api/#comments Wed, 07 Feb 2024 01:00:00 +0000 https://office365itpros.com/?p=63487

Graph-based Service Communications API is now the Route to Service Health Data

In January 2021, I wrote about how to use the Office 365 Service Communications API to programmatically retrieve the service health information that’s available in the Microsoft 365 admin center (Figure 1).

Figure 1: Service Health advisory messages viewed in the Microsoft 365 admin center

At the time, the API used the manage.office.com endpoint. In December 2021, Microsoft deprecated the manage.office.com endpoint and introduced the Service Communications Graph API as the replacement. In this article, I explain how to use the API with Microsoft Graph PowerShell SDK cmdlets to retrieve service health information.

Retrieving Service Health Data

As shown in Figure 1, the active items Microsoft is working on are those that impact the service in some way, usually by removing the ability of users to do something. To find these items, run the Get-MgServiceAnnouncementIssue cmdlet and filter for items classified as advisory with a status of ‘serviceDegradation’:

[array]$ServiceHealthItems = Get-MgServiceAnnouncementIssue -All `
    -Filter "classification eq 'Advisory' and status eq 'serviceDegradation'" | `
    Sort-Object {$_.LastModifiedDateTime -as [datetime]} -Descending

$ServiceHealthItems | Format-Table Id, Title, FeatureGroup, LastModifiedDateTime

If you don’t filter the service health items, the Get-MgServiceAnnouncementIssue cmdlet returns all available issues, including those where Microsoft resolved the issue (as with many SDK cmdlets, the All switch tells the cmdlet to fetch everything). This data reveals the areas where most issues occur. In my tenant, the 346 available issues broke down as follows:

$Data = Get-MgServiceAnnouncementIssue -All
$Data | Group-Object FeatureGroup -Noelement | Sort-Object Count -Descending | Format-Table Name, Count -AutoSize

Name                                    Count
----                                    -----
Teams Components                           80
Administration                             39
E-Mail and calendar access                 27
SharePoint Features                        25
Portal                                     23
Management and Provisioning                22
Microsoft Defender for Endpoint            21
Cloud App Security                         13
Viva Engage                                10

Another interesting grouping is by service:

$Data | Group-Object Service -Noelement | Sort-Object Count -Descending | Format-Table Name, Count -AutoSize

Name                                      Count
----                                      -----
Microsoft Teams                              80
Microsoft 365 suite                          64
Exchange Online                              60
Microsoft Defender XDR                       32
SharePoint Online                            30
Microsoft Defender for Cloud Apps            25
Microsoft Viva                               12
OneDrive for Business                         8

The start date for the oldest issue was March 1, 2023. The oldest last modified date for an issue was July 31, 2023. This suggests that Microsoft might keep about six months of service issue data online. Your mileage might vary.

Fetching Overall Service Health Data

Underneath the advisory items, the Microsoft 365 admin center displays an overview showing the health for individual services like Exchange Online, Teams, SharePoint Online, and so on. This information is accessible by running the Get-MgServiceAnnouncementHealthOverview cmdlet. In my tenant, this generates a list of 32 individual services, some of which (like Sway and Microsoft Managed Desktop), I’m not interested in. I therefore amend the output by filtering the services that I consider most important:

[array]$ImportantServices = "Exchange", "Teams", "SharePoint", "OrgLiveID", "Planner", "microsoftteams", "O365Client", "OneDriveForBusiness"
[array]$ImportantServiceStatus = Get-MgServiceAnnouncementHealthOverview | Where-Object {$_.Id -in $ImportantServices}
$ImportantServiceStatus | Sort-Object Service | Format-Table Service, Status -AutoSize

Service            Status
-------            ------
Exchange Online    serviceDegradation
Microsoft 365 apps serviceOperational
Microsoft Entra    serviceOperational
Microsoft Teams    serviceDegradation
Planner            serviceOperational
SharePoint Online  serviceDegradation

Using Service Health Data to Highlight Current Advisories

Many people will be perfectly happy to access service health information via the Microsoft 365 admin center. The advantage of using an API to retrieve the same information is that you can then use it in whatever way you think appropriate. As a working example to demonstrate what’s possible, I wrote a script that can run interactively or as an Azure Automation runbook using a managed identity.

The script retrieves the open service health advisories and creates an email with an HTML-format report containing the service data that is sent to nominated recipients (any mixture of mail-enabled objects, including individual mailboxes, distribution lists, and Microsoft 365 groups). The idea is to keep the recipients updated about progress with open issues that Microsoft is working on. Figure 2 shows an example email generated using the service advisories published in my tenant.

Figure 2: Email detailing open service health advisories

After it’s extracted, the report can be disseminated in other ways. For instance, you could publish it as a Teams channel message.

You can download the script from GitHub.
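The report-building step described above, turning open advisories into an HTML message body, can be sketched as follows. This is an added example, not the script from GitHub; the issues, recipient and sender addresses are constructed placeholders, and the helper names ConvertTo-HtmlText and New-AdvisoryMailBody are hypothetical.

```powershell
# Constructed sample issues shaped like Get-MgServiceAnnouncementIssue output
# (Id, Title, Service, Status, LastModifiedDateTime). All values are invented.
$Issues = @(
    [PSCustomObject]@{ Id = 'EX000001'; Title = 'Constructed: delays sending mail to <external> domains'
                       Service = 'Exchange Online'; Status = 'serviceDegradation'
                       LastModifiedDateTime = [datetime]'2024-02-05T10:15:00Z' }
    [PSCustomObject]@{ Id = 'TM000002'; Title = 'Constructed: presence not updating & chat delays'
                       Service = 'Microsoft Teams'; Status = 'serviceDegradation'
                       LastModifiedDateTime = [datetime]'2024-02-06T08:40:00Z' }
)

function ConvertTo-HtmlText {
    # Encode text taken from the API before placing it in HTML so that characters
    # such as < and & in a title cannot alter the markup of the report
    param([string]$Text)
    [System.Net.WebUtility]::HtmlEncode($Text)
}

function New-AdvisoryMailBody {
    # Builds the hashtable that Send-MgUserMail accepts through -BodyParameter
    param(
        [Parameter(Mandatory)] [object[]]$Issues,
        [Parameter(Mandatory)] [string[]]$Recipients
    )
    # Most recently updated advisories first
    $Rows = foreach ($Issue in ($Issues | Sort-Object LastModifiedDateTime -Descending)) {
        '<tr><td>{0}</td><td>{1}</td><td>{2}</td><td>{3:yyyy-MM-dd HH:mm}</td></tr>' -f `
            (ConvertTo-HtmlText $Issue.Id), (ConvertTo-HtmlText $Issue.Service),
            (ConvertTo-HtmlText $Issue.Title), $Issue.LastModifiedDateTime
    }
    $Html = "<html><body><h2>Open service health advisories ($($Issues.Count))</h2>" +
            "<table border='1' cellpadding='4'>" +
            "<tr><th>Id</th><th>Service</th><th>Title</th><th>Last updated</th></tr>" +
            ($Rows -join "`n") + "</table></body></html>"

    @{
        Message = @{
            Subject      = "Service health advisories: $($Issues.Count) open"
            Body         = @{ ContentType = 'HTML'; Content = $Html }
            ToRecipients = @($Recipients | ForEach-Object { @{ EmailAddress = @{ Address = $_ } } })
        }
        SaveToSentItems = $false
    }
}

$Mail = New-AdvisoryMailBody -Issues $Issues -Recipients 'ops-team@example.com'
$Mail.Message.Body.Content

# In a runbook using a managed identity, the same body would be sent with (not run here):
#   Connect-MgGraph -Identity
#   $Issues = Get-MgServiceAnnouncementIssue -All -Filter "classification eq 'Advisory' and status eq 'serviceDegradation'"
#   Send-MgUserMail -UserId 'sender@example.com' -BodyParameter (New-AdvisoryMailBody -Issues $Issues -Recipients 'ops-team@example.com')
```

The identity that runs the commented commands needs the ServiceHealth.Read.All permission to read issues and Mail.Send to send the message.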

Disrupted Change

Changing the details of an API is always disruptive. It’s not just the new endpoint. It’s also the way that the API returns data. Everything must be checked and verified. At least now the Service Communications API is part of the Microsoft Graph. As such, the level of change should be minimal in the future and we have the added benefit of PowerShell cmdlets to work with.


Microsoft Cloud Revenues Powered by Office 365 https://office365itpros.com/2024/01/31/office-365-reaches-400-million/?utm_source=rss&utm_medium=rss&utm_campaign=office-365-reaches-400-million https://office365itpros.com/2024/01/31/office-365-reaches-400-million/#respond Wed, 31 Jan 2024 10:05:13 +0000 https://office365itpros.com/?p=63551

Office 365 Reaches 400 Million Paid Seats

Microsoft reported revenue of $62 billion and operating income of $27 billion for the second quarter of their FY24 fiscal year. Emphasizing the importance of cloud computing to Microsoft, almost 55% of their revenue ($33.7 billion) came from the “Microsoft Cloud,” an amorphous term for a collection of cloud products including Office 365, Azure, LinkedIn, and Dynamics 365.

Figure 1: Microsoft FY24 Q2 Results

A year ago, the number was $25.7 billion. Growing quarterly revenue by $8 billion in a year is pretty special. The annualized run rate for the Microsoft Cloud is now $134.8 billion.

Copilot Optimism

Microsoft didn’t comment about any impact on Microsoft Cloud revenues generated by the Copilot products they have released to date. They said that 10,000 organizations use Copilot Studio to create add-ons for Copilot for Microsoft 365 and that Copilot for Microsoft 365 had “faster adoption than either our E3 or E5 suites.” However, they didn’t give any comparative data to prove the point. Anyway, it’s impossible to compare the adoption rate for a product introduced to an installed base of 400 million users against a new product like Office 365 E3 that had to cope with the initial inertia of moving from on-premises systems to the cloud.

We heard once again that “Copilot for Microsoft 365 users were 29% faster in a series of tasks like searching, writing, and summarizing.” What Microsoft didn’t say is that your mileage will vary depending on the quality of the user interaction and the data available in your tenant. Interestingly, Satya Nadella spoke about his own experience of Copilot and the value he gains from summarization of Teams meetings, email, and documents. He said that summarization “has become a big deal.” I agree. I think summarization is a way people can get immediate value from AI that’s just harder to achieve with generated text.

My recommendation is to ignore the ongoing hype around Copilot for Microsoft 365 and focus on a hard-nosed assessment of what the technology can and cannot do in your environment.

Office 365 News

Microsoft said that Office 365 commercial seats grew 9% year over year, “driven by small and medium business and frontline worker offerings.” Satya Nadella said that the growth put the number of paid Office 365 seats at “over 400 million”. It seems like they have been at or around this number for the last few quarters. In April 2023, Microsoft reported 382 million Office 365 paid seats. For years, Office 365 has grown at around 2.5 million seats per month. Adding 22.5 million to the 382 gives 404.5 million. Microsoft didn’t give a figure for the number of active Office 365 users, so it’s hard to do an apples-to-apples comparison against the data available for years before FY22. Even so, the interesting thing is that Office 365 active users continue to grow at a reasonable rate.

  • April 2017: 100 million.
  • October 2019: 200 million.
  • December 2021: 300 million.
  • January 2024: 400 million.

CFO Amy Hood continued to emphasize the increased expansion of average revenue per user (ARPU), meaning that Microsoft extracts more money per user. They do this by selling add-ons like Teams Premium and convincing customers to upgrade licenses to more expensive packages such as Microsoft 365 E5. In an answer to an analyst question, she also said that the new seats being added come from small to medium organizations and so are “lower RPU seats.” However, they are new seats, and the opportunity exists to sell upgrades to those seats, including Copilot (either the new Copilot Pro for individual users or Copilot for Microsoft 365).

EMS Reaches 268 Million

Microsoft has reported a number for active Enterprise Mobility and Security (EMS) users over the last few quarters. In FY24 Q1, the number was 259 million. Now it’s 268 million. Growing by nine million in a quarter is better than the three million achieved between FY23 Q4 and FY24 Q1, but as I noted last time round, I suspect that the FY23 Q4 number was a glitch.

The Remarkable SLA Performance of Office 365

Another recent statistic is the 99.996% performance against the Office 365 SLA during the last quarter of 2023. The last time Microsoft had any kind of dip in performance against the Office 365 SLA was the first quarter of 2013, when they achieved 99.94%. So much for all the fears about the reliability of cloud services.

This doesn’t mean that Microsoft’s cloud services are perfect because they are not. Outages happen all the time and some outages affect hundreds of thousands of users. However, the distribution of tenants across multiple datacenter regions and the availability features incorporated into services like Exchange Online, SharePoint Online, and Teams means that an individual problem seldom has any impact on the SLA.

On to the next quarter – and the next hundred Office 365 seats.


Support the work of the Office 365 for IT Pros team by subscribing to the Office 365 for IT Pros eBook. Your support pays for the time we need to track, analyze, and document the changing world of Microsoft 365 and Office 365.

Copilot for Teams Extracts Real Value from Meeting Transcripts https://office365itpros.com/2024/01/22/copilot-for-teams-meeting/?utm_source=rss&utm_medium=rss&utm_campaign=copilot-for-teams-meeting https://office365itpros.com/2024/01/22/copilot-for-teams-meeting/#comments Mon, 22 Jan 2024 01:00:00 +0000 https://office365itpros.com/?p=63345

Too Many Meetings – Perhaps an Opportunity for Copilot for Teams

We live in a world of perpetual meetings. At least, it seems like that at times. Microsoft has invested substantial effort to make team meetings more useful (and bearable) through innovations like avatars and the Meet app. To help people manage their calendars more intelligently, since 2015, enterprise Office 365 SKUs include analytics information about meeting habits (now in Viva Insights – Figure 1) based on calendar events. Humans are creatures of habit, so whether anyone uses analytics to moderate how they participate in meetings is quite another matter.

Figure 1: Viva Insights analyzes meeting habits.

Generating Meeting Content from Transcripts

This brings me to Copilot for Teams (part of Copilot for Microsoft 365) and its ability to generate meeting notes for Teams meetings and allow people to ask questions about what happened during a meeting. This aspect of Copilot for Microsoft 365 is one of its most compelling features.

Copilot uses the meeting transcript to generate notes and summaries. The transcript captures spoken contributions to meetings, including speaker attributions, in the form of short snippets. The transcript later becomes the basis for the captions for the meeting recording.

Copilot needs about five minutes of transcript capture before it can make sense of what’s happening in a meeting. After this point, participants can query Copilot to prompt for information about topics, action items, and contributions based on what’s happened in the meeting so far. This is all very nice, but if you’re paying attention to the meeting, you’ll probably be able to figure out how to move the meeting forward or end discussion about a topic. On the other hand, people who nod off (as I have) in a meeting or pay more attention to email or chat while others are talking will appreciate the ability to catch up.

True magic happens once the meeting is over. I really like the AI notes generated from the transcript. The overall accuracy of the notes is reasonably high, but it’s important to check the notes before accepting that AI-generated text is a full and faithful account of meeting proceedings. Some errors are simple (like referring to Michel de Rooij as Michelle – Figure 2). Other errors are more fundamental when the AI misunderstands what was said.

Figure 2: Using a meeting transcript to interact with Copilot for Teams

What’s really good is using Copilot for Teams to interrogate the meeting notes. Microsoft’s documentation suggests some questions to ask, like what was the mood of a call. I asked Copilot to summarize the mood of a recent call about the Office 365 for IT Pros eBook (Figure 2), and was told:

The mood of the meeting was mostly friendly and cooperative, with some jokes and banter among the participants. There were no signs of conflict or tension, and everyone seemed to respect each other’s opinions and contributions. The only exception was when Tony made a sarcastic remark about Paul’s airplane being stuck in the snow, which Paul did not appreciate. 1 However, this did not seem to affect the overall tone of the meeting, which was positive and productive.

I’m not sure that I was being sarcastic when I asked Paul about his airplane being grounded by 7 inches of snow in a Kentucky municipal airport, but there you are. Like other aspects of Copilot for Microsoft 365, extracting full value from meeting notes with Copilot can only occur when users receive education about how to interact with the AI.

The intelligent recap feature available in Teams Premium includes some of the capabilities used by Copilot for Teams like AI-generated notes. The big difference between the two is that intelligent recap only includes a static transcript that can’t be interrogated after the event.

Using Copilot Without a Meeting Transcript

Originally, meetings had to be recorded and transcribed for Copilot to work. This is a suitable arrangement for most meetings, but sometimes people don’t want to record sensitive meetings. A Teams meeting option is available to allow Copilot to work without recording a meeting. Essentially, instead of capturing a permanent transcript that’s stored for eDiscovery purposes, Teams uses Microsoft Audio Services to create a temporary transcript that Copilot can use during the meeting. Once the meeting concludes, Teams discards the transcript.

Chasing Value from Copilot

Hype surrounds Copilot for Microsoft 365. Despite the removal of previous limitations, a Copilot deployment still involves a $30/user/month investment with a year-long commitment. In other words, a ten-user test will cost $3,600 for Copilot licenses. Figuring out how to extract value from that investment is important unless you like throwing money away. Extracting information from Teams meeting transcripts can be extraordinarily valuable for some people (I wish I had had this capability available when I worked as a Vice President in HP). Whether it’s sufficient to justify the investment in Copilot is a question that only you can answer.


Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.

Ignore the Hype Surrounding the Copilot Announcement
https://office365itpros.com/2024/01/18/copilot-for-microsoft-365-deployment/
Thu, 18 Jan 2024 01:00:00 +0000

Extract Value from Copilot for Microsoft 365 Deployments

Microsoft’s January 15 announcement removing the limitations on Copilot for Microsoft 365 purchases sparked an avalanche of commentary. Regretfully, many of the words published merely recycled text and added nothing to the debate, perhaps because the authors really don’t know too much about how Copilot for Microsoft 365 works and what it does. A knowledge vacuum often appears following the debut of new technology with a high ratio of noise to signal sprouting across many blogs and articles. I think we’re in that kind of environment now. Hopefully, the Copilot hype will calm down as knowledge takes root. We’ll see.

Lower Cost Copilot for Microsoft 365 Deployments

As a recap, the announcement boils down to two points:

  • The previous requirement to purchase 300 Copilot for Microsoft 365 licenses is gone. You can buy any quantity from one up at $30/user/month. Following its usual pattern, Microsoft insists on a year-long commitment, so you sign up to pay $360/user.
  • Office 365 E3 and Office 365 E5 are now eligible platforms to host Copilot for Microsoft 365. As I pointed out last August, making Microsoft 365 E3 and E5 the only eligible platforms for enterprise customers was a somewhat cynical exercise in product packaging.

Taken together, the result of the announcement makes it much easier for organizations to run Copilot for Microsoft 365 in their own environment to measure if generative AI makes sense for them. Instead of a minimum $108,000 spend in the first year plus the potential costs of upgrading base licenses to Microsoft 365 E3 or E5, an Office 365 E3 tenant can spend $3,600 for a ten-user test. That level of expenditure is much more palatable and makes it more likely that tenants will sign up to kick the Copilot tires. Currently, trial licenses are unavailable for Copilot for Microsoft 365.

Aspects to Consider About Copilot for Microsoft 365 Deployments

Until now, the organizations contemplating Copilot deployments have largely been at the high end of the enterprise sector. Usually, those organizations have large staffs available to research and plan steps in a comprehensive deployment plan. Smaller tenants might not have the same resources. If your tenant is considering signing up for Copilot for Microsoft 365, here are a few points to consider when thinking about a Copilot for Microsoft 365 deployment:

  • Office 365 E3 is enough to support Copilot for Microsoft 365. E3 includes Purview solutions like sensitivity labels, retention policies, eDiscovery, and auditing, all of which are supported by Copilot operations. E5 introduces more automatic processing like auto-label policies and better eDiscovery. You do not need to upgrade to a higher-cost Office 365 or Microsoft 365 license unless you find a good reason and value to do so. Likewise, you don’t need add-on products like Viva Pulse to be successful with Copilot for Microsoft 365.
  • App upgrades might be necessary. Copilot for Outlook only supports the Outlook Monarch and OWA clients. Microsoft could have implemented Copilot in such a way as to support the Win32 client, but they haven’t. Copilot for Teams supports the new Teams client. Given that Microsoft will retire the old Teams client and automatically upgrade users to the new client on March 31, 2024, this shouldn’t be an issue.
  • The concepts of “data in use” and “data available for use” are important. Data in use is information Copilot processes when working with an open file, including local files, files stored on a network share, or files from a third-party repository. Data available for use describes the information stored in Microsoft 365 repositories like SharePoint Online sites and OneDrive for Business accounts. Storing as much data as possible in Microsoft 365 creates an abundance of information for Copilot to interrogate when it responds to user prompts. Only items accessible to the user through search can be used by Copilot. This includes information loaded into a tenant through a third-party connector. Figuring out what data is available to Copilot, where the data is stored, and the accuracy of the data is a big part of any deployment. Cleaning up an existing SharePoint Online/OneDrive for Business environment will probably take longer than you think.
  • Copilot depends on the semantic index. Think of the semantic index as a tweaked version of Microsoft Search that’s optimized for interrogation by generative AI tools like Copilot. When users create or import new information and store it in a Microsoft 365 repository, the content ends up in the semantic index.
  • Good prompting is a skill for users to acquire. Prompts instruct Copilot what to do. When you ask Copilot to do something, its input to the Large Language Model includes the user prompt and implicit or explicit references to ground (add context to) the prompt. Implicit references are documents and files found by Copilot through Graph searches. Explicit references are documents specified by users when they create a prompt. In my experience, explicit references help ground Copilot better because they create a more precise set of information for the AI to work with. Implicit references can find incorrect or invalid information that finds its way into Copilot responses. Everything good flows from well-crafted prompts, so make sure that users are prepared to interact with Copilot.
  • If your tenant uses sensitivity labels to protect confidential information, review the usage rights assigned in labels to ensure that Copilot can’t access documents stamped with highly sensitive labels. It’s been common practice to add rights to labels to allow anyone in an organization to have read access to documents (Figure 1). The content of protected documents is accessible by Copilot if the rights assigned to the signed-in account include View (see the content) and Extract (use the content). Now is a good time to review the rights assigned in labels and decide if the rights should be more specific (assigned to accounts and groups rather than everyone) and limited. This article explains how to generate a report of sensitivity label settings with PowerShell.

Figure 1: Assigning usage rights for a sensitivity label
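
The label review described in the last bullet can be scripted once the rights assigned in each label are in tabular form. This is an added example, not code from the original article: the rows, label names, column names, and the list of "broad" identities are constructed for illustration, and in a tenant the rows would come from a report of sensitivity label settings.

```powershell
# Constructed sample data: one row per rights assignment in a label.
# The column names (Label, Identity, Rights) are assumptions for this example,
# not the output format of any Microsoft cmdlet.
$LabelRights = @(
    [pscustomobject]@{ Label = 'General';          Identity = 'AuthenticatedUsers';       Rights = 'VIEW,EXTRACT,PRINT' }
    [pscustomobject]@{ Label = 'Confidential';     Identity = 'AuthenticatedUsers';       Rights = 'VIEW' }
    [pscustomobject]@{ Label = 'Board Only';       Identity = 'board@contoso.example';    Rights = 'VIEW,EXTRACT,DOCEDIT' }
    [pscustomobject]@{ Label = 'Mergers';          Identity = 'all-staff@contoso.example'; Rights = 'OWNER' }
    [pscustomobject]@{ Label = 'Legal Privileged'; Identity = 'legal@contoso.example';    Rights = ' view , reply ' }
)

# Identities treated as "everyone in the organization" (assumption; adjust per tenant)
$BroadIdentities = @('AuthenticatedUsers', 'all-staff@contoso.example')

function Test-CopilotCanUse {
    # Returns $true when a rights string grants both View and Extract,
    # the combination the article says makes protected content usable by Copilot.
    param([string]$Rights = '')
    $Granted = $Rights.Split(',') |
        ForEach-Object { $_.Trim().ToUpperInvariant() } |
        Where-Object { $_ }
    # OWNER (Full Control) implies every usage right, including View and Extract
    if ($Granted -contains 'OWNER') { return $true }
    return (($Granted -contains 'VIEW') -and ($Granted -contains 'EXTRACT'))
}

$Report = foreach ($Row in $LabelRights) {
    $Usable = Test-CopilotCanUse -Rights $Row.Rights
    [pscustomobject]@{
        Label         = $Row.Label
        Identity      = $Row.Identity
        CopilotCanUse = $Usable
        # Flag for review only when a broad identity holds the usable combination
        Review        = ($Usable -and ($BroadIdentities -contains $Row.Identity))
    }
}

$Report | Sort-Object Review -Descending | Format-Table -AutoSize
```

Rows flagged for review are the ones where rights could be narrowed to specific accounts and groups or reduced so that Extract is not granted.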

No Silver Bullet

In the deployment of any technology, it’s critical to have a clear idea of why the technology is needed, how it will be used, the expected benefits, how to measure success, and the expected user group. Microsoft’s removal of limitations surrounding Copilot for Microsoft 365 is very welcome, especially because of the reduced cost. But widening Copilot availability does not make it a silver bullet. Like any other technology, Copilot brings its own strengths and challenges. I look forward to learning more about them during 2024.

Recent Stream Updates Enhance Video Functionality
https://office365itpros.com/2024/01/10/stream-browser-app-updates/
Wed, 10 Jan 2024 01:00:00 +0000

Enhancements to Stream Browser App Make it Easier to Consume Video

Stream’s proclaimed mission is to make video as easy to work with inside Microsoft 365 as documents and email are. We’re in the final stages of the transition from Stream Classic to Stream on SharePoint. The reminder published in message center notification MC703758 says that Microsoft will close down Stream classic on April 15, 2024 and remove any remaining videos stored in that platform after that date. In other words, it’s way past the best time to migrate.

With that cheery thought in mind, let’s do a quick fly-past of recent developments in Stream.

Changes to Stream Browser App

Although Stream is embedded in many places within Microsoft 365, the browser app is the most obvious instantiation of Stream. It’s the app launched when users select Stream from the app menu. A bunch of small but important changes have appeared in Stream that might have escaped your attention. For instance, Microsoft has given the Stream browser app a visual makeover (Figure 1) to include new choices for filtering and a screen recording capability (the old ‘recording’ option is now ‘camera recording’). The filtering options include fast access to Teams meeting recordings and the videos you’ve shared with others.

Figure 1: The Stream browser app

Stream in Teams

Examples of where Stream shows up elsewhere in Microsoft 365 include the Stream web part for SharePoint pages, the Stream app in Teams (really just a version of the Stream browser app), and being able to preview and play Stream videos inline in Teams chat and channel conversations. The latter functionality is covered by MC649917 (last updated 15 December 2023, Microsoft 365 roadmap item 127596) and it’s taken a while to deploy. The latest update is that deployment should complete worldwide by the end of January 2024.

What this means is that people can copy a link for a video from the Stream browser app and insert it into a Teams message. In the example shown in Figure 2, the video is stored in a SharePoint document library. The nice thing is that the viewers don’t need to know anything about where a video comes from (the location is shown beneath the video if someone really wants to know). The important thing is if the link allows access, users can play the video inline and have access to features like the transcript, chapters, and comments.

Figure 2: Stream video playing inline in a Teams channel conversation

Share but No Download

Speaking of sharing, message center notification MC699712 (December 19, 2023) announced a change to the sharing link setting with the addition of the “Can view, but not download” option to the permission drop down. This change is supposed to hit targeted release tenants in mid-December, but I haven’t seen it yet and still have the old sharing experience (Figure 3).

Figure 3: You can generate sharing links to block downloads for Stream videos

Some folks are unaware that you can send sharing links which block downloads, so that’s why I include it here. Stay tuned for the improved version.

Analytics and the Timeline

Stream has supported access to video analytics for a couple of years. The latest addition is the ability to superimpose details of viewer retention on a video as it is viewed by its owner. Previously this functionality was available as part of the analytics available in the flyout panel. As shown in Figure 4, as a video advances through its timeline, analytics shows the percentage of engaged viewers at any point.

Figure 4: Viewer retention percentage shown on a video timeline

Clearly the aim is to retain viewers until the end of a video but it’s natural to see some drop-off toward the end, which is why it’s important to communicate important messages early.

Preview Mode

Another new feature is the ability to preview a video so that the owner sees the content as others do when they view it. This option is available when playing a video. Previewing allows access to the transcript, analytics, and comments but not video settings. Oddly, the route back to owner mode is to click the Edit button.

It seems like preview mode is associated with the update described in message center notification MC698135 (December 14, 2023, Microsoft 365 roadmap item 124992). The notification covers the difference between View mode and Edit mode and says that the default mode will be View to prevent inadvertent changes to video metadata happening when users with edit access open videos. At the time of writing, I see videos open in edit mode so the change hasn’t reached my tenant (deployment is due to be complete by the end of January 2024).

Hyperlinks and Forms in Videos

More changes are described in MC688631 (last updated December 14, 2023, Microsoft 365 roadmap item 180795) where video owners can add a hyperlink or text callout to videos. The callouts are associated with specific points in the video timeline and appear when viewers reach those points. MC688632 (9 November 2023, Microsoft 365 roadmap item 180796) describes much the same except that the timeline insertion covers surveys, quizzes, or polls created with Microsoft Forms.

Large Video Files and Automatic Transcript Generation

MC635989 (last updated 5 October 2023, Microsoft 365 roadmap item 124932) promised that automatic generation of transcripts for videos uploaded to SharePoint Online, Viva Engage (Yammer), and Office.com would be complete for standard tenants by the end of December 2023.

That is, unless your videos are too large. I noticed that a video of a podcast I recorded with the CodeTwo Software team at the European SharePoint Conference didn’t have a transcript. When I tried to generate a transcript manually, Stream informed me that transcript generation only caters for videos with a maximum size of 4 GB. That’s a good limitation to know because many professional high-definition videos can generate very large files (11.8 GB in this case).

Odd Video Search

While working with videos in the Stream browser app, I noticed the availability of a Visual Search option button when hovering over videos (Figure 5). I hadn’t seen this button before, but that could be the result of my inability to find options.

Figure 5: The visual search option in the Stream browser app

But I suspect it’s related to the announcement in MC681879 (16 October 2023, Microsoft 365 roadmap item 117552) covering improvements in video search for Office.com and SharePoint. In any case, clicking the button causes Stream to perform a visual search. I’m not sure what criteria Stream uses for the search but it generated some odd results from YouTube (Figure 6). At least, results that I couldn’t correlate with the selected video.

Figure 6: Using Visual Search in the Stream browser app

Stream Evolving Fast

Because Stream is available in places like SharePoint and Teams it’s easy not to have a reason to go near the browser app for months at a time. The experience gained here revealed that because Stream is evolving fast it’s wise for tenant administrators to keep an eye on what’s happening, just in case you’re asked if a capability is available for video files. It’s just plain embarrassing when a feature exists and you aren’t aware of it.


Learn how to exploit the data available to Microsoft 365 tenant administrators through the Office 365 for IT Pros eBook. We love figuring out how things work.

Creating Viva Engage Communities with the Graph API
https://office365itpros.com/2024/01/03/viva-engage-community-graph/
Wed, 03 Jan 2024 01:00:00 +0000

Beta API Can Create and List a Viva Engage Community

Message center notification MC701523 (24 December 2023, Microsoft 365 roadmap item 178311) marks the start of Graph API support for Viva Engage with a beta Community API to create and list Viva Engage communities. The API is limited to modern Viva Engage (Yammer) networks. All new networks are modern. The key point is that modern networks use Microsoft 365 groups to manage community membership.

This step marks the initial Graph API support for Viva Engage. Yammer has long had its own APIs but embracing the Graph is an inevitable part of integrating with the wider Microsoft 365 ecosystem (Graph support for Viva Engage activity data is already available). For whatever reason, the old Yammer engineering group resisted integration with Microsoft 365 for many years following the 2012 acquisition. That tactic didn’t work well in terms of driving Yammer use. Fortunately, Microsoft saw sense some years ago and began down the path to transition Yammer to Viva Engage in 2022.

PowerShell Code to Create a New Viva Engage Community

Creating a new Viva Engage community is simple. The API supports both delegated and application permissions. To make things easy, I used an interactive session with the Microsoft Graph PowerShell SDK. These commands:

  • Connect to the Graph SDK endpoint with the necessary scope (permission).
  • Define the URI for the Communities endpoint.
  • Create a hash table containing the parameters for the new community.
  • Convert the hash table to a JSON-format variable.
  • Post to the Communities endpoint using the JSON variable as the request body.

Connect-MgGraph -Scopes Community.ReadWrite.All -NoWelcome
$Uri = "https://graph.microsoft.com/beta/employeeExperience/communities"
$VivaCommunityParameters = @{
  "displayName" = "Viva Engage Technical Discussions"
  "description" = "A community where everyone gets together to discuss the technology that drives Viva Engage and its communities."
  "privacy" = "Public"
}
$VivaCommunityBody = $VivaCommunityParameters | ConvertTo-Json
Invoke-MgGraphRequest -Uri $Uri -Method POST -Body $VivaCommunityBody -StatusCodeVariable "Status"

Figure 1 shows the new community as it appears in the Viva Engage web app.

Figure 1: New Viva Engage community created using the Graph API

Because Viva Engage communities depend on Microsoft 365 groups to manage their membership, creating a community also creates a Microsoft 365 group with a single owner and single member (the signed-in account). The current version of the API doesn’t support specifying a different account as the owner or additional members in the request body. This issue is easily addressed by running the New-MgGroupOwnerByRef and New-MgGroupMember cmdlets after creating the community. See this article for more information.

The API does not support creating a community using an existing group. You can only create a new community with a new group.

Points About Creating a Community

Specifying the StatusCodeVariable parameter when running the POST request with Invoke-MgGraphRequest to create a new community returns a status value in a variable with the name of the passed string (in this case, $Status). A 202 value means that the request successfully created the community.

The unfortunate thing is that the value returned doesn’t include the Viva Engage identifier used with the Get method to retrieve details of the new community. The Viva Engage (Yammer) identifier is not the same as the Entra ID group identifier. Instead, it’s a Base64 value like eyJfdHlwZSI6Ikdyb3VwIiwiaWQiOiI4MzIxMjc1In0 (equating to {"_type":"Group","id":"8321275"}). The Get method requires the identifier to fetch details of a community and doesn’t support fetching details of all communities. That seems like an oversight that Microsoft should fix before the API attains general availability.
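
The identifier format described above can be decoded and rebuilt offline, which helps when a Get request is rejected and you need to check what an identifier actually contains. This is an added example, not code from the original article: the function names are hypothetical, the sample identifier is the one quoted above, and the Get URI assumes the identifier is appended to the Communities endpoint as the last path segment.

```powershell
function ConvertFrom-VivaEngageId {
    # Decode a Viva Engage community identifier into its JSON fields
    param([Parameter(Mandatory)][string]$Id)
    $Padded = $Id.Trim()
    # The identifier omits Base64 '=' padding, which FromBase64String requires
    switch ($Padded.Length % 4) {
        2 { $Padded += '==' }
        3 { $Padded += '=' }
        1 { throw "Identifier length $($Padded.Length) cannot be valid Base64" }
    }
    try {
        $Bytes  = [System.Convert]::FromBase64String($Padded)
        $Json   = [System.Text.Encoding]::UTF8.GetString($Bytes)
        $Object = $Json | ConvertFrom-Json -ErrorAction Stop
    } catch {
        throw "Identifier does not decode to JSON: $($_.Exception.Message)"
    }
    # Only the shape shown in the article is accepted: a Group type with an id
    if ($Object._type -ne 'Group' -or -not $Object.id) {
        throw "Decoded identifier is not a Group reference: $Json"
    }
    return $Object
}

function ConvertTo-VivaEngageId {
    # Build the identifier from a numeric Yammer group id
    param([Parameter(Mandatory)][string]$YammerGroupId)
    if ($YammerGroupId -notmatch '^\d+$') {
        throw "Expected a numeric Yammer group id, got '$YammerGroupId'"
    }
    # Field order and compact form match the JSON shown in the article
    $Json  = [ordered]@{ '_type' = 'Group'; 'id' = $YammerGroupId } | ConvertTo-Json -Compress
    $Bytes = [System.Text.Encoding]::UTF8.GetBytes($Json)
    return [System.Convert]::ToBase64String($Bytes).TrimEnd('=')
}

# Identifier quoted in the article
$SampleId = 'eyJfdHlwZSI6Ikdyb3VwIiwiaWQiOiI4MzIxMjc1In0'
$CommunitiesUri = 'https://graph.microsoft.com/beta/employeeExperience/communities'

$Decoded = ConvertFrom-VivaEngageId -Id $SampleId
$Rebuilt = ConvertTo-VivaEngageId -YammerGroupId $Decoded.id

[pscustomobject]@{
    YammerGroupId = $Decoded.id
    RebuiltId     = $Rebuilt
    RoundTripOk   = ($Rebuilt -ceq $SampleId)
    # Assumption: the Get method takes the identifier as the final path segment
    GetUri        = "$CommunitiesUri/$Rebuilt"
}
```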

Another bug is that if you specify “public” (lowercase p) in the parameters, the API sets the new community to be private. You must set the value to be “Public” if you want to create a public community.

Interaction with Microsoft 365 Groups

The new API can create a group but it cannot update group properties (like its photo) or group membership. Most group properties are still controlled by Yammer APIs and are inaccessible through the Graph. In addition, you’ll find that most attempts to update group settings like the access type (public or private) using the Set-UnifiedGroup or Update-MgGroup cmdlets fail.

However, you can run the Add-UnifiedGroupLinks cmdlet to populate the new community with owners and members. Here’s an example of adding four members to a community:

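$GroupId = (Get-UnifiedGroup -Filter {displayName -eq 'Viva Engage Technical Discussions'}).ExternalDirectoryObjectId
[array]$Members = "Lotte.Vetler", "James.Ryan", "Chris.Bishop", "Andy.Ruth"
# Add the four accounts to the membership of the group behind the community
Add-UnifiedGroupLinks -Identity $GroupId -LinkType Members -Links $Members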

A Start Along the Road to Fully Embracing the Graph

All beta APIs tend to exhibit imperfections and bits that are incomplete. Being able to create new Viva Engage communities using the Graph is a good step forward but it’s only the start of the transition from the old Yammer APIs. We look forward to seeing more progress on this point in the future.


Don’t Feed Large Reference Documents to Copilot for Word
https://office365itpros.com/2024/01/02/copilot-for-word-reference/
Tue, 02 Jan 2024 01:00:00 +0000

Copilot for Word Reference Documents Can be Too Large to Process

I’m happily using Copilot for Word to generate, refine, and summarize text when I run into an issue that afflicts all AI technologies based on large language models (LLMs): the prompts generated for the LLM to process support a limited number of characters. I can’t say precisely what that limit is because I can’t find any documentation for the issue, but I can say that incorporating a large reference document into a prompt causes Copilot some difficulty.

Take the prompt shown in Figure 1. As a reference document, I added a 518 KB 27-page Word document which happens to be the first chapter of the Office 365 for IT Pros eBook. I asked Copilot to use the information to help it generate a brief overview of the value Office 365 brings to customers.

Figure 1: Adding a reference document to a Copilot for Word prompt

Copilot worked away and began to generate text. After several seconds, the output was ready but came with the caveat that Copilot couldn’t process the reference document fully (Figure 2). The output generated by Copilot is “based only on the first part of those files.” In some cases, this might not make a difference, but the latter half of the reference document contained information that I thought Copilot should include.

Figure 2: Copilot for Word reports a reference document is too long

The question is why can’t Copilot use the full content of large reference documents. Here’s what I think is happening.

Grounding and Retrieval Augmented Generation

Copilot for Word uses reference documents to help ground the prompt entered by the user with additional context. In other words, the content of the reference document helps Copilot understand what the user wants. Copilot uses a technique called Retrieval Augmented Generation (RAG). According to an interesting Microsoft article about grounding LLMs, “RAG is a process for retrieving information relevant to a task, providing it to the language model along with a prompt, and relying on the model to use this specific information when responding.”

Limits exist in grounding large language models. Copilot allows users to include a maximum of 2,000 characters in their prompts. Copilot adds content extracted from the reference documents and other information found in the semantic index to the prompt to provide the context for the LLM to process. The semantic index holds information about documents available to the user stored in SharePoint Online or OneDrive for Business or ingested via a Graph Connector. The maximum size of a prompt must cover whatever the user enters plus the information extracted from reference documents during grounding.

I have very large Word documents of well over 1,000 pages, but it would be unreasonable to tell Copilot to use these files to ground prompts. There’s too much content covering too many varying topics for Copilot to make much sense of such beasts.

Good Copilot for Word Reference Documents

A good reference document is one whose content is adjacent to the topic you ask Copilot to generate text about. Ideally, the document is well structured by being divided into clear sections that cover different points. A human should be able to scan the document quickly and tell you what it’s about. My tests indicate that Copilot for Word generates the best results when reference documents are structured, contain material pertinent to the prompt, and are less than 10 pages. Your mileage might vary.

Although chapter 1 of the Office 365 for IT Pros eBook is packed full of useful and pertinent information, it’s just too much for Copilot to consider when attempting to respond to the user prompt. Copilot would be much happier if I provided it with a five-page overview of Office 365.

Other Copilots Have Limits Too

Encountering difficulties using long reference documents is similar to the limit that exists when Copilot for Outlook attempts to summarize a long email thread. According to the support article covering the topic, “In the case of a very long thread, not all messages may be used, as there are limitations of how much can be passed into the LLMs.”

Copilot for GitHub also has limits, as attested in many questions developers ask about its use (here’s an example).

In other Copilots, the type of information being processed might reduce the possibility that Copilot might run into issues. For instance, when Copilot for Teams summarizes the discussion from a meeting, it uses the meeting transcription as its basis. Even a very long meeting is unlikely to trouble Copilot too much because (assuming the meeting has an agenda), the discussion flows from point to point and has a reasonable structure.

Preparing for Copilot

All of which brings me back to a central point about preparing for a Copilot for Microsoft 365 deployment. You can deploy all the software you want, including the tools available in Syntex (soon to be SharePoint Premium) to prepare content and Microsoft Purview to protect content. But at the end of the day, Copilot will be asked to process documents created by human beings. Whether those documents make good reference documents remains to be seen.

It’s a hard nut to crack. Humans never wrote documents to be processed by AI. They created documents to meet goals, explain projects, lay out solutions, and so on. Sometimes the documents are well-structured and easily navigated. Other times they’re a challenge for even their authors to interpret, especially as time goes by. Some documents remain accurate even after years and some are outdated in the weeks following publication. It will be interesting to see how Copilot copes with the flaws and imperfections of human output.


The Demise of Office Delve
https://office365itpros.com/2023/12/18/delve-retirement-2024/
Mon, 18 Dec 2023 01:00:00 +0000

Microsoft to Retire Delve in December 2024

Posted on December 14, 2023, message center notification MC698136 announces the sad news that Microsoft will retire the Delve web app (“Office Delve” was the original name) from Microsoft 365 on December 16, 2024. The demise of Delve (Figure 1) isn’t altogether surprising because the app never achieved much traction.

Figure 1: Delve web app

Launched as codename “Oslo” at the SharePoint 2014 conference, Delve was the first of a planned set of Office 365 next generation portals. In the case of Delve, Microsoft said that it would “reimagine search.”  While this mightn’t have happened, Delve introduced some interesting and worthwhile functionality. It was the first app to exploit the power of the Office Graph (now the Microsoft 365 Graph) to calculate and expose relationships between people and their work.

Delve Exposed Documents

When Delve used the Graph to calculate popular documents and display that information to users, it caused an uproar in some quarters because people saw information that they shouldn’t. The problem wasn’t due to Delve. Instead, it happened because of inconsistent, inaccurate, or missing permissions on SharePoint Online sites that allowed the software to find interesting documents. The same issue might recur with Microsoft 365 Copilot with the big difference that documents accessible to Copilot can be used to generate text. There’s quite a difference between suggesting documents to users and ingesting documents to create new content.

On a more positive note, Delve allowed users to edit their profile and update their photo at a time when that experience was dreadfully fragmented across Exchange, Lync, and SharePoint. Microsoft is only now moving to an Entra-ID based solution that they hope will deliver consistent user photos across Microsoft 365. And Delve introduced a way for users to highlight documents by pinning them to boards. Overall, Delve seemed important enough to warrant a dedicated chapter in the Office 365 for IT Pros eBook over several editions.

Chipping Away at Delve Functionality

Time moves on and technology evolves. Delve’s problem was that it didn’t evolve quickly enough (or at all). Some of its functionality, like blog publishing, vanished in 2020 followed by its desktop app (killed in March 2021). Delve Analytics (always more of an add-on rather than an integrated component) broke away to become MyAnalytics (now exposed through the Viva Insights app and add-in). Microsoft’s attention turned elsewhere, and Delve didn’t occupy a compelling and important role in the Microsoft 365 ecosystem, and that’s what brings us to its demise in 2024.

No Replacement for Delve Features

Microsoft doesn’t think that there is a need to replace the functionality currently available in Delve. To help users manage their profiles, Microsoft says that they plan to deliver a new edit profile capability in mid-2024 that is “tightly coupled with profile cards.” I’m unsure why they feel the need to assert the closeness of the connection given the pervasiveness of the user profile card across Microsoft 365 apps. A replacement for the Delve organization view is available in the user profile card and the Org Explorer (with the necessary licenses). Unsurprisingly given the sad lack of development since 2015, there’s no replacement for Delve Boards.

Lack of Functionality and Development

Even though I never had much use for Delve, I think Microsoft got some value from the app. We didn’t know much about the Graph in 2014-15. An app had to demonstrate what Microsoft meant by reimagining the way people searched for information together with the value of discovering information that could be useful to a person by reference to the connections that exist between that person and others within an organization. Delve did both, but I guess its flaw was that there wasn’t much else that users could do aside from pinning documents to boards.

It seems like Microsoft lost interest in Delve some years back. For whatever reason, it’s going to join other apps like StaffHub, Cortana Scheduler, Kaizala, and Sway in the Microsoft 365 wastebasket. All had some interesting aspects, but all eventually failed to appeal to the masses.


So much change, all the time. It’s a challenge to stay abreast of all the updates Microsoft makes across Office 365. Subscribe to the Office 365 for IT Pros eBook to receive monthly insights into what happens, why it happens, and what new features and capabilities mean for your tenant.

Using Microsoft 365 Copilot for Word https://office365itpros.com/2023/12/14/copilot-for-word/ Thu, 14 Dec 2023 01:00:00 +0000

Copilot for Word Will Help Many Authors Create Better Text

As folks might know, I write quite a few articles about technical topics. Recently, I’ve had the assistance of Microsoft 365 Copilot in Word. Not because I felt the need for any help but rather in the spirit of discovering if Copilot lives up to its billing of ushering in “a new era of writing, leveraging the power of AI. It can help you go from a blank page to a finished document in a fraction of the time it would take to compose text on your own.”

Good technical articles tell a story. They start by introducing a topic and explaining why it’s of interest before progressing to a deeper discussion covering interesting facets of the topic. The final step is to reach a conclusion. Copilot for Word aims to help by assisting authors to structure their text, write concise sentences, and start drafting based on a prompt submitted by the author.

Starting Off with Copilot for Word

Writing the first few sentences can be the hardest part of an article. To help, Copilot for Word can generate text by responding to a user prompt. A prompt is how to tell Copilot what to do. It can be up to 2,000 characters.

Crafting good prompts is a skill, just like it is to build good keyword searches of the type used to find information with Google or another search engine. Figure 1 shows my first attempt at a prompt for this article.

Figure 1: Prompting Copilot for Word

I wasn’t happy with the content generated by Copilot because it read like the text of a marketing brochure. This isn’t altogether surprising given two facts. First, my prompt wasn’t precise enough. Second, generative AI tools like Copilot can only create text based on previous content. The response obviously originated from Microsoft marketing content that lauded the powers of Copilot.

A second attempt was more concise and precise (Figure 2) and produced more acceptable text (Figure 3).

Figure 2: Refining a prompt for Copilot for Word
Figure 3: The text generated by Copilot for Word

Although better, I would never use the text generated by Copilot. It has value (especially the last three points), but it’s just not my style. The point to remember is that Copilot supports refinement of its output through further prompts. The text shown in Figure 3 is the result of asking Copilot to “make the text more concise.”

Using Reference Documents

A prompt can include links (references) for up to three documents, which must be stored in a Microsoft 365 repository. Copilot uses references to “ground” the prompt with additional context to allow it to respond to prompts better. When starting to write about a new topic, you might not have a usable reference, but in many business situations there should be something that helps, such as a document relating to a project or customer. The prompt shown in Figure 4 asks Copilot to write an article about the January 2024 update for the Office 365 for IT Pros eBook and includes a reference document (an article about the December 2023 update).

Figure 4: Including a reference document in a Copilot for Word prompt

The generated text (Figure 5) follows the structure of the reference document and I have no complaints about the opening paragraph. Copilot even figured out that the January update is #103. The problems mount swiftly thereafter as Copilot’s generated text promises a new chapter on Microsoft Viva and an updated chapter on Copilot for Microsoft 365, neither of which exist. I also don’t know what the integration between Teams and Syntex refers to, and the new Teams Pro license is a predecessor of Teams Premium. Later, we’re told that Microsoft Lists will launch in February 2024. These are Copilot hallucinations.

Figure 5: Copilot generates an article about an Office 365 for IT Pros monthly update

This experience underlines the necessity to check everything generated by Copilot. You have no idea where Copilot might source information and whether that data is obsolete or simply just wrong. Tenants can limit Copilot’s range by preventing it from searching internet sources for information, but even the best corporate information stored in SharePoint Online or OneDrive for Business can contain errors (and often does).

Rewrites with Copilot for Word

Apart from generating text, Copilot for Word can rewrite text. Figure 6 shows a rewrite of the second paragraph from this article. The version generated by Copilot uses the “professional” style (the other styles are “neutral”, “casual”, “concise”, and “imaginative”).

Figure 6: Text rewritten by Copilot for Word

The two versions are reasonably close. I prefer mine because it’s written in my style, but the alternative is acceptable.

Rewrite is useful when reviewing someone else’s text. I often edit articles submitted to Practical365.com for publication. Because authors come from many countries, their level of English technical writing varies greatly. Being able to have Copilot rewrite text often helps me understand the true intent of an author.

The Usefulness of Copilot for Word

I’ve tried many different text proofing tools in Word, from the built-in ones like Microsoft Editor to external ones like Grammarly. They all have their pros and cons, and their own quirks. Copilot for Word is more user-friendly and intuitive than any existing tool. Provided that people remember to check the generated text carefully, Copilot will help many of them write better. The downside is the $30/user/month cost for Microsoft 365 Copilot licenses (currently, you can’t buy a Copilot license just for Word).

Microsoft 365 Copilot obviously covers much more than generating better text with Word. That being said, it’s nice that the integration of AI into one of the more venerable parts of Microsoft 365 works so well.

Summarizing Copilot for Word

It seems apt to close with the summary generated by Copilot for this article (Figure 7). Copilot summarizes documents by scanning the text to find the main ideas. What’s surprising in this text is the inclusion of ideas that are not in the document, such as “What Copilot for Word cannot do.” Copilot cites paragraphs five and six as the source, but neither paragraph mentions anything about weather or visuals, or that Copilot for Word is limited to outputting text in bullet points or paragraphs. This information must have come from the foundational LLMs used by Copilot.

Figure 7: Copilot summary of a document’s content

I’m sure Copilot included the information to be helpful but it’s jarring to find the AI introducing new ideas in summaries. Oh well, this kind of stuff gives people like me stuff to write about…


Microsoft Cancels the Teams Who Bot https://office365itpros.com/2023/11/10/who-bot-app-gone/ Fri, 10 Nov 2023 01:00:00 +0000

Who Bot Was One of the Original Teams Bots

Message center notification MC687849 (7 November 2023) is a terse announcement of the demise of the Teams Who bot, an app in the Teams app store. This is a pity. I rather liked the Who bot and even included it as an example app in an article about Teams setup policies. Oh well.

Figure 1: The Who bot app scored a surprising 3.2 overall rating

Microsoft created the Who bot in the early days of Teams development as a sample to demonstrate how to create a Teams bot. The purpose of the app is to help users find information about others in the organization based on the information stored in Entra ID and the Graph. Users could chat with the bot to ask questions like who in the organization might know about a certain topic. Figure 2 shows a query from January 2018 when I asked “who works for me?” It’s the kind of helpful information that befuddled managers like to receive.

Figure 2: The Who bot responds to a chat query

As you can see, the Who bot used chats to interact with users. In today’s Microsoft 365, the role of AI-based helpful communication is assigned to Microsoft 365 Copilot or rather, the implementation of Copilot within Teams. Microsoft says that they are working to improve the functionality delivered in the Who bot and will deliver a better user experience within Microsoft 365 Copilot sometime in the future.

Knowing What’s Happening

The deprecation is due in mid-December 2023 but already the Who bot knows about its fate. I fired the bot up on November 9 and was prompted for consent to perform searches (a refinement from the original version). After giving consent, the response was a bunch of messages heralding the deprecation. And although the Who bot reassured me that it was ready to start chatting (Figure 3), no further interaction was possible.

Figure 3: The Who bot knows too much about what’s going to happen to it

Indeed, some folks in the Microsoft Technical Community noticed that the Who bot was declining in late October. Microsoft might have been trying to deprecate the bot on the quiet, but were forced to come clean when people noticed! I don’t know if this is the case, but perhaps low usage data convinced Microsoft that they could remove the Who bot without causing any problems for users.

No Way Back

In any case, there’s no way back for the Who bot. Microsoft’s attention is fully focused on adding Copilots to every piece of software that it can, no matter if the software benefits from receiving a splash of artificial intelligence.

The bad thing is that the Who bot was a free app available to all 320 million Teams users. The new route that Microsoft has taken will restrict access to whatever replacement functionality they build to people with Copilot licenses. Right now, that’s a large investment (minimum of $108,000 for 300 users for a year) that limits exposure to organizations that can afford to pay for licenses. Losing the Who bot isn’t a big deal because it was really only ever a demo app, but it’s always sad when functionality disappears behind a licensing barrier. Microsoft tends to go down that path too often these days.


Microsoft Details Compliance Support for Microsoft 365 Copilot https://office365itpros.com/2023/11/09/microsoft-365-copilot-compliance/ Thu, 09 Nov 2023 01:00:00 +0000

Compliance through Sensitivity Labels, Audit Events, and Compliance Records

Now that the fuss around the general availability of Microsoft 365 Copilot (November 1) is fading, organizations face the harsh reality of deciding whether investing a minimum of $108,000 (300 Copilot licenses for a year) to test the effectiveness of an AI-based digital assistant is worthwhile. Before deploying any software, companies usually have a checklist to validate that the software is suitable for their users. The checklist might contain entries such as:

In MC686593 (updated 6 November, 2023), Microsoft addresses the last point by laying out how Purview compliance solutions support the deployment of Microsoft 365 Copilot. Rollout of the capabilities is due between now and mid-December 2023.

Sensitivity Labels Stop Microsoft 365 Copilot Using Content

Microsoft 365 Copilot depends on an abundance of user information stored in Microsoft 365 repositories like SharePoint Online and Exchange Online. Without information to set context and provide the source for answering user prompts, Copilot cannot work. The possibility that Copilot might include sensitive information in its output is real, and it’s good to know that Copilot respects the protection afforded by sensitivity labels. The rule is that if a sensitivity label applied to an item allows a user at least read access, its content is available to Copilot to use when responding to prompts from that user. If the label blocks access, Copilot can’t use the item’s content.

Figure 1: If the Confidential label allows Microsoft 365 Copilot to access the information, it can be used in responses

Audit Events Record Microsoft 365 Copilot Interactions

Recent changes in the Microsoft 365 unified audit log and the surrounding ecosystem have not been good. The Search-UnifiedAuditLog cmdlet doesn’t work as it once did, a factor that might impact the way organizations extract audit data for storage in their preferred SIEM. Some will not like the removal of the classic audit search from the Purview compliance portal in favor of the asynchronous background search feature. Both changes seem to be an attempt by Microsoft to reduce the resources consumed by audit searches. This tactic is perfectly acceptable if communicated to customers. The problem is the deafening silence from Microsoft.

On a positive note, the audit log will capture events for Copilot prompts from users and the responses generated by Copilot in a new Interacted with Copilot category. These events can be searched for and analyzed using the normal audit retrieval facilities.
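One way to pull these events for review or for forwarding to a SIEM is shown below. This is an added example, not code from the article. The operation name CopilotInteraction, the AuditData property names (CopilotEventData, AppHost, AccessedResources, Name), the seven-day window, and the output file name are assumptions to verify against a raw record in your tenant.

```powershell
# Added example (not from the article): summarize Copilot interaction audit events.
# Requires the ExchangeOnlineManagement module and an account permitted to search the audit log.
Connect-ExchangeOnline -ShowBanner:$false

$StartDate = (Get-Date).AddDays(-7)
$EndDate   = Get-Date
# A single SessionId ties the paged requests together
$SessionId = "CopilotAudit-{0}" -f (Get-Date -Format 'yyyyMMddHHmmss')

[array]$Records = @()
Do {
    # ReturnLargeSet returns up to 5,000 unsorted records per call for the same SessionId
    # Assumption: 'CopilotInteraction' is the operation name behind the "Interacted with Copilot" category
    [array]$Page = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
        -Operations 'CopilotInteraction' -SessionId $SessionId `
        -SessionCommand ReturnLargeSet -ResultSize 5000
    If ($Page) { $Records += $Page }
} While ($Page)

If (-not $Records) {
    Write-Host "No Copilot interaction events found in the search window"
    Return
}

# Paged searches can return duplicates, so keep one copy of each record
[array]$Records = $Records | Sort-Object Identity -Unique

$Report = ForEach ($Record in $Records) {
    # AuditData is a JSON string holding the workload-specific payload
    $Data = $Record.AuditData | ConvertFrom-Json
    # Assumed property names; inspect $Record.AuditData in your tenant to confirm them
    $CopilotData = $Data.CopilotEventData
    [array]$Resources = $CopilotData.AccessedResources | Where-Object { $_ }
    [PSCustomObject]@{
        TimeUtc       = $Record.CreationDate
        User          = $Record.UserIds
        AppHost       = $CopilotData.AppHost
        ResourceCount = $Resources.Count
        Resources     = ($Resources.Name | Sort-Object -Unique) -join '; '
    }
}

# Who uses Copilot, and from which app
$Report | Group-Object User, AppHost | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Interactions that drew on tenant content are the ones worth reviewing for oversharing
$Report | Where-Object { $_.ResourceCount -gt 0 } | Sort-Object TimeUtc |
    Export-Csv -Path .\CopilotInteractions.csv -NoTypeInformation -Encoding UTF8
```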

Compliance Records for Microsoft 365 Copilot

The Microsoft 365 substrate captures Copilot prompts and responses and stores this information as compliance records in user mailboxes, just like the substrate captures compliance records for Teams chats. Microsoft 365 retention policies for Teams chats have been expanded to process the Copilot records. If you already have a policy set up for Teams chat, it processes Copilot records too (Figure 2).

Figure 2: Retention processing handles Microsoft 365 Copilot interactions along with Teams chats

Although it’s easier for Microsoft to combine processing for Teams chats and Copilot interactions, I can see some problems. For example, some organizations like to have very short retention periods for Teams chat messages (one day is the minimum). Will the same retention period work for Copilot interactions? It would obviously be better if separate policies processed the different data types. Perhaps this will happen in the future.

Because the substrate captures Copilot interactions, the interactions are available for analysis by Communication Compliance policies. It should therefore be possible to discover if someone is using Copilot in an objectionable manner.

Block and Tackle Support for Microsoft 365 Copilot

None of this is earthshattering. SharePoint Online stores protected documents in clear to support indexing, but it would be silly if Microsoft 365 Copilot could use protected documents in its response. Gathering audit events treats Copilot like all the other workloads, and compliance records make sure that eDiscovery investigations can include Copilot interactions in their work. However, it’s nice that Microsoft has done the work to make sure that organizations can mark the compliance item on deployment checklists as complete.


Support the work of the Office 365 for IT Pros team by subscribing to the Office 365 for IT Pros eBook. Your support pays for the time we need to track, analyze, and document the changing world of Microsoft 365 and Office 365.

Office 365 for IT Pros November 2023 Update Available https://office365itpros.com/2023/11/01/office-365-for-it-pros-101/ Wed, 01 Nov 2023 01:00:00 +0000

Download new Office 365 for IT Pros Files Now

Office 365 for IT Pros November 2023 Update

The Office 365 for IT Pros eBook team is delighted to announce that the 101st monthly update is now available for download. Subscribers to the PDF/EPUB version can download the updated files from Gumroad.com using their account or the link contained in the receipt emailed to them when they subscribed. People who bought the Kindle edition from Amazon can ask Amazon support to make the update available to them.

Office 365 for IT Pros Monthly Update 101

As in any month, the latest update covers a variety of topics. For example:

  • New data about user numbers released in Microsoft’s FY24 Q1 results (Teams now has 320 million monthly active users).
  • Deprecation of the Set-UserPhoto and Get-UserPhoto cmdlets.
  • A new organization setting to allow tenants to avoid roaming signatures until Microsoft fixes the problem with OWA signatures.
  • The storage consumed by Loop workspaces (but not Loop components used in apps) will count against tenant SharePoint storage quotas.

During the month, we also published details of how to use the Microsoft Graph PowerShell SDK (and PnP.PowerShell) to create and update Microsoft Lists. This led to the addition of a small paragraph in chapter 23 and is an example of the kind of research the writing team does to improve the quality and coverage of the book.

We also expressed our annoyance at the number and persistence of the annoying pop-up messages Teams insists on displaying to users.

For more information about changes in the 101st update, please see our change log. Details of how to download updates can be found in our FAQ.

New Teams Client Becomes the Only Teams Client in March 2024

The biggest change for many Microsoft 365 tenants is the launch of the new Teams client, which attained general availability on October 5, 2023. There’s no doubt that the new Teams client is an advance over the “classic” client in terms of performance, resource consumption, and some functionality (like guest access to multiple tenants). Microsoft still has some work to do to attain full feature equivalence across the two clients, but this will come in time. A useful web page explains where Microsoft hopes to make progress and where functionality differs across the two versions.

Nice as it is to have the new client, I think people were surprised when Microsoft issued message center notification MC686187 on October 31 to tell customers that Microsoft plans to remove the classic client on March 31, 2024. People using the classic client at that time will receive an automatic upgrade to the new client, even if they’d really prefer to stay with the old version.

The new Teams client isn’t available yet for Virtual Desktop Infrastructure (VDI), so VDI users are unaffected by the deprecation and will not be automatically updated. The same is true for Teams Room and Surface Hub devices, which need a special version of the new client to deal with their environments.

I fully understand Microsoft’s desire to remove the classic client. They’ve invested a ton of engineering effort to move away from the Electron-based roots of the old client to develop a new client that answers many of the criticisms expressed over the years. They don’t want to be forced to keep two very different client code bases functionally equivalent as new features roll out (like using Microsoft Designer to generate custom images for announcement channel posts).

Maintaining two client code bases is an expensive proposition, as Microsoft knows well from their experience with Outlook. Reducing engineering and support costs is one of the prime motivating factors in the effort to deliver the Monarch “One Outlook” client. Microsoft is already pushing customers away from the old Win32-based Outlook for Windows desktop client with tactics like insisting that only Monarch will support Microsoft 365 Copilot.

No Votes for Customers

Forced client transition to gain new functionality is part of living with a cloud service. It happens. Customers don’t get to vote (unless you want to return to an on-premises deployment). Oh well, upward and onward toward the 102nd monthly update for the Office 365 for IT Pros eBook, due on December 1.

Teams Grows to 320 Million Monthly Active Users https://office365itpros.com/2023/10/26/teams-number-of-users-320-million/ Thu, 26 Oct 2023 01:00:00 +0000

Teams Number of Users Keeps On Growing, Like the Rest of the Microsoft Cloud

On October 24, 2023 Microsoft reported their FY24 Q1 results. As usual, there was an upward bounce for Microsoft Cloud revenues to $31.8 billion (annualized run rate of $127.2 billion – Figure 1), an increase from $30.3 billion reported in the last quarter.

Figure 1: Microsoft Cloud Revenues since 2015

Some of the growth comes in an increase in overall user numbers, some comes from Microsoft’s success in extracting additional revenue from existing customers. As CFO Amy Hood noted, “Office Commercial, revenue growth will again be driven by Office 365 with seat growth across customer segments and ARPU growth thru E5.” ARPU is average revenue per customer and it increases when customers upgrade their basic licenses (for instance, from Office 365 E3 to Microsoft 365 E3) or buy add-ons.

Talking Copilot

Microsoft also highlighted some numbers that they want people to focus in on. For example, Satya Nadella was keen to talk about Microsoft 365 Copilot, noting that customers say that they “can’t imagine work without it.” This might be the case for the test users in the 40% of the Fortune 100 that Microsoft say are in the Copilot preview (including Visa, KPMG, Bayer, Suncorp, and the Mayo Clinic), but it remains to be seen how many will stump up the $30/month price for a Microsoft 365 Copilot license (plus the potential cost of upgrading to an eligible Microsoft 365 license) when it becomes generally available on November 1.

$30 seems like a high monthly charge, but if the Wall Street Journal is correct that Microsoft is losing money on GitHub Copilot because of the operational costs of AI-powered recommendations, then maybe the price of Microsoft 365 Copilot is reasonable.

Teams Keeps Growing

Microsoft certainly hopes that Copilot will be a hit, just like they hoped that Teams Premium will convince customers to upgrade from Teams standard. Microsoft said that 10,000 “paid” customers use Teams Premium. Last quarter, Microsoft said that there were 600,000 Teams Premium users, so it could be that they’re simply reporting numbers a different way and that each customer has 60 Teams Premium users. But I’m sure that this isn’t the case.

Last April, Microsoft reported that Teams had 300 million monthly active users. This time round, they increased the number by 20 million to 320 million (Figure 2).

Figure 2: Teams number of users since 2019

320 million is a big number and it means that Teams is now used by roughly 80% of the entire Office 365 base. Microsoft said that the number of Office 365 commercial seats grew 10% year over year, which puts it at around 400 million. The 80 million who don’t use Teams must use Slack or something else, or perhaps the different user counts don’t quite match up.

Either way, Teams exerts enormous influence over Microsoft 365 with apps like OneDrive for Business and SharePoint Online experiencing huge growth in usage because of how Teams consumes their services.

EMS Grows By Three Million

The EM+S people succeeded in getting another mention for their progress. In FY23 Q4, Microsoft said “the enterprise mobility and security installed base grew 11% to over 256 million seats.” This time round, they said “the enterprise mobility and security installed base grew 11% to over 259 million seats.” The three million extra seats in a quarter definitely made a difference. Oddly, the current version of the earnings transcript available online makes no mention of EM+S, so maybe I was dreaming…


How to Limit the Creation of New Teams to Private Access https://office365itpros.com/2023/10/19/teams-privacy-mode/ Thu, 19 Oct 2023 01:00:00 +0000

Using Container Management Sensitivity Labels to Force Specific Teams Privacy Mode

Yesterday, I wrote about how to control the creation of Microsoft 365 groups (and teams) using Microsoft Graph PowerShell SDK cmdlets to update the directory object setting used for the tenant groups policy. This led to a question from a reader who referred to a Microsoft Technical Community discussion about how to force those allowed to create new teams to only create private groups. A private team is one where the team owners control the membership. By contrast, anyone can join a public team.

I’m not quite sure why this is any better than allowing people to have a choice between private and public (Figure 1) in terms of preventing group sprawl, but it is an interesting example of using sensitivity labels for container management.

Figure 1: The privacy options for a new team

The technique outlined here only affects new groups created through Teams, Outlook, OWA, and SharePoint Online clients. It doesn’t affect existing groups nor will it stop an administrator creating a new public group through an administrative interface like PowerShell or the Graph APIs.

Implementing the Block on Public Teams

The steps to block new public teams start with creating or selecting a container management sensitivity label (one that exerts control over teams, groups, and SharePoint sites). I have a well-populated set of sensitivity labels in my tenant, so I chose to use one called Confidential Access.

It’s critical that the privacy settings for the label dictate that groups and teams assigned the label can only have private access (Figure 2).

Figure 2: The privacy settings for a sensitivity label limit users to private

Next, create a label policy to publish the selected label to selected users. For instance, you could decide to publish the policy to the same users who are allowed to create new groups or limit publication to a subset. Unfortunately, you can’t choose a security group for the target set, so you’ll need to include each user separately (Figure 3) or use a Microsoft 365 group or distribution list to establish the scope for the policy.

Figure 3: Targeting users to receive the label

Make sure that the label policy requires users to apply a default label to sites and groups. Because only one label is covered by the policy, this is the only one that can be assigned by default (Figure 4).

Figure 4: The label policy settings define a default label

Make sure that the label policy has the highest priority so that it takes precedence over any other label publishing policy. This is the usual state for the most recently-created label policy but it’s wise to check and adjust if necessary.

Wait for Effect

Publication is not immediate. Behind the scenes, Microsoft Purview processes the new label publishing policy and makes the label available to the target set of users. It could take up to 24 hours before the user account and relevant applications learn about the new policy and its settings.

When the label policy is in force, the dialog to create a new team prepopulates the sensitivity label with the default label specified in the policy. Because the label specifies that private access is the only permitted option, this action disables the choice of public access (Figure 5).

Figure 5: Forcing the use of the sensitivity label makes public access unavailable

Changing Other Teams to Private Access

As mentioned above, implementing a sensitivity label for container management in the manner explained here does nothing to existing teams. If you want to make all teams private, you must search for teams with public access and update them to private access. Here’s some code based on the Microsoft Graph PowerShell SDK to do the job.

Connect-MgGraph -Scopes Group.ReadWrite.All
# -All pages through every team-enabled group; without it only the first page of results is returned
[array]$Teams = Get-MgGroup -All -Filter "resourceProvisioningOptions/any(x:x eq 'Team')" | Where-Object {$_.Visibility -eq 'Public'} | Sort-Object DisplayName
If ($Teams) {
   Write-Host ("Processing {0} teams with public access..." -f $Teams.Count)
}
ForEach ($Team in $Teams) {
   Write-Host ("Updating team {0} to private access..." -f $Team.DisplayName)
   # Switch the underlying Microsoft 365 group from public to private
   Update-MgGroup -GroupId $Team.Id -Visibility 'Private'
}

I’m still unconvinced that forcing all teams to be private will address the problems of group sprawl, or unused and obsolete teams. But it’s an interesting approach. Maybe it’ll work for you.


Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.

Microsoft Removes Exchange Online User Photo Cmdlets
https://office365itpros.com/2023/10/09/user-photo-cmdlets/
Mon, 09 Oct 2023 01:00:00 +0000

Use Graph SDK Cmdlets to Manage User and Group Photos

According to message center notification MC678855 (2 October), effective November 30, 2023, Microsoft will retire the Exchange Online management cmdlets to manipulate photos for mailboxes (Get-, Set-, and Remove-UserPhoto). This is part of the work to improve the way Microsoft 365 manages and displays user photos and moves the photo storage location away from Exchange Online to Entra ID. Microsoft says that this will create “a coherent user profile image experience by retiring legacy profile photo services.”

Basically, this effort resolves the inconsistencies that crept into user photo handling through Exchange and SharePoint doing their own thing, largely because of their on-premises roots. Delve attempted to fix the problem in 2015 but never really went anywhere. After that, Microsoft started to use Exchange Online to host photos and synchronize from there, but it’s a better idea to use Entra ID and have all workloads come to a common place for photo data.

Replacement User Photo Cmdlets

The replacement cmdlets for user photo management are in the Microsoft Graph PowerShell SDK:

  • Set-MgUserPhotoContent: Add a photo to an Entra ID account. You can add JPEG or PNG files of up to 4 MB. Entra ID can store photos with a large pixel count. I have commonly uploaded photos sized at 8256 x 5504 pixels. When applications fetch photos to use, they can specify what sized photo they wish Entra ID to provide ranging from a thumbnail (48 x 48 pixels) to a high-definition photo as used in Teams meetings.
  • Get-MgUserPhoto: Check if an account has photo data in the profilePhoto property.
  • Update-MgUserPhoto: According to the documentation, this cmdlet “updates the navigation photo in users.” That doesn’t make much sense, so I asked the SDK development group what the text really means. As it turns out, this cmdlet is a duplicate of Set-MgUserPhotoContent, so you can ignore it.
  • Remove-MgUserPhoto: Remove user photo information from an account.

For example:

Set-MgUserPhotoContent -Userid Jim.Smith@office365itpros.com -Infile "c:\temp\Jim.Smith.jpg"

Figure 1: A user photo updated in Entra ID

Updating Scripts

From an administrator perspective, the impact of the change is a need to review scripts that call the old cmdlets to replace them with the SDK cmdlets. The changes to the script are likely to involve:

  • Call the Connect-MgGraph cmdlet to connect to the SDK.
  • Find target user accounts instead of mailboxes.
  • Remove the references to Get-UserPhoto and Set-UserPhoto.
  • Use the Get-MgUserPhoto cmdlet to find if a target mailbox has a photo and the Set-MgUserPhotoContent cmdlet to update the photo if necessary (and a suitable file is available).

To provide a working example, I updated the script mentioned in this article. You can download the full script from GitHub. Remember that Graph permissions work differently to the permissions granted when an account holds the Exchange administrator or Global administrator roles for a tenant. Using the SDK in an interactive session to update photos will only work if the signed-in account holds one of the two roles mentioned above and consent is granted for the SDK app to use the Directory.ReadWrite.All permission.

Group Photos

Because it’s a mailbox cmdlet and supports the GroupMailbox switch, the Set-UserPhoto cmdlet can set photos for Microsoft 365 groups. The Set-MgUserPhotoContent cmdlet only handles user accounts. To update the photos for Microsoft 365 groups, it’s necessary to use the Set-MgGroupPhotoContent cmdlet. Alternatively, for team-enabled groups, you can use the Set-TeamPicture cmdlet from the Microsoft Teams module.

I wrote an article describing how to update photos for Microsoft 365 groups. Updating the associated script wasn’t quite as simple because the Get-MgGroupPhoto cmdlet doesn’t return a thumbnail identifier. The foundation of the original script is that the thumbnail identifier could tell the script if the group already had a photo. This is now not possible, so the updated script (available from GitHub) is a rewritten and simplified version of the original.

Another Example of Change

This transition is yet another example of recent change in the Microsoft 365 PowerShell space. Exchange Online has just turned off Remote PowerShell and we’re on the final stretch of deprecation for the Microsoft Online Services module (the cmdlets that deal with license assignment have already stopped working). Keeping up to date with cmdlet changes can take some time but it’s an essential task.


Support the work of the Office 365 for IT Pros team by subscribing to the Office 365 for IT Pros eBook. Your support pays for the time we need to track, analyze, and document the changing world of Microsoft 365 and Office 365.

Microsoft Limits Loop App to Microsoft 365 Product SKUs
https://office365itpros.com/2023/09/28/loop-app-microsoft-365/
Thu, 28 Sep 2023 01:00:00 +0000

Current Test Users Unaffected

Microsoft released the preview version of the Loop app in March 2023. At the time, anyone with an Office 365 or Microsoft 365 license could sign up to use the app provided that their administrators allowed access in their tenant. Six months later, it appears that Microsoft is preparing to make the Loop app generally available. According to message center notification MC668811 (18 September), Microsoft plans to introduce a new service plan (Loop app with workspaces) to control access to the app.

The new service plan is being introduced to a limited number of product SKUs:

  • Microsoft 365 Business Standard (SME)
  • Microsoft 365 Business Premium (SME)
  • Microsoft 365 E3 (enterprise)
  • Microsoft 365 E5 (enterprise)

The change will roll out in late September 2023 and continue into early 2024.

No Office 365 SKUs

The interesting thing is that Microsoft is not licensing the Loop app for either the Office 365 E3 or E5 product SKUs. That’s a considerable set of enterprise accounts that technically will be unable to use the Loop app. However, Microsoft says that “Customers using the Loop app in preview … will continue to be able to create and view Loop workspaces for the immediate future.”

In other words, if your account has an Office 365 E3 or E5 license and you used the Loop app during its preview, you can keep on using your Loop workspaces (stored in Syntex repository services) until Microsoft decides to restrict access to accounts with access to the new service plan at some point in the future. Licensing through the new Loop with workspaces service plan covers the creation of new workspaces. Users with other Office 365 or Microsoft 365 licenses can continue to contribute to a Loop workspace, including pages in a workspace.

Microsoft says that they will “share more information about the pricing and availability of the Loop app in the coming months.” At that point, it might be possible for users with an Office 365 or Microsoft 365 plan that doesn’t include the Loop with workspaces service plan to buy access through an add-on.

Unless they restricted access to specific users via a cloud policy, there’s no way for tenant administrators to discover the level of Loop app activity within user accounts. Unlike normal SharePoint Online sites, tenant administrators don’t have access to statistics or other information about content stored in Syntex repository services.

If you’re worried about the potential exposure to additional license upgrade costs, you could proactively disable access to the Loop app through a setting in the Microsoft 365 admin center (Figure 1).

Figure 1: Microsoft 365 admin settings for the Loop app

Continued Access to App-Level Loop Components

It’s important to emphasize that the licensing requirement for the Loop app only affects the Loop app, its workspaces, pages, and components. Access to Loop components in Teams chat, Whiteboard, Word Online, or Outlook continues as before. Storage for these components is in the owner’s OneDrive for Business account. Disabling access to the Loop app in the Microsoft 365 admin center doesn’t affect app-level use of Loop components either.

Pushing to Microsoft 365

Unfortunately, restricting access to the Loop app to a small number of Microsoft 365 product SKUs is another example of Microsoft driving customers to upgrade to Microsoft 365 subscriptions. The same tactic is seen with Microsoft 365 Copilot, which is also restricted to the same set of Microsoft 365 product SKUs.

There’s no technical reason for the restriction. It’s simply a matter of Microsoft deciding to package their software in a way intended to convince customers that upgrading to a more expensive Microsoft 365 subscription is a good deal. It’s a great way for Microsoft to increase their cloud revenues.

In some cases, moving to Microsoft 365 is the right thing to do. In other circumstances, you might not get the anticipated return on your investment. It’s definitely a decision that requires careful consideration.


Microsoft Makes Microsoft 365 Copilot Generally Available
https://office365itpros.com/2023/09/22/microsoft-365-copilot-ga/
Fri, 22 Sep 2023 01:00:00 +0000

Enterprise Customers Can Buy Microsoft 365 Copilot on November 1, 2023


Originally unveiled last March and then put through a testing program involving 600 customers (who paid a substantial amount for the privilege), Microsoft announced (September 21) that Microsoft 365 Copilot will be generally available for enterprise customers on November 1, 2023. Although they didn’t expand on what they mean by “enterprise customers,” I’m sure that Copilot will be available for tenants running the two “eligible” SKUs targeted at small businesses (Microsoft 365 Business Standard and Business Premium). This page covers Copilot for the SME segment.

Time to Prepare Budgets

After checking their IT budgets to see if they can find the funds necessary to upgrade to one of the eligible products and then pay the hefty $30/user per month charge for Copilot, interested customers can contact Microsoft sales to buy licenses.

The agenda for this week’s The Experts Conference (TEC) event included several sessions about using artificial intelligence with Microsoft 365. Interestingly, when polled, none of the conference attendees indicated that their companies were interested in deploying Copilot. Cost is a big issue, but so is the work necessary to prepare tenants for Copilot, including user training and support. For more information, see the Microsoft 365 Copilot overview page.

The lack of interest at TEC might be misleading. For instance, software is more interesting when it’s available and companies can learn about real-life scenarios from other customers to understand how to justify the spend. It’s also true that the Microsoft sales force hasn’t yet gone into high gear to sell Copilot. Now that a general availability date is known, that pressure can be expected to increase.

Copilot Lab the Most Interesting Part of Announcement

When I talk about Copilot, I refer to it as an inexperienced artificial assistant that needs a lot of coaching to achieve good results. Users provide coaching through the prompts they input to tell Copilot what to do. Good prompts that are concise and provide context are much more likely to generate what the user wants than fuzzy requests for help.

The average user is not an expert in prompt formulation. Even after 25 years of using Google search, many struggle to construct focused search terms. The same is true for people searching for information within a tenant using Microsoft Search. Some know how to use document metadata to find exactly what they want. Others rely on being able to find items using document titles.

Without good prompts, Microsoft 365 Copilot will fail utterly. The AI cannot read user minds to understand what someone really wants. It’s got to be told, and it’s got to be told with a level of precision that might surprise.

All of which means that the announcement of Copilot Lab is a really good idea. Essentially, Copilot Lab is a learning ground for people to discover how to construct effective prompts (Figure 1), including being able to share prompts that they create.

Figure 1: Copilot Lab (from Microsoft video)

The implementation seems very like the way that Power Apps allows users to create apps from a library of templates. Anyone facing into a new technology appreciates some help to get over the initial learning hurdle, and that’s what I expect Copilot Lab will do.

Microsoft Copilot Chat

The other new part of the Microsoft 365 Copilot ecosystem is a chat application that looks very much like Bing Enterprise Chat (Figure 2). The big difference is that Microsoft Copilot Chat has access to information stored in Microsoft 365 repositories like SharePoint Online that are available to the signed-in user. Microsoft 365 chat is available through https://www.microsoft365.com/copilot and in Teams chat.

Figure 2: Microsoft 365 Chat (from Microsoft video)

The Monarch Issue

Another issue raised at TEC was Microsoft’s insistence that the Outlook Monarch client is the only version that will support Copilot. While it’s true that Microsoft wants customers to move to the new Outlook, user resistance is palpable and could become a barrier to adoption. Although there’s value to be gained by Copilot summarizing notes from a Teams meeting or creating a Word document or PowerPoint presentation based on existing content, many people still organize their working life around Outlook. And that’s Outlook classic, not a web-based version that’s still missing functionality like offline access (coming soon, or so I hear).

If Microsoft really wanted to, I think they could create an OWA Powered Experience (OPX)-based plug-in for Outlook classic (like the Room Finder) to integrate Copilot. Where there’s a will, there’s a way. In this instance, the will seems to be missing. And that’s just a little sad.


So much change, all the time. It’s a challenge to stay abreast of all the updates Microsoft makes across Office 365. Subscribe to the Office 365 for IT Pros eBook to receive monthly insights into what happens, why it happens, and what new features and capabilities mean for your tenant.

Enable the MailItemsAccessed Event for Exchange Online Mailboxes
https://office365itpros.com/2023/09/11/mailitemsaccessed-event-important/
Mon, 11 Sep 2023 01:00:00 +0000

Time to Review Mailbox Auditing Configurations

Updated 8 November 2023

Paul Robichaux’s recent article describing five errors Microsoft made which led to the Storm-0558 attack made me think about the MailItemsAccessed event. This was the first “premium” or high-value audit event launched by Microsoft in an attempt to monetize auditing through the introduction of what is now Microsoft Purview Audit (Premium) (aka Microsoft 365 advanced auditing). Purview Audit Premium is included in Office 365 E5 and Microsoft 365 E5 and other add-on licenses. Purview Audit Standard is available to Office 365 E3 and Microsoft 365 E3 customers.

Update: Microsoft says that Office 365 E3 customers won’t see the MailItemsAccessed event until the summer of 2024.

In his article, Paul points out that tenant administrators for a federal executive civilian branch agency noted unusual activity captured in MailItemsAccessed events. Exchange Online captures these events (Figure 1) when clients access mail messages in mailboxes belonging to licensed accounts. Being able to know that someone (or some process) other than the owner accessed messages in a mailbox is a good indication that something’s wrong.

Figure 1: Details of a MailItemsAccessed audit event

To emphasize the point about how important MailItemsAccessed events can be, Microsoft’s documentation explains how to use the events in a forensic investigation. This is what might have happened to detect some of the Storm-0558 infiltration. According to a Cybersecurity and Infrastructure Security Agency (CISA) report analyzing Storm-0558, “The affected FCEB agency identified suspicious activity by leveraging enhanced logging—specifically of MailItemsAccessed events—and an established baseline of normal Outlook activity (e.g., expected AppID). The MailItemsAccessed event enables detection of otherwise difficult to detect adversarial activity.”
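The baseline comparison that the CISA report describes can be sketched as follows. This is an added example, not code from the article, Microsoft, or CISA: the audit records, IP addresses, and AppId GUIDs are constructed samples, and the function name Find-UnexpectedMailAccess is hypothetical.

```powershell
# Added example: flag MailItemsAccessed records whose AppId is outside an expected baseline
# or whose logon type is not the mailbox owner. Every value below is constructed.
$BaselineAppIds = @('11111111-1111-1111-1111-111111111111')  # constructed stand-in for the approved mail client

# Constructed records shaped like the AuditData payload of MailItemsAccessed events.
# In a tenant, fetch them with Search-UnifiedAuditLog -Operations MailItemsAccessed and
# convert each result's AuditData property with ConvertFrom-Json.
$SampleJson = @'
[
 {"CreationTime":"2023-09-04T08:12:31","Operation":"MailItemsAccessed","UserId":"lotte.vetler@example.com","MailboxOwnerUPN":"lotte.vetler@example.com","LogonType":0,"ClientIPAddress":"192.0.2.10","AppId":"11111111-1111-1111-1111-111111111111","OperationProperties":[{"Name":"MailAccessType","Value":"Bind"},{"Name":"IsThrottled","Value":"False"}]},
 {"CreationTime":"2023-09-04T08:15:02","Operation":"MailItemsAccessed","UserId":"lotte.vetler@example.com","MailboxOwnerUPN":"lotte.vetler@example.com","LogonType":0,"ClientIPAddress":"192.0.2.10","AppId":"11111111-1111-1111-1111-111111111111","OperationProperties":[{"Name":"MailAccessType","Value":"Sync"},{"Name":"IsThrottled","Value":"False"}]},
 {"CreationTime":"2023-09-04T23:41:17","Operation":"MailItemsAccessed","UserId":"lotte.vetler@example.com","MailboxOwnerUPN":"lotte.vetler@example.com","LogonType":0,"ClientIPAddress":"203.0.113.77","AppId":"99999999-9999-9999-9999-999999999999","OperationProperties":[{"Name":"MailAccessType","Value":"Bind"},{"Name":"IsThrottled","Value":"False"}]},
 {"CreationTime":"2023-09-04T23:44:50","Operation":"MailItemsAccessed","UserId":"lotte.vetler@example.com","MailboxOwnerUPN":"lotte.vetler@example.com","LogonType":0,"ClientIPAddress":"203.0.113.77","AppId":"99999999-9999-9999-9999-999999999999","OperationProperties":[{"Name":"MailAccessType","Value":"Bind"},{"Name":"IsThrottled","Value":"True"}]},
 {"CreationTime":"2023-09-05T10:02:09","Operation":"MailItemsAccessed","UserId":"jim.smith@example.com","MailboxOwnerUPN":"lotte.vetler@example.com","LogonType":2,"ClientIPAddress":"192.0.2.25","AppId":"11111111-1111-1111-1111-111111111111","OperationProperties":[{"Name":"MailAccessType","Value":"Bind"}]},
 {"CreationTime":"2023-09-05T11:30:00","Operation":"MailItemsAccessed","UserId":"jim.smith@example.com","MailboxOwnerUPN":"jim.smith@example.com","LogonType":0,"ClientIPAddress":"198.51.100.4","OperationProperties":[{"Name":"MailAccessType","Value":"Sync"}]}
]
'@
$Records = $SampleJson | ConvertFrom-Json

function Find-UnexpectedMailAccess {
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        [Parameter(Mandatory)] [string[]] $ExpectedAppIds
    )
    $Flagged = foreach ($R in $Records) {
        if ($R.Operation -ne 'MailItemsAccessed') { continue }
        # A record without an AppId cannot match the baseline, so report it rather than skip it
        $AppId = if ([string]::IsNullOrWhiteSpace($R.AppId)) { '(none)' } else { [string]$R.AppId }
        $Reasons = @()
        if ($AppId -notin $ExpectedAppIds) { $Reasons += 'AppId outside baseline' }
        if ([int]$R.LogonType -ne 0)       { $Reasons += 'Non-owner logon' }   # 0 = owner, 1 = admin, 2 = delegate
        if ($Reasons.Count -eq 0) { continue }
        [pscustomobject]@{
            Mailbox    = $R.MailboxOwnerUPN
            Actor      = $R.UserId
            AppId      = $AppId
            ClientIP   = $R.ClientIPAddress
            Time       = [datetime]$R.CreationTime
            AccessType = ($R.OperationProperties | Where-Object { $_.Name -eq 'MailAccessType' }).Value
            Throttled  = (($R.OperationProperties | Where-Object { $_.Name -eq 'IsThrottled' }).Value -eq 'True')
            Reason     = $Reasons -join '; '
        }
    }
    if (-not $Flagged) { return }

    # One summary row per mailbox and AppId, so an investigator sees the scope of each anomaly
    $Flagged | Group-Object -Property Mailbox, AppId | ForEach-Object {
        $Times = @($_.Group.Time | Sort-Object)
        [pscustomobject]@{
            Mailbox     = $_.Group[0].Mailbox
            AppId       = $_.Group[0].AppId
            Events      = $_.Count
            Reasons     = ($_.Group.Reason | Sort-Object -Unique) -join ' | '
            Actors      = ($_.Group.Actor | Sort-Object -Unique) -join ', '
            ClientIPs   = ($_.Group.ClientIP | Sort-Object -Unique) -join ', '
            AccessTypes = ($_.Group.AccessType | Where-Object { $_ } | Sort-Object -Unique) -join ', '
            # Throttled mailboxes may have access that was never logged, so treat counts as a minimum
            AnyThrottled = [bool]($_.Group | Where-Object { $_.Throttled })
            FirstSeen   = $Times[0]
            LastSeen    = $Times[-1]
        }
    }
}

Find-UnexpectedMailAccess -Records $Records -ExpectedAppIds $BaselineAppIds | Format-List
```

The quality of the result depends on the baseline: build the list of expected AppId values from a period of known-good activity in your own tenant before relying on it.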

The Cost of Security

As Paul notes, some organizations don’t use MailItemsAccessed because they didn’t want to pay for enhanced auditing. Although avoiding cost is a reasonable perspective, it does raise the issue of why Microsoft insists that customers pay extra to log events that are so important for investigation of potential incidents. Some feel it’s an example of extracting additional revenue from a captive market. After all, the 400 million Office 365 monthly active users don’t exactly have a choice of auditing provider.

On July 19, Microsoft decided that it was best to reverse course and announced that they would make enhanced logging available to Office 365 E3/Microsoft 365 E3 tenants, saying “customers will receive deeper visibility into security data, including detailed logs of email access and more than 30 other types of log data previously only available at the Microsoft Purview Audit (Premium) subscription level. In addition to new logging events becoming available, Microsoft is also increasing the default retention period for Audit Standard customers from 90 days to 180 days.”

Audit Updates Coming in September 2023

According to Microsoft, they will deploy the necessary updates to expose the additional audit events and to increase audit event retention to 180 days to all commercial and government customers during September 2023. The update hasn’t reached my tenant yet because any attempt to enable the MailItemsAccessed event for a mailbox with an Office 365 E3 license fails as follows:

Set-Mailbox -Identity Lotte.Vetler -AuditOwner @{Add="MailItemsAccessed"}

Set-Mailbox: |Microsoft.Exchange.Management.Tasks.RecipientTaskException|Auditing of MailItemsAccessed event is only available for users with appropriate license. Please visit the documentation to know more about this.

When the update lands, Microsoft hasn’t said if they will retrospectively enable the MailItemsAccessed event for mailboxes with Office 365 E3 or Microsoft 365 E3 licenses. It’s entirely possible that Microsoft will not update mailbox audit configurations to add the MailItemsAccessed event for existing mailboxes. We also don’t know if Microsoft will enable new mailboxes for the event in the same way that they enable the event automatically for mailboxes licensed for Purview Audit Premium. An arguable case exists that managing mailbox audit configurations is an operation best left to tenants, especially if tenants use non-standard mailbox auditing configurations.

My advice is to take control of the situation and:

  • Check that mailbox auditing is enabled for all mailboxes. This note in Microsoft documentation implies that mailboxes with Purview Audit Standard still need to enable auditing to force flow of mailbox audit events from Exchange Online to the unified audit log. This was certainly the case, but a quick test with a new mailbox created today saw mailbox events appear in the unified audit log. In any case, it’s best to be sure.
  • Include the MailItemsAccessed event in the audit configuration for all mailboxes. Some years ago, I wrote a script to make sure that auditing was enabled for all mailboxes. It is easy to adapt the script to update mailbox audit configuration with the MailItemsAccessed event.
  • Consider a more automated approach to maintain mailbox audit configurations. Using a scheduled PowerShell runbook managed by Azure Automation is a mechanism well suited to this kind of task. If the runbook operated on a weekly basis, the user accounts created during the last week can be found with code like this:

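# Compute the cutoff in UTC to match the Z suffix; HH is the 24-hour clock (hh is 12-hour and loses AM/PM)
$LastWeek = (Get-Date).ToUniversalTime().AddDays(-7)
$T = Get-Date $LastWeek -Format "yyyy-MM-ddTHH:mm:ssZ"
# -All pages through every matching account instead of stopping at the first page of results
[array]$Users = Get-MgUser -All -Filter "createdDateTime ge $T" -Property Id, UserPrincipalName, CreatedDateTime, DisplayName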
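One way to carry out the first two checks in the list above is shown below as an added example; it is not the author's script, and the function names Get-MailboxAuditGap and Repair-MailboxAudit are hypothetical. It goes beyond the article's single Set-Mailbox command by also checking the delegate and admin logon types, and the mailbox objects used for the offline demonstration are constructed.

```powershell
# Added example. Get-MailboxAuditGap is pure logic and runs offline against any objects that
# carry the mailbox audit properties. Repair-MailboxAudit calls Set-Mailbox, so it needs the
# ExchangeOnlineManagement module and a session opened with Connect-ExchangeOnline.
$AuditAction = 'MailItemsAccessed'

function Get-MailboxAuditGap {
    param([Parameter(Mandatory, ValueFromPipeline)] $Mailbox)
    process {
        # Collect the logon types whose audit set lacks the action (null or empty sets count as lacking it)
        $Missing = foreach ($LogonType in 'AuditOwner', 'AuditDelegate', 'AuditAdmin') {
            if (@($Mailbox.$LogonType) -notcontains $AuditAction) { $LogonType }
        }
        $Missing = @($Missing)
        if (-not $Mailbox.AuditEnabled -or $Missing.Count -gt 0) {
            [pscustomobject]@{
                UserPrincipalName = $Mailbox.UserPrincipalName
                AuditEnabled      = [bool]$Mailbox.AuditEnabled
                MissingFrom       = $Missing
            }
        }
    }
}

function Repair-MailboxAudit {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)] $Gap)
    process {
        # Build one Set-Mailbox call that only touches the logon types that need the action
        $Params = @{ Identity = $Gap.UserPrincipalName; AuditEnabled = $true }
        foreach ($LogonType in $Gap.MissingFrom) { $Params[$LogonType] = @{ Add = $AuditAction } }
        $Target = if ($Gap.MissingFrom.Count) { $Gap.MissingFrom -join ', ' } else { 'no audit sets' }
        if ($PSCmdlet.ShouldProcess($Gap.UserPrincipalName, "Enable auditing; add $AuditAction to $Target")) {
            try {
                Set-Mailbox @Params -ErrorAction Stop
                [pscustomobject]@{ UserPrincipalName = $Gap.UserPrincipalName; Result = 'Updated' }
            } catch {
                # For example, the licensing exception quoted earlier in the article
                Write-Warning ("{0}: {1}" -f $Gap.UserPrincipalName, $_.Exception.Message)
                [pscustomobject]@{ UserPrincipalName = $Gap.UserPrincipalName; Result = 'Failed' }
            }
        }
    }
}

# Offline demonstration with constructed mailbox objects
$SampleMailboxes = @(
    [pscustomobject]@{ UserPrincipalName = 'compliant.user@example.com'; AuditEnabled = $true
        AuditOwner = @('Update', 'MailItemsAccessed'); AuditDelegate = @('Update', 'MailItemsAccessed'); AuditAdmin = @('Update', 'MailItemsAccessed') }
    [pscustomobject]@{ UserPrincipalName = 'owner.gap@example.com'; AuditEnabled = $true
        AuditOwner = @('Update', 'HardDelete'); AuditDelegate = @('Update', 'MailItemsAccessed'); AuditAdmin = @('Update', 'MailItemsAccessed') }
    [pscustomobject]@{ UserPrincipalName = 'audit.off@example.com'; AuditEnabled = $false
        AuditOwner = @(); AuditDelegate = @(); AuditAdmin = @() }
)
$SampleMailboxes | Get-MailboxAuditGap | Format-Table -AutoSize

# Tenant run, all user mailboxes (preview first with -WhatIf, then remove it):
#   Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox `
#       -Properties AuditEnabled, AuditOwner, AuditDelegate, AuditAdmin |
#       Get-MailboxAuditGap | Repair-MailboxAudit -WhatIf
#
# Weekly runbook, only the accounts in $Users found by the Get-MgUser query above:
#   $Users | ForEach-Object {
#       Get-EXOMailbox -Identity $_.UserPrincipalName -ErrorAction SilentlyContinue `
#           -Properties AuditEnabled, AuditOwner, AuditDelegate, AuditAdmin
#   } | Get-MailboxAuditGap | Repair-MailboxAudit
```

Changing the audit actions for a logon type customizes that set for the mailbox, so check the mailbox's DefaultAuditSet property afterwards if you rely on Microsoft's default actions.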

The MailItemsAccessed Event Really is High-Value

No one likes being caught on the back foot when things go wrong. But if problems occur, it’s good to have as much data as possible. The MailItemsAccessed event increases the amount of information available about what attackers might have done inside Exchange Online mailboxes. That’s one good reason to make sure to capture the events and know how to use them during forensic investigations.

Create a task for yourself to check mailbox audit configurations at the end of September 2023 and make sure that the MailItemsAccessed event is captured. You know it makes sense.


Learn about using Exchange Online and the rest of Office 365 by subscribing to the Office 365 for IT Pros eBook. Use our experience to understand what’s important and how best to protect your tenant.

Microsoft Adds Code Blocks to Loop App
https://office365itpros.com/2023/09/05/loop-app-code/
Tue, 05 Sep 2023 01:00:00 +0000

Collaboration to Develop Code in Loop

On May 23, 2023, Microsoft hinted in a tweet that they would soon bring code blocks to Loop. The idea is that users can insert code blocks in Loop workspaces and pages to collaborate with other people to develop ideas, fix bugs, and otherwise explore code. Last week, code blocks finally showed up in the Loop app (still in preview). The new type doesn’t appear in the set of Loop components currently available in Teams chat and Outlook. This is probably a timing issue and upcoming builds are likely to include the code component soon.

Writing PowerShell in the Loop App

The Office 365 for IT Pros eBook contains over 1,200 PowerShell examples, so I decided to use the Loop app to write some PowerShell. In a page, I typed “/” to see the set of blocks available and chose “Code” from the list. I then started to write PowerShell code (Figure 1).

Figure 1: Writing PowerShell code in the Loop app

The editor used for the code block is very simple. It’s like the editor invoked by Teams when people insert code snippets in chat or channel messages. Don’t expect to find code syntax checking of the type available in Visual Studio Code because none exists. Cmdlet parameters and variable names don’t autocomplete either.

But having a simple way to input rough code might be OK. The purpose of the code block is to share code with others to develop a collaborative solution to a problem. Once those involved have collaborated to find an answer, the resulting code can be copied into a development environment to check for syntax errors before testing.

Sharing Code Through Teams and Outlook

Astute observers will note that the code shown in Figure 1 is in a Loop component. That’s because I wanted to share the code with others through Outlook and Teams. Because the Loop integration with these apps only supports Loop components, it’s necessary to create a Loop component from the code block. This action results in the creation of a shareable file in Syntex Repository Services. You can then copy the component (or rather, generate a link to the component) and paste it into Teams chat (Figure 2) or an Outlook message.

Figure 2: Editing code in a Loop component in Teams chat

It’s possible that by the time you read this text, you’ll be able to create a Loop code component in Teams and Outlook and do the reverse by including that component in a page in the Loop app.

Will People Use Code Blocks in Loop

Although it’s nice to be able to create code in the Loop app, a big question remains whether anyone will use Loop as the basis for collaboration for code-based projects. If the code block was more intelligent and incorporated syntax checking, then I would be more positive. For now, the code block is a good way to jot down some rough approximate ideas in pseudo code with the big caveat that whatever’s produced must be copied to a development environment for validation and testing.

The fact that Loop remains an internal-facing application with no ability to share outside a tenant is also problematic. Many of the folks I ask questions of when I run into a coding issue work outside of my tenant. I can’t drop some code into Loop and ask those people to collaborate with me in a code block or code component because they can’t access the code. I guess I’ll continue to paste code into Teams federated chat or email when I need an external answer to a problem.


Microsoft Strikes Deal with European Commission to Unbundle Teams
https://office365itpros.com/2023/09/04/microsoft-365-eea-license/
Mon, 04 Sep 2023 01:00:00 +0000

New Microsoft 365 EEA Licenses Available on October 1


Microsoft’s 31 August announcement of a new licensing structure for Office 365 and Microsoft 365 enterprise licenses in the European Economic Area (EEA) and Switzerland makes common sense. It recognizes that it makes no sense for Microsoft to clash with the European Union over an anti-competition complaint made by Slack in July 2020 because Microsoft includes Teams in many of its Office 365 and Microsoft 365 SKUs.

The new Microsoft 365 EEA License arrangement comes into force from October 1, 2023. In a nutshell, customers who have current SKUs that include Teams don’t have to do anything and can continue to use and renew these licenses (including Teams) as before.

After October 1, new customers in the EEA can only buy Office 365 and Microsoft 365 licenses which exclude Teams. The new licenses are only available to “net new” customers in the EEA, and the new licenses are priced slightly cheaper than current offerings. For example, Office 365 E3 with Teams currently costs EUR25.10. The new Office 365 E3 EEA license is priced at EUR23.10. If a customer who buys the EEA license decides that they want Teams, they must buy a separate Microsoft Teams EEA license for EUR5/user/month.

Those who excel at math can quickly see that the new Microsoft 365 EEA license combination costs EUR3 more for customers that want Teams. Such is the cost of facilitating competition and choice. See this list for full details of the new license pricing.

A Good Deal

Despite the additional cost imposed on EEA customers, this is a good deal. No one (except lawyers) would win if Microsoft had a long drawn-out dispute with the European Commission. Driving to a deal now removes the need for interminable discussions about the integration of Teams in Microsoft 365.

Slack certainly wouldn’t gain any benefit. Their original protest happened in a completely different context when Slack might have felt that they were an alternative to Teams. The simple fact is that Slack wasn’t in July 2020 and is even less so today. Teams is so embedded into the Microsoft 365 and Azure ecosystems that Slack was never really an alternative to any customer who valued the interaction between Teams and the other Microsoft 365 workloads like Exchange Online, SharePoint Online, OneDrive for Business, Planner, and so on.

Microsoft says that “We believe that business customers in Europe and around the world expect a modern work solution to include modern communication and collaboration capabilities.” This might not have been true when we first saw Teams in 2016, but it’s absolutely true today. The fact that Teams has more than 300 million daily active users is evidence of how customers use the kind of communication capabilities available in Teams. It’s also an example of how the old adage that “possession is nine-tenths of the law” holds true. Microsoft has a huge installed base for Teams that’s been acquired through the Microsoft 365 ecosystem. Cutting Teams away at this point probably won’t impact Microsoft greatly.

Better Access to Teams APIs

Slack has attempted to integrate with Teams over the years and might feel that Microsoft doesn’t expose enough APIs to allow their code to integrate deeply with Teams. The Graph APIs have improved over the years but it’s true that they can be opaque at times. On the upside, the Teams app store included 2,154 apps on September 2, 2023, so Microsoft is doing something right in terms of attracting app developers to the platform.

To address issues around API access, Microsoft says that they “will create new support resources to better organize and point application developers to the existing and publicly available application programming interfaces (APIs) and extensibility in Microsoft 365 and Office 365 apps and services that connect with Teams.” Now, this might end up as no more than better documentation and API examples (always welcome), but I doubt that will be sufficient to assuage the anti-competition doubts of the European Commission. It will be interesting to see what Microsoft does here to make Teams a more open platform for third parties.

Microsoft also made a commitment to make the Office web apps more accessible to third party apps, saying “we will develop a new method for hosting the Office web applications within competing apps and services much like Microsoft accomplishes in Teams.” In other words, a third party app should be able to call Office viewers or the Office web apps to process documents accessible to Teams (in SharePoint Online or OneDrive for Business) without leaving the app.

The European Commission has not signalled yet whether they consider Microsoft’s initiative to be sufficient to dismiss the complaint. The nature of these things is that a certain amount of behind-the-scenes negotiation happened to prepare the way, so it’s likely that this move is enough, even if it still needs final sanction.

Microsoft 365 EEA Licenses Clear the Deck for Copilot

In some respects, Copilot for Microsoft 365 is a much bigger threat to the likes of Slack than including Teams in Office 365 and Microsoft 365. Copilot explicitly requires user data to be in Microsoft 365 (natively or through Graph connectors) before it can be used to respond to user prompts. Whether the European Commission considers using artificial intelligence to process user data to be an anti-competitive tactic remains to be seen. But for now, Microsoft has done enough to clear the deck to prepare for the introduction of Copilot for Microsoft 365 without worrying too much about complaints filed three years ago.


Microsoft Removes Reuse Files Feature from Word
https://office365itpros.com/2023/08/31/reuse-files-word/
Thu, 31 Aug 2023 01:00:00 +0000

Perhaps an Indication that Copilot Does a Better Job?

When I read message center notification MC668802 (18 Aug 2023), the thought went through my mind that Microsoft’s intention to retire the Reuse Files in Word feature might be a reflection of their focus on Copilot for Microsoft 365.

Starting in August 2023, users won’t see the Reuse Files option in the Word ribbon. However, you can still search for and use the feature. When you launch Reuse Files, Word uses Graph API calls to find documents that it thinks you might want to copy content from or include a link to in your current file (Figure 1).

Figure 1: Reuse Files feature in Word

Reuse Files was introduced in late 2020, and I thought that the idea of being able to build new documents by reusing work previously done is good. However, Microsoft says that by January 2024, they will remove all traces of the Reuse Files feature from Word. Microsoft didn’t say anything about the availability of Reuse Files in Outlook (for Windows). Nor did they say if the Reuse Slides feature in PowerPoint will disappear sometime in the future.

Improving Your Subscription by Removing Reuse Files

In MC668802, Microsoft says that they are “committed to improving your Microsoft 365 subscription” and “we occasionally remove features and benefits that duplicate equivalent offerings.”

The comment about duplicating equivalent offerings is what brings me to Copilot. It can be argued that the reuse files feature could be replicated by simply opening a Word document and copying text from it into your file. The difference is intelligence. The Reuse Files feature uses Graph API requests to find files that the app thinks might be of use. Unfortunately, the initial set of files that it lists are usually just the last set of files that you’ve worked on, and the files found when you enter a search term don’t always seem to match the request.

At $30/user/month (plus an eligible Microsoft 365 subscription), Microsoft 365 Copilot is expensive. The required investment makes it imperative that organizations select those allowed to use Copilot with care, even if you believe the hype that users only need to get a couple of dollars value from using Copilot to offset its cost. But what we know of Copilot to date is that it applies a lot of artificial intelligence technology to find information to respond to user prompts (queries). In addition, tenants that use Copilot have a semantic index to help find appropriate information. That’s something which doesn’t exist in normal tenants.

Perhaps Microsoft is removing “AI Lite” features like Reuse Files from the playing field to give Copilot a clear run. Put another way, not having features like Reuse Files in the Microsoft 365 apps emphasizes the usefulness and capabilities of Copilot for Microsoft 365.

Maybe an Innocuous Decision

It’s entirely possible that I am reading too much into an innocuous decision by Microsoft to remove a feature that isn’t used very much. Microsoft might have decided that the engineering effort required to maintain and support the Reuse Files feature isn’t worth it because of low usage (or because the feature really isn’t very good). After all, if users don’t know about a feature, they won’t use it (OWA search refiners might be another example).

Only Microsoft knows, and they cloud the decision in words that make it seem that the removal of the Reuse Files feature is for our own good. Maybe it is. Who knows?

Clearing the Deck

Microsoft removes relatively few features from Microsoft 365. Clutter is one example, replaced by Outlook’s Focused Inbox. It’s nice to think that Microsoft removes items to improve our subscriptions. I suspect that the truth is that feature removals clear the deck and make it easier for Microsoft rather than users.


Teams Admin Center Withdraws Dark Mode Support
https://office365itpros.com/2023/08/28/teams-admin-center-dark-mode/
Mon, 28 Aug 2023 01:00:00 +0000

Surprise Announcement Highlights Inconsistencies Across Microsoft 365 Consoles

Microsoft’s 17 August announcement that they are not proceeding with support for dark mode in the Teams admin center (TAC) came as a surprise. Microsoft originally announced the feature in message center notification MC567496 (2 Jun 2023). I covered the news briefly on June 6 and pointed out that dark mode for TAC had some problems with custom tenant colors. This didn’t seem like a big issue at the time. It’s the kind of fit-and-finish bug that tends to be taken care of before final release.

I don’t know why Microsoft decided not to deliver dark mode for TAC. Microsoft’s announcement simply says “We have made the decision not to proceed with this feature at this time,” which could mean anything. What’s for sure is that the toggle to enable dark mode has disappeared and won’t come back until Microsoft decides what to do next.

The news about TAC got me thinking about why Microsoft doesn’t have a common platform for Microsoft 365 administrative consoles. Despite efforts to make the consoles look and feel similar, the interfaces have their own foibles.

Authorization and Tokens

Take authorization as an example. The admin consoles use modern authentication, so the consoles need to acquire OAuth 2.0 access tokens and renew the tokens when they expire. Making token renewal a seamless experience for administrators seems to be a very complex technical challenge for the console developers.

The Microsoft 365 admin center manages things best. Behind the scenes, the console takes care of token renewal without a hitch. I seldom experience issues with this console, even after keeping the admin center open for extended periods. The SharePoint Online admin center is also pretty good. Other consoles struggle to deliver an elegant solution to token refresh.

For example, the new-and-improved Exchange admin center flashes errors up when it discovers the need to renew an expired token. Flash is the operative word because an error message appears and disappears in the blink of an eye. However, it’s there and I know it’s there and I worry that something more problematic than a brief pause in token renewal is the root cause. It seems like an issue that is highly solvable.

The Microsoft Purview compliance portal takes a more pedantic stance and insists that administrators should sign in regularly (Figure 1). At least you know where you are and what to do to proceed, and an arguable case exists that the compliance portal gives access to solutions that protect confidential information. But the inconsistency in behavior is obvious and jarring.

Figure 1: The Purview compliance portal requires a new sign in

Teams Admin Center

And then we come to the Teams admin center. This console is fond of launching and appearing to work as normal before suddenly deciding that it should sign out the connected user (Figure 2). This action forces the user to reauthenticate before they can connect to TAC. And it can force the user to sign in again to other Microsoft 365 apps.

Figure 2: A sign out invoked by the Teams admin center

I’ve complained to Microsoft about TAC’s odd connection procedure several times. Each time I’m told things will improve. And to be fair to Microsoft, the issue occurs much less frequently now than it did in the past. Perhaps recent changes to the TAC contained some new code to address the problem. But I don’t trust TAC because I’ve experienced the sign-out issue within the last few weeks. I’m now keeping a watching brief on TAC to see if the issue reappears and if so, whether I can identify specific circumstances that might provoke the sign-out.

Dark Mode Support Across Admin Consoles

With the decision made not to support dark mode for TAC, the situation is that two of the five main Microsoft 365 admin consoles support dark mode while three do not:

  • Support dark mode: Microsoft 365 admin center (Figure 3), Exchange Online admin center.
  • Do not support dark mode: Teams admin center, Microsoft Purview compliance portal, SharePoint Online admin center.

Figure 3: Option to set dark mode in the Microsoft 365 admin center

The inconsistent implementation of dark mode is only an indication of the lack of consistency which still exists across the Microsoft 365 admin consoles. It demonstrates that Microsoft still has work to do to make Microsoft 365 administration a unified space. And when they’re doing that, making access token renewal work the same way across all consoles would be a great thing to do.


Microsoft Prepares Partners for Microsoft 365 Copilot
https://office365itpros.com/2023/08/25/microsoft-365-copilot-partners/
Fri, 25 Aug 2023 01:00:00 +0000

Get Software, Prompts, and Content Right to Make Microsoft 365 Copilot Work

Ever since Microsoft announced Copilot for Microsoft 365 last March, I’ve spent time to learn about concepts like generative AI to better understand the technology. I’ve also tracked Microsoft’s announcements to interpret their messaging about Copilot and analyzed the costs organizations face to adopt Copilot. Given the hefty licensing costs, I’ve reflected on how organizations might go about deciding who should get Copilot. You could say that I’ve thought about the topic.

Which brings me to a Microsoft partner session delivered yesterday about preparing for Microsoft 365 Copilot. I wrote on this theme last June, so wanted to hear the public messages Microsoft gives to its partners to use in customer engagements.

Get the Right Software

Mostly, I didn’t learn anything new, but I did hear three messages receive considerable emphasis. The first is that customers need the right software to run Microsoft 365 Copilot. Tenants need:

  • Microsoft 365 apps for enterprise.
  • Outlook Monarch.
  • Microsoft Loop.
  • Microsoft 365 Business Standard, Business Premium, E3, or E5.

Apart from mentioning the semantic index, nothing was said about the focus on Microsoft 365 SKUs. The semantic index preprocesses information in a tenant to make it more consumable by Copilot. For instance, the semantic index creates a custom dictionary of terms used in the organization and document excerpts to help answer queries. The idea is that the semantic index helps to refine (“ground”) user queries (“prompts”) before they are processed by the LLM.

Nice as the semantic index is, there’s nothing in the selected Microsoft 365 SKUs to make those SKUs amenable to the semantic index. Microsoft has simply selected those SKUs as the ones to support Copilot. It’s a way to drive customers to upgrade from Office 365 to Microsoft 365, just like Microsoft insists that customers use Outlook Monarch instead of the traditional Outlook desktop client.

Mastering Prompts

Quite a lot of time was spent discussing the interaction between users and Copilot. Like searching with Google or Bing, the prompts given to Copilot should be as specific as possible (Figure 1).

Figure 1: Constructing a Copilot prompt in Word (source: Microsoft)

It’s rather like assigning a task to a human assistant. Prompts are written in natural language and should:

  • Be precise and detailed.
  • Include context (for instance, documents that Copilot should include in its processing).
  • Define what output is expected (and what format – like a presentation or document).

The aim is to avoid the need for Copilot to interpret (guess) what the user wants. A human assistant might know what their boss wants based on previous experience and insight gained over time, but Copilot needs those precise instructions to know what to do.

Constructing good prompts is a skill that users will need to build. Given that many people today struggle with Google searches twenty years after Google became synonymous with looking for something, it’s not hard to understand how people might find it difficult to coax Copilot to do their bidding, even if Copilot is patient and willing to accept and process iterative instructions until it gets things right.

Microsoft 365 Copilot is different to other variants like those for Security and GitHub that are targeted at specific professionals. A programmer, for instance, has a good idea of the kind of assistance they want to write code and the acid test of what GitHub Copilot generates is whether the code works (or even compiles). It’s harder to apply such a black and white test for documents.

The Quality of Content

Microsoft talks about Copilot consuming “rich data sets.” This is code for the information that users store in Microsoft 365 workloads like Exchange Online, Teams, SharePoint Online, OneDrive for Business, and Loop. Essentially, if you don’t have information that Microsoft Search can find, Copilot won’t be able to use it. Documents stored on local or shared network drives are inaccessible, for instance.

All of this makes sense. Between the semantic index and Graph queries to retrieve information from workloads, Copilot has a sporting chance of being able to answer user prompts. Of course, if the information stored in SharePoint Online and other workloads is inaccurate or misleading, the results will be the same. But if the information is accurate and precise, you can expect good results.

This leads me to think about the quality of information stored in Microsoft 365 workloads. I store everything in Microsoft 365 and wonder how many flaws Copilot will reveal. I look at how coworkers store information and wonder even more. Remember, Copilot can use any information it can find through Microsoft Search (including external data enabled through Graph connectors), which underlines the need to provide good guidance in the prompts given to Copilot. Letting Copilot do its own thing based on anything it can find might not be a great strategy to follow.

Lots Still to Learn

Microsoft 365 Copilot is still in private preview (at a stunning $100K fee charged to participating customers). Until the software gets much closer to general availability, I suspect that we’ll have more questions than answers when it comes to figuring out how to deploy, use, manage, and control Copilot in the wild. We still have lots to learn.

If you’re in Atlanta for The Experts Conference (September 19-20), be sure to attend my session on Making Generative AI Work for Microsoft 365 when I’ll debate the issues mentioned here along with others. TEC includes lots of other great sessions, including a Mary-Jo Foley keynote about “Microsoft’s Priorities vs. Customer Priorities: Will the Two Ever Meet?” TEC is always a great conference. Come along and be amused (or is that educated?)


Microsoft Replaces User Data Search with Standard eDiscovery
https://office365itpros.com/2023/08/14/user-data-search-replaced/
Mon, 14 Aug 2023 01:00:00 +0000

A New Method to Handle GDPR DSRs

This one is for the compliance purists, or at least, those concerned with dealing with GDPR data subject requests (DSRs). Message center notification MC664475 (3 Aug 2023) announces that Microsoft is retiring the User data search tool (previously called the Data subject requests tool) with effect from August 30, 2023. Active cases will move to eDiscovery (standard) and can be processed to completion there.

DSRs came about when GDPR gave individuals (the data subjects) the right to recover any information an organization held about them. A DSR is a formal request for that information which the receiving organization must respond to within a month. Microsoft’s user data search solution is a wizard that creates a special form of a standard eDiscovery case with a search designed to find the relevant information.

Microsoft says that there’s been an increase in DSRs and notes that the User data search tool is not as functional as eDiscovery standard. The tool doesn’t take advantage of changes and improvements added to eDiscovery standard recently, so it makes sense to replace the tool and concentrate on a single set of features.

Search Query to Find All User Data

To help with the transition, Microsoft published a sample Keyword Query Language (KQL) query to find emails and documents authored by the subject of a user data search. The query is:

participants:"<user name>" OR author:"<user name>" OR createdby:"<user name>"(c:c)(ItemClass=IPM.Document)(ItemClass=IPM.Note)(ItemClass=IPM.Note.Microsoft.Conversation)(ItemClass=IPM.Note.Microsoft.Missed)(ItemClass=IPM.Note.Microsoft.Conversation.Voice)(ItemClass=IPM.Note.Microsoft.Missed.Voice)(ItemClass=IPM.SkypeTeams.Message)

The query can be used with a content search or eDiscovery case search. The important thing is to make sure that the search covers all Exchange Online and SharePoint Online locations.

I tested the search query with a content search. I made three changes. First, I entered the user principal name of the user to search for. Second, I removed the “(c:c)” entry from the search as this term is usually only inserted by the query editor when it checks the syntax and completeness of queries. Finally, I removed the trailing double quotation mark as it wasn’t needed. Figure 1 shows the query as input into the KQL editor. The syntax check advises that the query is quite dense and difficult to read, but that doesn’t affect the effectiveness of the query.

Figure 1: Entering the KQL query for a user data search

Figure 2 shows the search statistics. Remember that content searches always perform an initial estimate based on search indexes, which is what we see here. The final output for a search is generated when exporting search results. However, the estimate creates a good picture of where content related to the user is present. In this instance, it’s mostly in Exchange Online mailboxes, which implies that the user didn’t create many documents stored in SharePoint Online or OneDrive for Business.

Figure 2: Reviewing statistics for a user data search
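
The same search can be created and estimated from Security & Compliance PowerShell. This is an added example, not code from the original article or from Microsoft. It assumes the ExchangeOnlineManagement module and an account permitted to create content searches; the user principal name and search name are constructed placeholders.

```powershell
# Added example: run the user data search query as a content search over all
# Exchange Online and SharePoint Online locations and read the estimate.
Connect-IPPSSession

$Upn        = 'kim.akers@contoso.example'                     # constructed sample value
$SearchName = "DSR-$(Get-Date -Format 'yyyyMMdd-HHmmss')"     # constructed search name

# The UPN is placed inside a double-quoted KQL term, so refuse values that
# could close the quote or add clauses that widen the search.
if ($Upn -notmatch '^[^"\s()]+@[^"\s()]+$') {
    throw "Refusing to build a query from an unexpected UPN value: $Upn"
}

# Item classes listed in the sample query quoted in the article.
$ItemClasses = @(
    'IPM.Document'
    'IPM.Note'
    'IPM.Note.Microsoft.Conversation'
    'IPM.Note.Microsoft.Missed'
    'IPM.Note.Microsoft.Conversation.Voice'
    'IPM.Note.Microsoft.Missed.Voice'
    'IPM.SkypeTeams.Message'
)

# Same shape as the sample query after the edits described in the article:
# the UPN replaces <user name> and the "(c:c)" term is left out.
$Query  = 'participants:"{0}" OR author:"{0}" OR createdby:"{0}"' -f $Upn
$Query += ($ItemClasses | ForEach-Object { "(ItemClass=$_)" }) -join ''

# "All" for both parameters covers every mailbox and every site, including OneDrive.
New-ComplianceSearch -Name $SearchName -ExchangeLocation All `
    -SharePointLocation All -ContentMatchQuery $Query | Out-Null
Start-ComplianceSearch -Identity $SearchName

# Poll until the estimate finishes, giving up after 30 minutes.
$Deadline = (Get-Date).AddMinutes(30)
do {
    Start-Sleep -Seconds 15
    $Search = Get-ComplianceSearch -Identity $SearchName
} while ($Search.Status -ne 'Completed' -and (Get-Date) -lt $Deadline)

if ($Search.Status -ne 'Completed') {
    Write-Warning "Search $SearchName is still in status $($Search.Status)"
}

# Items and Size are the index-based estimate, not the final export count.
$Search | Format-List Name, Status, Items, Size, ContentMatchQuery
```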

Searching is Only the Start

Running a search to find information is only the start of satisfying a DSR. Among points that should be considered are:

  • Content searches and eDiscovery standard can only find information in cloud locations. In hybrid environments, you might need to run searches against on-premises servers.
  • Because of the way that Exchange Online delivers separate messages to recipient mailboxes, there are likely to be many duplicates in the search results.
  • When you export search results, Exchange Online decrypts protected messages. Only eDiscovery premium decrypts protected documents when exporting those files, so some other arrangements might be needed to remove sensitivity labels from protected documents before their content is checked and the files can be passed to the user.
  • Searches do not address the need to remove information about a data subject (the right to be forgotten defined in Article 17 of the GDPR). However, the reports generated for a search tell you where data matches are found and act as a guide for checking individual locations and items to decide whether items are relevant and what content should be removed. Remember, not all data found for a data subject needs to be removed from locations as it is legally permissible to keep data under certain circumstances, such as the requirement to comply with a legal obligation.

The work to prepare to hand over information to the person who requested the DSR starts when the search export finishes. Unlike the search and export operations, reviewing the exported material is a manual process that can become very time consuming, especially for people who aren’t accustomed to responding to DSRs.

Sensible Change

Compliance nerds (like me – as evident in this article about using targeted collections in content searches) will understand why Microsoft removed a specialized tool in favor of a more generic approach. Let’s hope that the engineering resources released by the move help to improve content searches and eDiscovery standard. Better performance for content searches would be a start. They haven’t improved much in that respect since the introduction of the new UI in 2021.

Microsoft Makes it Easier for Tenants to Enable the Loop App
https://office365itpros.com/2023/08/09/enable-loop-app-tenant/
Wed, 09 Aug 2023 01:00:00 +0000

One Click to Make the Loop App Available to All Users

In an unannounced August 7 change (no blog post, no message center notification), Microsoft updated the Microsoft 365 admin center to introduce a one-click control to enable Loop for a tenant. The new setting is located in the Services section of Org settings (Figure 1).

Figure 1: Option to enable Loop in the Org Settings section of the Microsoft 365 admin center

Selecting the option displays the screen shown in Figure 2. Click the option “Microsoft Loop workspaces are available to all users in my organization” and the job is done. There’s no need to configure SharePoint Online with PowerShell or deploy a cloud policy to enable users.

Figure 2: Option to enable the Loop app for everyone in a tenant

As explained in the Microsoft documentation, organizations now have two options to deploy Loop.

  1. Use the one-click approach to make Loop available to everyone.
  2. Use a cloud policy to restrict access to the set of user accounts specified in a group.

I’m all for making things easier, so view the new setting as a good change. It’s also indicative of the kind of change that happens as an app makes its way through preview toward general availability. When Loop reaches general availability, the app is likely to be available to all users by default. This is the normal approach taken by Microsoft and there’s no reason to believe that they’ll do something different for Loop.

One thing that might change with general availability is how to exert granular control over Loop so that some users can use the app and others cannot. Today, control is via a cloud policy. In the future, it might be via a service plan that’s part of the license assigned to user accounts.

What Happens Behind the Scenes

If you opt to enable Loop for everyone, the code behind the Microsoft 365 admin center option enables all the prerequisites for Loop and sets a tenant setting to allow Loop for all. It then checks if a cloud policy already exists. If a policy is in place, Microsoft updates its settings to allow the tenant setting to take precedence (Figure 3).

Figure 3: Once the tenant setting is enabled, the cloud policy to control the Loop app is disabled

Loop PWA in Microsoft Store

Speaking of Loop, another recent change is the appearance of a Loop app in the Microsoft Store (Figure 4). This is a PWA wrapper around the Loop web app that allows Loop to install as a desktop app.

Figure 4: The Loop PWA in the Microsoft Store

The good news is that the Loop PWA works well. I’ve been using it for a couple of weeks and haven’t run into any issues. It’s not a desktop app in the traditional sense, but it’s more than a good enough alternative.

Loop Everywhere

Apart from the Loop app, Loop components are available in Teams chat (but still not channel conversations), Teams meetings (agenda, notes, and to-do lists), OWA, Outlook desktop, and Outlook Monarch. The ecosystem is building out and appears to be on the way to replacing OneNote eventually. I’d like to make more use of Loop in my day-to-day work, but as most of my projects involve external people who don’t have user accounts in my tenant, the inability of Loop to accommodate collaboration with anyone except internal users is a block. Hopefully, Microsoft will lift that restriction soon.


Managing Assigned Licenses for Deleted User Accounts
https://office365itpros.com/2023/08/07/deleted-user-account-licenses/
Mon, 07 Aug 2023 01:00:00 +0000

Why Some Deleted User Accounts Store License Assignment Information And Some Do Not

A reader asks why the Microsoft 365 admin center displays a license for a deleted user account (Figure 1). The follow-up question is how they can remove the license and reassign it to another user.

Figure 1: Deleted user account with license assignment information

The answer is that they don’t need to do anything. When an administrator removes a user account, Entra ID moves the account into its deleted items container (aka the wastebasket). The deleted account remains there for 30 days, during which time an administrator can restore the account (see the big blue button in Figure 1). The ideal situation is for a restored account to come back with all its settings intact, including assigned licenses. Entra ID tracks the licenses that the deleted account once had so that it can reassign the licenses to the newly-restored account.

Any licenses assigned to a deleted user account become available following the account’s deletion. This includes accounts used for shared mailboxes where assigned licenses exist to enable features like archiving. No one wants to keep expensive licenses on ice pending account restores, so often the licenses end up being assigned to other accounts.

It Depends on How User Accounts Are Deleted

The interesting thing is that the presence of assigned licenses for deleted accounts depends on the method used to delete the account. When an administrator deletes an account through the Microsoft 365 admin center, the process removes license assignments before removing the account, which means that if you examine the properties of the deleted account afterward, no licenses are present (Figure 2).

Figure 2: Deleted user account with no license assignment information

However, if you use PowerShell or the Microsoft Entra admin center to remove an account, the deleted account object retains license information. The licenses are not assigned, but the license information is present in the properties of the deleted user object. This is why Figure 1 shows that a deleted account has a license.

The Microsoft 365 admin center removes licenses and other administrative interfaces do not because of the multi-phase process the Microsoft 365 admin center uses for account removal. The process includes steps such as giving another user access to the user’s OneDrive for Business account (Figure 3) to allow for the recovery of any important information before the permanent removal of the user account.

Figure 3: Steps in the Microsoft 365 admin center account deletion process

PowerShell and the Microsoft Entra admin center only concern themselves with the removal of the user account object, and that’s why some deleted user accounts have license assignment information and others do not.

Care Needed When Restoring Deleted Accounts

The Microsoft 365 admin center user restore process warns administrators to:

  • Assign licenses after restoring the account.
  • Change the account password.

A user account has no access to Microsoft 365 services after it is restored until these steps are complete.

By comparison, if you restore a deleted account through the Microsoft Entra admin center or PowerShell, the license assignments noted in the account properties become active again. This can lead to an over-assignment condition where too many user accounts have licenses for specific products, like Office 365 E3. In this situation, administrators must buy additional licenses or remove licenses from other accounts (or delete other accounts).

To check if the properties of any deleted accounts include license assignments, you can run these Microsoft Graph PowerShell SDK commands to fetch details of deleted accounts and report if any license data exists:

# Sign in with permission to read directory objects, including deleted users
Connect-MgGraph -Scopes Directory.Read.All
# Fetch deleted user accounts, most recently deleted first
[array]$DeletedUsers = Get-MgDirectoryDeletedItemAsUser -All -Property DeletedDateTime, Id, displayName, userPrincipalName, assignedLicenses | Sort-Object DeletedDateTime -Descending
ForEach ($User in $DeletedUsers) {
   # Report only the accounts whose properties still note license (SKU) identifiers
   If ($User.assignedLicenses) {
      $Licenses = $User | Select-Object -ExpandProperty assignedLicenses
      [string]$Skus = $Licenses.SkuId -join ", "
      Write-Host ("Deleted user {0} has license information noted in their account properties {1}" -f $User.displayName, $Skus)
   }
}

If you use PowerShell to script the recovery of user accounts, you should check for license assignments and validate that licenses are available before recovering the account. This article explains how to fetch subscription information using the Get-MgSubscribedSku cmdlet and the subscriptions API, including the count of assigned and available licenses. It’s easy to check if a license for a SKU is available before assigning it to a recovered account.

Alternatively, go ahead and recover the account and fix the licensing problem later through the Microsoft 365 admin center.
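
One way to script the pre-restore check described above, as an added example rather than code from the original article: it compares the SKUs noted on each deleted account with the free units reported by Get-MgSubscribedSku and flags any restore that would cause over-assignment. The $DoRestore variable and the report column names are introduced for this example; nothing is restored unless $DoRestore is set to $true.

```powershell
# Added example (not from the original article). Report-only by default:
# $DoRestore is a name introduced here; set it to $true to restore accounts.
$DoRestore = $false

Connect-MgGraph -Scopes "Directory.Read.All", "User.ReadWrite.All"

# Free units per SKU = purchased and enabled units minus units already consumed
$FreeUnits = @{}
$SkuName   = @{}
ForEach ($Sku in Get-MgSubscribedSku) {
   $FreeUnits[[string]$Sku.SkuId] = $Sku.PrepaidUnits.Enabled - $Sku.ConsumedUnits
   $SkuName[[string]$Sku.SkuId]   = $Sku.SkuPartNumber
}

# Show a SKU part number when the tenant still knows the SKU, else the raw id
$Name = { param($Id) If ($SkuName.ContainsKey($Id)) { $SkuName[$Id] } Else { $Id } }

# Deleted accounts, most recently deleted first, so they claim free units first
[array]$DeletedUsers = Get-MgDirectoryDeletedItemAsUser -All `
   -Property Id, displayName, userPrincipalName, assignedLicenses, deletedDateTime |
   Sort-Object DeletedDateTime -Descending

$Report = ForEach ($User in $DeletedUsers) {
   # SKUs noted in the deleted object; these become active again on restore
   $Needed = [System.Collections.Generic.List[string]]::new()
   ForEach ($License in $User.AssignedLicenses) { $Needed.Add([string]$License.SkuId) }

   # A SKU is short if the tenant no longer has it or no free unit remains
   $Short = @($Needed | Where-Object {
      -not $FreeUnits.ContainsKey($_) -or $FreeUnits[$_] -lt 1 })

   $Action = "Blocked: restore would over-assign licenses"
   If ($Short.Count -eq 0) {
      # Reserve the units so later accounts in this run cannot claim them too
      ForEach ($Id in $Needed) { $FreeUnits[$Id] -= 1 }
      $Action = "Safe to restore"
      If ($DoRestore) {
         Restore-MgDirectoryDeletedItem -DirectoryObjectId $User.Id | Out-Null
         $Action = "Restored"
      }
   }

   [PSCustomObject]@{
      User      = $User.DisplayName
      Deleted   = $User.DeletedDateTime
      Licenses  = @($Needed | ForEach-Object { & $Name $_ }) -join ", "
      Shortfall = @($Short  | ForEach-Object { & $Name $_ }) -join ", "
      Action    = $Action
   }
}

$Report | Format-Table -AutoSize
```

Accounts reported as blocked can still be restored deliberately, after which the licensing problem is fixed through the Microsoft 365 admin center as described above.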

Processing Differences Exist

This discussion reveals a difference in behavior between the raw processing performed by Graph APIs and the wrapper around the APIs implemented in the Microsoft 365 admin center. Sometimes the differences bubble up to the surface and the reasons for the differences aren’t immediately clear until you poke around to discover why things happen the way that they do. Isn’t that often the case in IT?


Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.

Microsoft Launches Simplified Sharing for Microsoft 365 Apps
https://office365itpros.com/2023/08/04/simplified-sharing-experience/
Fri, 04 Aug 2023 01:00:00 +0000

Making Sharing of Files and Folders Easier

Apart from Microsoft 365 roadmap item 124933, I can’t find a formal announcement about the Simplified Sharing Experience, but I have been aware that Microsoft recently updated the share dialog used by Microsoft 365 apps to make it easier and more straightforward to use. According to a LinkedIn post (Figure 1), Microsoft ran an A/B experiment to test the new dialog. I guess I was one of the testers! In any case, the new sharing dialog is now available in all Microsoft 365 tenants. Users of OneDrive consumer will see the upgraded dialog in the second half of 2023.

Figure 1: Microsoft spreads the news about the simplified sharing experience

The Role of the Share Dialog

The share dialog is what people see when they share a document or folder with others inside or outside their organization. According to Microsoft, the dialog is used over 800 million times monthly across 52 different Microsoft 365 experiences (desktop, browser, and mobile). In other words, Microsoft 365 apps offer users the opportunity to share in 52 different places across the suite. The most common of the experiences are likely in SharePoint Online, OneDrive for Windows, and Teams.

Microsoft says that they focused on creating a dialog that makes it simpler for users to perform core sharing tasks. When someone invokes the new screen (Figure 2) to share a file or folder, they see a simpler layout pre-populated with the default sharing link as specified by the tenant or site policy (in this case, the sharing link allows access to people within the organization). The name of the sensitivity label assigned to the document is also shown to provide a visual indicator about its relative confidentiality.

Figure 2: The revamped sharing link dialog

To complete the link, add the people to notify and enter a note to tell them what to do, and click Send to have the message sent by email or Copy link to copy the sharing link to the clipboard.

If you need to change the type of sharing link, select the cogwheel to expose the link settings (Figure 3). Again, everything is very straightforward and simple. If you choose a link that allows external sharing, I’m told that the new design “makes users more comfortable with sharing.” I’m not quite sure what this means, but any of the sharing that I’ve done with people outside the organization has worked smoothly.

Figure 3: Editing the setting for a sharing link

Microsoft has also overhauled the Manage access dialog to help people manage the set of users and groups that have access to a file or folder (Figure 4).

Figure 4: The revamped manage access dialog

Microsoft says that customer feedback about the new dialog is very positive. It’s worth noting that this is not the first time that Microsoft has revamped the sharing dialog. The last major overhaul was in 2020-21 when Microsoft rationalized on a common sharing dialog for all apps, notably for Teams.

The Importance of Sharing

Getting sharing right is clearly important. When Microsoft launched the Delve app in 2015, it resulted in a crescendo of protest from tenants who suddenly found that Delve suggested documents to users when the organization thought that Delve should not. Of course, the software did nothing wrong. Delve respected the access rights given to users when it computed the set of interesting documents to suggest (using an early version of Graph document insights). The problem was entirely down to poor management and access control, often at the level of complete SharePoint Online sites. Users might not have realized that they had access to the documents in poorly-protected sites, but software can’t be blamed if it goes looking for documents to suggest to a user and finds some that are available.

We’re heading for a similar situation with Microsoft 365 Copilot. The Copilot software depends on finding information with Graph queries to help satisfy user prompts. Like Delve, Copilot will find files that are available to the user who prompts for help, and the results generated for the user might include some confidential information. And if the user doesn’t bother to check the content generated by Copilot, the information might then be revealed to people who shouldn’t have it. This is the danger of oversharing, and it’s certainly an issue that organizations contemplating Microsoft 365 Copilot need to resolve before implementation.

Simplified Sharing Experience One Step Along the Path

The new sharing dialog won’t solve oversharing. It’s just one step along the path to help users share information with the right people in the right way.



Clipchamp Coming to Microsoft 365 Commercial Customers
https://office365itpros.com/2023/08/02/clipchamp-for-work/
Wed, 02 Aug 2023 01:00:00 +0000

Clipchamp for Work, but Only for Microsoft 365 Commercial Customers


In a July 31 announcement, Microsoft says that they will make Clipchamp for Work available to Microsoft 365 commercial customers through the targeted release program in the coming weeks. The news is covered by Microsoft 365 roadmap item 124826.

Although the advent of Clipchamp for Work is good news, it’s tempered by Microsoft’s statement that:

“Clipchamp will be added to the following Microsoft 365 SKUs: Microsoft 365 E3, Microsoft 365 E5, Microsoft 365 Business Standard, and Microsoft Business Premium. Clipchamp will not be added to Office 365 SKUs.”

Ignoring the Office 365 enterprise SKUs is part of Microsoft’s tactics to force customers to upgrade to Microsoft 365 SKUs to drive the average revenue per user (ARPU) and increase the profits flowing from its cloud business past the $111.6 billion mark announced for Microsoft’s 2023 fiscal year.

The same method is being used with Microsoft 365 Copilot, which only supports the Microsoft 365 E3 and E5 enterprise SKUs. Moving from Office 365 E3 to Microsoft 365 E3 costs an extra $13/user/month. Although a case can be argued that features like Windows 11 Enterprise and Enterprise Mobility and Security, which are bundled into the Microsoft 365 enterprise SKUs, represent good value for the extra cost, the fact remains that some customers don’t want to be forced to upgrade. Adding a very capable video editor to the Microsoft 365 enterprise SKUs probably won’t make any difference when it comes to deciding whether to upgrade, but it is one more factor to consider.

Adding on to Stream

Making Clipchamp for Work a new Microsoft 365 service plan makes sense. Like Stream for SharePoint, Clipchamp for Work stores its videos in SharePoint Online and OneDrive for Business, so it’s very different to the Clipchamp consumer version. Microsoft won’t provide a migration mechanism to move videos from the consumer to commercial version.

Stream for SharePoint added features steadily since its release, recently adding inline playback in Teams, automatic transcript generation, and a teleprompter when recording videos. However, Stream for SharePoint lags behind Stream classic in terms of video editing capabilities. Stream classic never offered much, but at least it could trim some excess from the start and end of videos.

Clipchamp fills the void and adds a lot more functionality besides such as a gap remover (merge videos together seamlessly) and a video cropper. Microsoft also promises that “Filters, effects, and text overlays give your editing a professional and personalized look. With the green screen filter in Clipchamp, you can adjust your backgrounds to suit your professional context and environment. Transitions can easily be added as a finishing touch to give your video that high-quality look.”

Clipchamp for Work includes an in-browser video editor. You’ll be able to create a new video by launching Clipchamp from the Microsoft 365 app launcher or from OneDrive for Business. Clipchamp can edit videos stored in OneDrive for Business and SharePoint Online, including Teams meeting recordings. The point about using SharePoint storage for videos is to take advantage of integration with the rest of the Microsoft 365 suite such as sharing, compliance, data lifecycle management (retention), and information protection.

Clipchamp Brings Proper Video Editing to Microsoft 365

When Microsoft bought Clipchamp in September 2021, the speculation was that Microsoft would add Clipchamp quickly to Office 365. Well, that hasn’t happened. Apart from needing to get used to the Microsoft 365 ecosystem so that single sign-on works and Clipchamp can process videos stored in SharePoint Online, the delay in reaching this point is likely due to waiting for Stream on SharePoint to mature and the migration from Stream classic to complete, which it now mostly is.

I’m glad to see a proper video editor in Microsoft 365. Video communications are becoming more important all the time. It’s just a pity that Microsoft won’t make the Clipchamp functionality available to their loyal Office 365 enterprise customers. We’ll just have to keep on using Camtasia instead.


So much change, all the time. It’s a challenge to stay abreast of all the updates Microsoft makes across Office 365. Subscribe to the Office 365 for IT Pros eBook to receive monthly insights into what happens, why it happens, and what new features and capabilities mean for your tenant.

Microsoft Briefs Partners about Microsoft 365 Backup and Microsoft 365 Archive Products
https://office365itpros.com/2023/07/31/microsoft-365-backup-2/
Mon, 31 Jul 2023 01:00:00 +0000

More Details Revealed About Microsoft 365 Backup and Microsoft 365 Archive During Inspire session

A week or so after the launch of Microsoft 365 Backup and Microsoft 365 Archive at their annual Inspire conference (for partners), I took the time to listen to the recording of the session covering the topic delivered at the event. It’s hard to get much detail from a 14-minute session after filtering out all the marketing messages delivered by the avuncular Chris McNulty, but I found some interesting points to ponder.

As a reminder, these products are not yet available. They might be toward the end of 2023. Then again, product dates have an unfortunate habit of slipping, especially when they’re for solutions in a new area. This is doubly true when dealing with solutions targeted at backup and restore and touted as a great solution for ransomware because of their “unprecedented speed and scale.”

McNulty started with some statistics:

  • Microsoft 365 users add two billion documents and emails daily. I assume this figure includes Office documents, PDFs, Loops, OneNote notebooks, emails, Teams messages, and everything else that can be stuffed into SharePoint Online, OneDrive for Business, and Exchange Online. In September 2022, Microsoft said that Exchange Online processes 9.2 billion messages daily, 2.4 billion of which are spam. However, it’s unclear if these figures include system messages that are transient and not stored.
  • Microsoft 365 user activity consumes 200 petabytes of storage monthly. Much of the data is unstructured. I assume that imports from SharePoint Server and other non-Microsoft 365 sources consume some of this storage. While providing such a large amount of storage is a heavy expense for Microsoft, its existence inside Microsoft 365 creates opportunities. For instance, it is the raw material for Microsoft 365 Copilot.

Microsoft also said that the estimated annual cost of ransomware is $20 billion (2021). They also noted a 74% increase in password attacks in one year, which is yet another good reason for Microsoft 365 tenants to make better use of multi-factor authentication even if attacker tactics like password sprays are less effective due to the removal of basic authentication.

Microsoft 365 Backup

The basic value proposition for Microsoft 365 Backup is simple: the ability to backup and restore data more rapidly than any other backup solution. This is because the data remains within Microsoft 365 and therefore doesn’t have to be copied across an internet connection. Partners have access to the Microsoft APIs for backup, restore, and archiving to allow them to integrate Microsoft 365 in their solutions. In this context, Microsoft will take care of the background processing and the partner looks after the user interface and integration with backup and restore solutions that handle other non-Microsoft workloads to create a single pane for all backup and restore operations.

Of course, keeping backups of your SharePoint Online, OneDrive for Business, and Exchange Online data within the Microsoft trust (security) boundary is a double-edged sword. Keeping all your data eggs in the one Microsoft basket is convenient, enables fast restore, and is easy to use because operations are integrated in the Microsoft 365 admin center.

Jacklynn Hiranaka’s demonstration of backup and restore showed how easy it is to configure full backup for a tenant (Figure 1). She made the point that once backup is enabled, it becomes effective immediately. This is likely because Microsoft can utilize techniques like capturing SharePoint changes in the Preservation Hold Library or Exchange changes in Recoverable Items to generate backup items. You can imagine how restores operate like a supercharged version of the SharePoint Restore this library feature or Exchange’s Recover deleted items.

Figure 1: Microsoft 365 Backup in the Microsoft 365 admin center (source: Microsoft)

Even more impressive was the assertion that Microsoft 365 Backup can perform parallel restores for SharePoint Online, OneDrive for Business, and Exchange Online to restore information very quickly.

Microsoft 365 Archive

Brad Gussin covered details of Microsoft 365 Archive. This is a SharePoint Online option (Exchange Online has its own archiving). You can already archive Teams and put the associated SharePoint Online sites into a read-only mode. Microsoft 365 Archive puts inactive SharePoint sites into a state where administrators can still manage the sites (to bring them back into an active state) but the data is no longer “hot” (available for immediate user access).

The major advantage gained by moving sites to an archived state is that the storage they consume is no longer charged against the tenant’s SharePoint storage quota. The data is still in SharePoint, but just like the storage consumed by Syntex Repository Services to hold Loop app data, it’s not accessible in the normal way.

Administrators will be able to search for inactive sites and decide which sites to archive. Site owners can protest this action and negotiate with administrators to keep their sites online. Once the final decision to archive is made, the process to archive sites takes a couple of hours. Actions to archive or reactivate sites are available through the SharePoint Online admin center (Figure 2) or PowerShell. Microsoft hasn’t specified how the PowerShell option will work, but it could be through an updated Set-SPOSite cmdlet or perhaps dedicated cmdlets to archive and reactivate sites. Long-term, Microsoft plans to enable finer granularity by supporting archival at the file level.

Figure 2: Microsoft 365 Archive in the SharePoint Online admin center

Microsoft 365 features such as data loss prevention, data lifecycle management (retention processing), information protection, and search remain in place for archived sites. eDiscovery can find items in archived sites (using the search indexes) and retrieve items using search exports.

A cynic might say that Microsoft created the need for an archive solution by restricting the amount of storage made available to tenants (1 TB plus 10 GB per eligible license) and the way that retention processing consumes quota. The more intelligent versioning planned for document libraries might help restrain storage consumption, but overall it’s still true that SharePoint Online storage is expensive when compared to the abundant storage made available to OneDrive for Business accounts.

No Pricing Available

Microsoft hasn’t revealed how much Microsoft 365 Backup and Microsoft 365 Archive will cost. I’ve been surprised by some recent Microsoft pricing decisions (like the $7/user/month demanded for slightly more intelligent Entra ID access reviews). The good thing is that backup for Microsoft 365 is a competitive market. Microsoft has some strong advantages, but if it goes too far in terms of inflated pricing, customers will vote with their wallets and go elsewhere.


Learn about using SharePoint Online, Exchange Online, and the rest of Office 365 by subscribing to the Office 365 for IT Pros eBook. Use our experience to understand what’s important and how best to protect your tenant.

Teams Gets Inline Playback for Stream Videos
https://office365itpros.com/2023/07/28/stream-video-playback-teams/
Fri, 28 Jul 2023 01:00:00 +0000

Stream Video Playback Inline in Chats and Channel Conversations

Fresh from the artificial intelligence mysteries of the Maybelline beauty app and the prospect of losing content in teams with a thousand channels, Teams users can take advantage of the change announced in MC649917 (Microsoft 365 roadmap item 127596). The change means that videos stored in Stream for SharePoint play inline within messages posted in a chat or channel conversation.

Enabling better Stream video playback within Teams might not sound very exciting, but it avoids the need for Stream to open a browser window and launch its client to play the content (Figure 1). Most people might even consider the capability to be better than boasting red lips in a meeting.

Figure 1: Stream video playback in a channel conversation

Microsoft is currently rolling out the update and expects all tenants to have it by late August.

Some Stream Issues with Teams

While checking out the new functionality, I ran into some problems with the links between Teams and Stream. First, the Stream app in Teams still connects to Stream classic. Given that the migration to Stream on SharePoint started last October, I’m surprised that the app only accepts URLs for videos on the old platform. It would seem easy to detect if a tenant uses Stream on SharePoint and take appropriate action.

Second, the sharing options available in Stream include the chance to share a video to a Teams chat or channel. The option works like the Share to Teams feature in Outlook in that it allows the user to select a target in Teams to share with. Unfortunately, Share to Teams in Stream couldn’t find many of the teams and chats that I use, including the test team I created to host 1,000 channels (Figure 2).

Figure 2: The Stream share to Teams option can’t find teams

When Stream managed to share to a team channel, it created a simple link to the video (Figure 3) that launches the Stream player when invoked. There’s no sign of enhanced Stream video playback here.

Figure 3: The link written by Stream into a team channel

Obviously, the Stream team needs to do some more work to make the connection with Teams as seamless as it should be. I’ve reported both issues to Microsoft.

SharePoint Sorts Out its User Photos

Finally for the week, it’s interesting to read the message center notification MC653734 (July 21) covering “image coherence for SharePoint Online” (a truly horrible title). The update addresses user photo management for accounts that don’t have Exchange Online licenses or use Delve to update their photos to fix the problem where user photos displayed in SharePoint are different to those shown elsewhere in Microsoft 365 (hence “image coherence”).

In August 2023, Microsoft will roll out a fix to force SharePoint Online to display images fetched from the “Microsoft People System (MPS)”, just like all the other Microsoft 365 apps. In practical terms, this means that SharePoint will fetch the thumbnail photos stored in Entra ID accounts via the Graph profilePhoto API.

The impact on users is that they will have to upload photos via Delve or using the avatar at the top right-hand corner of SharePoint pages (Figure 4). Admins can continue to update user photos via the Entra ID admin center or with PowerShell.

Figure 4: Where SharePoint Online users can update their photo

I don’t imagine that this change will affect many people. It removes a lingering piece of functionality that originated in SharePoint server and brings the app in line with the norms of the rest of Microsoft 365, and that’s good.


Make sure that you’re not surprised about changes that appear inside Office 365 applications by subscribing to the Office 365 for IT Pros eBook. Our monthly updates make sure that our subscribers stay informed.

Microsoft Cloud Hits $111.6 Billion Annual Revenue
https://office365itpros.com/2023/07/27/microsoft-cloud-revenue-110b/
Thu, 27 Jul 2023 01:00:00 +0000

Microsoft FY23 Q4 Continues Strong Microsoft Cloud Revenues

As has become customary, Microsoft enjoyed another strong quarter of Microsoft Cloud revenues in the final quarter of their FY23 fiscal year. The headline numbers for the quarter have been reported and analyzed in depth elsewhere. I want to focus on the data relevant to the Microsoft 365 ecosystem. For those interested in following up, I suggest reading the transcript of the analyst briefing together with the other information released by Microsoft.

Microsoft Cloud Hits $110 Billion

The first point is that annual revenues for the Microsoft Cloud exceeded the $110 billion mark. The figures for the four quarters are:

  • Q1: $25.7 billion.
  • Q2: $27.1 billion.
  • Q3: $28.5 billion.
  • Q4: $30.3 billion.

Total: $111.6 billion.

On an annualized run rate basis (taking the last quarter and multiplying by four), the run rate is now $121.2 billion, up $21.2 billion since the results reported for FY22 Q4. Figure 1 shows the steady growth in Microsoft Cloud annualized revenues since 2015.

Figure 1: Annualized revenues for the Microsoft Cloud since 2015

The really interesting bit of information revealed by Satya Nadella was that “Azure all-up accounting for more than 50% of the total” ($110 billion). Microsoft is notoriously slow at giving out firm data about product revenues. A year ago, I tried to estimate how much Office 365 contributes to Microsoft cloud revenues. Taking numbers revealed in the briefing we can say that:

  • Azure (50% of $110 billion) = $55 billion.
  • Dynamics (“surpassed $5 billion in revenue over the past fiscal year”) = $5 billion.
  • LinkedIn (“surpassed $15 billion for the first time”) = $15 billion.
  • Office 365 ($111.6 billion – ($55 + $5 + $15)) = $36.1 billion. Microsoft said that “Office 365 commercial revenue increased 15% and 17% in constant currency, a bit better than expected with particular strength in E5.” Microsoft expects revenue growth of 16% for Office 365 in FY24.

The Office 365 outcome is less than I expected, but the Azure number is far higher than I thought.

Microsoft Cloud Revenue, Profitability, and Copilot

Microsoft CFO Amy Hood said that “Microsoft Cloud gross margin percentage increased roughly 3 points year-over-year to 72%.” The Microsoft Cloud is obviously a rich source of profit for Microsoft, even if they have substantial capital expenditure to equip their datacenters with computing and network equipment needed to deliver the service and prepare for new services, like Microsoft 365 Copilot.

Hood was confident about Microsoft’s “upsell and attach motions, particularly with Microsoft 365 E5.” She has made much the same comment to analysts for the past several quarterly briefings. Microsoft is very focused on driving the annual revenue per user (ARPU) to fuel growth in overall cloud revenues and profitability.

An interesting remark from the CFO observed that “Growth of new business continued to be moderated for products sold outside the Microsoft 365 suite including standalone Office 365, (and) EMS.” This isn’t surprising because the Microsoft sales force is focused on selling Microsoft 365 rather than the traditional Office 365 or EMS licenses.

Speaking of Microsoft 365 Copilot, they said “We are now rolling out Microsoft 365 Copilot to 600 paid customers through our early access program, and feedback from organizations like Emirates NBD, General Motors, Goodyear, and Lumen is that it’s a game changer for employee productivity.” Of course, as Hood acknowledged, Microsoft is unable to book revenue for Microsoft 365 Copilot until the product is generally available. No one knows how customers will respond to the pricing strategy both in terms of the high $30/user/month license cost and the need for enterprise customers to move to Microsoft 365 E3 or E5 to become “eligible” for a Copilot deployment.

Some Other Numbers

Microsoft always embellishes its results with some numbers for product usage. Often, the numbers are

  • Power Automate now has 10 million monthly active users.
  • Teams Premium has more than 600,000 seats (Microsoft likes to use the word “surpassed” when discussing results). Six hundred thousand seats sounds like a big number, but it’s only 0.2% of the Teams 300 million monthly active user count, which puts the number into perspective.
  • “Teams Phone is the market leader in cloud calling, with more than 17 million PSTN users, up 45% year-over-year.” Sounds like a lot of customers are junking traditional PBXes to move to Teams Phone.
  • “Viva now has 35 million monthly active users.” Microsoft didn’t say what parts of the Viva Suite attract this usage. It would be interesting to know if usage comes from repurposed bits (like Viva Engage/ex-Yammer) that don’t bring in any extra revenue, or newer components (like Viva Topics or Viva Learning) where customers need to buy new licenses.
  • The newly rebranded Microsoft Entra ID (ex-Azure AD) now has “more than 610 million monthly active users.”
  • “The enterprise mobility and security installed base grew 11% to over 256 million seats.”

Microsoft didn’t give new numbers for Office 365, but given that “paid Office 365 commercial seats grew 11% year-over-year,” the number for Office 365 paid seats is likely around 400 million. It looks as if Microsoft Cloud revenues are heading for another good year in FY24.


Keep up to date with developments like Microsoft 365 Copilot by subscribing to the Office 365 for IT Pros eBook. Our monthly updates make sure that our subscribers understand the most important changes happening across Office 365.

Microsoft 365 Backup for SharePoint Online and Exchange Online (Soon)
https://office365itpros.com/2023/07/19/microsoft-365-backup/
Wed, 19 Jul 2023 01:00:00 +0000

Microsoft Enters a Competitive Microsoft 365 Backup Market

One of the big announcements at the Microsoft Inspire (partner) conference marked Microsoft’s debut into the Microsoft 365 backup market. At least, it’s an intention to participate in the market with a public preview of a Microsoft 365 Backup product for SharePoint Online, OneDrive for Business, and Exchange Online in the last quarter of 2023. At the same time, Microsoft plans to deliver a public preview of a Microsoft 365 Archive product to move “inactive or ageing” SharePoint Online data from “hot” (online) storage to cold storage. I can’t wait to “automate scaled mass archiving by running PowerShell scripts” to move SharePoint Online files to cold storage.

Seriously, both initiatives are welcome. Microsoft has some unique advantages (and some disadvantages) when it comes to moving data around from Microsoft 365 repositories, and it’s about time that Microsoft took some responsibility for protecting customer data with backups.

The Microsoft Advantage

Microsoft’s advantage over ISV backup partners is twofold. They have instant access to customer data stored in their datacenters and they control the APIs that allow access to the data.

ISV alternatives typically copy information from Exchange Online, SharePoint Online, and OneDrive for Business (and sometimes Teams messages) from their native repositories to their datacenter. Many issues come into play:

  • Shipping large quantities of data across the internet from Microsoft’s datacenter network to the ISV’s target datacenter. This process takes time and can be resource intensive, especially for restore operations.
  • Lack of suitable APIs to stream large quantities of data from Microsoft to the ISV datacenter. For instance, Exchange Web Services (EWS) is the foundation for many ISV backup solutions for Exchange Online. EWS was never designed for this purpose, but it works. Some ISVs use EWS to copy Teams compliance records and call it a Teams backup. Microsoft wants to move ISVs to use the Teams export API, but that comes with its own complications.

Microsoft 365 Backup doesn’t use another repository. Everything stays inside Microsoft 365, so restores (when necessary) happen extremely quickly, even at massive scale. The idea is that if a Microsoft 365 tenant is compromised by ransomware, it can very quickly switch back to the status that pertained at a point in time before the attack happened. It’s a compelling proposition, especially when integrated into the Microsoft 365 admin center (Figure 1). Of course, it would be even better if the tenant stopped the attack by taking steps such as implementing multi-factor authentication everywhere, but that’s another matter.

Figure 1: Microsoft 365 backup in the Microsoft 365 admin centre (source: Microsoft)

Microsoft hasn’t said what licenses or costs are likely to be incurred with Microsoft 365 backup. I imagine that they will charge on a consumption basis, meaning that tenants will pay using an Azure pay as you go subscription based on how much data they process.

The Microsoft Disadvantage

The big disadvantage for Microsoft 365 Backup is that all data remains in Microsoft datacenters. Keeping all your eggs in one (datacenter) basket is not deemed to be a good thing because the remote possibility exists that the datacenter might suffer a catastrophic failure that leads to data loss. I don’t consider this to be something likely to happen, but I understand why companies like to maintain a separate copy of their data at a different location, just in case.

The ISV Play

Microsoft was careful to launch with ISV support. It doesn’t make sense to go to war with ISVs that have been serving Microsoft 365 customers for years. Microsoft has several launch partners that are signed up to use the backup and archive APIs so that “partners can integrate our capabilities into their data management and protection apps. With Microsoft 365 Backup and Microsoft 365 Archive APIs, our partners can uniquely provide a single and seamless experience that protects your data estate, whether inside or outside of Microsoft 365, in combination with our speed and storage innovations.” In other words, ISVs can use the APIs (and pay Microsoft for the privilege) to take advantage of faster backup and restore for Microsoft 365 data. We’ll see how this transpires in terms of costs and how the ISVs adopt Microsoft 365 backup APIs in their solutions.

No Teams Backup and Restore

Microsoft has deliberately targeted the easiest workloads for backup. Emails and documents are relatively easy objects to back up and restore. Microsoft has unfettered access to the data and can tweak APIs to make backup and restore operations easier so their implementation is faster and smarter. However, Microsoft 365 archive does not take on the biggest challenge that exists for backup today, and that’s to deliver seamless backup and restore capabilities for Teams.

Teams borrows from multiple Microsoft 365 and Azure services. It integrates data drawn from multiple sources and applications. This, and the lack of APIs to perform comprehensive backup and restore for Teams, is what creates the challenge. Given that Teams now has over 300 million monthly active users, it’s a pity that Microsoft hasn’t cracked a nut that they are uniquely positioned to take on. Perhaps full Teams backup and restore will come in time.


Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.

How to Report Renewal Dates for Microsoft 365 Subscriptions
https://office365itpros.com/2023/07/06/microsoft-365-subscriptions-ps/
Thu, 06 Jul 2023 01:00:00 +0000

New Method to Retrieve Renewal Dates for Microsoft 365 Subscriptions

As part of my campaign to help people move off the old MSOL and AzureAD PowerShell modules to use the Microsoft Graph PowerShell SDK before Microsoft deprecates the modules, I wrote a script to demonstrate how to use the Graph SDK to create a licensing report for a tenant. One of the replies to the article observed that the output of the Get-MgSubscribedSku cmdlet didn’t provide the same information as the old Get-MsolSubscription cmdlet. Specifically, the SDK cmdlet doesn’t tell you the renewal date for a product (SKU).

Relief is now available, but not yet in an SDK cmdlet. Instead, you can fetch the renewal information using a new beta Graph subscriptions endpoint described in Vasil’s blog. This is different to the SubscribedSku API, which is what I think is the base for the Get-MgSubscribedSku cmdlet.

Practical Example of Displaying Renewal Dates for Microsoft 365 Subscriptions

As an example of how you might use the information, I took the output generated by the Get-MgSubscribedSku cmdlet and reformatted it so that it looks like the output from the Get-MsolSubscription cmdlet. The cmdlet lists the SKU part number, active units (available units), warning units (licenses that have expired or have another problem), and consumed units (licenses assigned to user accounts). I wanted to add the renewal date and number of days until the renewal date.

To fetch the renewal dates, I then use the Invoke-MgGraphRequest cmdlet to query the https://graph.microsoft.com/V1.0/directory/subscriptions endpoint. If a SKU has a renewal date, it is in the nextLifecycleDateTime property. Some SKUs that don’t expire (like Power BI standard) don’t have renewal dates. Here’s an example of the information for a Viva Topics subscription that has a renewal date.

Name                           Value
----                           -----
skuId                          4016f256-b063-4864-816e-d818aad600c9
skuPartNumber                  TOPIC_EXPERIENCES
createdDateTime                05/02/2021 18:09:21
totalLicenses                  25
id                             de6eac24-b4b7-4f7e-abeb-9e4f10b36883
serviceStatus                  {System.Collections.Hashtable, System.Collections.Hashtable, System.Collections.Hasht...
ocpSubscriptionId              eeda0292-642e-4901-9825-aa7dfc9b0efc
isTrial                        True
status                         Warning
nextLifecycleDateTime          30/07/2023 14:53:22

To make it easy to look up the renewal date for a SKU, I created a hash table to store SKU identifiers and renewal dates. The final step is to loop through the SKU information and add the renewal date. Here’s the code:

Connect-MgGraph -Scopes Directory.Read.All -NoWelcome
# Get the basic information about tenant subscriptions
[array]$Skus = Get-MgSubscribedSku
$SkuReport = [System.Collections.Generic.List[Object]]::new()
ForEach ($Sku in $Skus) {
 $DataLine = [PSCustomObject][Ordered]@{
   SkuPartNumber = $Sku.SkuPartNumber
   SkuId         = $Sku.SkuId
   ActiveUnits   = $Sku.PrepaidUnits.Enabled
   WarningUnits  = $Sku.PrepaidUnits.Warning
   ConsumedUnits = $Sku.ConsumedUnits }
 $SkuReport.Add($Dataline)
}

# Get the renewal data
$Uri = "https://graph.microsoft.com/V1.0/directory/subscriptions"
[array]$SkuData = Invoke-MgGraphRequest -Uri $Uri -Method Get
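# Put the renewal information into a hash table keyed on the SKU identifier.
# A tenant can hold more than one subscription for the same SKU, so keep the
# earliest renewal date rather than calling Add(), which fails on a duplicate key.
$SkuHash = @{}
ForEach ($Sku in $SkuData.Value) {
  $Current = $SkuHash[$Sku.SkuId]
  If (-not $Current -or ($Sku.nextLifecycleDateTime -and $Sku.nextLifecycleDateTime -lt $Current)) {
    $SkuHash[$Sku.SkuId] = $Sku.nextLifecycleDateTime
  }
}

# Update the report with the renewal information
ForEach ($R in $SkuReport) {
  $DaysToRenew = $Null
  $SkuRenewalDate = $SkuHash[$R.SkuId]
  $R | Add-Member -NotePropertyName "Renewal date" -NotePropertyValue $SkuRenewalDate -Force
  If ($SkuRenewalDate) {
    # New-TimeSpan counts from the renewal date to now, so negate it to get days remaining
    $DaysToRenew = -(New-TimeSpan $SkuRenewalDate).Days
    $R | Add-Member -NotePropertyName "Days to renewal" -NotePropertyValue $DaysToRenew -Force
  }
}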

$SkuReport | Format-Table SkuPartNumber, ActiveUnits, WarningUnits, ConsumedUnits, "Renewal date", "Days to renewal" -AutoSize

Figure 1 shows the output.

Figure 1: Reporting Microsoft 365 subscriptions with renewal dates

Future SDK Cmdlet Will Probably Come

Obviously, it would be much better if an SDK cmdlet exposed renewal dates for Microsoft 365 subscriptions. Given that the subscriptions endpoint is new, it’s likely that a new SDK will appear after Microsoft’s AutoRest process runs to process the metadata for the endpoint. I’d expect this to happen sometime in the next few weeks.

In the interim, if access to subscription renewal dates is holding up the migration of some old MSOL or AzureAD scripts, a solution is available.


Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.

Microsoft Information Protection Upgrades to Enhanced Encryption Algorithm
https://office365itpros.com/2023/06/23/aes256-cbc-mip/
Fri, 23 Jun 2023 01:00:00 +0000

AES256-CBC Will Protect Office Documents and Email

Last year, some researchers expressed worries that the AES 128 ECB (Electronic Codebook mode) cipher used by Microsoft Information Protection to encrypt documents and emails could be compromised. Microsoft uses the cipher to ensure backward compatibility with older Office versions.

The need for backward compatibility appears to have lifted. Announced in MC590144 (June 15, 2023, Microsoft 365 roadmap item 117576), Microsoft Information Protection will start using AES 256 in Cipher Block Chaining (AES256-CBC) mode from late August 2023 with full deployment expected by the end of September 2023.
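
To show what the change of cipher mode means in practice, the added example below (not from the original article or from Microsoft) encrypts a constructed plaintext of repeated 16-byte blocks with .NET's AES in both modes and counts the ciphertext blocks that repeat. It shows the general behaviour of ECB and CBC, not the Microsoft Information Protection file format; the function names are hypothetical and the keys, IV and plaintext are generated for the example.

```powershell
# Added illustration: AES-128-ECB versus AES-256-CBC on a constructed plaintext.
# Keys, IV and plaintext are generated here; nothing comes from a protected document.

function Protect-SampleData {
    param(
        [Parameter(Mandatory)][byte[]]$PlainText,
        [Parameter(Mandatory)][byte[]]$Key,     # 16 bytes = AES-128, 32 bytes = AES-256
        [Parameter(Mandatory)][System.Security.Cryptography.CipherMode]$Mode,
        [byte[]]$IV                              # used by CBC only; ECB has no IV
    )
    $Aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $Aes.Mode    = $Mode
        $Aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
        $Aes.Key     = $Key
        if ($Mode -eq [System.Security.Cryptography.CipherMode]::CBC) { $Aes.IV = $IV }
        $Encryptor = $Aes.CreateEncryptor()
        try {
            $Cipher = $Encryptor.TransformFinalBlock($PlainText, 0, $PlainText.Length)
        }
        finally { $Encryptor.Dispose() }
        return ,$Cipher   # leading comma keeps the byte array intact on the pipeline
    }
    finally { $Aes.Dispose() }
}

function Get-RepeatedBlockCount {
    # Counts 16-byte ciphertext blocks that duplicate a block already seen
    param([Parameter(Mandatory)][byte[]]$CipherText)
    $Seen = @{}
    for ($i = 0; $i -lt $CipherText.Length; $i += 16) {
        $Block = [System.BitConverter]::ToString($CipherText, $i, 16)
        $Seen[$Block] = 1 + [int]$Seen[$Block]
    }
    return ($CipherText.Length / 16) - $Seen.Count
}

# Random keys and IV for the demonstration
$Rng    = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$Key128 = [byte[]]::new(16); $Rng.GetBytes($Key128)
$Key256 = [byte[]]::new(32); $Rng.GetBytes($Key256)
$IV     = [byte[]]::new(16); $Rng.GetBytes($IV)
$Rng.Dispose()

# Constructed plaintext: the same 16-byte block eight times, as happens in
# documents with repeated headers, padding or table rows
$Plain = [System.Text.Encoding]::ASCII.GetBytes('SALARY: 100,000 ' * 8)

$EcbCipher = Protect-SampleData -PlainText $Plain -Key $Key128 -Mode ECB
$CbcCipher = Protect-SampleData -PlainText $Plain -Key $Key256 -Mode CBC -IV $IV

$Results = @(
    [PSCustomObject]@{
        Cipher         = 'AES-128-ECB'
        Blocks         = $EcbCipher.Length / 16
        RepeatedBlocks = Get-RepeatedBlockCount -CipherText $EcbCipher
    }
    [PSCustomObject]@{
        Cipher         = 'AES-256-CBC'
        Blocks         = $CbcCipher.Length / 16
        RepeatedBlocks = Get-RepeatedBlockCount -CipherText $CbcCipher
    }
)
$Results | Format-Table -AutoSize
```

ECB encrypts each block independently, so the eight identical plaintext blocks produce one ciphertext value eight times and the repetition is visible without the key. CBC mixes each block with the previous ciphertext block (and the IV for the first), so the same input shows no repeated blocks.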

Sensitivity Labels Apply Better Protection

In practical terms, if you apply a sensitivity label (Figure 1) to an Office document, export an Office document to a PDF, or email (including meetings), or use the Purview Message Encryption feature (previously Office 365 message encryption or OME) to set Do Not Forward or Encrypt-Only for emails, the level of encryption protecting those items will increase. Items previously protected will receive the upgraded protection the next time the items go through an encryption/decryption cycle. For instance, if someone edits a protected document stored in a SharePoint Online document library, SharePoint will apply the improved encryption when it saves the file. Full details are available in this Microsoft Technology Community post.

Figure 1: All these sensitivity labels will be upgraded to AES256-CBC

Enhanced protection is available in the Microsoft 365 apps for enterprise, SharePoint Online, Exchange Online, Purview Message Encryption, the Azure Information Protection (AIP) unified labelling client (version 2.17 or later), AIP PowerShell module (2.17 and later), and the Purview Information Protection Scanner for on-premises repositories.

Third-party applications built using the Microsoft Information Protection SDK 1.13 or later support items protected with AES256-CBC. This includes the paid-for versions of Adobe Acrobat that can apply and manage sensitivity labels. It might take a little time for ISVs to issue upgraded versions of their products that support AES256-CBC.

Impact on Four Groups

Although the transition to AES256-CBC should be seamless for Microsoft 365 tenants, Microsoft calls out four groups of customers that the change will impact. These are organizations:

  • Using the subscription version of Office (Microsoft 365 apps for enterprise) with Exchange Server (on-premises or hybrid). The Exchange development group is working on a patch to allow Exchange Server to support AES256-CBC that should be available in July. However, the patch will only be available for Exchange Servers with support, so that means the latest versions of Exchange 2016 and Exchange 2019. Microsoft will automatically exclude organizations using the Azure Rights Management connector from using AES256-CBC until January 2024 to allow them time to apply server upgrades.
  • With applications built using the Microsoft Information Protection SDK. These organizations must upgrade their applications to V1.13 of the SDK.
  • Using perpetual versions of Office (2016, 2019, and 2021 LTSC). These versions can consume items protected with AES256-CBC, but some work is needed to allow clients to create items protected with the new cipher.
  • Using the current version of the AIP Viewer, PowerShell module, or Scanner. Workstations need to upgrade to the latest version of the unified labeling client to enable support for AES256-CBC for components installed by the client.

Failure to take action to upgrade installations before Microsoft rolls out the change in August 2023 will result in Exchange Server failing to decrypt protected email. More details are available in Microsoft’s Technical community post.

Moving to Stronger Encryption

Even if the potential for compromise required attackers to follow an unlikely path, Microsoft has answered the doubts expressed by researchers with this update. That’s a welcome change that will kick in during August 2023. Users shouldn’t be aware of the transition and won’t be impacted by the change if administrators of the highlighted organizations take action.

For more information about the transition to AES256-CBC, see Microsoft’s documentation.


Support the work of the Office 365 for IT Pros team by subscribing to the Office 365 for IT Pros eBook. Your support pays for the time we need to track, analyze, and document the changing world of Microsoft 365 and Office 365.

Reporting Mobile Devices Synchronizing with Exchange Online
https://office365itpros.com/2023/06/20/exchange-mobile-device-management/
Tue, 20 Jun 2023 01:00:00 +0000

Not Much Changes in Exchange Mobile Device Management

It’s been a while since I wrote about how to extract details of mobile devices registered with Exchange Online mailboxes. Time marches on and it’s time to take another look at how to generate a report about mobile devices used with Exchange Online, not least because there are upgraded versions of some cmdlets to use, like Get-ExoMailbox and Get-ExoMobileDeviceStatistics that didn’t arrive until late 2019.

Device management in Exchange Online goes back to on-premises management for mobile devices connected to Exchange Server via Exchange ActiveSync. Apart from making sure that everything works, Microsoft hasn’t done much to device management in Exchange Online. Most of the development activity has focused on leveraging synchronization of Outlook mobile clients with Exchange Online using the Azure-based architecture introduced in 2018 to introduce new functionality, like support for sensitivity labels.

The way Exchange ActiveSync management works hasn’t changed much. A glance at the device access rules (which control what devices a tenant allows to connect) in the Exchange admin center (Figure 1) reveals entries like Acompli (the company Microsoft acquired to get Outlook mobile), Windows Phone, iOS 6, and so on. The advantage of this poor man’s mobile device management system is its simplicity. Even as Microsoft advanced to the final deprecation of the old Exchange admin center, not an iota of new functionality appeared in mobile device management.

Figure 1: Mobile device management in the Exchange admin center

The subtle hint here is that mobile device management is better done in a purpose-built device management framework like Intune. And so you should, if you feel the need.

Reporting Mobile Device Status

Getting back to reporting the set of devices registered for Exchange mobile device management, the code to do the job is straightforward:

First, find the set of user mailboxes.

[array]$Mbx = Get-ExoMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox | Sort-Object DisplayName
If (!($Mbx)) { Write-Host "Unable to find any user mailboxes..." ; break }

For each mailbox, check if it has any registered mobile devices with a command like this:

[array]$Devices = Get-MobileDevice -Mailbox $M.DistinguishedName

If some registered devices exist (the devices might be very old), use Get-ExoMobileDeviceStatistics to fetch information about the synchronization status of each device.

You see here that I use the distinguished name of a device to fetch its statistics. According to the cmdlet documentation, the identity parameter accepts the device Guid or identifier. I think this is a documentation error because:

  • Guid works, but it’s slow.
  • DeviceId returns a “cannot be found” error.
  • DistinguishedName is fastest (up to ten times faster than Guid).

Which means that we do this:

$DeviceStats = Get-ExoMobileDeviceStatistics -Identity $Device.DistinguishedName

Parse the information returned by Exchange mobile device management to extract whatever seems interesting. For example:

  • Operating system installed on the device.
  • First date of synchronization.
  • Last successful synchronization.
  • Device policy applied to device.
  • Last time Exchange applied a policy to the device.

An example script to generate the report about devices synchronizing with Exchange Online is available from GitHub. The script creates a HTML report (Figure 2) and a CSV file containing its output. Feel free to modify the script as you wish!

Figure 2: Reporting mobile devices known to Exchange mobile device management

Removing Obsolete Devices

Mobile device statistics allow the identification of devices that are not synchronizing. Any device that doesn’t synchronize in 30 days is likely no longer in active use and becomes a candidate for removal (after someone checks its actual status). When their obsolete status is confirmed, you can remove devices by running the Remove-MobileDevice cmdlet. Running the cmdlet breaks the partnership (link) between the mailbox and device.

For instance, this code finds devices reported with more than 365 days since their last synchronization and deletes the first device from the returned set.

[array]$SyncDevices365 = $Report | Where-Object {$_.DaysSinceLastSync -gt 365}
Remove-MobileDevice -Identity $SyncDevices365[0].DeviceDN -Confirm:$False
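
The reporting steps and the clean-up above, combined into one added example (this is not the GitHub script the article links to). The function names, report property names and 30-day default are choices made for this example, and the sample objects are constructed so that the stale-device logic can be exercised without a tenant; Get-MobileDeviceReport needs an Exchange Online PowerShell session.

```powershell
# Added example. Builds the $Report objects that the removal code expects
# (DaysSinceLastSync, DeviceDN) and previews removals instead of performing them.

function New-DeviceReportLine {
    param($Mailbox, $Device, $Stats, [datetime]$Now = (Get-Date))
    # A device that registered but never completed a synchronization has no
    # LastSuccessSync, so leave the day count empty instead of computing a bogus value
    $DaysSinceLastSync = $null
    if ($Stats.LastSuccessSync) {
        $DaysSinceLastSync = (New-TimeSpan -Start $Stats.LastSuccessSync -End $Now).Days
    }
    [PSCustomObject][Ordered]@{
        Mailbox           = $Mailbox.DisplayName
        UPN               = $Mailbox.UserPrincipalName
        DeviceType        = $Device.DeviceType
        DeviceOS          = $Device.DeviceOS
        FirstSync         = $Stats.FirstSyncTime
        LastSuccessSync   = $Stats.LastSuccessSync
        DaysSinceLastSync = $DaysSinceLastSync
        Policy            = $Stats.DevicePolicyApplied
        LastPolicyUpdate  = $Stats.LastPolicyUpdateTime
        DeviceDN          = $Device.DistinguishedName
    }
}

function Get-MobileDeviceReport {
    # Requires an Exchange Online PowerShell session (Connect-ExchangeOnline)
    $Now = Get-Date
    $Report = [System.Collections.Generic.List[Object]]::new()
    [array]$Mbx = Get-ExoMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
        Sort-Object DisplayName
    foreach ($M in $Mbx) {
        [array]$Devices = Get-MobileDevice -Mailbox $M.DistinguishedName
        foreach ($Device in $Devices) {
            try {
                $Stats = Get-ExoMobileDeviceStatistics -Identity $Device.DistinguishedName -ErrorAction Stop
            }
            catch {
                Write-Warning "No statistics for $($Device.DistinguishedName): $($_.Exception.Message)"
                continue
            }
            $Report.Add((New-DeviceReportLine -Mailbox $M -Device $Device -Stats $Stats -Now $Now))
        }
    }
    return $Report
}

function Get-StaleDevice {
    # Candidates for review: no sync within the threshold, or never synchronized at all
    param([object[]]$Report, [int]$StaleAfterDays = 30)
    $Report | Where-Object {
        $null -eq $_.DaysSinceLastSync -or $_.DaysSinceLastSync -gt $StaleAfterDays
    }
}

function Show-StaleDeviceRemoval {
    # -WhatIf reports what would be removed and leaves every partnership intact
    param([object[]]$Stale)
    foreach ($D in $Stale) { Remove-MobileDevice -Identity $D.DeviceDN -WhatIf }
}

# Constructed sample objects (not real tenant data): one active device, one
# stale device, and one that never synchronized
$Now = Get-Date
$SampleMailbox = [PSCustomObject]@{
    DisplayName       = 'Sample User'
    UserPrincipalName = 'sample.user@contoso.example'
}
$Samples = @(
    @{ Name = 'active'; LastSync = $Now.AddDays(-2) }
    @{ Name = 'stale';  LastSync = $Now.AddDays(-400) }
    @{ Name = 'never';  LastSync = $null }
)
$SampleReport = foreach ($S in $Samples) {
    $Device = [PSCustomObject]@{
        DeviceType        = 'iPhone'
        DeviceOS          = 'iOS (constructed)'
        DistinguishedName = "CN=$($S.Name),CN=ExchangeActiveSyncDevices,CN=Sample User"
    }
    $Stats = [PSCustomObject]@{
        FirstSyncTime        = $Now.AddDays(-500)
        LastSuccessSync      = $S.LastSync
        DevicePolicyApplied  = 'Default'
        LastPolicyUpdateTime = $null
    }
    New-DeviceReportLine -Mailbox $SampleMailbox -Device $Device -Stats $Stats -Now $Now
}

Get-StaleDevice -Report $SampleReport |
    Format-Table Mailbox, DeviceType, DaysSinceLastSync, DeviceDN -AutoSize
```

Against a tenant, assign the output of Get-MobileDeviceReport to $Report and pass the output of Get-StaleDevice to Show-StaleDeviceRemoval. Remove -WhatIf only after someone has checked the actual status of each device.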

No Prospect for Change

At this point, it’s hard to see that Microsoft will make any dramatic change to the Exchange device management framework. What exists now suffices for small to medium businesses, and anyone who needs something more sophisticated should head to Intune or check out third-party mobile device management solutions.


Learn how to exploit the data available to Microsoft 365 tenant administrators through the Office 365 for IT Pros eBook. We love figuring out how things work.

Loop App Stores its Data in SharePoint Embedded
https://office365itpros.com/2023/06/08/sharepoint-embedded-loop/
Thu, 08 Jun 2023 01:00:00 +0000

SharePoint Embedded is a Special Form of SharePoint Online

Updated 18 March 2024

Last March, I wrote about the preview of the much-awaited Loop app, and noted that the objects generated by the Loop app “are stored in hidden SharePoint Online containers with names like https://office365itpros.sharepoint.com/contentstorage/CSP_GUID.” By comparison, the content of Loop components created in apps like Teams chat and Outlook are stored in .loop files in the author’s OneDrive for Business account.

At the time, Microsoft pointed to the support SharePoint Online gave to the Loop app but were non-specific about any detail. Microsoft revealed more information at the BUILD conference, where they said that the Loop app uses Syntex repository services, described as “the fastest way for developers to build and manage file and document centric apps that leverage the rich content platform services of Microsoft 365.” Syntex repository services are in private preview at present. Subsequently, Microsoft renamed Syntex Repository Services to be SharePoint Embedded.

Powered by SharePoint

The developer blog post on the topic gives more information. It seems like Syntex repository services (“powered by SharePoint”) is a document management service Microsoft sells to app developers. Apps developed on the platform store their files in “repository containers,” a SharePoint Online storage partition within a customer tenant (you could think of OneDrive for Business as a SharePoint partition). Repository containers created by apps remain under the control of the app that creates the containers and cannot be accessed through regular Microsoft 365 interfaces, including administrative interfaces like the SharePoint Online admin center. Apps access their files through Microsoft Graph APIs and present the information through their own GUIs.

The big advantage put forward by Microsoft is that by managing their files through Syntex, app developers get access to Microsoft 365 capabilities like sensitivity labels and eDiscovery in addition to the scalability of the Microsoft cloud platform. In other words, don’t worry about storing files, compliance, and all that stuff because Syntex will do that for you – focus on delivering app functionality to end users. It’s a good example of creating new capabilities off a proven platform.

Loop and Syntex Repository Services

Coming back to Loop, Microsoft asserts that the Loop app is “100% powered by Syntex repository services.” What I thought were hidden SharePoint containers are repository containers that the Loop app accesses to store and manage its workspaces and pages. Microsoft noted that the Designer app also uses Syntex repository services (Figure 1).

Figure 1: Syntex repository services/SharePoint Embedded (source: Microsoft)

We’re still in the early days and everything doesn’t work as promised. Loop is in preview and Microsoft 365 content searches cannot find its content, nor can retention policies target app repository containers. The Loop app doesn’t support assignment of sensitivity labels to workspaces or pages, and data loss prevention policies don’t intervene if someone shares a Loop page link outside the organization. All of this is expected when apps and underlying services are evolving.

SharePoint Embedded is an Interesting Choice for App Developers

If Microsoft delivers what it says will happen, app developers have an interesting choice to make. Should they create everything from scratch and have total control over a solution or use Syntex repository services and get a lot of off-the-shelf functionality? Cost will obviously be part of the equation. There’s no information available about who pays for Syntex repository services when it’s used to host app content.

Backup is another aspect to consider. Microsoft 365 tenants are accustomed to backing up documents and other elements stored in SharePoint Online. How will they back up documents and lists stored in app repository containers? Will backup vendors be able to read a list of app containers in a tenant and stream their contents out to a backup target? This is an example of an issue that needs better understanding before a new service becomes 100% operations-ready.

In passing, I note that the Syntex backup solutions for SharePoint Online, Exchange Online, and OneDrive for Business announced in November 2022 still haven’t made an appearance. Developing and bringing new cloud services into production is hard, even for Microsoft.


Learn more about how the Office 365 applications really work on an ongoing basis by subscribing to the Office 365 for IT Pros eBook. Our monthly updates keep subscribers informed about what’s important across the Office 365 ecosystem.

Configuring Browsers for Microsoft 365 Apps Side-by-Side Viewing
https://office365itpros.com/2023/05/25/side-by-side-viewing-m365/
Thu, 25 May 2023 01:00:00 +0000

Edge is the Default Browser for Side-by-Side Viewing

Quite a backlash ensued when Microsoft announced that Outlook would open embedded links in email using the Edge browser instead of the system default browser (Figure 1). Apparently, this allows people to “stay in your flow” because side-by-side viewing allows the user to read and respond to the message with the link open. According to Microsoft, Outlook for Windows supports side-by-side viewing from build 16.0.16227.20280. I’m using build 16.0.6505.20002 on one PC and build 16.0.16501.20098 on another and don’t see the functionality in either. Some bits must still be en route.

Figure 1: Edge displays side-by-side information from a web link in an OWA message (source: Microsoft)

Message center notification MC531738 (last updated 20 April 2023) describes an associated change for Outlook Mobile clients where the client will prompt users to choose between Edge and the system browser to open links. Microsoft says that these arrangements improve the user experience and have nothing whatsoever to do with their desire to drive increased usage for Edge.

Being able to open a web link in a seamless way makes a lot of sense and is a useful development. Microsoft caused the problem by presenting the feature as an Edge exclusive instead of saying that people could use other browsers. Microsoft plans to implement side-by-side viewing for “other Microsoft 365 apps” with Teams lined up to implement the feature next (presumably in both the classic and the preview of the new Teams 2.1 client).

Configure Cloud Policy for Browser Selection

The good news is that Microsoft documentation is available to instruct Microsoft 365 tenant administrators how to configure the browser used for side-by-side viewing. All that’s required is a change to the Microsoft 365 cloud policy assigned to users.

Head to the Microsoft 365 apps admin center and choose Go to Microsoft 365 cloud policy. This reveals the set of policies defined in the tenant. Select the policy to update. Make sure that the policy has the correct scope (the set of users it applies to) and move on to the policy settings. Search for the “Choose which browser opens web links” setting (Figure 2) and then select either Edge or the default system browser (set by the user). Remember to apply the setting and save the policy.

Figure 2: Updating the Microsoft 365 cloud policy to choose the browser to open web links

The big thing to remember is that if you don’t update the cloud policy, the default for Microsoft 365 apps is to use Edge. In other words, take action to update the policy or don’t complain afterward when Outlook wants to call Edge to display web pages.

The documentation also explains how to deploy the setting using Microsoft 365 administrative templates.

User-Driven Choice

Microsoft says that users will have an option to configure Outlook desktop settings to choose their preferred browser there (File > Options > Advanced > Link Handling). Teams respects the choice a user makes in Outlook. If an organization deploys policy settings to control the feature, the option to select a browser is grayed out in Outlook. I don’t see the option in either version of Outlook desktop I use.

The client-side option exists not only to allow choice for users in Microsoft 365 tenants but also to serve people with Microsoft 365 Personal or Family subscriptions where facilities like cloud policy management aren’t available. In addition, those using Microsoft 365 for business plans can only use the cloud management policy when it supports side-by-side viewing in Teams. Microsoft’s documentation for the Family and Personal subscriptions says that Outlook only tries to use Edge on Windows 10 and Windows 11 PCs.

Poor Communications Get in the Way of a Good Idea

In summary, side-by-side viewing is a good idea that Microsoft mishandled in terms of communications. The controls to allow organizations to exert choice over the browser used in side-by-side viewing are available, and users can make their own choice if an organization policy is unavailable. If Microsoft had said that when they introduced the concept instead of focusing on Edge, no one would have been concerned and the fuss and bother would have been avoided.


Keep up with the changing world of the Microsoft 365 ecosystem by subscribing to the Office 365 for IT Pros eBook. Monthly updates mean that our subscribers learn about new developments as they happen.

Organization Messages Available to Madden Microsoft 365 Users https://office365itpros.com/2023/05/24/organization-message-m365/?utm_source=rss&utm_medium=rss&utm_campaign=organization-message-m365 https://office365itpros.com/2023/05/24/organization-message-m365/#comments Wed, 24 May 2023 01:00:00 +0000 https://office365itpros.com/?p=60222

Organization Messages Serve a Single Purpose – Drive Microsoft 365 Adoption

Last month, I covered Microsoft’s unfortunate choice to begin running in-product ads in SharePoint Online. The ads highlighted the joys of attending the Microsoft 365 conference in Las Vegas at the start of May. Publicizing this conference was a reasonable choice given the heavy Microsoft sponsorship for the event and the line of Microsoft speakers from the SharePoint development group on the schedule, led by Jeff Teper.

Microsoft’s support for the conference wasn’t the point. The argument raged about the ethics of Microsoft running in-product ads directed at end users who would never attend such an event in software paid for by customer organizations. The tactic might be appropriate for no-charge consumer software; it’s not when you pay to consume a service. If you agree with this position, please consider upvoting the feature request to quash in-product ads.

Microsoft 365 Organization Messages

Enter organization messages, available through the Adoption Score (under Reports) section of the Microsoft 365 admin center, which seems to be an analogous technology. This time the messaging is under the control of the tenant, which is how it should be. The advent of organization messages for Microsoft 365 Office apps shouldn’t come as a surprise because Microsoft launched organization messages for Windows 11 (Intune) in preview in November 2022. That project continues, albeit still in preview. All these efforts have the same goal: send messages to end users as they work to prompt them to do something.

Organization messages are currently available to:

  • Encourage people to create files in SharePoint or OneDrive.
  • Encourage users to email files with cloud attachments.
  • Encourage people to communicate using Teams.
  • Encourage people to use @mentions in Outlook.
  • Encourage people to use Outlook mobile.

When a message is active, the targeted apps display the message tooltip in the business bar in the Word, Excel, PowerPoint, and Outlook desktop apps (aka, the “product surface”). The usual outcome is that the user either dismisses the message with a button often labeled “Got it” or they click another button to go to documentation for the suggestion made by the tooltip.

Creating an Organization Message

I decided that @mentions in Outlook would get the best response from users in my tenant, so I opted for that message. The admin center launched a wizard to guide me through the steps to create and schedule the message, starting with picking the message appearance (Figure 1). Your account must be a global administrator or hold the new Azure AD Organizational Messages Writer role to create, schedule, and monitor organizational messages.

Figure 1: Creating an organization message

The next step is to select message recipients (“the audience”). The easy option is to select everyone, but more granular filters are available to:

  • Omit priority users (often executives, and you wouldn’t want to disturb their ponderings).
  • Omit users by group (why bother the IT department with hints they already know about?).
  • Apply filters based on group-level insights (like departments and locations) derived from Azure AD.

Before you can apply filters based on group-level insights, you must enable organizational insights through the org settings for Adoption score (Figure 2).

Figure 2: Enabling group-level insights for Microsoft 365 adoption score

Next, you add a schedule for the message by setting start and end dates for the apps to display the message, which must be at least 48 hours in advance. You also set an interval for the message to reappear if the user dismisses the message without taking the recommended action (the nagging user parameter).

Finally, you either save the message as a draft or go ahead and submit it for scheduling (Figure 3). After scheduling a message, Microsoft 365 takes care of processing its display by prompting apps when a user within scope for a scheduled message connects.

Figure 3: Checking details of an organization message

Viewing Organization Message Tooltips

Due to the mandatory 48-hour lead-in period, a certain leap of faith ensues as those who schedule messages wait for the tooltips to appear in apps used by the target audience. Eventually, the tooltips show up in the targeted Office app to impress users (Figure 4).

Figure 4: A tooltip for an organization message

You can’t customize the appearance or text in a tooltip in any way. Tooltips generated by organization messages use the same format as the other annoying prompts that Microsoft surfaces in the Office apps. I’m particularly taken by the way that Word offers me a tour of its facilities. Perhaps Word wants to show me features that I’ve never explored since starting to use Word 2.0 in 1992. More likely it’s just a sloppy implementation that results in unwanted tooltips appearing without good cause.

Monitoring Organization Messages

When organization messages are active, it’s possible to monitor the success of Microsoft 365 in delivering the message (tooltip) to users through a rudimentary (half-finished) dashboard (Figure 5). You can’t resize the columns, so you must scroll across to see the columns revealing the total for messages seen (shown to users) and total clicks (on a tooltip button). Clicking the name of a message does nothing.

Figure 5: Organization message dashboard

If you feel the need to plan another communication campaign, you can clone an active message and schedule it for different dates and target audiences. For instance, you could start off with a test campaign focused on members of the IT department (identified by an Azure AD group) and then broaden communications to a wider audience after seeing user response to the tooltips.

Do You Need Organization Messages?

On the one hand, it’s good that Microsoft built a framework for delivery of administrator-authored messages to users via the Microsoft Office apps. There are times when administrators need to communicate on a broad basis with tenant users and doing so in the applications people work with most often seems like a promising idea. However, the downside is that the implementation (in preview) is terribly limited to the messages that Microsoft wants administrators to send. Being able to send custom messages would make this facility so much better and more valuable.

Pop-up messages can be like old-fashioned MFA challenges: easy to dismiss. The value gained by bombarding end users with helpful advice is doubtful. If anyone gains, it’s Microsoft. I’m unsure where any value exists for customers here, just like I doubt the value of in-product advertising of even apparently benign items like Microsoft 365 conferences you might like to attend.


So much change, all the time. It’s a challenge to stay abreast of all the updates Microsoft makes across Office 365. Subscribe to the Office 365 for IT Pros eBook to receive monthly insights into what happens, why it happens, and what new features and capabilities mean for your tenant.

Entra ID Administrative Units and Microsoft Purview Data Lifecycle Management https://office365itpros.com/2023/05/08/entra-id-administrative-units-pv/?utm_source=rss&utm_medium=rss&utm_campaign=entra-id-administrative-units-pv https://office365itpros.com/2023/05/08/entra-id-administrative-units-pv/#respond Mon, 08 May 2023 01:00:00 +0000 https://office365itpros.com/?p=60037

Use Entra ID Administrative Units to Scope Compliance Administrator Responsibilities

In a development designed to give complex organizations extra flexibility in managing Purview solutions, Entra ID (Azure AD) administrative units can now be used to assign segregated responsibility for policy management. This feature is available in information protection and data loss prevention, and now (Microsoft 365 message center notification MC541152, 13 Apr 2023, Microsoft 365 roadmap item 117354) in data lifecycle management (retention and label policies). The functionality is in preview and is expected to roll out in June 2023. For now, the functionality is only available in commercial tenants.

Limiting Scope for Administrators

Microsoft Purview uses administrative role groups to define what the members of each group can do. Each role group has a set of one or more roles to break down the scope of what an administrator can do into smaller tasks. For instance, the compliance administrator role group includes roles like “compliance search” (needed to run eDiscovery searches) and “retention management” (needed to work with retention labels and policies).

The default situation for a Microsoft 365 tenant is that compliance role groups have an organization-wide scope. In other words, once someone is in a role group, they can use the roles assigned to the group to perform administrative operations across the entire organization. This approach works well for small to medium organizations. It becomes less satisfactory as the size and complexity of organizations grow. For instance, a company might have IT administrators based in separate countries or assigned to handle work for different departments or operating units. In these situations, it might not be appropriate to have an administrator whose primary focus is dealing with French operations handle retention policies for German accounts.

Administrators and Entra ID Administrative Units

Administrative units allow an organization to logically organize directory objects into smaller units for management purposes. User accounts can be in multiple administrative units. For example, a user account could be in an administrative unit for their department and another for their country.

It’s very easy to create an administrative unit and add user accounts to it manually. It’s even easier and more powerful to use dynamic administrative units where Entra ID maintains the membership of the administrative unit based on object properties. And once you set up and populate the administrative units, you can assign them to members of Purview compliance role groups. In Figure 1, two members of the role group can work across the organization while the other three are limited to one or more administrative units.

Figure 1: Assigning members of a compliance role group to Entra ID administrative units
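
One way to create the kind of dynamic administrative unit described above and check who is in it, using the Microsoft Graph PowerShell SDK. This is an added example, not code from the original article; the membership rule, and the assumption that the "United States" unit shown in Figure 1 is populated from the user country property, are illustrative. Assigning the unit to members of a Purview role group still happens in the Purview portal.

```powershell
# Added example: create a dynamic administrative unit and audit its membership.
# Requires the Microsoft Graph PowerShell SDK (Microsoft.Graph module).
Connect-MgGraph -Scopes 'AdministrativeUnit.ReadWrite.All', 'User.Read.All'

$AuName  = 'United States'                        # unit name as shown in Figure 1
$Country = 'United States'                        # assumed value of the country property
$Rule    = "(user.country -eq `"$Country`")"      # assumed dynamic membership rule

# Reuse the administrative unit if it already exists; otherwise create it
# with a rule so that Entra ID maintains the membership.
$Au = Get-MgDirectoryAdministrativeUnit -Filter "displayName eq '$AuName'" |
    Select-Object -First 1
if (-not $Au) {
    $Au = New-MgDirectoryAdministrativeUnit -BodyParameter @{
        displayName                   = $AuName
        description                   = "Accounts whose country is $Country"
        membershipType                = 'Dynamic'
        membershipRule                = $Rule
        membershipRuleProcessingState = 'On'
    }
}

# Members as Entra ID currently evaluates them (user objects only).
$Members = @(Get-MgDirectoryAdministrativeUnitMember -AdministrativeUnitId $Au.Id -All |
    Where-Object { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.user' })

# Accounts the rule is expected to select, read straight from the directory.
$Expected = @(Get-MgUser -Filter "country eq '$Country'" -All `
    -Property Id, UserPrincipalName, Country)

$MemberIds   = @($Members.Id)
$ExpectedIds = @($Expected.Id)

# Accounts that match the rule but are not yet members: policies created by an
# administrator limited to this unit cannot apply to them.
$Missing = $Expected | Where-Object { $_.Id -notin $MemberIds } | ForEach-Object {
    [PSCustomObject]@{
        UserPrincipalName = $_.UserPrincipalName
        Finding           = 'Matches rule but is not in the administrative unit'
    }
}

# Members that no longer match the rule: still inside the administrator's scope
# until Entra ID re-evaluates the dynamic membership.
$Stale = $Members | Where-Object { $_.Id -notin $ExpectedIds } | ForEach-Object {
    [PSCustomObject]@{
        UserPrincipalName = $_.AdditionalProperties.userPrincipalName
        Finding           = 'In the administrative unit but does not match the rule'
    }
}

$Report = @($Missing) + @($Stale)
"{0} members, {1} expected, {2} differences" -f $Members.Count, $Expected.Count, $Report.Count
$Report | Sort-Object Finding, UserPrincipalName | Format-Table -AutoSize
```

Run the audit part again after changing the country property of an account; differences that persist point to a rule that does not express the intended scope.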

Entra ID Administrative Units and Adaptive Scopes

Data lifecycle management already has adaptive scopes, introduced in late 2021. Adaptive scopes allow organizations to target specific users, groups, and sites based on certain properties like a user’s country or department. It seems like an overlap might exist here but that’s not the case. Administrative units are all about limiting what an administrator can do when managing policies. Adaptive scopes are all about limiting the scope of processing when background jobs come to process the policies.

Looking back to Figure 1, Jessica Chen is an administrator whose limit is defined by the United States administrative unit. Any retention policy created by Jessica can only apply to accounts within that administrative unit. Figure 2 shows how to scope a retention policy to an administrative unit.

Figure 2: Adding an administrative unit to a retention policy

By contrast, my account is scoped for the organization, meaning that the policies I work with apply to everyone in the organization. Remember, an account can come within the scope of multiple retention policies, including Exchange Online mailbox retention policies, and individual items can have retention labels. The background jobs which apply policies follow the principles of retention to decide how to resolve the retention requirements for items.

Behind the scenes, the introduction of administrative units into the mix means that the background jobs (like the Exchange Managed Folder Assistant and the Retention assistant) make sure that a policy scoped to administrative units is not applied to accounts that are not in those administrative units.

One way of thinking about this is that all data lifecycle management policies use adaptive scopes and that the background jobs enforce the scopes when they run. In terms of flexibility, scoping runs from least adaptive to most adaptive:

  • Organization-wide with static locations (the default, available in Office 365 E3).
  • Organization-wide with adaptive locations (requires Office 365 E5).
  • Administrative unit with static locations.
  • Administrative unit with adaptive locations.

Policies that use administrative units only process locations (like a mailbox) belonging to the administrative unit even if administrators add other locations to the policy.

Support for Entra ID Administrative Units in Other Purview Solutions

Administrative unit support is available in the following Microsoft Purview solutions:

  • Data Loss Prevention (DLP): Management of DLP policies, including restricting the visibility of DLP alerts to administrators.
  • Information Protection: Management of sensitivity label publishing policies. This includes the ability to see label actions in the Activity Explorer.

Licensing

To use administrative units, you need Entra ID Premium P1 licenses for every account in an administrative unit. Given that Enterprise Mobility and Security (EMS) now has 250 million users, the large enterprises likely to want to use administrative units have these licenses.

To assign administrative units to Purview administrators, you need Microsoft 365 E5/A5, Microsoft 365 E5/A5/F5 Compliance and F5 Security & Compliance, or Microsoft 365 E5/A5/F5 Information Protection & Governance licenses for each administrator. This requirement is a surprise because Office 365 E5 is usually sufficient to cover advanced functionality.


Support the work of the Office 365 for IT Pros team by subscribing to the Office 365 for IT Pros eBook. Your support pays for the time we need to track, analyze, and document the changing world of Microsoft 365 and Office 365.

Reducing the Friction in Transferring Word Documents to Kindle https://office365itpros.com/2023/05/05/word-send-to-kindle-option/?utm_source=rss&utm_medium=rss&utm_campaign=word-send-to-kindle-option https://office365itpros.com/2023/05/05/word-send-to-kindle-option/#comments Fri, 05 May 2023 01:00:00 +0000 https://office365itpros.com/?p=59920

Word Send to Kindle Option Makes Document Transfer Easy

As you might know, the Office 365 for IT Pros eBook is available for Amazon Kindle. We don’t sell many copies on Kindle. The price is the same (a regulation imposed by Amazon), but it’s easier to download updates for the EPUB/PDF version. Amazon’s publishing mechanisms are built for novels that don’t change often. They don’t cope well with a book like Office 365 for IT Pros when updates appear monthly. Another fact is that it’s possible to transfer the EPUB file to a Kindle, meaning that people who subscribe to the EPUB/PDF version get all the benefits of easy updates while being able to access the content on Kindle when needed.

In any case, since 2016 we have accumulated lots of experience dealing with the Kindle model as we publish monthly updates. Our preferred tool is Calibre eBook management, which does a nice job of turning Word documents into EPUB format. We then upload the EPUB file to Amazon’s Kindle publishing platform to generate a file that Amazon publishes in its store.

Sending Word Documents to Kindle

All of which means that Microsoft’s announcement about a new Send to Kindle feature in Word in MC519245 (last updated 21 Mar 2023, Microsoft 365 roadmap item 117542) attracted my attention. The plan is to make the feature available in Word desktop for Windows and Mac (subscription version) and Word Online. The documentation says that the web version is “coming.” It is available in the Current Channel (Preview) of the Windows app (Figure 1). I tested the feature using version 2304 (build 16327.20200).

Figure 1: Word’s Send documents to Kindle option

Transferring Word Documents to an Amazon Account

To send documents to Kindle, you must have an Amazon account that’s linked to a Kindle device. Documents sent to Kindle become available for download to any device registered to the Amazon account. Dating from 2011, my Kindle is antique at this stage. However, if documents sent from Word worked on this device, they will work on any Kindle.

When you send a document, you sign into the Amazon account and decide which of two formats to use (Figure 2):

Figure 2: Options to send Word documents to Kindle

Here’s how Microsoft’s support documentation describes the two options:

Kindle book: This formatting style enables adjustable font sizes and page layouts. It also supports handwritten sticky notes with Kindle Scribe. It works well for storing documents with simple text formatting for better readability on smaller screens.

Word document format: This formatting style preserves the page layouts and text formatting of your Word document. Your content will display in Kindle as it would appear when printed (except tracked changes and comments, which will not appear).

After selecting the format to use, Word sends the document to an Amazon service to prepare the content for viewing on Kindle.

Reading Word Documents on Kindle

After a while, the file synchronizes with the Kindle and is available for reading. Testing with a few trial documents worked well, and then I decided to send the full current version of Office 365 for IT Pros (Figure 3). The source Word document is a 33.1MB file spanning 1,380 pages complete with many tables, embedded web links, graphics, and a table of contents. We do not use footnotes. Interestingly, selecting the Kindle format created a 33.3MB file, very close to the size of the Word document, while the Word format (like a printed document) option generated a 28.4MB PDF file.

Figure 3: The Office 365 for IT Pros eBook on a very old Kindle

I first tried the Kindle book format. This worked except for graphics. Everything else was fine, including the formatting of PowerShell code examples. As expected, the formatted PDF file looks like a printed document and preserves graphics and other formatting. It’s been possible to transfer PDFs to Kindle for several years and it appears that Word uses a modified version of these techniques to convert to PDF and copy the file to Amazon.

Word Send to Kindle is Simple Inbuilt Transfer

The value of Word’s Send documents to Kindle feature is that it’s built into the app and makes it easier for people to transfer documents to Amazon for synchronization to their Kindle devices. The outcome is no better than with previous methods, but the simplicity of the operation and reduced friction are welcome.


Stay updated with developments across the Microsoft 365 ecosystem by subscribing to the Office 365 for IT Pros eBook. We do the research to make sure that our readers understand the technology, even if we decide not to mention features like Word Send to Kindle.

Microsoft 365 User Profile Card Gets Viva Topics https://office365itpros.com/2023/05/02/viva-topics-user-profile-card/?utm_source=rss&utm_medium=rss&utm_campaign=viva-topics-user-profile-card https://office365itpros.com/2023/05/02/viva-topics-user-profile-card/#comments Tue, 02 May 2023 01:00:00 +0000 https://office365itpros.com/?p=59937

Expertise Noted in Viva Topics Now Appears on Microsoft 365 User Profile

I consider Viva Topics to be the most interesting part of the Microsoft Viva Suite. Viva Topics allows organizations to mine knowledge from documents stored in SharePoint Online to extract topics of interest to the organization. Knowledge managers then decide which topics to publish to appear in applications and who within the organization have expertise in the topics. The idea is to allow end users to find information more easily, including people that they should consult if they need additional information.

Since its introduction in 2021, Microsoft has gradually expanded the set of apps that highlight topics to include high-traffic apps like OWA and Teams chat. Teams channel conversations do not support Viva Topics, but the beta of the Teams 2.1 client does (Figure 1).

Figure 1: Using Viva Topics in a channel conversation with the Teams 2.1 client

Showing Knowledge in People Cards

Published on 28 March 2023 in Microsoft 365 message center notification MC534310 (Microsoft 365 roadmap item 88697) and now rolling out, the Microsoft 365 user profile card now highlights details of the topics that someone has expertise in, but only if the viewing user has a Viva Topics or Viva Suite license (Figure 2).

Figure 2: Viva Topics listed on a user profile card

This change is part of a process to increase the value of the profile card. The last enhancement was the addition of pronouns; another example is the inclusion of local time information, a feature that first appeared in Teams. The roadmap item specifies that the Viva Topics data appears in “profile cards displayed through Outlook” while MC534310 says that the information is available in profile cards for OWA and SharePoint web parts. Confusingly, MC534310 also mentions that you can see the information in “other Office apps.” My conclusion is that OWA is first to implement the feature and that it will gradually appear throughout Microsoft 365. Time will tell.

Navigating Viva Topics

Selecting a skill brings the user to the topic page (Figure 3). Here they can find additional information about the topic, such as its connections with other topics. You can also see the list of confirmed and suggested experts for the topic.

Figure 3: Viva Topics page

Skills and Expertise

Two sets of topics appear in the profile card. If you look at Figure 2, the first set (with a tick mark) contains published topics. The second set contains suggested topics that Viva Topics believes the person is knowledgeable in. However, a knowledge manager has not yet reviewed and published the topic and connected the person to it. In some ways, it’s like the verification process to receive a checkmark for Twitter.

Remember that Viva Topics derives its opinion about user expertise based on the contributions made in documents stored in SharePoint Online (all or some of the sites in a tenant can contribute). Depending on the age of the document or the review cycle for topics, the lists can reflect old product names, projects, and so on. For instance, because I write about many elements in Microsoft 365, Viva Topics considers that my account is connected to a large set of topics (Figure 4). Many of the suggestions are old and will never be confirmed. Others are candidates for updating because the name of a product has changed, and others are obsolete and should be removed. Maintaining the topics and skills is an important role for knowledge managers to ensure that users see relevant and valuable topics. Obviously, I have not been doing a good job as a knowledge manager.

Figure 4: A user profile with many Viva topics

Extends the Reach of Viva Topics

Including topics in the user profile card seems like a good idea. If you have the necessary license, the organization has already taken the plunge to use Viva Topics to harness and refine knowledge, so it’s good to have the information available through as many places as possible. On the other hand, if you don’t use Viva Topics you won’t care. And that’s just fine too.


Learn how to exploit the data available to Microsoft 365 tenant administrators through the Office 365 for IT Pros eBook. We love figuring out how things work.

Converting Teams Wikis to OneNote https://office365itpros.com/2023/04/28/teams-wiki-migration/?utm_source=rss&utm_medium=rss&utm_campaign=teams-wiki-migration https://office365itpros.com/2023/04/28/teams-wiki-migration/#comments Fri, 28 Apr 2023 01:00:00 +0000 https://office365itpros.com/?p=59979

Time to Say Goodbye to Teams Wikis

In July 2022, Microsoft announced the cessation of support for the Teams Wiki. In January 2023, they said that an app would be available to move content from Wikis to OneNote. That app took a while to arrive, but it’s available now (as per the revised date noted in MC496248). If you’re unsure if any wikis exist to be migrated, you can run a script to find wikis in standard channels.

Microsoft’s support documentation explains the process of moving a wiki to OneNote. This post summarizes some points about the migration not covered there.

Migrating Wiki Content

When you migrate a Teams wiki, the target is the shared OneNote notebook that’s part of the resources provisioned in the team’s SharePoint Online site. Figure 1 shows the contents of the Site Assets document library in a site used by the Office 365 for IT Pros authors to store the chapters and other contents for the eBook. You can see that the notebook file dates from February 19, 2016, which is when we started using the Microsoft 365 group to organize our files. The notebook name reflects the original name of the eBook.

Figure 1: The location of a shared notebook in a SharePoint Online team site

A team channel can have multiple wiki tabs (Figure 2). Each channel has a folder in the Teams Wiki Data document library in the team’s SharePoint site which holds the wiki content. This article explains how SharePoint stores Wiki content.

Figure 2: A team channel with multiple wiki tabs

After running the migration app, the wiki content is set to be read-only and a copy of the content moves into the OneNote notebook. Each channel becomes a notebook section while each wiki tab becomes a page within the channel section. Team members can access the content through:

  • The Notes tab that the migration app automatically adds to the channel (Figure 3). Some people find that removing the old Wiki tab and renaming the Notes tab to Wiki makes it easier for users to find content that they work with.
  • The OneNote web app (accessed from the Office 365 app launcher)
  • The OneNote desktop app.

Figure 3: Teams wiki content moved to OneNote

The text in content moved to OneNote remains indexed and discoverable by a content search. OneNote items are not supported by content search preview but are accessible when downloaded by a content search export. The preview function of Microsoft Purview eDiscovery Premium does support a basic preview of OneNote items. However, there’s no indication of where in the notebook the text is found by the content search.

There’s no way to migrate all wikis in a tenant at one time. Users must move wikis over individually (any team member allowed to add a channel tab can do the migration).

Wikis in Private and Shared Channels

Microsoft’s migration utility doesn’t handle wikis for private and shared channels. If you use a wiki in those channels, the easiest way to deal with them is to:

  • Open the wiki.
  • Copy the information.
  • Paste it into a Word document stored in the document library of the site used by the private or shared channel. Alternatively, paste the content into the notebook belonging to the team site.

Easy Transition

According to MC496248, Teams wikis will be inaccessible in January 2024. Moving to OneNote isn’t onerous. It just takes a little planning and user education. Isn’t that always the case?


Learn more about how the Office 365 applications really work on an ongoing basis by subscribing to the Office 365 for IT Pros eBook. Our monthly updates keep subscribers informed about what’s important across the Office 365 ecosystem.

Microsoft FY23 Q3 Results Highlight Cloud Success https://office365itpros.com/2023/04/27/microsoft-cloud-revenue-fy23q3/?utm_source=rss&utm_medium=rss&utm_campaign=microsoft-cloud-revenue-fy23q3 https://office365itpros.com/2023/04/27/microsoft-cloud-revenue-fy23q3/#comments Thu, 27 Apr 2023 01:00:00 +0000 https://office365itpros.com/?p=59966

Microsoft Cloud Revenues Increase as Office 365 Users Reach 382 Million Paid Seats

On April 25, Microsoft released their FY23 Q3 results and reported some interesting news. The highlight is the continued growth in Microsoft Cloud revenues to $28.5 billion, an annualized run rate of $114 billion. By comparison, the equivalent quarterly result was $17.4 billion for FY21 and $23.4 billion in FY22. The steady growth (22% year over year) in cloud revenues happened despite some bleak employment headwinds that some commentators thought would blunt progress for products like Office 365. The two-point increase in Microsoft Cloud gross margin to 72% is an indication of how profitable (and critical) this business now is to Microsoft.

Microsoft Cloud dominates Microsoft FY23 Q3 Business Highlights

The more interesting data for Microsoft results is often found in the transcript from the meeting with market analysts. It’s worth a read.

Office 365 Results

In February, I calculated that Office 365 represents about 47% of Microsoft Cloud revenues. Office 365 is still growing, albeit at a slower rate. Microsoft reported that paid Office 365 commercial seats grew 11% year over year to 382 million (up from 345 million in FY22 Q3, or an increase of 37 million in a year). To take two previous data points, in January 2023, the reported growth rate for Office 365 was 12% while in October 2021, it was 15%. Office 365 has added about 3 million (or thereabouts) new seats for as long as I have tracked these numbers and it’s impressive to see that growth continue.

Paid seats aren’t the same as monthly active seats or daily active seats. Microsoft hasn’t given a number for active seats for several years. Usually, that number is a few points behind paid seats to account for deployments paid for but not yet complete.

In terms of revenue, Microsoft said that “Office 365 commercial revenue increased 14% and 18% in constant currency, slightly better than expected with the strong renewal execution mentioned earlier and E5 momentum.” They also reported that the expansion of the installed base happened across all workloads and customer segments and that they expect average revenue per user (ARPU) growth to continue into Q4. In other words, Microsoft is succeeding in selling higher-end Office 365 licenses and add-ons like Teams Premium and Syntex-SharePoint Advanced management to their installed base.

Teams Reaches 300 Million Users

Speaking of Teams, Microsoft provided an updated number for Teams. Now at 300 million monthly active users, Teams gained 20 million over the 280 million reported in January 2023. Microsoft also said that 60% of Teams enterprise customers buy Teams Phone, Teams Rooms devices, or Teams Premium. The assertion is almost meaningless because we don’t know how many enterprise customers exist for Teams.

Interestingly, on April 24, the Financial Times reported that Microsoft has agreed to stop bundling Teams with Office in an attempt to avoid a formal European Union anti-trust investigation following a 2020 complaint from Slack. Whether this will stop the growth in Teams users tracking the growth in Office 365 users remains to be seen.

Other Interesting Numbers

Microsoft reported that revenues from Azure and other cloud services grew 27%. They didn’t break out numbers for individual services.

The installed base for Enterprise Mobility and Security (EMS) grew 15% and is now nearly 250 million seats (an increase of 32 million over the last year). These seats all have access to Azure AD Premium licenses, so have no excuse for not embracing multi-factor authentication and increasing the overall percentage for MFA-protected accounts above its current sorry level.

Potential Copilot Pricing

As you might expect, artificial intelligence and the slew of Copilot-branded products were top of mind for the Microsoft executives. Satya Nadella responded to a question about “Copilot monetization” and whether Microsoft can uplift prices above current levels (basically, can they charge more for something like Copilot for Microsoft 365).

Nadella responded by saying “The CoPilot that’s priced, and it is there, is GitHub Copilot. That’s a good example of incrementally how we monetize the price lists out there, and others are to be priced, because we are in preview mode. But you can expect us to do what we’ve done with GitHub Copilot pretty much across the board.”

Today, GitHub Copilot is available in personal and business versions. Microsoft charges $19/month for a business subscription. Nadella’s response indicates that Microsoft is likely to charge for Copilot through an add-on license, perhaps using the model established by the Syntex-SharePoint Advanced management license, which can be added to any SharePoint plan, meaning that Copilot for Microsoft 365 could be added to any Office 365 or Microsoft 365 plan rather than be included in the base functionality covered by Office 365 E5 or another SKU.

Pricing tends to be one of the last things decided for a product, so we probably won’t have final details until much later in 2023.


Microsoft Posts In-Product Ads in SharePoint Online https://office365itpros.com/2023/04/26/in-product-messaging-microsoft365/ Wed, 26 Apr 2023 01:00:00 +0000

In-Product Messaging Highlights Microsoft 365 Conference in Las Vegas

Ever since the earliest days of Office 365, Microsoft has assured customers that they control the data in their tenant. Largely, I think Microsoft has respected that aspiration, but there have been times when Microsoft product managers feel the need to reach out to end users. That’s just not right. Communicating with tenant administrators is fine, but Microsoft should only ever communicate with the people who work in an organization and use the services available to a tenant with the explicit approval of that organization.

The latest example is in-product messaging featuring ads for conferences, which I encountered yesterday when editing a SharePoint Online page. A notification popped up to tell me that I should expand my SharePoint skills by learning from experts at the Microsoft 365 conference in Las Vegas in May (Figure 1). I’m not sure if this was an A/B kind of feature test but I know that many other people suffered the same interruption.

Figure 1: Where did that annoying pop-up ad come from?

I also don’t know if this kind of thing will happen in other Microsoft 365 web applications like OWA, Planner, and Viva Engage.

Many Things Wrong with In-Product Messaging

There are so many things that are wrong here. For instance:

  • No notification appeared in the Microsoft 365 admin center to inform administrators that these notifications would appear. The experience seems like a large-scale experiment to see how people will react to in-product ads.
  • Microsoft shouldn’t disrupt user workflow with unnecessary and unwanted notifications. Microsoft talks about removing friction from its apps and reducing context switches to allow people to work better. Popping up useless and unwanted notifications is distracting and intrusive.
  • People pay for Microsoft 365 as an enterprise app. Microsoft 365 is not a consumer app funded by advertising.
  • Blasting out notifications without administrator oversight (where’s the control in the Microsoft 365 admin center to block these ads?) might be considered to infringe user privacy.
  • Telling someone who works in Ireland about a conference in Las Vegas next month seems like a no-op. There’s very little trace of artificial intelligence and Microsoft’s famed telemetry here. I imagine that 99.9999% of the people who saw this pop-up have neither the budget nor the interest to go to a conference in Las Vegas, even if it is wall to wall with “experts.”

The only saving grace is that the link in the notification didn’t take the user to a portal to buy a conference ticket. Instead, it opened Microsoft’s post about their conference guide. Things could have been worse.

[Update: If you don’t like what Microsoft is doing with in-product ads, please upvote this feature request for SharePoint]

Why The Microsoft 365 Conference

I don’t understand why Microsoft tested in-product messaging with an ad for a third-party conference. The only reason I can think of is that Microsoft heavily invests in the Microsoft 365 conference with direct sponsorship payments and providing speakers for keynotes and sessions. In addition, the conference is coming up soon, so a certain rationale exists that this event was a good one to test.

I personally don’t like the Microsoft 365 conference very much because I think it focuses too heavily on certain parts of the ecosystem (like SharePoint and Teams) and focuses too much on new features. For instance, if you attend the conference, you’ll hear a lot about Microsoft 365 Copilot, the Loop application, the Viva suite, and the new Teams client. That’s all very well and the content satisfies the need for many in the technical community, but the coverage of Exchange Online (the largest workload in Microsoft 365) and Azure AD (the underpinning of all authentication in Microsoft 365) is poor. I think other conferences, like the European SharePoint, Office 365, and Azure Conference or The Experts Conference achieve better balance in their coverage of Microsoft 365 technology.

What’s Next?

I hope Microsoft decides that in-product messaging is a horrible idea for Microsoft 365. I hope that customers tell Microsoft that they hate pop-ups about random conferences or anything else. I don’t want to be interrupted with “important messages” about random happenings as I work in Microsoft 365 browser apps. Life has quite enough interruptions without software surfacing more unnecessary distractions.

Bring Your Own Domain for Microsoft 365 Service Messages https://office365itpros.com/2023/04/13/microsoft-365-service-messages/ Thu, 13 Apr 2023 01:00:00 +0000

Use a Verified Domain to Send Microsoft 365 Service Messages

Announced as Microsoft 365 message center notification MC531211 (21 March 2023, Microsoft 365 roadmap item 103628) and now rolling out to tenants, organizations can choose one of the verified domains available for their tenant as the domain used for product advisory emails (Microsoft 365 service messages).

Microsoft 365 apps that support the feature include:

  • SharePoint Online
  • OneDrive for Business
  • Office
  • Stream
  • Planner
  • Project
  • Viva Connections
  • Viva Topics
  • Viva Amplify

Microsoft 365 apps use email addresses like no-reply@sharepointonline.com and no-reply@planner.com when they generate informational messages to communicate alerts, events, or digest information to users. For instance, when someone stores a document with a higher-level sensitivity label in a SharePoint Online site, SharePoint generates an email to tell them about the potential problem caused by the label mismatch. Figure 1 shows an example of such a message after selecting the office365itpros.com domain to send service messages.

Figure 1: Using a verified tenant domain to send Microsoft 365 service messages

The messages don’t cover service alerts (when a service has an outage), nor do they cover One Time Passcodes (OTP) generated by sharing actions from OneDrive and SharePoint Online. Sharing notifications continue to use no-reply@notify.microsoft.com to ensure delivery of these emails.

Using a Verified Domain

The steps to select a verified domain for service messages are laid out in the Microsoft documentation. In essence, tenant administrators use the Send email notifications from your domain option in the Organization profile section of Org Settings in the Microsoft 365 admin center to select a username and domain (Figure 2).

Figure 2: Selecting a username and verified domain to use for Microsoft 365 service messages

The domain must be one of the verified domains for the tenant. After saving the new configuration, the Microsoft 365 apps switch to use the selected username and domain instead of their default domains when they send email. Messages are now routed by Exchange Online on behalf of the organization. Just like any of the verified domains used for mail routing, the DNS records for the chosen domain should be configured for SPF, DKIM, and DMARC. This is especially important if email is relayed to Exchange on-premises or an external email service.
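One way to check those records for the chosen domain, as an added example that is not part of the original article: the function names, the contoso.example domain and the sample records are assumptions made for illustration, and the live lookup relies on Resolve-DnsName from the Windows DnsClient module. The selector1 and selector2 names are the DKIM selectors Exchange Online uses for custom domains.

```powershell
# Added example (not from the original article). Function names are hypothetical;
# contoso.example and the sample records at the end are constructed placeholders.

function Get-MailAuthFinding {
    # Evaluates DNS data already fetched for one domain and emits one row per check.
    param(
        [Parameter(Mandatory)][string]$Domain,
        [string[]]$RootTxt = @(),      # TXT strings published at the domain itself
        [string[]]$DmarcTxt = @(),     # TXT strings published at _dmarc.<domain>
        [hashtable]$DkimCname = @{}    # selector name -> CNAME target (or $null)
    )
    function New-Row($Check, $Status, $Detail) {
        [pscustomobject]@{ Domain = $Domain; Check = $Check; Status = $Status; Detail = $Detail }
    }

    # SPF: exactly one v=spf1 record that authorizes Exchange Online and ends in -all or ~all
    $Spf = @($RootTxt | Where-Object { $_ -match '^v=spf1(\s|$)' })
    if ($Spf.Count -ne 1) {
        New-Row 'SPF' 'Fail' "Expected exactly one v=spf1 record, found $($Spf.Count)"
    } elseif ($Spf[0] -notmatch 'include:spf\.protection\.outlook\.com') {
        New-Row 'SPF' 'Warn' "Exchange Online is not authorized: $($Spf[0])"
    } elseif ($Spf[0] -notmatch '[-~]all\s*$') {
        New-Row 'SPF' 'Warn' "Record does not end in -all or ~all: $($Spf[0])"
    } else {
        New-Row 'SPF' 'Pass' $Spf[0]
    }

    # DMARC: one v=DMARC1 record; p=none only monitors and does not protect the domain
    $Dmarc = @($DmarcTxt | Where-Object { $_ -match '^v=DMARC1\s*;' })
    if ($Dmarc.Count -ne 1) {
        New-Row 'DMARC' 'Fail' "Expected exactly one v=DMARC1 record, found $($Dmarc.Count)"
    } elseif ($Dmarc[0] -match '(?:^|;)\s*p\s*=\s*(\w+)') {
        $Policy = $Matches[1].ToLower()
        $Status = if ($Policy -eq 'none') { 'Warn' } else { 'Pass' }
        New-Row 'DMARC' $Status "p=$Policy; full record: $($Dmarc[0])"
    } else {
        New-Row 'DMARC' 'Fail' "No p= tag in: $($Dmarc[0])"
    }

    # DKIM: both Exchange Online selectors should be published as CNAME records
    foreach ($Selector in 'selector1', 'selector2') {
        $Target = $DkimCname[$Selector]
        if ($Target) { New-Row "DKIM $Selector" 'Pass' "CNAME -> $Target" }
        else { New-Row "DKIM $Selector" 'Fail' "No CNAME at $Selector._domainkey.$Domain" }
    }
}

function Test-ServiceMessageDomainDns {
    # Live lookup wrapper: fetches the records and hands them to Get-MailAuthFinding.
    param([Parameter(Mandatory)][string]$Domain)

    function Get-Txt($Name) {
        try {
            Resolve-DnsName -Name $Name -Type TXT -ErrorAction Stop |
                Where-Object { $_.Type -eq 'TXT' } |
                ForEach-Object { $_.Strings -join '' }   # long records arrive as several strings
        } catch { }                                       # a failed lookup yields no records
    }
    $Dkim = @{}
    foreach ($Selector in 'selector1', 'selector2') {
        try {
            $Record = Resolve-DnsName -Name "$Selector._domainkey.$Domain" -Type CNAME -ErrorAction Stop |
                Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
            $Dkim[$Selector] = $Record.NameHost
        } catch { $Dkim[$Selector] = $null }
    }
    Get-MailAuthFinding -Domain $Domain -RootTxt @(Get-Txt $Domain) `
        -DmarcTxt @(Get-Txt "_dmarc.$Domain") -DkimCname $Dkim
}

# Offline run on constructed records: SPF omits Exchange Online, DMARC is monitor-only,
# and only one DKIM selector is published.
Get-MailAuthFinding -Domain 'contoso.example' `
    -RootTxt 'MS=ms00000000', 'v=spf1 ip4:192.0.2.10 -all' `
    -DmarcTxt 'v=DMARC1; p=none; rua=mailto:dmarc@contoso.example' `
    -DkimCname @{ selector1 = 'selector1-contoso-example._domainkey.contoso.onmicrosoft.com' } |
    Format-Table -AutoSize -Wrap

# Live run against a real verified domain:
# Test-ServiceMessageDomainDns -Domain 'contoso.example' | Format-Table -AutoSize -Wrap
```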

The Username for Service Messages

By default, the username is set to no-reply. The intention of a no-reply address is that users know that replying to the address will result in an undeliverable message. However, it’s possible to change the username to one for a routable address such as a shared mailbox so that users can get a response to questions about why they received a service message. Be careful if you do this because service emails then appear to be like any other email sent by the chosen address. Figure 3 shows an example of a message sent by SharePoint Online to report updates to documents in a site. The message appears to come from a shared mailbox because that’s what matches the configured address for service messages.

Figure 3: A service message from a shared mailbox

Not External Messages

Because the tenant’s instance of Exchange Online routes the service messages, they are now internal rather than external and therefore will not be tagged with the external indicator. In some respects, this is a major advantage of choosing to use a verified domain as users might better accept the content of the messages if they don’t come from an external source. The downside is that users might need to adjust inbox rules to process service messages correctly.

If you use a mail flow rule to protect administrator accounts from external email, remember to update the rule to deal with messages from your chosen domain.

Not a Change to Worry Too Much About

After using this option for a couple of weeks, I don’t see any great downside to using a verified domain to send Microsoft 365 service messages. Something might have slipped my attention (and if so, I’d like to know), but overall I think this is a good change that all tenants should consider.


Microsoft Enforces New License Rules for Teams Room Devices https://office365itpros.com/2023/03/29/teams-rooms-devices-licenses/ Wed, 29 Mar 2023 01:00:00 +0000

Teams Room Devices Need Proper Licenses by July 1, 2023

Teams Rooms Devices for All (source: Microsoft)

On March 24, Microsoft announced a major change in the licensing regime for Teams Rooms devices. In a nutshell, Microsoft wants to stop tenants assigning user subscription licenses (like Office 365 E3 or Microsoft 365 E5) to certified Teams Rooms systems like a Surface Hub. Instead, they will require tenants to assign a Teams Rooms Basic or Teams Rooms Pro license to each device (details of the licenses are available here).

In fact, you don’t assign licenses to a Teams Rooms device. Instead, you assign the license to the Exchange Online room mailbox that manages the calendar for the device. An Exchange Online room mailbox comes with an Azure AD account that holds the license.

Microsoft says that after July 1, 2023, tenants cannot assign user subscription licenses to Teams Rooms devices. More importantly, Microsoft will block sign-ins from devices with user subscription licenses until the devices receive a Teams Rooms license.

License Types

Small organizations can rely on the Basic (no cost) license. The basic license covers “core meeting experiences” meaning that the device can schedule and join meetings and share content and whiteboarding during meetings. However, Microsoft limits these licenses to 25 Teams Rooms devices per tenant and doesn’t allow tenants to assign basic licenses to Teams panels, which require Teams Rooms Pro or Teams Shared Device licenses.

After a tenant operates more than 25 Teams Rooms devices, they must buy Pro licenses (each costing $480 for the annual subscription). If you’ve assigned user subscription licenses to Teams Rooms devices in the past, this is roughly equivalent to the annual cost of an Office 365 E5 license. The extra cost pays for “enhanced in-room meeting experiences” like better audio and video and “advanced management” like remote device management. For more details about the functionality enabled by Teams Pro licenses, see Microsoft’s comparison.

Using PowerShell to Find Licensed Room Mailboxes

The process of switching from user subscription licenses involves finding devices with those licenses, removing the licenses, and assigning a new license. To help, Microsoft created a script using Microsoft Graph PowerShell SDK cmdlets to examine and report the licenses assigned to the accounts used by room mailboxes.

Microsoft’s script uses this code to find the room mailboxes.

$Room_UPNs = get-mailbox | Where-Object { $_.recipientTypeDetails -eq "roomMailbox" } | Select-Object DisplayName, PrimarySmtpAddress, ExternalDirectoryObjectId

It’s a good example of code that works perfectly in a test environment that will be horribly slow in production. First, the code uses the old Get-Mailbox cmdlet to find mailboxes. Second, it uses a client-side filter to extract room mailboxes from the set of mailboxes. That set could be tens of thousands, so deriving the set of room mailboxes will be very slow. This version is better:

# -ResultSize Unlimited lifts the default limit of 1,000 returned objects
[array]$Room_UPNs = Get-ExoMailbox -Filter {recipientTypeDetails -eq "RoomMailbox" } -ResultSize Unlimited | Select-Object DisplayName, PrimarySmtpAddress, ExternalDirectoryObjectId

Apart from using Get-ExoMailbox to fetch mailboxes and taking advantage of the much better performance of the new REST-based cmdlets together with their ability to survive transient network failures, the code uses a server-side filter to force Exchange Online to do the heavy lifting of finding room mailboxes and only transmitting their details to the client. The golden rule is that any time the Get-ExoMailbox cmdlet needs to filter objects, use a server-side filter.

Oddly, the original code doesn’t declare the variable to receive the result of Get-Mailbox to be an array and ends up reporting the count of room mailboxes using the Length rather than the Count property. Another golden rule is to always declare an array to receive results from cmdlets that return PowerShell objects as it makes it much easier to check the returned values.
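An added example (not Microsoft's script and not code from the original article) that combines the server-side filter above with Microsoft Graph PowerShell SDK cmdlets to report which room mailbox accounts hold user subscription licenses. The function names, the status labels and the SKU part-number pattern are assumptions; confirm the pattern against Get-MgSubscribedSku output for your tenant.

```powershell
# Added example. Assumes the ExchangeOnlineManagement and Microsoft.Graph modules
# are installed; function names and status labels are hypothetical.

# Assumption: Teams Rooms Basic and Pro SKUs have part numbers matching this pattern.
# Confirm against your tenant with: Get-MgSubscribedSku | Select-Object SkuPartNumber
$TeamsRoomsSkuPattern = 'Microsoft_Teams_Rooms_*'

function Get-RoomLicenseStatus {
    # Classifies the SKU part numbers held by the account behind one room mailbox.
    param(
        [string[]]$SkuPartNumber = @(),
        [string]$Pattern = $TeamsRoomsSkuPattern
    )
    $RoomSkus  = @($SkuPartNumber | Where-Object { $_ -like $Pattern })
    $OtherSkus = @($SkuPartNumber | Where-Object { $_ -and $_ -notlike $Pattern })

    if ($RoomSkus.Count -gt 0)      { 'Teams Rooms license' }
    elseif ($OtherSkus.Count -gt 0) { 'User subscription license only' }
    else                            { 'No license' }   # e.g. a room mailbox with no device
}

function Get-RoomMailboxLicenseReport {
    # Server-side filter so that Exchange Online returns only room mailboxes;
    # -ResultSize Unlimited lifts the default limit of 1,000 returned objects.
    [array]$Rooms = Get-ExoMailbox -Filter "RecipientTypeDetails -eq 'RoomMailbox'" -ResultSize Unlimited

    foreach ($Room in $Rooms) {
        # The license is held by the Azure AD account linked to the room mailbox
        $Skus = @(Get-MgUserLicenseDetail -UserId $Room.ExternalDirectoryObjectId |
            ForEach-Object { $_.SkuPartNumber })

        [pscustomobject]@{
            Room     = $Room.DisplayName
            Address  = $Room.PrimarySmtpAddress
            Licenses = $Skus -join ', '
            Status   = Get-RoomLicenseStatus -SkuPartNumber $Skus
        }
    }
}

# Offline check of the classification on constructed SKU lists
Get-RoomLicenseStatus -SkuPartNumber 'ENTERPRISEPACK'              # Office 365 E3 on a room account
Get-RoomLicenseStatus -SkuPartNumber 'Microsoft_Teams_Rooms_Pro'
Get-RoomLicenseStatus -SkuPartNumber @()

# Live run (requires Exchange Online and Graph connections):
# Connect-ExchangeOnline
# Connect-MgGraph -Scopes 'User.Read.All'
# Get-RoomMailboxLicenseReport | Where-Object Status -eq 'User subscription license only'
```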

Always Best to Be Efficient

A case exists that this script is a one-time operation that doesn’t need to be ultra-efficient. That might be so, but it’s nice when a few tweaks make the code run much faster, especially for large tenants that are likely to have many Teams Rooms devices that might need a license check.

Azure AD Admin Center Moves to Microsoft Entra Admin Center https://office365itpros.com/2023/03/27/changes-in-microsoft-365/ Mon, 27 Mar 2023 01:00:00 +0000

Example of Ongoing Changes in Microsoft 365

I guess we all knew it was coming (after all, Microsoft published message center notification MC477013 in December 2022), but the news that the Microsoft Entra admin center (Figure 1) will replace the Azure AD admin center from April 1, 2023 is yet another example of the ongoing and constant changes in Microsoft 365. Those changes range from a massive introduction of fundamental new functionality, like Microsoft 365 Copilot, to a small update to how something appears.

Figure 1: The Microsoft Entra admin center – one of the many changes in Microsoft 365

In this instance, Microsoft portrays the replacement of the Azure AD admin center as a unification of its identity management platform (Azure AD) with its identity and access solutions. Another way of looking at the move is that it allows Microsoft to bring those identity and access solutions to the attention of some organizations who wouldn’t otherwise consider them. Every time you open the Entra admin center, identity governance and other solutions will be there to discover. To be fair to Microsoft, if you access Azure AD from the Microsoft 365 admin center, the link goes direct to the Azure AD section of the Entra admin center.

Microsoft says that the old Azure AD admin center will continue to function until May 2023. Azure customers who don’t use Microsoft 365 can manage Azure AD through the Azure portal.

Many Rebranding Campaigns

Microsoft is well known for its love of rebranding campaigns. Microsoft 365 has steadily embraced a huge ecosystem, including the subscription version of the Office apps, and we’ll probably have to rename the next version of the Office 365 for IT Pros eBook to use Microsoft 365 instead. Microsoft Purview is another example, albeit one that at least collected together a bunch of different compliance solutions under a common banner. Defender did the same for security solutions, and so on.

Sometimes, Microsoft makes changes for what appears to be no good reason. Take the announcement in MC532194 (March 23) that Teams now uses an “EA” indicator instead of “P” when users run the preview version of the software. I’m still wondering why “Early Access” is any better than “Preview.” The change appears to deliver zero added value except that it aligns with the nomenclature Microsoft uses in places like the Office Insider program. From my perspective, the change meant that we needed to update Chapter 15 in the Office 365 for IT Pros eBook and our article about Teams preview.

Naming Changes Affect the Wider Technical Community

Microsoft makes naming changes for its own reasons. I doubt that they take the wider community into consideration when they decide on these updates, but the effect of a naming change or rebrand ripples through documentation and training. For instance, video training companies that have a program telling people how to use the Azure AD admin center must now update their collateral and perhaps even reshoot some or all of their video. That’s a big cost for the production company.

The same is true for books that cover Azure AD or any of the other topics affected by naming or branding changes. Switching references from the Azure AD admin center to the Entra admin center isn’t quite as simple as doing a search and replace. Microsoft often takes the opportunity to rename options in administrative consoles when they change things. Data lifecycle management is now the place in the Purview compliance portal that was once known as the location for the management of retention labels and policies. The justification is that the section of the portal now spans additional options such as adaptive scopes, policy lookup, and legacy Exchange mailbox retention policies and tags (both of which are still very useful).

Changes in Microsoft 365 Will Keep on Happening

I don’t expect Microsoft to poll the technical community before they change the name of anything inside Microsoft 365. It won’t happen and would be unreasonable. Microsoft will continue to make changes how and when they like, even if the outcome displeases some. Their decision to stop accepting inbound email from old and vulnerable on-premises Exchange servers to protect Exchange Online is a good example of a change that inflamed many opinions. However, we don’t get to vote.

Content producers like Office 365 for IT Pros simply need to be proactive and respond to Microsoft changes the best way we can. In that respect, being able to publish a complete new book every month is a major advantage, even if it takes a lot of hard work. Now back to the task of looking for all those references to the Azure AD admin center – a change that we’ll probably make in the May 2023 update.

SharePoint Online Gets Closer to Azure AD https://office365itpros.com/2023/03/20/azure-ad-b2b-collaboration-spo/ Mon, 20 Mar 2023 01:00:00 +0000

Azure AD B2B Collaboration and Guest Accounts for SharePoint Sharing

Two recent message center notifications highlight closer integration between SharePoint Online and Azure AD. MC526130 (11 March) says that new tenants created after March 31, 2023 will automatically enable SharePoint Online integration with Azure B2B. Existing tenants aren’t impacted by this change. The associated update, also scheduled for roll-out in late March, is MC525663 (10 March). The news here is that SharePoint Online site sharing will use the Azure B2B Invitation manager instead of the legacy SharePoint Invitation Manager (Microsoft 365 roadmap item 117557).

Rationalization Around Azure AD

The two updates rationalize existing sharing methods with external users and focus on Azure AD as the driving force for managing invitations. The journey toward Azure AD B2B Collaboration started in 2021, so it’s been a while coming. The project makes a lot of sense for both customers and Microsoft (their gain is through reduced engineering expenses).

Ten years ago, it was reasonable for SharePoint to manage site sharing invitations. Today, when the site collection-based architecture is replaced by single-sites and most sharing occurs through Microsoft 365 groups and Teams, it’s illogical for SharePoint Online to have its own mechanism. 280 million monthly active Teams users create a lot of work for SharePoint.

Another factor is that site sharing with external users is a relatively uncommon action today. Most external users join groups or teams and gain access to the group-connected site. Although non-group connected sites do exist, they’re in the minority and some of those sites (like hub and communication sites) aren’t candidates for sharing with external people. And of course, even site owners might be blocked from sharing sites by a sensitivity label.

Time to Review Applicable Policies

Overall, I don’t think the change will disrupt many organizations. As Microsoft notes “You may want to review your Azure B2B Invitation Manager policies.” Two policies are worthy of note. The first is the Azure B2B Collaboration policy, which includes an allow or deny list (but not both) of domains.

The policy is now found under Collaboration restrictions in the External Identities section of the Azure AD admin center (Figure 1). It is commonly used to block sharing with consumer domains (deny list) or to restrict collaboration to a set of known domains belonging to partner organizations (allow list). If the organization already supports guest accounts, it’s likely that the collaboration policy already exists. Even so, changes like this are useful reminders of the need for regular review of any policy that affects how external people access tenant resources.

Figure 1: Azure AD B2B Collaboration policy settings

Azure AD cross-tenant access policies are a more powerful and flexible mechanism to control external access through both Azure B2B collaboration and Azure AD direct connect (used for Teams shared channels). Cross-tenant access policies are still relatively new and don’t need to be implemented unless required for a specific reason, so your tenant might not use them yet.

Although the Azure AD B2B Collaboration policy is likely to dominate for the immediate future, over time, I expect a slow transition to take advantage of the granular control available in cross-tenant access policies. When an organization changes over, SharePoint Online will take advantage. Leveraging advances made in Azure AD is an excellent reason for SharePoint Online to embrace Azure AD more fully.

Review Guest Accounts Too

Azure AD B2B collaboration works but that doesn’t mean that you don’t need to manage guest accounts. As more sharing happens, more guest accounts end up in your Azure AD. Some guest accounts are used once to share a document. Others are in ongoing use as guest members of groups and teams access shared documents. It’s a good idea to keep an eye on guest accounts and remove them as they become obsolete.


Teams Enhances Audio For Meetings https://office365itpros.com/2023/03/17/teams-spatial-audio/ Fri, 17 Mar 2023 01:00:00 +0000

Spatial Audio and Howling Detection Sound Interesting

Updated 13 April 2023

I’m no audiophile but I am interested in the changes in Microsoft Teams meetings to make the sound better for participants. Take the splendidly-named “ultrasound howling detection” feature (MC514081, February 10, Microsoft 365 roadmap item 92391) available for Windows and Mac desktop clients. In a nutshell, if multiple people (each with their own workstation) who are in the same physical room join a meeting, Teams allows the first person to join as normal and then advises the others that someone using a Teams device is nearby and is already in the meeting with an audio feed. To avoid a feedback loop (echo), Teams mutes the microphones and speakers of those users. If the muted participants want to, they can unmute their microphones and speakers (maybe after connecting headsets) or listen to the existing audio.

It’s a neat feature that is rolling out to commercial and GCC tenants. GCC-High and DoD tenants will see it in May.

Spatial Audio

Another interesting idea is spatial audio in Teams meetings (Microsoft 365 roadmap item 107783). According to Sonos, spatial audio “is an immersive, three-dimensional listening experience. Using multiple channels projecting outwards from each speaker, it can place individual sounds (or “objects”) with greater precision and variety than traditional stereo sound.” Sounds good.

Although the feature is still a while away (according to MC540153, targeted release clients should see it at the end of April 2023 with roll-out to standard release tenants due to finish by mid-June), Microsoft has published some documentation to put the feature into context. When users enable spatial audio for a Teams meeting, users will “hear their [other meeting participants] voices coming from their relative positions on the meeting screen.”

Conferencing provider Bluejeans figure that spatial audio helps participants minimize meeting fatigue, an assertion backed up by Forbes. The problem with claims like this is that they are highly subjective. I suspect that individuals will find different levels of benefit depending on the type, length, and content of the meetings they attend, plus the ability of people in the meeting to keep it interesting and worthwhile. If things get too boring, it might be possible to turn on an avatar (due to be available in May 2023) and tune out for a while.

To make the magic happen, you enable spatial audio before a meeting through the Devices section of Teams settings (Figure 1). Alternatively, you can enable it for a suitable device during a meeting.

Figure 1: The setting to enable Teams spatial audio

You can opt for spatial audio only if the selected device meets the requirements of being USB-wired stereo headphones or speakers or the workstation’s built-in stereo speakers. Stereo (to highlight audio from individual speakers) and not Bluetooth are the key words here. It’s kind of disappointing that I can’t use my Microsoft Surface 2 headphones.

Meetings must run in gallery view rather than together mode. The reason here is that the feature attempts to figure out the relative position of the speaker from you and that isn’t possible when participants are framed in a special view. Another thing to pay attention to is that spatial audio consumes system resources. Teams will throttle back on spatial audio if it detects that the system comes under strain. Throttling is automatic and you can’t control it. The same is true for other features (like noise suppression) that process video or audio feeds for Teams meetings.

Making Better Meetings

There’s no guarantee that either feature will create better Teams meetings. Even spatial audio won’t improve what people say, but they will sound clearer and more distinct, which can’t be a bad thing. That is, unless you do want to drift off to sleep.


Keep up to date with developments like Teams meeting enhancements by subscribing to the Office 365 for IT Pros eBook. Our monthly updates make sure that our subscribers understand the most important changes happening across Office 365.

Pragmatic and Practical Security is Better than Hard-line Security https://office365itpros.com/2023/03/14/azure-ad-sign-in-frequency-guests/?utm_source=rss&utm_medium=rss&utm_campaign=azure-ad-sign-in-frequency-guests https://office365itpros.com/2023/03/14/azure-ad-sign-in-frequency-guests/#comments Tue, 14 Mar 2023 01:00:00 +0000 https://office365itpros.com/?p=59388

An Unreasonable Azure AD Sign-in Frequency Creates a Barrier to Productivity

I had an unpleasant surprise this week when the security team for one of the companies where I have a guest account decided to improve tenant security. I strongly support any effort to improve tenant security, especially when the effort means better use of multi-factor authentication. It’s a topic I’ll cover during the TEC Europe 2023 tour in London, Paris, and Frankfurt in April. Registration for those events is now open.

It’s always important to take a pragmatic and practical view of security and not to implement anything that has a significant impact on user productivity. All change can impact users, but most of the time people learn to live with change and it’s not disruptive. Unfortunately, deciding to increase the user sign-in frequency for Azure AD accounts can be extraordinarily disruptive if you go too far.

Azure AD sign-in frequency is the period before a user must sign in again when attempting to access a resource, like opening a SharePoint Online document, creating a message with OWA, or accessing a Teams channel. By default, Azure AD uses a rolling 90-day window for its sign-in frequency. In other words, once you successfully sign into a tenant, Azure AD won’t ask you to sign in again for another 90 days.

Revoking User Account Access

Ninety days sounds like a long time, and it is. But this period needs to be viewed through the prism of how Azure AD and Microsoft 365 applications work. For example, in early 2022, Microsoft enabled Continuous Access Evaluation (CAE) for all tenants. CAE is a mechanism that allows Azure AD to notify applications of a critical change in the directory, such as an updated password. Applications that understand CAE, like SharePoint Online, revoke existing access for the account to require the user to reauthenticate.

The Microsoft 365 admin center also includes an option to sign users out of all current sessions (Figure 1) to force them to reauthenticate.

Figure 1: Forcing a user to sign out and reauthenticate

Of course, you might want to do more than sign a user out. In some cases, like employee departures, you might want to block future sign-ins. This is an operation that’s easily scripted with PowerShell. For example, this code:

  • Retrieves the identifier for an Azure AD user account.
  • Disables the account.
  • Sets a new password.
  • Revokes all refresh tokens.

# Assumes an existing Connect-MgGraph session with permission to update user accounts
$UserId = (Get-MgUser -UserId Lotte.Vettler@Office365itpros.com).Id
# Disable the account
Update-MgUser -UserId $UserId -AccountEnabled:$False
# Set a new password (the account stays disabled)
$NewPassword = @{}
$NewPassword["Password"]= "!DoneAndDusted?"
$NewPassword["ForceChangePasswordNextSignIn"] = $True
Update-MgUser -UserId $UserId -PasswordProfile $NewPassword
# Revoke refresh tokens
$Status = Invoke-MgInvalidateUserRefreshToken -UserId $UserId

It might take a little time for the full block to be effective because tokens must expire and clients must recognize the need for reauthentication, but it will happen.

How Conditional Access Can Make Guest Accounts Miserable

The reason I had a problem was that the security team updated the conditional access policies for guest users to enforce a 60-minute sign-in frequency (Figure 2). This change had a horrible effect. Guests switching to the tenant with Teams inevitably resulted in an MFA challenge. Opening a document stored in SharePoint Online or OneDrive for Business in that tenant brought an MFA challenge. My day was filled with MFA challenges, except when sending email to people in the tenant to complain about the new policy. Email isn’t affected by conditional access policies.

Figure 2: Setting the sign-in frequency in an Azure AD conditional access policy

As Microsoft notes in their documentation, “Based on customer feedback, sign-in frequency will apply for MFA as well.” They understate the matter. Sign-in frequency does apply for MFA too.

I understand the motivation on the part of the security team. Forcing people to reauthenticate before they can access resources is a good thing. Using MFA is a good thing. Forcing MFA challenges every hour must be a brilliant change to make.

Only it isn’t. As an external person working with another company, the change made my productivity much worse, and I doubt that it added one iota to the overall security effectiveness of the tenant. The tenant did not use number matching and additional context for MFA challenges, so the constant MFA challenges were a great example of how user fatigue creeps in as I clicked and clicked again to say “yes, it’s me.” System-preferred authentication wasn’t used either, so while I used the Authenticator app, other guests might use relatively insecure SMS challenge/response.

Overall, the change made it unpleasant to work with the tenant and that’s bad. A one-hour sign-in frequency is just too rigid and strict. I don’t know of any other tenant (where I am a guest) that uses such a short frequency. Most tenants I know of use the 90-day default. Some use 7 days. The most security-conscious (before now) uses a 1-day frequency.
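
A tenant administrator can check which conditional access policies impose a short sign-in frequency, and on whom, before guests start to complain. The following is an added example, not code from the original article: the function names, the 24-hour threshold, and the sample policies are assumptions, and the property names are assumed to match the policy objects returned by Get-MgIdentityConditionalAccessPolicy.

```powershell
function Get-ShortSignInFrequencyPolicy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]]$Policy,
        # Hypothetical threshold: report anything more frequent than once a day
        [int]$MinimumHours = 24
    )
    foreach ($P in $Policy) {
        $Sif = $P.SessionControls.SignInFrequency
        if (-not $Sif -or -not $Sif.IsEnabled) { continue }   # no sign-in frequency control

        # Normalize the setting to hours; "everyTime" forces reauthentication on every access
        $Hours = if ($Sif.FrequencyInterval -eq 'everyTime') {
            0
        } elseif ($Sif.Type -eq 'days') {
            [int]$Sif.Value * 24
        } else {
            [int]$Sif.Value
        }
        if ($Hours -ge $MinimumHours) { continue }

        # Work out who the policy targets
        $Users = $P.Conditions.Users
        $Audience = if ($Users.IncludeUsers -contains 'GuestsOrExternalUsers' -or
                        $Users.IncludeGuestsOrExternalUsers.GuestOrExternalUserTypes) {
            'Guests'
        } elseif ($Users.IncludeUsers -contains 'All') {
            if ($Users.ExcludeUsers -contains 'GuestsOrExternalUsers') { 'All users except guests' }
            else { 'All users (guests included)' }
        } else {
            'Specific users, groups, or roles'
        }

        [pscustomobject]@{
            Policy         = $P.DisplayName
            State          = $P.State
            Audience       = $Audience
            FrequencyHours = $Hours
        }
    }
}

# Constructed sample policies so that the example runs without a tenant connection
function New-SamplePolicy {
    param($Name, [string[]]$IncludeUsers, $Type, $Value, $Interval = 'timeBased')
    [pscustomobject]@{
        DisplayName     = $Name
        State           = 'enabled'
        Conditions      = [pscustomobject]@{ Users = [pscustomobject]@{
            IncludeUsers = $IncludeUsers; ExcludeUsers = @(); IncludeGuestsOrExternalUsers = $null } }
        SessionControls = [pscustomobject]@{ SignInFrequency = [pscustomobject]@{
            IsEnabled = $true; Type = $Type; Value = $Value; FrequencyInterval = $Interval } }
    }
}

$SamplePolicies = @(
    New-SamplePolicy 'Guests: reauthenticate hourly (constructed)' @('GuestsOrExternalUsers') 'hours' 1
    New-SamplePolicy 'All users: 7-day sign-in (constructed)' @('All') 'days' 7
    New-SamplePolicy 'Finance app: every time (constructed)' @() $null $null 'everyTime'
)

Get-ShortSignInFrequencyPolicy -Policy $SamplePolicies | Format-Table -AutoSize

# Against a tenant:
#   Connect-MgGraph -Scopes Policy.Read.All
#   Get-ShortSignInFrequencyPolicy -Policy (Get-MgIdentityConditionalAccessPolicy -All)
```

The 7-day policy is not reported because it is above the threshold; the hourly guest policy and the every-time policy are.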

No Best Answer for All Tenants

In truth, I don’t know the best user sign-in frequency to use for either tenant or guest accounts. It all depends on the security posture that an organization wants to assume. But I can say that most tenants would be better off making sure that all accounts use MFA and eliminating the use of the less secure authentication methods before reducing the sign-in frequency. If you’re concerned about guest hygiene (in this case, how secure a guest account is), have a different and more restrictive conditional access policy for guest access while remembering the need to get work done through Azure B2B collaboration. And review guest accounts annually to remove unwanted and obsolete crud.

To me, bringing users along on the journey to better security is a better tactic than ramming heightened security down their throats. It’s always been that way.


So much change, all the time. It’s a challenge to stay abreast of all the updates Microsoft makes across Office 365. Subscribe to the Office 365 for IT Pros eBook to receive monthly insights into what happens, why it happens, and what new features and capabilities mean for your tenant.

Teams Admin Center Options for Bulk Policy Assignments https://office365itpros.com/2023/03/10/teams-bulk-policy-assignment-tac/?utm_source=rss&utm_medium=rss&utm_campaign=teams-bulk-policy-assignment-tac https://office365itpros.com/2023/03/10/teams-bulk-policy-assignment-tac/#comments Fri, 10 Mar 2023 01:00:00 +0000 https://office365itpros.com/?p=59297

Multiple Ways to Make Teams Bulk Policy Assignments

It’s amazing what slips by in the torrent of changes that occur within Microsoft 365. Message center notification MC397476 (last updated 27 July 2022, Microsoft 365 roadmap item 90705) is an example. This is the “unassign policies from users in bulk” feature that completed roll-out in August 2022.

Revert User Accounts to the Global Policy (Bulk Unassignment)

The idea is simple. Over time, it’s possible that the Teams policies assigned to users become less appropriate. It’s a pain to select user accounts individually to update policy assignments, so this is a method to reset accounts back to the global tenant policy for the following policy types:

To use the bulk unassign policy feature, go to the Users section of the Teams admin center. The Unassign policies in bulk option is in the top right-hand corner in the Actions drop-down menu. Select the policy type to work with and the Teams admin center displays the set of policies of that type (Figure 1). The greyed-out policies are default policies that don’t currently have any assigned users.

Figure 1: Teams bulk policy unassignment option

When you select a policy, Teams loads information about the assigned accounts. Click the Unassign button and confirm the action. Teams doesn’t tell you which accounts it processes, just the number of accounts that it successfully reverts to the default (Global) policy for the policy type. Bulk policy unassignments are supported for up to 500 accounts at a time.

Using View Users to Perform Teams Bulk Policy Assignments

Nice as it is to be able to remove (unassign) a non-default policy from a bunch of accounts, the Teams admin center includes what might be a better way to reassign policies (including to revert to the Global policy). MC445744 (13 October 2022, Microsoft 365 roadmap item 97253) covers the change made to allow administrators to view the users and groups covered by a policy.

Many of the major policies managed through the Teams admin center include the Assigned to users and Assigned to groups columns when they list policies (Figure 2).

Figure 2: The Teams admin center option to view users and groups assigned policies

The links in the columns reveal the set of users assigned the selected policy (Figure 3).

Figure 3: Selecting users for a bulk policy edit

Select the Edit settings option and you can edit the policies assigned to the set of selected users, just like you’d update policies for an individual user or a set of selected users. Direct policy assignments to accounts like this take precedence over group policy assignments.

Other Ways to Process Teams Bulk Policy Assignments

Apart from the options available in the Teams admin center, the other ways to perform Teams bulk policy assignments include:

Of course, you can also use PowerShell to find a set of accounts based on some criteria and perform policy assignments on that basis. Here’s an example of assigning a Teams feedback policy (PowerShell is the only way to manage feedback policies) to a set of user accounts based on their department:

# Connect to the Graph to find accounts and to Teams to assign the policy
Connect-MgGraph -Scopes User.Read.All
Connect-MicrosoftTeams
[array]$Users = Get-MgUser -All -Filter "department eq 'IT' and UserType eq 'Member'" | Select-Object UserPrincipalName, DisplayName
ForEach ($User in $Users) {
  Write-Host ("Assigning the feedback policy to {0}" -f $User.DisplayName)
  Grant-CsTeamsFeedbackPolicy -Identity $User.UserPrincipalName -PolicyName "Tenant Bar Feedback Policy"
}

Keep Tracking Change

So much ongoing change happens within the Microsoft 365 ecosystem that it’s impossible to keep up to date with everything. Reviewing older message center notifications (we synchronize message center notifications to a Planner plan) is a good way to catch changes that you missed first time round. After all, no one is perfect.


Support the work of the Office 365 for IT Pros team by subscribing to the Office 365 for IT Pros eBook. Your support pays for the time we need to track, analyze, and document the changing world of Microsoft 365 and Office 365.

How Exchange Online and Outlook use Machine Learning https://office365itpros.com/2023/03/09/machine-learning-in-outlook/?utm_source=rss&utm_medium=rss&utm_campaign=machine-learning-in-outlook https://office365itpros.com/2023/03/09/machine-learning-in-outlook/#comments Thu, 09 Mar 2023 01:00:00 +0000 https://office365itpros.com/?p=59320

Intelligent Technology Depends on Machine Learning Access to User Data

Some years ago, I wrote about how Outlook uses machine learning to predict words to insert in messages. This was an early example of machine learning in Outlook. Text prediction is common practice today and we almost expect applications to include machine learning to help us compose notes, documents, and responses. Given the introduction of ChatGPT and Bing’s AI Bot, some worry about the prospect of increasing amounts of machine-generated text and its effect on human creativeness. It’s definitely a story to follow.

Over the last few years, Microsoft has steadily increased the use of “intelligent technology” in Outlook. Currently, the range covers features from birthday detection to text predictions to suggested replies, controlled through OWA settings (Figure 1). Regretfully, the Set-MailboxMessageConfiguration cmdlet doesn’t currently support updating these settings for a mailbox.

Figure 1: OWA options for intelligent features

The combination of Microsoft Research and product engineering groups has driven the introduction of intelligent technology in OWA. For example, Outlook’s suggested replies feature is underpinned by the Azure Machine Learning Service.

Outlook Desktop Lags in Intelligence

Outlook desktop clients receive the intelligent technology features after OWA. This lag has always existed, but at least we can respond to email with an emoji. Oddly, there have been a few recent reports of Outlook for Windows failing to display the “show text predictions while typing” setting in its options (here’s an example). I don’t see the setting on one PC and do on another, both of which run the same build of Outlook click to run. I even updated the system registry at HKCU\SOFTWARE\Microsoft\Office\16.0\Common\MailSettings to set the InlineTextPrediction DWORD value to 1 to enable text predictions, with no effect.

Microsoft Processing of User Data

One thing that people get worried about is the notion that Microsoft “reads” their email to create suggested replies and to build models for text predictions. It’s true that Microsoft processes email to create the suggestions and predictions used by Outlook, but the important thing is that the data used by the learning models constructed to help machine learning understand how individual users work with text remain in user mailboxes. Microsoft doesn’t gather information from the 380-odd million active Office 365 users to improve its detection algorithms. The general foundation for the models comes from public data (and I imagine, messages circulating within Microsoft), but the tweaks to make those models personal remain private to the user.

In its user documentation for suggested replies, Microsoft says that “Suggested replies are generated by a computer algorithm and use natural language processing and machine learning technologies to provide response options.” It also says that “Outlook uses a machine learning model to continually improve the accuracy of the suggestions. This model runs on the same servers as your mailbox within your organization. No message content is transmitted or stored outside of your organization.”

These statements don’t mean that the machine learning code runs on 300K Exchange Online mailbox servers. Instead, Microsoft uses a concept called Privacy Preserving Machine Learning (PPML) to transfer data to specialized AI computers in the Microsoft cloud. After processing, Microsoft erases the source information from the AI computers and background agents update mailboxes with user-specific results. It is this information that Outlook consumes locally when dealing with messages.

Email is worldwide, but the structures and syntax used by different languages mean that Microsoft’s machine learning processing is limited to certain languages. For instance, at the time of writing, suggested replies are available in only 22 languages.

I’ve heard (but can cite no public evidence) that AI processing occurs on a tenant basis to allow some consolidation of generic results at the tenant level. For instance, if many users in a tenant use “OK” as a standard response, it’s likely that machine learning will consider “OK” as a prime candidate to be a suggested response for everyone in that tenant. The consolidated generic data remains in the tenant.

Viva Insights Processes User Email Too

In addition to the way Microsoft processes user email to understand text patterns, Viva Insights looks through email to detect commitments made by users. Its MyAnalytics predecessor started to scan emails for commitments in 2018. When users open the Viva Insights add-in or use the Viva Insights app in Teams, they see recommendations and insights derived from the contents of the calendar and inbox folders from their mailbox.

Among the information Viva Insights highlights are messages that might contain commitments that the user needs to follow up. Viva Insights displays details of the messages it has found and prompts the users to either note the potential task as complete or add it as a personal To Do task (Figure 2).

Figure 2: Viva Insights that might become tasks

Viva Insights also finds messages where the user asks recipients to do something and prompts them to either follow up or mark the task as done.

There’s lots of deep research into finding commitments in email and highlighting those commitments to users. But again, the important thing is that the data used by Viva Insights remains in user mailboxes and is under the control of users.

Worrying About the Data Used by Machine Learning in Outlook

Those with responsibility for compliance and privacy in an organization are usually the people most worried about the processing of user data. With the growth of machine learning and AI-powered “experiences” and the resultant need for access to user data to learn from, this is a good concern to have. In the case of Microsoft 365, many “connected experiences” exist where people consume a cloud service without realizing where data comes from or is consumed.

Personally, I’m not concerned about how machine learning processes my email as the outcome is useful (when it works), but I realize that others have different feelings. It’s a topic for every organization to work through and figure out how happy they are to have Microsoft process their data to create new features.

To finish off, Figure 3 shows how Bing chat answered my question about how Outlook uses machine learning…

Figure 3: Bing AI answer for How does Outlook use machine learning

Learn how to exploit the data available to Microsoft 365 tenant administrators through the Office 365 for IT Pros eBook. We love figuring out how things work.

Microsoft 365 Profile Card Gains Support for Pronouns https://office365itpros.com/2023/03/08/microsoft-365-pronoun-profile-card/?utm_source=rss&utm_medium=rss&utm_campaign=microsoft-365-pronoun-profile-card https://office365itpros.com/2023/03/08/microsoft-365-pronoun-profile-card/#comments Wed, 08 Mar 2023 01:00:00 +0000 https://office365itpros.com/?p=59361

Users Can Decide What Pronoun to Display in Profile Card

Updated March 30, 2023

Announced in message center notification MC515531 (last updated 21 February 2023), the ability to enable pronouns in Microsoft 365 profile cards is available in the Microsoft 365 admin center. Once enabled, users can set their preferred Microsoft 365 pronouns using the preview version of Teams. The pronoun feature is covered by Microsoft 365 roadmap item 86352 (Teams) and 115511 (OWA).

I have been able to update pronouns in Teams, OWA, and the latest build of the Monarch (“One Outlook”) client.

Employee Engagement

Microsoft’s documentation for the pronoun feature says that “the simple act of using the right pronouns for one another can help build trust and improve communication among colleagues.” Microsoft goes on to highlight that “Whether or not to share or publicly display pronouns is always up to an individual. Pronouns should never be assigned to one person by another person. It should be up to the person using them to decide when, where, and which pronouns are used – including whether to use this feature.”

In other words, organizations should do some thinking and employee engagement before they implement pronouns for profile cards.

Implementing Pronouns on the Microsoft 365 Profile Card

The first step is to enable pronouns for the organization. Go to Org settings in the Microsoft 365 admin center and select the Security & privacy tab. Pronouns is one of the listed options (Figure 1).

Figure 1: Pronouns setting in the Microsoft 365 admin center

Microsoft says that it can take up to 7 hours before users can change their pronouns. In practice, expect the change to take a day before it is effective. If you disable pronouns, it will take the same length of time before pronouns disappear from view for all users. Microsoft 365 removes pronoun data if an organization disables the feature. Like most deletions in Microsoft 365, deletion is not immediate and if you reenable pronouns, previously set values will reappear.

After the software change is effective, users will see the option to update pronouns on their profile card. For instance, I clicked on my photo for a message posted to a Teams channel to reveal my profile card and see the option to add pronouns (Figure 2).

Figure 2: The option to update pronouns (in Teams)

Remember Microsoft’s point that pronouns are a personal decision for users? To enable freedom of choice, you can add whatever text you like for a pronoun. The profile card suggests the commonly-used values such as “She/Her,” but you can ignore these values and use whatever text you prefer (up to 30 characters).

Figure 3: Adding an individual version of a pronoun (in OWA)

The important thing to remember is that pronouns are visible to all members of the organization. There’s no way to restrict pronoun display to a certain segment, such as members of a group. Guest members and external members of shared channels can’t see pronoun information on profile cards.

Building the Profile Card

Microsoft 365 stores user pronouns in a hidden folder in user Exchange Online mailboxes. Apps that support the profile card retrieve the information from the mailbox along with other properties (including custom attributes) to display the profile card (Figure 4).

Figure 4: How pronouns appear on the Microsoft 365 profile card

A Change to Plan

Microsoft’s FAQ for pronouns contains some other useful information to consult before implementation. Displaying pronouns in the profile card is obviously something that an organization should think through before implementation. For example, some organizations also add pronouns to account display names, meaning that the information shows up in address books and other places where people see display names, like email headers, listings of documents in SharePoint Online and OneDrive for Business, and so on. Don’t rush to deploy just because someone (maybe a vocal proponent) thinks that pronouns are a good idea. Pause, consider, and then decide.


Support the work of the Office 365 for IT Pros team by subscribing to the Office 365 for IT Pros eBook. Your support pays for the time we need to track, analyze, and document the changing world of Microsoft 365 and Office 365. Even pronouns deserve analysis…

Preparing for the Teams 2.1 Client to Arrive https://office365itpros.com/2023/03/07/new-teams-client-preparation/?utm_source=rss&utm_medium=rss&utm_campaign=new-teams-client-preparation https://office365itpros.com/2023/03/07/new-teams-client-preparation/#comments Tue, 07 Mar 2023 01:00:00 +0000 https://office365itpros.com/?p=59277

Get Ready to Deploy the New Teams Client to End Users

Updated March 27, 2023: The preview of the new Teams client is available.

With all the speculation that Microsoft will release a public preview of the new Teams (V2.1) client in late March 2023, it’s time to review how users can access the preview code once Microsoft makes it available.

Teams uses update policies to dictate which users have access to preview features. Teams also allows tenants to align with Office preview channels if they wish. The first job is therefore to define the user group to test the new Teams client and make sure to assign a Teams update policy that allows them to access preview features to their accounts. Once the policy is effective, users can switch between preview and production versions as they like.

A New Option in the Teams Update Policy

A hint that Microsoft will provide controls to allow customers to roll out the new Teams client at their own rate is in the PowerShell Get-CsTeamsUpdateManagementPolicy cmdlet. This reveals a UseNewTeamsClient setting. Microsoft added the setting in version 4.9.1 of the MicrosoftTeams PowerShell module in November 2022. The values accepted by the Set-CsTeamsUpdateManagementPolicy cmdlet are:

  • MicrosoftChoice: Microsoft controls the use of the new client. This is likely how Microsoft will force customers to eventually move from the old to the new client.
  • UserChoice: Individual users can choose to use the new client.
  • AdminDisabled: The organization disables the new client for users assigned the policy.

The interpretations of the options are mine and are not formally confirmed by Microsoft. The point is that it will be possible for organizations to control when users get the new client and which users get the new client.

Building a New Teams Architecture

Microsoft has been working on the new Teams client architecture for a long time. Some hints came in my May 2021 discussion with Rish Tandon (the then VP for Teams Engineering). At the time, Rish acknowledged that client performance wasn’t where Microsoft wanted it to be. A further hint came when Microsoft revealed the Teams consumer client for Windows 11. The consumer client uses the new Teams client architecture based on ReactJS and the WebView2 Edge component.

Of course, the Teams consumer client is a pale shadow of its enterprise counterpart when it comes to features and functionality, as people will discover when they move from Teams Free (classic) to the new Teams (free) version. There are no channels to deal with (regular, private, or shared), the number of users is limited, there’s no Phone system or Teams room devices, and so on. Acknowledging these limitations, the Teams consumer client (2.0 in the architecture) was a useful step toward proving the concepts and components used in the next generation of the Teams enterprise client (2.1).

Microsoft’s recent press briefings have emphasized benchmarks like a 50% reduction in memory, less demand for CPU, and a consequent extended battery life for laptops. Cynics might say that all of this comes from removing the overhead imposed by Electron. Certainly there’s some truth in that assertion but the overall engineering effort required to move the Teams desktop and browser clients to the new architecture spans more than simply swapping code libraries.

When Production Software Arrives

After running the public preview for the new version of the Teams client for several months, Microsoft will make the client generally available (GA). At that point, a recent change will affect when organizations see the GA software.

Microsoft 365 message center notification MC510331 (February 2, Microsoft 365 roadmap item 117577) announced that Teams will support targeted release for commercial cloud customers. In other words, if your tenant opts in to use targeted release for some or all users, you’ll be amongst the first to get the new Teams client. Release preferences are in the Org settings section of the Microsoft 365 admin center (Figure 1).

Figure 1: Release options for a Microsoft 365 tenant

Those who choose to remain with the standard release will receive the software later. Given the size of the Microsoft 365 infrastructure, the difference between first and last tenants receiving the new client could be several months.

A Big Moment Approaches for Teams

People have complained about the performance and memory consumption of the Teams client for years. Despite much tweaking and filling in performance gaps since 2016, it’s obvious that the road has run out for the original Teams client. Launching a new Teams client is an important point for Microsoft. They only have 280 million monthly active users to please. No pressure then!


Support the work of the Office 365 for IT Pros team by subscribing to the Office 365 for IT Pros eBook. Your support pays for the time we need to track, analyze, and document the changing world of Microsoft 365 and Office 365.

Azure AD Moves to Block OAuth App Hijacking https://office365itpros.com/2023/03/03/azure-ad-app-property-lock/?utm_source=rss&utm_medium=rss&utm_campaign=azure-ad-app-property-lock https://office365itpros.com/2023/03/03/azure-ad-app-property-lock/#comments Fri, 03 Mar 2023 01:00:00 +0000 https://office365itpros.com/?p=59307

Azure AD App Property Lock Feature Blocks Updates to App Credentials

In a relatively unpublicized move, the Azure AD development group has closed a hole exploited by attackers who add their own credentials to registered apps. The new app instance property lock feature (preview) allows developers to lock sensitive properties of apps. It’s intended for use by enterprise apps, which are the way that developers like Microsoft and Adobe install apps in other Azure AD organizations. The enterprise app stores app properties while the service principal created by Azure AD in the host organization holds the permissions assigned to the app in that organization. After provisioning the app into a new tenant, the developer can lock the app against change.

Why Attackers Go After OAuth Apps

In the past, attackers have been able to hijack an enterprise app by adding a credential like an X.509 certificate to the app. Unless the organization monitors the audit events created for application updates, the new credential will exist undetected and the attacker can use it to request Azure AD to issue an access token containing the permissions assigned to the app. Apart from its permissions, attackers don’t need any further access to the app. Instead, the attackers use the access token to access whatever data the permissions allow. In some cases, the attackers might access items in mailboxes; in others they might go after sensitive documents stored in SharePoint Online sites. Once they’ve compromised the target repository, the attackers can exfiltrate or wipe the data (potentially a Microsoft 365 “wiperware” attack).

Hijacking OAuth permissions assigned to apps is not a theoretical attack vector. It’s what was used in the SolarWinds campaign in 2021. The attackers generated an X.509 certificate, added it to Azure AD apps, and used highly-permissioned apps to access data. Another example of OAuth app abuse is the September 2022 instance when attackers used an OAuth app to create an inbound connector to send spam.

Applying an Azure AD App Property Lock

The property lock feature allows developers to block any changes to some or all of the sensitive properties for an app (the properties used in authentication flows). It’s important to emphasize that the property lock is not mandatory. Developers must apply it to their apps before the apps are used in other tenants.

You can lock properties for a registered app but cannot update enterprise apps created in your tenant by another organization (because an external organization owns the app). For instance, you cannot change the iOS accounts enterprise app used by Apple for some iOS device management, like the change needed to force the iOS mail app to use modern authentication.

To start, go to app registrations, select the app to lock and then access the authentication tab. The App instance property lock option is toward the bottom of the screen (Figure 1).

Figure 1: Accessing the app instance property lock feature for an app

Click Configure and select the properties to lock (Figure 2).

Figure 2: Selecting the app properties to lock

Save the changes and the property lock is in force. Any subsequent attempt to update credentials will fail anywhere outside the home tenant.
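
Because the lock is optional, it helps to check which app registrations in your own tenant have it applied. The following is an added example, not code from the original article: it assumes the lock settings are returned in the servicePrincipalLockConfiguration property of the Graph application resource, that the live query runs in an existing Connect-MgGraph session with the Application.Read.All scope, and it uses constructed sample apps so that it runs offline. The function names are hypothetical.

```powershell
# Added example (not the article's code). Function names are hypothetical.
# Assumption: Graph returns each app's lock settings in servicePrincipalLockConfiguration
# (isEnabled, allProperties, credentialsWithUsageSign, credentialsWithUsageVerify,
# tokenEncryptionKeyId).

function Get-AppRegistrationLockData {
    # Live source: pages through the tenant's app registrations. Needs an existing
    # Connect-MgGraph session with the Application.Read.All scope.
    $Uri = 'https://graph.microsoft.com/v1.0/applications?$select=id,appId,displayName,signInAudience,servicePrincipalLockConfiguration'
    While ($Uri) {
        $Page = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $Page['value']                      # emit this page of apps
        $Uri = $Page['@odata.nextLink']     # $null on the last page ends the loop
    }
}

function Get-AppLockState {
    # Turns one application (a hashtable as returned by Graph) into a report line
    param([Parameter(Mandatory)] [System.Collections.IDictionary]$App)

    $Lock    = $App['servicePrincipalLockConfiguration']
    $Enabled = [bool]($Lock -and $Lock['isEnabled'])

    # A property is protected when the lock is enabled and either all properties
    # or that specific property is selected
    $Locked = [ordered]@{}
    ForEach ($Name in 'credentialsWithUsageSign', 'credentialsWithUsageVerify', 'tokenEncryptionKeyId') {
        $Locked[$Name] = [bool]($Enabled -and ($Lock['allProperties'] -or $Lock[$Name]))
    }

    # Later checks override earlier ones: single-tenant apps are reported separately
    # because the lock only matters for instances of the app in other tenants
    $Finding = 'Partially locked'
    If (@($Locked.Values) -notcontains $false)     { $Finding = 'Locked' }
    If (-not $Enabled)                             { $Finding = 'Not locked' }
    If ($App['signInAudience'] -eq 'AzureADMyOrg') { $Finding = 'Single tenant' }

    [PSCustomObject]@{
        AppName          = $App['displayName']
        AppId            = $App['appId']
        Audience         = $App['signInAudience']
        LockEnabled      = $Enabled
        SignCredLocked   = $Locked['credentialsWithUsageSign']
        VerifyCredLocked = $Locked['credentialsWithUsageVerify']
        TokenKeyLocked   = $Locked['tokenEncryptionKeyId']
        Finding          = $Finding
    }
}

# Constructed sample data (not real apps) in the shape Graph returns
$SampleApps = @(
    @{ displayName = 'Sample App A'; appId = '00000000-0000-0000-0000-00000000000a'
       signInAudience = 'AzureADMultipleOrgs'
       servicePrincipalLockConfiguration = @{ isEnabled = $true; allProperties = $true } },
    @{ displayName = 'Sample App B'; appId = '00000000-0000-0000-0000-00000000000b'
       signInAudience = 'AzureADMultipleOrgs'
       servicePrincipalLockConfiguration = @{ isEnabled = $true; allProperties = $false
                                              credentialsWithUsageVerify = $true } },
    @{ displayName = 'Sample App C'; appId = '00000000-0000-0000-0000-00000000000c'
       signInAudience = 'AzureADMultipleOrgs'
       servicePrincipalLockConfiguration = $null },
    @{ displayName = 'Sample App D'; appId = '00000000-0000-0000-0000-00000000000d'
       signInAudience = 'AzureADMyOrg'
       servicePrincipalLockConfiguration = $null }
)

# To report on a live tenant instead, use: [array]$Apps = Get-AppRegistrationLockData
[array]$Apps = $SampleApps
$Report = $Apps | ForEach-Object { Get-AppLockState -App $_ }
$Report | Sort-Object Finding, AppName |
    Format-Table AppName, Audience, LockEnabled, SignCredLocked, VerifyCredLocked, TokenKeyLocked, Finding
```

Multi-tenant apps reported as Not locked or Partially locked are the ones to review first, because some or all of their credential properties remain open to change.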

Checking for App Credential Updates

Azure AD feeds audit information to the unified audit log, including events logged for app credential updates. Unfortunately, the information in the audit records follows an esoteric format that makes the data harder to interpret than it needs to be. Here’s a code snippet showing how to run the PowerShell Search-UnifiedAuditLog cmdlet to retrieve and report audit records for app credential changes.

# Search the last 90 days of audit records
$StartDate = (Get-Date).AddDays(-90)
$EndDate = Get-Date

# Keep the operation name exactly as written (en dash and trailing space included)
[array]$Records = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -Formatted -ResultSize 5000 -Operations "Update application – Certificates and secrets management "
$Report = [System.Collections.Generic.List[Object]]::new()
ForEach ($Record in $Records) {
   # The detail of each event is a JSON payload in the AuditData property
   $AuditData = $Record.AuditData | ConvertFrom-Json
   # New values of the modified properties (the credential details)
   $Mods = $AuditData.modifiedproperties.NewValue
   $ReportLine = [PSCustomObject] @{
      Timestamp = $Record.CreationDate
      User      = $AuditData.UserId
      AppName   = $AuditData.Target[3].Id
      Modified  = $Mods }
   $Report.Add($ReportLine)
}

The same information is available in the Azure AD audit log (Figure 3).

Figure 3: App credential update details in the Azure AD audit log

Attacks Don’t Stop When a Hole Closes

Although it’s regrettable that the holes existed in the first place, it’s good that Microsoft is closing off one of the vulnerabilities exploited by attackers with the Azure AD App property lock. It’s an example of the chess game played out between the attackers and defenders around the protection of cloud services. Now that this hole is closing, attackers will consider their next move. Stay vigilant and keep checking the audit log to detect suspicious events!


Learn about protecting your Microsoft 365 tenant by subscribing to the Office 365 for IT Pros eBook. Use our experience to understand features like the Azure AD app property lock and the most efficient ways to protect your data.

Change to Microsoft Teams Free Version Means Downgraded Functionality https://office365itpros.com/2023/02/16/teams-free-retirement/?utm_source=rss&utm_medium=rss&utm_campaign=teams-free-retirement https://office365itpros.com/2023/02/16/teams-free-retirement/#comments Thu, 16 Feb 2023 01:00:00 +0000 https://office365itpros.com/?p=59102

Classic Version of Teams Free Retires in April

On April 12, 2023, Microsoft will retire the Teams Free (classic) version that they launched in 2018 (Figure 1). I still have the Azure AD tenant created to support Teams Free and the software continues to work quite happily. The question is what to do when Microsoft brings the curtain down.

Figure 1: Microsoft lets Teams Free (classic) users know about the impending retirement

There’s been some ill-informed commentary about the retirement and what it means for users. Let’s discuss what’s happening.

Migration Options

The options presented by Microsoft are:

  • Switch to the new free version of Teams, confusingly named Microsoft Teams (free). The big downside is that none of the information currently in Teams Free (classic) will transfer.
  • Upgrade to a paid version of Teams, such as Teams Essentials ($4/month) or the entry-level Microsoft 365 Business Basic subscription ($6/month). The big advantage of going for the Microsoft 365 subscription is access to the web and online versions of the Office apps.

When Microsoft retires Teams Free (classic), administrators will have until July 12, 2023, or 90 days after the tenant was last used (whichever is earlier) to recover data. After the drop-dead date, Microsoft will remove the tenant and permanently remove the data.

No Migration for Free Versions

Unless you choose to upgrade to a paid-for version of Teams, it’s up to you to recover data created in Teams Free (classic). Essentially, if you want to continue using a free version of Teams, you’ll have to manually download the files shared in chats and channel conversations to a workstation and upload them to the new version. Given that Teams stores its files in OneDrive for Business and SharePoint Online, you can use the OneDrive sync client to synchronize the files to a workstation and download them that way. The Teams Wiki still features in Teams Free (classic). You’ll need to cut and paste information from wikis to OneNote or another document because Microsoft’s wiki migration tool might not run for the free version.

There’s no way to save the messages in channel conversations unless you use a third-party ISV product designed for tenant-to-tenant migrations (or write your own code with the Teams export API). However, if you’re using a free version of Teams, you’re unlikely to want to cough up for a migration product or start to write code using an API that you’ve got to pay for. At the most basic level, you can rescue important conversations by copying them to a Word or OneNote document.

Why No Migration Tools are Available for Teams Free

You might wonder why Microsoft is not offering migration tools to move from Teams Free (classic) to Teams (Free). Both a financial imperative and a technical limitation exist:

  • There’s no revenue opportunity for Microsoft. The upside is to encourage people who’ve used Teams Free (classic) since 2018 to move to a paid-for version. Why encourage them to stay on a free platform? Making it easy for people to pay nothing does nothing to increase the average revenue per user from Microsoft 365.
  • The new Teams (free) is based on Teams for Home. Microsoft is closing the infrastructure that serviced Teams Free (classic). This isn’t surprising because Teams Free (classic) came along quite soon after the launch of Teams and shared the same platform accessed through the teams.microsoft.com endpoint. Teams for Home uses a different infrastructure, accessed through teams.live.com. Teams (free) doesn’t have teams. Instead, it uses group chats to host conversations for the up to 300 people that a Teams (free) organization can host. Teams (free) doesn’t use SharePoint Online either. There are no teams to organize discussions. Instead, Teams (free) offers communities, announced in January 2023 and currently available only for mobile clients. In a nutshell, the dramatic difference in the implementations of Teams Free (classic) and Teams (free) is the basic reason why Microsoft doesn’t support migration.

On the other hand, if you choose to upgrade to a paid-for version of Teams, your existing Azure AD tenant will remain in place and you’ll get licenses to allow you to continue to use Teams. No migration is necessary.

Less Functionality for Teams Free

It’s not surprising that Microsoft should want to move the free version of Teams off their production paid-for infrastructure to join their existing free Teams for Home offering. The change won’t affect those who simply want to use Teams for chat and calls. However, the new Teams Free represents a substantial downgrade in functionality that might affect how some organizations use Teams. If that’s your situation, maybe it’s time to think about using the paid-for version.


Learn about using Microsoft Teams (the paid-for version) and the rest of Office 365 by subscribing to the Office 365 for IT Pros eBook. Use our experience to understand what’s important and how best to protect your tenant.

Microsoft Dumps Yammer Brand https://office365itpros.com/2023/02/14/viva-engage-yammer/?utm_source=rss&utm_medium=rss&utm_campaign=viva-engage-yammer https://office365itpros.com/2023/02/14/viva-engage-yammer/#comments Tue, 14 Feb 2023 01:00:00 +0000 https://office365itpros.com/?p=59111

Collaboration Platform Looks for More Success as Viva Engage

In a predictable development, Microsoft decided to dump the Yammer name and rebrand the app as Viva Engage. The first hint of the change came in August 2022 when Microsoft renamed the Yammer Communities app for Teams as Viva Engage (Figure 1). The next came in November 2022 when Yammer introduced video and photo stories to its Storyline feature and revealed that the files used for stories ended up in the VivaEngage folder in user OneDrive for Business accounts. Not everyone is quite as nerdy as the Office 365 for IT Pros team is when it comes to tracking change, but there you have it.

Figure 1: The Viva Engage app in Teams

Microsoft’s PR announcement says that “For over 10 years, Yammer has been the social fabric for Microsoft’s productivity cloud, bringing community and conversations into the apps that people work in daily.” That’s wishful thinking of the kind often engaged in by Microsoft marketing people attempting to make more of Yammer than it ever achieved.

More correctly, since the acquisition of Yammer in June 2012, Microsoft has tried on many occasions to make Yammer more than an also-ran in the Microsoft 365 app stakes. After being told that Yammer would make email redundant, the Exchange community ignored the prediction. Exchange Online powers Microsoft 365 at an ever-increasing rate with usage that Yammer could only dream about. Teams came along in 2016 and ate the lunch Yammer wanted and is the social fabric for Microsoft’s productivity cloud. At least, 280 million Teams users can’t be wrong, can they?

Year of Yammer

Despite loudly proclaiming that (insert any year from 2012) would be the “Year of Yammer,” it’s only recently that Microsoft started to make some headway, helped in no small part by Microsoft’s determination to build Yammer into as many places in Teams as possible. Nice as it is to have Yammer power the Q&A app for Teams, true progress only really started when Microsoft decided to embrace Microsoft 365 groups and to bring Yammer networks into alignment with the rest of Microsoft 365 with networks configured in Microsoft 365 native mode.

Native mode networks date back to 2020, but it was only on September 1, 2022 that Microsoft bit the bullet to set a retirement date for older Yammer networks (MC424414). Upgrades are happening now and due to continue through October 2023. All the Yammer networks I access within Microsoft’s own infrastructure have still not transitioned, largely because they’re used by external people.

What Now for Yammer

Microsoft is now beginning a rebranding exercise to eliminate Yammer from the Microsoft 365 vernacular and replace it with Viva Engage. Yammer fans who engaged in “YamJams” and the like will have to find a new term to describe their meetups, but the basic technology will remain the same. Microsoft describes some new functionality in their blog, most of which is incremental and builds on existing capabilities (for example, Answers seems to be like the Teams Q&A app on steroids).

Customers won’t have to pay more to use the rebranded Viva Engage/Yammer.

Microsoft did make one odd reference when they talked about “the existing Communities app for Outlook.” I had no idea what this app was until MVP Kevin Crossman pointed out the Yammer logo in the OWA app rail. Basically it’s a way to have the Viva Engage app display in OWA. The app doesn’t feature in Outlook desktop and I have never used it in OWA. If your organization uses Yammer/Viva Engage, I can see how that capability would be both interesting and beneficial. For most Outlook users, discovering Viva Engage in their app rail will be a “meh” moment of the kind when Microsoft introduced the ability to respond to email with an emoji.

A New Chance to Make a Difference

I always thought that Yammer was a missed opportunity for Microsoft. Had they dumped the Yammer database soon after the acquisition and replaced it with the Exchange (ESE) or SQL databases, the task of aligning Yammer more closely with the rest of Microsoft 365 and picking up features like compliance, retention, data loss prevention, and so on would have been much easier.

Maybe Microsoft would never have developed Teams if Yammer had been a fully-functional part of Microsoft 365. But it never was and Yammer became a sideshow. It’s been an important app for some customers but you’d wonder about its long term future as a supplier of software components to Teams and Viva. The Yammer superpowers (note to self, no software has superpowers) proclaimed by Microsoft marketing have waned. Perhaps the change and refocus will make Yammer more valuable. We’ll know after another decade.


Make sure that you’re not surprised about changes that appear inside Office 365 applications by subscribing to the Office 365 for IT Pros eBook. Our monthly updates make sure that our subscribers stay informed.

Teams Reaches 280 Million Users as Microsoft Cloud Growth Slows https://office365itpros.com/2023/01/26/teams-user-numbers-280million/?utm_source=rss&utm_medium=rss&utm_campaign=teams-user-numbers-280million https://office365itpros.com/2023/01/26/teams-user-numbers-280million/#comments Thu, 26 Jan 2023 01:00:00 +0000 https://office365itpros.com/?p=58866

Teams User Numbers Slow as Office 365 Grows 12%

One thing that’s obvious from the Microsoft FY23 Q2 results released on January 24 is that the woes of the wider economy are affecting the growth of the Microsoft Cloud. This is despite headline growth to achieve $27.1 billion in quarterly revenue ($108.4 billion annualized run rate), up 22% year over year (or 29% in constant currency, reflecting the recent strength of the dollar). However, Microsoft had “slower than expected growth in new business” in Office 365 and EMS.

Revenue for Office 365 commercial increased 11% YoY (18% in constant currency). Microsoft said that this reflected “healthy renewal execution” and growth in annual revenue per user (ARPU) because “E5 momentum remains strong.” A cynic might say that Microsoft is now sweating its massive installed base. Customers have no real choice but to renew as the costs and technical difficulties involved in getting off Office 365 are massive. Microsoft drives ARPU by making sure that new features appear in the high-end SKUs. For example, if you want any automation for compliance or security functionality, you need an E5 SKU.

Driving users to buy E5 to get better security functionality is one reason why Microsoft was able to announce that its security business surpassed $20 billion (annually) in revenue. The security business includes products commonly used with Office 365 like Microsoft Purview, Microsoft Entra (think Azure AD), Microsoft Sentinel, Microsoft Intune, and Microsoft Defender. Some of these capabilities are bundled with Office 365 E3, but high-end Purview security and compliance functionality like adaptive scopes or automatic label policies or Defender Plan 2 require Office 365 E5. And Azure AD Premium P1 and P2 licenses are needed for features like conditional access policies and privileged identity management.

Office 365 User Base Approaches 400 Million

Probably deliberately to obfuscate comparisons, Microsoft hasn’t given a firm number for Office 365 active users since October 2019 when they reported 200 million monthly active users. Since then, they’ve focused on reporting growth percentages and paid seats, like the 345 million paid seats highlighted in April 2022. This time round, they said that Office 365 commercial seats grew 12% YoY and observed that small-to-medium business and frontline worker offerings drove the growth. Microsoft also said that they “saw some impact from the slowdown in growth of new business” and that they expect revenue growth to be lower in the coming quarter by about one percentage point.

During the analyst Q&A, Brad Reback from Stifel put forward a 400 million seat number for Office 365 and asked if Microsoft would concentrate on growth in seats or ARPU. In his response, CEO Satya Nadella acknowledged “moderating seat growth” balanced by increased ARPU due to more customers taking up E5 licenses. Nadella also pointed to Teams Premium (referred to as Team Pro in the transcript) as an opportunity for increased ARPU.

I think the number of paid Office 365 seats is a tad below 400 million (maybe around 385 million) but it’s hard to know. The number of actual real-live human beings who use Office 365 daily is lower at maybe 360 million. Either way, it’s a big number of users that is still growing albeit slower than before.

Teams User Number Reaches 280 Million

Speaking of Teams Premium, Microsoft gave an updated number for the user base that they can sell the new product to when Teams Premium becomes generally available in February 2023. A year ago, Microsoft said that Teams had 270 million monthly active users. Now the Teams user number is 280 million (Figure 1).

Figure 1: Teams user number growth since 2019

Microsoft claimed that the 3.57% growth in the Teams user number represented “durable momentum since the pandemic.” It’s curious that Teams grew at about a third of the rate of increase in Office 365 seats (12% YoY). Perhaps this is because those who want to use Teams are using it and relatively few in the small-to-medium and frontline segments where Microsoft says the Office 365 growth came from need Teams.

Microsoft usually throws out some gee-whiz statistics about Teams to help people in games of Office 365 trivial pursuit. This time round, we learned that there are more than 500,000 active Teams Rooms devices (up 70% YoY) and the number of customers with more than 1,000 Teams rooms doubled YoY. This might mean that two customers now have more than 1,000 Teams rooms instead of one last year. Microsoft didn’t clarify the point. However, they did assert that Teams Phone continues to grow its share and is now the market leader for cloud calling. Over 5 million Teams users with licenses for PSTN calling joined the Teams user mix over the last 12 months.

Balance Between New Seats and More Money Per Seat

It’s hard to grow big numbers. Microsoft continues to add seats to Office 365, but it seems like the new seats have low-end licenses, which is why they need to sell more high-end add-ons or more expensive licenses to the installed base to offset the relative lack of revenue from the new seats. Growth in Teams users is slowing, but the same aspects are visible in selling add-ons (like PSTN) and hoping that customers like what they see in Teams Premium enough to cough up the extra $10/user/month for licenses. You’ve got to keep that quarterly revenue number growing…


If you’re a tenant administrator who looks after some of the 400 million Office 365 users, make sure that you’re not surprised about changes that appear inside Office 365 by subscribing to the Office 365 for IT Pros eBook. Our monthly updates make sure that our subscribers stay informed.

Recovering Deleted Groups with the Graph PowerShell SDK https://office365itpros.com/2023/01/06/restore-deleted-entra-id-group/?utm_source=rss&utm_medium=rss&utm_campaign=restore-deleted-entra-id-group https://office365itpros.com/2023/01/06/restore-deleted-entra-id-group/#comments Fri, 06 Jan 2023 11:49:16 +0000 https://office365itpros.com/?p=58581

Restore Soft-Deleted Groups Back to Good Health

Updated 23 Feb 2024

In another article, I cover how to recover soft-deleted user accounts using the Microsoft Graph PowerShell SDK. The topic of how to restore deleted Entra ID groups (including Microsoft 365 groups) came up in discussion recently, and I realized that I don’t cover this point very well when discussing basic group management with the Microsoft Graph PowerShell SDK. This article addresses that deficiency and hopefully helps people update scripts before the deprecation of the Azure AD and Microsoft Online Services modules in March 2024.

Find Soft-Deleted Groups

The same approach used with soft-deleted user accounts applies when restoring soft-deleted groups:

  1. Find the set of soft-deleted Microsoft 365 groups. Soft-deleted groups remain in the Entra ID recycle bin for 30 days following their deletion. After this period lapses, Entra ID permanently removes the groups. Remember that even after Entra ID removes the group object, if the group comes within the scope of one or more Microsoft 365 retention policies, group resources (like the group mailbox and SharePoint site) remain available until the last retention period lapses.
  2. Select the group to restore. You need the group identifier (GUID) to restore a group.
  3. Restore the group. Groups that don’t have any connected resources should become available very quickly after restoration. Microsoft 365 groups with connected resources like a team, SharePoint Online site, and Planner plans need more time for individual workloads to reconnect everything back to the restored group.

Here’s some code to report the set of soft-deleted groups in the recycle bin. The Get-MgDirectoryDeletedItem cmdlet returns a set of soft-deleted directory objects matching the object type (microsoft.graph.group). The cmdlet output appears blank, but the set of objects is in an array called Value in the AdditionalProperties property.

Why the cmdlet works in this manner is beyond me. Some justify the output with the statement that “it’s how the Graph API to list deleted items works.” That assertion is true, but just because an underlying API works in an odd manner is no reason to perpetuate the behavior in a cmdlet.

Update: The script now uses the Get-MgDirectoryDeletedItemAsGroup cmdlet. The code has been tested against V2.15 of the Microsoft Graph PowerShell SDK.

After we find the set of soft-deleted groups, it’s easy to extract the information and calculate how long remains before Entra ID deletes the group permanently.

# Sign in with permission to read deleted directory objects and manage groups
Connect-MgGraph -Scopes Directory.Read.All, Group.ReadWrite.All
# Fetch the soft-deleted groups from the Entra ID recycle bin
[array]$DeletedGroups = Get-MgDirectoryDeletedItemAsGroup -All
If ($DeletedGroups.count -eq 0) { Write-Host "No recoverable groups can be found - exiting"; break }
$Report = [System.Collections.Generic.List[Object]]::new(); $Now = Get-Date
ForEach ($Group in $DeletedGroups) {
     # Entra ID removes a soft-deleted group permanently 30 days after its deletion
     [datetime]$DeletedDate = $Group.deletedDateTime
     $PermanentRemovalDue = Get-Date($DeletedDate).AddDays(30)
     $TimeUntilRemoval = $PermanentRemovalDue - $Now
     $ReportLine = [PSCustomObject]@{
          Group                = $Group.displayName
          Id                   = $Group.id
          Deleted              = $Group.deletedDateTime
          PermanentDeleteOn    = Get-Date($PermanentRemovalDue) -format g
          DaysRemaining        = $TimeUntilRemoval.Days }
     $Report.Add($ReportLine)
}
# Show the groups closest to permanent removal first
$Report | Sort-Object {$_.PermanentDeleteOn -as [datetime]} | Out-GridView

Figure 1 shows some typical output. The Id property is the group identifier.

Figure 1: Listing soft-deleted groups

Restore Deleted Entra ID Groups

After finding the identifier of the group to restore, use it with the Restore-MgDirectoryDeletedItem cmdlet to move the group object from the recycle bin and make it available to users:

Restore-MgDirectoryDeletedItem -DirectoryObjectId 4e9393c3-67e9-4f95-a0df-70103a667c0a

It can take a few minutes before the restored group shows up in Entra ID, Teams, and OWA and a little longer before SharePoint Online fully synchronizes the new state reported by Entra ID. Depending on service load, everything should be fully connected within an hour.

Admin Consoles and Group Restoration

Remember that you don’t need to use PowerShell to restore a deleted group. The Microsoft 365 admin center and Entra admin center (Figure 2) both include options to restore deleted groups, and the Manage groups section of OWA has the option for group owners to restore a deleted Microsoft 365 group that they own. These options use the same techniques to list soft-deleted groups and restore a selected group. OWA is slightly different because it applies a filter to find groups owned by the user.

Figure 2: Restore a deleted Entra ID group option

In general, I use an admin center whenever I need to restore deleted Entra ID groups and revert to PowerShell when I need to do something special, such as a mass restoration of groups or to create reports about groups due for permanent deletion in the next seven days. It’s good to understand the technology behind a GUI and always nice to have the option to perform an action with PowerShell when the need arises.


Learn how to exploit the full set of capabilities available to Microsoft 365 tenant administrators through the Office 365 for IT Pros eBook. We love figuring out how things work.

How the Teams Report a Concern Feature Works https://office365itpros.com/2023/01/05/report-a-concern-teams/?utm_source=rss&utm_medium=rss&utm_campaign=report-a-concern-teams https://office365itpros.com/2023/01/05/report-a-concern-teams/#comments Thu, 05 Jan 2023 01:00:00 +0000 https://office365itpros.com/?p=58541

Report a Concern about a Message in a Teams Personal or Group Chat

Communication Compliance policies are part of the Microsoft Purview suite designed to help organizations monitor the content of messages. Originally known as supervision policies (which gives an indication of their purpose), communication compliance policies could only process email until Microsoft introduced support for Teams in early 2020.

Communication Compliance Basics

The basics of communication compliance revolve around the analysis of messages captured in special supervision mailboxes against conditions defined in policies. Settings include:

  • The accounts that come within the scope of the policy (the monitored mailboxes).
  • Direction of message traffic (inbound, outbound, or both).
  • The percentage of traffic captured for analysis. Although it’s possible to examine every message sent and received by the accounts within a policy scope, it’s more usual to examine a percentage. Purview extracts messages at random to meet the selected percentage.
  • Whether to use Optical Character Recognition (OCR) to examine attachments and images sent in email and Teams.
  • The classifiers and conditions used to select messages for further review. Microsoft Purview includes a default set of trainable classifiers such as Profanity and Threat to detect these conditions in messages. Organizations can train their own classifiers as required. Conditions (like those used in DLP and mail flow rules) can focus the review to specific messages such as those coming from certain domains.
  • The supervisors responsible for reviewing messages detected by the policy.

Exchange Online redirects copies of messages needed for communication compliance as email passes through the transport service. Purview uses the compliance records created by the Microsoft 365 substrate to process Teams messages.

Teams Report a Concern

In mid-2022, Microsoft introduced the ability for Teams users to report a concern with messages sent in personal and group chats. By August 31, 2022, the feature reached all tenants with Office 365 E5 or Microsoft 365 E5 compliance licenses who had communication compliance policies. It can take up to 30 days before the feature appears in tenants after they start to use communication compliance policies.

Visibility of the Report a Concern option (Figure 1) is controlled by the AllowCommunicationComplianceEndUserReporting setting in the Teams messaging policy for an account. The setting is available in the Teams admin center or PowerShell. By default, the setting is enabled. To see the setting for all messaging policies, run:

Get-CsTeamsMessagingPolicy | Format-Table Identity, AllowCommunicationComplianceEndUserReporting

Figure 1: The Teams Report a Concern option in a Chat

When a user reports a concern (Figure 2), Teams tags the message and up to five messages preceding the reported message and five messages afterward (if available). Many messages sent in Teams chats are short and concise. The extra messages provide the context to allow a reviewer to decide if a problem really exists.

Figure 2: Reporting a Concern about a Teams chat message

Reviewing Reported Messages

Apart from exposing the Report a Concern option in Teams chat, the other major piece of functionality is the automatic creation of the User-reported messages policy. The only change an organization can make to the User-reported messages policy is to update the supervisors responsible for reviewing reported messages.

As with all communication compliance policies, to review reported messages, head to the communication compliance section of the Purview compliance portal (Figure 3) and select the policy to review. The policies available to a user depend on the communication compliance administrative role assigned to their account.

Figure 3: The Teams User-Reported messages policy in Communication Compliance

Select the policy and open the Pending tab to see the messages requiring investigation. The default view is to see the summary, meaning the message reported by the user. The conversation view exposes the messages before and after the reported message to give context to the reviewer (Figure 4).

Figure 4: Reviewing a message reported from a Teams chat

Like any other message detected by a communication compliance policy, the role of the investigator is to decide if the content violates the acceptable norms for communication. Because individual users make a subjective decision to report a message, the variation in content is likely broader than in the set of messages selected using a trainable classifier. This underlines the need to understand the tone and flow of the conversation within which the problem message occurred.

After reviewing the message, the investigator can resolve the problem (for instance, decide that the user overreacted when they reported the concern), notify the user (and others) about their assessment, or escalate the issue for further investigation. The Remove message in Teams option (available through the down arrow menu in Figure 4) replaces the reported message with a notification that the message “was blocked due to organizational policy” for the recipient and “This message was blocked” for the sender (Figure 5).

Figure 5: Teams blocks a reported message

This action, which is similar to the way that Teams handles messages blocked by DLP policies, allows the organization to withdraw a problem message during an investigation. However, there’s no way to withdraw the block and expose the message again if it’s deemed acceptable.

Keeping Things Clean

Report a Concern is a useful feature (Teams Free has a similar feature where Microsoft takes care of investigations) if you have the right licenses. Then again, if the organization needs something like communication compliance, the cost probably doesn’t matter. In which case, it’s nice to have a way to keep everyone polite in their Teams chat.


Keep up to date with developments like the app support for sensitivity labels by subscribing to the Office 365 for IT Pros eBook. Our monthly updates make sure that our subscribers understand the most important changes happening across Office 365.

Microsoft Pauses Daily Viva Briefing Messages
https://office365itpros.com/2022/12/23/viva-briefing-pause/
Fri, 23 Dec 2022 01:00:00 +0000

Viva Briefing Highlights Data from Viva Insights

Microsoft’s history with the generation of personal insights for users based on their work patterns and activities goes back to the purchase of Volometrix in 2015. Volometrix helped organizations to figure out how to be more efficient based on information stored in user mailboxes and calendars, which later became Delve Analytics, MyAnalytics, and finally Viva Insights.

Viva Insights still aims to help people understand how they work so that they can make better use of their time. The Viva Insights suite includes the Viva Insights add-in for Outlook, the Viva Insights app for Teams, the twice-monthly digest email, and the daily briefing email. All surface information gleaned from user interaction with Microsoft 365 captured in the Graph.

Pausing Viva Briefings

Message center notification MC486289 (December 15) says that Microsoft plans to pause sending the Viva Briefing daily email to users who signed up to receive these messages. From an email perspective, Viva Briefing (Figure 1) and digest messages are not real email because Viva injects them directly into user mailboxes. Although the messages are mail items, they do not pass through the Exchange Online transport system and therefore are immune to processing by components like mail flow rules. Microsoft stamps the messages as coming from a trusted sender, so that makes the direct injection acceptable!

Figure 1: Not much to highlight in this Viva Briefing message

Microsoft plans to pause sending Viva Briefing messages after 15 January 2023. Following the normal time required to deploy changes within Microsoft 365, no users should receive these messages after 1 February 2023. Resumption will follow sometime later in 2023. I haven’t received a Viva Briefing message since last Monday. Perhaps my work life isn’t interesting enough to warrant a briefing, or maybe the pause kicked in early for the holiday period.

More Personalized Information

The pause is to allow Microsoft to make changes to the content of the Viva Briefing messages “to be more personalized for each recipient.” I don’t know what this means because the whole point of Viva Briefing is to deliver personalized content to the recipient. For example, Figure 2 shows items found by Cortana (lurking under the covers of Viva Insights) to remind me about things I might like to follow-up. This information comes from email in my mailbox, so it’s highly personalized.

Figure 2: Some follow-up items highlighted in a Viva Briefing message

Cortana finds follow-up items by scanning messages for key words and phrases that indicate when the recipient or sender might be committing to an action. The first item in Figure 1 is an example where Cortana highlights the fact that the mailbox owner made a commitment to take an action. The second item is a variation where the mailbox owner asked a recipient to do something.

I don’t depend on the Viva Briefing to find follow-up actions for me, but I do find the prompts to be moderately useful. Sometimes, Cortana highlights something that I have forgotten to do and proves its worth. I suspect that people who have busier calendars and take on more commitments than I do find the briefing email more valuable.

Finding Who’s Using Viva Briefing

Exchange Online automatically enables new mailboxes to receive the Viva Briefing email. However, users won’t receive briefing messages unless they are active. For instance, if you create a test mailbox and only use it from time to time, there’s no email activity for Cortana to analyze and highlight, so there’s no reason to send a briefing. Perhaps the reduced level of email traffic over the last few days is the reason why I haven’t received a briefing message since Monday.

To discover what mailboxes are enabled for Viva Briefing, run PowerShell to find the set of user mailboxes and check each mailbox with the Get-UserBriefingConfig cmdlet. Here’s an example:

# Run in a session already connected to Exchange Online (Connect-ExchangeOnline)
$EnabledMbx = 0; $NonEnabledMbx = 0; [array]$EnabledUsers = $Null; [array]$NonEnabledUsers = $Null
# Find all user mailboxes in the tenant
[array]$Mbx = Get-ExoMailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited
Write-Host ("Checking {0} mailboxes for Viva Briefing status" -f $Mbx.count)
ForEach ($M in $Mbx) {
   # Check whether the briefing email is enabled for this mailbox
   $Status = Get-UserBriefingConfig -Identity $M.UserPrincipalName
   If ($Status.IsEnabled -eq $True) {
      $EnabledMbx++
      $EnabledUsers += $M.DisplayName
   } Else {
      $NonEnabledMbx++
      $NonEnabledUsers += $M.DisplayName
   }
}
# Report the counts and the display names of the enabled mailboxes
[string]$EnabledUsers = $EnabledUsers -Join ", "
Write-Host ("Viva Briefing is enabled for {0} mailboxes and disabled for {1} mailboxes. The following mailboxes are enabled: {2}" -f $EnabledMbx, $NonEnabledMbx, $EnabledUsers)

Waiting for Briefings

Microsoft will likely describe the improvements they make to increase the personalized content in Viva Briefing messages when they relaunch the service. Until then, we’ll just have to track commitments and action items using Outlook tasks, To Do, Planner, Project, or any of the other methods available in Microsoft 365.


Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.

Microsoft Adds Release Status to Message Center Notifications
https://office365itpros.com/2022/12/22/release-status-message-center/
Thu, 22 Dec 2022 01:00:00 +0000

Release Status Only Present for Some New Notifications

Message center notification MC485549 (14 December, Microsoft 365 roadmap item 108078) brings news of a new launch status Microsoft is adding to notifications to make the actual status of a change heading to their tenant clearer to administrators. Until now it’s been difficult for administrators to know exactly when a software change will hit their tenant after release by Microsoft. The difficulty increases when Microsoft misses a predicted availability date, something that happens regularly (the expanded reaction set for Teams is a notable example).

The new release status shows up as a property of new message center notifications. In Figure 1, we see that some updates have a launched status (update available to all tenant users) while the scheduled date for other updates has not arrived. The third status is “rolling out,” meaning that some users have received the update but not others.

Figure 1: Message center notifications show off their release status

Microsoft plans to unveil the new release status to targeted release tenants starting in mid-December 2022. All targeted release tenants should see notifications with release status by mid-January 2023. General roll-out to standard release tenants is due in mid-April 2023.

Initially, the release status will appear for Teams, Outlook, and Microsoft 365 admin center announcements. Over time, it will spread to all workloads. A release status only appears for updates that correspond to a Microsoft 365 roadmap item. Sometimes updates appear that aren’t on the roadmap. Logically, these messages won’t have a release status.

Continuum of Message Center Notification Improvements

The latest change to message center notifications is part of an ongoing continuum of improvements to customer communications for updates released to Microsoft 365. Recent examples include:

The project to improve communications around Microsoft 365 updates is led by Microsoft with considerable customer involvement.

Planner Tasks See the Release Status

The Planner tasks created by the Message Center-Planner synchronization capability include the release status in the Notes section (Figure 2). There’s no easy way to filter tasks with a certain release status in Planner.

Figure 2: Planner task has the release status in its Notes field

I also don’t see any evidence of the release status (or the other recent enhancements like relevance and user count) in the Service Messages API. Perhaps Microsoft hasn’t had the chance to upgrade the API to output all the details now available for message center notifications.

Need for More Predictable Release Dates

The trick for Microsoft will be to make sure that the accuracy of the release status tag is high. At one point, nearly half of all the updates published in message center notifications failed to meet the scheduled dates. Software development is an inexact science when it comes to predicting when the last few bugs that hold up the deployment of a new feature will disappear.

Microsoft has become better at publishing believable and attainable dates in the recent past. Things aren’t perfect yet and are likely to never be. Perhaps a new highlight on release status will make Microsoft do even better when it comes to predicting feature availability. We can but hope!


Make sure that you’re not surprised about changes that appear inside Office 365 applications by subscribing to the Office 365 for IT Pros eBook. Our monthly updates make sure that our subscribers stay informed.

Finding Microsoft 365 Answers with ChatGPT Isn’t Successful
https://office365itpros.com/2022/12/16/chatgpt-bot-answers/
Fri, 16 Dec 2022 01:00:00 +0000

Chatbot Delivers Answers, But Usable Responses Are a Different Matter

The launch of the free research version of OpenAI’s ChatGPT project generated lots of reactions, with some journalists predicting that using AI in this manner could mark the end of Google search results. According to Chris Johns, an economist whose podcast I subscribe to, the chatbot is capable of producing answers that meet the standard of first year university exams. Closer to home, MVP Doug Finke (author of the ImportExcel PowerShell module) thought the results generated for PowerShell questions were impressive (here’s his YouTube video).

Given the opinions voiced, I decided to sign up to test ChatGPT. My conclusion is that the chatbot is an idiot savant when it comes to technology. The answers generated by ChatGPT are plausible and cogent in some areas, but once it goes outside its area of comfort, the answers become weaker and weaker.

The Need for Good Source Material

By its very nature, AI depends on the source material used to train models. Inside Microsoft 365, a trainable classifier doesn’t work in scenarios like auto-label policies unless the set of source documents used to create the model underpinning the classifier is good enough. In the case of ChatGPT, OpenAI admit that the material used to build the model comes from 2021 or earlier. Given the nature of technology, especially cloud services, out-of-date information leads to bad answers.

A problem also arises when source material is wrong or contains information that might be accurate at a point in time but will be superseded by developments. This happens all the time in blog posts. For example, if you search for something like “How to update Azure AD accounts with PowerShell,” you’ll get a bunch of responses describing how to perform the task using cmdlets from the Azure AD or Microsoft Online Services (MSOL) modules. Posts published last week that I know of still reference these cmdlets, but people working in this space know that Microsoft plans to deprecate both modules in June 2023. The upshot is that the answer is right, works today, but is flawed because the code will stop working in six months. The lack of awareness of context is a flaw of AI and that shows through in its answers.

Asking About Azure AD Accounts

Take the example shown in Figure 1. The chatbot response to the question is inaccurate for two reasons: I asked about finding Azure AD accounts with the Microsoft Graph. The response is to use the soon-to-be-deprecated Azure AD module. There’s no trace of a Graph API request or the Microsoft Graph PowerShell SDK cmdlets.

Figure 1: Asking ChatGPT about finding Azure AD accounts

I have no idea why my question might have violated OpenAI’s content policy. That’s just a glitch. The important thing is that the code generated by ChatGPT works. Even though I wouldn’t use the Azure AD module now, the code runs perfectly and is a valid answer to the question.

The Microsoft Graph PowerShell SDK existed in 2021, so I decided to check what the chatbot knew about the SDK. Figure 2 is the result. I think this is a good example of the ability of ChatGPT to generate a reasonably cogent (if wordy) answer in response to a question. The text is rather like the response you’d get from a Microsoft marketing person, but that’s another story.

Figure 2: ChatGPT discusses the Microsoft Graph PowerShell SDK

Testing a Real-Life Question

As a test of a real-life question, I took one about mailbox archiving from Practical365.com and input it to ChatGPT. The answer (Figure 3) is just plain wrong. First, only Exchange Online mailbox retention policies operate against archive mailboxes. Second, neither Microsoft 365 nor Exchange Online retention policies (there is no such thing as an online archiving policy) operate on the basis of mailbox size. Retention, including move to archive, is driven by item age. Like any assertion from a consultant, the confident nature of the response means that it might be accepted by someone who doesn’t know the technology. It seems like the text might be influenced by the way that Exchange Online expandable archives work, but the context is all wrong and the answer isn’t at all helpful.

Figure 3: ChatGPT gets mailbox archiving wrong

Finally, I asked about the world’s best Office 365 book. I was amused that ChatGPT recommended Office 365 for IT Pros but got the authors wrong. I have never met Ben Curry and he’s never been involved with the book, but hey, it’s still a highly plausible answer.

Figure 4: Who’s the Ben Curry guy that ChatGPT thinks wrote the Office 365 for IT Pros book?

Interesting but Flawed

The bottom line is captured in OpenAI’s admission that “ChatGPT sometimes writes plausible-sounding but incorrect or nonsensical answers.” This, allied to the other flaw that “The model is often excessively verbose and overuses certain phrases, such as restating that it’s a language model trained by OpenAI” means that you can’t trust the chat bot’s responses to any question about technology that evolves quickly. Answering some basic PowerShell questions is fine. Seeking help to administer Office 365 is quite another matter.

ChatGPT is interesting and worthwhile technology that points to the way we might seek information in the future. Based on a $1 billion investment, Microsoft and OpenAI have been working since 2019 and OpenAI trained the ChatGPT model on Azure. With that kind of backing, I’m sure that OpenAI will improve the model and increase the accuracy of the answers that it generates. But for now, I think I shall stick with querying Google and sorting the wheat out of whatever chaff Google replies with.


Stay updated with developments across the Microsoft 365 ecosystem by subscribing to the Office 365 for IT Pros eBook. We do the research to make sure that our readers understand the technology.

Microsoft Clarifies How It Plans to Charge for APIs
https://office365itpros.com/2022/12/14/microsoft-365-api-tiers/
Wed, 14 Dec 2022 01:00:00 +0000

Pay as You Go Model for Microsoft 365 APIs

Microsoft 365 APIs

About fifteen months ago, Microsoft introduced the notion of metered APIs where those who consumed the APIs would pay for the resources they consume. The pay-as-you-go (PAYG) model evolved further in July 2022 when Microsoft started to push ISVs to use the new Teams export API instead of Exchange Web Services (EWS) for their backup products. The Teams export API is a metered API and is likely to be the test case to measure customer acceptance of the PAYG model.

So far, I haven’t heard many positive reactions to the development. Some wonder how Microsoft can force ISVs to use an API when they don’t know how high the metering charges will rack up. Others ask how Microsoft can introduce an export API for backup when they don’t have an equivalent import API to allow tenants to restore data to Teams. I don’t understand this either as it seems logical to introduce export and import capabilities at the same time. We live in interesting times!

PAYG with Syntex Backup

To be fair to Microsoft, they plan to go down the same PAYG route with the new backup service they plan to introduce in 2023 as part of the Syntex content management suite. Customers will have to use an Azure subscription to pay for backups of SharePoint Online, OneDrive for Business, and Exchange Online (so far, Microsoft is leaving Teams backup to ISVs).

All of which brings me to the December 2 post from the Microsoft Graph development team where Microsoft attempts to describe what they’re doing with different Microsoft 365 APIs. Like many Microsoft texts, too many words disguise the essential facts of the matter.

Three Microsoft 365 API Tiers

Essentially, Microsoft plans to operate three Microsoft 365 API tiers:

  • Standard: The regular Graph-based and other APIs that allow Microsoft 365 tenants to access and work with their data.
  • High-capacity: Metered APIs that deal with high-volume operations like the streaming of data out of Microsoft 365 for backups or the import of data into Microsoft 365.
  • Advanced: APIs developed by Microsoft to deliver new functionality. Microsoft points to Azure Communications Services as an example. These APIs allow developers to add the kind of communication options that are available in Teams to their applications.

My reading of the situation is that Microsoft won’t charge for standard APIs because this would interfere with customer access to their data. Microsoft says that standard APIs will remain the default endpoint.

However, Microsoft very much wants to charge for high-capacity APIs used by “business-critical applications with high usage patterns.” The logic here is that these APIs strain the resources available within the service. To ensure that Microsoft can meet customer expectations, they need to deploy more resources to meet the demand and someone’s got to pay for those resources. By using a PAYG model, Microsoft will charge for actual usage of resources.

Microsoft also wants customers to pay for advanced APIs. In effect, this is like an add-on license such as Teams Premium. If you want to use the bells and whistles enabled by an advanced API, you must pay for the privilege. It’s a reasonable stance.

Problem Areas for Microsoft 365 APIs

I don’t have a problem with applying a tiered model for APIs, especially if the default tier continues with free access. The first problem here is in communications, where Microsoft has failed to sell their approach to ISVs and tenants. The lack of clarity and the obfuscation are staggering for an organization that employs masses of marketing and PR staff.

The second issue is the lack of data about how much PAYG is likely to cost. Few want to write an open-ended check to Microsoft for API usage. Microsoft is developing the model and understands how the APIs work, so it should be able to give indicative pricing for different scenarios. For instance, if I have 100 teams generating 35,000 new channel conversations and 70,000 chats monthly, how much will a backup cost? Or if my tenant generates new and updated documents at the typical rate observed by Microsoft across all tenants of a certain size, how much will a Syntex backup cost?

The last issue is the heavy-handed approach Microsoft has taken with backup ISVs. Being told that you must move from a working, well-sorted, and totally understood API to a new, untested, and metered API is not a recipe for good ISV relationships. Microsoft needs its ISVs to support its API tiered model. It would be so much better if a little less arrogance and a little more humility were obvious in communication. Just because you’re the big dog who owns the API bone doesn’t mean that you need to fight with anyone who wants a lick.


Make sure that you’re not surprised about changes that appear inside Office 365 applications by subscribing to the Office 365 for IT Pros eBook. Our monthly updates make sure that our subscribers stay informed.

The Role of SharePoint Online in Microsoft 365
https://office365itpros.com/2022/11/24/sharepoint-online-role/
Thu, 24 Nov 2022 01:00:00 +0000

Document Management Par Excellence

Browsing through Twitter (as some still do), I came across a “What is SharePoint” article. Given that I’ve used SharePoint since the initial release of SharePoint Portal Server in 2001, I opened and read the content. (Fun fact: SharePoint originally used the Exchange ESE database engine. The move to SQL happened with SharePoint 2003. Around the same time, the Exchange “Kodiak” project dabbled with the idea of moving to SQL. That project never proceeded).

In any case, the article sets out to explain what SharePoint is and how people use it, which is a worthy purpose. Some good points are made, especially about the transition from the old-style SharePoint to the new UX and architecture. Inevitably, a couple of points of contention exist, so here’s what I think about the role played by SharePoint Online today inside the Microsoft 365 ecosystem.

SharePoint Online Has Always Been Part of Office 365

First, the article asserts that SharePoint Online joined Office 365 in 2012 following the release of SharePoint 2013 Server. This is inaccurate. SharePoint Online has always been part of Office 365 and was included in the beta released in April 2011 and the initial version released on June 28, 2011. Microsoft based the initial release of SharePoint Online on SharePoint 2010 Server. There’s no doubt that the subsequent upgrade to the Wave 14 servers (Exchange 2013 and SharePoint 2013) helped Office 365 enormously, but that came later.

SharePoint’s Toolbox

The article covers the attempts of SharePoint to be all things to all customers by providing features like task management and conversations. One undoubted truth for SharePoint is that it failed to be the “Swiss army knife of collaboration.” That’s a good thing because we learn through failures, and I think SharePoint learned that its strengths are in content management and not collaboration or workflow.

Then again, you can argue a good case that other developments in the Microsoft 365 ecosystem left the capabilities available in SharePoint behind. The big difference between on-premises and the cloud is that on-premises servers are often the fulcrum of a complete ecosystem. Once servers like SharePoint and Exchange become part of a cloud solution, they are no longer at the center and must instead function as a productive part of the ecosystem. Teams, Yammer, and Outlook are better points for collaboration (each with its own strengths). Planner and Project are better at task management, and Power Automate offers better workflow capabilities. A common point is that all these apps contribute to and use services from other apps and Azure, including SharePoint Online. All contribute to the ecosystem, as does SharePoint Online.

Once Teams gathered speed, there was no stopping it, especially after the acceleration in demand for its services during the pandemic. SharePoint Online wisely dropped working on solutions that were never going anywhere and concentrated on what it does best, which is to deliver an enterprise-class document management service to Microsoft 365. After SharePoint focused, its developers were able to exploit other areas based on existing capabilities, like what is now Microsoft Lists.

SharePoint and Teams

I fundamentally disagree with the article’s assertion that SharePoint is the backbone of Microsoft Teams. You could say the same about Azure (Teams uses many Azure services, including Azure Cosmos DB for its message stores), or Exchange (Teams uses Exchange Online for its calendar and to store compliance records). It’s true that every new team comes complete with a new SharePoint Online site. The same is true for private and shared channels, each of which has a site associated with the site belonging to the host team. But this simply reflects an app’s use of SharePoint Online for document management. It’s just like the way Yammer stores documents for its communities.

This brings me to the true backbone of Teams: Microsoft 365 groups. Without the identity management, membership model, and resource provisioning of Groups, Teams wouldn’t work the way the app does today.

In December 2017, I wrote an opinion piece saying that Office 365 Groups saved SharePoint Online. I was wrong: although Outlook groups demonstrated how users could have easy access to SharePoint without having to navigate SharePoint’s browser interface, it was Teams that saved SharePoint Online by providing users with a reason to use SharePoint Online. I said “People don’t think about using SharePoint. They think about using Teams, or Planner, or Yammer, or Outlook” and “if they have a file to store, they put it wherever the application dictates, like in the Files section of Teams. It is a natural and easy way for people to use document management and it is the engine driving SharePoint usage.” That assertion is truer now than it was in 2017. Accessing SharePoint Online files through the Teams Files channel tab (Figure 1) is an area that Microsoft has improved over the years and is now as functional as the SharePoint browser interface in practical terms.

Figure 1: The Teams Files channel tab allows easy access to documents stored in SharePoint Online

The growth in Teams to 270 million monthly active users (likely higher now because Microsoft hasn’t updated the figure since January 2022) propelled SharePoint usage to new heights. When Microsoft announced the new Syntex backup solution at Ignite 2022, they said that “Every workday, on average, our customers add over 1.6 billion documents to Microsoft 365.” Those documents go into SharePoint Online sites and OneDrive for Business accounts, and users create many of those files using the connection between Teams and SharePoint Online (here’s Microsoft’s description of that connection).

OneDrive for Business

SharePoint Online deals with business users. OneDrive for Business is the personal side of SharePoint Online. Microsoft uses the consumer version of OneDrive as the document management solution for consumer apps, including Teams Personal.

Microsoft didn’t break out the percentage of the 1.6 billion documents added daily so we don’t know how many ended up in OneDrive for Business. I suspect that the proportion is roughly half and half. OneDrive for Business stores files shared in Teams chat and Outlook messages, including Loop components. It stores user files created in the Documents folder on Windows desktops, and so on. OneDrive for Business is everywhere.

One of the reasons why OneDrive for Business does so well is its excellent sync client. I would not have said that some years ago because the original OneDrive sync client was awful. Synchronization challenges have been encountered and overcome since and the current sync client does a wonderful job of keeping files synchronized across devices. The addition of differential synchronization in 2020 was an important step in this process. I depend on OneDrive synchronization and document auto-save to preserve my work.

SharePoint is a Basic Microsoft 365 Workload

Microsoft considers three workloads to be the foundation of Microsoft 365: Exchange, SharePoint, and Teams. SharePoint Online is the critical document management service for Microsoft 365 and it fulfils that role extremely well. As time passes, the connections and dependencies between the base workloads grow and deepen, something that never happened in the on-premises world.

It’s been interesting to observe the development of SharePoint from a small department-level server to a massive worldwide service for hundreds of millions of users. Many people never realize that they use SharePoint Online because they interact through other apps. That’s just fine. No application is the center of anything these days. Services are what’s important and SharePoint Online delivers a great service, and that’s what’s important.

Microsoft Cloud Revenues Slow Slightly in FY23 Q1 Results
https://office365itpros.com/2022/10/28/microsoft-cloud-fy23-q1-results/
Fri, 28 Oct 2022 01:00:00 +0000

But the Microsoft Cloud Juggernaut Keeps on Trucking

Microsoft FY23 Q1 Business Highlights

Microsoft Cloud Revenues

Another quarter, another set of Microsoft results to ponder, including the transcript of the comments made by CEO Satya Nadella and CFO Amy Hood to market analysts. The numbers showed the effect of some softening in demand and the effect of a stronger dollar, but Microsoft still posted first quarter revenue of $50.1 billion, up 16 percent in constant currency.

Microsoft reported that Office 365 commercial revenue grew 11 percent (17 percent in constant currency). They said that growth came from expanding the installed base across all workloads and by generating more revenue from E5 licenses. The availability of many high-end (desirable) security, compliance, and voice features is a big reason for customers to upgrade their licenses. As Amy Hood observed, “we saw good upsell to E5.” She also said that “more than half of the 10-million-dollar-plus Microsoft 365 bookings came from E5.”

Microsoft Cloud revenues reached $25.7 billion (31 percent year-over-year growth in constant currency), or an annualized run rate of $102.8 billion. The increase in Q1 over the $25 billion achieved in FY22 Q4 was relatively small. Then again, a sales push always happens in the last quarter of a financial year, especially when a $100 billion ARR landmark is there to attain.

Microsoft Cloud gross margin percentage increased to 73 percent. Cloud Services is a great business to be in when you operate it at the scale that Microsoft does.

Office 365 Numbers

For years, Microsoft emphasized the success of Office 365 and Teams by regularly providing new numbers for monthly active users, or lately, paid seats for Office 365. Over the last few quarterly results briefings, they’ve become cagier about these numbers, possibly due to slowing growth.

The last reported figure for Office 365 paid seats was 345 million in April 2022. Applying 7% growth to that figure (half of the 14% growth reported by Microsoft), the number of Office 365 paid seats could now be around 370 million (plus or minus a few million).

Teams Numbers

Microsoft didn’t give any number for Teams users, so we remain at the 270 million reported in January 2022. Instead, Satya Nadella gave out some of the statistics beloved by Microsoft that lack any context to help people understand the real importance of the data. He said that “Users interact with Teams 1,500 times per month on average” but didn’t explain how Microsoft counts interactions or if different kinds of interactions are deemed more important. For instance, does clicking the activity feed merit the same level of interaction as making a VOIP call? Does reacting to a chat message with an emoji rate the same as a carefully considered text response spanning several paragraphs?

Nadella also said that “In a typical day, the average commercial user spends more time in Teams chat than they do in e-mail.” Again, no context to explain how Microsoft arrived at this conclusion. For instance, does simply keeping Teams chat open mean that a user is spending time in the app? How can you compare a chat conversation that can span multiple to-and-fro interactions with responding to an email? Microsoft might be able to gather data from their clients and their services, but holes exist when people use non-Microsoft clients like mobile clients based on Exchange ActiveSync or POP3/IMAP4 desktop clients.

Another example is “the number of users who use four or more features within Teams increased over 20 percent year over year.” Indeed, and who would be surprised at this outcome given Microsoft’s propensity to stuff as many features into Teams (like the entire Viva suite) as possible. In fact, a case can be argued that given the number of features now available through Teams, a fairer measurement might be ten or more features.

In any case, these are made-up statistics thrown out to impress market analysts that really don’t give any insight into how people use Teams. What was more interesting is the tidbit that “over 55 percent of our enterprise customers who use Teams today also buy Teams Rooms or Teams Phone.” The recent announcement of Teams Premium also merited a mention, perhaps because Microsoft hopes that the $10/user/month they plan to charge for this license will increase the average revenue per user (ARPU) figure Microsoft loves to highlight to market analysts.

Other Microsoft Cloud Facts and Stats

In February 2022, Microsoft said that its Viva suite had ten million monthly active users. Now the number is “more than 20 million monthly active users.” Doubling the number of Viva users in nine months is pretty good, but it’s got to be viewed in the context of the immense marketing effort Microsoft has dedicated to their employee engagement platform and the size of the Office 365 base. There’s lots of room for Viva to grow.

Microsoft noted that Power Apps (“the market leader in low-code/no-code tools”) has “nearly 15 million monthly active users, up more than 50 percent compared to a year ago.” Possibly more relevant to Microsoft 365 is the Power Automate number, now at “over 7 million monthly active users.”

Finally, one of Microsoft 365’s strengths is the worldwide data center network that hosts its services. Microsoft invested billions to build the network, and its operating expenses are massive too. An insight into the costs involved was the discussion between Amy Hood and a market analyst about the impact of increased energy costs, where it was revealed that the extra cost will be over $800 million for FY23, currently running at $250-ish million a quarter. Data centers consume lots of power and cooling. In Ireland, Microsoft has applied to deploy large numbers of generators to keep its data centers running and perhaps keep those energy costs down.

The growth in Microsoft Cloud revenues is likely to keep on going. Perhaps not so much through growing its installed base, but definitely by making sure that Microsoft Cloud customers have the maximum reason to buy high-end add-on licenses to meet their security, compliance, and automation requirements. There’s nothing wrong with the way Microsoft attempts to extract more revenues from its customers. It’s just business.

Using Hidden Membership for Microsoft 365 Groups https://office365itpros.com/2022/10/04/hidden-membership-groups/?utm_source=rss&utm_medium=rss&utm_campaign=hidden-membership-groups https://office365itpros.com/2022/10/04/hidden-membership-groups/#comments Tue, 04 Oct 2022 01:00:00 +0000 https://office365itpros.com/?p=57300

Keeping Group Membership Secret

Customers expressed the desire to hide the membership of Microsoft 365 Groups soon after Microsoft launched Office 365 Groups in November 2014. Microsoft duly shipped the feature in early 2015.

Many scenarios exist to cloak the membership of a group. Some educational establishments don’t like revealing the full membership of classes; corporations engaged in confidential activities (like a merger and acquisition project) might like to hide the fact that external advisors have joined an internal team. Other organizations like to hide the membership of some committees, and so on.

Creating Groups with Hidden Memberships

Only PowerShell supports the creation of a Microsoft 365 group with hidden membership. This code creates a new group with the New-UnifiedGroup cmdlet and adds some members and a second owner with the Add-UnifiedGroupLinks cmdlet. The account that runs the New-UnifiedGroup cmdlet automatically becomes an owner:

New-UnifiedGroup -Alias "Super.Secret.Team" -PrimarySmtpAddress Super.Secret.Team@office365itpros.com -HiddenGroupMembershipEnabled:$True -Name "Super Secret Team"
Add-UnifiedGroupLinks -Identity Super.Secret.Team -LinkType Member -Links Sean.Landy, Terry.Hegarty, James.Ryan, Jackson.Hoare, Jane.Sixsmith, Michael.King
Add-UnifiedGroupLinks -Identity Super.Secret.Team -LinkType Owner -Links Michael.King

When a group has hidden membership, it means that Exchange Online only reveals details of the group membership to its members (through client interfaces) and tenant administrators (through administrative interfaces). This statement isn’t 100% true. As shown in Figure 1, when users browse an address list, they can’t see the group membership, but they can see one of the group owners, who are also group members. This means that part of the group membership is exposed.

Figure 1: Hidden membership for a Microsoft 365 group

Distribution lists also support hidden membership. Like Microsoft 365 Groups, you can set hidden membership when creating a new distribution list or you can hide membership for an existing distribution list. For example, this command creates a new distribution list with hidden membership.

New-DistributionGroup -Alias "SecretDL" -Name "Secret Distribution List" -DisplayName "Secret Distribution List" -PrimarySmtpAddress SecretDl@office365itpros.com -HiddenGroupMembershipEnabled:$True

When a Microsoft 365 group has hidden membership, its membership cannot be revealed by updating group properties. The Set-UnifiedGroup cmdlet doesn’t support updating the HiddenGroupMembershipEnabled setting. However, you can restore visible membership for a distribution list. For example:

Set-DistributionGroup -Identity SecretDL -HiddenGroupMembershipEnabled:$False

And if you make a mistake, you can reverse course and hide the membership again.

Set-DistributionGroup -Identity SecretDL -HiddenGroupMembershipEnabled:$True

Remember that Exchange Online must generate updated OAB files for Outlook to download and apply before changes to membership visibility become completely effective in Outlook desktop.

Sensitivity Labels and Hidden Group Privacy

Only a private Microsoft 365 group can have hidden membership. PowerShell and the other administrative interfaces will stop administrators changing the access type from private to public. Another thing to consider is what sensitivity label the new group should receive. Remember that sensitivity labels can control the privacy type for a group. If you assign a sensitivity label that applies container management settings, the access type set by the label must be Private. If not, you’ll see an error.

Figure 2 shows the group settings in the Microsoft 365 admin center. The group sensitivity label is Confidential Access, which is fine because it sets the access type to Private. Any attempt to use a label that sets the access type to Public will result in a cryptic error message.

Figure 2: Managing the properties of a Microsoft 365 group with hidden membership in the Microsoft 365 admin center

In addition, attempts to change the privacy (access type) through this interface won’t work because “visibility of a group with hidden membership cannot be updated.”

Hiding Groups from Address Lists

The “don’t show team email address in Outlook” setting controls the group’s HiddenFromAddressListsEnabled property. By default, the value of the property is False, meaning that Exchange Online includes the group in its address lists, including the Offline Address Book (OAB) and Global Address List (GAL). The effect of choosing this option is to stop users finding an entry for the group (and therefore being able to see its SMTP address) when they browse Outlook address lists. For example, there’s no sign of the group in the Outlook address book (Figure 3).

Figure 3: No trace of a hidden group in the GAL

To make the group visible in address lists, update the setting in the admin center or run Set-UnifiedGroup to update the property:

Set-UnifiedGroup -Identity Super.secret.team -HiddenFromAddressListsEnabled $False

Remember that hiding the SMTP address of a group doesn’t stop people from sending messages to the group. It’s a visual block, not a hard block imposed in the transport service. If you want to restrict the people who can send messages to a group, use the AcceptMessagesOnlyFromSendersOrMembers property. This example stops the group accepting messages from anyone but group members.

Set-UnifiedGroup -Identity Super.secret.team -AcceptMessagesOnlyFromSendersOrMembers "Super.Secret.Team@Office365itpros.com"
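
The three settings discussed above (hidden membership, address list visibility, and sender restrictions) are independent of each other, so it is worth reviewing them together. The following is an added example, not code from the original article: Get-HiddenGroupExposure is a hypothetical helper name, and the sample objects are constructed to mirror the properties that Get-UnifiedGroup returns.

```powershell
# Added example. Get-HiddenGroupExposure is a hypothetical helper, not an Exchange Online cmdlet.
function Get-HiddenGroupExposure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Group
    )
    process {
        # Only groups with hidden membership are in scope.
        if (-not $Group.HiddenGroupMembershipEnabled) { return }

        $Findings = [System.Collections.Generic.List[string]]::new()

        # Still listed in address lists: users can find the group and its SMTP address.
        if (-not $Group.HiddenFromAddressListsEnabled) {
            $Findings.Add('Listed in address lists (GAL/OAB)')
        }
        # No sender restriction: hiding the address is a visual block, not a transport block.
        $Senders = @($Group.AcceptMessagesOnlyFromSendersOrMembers | Where-Object { $_ })
        if ($Senders.Count -eq 0) {
            $Findings.Add('Accepts mail from any sender')
        }
        # Hidden membership is only supported for private groups.
        if ($Group.AccessType -ne 'Private') {
            $Findings.Add("Access type is $($Group.AccessType), expected Private")
        }

        [PSCustomObject]@{
            DisplayName = $Group.DisplayName
            Address     = $Group.PrimarySmtpAddress
            Owners      = @($Group.ManagedBy) -join ', '
            Findings    = if ($Findings.Count) { $Findings -join '; ' } else { 'None' }
        }
    }
}

# Constructed sample objects (not real tenant data) so the function can be tried offline.
$SampleGroups = @(
    [PSCustomObject]@{
        DisplayName = 'Super Secret Team'; PrimarySmtpAddress = 'Super.Secret.Team@office365itpros.com'
        HiddenGroupMembershipEnabled = $true; HiddenFromAddressListsEnabled = $false
        AccessType = 'Private'; ManagedBy = @('Michael.King')
        AcceptMessagesOnlyFromSendersOrMembers = @()
    }
    [PSCustomObject]@{
        DisplayName = 'Locked Down Team'; PrimarySmtpAddress = 'locked.down@example.com'
        HiddenGroupMembershipEnabled = $true; HiddenFromAddressListsEnabled = $true
        AccessType = 'Private'; ManagedBy = @('Owner.One')
        AcceptMessagesOnlyFromSendersOrMembers = @('locked.down@example.com')
    }
    [PSCustomObject]@{
        DisplayName = 'Ordinary Team'; PrimarySmtpAddress = 'ordinary@example.com'
        HiddenGroupMembershipEnabled = $false; HiddenFromAddressListsEnabled = $false
        AccessType = 'Public'; ManagedBy = @('Owner.Two')
        AcceptMessagesOnlyFromSendersOrMembers = @()
    }
)

$SampleGroups | Get-HiddenGroupExposure | Format-Table -AutoSize -Wrap

# Against a tenant, after Connect-ExchangeOnline:
# Get-UnifiedGroup -ResultSize Unlimited | Get-HiddenGroupExposure
```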

Teams and Hidden Membership

Teams supports Microsoft 365 Groups with hidden membership. To team-enable our group, use the Add Teams option in the General tab of the group’s properties in the Microsoft 365 admin center. Alternatively, connect to Teams with PowerShell and run the New-Team cmdlet with the GroupId parameter pointing to the Azure AD identifier for the Microsoft 365 group:

Connect-MicrosoftTeams
New-Team -GroupId (Get-UnifiedGroup -Identity Super.Secret.Team | Select-Object -ExpandProperty ExternalDirectoryObjectId)

As only team members can access a team, they’re the only ones who can see the membership.

Impact on Reporting

Because administrative interfaces always have access to group membership data, setting group membership to be hidden might or might not affect the data returned by PowerShell cmdlets and Graph API requests. For example, the script to generate a report of Teams membership includes hidden membership because the code accesses each team to retrieve its membership. However, because the Graph TransitiveMemberOf API doesn’t include hidden membership in its results, the script to generate a report of membership of Microsoft 365 Groups (and Teams) doesn’t include groups and teams with hidden membership data.

Hidden is Good for Some

I don’t come across many situations where tenants use groups with hidden memberships and Office365ITPros.com hasn’t had many questions about this topic over the years. The feature is there, it works, and it solves a problem for some. I guess that’s all we need to say about it.


The Importance of the Office 365 Audit Log for IT Forensics https://office365itpros.com/2022/09/28/office-365-audit-log-forensics/?utm_source=rss&utm_medium=rss&utm_campaign=office-365-audit-log-forensics https://office365itpros.com/2022/09/28/office-365-audit-log-forensics/#respond Wed, 28 Sep 2022 01:00:00 +0000 https://office365itpros.com/?p=57266

Microsoft DART Likes the Office 365 Audit Log (Unified Audit Log)

On September 26, Microsoft’s Detection and Response Team (DART, aka the cybersecurity team you never want to meet) published an article on the Security, Compliance, and Identity blog called Forensic artifacts in Office 365 and where to find them. It’s a nice article that captures the standard and optional (requiring extra configuration or licenses) flows of data captured for Azure AD sign-in events, Azure AD admin events, and Office 365 activities (Figure 1). This data is of great help to forensic investigators as they attempt to understand what happened in cybersecurity incidents.

Figure 1: Flow of data for audit events (Source: Microsoft)

Regular readers of my written work or those who’ve heard me speak at conferences are well aware of my high regard for the Office 365 audit log. It’s a fantastic source of information about what happens inside a tenant and I believe that every administrator should be familiar with how to retrieve information from the audit log. I keep on coming back to the audit log to see what data shows up there for new features like reactions to Teams messages. It’s also my go-to place to find in-depth information about actions that might affect the tenant, like potential illicit consents.

Moving Office 365 Data to a SIEM

The downside of the Office 365 audit log is that data doesn’t stay there for very long. Even tenants with the Office 365 E5 plan have access to only 365 days of information. For Office 365 E3, the audit log only stores 90 days of information. In addition, Office 365 E3 tenants must enable auditing for every mailbox to make sure that Exchange Online sends mailbox events to the audit log. That’s a gap which I hope Microsoft closes soon.

A SIEM is a good place to hold audit data for longer periods. As Microsoft notes, it’s possible to ingest Office 365 audit data into Microsoft Sentinel. Not all data flows through as the connector used to transfer data to Sentinel is particular about the events it chooses, so that’s something to watch. Nevertheless, Sentinel is a good place to keep audit data if you use Azure.

As to other SIEM platforms, many PowerShell examples exist demonstrating how to use the Search-UnifiedAuditLog cmdlet to fetch audit events (here’s an example). Once you have the data, it’s not hard to send it to a repository. Some SIEMs have more sophisticated ingestion mechanisms. For example, Splunk uses a registered Azure AD app to fetch audit data and bring it to its repository.

Poor Search Performance

I use PowerShell whenever I need to search the audit log. I have never liked the GUI Microsoft built for audit log search. It has always been unwieldy and inflexible, not to mention slow. Its sole benefit is that the GUI exposes some of the important information stuffed in the AuditData payload in audit records.

I was therefore taken aback by the enthusiasm shown about the new Audit search GUI (preview). According to Microsoft, the new GUI offers the following improvements:

  • Search jobs initiated via the compliance portal UI no longer require the web browser window to remain open in order to complete. These jobs will continue to run even after the browser window is closed.
  • Completed search jobs are now stored, giving customers the ability to reference historical audit searches. These search jobs are presented in the UI, listing the search name, search job status, progress %, Number of results, Creation Time, and Searched by.
  • Each admin Audit account user can have a maximum of 10 search jobs in progress at a time.

I tried the new GUI with a very simple search looking for events for a single operation (someone changes a sensitivity label for a document) for the last 27 days. This search took less than three seconds by running the Search-UnifiedAuditLog cmdlet in PowerShell, but required 9 minutes and 24 seconds through the new search (Figure 2). This kind of performance is not usual in my experience.

Figure 2: Slow performance for audit log searches in the preview GUI

Here’s the equivalent search in PowerShell:

Measure-Command { [array]$Records = Search-UnifiedAuditlog -Operations ComplianceSettingChanged -StartDate 1-Sep-2022 -EndDate 27-sep-2022 -Formatted -ResultSize 5000 }


Days              : 0
Hours             : 0
Minutes           : 0
Seconds           : 2
Milliseconds      : 470
Ticks             : 24701589
TotalDays         : 2.85898020833333E-05
TotalHours        : 0.00068615525
TotalMinutes      : 0.041169315
TotalSeconds      : 2.4701589
TotalMilliseconds : 2470.1589

Some overhead is expected to create and process search jobs in the background but this degradation in performance is extraordinary when you consider that both methods interrogate the same data source. You have to do more work with PowerShell when an audit search returns events, but anyone who’s worked with the event log will have that process well defined and understood, so the advantage of being able to view event details through the GUI (Figure 3) is probably only appreciated by those unfamiliar with the audit log.

Figure 3: Details of an audit event found in an audit log search
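
The extra work PowerShell needs after a search returns events, and the step of sending the data to a repository mentioned in the SIEM section, both come down to paging through results and unpacking the AuditData JSON. The following is an added example, not code from the original article or from Microsoft DART: Get-AuditRecordsPaged and ConvertTo-SiemEvent are hypothetical helper names, the sample record is constructed, and the output file name is an assumption.

```powershell
# Added example. Get-AuditRecordsPaged and ConvertTo-SiemEvent are hypothetical helpers.

function Get-AuditRecordsPaged {
    # Requires an Exchange Online session (Connect-ExchangeOnline).
    param(
        [Parameter(Mandatory)][datetime]$StartDate,
        [Parameter(Mandatory)][datetime]$EndDate,
        [string[]]$Operations
    )
    # One session id ties the pages together; ReturnLargeSet returns unsorted pages of
    # up to 5,000 records until the result set (at most 50,000 per session) is exhausted.
    $Params = @{
        StartDate      = $StartDate
        EndDate        = $EndDate
        SessionId      = 'SiemExport-' + [guid]::NewGuid()
        SessionCommand = 'ReturnLargeSet'
        ResultSize     = 5000
    }
    if ($Operations) { $Params.Operations = $Operations }

    $Seen = [System.Collections.Generic.HashSet[string]]::new()
    do {
        [array]$Page = Search-UnifiedAuditLog @Params
        foreach ($Record in $Page) {
            # De-duplicate on Identity as a precaution in case a record is returned twice.
            if ($Seen.Add($Record.Identity)) { $Record }
        }
    } while ($Page.Count -gt 0)
}

function ConvertTo-SiemEvent {
    # Flattens the common audit fields out of the AuditData JSON payload.
    param([Parameter(Mandatory, ValueFromPipeline)][object]$Record)
    process {
        try { $Data = $Record.AuditData | ConvertFrom-Json -ErrorAction Stop }
        catch {
            Write-Warning "Skipping record $($Record.Identity): AuditData is not valid JSON"
            return
        }
        [PSCustomObject]@{
            Id        = $Data.Id
            TimeUtc   = $Data.CreationTime
            Operation = $Data.Operation
            Workload  = $Data.Workload
            UserId    = $Data.UserId
            ClientIP  = $Data.ClientIP
            ObjectId  = $Data.ObjectId
            Raw       = $Record.AuditData   # keep the full payload for later analysis
        }
    }
}

# Constructed sample record (illustrative values only) so the conversion can be tried offline.
$SampleRecords = @(
    [PSCustomObject]@{
        Identity  = '00000000-0000-0000-0000-000000000001'
        AuditData = '{"CreationTime":"2022-09-20T10:15:42","Id":"00000000-0000-0000-0000-000000000001","Operation":"ComplianceSettingChanged","Workload":"SharePoint","UserId":"user@example.com","ClientIP":"192.0.2.10","ObjectId":"https://example.sharepoint.com/sites/demo/doc.docx"}'
    }
    [PSCustomObject]@{ Identity = '00000000-0000-0000-0000-000000000002'; AuditData = '{not json' }
)

# Write one JSON document per line, a format most SIEM collectors can ingest.
$OutFile = Join-Path ([System.IO.Path]::GetTempPath()) 'audit-events.jsonl'
$SampleRecords | ConvertTo-SiemEvent |
    ForEach-Object { $_ | ConvertTo-Json -Compress -Depth 5 } |
    Set-Content -Path $OutFile -Encoding utf8

# Against a tenant, replace $SampleRecords with:
# Get-AuditRecordsPaged -StartDate '1-Sep-2022' -EndDate '27-Sep-2022' -Operations ComplianceSettingChanged
```

If a search reaches the 50,000-record session limit, split the date range into smaller windows and run one session per window.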

Slow Interfaces are Unusable

The new audit search GUI reminds me of the redesign of the content search interface, which also disappointed with its slowness and buggy nature. Microsoft introduced that redesign in May 2021 and it’s still slow. I hope that they manage to do a better job as they bring the new audit search from preview to general availability. If not, I doubt I would ever use the new audit search interface.

Microsoft DART considers that the new interface makes “large-scale data collection much simpler and more reliable.” However, that statement is softened considerably by saying that their “go-to approach here is to use PowerShell to extract the data we need.” I couldn’t agree more.


Microsoft to Close Cortana Scheduler Service https://office365itpros.com/2022/09/07/cortana-scheduler-retirement/?utm_source=rss&utm_medium=rss&utm_campaign=cortana-scheduler-retirement https://office365itpros.com/2022/09/07/cortana-scheduler-retirement/#respond Wed, 07 Sep 2022 01:00:00 +0000 https://office365itpros.com/?p=56869

AI-Powered Cortana Scheduler Service Shuts on September 1, 2023

In summer 2021, Microsoft launched Scheduler, an AI-powered (Cortana) service to make it easier for users to schedule meetings. The roots of Scheduler were in the Calendar.Help service (a Microsoft Research project), and the new offering built on the experience gained with helping people to find the right time for meetings. I liked the service and thought that it worked well when I used it to schedule some meetings (Figure 1). However, I don’t ever schedule very large or complex meetings, so I’m not the target audience for the solution.

Figure 1: Cortana Scheduler arranges a meeting

Scheduler Costs

The extra bells and whistles in Scheduler came with a $10/user/month fee for anyone who wanted to use it to schedule meetings. In addition, organizations needed to configure a special account and mailbox with an Exchange Online license, which also came with a monthly cost.

Roll forward a year and Microsoft decided that the world is not ready for Scheduler, or at least, insufficient Microsoft 365 customers consider the offering compelling enough to pay the extra fee. On September 1, message center notification MC424413 announced the retirement of the Scheduler service effective September 1, 2023.

Rationalization or Sales Effort

One way to look at the announcement is that it’s Microsoft rationalizing the (sometimes bewildering) range of add-on licenses and options they sell for Microsoft 365, like the recent notification about the retirement of Kaizala (due to take effect on August 31, 2023).

Another might be that this is simply a realization that the monthly fee was pitched too high. Microsoft emphasized that the Scheduler service wasn’t for everyone – just those who take care of scheduling complex meetings that might involve many people spread over multiple time zones. The justification for the high cost of the add-on was the amount of time Scheduler could save meeting organizers by handling meeting arrangements.

However, it’s sometimes not easy for organizations to identify the people who need add-ons like Scheduler, or if the need to use something like Scheduler exists. I imagine that the sales effort to convince customers to buy the Scheduler add-on was quite high and the outcome was that too few of the 270 million Office 365 paid seats ended up with Scheduler licenses.

Scheduler Futures

Microsoft isn’t saying what drove their decision to retire Scheduler. The sole hint in MC424413 is that they “may bundle some of these features with another offering in the future.” This could mean anything from a revamped Scheduler-like service offered at a lower per-user price to bundling Scheduler as a service plan in a high-end product like Office 365 E5 or Microsoft 365 E5. There are already over 60 service plans bundled into Office 365 E5, so one more wouldn’t make much difference and adding a service like Scheduler to Office 365 E5 might convince more customers to upgrade existing licenses to use E5. In their FY22 Q4 results, Microsoft reported that 12% of the Office 365 base use E5. Given the scale of Office 365, adding a few extra percentage points to that figure is hugely profitable.

No Real Surprise

Apart from how soon after introduction the axe fell, I’m not surprised that Microsoft is withdrawing Scheduler. It’s useful functionality with a relatively high price tag that interests relatively few people. Those who organize big meetings will see value, but most Office 365 users don’t need to do that and therefore have no need for Scheduler. I expect it will turn up in another place, but who knows when and what guise it will take.


Creating a Composite Microsoft 365 User Activity Report https://office365itpros.com/2022/08/08/microsoft-365-user-activity-2022/?utm_source=rss&utm_medium=rss&utm_campaign=microsoft-365-user-activity-2022 https://office365itpros.com/2022/08/08/microsoft-365-user-activity-2022/#comments Mon, 08 Aug 2022 01:00:00 +0000 https://office365itpros.com/?p=56371

Bringing Microsoft 365 User Activity Data Together from Multiple Workloads

I’ve been dabbling with the Microsoft Graph usage report API for a couple of years. This is the API that powers the activity reports available in the Microsoft 365 admin center, Teams admin center, and SharePoint Online admin center, so it’s a good source of hard information.

The output of my labor is the Microsoft 365 user activity report, a PowerShell script that assembles data from SharePoint Online, Exchange Online, Teams, OneDrive for Business, and Yammer activity to build a picture of how active a user account is, with the intention of removing underused or unused accounts to save on licensing costs. The 2020 version of the script introduced a bunch of performance fixes to make it possible to retrieve data quickly and efficiently.

New Version Extends the Usage History to 180 Days

Recently, a reader pointed out that the usage report API now supports a lookback period of 180 days, doubling the previous 90 days. In other words, you can fetch information about the activities performed by an account inside Microsoft 365 for the last 180 days. I don’t know when Microsoft made this change, but it’s a good one.

The usage report API doesn’t capture data about every possible user activity, nor does it cover all workloads. For instance, there’s no usage API covering Stream and Planner activity. However, in the case of Stream, once the transition to OneDrive for Business and SharePoint Online is complete, video activities will show up in the data for those workloads.

In any case, the usage data is sufficient to make a good assessment of just how active an account is. After all, if little or no trace of activity exists over 180 days, the account probably isn’t too active and is a candidate for removal. Measuring usage over 90 days is also a good yardstick of activity but doubling the measurement period makes the assessment even more accurate because it accommodates long absences such as sabbaticals and parental leave. This underlines the need to assess data in a wider context when deciding whether accounts really are inactive.

Example Microsoft 365 User Activity Data

The script works by extracting usage data for the supported workloads and combining them into an overall record per user. Here’s an example of a combined record. Note that usage data is always a couple of days behind real time.

UPN                     : Tony.Redmond@office365itpros.com
DisplayName             : Tony Redmond
Status                  : Account in use
LastSignIn              : 03/08/2022 18:08
DaysSinceSignIn         : 0
EXOLastActive           : 31-Jul-2022
EXODaysSinceActive      : 3
EXOQuotaUsed            : 5.91
EXOItems                : 34324
EXOSendCount            : 2572
EXOReadCount            : 4661
EXOReceiveCount         : 11158
TeamsLastActive         : 01-Aug-2022
TeamsDaysSinceActive    : 2
TeamsChannelChat        : 362
TeamsPrivateChat        : 493
TeamsMeetings           : 22
TeamsCalls              : 2
SPOLastActive           : 31-Jul-2022
SPODaysSinceActive      : 3
SPOViewedEditedFiles    : 798
SPOSyncedFiles          : 575
SPOSharedExtFiles       : 17
SPOSharedIntFiles       : 34
SPOVisitedPages         : 92
OneDriveLastActive      : 31-Jul-2022
OneDriveDaysSinceActive : 3
OneDriveFiles           : 6183
OneDriveStorage         : 27.2147
OneDriveQuota           : 1024
YammerLastActive        : 19-Jul-2022
YammerDaysSinceActive   : 15
YammerPosts             : 104
YammerReads             : 238
YammerLikes             : 1
License                 : POWER BI (FREE)+ENTERPRISE MOBILITY + SECURITY E5+BUSINESS APPS
 (FREE)+MICROSOFT POWER AUTOMATE FREE+MICROSOFT VIVA TOPICS+OFFICE 365 E5
OneDriveSite            : https://redmondassociates-my.sharepoint.com/personal/tony_redmond_office365itpros_com
IsDeleted               : False
EXOReportDate           : 31-Jul-2022
TeamsReportDate         : 01-Aug-2022
UsageFigure             : 5.2

Very importantly, if your organization chooses to obfuscate usage data (Figure 1), it isn’t possible to generate the report because user principal names provide the match for usage data from the workloads, and the routine that generates the obscured data creates different values for the user principal name in each workload.

Figure 1: Concealed data setting for reports in the Microsoft 365 admin center
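
To show why the user principal name matters as the join key, here is an added example (not the author's script) that merges per-workload usage rows by UPN and refuses to proceed when the names look concealed. Merge-UsageByUpn is a hypothetical helper, the CSV rows are constructed, and the column names and the test for a concealed value (no @ sign) are assumptions.

```powershell
# Added example. Merge-UsageByUpn is a hypothetical helper, not part of the author's script.
function Merge-UsageByUpn {
    param(
        [Parameter(Mandatory)][hashtable]$Workloads,   # workload name -> rows from that report
        [datetime]$AsOf = (Get-Date),
        [int]$InactiveAfterDays = 180
    )
    $Names = @($Workloads.Keys | Sort-Object)

    # Concealed reports replace the UPN with an opaque value that differs per workload,
    # so a join would silently produce one record per workload instead of one per user.
    foreach ($Name in $Names) {
        $Opaque = @($Workloads[$Name] | Where-Object { $_.'User Principal Name' -notmatch '@' })
        if ($Opaque.Count -gt 0) {
            throw "$Name report has $($Opaque.Count) row(s) without a real UPN; concealed names cannot be joined across workloads."
        }
    }

    $Users = @{}
    foreach ($Name in $Names) {
        foreach ($Row in $Workloads[$Name]) {
            $Upn = $Row.'User Principal Name'.ToLowerInvariant()
            if (-not $Users.ContainsKey($Upn)) {
                $Users[$Upn] = [ordered]@{ UPN = $Upn }
                foreach ($N in $Names) { $Users[$Upn]["${N}LastActive"] = $null }
            }
            if ($Row.'Last Activity Date') {
                $Users[$Upn]["${Name}LastActive"] = [datetime]::ParseExact(
                    $Row.'Last Activity Date', 'yyyy-MM-dd', [cultureinfo]::InvariantCulture)
            }
        }
    }

    foreach ($Entry in $Users.Values) {
        # Most recent activity in any workload decides how active the account is.
        $Latest = $Names | ForEach-Object { $Entry["${_}LastActive"] } | Where-Object { $_ } |
            Sort-Object -Descending | Select-Object -First 1
        $Entry.DaysSinceActive = if ($Latest) { [int][math]::Floor(($AsOf - $Latest).TotalDays) } else { $null }
        $Entry.Status = if ($Latest -and $Entry.DaysSinceActive -le $InactiveAfterDays) {
            'Account in use'
        } else {
            'Review: no activity in window'
        }
        [PSCustomObject]$Entry
    }
}

# Constructed sample rows (not real usage data).
$Exo = @'
User Principal Name,Last Activity Date
Tony.Redmond@office365itpros.com,2022-07-31
Sean.Landy@office365itpros.com,2022-01-10
'@ | ConvertFrom-Csv
$Teams = @'
User Principal Name,Last Activity Date
Tony.Redmond@office365itpros.com,2022-08-01
Sean.Landy@office365itpros.com,
'@ | ConvertFrom-Csv

Merge-UsageByUpn -Workloads @{ EXO = $Exo; Teams = $Teams } -AsOf ([datetime]'2022-08-03') | Format-Table -AutoSize

# A constructed concealed row: the merge stops instead of producing a misleading report.
$Concealed = 'User Principal Name,Last Activity Date', '0123456789ABCDEF0123456789ABCDEF,2022-07-31' | ConvertFrom-Csv
try { Merge-UsageByUpn -Workloads @{ EXO = $Concealed } } catch { Write-Warning $_.Exception.Message }

# Live data for the 180-day period (Microsoft Graph PowerShell SDK, Reports.Read.All):
# Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/v1.0/reports/getEmailActivityUserDetail(period='D180')" -OutputFilePath exo.csv
```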

Microsoft 365 User Activity Report Output

The output generated by the script is a PowerShell list which can be exported in different formats. Figure 2 shows the output as viewed through the Out-GridView cmdlet. The script also generates a CSV file, but you could also use the ImportExcel module to create a nicely-formatted Excel worksheet or the PSWriteHTML module to generate an HTML report.

Figure 2: Example of Microsoft 365 user activity report data

You can download the updated Microsoft 365 user activity report script from GitHub. If you find an enhancement (aka a bug fix), please suggest it in GitHub. It’s always good to have extra eyes review and improve code.


Microsoft Revamps Its Guidance for Data Lifecycle and Records Management Licensing https://office365itpros.com/2022/08/05/microsoft-365-compliance-licensing/?utm_source=rss&utm_medium=rss&utm_campaign=microsoft-365-compliance-licensing https://office365itpros.com/2022/08/05/microsoft-365-compliance-licensing/#comments Fri, 05 Aug 2022 01:00:00 +0000 https://office365itpros.com/?p=56382

Move to Clarify Microsoft 365 Compliance Licensing

Many of the new features created for Microsoft 365 compliance technology, like allowing Data Loss Prevention policies to use trainable classifiers, rely on high-end or add-on licenses. Microsoft doesn’t develop much new for the baseline Office 365 E3 enterprise plan. Everything seems to be bundled into Office 365 E5 or Microsoft 365 E5 or a new service plan.

This isn’t by accident. Microsoft is trying to drive the average revenue per user (ARPU) higher to increase cloud revenues and margin, something that CFO Amy Hood emphasizes to the market analysts every time Microsoft discusses its quarterly results. Making new features available only in high-end plans seems to be working. In their FY22 Q4 results, Microsoft reported that 12% of its Office 365 installed base now uses E5 and cloud revenues reached an annualized run rate of $100 billion.

Microsoft 365 Compliance Licensing Defined via Capability

It’s putting it mildly to say that Microsoft licensing guidelines for its compliance offerings were opaque. Confusing, misleading, inaccurate, poorly worded, and just plain wrong are other descriptions rightfully applied to Microsoft 365 compliance licensing over the years. Things weren’t helped by the way that many compliance features ignored licensing completely and allowed anyone who wanted to use a feature to go ahead and use it. Of course, using something without the right license isn’t the most intelligent strategy, especially when a software vendor tightens its code and introduces license restrictions, which is the case now.

I’ve been critical about Microsoft’s slipshod approach to licensing for Microsoft 365 compliance and security products in the past. Improvements have been coming, especially the introduction of a helpful spreadsheet to help tenants understand when they needed licenses for different features. The spreadsheet is now available in versions covering Enterprise and Frontline worker plans and Small to Medium Business plans.

Now, Microsoft has revamped their documentation for licensing guidance for Microsoft Purview Data Lifecycle and Records Management (Figure 1) to make it much clearer and easier to understand the licensing requirements for features like retention policies and retention labels. The new documentation clearly sets out the capabilities of a feature and what licenses are needed to use those capabilities.

Figure 1: Microsoft passes the message about Data Lifecycle and Records management

For instance, if you want to use adaptive scopes to find locations to apply retention policies, you need Office 365 E5, Microsoft 365 E5, or either of the Microsoft 365 E5 compliance or information protection and governance add-ons. The same licenses are needed when retention labels have settings that start retention after an event, trigger a disposition review or apply a new label when the retention period ends, or mark items as records or regulatory records.

Microsoft’s Definition of Automatic Label Processing

I like the new way of clearly setting out when advanced licenses are needed to use a feature, even if it highlights the absurdity of requiring E5 licenses to apply a default retention label to a SharePoint Online document library (Figure 2), folder, or document set. I know that Microsoft considers this to be automatic processing, and a case can be argued that the act of assigning a retention label to a document when a user uploads it to a library is automatic, but it’s hardly in the same category as auto-label policies which use artificial intelligence and machine learning (trainable classifiers) to find documents to label.

Figure 2: Is defining a default retention label for a SharePoint Online document library “automatic processing”

Microsoft is going down the same path with default sensitivity labels for document libraries (now in preview). I don’t agree with that decision either, but it’s likely to be the case when the feature reaches general availability.

Clarity is Best When Discussing Microsoft 365 Compliance Licensing

Now that Microsoft has clarified its license requirements for Microsoft Purview Data Lifecycle and Records Management, let’s hope that the trend continues across all aspects of Microsoft 365. Maybe even the folks who sometimes come up with the most convoluted text for message center announcements could sign up to improve their messaging. That would be very helpful indeed.


Learn about protecting SharePoint Online and the rest of Office 365 by subscribing to the Office 365 for IT Pros eBook. Use our experience to understand what’s important and how best to protect your tenant.

Microsoft Releases 42 New Sensitive Information Types
https://office365itpros.com/2022/08/04/sensitive-information-type-creds/
Thu, 04 Aug 2022 01:00:00 +0000

New SITs Focus on Credentials

Message center notification MC402123 (July 19, Microsoft 365 roadmap item 88941) covers the preview, now available in tenants, of 42 new sensitive information types (SITs) designed to protect different kinds of credentials (keys, passwords, and tokens) used in IT environments, including Azure, Amazon, GitHub, Slack, and Google. Most of the new SITs are of the Credential type, and there’s one called All Credential Types that’s a bundle of all the other new credential SITs.

Microsoft has steadily been increasing the set of available SITs. In April 2021, they released a bunch of country-specific SITs, while earlier this year, they introduced the concept of a bundled entity, or a set of SITs that can be processed as a single item (hence the bundled credential entity). The new set brings the total of Microsoft-created SITs to 306.

Sensitive information types are used with data loss prevention (DLP) policies and auto-labeling policies (with the right licenses). Each SIT contains patterns and definitions to detect a specific kind of data. In this case, the new SITs focus on things like usernames and passwords, Azure AD access tokens, storage account keys, and SQL server connection strings. Using the new SITs should allow organizations to clamp down on people circulating credentials in emails and Teams messages, which is a form of data leakage that you really don’t want to happen.

Checking Out Credentials Sensitive Information Types

I cover how to create a custom sensitive information type for Azure AD passwords in this article and experienced some issues using the custom SIT in production, so I was eager to discover what Microsoft delivered in their Azure AD User Credentials SIT.

One of the ways of discovering how an SIT works is to use the Test feature built into the Purview compliance portal. Open the portal, go to Data classification, and select the SIT you’re interested in. When SITs become generally available, Microsoft usually allows you to see details of the patterns used for a SIT. For now, you can’t, but you can test an SIT by uploading a text file containing test data to see whether Purview can detect any issues with the data using the SIT.

I couldn’t get a test to work for the Azure AD User Credentials SIT, even using the guidance in the SIT documentation. To make sure that I was doing the right thing, I tried with an Azure AD access token, and that worked (Figure 1), probably because tokens follow a clearly defined structure that’s relatively easy to define in a pattern.

Figure 1: Testing the Azure AD Access Token Sensitive Information Type

I’m not sure that anyone would want to cut and paste an Azure AD access token into an email or Teams chat, but I’m glad that I can detect and block this information if necessary (Figure 2).

Figure 2: DLP blocks an Azure AD access token in Teams chat
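
The point above about tokens having a clearly defined structure can be shown in code. This is an added example, not code from the original article and not Microsoft's SIT definition (whose patterns are not visible during the preview); the function names, the example.invalid URLs, and the sample messages are all constructed for illustration.

```python
import base64
import json
import re

# Three dot-separated base64url segments. A JSON object encoded in base64url
# always starts with "eyJ" (the encoding of '{"'), which makes a cheap prefilter.
JWT_CANDIDATE = re.compile(
    r"\beyJ[A-Za-z0-9_-]{8,}\.eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}")


def _b64url_json(segment):
    """Decode a base64url segment to a dict, or return None if it is not JSON."""
    padded = segment + "=" * (-len(segment) % 4)
    try:
        value = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    return value if isinstance(value, dict) else None


def find_access_tokens(text):
    """Return redacted findings for strings that are structurally JWTs."""
    findings = []
    for match in JWT_CANDIDATE.finditer(text):
        header_b64, payload_b64, _signature = match.group(0).split(".")
        header = _b64url_json(header_b64)
        payload = _b64url_json(payload_b64)
        # Structural validation: the header names an algorithm and the payload
        # carries the registered claims an access token is expected to have.
        if not header or "alg" not in header:
            continue
        if not payload or not {"aud", "iss", "exp"}.issubset(payload):
            continue
        findings.append({
            "offset": match.start(),
            "issuer": payload["iss"],
            "audience": payload["aud"],
            "redacted": match.group(0)[:12] + "...",  # never log the token itself
        })
    return findings


def make_sample_token():
    """Build a constructed, unsigned token-shaped string for testing only."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"typ": "JWT", "alg": "RS256"}
    payload = {"aud": "https://graph.example.invalid",
               "iss": "https://sts.example.invalid/tenant-placeholder/",
               "exp": 1700000000}
    return enc(header) + "." + enc(payload) + ".c2lnbmF0dXJlLXBsYWNlaG9sZGVy"


# Constructed chat messages: a token, a token-shaped near miss, and a
# username/password pair.
SAMPLE_MESSAGES = [
    "Here is the token I got: " + make_sample_token(),
    "Build id eyJhbGciOiJub25l.eyJub3QiOiJhdG9rZW4i.AAAAAAAAAAAA is stuck",
    "Sign in as kim.akers@contoso.example with password Winter2022!",
]

if __name__ == "__main__":
    for message in SAMPLE_MESSAGES:
        print(find_access_tokens(message))
```

Only the first message produces a finding. The username and password message returns nothing because free-text credentials carry no comparable structure to validate, which is why a pattern for them is much harder to get right.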

Testing the Azure AD User Credentials SIT in a DLP Policy

To test further, I configured a DLP policy to monitor for Azure AD user credentials in Teams chat. After waiting 15 minutes or so to let the policy become effective, I made multiple attempts to share username and password information through Teams chat. As Figure 3 shows, most attempts failed.

Figure 3: Testing the Azure AD User Credentials SIT in Teams chat

In fact, the only time the SIT detected a problem was when I used the Microsoft 365 service domain in a username. I don’t know many tenants that use service domains for user principal names (and email addresses), so this capability is sadly disappointing to say the least. I know that creating a pattern to detect different kinds of user credentials is difficult, but it’s hardly the cutting edge of software development.

All Fixed in General Availability

Oh well, the 42 new SITs are in preview, so we can expect that everything won’t work perfectly. The fact that SITs do not do exactly what you might expect underlines the need to test sensitive information types in realistic conditions using your data. If you don’t, you might end up sadly disappointed.


Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.

$100 Billion Landmark Reached for Microsoft Cloud
https://office365itpros.com/2022/07/28/microsoft-cloud-revenue-july-2022/
Thu, 28 Jul 2022 01:00:00 +0000

Guesswork Needed to Make Sense of Microsoft Data

Microsoft’s FY22 Q4 results were curiously devoid of anything really interesting when it came to Office 365 data. No new numbers appeared for Office 365 as a whole or for individual workloads like Teams, Exchange Online, or SharePoint Online. As normal, people were left to interpret what might be happening based on individual nuggets of information for Microsoft Cloud revenue strewn across the briefing.

$100 Billion Landmark Reached

Microsoft maintained the steady growth for its nebulous “Microsoft Cloud” segment to reach $25 billion. The Microsoft Cloud now generates an annualized run rate of $100 billion revenue, or five times the goal for cloud revenues set by Satya Nadella in 2015 (Figure 1).

Figure 1: Microsoft Cloud Revenues July 2015-July 2022

We learned that Office 365 commercial revenue grew 15% year over year, or 19% in constant currency (all numbers were affected by the strengthening dollar). But as we don’t know what the base number for Office 365 commercial revenue was last year, it’s impossible to calculate how much Office 365 brings in annually. Office 365 is lumped into the Microsoft Cloud reporting segment along with Azure, Dynamics 365, and LinkedIn.

Microsoft’s actual numbers for Microsoft Cloud over FY22 were:

  • Q1: $20.7 billion
  • Q2: $22.1 billion
  • Q3: $23.4 billion
  • Q4: $25 billion

Total: $91.2 billion.

From a margin perspective, Microsoft said that their gross margin for the Microsoft Cloud decreased slightly to 69%. Still, 69% of $91.2 billion is $63 billion, which is a nice business in anyone’s definition.

Figuring Out Office 365 Revenues

In their discussion with market analysts, Microsoft revealed that LinkedIn brought in $11 billion (talent and marketing solutions) in the last year. Of the $80-odd billion left after taking out LinkedIn (from the $91.2 billion Microsoft Cloud revenues), I think we can divide the remainder as follows:

  • Office 365: $46 billion
  • Azure: $30 billion
  • Dynamics 365/the rest: $4 billion (maybe).

Microsoft said that Office 365 paid seats grew 14% year over year. The last formal number given was 345 million paid seats, so it’s likely near 360 million now. If each paid seat generates $10/month for license fees and add-ons, that’s $43.2 billion. Microsoft made a big thing that the percentage of users paying for Office 365 E5 licenses is now 12% of the base (up from 8% last year), so $46 billion is not unreasonable.

As always, Microsoft emphasized the growing Average Revenue Per User (ARPU) they generate from Office 365 customers. At the scale Office 365 is at now, every additional dollar generates a huge amount of money. For instance, if Microsoft sold more E5 licenses and compliance add-ons and increased the average ARPU to $12/month, their annual revenue goes to $51.84 billion. This is why Microsoft sales teams are so eager to help customers understand the wonders of higher-priced licenses (Office 365 or Microsoft 365) and why the engineering groups deliver many new product features that require high-end licenses or add-ons.

Teams and Power Platform

Microsoft didn’t give a new number for Teams monthly active users, so we’re still working with the 270 million number from their FY22 Q2 results in January. Microsoft did say that Teams Phone now has over 12 million users, doubling the number in the last year. Teams Phone requires add-on dial plans and is a good example of how Microsoft is driving revenue from its installed base.

Microsoft also said that Power Platform has nearly 25 million monthly active users. That’s healthy growth but I do wonder how they count an active user of Power Platform. Are 2% of all Office 365 users active with Power Platform? It could be the case, but some more understanding of what active means here would be nice.

Onto The Next Stage in Cloud Evolution

It feels like the era of huge cloud growth is tapering off. Microsoft Cloud revenues will continue to grow, and this will remain a highly profitable business for Microsoft, but how long it will take for Office 365 to reach 500 million paid seats or Teams to reach 400 million monthly active users are open questions. I suspect Microsoft will achieve these landmarks, but they’ll require longer than the massive growth seen over the last five years.


Keep up with the changing world of the Microsoft 365 ecosystem by subscribing to the Office 365 for IT Pros eBook. Monthly updates mean that our subscribers learn about new developments as they happen.

Pace Heats Up as Microsoft Stresses Need for Email Client Updates
https://office365itpros.com/2022/07/08/microsoft-365-software-update/
Fri, 08 Jul 2022 01:00:00 +0000

Microsoft 365 Admin Center Releases Software Update Page

Message Center Notification MC397469 (July 5, 2022) announced the arrival of a new Microsoft 365 Software Updates page under the Health section of the Microsoft 365 admin center. The page is currently in preview, but according to Microsoft 365 roadmap item 82148, it should be generally available in August. The idea is that the new page gives tenant administrators a simple way to discover the update status of Office and Windows on devices known to the organization. As Figure 1 shows, my tenant is in pretty good shape.

Figure 1: The Software updates page in the Microsoft 365 admin center

Access to the data is limited to certain administrative roles including Global administrator, Global reader, Office apps admin, Reports reader, Usage summary reports reader, Intune administrator, and Exchange administrator. The information presented in the report comes from device telemetry gathered when devices connect to Microsoft 365.

The Imminent Need for Upgrade

It’s a good idea to know whether software used to connect to a service is patched appropriately. Over the years, Microsoft has been reasonably accommodating in terms of the range of clients (desktop, mobile, and browsers) that people could connect to Microsoft 365. Things started to tighten up as the retirement of Internet Explorer approached. Indeed, Teams rejected IE as long ago as November 2020.

However, the need to upgrade client software is heading for a crunch period as organizations prepare for Microsoft to begin turning off basic authentication for seven email connectivity protocols in October 2022. The increasing number of warnings from Microsoft and the steps they’re taking to highlight the issue to customers are evidence that some tenants might not be listening to the warnings.

Outlook

Outlook for Windows is a huge client for Exchange Online. Given its long history, it’s unsurprising that some older Outlook clients are still in use. Microsoft wants customers to make sure that they have enabled modern authentication for Outlook. Check by running the Get-OrganizationConfig cmdlet to ensure that the OAuth2ClientProfileEnabled setting is True:

Get-OrganizationConfig | fl OAuth2ClientProfileEnabled
OAuth2ClientProfileEnabled : True

There’s more to do after that, like making sure that users have recent Outlook clients installed. Outlook 2016 or later is recommended. The Outlook click-to-run version in Microsoft 365 apps for enterprise uses modern authentication out-of-the-box.

Apple Mail App

Last month, Microsoft released details of the automated approach they’re taking in conjunction with Apple to move Apple Mail app users to modern authentication. Two important gotchas need consideration. First, the automated approach won’t work if the organization deploys an MDM solution (Apple doesn’t want to mess with organization-controlled configurations, so they exclude these devices from their automatic update process). Second, the mail app uses Exchange ActiveSync to connect to personal Exchange Online mailboxes and that’s what the upgrade to modern authentication affects. If you use Apple devices to access shared mailboxes via IMAP4, the upgrade won’t do anything to enable modern authentication for IMAP4 (the Exchange ActiveSync protocol doesn’t support shared mailboxes).

If you’re in this position, maybe now is the right time to move from the Apple mail app to Outlook for iOS, which supports shared mailboxes natively. You might be waiting a while for Apple to update their IMAP4 implementation to connect to Exchange Online via modern authentication.

Other Exchange ActiveSync Clients

Microsoft and Apple are working together to solve the modern authentication issue for Apple mail clients, but what of all the other mobile device mail clients that use Exchange ActiveSync to connect to Exchange Online? The simple answer is that it’s the vendor’s responsibility to upgrade their clients so that they can connect to Exchange Online in a secure manner. The practical answer is that you should contact the vendor and ask them how their mail clients will work once basic authentication is unavailable.

IMAP4 and POP3

Speaking of IMAP4 and POP3, Microsoft has released support for modern authentication for the IMAP4 and POP3 protocols. This is something that client developers (like Apple) need to take care of rather than individual users. The folks who build the Thunderbird client have done a good job of making sure that this client is ready, but that’s not the case for other IMAP4 and POP3 clients, so make sure that you check if people in your tenant use these clients to connect to Exchange Online.

Developers who use IMAP4 and POP3 to retrieve messages for application rather than personal use must upgrade their applications using a different method to make sure that they can continue to access mailboxes.

No Silver Bullet for Client Health

The new Software updates page won’t tell you anything about the state of non-Microsoft clients. Tenants with Office 365 E3 or higher plans that include Microsoft 365 apps for enterprise might find the feature useful, but it’s not going to be a silver bullet to keep client software in robust health. Welcome as it is, the new Software updates page will be the source of some additional information, but that’s about all.


Keep up to date with developments like the transition to modern authentication for email connectivity protocols by subscribing to the Office 365 for IT Pros eBook. Our monthly updates make sure that our subscribers understand the most important changes happening across Office 365.
