Office 365 for IT Pros (https://office365itpros.com)

Copilot Agent Governance Product Launched by ISV
https://office365itpros.com/2025/06/27/agent-governance-rencore/
Fri, 27 Jun 2025 07:00:00 +0000

Microsoft Leaves Gaps in Technologies for ISVs to Fill – Like Agent Governance

Every time Microsoft makes a big move, ISVs seek to take advantage with a new product. It’s the way of the world. Microsoft creates technology and ISVs fill the holes left in that technology. In some respects, the cloud is a difficult place for ISVs. There’s less to tweak than in an on-premises environment and although the Graph APIs have extended their coverage to more areas of Microsoft 365 over the last few years, significant gaps still exist for major workloads like Exchange Online and SharePoint Online.

But a new technology creates a new opportunity because everything starts from scratch. Microsoft’s big move into artificial intelligence with Copilot hasn’t created too many opportunities because Copilot depends on a massive infrastructure operated by Microsoft that’s inaccessible except through applications like BizChat. Agents are different. They’re objects that need to be managed. They consume resources that need to be paid for. They represent potential security and compliance problems that require mitigation. In short, agents represent a chance for ISVs to build products to solve customer problems as Microsoft heads full tilt to its agentic future.

Building an Infrastructure for Agent Governance

To be fair to Microsoft, they’ve started to build an infrastructure for agent management. Apart from a whitepaper about managing and governing agents, the first concrete sign is the introduction of agent objects in Entra ID. Microsoft is thinking about how agents can work together, and how that communication can be controlled and monitored. That’s all great stuff and it will deliver benefits in the future, but the immediate risk is the fear that agents might run amok inside Microsoft 365 tenants.

Microsoft reports that there are 56 million monthly active users of Power Platform, or 13% of the 430 million paid Microsoft 365 seats. That’s a lot of citizen developers who could create agents using tools like Copilot Studio. Unless tenant administrators disable ad-hoc email subscriptions for the tenant, developers could be building agents without anyone’s knowledge.

Don’t get me wrong. I see great advantages in agent technology and have even built agents myself, notably a very useful agent to interact with the Office 365 for IT Pros eBook. One thing that we’ve learned over the last 30 years is that when users are allowed to create, they will. And they’ll create objects without thought, and those objects will need to be cleaned up eventually, or, as Microsoft discovered, the mass of SharePoint Online sites created for Teams became a real problem for Microsoft 365 Copilot deployments. Incorporating solid management and governance from the start is of great benefit for new technologies.

Rencore Steps Up with Copilot Agent Governance

All of which brings me to Rencore’s announcement of two new modules for their governance product to deal with Copilot and agent governance and Power Platform governance (Figure 1). Matthias Einig, Rencore’s CEO, has been forceful about the need to take control of these areas and it’s good to see that he’s investing in product development to help Microsoft 365 tenants take control before agents get any chance to become a problem.

Figure 1: Rencore Agent Governance (source: Rencore)

I have not used the Rencore product and do not endorse it. I just think that it’s great to see an ISV move into this area with purpose and intent. It seems like Rencore aims to address some major pain points, like shadow IT, the cost of running Copilot agents, over-sharing, and “agent sprawl.” All good stuff.

I’m sure other ISVs will enter this space (and there might be some active in the area already that I don’t know of). This will be an interesting area to track as ISVs seek new ways to mitigate the potential risks posed by agents.

No Time to Relax

Product from one ISV does not mean that we can all relax and conclude that agent management is done. It’s not. The continuing huge investment by Microsoft in this space means that agent capabilities will improve and grow over time. Each improvement and new feature has the potential to affect governance and compliance strategies. Don’t let your guard down and make sure that your tenant has agents under control. And keep them that way.


Support the work of the Office 365 for IT Pros team by subscribing to the Office 365 for IT Pros eBook. Your support pays for the time we need to track, analyze, and document the changing world of Microsoft 365 and Office 365.

Microsoft 365 PowerShell Modules Need Better Testing
https://office365itpros.com/2025/06/25/microsoft-365-powershell-azure/
Wed, 25 Jun 2025 07:00:00 +0000

Problems with Azure Automation Afflict Microsoft 365 PowerShell Modules

The recent problems with the Microsoft Graph PowerShell SDK are well documented. Suffice to say that the Graph PowerShell SDK hasn’t been very stable since V2.25. V2.26 and V2.27 just didn’t work, and although Microsoft delivered a much-improved update in V2.28 in May 2025, the Graph PowerShell SDK still has problems with Azure Automation.

In the Azure Automation environment, runbooks are configured to use a runtime version of PowerShell. When a runbook starts, Azure Automation loads the dependent modules (which must be a version that matches the runtime version) on the target server where the runbook executes. Currently, Azure Automation supports runtime versions for PowerShell V5.1, V7.1, and V7.2.

A Question of .NET

PowerShell V5.1 is the “classic” version. V7-based PowerShell is “PowerShell Core.” The V7.1 and V7.2 runtimes support .NET 6 while the latest versions of PowerShell use .NET 8. Software engineering groups don’t like supporting what they consider to be outdated software, so a decision was taken to drop support for .NET 6. The net effect was that V7.1 and V7.2 runbooks couldn’t use the Graph PowerShell SDK. The workaround was to use the PowerShell V5.1 runtime or revert to V2.25 of the Graph PowerShell SDK, which still supports .NET 6.

Microsoft says that the solution will come when Azure Automation supports the PowerShell V7.4 runtime. That update was supposed to arrive by June 15, 2025. It’s late, so I cannot confirm or deny if Graph PowerShell SDK V2.28 code supports PowerShell V7.4 runbooks.

The .NET Versioning Problem Strikes Exchange

A week or so ago, a reader complained that the latest version of the Exchange Online management module (now V3.8.0) didn’t run with PowerShell V7.2 runbooks. A previous comment for the article where the issue was raised said that V3.5 was required to support PowerShell V7.2 runbooks as long ago as February 13, 2025. At the time, apart from finding a relevant Stack Overflow discussion, I didn’t pay too much attention to the problem. I guess I became accustomed to the Exchange module just working while the Graph PowerShell SDK was the problem child of the Microsoft 365 PowerShell modules.

As it turns out, the Exchange Online management module shares the same problem as the Microsoft Graph PowerShell SDK. Engineering decided to remove support for .NET 6 in V3.5.1 of the Exchange module and screwed up Azure Automation V7 runbooks. The release notes for V3.5.1 are brief and concise:

Version 3.5.1

  • Bug fixes in Get-EXOMailboxPermission and Get-EXOMailbox.
  • The module has been upgraded to run on .NET 8, replacing the previous version based on .NET 6.
  • Enhancements in Add-VivaModuleFeaturePolicy.

There’s nothing to raise awareness for tenant administrators that the change in supported .NET version will stop runbooks dead in the water. It’s easy to glance over the release notes and conclude that not much has changed and it’s therefore safe to upgrade to the new version. The problem becomes very evident when the Connect-ExchangeOnline cmdlet can’t run and as a result, every other Exchange cmdlet cannot be found (Figure 1).

Figure 1: An Exchange Online management runbook barfs when run by Azure Automation

The Need for Solid Azure Automation Support

No one denies that Microsoft must prune old software from their cloud services. It’s hard enough to keep a service running smoothly when it carries unnecessary baggage in the form of old code. But in the cases of both the Microsoft Graph PowerShell SDK and the Exchange Online Management module, it seems like the engineering groups never stopped to ask if the change might impact the ability of scripts to run. Running scripts interactively revealed no issues, but running code in an interactive session on a Windows PC (or even a Mac) is not the same as Azure Automation firing up a headless Linux server and configuring it with the software necessary to execute a runbook.

Ensuring that shipped modules support Azure Automation is a problem that can be solved by incorporating Azure Automation runbooks in the test procedures that must succeed before a new version of a module can be released. What’s more upsetting is the lack of awareness within Microsoft about why customers pay for Azure Automation to run scripts.

When a script moves from running interactively on an administrator workstation to become an Azure Automation runbook, it’s probably because the script is deemed to be important enough to run on a stable, robust, and secure environment, often on a schedule (the Windows Task Scheduler should not be relied upon to run important scripts). In other words, Azure Automation is an important platform that deserves the respect and solid support of the Microsoft engineers that build PowerShell modules that can run within Azure Automation. That doesn’t seem to be the case today.

Too Much Disruption

Microsoft 365 tenants have suffered far too much disruption with PowerShell modules over the last few years. The retirement of the old Azure AD and MSOL modules was a necessary evil, but Microsoft didn’t handle the situation as well as they should. Many sins might be forgiven if the Microsoft 365 PowerShell modules were rock solid. They’re not currently. Let’s hope that Microsoft does a better job in their testing and pre-release verification processes for PowerShell modules in the future.


Need some assistance to write and manage PowerShell scripts for Microsoft 365? Get a copy of the Automating Microsoft 365 with PowerShell eBook, available standalone or as part of the Office 365 for IT Pros eBook bundle.

Microsoft Pushes European Sovereign Solutions
https://office365itpros.com/2025/06/18/microsoft-365-local-announcement/
Wed, 18 Jun 2025 07:00:00 +0000

Marked Lack of Detail around Microsoft 365 Local

Microsoft’s June 16 announcement about “sovereign solutions empowering European organizations” (Figure 1) is obviously an attempt by Microsoft to reassure European customers that continuing to use Microsoft (U.S.-based) technology is a safe choice at a time when many question the policies of the current U.S. administration.

Figure 1: Microsoft sovereign clouds, including Microsoft 365 Local (source: Microsoft)

To be fair to Microsoft, they’ve been on the path to respect data sovereignty for many years, starting with the original “Black Forest” implementation of Office 365 for German customers and reaching a point where multiple national-level datacenter regions are available within Europe. Microsoft’s continued effort to provide comfort to customers who want their data stored in-country and under the control of European law is commendable.

However, the announcement of Microsoft 365 Local confused everyone. According to the announcement, “Microsoft 365 Local provides customers with additional choice by bringing together Microsoft’s productivity server software into an Azure Local environment that can run entirely in a customer’s own datacenter.”

Apart from the Name, No Trace of Microsoft 365

Applying the Microsoft 365 branding to the offering implies some form of connection to Microsoft 365. But apart from a need to connect to Azure, this solution seems to have nothing much to do with Microsoft 365 cloud services. Instead, it appears to be the on-premises versions of Exchange Server, SharePoint Server, and Skype for Business Server running on an Azure Local instance, defined as “a machine or a cluster of machines running the Azure Stack HCI operating system and connected to Azure.”

At this point, Microsoft hasn’t shared details of how the services connect together, but I assume that Active Directory is in the mix too. We also don’t know if the Azure-based local infrastructure operates as a separate deployment, can be integrated into an existing on-premises organization, or operate as part of a hybrid organization.

In other words, Microsoft 365 Local is a modernized example of a packaged Azure-based installation of Exchange, SharePoint, and Skype for Business built according to a reference architecture and accessed via the same kind of clients that people use today to connect to on-premises servers. Unsurprisingly, Microsoft 365 Local doesn’t include Teams because Teams relies so heavily on services from Exchange, SharePoint, OneDrive, Planner, and a bunch of Azure microservices.

The packaging might be innovative, and Microsoft marketing will certainly call the announcement a triumph for branding, but it has nothing to do with Microsoft 365. Anyone who steps back from using Exchange Online with its close integration with SharePoint Online will quickly discover how different things are.

Some Organizations Will Love Microsoft 365 Local

Although I hate the name, a place exists for a solution like Microsoft 365 Local. Some companies want to control their own destiny, which is why they continue running on-premises software; others don’t have sufficient external network capacity to be dependent on cloud services.

Other companies simply want to not have to deal with the blizzard of changes that Microsoft 365 customers have to cope with, or the constant nagging from Microsoft to adopt and use its AI-based tools like Microsoft 365 Copilot. European customers have a strong track record of respecting user privacy, and solutions like the recently-launched AI-powered People Skills are unlikely to be popular with unions or works councils.

Being able to purchase a packaged solution that is hopefully better integrated out-of-the-box is a nicer option than having to convince Exchange Server and SharePoint Server (for instance) to work together, an exercise that is usually guaranteed to frustrate. Presumably the solution leverages the subscription version of the three on-premises servers and will be paid for via an Azure subscription in the same manner as Azure Local.

Lack of Detail is Frustrating

The trouble is the total lack of detail currently available about Microsoft 365 Local. The above is inspired guesswork based on reading between the lines of Microsoft’s announcement. Many questions remain unanswered. Customers will need pricing and availability details from the various hardware vendors listed in the announcement before they can decide if Microsoft 365 Local is for them. Migration from current on-premises deployments is another issue to resolve, as is deployment alongside existing deployments.

The lack of detail is frustrating, but this is a classic marketing playbook: announce a product to gauge interest and follow up if the interest is there. It will be interesting to see what Microsoft 365 Local can deliver and at what cost.


Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.

People Skills Rolling Out Within Microsoft 365
https://office365itpros.com/2025/06/17/people-skills-overview/
Tue, 17 Jun 2025 07:00:00 +0000

New Service to Manage People Skills in an Organization

The April 23, 2025, announcement about the general availability of People Skills, “a powerful new data layer in Microsoft 365 Copilot” is now being followed by the deployment of People Skills to tenants as described in MC1060842 (last updated 3 June 2025, Microsoft 365 roadmap item 485726). Microsoft expects deployment to complete worldwide in mid-July 2025.

People Skills Licensing

Along with the deployment, MC1060845 says that Microsoft is updating Office 365 and Microsoft 365 licenses to include the People Skills Foundation service plan (PEOPLE_SKILLS_FOUNDATION, 13b6da2c-0d84-450e-9f69-a33e221387ca). According to the licensing section of the People Skills documentation, “People Skills comes with your Microsoft 365 or Viva licenses and doesn’t need a separate license.” Other People Skills licenses are available, and Microsoft once again is in danger of confusing customers with licensing. I think Figure 1 boils the licensing situation down to two buckets.

Figure 1: People Skills functionality depends on the license you have

Users with the foundation service plan (included with licenses such as Office 365 E3) can “search to add skills from your taxonomy or imported skills to create a skills profile using the Microsoft 365 profile editor.” In other words, these users can access skill information through the Microsoft 365 profile card and Outlook’s Org Explorer and update their skills via the Microsoft 365 profile editor. Users with Microsoft 365 Copilot licenses can do more, like use the Skills agent to look for people with specific skills in the organization. Or as Microsoft puts it, the agent “helps employees and leaders explore, manage, and use organizational skills for personal growth and strategic planning.”

This list of where skills data appears in Microsoft 365 is worth reading. Not everything is available today, but you can see where Microsoft is heading.

Setting Up People Skills

Before any skills appear in public view, a tenant must go through the People Skills setup process. The setup option is available in the Settings (choose Viva, then data management) or Copilot sections of the Microsoft 365 admin center. Microsoft recommends a quick setup (Figure 2) to configure the People Skills service with default settings, including a skills library of some 16,297 different areas of expertise that people might have.

Figure 2: Quick setup for People Skills in a Microsoft 365 tenant

The setup process runs in the background and takes at least a day to finish. It seems like much of the time taken is to allow skills inferencing by AI to happen. This means that an AI agent examines the details of users and their activity (Graph-based access to email, Teams messages, and documents) to figure out what skills each user might have. For instance, someone with a “Software architect” job title probably knows something about software architecture, and their communications with other users will probably reveal what areas of software architecture they work in. If this sounds creepy, you can disable the feature using Viva policies managed through PowerShell.

For example, these commands reveal the set of features that can be managed through the PeopleSkills module and create a new policy to disable skills inferencing for members of a specific distribution list:

Get-VivaModuleFeature -ModuleId PeopleSkills

Add-VivaModuleFeaturePolicy -ModuleId PeopleSkills -FeatureId SkillsInferencing -IsFeatureEnabled $false -GroupIds NoSkills@office365itpros.com -Name TurnOffSkillsInterferencing

The Get-VivaModuleFeatureEnablement cmdlet checks if the feature is disabled for a user:

Get-VivaModuleFeatureEnablement -ModuleId PeopleSkills -FeatureId SkillsInferencing -Identity Marty.King@office365itpros.com

FeatureId         Enabled
---------         -------
SkillsInferencing   False
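As an added example (not code from the article), here is a PowerShell script that makes the opt-out repeatable: it creates the disabling policy for the distribution list only if one with that name does not already exist, then checks the effective Skills Inferencing state for every member, because enablement is resolved per user and another policy could still enable the feature for someone. It assumes an existing Exchange Online session and reuses the NoSkills@office365itpros.com list from the commands above; the policy name is hypothetical.

```powershell
# Added example, not from the original article. Assumes Connect-ExchangeOnline has already
# run with an account that can manage Viva feature policies.
$ModuleId   = 'PeopleSkills'
$FeatureId  = 'SkillsInferencing'
$GroupId    = 'NoSkills@office365itpros.com'   # distribution list used on the page
$PolicyName = 'TurnOffSkillsInferencing'        # hypothetical policy name

# Confirm the feature exists in the module before creating any policy for it
$null = Get-VivaModuleFeature -ModuleId $ModuleId -FeatureId $FeatureId -ErrorAction Stop

# Create the disabling policy only if one with this name is not already present
$Existing = Get-VivaModuleFeaturePolicy -ModuleId $ModuleId -FeatureId $FeatureId |
    Where-Object { $_.Name -eq $PolicyName }
if (-not $Existing) {
    Add-VivaModuleFeaturePolicy -ModuleId $ModuleId -FeatureId $FeatureId `
        -Name $PolicyName -IsFeatureEnabled $false -GroupIds $GroupId
    Write-Host "Created policy $PolicyName for $GroupId"
} else {
    Write-Host "Policy $PolicyName already exists (IsFeatureEnabled = $($Existing.IsFeatureEnabled))"
}

# Policies are assigned by group, but the enablement cmdlet reports per user, so check every
# member: this catches anyone still enabled through a different policy
$Report = foreach ($Member in Get-DistributionGroupMember -Identity $GroupId -ResultSize Unlimited) {
    $State = Get-VivaModuleFeatureEnablement -ModuleId $ModuleId -FeatureId $FeatureId `
        -Identity $Member.PrimarySmtpAddress
    [PSCustomObject]@{
        User    = $Member.PrimarySmtpAddress
        Enabled = $State.Enabled
    }
}
$Report | Sort-Object User | Format-Table -AutoSize

$StillEnabled = @($Report | Where-Object { $_.Enabled })
Write-Host ("{0} of {1} members still have Skills Inferencing enabled" -f $StillEnabled.Count, @($Report).Count)
```

Because inferred skills can linger in a profile for several days after the policy applies, rerun the check a week later rather than treating the first report as final.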

Note that if Skills inferencing has already happened for a user, it will take several days for the information to disappear from their user profile. Speaking of profiles, Figure 3 shows how AI-inferenced skills appear in my Microsoft 365 profile card. The skills listed here aren’t confirmed. In other words, they are skills that the AI agent thinks that I might have based on the knowledge available to it (I won’t get upset by the poor spelling of PowerShell).

Figure 3: People Skills displayed in a user’s Microsoft 365 people card

I’m not sure about some of these skills (like decision making). By selecting the Update your profile option, I can select which skills I agree I have (Figure 4), add some more skills that the AI overlooked by selecting from the skills inventory, and confirm the set. Confirmed skills show up with a blue tick mark when people view the profile card.

Figure 4: Updating the People Skills for a user

Graph API

A ListSkills Graph API is available for the Profile resource type to list the set of skills for a user account. The API uses the User.Read delegated permission and no application permission is available. In other words, you can’t use the API to create a report of skills for every user in the organization. Here’s how to use the Get-MgBetaUserProfileSkill cmdlet from the Microsoft Graph PowerShell SDK to list the skills of the signed-in user:

Get-MgBetaUserProfileSkill -UserId (Get-MgContext).Account | Sort-Object DisplayName | Format-Table DisplayName, allowedAudiences, CreatedDateTime

DisplayName                              AllowedAudiences CreatedDateTime
-----------                              ---------------- ---------------
Application Development                  organization     11/06/2025 08:46:52
Application Programming Interfaces (API) organization     11/06/2025 08:46:52
Artificial Intelligence (AI)             organization     11/06/2025 08:46:53
Business Intelligence (BI)               organization     11/06/2025 08:46:53
Business Management                      organization     11/06/2025 08:46:52
Business Negotiation                     organization     11/06/2025 08:46:52
Change Management                        organization     11/06/2025 08:46:53

Some People Skills Oddities

Of course, the combination of skills determined by AI and the user might not actually be true. I could claim to be a Hyper-V expert (I’m not), and the AI might think that I know something about SharePoint Online because I’ve written about the topic often. Oddly, the AI concluded that I know something about Exchange but not about SharePoint, Teams, Planner, or other Microsoft 365-related topics. Although PowerShell is a skill, Microsoft Graph isn’t listed in the skills inventory. I tried to add some custom skills by following the steps in the documentation (requiring a CSV upload to SharePoint is bizarre), but the admin center couldn’t find the CSV uploaded to a site that I owned, no matter what form of a path I used.

The skills used by the latest iteration of skill highlighting and management within Microsoft 365 are not the same as those captured in SharePoint Online or Delve (User Profile Application or UPA skills). According to the documentation, once you enable People Skills, the UPA skills are hidden from the user profile card. This might happen in the future, but I see both sets of skills listed today. Another future step is the migration of UPA skills to People Skills. Microsoft says that this will happen but hasn’t yet clarified how or when. Perhaps migration isn’t in their current skill set?



AI Generative Summaries Make Life Even Harder for Technology Websites
https://office365itpros.com/2025/06/13/generative-summaries-tech-websites/
Fri, 13 Jun 2025 07:00:00 +0000

Another Fall in Organic Traffic Because People Get What They Need from Generative Summaries

Last November, I wrote about the impact generative AI was having on technology websites. Things have become tougher since with the introduction of generative summaries. Take Figure 1 as an example. I asked Google a question and instead of responding with a list of websites that might contain good answers, Google generates a summary overview of the available information. There’s no need to go anywhere near the article that I published on June 6 because there’s enough information available in the summary to answer the question for most people.

Figure 1: Google search displays a generative summary as a response to a query

Bing has its own take on generative summaries. I didn’t use it as an example because Bing search results are so horribly bad, especially when it comes to finding content on my site.

The result of the Google changes is a further decline in website traffic. And it’s not just me saying that this is the case. A recent Bain & Company survey found that “80% of US consumers rely on ‘zero-click’ search results, meaning they get the information they need from the search engine’s results page and don’t click through to another website.”

Bain attributes the change in user behavior to the effect of AI search engines and generative summaries, resulting in a 15% to 25% reduction in organic web traffic, or page views created by people who find a website through unpaid search engine results (the listings displayed by Google, Bing, and other search engines) rather than through paid advertising or other marketing channels.

Why Does Falling Organic Traffic Matter?

The thing about generative AI is that it can only generate based on knowledge that exists in its LLMs or can find in a website. Generative AI doesn’t create new knowledge: to some extent, generative AI steals and reuses the work done by many people to understand, analyze, document, and discuss information about all the different topics indexed by the search engines and eventually create those generative summaries.

The model worked when search engines directed everyone to the source websites. Those who write are happy that the web views recorded for their site reflect interest in their work. They might also benefit from advertising on the site. Depending on the page views, the revenue from advertising might be enough to live on. More usually, it might cover the domain and hosting fees.

Sites run by commercial companies to publicize their offerings commonly publish information to attract people to the site. The quality of the information varies greatly. Some (CodeTwo Software is an example in the Microsoft 365 space) is well written and very useful. Other sites hype up the problems solved by their current product (the need to spend lots of money to manage Entra ID apps is a common theme today) or dramatically over-emphasize why their product is needed. One example in that category is a site that tells people to run the EDBUTIL utility to defragment Exchange Server databases (last needed with maybe Exchange 2003).

From what I can see from the data for several websites, new content still receives attention and high page views because it is often linked to notifications sent via email, Twitter, Bluesky, or other media channels. A few days later, that material will be absorbed by AI and become less valuable in terms of driving the page views that search engines once sent to the host sites.

Writers Will Stop Sharing Content

The point is that if people and companies don’t see a return on their investment, they won’t write as many articles as they have in the past. A well-written and researched article might take four to six hours to put together, and longer if some PowerShell or other code examples are needed. Who wants to put in that effort, or pay writers to do that work, if page view numbers are continuing to fall month-over-month? Life is too short to throw away hours of effort for no reward (fiscal or just the pleasure of knowing that people read your content).

A real strength of technical communities focusing on topics like Exchange, SharePoint, Teams, and development technologies has been the willingness of people to share their knowledge and expertise, except perhaps via paid subscriptions to Substack or Patreon sites where exclusive access to content can be offered, perhaps for a period before open publication.

If open access to knowledge weakens, we will all be worse off. No amount of generative AI can guide people to a solution that hasn’t ever been documented. The information in the LLMs will gradually degrade because less new knowledge is being publicly shared. Over time, new knowledge might become less and less available to the LLMs and generative AI will become less valuable because it can only output old material.

Publishing the 2026 Edition

For now, the content shared on office365itpros.com will remain public and open to all. I have considered using Substack to host articles that aren’t related to book updates, with free subscriptions to that content for people who buy the Office 365 for IT Pros eBook. We might still go down that route, but for now we’re concentrating on publishing the 2026 edition on July 1, 2025.

I’m interested in hearing what people think about the effect AI has on content that many depend on to do their job. Please let us know your thoughts by posting a comment.

How to Block PST Files for the New Outlook for Windows
https://office365itpros.com/2025/06/09/block-pst-access-new-outlook/
Mon, 09 Jun 2025 07:00:00 +0000

Use an OWA Mailbox Policy Setting to Block PST Access

A reader asked if it is possible to disable the ability of the new Outlook to open PST files, noting that some internet posts say that it’s not yet possible. One example from April 2025 points to the list of Microsoft 365 roadmap items related to PST files and suggests that support is coming.

Well, support is available through the OutlookDataFile setting in OWA mailbox policies. The default is to allow new Outlook clients to access PST files (a longstanding request for many people), but organizations that don’t want people to ever use PST files can easily block access.

Figure 1 shows the default access where users can add PST files for the client to open. As the note says, the current level of support extends to mail items only.

Figure 1: Managing Outlook Data Files (PSTs) in the new Outlook for Windows

Good reasons exist to justify being able to open PST files. Access to old email is an obvious reason. eDiscovery investigations often use PST files to export mailbox items found by searches for review by external experts.

The downside of allowing access to PST files is the temptation for people to move items from mailboxes into PSTs. This action makes items invisible for compliance purposes. It also makes email inaccessible to AI tools like Microsoft 365 Copilot. More worryingly, PSTs encourage bad behavior, such as people filling PSTs with email that they want to preserve when they leave a company. Using sensitivity labels blocks this habit because although users can keep protected items in a PST, they won’t be able to access the items if they can’t authenticate with an account that has access rights to the items.

Mailbox Policy Settings

An OWA mailbox policy is a collection of settings that govern how OWA works. Exchange Online supports multiple OWA mailbox policies, allowing administrators to create and assign different policies to user mailboxes.

The new Outlook is tightly linked to OWA, so it’s unsurprising to find that OWA mailbox policy applies to the new Outlook too, such as the setting to block downloading of attachments. In this case, OWA doesn’t support PST access at all, so the setting is unique to the new Outlook.

Block PST Access in the OWA Mailbox Policy

To block PST access, run the Set-OWAMailboxPolicy cmdlet to update the OutlookDataFile setting. This command updates the setting to Deny to block all access to PSTs:

Set-OwaMailboxPolicy -Identity OWAFullAccess -OutlookDataFile Deny    

The effect is shown in Figure 2. The Outlook Data Files option is now hidden.

Figure 2: The Block PST Access setting is in force

Other values for the OutlookDataFile setting are:

  • NoExport: Users can’t export from a mailbox to a PST.
  • NoExportNoGrow: Users can’t export from a mailbox to a PST or copy items from a mailbox to a PST.
  • NoExportNoOpen: Users can’t export from a mailbox to a PST, or open new PSTs.
  • NoExportNoOpenNoGrow: Users can’t export from a mailbox to a PST, copy items from a mailbox to a PST, or open new PST files.

These settings are the equivalent of the policy available to control PSTs in Outlook classic.

The effect of the new setting is not immediate. It takes time for Exchange Online to propagate the update to all the mailbox servers used by a tenant, and a further period before clients pick up and apply the setting. The time required might be as short as a few hours and as long as twelve hours. If you’re going to apply a block on PST usage, it’s best to implement the policy before people start to use the new Outlook.
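Because the change takes hours to propagate, it helps to know which policies and how many mailboxes are affected before touching anything. The script below is an added example, not code from the article: it reports the OutlookDataFile value of every OWA mailbox policy (mailboxes with no explicit policy fall under the one flagged IsDefault) and then changes a policy only when it is not already at the requested value. It assumes an Exchange Online PowerShell session opened with Connect-ExchangeOnline and treats Allow as the name of the default value, which is how the setting is documented.

```powershell
# Added example, not from the article. Assumes an Exchange Online PowerShell session
# (Connect-ExchangeOnline) with rights to read mailbox settings and update OWA mailbox policies.

function Get-PstAccessReport {
    # One row per OWA mailbox policy: its OutlookDataFile value and how many mailboxes it governs.
    # Mailboxes with no explicit policy fall under the policy flagged IsDefault.
    $policies  = Get-OwaMailboxPolicy
    $mailboxes = Get-EXOCasMailbox -ResultSize Unlimited -Properties OwaMailboxPolicy
    foreach ($policy in $policies) {
        $assigned = $mailboxes | Where-Object {
            $_.OwaMailboxPolicy -eq $policy.Name -or ($policy.IsDefault -and -not $_.OwaMailboxPolicy)
        }
        [PSCustomObject]@{
            Policy          = $policy.Name
            IsDefault       = $policy.IsDefault
            OutlookDataFile = $policy.OutlookDataFile
            PstBlocked      = ($policy.OutlookDataFile -eq 'Deny')
            Mailboxes       = @($assigned).Count
        }
    }
}

function Set-PstAccess {
    # Changes OutlookDataFile on one policy, skipping it when already at the requested value.
    # Supports -WhatIf so the change can be rehearsed before the propagation delay matters.
    [CmdletBinding(SupportsShouldProcess)]
    param (
        [Parameter(Mandatory)][string]$Policy,
        [ValidateSet('Allow','NoExport','NoExportNoGrow','NoExportNoOpen','NoExportNoOpenNoGrow','Deny')]
        [string]$Value = 'Deny'
    )
    $current = (Get-OwaMailboxPolicy -Identity $Policy).OutlookDataFile
    if ("$current" -eq $Value) {
        Write-Verbose "$Policy already has OutlookDataFile = $Value"
        return
    }
    if ($PSCmdlet.ShouldProcess($Policy, "OutlookDataFile: $current -> $Value")) {
        Set-OwaMailboxPolicy -Identity $Policy -OutlookDataFile $Value
    }
}

# Usage: review first, then block PSTs in every policy that still allows them.
# Drop -WhatIf once the report looks right.
Get-PstAccessReport | Format-Table -AutoSize
Get-PstAccessReport | Where-Object { -not $_.PstBlocked } |
    ForEach-Object { Set-PstAccess -Policy $_.Policy -Value Deny -WhatIf }
```

Run the report again a day after the change: the policy value updates immediately, but as the article notes, clients only honor it after Exchange Online has propagated the setting.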

PSTs are Ancient Baggage

Introduced in 1997, PSTs are an archaic part of the history of Exchange. Unfortunately, just like public folders (1996), customers can’t quite get rid of either. I guess we’ll just have to manage the beasts, which is what the mailbox setting described here does for PSTs in the new Outlook, aka Outlook designed for the 2030s dragging along ancient baggage…


Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.

Mailbox Import-Export Graph APIs Leave No Audit Trail https://office365itpros.com/2025/06/04/import-export-graph-api/?utm_source=rss&utm_medium=rss&utm_campaign=import-export-graph-api https://office365itpros.com/2025/06/04/import-export-graph-api/#respond Wed, 04 Jun 2025 07:00:00 +0000 https://office365itpros.com/?p=69431

Use the Import-Export Graph API to Copy Data from Mailboxes Without a Trace

A recent LinkedIn post by a security practitioner set some alarm bells ringing when it disclosed that the Graph Mailbox Import-Export APIs processed mailbox content without creating audit events to track activity. Given that a) any operation that can exfiltrate mailbox data could be a highly prized tool for attackers and b) the extensive auditing capabilities built into Microsoft 365, this oversight is more than surprising.

What’s poignant about the situation is that Microsoft released the Mailbox Import-Export Graph APIs as part of their campaign to eliminate Exchange Web Services (EWS). EWS is deemed to be insecure and was used to exfiltrate mailbox data from many sensitive executive mailboxes in the Midnight Blizzard attack on Microsoft’s own tenant in March 2024.

Since then, Microsoft has been on a campaign to eradicate EWS from Microsoft 365 as quickly as practicable. The deadline for all apps to stop using EWS is October 2026, and Microsoft plans to eliminate EWS from first-party apps by October 2025, with recent moves to lay the path for Exchange Online and Teams to stop using EWS to share free-busy information and other data.

To be fair to Microsoft, the Mailbox Import-Export Graph API is in preview and beta software usually has a few holes to fill before it can become generally available. On the other hand, Microsoft launched the API in January 2025 and you’d imagine that someone in the development team would have noticed by now. The good news is that Microsoft has acknowledged the issue. I don’t imagine that it will take them long to begin generating audit events for import and export activities.

For an independent take on using the Mailbox Import-Export Graph API, I recommend reading the articles published by MVP Glen Scales.

Testing Auditing of Permanent Removals

Another step in the EWS removal process came with the launch of APIs to permanently remove mailbox items (including calendar items, contacts, and events). Given the issue reported above, I wanted to check if Exchange Online generated audit events for the permanent removal APIs. It’s not inconceivable that an attacker would seek to remove some items from a mailbox, and so much the better if they can do it without detection.

I processed some permanent deletions for mailbox objects and then ran an audit search for hard deletions (which is what these events are).

[array]$Records = Search-UnifiedAuditLog -StartDate '29-May-2025 10:00' -EndDate (Get-Date) -Formatted -SessionCommand ReturnLargeSet -ResultSize 5000 -Operations 'HardDelete'

Audit events for the permanent deletions duly turned up.

Permanent Removals of Calendar Events

I then processed a permanent deletion of a calendar event by finding some events in my own calendar, selecting one, and deleting it:

# $UserId holds the identifier or UPN of the mailbox owner (set before running these commands)
[array]$Events = Get-MgUserCalendarView -UserId $UserId -StartDateTime "2025-01-01T19:00:00-08:00" -EndDateTime "2025-02-20T19:00:00-08:00"
# Pick one event from the calendar view (the second item in the array)
$Event = $Events[1]
# Call the permanentDelete action for that event through the Graph API
$Uri = $("https://graph.microsoft.com/v1.0/users/{0}/Events/{1}/permanentdelete" -f $UserId, $Event.Id)
Invoke-MgGraphRequest -Uri $Uri -Method Post

Again, Exchange Online captured a hard delete audit event for the deletion (Figure 1).

Figure 1: Details of an audit event for a hard delete operation recording permanent removal of a calendar event

Deleting different types of mailbox items permanently generates audit events. I expected this to be the case because these are not new APIs. Instead, Microsoft extended existing APIs to support permanent deletion, and the extension picked up the existing auditing mechanism.
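The one-line audit search above returns at most 5,000 raw records. The function below is an added example (not the article's own code) that pages through the audit log for HardDelete events, removes the duplicates that ReturnLargeSet can produce, and unpacks the AuditData JSON into the fields an investigator wants: who deleted what, from whose mailbox, and through which client. The NonOwner column flags deletions made by someone other than the mailbox owner, which is the pattern worth reviewing first. It assumes Connect-ExchangeOnline has been run by an account with audit log access.

```powershell
# Added example, not from the article. Assumes Connect-ExchangeOnline with audit log permissions.
function Get-HardDeleteSummary {
    param (
        [datetime]$StartDate = (Get-Date).AddDays(-7),
        [datetime]$EndDate   = (Get-Date)
    )
    # Reusing one SessionId with ReturnLargeSet returns successive pages until nothing comes back.
    $sessionId = [guid]::NewGuid().ToString()
    $records = @()
    do {
        $page = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -Operations 'HardDelete' `
            -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
        if ($page) { $records += $page }
    } while ($page)

    # ReturnLargeSet can hand back the same record twice; Identity is unique per audit record.
    $records = $records | Sort-Object Identity -Unique

    foreach ($record in $records) {
        # AuditData is a JSON string holding the Exchange mailbox audit payload.
        $data = $record.AuditData | ConvertFrom-Json
        [PSCustomObject]@{
            When       = $record.CreationDate
            Actor      = $data.UserId
            Mailbox    = $data.MailboxOwnerUPN
            NonOwner   = ($data.UserId -ne $data.MailboxOwnerUPN)
            Client     = $data.ClientInfoString
            ClientIP   = $data.ClientIPAddress
            Folder     = $data.Folder.Path
            ItemCount  = @($data.AffectedItems).Count
            Subjects   = (@($data.AffectedItems | ForEach-Object { $_.Subject }) -join '; ')
        }
    }
}

# Usage: list the deletions, then group by client to see which tools are doing the deleting.
$deletes = Get-HardDeleteSummary -StartDate '29-May-2025 10:00'
$deletes | Where-Object NonOwner | Format-Table When, Actor, Mailbox, Client, ItemCount -AutoSize
$deletes | Group-Object Client | Select-Object Name, Count
```

Grouping by ClientInfoString is the quick way to separate deletions made interactively in Outlook from those made by an application, which is exactly the distinction that matters for an API that might be used to remove evidence.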

Auditing is Critical

Some might consider the inclusion of auditing to be a small point when an API is in beta. It’s an arguable point, but the counter is that attackers don’t care if an API that can do a job for them is a beta or production API. All they worry about is the outcome, which could be a bunch of data noiselessly moved out of a tenant.

Of course, the tenant must be compromised beforehand, but evidence exists of cases where attackers penetrated a tenant and waited months before seizing an opportunity to do damage. A beta API that doesn’t generate audit records sounds like just the kind of tool attackers might like to use.


Need some assistance to write and manage PowerShell scripts for Microsoft 365? Get a copy of the Automating Microsoft 365 with PowerShell eBook, available standalone or as part of the Office 365 for IT Pros eBook bundle.

The Case of the Mysterious SharePoint Embedded Containers https://office365itpros.com/2025/05/28/sharepoint-embedded-containers-km/?utm_source=rss&utm_medium=rss&utm_campaign=sharepoint-embedded-containers-km https://office365itpros.com/2025/05/28/sharepoint-embedded-containers-km/#comments Wed, 28 May 2025 07:00:00 +0000 https://office365itpros.com/?p=69322

Oddly Named SharePoint Embedded Containers Show Up for Copilot Studio

Microsoft 365 tenant administrators can be swamped with message center notifications, reports about service health issues, and automated email generated by Entra ID and other workloads. Other more important things usually get in the way and often no great harm is done. Right now, there are 830 notifications in the message center for my tenant, and probably only 20% of the notifications are what I consider important. For instance, knowing that a new channel update is available for the Office apps isn’t usually a critical event.

In any case, some gems do appear, and it’s important that tenant administrators keep an eye on what’s happening. Let’s discuss an example involving SharePoint Embedded and Copilot Studio to illustrate the point.

The Set of SharePoint Embedded Containers with GUID Names

At first glance, message center notification MC1058260 (last updated 12 May 2025, Microsoft 365 roadmap item 489214), titled “Microsoft 365 Copilot: Admin controls and user file uploads for agent knowledge sources” didn’t seem too worrying. Given Microsoft’s current preoccupation with AI, it’s unsurprising that a flood of notifications describing various Copilot enhancements appears weekly. As I don’t use Copilot Studio much, it was easy to assume that the development wouldn’t impact my tenant.

When investigating how Loop workspaces connected to Teams standard channels, I noticed a bunch of strange containers for the Declarative Agent app had appeared in SharePoint Embedded (Figure 1). Some process had created these containers in three batches on 27 April (3:25am), 8 May (1:53am), and 15 May (2:21pm). All the containers appeared to be empty. The only clue was the application name, indicating that the containers are related to some form of agents.

Figure 1: Some of the mysterious SharePoint Embedded Containers created for Copilot agents

Agents process information from knowledge sources like SharePoint Online sites. MC1058260 explains that users will soon be able to upload up to 20 documents for agents to use as knowledge sources, and when this happens, the uploaded files are stored in “tenant-owned Microsoft SharePoint Embedded (SPE) containers.” MC1058260 goes on to note that “As part of this rollout, we will pre-provision a limited set of SPE containers in your tenant.” The mystery is solved because these containers are the pre-provisioned containers mentioned by MC1058260. I assume that Microsoft creates the containers to make it faster for users to upload documents (because they don’t have to wait for an agent to create a container).

Adding Files as Knowledge Sources for Agents

My tenant ended up with 80 pre-provisioned containers (so far – I have no idea if more provisioning cycles will happen in the future). As far as I can tell, the provisioning operation didn’t generate any audit records. At least, audit log searches for the creation times for the containers turn up nothing of interest.

My tenant doesn’t have 80 agents in use (the number is more like 8), so I assume that the pre-provisioned containers are a pool that agents can use. To test the theory, I edited an agent that I created with Copilot Studio a couple of months ago and added the source Word document for the Automating Microsoft 365 with PowerShell eBook as a knowledge source (Figure 2).

Figure 2: Adding a file as a knowledge source for a Copilot agent

What I expected to happen was an allocation of one of the pre-provisioned containers to the agent and an update to the container name to change it from the GUID used by the pre-provisioning routine to the name of the agent. Updates don’t happen quickly in the SharePoint admin center, and site and container data are usually at least two days behind real time, so I was prepared to wait. However, no change showed up over the next few days.

The Mysterious SharePoint Embedded Containers Disappear

And then, Microsoft hid the pre-provisioned containers. I had chatted to some Microsoft contacts and complained about the mysterious containers, so I guess they acted. In any case, there’s now no trace of the containers and I can’t find out if the updated agent took over a container. And as I don’t know the application identifier for the Declarative Agent app, I can’t use the Get-SPOContainer cmdlet to retrieve any details like the storage consumption (or name) to check if anything had changed in the set of containers.

It’s probably best that Microsoft hides these containers when they are newly created and empty. However, once a container is used by an agent, I think it should show up in the set of active containers displayed in the SharePoint admin center, if only because the storage consumed by the container is charged against the tenant SharePoint Online storage quota. It’s the kind of detail that Microsoft needs to deliver for tenant-wide agent management.
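If the owning application identifier does become known, Get-SPOContainer is the tool for watching this pool. The following is an added example, not code from the article: it lists the containers owned by an application whose names are bare GUIDs, marks the ones that now hold storage (the sign that an agent adopted them), and groups them by creation hour so batch provisioning runs like the three described above stand out. It assumes Connect-SPOService as a SharePoint administrator. The application id is a placeholder because the article says it isn’t known, and the ContainerName, CreatedOn and StorageUsedInBytes property names are my reading of Get-SPOContainer output, to be confirmed with Get-Member.

```powershell
# Added example, not from the article. Assumes Connect-SPOService as a SharePoint administrator.
# The owning application id is a placeholder (the article notes it isn't known). Property names
# ContainerName, CreatedOn and StorageUsedInBytes are assumed; confirm with Get-Member.
$DeclarativeAgentAppId = '00000000-0000-0000-0000-000000000000'   # placeholder, not a real id

function Get-PreProvisionedContainers {
    # Returns the containers for one application whose name is just a GUID, i.e. the ones that
    # look like pre-provisioned pool members rather than containers named after an agent.
    param ([Parameter(Mandatory)][string]$OwningApplicationId)
    $guidName = '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
    Get-SPOContainer -OwningApplicationId $OwningApplicationId |
        Where-Object { $_.ContainerName -match $guidName } |
        ForEach-Object {
            [PSCustomObject]@{
                ContainerId  = $_.ContainerId
                Name         = $_.ContainerName
                CreatedOn    = $_.CreatedOn
                StorageBytes = $_.StorageUsedInBytes
                InUse        = ($_.StorageUsedInBytes -gt 0)   # storage means an agent put files here
            }
        }
}

function Get-ProvisioningBatches {
    # Groups the GUID-named containers by creation hour to expose batch provisioning runs,
    # and counts how many in each batch have since been used.
    param ([Parameter(Mandatory)][string]$OwningApplicationId)
    Get-PreProvisionedContainers -OwningApplicationId $OwningApplicationId |
        Group-Object { ([datetime]$_.CreatedOn).ToString('yyyy-MM-dd HH:00') } |
        ForEach-Object {
            [PSCustomObject]@{
                Batch      = $_.Name
                Containers = $_.Count
                InUse      = @($_.Group | Where-Object InUse).Count
            }
        } | Sort-Object Batch
}

# Usage
Get-ProvisioningBatches -OwningApplicationId $DeclarativeAgentAppId | Format-Table -AutoSize
Get-PreProvisionedContainers -OwningApplicationId $DeclarativeAgentAppId |
    Where-Object InUse | Format-Table Name, CreatedOn, StorageBytes -AutoSize
```

Run the batch report on a schedule and the InUse column answers the question the article couldn’t: whether adding a knowledge source to an agent consumes a container from the pre-provisioned pool, and how much tenant storage those containers are taking.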

The mystery is solved, and I learned how to add a file as a knowledge source for an agent. Keep an eye on the notifications posted to the message center. You might even learn something too!

June 2025 Update for the Automating Microsoft 365 with PowerShell eBook https://office365itpros.com/2025/05/23/microsoft-365-powershell-12/?utm_source=rss&utm_medium=rss&utm_campaign=microsoft-365-powershell-12 https://office365itpros.com/2025/05/23/microsoft-365-powershell-12/#respond Fri, 23 May 2025 07:00:00 +0000 https://office365itpros.com/?p=69337

Update #12 Available to Help People Figure Out Microsoft 365 PowerShell

As is our norm, we have released the monthly update for the Automating Microsoft 365 with PowerShell eBook some days before the end of the month to allow us to concentrate on working on the Office 365 for IT Pros eBook. The current version number is 12.2 and the updated PDF and EPUB files are available for subscribers to download from Gumroad.com. Please use the link in your receipt (which always fetches the latest files) or go to your Gumroad account. See our FAQ for more information about downloading book updates.

The Automating Microsoft 365 with PowerShell eBook is available separately and as part of the Office 365 for IT Pros eBook bundle. The same update is available to all subscribers.

We also have a paperback version of the book available from Amazon.com. This version is proving to be more popular than we anticipated. I guess some people still like the tactile experience of reading a real book, and we are happy to oblige. Regretfully, we cannot provide monthly updates to the paperback edition as there’s no way to paste (literally) updated text into paper copies.

Focus Areas for Update #12

Most of the work in Update #12 focused on adding extra detail to the sections covering retrieving calendar information, messages, group-based license assignments, and sensitivity labels. Like always, a bunch of other changes were made to clarify thoughts or correct possible misinterpretations.

It’s the nature of a book like this that developments in Microsoft’s tools affect our content, so some Graph API requests that were used because of problems with Microsoft Graph PowerShell SDK cmdlets are now replaced by cmdlets following the release of V2.28 of the SDK on May 10, 2025.

Should I Upgrade to V2.28 of the Graph PowerShell SDK?

So far, the experience with V2.28 is positive. However, this isn’t a massive endorsement because the previous versions were so buggy and poorly tested prior to release. I think it’s safe to say that V2.28 is at least as good as V2.25, which was the last good release.

This does not mean that V2.28 is bug free. I think it would be impossible to release even a 99% bug-free Graph PowerShell SDK. The number of dependencies on many different product groups, the complex interactions with other PowerShell modules and products like Azure Automation, and the errors and omissions in the Open API documents that describe the different Graph APIs all create the potential for problems like missing parameters or failure to process parameters properly. Throw in some Entra ID authentication problems, like the current bug that sometimes requires double authentication after running the Connect-MgGraph cmdlet to create an interactive session, and it’s easy to understand why there are over 160 reported issues for the SDK.

Bugs are a fact of IT life, and the presence of some known bugs is no reason to avoid using the Graph PowerShell SDK. In fact, the SDK is more popular now than ever before because of the retirement of the AzureAD and MSOL modules (some people still ask why they can’t run Connect-MSOLService or Connect-AzureAD like they used to…). It does mean that you should:

  • Pay attention to the known bugs reported to Microsoft.
  • Report any bugs that you find that aren’t on the known issues list.
  • Be prepared to use the underlying Graph API if a Graph PowerShell SDK cmdlet doesn’t work as expected (alternatively, if a parameter doesn’t work, try passing values in a hash table using the BodyParameter parameter).

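The third point is easier to follow with a concrete pattern in front of you. The function below is an added example, not code from the eBook or from the SDK documentation. It updates a user property by passing a hash table through -BodyParameter (so a misbehaving individual cmdlet parameter is bypassed), falls back to the same PATCH request through Invoke-MgGraphRequest if the cmdlet throws, and then reads the object back so the script reports whether the change actually landed rather than trusting whichever path ran. It assumes Connect-MgGraph with User.ReadWrite.All; the department value is just an illustrative property.

```powershell
# Added example, not from the eBook or the SDK documentation.
# Assumes Connect-MgGraph with User.ReadWrite.All (or an equivalent role).
function Set-UserDepartment {
    param (
        [Parameter(Mandatory)][string]$UserId,      # object id or UPN
        [Parameter(Mandatory)][string]$Department
    )
    # Keys are the Graph JSON property names, so the same hash table works for both paths.
    $body = @{ department = $Department }
    try {
        # Preferred path: the SDK cmdlet with -BodyParameter, which sidesteps a cmdlet
        # parameter that is missing or not honored in a particular SDK release.
        Update-MgUser -UserId $UserId -BodyParameter $body -ErrorAction Stop
        $method = 'Update-MgUser -BodyParameter'
    }
    catch {
        # Fallback: the underlying Graph request, which needs no cmdlet support at all.
        Write-Warning "Update-MgUser failed ($($_.Exception.Message)); falling back to Invoke-MgGraphRequest"
        $uri = "https://graph.microsoft.com/v1.0/users/$UserId"
        Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body $body -ErrorAction Stop
        $method = 'Invoke-MgGraphRequest PATCH'
    }
    # Never trust a silent success: read the property back and compare.
    $user = Get-MgUser -UserId $UserId -Property Id, UserPrincipalName, Department
    [PSCustomObject]@{
        User       = $user.UserPrincipalName
        Department = $user.Department
        Method     = $method
        Verified   = ($user.Department -eq $Department)
    }
}

# Usage (placeholder UPN)
Set-UserDepartment -UserId 'someone@contoso.example' -Department 'Finance'
```

The read-back step matters most in Azure Automation runbooks, where nobody is watching the console and a cmdlet that returns without error but changes nothing is the failure mode that goes unnoticed.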
Overall, I think it’s safe to upgrade to V2.28. Remember to upgrade modules used as resources by Azure Automation accounts too.

On to Update #13

Work has now started on update #13, which is planned for July 1. This version of the book will be part of Office 365 for IT Pros (2026 edition), which we plan to release on the same day. Happy coding!

Quest Tool Migrates Protected Email and Files Between Tenants https://office365itpros.com/2025/05/21/sensitivity-labels-t2t-migration/?utm_source=rss&utm_medium=rss&utm_campaign=sensitivity-labels-t2t-migration https://office365itpros.com/2025/05/21/sensitivity-labels-t2t-migration/#comments Wed, 21 May 2025 07:00:00 +0000 https://office365itpros.com/?p=69314

Solves the Problem of Migrating Data Protected by Sensitivity Labels

I’ve worked as an advisor with Quest for several years, but I had no indication that they would launch a product to migrate content protected by sensitivity labels from one Microsoft 365 tenant to another. That capability is now available in Quest On Demand Migration.

The tenant migration issue has existed since Microsoft introduced Azure Information Protection labels (now sensitivity labels) in 2016. The problem doesn’t arise with labels that simply mark content as being of a certain nature. It comes into play when sensitivity labels apply rights-management based encryption where usage rights define the level of access granted to individual users for protected files or messages.

The popularity of sensitivity labels has increased over time as more tenants come to understand the value of protecting their most sensitive content using the labeling features built into the Office apps. It’s true that labeling only extends to Office documents and PDFs, but that set covers most files created within Microsoft 365 tenants.

The advent of Microsoft 365 Copilot and its ability to find and use files stored in SharePoint Online and OneDrive for Business means that sensitivity labels are even more important. By themselves, sensitivity labels won’t stop apps like BizChat finding sensitive documents, but they can stop Copilot reusing content from those documents in its responses. The DLP policy for Microsoft 365 Copilot imposes a better block by stopping Copilot finding documents assigned specific sensitivity labels.

The growth in protected content creates a problem for tenant-to-tenant migration projects. Many products are available to move Exchange mailboxes and SharePoint files between tenants. However, migration products usually assume that the data they move is unprotected and that users will be able to access the content once it reaches the target tenant. That assumption doesn’t hold true when sensitivity labels protect email and files. The challenge is to move protected items from the source tenant in such a way that protection is maintained and respected by the target tenant.

Methods to Remove Sensitivity Labels from Files

Until now, the guidance for source tenants is to remove protection from content before migration to the target tenant. There are a couple of ways of doing this, starting off by assigning an account super-user privilege to allow them to remove sensitivity labels from files. Finding and processing protected files is an intensely manual process that’s prone to error. It will take a long time to prepare, move, and check any reasonable collection of labelled files, like the 5,188 items with the Public label as reported by the Purview Data Explorer (Figure 1).

Figure 1: Purview Data Explorer lists items with sensitivity labels

The SharePoint Online PowerShell module includes the Unlock-SPOSensitivityLabelEncryptedFile cmdlet. Administrators can use the cmdlet to remove protection from files in SharePoint sites and OneDrive for Business accounts. It is possible to script the removal of labels from files, but the automation journey breaks down when the files reach the target tenant and need to be relabeled.

SharePoint also supports the assignSensitivityLabel Graph API, which can remove or assign labels to files. However, assignSensitivityLabel is a metered API, meaning that each time the API is run, Microsoft charges $0.00185 (USD) paid for through an Azure subscription. That doesn’t seem like a big fee until the need exists to process tens of thousands of documents to remove labels in the source tenant and reapply labels in the target tenant.
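To make the manual route concrete, here is an added example of the “unlock in the source, reapply in the target” procedure for SharePoint and OneDrive files, sketched with the tools the section names. It is neither Quest’s code nor code from the article. It builds a source-to-target label map from Get-Label output in each tenant (matching on display name), unlocks a file in the source tenant with Unlock-SPOSensitivityLabelEncryptedFile, reapplies the mapped label in the target tenant through the metered assignSensitivityLabel Graph API, and estimates the fee. It assumes Connect-IPPSSession in each tenant for Get-Label, Connect-SPOService in the source tenant, and Connect-MgGraph in the target tenant with Files.ReadWrite.All; the drive and item identifiers are placeholders that a real run would take from the migration tool’s item mapping.

```powershell
# Added example of the manual unlock-then-relabel path. Not Quest's code, not from the article.
# Assumes Connect-IPPSSession (Get-Label) in each tenant, Connect-SPOService in the source
# tenant, and Connect-MgGraph (Files.ReadWrite.All) in the target tenant. Drive/item ids are
# placeholders.

# Step 1: map source label ids to target label ids by display name.
function New-LabelMap {
    param (
        [Parameter(Mandatory)][object[]]$SourceLabels,  # Get-Label output captured in the source tenant
        [Parameter(Mandatory)][object[]]$TargetLabels   # Get-Label output captured in the target tenant
    )
    $map = @{}
    foreach ($src in $SourceLabels) {
        $tgt = $TargetLabels | Where-Object DisplayName -eq $src.DisplayName | Select-Object -First 1
        if ($tgt) { $map[$src.ImmutableId] = $tgt.ImmutableId }
        else { Write-Warning "No target label named '$($src.DisplayName)'; items carrying it need a manual decision" }
    }
    return $map
}

# Step 2 (source tenant, run by an account with super-user rights): strip the encryption.
function Unprotect-SourceFile {
    param ([Parameter(Mandatory)][string]$FileUrl)
    Unlock-SPOSensitivityLabelEncryptedFile -FileUrl $FileUrl -JustificationText 'Tenant-to-tenant migration'
}

# Step 3 (target tenant): reapply the mapped label with the metered assignSensitivityLabel API.
function Protect-TargetFile {
    param (
        [Parameter(Mandatory)][string]$DriveId,
        [Parameter(Mandatory)][string]$ItemId,
        [Parameter(Mandatory)][string]$TargetLabelId
    )
    $uri  = "https://graph.microsoft.com/v1.0/drives/$DriveId/items/$ItemId/assignSensitivityLabel"
    $body = @{
        sensitivityLabelId = $TargetLabelId
        assignmentMethod   = 'privileged'   # an admin-driven assignment, not a user's own choice
        justificationText  = 'Restored after tenant-to-tenant migration'
    }
    # The service accepts the request (HTTP 202) and applies the label as a background operation.
    Invoke-MgGraphRequest -Method POST -Uri $uri -Body $body
}

# Step 4: estimate the metered fee before committing to this route (one call per file when the
# source side uses the free Unlock cmdlet; double it if the API removes labels too).
function Get-RelabelCostEstimate {
    param ([Parameter(Mandatory)][int]$FileCount, [double]$PricePerCall = 0.00185)
    [math]::Round($FileCount * $PricePerCall, 2)
}

# Usage sketch:
# $srcLabels = Get-Label     # while connected to the source tenant
# $tgtLabels = Get-Label     # while connected to the target tenant
# $map = New-LabelMap -SourceLabels $srcLabels -TargetLabels $tgtLabels
# Get-RelabelCostEstimate -FileCount 5188      # 9.6 USD for the article's Public-label count
# Unprotect-SourceFile -FileUrl 'https://source-my.sharepoint.com/personal/user_source_com/Documents/plan.docx'
# Protect-TargetFile -DriveId '<target drive id>' -ItemId '<target item id>' -TargetLabelId $map['<source label guid>']
```

The weak link, as the text says, is everything between steps 2 and 3: while the file travels it is unprotected, and nothing here covers email at all.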

No Solution for Protected Exchange Messages

Note that Exchange Online is missing from the discussion. That’s because all the methods described so far don’t handle email. I don’t know how clients like Outlook and OWA apply sensitivity labels to messages (it’s likely done using APIs from the Microsoft Information Protection SDK), but no cmdlets or Graph APIs are available to remove labels from messages or apply sensitivity labels in bulk to a set of messages migrated in mailboxes moved from one tenant to another.

Migrating Protected Content Between Tenants

All of which means that Quest’s claim to migrate protected content from Exchange Online, SharePoint Online, and OneDrive for Business is very interesting. It’s the first ISV migration offering that I know of which offers such a capability.

Reading the announcement and the accompanying Quest Knowledge Base article gives some insight into how the On Demand product handles protected items. A discovery process (like running the Get-Label cmdlet) finds the set of sensitivity labels in the source tenant. The labels from the source tenant are mapped to labels in the target in some form of table. Normal migration processing moves the data, and some form of post-migration task then updates the labels from the source tenant to matching labels for the target. Quest doesn’t describe what magic is used to make sure that protected content works when it reaches the target tenant, but the knowledge base article mentions the Microsoft Information Protection SDK, so it’s likely that On Demand uses MIP SDK API calls to read and update sensitivity labels for the migrated items.

User-Defined Permissions and Keys

Although creating the capability to move protected content between tenants is a great step forward for migration projects, there are always edge cases to consider. Sensitivity labels with user-defined permissions are an example. These labels are challenging because the permissions vary from item to item. SharePoint Online only recently gained support for sensitivity labels with user-defined permissions, and it’s interesting that Quest claims support for user-defined permissions out of the box.

Quest doesn’t mention sensitivity labels with double-key encryption (DKE), nor do they explain if On Demand supports migration of sensitivity labels with encryption based on customer keys rather than Microsoft-managed keys (sometimes called bring-your-own-key or BYOK). There’s a bunch of complexity involved in moving key management between tenants and it would be surprising if Quest supported BYOK. Thankfully, most customers use Microsoft-managed keys with sensitivity labels because it simplifies operations.

Let the Competition Begin

Overall, it’s great that an ISV has taken on and solved the challenge of moving protected content between tenants. The nature of competition is that once a migration vendor introduces a new capability, their competitors respond. We might see even more interesting developments in this space over the coming months.

Time to Review How to Preserve Ex-Employee Data https://office365itpros.com/2025/05/16/preserve-ex-employee-data/?utm_source=rss&utm_medium=rss&utm_campaign=preserve-ex-employee-data https://office365itpros.com/2025/05/16/preserve-ex-employee-data/#comments Fri, 16 May 2025 07:00:00 +0000 https://office365itpros.com/?p=69253

Microsoft Layoffs Remind Microsoft 365 Tenants About the Need to Preserve Ex-Employee Data

This week’s news that Microsoft is trimming 3% of its global workforce brought shock to those affected by the elimination of their position. My LinkedIn feed has been flooded by updates from people who discovered that they’re in a position that they never anticipated, some of whom have been with Microsoft for many years. I’ve been involved in many downsizing actions at Digital Equipment Corporation, Compaq, and HP, and it’s never easy for managers and employees alike. I wish all those affected the best of luck in finding new positions.

The hope of Microsoft management is probably that the layoffs will result in a leaner, more agile organization. The only good that the Microsoft 365 community can take from the episode is that it’s a great reminder for tenant administrators to review the process used to secure ex-employee information following a termination.

Changes in Microsoft 365 Make It More Complex to Preserve Ex-Employee Data

Ten years ago, the task was relatively simple because fewer types of information needed to be secured. Today, new applications and more integration between applications means that the task is more complex.

The basics remain:

  • Terminating access to resources by revoking access tokens, disabling accounts, and changing account passwords.
  • Physically securing devices (workstations and mobile devices) or remote wipes to remove corporate content.
  • Preserving application information such as mailboxes and OneDrive for Business accounts.

Deleting a user account via the Microsoft 365 admin center (Figure 1) takes care of the basics. To do a more comprehensive job, it’s best to script all the steps with PowerShell.
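The following is an added example of scripting those three basics, not code from the article. It revokes the account’s refresh tokens first (so sessions cannot renew), disables the account and rotates its password to a random value, puts the mailbox on litigation hold if no hold already applies (so it survives account deletion as an inactive mailbox), and adds the manager as a site collection administrator on the OneDrive account. It assumes Connect-MgGraph with User.ReadWrite.All and Directory.AccessAsUser.All or an equivalent admin role, Connect-ExchangeOnline, and Connect-SPOService; the tenant name and both UPNs are placeholders supplied by the caller, and the OneDrive URL follows the usual tenant-my.sharepoint.com/personal convention.

```powershell
# Added example, not from the article. Assumes Connect-MgGraph (User.ReadWrite.All plus an
# admin role able to reset passwords), Connect-ExchangeOnline and Connect-SPOService.
# $TenantName and the two UPNs are placeholders supplied by the caller.
function Invoke-UserOffboarding {
    [CmdletBinding(SupportsShouldProcess)]
    param (
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$ManagerUpn,
        [Parameter(Mandatory)][string]$TenantName    # e.g. 'contoso' for contoso-my.sharepoint.com
    )
    $user   = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName
    $result = [ordered]@{ User = $user.UserPrincipalName }

    # 1. Terminate access: revoke refresh tokens so current sessions cannot renew, disable the
    #    account, and set a random password nobody knows so cached credentials are useless.
    if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, 'Revoke sessions, disable account, reset password')) {
        Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
        $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
        $bytes = New-Object byte[] 32
        $rng.GetBytes($bytes)
        $newPassword = [Convert]::ToBase64String($bytes)
        Update-MgUser -UserId $user.Id -AccountEnabled:$false `
            -PasswordProfile @{ Password = $newPassword; ForceChangePasswordNextSignIn = $true }
        $result.AccessTerminated = $true
    }

    # 2. Preserve the mailbox: a hold makes Exchange keep it as an inactive mailbox after the
    #    account is deleted instead of purging it when the retention period expires.
    $mbx = Get-ExoMailbox -Identity $UserPrincipalName -Properties LitigationHoldEnabled, InPlaceHolds
    $onHold = $mbx.LitigationHoldEnabled -or [bool]$mbx.InPlaceHolds
    if (-not $onHold -and $PSCmdlet.ShouldProcess($UserPrincipalName, 'Enable litigation hold')) {
        Set-Mailbox -Identity $UserPrincipalName -LitigationHoldEnabled $true
        $onHold = $true
    }
    $result.MailboxOnHold = $onHold

    # 3. Preserve OneDrive: give the manager site collection admin rights so files remain
    #    reachable and can be moved to SharePoint before the account is removed or archived.
    $oneDriveUrl = "https://$TenantName-my.sharepoint.com/personal/" + ($UserPrincipalName -replace '[.@]', '_')
    if ($PSCmdlet.ShouldProcess($oneDriveUrl, "Grant $ManagerUpn site collection admin")) {
        Set-SPOUser -Site $oneDriveUrl -LoginName $ManagerUpn -IsSiteCollectionAdmin:$true | Out-Null
        $result.OneDriveAdmin = $ManagerUpn
    }
    $result.OneDriveUrl = $oneDriveUrl
    [PSCustomObject]$result
}

# Usage (placeholders): rehearse with -WhatIf, then run for real.
Invoke-UserOffboarding -UserPrincipalName 'leaver@contoso.example' -ManagerUpn 'manager@contoso.example' -TenantName 'contoso' -WhatIf
```

The order is deliberate: revoking tokens before disabling the account closes the window in which an already-issued refresh token keeps working, and the hold goes on before anyone deletes the account, because a mailbox deleted without a hold is not retained as an inactive mailbox.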

Figure 1: Deleting a user account with the Microsoft 365 admin center

I recommend using inactive mailboxes to retain mailbox content rather than making a regular user mailbox into a shared mailbox, but advantages exist for both approaches. Happily, not much has recently changed with mailbox retention. The situation is completely different with OneDrive for Business in terms of the app reliance on OneDrive and how Microsoft deals with unlicensed OneDrive accounts.

The Key Role Played by OneDrive for Business

OneDrive for Business has become the de facto storage destination for many Microsoft apps, storing files as diverse as Loop components, Teams meeting recordings, and whiteboards. Microsoft’s enthusiasm knows no boundaries when it comes to storing files in OneDrive for Business. Even PowerShell module installations end up in OneDrive for Business if you’re not careful.

Message center notification MC1053121 (last updated 23 April 2025) describes how users who don’t use the Known Folder Move (KFM) feature to redirect common folders like Documents from local disks to OneDrive will be more aggressively “encouraged” to back up files in OneDrive for Business. This change is rolling out to general availability and should be active worldwide by mid-June 2025. If you don’t like users seeing this kind of prompting, consider the new Restrict KFM from Office policy for the Office apps (see MC1053121 for details).

Because OneDrive for Business accounts owned by ex-employees are so important from a retention perspective, it’s important to ensure an alternative site administrator (usually the ex-employee’s manager) is assigned to these accounts so that any useful information in the account is retained. Moving shared objects like Loop components or files shared in Teams chats from the account will break sharing. Eventually, the organization can remove the OneDrive account. If the account remains online, Microsoft will archive the now-unlicensed OneDrive account. Deleting or archiving the account will also break sharing!

The challenge of dealing with OneDrive accounts owned by ex-employees is one of the reasons why it is important to coach users to store corporate information in SharePoint Online instead of keeping files in OneDrive for Business. Unfortunately, that advice is often observed more in theory than in practice.

The New Challenge Posed by Flows and Agents

Power Platform flows are often tied to a user account. If the account goes away or is disabled, the flow will stop working. That shouldn’t be a problem if the process performed by the flow is personal to the now-departed employee. On the other hand, if the flow does something that others depend on, that process is now broken and needs to be fixed.

The same applies to agents. It all depends on what an agent does and who uses it. Personal agents will stop running when an account is no longer available to authenticate and that shouldn’t be a problem. But we’re at the early stages of understanding the development, deployment, and management of agents within Microsoft 365 tenants, and care must be taken to ensure that any agents created and maintained by ex-employees remain functional when needed or are disabled and removed if not. This doesn’t happen automatically when an administrator disables or deletes a user account.

Other Issues Requiring Attention

Apart from personal data, there are other issues that might need attention to preserve ex-employee data, including the ownership of:

  • Microsoft 365 groups, security groups, and distribution lists.
  • Loop workspaces and the associated SharePoint Embedded container.
  • Entra ID apps.
  • Recurring meetings.
  • Phone numbers for use with the Teams Phone system.

The point is that the Microsoft 365 ecosystem continues to evolve. This means that processes and procedures used to manage access to Microsoft 365 resources must evolve in step. This week’s Microsoft layoffs are a regrettable reminder of that fact.


Keep up with the changing world of the Microsoft 365 ecosystem by subscribing to the Office 365 for IT Pros eBook. Monthly updates mean that our subscribers learn about new developments as they happen.

Are Microsoft E5 Licensing Add-Ons a Good Deal? https://office365itpros.com/2025/04/11/microsoft-e5-security-add-on/ (Fri, 11 Apr 2025)

Microsoft E5 Security for Microsoft 365 Business Premium Now Available

On April 6, 2025, Microsoft announced that the Microsoft E5 Security add-on is available to Microsoft 365 Business Premium tenants. Microsoft 365 Business Premium is one of the packages for small to medium businesses (up to 300 licensed seats). The E5 Security suite is a bundle of high-end features to improve the security of a tenant. Until now, Microsoft has targeted the add-on at enterprise customers with Office 365 E3 or Microsoft 365 E3 that want the extra security features without upgrading to Office 365 E5 or Microsoft 365 E5. This is the first time that Microsoft has made the add-on available for a small to medium product.

Finding Savings in Software Bundles

The unique selling point for the add-on is that it’s cheaper to buy it than license each of the features separately (Figure 1). Everyone loves a bargain, and saving 57% seems like a true deal.

Figure 1: Potential savings in the Microsoft E5 Security add-on

The truth is that the E5 Security add-on is a bargain if your tenant can use its functionality. Careful assessment of each of the licensed features is necessary to understand where the tenant can gain value. For instance, if the organization currently doesn’t have the capacity to deploy Defender for Endpoint, that wipes $5.20 off the add-on’s value. If nothing can be gained from Entra P2, an extra $9 disappears, and suddenly the saving to license the other three features goes from $16.20 to $2. That’s still a saving of up to $600 monthly/$7,200 annually for a 300-person Business Premium tenant, which is not quite as impressive as the headline. And to get that saving, you must invest $43,200 annually to license the 300 seats.

On the other hand, if Entra P2 stops a tenant from being compromised through an account that can be identified as risky, or an attacker is stopped because Defender for Cloud Apps detects a problematic app, then the cost of the E5 Security add-on is more than justified. It all depends on how a tenant can extract value.

The same point is valid for the Microsoft E5 Compliance add-on (also available for $12/month in the U.S.). A bunch of interesting compliance technology is covered by the add-on, but if you don’t want to use features like Insider Risk Management, Communication Compliance, customer lockbox, customer key (for sensitivity labels), and Information Barriers, the value proposition becomes much less attractive.

Playing the Licensing Game

License management is an essential competence for tenant administrators. I don’t mean negotiation of licensing deals with Microsoft. Instead, I’m referring to understanding what licenses are needed for the functionality required by the business, knowing the cheapest way to license that functionality, and keeping track of how licenses are used. Tools like the Microsoft 365 licensing report script can help here. If you don’t want to build your own tools and want an off-the-shelf product to manage licensing, I recommend CoreView license management (the sponsor of the Office 365 for IT Pros eBook).

The higher the individual license cost, the more important it is to track active and ongoing usage. Microsoft 365 Copilot is a good example. It doesn’t make sense to assign $360/year licenses to people who don’t use Copilot, so tracking Copilot usage to ensure that people with licenses use those licenses is important.

Have a Deployment Plan Before Buying Anything

If you need and can use their features, Microsoft 365 add-ons can be great value. I don’t recommend buying these add-ons unless a tenant has a plan to deploy and use the licensed technology to achieve well-defined results. Having something that you cannot use isn’t a great idea, and buying expensive software just because it seems like a bargain has never been a great tactic. Small to medium enterprises might not have the expertise to assess the true worth of the functionality bundled in the E5 Security add-on. If you’re in that situation, engage an expert to help build your plan.

For more information about using Microsoft E5 security with Microsoft 365 Business Premium, see the Microsoft documentation. The Microsoft E5 Compliance add-on is not available for Business Premium (but that might change).


Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.

Microsoft Defender for Office 365 Exposes Bad Links in Email Preview https://office365itpros.com/2025/04/07/email-preview-defender/ (Mon, 07 Apr 2025)

Recent Change Opens Door to Malicious Links Viewed in Email Preview

I receive many messages from readers about different aspects of Microsoft 365. To be honest, I usually don’t have much time to devote to these queries unless it’s an interesting topic. Hearing about a Microsoft 365 component that allows administrators to click links that are known to lead to bad destinations certainly fell into that category, especially when the communication comes from an experienced Security Operations (SecOps) practitioner.

Update 14 April, 2025: The Microsoft Defender for Office 365 engineering group reached out to me to acknowledge that clickable links in email preview was a regression that has now been fixed.

Threat Explorer and Message Views

The Threat Explorer is part of Microsoft Defender for Office 365. It’s a tool to help the SecOps team understand the level of threat flowing into a tenant through email. The Explorer has multiple views to allow administrators to select different sets of messages, such as malicious messages blocked for different reasons. An All Email view is also available to show both bad and good messages delivered to a tenant. Even though it shows “all email,” this view could do with some filtering because it includes messages like public folder hierarchy synchronization traffic.

Figure 1 shows the Threat Explorer listing messages blocked for phishing. The details of the selected message are shown in the right-hand panel. The message purports to come from Charles Schwab. Two of the URLs in the message are for the real Charles Schwab site. The other is planted to bring unsuspecting users to the attacker’s site.

Figure 1: Threat Explorer lists some messages blocked for phishing

Using Email Entity and Email Preview for Investigations

The Threat Explorer also includes several tools to help SecOps investigate threats. To see more detail about the bad message, an investigator can open the email entity to view more details about the message and any attachments. One of the options that then becomes available in the Take Action menu is to view an email preview. Seeing how a malicious message presents itself to a recipient is invaluable information because it reveals how the attacker sets their trap for the unwary.

In this instance, the malicious message looks as if it could have come from the purported sender (Figure 2). The real links to pages on the Charles Schwab site are mixed in with the links to the attacker’s site (accessed from the Review Now button and Log In link).

Figure 2: Previewing a malicious email

Here’s where the strange aspect arises. The links to the attacker’s site are live and can be clicked on to bring the investigator to that site. On the one hand, this seems reasonable because an investigator is doing their job to follow the trail as far as possible. Skilled investigators will protect their workstation against malicious attack and will take great care when accessing bad links.

The problem is not with security investigators. It arises when people who are possibly less skilled in terms of security tools and forensics, or less aware of how malware can infect a workstation, click a live and potentially dangerous link. Clicking a link opens a connection between the workstation and the target site. Because the email preview page uses a https://security.microsoft.com/emailpreview URL, VPN backhauling is often ignored, and the traffic goes direct to the attacker site.

Recent Change Enabled Bad Links in Email Preview

The odd thing is that Microsoft appears to have enabled the ability to use these links only recently. In the past, Defender used two versions of the email preview page: one was static without links; the other showed link details if you hovered over a link but the link was not clickable. Microsoft’s documentation makes no mention of the danger of clicking active links to attacker sites and there’s no trace that I can find of an announcement explaining why Defender now enables malicious links. Given Microsoft’s current focus on tightening security in every product, it just doesn’t make sense to make it easier for people to connect to sites that Defender has (usually correctly) identified as problematic and a potential source of infection.

My correspondent told me that he reported the issue to Microsoft. The support response was that the links are protected by the Safe Links feature and no problems arise if you use a private browsing session or replace Edge with Firefox. It’s a curiously passive position that basically says that it’s OK to keep dangerous stuff around if you take steps to protect yourself. Safe Links allowed me to click the bad link today. Enough said.


So much change, all the time. It’s a challenge to stay abreast of all the updates Microsoft makes across the Microsoft 365 ecosystem. Subscribe to the Office 365 for IT Pros eBook to receive monthly insights into what happens, why it happens, and what new features and capabilities mean for your tenant.

Artificial Intelligence, PowerShell, and Microsoft 365 Administration https://office365itpros.com/2025/03/27/artificial-intelligence-and-powershell/ (Thu, 27 Mar 2025)

Artificial Intelligence and PowerShell for Tenant Administration – An Unlikely Couple?

I’ve been asked by a few people to comment about Lokka, the new creation of Merill Fernando, a program manager in the Microsoft Entra ID group. Lokka is a proof of concept exploring how the combination of AI Large Language Models (LLMs) and the Model Context Protocol (MCP) can bring value to Microsoft 365 administration, in this case by generating Graph API queries in response to administrator prompts. For example, “How many user accounts belong to the marketing or sales departments?”

Merill’s a very inventive individual whose capacity to invent extends to his eye-catching tweet asking whether Lokka is the end of PowerShell for Microsoft 365 administrators (Figure 1).

Figure 1: Will Lokka meld Artificial Intelligence and PowerShell into a tool for Microsoft 365 administrators?

Helping Administrators with Simple Queries and Examples

Of course, the advent of a proof of concept like Lokka doesn’t mean that Microsoft 365 administrators suddenly need to lose all interest in PowerShell. AI tools can certainly be helpful in responding to queries that aren’t covered by the standard admin center GUI. They can also educate administrators by showing them how to use PowerShell to run Graph API queries.

The Exchange Server 2007 product was the first Microsoft server to embrace PowerShell. One of the brainwaves in that product was how the Exchange Management Center (EMC) console displayed the PowerShell code it executed when it performed actions. Figure 2 shows how the EMC in Exchange Server 2007 displayed the code used to create a new mailbox.

Figure 2: Exchange Server 2007 EMC shows the PowerShell to create a new mailbox

Seeing the PowerShell code in action and being able to copy the commands for reuse helped administrators master the basic PowerShell commands for managing Exchange servers. Another example is how Merill’s Graph X-Ray tool gives administrators a glimpse into the Graph API requests run to perform some actions in the console.

Artificial Intelligence and PowerShell in the Microsoft 365 Admin Center

The Microsoft 365 admin center already has Copilot assistance that’s added automatically when a tenant buys some Copilot for Microsoft 365 licenses (Figure 3). The implementation is much like a Copilot Chat session where an administrator prompts Copilot for some information and receives a response containing instructions and possibly some PowerShell code. I imagine that the content used by Copilot is a restricted set of documentation, just like you can restrict a Copilot agent to reasoning over certain SharePoint and external web sites when it composes its responses.

Figure 3: Artificial Intelligence and PowerShell from Copilot in the Microsoft 365 admin center

The Importance of Training Material

There’s no doubt that we will see increasing use of AI to assist administrators with tasks as time progresses. The assistance will become more comprehensive, intelligent, and useful. However, the usefulness of any generative AI tool is bounded by the material used to create its LLMs. This means that the answers that an administrative agent can give, whether how-to instructions or PowerShell code snippets, depend on text scanned to build the LLM. If an answer exists to a question, the AI can respond. This includes incorrect answers because the LLM doesn’t know if content contained in source material is accurate. And if an answer isn’t available, the AI cannot respond without hallucinating. For example, Copilot has been known to include the names of PowerShell cmdlets that don’t exist in its responses.

The current set of AI tools we have doesn’t include insight or creativity. They can respond to known problems, but even so, responses are often based on whatever answer is most common in the source material. Those answers might be inefficient. Take the code suggested in Copilot’s response in Figure 3.

Get-MgUser | Where Department eq "Sales"

Several problems exist with the answer. First, the syntax is incorrect and won’t work because the piping to the Where-Object cmdlet is wrong (probably because Copilot absorbed an incorrect answer from some source). Second, the Department property is not retrieved by the Get-MgUser cmdlet unless explicitly requested.

Get-MgUser -All -Property Id, Displayname, Department | Where-Object {$_.Department -eq "Sales"}

Third, it’s always better to use a server-side filter to retrieve PowerShell objects. And in the case of user accounts, it’s also a good idea to filter out guest accounts.

Get-MgUser -All -Filter "Department eq 'Sales' and userType eq 'member'"

And even with member accounts selected, you might get some accounts that are used for room or shared mailboxes that you don’t want to process.
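An added example, not code from the article or from Copilot, that builds on the server-side filter above and also removes the accounts that exist only to back room, equipment and shared mailboxes. It assumes the Microsoft.Graph.Users and ExchangeOnlineManagement modules, an interactive sign-in, and “Sales” as the department name.

```powershell
# Added example, not code from the article or from Copilot.
# Retrieves member accounts in a department with a server-side Graph filter, then drops
# the accounts that exist only to back room, equipment or shared mailboxes.
# Assumes the Microsoft.Graph.Users and ExchangeOnlineManagement modules are installed
# and that the caller can sign in with User.Read.All and Exchange Online view-only rights.

function Select-HumanAccounts {
    # Pure filter, kept separate so the exclusion logic can be tested without a tenant.
    param(
        [Parameter(Mandatory)] [object[]] $Users,
        [string[]] $ServiceMailboxIds = @()
    )
    # -notcontains compares case-insensitively, which is fine for object ids.
    $Users | Where-Object { $ServiceMailboxIds -notcontains $_.Id }
}

function Get-DepartmentUserAccounts {
    param([Parameter(Mandatory)] [string] $Department)

    # Server-side filter: the Graph service returns only member accounts in the department,
    # so guest accounts are never transferred to the client. Single quotes in the department
    # name are doubled because the OData filter literal is itself single-quoted.
    $safeName = $Department.Replace("'", "''")
    $users = Get-MgUser -All -Filter "department eq '$safeName' and userType eq 'Member'" `
        -Property Id, DisplayName, UserPrincipalName, Department, AccountEnabled

    # Room, equipment and shared mailboxes each have a member account in Entra ID as well.
    # Exchange Online knows which accounts those are; ExternalDirectoryObjectId is the
    # Entra ID object identifier of the account behind the mailbox.
    $serviceMailboxIds = Get-ExoMailbox -ResultSize Unlimited `
        -RecipientTypeDetails RoomMailbox, EquipmentMailbox, SharedMailbox `
        -Properties ExternalDirectoryObjectId |
        ForEach-Object { $_.ExternalDirectoryObjectId }

    Select-HumanAccounts -Users $users -ServiceMailboxIds $serviceMailboxIds
}

# Sign in once with read-only scopes, then run the report.
Connect-MgGraph -Scopes 'User.Read.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

Get-DepartmentUserAccounts -Department 'Sales' |
    Sort-Object DisplayName |
    Format-Table DisplayName, UserPrincipalName, AccountEnabled -AutoSize
```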

The takeaway is that generative AI can only be as good as the material used for its training. The current state of the art is such that AI can’t recognize when its output is incorrect.

PowerShell Still an Essential Tenant Management Skill

Even with the prospect of better, more complete, and more comprehensive AI tooling on the horizon, I still believe that Microsoft 365 administrators should take the time to acquire a working knowledge of PowerShell. For the foreseeable future, AI might well offer help to those who don’t even know how to start using PowerShell to manage a tenant.

Experience to date demonstrates that AI is unlikely to master, anytime soon, the creativity that’s often needed to create something like a full-blown tenant licensing report, complete with costs. Combining data from multiple sources to deliver a solution requires more ingenuity than running straightforward Graph requests. I am waiting to be proven wrong that artificial intelligence and PowerShell can do more than perform straightforward, mundane tasks. In the interim, using GitHub Copilot to accelerate the development of PowerShell scripts might be the most productive way to use AI to improve Microsoft 365 automation.



Microsoft Imposes 1-Year Retention for Teams Meeting Attendance Reports https://office365itpros.com/2025/03/11/attendance-report-retention-policy/ (Tue, 11 Mar 2025)

Attendance Report Retention Policy Already in Force

Microsoft’s decision (announced in message center notification MC1022529 on March 4, 2025) to implement a retention policy for meeting attendance reports is interesting on multiple levels. The title of the notification is misleading because this is a new rather than an updated retention policy.

The attendance report retention policy is in force now and means that “all meeting attendance reports will be stored for one year after meeting end date to align with the Microsoft privacy policy.” I don’t see any specific mention of meeting attendance reports in Microsoft’s privacy policy, but I’m sure it’s covered somewhere. At least, it is to the satisfaction of Microsoft’s lawyers.

The term “retention policy” can confuse because it usually refers to the policies managed by Microsoft Purview data lifecycle management, aka Microsoft 365 retention policies. Teams chats and channel conversations can be managed by Microsoft 365 retention policies, but in this case, the retention policies are specific to Teams, just like the retention applied to Teams meeting recordings.

Attendance Report Basics

Attendance reports are available to meeting organizers. They can also be accessed programmatically using Graph APIs. In the case of meeting recordings, Microsoft research discovered that very few recordings were viewed more than 60 days after an event. It seems likely that the same is true of attendance reports.

I doubt that many organizers go back and check the attendance for long-finished meetings. Some organizers do review the attendance report for particular meetings, but I don’t think this is common practice. Those who do can see details like the time meeting attendees joined and left the meeting, and whether they reacted during the event (Figure 1).

Figure 1: a Teams meeting attendance report from April 2024

Clicking on an attendee reveals details of that person’s “engagement” with the meeting (Figure 2). Some are less effusive during calls and dislike using reactions to express their view on proceedings. Others are more demonstrative. It’s all very much a personal choice, as is enabling cameras during calls.

Figure 2: Details of an attendee’s engagement during a Teams meeting

Downloading Attendance Report Data

The download option for attendance reports preserves the attendance report data in a CSV file. If you want to preserve information about meetings held before November 1, 2024, you have until late August 2025 to download that data. That’s curious, because a one-year retention policy implies that these reports should be available for a full year. For instance, the attendance reports for meetings held in October 2024 should be available until October 2025, and so on. Tenants can’t change the retention period or influence when retention jobs run to remove attendance reports.

My assumption is that Microsoft began stamping attendance reports with retention dates on or around November 1, 2024, and took the decision to run a one-time clean-up of older attendance reports on some unspecified date in late August 2025. Attendance reports have been around for several years. Microsoft discarded the old format in February 2021 and has been tweaking the current format ever since. The one-time cleanup operation will set a baseline for ongoing retention in the future.

No Option to Avoid

Microsoft 365 tenants can’t avoid the new attendance report retention policy. The justification for the new policy is Microsoft’s privacy policy, and it’s probably a justifiable course of action considering the low probability that people will want to go back and view old attendance data years after an event. Besides, organizers can preserve attendance data if they need to, so there’s not much to complain about.



Why Microsoft 365 Copilot Works for Some and Not for Others https://office365itpros.com/2025/02/20/make-copilot-useful/ (Thu, 20 Feb 2025)

I Can’t Wait for Agentic Experiences to Make Copilot Useful

We’re all on a journey to understand how to use artificial intelligence effectively to improve systems, lives, and human existence. If you pay for the necessary licenses, Copilot is everywhere within the Microsoft 365 ecosystem, both as helpers deployed in desktop apps like Word, Teams, and PowerPoint, and the possibility of custom agents for tenants to develop and deploy, albeit without the necessary tools to manage potentially thousands of agents created by citizen developers.

According to Microsoft CEO Satya Nadella, Microsoft wants to make it as simple for people to create agents as it is to create an Excel worksheet, which might mean the creation of the “highly customized agentic experiences” referred to in Microsoft 365 message center notification MC985480 (January 22). I don’t quite know what that phrase means, and the clarifying text that said it “means you can design unique prompts, connect to any LLM, and integrate these custom agents with Microsoft 365 Copilot” wasn’t much help either. When I asked Copilot, it struggled with the concept too (Figure 1). In any case, I’m sure that we’ll all be happy in our highly customized agentic world when it arrives.

Figure 1: Copilot attempts to define highly customized agentic experiences

Why Today’s AI Falls Short of its Hype

All of which brings me to a thoughtful article in the Tomorrow’s Blueprint blog entitled “Why Others Think AI Is a Miracle But You Think It’s Useless.” The author is Microsoft product manager Abram Jackson, now deeply involved in the development of Microsoft 365 Copilot. The core of the article is an assertion that:

“Today’s AI falls short of its hype for many due to three big reasons:

  • It often doesn’t have the data it needs to work with
  • Defining tasks precisely is very difficult
  • There’s little AI can do other than give you text or images.”

Abram knows much more about AI than I do. I reckon that he has captured the problems faced by many organizations as they consider how to extract value from a potentially massive investment in Copilot licenses.

Without access to data, Copilot can do nothing. The magic of Microsoft 365 Copilot, if some exists, is the Microsoft Graph, or access to the documents, emails, and Teams messages stored within Microsoft 365. Yet the legacy of some older Microsoft decisions around collaboration strategy forced organizations to restrict SharePoint Search to stop Copilot revealing information to anyone who asked. As it turns out, it is hard to stop Copilot using data because even document metadata can reveal secrets.

I like the way Abram discusses the issue of defining tasks. Math works because the answer is either right or wrong. Copilot works very well when given well-defined tasks to do, like summarizing a meeting transcript or extracting tasks for people to consider. The same goes for scanning an email thread or summarizing a Word document. Generating text is less satisfactory unless the user is very precise in their prompt and grounds Copilot with some suitable input, like documents to work from. The promise of early demos where Copilot generated project reports and other material in the blink of an eye is never attained where loose prompting gives the AI free rein to indulge itself.

How People Need to Use AI

The summary is that to extract value from AI (and Microsoft 365 Copilot in particular), users must:

Understand if a task is valuable and not prone to hallucinations. Asking Copilot for Word to scan a document and decide if it is well-structured and how to make improvements is valuable for many people who aren’t natural writers. Asking Copilot for Word to generate the initial document introduces the possibility of hallucinations.

Work to define the task precisely: Asking Copilot to do something very precisely with clear boundaries and guidelines will generate much better results than dashing off a quick prompt. Grounding a prompt with some relevant information, like several pertinent documents will always help Copilot to generate better information.

Translate the result generated by the AI into the form you need it to be. For chat, the introduction of Copilot pages has proven useful because it allows users to easily capture the output generated by Copilot for reuse. But will the slides generated by Copilot for PowerPoint be the type you need? Or can Copilot for Excel really perform the computations you want? Of course, they can, but only with practice and perseverance on the part of the human.

As Abram says, this approach “isn’t natural and it is time-consuming.” It comes about because Copilot is essentially an eager assistant that wants to work but will do stupid things unless you tell it precisely what to do and how to do it. Expanding on the example shown in Figure 1, adding context and direction to the prompt gives Copilot the chance to deliver a much better answer. Prompts can now be up to 128,000 characters, so there’s lots of room for comprehensive instructions.

Figure 2: Make Copilot useful by giving the AI better and more detailed instructions

The Bing Conundrum

One last point about data being available for Copilot to work with. I’m not sure about Abram’s statement that “hallucination is largely a solved problem for Microsoft Copilot.” I see odd stuff generated all the time. Abram justifies his claim by saying that “Copilot is trained to only respond with information it has been able to find through search.”

Copilot depends on Bing, and Bing isn’t very good at searching. Take this website. Despite the ease with which Google has indexed and searched all my articles for years, Bing stubbornly refused to touch the site. I only discovered this fact when creating some declarative agents that used office365itpros.com as a source. Since then, the best efforts of WordPress support and my own attempts to navigate the online Bing webmaster advice have only just persuaded Bing to start indexing some pages. Some of the blocks are quite silly. One problem that caused Bing to refuse to index pages was the lack of an alt tag for a graphic in a sidebar.

If Copilot had better search facilities, it could generate better answers because it has better data to work with.



How to Use Bulk User Operations in Entra Admin Center https://office365itpros.com/2025/02/12/update-multiple-entra-id-accounts/ (Wed, 12 Feb 2025)

Update Multiple Entra ID Accounts in a Single Action

It’s perhaps a natural assumption that administrative consoles like the Entra admin center perform actions against singular objects. However, that’s not the case because the Entra admin center now boasts an upgraded edit menu which supports operations against multiple user accounts (Figure 1). As indicated by the admin center, the update is currently in preview.

Figure 1: Bulk User account operations in the Entra admin center

The older bulk operations menu has options for bulk create, bulk invite, and bulk delete.

No Notification from Entra

The disappointing thing is that Microsoft 365 administrators might struggle to discover interesting news like this because the Entra development group doesn’t post notifications to the Microsoft 365 message center. Hearing about changes might depend on fortuitously seeing a message in a social media feed or reading an article like this. It’s odd that Entra doesn’t post notifications in the Microsoft 365 message center because Microsoft 365 is a significant workload for Entra ID that generates large amounts of revenue through premium licenses.

The only documentation for bulk Entra ID updates that I can find refers to the bulk operations menu and says “Bulk operations in the Microsoft Entra admin portal could time out and fail on large tenants. This limitation is a known issue due to scaling limitations.”

The recommended workaround is to use the Microsoft Graph PowerShell SDK. That’s certainly a good idea if you want to process large numbers of accounts. It takes a little while to master user account management with the Graph SDK, but once you understand the basic mechanism, everything clicks into place and scripting account management isn’t a challenge.

What You Can Do to Update Multiple Entra ID Accounts

Using the options in the edit menu is easy. Select some accounts (which can be a mixture of member and guest accounts), and choose one of the supported actions to update multiple Entra ID accounts:

  • Edit properties (Figure 2). Only certain properties can be edited.
  • Add manager. Every account should have a manager.
  • Add sponsors. Account sponsorship is really intended for guest accounts. A flaw in the implementation means that the UI doesn’t reveal if the chosen accounts already have sponsors. There also doesn’t seem to be a way to cancel sponsor assignment if you decide not to select a sponsor. The perils of preview software…
  • Add as members of a group.
  • Add to administrative unit.
  • Edit account status. This option changes the accountEnabled property for the selected accounts from Enabled to Disabled or vice versa.
  • Revoke sessions with a forced sign-out. Affected user accounts must reauthenticate to reconnect.
Figure 2: Editing account properties to update multiple Entra ID accounts
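For larger sets of accounts, or when the preview menu times out, the article’s recommended workaround is the Microsoft Graph PowerShell SDK. The script below is an added example (not code from the original post) that applies the same actions the edit menu offers: edit properties, add a manager, change account status, and revoke sessions. The user principal names, manager, and property values are constructed placeholders, and the signed-in administrator is assumed to hold the User.ReadWrite.All and User.RevokeSessions.All delegated permissions.

```powershell
# Added example: bulk-update Entra ID accounts with the Graph PowerShell SDK.
# Connect interactively with the delegated permissions the operations below need.
Connect-MgGraph -Scopes "User.ReadWrite.All", "User.RevokeSessions.All" -NoWelcome

# Constructed sample input: the accounts that would otherwise be ticked in the
# admin center. Replace with the real set (or import a CSV).
$TargetUpns = @(
    "ann.example@contoso.example",
    "bob.example@contoso.example"
)

# "Edit properties": keys must match Update-MgUser parameter names for splatting.
$NewProperties = @{
    Department     = "Finance"
    OfficeLocation = "Dublin"
}
$ManagerUpn      = "manager.example@contoso.example"   # "Add manager"
$DisableAccounts = $false                              # "Edit account status"
$RevokeSessions  = $false                              # "Revoke sessions"

# Resolve the manager once; Set-MgUserManagerByRef expects an object reference.
$Manager    = Get-MgUser -UserId $ManagerUpn -Property Id
$ManagerRef = @{ "@odata.id" = "https://graph.microsoft.com/v1.0/users/$($Manager.Id)" }

$Results = foreach ($Upn in $TargetUpns) {
    try {
        $User = Get-MgUser -UserId $Upn -Property Id, DisplayName, UserType, AccountEnabled -ErrorAction Stop

        # Edit properties: a single PATCH per account carries every changed property.
        Update-MgUser -UserId $User.Id @NewProperties -ErrorAction Stop

        # Add manager.
        Set-MgUserManagerByRef -UserId $User.Id -BodyParameter $ManagerRef -ErrorAction Stop

        # Edit account status: flips accountEnabled, exactly as the admin center does.
        if ($DisableAccounts) {
            Update-MgUser -UserId $User.Id -AccountEnabled:$false -ErrorAction Stop
        }

        # Revoke sessions: invalidates refresh tokens so the user must sign in again.
        if ($RevokeSessions) {
            Revoke-MgUserSignInSession -UserId $User.Id -ErrorAction Stop | Out-Null
        }

        [PSCustomObject]@{ User = $Upn; Type = $User.UserType; Status = "Updated" }
    }
    catch {
        # Report and continue so one bad entry doesn't abandon the rest of the batch.
        [PSCustomObject]@{ User = $Upn; Type = $null; Status = "Failed: $($_.Exception.Message)" }
    }
}

$Results | Format-Table -AutoSize
```

Each call generates its own Entra ID audit record, just as the admin center actions do, so the Entra ID audit log (or the unified audit log after ingestion) remains the place to verify what changed and who changed it.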

As you might expect, any change made to a user account is captured in an individual audit record and is discoverable by searching the Entra ID audit log (Figure 3) or the unified audit log (after ingestion).

Figure 3: Audit record for a bulk change made to an individual Entra ID user account

Update Multiple Entra ID Accounts is Goodness

The new edit menu option is an example of a change that’s surprising because it hasn’t appeared before now. Making changes to multiple accounts at one time is a great way to speed up administration. It avoids the need to use PowerShell to process one-off changes for small groups of users. However, I’d always use PowerShell for anything more complex because of the extra control it affords.

After all, the nice thing about PowerShell is that you get to choose how to implement functionality without waiting for Microsoft to add options to an admin center. Then again, good things come to those who wait…


Need some assistance to write and manage PowerShell scripts for Microsoft 365? Get a copy of the Automating Microsoft 365 with PowerShell eBook, available standalone or as part of the Office 365 for IT Pros eBook bundle.

Maester Framework Continues to Prosper (Fri, 07 Feb 2025) https://office365itpros.com/2025/02/07/maester-progress/

New Maester Capabilities Added Recently

The Maester project is a PowerShell-based “test automation framework” to check tenant configurations to highlight potential issues for administrators to deal with. When I first covered the Maester project in April 2024, the initiative seemed like an interesting example of how the technical community can come together to build something of obvious value to Microsoft 365 and Entra ID administrators. By October 2024, Maester had added the ability for tenants to add custom tests to extend coverage to basically anywhere that the Microsoft Graph API could reach. In December, the developers published V1.0 of the Maester PowerShell module.

A glance at the latest Maester documentation shows just how much work has been put into its development. I was especially taken by the methods available to monitor Microsoft 365 tenants using Azure DevOps Pipelines, GitHub Actions, Azure Automation, and Azure Container App Jobs, including the ability to notify administrators through email or messages posted to Teams or Slack channels. There’s lots of value to explore here.

Running Tests Against User Accounts

The Maester documentation has examples of writing custom tests. If you want more, Clayton Tyger has created a GitHub repository for custom tests. Most of the current tests cover missing properties for Entra ID accounts, like phone numbers, city, department, hire date, employee identifier, and so on. Checking for missing properties isn’t difficult and given the importance of fully-populated accounts for components like the Microsoft 365 user profile card, it’s a good thing to do.

Venturing into tests for user account properties introduces a level of complexity beyond many of the other Maester tests. Often, a standard test checks for the presence of a setting that is either enabled or disabled, such as who is allowed to create guest accounts in a tenant. Many conditional access policy settings are reviewed in tests to ensure that a tenant is well protected, and so on.

These kinds of tests can be completed quickly. Processing tests fast is important when Maester might run 120 or more tests to check a tenant configuration. You don’t want to get bogged down with waiting for details of 20,000 user accounts to be fetched for checking.

Maester uses a function called Invoke-MtGraphRequest to fetch data from Graph resources. My assumption is that the function is a developed version of the standard Invoke-MgGraphRequest cmdlet from the Microsoft Graph PowerShell SDK that adds functionality like automatic pagination and support for consistency headers for advanced queries. As such, Maester tests have no problem fetching large quantities of user objects to check, if you have time to wait.

Identifying Human Accounts

But then we get to the really difficult problem: how to identify “real” user accounts that should have values in all their properties? Finding all Entra ID member accounts isn’t a good way to proceed because Entra ID member accounts are created for room mailboxes, shared mailboxes, and other purposes. In addition, Entra ID creates member accounts for accounts synchronized from other tenants in a multi-tenant organization (MTO). Failing a Maester test because the account used by a shared mailbox doesn’t have its City property populated is probably not a valuable outcome.

The normal approach is to apply a filter to find user accounts with licenses on the basis that non-human accounts probably don’t have licenses. The only problem is that the accounts used for some shared mailboxes are licensed to allow the mailboxes to have archives or a higher storage quota. A variation on the theme is to filter user accounts with a specific service plan that isn’t usually assigned to non-human accounts. Finding such a service plan becomes the issue here. The service plan can’t be an Exchange plan, yet it must be assigned to all user accounts. The Teams service plan might be a possibility.

Another solution is to use one of the custom properties available in Entra ID to mark accounts. This approach allows a precise filter to find the set of Entra ID accounts used by humans at the expense of the overhead needed to mark accounts by updating the selected custom property.

The Alternative

An alternative is to use the Get-User cmdlet from the Exchange Online management module to fetch Entra ID accounts with user mailboxes. This approach works if everyone in the organization has a mailbox and it’s easy to check the accounts for missing properties (Figure 1).

Figure 1: Checking mailboxes for missing user account properties
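To show how the Get-User approach fits the Maester custom-test model, here is an added example (not code from the Maester project or from the original post) written as a Pester test of the kind Maester loads from its custom tests folder. It assumes the ExchangeOnlineManagement module is loaded and Connect-ExchangeOnline has already run; the tag names and the list of required properties are choices made for this example.

```powershell
# Added example: a custom Maester/Pester test that flags mailbox-owning
# accounts with empty profile properties. Save as a *.Tests.ps1 file in the
# Custom tests folder described in the Maester documentation.

# Properties that every human account should have populated (example choice).
$RequiredProperties = @("City", "Department", "Title", "Phone", "Manager")

function Get-UsersWithMissingProperties {
    <#
      Returns one object per account per missing property.
      Get-User -RecipientTypeDetails UserMailbox returns only accounts that own
      a user mailbox, so shared, room, and equipment mailboxes never appear and
      the "which accounts are human?" problem is sidestepped.
    #>
    param(
        [string[]]$Properties = $RequiredProperties
    )
    $Users = Get-User -RecipientTypeDetails UserMailbox -ResultSize Unlimited
    foreach ($User in $Users) {
        foreach ($Property in $Properties) {
            if ([string]::IsNullOrWhiteSpace($User.$Property)) {
                [PSCustomObject]@{
                    UserPrincipalName = $User.UserPrincipalName
                    MissingProperty   = $Property
                }
            }
        }
    }
}

Describe "Custom: Entra ID profile completeness" -Tag "Custom", "UserProfile" {
    It "Every account with a user mailbox has its required properties populated" {
        $Missing = @(Get-UsersWithMissingProperties)

        # Summarise per property so the Maester report says what to fix, then assert.
        $Summary = $Missing | Group-Object MissingProperty |
            ForEach-Object { "{0}: {1} account(s)" -f $_.Name, $_.Count }
        $Missing.Count | Should -Be 0 -Because ("these properties are missing: " + ($Summary -join "; "))
    }
}
```

As the article notes, fetching every mailbox-owning account is slow in a large tenant, so a test like this belongs in a scheduled Azure Automation run rather than in the quick on-demand test set.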

Fetching a bunch of accounts to check their properties won’t be fast in large tenants, so this is a good example of processing best left to periodic Azure Automation jobs rather than the kind of on-demand test like those used by Maester. Functionality that works splendidly when processing just a few objects often struggles to cope when asked to do the same thing for thousands.


Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.

Microsoft Cloud Revenues Keep on Heaping Up (Thu, 30 Jan 2025) https://office365itpros.com/2025/01/30/microsoft-cloud-revenues-fy25q2/

Microsoft Cloud Revenues Break the $40 Billion (per quarter) Mark for the First Time

On Wednesday, January 29, 2025, Microsoft released their FY25 Q2 earnings and discussed the results at an analyst meeting afterward (transcript available here). Given Microsoft’s recent focus on anything branded as Copilot, a lot of attention was paid to what’s happening around artificial intelligence, but the headline number released was the $40.9 billion revenue for the Microsoft Cloud (an annual run rate of $163.6 billion).

The Microsoft Cloud is an amorphous grouping of products that includes Microsoft 365, Azure, Dynamics 365, and LinkedIn. The growth in cloud revenues has been strong and steady.

The free edition of GitHub Copilot in Visual Studio Code notched up over a million signups in the first week post-launch. As I’ve noted here, GitHub Copilot is a great help to any developer, including those working with PowerShell for Microsoft 365.

Progress with Microsoft 365 Copilot

Satya Nadella said that customers who bought Copilot (for Microsoft 365) had expanded the number of seats by ten times over the last 18 months. That sounds impressive, but we don’t know the real numbers and when you start from a low base any increase seems large. Nadella also said that the number of people who use Copilot (for Microsoft 365) daily more than doubled over the last quarter with “usage intensity” increasing 60%. Usage intensity is Microsoft’s way of measuring how often people use Copilot for Microsoft 365 and what they do.

According to the documentation, the statistic is based on “the average number of Copilot actions taken per user per month.” Microsoft 365 message center notification MC986522 (23 January 2025) reports the addition of usage intensity and retention metrics in the Microsoft Copilot dashboard to allow customers to see how active their users are. It’s also possible to use the Graph Copilot usage API to analyze Copilot interactions and decide if people are active enough to keep their expensive licenses.

Copilot agents also received attention, with the claim being advanced that Copilot Studio makes it “as simple to build an agent as it is to create an Excel spreadsheet.” This is an aspiration rather than reality because creating a Copilot agent today (Figure 1) requires substantially more effort and expertise than firing up Excel to calculate some numbers.

Figure 1: Creating a Copilot agent in Copilot Studio isn’t as easy as working on an Excel spreadsheet

CFO Amy Hood noted that the annual run rate for AI surpassed $13 billion and is above Microsoft’s expectations. The gap between the capital spending of circa $20 billion/quarter for the last several quarters and current revenues is one that Microsoft wants to close, and that’s why customers see so much stress being placed on Copilot.

No Detail about Microsoft 365 Seats

Microsoft failed to update the user numbers for Office 365, Microsoft 365, or Teams. The only clue was the statement that Microsoft 365 commercial seats grew by 7% year-over-year with revenue growth of 15% in constant currency. The growth was attributed to people switching to Microsoft 365 licenses and Copilot, but no details were given. A year ago, Microsoft said that the number of paid Office 365 seats was over 400 million. Applying a growth rate of 7% puts that number at around 428 million, which is as close as we can guess.

I could find just a single mention of Teams in the analyst meeting transcript, which was in Nadella’s comment that “Billions of e-mails, documents, and chats, hundreds of millions of Teams meetings, and millions of SharePoint sites are added each day. This is the enterprise knowledge cloud, and it’s growing fast, up over 25% year-over-year.” According to Microsoft, this makes their cloud the “world’s largest source of organizational knowledge.” The official number for Teams users remains at 320 million as stated in October 2023. If Teams maintained the same ratio of seats to Office 365, it would be at around 350 million, but Microsoft is staying silent on the topic for some reason. It’s interesting that the poster child of Microsoft investment briefings from a couple of short years ago has been left in the dust by the gallop toward AI.

Tactics to Generate Microsoft Cloud Revenues Won’t Change

I don’t expect much to change for Q3 (the current quarter). Microsoft will continue to be ultra-focused on driving Copilot revenue. Along with selling Microsoft 365 Copilot licenses, they’ll continue trying to convince customers to upgrade to higher base products, like Microsoft 365 E5. Given an apparent slowdown in new user acquisition, it’s the only way to keep the Microsoft 365 portion of Microsoft Cloud revenues growing.


Support the work of the Office 365 for IT Pros team by subscribing to the Office 365 for IT Pros eBook. Your support pays for the time we need to track, analyze, and document the changing world of Microsoft 365 and Office 365.

Primer: Running Audit Searches and Sending Email from Azure Automation (Tue, 28 Jan 2025) https://office365itpros.com/2025/01/28/azure-automation-for-audit-searches/

Use Azure Automation for Audit Searches

In the past, I published articles covering the basics of using Azure Automation to process Microsoft 365 data. The articles cover the basics of using an automation account to execute runbooks (PowerShell scripts based on the Microsoft Graph PowerShell SDK), how to output results to a SharePoint Online list, and how to attach runbooks to automation schedules to make sure that processes execute automatically and reliably.

This article covers how to execute Microsoft 365 audit searches in runbooks and how to send the results extracted from the audit searches via email. I’m going to use the scenario discussed on 24 January about a flaw found in Entra ID that allowed users to change their user principal names. Microsoft has since addressed the problem, but the fact still remains that changes to user principal names can have consequences for services other than authentication. Any change like this deserves oversight. The purpose is to explore the principles rather than the details of a solution, and the techniques used here can be applied to any audit log search.

Basic Outline to Create a Runbook for a Microsoft 365 Audit Search

Two methods are available to search the unified audit log: the synchronous Search-UnifiedAuditLog cmdlet from the Exchange Online management module and the asynchronous Graph audit log query API.

Opting for the Graph API makes sense for an Azure Automation job. Asynchronous searches take longer, but that doesn’t matter when the job executes in the background, especially if it’s a scheduled run. In terms of the code, Microsoft has temporarily withdrawn the Get-MgBetaSecurityAuditLogQuery cmdlet and the Get-MgBetaSecurityAuditLogQueryRecord cmdlet sometimes doesn’t work, so we use Graph API requests in this example. I used V2.25 of the Graph SDK, and the cmdlets might have returned by the time you read this text.

The basic processing steps are:

  • Construct the parameters for the audit log search. The Update User operation captures changes made to user accounts, so that’s what the search looks for over the last seven days.
  • Submit the search and monitor its progress until completion.
  • Retrieve the audit records.
  • Process the audit records to check if any are for changes to the userPrincipalName property and capture details of these events.
  • Create an HTML fragment containing the events and use it to create the HTML content for a message.
  • Run the Send-MgUserMail cmdlet to send the message to a predetermined recipient. This can be any valid email address. In production, it’s likely that the recipient would be a distribution list, but it could be a Microsoft 365 group, or even a Teams channel.
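The following runbook skeleton is an added example that walks through the six steps above; it is not the downloadable script from the Office 365 for IT Pros GitHub repository. It assumes the automation account’s managed identity holds AuditLogsQuery.Read.All and Mail.Send, and $SenderUpn and $RecipientAddress are placeholder addresses to replace. “Update user.” (with the trailing period) is the operation name that Entra ID writes to the unified audit log for account changes.

```powershell
# Added example: runbook that finds userPrincipalName changes in the last 7 days
# and mails them. Runs under the automation account's managed identity.
Connect-MgGraph -Identity -NoWelcome

$SenderUpn        = "automation.sender@contoso.example"   # placeholder: mailbox the report is sent from
$RecipientAddress = "identity-admins@contoso.example"     # placeholder: distribution list or mailbox

# Step 1: search parameters for the last seven days of "Update user." events.
$End   = (Get-Date).ToUniversalTime()
$Start = $End.AddDays(-7)
$SearchBody = @{
    displayName         = "UPN changes " + $End.ToString("yyyy-MM-dd")
    filterStartDateTime = $Start.ToString("o")
    filterEndDateTime   = $End.ToString("o")
    operationFilters    = @("Update user.")
}
$Uri   = "https://graph.microsoft.com/beta/security/auditLog/queries"
$Query = Invoke-MgGraphRequest -Method POST -Uri $Uri -Body ($SearchBody | ConvertTo-Json) -ContentType "application/json"

# Step 2: poll until the asynchronous search completes (status: notStarted, running, succeeded, failed).
do {
    Start-Sleep -Seconds 30
    $Query = Invoke-MgGraphRequest -Method GET -Uri "$Uri/$($Query.id)"
} while ($Query.status -in @("notStarted", "running"))
if ($Query.status -ne "succeeded") { throw "Audit search ended with status '$($Query.status)'" }

# Step 3: retrieve every record, following @odata.nextLink for paging.
$Records = @()
$PageUri = "$Uri/$($Query.id)/records"
do {
    $Page     = Invoke-MgGraphRequest -Method GET -Uri $PageUri
    $Records += $Page.value
    $PageUri  = $Page.'@odata.nextLink'
} while ($PageUri)

# Entra ID stores old/new values as JSON-encoded strings; decode them for readability.
function ConvertFrom-AuditValue ($Value) {
    if ([string]::IsNullOrWhiteSpace($Value)) { return "" }
    try { return (@($Value | ConvertFrom-Json) -join ", ") } catch { return $Value }
}

# Step 4: keep only events whose ModifiedProperties include a UserPrincipalName change.
$UpnChanges = foreach ($Record in $Records) {
    $Change = $Record.auditData.ModifiedProperties | Where-Object { $_.Name -eq "UserPrincipalName" }
    if ($Change) {
        [PSCustomObject]@{
            When     = $Record.createdDateTime
            Actor    = $Record.userPrincipalName
            Target   = $Record.auditData.ObjectId
            OldValue = ConvertFrom-AuditValue $Change.OldValue
            NewValue = ConvertFrom-AuditValue $Change.NewValue
        }
    }
}

# Step 5: build the HTML fragment and wrap it in a message body.
$HtmlBody = if ($UpnChanges) {
    $Table = $UpnChanges | ConvertTo-Html -Fragment -Property When, Actor, Target, OldValue, NewValue
    "<html><body><p>User principal name changes in the last 7 days:</p>$($Table -join "`n")</body></html>"
} else {
    "<html><body><p>No user principal name changes were found in the last 7 days.</p></body></html>"
}

# Step 6: send the report. saveToSentItems is off so the sending mailbox stays clean.
$MailParams = @{
    message = @{
        subject      = "Audit report: user principal name changes"
        body         = @{ contentType = "HTML"; content = $HtmlBody }
        toRecipients = @(@{ emailAddress = @{ address = $RecipientAddress } })
    }
    saveToSentItems = $false
}
Send-MgUserMail -UserId $SenderUpn -BodyParameter $MailParams
```

Because Mail.Send is an application permission that covers every mailbox by default, pair it with an RBAC for Applications scope that limits the automation account to the sending mailbox, as the testing section below recommends.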

Testing the Runbook for a Microsoft 365 Audit Search

As always, it’s wise to test the runbook code by running it interactively in a Microsoft Graph PowerShell SDK session. The automation account must have the AuditLogsQuery.Read.All application permission to access audit logs and Mail.Send to be able to send email. See my earlier post for how to assign Graph permissions to automation accounts. In production scenarios, you should use RBAC for Applications to restrict access for the automation account to specific mailboxes.

To mimic what happens when Azure Automation executes the runbook, use an app-only session by signing in with an app identifier, tenant identifier, and a certificate uploaded to the app. The app must have consent to use the two permissions listed above. Once everything works interactively, copy the code and create a new Azure Automation runbook and test that the code runs in that environment (Figure 1).

Figure 1: Testing a runbook to extract audit events in Azure Automation

When everything checks out, you can register the runbook with an automation schedule. This check is a good example of something that should be done bi-weekly. Of course, what the recipients do when they receive the message (Figure 2) is up to them.

Figure 2: Details of audit events distributed by email sent by an Azure Automation runbook

Better than Microsoft 365 Audit Policies?

Similar functionality, in terms of sending email notifications for events found by Microsoft 365 audit searches, is available through Microsoft 365 audit policies. The reason why a DIY version might be preferable is that you have full control over the content presented in messages and the advice given to recipients, plus any associated processing you might want to do. For instance, you could log the highlighted audit events in a SharePoint Online list and require administrators to attest that they checked each event to make sure that it’s appropriate. That might be too much, but it’s possible.

The code I used for testing can be downloaded from the Office 365 for IT Pros GitHub repository.


Primer: How to Use Azure Automation to Run Microsoft Graph PowerShell SDK Scripts (Tue, 21 Jan 2025) https://office365itpros.com/2025/01/21/azure-automation-runbook-primer/

Running PowerShell in Azure Automation Runbooks Seems Complex – But Is it?

Over this past weekend, I was quizzed about why many people recommend using Azure Automation runbooks to run PowerShell scripts when setting everything up is so complex. I guess that I’ve been using this stuff for so long that I just accept how it works and gloss over some of the issues that people struggle with. In an attempt to help, I thought that I’d create a really simple example as a starting point. Let’s see how I do.

The Nature of Azure Automation

Azure Automation is a cloud-based service that supports running PowerShell scripts on headless servers. The scripts are called runbooks and the code that runs in Azure Automation is similar to the scripts that you run interactively.

The big difference is that Azure Automation is a non-interactive environment. Prompts don’t exist and any output is only seen when scripts finish. That being said, it is not difficult to take code written for interactive use and move it to Azure Automation. In fact, because debugging code in a non-interactive environment is difficult, it’s always best to make sure that a script runs without problems in an interactive environment before attempting to move it to Azure Automation.

Starting Off with Azure Automation

To begin, you’ll need an Azure subscription with an associated credit card to pay for the resources used to run code. Microsoft offers Azure free account and pay-as-you-go options.

With an Azure account, you can create a resource group (to hold the resources needed by Azure Automation) and an automation account (Figure 1). The automation account holds the permissions and roles needed to access Microsoft 365 data.

Figure 1: Creating a new Azure Automation account

Resources for the Automation Account

Before writing any code to access Microsoft 365 via Azure Automation, you’ll need to add some resources to the automation account. The resources are the PowerShell modules containing the cmdlets needed by your scripts. When you execute a runbook, Azure Automation loads the modules into the session created on the headless server.

To add a PowerShell module, access the automation account and go to Modules under Shared Resources. Click Browse gallery and input the name of the module to add (Figure 2). This example features a script to list recently created Entra ID user accounts, so I added the Microsoft.Graph.Authentication module (needed for any Graph SDK script) and the Microsoft.Graph.Users module.

Figure 2: Browsing PowerShell modules to add as resources to an automation account

How do you know what modules to add? In some cases, like Exchange Online, a single module (ExchangeOnlineManagement) is needed. The Microsoft Graph PowerShell SDK is more complex because it’s composed of multiple sub-modules.

If you have the Microsoft Graph PowerShell SDK installed on a workstation, an easy way to find out which sub-module is needed for a specific cmdlet is to use Get-Command in an interactive session. For instance, Get-Command reports that the source for the Get-MgUser cmdlet is the Microsoft.Graph.Users module:

Get-Command Get-MgUser | Format-Table Name, Source

Name       Source
----       ------
Get-MgUser Microsoft.Graph.Users

If you don’t have the Microsoft Graph PowerShell SDK installed, the module that contains a cmdlet is named in the cmdlet documentation.
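Running Get-Command by hand works for one cmdlet at a time. The function below is an added example (not code from the original post) that generalizes the check: it parses a script with the PowerShell AST, resolves every command it invokes, and groups them by source module so you know exactly which modules to add under Shared Resources before the runbook runs. It must execute on a workstation where the modules are installed; the sample script it writes to a temporary file is constructed for the demonstration.

```powershell
# Added example: list the modules a script depends on, grouped by module.
function Get-ScriptModuleDependencies {
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )
    $Tokens = $null; $Errors = $null
    $Ast = [System.Management.Automation.Language.Parser]::ParseFile($Path, [ref]$Tokens, [ref]$Errors)
    if ($Errors) { throw "Script has parse errors: $($Errors[0].Message)" }

    # Every command invocation, including those nested in functions and script blocks.
    $CommandNames = $Ast.FindAll({ $args[0] -is [System.Management.Automation.Language.CommandAst] }, $true) |
        ForEach-Object { $_.GetCommandName() } |
        Where-Object { $_ } |
        Sort-Object -Unique

    foreach ($Name in $CommandNames) {
        $Command = Get-Command -Name $Name -ErrorAction SilentlyContinue | Select-Object -First 1
        # Follow aliases (e.g. "select") to the cmdlet they resolve to.
        if ($Command -is [System.Management.Automation.AliasInfo]) {
            $Command = $Command.ResolvedCommand
        }
        [PSCustomObject]@{
            Command = $Name
            Source  = if ($Command) { $Command.Source } else { "(not found: module not installed?)" }
        }
    }
}

# Constructed sample script, written to a temp file so the example runs offline.
$SamplePath = Join-Path ([System.IO.Path]::GetTempPath()) "New-UserReport.ps1"
@'
Connect-MgGraph -Identity -NoWelcome
$Date  = (Get-Date).ToUniversalTime().AddDays(-30).ToString("yyyy-MM-ddTHH:mm:ssZ")
$Users = Get-MgUser -Filter "createdDateTime ge $Date" -Property Id, DisplayName, UserType
$Users | Sort-Object UserType | Format-Table DisplayName, UserType
'@ | Set-Content -Path $SamplePath

# Modules in the Microsoft.PowerShell.* family ship with Azure Automation; anything
# else listed here is what you add under Shared Resources > Modules.
Get-ScriptModuleDependencies -Path $SamplePath |
    Group-Object Source |
    Select-Object @{ n = "Module"; e = { $_.Name } },
                  @{ n = "Cmdlets"; e = { $_.Group.Command -join ", " } } |
    Format-Table -AutoSize -Wrap
```

For the sample script, the output separates Microsoft.Graph.Authentication (Connect-MgGraph) from Microsoft.Graph.Users (Get-MgUser), with the built-in cmdlets under Microsoft.PowerShell.Utility; a command reported as not found is a sign that a module is missing on the workstation and will be missing in Azure Automation too.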

Permissions for the Automation Account

As you’re probably aware, any access to data via the Microsoft Graph is governed by permissions. Automation accounts use application permissions and therefore have access to any data in the tenant allowed by the assigned permissions.

The permissions also include Entra ID roles needed to access the data you want to process. For instance, cmdlets from the Exchange Online module assume that they’re run by administrators, so the automation account must be added to the Entra ID Exchange administrator role and have consent for the Exchange ManageAsApp permission.

The permissions granted to automation accounts are held by the service principal for each account. You can see details of the service principal for an automation account in the enterprise apps section of the Entra admin center. Figure 3 shows that the automation account called M365Automation has a single assigned Graph permission (User.Read.All).

Figure 3: Permissions assigned to the service principal for an automation account

The Entra admin center allows you to see assigned permissions but not assign other permissions. You can only assign permissions with PowerShell. This is a little messy, but once you know how, it will make sense. After connecting a Graph SDK interactive session with the AppRoleAssignment.ReadWrite.All permission, find the details of the Graph application (which always has the same identifier) and the service principal for the automation account.

Connect-MgGraph -Scopes AppRoleAssignment.ReadWrite.All
$GraphApp = Get-MgServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"
$TargetSP = Get-MgServicePrincipal -filter "displayname eq 'M365Automation'"

Next, find the identifier for the app role (permissions) we want to assign.

$Role = $GraphApp.AppRoles | Where-Object {$_.Value -eq "User.Read.All"}

Now build a hash table containing the parameters for the new role assignment. As you can see, the parameters are the identifiers for the service principal, resource (Microsoft Graph), and the role.

$AppRoleAssignment = @{}
$AppRoleAssignment.Add("PrincipalId",$TargetSP.Id)
$AppRoleAssignment.Add("ResourceId",$GraphApp.Id)
$AppRoleAssignment.Add("AppRoleId",$Role.Id)

Finally, run the New-MgServicePrincipalAppRoleAssignment cmdlet to make the assignment and report success if an application role assignment identifier is returned.

$RoleAssignment = New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $TargetSP.Id -BodyParameter $AppRoleAssignment
If ($RoleAssignment.AppRoleId) {
  Write-Host ("{0} permission granted to {1}" -f $Role.Value, $TargetSP.DisplayName)
}

Write Some Code for an Azure Automation Runbook

All the steps above have created the environment to write and run some PowerShell code. My example is to return the names of Entra ID accounts created in the last month. In an interactive session, the code is:

$Date = (Get-Date).ToUniversalTime().AddDays(-30).ToString("yyyy-MM-ddTHH:mm:ssZ")
[array]$Users = Get-MgUser -Filter "createdDateTime ge $Date" -Property Id, displayName, UserType, CreatedDateTime |Sort-Object UserType
If ($Users) {
   $Users | Format-Table DisplayName, UserType
}

The same code works in Azure Automation. Go to the automation account and create a PowerShell V7.2 runbook. Copy the same code into the runbook and add a line to authenticate using a managed identity:

Connect-MgGraph -Identity -NoWelcome

A managed identity is a system-managed, highly secure identity. All the major Microsoft 365 PowerShell modules support system-assigned managed identities. Using a managed identity for authentication means that you don’t need to worry about passwords, secrets, or X.509 certificates.

After copying the code into the runbook and adding the connection via a managed identity, the runbook should look like Figure 4.

Figure 4: Viewing PowerShell code in an Azure Automation runbook

The test pane allows you to test the code under Azure Automation. When the test pane loads, click Start. Azure Automation goes through its process to allocate a server, provision the server with the necessary resources, and then run the code. When the code finishes, you’ll see the output (Figure 5). It’s always nice to see the expected result when an Azure automation runbook stops.

Figure 5: The output for the runbook

Lots More Possible with Azure Automation Runbooks

We’ve been through a basic example to explore the principles involved in creating an Azure Automation account, adding resources and permissions, and running some code. There’s lots more to do from this point: code will be more complex and probably create some output like email, SharePoint Online documents, or Teams messages; more resources and permissions will be needed; and you’ll probably want to explore how to schedule jobs so that they run on a regular basis, for instance to check audit events weekly for signs of any problems with tenant security. In the next article in this series, I cover some of this ground by showing how to output the results of an Azure Automation runbook to a SharePoint list.

Azure Automation isn’t overly complex. Like all of us, it just needs to be appreciated in its own way.


Microsoft 365 User Profile Card Gets Name Pronunciation (Fri, 17 Jan 2025) https://office365itpros.com/2025/01/17/name-pronunciation-profile-card/

Name Pronunciation Recordings Help People Get Names Right

Message center notification MC917748 (last update 13 November 2024, Microsoft 365 roadmap item 420329) marks the latest update for the Microsoft 365 user profile card. This time round, users get the opportunity to add a recording of up to ten seconds to help colleagues understand how to pronounce their name correctly (Figure 1).

Figure 1: Adding name pronunciation for a user via the Microsoft 365 user profile card

Microsoft says that the “new feature helps promote diversity by giving working colleagues relevant information about each other. Names are a crucial part of a person’s identity. The incorrect pronunciation of a person’s name can lead to anxiety and offense in some cases. Correctly pronouncing a person’s name helps to create an inclusive environment.” Having the proven ability to make a mess of many people’s names in my career, I should find this feature useful.

Once a name pronunciation is available, people can play the recording back by clicking the playback button beside the user’s name (Figure 2).

Figure 2: Playing a name pronunciation recording

It’s worth noting that zero checking is performed when a user records their name pronunciation. If they want to call themselves “Mickey Mouse,” they can. Likewise, they can also include something more objectionable in the recording.

General availability is scheduled for mid-January 2025, so the update is currently rolling out. The roadmap item tags the feature for Teams, but MC917748 correctly notes that it’s also available in OWA and the new Outlook for Windows (but not yet in Outlook classic). Over time, I assume that name pronunciation recording will show up everywhere that the Microsoft 365 profile card is visible.

Where Name Pronunciation Recordings are Stored

MC917748 says “Pronunciation data is stored in each user’s mailbox until the user deletes the recording.” Keeping the data in user mailboxes means that pronunciation recordings are available across all clients on all workstations and avoids the kind of problems encountered with Outlook classic, where settings are usually held in the system registry.

The non-IPM folders of a mailbox are not visible to normal email clients like Outlook. Applications often use folders in this section to store configuration and other data. The new Outlook for Windows and OWA store many mailbox settings in sub-folders of ApplicationDataRoot, and browsing through those folders with the MFCMAPI utility reveals a folder called ApplicationDataRoot\8c22b648-ee54-4ece-a4ca-3015b6d24f8e\source_sourcenamepronunciation.

The folder holds a single message item containing the pronunciation recording. Figure 3 shows how the item appears in MFCMAPI. In my case, the recording takes 440,728 bytes (approximately 430 KB), which seems about right for a six-second recording.

Figure 3: The message item holding the pronunciation recording for a mailbox

Enabling Name Pronunciation Recordings

According to MC917748, the feature is off by default, meaning that users don’t see the icons to record and play back name pronunciation recordings in the user profile card. In an update to MC917748 posted on 29 April 2025, Microsoft announced the deployment of a GUI to control the setting for the name pronunciation feature in the Security & Privacy section of Org Settings in the Microsoft 365 admin center (Figure 4).

Figure 4: Name pronunciation setting in the Microsoft 365 admin center

Programmatic control over name pronunciation is via the Graph namePronunciationSettings resource type with APIs available to Get and Update the setting controlling whether users see the record and playback buttons. For instance, to get the current setting with the Microsoft Graph PowerShell SDK, run these commands:

$Uri = "https://graph.microsoft.com/beta/admin/people/namePronunciation"
Invoke-MgGraphRequest -Uri $Uri -Method Get

Name                           Value
----                           -----
isEnabledInOrganization        True
@odata.context                 https://graph.microsoft.com/beta/$metadata#admin/people/namepronunciation/$entity

To update the setting to disable name pronunciation recordings, construct a hash table containing the new value and update (patch) the resource:

$Settings = @{}
$Settings.Add("isEnabledInOrganization", $false)
Invoke-MgGraphRequest -Uri $Uri -Method Patch -Body $Settings

The setting is on or off for a complete tenant. You cannot enable name pronunciation recording and playback for some mailboxes and not for others. This is very similar to the way that the setting controlling the display of personal pronouns (introduced in March 2023) is managed:

$Uri = "https://graph.microsoft.com/V1.0/admin/people/pronouns"
Invoke-MgGraphRequest -Uri $Uri -Method Get

Name                           Value
----                           -----
isEnabledInOrganization        True
@odata.context                 https://graph.microsoft.com/beta/$metadata#admin/people/pronouns/$entity

Unfortunately, the API requests to control the name pronunciation settings currently fail with a 404 not found error. I’m sure that this is a transient problem that Microsoft will sort out soon.
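
The following script is an added example; it is not code from the original post or from Microsoft’s documentation. It reads both profile card switches (name pronunciation and pronouns) in one pass, treats the 404 described above as “not available” instead of a terminating error so the rest of the report still runs, and shows how a change should be confirmed by reading the resource back rather than trusting the empty 204 response from a PATCH. The PeopleSettings.ReadWrite.All scope used here is an assumption about the permission required; check the namePronunciationSettings documentation for your tenant before running it with write intent.

```powershell
# Added example, not from the original post. Assumes the Microsoft Graph
# PowerShell SDK is installed and that PeopleSettings.ReadWrite.All (assumed
# permission) covers both the namePronunciation and pronouns resources.
Connect-MgGraph -Scopes 'PeopleSettings.ReadWrite.All' -NoWelcome

function Get-ProfileCardFeatureSetting {
    param(
        [Parameter(Mandatory)] [string] $Name,   # label used in the report
        [Parameter(Mandatory)] [string] $Uri     # Graph URI of the settings resource
    )
    try {
        $Data = Invoke-MgGraphRequest -Uri $Uri -Method GET -OutputType PSObject
        [PSCustomObject]@{
            Feature = $Name
            Enabled = [bool]$Data.isEnabledInOrganization
            Status  = 'OK'
        }
    } catch {
        # A 404 means Graph is not (yet) serving the resource for this tenant,
        # which is the failure mode described in the post. Anything else
        # (403, throttling, transient 5xx) is surfaced rather than swallowed.
        $Status = if ($_.Exception.Message -match '404|NotFound') {
            'Not available (404)'
        } else {
            "Error: $($_.Exception.Message)"
        }
        [PSCustomObject]@{ Feature = $Name; Enabled = $null; Status = $Status }
    }
}

function Set-ProfileCardFeatureSetting {
    param(
        [Parameter(Mandatory)] [string] $Uri,
        [Parameter(Mandatory)] [bool]   $Enabled
    )
    # Patch only the one property that the resource exposes for update.
    $Body = @{ isEnabledInOrganization = $Enabled } | ConvertTo-Json
    Invoke-MgGraphRequest -Uri $Uri -Method PATCH -Body $Body -ContentType 'application/json' | Out-Null
    # PATCH returns no body on success, so read the setting back to confirm it.
    $After = Invoke-MgGraphRequest -Uri $Uri -Method GET -OutputType PSObject
    if ([bool]$After.isEnabledInOrganization -ne $Enabled) {
        throw "Read-back of $Uri shows isEnabledInOrganization=$($After.isEnabledInOrganization), expected $Enabled."
    }
    [bool]$After.isEnabledInOrganization
}

# Both tenant-wide switches, using the URIs from the post.
$Features = @(
    @{ Name = 'Name pronunciation'; Uri = 'https://graph.microsoft.com/beta/admin/people/namePronunciation' }
    @{ Name = 'Pronouns';           Uri = 'https://graph.microsoft.com/v1.0/admin/people/pronouns' }
)
$Report = foreach ($F in $Features) { Get-ProfileCardFeatureSetting -Name $F.Name -Uri $F.Uri }
$Report | Format-Table -AutoSize

# To turn name pronunciation off and confirm the change took effect:
# Set-ProfileCardFeatureSetting -Uri $Features[0].Uri -Enabled $false
```

Because both settings are tenant-wide, a successful read-back is the only evidence that the change applied; there is no per-mailbox state to inspect.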

Up to Organizations to Decide

Some consider this kind of addition to the user profile to be so much woke fluff. Others consider pronouncing names correctly to be an essential part of business discourse. Both are entitled to their opinion. It’s good to have the choice in a world where dealing with different cultures and names is a reality for most.


Learn how to exploit the data available to Microsoft 365 tenant administrators through the Office 365 for IT Pros eBook. We love figuring out how things work.

All About the Office 365 for IT Pros GitHub Repository (https://office365itpros.com/2025/01/10/office365itpros-github/, published Fri, 10 Jan 2025)

A Store of PowerShell Scripts for Microsoft 365 Tenant Management in the Office365ITPros GitHub Repository

I’m on record as saying that knowing how to access and interact with Microsoft 365 data with PowerShell is essential knowledge for tenant administrators. Many options are enabled through settings that are only accessible through PowerShell, and it’s possible to extract more data from workloads with PowerShell (including use of Graph API requests) than is exposed through the different Microsoft 365 administrative interfaces.

Microsoft helps by including PowerShell examples in its documentation. The examples are basic and tend to concentrate on performing a single step in what is often a more complex sequence of commands necessary to fully complete a task. Nevertheless, all examples are welcome, and the Microsoft examples receive lots of attention because of their source.

What’s in the Office365ITPros Repository

As part of investigating Microsoft 365 technology to report how things work, we write a lot of PowerShell code. Until 2019, we published code in articles. At an Experts Live event in Oslo, Norway in 2019, Ståle Hansen (who wrote the Teams devices chapter for the book at that time) suggested that we establish a GitHub repository and use it to distribute script samples instead. Simple web links allow us to reference scripts in the Office365ITPros GitHub repository as needed in presentations, articles, and the Office 365 for IT Pros and Automating Microsoft 365 with PowerShell eBooks.

The suggestion made a ton of sense. Instead of updating script code in WordPress pages, we could update the script code in GitHub to keep it current, eliminate annoying bugs, and smoothen out problems caused by Microsoft changing the way that cmdlets work. For instance, scripts that call the Search-UnifiedAuditLog cmdlet have needed updates several times since 2018. Looking forward into 2025, Microsoft proposes to make another fundamental (and horrible) change to Search-UnifiedAuditLog that will cause many problems.

Another important change happened when the Microsoft Graph PowerShell SDK went from V1 to V2 and changed the structure of the modules and naming scheme for the beta cmdlets. Looking back, this was a good change, even if it caused disruption at the time by forcing developers to remove the cmdlet that selected beta or production cmdlets together with renaming any beta cmdlets called in scripts.

The Office 365 for IT Pros GitHub repository (Figure 1) currently contains 304 PowerShell scripts covering different aspects of Microsoft 365 and Entra ID tenant management (the repository held 80 scripts when we first launched it in 2021: https://office365itpros.com/2021/01/21/introducing-office-365-for-it-pros-github-repository/). We update scripts when we discover issues or when people let us know about bugs or features they would like to see implemented.

Figure 1: The Office365ITPros GitHub Repository

The quality of the code has gradually improved over the years. Several reasons exist why this should be so:

The repository could be better organized into folders for different topics and the naming convention isn’t great at times. We know that things could be better and improving the structure is on our to-do list.

It’s important to understand that Office 365 for IT Pros does not create fully-fledged solutions. The scripts are to explore principles of interacting with Microsoft 365 workloads, to extract and refine data, create objects, manage settings, and so on. Error handling is enough to make sure that everything works, but not sufficient for deployment in a production environment. We take this approach deliberately because every organization has its own coding standards. Our intention is that developers can take the code we create and meld it in their own fashion to solve automation problems within a tenant.

Forking the Office365ITPros GitHub Repository

You can share the scripts in the Office365ITPros repository by forking to create your own copy of the repository. As you can see from Figure 1, 583 forks exist for the Office365ITPros repository, all created by people who want to have their own copy of the scripts to work with. Those with forks can change code to make scripts work better by fixing bugs or adding features and then push the changes for inclusion in our repository. Twenty people have made contributions in this manner since the creation of the repository. It’s a great example of community in action.

Browse the Office365ITPros GitHub Repository – And Maybe Become a Contributor

The Office365ITPros repository exists to share PowerShell code so that we can all learn how to write quality scripts for Microsoft 365. Take the time to browse the scripts to see what might be useful to you. If you find something that could be done better, fork the repository and make the change and push the amended code to us. We’ll have a look at the changes and decide whether to accept them. We always welcome a new contributor!


Need more help to write and manage PowerShell scripts for Microsoft 365? Get a copy of the Automating Microsoft 365 with PowerShell eBook, available standalone or as part of the Office 365 for IT Pros eBook bundle.

Viva Engage Items Show Up in Search Results (https://office365itpros.com/2025/01/02/viva-engage-search/, published Thu, 02 Jan 2025)

Viva Engage Search Results in Microsoft Search in Bing (for Now)

News that Microsoft has decided to remove Microsoft 365 results from searches run by Bing.com (Microsoft Search in Bing) was quickly followed by an update for message center notification MC797471 (Microsoft 365 roadmap item 391669) on 24 December 2024. MC797471 originally appeared on 31 May 2024, and the update informs us that the general availability of Viva Engage results in searches is further delayed until mid-January 2025.

What’s amusing about the announcement is that the now-deprecated Microsoft Bing at Work (aka Microsoft Search in Bing) is one of the scheduled places to surface Viva Engage results. Clearly, writing the announcement that Viva Engage items will appear in search results preceded the decision to cancel Microsoft Search in Bing. It’s the kind of thing that is almost inevitable inside such a large ecosystem where functionality often depends on multiple moving parts.

Viva Engage Search Results Include Questions, Answers, and Storylines

The announcement says that users searching in office.com and sharepoint.com (and even Microsoft Bing at Work until its demise) will see results from Viva Engage (Yammer) that they have access to. Viva Engage items are interleaved with results from other workloads on the search page. The items surfaced are currently limited to question posts from public Communities, Storylines, and Answers. I have no idea why regular conversation items don’t show up. Figure 1 shows how a Viva Engage question appears in the search results displayed by Office.com.

Figure 1: Viva Engage items appear in Office.com search results

It’s no secret that I don’t know why Microsoft has persisted with Viva Engage for so long. My guess is that a set of very large customers bought into the enterprise networking spiel when Microsoft bought Yammer in 2012 and Microsoft felt that they needed to support Yammer to keep those customers. The great promise of fully connected and collaborative organizations didn’t quite work out as planned, largely because Yammer remained so disconnected from the rest of the Office 365 ecosystem for so long. Teams came along in 2016 and demonstrated how to build a new collaboration platform based on Microsoft’s toolkit of Azure services, Entra ID, Exchange Online, SharePoint Online, and OneDrive.

Since then, Viva Engage has been a bit player in Microsoft 365, albeit one with a strong connection to Teams as the provider of apps like Q&A for meetings. Microsoft has not disclosed a recent number for Viva Engage users, which is always a sign that things aren’t going so well in terms of customer success.

In today’s environment where so much of Microsoft 365 engineering resources are dedicated to Copilot everywhere, it’s possible that Yammer would have met the same fate as Viva Topics and Viva Goals if its acquisition was more recent.

The Triumph of Outlook Mobile

In other news, I’ve seen a few LinkedIn posts reminding us that it’s ten years since Microsoft acquired Acompli in a bold move to refocus its mobile email strategy. The Acompli client became Outlook Mobile for iOS and Android and introduced features like the Focused Inbox, now available for all Outlook clients.

Microsoft replaced the original cloud processing service based on Amazon Web Services with Azure several years ago. The cloud service was a critical component for Outlook Mobile because it’s where intelligence is applied to messages to support the delivery of advanced functionality in the client. The Focused Inbox was the first such feature. The same Microsoft synchronization service also processes information for the new Outlook for Windows. Without this processing, Outlook couldn’t deliver features to users whose mailboxes are hosted on antiquated IMAP4 and POP3 servers, a point that utterly escapes people who criticize Microsoft for copying mailbox data to the cloud to be processed there.

In any case, Outlook Mobile is a huge success. The last public number given by Microsoft (April 2019) is 100 million active users. At that time, Office 365 had 180 million active users. Today, it has over 400 million active users (or paid seats), so we can conclude that Outlook Mobile has many more than 100 million users.

No Recipe for Acquisition Success

You can’t make every acquisition pay. Acompli is a great success. Yammer persists and does a job within Microsoft 365 without setting the world on fire, and Viva Goals (ally.io) tanked after 28 months. The same is true for home-grown products where Microsoft 365 SKUs like Cortana Scheduler and StaffHub disappeared soon after launch.

The important thing is that the overall ecosystem keeps on moving forward, and this is true for Microsoft 365, even if it would be nice if some of the effort driven by the current fascination with AI could be refocused on improving performance, addressing bugs, and making the UI smarter. Maybe this will all happen in 2025.


Make sure that you’re not surprised about changes that appear inside Microsoft 365 applications by subscribing to the Office 365 for IT Pros eBook. Our monthly updates make sure that our subscribers stay informed.

Microsoft Search in Bing Gets the Bullet (https://office365itpros.com/2024/12/23/microsoft-search-in-bing-retires/, published Mon, 23 Dec 2024)

No Room for Microsoft Search in Bing in a World Increasingly Dominated by Copilot

In a change that might be linked to the ever-increasing influence of Copilot across Microsoft 365, Microsoft announced (MC961557, 19 December 2024) their intention to remove Microsoft Search in Bing on March 31, 2025. Microsoft says that the decision is the result of their work to “streamline search experiences and focus on enhancing core productivity tools.” A more truthful assessment might advance the case that Microsoft 365 Copilot (BizChat) is now the preferred way for customers to integrate work and web search results, even if that means that a free facility is being replaced by one costing $360/user annually.

Microsoft introduced Microsoft Search by Bing in May 2019. The idea is simple: connect the search indexes generated by Microsoft Search from Exchange, SharePoint, OneDrive, and Teams content and make the data available through searches run from bing.com. Figure 1 shows the “work” results generated by searching bing.com for “Search in Bing.” Depending on what Bing finds, other results might be available under messages (Teams and Outlook), sites, and people.

Figure 1: Microsoft 365 content surfaced by a bing.com search

The integration works well for people whose preferred search engine is bing.com. Once you sign into your tenant account, Bing automatically looks for matches in work sources. The problem is that bing.com is not heavily used, with industry assessments putting its use at around 10% of the desktop search engine market.

Microsoft 365 Copilot Uses Bing

Removing Microsoft Search in Bing doesn’t mean the disappearance of Bing-based searches from Microsoft 365. BizChat and Microsoft Copilot both use Bing to search web sources. Bing is not my favorite search engine and some of the web-based results I see in Copilot leave me wondering where they came from. However, it cannot be denied that Copilot does a much better job of stitching work and web results together to answer user questions.

Tags Being Retired Too

Microsoft Search in Bing lasted nearly five years. The tags feature, introduced in December 2023 to allow users to categorize content “in a way that makes sense to you,” is getting an accelerated retirement and will disappear from the Microsoft 365 app starting on January 6, 2025, and will be completely gone by January 10 (MC961601). The speed of withdrawal indicates that not many people use tags. This isn’t at all surprising given the very low level of utility delivered by the feature.

You can define and apply tags to files through the Microsoft 365 app (Figure 2) but then what? There’s nothing else you can do except apply a tag to add a small splash of color to the details shown for files. It seems like this was a feature introduced without much thought and no follow-up.

Figure 2: Tagging a file in the Microsoft 365 app

The Microsoft 365 app is due to be overhauled in mid-January 2025 (MC958905, 16 December 2024) and the demise of tags is probably an outcome of the review to decide what to keep and what to drop from the app.

Don’t Worry About Retirements

There’s been a spate of retirements within Microsoft 365 recently. Office Delve retired earlier this month and Microsoft announced that Viva Goals will retire in December 2025. Tenant administrators can be forgiven for thinking that the functionality offered by Microsoft 365 is a tad unstable.

The fact is that change happens all the time in the cloud. Office 365 and Microsoft 365 have seen retirements in the past. No product has a guaranteed right to succeed. Some will launch and discover soon afterward that the expected market is just not there. Others will have a burst of initial success and decline thereafter. If a Microsoft 365 product isn’t successful, it won’t last long. Another recent factor seems to be that the availability of engineering resources has tightened because more people are working on Copilot-related features. The pressure is on to reduce effort on non-core or underused features, which is what might have eventually killed Microsoft Search in Bing.

Kaizala, StaffHub, Cortana Scheduler are three examples of products that appeared and disappeared without trace. Viva Topics was retired earlier this year, and Sway is on life support. Yammer was the great hope of 2014 that had to reinvent itself as Viva Connections to stay relevant after Teams came along and became the focus of chat-based collaboration within the suite.

On that thought, this blog will take a short break until the New Year. Over that period, the Office 365 for IT Pros eBook team will still be busy preparing the January 2025 update, including figuring out how to cover the change discussed here. I hope that you all get some well-deserved rest over the holidays and come back refreshed for new (or renewed) challenges in the big, bad world of Microsoft 365 in 2025.


So much change, all the time. It’s a challenge to stay abreast of all the updates Microsoft makes across the Microsoft 365 ecosystem. Subscribe to the Office 365 for IT Pros eBook to receive monthly insights into what happens, why it happens, and what new features and capabilities mean for your tenant.

Blocking Microsoft 365 Copilot Making Inferences in Teams Meetings (https://office365itpros.com/2024/12/19/copilot-inference-and-evaluation/, published Thu, 19 Dec 2024)

Copilot Inference and Evaluation Policy Prevents Copilot in Teams Interpreting Participant Emotions During Meetings

One of the interesting things about using Microsoft 365 Copilot in Teams meetings (or rather Copilot in Teams, for it’s only one of the many Copilots licensed by Microsoft 365 Copilot) is that it attempts to evaluate user sentiment based on their contributions to meetings. Copilot does this by analyzing the words spoken by participants to “infer emotions, make evaluations, discuss personal traits, and use context to deduce answers.”

Evaluating how happy someone is during a meeting sounds a bit too much like big brother oversight to many, especially in countries where personal privacy is more highly prized than in others. If your organization is in this situation, tenant administrators can restrict “Copilot’s ability to make inferences or evaluations about people or groups when prompted to do so by users” by updating the Copilot inference and evaluation policy.

A Simple Graph Query

Microsoft explains how to update the policy in message center notification MC916990 (last updated 16 December 2024, Microsoft 365 roadmap item 411568). Deployment to tenants with Microsoft 365 Copilot licenses is now complete.

MC916990 describes how to use the Graph Explorer to update the policy. Much as I like the Graph Explorer, the description given isn’t very clear and lacks some essential detail, like how to format the JSON input payload (Figure 1) and the required permission.

Figure 1: Updating the Copilot inference and evaluation policy with the Graph Explorer

The Copilot Admin Limited Mode Resource Type

Here’s some of that detail together with instructions about how to do the job with the Microsoft Graph PowerShell SDK. The first thing to know is that the Copilot inference and evaluation policy is represented in the Graph by the copilotAdminLimitedMode resource type. This is important to know, because we can then reference the documentation to discover that the CopilotSettings-LimitedMode.ReadWrite permission is needed to update the policy. This is a delegated permission, so it works in the context of the signed-in user, and only accounts with the Global administrator or Global reader roles can update policy settings.

The documentation for the Get and Update operations doesn’t include any Microsoft Graph PowerShell SDK cmdlets to get and update the policy, but we can use the HTTP URI to interact with the policy through the Invoke-MgGraphRequest cmdlet.

To begin, let’s sign into a Microsoft Graph PowerShell SDK interactive session and request the necessary permission.

Connect-MgGraph -Scopes CopilotSettings-LimitedMode.ReadWrite

If CopilotSettings-LimitedMode.ReadWrite is not in the static list of permissions held by the service principal for the Microsoft Graph Command Line Tools app, you’ll be prompted to grant consent (Figure 2):

Figure 2: Requesting consent for the CopilotSettings-LimitedMode.ReadWrite permission

Next, let’s fetch the current policy values by running Invoke-MgGraphRequest with a Get request to the URI for the policy. The values shown below are the defaults:

$Uri = "https://graph.microsoft.com/beta/copilot/admin/settings/limitedMode"
$Data = Invoke-MgGraphRequest -Uri $Uri -Method GET

$Data

Name                           Value
----                           -----
isEnabledForGroup              False
groupId
@odata.context                 https://graph.microsoft.com/beta/$metadata#copilot/admin/settings/limitedMode/$entity

To update the policy and block Copilot evaluating sentiment for some users, you must create a group and populate its membership with the user accounts to block. Then find the object identifier for the group and copy it for reuse (Figure 3).

Figure 3: Finding the object identifier of the group to use with the Copilot inference and evaluation policy

You can then use the group identifier to update the group settings. This code creates a hash table to hold the two settings to update. The first setting contains the group identifier (stored in a PowerShell variable). The second sets the value for the isEnabledForGroup setting to true for the members of the group. The effect is to instruct Teams to use limited mode for the members of the group when they are meeting participants. When the hash table is ready, run Invoke-MgGraphRequest again to patch the policy with the settings in the hash table.

$GroupId = 'f805d711-c4f4-4663-9993-b08b4be52cb5'
$Parameters = @{}
$Parameters.Add("groupId",$GroupId)
$Parameters.Add("isEnabledForGroup",$true)

Invoke-MgGraphRequest -Uri $Uri -Method Patch -Body ($Parameters | ConvertTo-Json)
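
Putting the steps above together, here is an added example (not code from the original post or from Microsoft’s documentation) that resolves the group by display name instead of a pasted identifier, refuses to silently overwrite a policy that already targets a different group, and reads the policy back after the PATCH to confirm the values stuck. The CopilotSettings-LimitedMode.ReadWrite permission and the limitedMode URI come from the post; the Group.Read.All scope, the Get-CopilotLimitedModePolicy and Set-CopilotLimitedModePolicy function names, and the group display name in the usage line are assumptions made for the example.

```powershell
# Added example, not from the original post. Assumes the Microsoft Graph
# PowerShell SDK; Group.Read.All is an assumed scope used only to resolve the
# group by display name. The limitedMode URI and the CopilotSettings permission
# are the ones given in the post.
Connect-MgGraph -Scopes 'CopilotSettings-LimitedMode.ReadWrite', 'Group.Read.All' -NoWelcome

$PolicyUri = 'https://graph.microsoft.com/beta/copilot/admin/settings/limitedMode'

function Get-CopilotLimitedModePolicy {
    # Returns just the two policy properties, without the @odata.context noise.
    Invoke-MgGraphRequest -Uri $PolicyUri -Method GET -OutputType PSObject |
        Select-Object groupId, isEnabledForGroup
}

function Set-CopilotLimitedModePolicy {
    param(
        [Parameter(Mandatory)] [string] $GroupDisplayName,
        [switch] $Force   # allow replacing a policy already scoped to another group
    )
    # Resolve the group. An ambiguous name is an error, not a silent first match,
    # because the wrong group would silently change who is covered by the policy.
    $Escaped = $GroupDisplayName.Replace("'", "''")
    $Groups  = @(Get-MgGroup -Filter "displayName eq '$Escaped'" -Property Id, DisplayName)
    if ($Groups.Count -ne 1) {
        throw "Expected exactly one group named '$GroupDisplayName', found $($Groups.Count)."
    }
    $GroupId = $Groups[0].Id

    $Current = Get-CopilotLimitedModePolicy
    if ($Current.isEnabledForGroup -and $Current.groupId -and $Current.groupId -ne $GroupId -and -not $Force) {
        throw "Policy is already scoped to group $($Current.groupId); re-run with -Force to replace it."
    }
    if ($Current.isEnabledForGroup -and $Current.groupId -eq $GroupId) {
        Write-Host "Policy already targets '$GroupDisplayName'; nothing to do."
        return $Current
    }

    # Same two properties the post patches, sent as JSON.
    $Body = @{ groupId = $GroupId; isEnabledForGroup = $true } | ConvertTo-Json
    Invoke-MgGraphRequest -Uri $PolicyUri -Method PATCH -Body $Body -ContentType 'application/json' | Out-Null

    # A successful PATCH returns no body, so read the policy back to verify it.
    $After = Get-CopilotLimitedModePolicy
    if ($After.groupId -ne $GroupId -or -not $After.isEnabledForGroup) {
        throw "Policy read-back does not match the requested values (groupId=$($After.groupId), isEnabledForGroup=$($After.isEnabledForGroup))."
    }
    $After
}

# Usage (assumed group name): Set-CopilotLimitedModePolicy -GroupDisplayName 'Copilot Limited Mode Users'
```

The read-back only proves that the policy object changed; as the post notes, Copilot itself can take up to a day to honor the new setting, so a functional test in a meeting should wait for that window.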

The policy update can take up to a day before it is effective. When it is, Copilot will decline to answer questions about someone’s performance, emotions, or personal traits. Figure 4 shows two examples. The first is the same example as used in Microsoft’s announcement: ask if someone is happy based on their contributions to a meeting. The second asks who made the most positive contribution to the conversation.

Figure 4: Copilot in Teams declines to answer questions blocked by the Copilot inference and evaluation policy

In contrast, Figure 5 shows how Copilot responds to the same question asked by another meeting participant who isn’t restricted by policy.

Figure 5: The answer Copilot really wanted to give until it was blocked by policy

Using the policy to restrict user interaction with Copilot also stops people asking questions like “is Tony participating in this meeting,” which will come as a relief to those of us who attend calls and say nothing because we’re busy doing other things as the meeting progresses (and rely on the meeting recap to understand what happened).

Stop Big Brother Oversight

I’m not sure that many people ask questions about the feelings or emotions of other meeting participants. It seems like a kind of weird thing to do, and I can appreciate that some would find the prospect of AI measuring their emotions to be on the wrong side of big brother observation. Concern has already been expressed about how Copilot could compromise user privacy. For example, SURF, the ICT cooperative of Dutch education and research institutions, issued a Data Protection Impact Assessment (DPIA) on December 18, 2024 to caution about privacy risks associated with the use of Copilot.

With that thought in mind, implementing a policy to control Copilot’s ability to evaluate user emotions is a good thing that organizations using Copilot today should consider using.


Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.

New Option Available to Update Microsoft 365 User Profile (https://office365itpros.com/2024/12/10/user-profile-updates/, published Tue, 10 Dec 2024)

Find Your Account with Microsoft Search to Update Your Details

Delve is scheduled for retirement on December 16, 2024. As noted previously, when Delve retires, users need a different mechanism to update their profile settings. Microsoft said that the replacement for user profile updates will be available through Microsoft search and promised that the replacement would be available before the demise of Delve. The option to update user profiles has duly arrived and should now be available in tenants.

The new option hasn’t yet replaced the My Microsoft 365 profile accessed by clicking the user profile photo in the top right-hand corner of Microsoft 365 browser interfaces. I’m sure that this will happen, but in the interim, you’ll need to go to Office.com and search to find your user profile. When you view your profile, you should see the option to Update your profile (Figure 1).

Figure 1: The option to update a user profile

Eventually, the option to update user profile settings should appear in all apps where users can currently view their profile card.

Updating User Details

Generally speaking, updating a user profile is straightforward. Some updates show up when people view the user profile faster than the 24-hour expectation Microsoft sets when new values are saved for the profile (Figure 2).

Figure 2: Updating user profile settings

A Mixture of Properties

My issue with the current implementation is that it still surfaces some elements of the old SharePoint profile. For instance, if you click the link to “add more profile information,” you’re brought to the old Edit Details screen. For most tenants, there’s nothing on this screen that cannot be changed with the update profile screen, so I’m unsure what extra value the link delivers. Perhaps it’s to serve tenants who add custom user profile properties to SharePoint Online.

The duplication of some common properties shown on the profile card is more worrisome. Most properties relating to the organizational information stored about users are held in Entra ID, which is the authoritative source for directory information within Microsoft 365. These properties include the job title, department, company name, office location, and business address. They also include contact information like numbers for home, business, and mobile phones.

The issue is that the user profile card displays two sets of telephone numbers. One set holds the values stored in Entra ID; the other holds values stored in SharePoint Online. Users can’t update Entra ID, but they can update their home and mobile numbers in the profile information in SharePoint (Figure 3). Oddly, users can update the business fax information in SharePoint Online, but the equivalent from Entra ID isn’t even shown.

Figure 3: Some duplicate properties in the user profile

Perhaps the desire is to allow users to publish both official (Entra ID) and unofficial contact details. That could very well be a good idea, if the same names weren’t used. For instance, Figure 4 shows my user profile. There are two values listed for mobile phone and business fax. Entra ID doesn’t store home phone numbers for users, so the profile uses the data from SharePoint Online.

Figure 4: A mixture of properties in the user profile

A Missed Opportunity

While acknowledging that the implementation now being rolled out is to assist in the retirement of Delve by replacing how users update profile information, it seems like failing to rationalize the information displayed on the user profile card is a missed opportunity.

Most Microsoft 365 tenants don’t add custom user profile properties to SharePoint Online. The feature is a legacy inherited from the on-premises server that should be replaced by easier customization for user accounts within Entra ID. Given the core position of Entra ID within the Microsoft 365 ecosystem, it just doesn’t make sense to persist with a mechanism that, as far as I can tell, isn’t widely used.

You can add custom directory extensions or schema extensions to Entra ID, but using the extensions isn’t as easy as it should be. For instance, there’s no way to customize the user profile card to add custom directory or schema extensions in the same way as supported for Exchange custom attributes. It would be nice if Microsoft made it easy for administrators to create tenant-specific versions of the user profile card and for users to update their details. It’s possible to create and update profile cards today, but pulling everything together is just more complicated than it should be.


Learn more about how the Office 365 applications really work on an ongoing basis by subscribing to the Office 365 for IT Pros eBook. Our monthly updates keep subscribers informed about what’s important across the Office 365 ecosystem.

Microsoft Kills Viva Goals (https://office365itpros.com/2024/12/09/viva-goals-retirement/, Mon, 09 Dec 2024 07:00:00 +0000)

Viva Goals Retirement To Happen on December 31, 2025


Viva Goals is an implementation of the Objectives and Key Results (OKR) methodology to allow organizations to define and measure progress against goals (the OKRs) set at the organization or team level. Goals wasn’t part of the original launch for Microsoft’s Viva employee engagement suite in February 2021. As part of its work to extend the Viva suite, Microsoft acquired Ally.io in October 2021. The technology was subsequently rebranded as Viva Goals and reached general availability in August 2022.

Microsoft’s decision to retire Viva Goals came like a bolt from the blue. The first public indicator emerged when Microsoft published MC949603 in the Microsoft 365 admin center on December 5 along with a companion explanatory article to let customers know that Microsoft ceased development for Viva Goals on December 5, 2024 and will retire the product on December 31, 2025. Microsoft also said that no prospect exists to extend access to Viva Goals past the retirement date.

Looking back, the resignation of Ally.io founder Vetri Vellore from Microsoft in December 2023 might be seen as an early indicator that things weren’t going so well with Viva Goals. Vellore is now leading the development of Rhythms.ai, an “AI-powered operating system for high-performing teams.” It’s not unusual for founders of acquired companies to depart after their retention agreement expires, and Vellore departing to set up another startup fits the pattern. However, it probably didn’t help. Losing leadership is never good for a struggling product.

What Forced the Viva Goals Retirement?

When it announces decisions, Microsoft often stresses its use of telemetry acquired from user activity to inform those who make the decisions. In this case, Microsoft says that “While some customers have recognized value, overall adoption and usage of Viva Goals across the Viva Suite customer base has not grown. Microsoft has been unable to reach the scale and impact needed to continue further investment.” In other words, some customers like Viva Goals but not enough have opted to use it to warrant further development.

Given the scale that Microsoft 365 runs at, it’s unsurprising that Microsoft has high hopes for new products. If products don’t attract substantial customer interest, the potential for failure and retirement always exists. Introducing OKRs into an organization is not like launching an application like Planner. According to some successful practitioners, executive buy-in and leadership is needed to drive the adoption of the methodology. Support from the top of the organization can’t be half-hearted or inconsistent. It’s got to be fully committed and ongoing, and while some customers are enthusiastic about OKRs, it’s obvious that most didn’t view Viva Goals as an important part of their cloud infrastructure.

The most recent usage number revealed by Microsoft was that the Viva Suite had 35 million monthly active users (July 2023). However, Microsoft did not specify usage data for individual products within the suite. The situation is further complicated because Viva Engage (Yammer) components like the Q&A app show up in Teams and might accrue some usage through that route. Another example of how Viva Engage embraces Teams in a way that should drive usage is the support for storylines in Teams chat announced at Ignite 2024 and due for availability in early 2025.

The Second Viva Element to Fall

Viva Goals is the second element of the Viva Suite to be axed following another surprise decision to retire Viva Topics earlier this year. In the case of Viva Topics, Microsoft pointed to Microsoft 365 Copilot as a replacement. Since the announcement, Microsoft has delivered features like custom agents to allow tenants to develop their own form of knowledge infrastructure, albeit for much higher license costs.

The path forward for customers who use Viva Goals is less obvious. In the FAQ for the Viva Goals retirement, Microsoft says that they are “exploring third-party solutions and partnerships to facilitate a smoother transition.” It seems like a lot of work needs to happen between now and December 2025 to create migration tools to export data from Viva Goals to other platforms. We’ll have to see how the transition unfolds.

More Disruption in Viva?

The retirement of two products from the Viva suite might cause some to think that it’s not worthwhile to invest any more time into Viva products. That’s an understandable feeling. Given the way that Microsoft has demonstrated absolute ruthlessness in cutting underperforming products from its portfolio, the future of any Viva product is certainly something to consider. The current line-up is:

  • Viva Connections
  • Viva Engage
  • Viva Amplify
  • Viva Pulse
  • Viva Glint
  • Viva Insights
  • Viva Learning

Seven products seem like too many. It’s certainly confusing at times to understand what each product does. It will be interesting to see if Microsoft trims the line-up further in 2025.


So much change, all the time. It’s a challenge to stay abreast of all the updates Microsoft makes across the Microsoft 365 ecosystem. Subscribe to the Office 365 for IT Pros eBook to receive monthly insights into what happens, why it happens, and what new features and capabilities mean for your tenant.

The Impact of Generative AI on Technology Websites (https://office365itpros.com/2024/11/25/impact-of-generative-ai/, Mon, 25 Nov 2024 07:00:00 +0000)

AI Harvesting of Information Lowers Traffic and Reduces Revenue for Websites

The administrators of many websites and blogs have complained about a decline in traffic (page views), especially over the last year. Office365ITPros.com is not immune to what’s happening across the internet. We’ve seen a drop of about 50% in traffic since the summer of 2023. There are lots of theories about why the drop in traffic happened. Thinking about the situation, I believe that technical, human, and disruptive change combine to deliver what we see today, with the impact of generative AI on technology websites being felt, and not in a good way.

Many point to the effect of Google Analytics 4 (GA4) and say that the results for website traffic reported by GA4 are markedly different from its predecessor (here’s an example). I don’t pretend to be an expert on Google Analytics, but when everyone’s talking about the impact of a change, it’s hard not to conclude that the introduction of GA4 has had some effect.

In addition, search engine result pages (SERPs) now include snippets of information that might be sufficient to answer user queries (Figure 1). If an answer is found in a snippet, there’s no need to follow the link to the source web site to find more information. Snippets are great for users while contributing to declining page views.

Figure 1: A SERP from Bing.com contains answers to user questions

User behavior is also changing. More mobile devices are used, so if an article doesn’t seize the attention of the reader within the first few paragraphs, the user will move on and not follow links in the text. Another factor is that mobile devices can favor the consumption of video content rather than traditional articles.

But the biggest change affecting websites covering technology is the impact of generative AI tools like ChatGPT and Microsoft Copilot. AI tools build large language models (LLMs) using information from the internet and can regurgitate that knowledge in a more approachable fashion than regular search results (Figure 2).

Figure 2: Microsoft Copilot answers a question

I used Bing.com for the SERP example in Figure 1 because Microsoft Copilot uses Bing search to gather information for its responses. What you see in Figure 2 is the Copilot equivalent of the Bing result in Figure 1. Interestingly, Copilot dropped the reference to the article used in the Bing SERP. I wrote that article some years ago and it’s very outdated now. It seems like Copilot favored more recent articles in its output.

What we learn from this demonstration is that AI gathers the knowledge that people would have found through web searches and serves it up without the need to go anywhere near the source sites. The result is a dramatic fall in website traffic with the only page views counted by Google being those that occur when someone clicks a link in an AI response.

The Lesson of Stack Overflow

Stack Overflow is a stark example of what can happen to a thriving technology website. For years, Stack Overflow was the place for developers to go when they had a coding problem or needed an example to know how to do something. Then ChatGPT came along and the effect on the traffic handled by Stack Overflow was dramatic (Figure 3).

Figure 3: The effect of generative AI on Stack Overflow website traffic (source: Tom Alder)

Simply because technologists adopt new technology faster than the general public, technology sites were always likely to experience an impact as generative AI began to have an effect. In the case of Stack Overflow, the people who used it to seek answers are prime candidates to adopt new technologies like ChatGPT. The numbers don’t lie.

An analysis of the effect of ChatGPT on Stack Overflow and Reddit published on nature.com noted, “We estimate that Stack Overflow’s daily web traffic has declined by approximately 1 million individuals per day, equivalent to approximately 12% of the site’s daily web traffic just prior to ChatGPT’s release.” The report also noted a decrease in posting activity on the site. In time, Stack Overflow bowed to the inevitable loss in revenue and laid off 28% of its staff in October 2023.

GitHub Copilot

The success of GitHub Copilot and other AI-based developer tools increased the pressure on sites that offer answers to developers. The advantages of having a tool that can literally write code (and comments) to meet the needs of a developer cannot be overstated. I’ve used GitHub Copilot for about a year and although I am not a professional developer and only write PowerShell scripts, GitHub Copilot has removed much of the need to look up code examples.

GitHub Copilot shows generative AI off at its best. The users know what they are looking for, recognize errors, the source material for the LLMs is based on working code, and the output must always meet the acid test that it either works or not. It’s much easier for a tool like GitHub Copilot to cope with code than it is for its Microsoft 365 Copilot counterpart, which must deal with the vagaries of writing styles and content found in Office documents.

Users can’t be blamed for switching focus. From their perspective, it’s much easier to use a tool like ChatGPT than clicking through multiple threaded posts seeking a definitive answer to a problem. Leaving aside the salient fact that generative AI is quite capable of producing horrendously inaccurate answers, the user experience is easier, especially when AI delivers what seems to be well-crafted and complete answers.

Killing the Goose that Lays the Golden Eggs

All of this is great for those who sell generative AI products. At least, it is for now. The danger exists that the source material ingested by the LLMs used by generative AI will dry up over time as websites close because of a lack of traffic and declining revenue. In the Microsoft 365 space, we’ve seen this happen earlier this year with the demise of the Tekki Gurus site.

If no new content is created and published in blogs and articles on websites, ChatGPT and Microsoft Copilot will increasingly rely on aging information. This might be fine for answering questions of historical interest; it won’t be for questions about technology.

In October, I commented that errors and hallucinations generated by Microsoft 365 Copilot run the risk of corrupting the Microsoft Graph by being included in documents and files that are subsequently included in Microsoft Search and the semantic index. Once in the Graph, the bad information becomes available for Copilot to reuse and spread. No doubt users will pay attention to what Copilot generates in its responses and will attempt not to reuse erroneous content. But humans are humans and sometimes the pressure of work leads to mistakes.

Some websites won’t be affected. I think sites that offer very specific product content are less likely to see dramatic falls in website traffic patterns than those which specialize in covering general-purpose technology, like Microsoft 365. Sites offering news coverage and other time-dependent content will be less affected because of the time required to populate the LLMs with new material. Sites selling products won’t be affected because generative AI just doesn’t do this kind of thing (yet), and so on.

In-Person Technology Conferences Score

In a weird sort of way, in-person technology conferences become more important in the new world. Human interaction with conference attendees, asking questions at sessions, and the ability to have offline conversations with experts to explore their knowledge are real advantages that artificial intelligence cannot deliver. Virtual conferences offer the chance to learn and share knowledge too, but that in-person connection is where magic happens.

With that in mind, I look forward to meeting people at the ESPC event in Stockholm next month. Perhaps someone there can convince me that AI won’t continue to kill websites that publish valuable information about how technology works, but given the evidence available today, I can see only one outcome.

Microsoft’s Simple Message at Ignite: It’s All About AI (https://office365itpros.com/2024/11/22/ignite-2024-ai/, Fri, 22 Nov 2024 07:00:00 +0000)

Copilot Branding Applied Liberally Across All Product Announcements at Ignite 2024

I decided to stay away from the Ignite 2024 conference in Chicago this week. The monetary investment to fly to Chicago, stay in a hotel, meals, lost time, and the conference fee outweighed the potential return. I would have liked to meet up with people, but the cost to attend what’s essentially a marketing event was way too high.

What’s clear from the announcements made at Ignite is that Microsoft is heavily focused on recouping the massive investments they’ve made to build out the datacenter infrastructure to deliver artificial intelligence functionality. That’s understandable in light of quarterly investments of around $20 billion in hardware, software, and datacenter fabric. Another factor is the need to extract more revenue from the Microsoft 365 installed base to offset a slowing in the growth of overall user numbers.

A Slew of AI Announcements at Ignite 2024

The net result is a slew of announcements for AI-infused functionality helpfully captured in the Ignite 2024 “Book of News.” The online document mentions Copilot 259 times and AI 278 times, which is a clear statement of where Microsoft’s PR priorities lie.

The announcements range from general availability for features that are already shipping (like Agents in SharePoint Online) to some very interesting developments for Teams, like the ability for Copilot in Teams to analyze information shared on-screen during meetings. Another thing that seized my attention was how Copilot can schedule focus time or 1:1 meetings similar to the way that the now-defunct Cortana Scheduler attempted to help users select optimum meeting slots. The ability to have live translation for multilingual meetings (rather than just from a single language into other languages) should also be popular in multinational organizations.

A welcome development is the introduction of detection of prompt injection in Purview Communication Compliance. After researchers at Black Hat 2024 described some vulnerabilities in Microsoft 365 Copilot Chat, including prompt manipulation, Microsoft said that they had addressed the issue without giving details. Now, Communication Compliance will detect and report attempts to inject prompts to “elicit unauthorized behavior from the large language model (LLM).”

Restricting Access to Information

On the tenant administrative side, the work to help organizations restrict the ability of Microsoft 365 Copilot to process documents continues. For example, a new DLP rule condition based on the sensitivity label assigned to documents can prevent Copilot summarizing information from documents or using content from documents in its responses. On the downside, it’s unbelievable that Microsoft can justify calling one new rule condition “Microsoft Purview Data Loss Prevention for Microsoft 365 Copilot.”

At a broader scale, Restricted Content Discoverability (RCD) will stop Copilot accessing documents in sites on a deny list. RCD is a more sensible and scalable approach than the curated allow list of 100 sites implemented in Restricted SharePoint Search.

I was pleased to hear that Microsoft plans to make SharePoint Advanced Management (SAM) licenses available to tenants with Microsoft 365 Copilot. I called for this to happen in an October 3 post. It didn’t make sense to ask customers to pay the $3/user/month fee for SAM to control aspects of Microsoft 365 Copilot that they pay $30/user/month for. Apparently, the roll-out of SAM licenses to eligible tenants will happen in early 2025.

Also in SharePoint Online, a new sensitivity label option will extend SharePoint site permissions to downloaded documents. The new configuration handles situations like when a user loses access to a site, or a file is deleted from a site. In these situations, the sensitivity label will recognize that the situation for a document has changed and block access. To implement the protection, you’ll need both an E5 license (to set a default sensitivity label for the site) and a SAM license.

Conditional Access for Generative AI

Not to be outdone by announcements by other development groups, the Entra ID team released details of Protect AI with a Conditional Access Policy, which is all about limiting access to AI services like Microsoft 365 Copilot and Security Copilot through conditional access policies.

To make the block work, Microsoft asks tenants to create two service principals to represent the Enterprise Copilot Platform and Security Copilot apps. The service principals represent the instantiation of the apps used by Copilot within a tenant and allow conditional access policies to monitor connections to the apps (read this article to discover more about sign-in activity for service principals). Conditional access policies can apply restrictions to app connections like enforcing multifactor authentication (MFA) or a certain type of strength for multifactor authentication, like requiring the use of a FIDO2 key.
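As an added example (not code from the article or from Microsoft’s documentation), this is the set-up the paragraph describes: create the two service principals if they are missing, then a report-only conditional access policy that requires MFA for them. The app identifiers, the excluded break-glass account, and the permission scopes are placeholders or assumptions.

```powershell
# Added example: register the Copilot app service principals and require MFA for them
# through a conditional access policy. Assumes the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "Application.ReadWrite.All", "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All" -NoWelcome

# PLACEHOLDER app ids: take the real values from Microsoft's "Protect AI with a
# conditional access policy" documentation
$CopilotApps = @{
    'Enterprise Copilot Platform' = '00000000-0000-0000-0000-000000000001'
    'Security Copilot'            = '00000000-0000-0000-0000-000000000002'
}

# Step 1: make sure a service principal exists for each app. Without one, conditional
# access has no tenant object to evaluate when a user connects to the app.
ForEach ($Name in $CopilotApps.Keys) {
    $AppId = $CopilotApps[$Name]
    $Sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
    If ($null -eq $Sp) {
        $Sp = New-MgServicePrincipal -AppId $AppId
        Write-Host ("Created service principal for {0} ({1})" -f $Name, $Sp.Id)
    } Else {
        Write-Host ("Service principal for {0} already present ({1})" -f $Name, $Sp.Id)
    }
}

# Step 2: build the policy. It starts in report-only mode so the sign-in logs show who
# would be challenged before the policy is enforced (the client-side error handling for
# a blocked connection is poor, so find the affected accounts first).
$Policy = @{
    displayName   = "Require MFA for Copilot apps (report-only)"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        clientAppTypes = @("all")
        users          = @{
            includeUsers = @("All")
            # Keep a break-glass account out of every MFA policy (PLACEHOLDER object id)
            excludeUsers = @("00000000-0000-0000-0000-00000000beef")
        }
        applications   = @{
            includeApplications = @($CopilotApps.Values)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$Created = New-MgIdentityConditionalAccessPolicy -BodyParameter $Policy
Write-Host ("Policy {0} created in state {1}" -f $Created.Id, $Created.State)
```

Switch the state to "enabled" only after reviewing the report-only results in the sign-in logs.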

I created a conditional access policy to require MFA for Copilot. It works, but the user experience isn’t great. For instance, Figure 1 shows what the user sees when an account that doesn’t use MFA attempts to connect to Microsoft Copilot.

Figure 1: Microsoft Copilot fails to connect due to the requirement for MFA

It seems like the user-facing experience doesn’t cope well with the error that results when the browser attempts to connect to the Enterprise Copilot Platform app. No doubt the chat client will get an update to resolve the problem.

Great Technology Revealed at Ignite 2024, But Someone’s Got to Pay

It’s great that Microsoft continues to push the boundaries of how AI can help Microsoft 365 tenants. However, we shouldn’t lose sight of the fact that Microsoft 365 Copilot is not yet widely used within the 400-million-plus installed base of Office 365 paid seats. It’s definitely in Microsoft’s interest to convince more of that installed base to buy Copilot, but it would be nice if every new feature that arrives didn’t come with the requirement for a new license, license upgrade, or add-on.


Support the work of the Office 365 for IT Pros team by subscribing to the Office 365 for IT Pros eBook. Your support pays for the time we need to track, analyze, and document the changing world of Microsoft 365 and Office 365.

Microsoft to Enforce Mandatory MFA Requirement for Microsoft 365 Admin Center (https://office365itpros.com/2024/11/18/mandatory-mfa-for-microsoft-365/, Mon, 18 Nov 2024 07:00:00 +0000)

Mandatory MFA for Microsoft 365 Admin Center Connections from February 3, 2025

After their communications triumph around the announcement of the imposition of an MFA requirement to sign into Azure administrative endpoints like the Entra admin center earlier this year, Microsoft is moving to its next target. According to a Microsoft Technical Community post of November 11, 2024, they will roll out the requirement for connections to the Microsoft 365 admin center to pass a mandatory multifactor challenge beginning on February 3, 2025 (MC933540, 13 November 2024).

Rolling out a change like this to hundreds of thousands of Microsoft 365 tenants can’t be done overnight. Microsoft says that tenant administrators will receive notification 30 days before the restriction commences.

The last time round, people panicked when they assumed that all connections to Azure, including those from non-privileged user accounts, would need to use MFA. However, the set of affected endpoints featured sites that few “normal users” go near simply because they have no need to connect to administrative portals like the Intune admin center or PowerShell modules like Azure.

The same rules apply here. Only accounts holding administrative roles that need to connect to the Microsoft 365 admin center are affected. There’s probably a broader set of roles involved, and the new restriction means that staff like help desk personnel might be required to use MFA for the first time. But here’s the thing: anyone accessing the Microsoft 365 admin center to perform administrative tasks for a tenant should already be using MFA. Those who don’t are inviting compromise of their accounts by attackers that leads to potential compromise of the entire tenant depending on the roles held by the account.

Figuring Out Who Might be Affected by the Mandatory MFA Requirement

If you have Entra P1 licenses, you can use PowerShell to analyze Entra Audit sign-in logs to determine the set of accounts that use MFA. Audit logs only go back 30 days, but it’s enough to have a good idea. Alternatively, you could use PowerShell to interrogate the sign-in logs to find successful connections to the app used by the Microsoft 365 admin center (the app name reveals its roots), reduce the set to find unique user accounts, and check each user account to validate if it uses MFA. In this example, I use the Get-MgServicePrincipal cmdlet to find the identifier of the app. You could also scan the sign-in logs in the Entra admin center to find a record for a connection to the Microsoft 365 admin center. The beta version of the Get-MgAuditLogSignIn cmdlet is used to fetch sign-in records because it returns information about authentication requirements. Here’s some code to do the job (available from GitHub):

# AuditLog.Read.All is the Graph permission for sign-in logs; Directory.Read.All covers the service principal lookup
Connect-MgGraph -Scopes AuditLog.Read.All, Directory.Read.All
# The service principal for the Microsoft 365 admin center still carries its Office 365 name
$M365AdminCenterId = (Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Office 365 Portal'").AppId
Write-Host "Checking for sign-ins to the Microsoft 365 Admin center..."
# Successful sign-ins to the admin center app; the beta cmdlet returns the authentication requirement
[array]$M365PortalSignIns = Get-MgBetaAuditLogSignIn -Filter "AppId eq '$M365AdminCenterId' and status/ErrorCode eq 0" -All -PageSize 500
# Keep the most recent sign-in for each account so the MFA status reflects the latest connection
[array]$UniqueUsers = $M365PortalSignIns | Group-Object UserPrincipalName | ForEach-Object {
    $_.Group | Sort-Object CreatedDateTime -Descending | Select-Object -First 1
}
$Report = [System.Collections.Generic.List[Object]]::new()

ForEach ($User in $UniqueUsers) {
    $MFA = "Not enabled"
    If ($User.AuthenticationRequirement -eq 'multifactorauthentication') {
        $MFA = "Enabled"
    }
    $ReportLine = [PSCustomObject] @{ 
        User                = $User.UserDisplayName
        'MFA Status'        = $MFA
        'Last sign-in'      = $User.CreatedDateTime
    }
    $Report.Add($ReportLine)
}

$Report

User                                    MFA Status  Last sign-in
----                                    ----------  ------------
Hans Geering (Project Management)       Enabled     09/11/2024 20:50:47
Ken Bowers                              Enabled     16/11/2024 13:20:40
Lotte Vetler (Paris)                    Enabled     15/11/2024 13:23:06
Paul Robichaux (Office 365 for IT Pros) Not enabled 29/10/2024 19:46:04
Tony Redmond                            Enabled     03/11/2024 15:30:24

Another approach is to run the user passwords and authentication report script, which generates a comprehensive report about user accounts, passwords, sign-ins, and registered MFA methods. You can check this report to make sure that the users detected using the Microsoft 365 admin center have suitable MFA methods registered.

Another helpful script generates a report about accounts holding administrative role assignments. You can use the information in the report (and the CSV file generated by the script) to focus on the accounts that will be affected by the new mandatory MFA requirement. For example, accounts holding the user administrator role (Figure 1) will need to satisfy the mandatory MFA requirement to connect to the Microsoft 365 admin center after Microsoft deploys the change to your tenant.

Figure 1: User administrators will now need to satisfy the mandatory MFA requirement

Essentially, PowerShell is your friend when it comes to finding out who uses MFA in a tenant.
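As an added example (not the article’s script or the report scripts it links to), the following combines the two checks just mentioned: it lists the accounts that hold activated Entra ID administrative roles and looks up their registered authentication methods from the registration details report, flagging admins with no MFA or only phone-based methods. The permission scopes and the list of method names treated as strong are assumptions.

```powershell
# Added example: find administrative role holders that lack strong MFA registration.
# Assumes the Microsoft.Graph PowerShell SDK and Entra P1/P2 licensing for the report.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All", "AuditLog.Read.All", "UserAuthenticationMethod.Read.All" -NoWelcome

# Methods the article calls strong (Authenticator app, FIDO2 keys, passkeys). The names are
# values seen in methodsRegistered; treat the list as an assumption and extend it if needed.
$StrongMethods = @(
    'microsoftAuthenticatorPush',
    'microsoftAuthenticatorPasswordless',
    'fido2SecurityKey',
    'passKeyDeviceBound',
    'windowsHelloForBusiness'
)

# Registration details for every user, keyed by UPN for fast lookup
$Registration = @{}
Get-MgReportAuthenticationMethodUserRegistrationDetail -All | ForEach-Object {
    $Registration[$_.UserPrincipalName] = $_
}

# Walk the activated directory roles and collect the user members of each.
# Note: this covers active assignments only, not PIM-eligible assignments.
$RoleHolders = @{}
ForEach ($Role in (Get-MgDirectoryRole -All)) {
    $Members = Get-MgDirectoryRoleMember -DirectoryRoleId $Role.Id -All |
        Where-Object { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.user' }
    ForEach ($Member in $Members) {
        $Upn = $Member.AdditionalProperties.userPrincipalName
        If (-not $RoleHolders.ContainsKey($Upn)) {
            $RoleHolders[$Upn] = [System.Collections.Generic.List[string]]::new()
        }
        $RoleHolders[$Upn].Add($Role.DisplayName)
    }
}

$Report = [System.Collections.Generic.List[Object]]::new()
ForEach ($Upn in ($RoleHolders.Keys | Sort-Object)) {
    $Detail  = $Registration[$Upn]
    $Methods = @()
    If ($null -eq $Detail) {
        $Status = 'Not in registration report'
    } Else {
        $Methods   = @($Detail.MethodsRegistered)
        $HasStrong = ($Methods | Where-Object { $StrongMethods -contains $_ }).Count -gt 0
        If ($Detail.IsMfaRegistered -and $HasStrong) { $Status = 'Strong MFA registered' }
        ElseIf ($Detail.IsMfaRegistered)             { $Status = 'Weak MFA only (phone/SMS/email)' }
        Else                                         { $Status = 'No MFA registered' }
    }
    $Report.Add([PSCustomObject]@{
        User         = $Upn
        Roles        = $RoleHolders[$Upn] -join '; '
        'MFA Status' = $Status
        Methods      = $Methods -join ', '
    })
}

# Accounts to fix first: admins without strong MFA. The full report goes to CSV.
$Report | Where-Object { $_.'MFA Status' -ne 'Strong MFA registered' } | Format-Table -AutoSize
$Report | Export-Csv -Path .\AdminMfaStatus.csv -NoTypeInformation -Encoding utf8
```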

The Ongoing Need to Accelerate the Adoption of MFA

According to a Microsoft research report, MFA reduces the risk of account compromise by 99.22% across all accounts and by 98.56% for leaked account credentials (usernames and passwords). The last figures shared by Microsoft said that only 38% of Entra ID monthly active users use MFA (February 2024). Microsoft is on a campaign to get that number to at least 80% and enforcing mandatory requirements for MFA to connect to different sites is a good way to drive that message home.

One thing’s for sure. Microsoft is not going to stop imposing mandatory MFA requirements to connect to Microsoft 365. I expect the campaign to continue and spread to user-focused applications like Teams and Outlook. Quite when that will happen is anyone’s guess, but the important thing is to get ahead of the game by accelerating the adoption of MFA to protect Microsoft 365 user accounts, preferably using strong authentication methods like the Microsoft Authenticator app, FIDO2 keys, or software passkeys.

Another Big Change Coming in February 2025

Another big thing that will happen in February 2025 is the deprecation of the ApplicationImpersonation role in Exchange Online. This might not seem important to you, but it might be. Many bespoke and third-party tools use this role with Exchange Web Services (EWS) to access mailboxes. If you don’t check now, you might have an unpleasant surprise early in 2025. The Microsoft post references some tools to help check a tenant. It’s worth taking the time to do so.


So much change, all the time. It’s a challenge to stay abreast of all the updates Microsoft makes across the Microsoft 365 ecosystem. Subscribe to the Office 365 for IT Pros eBook to receive monthly insights into what happens, why it happens, and what new features and capabilities mean for your tenant.

How to Search for Email Protected by Sensitivity Labels (https://office365itpros.com/2024/10/28/find-emails-with-sensitivity-labels/, Mon, 28 Oct 2024 07:00:00 +0000)

Use Microsoft Search to Find Emails with Sensitivity Labels

In June 2023, I wrote about how to search SharePoint Online for files with sensitivity labels. The key point is to use the InformationProtectionLabelId property in the KeyQL query in a search, passing the label identifier to search for. As described in the article, the label identifier for a sensitivity label is found by running the Get-Label cmdlet and it’s possible to search for items with several different sensitivity labels at one time.

Unfortunately, I might have inadvertently created the impression that only SharePoint Online supports searches against InformationProtectionLabelId. That’s not true because Exchange Online supports searches against the same property. It’s just not a well-known fact.

Viewing Sensitivity Label Data with MFCMAPI

When I was asked recently whether it was possible to search for email with a specific sensitivity label (for instance, all messages sent by a user labeled as Confidential), my initial action was to fire up the MFCMAPI utility to see what properties Exchange Online stores for labeled email. A bunch of properties are found, including the person who labeled the email (Drmowner) and the organization that “owns” the item from a rights management perspective. The most relevant is the MSIPLabelGuid property (Figure 1), which holds the identifier of the label.

Figure 1: The identifier for a sensitivity label applied to an email as viewed through MFCMAPI

It’s quite likely that a schema normalization process will transform the property in different ways, such as giving it a different name. That’s exactly what happens here because the MSIP (Microsoft Information Protection) GUID ends up in the item’s InformationProtectionLabelId property.

Use Microsoft Search to Find Emails with Sensitivity Labels

To test the theory, you can search for labeled emails using the search box available in the Microsoft 365 browser app. Type in InformationProtectionLabelId: followed by the identifier for the label to search for. The emails found by the search are listed under the Messages tab (Figure 2). Only labeled emails received by the signed-in account are found by this search.

Figure 2: Using the Microsoft 365 app to search for labeled email

Even better, because Outlook clients use the Microsoft Search index, you can find email with sensitivity labels by using the same syntax with Outlook search (Figure 3).

Figure 3: Using Outlook to find email with sensitivity labels

Use Purview Content Search to Find Emails with Sensitivity Labels

Searching from a browser only finds messages in the signed-in user’s mailbox. To find labeled emails in other mailboxes, you must use a Purview content search. Microsoft is currently in the middle of “modernizing” Purview eDiscovery, but the basic idea of creating a search with a KeyQL query to find items still holds true. In this case, I used the very simple search

informationprotectionlabelid:2fe7f66d-096a-469e-835f-595532b63560 (c:c) (Kind=email)

to look for items. Content searches find all emails, received and sent. Figure 4 shows the result.

Figure 4: Viewing labeled emails found by a Purview content search

Obviously, the query could be more complex to focus on certain mailboxes, which is where the query builder comes in useful. In fact, the query builder in the modern eDiscovery UI supports sensitivity labels as a condition, and you can add a condition to search for one or more labels very easily (Figure 5).

Figure 5: Sensitivity labels are a supported condition for Purview content searches

Interestingly, when you use the modernized query builder to add sensitivity labels as a condition for a search, the query uses MipSensitiveLabel instead of InformationProtectionLabelId, and you can end up mixing and matching the two properties in a query like this:

informationprotectionlabelid:2fe7f66d-096a-469e-835f-595532b63560 (c:c) ((Kind=email) AND ((Date=2024-01-01..2024-10-01)) AND (((SubjectTitle:Project) OR (SubjectTitle:Important) OR (SubjectTitle:Critical))) AND (((MipSensitiveLabel=2fe7f66d-096a-469e-835f-595532b63560) OR (MipSensitiveLabel=8b652c9a-a8b7-40ec-bb1a-c5334b1b7fef) OR (MipSensitiveLabel=27451a5b-5823-4853-bcd4-2204d03ab477) OR (MipSensitiveLabel=810b94b5-8ff8-4670-ab07-3e2daeda47d2))))

Searching against the MipSensitiveLabel property works, but the older query builder doesn’t like using an equals sign between the property and value. A semi-colon works just fine.
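The content search described above can be scripted end to end. The following is an added example (not code from the article): it resolves label names to the identifiers that Get-Label reports, builds the InformationProtectionLabelId query, and runs it as a Purview content search over all mailboxes. It assumes a Connect-IPPSSession connection with a role that permits content searches; the label names and search name are constructed placeholders.

```powershell
# Added example: search all Exchange Online mailboxes for email carrying one or more
# sensitivity labels, using the InformationProtectionLabelId property from the article.
# Assumes the Exchange Online Management module; Connect-IPPSSession opens the
# Security & Compliance session that New-ComplianceSearch needs.
Connect-IPPSSession

$LabelNames = @('Confidential', 'Highly Confidential')   # constructed: use your own label names
$SearchName = 'Labeled email - Confidential'              # constructed placeholder

# Get-Label returns the immutable identifier that Microsoft Search stores in
# InformationProtectionLabelId for labeled items
$LabelIds = foreach ($Name in $LabelNames) {
    $Label = Get-Label -Identity $Name -ErrorAction SilentlyContinue
    if ($null -eq $Label) { Write-Warning "Sensitivity label '$Name' not found"; continue }
    $Label.ImmutableId.ToString()
}
if (-not $LabelIds) { throw "No sensitivity labels resolved; nothing to search for" }

# One InformationProtectionLabelId clause per label, joined with OR, restricted to email
$LabelClause = ($LabelIds | ForEach-Object { "InformationProtectionLabelId:$_" }) -join ' OR '
$Query = "($LabelClause) AND (Kind=email)"
Write-Host "KQL query: $Query"

# Create and start the search across every Exchange Online mailbox (sent and received items)
New-ComplianceSearch -Name $SearchName -ExchangeLocation All -ContentMatchQuery $Query | Out-Null
Start-ComplianceSearch -Identity $SearchName

# Poll until the search leaves its running states, then report what it found
do {
    Start-Sleep -Seconds 15
    $Search = Get-ComplianceSearch -Identity $SearchName
} while ($Search.Status -in @('NotStarted', 'Starting', 'InProgress'))

if ($Search.Status -ne 'Completed') {
    throw ("Search '{0}' ended with status {1}" -f $Search.Name, $Search.Status)
}
Write-Host ("Search '{0}' found {1} labeled emails ({2})" -f $Search.Name, $Search.Items, $Search.Size)
```

The query string printed by the script is the same form the article types into the Purview query builder, so it can be pasted there directly if you prefer the UI.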

Several Ways to Find Emails with Sensitivity Labels

The bottom line is that you can search for emails protected by sensitivity labels (with or without encryption). eDiscovery searches are the most powerful and flexible when the need arises to find a very specific item, but Microsoft 365 search in the browser can find items too.


Learn how to exploit the data available to Microsoft 365 tenant administrators through the Office 365 for IT Pros eBook. We love figuring out how things work.

Will Microsoft 365 Copilot Errors and Hallucinations Eventually Corrupt the Microsoft Graph? (Fri, 18 Oct 2024) https://office365itpros.com/2024/10/18/copilot-errors-graph/

Copilot Errors in AI-Generated Text Can Persist and Spread

When I discussed working with Copilot Pages last Wednesday, I noted the usefulness of being able to capture output generated by Microsoft 365 Copilot as a response to a prompt in a Loop component. That’s the happy side of the equation. The dark side is that being able to capture AI-generated text so easily makes it easier for hallucinations and mistakes to sneak into the Microsoft Graph and become the source for further Copilot errors.

Take the example I showed in Figure 1 of the article where Copilot’s response captured in a page includes an incorrect fact about compliance search purge actions. Copilot reports that a soft-delete action moves items into the Deleted Items folder (in reality, the items go into the Deletions folder in Recoverable Items). This isn’t a big problem because I recognized the issue immediately. The Copilot results cited two documents and two web sites, but I couldn’t find the erroneous text in any of these locations, which implies that the knowledge came from the LLM.

Copilot Errors Can Persist

The text copied into the Copilot page included the error and was caught and corrected there. The content stored in the Loop component is accurate. But here’s the thing. When I went back to Microsoft 365 Business Chat (aka BizChat) to repeat the question with a different prompt asking Copilot to be explicit about what happens to soft-deleted items, the error is present once again, even though Copilot now cites the page created for the previous query (Figure 1).

Figure 1: Copilot generated text contains an error

At this point there’s not much more I can do. I have checked the Graph and other sources cited by Copilot and can’t find the error there. I’ve added a Copilot page with corrected information and seen that page cited in a response where the error is present. There’s no other route available to track down pesky Copilot errors. I guess this experience underlines once again that any text generated by an AI tool must be carefully checked and verified before it’s accepted.

AI-Generated Text Infects the Graph

But humans are humans. Some of us are very good at reading over AI-generated text to correct mistakes that might be present. Some of us are less good and might just accept what Copilot generates as accurate and useful information. The problem arises when AI-generated material that includes errors is stored in files in SharePoint Online or OneDrive for Business. (I’m more worried about material stored in SharePoint Online because it is shared more broadly than the personal files held in OneDrive).

When documents containing flawed AI-generated text infect the Graph, no one knows about the errors or where they originated. The polluted text becomes part of the corporate knowledge base. Errors are available to be recycled by Copilot again and again. In fact, because more documents are created containing the same errors over time, the feeling that the errors are fact becomes stronger because Copilot has more files to cite as sources. And if people don’t know that the text originated from Copilot, they’ll regard it as content written and checked by a human.

The Human Side

Humans make mistakes too. We try and eliminate errors as much as we can by asking co-workers to review text and check facts. Important documents might be reviewed several times to pick up and tease out issues prior to publication. At least, that’s what should happen.

The content of documents ages and can become less reliable over time. The digital debris accumulated in SharePoint Online and OneDrive for Business over years is equally likely to cajole Copilot into generating inaccurate or misleading content. Unless organizations manage old content over time, the quality of the results generated by Copilot is likely to degrade. To be fair to Microsoft, lots of work is happening in places like SharePoint Advanced Management to tackle aspects of the problem.

Protecting the Graph

I hear a lot about managing the access Copilot has to content by restricting search or blocking off individual documents. By comparison, little discussion happens about how to ensure the quality of information generated by users (with or without AI help) to prevent the pollution of the Microsoft Graph.

Perhaps we’re coming out of the initial excitement caused by thoughts about how AI could liberate users from mundane tasks to a period where we realize how AI must be controlled and mastered to extract maximum advantage. It’s hard to stop AI pollution creeping into the Microsoft Graph, but I think that this is a challenge that organizations should think about before the state of their Graph descends into chaos.


Working with Copilot Pages (Wed, 16 Oct 2024) https://office365itpros.com/2024/10/16/copilot-pages/

Copilot Pages are a Useful Way to Capture and Refine AI-Generated Text

Copilot pages featured in Microsoft’s Copilot Wave 2 announcements on September 16, 2024. With marketing’s normal ability to construct impenetrable text, Microsoft says: “Copilot Pages is a dynamic, persistent canvas in Copilot chat designed for multiplayer AI collaboration.” Parsing that sentence took me a while, but I think it means that a Copilot page is a Loop component generated from the results of a Copilot chat that can be shared with other users.

If your organization already uses both Copilot for Microsoft 365 and Loop (either the standalone app or components in Teams and Outlook), the ability to save the results generated by Copilot is very useful. Or as Microsoft puts it, a Copilot page takes “ephemeral AI-generated content and makes it durable.”

Using Copilot Pages

Figure 1 shows an example where I asked Copilot for a short summary about how to use compliance searches to purge mailbox items. After Copilot responded to the prompt, clicking the Edit in Pages button opens the Loop component to the right with the text generated by Copilot loaded and ready for editing. As you can see, I’ve used a comment to highlight an error in the text.

Figure 1: Editing a Copilot page containing AI-generated text

The page shown in Figure 1 has the Internal sensitivity label. This is the highest-priority sensitivity label assigned to the documents Copilot found and used in its response. The user can assign a different sensitivity label if appropriate. The shield with padlock used to indicate the presence of a sensitivity label doesn’t include the color configured for the label. That’s a pity because the traffic light scheme to indicate the relative sensitivity levels of labels is often used to give a visual clue to users.

After making whatever updates are required, the page can be shared with other people or copied and inserted into a Teams chat or channel conversation, Outlook message, or into the Loop app. The page behaves just like any other Loop component.

Currently, Copilot Pages are only available for user accounts with Copilot for Microsoft 365 licenses. Microsoft says in their Copilot Pages for IT admins post that “soon users with access to Microsoft … will also be able to create pages.”

Managing Pages

Editing and sharing Copilot Pages are all very well, but administrators want to know about where the data is stored and how it is managed. Insight into these and other questions comes from the admins post (notable for featuring the word “Copilot” no less than 64 times). Here we discover several key facts.

Copilot Pages are stored in SharePoint Embedded containers, just like the containers used for Loop app workspaces. The containers are visible through the SharePoint admin center (Figure 2). All the containers are called “Pages,” and although the owner’s name is visible as a property of the container, it would be useful if Microsoft included the owner’s name in the container name.

Figure 2: Copilot Pages containers shown in the SharePoint admin center

Microsoft publishes a page describing governance and compliance capabilities for Loop. The page hasn’t been updated for Copilot Pages, and the assumption is that the containers created for pages will function much like those for Loop workspaces with the caveat that “governance and compliance processes apply the same way they would to a user’s OneDrive.”

Microsoft also says that content of Copilot Pages is “lifetime-managed with the user account and is deleted when the user account is deleted from the organization. There is a default timeline where it is first soft deleted (can be recovered by an IT Admin) and then purged.” There’s also a statement about an “Admin workflow to enable access to these containers before deletion so that valuable content can be copied to new locations.”

Even if Microsoft still must deliver some features (and APIs to access Copilot Pages), the comments noted above appear to match the existing capabilities available when removing a Microsoft 365 account. Dealing with personal information can be challenging, especially when OneDrive holds so many kinds of information. Handling Copilot Pages now joins the list of things to take care of when preserving information belonging to people who leave an organization.

Using Pages as a Copilot Notebook

Like any new Microsoft 365 feature, it will take a little time for organizations and users to figure out if Copilot Pages will become part of the work landscape. Having a way to capture the output from Copilot is useful, and I think I will use these pages to record Copilot output rather than as the starting point for collaboration. But everyone’s different and it will be interesting to see how this capability evolves over time.


Support the work of the Office 365 for IT Pros team by subscribing to the Office 365 for IT Pros eBook. Your support pays for the time we need to track, analyze, and document the changing world of Microsoft 365 and Office 365.

Delve Retirement and User Profiles (Tue, 08 Oct 2024) https://office365itpros.com/2024/10/08/user-profile-delve/

Time to Consider the Impact on User Profiles for Microsoft 365 Tenants

Microsoft announced the demise of the Delve browser app in December 2023 and on October 1, they issued a reminder in MC902780 that December 16, 2024 is when the curtain finally descends on Delve. Microsoft’s formal guidance on the Delve retirement is available online along with a support document.

The Microsoft 365 User Profile

I think it’s undeniable that the management of user profile information, including photos, within Microsoft 365 has been a mess for a long time. The underlying reason is simple: Microsoft 365 is built from the foundation of on-premises servers like Exchange and SharePoint, each of which had its own directory and method to store profile photos. Throw in cloud services like Yammer (Viva Engage) and Teams and the water became even muddier.

It’s also fair to say that Microsoft has taken far too long to rationalize the situation. At one point, Delve seemed to be a potential solution, but things didn’t work out with the app. However, it’s disappointing that Microsoft didn’t see the issue and do something about the problem more quickly.

One thing is obvious. Entra ID is the directory of record for Microsoft 365. If you want to store information about people, store it in Entra ID, which supports a wide range of properties for user accounts that can be surfaced on the profile card. If you want to store custom information about people that’s specific to your tenant, use the predefined custom attributes for the job. If you need more than fifteen custom attributes, consider using Entra ID custom security attributes. The downside is that these attributes can’t be added to the profile card.

The Microsoft 365 User Profile Card

Even as different services competed to store profile data, Microsoft 365 introduced the user profile card. This is a common component used across Microsoft 365 to display properties of user accounts, including customizable properties. After December 16, Microsoft will redirect from Delve profiles to the Microsoft 365 search experience, which displays the same data as user profiles. The sample URLs described in the document seem more complex than what’s needed. I use the following format. Figure 1 shows the result.

https://www.microsoft365.com/search/?q=sean.landy@office365itpros.com

Figure 1: User profile information shown by Microsoft 365 search

The redirects will take care of casual browsing for user information. What it won’t do is allow users to upload their preferred choice of profile photos, nor will it allow users to update profile details in the same way as is possible with Delve.

Updating User Profiles

Microsoft says that they are working on a new “edit profile experience” that is “tightly coupled with the profile card.” This work is due for release in November 2024 and should allow users to edit their profile information “across Microsoft 365.” Only properties that can be edited today with Delve will be exposed and editable via an Update your profile button in the profile card.

Other details that can be set in SharePoint profiles today won’t appear in the Microsoft 365 profile card because the profile card is designed to work across the service. It’s time to move this kind of information about people out of SharePoint and into Entra ID.

Of course, it will take time for the upgraded profile card to appear in apps, but at least we know the direction in which Microsoft is going.

User Profile Photos

Microsoft doesn’t mention user profile photos in their guidance for the Delve retirement. This is odd because Delve is one of the places where Microsoft 365 users can upload profile photos.

My assumption is that the new edit profile experience will include the ability to upload photos. We won’t know if this is the case until the new UI is available. I hope that the current controls over who can upload photos will be used rather than the non-granular Entra ID Photo Update Settings policy that’s coming into view. I’ve no doubt that the photo update settings policy will be the long-term control for Microsoft 365, but it would be nice if Microsoft made it optional until the policy works in the way that it should.

And a Mention for Copilot

It seems like Microsoft sometimes operates an edict that Copilot for Microsoft 365 should be mentioned in all documentation. Copilot appears in the support documentation, which solemnly informs the reader that Copilot can find information about your colleagues, possibly as a replacement for browsing Delve. The thing is that Delve was free to tenants with Office 365 E3 and Copilot costs $30/user/month. It’s hardly a comparison.

In any case, the summary of the Delve retirement is that Entra ID is the directory of record, the user profile card feeds off Entra ID and will have a way for users to update their details. The new profile card will appear in apps gradually. After all these things happen, we will forget about Delve and its retirement next December.



Adding a Custom Test to the Maester Tool (Mon, 07 Oct 2024) https://office365itpros.com/2024/10/07/custom-maester-test/

Create a Custom Maester Test with PowerShell and the Graph

I last wrote about the Maester tool in April 2024. At that time, Maester had just been released as a community-based framework for automated testing of a Microsoft 365 tenant against well-established frameworks like MITRE. Maester has come a long way since, and it was great to catch up with Merill Fernando and Thomas Naunheim at the TEC 2024 conference in Dallas to assess its current state.

Merill has great information-packed demos, even if they are delivered at dazzling speed. The ability to create custom Maester tests grabbed my attention this time around. Out-of-the-box, Maester comes with a set of tests based on Microsoft recommendations for Entra ID and another based on the Entra ID Security Config Advisor (EIDSCA), another community-driven project.

Regular Maester Tests

Great value can be derived from the results generated by a Maester run using its default tests. You might not agree with some of the measured conditions. Last time round, my tenant failed 42 tests. The latest run failed 97. For example, my tenant failed test MS.AAD.3.7 because I don’t have a conditional access policy in place to require managed devices for authentication (Figure 1).

Figure 1: The reasons why a Maester test failed

Insisting on managed devices is important in some contexts and less important in others. This underlines the need for Maester reports to be treated as a guideline rather than an absolute requirement to pass every test. No one gets extra brownie points for achieving a perfect Maester score, and reaching such a state might be more painful than useful, as can sometimes happen when seeking better tenant security. As I have noted in the past, cranking up the sign-in frequency interval enforced by a conditional access policy might seem like a good idea, but it’s not if forcing users to constantly reauthenticate gets in the way of real work.

In any case, the results of a Maester run create a nice benchmark to measure a tenant against. How the tenant administrators decide to use that benchmark is entirely up to them.

Creating a Custom Maester Test

Coming back to the topic of this article, tenants can add custom tests for Maester to assess. Essentially, if you can grab some data like tenant settings or another type of value by running a Graph API request in PowerShell, a test can assess the data returned by the Graph and either pass or fail.

As an example, I wrote a test to check that the ability for end users to create new Microsoft 365 groups (and teams) is disabled. Allowing people to create new groups is a one-way ticket to team sprawl and excessive digital rot, so it seems like a good thing to test. The setting is in the Entra ID Groups policy and can be fetched and assessed as shown in the code below.

Describe "RAEntraConfig" -Tag "Privilege", "Office 365 for IT Pros" {
    It "OFFICE365.Test01: Check 'Group creation should be blocked for non-authorized users'" {

        # Fetch the tenant-wide directory settings and pick out the Group.Unified policy
        $Uri = "https://graph.microsoft.com/beta/settings"
        $Result = Invoke-MgGraphRequest -Method Get -Uri $Uri
        $GroupSettings = $Result.Value | Where-Object { $_.displayName -eq 'Group.Unified' }

        # EnableGroupCreation is returned as a string ("true"/"false"); PowerShell's -eq
        # compares it to $false case-insensitively, and a missing setting ($null) fails the test
        $GroupCreationControl = $GroupSettings.values | Where-Object { $_.Name -eq 'EnableGroupCreation' } | Select-Object -ExpandProperty Value
        If ($GroupCreationControl -eq $false) {
            $TestResult = $true
        } else {
            $TestResult = $false
        }

        # Pass only when end users are blocked from creating Microsoft 365 groups
        If ($null -ne $TestResult) {
            $TestResult | Should -Be $true -Because "User ability to create Microsoft 365 Groups is disabled."
        }
    }
}

Only one test is present, but you can add multiple tests to the same file. Maester can process custom tests separately or include them in a full run. Figure 2 shows the output from the custom test. It’s functional and not as pretty or informative as Figure 1, but any administrator will know what the test measures.
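As an added example (not the article’s code), here is how several related checks can share one Graph request in a single custom test file. It fetches the Group.Unified policy once in a Pester BeforeAll block and then asserts on settings from that template; the test identifiers OFFICE365.Test02 to Test05, the tag and the helper function name are this example’s own choices.

```powershell
# Added example: a Maester custom test file (Pester 5 syntax) with several checks on the
# Group.Unified directory settings template. Setting names are the template's standard
# values; test numbers and the Get-GroupSetting helper are choices made for this example.
Describe "RAEntraConfig" -Tag "Privilege", "Office 365 for IT Pros" {

    BeforeAll {
        # One Graph call for the whole file. Group.Unified is absent until the template
        # has been instantiated in the tenant, in which case every setting takes its default.
        $Result = Invoke-MgGraphRequest -Method Get -Uri "https://graph.microsoft.com/beta/settings"
        $GroupSettings = $Result.Value | Where-Object { $_.displayName -eq 'Group.Unified' }

        # Helper: return a named setting as a lower-case string, or $null when it is missing
        function Get-GroupSetting ([string]$Name) {
            $Value = $GroupSettings.values |
                Where-Object { $_.Name -eq $Name } |
                Select-Object -ExpandProperty Value
            if ($null -eq $Value) { return $null }
            return ([string]$Value).ToLowerInvariant()
        }
    }

    It "OFFICE365.Test02: Group.Unified policy exists so group settings can be governed" {
        $GroupSettings | Should -Not -BeNullOrEmpty -Because "the Group.Unified template must be instantiated before its settings can be enforced."
    }

    It "OFFICE365.Test03: Group creation is blocked for non-authorized users" {
        Get-GroupSetting 'EnableGroupCreation' | Should -Be 'false' -Because "user ability to create Microsoft 365 Groups should be disabled."
    }

    It "OFFICE365.Test04: A group of authorized creators is nominated when creation is blocked" {
        # Blocking creation without an allowed group leaves only administrators able to create teams
        if ((Get-GroupSetting 'EnableGroupCreation') -ne 'false') {
            Set-ItResult -Skipped -Because "group creation is not blocked, so no allowed group is required."
        }
        Get-GroupSetting 'GroupCreationAllowedGroupId' | Should -Match '^[0-9a-f-]{36}$' -Because "a security group should hold the accounts allowed to create groups."
    }

    It "OFFICE365.Test05: Guests cannot be owners of Microsoft 365 Groups" {
        Get-GroupSetting 'AllowGuestsToBeGroupOwner' | Should -Be 'false' -Because "guest accounts should not own groups or teams."
    }
}
```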

Figure 2: The result of a custom Maester test

If you develop a test that you think would be of interest to other organizations, you can create an issue in the Maester GitHub repository to explain the test and share the code.

Stretching and Expanding Maester

Best practice is a nebulous concept at best. In the cloud, things often change faster than the proponents of best practice can cope. Having a community-driven project like Maester available to assess your tenant is a good way to get a snapshot of how the tenant measures up against security frameworks. Being able to add your own custom Maester tests makes the tool so much better.



Microsoft Retires the Revoke-SPOUserSession Cmdlet (Fri, 04 Oct 2024) https://office365itpros.com/2024/10/04/revoke-spousersession-deprecation/

Revoke-SPOUserSession is No Longer Fit for Purpose

Microsoft’s announcement in message center notification MC903785 (3 October 2024) that they will retire the Revoke-SPOUserSession cmdlet (in the SharePoint Online PowerShell module) in early November 2024 was expected. There’s no purpose served by having a workload-specific cmdlet to revoke user access to an app when the job can be done across all workloads with a single cmdlet built for the job. That cmdlet is Revoke-MgUserSignInSession, which I discuss in an article about the right way to revoke access from Entra ID accounts.

The Roots of Revoke-SPOUserSession

Microsoft introduced the Revoke-SPOUserSession cmdlet in January 2016. That’s an aeon in cloud terms. Teams hadn’t yet appeared, Azure AD delivered a much simpler directory and authentication service, with no notion of features like continuous access evaluation (CAE), and SharePoint Online wasn’t trying to deal with nearly 4 billion files created daily.

At the time, the primary access to SharePoint Online was through the browser (now I suspect primary access is via Teams), and I’m sure that it made perfect sense to create a cmdlet to force the sign-out of a user from SharePoint Online across all devices.

Retiring Revoke-SPOUserSession

Microsoft says that their telemetry indicates that only a few organizations are active users of Revoke-SPOUserSession. I’m surprised that even a few tenants exist that might still use the cmdlet because better options have existed for some time, culminating with the Revoke-MgUserSignInSession cmdlet in the Microsoft Graph PowerShell SDK.

The critical difference is that the SDK cmdlet forces a sign-out from all Microsoft 365 sessions, not just SharePoint Online. It’s an essential part of any administrator action to secure an account because of suspected compromise or because an employee is leaving the organization. If you’re in the category of those who have scripts that use Revoke-SPOUserSession, it’s time to change before the curtain comes down.

Securing an Employee Account

All of which brings me to the second annual PowerShell script-off at TEC 2024 (in Dallas). It’s quite a challenge to strut your PowerShell skills in front of a sometimes-boisterous crowd, and I admire the folks (Figure 1) who stepped up to take part.

Figure 1: Intense coding at the TEC 2024 PowerShell script-off (and yes, the glass of wine helps)

The first challenge was to write a script to automate the securing of my account (I make a great victim) after my forced ejection from the organization at 9AM on Monday. You’d imagine that this is a well-trodden path with many sample scripts available on the internet, so the difficulty some had with the challenge was surprising. Competitors couldn’t use ChatGPT and Microsoft 365 Copilot to avoid any hint of generative AI spoiling the responses, and it was interesting to see how people approached the issue without that kind of help.

Most immediately focused on disabling the Microsoft 365 account. This is undoubtedly an important step, but there’s more to be done, like:

Forcing a sign-out with Revoke-MgUserSignInSession is a great next step, but only after changing the account password. You don’t want someone to be prompted to reauthenticate because their access tokens are invalid, only to be able to sign in again because their account password hasn’t changed. Yes, disabling the account should stop the sign-in, but let’s be sure.

Securing devices is another step. It all depends on what device management software a tenant uses, but it should be possible to wipe corporate data from devices to prevent ex-employees having continued access to local copies. Sensitivity labels help here by making sure that even if an ex-employee takes copies of sensitive files, they won’t be able to authenticate and gain the right to access the content. Sensitivity labels put a stop to the tactic often seen when people just about to leave exfiltrate large amounts of confidential documents and email (in PSTs) to removable devices. Exfiltration might work, but once the ex-employee can no longer authenticate, the confidential material becomes no more than an interesting collection of bytes.
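The account-securing steps above (disable, change the password, then revoke sessions, in that order) can be scripted with the Microsoft Graph PowerShell SDK. This is an added example, not a script-off entry or code from the article; it assumes an administrator session with the User.ReadWrite.All and User.RevokeSessions.All permissions, and the account name and the Lock-DepartedUser function name are constructed for the example.

```powershell
# Added example: secure a departed employee's account in the order the article recommends.
# 1. disable sign-in, 2. replace the password, 3. revoke refresh tokens across all workloads.
# Assumes Microsoft Graph PowerShell SDK v2 and an account holding a role that can reset
# passwords and revoke sessions. 'leaver@example.com' is a constructed placeholder.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'User.RevokeSessions.All' -NoWelcome

function Lock-DepartedUser {
    param([Parameter(Mandatory)][string]$UserId)

    $User = Get-MgUser -UserId $UserId -Property Id, UserPrincipalName, AccountEnabled -ErrorAction Stop
    $Steps = [ordered]@{ UserPrincipalName = $User.UserPrincipalName }

    # Step 1: block any new sign-in attempt
    Update-MgUser -UserId $User.Id -AccountEnabled:$false -ErrorAction Stop
    $Steps['AccountDisabled'] = -not (Get-MgUser -UserId $User.Id -Property AccountEnabled).AccountEnabled

    # Step 2: set a random password nobody knows. Done before revocation so that a forced
    # reauthentication cannot succeed with the old credential if the account is re-enabled.
    $Bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($Bytes)
    $NewPassword = 'Aa1!' + [Convert]::ToBase64String($Bytes)   # prefix covers the complexity classes
    Update-MgUser -UserId $User.Id -PasswordProfile @{
        Password                      = $NewPassword
        ForceChangePasswordNextSignIn = $true
    } -ErrorAction Stop
    $Steps['PasswordChanged'] = $true

    # Step 3: invalidate refresh tokens for every Microsoft 365 workload, not just SharePoint
    # Online, which is what Revoke-SPOUserSession used to cover on its own
    Revoke-MgUserSignInSession -UserId $User.Id -ErrorAction Stop | Out-Null
    $Steps['SessionsRevoked'] = $true
    $Steps['RevokedAtUtc']    = (Get-Date).ToUniversalTime().ToString('o')

    return [pscustomobject]$Steps
}

Lock-DepartedUser -UserId 'leaver@example.com' | Format-List
```

Access tokens already issued stay valid until they expire (typically about an hour) unless continuous access evaluation is in force, so the revocation closes the door to token renewal rather than ending every live session instantly.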

It’s Hard to Revoke Access

No one quite delivered a script to totally secure an ex-employee’s account in the 20 minutes allotted for the task (one solution was delivered that removed access from every account in the tenant). Even with access to the internet, it takes time to find, assess, and decide what code to base a solution on. The difficulty is compounded when people are looking over your shoulder to criticize every move, or even when you find a great cmdlet to revoke access that Microsoft’s just about to deprecate…


Learn more about how the Microsoft 365 applications really work on an ongoing basis by subscribing to the Office 365 for IT Pros eBook. Our monthly updates keep subscribers informed about what’s important across the Office 365 ecosystem.

TEC 2024 Rolls Into Dallas (Fri, 27 Sep 2024) https://office365itpros.com/2024/09/27/tec-2024-dallas/

The Practical Microsoft 365 Event


TEC 2024 (aka, “The Experts Conference”) takes place at the Loews Arlington Hotel on Tuesday and Wednesday next week (October 1-2, 2024) with full-day workshops on Monday, September 30. The last few tickets still remain if you find the sudden urge to mix technology with Tex-Mex cuisine.

TEC is my favorite technology conference. There are several reasons why:

  • A great team of people organize and run TEC. They’re all smiles.
  • There are always great keynote speakers (see below).
  • Speakers and attendees have the chance to mingle and exchange ideas in a way that just doesn’t happen at large conferences like Microsoft Ignite.
  • TEC includes fun sessions like the PowerShell script-off where competitors have the chance to strut their PowerShell skills in solving some real-world problems using my favorite scripting language. This year, the competitors are banned from using AI tools like ChatGPT and Microsoft 365 Copilot (both of which can generate pretty awful code) but can “phone a friend” to get advice.
  • Great conference parties where vendors aren’t demanding their pound of flesh before people can attend.

Unfortunately, TEC sessions are not recorded for later access. A substantial cost is involved in recording a conference and the TEC organizers decided to keep ticket prices low by eliminating “nice to have but unnecessary” costs. However, articles covering many TEC sessions appear on Practical365.com after the event, so you can keep an eye on that site to learn more.

TEC 2024 Keynote Speakers

TEC selects keynote speakers to provoke conference attendees to think about the current state of IT rather than to push the latest and greatest product. This year, TEC 2024 features:

  • Paul Thurrott, the well-known co-host of the Windows Weekly webcast and the brains behind Thurrott.com, will cover the future of Windows (or the lack thereof). Paul is never one to hold back on his opinions, so attendees can expect some fireworks in this session.
  • Andy Greenberg, a senior writer for Wired.com, covers “From Crypto Crime to Cyberwar: Stories From the Front Lines.” TEC attendees will receive a copy of Andy’s latest book, “Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency” and can have their copy signed.
  • Shinesa Cambric from Microsoft will talk about “Identity. Where it’s been and where it’s going.” Shinesa will also hold a signing for her “Cloud Auditing Best Practices” book. Given the ongoing very real threat to on-premises and cloud deployments through badly-protected user accounts, this session should be thought-provoking.

TEC keynote speakers are an integral part of the event. The best example I can give about how keynote speakers participate in a really impactful way is how Alex Weinert, VP of Entra Security at Microsoft, took the time to sit down and help a user remove some malware from her PC at TEC 2022. Talk about going beyond the call of duty!

Workshops

TEC 2024 hosts two Microsoft 365 workshops: one on understanding and managing conditional access policies, the other on using PowerShell to automate common administrative scenarios for on-premises and cloud environments. Both are good topics, and the conditional access workshop has racked up a large attendance. I guess this reflects the challenges of building conditional access policies for an organization and the need for people to understand exactly how conditional access conditions work when Entra ID evaluates inbound connections, including controlling access by guest accounts. I hope that the session emphasizes how to impose practical security instead of using policies to make the user experience miserable.

I plan to spend some time in both workshops and look forward to learning something new from the presenters.

On to Dallas

Naturally, I’ll be looking for topics that I can cover in the Office 365 for IT Pros eBook and in articles for this site. I usually find several things to write about after attending TEC sessions, and I expect TEC 2024 to be no different. See you in Dallas!

The New Entra ID Photo Update Settings Policy for User Profile Photos (Mon, 16 Sep 2024) https://office365itpros.com/2024/09/16/photo-update-settings-policy/

Photo Update Settings Policy is Long-term Unified Replacement for Other Controls

Given the historical foundation of Microsoft 365 in several on-premises applications, it probably wasn’t surprising that we ended up with a confusing mish-mash of routes by which it was possible to update the profile photos for user accounts through SharePoint, Exchange, Teams, Delve, PowerShell, and so on. Looking back, it took a surprising amount of time before Microsoft acknowledged that the situation was untenable.

A new approach that worked across Microsoft 365 was necessary. That process began in October 2023 with the retirement of the Exchange Online cmdlets to update photos for mailboxes. Entra ID is now the definitive source of photo information for user accounts and groups and the foundation for the new approach is a set of Graph APIs surfaced as cmdlets in the Microsoft Graph PowerShell SDK, like Set-MgUserPhotoContent.

A New Photo Update Settings Policy to Control User Profile Updates

In June 2024, Microsoft introduced a new Entra ID policy based on the photoUpdateSettings resource to control who can update photos and the allowed sources for updates. Managing the photo update settings policy requires the PeopleSettings.ReadWrite.All scope. The settings for a tenant can be retrieved as follows:

$Uri = "https://graph.microsoft.com/beta/admin/people/photoupdatesettings"
$Settings = Invoke-MgGraphRequest -Uri $Uri -Method Get
$Settings

Name                           Value
----                           -----
allowedRoles                   {}
@odata.context                 https://graph.microsoft.com/beta/$metadata#admin/people/photoUpdateSettings/$entity
Source

The settings shown above are the default. The supported values are described in the photoUpdateSettings documentation.

Controlling From Where Photos Can Be Updated

The source for photo updates can be undefined, meaning that photo updates can be sourced from applications running in either the cloud or on-premises (synchronized to Entra ID from Active Directory). Alternatively, you can set the source to be either cloud or on-premises. For example, to update the settings so that photo changes are only possible through cloud applications, create a hash table with a single item to change the source to cloud and use the hash table as the payload to patch the policy:

$Body = @{}
$Body.Add("Source", "Cloud")
$Settings = Invoke-MgGraphRequest -Uri $Uri -Method Patch -Body $Body

Like any update to an Entra ID policy, it can take 24 hours before the policy update is effective across a tenant.

Controlling Who Can Update Photos

By default, any user can update the photo for their account and the value for AllowedRoles is blank. If you want to restrict who can update photos, you can select one or more directory roles and include the GUIDs for these roles in the AllowedRoles property (a string collection).

The roles defined in AllowedRoles must hold the permission to set user photos. In Graph terms, these permissions are either microsoft.directory/users/photo/update or microsoft.directory/users/allProperties/allTasks (only held by the Global administrator role). The following roles can be used:

  • Directory writers (9360feb5-f418-4baa-8175-e2a00bac4301).
  • Intune administrator (3a2c62db-5318-420d-8d74-23affee5d9d5).
  • Partner Tier1 Support (4ba39ca4-527c-499a-b93d-d9b492c50246) – not intended for general use.
  • Partner Tier2 Support (e00e864a-17c5-4a4b-9c06-f5b95a8d5bd8) – not intended for general use
  • User administrator (fe930be7-5e62-47db-91af-98c3a49a38b1).
  • Global administrator (62e90394-69f5-4237-9190-012177145e10).

All are privileged roles, meaning that they enjoy a heightened level of access to sensitive information.

To update the photo settings policy to confine updates to specific roles, build an array holding the GUIDs of the selected roles (allowedRoles is a string collection, so the payload must serialize as a JSON array rather than as a set of keys). Put the array into a hash table to form the payload and patch the policy.

$Roles = @(
  "62e90394-69f5-4237-9190-012177145e10",   # Global administrator
  "fe930be7-5e62-47db-91af-98c3a49a38b1"    # User administrator
)
$Body = @{}
$Body.Add("allowedRoles", $Roles)
$Settings = Invoke-MgGraphRequest -Uri $Uri -Method Patch -Body $Body

To reverse the restriction by removing the roles, run this code:

$Body = '{
  "allowedRoles": []
}'
$Settings = Invoke-MgGraphRequest -Uri $Uri -Method Patch -Body $Body

Limiting photo updates for user accounts to the user administrator and global administrator roles means that, after the new policy percolates throughout the tenant, any account that doesn’t hold one of those roles cannot change its profile photo.
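Putting the source and role controls together, as an added example that is not from the original article: restrict photo updates to named roles from the list above and to cloud applications, then read the policy back to confirm what Entra ID stored. It assumes a Connect-MgGraph session with PeopleSettings.ReadWrite.All; the function name is ours, the role GUIDs are those listed in the article, and the on-premises source value 'OnPremises' is an assumption.

```powershell
# Added example, not from the original article. Assumes Connect-MgGraph has
# already run with PeopleSettings.ReadWrite.All.
$PhotoUpdateSettingsUri = "https://graph.microsoft.com/beta/admin/people/photoupdatesettings"

# Directory roles that hold the photo update permission (GUIDs from the article).
$PhotoRoleIds = @{
    'Directory writers'    = '9360feb5-f418-4baa-8175-e2a00bac4301'
    'Intune administrator' = '3a2c62db-5318-420d-8d74-23affee5d9d5'
    'User administrator'   = 'fe930be7-5e62-47db-91af-98c3a49a38b1'
    'Global administrator' = '62e90394-69f5-4237-9190-012177145e10'
}

function Set-PhotoUpdatePolicy {
    param(
        # Display names from $PhotoRoleIds; an empty list removes the role restriction.
        [string[]]$AllowedRoleNames = @(),
        # 'Cloud' is from the article; 'OnPremises' as the on-premises value is assumed.
        [ValidateSet('Cloud', 'OnPremises')]
        [string]$Source
    )

    # Map names to GUIDs and reject anything outside the permitted list.
    [string[]]$RoleIds = @(foreach ($Name in $AllowedRoleNames) {
        if (-not $PhotoRoleIds.ContainsKey($Name)) {
            throw "Role '$Name' cannot hold the photo update permission; choose from: $($PhotoRoleIds.Keys -join ', ')"
        }
        $PhotoRoleIds[$Name]
    })

    # allowedRoles is a string collection, so it must serialize as a JSON array
    # (a hash table keyed by GUID would serialize as an object instead).
    $Body = @{ allowedRoles = $RoleIds }
    if ($Source) { $Body['source'] = $Source }

    Invoke-MgGraphRequest -Uri $PhotoUpdateSettingsUri -Method Patch -Body $Body | Out-Null

    # Read the policy back. This is what Entra ID stored; clients may take up to
    # 24 hours to honour it across the tenant.
    $Settings = Invoke-MgGraphRequest -Uri $PhotoUpdateSettingsUri -Method Get -OutputType PSObject
    $StoredIds = @($Settings.allowedRoles)
    [PSCustomObject]@{
        Source       = $Settings.source
        AllowedRoles = @($PhotoRoleIds.GetEnumerator() |
            Where-Object { $StoredIds -contains $_.Value } |
            ForEach-Object { $_.Key })
    }
}

# Restrict to user and global administrators, cloud updates only:
# Set-PhotoUpdatePolicy -AllowedRoleNames 'User administrator', 'Global administrator' -Source Cloud
# Lift the role restriction again (the source setting is left unchanged):
# Set-PhotoUpdatePolicy
```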

The Teams client is probably the best example, and its implementation is not yet optimal. The block on photo updates imposed by an OWA mailbox policy causes Teams to inform the user that administrative restrictions stop photo updates. If the photo update settings policy restricts updates to specific roles, Teams allows the user to go through the process of selecting and uploading a photo before failing (Figure 1).

Figure 1: A failure to update a profile photo due to policy restrictions

An Early Implementation of the Photo Update Settings Policy

Inconsistencies appear in the early stages of implementation. It will take time for Microsoft to update clients to allow and block profile updates based on the photo settings policy. And it will take time for tenants to move from the previous block imposed by OWA mailbox policies. In doing so, you’ll notice that the only restriction supported by the new policy is through roles. The OWA mailbox policy setting allows per-user control and multiple policies can exist within a tenant. The current situation therefore delivers a less granular policy.

Maybe a less granular mechanism will be acceptable if it helps with the rationalization of photo updates across Microsoft 365. However, I can’t help thinking that this is a retrograde step. Perhaps Microsoft will address the need for more granular control through Entra ID administrative units, which seems to be the answer for this kind of requirement everywhere else in Entra ID.



Microsoft Withdraws Copilot Catch Up Feature (Fri, 30 Aug 2024) https://office365itpros.com/2024/08/30/copilot-catch-up/

Copilot Catch Up Fails to Impress

On August 28, 2024, Microsoft posted a revision to message center notification MC799636 (Microsoft 365 roadmap item 388746) to announce their decision to completely roll back their deployment of the new “catch up” feature for Copilot for Microsoft 365 and Teams. The roll back operation will start on September 2. Previously, the feature was supposed to reach general availability in early August 2024.

According to Microsoft, the deployment had reached 50% of users. These are eligible accounts with Copilot for Microsoft 365 licenses. Given that many large enterprises have committed to Copilot for Microsoft 365, the number of affected users might be a few million.

The Black Box of Card Determination

The blurb for the Copilot catch up feature says that it “helps users [to] take action on important updates.” In other words, Copilot had found something it deemed of interest to the signed-in user and brought the item to their attention in a series of cards that rotated through a carousel. In my case, the feature only turned up a couple of days ago. Figure 1 shows what I see. The three cards cover a Word document (chapter 2 for the Office 365 for IT Pros eBook), a calendar invitation, and a Loop workspace.

Figure 1: Copilot catch up

Like many elements of artificial intelligence, the process to determine what cards to display is a black box. Looking at the cards chosen by Copilot, I can see the logic of selecting the Word document because it’s a reminder that its content has changed, and I need to review the updates. The meeting is probably there because it happens later today. To help me prepare, Copilot found an email sent about a Teams service outage which frankly is of zero relevance to the meeting. The sole connection is that the word Teams appears in the subject for both the meeting invitation and email. The selection reminds me of “I must find something” instead of “I must find something useful.” I can’t account for why Copilot chose the Loop workspace because nothing has happened in it for months. Perhaps Copilot Catch Up wanted to be diverse in its choice of application sources.

I don’t think I shall miss the carousel. It seems like a modern take on the many ways that Office apps suggest documents to users or the way that the now-deprecated Delve highlights documents to users. The Viva Insights for email feature available in Outlook clients is another example of how Microsoft seeks to extract value from user data to highlight “things to do.”

Automatic Document Summaries by Copilot for Microsoft 365

The list key points link on the card for the Word document (Figure 2) appears to do what I expect to see when Microsoft deploys message center notification MC871010 (Microsoft 365 roadmap item 399921), scheduled for late August. This update promises that Copilot “will generate a summary in the window at the top of the Word document.”

Figure 2: Bulleted points for a Word document generated by Copilot for Microsoft 365

MC866152 (23 August 2024) also covers the same ground for Microsoft Copilot (the version that doesn’t use the Graph).

I have some problems with the idea of generating automatic summaries because I fear it might slow down the opening of large documents based on the current performance in the Copilot chat app. It seems like a terrific demo feature that works well for 2-page documents. I can’t imagine how it will cope with the 1,300 pages of the Office 365 for IT Pros eBook source file. MC866452 says that the summary window can be collapsed to hide it. There’s no detail about what I really want to do, which is to disable automatic summaries for all Word documents.

Copilot Can’t do Everything

Figuring out what features will really be interesting and useful is an aspect of software engineering that is often very difficult. Sometimes I think Microsoft tries too hard, tries to be too clever, or utterly fails to understand how people outside Microsoft work. Applying artificial intelligence to as many aspects of Microsoft 365 as possible is madness, even if it keeps senior management happy.

The truth is that not every idea discussed around a conference table in Redmond or virtually in a Teams call is valuable. Sometimes it takes exposure in the harsh light of reality to figure out what works and what doesn’t. The demise of Copilot catch up is a reminder to us all that just because a new feature appears, its value needs to be assessed in terms of how it contributes to the success of the business.



Switching Microsoft 365 Data Report Privacy On and Off (Thu, 15 Aug 2024) https://office365itpros.com/2024/08/15/usage-reports-api-ga/

Admin Settings API to Control Usage Reports Data Gets an Update

If you don’t follow the sometimes-anarchic world of the Microsoft Graph, message center notification MC859853 (13 August 2024) might have passed you by without comment. However, given the importance of reporting usage data to understand the activity level within tenants, this is a significant change.

The option to anonymize user information like display names in usage reports generated from the Microsoft Graph has existed since 2020. The control for the option is under Reports in the Org Settings section of the Microsoft 365 admin center and its purpose is to protect the privacy of users. The control affects all access to usage data via the Graph, including reports generated using PowerShell, such as the Teams and Groups Activity Report. In fact, if you choose to obfuscate user data, reports lose much of their value and can make it impossible to derive comparisons between different forms of usage data. For instance, the script to analyze use of different Microsoft 365 workloads by individual accounts to determine who could best use Copilot for Microsoft 365 licenses depends on being able to match user principal names.

Programmatic Access to Set the Privacy Control for Usage Reports Data

It’s useful for programs and scripts to be able to turn the privacy control off to fetch usage data and back on again when finished. Until now, programmatic access to control the privacy setting for usage reports existed in the beta adminReportSettings Graph API. What’s changed is that the API is now generally available and therefore available through the V1.0 Graph endpoint. In the past, a script might have done something like this to check if the privacy setting was on or off:

$Uri = "https://graph.microsoft.com/beta/admin/reportSettings"
$Data = Invoke-MgGraphRequest -Method Get -Uri $Uri
Write-Host ("The current report privacy setting is {0}" -f $Data.displayConcealedNames)

The current report privacy setting is False

Now that the API is generally available and fully supported, the URI is https://graph.microsoft.com/v1.0/admin/reportSettings. For instance, to switch the privacy setting on, you’d do:

$Uri = "https://graph.microsoft.com/v1.0/admin/reportSettings"
$Settings = @{}
# displayConcealedNames is a boolean property, so pass $true rather than the string "true"
$Settings.Add("displayConcealedNames", $true)
Invoke-MgGraphRequest -Uri $Uri -Method Patch -Body $Settings

The Microsoft Graph PowerShell SDK has just had a refresh to V2.22, but the SDK cmdlets haven’t yet caught up with the change and still use the beta endpoint. This means that you should use Get-MgBetaAdminReportSetting to fetch values and Update-MgBetaAdminReportSetting to switch the control from on to off or vice versa.

To update the privacy control, the signed-in account must hold the global administrator role and the app used must have consent for the ReportSettings.Read.All permission.
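The turn-off, fetch, turn-back-on pattern described above, as an added example that is not from the original article. It assumes a Connect-MgGraph session as a global administrator with ReportSettings.ReadWrite.All and Reports.Read.All (both assumed), uses the active user detail report as the example data set, and the function names and output path are ours.

```powershell
# Added example, not from the original article. Assumes Connect-MgGraph has
# already run as a global administrator with ReportSettings.ReadWrite.All and
# Reports.Read.All (both assumed).
$ReportSettingsUri = "https://graph.microsoft.com/v1.0/admin/reportSettings"

function Get-ReportPrivacySetting {
    # Returns $true when usage reports conceal user names.
    [bool](Invoke-MgGraphRequest -Method Get -Uri $ReportSettingsUri -OutputType PSObject).displayConcealedNames
}

function Set-ReportPrivacySetting {
    param([Parameter(Mandatory)][bool]$ConcealNames)
    # Send a real boolean: displayConcealedNames is Edm.Boolean, not a string.
    Invoke-MgGraphRequest -Uri $ReportSettingsUri -Method Patch `
        -Body @{ displayConcealedNames = $ConcealNames } | Out-Null
}

function Export-UsageReportWithNames {
    param(
        [ValidateSet('D7', 'D30', 'D90', 'D180')]
        [string]$Period = 'D7',
        [string]$OutputPath = (Join-Path ([IO.Path]::GetTempPath()) "ActiveUserDetail_$Period.csv")
    )

    $Previous = Get-ReportPrivacySetting
    try {
        # Only flip the control when it is actually on.
        if ($Previous) { Set-ReportPrivacySetting -ConcealNames $false }

        # Active user detail is a CSV download; -OutputFilePath writes it to disk.
        $ReportUri = "https://graph.microsoft.com/v1.0/reports/getOffice365ActiveUserDetail(period='$Period')"
        Invoke-MgGraphRequest -Method Get -Uri $ReportUri -OutputFilePath $OutputPath
    }
    finally {
        # Restore the tenant's original choice even if the download failed,
        # so user names are not left exposed in every later report.
        if ($Previous) { Set-ReportPrivacySetting -ConcealNames $true }
    }

    $Rows = @(Import-Csv -Path $OutputPath)
    # With privacy off this is a real UPN; with it on it would be an opaque value.
    $SampleUpn = if ($Rows.Count -gt 0) { $Rows[0].'User Principal Name' } else { $null }
    [PSCustomObject]@{
        Path            = $OutputPath
        Rows            = $Rows.Count
        SampleUpn       = $SampleUpn
        PrivacyRestored = (Get-ReportPrivacySetting) -eq $Previous
    }
}

# Export-UsageReportWithNames -Period D7
```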

Backup Restore Module in V2.22 of the Microsoft Graph PowerShell SDK

One of the notable things about V2.22 of the Microsoft Graph PowerShell SDK is the appearance of a new beta module for Microsoft 365 Backup (backup and restore operations). To list the commands in the module, run Get-Command:

Get-Command -Module Microsoft.graph.beta.backuprestore

Use of the cmdlets requires consent for the BackupRestore-Control.Read.All permission (Figure 1).

Figure 1: Granting consent for permission to use Microsoft 365 Backup APIs

Despite having the permission and an active Microsoft 365 Backup schedule in place for SharePoint Online, OneDrive for Business, and Exchange Online, all attempts to use the cmdlets met with an internal error. Oh well, Microsoft 365 backup is only just generally available, and this is a beta module. Things are expected to go wrong. It’s just another opportunity for improvement within the Microsoft 365 ecosystem.

Graph Keeps On Growing

Being able to control usage report data privacy and Microsoft 365 Backup through Graph APIs are two examples of how people might not have considered using the Graph to automate common administrative scenarios. It’s proof of the growing influence of the Graph, and underlines why Microsoft 365 tenant administrators need to become Graph literate.



Comparing Microsoft Cloud Email Services (Tue, 13 Aug 2024) https://office365itpros.com/2024/08/13/microsoft-cloud-email-services/

HVE and ECS Compete for Different Customers of Microsoft Cloud Email Services

I need to apologize to some of the subscribers to the Office 365 for IT Pros eBook. Over the last few weeks, I’ve been using you as the targets for emails sent using Exchange Online High-Volume Email (HVE) and the Azure Email Communication Service (ECS).

Both solutions focus on sending large quantities of email. HVE is more internal-focused but can handle external messages. HVE is part of Exchange Online and intended to help customers move off on-premises servers to handle traffic generated by multi-functional devices and applications. ECS is a standalone offering that can handle large volumes of external email such as newsletters, subject to thresholds set by Microsoft. According to Microsoft, ECS is very popular and handles large amounts of messages daily.

HVE is in preview and is free to use today. When it’s generally available, HVE will likely cost for some traffic. ECS is already a pay-as-you-go service that must be funded by an Azure subscription.

Seeking Test Email Targets for Microsoft Cloud Email Services

When setting out to test the effectiveness of emailing solutions, you need large numbers of target recipients. Little is to be learned by sending a couple of messages to a few internal recipients. To run a better trial, I decided to use HVE and ECS to send reminder messages to subscribers of the 2024 edition of the Office 365 for IT Pros eBook to ask if they wanted to take advantage of an offer to extend their subscription. Sending email to ask people to buy something or take out a subscription seemed like a pretty good scenario to test the usability of HVE and ECS.

Comparing HVE and ECS

Overall, HVE is easier to use. Less setup is required, and the PowerShell used to generate and submit messages is based on the old (deprecated) Send-MailMessage cmdlet. No shortage of articles can be found on the internet to tell you how to use Send-MailMessage. Because of the need to provide an email service for apps and devices, HVE uses a restricted form of basic authentication with the SMTP AUTH protocol. Support for modern authentication is coming, but using basic authentication for internal messages will make the switchover to HVE much easier.

HVE reporting (Figure 1) is basic. More comprehensive reporting is built into ECS. In both cases, feedback from sent messages is minimal, so figuring out what happened to messages is tough. ECS can tell you the number of messages it failed to send but HVE is silent on this point. However, HVE is in preview and Microsoft says that they will deliver better reporting when the solution is generally available.

Figure 1: HVE Mail Statistics

The ECS setup is more complicated if you’re unaccustomed to dealing with Azure resources and billing. ECS uses an Entra ID app for authentication and to prove that an app (like a PowerShell script) has the right to submit messages to the service. Creating and submitting messages to ECS is similar to using Graph-based cmdlets like Send-MgUserMail. Some differences exist because a different API is used, but the basics of building a hash table of message parts and converting it to JSON before sending won’t be unfamiliar.

Throttling and thresholds were the biggest issue I encountered with both ECS and HVE. It took a little while to find where limits applied in practice and to investigate ways around them. Microsoft has a documented process for applying for higher limits for ECS but my ability to navigate the process failed and I never managed to achieve a higher threshold. Microsoft is careful with HVE while it is in preview and some limitations (like the 2,000 external recipients per tenant daily) are hardcoded and won’t change until the software reaches general availability.

Testing of both Microsoft Cloud Email Services Proves Valuable

As always, the opportunity to conduct realistic tests over a sustained period proved invaluable in gaining an understanding about how HVE and ECS work. In my case, sending thousands of reminder messages to Office 365 for IT Pros subscribers certainly taught me a lot. You can read more about my experiences in articles covering HVE and ECS in depth. Other articles about HVE and ECS are available on the internet, but most are content to send just a few test messages and then declare success. That’s no way to exercise a high-volume email system.

If you’re interested in one of these services, my advice is to spin up both and test using a sample of messages that your organization needs to send. Exchange Online tenants will, I think, select HVE, but I can see why ECS has its attractions especially if the focus is on sending large quantities of email to external recipients. Beauty is in the eye of the mail sender.



Microsoft 365 Admin Center to Take Over License Assignments (Fri, 09 Aug 2024) https://office365itpros.com/2024/08/09/license-assignments-move/

License Assignments Cease in Entra Admin Center from September 1, 2024

Microsoft hasn’t announced the change formally yet, but a notice posted in the Entra admin center and associated documentation proclaims that from September 1, 2024, administrators won’t be able to assign any form of license to user accounts or groups through the Licenses page of the Entra admin center (Figure 1). In addition, it will no longer be possible to assign or update licenses by editing user account properties in the Entra admin center. Instead, administrators must make license assignments through the Microsoft 365 admin center.

Figure 1: License assignments in the Entra admin center

Following the switchover, it will still be possible for administrators to view license assignments in the Entra admin center. Only new license assignments and updates to current assignments are blocked.

According to Microsoft documentation, the change will “streamline the license management process within the Microsoft ecosystem.” A case can certainly be argued that it’s better to centralize license management in one place, even for Entra P1 and P2 premium licenses. Given that Microsoft 365 consumes most licenses, it is logical to focus licensing activity on the Microsoft 365 admin center.

PowerShell Remains Unaffected

The change only affects the GUI in the Entra admin center. Licenses can still be assigned to users and groups via the Microsoft Graph PowerShell SDK or Graph API requests. Any tools written based on the SDK or Graph requests such as the Microsoft 365 Licensing Report remain unaffected.

Microsoft 365 Admin Center Updates

License management has been present in the Microsoft 365 admin center for a while. Group-based license management is a relatively new addition (Figure 2) and supports the same feature set as the Entra admin center.

Figure 2: Group-based license assignments in the Microsoft 365 admin center

One nagging doubt that I have about the move is that the Microsoft 365 admin center is invariably slower at dealing with anything to do with licensing than the Entra admin center is. Perhaps folks who work on the Microsoft 365 admin center need some advice on efficient license management techniques from their Entra colleagues. Another is that the Microsoft 365 admin center doesn’t support administrative units in the same way as the Entra admin center does (albeit requiring Entra P1 licenses). Hopefully, administrative unit support will appear in the Microsoft 365 admin center soon.

Overall, I don’t think making the Microsoft 365 admin center the fulcrum for license assignments will discomfort anyone except people who write about license assignments. Proving the value of ePublishing, we’ll document this change in the September 2024 update of the Office 365 for IT Pros eBook (2025 edition).

Self-Service Purchases Get a GUI

A change that might have more impact is the one announced in message center notification MC853238 (6 August 2024). For years, tenant administrators have complained about the way Microsoft opened up self-service purchases to users and the need to use the awful MSCommerce PowerShell module to disable the ability for users to buy licenses.

MC853238 says that in mid-September 2024, the Microsoft 365 admin center will have a new Self-service trials and purchases option under Org Settings (Figure 3) to enable or disable self-service license purchases previously only manageable through PowerShell.

Figure 3: Self-service and trial product licenses in the Microsoft 365 admin center

Administrators can choose to:

  • Allow self-service trials and purchases: Users are allowed to apply for trial licenses and buy self-service licenses.
  • Allow trials only: Even after a successful trial, the user cannot purchase a license.
  • Do not allow purchases: Users cannot purchase self-service licenses.

It’s surprising that Microsoft has taken so long to introduce the GUI to manage self-service purchases, but at least it’s happening now.

Friday Happiness

These changes are good examples of the kind of updates that flow through Microsoft 365 on an ongoing basis. Neither is earth-shattering. They won’t cause processes to stop working unless you really depend on the Entra admin center for license assignments. Even if you do, the switch to the Microsoft 365 admin center is easy. Everyone should ignore some of the breathless hype around these changes and have a nice weekend, which is what I plan to do.

Microsoft Quashes Bad Habit of Sending Passwords in Email (Mon, 05 Aug 2024) https://office365itpros.com/2024/08/05/send-password-in-email-m365/

Removal of Microsoft 365 Admin Center Option to Send Password in Email

In a change that surprises only because it took so long to be made, message center notification MC837081 (29 July 2024) announces that administrators will lose the option to send user passwords in email after August 30, 2024. Although the detail in the post is hazy, I assume that this change refers to the “Email the sign-in info to me” option after changing a user account password in the Microsoft 365 admin center (Figure 1).

Send password in email option in the Microsoft 365 admin center.
Figure 1: The option to send a user’s password to administrators

Sending Passwords in Email is a Terrible Idea

The option to send a changed password by email has always existed in Office 365/Microsoft 365, possibly because it’s difficult to remember system-generated passwords. Sending email to the administrator to remind them about the password is possibly a lesser evil than writing down a system-generated password.

Users should always be forced to change their password when they first sign in after an administrative process changes their password. Even if a secure system-generated password is used, it’s unlikely that the user will remember it and they’ll either write the password down on a sticky note or request another password change. It’s better to let the user use the self-service password reset (SSPR) feature to choose their own password, providing it meets password complexity requirements.

An argument can be made that passwords don’t matter all that much anymore. This might be true if strong multifactor authentication (like the authenticator app or passkeys) protected every Microsoft 365 account and we had reached the stage where passwordless operation was possible everywhere, but there’s more work to be done before Microsoft 365 gets to that point.

Overall, sending password information in unencrypted email is a terribly bad idea that encourages people to treat passwords with less respect than they should. Purview Data Loss Prevention (DLP) includes sensitive data types for Azure AD (Entra ID) user credentials, User login credentials, and All credential types to help organizations block emails and Teams messages containing usernames and passwords.
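As an added example (not code from the original post), here is how a tenant could build the DLP block described above from Security & Compliance PowerShell. It assumes the ExchangeOnlineManagement module, a Compliance Administrator role, and that the sensitive information types are named as the post lists them; the script checks each name against the tenant before using it, and the policy and rule names are my own.

```powershell
# Added example, not from the original post: a DLP policy that blocks email and
# Teams messages containing credentials, using the sensitive information types
# (SITs) the post mentions. Assumes the ExchangeOnlineManagement module and a
# Compliance Administrator role. Policy and rule names are constructed here.
Connect-IPPSSession

# SIT names as given in the post; verified below because names can differ
# between clouds and releases.
$SitNames = @('User Login Credentials', 'Azure AD User Credentials')

$Sits = foreach ($Name in $SitNames) {
    $Sit = Get-DlpSensitiveInformationType -Identity $Name -ErrorAction SilentlyContinue
    if (-not $Sit) { throw "Sensitive information type '$Name' not found in this tenant" }
    # One match is enough: a single password in a message is already a problem
    @{ Name = $Sit.Name; minCount = '1' }
}

$PolicyName = 'Block credentials in email and Teams'
if (-not (Get-DlpCompliancePolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    # Start in test mode with notifications so false positives surface before
    # anything is blocked; switch to -Mode Enable once the rule is tuned.
    New-DlpCompliancePolicy -Name $PolicyName `
        -Comment 'Stops usernames and passwords being sent in email or Teams messages' `
        -ExchangeLocation All -TeamsLocation All -Mode TestWithNotifications

    New-DlpComplianceRule -Name 'Block credential sharing' -Policy $PolicyName `
        -ContentContainsSensitiveInformation $Sits `
        -BlockAccess $true -BlockAccessScope All `
        -NotifyUser Owner `
        -NotifyPolicyTipCustomText 'This message appears to contain a password. Use an approved channel to share credentials.' `
        -GenerateIncidentReport SiteAdmin -ReportSeverityLevel High
}

# Read back the rule so the configured SITs and block action can be confirmed
Get-DlpComplianceRule -Policy $PolicyName |
    Format-List Name, Policy, ContentContainsSensitiveInformation, BlockAccess, BlockAccessScope
```

Once the incident reports show the rule matching only genuine credential sharing, change the policy to -Mode Enable with Set-DlpCompliancePolicy.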

The Print Option

Microsoft’s suggested replacement is to use “the new Print option in the Microsoft admin center to save the user account details and share them in a secure manner with your users.” I don’t see any trace of a new Print option in the Microsoft 365 admin center and the advice in the documentation is to use the print to PDF feature (CTRL/P). This works, even if it creates too many pages in the output PDF, and the method has the advantage that the PDF can be protected by a sensitivity label. I imagine that in most cases the PDF will be sent as an email attachment to someone like the user’s manager instead of being printed off and carried by an administrator direct to the user.

How best to get a new password to a user in a secure manner is a good discussion for tenant administrators to have. Given that many users work from home, it seems like making a phone call to communicate the new password is the most practical method. That is, if you can reach the user. Another idea I have heard is to use Azure Key Vault to store updated credentials that a user can access through an Azure function.

Moving On

I doubt that many will mourn the passing of the option to send a user’s password to administrators via email. It’s a legacy artifact from a simpler time when passwords weren’t treated with as much respect as they deserve. It’s time to move on toward a future where user passwords are less important than they are now.


Learn how to exploit the data available to Microsoft 365 tenant administrators through the Office 365 for IT Pros eBook. We love figuring out how things work.

Microsoft Cloud Revenues Keep on Growing - https://office365itpros.com/2024/08/02/microsoft-fy24-q4-results/ - Fri, 02 Aug 2024 03:00:00 +0000

But No New Numbers for Office 365 and Teams Users in Microsoft FY24 Q4 Results

As has become the norm, Microsoft delivered another solid set of quarterly results (FY24 Q4) on July 30, 2024. The headline number was the $36.8 billion for Microsoft Cloud, a 21% growth year-over-year equating to an extra $6.5 billion earned in FY24 Q4 compared to the same quarter the previous year. The annualized run rate for Microsoft Cloud is now $147.2 billion. The gross margin for Microsoft Cloud decreased two points to 69% but Microsoft expects it to go back up in the current quarter.

Microsoft FY24 Q4 Results

Also following its norm, Microsoft successfully obscured the numbers for segments like Teams (no updated number provided, so the official number remains at 320 million monthly active users claimed in October 2023). Teams Premium now has 3 million users, or less than 1% of the total Teams installed base. Microsoft said that the seat growth was up 400% year-over-year, proving once again that impressive growth figures are always possible from a low base.

Office 365 Numbers and Growth

Amy Hood said that Office 365 commercial seats grew 7% year-over-year, but this isn’t helpful without a base number to compare it against. The last we heard was the “over 400 million paid seats” cited in January 2024 or the 382 million number given in April 2023. Possibly the unwillingness to share precise numbers is to disguise a slowdown in new user acquisition over the last year or so. Office 365 Commercial revenue increased 13% (14% in constant currency). The same level of growth is expected to continue in Q1.

More impressively, Enterprise Mobility and Security now has 281 million paid seats. That’s an increase of 13 million over two quarters. Another number is that Power Platform now has 48 million monthly active users. I assume most of these people are Office 365 users. If so, has Power Platform really reached 12% of the Office 365 base? I guess it’s possible and Microsoft is certainly doing all that it can to encourage more use, such as retiring the Office 365 connectors in favor of workflows.

GitHub Everywhere

The transcript of the call with market analysts illustrates Microsoft’s intention to discuss Copilot and AI at every opportunity and the continued fascination in the market about whether the huge investment in datacenter capacity will ever generate a return. CFO Amy Hood said that Microsoft spent $19 billion on capital expenditure during the quarter, almost all of it related to Cloud and AI. The spend breaks down roughly 50/50 between infrastructure and servers. In a response to a later question, Satya Nadella said that “the kit” for a datacenter represented about 60% of the total spend. Either way, Microsoft is spending heavily to support Cloud and AI.

Microsoft reported that the number of customers using Copilot for Microsoft 365 grew 60% quarter over quarter. Microsoft also said that the number of customers with over 10,000 Copilot for Microsoft 365 seats doubled quarter over quarter. However, in neither case did they give a firm number, preferring instead to mention some marquee names, such as the decision by EY to deploy Copilot for Microsoft 365 to 150,000 seats.

Given the huge marketing effort by Microsoft to push Copilot for Microsoft 365, it’s unsurprising to see substantial customer interest in the product. Everyone is curious about how generative AI can help people do their job smarter and better, so many tests are ongoing. One thing I hear time after time is the difficulty of measuring saved time or better outcomes, plus how to assess if people use saved time in a productive manner. After all, being able to save five minutes to draft and send an email isn’t much good if the time saved is devoted to non-essential tasks.

Satya Nadella said that GitHub Copilot is used by more than 77,000 organizations (up 180% year over year). GitHub Copilot now represents 40% of GitHub revenue. By itself, GitHub Copilot is larger in revenue terms than the entire GitHub was when Microsoft bought it. I don’t think this is surprising. I use GitHub Copilot with Microsoft 365 PowerShell every day and consider it to be an absolute bargain for what it delivers. Even though it is capable of creating some odd code, GitHub Copilot is a great example of how AI can be very effective when given limited goals.

New Fiscal Year, Continued Growth

It seems clear that the Microsoft Cloud will continue to grow revenue during Microsoft’s 2025 fiscal year. The growth probably won’t come from vast quantities of new Office 365 users. Instead, it will come from convincing customers to upgrade to more expensive licenses (like Office 365 E3 to E5), premium licenses, and AI.


Support the work of the Office 365 for IT Pros team by subscribing to the Office 365 for IT Pros eBook. Your support pays for the time we need to track, analyze, and document the changing world of Microsoft 365 and Office 365.

Team Owners Can Rename the General Channel - https://office365itpros.com/2024/07/17/rename-general-channel/ - Wed, 17 Jul 2024 07:00:00 +0000

Rename General Channel with a “Meaningful Name”

Message Center notification MC814583 (July 16, 2024, Microsoft 365 roadmap item 395931) announces that team owners can soon rename the General channel (or the local language version of General when Teams isn’t run in English). For years, Microsoft resisted this request because the General channel is (in effect) the heart of a team. A team must have at least one channel and General is the default channel created in every team.

In the early days of Teams, it seemed like the General channel had a protected status where only team owners could post messages to the channel. The idea was to reserve the General channel for important announcements and the like and offload discussions to other channels dedicated to different topics. There’s value in this idea but perhaps not as much as people thought. It takes a certain discipline to always use the General channel for announcements.

Now Microsoft says that team owners can rename the General channel and give it a “meaningful name” to reflect the core role the channel has within a team. Renaming the General channel updates the channel’s display name, which can be up to 50 characters long. Some restrictions on characters that can be in the name do exist, but just like any other channel name, you can include emojis if you like (Figure 1). This must surely count as a meaningful name.

Rename General channel
Figure 1: Renaming a General channel in a team

The warning shown in Figure 1 says that once a team owner renames the General channel to some other name, they can’t reverse the process and use the General name again. “General” is a reserved name that can’t be assigned to any channel except when a team is created. I guess Microsoft could have created some extra code to track renames for General channels to allow channels to become General again, but it’s easier to say that the word General can never be used for a channel name.

Availability of Rename General Channel

The new feature is available in the Teams 2.1 desktop and browser clients. Microsoft plans to roll out the update to targeted release tenants in early August 2024. General Availability for commercial tenants will follow in mid-August 2024. GCC, GCC-High, and DOD tenants should get the update in September 2024.

Programmatic Ability to Rename General Channel

Current versions of the Graph Update Channel API block renames of the General channel (“General channel cannot be patched”), so the Update-MgTeamChannel cmdlet from the Microsoft Graph PowerShell SDK doesn’t work either. When the restrictions are lifted, you should be able to run a command like this to rename the General channel:

Update-MgTeamChannel -ChannelId '19:L2cxcx_ObbZSwEuRcwo1jEjIGZoxhAR-Fchi-PSujiM1@thread.tacv2' -DisplayName 'Everyone is a Winner' -TeamId $TeamId

A Small But Important Change in the Evolution of Channels

As I noted earlier this year, Microsoft is emphasizing better use of channels in an attempt to reduce the number of inactive or underused teams. With a team now capable of supporting a mixture of 1,000 regular, shared, and private channels, there’s certainly lots of potential to explore in maximizing the use of channels. Perhaps being able to rename the General channel will make it less of a special place than it’s been in the past and make it into what the General channel is becoming: just another regular channel in a team.


So much change, all the time. It’s a challenge to stay abreast of all the updates Microsoft makes across the Microsoft 365 ecosystem. Subscribe to the Office 365 for IT Pros eBook to receive monthly insights into what happens, why it happens, and what new features and capabilities mean for your tenant.

Teams to Begin Automatically Hiding Inactive Channels - https://office365itpros.com/2024/07/03/teams-inactive-channels/ - Wed, 03 Jul 2024 07:00:00 +0000

Prevent Inactive Channels from Cluttering User Views

In another step in Microsoft’s overhaul of Teams channels, message center notification MC804771 (24 June 2024, Microsoft 365 roadmap item 325780) announces the implementation of a new housekeeping function to clean up user channel lists by hiding inactive channels (Figure 1).

Teams cleans up a channel list
Figure 1: Teams cleans up a channel list

The change will only be effective in commercial and government tenants. Education tenants won’t have their channels cleaned up. The update to the Teams 2.1 client for Windows, MacOS, and browsers will appear in mid-July 2024 for targeted release tenants and reach general availability for commercial tenants in mid-August 2024 with worldwide deployment scheduled to complete by mid-September. GCC, GCC High, and DoD tenants will see the update about a month later.

Update: On March 20, 2025, Microsoft announced that based on customer feedback, they are taking a fresh look at how automated hiding of channels works to make the feature opt-in only. Deployment is halted and will resume to make the feature generally available “later in 2025.”

Channel clean up happens for both member and guest user accounts.

The Chaos of Inactive Channels

Tenants are well aware of the problem of digital rot caused by too many teams. Each team can now have up to 1,000 channels, and Microsoft is keen for customers to create channels rather than teams to reduce the amount of digital debris in their tenants. A shared or private channel can often replace a team, especially as both come with a dedicated SharePoint Online site to store documents.

It would be nice if those who created channels always maintained those channels, but this doesn’t happen in the real world. Like teams, channels can be created only to become inactive or uninteresting to users quickly. It might be that the channel isn’t needed, that people discuss the topic created for the channel in a group chat instead, or that the topic simply isn’t worth a separate channel. For whatever reason, people lose interest and inactive channels find their way into user channel lists.

To solve the problem, Teams will automatically detect and hide inactive channels that users have not interacted with recently. Microsoft hasn’t said what period of inactivity Teams uses to make the determination or what interaction means. Based on experience with the preview version of the feature, interaction seems to mean opening a channel to view conversations. Microsoft says that 45 days is the point used to decide if a user is active in a channel. It seems like Teams checks for inactive channels every couple of weeks.

When Teams detects inactive channels, it offers the chance for the user to review the set and make the call to unhide some of the channels (Figure 2).

Reviewing the set of inactive channels to be removed from view.
Figure 2: Reviewing the set of inactive channels to be removed from view

It’s a good idea to review the set of inactive channels selected by Teams because useful channels that are temporarily inactive will appear in the list.

Settings for Channel Cleanup

The Teams Settings app includes the ability for users to opt out of automatic channel cleanup as well as an option to initiate the cleanup process on demand (Figure 3).

Teams settings for inactive channels clean up.
Figure 3: Teams settings for inactive channels clean up

If you opt to clean up now, Teams checks the current channel list and displays any that it believes to be inactive.

The important thing to remember is that a hidden channel is still available to a user and can be unhidden at any time by viewing the set of channels for a team and unhiding any that they want to see.

Inform Users About Channel Clean Up

Automatic clean up processes are usually a good idea and hiding inactive channels is an example of one that’s worthwhile. However, like anything else that affects users, some explanation is necessary for people to understand why and what is happening. No one wants a bunch of help desk calls asking where a favorite (but inactive) channel has gone.



Office 365 for IT Pros 2025 Edition is Now Available - https://office365itpros.com/2024/07/01/office-365-for-it-pros-2025-edition/ - Mon, 01 Jul 2024 00:01:00 +0000

Eleventh Edition of the Most Comprehensive Book About Office 365 and the Microsoft 365 Ecosystem

After some late nights finishing up the book content before building the PDF and EPUB files, the Office 365 for IT Pros team is happy to announce the publication of Office 365 for IT Pros 2025 edition. This is the eleventh book in a series going back to May 2015 and is the 109th monthly update issued in that time. The new book is now online on Gumroad.com.

Office 365 for IT Pros 2025 Edition

We have emailed an upgrade code to subscribers of the 2024 Edition to allow them to upgrade for $16.95 (the same price as last year). We also sent a code to people who subscribed during June 2024 to allow them to claim a free upgrade. This is in line with our normal policy of offering anyone who subscribes in the last month of an edition the chance to automatically extend their subscription to cover the next edition.

A New PowerShell Book

Office 365 for IT Pros (2025 Edition) does not have a companion volume. We made the decision to discontinue the companion volume because the information it contains is now quite old. Please keep the 2024 companion volume if you wish to retain access to its content.

This year, we launched a new 240-page, four-chapter book called Automating Microsoft 365 with PowerShell. We have strong PowerShell content in the 2024 edition. Given all the changes in Microsoft 365 PowerShell modules and growing usage of Microsoft Graph APIs, it seemed like a good idea to create a book focusing on this area. There are still hundreds of PowerShell examples in the main book where they are used to explain how to accomplish specific tasks. The PowerShell book allows us to dedicate more in-depth coverage to this critical area, especially about using PowerShell with Microsoft Graph APIs and the Microsoft Graph PowerShell SDK.

The Office 365 for IT Pros (2025 edition) subscription includes Automating Microsoft 365 with PowerShell in both PDF and EPUB formats. Like our other content, we will update the PowerShell eBook monthly.

In addition to including the new eBook in the Office 365 for IT Pros subscription, we sell Automating Microsoft 365 with PowerShell separately. People who don’t want to buy the full Office 365 for IT Pros subscription can purchase a copy of the PowerShell book from Gumroad.com or as a paperback version available from Amazon.com. This is the first time that we have produced a print book since the original edition of Office 365 for Exchange Professionals appeared at the Ignite conference in May 2015. At that time, Microsoft paid for 500 print copies, all of which were distributed at the conference. Anecdotal evidence since is that some of our readers have printed the PDF version to have a hard copy. The size of the main book (now about 1,220 pages) means that online print services can’t handle it, but splitting off a section to create a separate book opens up the possibility of print copies again.

In the future, we might split off other books, such as ones covering Teams or compliance, and make them available in the same way. That decision depends on how people like the PowerShell book.

Why New Editions Appear on July 1

Some ask why we choose to introduce new editions on July 1. We’ve done this since 2016 to align with Microsoft’s fiscal year. That might sound strange, but it’s an undeniable fact that many Microsoft engineering groups aim to ship new functionality before the close of their fiscal year. There’s a rush within Microsoft to finish new software and make it available to customers before June 30. Afterwards a relative lull sets in as many Microsoft engineers take vacation. In a strange kind of way, this helps us to frame a new edition in a way that wouldn’t be possible at the end of the calendar year.

CoreView is Our New Sponsor

After a terrific year’s support from CodeTwo Software, including some excellent t-shirts made by Szymon Szczesniak and his team, CoreView is the sponsor for Office 365 for IT Pros (2025 Edition). We like having an alignment with our sponsors and believe that this exists with CoreView, who are deeply involved with Microsoft 365 management and automation. We look forward to a great year working with the CoreView team.

Seven Books in One

We like to think that Office 365 for IT Pros is seven books in one:

  • Exchange Online.
  • Entra ID.
  • SharePoint Online.
  • Teams.
  • Purview Compliance.
  • Information Protection.
  • Automation (Power Automate and PowerShell).

Office 365 for IT Pros (2025 Edition) strengthens our claim. The two books covered by the subscription contain a huge amount of knowledge. Our work isn’t perfect, but it’s our honest and best effort to communicate our experience of working with Exchange Online, Entra ID, SharePoint Online, Teams, OneDrive for Business, Planner, Stream, Purview, Power Automate, and associated technologies. The rate of change across these products means that the advantage of publishing an eBook is more evident now than ever before. In the 24 hours before publication, we updated five chapters of the Office 365 for IT Pros (2025 Edition) eBook and one chapter for the Automating Microsoft 365 with PowerShell eBook.

Stay tuned for our email announcing when the new book is released and available. Thank you for your support for the Office 365 for IT Pros project. We hope that you like the books as much as we enjoyed working on them. And stay tuned to what we publish here. You never know when we might say something valuable!

Teams Adjusts the Activity Feed - https://office365itpros.com/2024/05/29/teams-activity-feed-changes/ - Wed, 29 May 2024 07:00:00 +0000

Calendar Notifications Appear in Teams Activity Feed

Described in MC704955 (last updated 2 April 2024, Microsoft 365 roadmap item 314355), after several weeks of use, I have come to the conclusion that I hate the inclusion of calendar notifications in the Teams activity feed. According to the deployment schedule, almost all tenants should have the feature by now.

Calendar notifications arrive for:

  • Meeting invitations (including channel meetings where the organizer sends personal invitations).
  • Meeting updates, including cancellations.
  • Meeting forwards (that the user organized).

A calendar notification in the Teams activity feed.
Figure 1: A calendar notification in the Teams activity feed

Calendar events pop up as unread notifications in the activity feed, cluttering the feed that’s already heavily trafficked by @mentions, replies, invocations to renew expiring teams, and the like. In fact, I get two sets of notifications because Outlook notifies me about new invitations and updates too. At least, Outlook would if I had not configured its calendar long ago to accept invitations automatically.

Suppressing Calendar Notifications in Teams

The good news is that you can suppress calendar notifications in Teams too. If you hover over the timestamp for a calendar notification (like 16:22 in Figure 1), an ellipsis menu appears. Select the “turn off calendar” option and the activity feed becomes a more pleasant place again.

This experience reminds me once again of the value of paying attention to the notification settings in the Teams client. As obvious from this 2021 post, it’s an ongoing battle because new sources of notifications (like the calendar) appear over time.

“Turn off calendar” disables most calendar notifications in the settings app (Figure 2). It doesn’t disable notifications for when people forward meetings that you organize. You can turn that setting off too if you like.

Teams notification settings for calendar events
Figure 2: Teams notification settings for calendar events

Reduced Filters in the Activity Feed

After sorting out calendar notifications, let’s turn our attention to message center notification MC793967 (17 May 2024), a candidate for the worst written message center post of the year. This feature, rolling out to general availability soon, removes much of the filtering capability for the activity feed. Microsoft explains that they’re doing this “To solve for discoverability and ease of usage of @Mentions in activity” (whatever that means) by introducing two “selectable pills” (normal people call these “buttons”) to filter for @mention and unread notifications (Figure 3).

The Teams activity feed gets two selectable pills.
Figure 3: The Teams activity feed gets two selectable pills

The other filters previously available are retired. These include replies, reactions, apps, and voicemail, all of which seem pretty useful. No doubt Microsoft’s wondrous telemetry will prove otherwise.

To replace the retired filters, Microsoft says “we recommend the utilization of upfront mentions pill, which address the bullseye of filtering needs in Activity feed.” I have no idea what this mangled attempt at an English sentence means. Surely Copilot could have rewritten the text for clarity and conciseness? You could interpret the words to mean that Microsoft believes that @mentions are the most important notifications for users (probably true) with unread a close second. Hence the two filter options.

It’s also worth noting that a secondary filter option exists. Press CTRL+Shift+F (Windows) or click the funnel icon and you can input some words to filter the current list of notifications. For instance, if the selected filter is for unread notifications and you input “Paul” as a filter, the activity feed shows you unread notifications from users with Paul in their display name and notifications with Paul in their text.

Cleaning up Teams

All of this is part of Microsoft’s efforts to clean up what had become a cluttered Teams client. They want the Teams 2.1 client to be easy to use with the most important elements highlighted to users. I’ve no problem with that aspiration, but it would be good if communication was better.


Keep up to date with developments in Teams by subscribing to the Office 365 for IT Pros eBook. Our monthly updates make sure that our subscribers understand the most important changes happening across Office 365.

Update Entra ID User Role Permissions to Secure Your Tenant - https://office365itpros.com/2024/05/09/user-role-permissions/ - Thu, 09 May 2024 07:00:00 +0000

Make Your Tenant More Manageable by Tightening User Role Permissions

The ability of non-privileged user accounts to perform certain administrative tasks in an Entra ID tenant (Microsoft 365 tenant) is controlled by the user role permissions policy. This policy exists in every Entra ID tenant, and it comes with some default settings that are just plain silly for all but test tenants.

The settings I’m concerned about are found in the User settings page (Figure 1).

User role permissions in the Entra admin center
Figure 1: User role permission settings in the Entra admin center

Apps, Tenants, and Security Groups

Three settings are up for debate: should users be able to create registered apps, tenants, and security groups?

Only administrators should add registered apps to a tenant. Registered apps are enormously useful, especially the creation of an integrated Entra ID identity configuration that can authenticate against the Graph and other APIs. Attackers love apps too, and they like creating apps within compromised tenants and then assigning those apps the necessary permissions to exfiltrate data. The potential for app abuse is too high. Allowing “normal” users to create new apps might have made sense when attackers weren’t quite so interested in apps as an attack vector, but the current threat horizon is such that it’s unwise to allow non-administrators to create new apps.

The same is true for tenants. What regular Microsoft 365 user sets out to create a new Entra ID tenant as part of their daily activities? The answer is none. Creating new tenants might be something that’s useful as part of a development project, but tenants created from the Entra admin center have no licenses and aren’t particularly useful. Developers are better off working against a Microsoft 365 development tenant. They’ll get 25 licenses to work with and the tenant will automatically renew if they work with Graph APIs. If someone can make a good case to create a new tenant, let them make it to a tenant administrator.

I’m less strict about restricting users from creating security groups. However, because security groups are used to control access to resources, it seems to make sense to restrict their creation too. And most Microsoft 365 tenants suffer from a surplus of groups caused by unrestricted creation of Teams. Why add to the debris accumulating in a tenant?

I suspect that Microsoft chose the default settings with the best intentions at a time when threat was less evident. It’s regrettable that the settings remain so permissive. My position is therefore that tenants should update the default settings and impose control over creation of apps, tenants, and security groups. Feel free to disagree.

Using PowerShell to Update User Role Permissions

It’s easy to correct the settings in the Entra admin center. To make sure that the settings are not changed, you could use an Azure Automation scheduled runbook to update the settings periodically. Changes to the authorization policy require consent for the Policy.ReadWrite.Authorization permission. Here’s the necessary Microsoft Graph PowerShell SDK code to disable the ability for users to:

  • Create new Entra ID registered apps (AllowedToCreateApps)
  • Create security groups (AllowedToCreateSecurityGroups)
  • Create new tenants (AllowedToCreateTenants)

Connect-MgGraph -NoWelcome -Scopes Policy.ReadWrite.Authorization
# Create hash table for body
$BodyParameters = @{}
# Create hash table to hold role permissions for tenant users
$RolePermissions = @{}
$RolePermissions.Add("AllowedToCreateTenants", $false)
$RolePermissions.Add("AllowedToCreateApps", $false)
$RolePermissions.Add("AllowedToCreateSecurityGroups", $false)
# Add the role permissions to the body
$BodyParameters.Add("DefaultUserRolePermissions", $RolePermissions)
# Update default authorization policy
Update-MgPolicyAuthorizationPolicy -BodyParameter $BodyParameters 
# Check the results
Get-MgPolicyAuthorizationPolicy | Select-Object -ExpandProperty DefaultUserRolePermissions | Format-List Allowed*

AllowedToCreateApps                      : False
AllowedToCreateSecurityGroups            : False
AllowedToCreateTenants                   : False
AllowedToReadBitlockerKeysForOwnedDevice : True
AllowedToReadOtherUsers                  : True

For a detailed description of the user role permissions, see this page. Note the admonition not to change the allowedToReadOtherUsers to false. Doing so will have “unfortunate effects.”
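To make the scheduled runbook idea concrete, here is an added example (not code from the post above) that reads the current default user role permissions, compares them with the desired state, and only calls Update-MgPolicyAuthorizationPolicy for settings that have drifted, so a scheduled run is idempotent and leaves no trace in the audit log when nothing has changed. It assumes the automation account signs in with a managed identity (Connect-MgGraph -Identity) that has been granted Policy.ReadWrite.Authorization as an application permission; the function name is this example's own.

```powershell
# Added example: drift check and remediation for the three default user role permissions.
# Assumptions: runs in an Azure Automation runbook whose managed identity holds the
# Policy.ReadWrite.Authorization application permission, with the Microsoft Graph
# PowerShell SDK modules available to the runbook.

# Desired state for the settings discussed in the post
$DesiredState = @{
    AllowedToCreateApps           = $false
    AllowedToCreateSecurityGroups = $false
    AllowedToCreateTenants        = $false
}

function Get-DefaultUserRoleDrift {
    # Emits the names of settings whose current value differs from the desired value.
    # $Current is the DefaultUserRolePermissions object from Get-MgPolicyAuthorizationPolicy.
    param(
        [Parameter(Mandatory)] $Current,
        [Parameter(Mandatory)] [hashtable] $Desired
    )
    foreach ($Name in $Desired.Keys) {
        if ($Current.$Name -ne $Desired[$Name]) { $Name }
    }
}

# Managed identity sign-in for the runbook. For an interactive test, use
# Connect-MgGraph -Scopes Policy.ReadWrite.Authorization instead.
Connect-MgGraph -Identity -NoWelcome

$Current = Get-MgPolicyAuthorizationPolicy | Select-Object -ExpandProperty DefaultUserRolePermissions
[array]$Drift = Get-DefaultUserRoleDrift -Current $Current -Desired $DesiredState

if ($Drift.Count -eq 0) {
    Write-Output "Default user role permissions match the desired state. No change made."
} else {
    Write-Output ("Drift detected in: {0}. Remediating." -f ($Drift -join ', '))
    # Send only the settings that drifted. AllowedToReadOtherUsers is never touched,
    # which avoids the "unfortunate effects" Microsoft warns about.
    $RolePermissions = @{}
    foreach ($Name in $Drift) { $RolePermissions[$Name] = $DesiredState[$Name] }
    Update-MgPolicyAuthorizationPolicy -BodyParameter @{ DefaultUserRolePermissions = $RolePermissions }

    # Re-read the policy and confirm the update took effect
    $After = Get-MgPolicyAuthorizationPolicy | Select-Object -ExpandProperty DefaultUserRolePermissions
    [array]$Remaining = Get-DefaultUserRoleDrift -Current $After -Desired $DesiredState
    if ($Remaining.Count -eq 0) {
        Write-Output "Remediation confirmed."
    } else {
        Write-Warning ("Settings still drifted after update: {0}" -f ($Remaining -join ', '))
    }
}
```

Schedule the runbook daily. Because it writes only on drift, any Update-MgPolicyAuthorizationPolicy call it makes is worth an alert: someone or something changed the policy since the last run.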

Take Control Over Your Tenant

The temptation exists not to change default settings in an administrative portal unless the obvious need exists. That’s a reasonable position to take, but the simple fact is that the three default settings discussed here are outdated and illogical. Take control of your tenant and make sure to disable these capabilities. There’s no point in allowing people to create objects unless there’s a good reason to do so.


Stay updated with developments across the Microsoft 365 ecosystem by subscribing to the Office 365 for IT Pros eBook. We do the research to make sure that our readers understand the technology.

Microsoft Cloud Exceeds 50% of Microsoft Total Revenues (https://office365itpros.com/2024/04/26/microsoft-fy24-q3-results/, published Fri, 26 Apr 2024 09:34:06 +0000)

Microsoft FY24 Q3 Results Demonstrate Continuing Cloud Strength

Microsoft cloud revenues had an annual run rate of $140.4 billion based on the quarterly revenue of $35.1 billion. A year ago, the comparable figures were $114 billion and $28.5 billion, meaning that Microsoft grew cloud revenues by 23% year over year. Cloud revenues represented just over 50% of Microsoft overall revenues of $69.1 billion. From a profitability standpoint, the gross margin for Microsoft cloud was 72% ($25.27 billion), or 58.23% of Microsoft’s overall gross margin. That’s a healthy margin at a time when Microsoft is investing heavily in its datacenter infrastructure to accommodate the demands of AI-based services.

More details about the FY24 Q3 results are available on Microsoft’s website.

Office 365 Seat Growth Slows in Percentage Terms

In their FY24 Q2 results, Microsoft said that the number of Office 365 paid seats had reached “over 400 million.” Given that Office 365 has so many customers, it’s unsurprising that the percentage growth in seats is slowing. Over the last year, the year-over-year rate has decreased from 11% to 8% (Figure 1). Still, 8% of 400 million is an additional 32 million seats annually. Microsoft said that seat growth was driven by their “small to medium business and frontline worker offerings,” implying that larger companies have mostly moved to the cloud at this point, 13 years after the launch of Office 365.

Figure 1: The slowing seat growth of Office 365

Given that large enterprises tend to be better at keeping on-premises servers up to date, I wonder if the campaign to stop obsolete Exchange on-premises servers (Exchange 2013 and below) sending email to Exchange Online is convincing small to medium businesses to move to the cloud. If so, that’s a good thing. If you can’t maintain an Exchange server, it’s time to use a cloud-based email service.

Microsoft notes that revenue growth is ahead of seat growth, driven partially by higher average revenue per user (ARPU). This comes about when Microsoft sells add-ons and higher-priced plans to customers. Copilot for Microsoft 365 is particularly notable here because not only is Copilot a high-cost add-on ($360/user/year) but Microsoft does its level best to convince customers that they get better Copilot results with higher-priced E5 plans.

Microsoft expects Office 365 revenue growth to get an uptick to 14% in the coming quarter, citing progress in the “adoption of Copilot for Microsoft 365” as a reason.

Numbers

Microsoft didn’t reveal new numbers for users or paid seats for Office 365 or Teams. However, they did say that Power Apps has reached 25 million monthly active users, and that Teams Rooms hit the one million mark. They also shared that 20 million people use Teams Phone for PSTN access.

They also reported that GitHub Copilot has 1.8 million paid subscribers. I’ve been using GitHub Copilot for several months and consider it a bargain at $10/month. I write PowerShell scripts in Visual Studio Code and find the GitHub Copilot plug-in works well. At times, it is uncanny at its ability to predict the code to insert. I guess I must be very predictable…

Speaking of Copilot, Microsoft said that 60% of the Fortune 500 use Copilot for Microsoft 365. That seems impressive but given that an organization can run a trial with exactly one Copilot license, it might represent just 300 seats. Given the size of these companies and their relationship with Microsoft, I know that the number is far higher (and Microsoft cited some examples of customers with over 10,000 seats), but it does prove that you shouldn’t take a statistic at face value without thinking through what it might mean.

A sign of Microsoft’s current focus is that Copilot appeared regularly in the transcript of the earnings call with analysts. Of the 8,797 total words spoken, Copilot was mentioned 41 times compared to Microsoft 365 (14) and Office 365 (7). Azure scored highest at 46 mentions. Even if Copilot isn’t yet generating the kind of revenue Microsoft aims for, there’s no doubt that driving Copilot sales to increase the usage of Azure to offset the massive capital investment in datacenter infrastructure is top of mind for their senior leadership.

Next Week in Orlando

Next week I shall be at the M365 “community conference” in Orlando. If you’re at the event, be sure to come by either of my sessions:

  • Mastering the Microsoft Graph PowerShell SDK (Tuesday at 11:30AM in the Mockingbird 2 room in the Swan hotel). We’ll discuss how the SDK leverages Graph APIs to get to all parts of Microsoft 365.
  • Don’t let Copilot for Microsoft 365 be a vanity project (Wednesday at 8AM in the Pelican 2 room in the Swan hotel): Navigating through the hype surrounding Copilot for Microsoft 365 to seek measurable business results by deploying Copilot. Or something like that.

Don’t be slow to say hello at either session!


Support the work of the Office 365 for IT Pros team by subscribing to the Office 365 for IT Pros eBook. Your support pays for the time we need to track, analyze, and document the changing world of Microsoft 365 and Office 365.

Disappointing Session Schedule for M365 Conference (https://office365itpros.com/2024/04/22/m365-conference-2024/, published Mon, 22 Apr 2024 02:00:00 +0000)

M365 Conference Next Week in Orlando


Next week, I shall present two sessions at the M365 conference in Orlando (if you still want to attend the event, here’s a $100 off discount code). It’s the first time for me to present at this conference. A previous commitment to speak fell through due to a family event and then the pandemic and other reasons prevented the M365 conference from getting onto my agenda.

I have two sessions:

  • Mastering the Microsoft Graph PowerShell SDK (Tuesday, April 30, 11:30am).
  • Don’t Let Copilot for Microsoft 365 Be a Vanity Project (Wednesday, May 1, 8am).

Please come along if you’re interested in these topics. Heckling is welcome, but only if it’s intelligent and interesting.

Seeking Joy in the M365 Conference Schedule

One of the things I like to do in the period leading up to a conference is figure out which sessions to attend. There’s always a chance to learn from someone else’s take on a subject that you might think you know well.

Browsing the session schedule, the effect of Microsoft sponsorship is evident. There are lots of sessions covering topics that are important to current Microsoft initiatives, especially those associated with the OneDrive and SharePoint organization (ODSP). As expected, Copilot for Microsoft 365 features prominently, including the interesting topic of extending Copilot to cover tenant-specific content. Teams, SharePoint Online, OneDrive for Business, and Purview all get slots, with the number assigned to Teams much reduced compared to previous events.

I guess the all-embracing focus on Copilot detracts from the attention Microsoft pays to Teams, and that’s reflected in the conference schedule. On a positive note, Teams has 320 million monthly active users. Microsoft can certainly extract more revenue from the installed base by selling $10/user/month Teams Premium licenses, but they’d prefer to sell $30/user/month Copilot for Microsoft 365 licenses instead.

The session schedule is rounded out with slots for topics like Viva Suite, Viva Connections, Viva Amplify, and Viva Engage. These products are not in the same major workload category as SharePoint Online and Teams, but they have a relatively small fan base who will be happy to see this content.

Entra ID and Exchange Online Missing from the M365 Conf Schedule

What’s missing from the conference is any mention of two major technologies that exert massive influence over Microsoft 365: Entra ID and Exchange Online. I cannot understand how any conference asserting itself to be the “biggest and most exciting Microsoft 365 community event of the year” can ignore these workloads. Simply put, if you don’t get Entra ID right, your Microsoft 365 tenant is at risk of compromise. And if you don’t pay attention to Exchange Online, the workloads that depend on email will experience problems.

It’s not as if there is nothing to discuss in these areas. The recent Midnight Blizzard attack against Microsoft’s own tenant resulted in exfiltration of email from executive mailboxes and caused an upswing of interest in better management of OAuth apps. Microsoft has an ongoing campaign to increase the percentage of Entra ID accounts protected by multifactor authentication (now around 38%) and makes substantial investments in tools like conditional access policies, authentication methods, and the Authenticator app (now previewing support for passkeys). Sessions helping people understand the risk environment, how to manage inbound connections into tenants, and how to use tools to secure tenants and trace bad actor actions would be invaluable to anyone involved with a Microsoft 365 tenant.

Relating to Exchange Online, there has been much comment about Microsoft’s plans to stop old on-premises Exchange servers sending email to Exchange Online over connectors in hybrid organizations. Microsoft recently announced plans to introduce a high-volume email service, the deprecation of Exchange Web Services in Exchange Online (forcing developers to use Graph APIs instead), the deprecation of SMTP AUTH client submissions, and a new way of controlling how much external email can be sent from mailboxes. There’s also the introduction of a new version of a subscription-based Exchange Server to consider. And on the client side, there’s the ongoing fuss and bother around the Outlook Monarch client to discuss.

The folks who choose sessions to appear on a conference schedule can justifiably claim that the reason why Entra ID and Exchange Online sessions are not there is that speakers don’t submit sessions for consideration. This is true, but potential speakers take guidance from conference organizers about what topics the conference wishes to feature. And naturally, speakers are influenced by the priorities set by Microsoft, which leads to large numbers of sessions featuring the technology du jour. In this instance, it’s Copilot.

The point is that technologies like Entra ID and Exchange Online are essential to Microsoft 365 success. Every one of the 400 million plus Office 365 paid seats uses Entra ID and the number of Exchange Online mailboxes is in the billions. A tenant can run perfectly well with low-end Office 365 licenses and ignore Copilot for Microsoft 365 and the entire Viva Suite. But if users cannot connect and sign in securely, the tenant will fail. And if users can’t access their email, they won’t be slow to let the tenant administrators know.

No Conference Gets it Perfectly Right

No technology conference ever offers the perfect mix of sessions to inform and inspire attendees. However, I think that the program teams responsible for choosing sessions should do a better job of selecting topics that reflect the real-life concerns of customers instead of sessions aligned with Microsoft marketing priorities. Achieving a better balance between coverage of new initiatives and the technology everyone works with daily would make conferences more attractive and valuable, even if it might annoy some of the marketing fraternity.


How to Create a Password Expiration Report (https://office365itpros.com/2024/04/17/password-expiration-report/, published Wed, 17 Apr 2024 08:00:00 +0000)

But Will a Password Expiration Report be Obsolete Soon?

The advice not to force users to change passwords regularly comes from both Microsoft and independent security agencies. Forcing people to change passwords creates friction for people without delivering better security. The consensus is that better security is attained by moving away from passwords to protect accounts with stronger authentication methods like multifactor authentication or passkeys. Evidence of progress in this direction is Microsoft’s recent announcement of support in Entra ID for device-bound passkeys based on the Authenticator app.

The direction of travel seems clear, but progress is slow. The percentage of Entra ID connections using multifactor authentication reached 38% in early 2024. It takes time to change, which is why I still receive requests for how to create a report showing when Entra ID accounts last updated passwords and details of when the next password change is scheduled.

Setting the Password Expiration Policy

My tenant doesn’t force password changes. The password expiration policy for the tenant is set to never expire. This is easily done through the Org settings section of Microsoft 365 admin center (Figure 1).

Figure 1: Setting the password expiration policy for a Microsoft 365 tenant

The accounts in the tenant are not a great test case for reporting password changes. I’m more concerned about how to report the multifactor authentication status for accounts. With that thought in mind, let’s examine how to approach creating a report with PowerShell.

Steps to Create a Password Expiration Report

Generating a password expiration report is straightforward. In this discussion, I used the Microsoft Graph PowerShell SDK to create a script to:

  • Connect to the Graph endpoint by running the Connect-MgGraph cmdlet. The following permissions are needed (if you wish, Directory.Read.All is a higher-privileged permission that can be used instead of the first three):
    • Domain.Read.All to read the domain information.
    • User.Read.All to read account information.
    • Organization.Read.All to read information about the tenant (fetch the display name).
    • AuditLog.Read.All to read the sign-in activity information for user accounts.
  • Find the password expiration policy for the tenant. This can be done by using the Get-MgDomain cmdlet to fetch details of the default domain and retrieving the password validity period from it. If the value is 2147483647, the tenant does not expire passwords. Date calculations won’t work with 2147483647, so the script adjusts the value to 20000 to calculate a notional password expiration date.
  • Find the set of licensed member accounts in the tenant. It’s important to use a server-side filter here to maximize performance. Running a command like Get-MgUser -All fetches all the known accounts in a tenant, but a client-side filter will be necessary to remove guest accounts and unlicensed member accounts such as those used for room and shared mailboxes. Master the art of filtering to make sure that scripts that work with Entra ID accounts perform well. I’ll cover filtering in some depth during my Microsoft Graph PowerShell SDK session at the M365 Conference in Orlando.
  • For each account, retrieve details like the date and time of the last password change and the password profile for the account, and compute a date when the password should be renewed. In tenants that don’t force password renewal, this date will be somewhere long after you retire.
  • Generate a report.

A good case exists for using the beta version of the Get-MgUser cmdlet in the script. Apart from fetching a wider set of properties by default, the Get-MgBetaUser cmdlet returns an additional timestamp for the last successful interactive sign-in (which might be different from the last sign-in).
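The steps above, written out as an added example for this page (not the script published on GitHub). It reads the validity period from the default domain, fetches licensed member accounts with a server-side filter, honors a per-account DisablePasswordExpiration policy, and flags accounts whose expiry falls inside a warning window. The 14-day warning window, the output file path, and the function name are assumptions of this example.

```powershell
# Added example of the password expiration report described above (not the article's script).
# Assumptions: the Microsoft Graph PowerShell SDK is installed; the signed-in account can consent
# to the four delegated permissions; a 14-day warning window is what the tenant wants.
Connect-MgGraph -Scopes Domain.Read.All, User.Read.All, Organization.Read.All, AuditLog.Read.All -NoWelcome

$TenantName  = (Get-MgOrganization).DisplayName
$WarningDays = 14   # assumption: flag passwords expiring within two weeks

# Password validity period comes from the default domain. 2147483647 means passwords never expire,
# and a null value means the property was never set (Entra ID treats that as never expiring too).
$DefaultDomain      = Get-MgDomain -All | Where-Object { $_.IsDefault -eq $true }
$ValidityDays       = $DefaultDomain.PasswordValidityPeriodInDays
$TenantNeverExpires = ($null -eq $ValidityDays) -or ($ValidityDays -eq 2147483647)
if ($TenantNeverExpires) { $ValidityDays = 20000 }   # notional value so date arithmetic works

function Get-PasswordExpiryStatus {
    # Computes a notional expiry date and a status label for one account.
    # A DisablePasswordExpiration entry in the account's password policies overrides the tenant setting.
    param(
        [Parameter(Mandatory)] [datetime] $LastChange,
        [Parameter(Mandatory)] [int]      $ValidityDays,
        [string]   $PasswordPolicies,
        [bool]     $TenantNeverExpires,
        [int]      $WarningDays = 14,
        [datetime] $Now = (Get-Date).ToUniversalTime()
    )
    $Expiry           = $LastChange.AddDays($ValidityDays)
    $UserNeverExpires = $PasswordPolicies -match 'DisablePasswordExpiration'
    $Status = if ($TenantNeverExpires -or $UserNeverExpires) { 'Never expires' }
              elseif ($Expiry -lt $Now)                        { 'Expired' }
              elseif (($Expiry - $Now).TotalDays -le $WarningDays) { 'Expires within {0} days' -f $WarningDays }
              else                                             { 'OK' }
    return [pscustomobject]@{ ExpiryDate = $Expiry; Status = $Status }
}

# Licensed member accounts only, filtered server-side. Guests and unlicensed accounts
# (room and shared mailboxes, for instance) never leave the service.
[array]$Users = Get-MgUser -All -Filter "userType eq 'Member' and assignedLicenses/`$count ne 0" `
    -ConsistencyLevel eventual -CountVariable UserCount `
    -Property Id, DisplayName, UserPrincipalName, LastPasswordChangeDateTime, PasswordPolicies, SignInActivity

# Compute expiry details for each account
$Report = foreach ($User in $Users) {
    if ($null -eq $User.LastPasswordChangeDateTime) {
        $Expiry = $null
        $Status = 'Unknown (no password change recorded)'
    } else {
        $Result = Get-PasswordExpiryStatus -LastChange $User.LastPasswordChangeDateTime `
            -ValidityDays $ValidityDays -PasswordPolicies $User.PasswordPolicies `
            -TenantNeverExpires $TenantNeverExpires -WarningDays $WarningDays
        $Expiry = $Result.ExpiryDate
        $Status = $Result.Status
    }
    [pscustomobject]@{
        User               = $User.DisplayName
        UPN                = $User.UserPrincipalName
        LastPasswordChange = $User.LastPasswordChangeDateTime
        PasswordPolicies   = $User.PasswordPolicies
        LastSignIn         = $User.SignInActivity.LastSignInDateTime
        ExpiryDate         = $Expiry
        Status             = $Status
    }
}

# Report: grid view for a quick look, CSV for the record
$Report = $Report | Sort-Object ExpiryDate
$Report | Out-GridView -Title ("Password expiration report for {0} ({1} accounts)" -f $TenantName, $Report.Count)
$Report | Export-Csv -Path .\PasswordExpirationReport.csv -NoTypeInformation -Encoding UTF8
```

The status column is where the report earns its keep: in a tenant that never expires passwords, sort by LastPasswordChange instead and pair it with LastSignIn, because a licensed account that has not signed in for months is a better candidate for review than any expiry date.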

Figure 2 shows a sample password expiration report generated by the script. In this case, the tenant password expiration policy sets passwords to never expire, so the reported expiration dates are years into the future and no warnings about impending expiration appear in the status column.

Figure 2: An example of a password expiration report for a Microsoft 365 tenant

You can download the script from GitHub. Remember, the code is intended to illustrate a principle. Use it as you see fit.

Onward to a Passwordless Future

I don’t think there is any doubt but that the time will come when passwords disappear, and we will use more phishing-resistant technologies to prove our identities and sign into applications. Until then, perhaps some will want to report password expiration, and now you have a script to do the job.


Learn how to exploit the data available to Microsoft 365 tenant administrators through the Office 365 for IT Pros eBook. We love figuring out how things work. The PowerShell chapter includes hundreds of examples of using the Microsoft Graph PowerShell SDK.

All About Microsoft 365 Tenant Identifiers (https://office365itpros.com/2024/03/28/tenant-identifiers/, published Thu, 28 Mar 2024 08:00:00 +0000)

Resolving Tenant Identifiers

Every Microsoft 365 tenant has a unique identifier (a GUID) that’s used within the Entra ID ecosystem to identify the tenant and its objects. This post is an update for a previous article published three years ago. Much has changed in the intervening period, including a renaming of Azure AD to be Entra ID and the introduction of new Graph APIs to resolve tenant identifiers in different ways.

The tenant identifier is used in many places, such as to identify the tenant to connect a Microsoft Graph PowerShell SDK to:

Connect-MgGraph -TenantId "72f988bf-86f1-41af-91ab-2d7cd011db47"

The identifier for your tenant is available in the Overview section of the Entra admin center (Figure 1). Usefully, you can copy the value from the admin center and keep it for other purposes.

Figure 1: Tenant identifier listed in the Entra admin center

To find the identifier for your tenant with PowerShell, run the Get-MgOrganization cmdlet after connecting to the Microsoft Graph PowerShell SDK.

Connect-MgGraph -Scopes Organization.Read.All -NoWelcome
Get-MgOrganization | Format-List Id, DisplayName

Id          : a662313f-14fc-43a2-9a7a-d2e27f4f3478
DisplayName : Office 365 for IT Pros

The responses for many Graph requests and PowerShell cmdlets return the GUID identifying the tenant. Usually, the tenant identifier points to your own tenant, and you’ll recognize it. Sometimes APIs return identifiers from other tenants. For instance, the Get-AssociatedTeam cmdlet from the Microsoft Teams module includes the identifier for external tenants that host shared channels that users have direct membership in. This is why it’s useful to resolve tenant identifiers programmatically.

Resolving a Tenant Identifier GUID

It’s useful to be able to resolve the GUID for a tenant identifier and find the display name. For example, few people will recognize 72f988bf-86f1-41af-91ab-2d7cd011db47, but most will understand “Microsoft.”

To resolve a tenant identifier, use the findTenantInformationByTenantId Graph API to look up the tenant information published on the internet. There doesn’t seem to be a cmdlet in the latest version of the Microsoft Graph PowerShell SDK, so it’s necessary to use the Invoke-MgGraphRequest cmdlet. This example takes a tenant identifier and calls the API to return the tenant information. The code then extracts the tenant display name from the information to use for reporting or other purposes.

$TenantId = Read-Host "What tenant identifier should I look up"
$LookUpId = $TenantId.ToString()
$Uri = ("https://graph.microsoft.com/v1.0/tenantRelationships/findTenantInformationByTenantId(tenantId='{0}')" -f $LookUpId)
$ExternalTenantData = Invoke-MgGraphRequest -Uri $Uri -Method Get
$ExternalTenantName = $ExternalTenantData.displayName
Write-Host ("The tenant with identifier {0} is {1}" -f $LookUpId, $ExternalTenantName)

Resolving a Tenant Display Name to the Tenant Identifier

To do the reverse and find the tenant identifier for a Microsoft 365 tenant using its domain name, use the findTenantInformationByDomainName API. The code is similar to resolving a tenant name by identifier:

$Domain = Read-Host "What domain should I lookup"
$Uri = ("https://graph.microsoft.com/v1.0/tenantRelationships/findTenantInformationByDomainName(domainName='{0}')" -f $Domain)
[array]$DomainData = Invoke-MgGraphRequest -Uri $Uri -Method Get -ErrorAction SilentlyContinue
If (!($DomainData)) {
    Write-Host ("Whoops - can't find a Microsoft 365 tenant for {0}" -f $Domain)
} Else {
    Write-Host ("The tenant id for {0} is {1}" -f $DomainData.displayName, $DomainData.tenantId)
}

What domain should I lookup: Microsoft.com
The tenant id for Microsoft is 72f988bf-86f1-41af-91ab-2d7cd011db47

Both examples use the tenantRelationships Graph API to look up tenant information by identifier or name. To gain access, the calling app (such as the Microsoft Graph PowerShell SDK) must have consent for the CrossTenantInformation.ReadBasic.All Graph permission.
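Both lookups fold neatly into one function, shown here as an added example (not code from the article). It accepts either a GUID or a domain name, picks the right tenantRelationships call, caches answers so a reporting script that meets the same external tenant repeatedly makes one request, and returns $null instead of throwing when nothing is published for the value. It assumes the session holds CrossTenantInformation.ReadBasic.All; the function and cache names are this example's own, and the sample inputs at the end are constructed.

```powershell
# Added example: resolve a tenant identifier or domain name to published tenant information.
# Assumption: Connect-MgGraph has been run with the CrossTenantInformation.ReadBasic.All permission.
Connect-MgGraph -Scopes CrossTenantInformation.ReadBasic.All -NoWelcome

$script:TenantInfoCache = @{}   # example's own cache: query string -> result (or $null for "not found")

function Resolve-TenantInformation {
    param([Parameter(Mandatory)] [string] $Value)   # tenant GUID or domain name

    $Key = $Value.Trim().ToLower()
    if ($script:TenantInfoCache.ContainsKey($Key)) { return $script:TenantInfoCache[$Key] }

    # A value that parses as a GUID is looked up by tenant id, anything else by domain name
    $Guid = [guid]::Empty
    if ([guid]::TryParse($Key, [ref]$Guid)) {
        $Uri = "https://graph.microsoft.com/v1.0/tenantRelationships/findTenantInformationByTenantId(tenantId='{0}')" -f $Guid
    } else {
        $Uri = "https://graph.microsoft.com/v1.0/tenantRelationships/findTenantInformationByDomainName(domainName='{0}')" -f [uri]::EscapeDataString($Key)
    }

    try {
        $Data = Invoke-MgGraphRequest -Method Get -Uri $Uri -ErrorAction Stop
    } catch {
        # Unknown domains and identifiers come back as errors; remember the miss so we don't retry
        Write-Verbose ("No tenant information found for {0}: {1}" -f $Value, $_.Exception.Message)
        $script:TenantInfoCache[$Key] = $null
        return $null
    }

    # tenantInformation carries exactly these four properties
    $Info = [pscustomobject]@{
        Query               = $Value
        TenantId            = $Data.tenantId
        DisplayName         = $Data.displayName
        DefaultDomainName   = $Data.defaultDomainName
        FederationBrandName = $Data.federationBrandName
    }
    $script:TenantInfoCache[$Key] = $Info
    return $Info
}

# Usage with a constructed mixed list, of the kind a script might collect from the external
# tenant identifiers returned by Get-AssociatedTeam for shared channels
'72f988bf-86f1-41af-91ab-2d7cd011db47', 'microsoft.com', 'example.invalid' | ForEach-Object {
    $Result = Resolve-TenantInformation -Value $_
    if ($Result) { "{0} -> {1} ({2}, default domain {3})" -f $_, $Result.DisplayName, $Result.TenantId, $Result.DefaultDomainName }
    else         { "{0} -> no Microsoft 365 tenant found" -f $_ }
}
```

Caching the misses matters as much as caching the hits: a report that loops over thousands of shared-channel memberships would otherwise repeat the same failing call for every unresolvable identifier.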

The Graph APIs are relatively recent. It’s also possible to use the federationProvider web API to read the published information about tenants from the internet. Because this API is not part of the Graph APIs, use the Invoke-RestMethod cmdlet instead of Invoke-MgGraphRequest. For example:

$Domain = Read-Host "What domain should I lookup"
$Uri = ("https://odc.officeapps.live.com/odc/v2.1/federationProvider?domain={0}" -f $domain)
$DomainId = Invoke-RestMethod -UseBasicParsing -Uri $Uri | Select-Object -ExpandProperty TenantId -ErrorAction SilentlyContinue

This is the approach used by websites like What is My Tenant Identifier (a ShareGate property – Figure 2).

Figure 2: The What is my Tenant Identifier website

Knowing Tenant Identifiers is a Good Thing

GUIDs are difficult to remember, and I don’t bother trying. When I think about the number of times I have had to find a tenant identifier over the years, the amount must be in the hundreds. Being able to find a tenant identifier without reverting to the Entra admin center is a good skill to have, especially if you want to use the information in a script.


Learn how to exploit the data available to Microsoft 365 tenant administrators through the Office 365 for IT Pros eBook. We love figuring out how things work.

How Many Licensed Microsoft 365 Accounts Use the Loop App? (https://office365itpros.com/2024/03/27/loop-app-usage/, published Wed, 27 Mar 2024 08:00:00 +0000)

Use Audit Records to Track Usage of the Loop App

Following last week’s announcement about external access support for the Loop app, thoughts might turn to understanding how many people within a tenant use the app. In fact, there are two categories of users: those with a license that includes the Microsoft Loop service plan (identifier c4b8c31a-fb44-4c65-9837-a21f55fcabda), and those who do not. The latter category includes anyone without a Microsoft 365 E3, E5, or Business Standard or Premium license. For now, these users can create new workspaces with the Loop app, but from June 30, 2024, they lose that capability when Microsoft enforces license requirements (Figure 1).

Figure 1: Warning that time is running out for an unlicensed Loop app user

Identifying Usage of the Loop App

The task then is to identify who’s using the Loop app and if they have the right license. Thinking about the problem, you could use the approach explained in this article to report Loop workspaces. The PowerShell script reports workspaces and members and doesn’t tell us who is actively using the Loop app. A different approach is necessary to detect actual usage, and as normal in these situations, the unified audit log is a good place to look for information.

The Loop app supports a wide range of compliance features, including logging its activities in the audit log. This shouldn’t be surprising because the Loop app uses SharePoint Embedded, and the audit log captures its actions to add, update, or remove workspaces just like it does for “normal” user file actions in SharePoint Online and OneDrive for Business.

It’s therefore possible to search the audit log to look for file actions performed by the Loop app (identifier a187e399-0c36-4b98-8f04-1edc167a0996) to understand who’s using the app.

Interrogating the Audit Log for Loop App Activities

I therefore wrote a PowerShell script (downloadable from GitHub) to do the following:

  • Connect to Exchange Online and the Microsoft Graph (Connect-MgGraph).
  • Find the set of users licensed to use the Loop app.
  • Find the set of users not licensed to use the Loop app.
  • Run the Search-UnifiedAuditLog cmdlet to search the unified audit log to find SharePoint file events like FileModified or FileModifiedExtended.
  • Filter the retrieved set of audit events to find the set applicable to the Loop app.
  • Sort the set by user principal name to find a unique set of users who have used the Loop app over the last 15 days (the period is customizable).
  • Check against the set to find licensed and unlicensed users who have used the Loop app. Also find licensed users who haven’t used the Loop app. This is a perfectly normal situation. The users might not have wanted to use the app, or they have been absent during the review period.
  • Report everything (using the Out-GridView cmdlet and by exporting to a CSV file).
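The steps above as an added example for this page (not the script published on GitHub). It splits licensed member accounts by the Loop service plan, pages through SharePoint file events in the unified audit log, keeps the events generated by the Loop app, and compares the two sets. It assumes the Exchange Online management module is installed and that the calling application's identifier appears in the ApplicationId field of each record's AuditData; the review period, output path, and variable names are this example's own.

```powershell
# Added example of the Loop app usage check described above (not the article's script).
# Assumptions: Exchange Online management module installed; Graph SDK with User.Read.All;
# SharePoint file audit records carry the calling app's id in AuditData.ApplicationId.
$LoopAppId         = 'a187e399-0c36-4b98-8f04-1edc167a0996'   # Loop app (from the post)
$LoopServicePlanId = 'c4b8c31a-fb44-4c65-9837-a21f55fcabda'   # Microsoft Loop service plan (from the post)
$Days              = 15                                         # review period, customizable

Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes User.Read.All -NoWelcome

# Licensed member accounts (server-side filter), then split by whether the Loop plan is enabled
[array]$Members = Get-MgUser -All -Filter "userType eq 'Member' and assignedLicenses/`$count ne 0" `
    -ConsistencyLevel eventual -CountVariable MemberCount `
    -Property Id, DisplayName, UserPrincipalName, AssignedPlans
$Licensed   = @{}   # UPN -> display name
$Unlicensed = @{}
foreach ($Member in $Members) {
    $HasLoop = $Member.AssignedPlans | Where-Object { $_.ServicePlanId -eq $LoopServicePlanId -and $_.CapabilityStatus -eq 'Enabled' }
    $Upn = $Member.UserPrincipalName.ToLower()
    if ($HasLoop) { $Licensed[$Upn] = $Member.DisplayName } else { $Unlicensed[$Upn] = $Member.DisplayName }
}

# Page through SharePoint file events for the review period (ReturnLargeSet hands back
# batches of up to 5000 until the result set is exhausted)
$StartDate = (Get-Date).AddDays(-$Days)
$EndDate   = Get-Date
$SessionId = [guid]::NewGuid().ToString()
[array]$Records = @()
do {
    [array]$Batch = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
        -RecordType SharePointFileOperation -Operations FileModified, FileModifiedExtended `
        -SessionId $SessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($Batch) { $Records += $Batch }
} while ($Batch.Count -gt 0)

# Keep only the events generated by the Loop app
$LoopEvents = foreach ($Record in $Records) {
    $Data = $Record.AuditData | ConvertFrom-Json
    if ($Data.ApplicationId -eq $LoopAppId) {
        [pscustomobject]@{ UPN = $Record.UserIds.ToLower(); When = $Record.CreationDate; Operation = $Record.Operations }
    }
}

# One row per user who touched the Loop app in the period
$ActiveUsers = $LoopEvents | Group-Object UPN | ForEach-Object {
    [pscustomobject]@{
        UPN          = $_.Name
        Events       = $_.Count
        LastActivity = ($_.Group.When | Measure-Object -Maximum).Maximum
    }
}

# Compare against the license sets
$Report = foreach ($Active in $ActiveUsers) {
    $License = if ($Licensed.ContainsKey($Active.UPN))       { 'Licensed' }
               elseif ($Unlicensed.ContainsKey($Active.UPN)) { 'Unlicensed' }
               else                                          { 'No license assigned' }
    [pscustomobject]@{ UPN = $Active.UPN; LoopLicense = $License; Events = $Active.Events; LastActivity = $Active.LastActivity }
}
$ActiveUpns          = @($ActiveUsers.UPN)
$LicensedButInactive = $Licensed.Keys | Where-Object { $_ -notin $ActiveUpns } | Sort-Object

Write-Host ("Loop app users in the last {0} days: {1} ({2} licensed, {3} unlicensed)" -f $Days, @($Report).Count,
    @($Report | Where-Object LoopLicense -eq 'Licensed').Count, @($Report | Where-Object LoopLicense -eq 'Unlicensed').Count)
Write-Host ("Licensed for Loop but no activity in the period: {0}" -f @($LicensedButInactive).Count)
$Report | Sort-Object UPN | Out-GridView -Title 'Loop app usage and license status'
$Report | Export-Csv -Path .\LoopAppUsage.csv -NoTypeInformation -Encoding UTF8
```

Two caveats for anyone adapting this: the audit log only shows file operations, so a licensed user who merely reads a workspace may not appear, and the 5000-record batches add up quickly in a busy tenant, so widen the operations list with care.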

It was a fun script to write. Between the two approaches (usage activity and workspace information), you have enough information to know exactly what’s happening with the Loop app within a Microsoft 365 tenant (Figure 2).

Figure 2: Active users of the Loop app and their license status

Next Steps

An immediate action is to assess if the people using the Loop app without a license are doing so in a productive manner. If they are and they want to continue using the app after June 30, 2024, they need to be assigned an eligible license (perhaps swapping with someone who has an eligible license but isn’t using the licensed features). After that, it’s a good idea to acquaint the Loop users with new capabilities. Perhaps you can create a Microsoft 365 group or distribution list to inform people when features like external access are available. Proactive communication is always better than reactive updates.



Microsoft Grounds Copilot Apps with Graph and Web Content (https://office365itpros.com/2024/03/25/copilot-for-microsoft-365-grounding/, published Mon, 25 Mar 2024 08:00:00 +0000)

Office Apps Get Better Grounding in Copilot for Microsoft 365

Message center notification MC734281 (12 March 2024) might have passed by without too much attention unless you’re particularly interested in Copilot for Microsoft 365. The notification informs tenants that Word, Excel, PowerPoint, and OneNote will ground user prompts by reference to enterprise data and the web. As Microsoft notes, this is like what happens when users interact with Copilot for Microsoft 365 chat.

Grounding against enterprise data means that when Copilot responds to user prompts, it will seek additional context by attempting to find relevant information in Microsoft 365 repositories using Graph requests. Web grounding means that Copilot will use Bing search to find relevant information from sites within and outside the enterprise. The fact that major apps will start to use grounded requests from April 2024 might come as a surprise. After all, Microsoft has long cited Copilot’s ability to use the “abundance of data” stored in Microsoft 365 as a major advantage of Copilot for Microsoft 365 over other AI tools that don’t have access to Microsoft 365 repositories.

The roll out starts with Word (Windows and Online) and progresses to PowerPoint, Excel, and OneNote. Microsoft expects to complete the deployment by September 2024.

The Importance of Grounding

Microsoft explains that grounding is “the process of using large language models (LLMs) with information that is use-case specific, relevant, and not available as part of the LLM’s trained knowledge.” In other words, if you ask Copilot for Microsoft 365 to do something and grounding doesn’t happen, it relies on the user prompt to query the LLM.

Until now, users have been able to ground prompts in apps like Word by including up to three reference documents in the prompt. Let me illustrate the importance of grounding by showing an example of two briefing notes generated by Copilot in Word about the Midnight Blizzard attack against Microsoft in January 2024. Copilot generated the first briefing note without any reference documents. Because it couldn’t search the Graph or web for relevant information, the grounding of the prompt was poor, and Copilot could only use whatever information is in the LLM.

As shown in Figure 1, the generated text included several inaccurate statements (hallucinations), including the remarkable assertion that the attack led to a drop of $400 billion in Microsoft’s market value, together with a declaration that the attack had deprived millions of Microsoft cloud users of access to services.

Figure 1: Briefing note about Midnight Blizzard generated by Copilot for Microsoft 365 (without reference documents)

If some relevant reference documents are included in the prompt, Copilot’s generated text becomes more accurate and balanced (Figure 2).

Figure 2: Briefing note about Midnight Blizzard generated by Copilot for Word with reference material

The important point here is that after Microsoft updates Copilot to allow the Office apps to ground prompts using Graph and web material, the chances of Copilot generating absolute rubbish lessen considerably. That is, if Copilot can find relevant information through its searches. Adding reference documents to prompts in Copilot for Word will generate even better results because the reference documents should give Copilot a more precise context to work with.

Microsoft says that Graph grounding is enabled for all user prompts and that Copilot requests will use “the file context” (whatever file is open at the time) plus web searches as well. Copilot for Microsoft 365 chat uses Graph and web lookups today.

The Quality of AI-Generated Text

In some respects, I was shocked that it has taken so long for Microsoft to ground Copilot requests in these important apps. Copilot for Microsoft 365 is evolving rapidly, but the ability to generate high-quality text at general availability seems like an essential rather than a nice-to-have feature. I’ve always been suspicious about the quality of the text generated by Word, and this revelation certainly explains a lot.

Take Your Time

The advice of Directions on Microsoft analyst Wes Miller that organizations should pace themselves and understand exactly what they are buying before they invest in expensive Copilot licenses is accurate. Things are changing, and the hyperbole around Copilot is like a dust storm that obscures detail. Why rush in where angels fear to tread?

Before making your mind up about Copilot, take the time to read the article posted by MVP Joe Stocker where he reports a drop-off of Copilot activity after the novelty effect of asking the AI to perform tasks wears off. Although the sample size was small, this emphasizes the need to support users on their Copilot journey, especially as important new functionality like Graph and web grounding appears.

And if you attend the Microsoft 365 Conference in Orlando at the end of April, make sure that you come to my session about not letting Copilot for Microsoft 365 become a vanity project. You might even enjoy what I have to say!


So much change, all the time. It’s a challenge to stay abreast of all the updates Microsoft makes across the Microsoft 365 ecosystem, including in Copilot. Subscribe to the Office 365 for IT Pros eBook to receive monthly insights into what happens, why it happens, and what new features and capabilities mean for your tenant.

Understanding How Much Microsoft 365 Backup Charges to Protect Data https://office365itpros.com/2024/03/20/microsoft-365-backup-costs/?utm_source=rss&utm_medium=rss&utm_campaign=microsoft-365-backup-costs https://office365itpros.com/2024/03/20/microsoft-365-backup-costs/#comments Wed, 20 Mar 2024 08:00:00 +0000 https://office365itpros.com/?p=64169

Microsoft 365 Backup Costs Based on Per Gigabyte of Protected Content

In my last article about Microsoft 365 Backup, I explained that I liked the ease of use of the product but had problems restoring data to SharePoint Online sites and OneDrive for Business accounts. Here I want to discuss the cost of using Microsoft 365 Backup (preview).

Microsoft charges for backups on a pay-as-you-go basis at a rate of $0.15/month per gigabyte of protected content. The costs are paid through an Azure subscription. The documentation includes a calculator to help estimate how much it will likely cost to use Microsoft 365 Backup. An essential part of that is to know the size of the sites, accounts, and mailboxes chosen for backup.

Getting Sizes for Protected Content

Storage usage information for workloads can be obtained using PowerShell cmdlets or the Graph usage reports API. Unhappily, some problems prevent easy access to storage usage data for SharePoint Online sites through the Graph. However, the data is available through the SharePoint Online management module (here’s an example script) or by checking the storage data reported in the SharePoint admin center.

The same problem doesn’t affect Graph usage data for Exchange Online or OneDrive for Business, so you could use that approach or cmdlets from the Exchange Online and SharePoint Online management modules. Here are examples of scripts to report Exchange mailbox sizes and OneDrive for Business account sizes.

Microsoft warns that “Mailboxes are the size of the user’s mailbox plus their online archives plus deleted items held for Backup.” The Exchange mailbox size calculation is therefore the size of user-accessible folders in the primary and archive mailboxes (if enabled) plus the size of the Recoverable Items folders in the primary and archive mailboxes.

Computing Microsoft 365 Backup Costs

In my tenant, the outcome for the locations selected for backup protection was:

  • SharePoint Online: 109 GB × $0.15 = $16.35
  • OneDrive for Business: 71 GB × $0.15 = $10.65
  • Exchange Online: 20 GB × $0.15 = $3.00

Overall, the estimated Microsoft 365 Backup cost for my tenant came to $30 a month. The protected locations will grow as new information is added to them, so the actual monthly cost over a year might go from $30 to $36 (20% growth).
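To make the size-gathering and cost arithmetic above repeatable, here is an added PowerShell example (not a script from the article). It applies the mailbox rule Microsoft quotes (primary mailbox plus archive plus Recoverable Items) and the $0.15/GB/month rate; the live lookups assume the Exchange Online management module, while the cost calculation itself runs offline on the figures quoted above.

```powershell
# Added example, not the article's own script: estimate Microsoft 365 Backup charges from
# the sizes of the protected locations. Live data needs Connect-ExchangeOnline; the
# cost calculation at the end runs offline.

# Exchange reports sizes as "248.5 MB (260,572,313 bytes)"; take the exact byte count.
function ConvertTo-Bytes {
    param([Parameter(Mandatory)][string]$SizeText)
    if ($SizeText -match '\(([\d,]+) bytes\)') {
        return [int64]($Matches[1] -replace ',', '')
    }
    throw "Unrecognized size string: $SizeText"
}

# Bytes Microsoft 365 Backup counts for one mailbox: user folders in the primary mailbox
# and the archive (if enabled) plus Recoverable Items in both (TotalDeletedItemSize).
function Get-MailboxProtectedBytes {
    param([Parameter(Mandatory)][string]$Identity)
    $Props = 'TotalItemSize', 'TotalDeletedItemSize'
    $Stats = Get-EXOMailboxStatistics -Identity $Identity -Properties $Props
    $Bytes = (ConvertTo-Bytes $Stats.TotalItemSize.ToString()) +
             (ConvertTo-Bytes $Stats.TotalDeletedItemSize.ToString())
    # Asking for archive statistics fails when no archive exists, so check first.
    $Mailbox = Get-EXOMailbox -Identity $Identity -Properties ArchiveStatus
    if ($Mailbox.ArchiveStatus -eq 'Active') {
        $Archive = Get-EXOMailboxStatistics -Identity $Identity -Archive -Properties $Props
        $Bytes += (ConvertTo-Bytes $Archive.TotalItemSize.ToString()) +
                  (ConvertTo-Bytes $Archive.TotalDeletedItemSize.ToString())
    }
    return $Bytes
}

# Monthly cost per workload at the pay-as-you-go rate, plus a projection for growth.
# Uses PowerShell's 1GB (1024^3); change the divisor if the bill is in decimal gigabytes.
function Get-BackupCostEstimate {
    param(
        [Parameter(Mandatory)][hashtable]$BytesByWorkload,
        [double]$RatePerGBMonth = 0.15,
        [double]$AnnualGrowth = 0.20
    )
    $Rows = foreach ($Workload in $BytesByWorkload.Keys) {
        $GB = [math]::Round($BytesByWorkload[$Workload] / 1GB, 2)
        [pscustomobject]@{
            Workload    = $Workload
            ProtectedGB = $GB
            MonthlyCost = [math]::Round($GB * $RatePerGBMonth, 2)
        }
    }
    $Monthly = ($Rows | Measure-Object -Property MonthlyCost -Sum).Sum
    [pscustomobject]@{
        Workloads          = $Rows
        MonthlyCost        = [math]::Round($Monthly, 2)
        MonthlyAfterGrowth = [math]::Round($Monthly * (1 + $AnnualGrowth), 2)
    }
}

# Live use: sum the mailboxes covered by the backup policy, then add SharePoint and
# OneDrive usage (Get-SPOSite reports StorageUsageCurrent in MB).
#   $MailboxBytes = (Get-EXOMailbox -ResultSize Unlimited |
#       ForEach-Object { Get-MailboxProtectedBytes $_.UserPrincipalName } |
#       Measure-Object -Sum).Sum

# Offline demonstration using the per-workload figures quoted in the article.
$Estimate = Get-BackupCostEstimate -BytesByWorkload @{
    'SharePoint Online'     = 109GB
    'OneDrive for Business' = 71GB
    'Exchange Online'       = 20GB
}
$Estimate.Workloads | Format-Table -AutoSize
'Monthly: ${0:N2}  With 20% growth: ${1:N2}' -f $Estimate.MonthlyCost, $Estimate.MonthlyAfterGrowth
```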

Your mileage will vary depending on the growth experienced in the selected locations and how aggressive the tenant is in clearing out older data using retention policies. Archive mailboxes grow by holding information moved from the primary mailbox by Exchange mailbox retention policies. Archived data tends to remain for longer periods. For this reason, it’s not unusual to see archive mailboxes that are several times larger than primary mailboxes (up to the 1 TB limit for expandable archives).

In the first month, Microsoft 365 backup cost EUR 12.88 or $14.03 (Figure 1), or about half the expected cost. I assume that some startup processing takes place in the background that resulted in the lower outcome.

Figure 1: Microsoft 365 Backup costs for the first month

The invoice for the second month increased backup costs to EUR 25.18 or $27.42 (Figure 2), so it’s tracking closer to the expected level. Microsoft 365 Backup is processing more data. However, the extra data does not reflect a doubling of costs over the previous period. Overall, this points to some stabilization in the calculation of backup costs. I imagine that when Microsoft 365 Backup is generally available, the costs incurred for Azure subscriptions will be at the predicted levels very soon after commencement.

Figure 2: Microsoft 365 Backup costs for the second month

Driving Toward General Availability

Microsoft 365 Backup is certainly worth considering for tenant data protection. The big issue that traditional backup products point to is that the data remains in Microsoft datacenters and therefore breaks the classic backup principle of keeping a copy of the data in a separate location. While true, the counterargument is that given the petabytes of data created in Microsoft 365 tenants daily, it’s hard to move such a volume of data offsite to a remote backup and even harder to restore data in an acceptable time. Microsoft’s datacenters have a robust record of availability, and I don’t see a problem with the backup data being kept alongside the live data. After all, if the Microsoft 365 datacenters are unavailable, what is the restore target for the offsite copies of sites and mailboxes?

A compromise might be to combine traditional and Microsoft 365 Backup into a hybrid where the traditional backup satisfies the need to move data to a remote location while Microsoft 365 backup satisfies the requirement for fast restore. Given that several backup vendors are building support for the Microsoft backup API into their products, I imagine that we will see some interesting innovation in this space.

In the meantime, we await the general availability of Microsoft 365 Backup. In that version, I anticipate that Microsoft will address the problem with restoring sites under compliance holds. I hope that they add properties, available through PowerShell and a Graph API, to show when sites and mailboxes are protected by Microsoft 365 Backup. Properties like last backup time, the technology used for backup (including ISV products), and the size of protected data would be nice. In fact, a Graph API for setting up and managing backups and restores would be even nicer.


Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.

Microsoft Lifts External Sharing Restriction for Loop App https://office365itpros.com/2024/03/15/loop-app-external-sharing/?utm_source=rss&utm_medium=rss&utm_campaign=loop-app-external-sharing https://office365itpros.com/2024/03/15/loop-app-external-sharing/#comments Fri, 15 Mar 2024 08:00:00 +0000 https://office365itpros.com/?p=64141

Two-Phase Plan to Lift Loop App External Sharing Restriction Starts in Late April 2024


The Loop app reached general availability in late 2023. The Loop app is licensed through a service plan included in the Microsoft 365 E3 or E5 enterprise subscriptions. SME accounts can use the Loop app with a Microsoft 365 Business Standard or Premium license. The ability to use individual Loop components (like a bulleted list) in applications like Teams and Outlook is included in the licenses for those applications, but if you want to organize your thoughts in Loop workspaces, you must use the Loop app.

Workspaces are the organizational unit for the Loop app. Inside workspaces, information is divided into pages, which are in turn composed of Loop components. Microsoft is gradually building out the set of components supported by Loop, the most recent being a Planner plan.

Microsoft says that the Loop app is “built for the new way of work.” Strong as it might be as a platform for collaborative creation, Loop suffers from the lack of support for sharing outside a tenant. This deficiency has always struck me as strange. Loop is built on SharePoint Embedded (or as it was once called, Syntex Repository Services). It’s an example of an application that uses SharePoint for storage while providing a unique user interface. That is very different from the traditional SharePoint UX.

Because Loop uses SharePoint Embedded, it’s logical to assume that it would support the same kind of external file sharing for its workspaces as in SharePoint Online and OneDrive for Business. But that wasn’t the case and the Loop app didn’t support Entra ID B2B Collaboration (guest accounts), which is the basis for control over content shared externally. Individual Loop components created by apps like Teams and Outlook are stored in the OneDrive for Business account of the component owner and can be shared by the owner with external users, just like any other file.

Microsoft 365 message center notification MC736437 (13 March 2024) announces that external access to Loop workspaces, pages, and components will come in late April 2024 with full deployment due by early June 2024. Lifting the restriction on external access to content managed by the Loop app is very welcome news. It will certainly help me work more collaboratively with people in other Microsoft 365 tenants.

Two Deployment Phases to Implement Loop App External Sharing

The kicker is that only tenants without sensitivity labels can use the initial stage of external access. This restriction should only affect enterprise tenants who use sensitivity labels for container management, protection, content marking, or a combination of these features. It seems like Microsoft is delaying roll-out of external access for Loop in tenants that use sensitivity labels until it has incorporated support for sensitivity labels in the Loop app.

MC736437 says that “Sensitivity labels will begin rolling out in the first half of 2024.” This doesn’t make sense because sensitivity labels have been around for years. I read the sentence to mean that support for sensitivity labels in the Loop app will come in the first half of 2024. Given that we’re already in mid-March and the initial deployment to tenants that don’t use sensitivity labels won’t complete until early June, it’s a reasonable bet that the second phase of external access for the Loop app will come around then.

How the Loop App External Sharing Might Support Sensitivity Labels

While Microsoft hasn’t said how the Loop app will support sensitivity labels, it’s likely to include:

  • Container management for Loop workspaces to mark the workspaces with a level of confidentiality. Given its tight connection to SharePoint Online, the Loop app will probably apply the external sharing settings defined in sensitivity labels to workspaces. MC736437 points out that the Loop app will respect the organization sharing policy defined for SharePoint Online and OneDrive for Business. For instance, the policy might restrict sharing to guest accounts that already exist in the tenant directory.
  • Protection and marking for Loop pages. In this respect, a Loop page is like a Word document stored in SharePoint. Applying a sensitivity label with encryption to a page would protect the page content when it leaves the tenant so that only external users with access rights can open and interact with the page. It might also be possible to protect an individual Loop component in the future. However, to make this happen, Microsoft would have to make sure that protected component can be read in other Office applications. No Office application currently supports the assignment of a sensitivity label to a Loop component.

No doubt more precise information will become available in product documentation as the time approaches for the roll-out of full-blown external access to Loop workspaces, pages, and components.

Loop App External Sharing is a Nice Step Forward

The Loop app is a great way to share ideas and work together. It’s not OneNote and it’s not Teams. It’s not like sending email around with a link to a shared document. The Loop synchronization model means that everyone who shares a component, page, or workspace sees the update in near real-time. That’s just different and it takes time for collaborators to become accustomed to how things work. Most of my work is with people outside my tenant. I’m intrigued to see how the Loop app copes with external access and sensitivity labels.


Keep up to date with developments like sensitivity label support for the Loop app by subscribing to the Office 365 for IT Pros eBook. Our monthly updates make sure that our subscribers understand the most important changes happening across Office 365.

Restoring Data with Microsoft 365 Backup (Preview) https://office365itpros.com/2024/02/29/microsoft-365-backup-restore/?utm_source=rss&utm_medium=rss&utm_campaign=microsoft-365-backup-restore https://office365itpros.com/2024/02/29/microsoft-365-backup-restore/#comments Thu, 29 Feb 2024 01:00:00 +0000 https://office365itpros.com/?p=63891

The Evolution of Microsoft 365 Backup to its Current Preview Status

Paul Robichaux, a longstanding MVP and someone who knows much more than I do about backup technologies, wrote an interesting review of the public preview of Microsoft 365 Backup for Practical365.com. I don’t need to dive into the details of what Paul covered about the mechanisms used by Microsoft 365 Backup to protect SharePoint Online, OneDrive for Business, and Exchange Online data. Instead, I decided to focus on how restore operations work. I did this on the basis that it’s straightforward for a backup product to stream data from a repository to create a copy of one form or another. The trick is to be able to restore copied data to the right place at the right time in the right way.

For background, I’ve been tracking the progress of Microsoft 365 Backup for several years, including discussions with the Microsoft engineers who built the product. When Microsoft began to discuss the product in public, I concluded that it was something I needed to test and potentially use over the longer term to protect my tenant’s data.

Until now, I have largely eschewed backups for Microsoft 365 and relied on native data protection (for Exchange Online) and retention policies. I consider many of the arguments advanced by companies selling backup solutions to be firmly rooted in FUD, especially when it comes to Teams. Unsurprisingly, because Teams is the most difficult Microsoft 365 workload to back up (and even harder to restore), Microsoft hasn’t included it in its set of target workloads.

When Microsoft launched the preview of Microsoft 365 Backup, I configured backup policies for all workloads and opted to protect the most active (and probably most valuable) sites, accounts, and mailboxes in the tenant, including the site holding the source files for the Office 365 for IT Pros eBook. Backups have progressed since early January. Apart from adding extra mailboxes and accounts to the backup policies, I haven’t had to do anything since the original configuration.

Restoring Microsoft 365 Data

The big selling point for Microsoft 365 Backup is that it makes it fast and easy to restore data. The data for backups is stored in the Microsoft Cloud and is almost instantly accessible, or so the story goes. Backup professionals don’t like all their eggs stored in one cloud basket and don’t consider Microsoft 365 Backup to be a true backup. However, having everything in the Microsoft cloud makes backup and restore operations much faster than if the data must transit the internet to storage in a backup vendor’s datacenter.

There’s no doubt that Microsoft created a simple and easy-to-use UI for backup. The downside is that there’s no log to help you understand what happened during a restore or, more importantly, where problems might have been met. Before beginning, it’s wise to read the latest set of limitations documented by Microsoft. Apart from anything else, you might discover that you must do something before a restore is possible, such as removing in-place holds from Exchange mailboxes. The number of documented limitations is likely to decrease as Microsoft develops the product from its current preview status to a point where Microsoft 365 Backup is generally available.

You can learn the details of restore operations from Microsoft’s documentation. Creating a restoration task follows much the same path for all workloads:

  • Select the workload.
  • Select the protected locations (site, account, or mailbox) to restore.
  • Select the restore point (Figure 1).
  • Confirm everything and launch the restoration task.
  • Wait for the restoration task to complete.

Figure 1: Selecting a restore point for Microsoft 365 Backup

My experience is that Exchange Online restores are quicker than SharePoint Online or OneDrive for Business. That’s likely due to the way Exchange uses an existing copy-on-write mechanism to tag items. In all tests, Exchange restored data within a few minutes. As a quick and simple test to ensure that the data was restored, I used PowerShell to note the contents of important folders before and after a restore.

For example, here are the folder statistics at the time that I wanted to restore to:

# Folders to watch; Deletions and Purges are subfolders of Recoverable Items
$Folders = @("Deleted Items", "Inbox", "Sent Items", "Deletions", "Purges")
Get-EXOMailboxFolderStatistics -Identity "James.Ryan@office365itpros.com" | Where-Object {$_.Name -in $Folders} | Format-Table Name, ItemsInFolder, FolderSize

Name          ItemsInFolder FolderSize
----          ------------- ----------
Deleted Items             0 0 B (0 bytes)
Inbox                  1038 248.5 MB (260,572,313 bytes)
Sent Items               19 794.1 KB (813,182 bytes)
Deletions                 6 3.689 MB (3,868,185 bytes)
Purges                    1 1.904 KB (1,950 bytes)

I then removed five items from the Inbox and emptied the Deleted Items folder. The increase in the number of items in the Deletions folder (5) matches the number of items removed from the Inbox plus those emptied from Deleted Items.

Name          ItemsInFolder FolderSize
----          ------------- ----------
Deleted Items             0 0 B (0 bytes)
Inbox                  1033 247 MB (258,973,507 bytes)
Sent Items               19 794.1 KB (813,182 bytes)
Deletions                11 5.214 MB (5,467,162 bytes)
Purges                    1 1.904 KB (1,950 bytes)

I then created a restore task using the restore point closest to the time when I first noted the folder contents. When the restore finished, I checked the data reported by Exchange. We can see that it roughly matches what was there at the start. One item from Sent Items was deleted in the meantime, so it’s in Deleted Items. This emphasizes that Exchange Online uses a roll-forward mechanism for restore, meaning that items that aren’t affected (a refile to another folder doesn’t affect the item status, a deletion does) are left intact.

Name          ItemsInFolder FolderSize
----          ------------- ----------
Deleted Items             1 19.28 KB (19,745 bytes)
Inbox                  1038 248.5 MB (260,572,377 bytes)
Sent Items               18 774.9 KB (793,459 bytes)
Deletions                 6 3.689 MB (3,868,185 bytes)
Purges                    1 1.904 KB (1,950 bytes)

Naturally, this is an imperfect way to validate restore operations. A visual check of mailbox contents confirmed that everything I expected to be there was in place. Exchange Online logs audit records for the New-MailboxEnhancedRestoreBatch and New-MigrationBatch operations when it starts a restoration task. The details of the audit event only tell you that a restore began for a user called “NT AUTHORITY\SYSTEM (w3wp).” Some of the data logged in the events might be useful to a Microsoft support representative, but the information isn’t detailed enough to help a tenant administrator understand what happened.
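The before-and-after comparison described above can be scripted so that it survives between sessions and flags each folder explicitly. This added PowerShell example (not a script from the article) snapshots folder statistics, compares them after a restore, and pulls the audit records mentioned above; it assumes the Exchange Online management module for live data and that the restore operations appear in the unified audit log, while the comparison itself runs on a constructed sample built from the figures shown above.

```powershell
# Added example, not the article's own script: snapshot folder counts and sizes before a
# restore, save them, and compare with the mailbox afterwards. Live data needs
# Connect-ExchangeOnline; the constructed sample at the end runs offline.

$Folders = @('Inbox', 'Sent Items', 'Deleted Items', 'Deletions', 'Purges')

function Get-FolderSnapshot {
    param([Parameter(Mandatory)][string]$Identity, [string[]]$Names = $Folders)
    Get-EXOMailboxFolderStatistics -Identity $Identity |
        Where-Object { $_.Name -in $Names } |
        ForEach-Object {
            # FolderSize reads "248.5 MB (260,572,313 bytes)"; keep the exact byte count.
            $Text  = $_.FolderSize.ToString()
            $Bytes = if ($Text -match '\(([\d,]+) bytes\)') { [int64]($Matches[1] -replace ',', '') } else { $null }
            [pscustomobject]@{ Name = $_.Name; Items = [int]$_.ItemsInFolder; Bytes = $Bytes }
        }
}

# Item counts decide the status; byte deltas are reported separately because a restored
# item can come back a few bytes larger (the Inbox above: same 1038 items, 64 more bytes).
function Compare-FolderSnapshot {
    param([Parameter(Mandatory)][object[]]$Before, [Parameter(Mandatory)][object[]]$After)
    $AfterByName = @{}
    foreach ($Entry in $After) { $AfterByName[$Entry.Name] = $Entry }
    foreach ($B in $Before) {
        $A = $AfterByName[$B.Name]
        if (-not $A) {
            [pscustomobject]@{ Name = $B.Name; ItemsBefore = $B.Items; ItemsAfter = $null
                               ItemDelta = $null; BytesDelta = $null; Status = 'FolderMissing' }
            continue
        }
        $Delta = $A.Items - $B.Items
        if ($Delta -eq 0)    { $Status = 'Restored' }
        elseif ($Delta -lt 0) { $Status = 'ItemsMissing' }
        else                  { $Status = 'ExtraItems' }   # roll-forward leaves later deletions in place
        [pscustomobject]@{ Name = $B.Name; ItemsBefore = $B.Items; ItemsAfter = $A.Items
                           ItemDelta = $Delta; BytesDelta = $A.Bytes - $B.Bytes; Status = $Status }
    }
}

# Audit trail for the restore. Assumption: the Exchange admin audit records for these
# operations are searchable in the unified audit log; the actor is NT AUTHORITY\SYSTEM (w3wp).
function Get-RestoreAuditRecords {
    param([datetime]$Start = (Get-Date).AddDays(-1), [datetime]$End = (Get-Date))
    Search-UnifiedAuditLog -StartDate $Start -EndDate $End -ResultSize 5000 `
        -Operations 'New-MailboxEnhancedRestoreBatch', 'New-MigrationBatch' |
        Select-Object CreationDate, Operations, UserIds
}

# Live use:
#   Get-FolderSnapshot 'James.Ryan@office365itpros.com' | Export-Clixml .\before.xml
#   ... run the restoration task ...
#   Compare-FolderSnapshot -Before (Import-Clixml .\before.xml) `
#       -After (Get-FolderSnapshot 'James.Ryan@office365itpros.com')

# Constructed sample reproducing the before/after figures shown above.
$Before = @(
    [pscustomobject]@{ Name = 'Deleted Items'; Items = 0;    Bytes = 0 },
    [pscustomobject]@{ Name = 'Inbox';         Items = 1038; Bytes = 260572313 },
    [pscustomobject]@{ Name = 'Sent Items';    Items = 19;   Bytes = 813182 },
    [pscustomobject]@{ Name = 'Deletions';     Items = 6;    Bytes = 3868185 }
)
$After = @(
    [pscustomobject]@{ Name = 'Deleted Items'; Items = 1;    Bytes = 19745 },
    [pscustomobject]@{ Name = 'Inbox';         Items = 1038; Bytes = 260572377 },
    [pscustomobject]@{ Name = 'Sent Items';    Items = 18;   Bytes = 793459 },
    [pscustomobject]@{ Name = 'Deletions';     Items = 6;    Bytes = 3868185 }
)
Compare-FolderSnapshot -Before $Before -After $After | Format-Table -AutoSize
```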

Happy that I could restore mailboxes, I went ahead to try to restore data for a SharePoint site.

Restoring SharePoint Online

Both SharePoint Online and OneDrive for Business use a roll back process for restores. In other words, you decide what restore point to use, and Microsoft 365 Backup rolls back the site or account to have the content stored at that time. Restores can be to the same site or to a new site. If you restore to the same site, the possibility currently exists that people working in the site might have their work overwritten. Microsoft plans to lock sites against changes to avoid this issue in the future. Exchange uses a roll-forward process, meaning that unchanged items since the chosen restore point are unaffected and only changed or deleted items are brought back. In any case, my experience with SharePoint restores didn’t go so well.

I added a bunch of files to a site and then tried to roll back to a point beforehand. The idea was to replicate infection by malware when you need to restore a site to the last good backup before the malware arrived. SharePoint accepted the restore task and about fifty minutes later politely failed. Nothing happened to the restore destination and the detail available about what happened to cause the restoration task to fail was non-existent (Figure 2).

Figure 2: Details of a failed attempt to restore a SharePoint Online site

Many attempts to restore the site failed and the last restoration task failed after nearly three hours (the second task listed in Figure 3). SharePoint Online does not log any audit records for administrators to check nor is any other log available to consult to discover why the task failed. Despite rereading the documentation several times and checking all the settings, I could make no progress. Perhaps it’s just me, but I failed in my initial attempts to successfully restore SharePoint Online sites or OneDrive for Business accounts.

Figure 3: An unhappy record and some frustration at failed restore attempts

Without Microsoft 365 Backup generating a log file or revealing more details about failure symptoms, it’s hard to diagnose what’s happening. I put the problem to Microsoft and learned that the problem is due to the holds applied by retention policies. This limitation is documented for OneDrive and mailboxes but not for sites. For now, the solution is to restore files to a new site. This works, and restoring files to a different site allows them to be copied to the original site as necessary. However, it’s not quite the smooth recovery operation that I anticipated, even in a preview product.

My biggest concern is that the holds imposed by retention policies block restoration tasks. When things go wrong, administrators want to restore sites or accounts back to good health as quickly as possible. Speed, after all, is the promise extended by Microsoft 365 Backup. Altering settings for Microsoft 365 retention policies to remove holds on sites, including the potential need to adjust adaptive scopes, is not speedy. It can take days before changes are fully respected by SharePoint Online. How then are fast restores possible?

Remember It’s a Preview

Microsoft 365 Backup is a preview solution, but it’s a paid-for preview and I expected what appears to be a straightforward restore request to happen without trauma. After talking to Microsoft, I think they understand that problems exist that must be sorted out before the product reaches general availability. As noted above, these issues include speed of restore, faster detection of problems in restoration tasks, better error handling and logging, and much more elegant handling of sites under control of retention policies.

Microsoft Releases Entra ID License Utilization Insights https://office365itpros.com/2024/02/26/entra-id-usage-insights/?utm_source=rss&utm_medium=rss&utm_campaign=entra-id-usage-insights https://office365itpros.com/2024/02/26/entra-id-usage-insights/#respond Mon, 26 Feb 2024 01:00:00 +0000 https://office365itpros.com/?p=63904

Entra ID Usage Insights for Premium Licenses

A February 20 Microsoft Technical Community post covering the introduction of Microsoft Entra License Utilization Insights began by saying that over 800,000 organizations use Entra ID before announcing the preview of a new Entra ID License utilization portal. When I read this first, I assumed that the new portal would help customers manage all licenses assigned to Entra ID accounts but that’s not the case. Instead, the new portal (or rather, a new page in the Entra admin center) focuses on Entra ID premium licenses.

Entra ID premium licenses are available separately or as part of a package such as Enterprise Mobility and Security or Microsoft 365 E3 or E5. Although these licenses enable access to a range of features, the most common reason why Microsoft 365 tenants need Entra ID premium licenses is for conditional access policies. Currently, Microsoft says that 38% of Entra ID accounts use multifactor authentication. Demand is likely to grow in the future when Microsoft deprecates the per-user multifactor authentication capabilities available in Office 365 E3 and E5 and forces tenants to use conditional access policies instead.

Microsoft says that the new page (Figure 1) allows administrators to view usage details for Entra ID premium licenses. The preview is limited to support for conditional access (P1) and risk-based conditional access (P2).

Figure 1: Entra ID Usage Insights in the Entra admin center

Microsoft expects to add support for more features when the feature reaches general availability. They claim that usage insights will help tenants to understand the number of available premium licenses and the value gained by users from these licenses. And of course, if any over-usage is detected, Microsoft will be happy to bring that salient fact to the attention of tenant administrators.

A More Restrictive Regime Coming?

At present, Microsoft does not enforce licensing requirements for Entra ID premium features with the same precision as happens for Microsoft 365 licenses. For instance, Entra ID processes connections that require multifactor authentication no matter whether the account has a premium license. The advent of this license utilization page might be a pointer to a more restrictive regime that’s coming, including for premium features consumed by guest users (which should now be covered by Monthly Active User (MAU) pricing).

For instance, my tenant has five Microsoft 365 E5 licenses among the licensing mix, so that means that the tenant has five Entra ID P2 licenses. The insights page tells me that there are 11 accounts using conditional access and 45 users using conditional access B2B (guests). Costs for the guests are covered by MAU pricing tied to an Azure subscription, but I seem to have a deficit of six Entra ID P1 licenses to license multifactor authentication for the excess user accounts. Obviously, this is something that I will deal with immediately.

Graph Access to Entra ID Usage Insights

In addition to the page in the Entra admin center, Microsoft has a Graph API to access the usage insights (through the beta endpoint because it’s a preview feature). Here’s how to access the data using the Microsoft Graph PowerShell SDK:

[array]$Data = Invoke-MgGraphRequest -Method Get -Uri "https://graph.microsoft.com/beta/reports/azureADPremiumLicenseInsight" -OutputType PSObject

$Data

@odata.context            : https://graph.microsoft.com/beta/$metadata#reports/azureADPremiumLicenseInsight/$entity
entitledP1LicenseCount    : 0
entitledP2LicenseCount    : 5
entitledTotalLicenseCount : 5
p1FeatureUtilizations     : @{conditionalAccess=; conditionalAccessGuestUsers=}
p2FeatureUtilizations     : @{riskBasedConditionalAccess=; riskBasedConditionalAccessGuestUsers=}

To get the counts of users accessing the licensed features, we can do something like this:

Write-Host ("The tenant has {0} member accounts and {1} guest accounts that use conditional access" -f $Data.p1FeatureUtilizations.conditionalaccess.usercount, $Data.p1FeatureUtilizations.conditionalaccessguestusers.usercount )

The tenant has 11 member accounts and 45 guest accounts that use conditional access
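The insight report gives entitlements and feature utilization side by side, so the deficit calculation above can be done in code rather than by eye. The following function is an added example and not code from the original article. It assumes the report shape shown above (entitledP1LicenseCount, entitledP2LicenseCount, and userCount under each feature) and that Entra ID P2 includes every P1 feature, so P2 seats count towards P1 coverage. Guest usage is reported separately because it is billed through MAU pricing rather than per-user licenses. The $Sample object is constructed to mirror the response and the counts quoted in this article so the function runs without a Graph session.

```powershell
# Added example (not from the original article): work out the Entra ID premium
# license deficit for member accounts from the azureADPremiumLicenseInsight payload.
# Assumption: P2 includes all P1 features, so P2 seats also cover P1 usage.
function Get-EntraPremiumLicenseDeficit {
    param([Parameter(Mandatory)] $Insight)

    $P1Members = [int]$Insight.p1FeatureUtilizations.conditionalAccess.userCount
    $P2Members = [int]$Insight.p2FeatureUtilizations.riskBasedConditionalAccess.userCount
    $P2Seats   = [int]$Insight.entitledP2LicenseCount
    $P1Seats   = [int]$Insight.entitledP1LicenseCount + $P2Seats   # P2 seats cover P1 features

    [PSCustomObject]@{
        P1MemberUsers = $P1Members
        P1Seats       = $P1Seats
        P1Deficit     = [math]::Max(0, $P1Members - $P1Seats)
        P2MemberUsers = $P2Members
        P2Seats       = $P2Seats
        P2Deficit     = [math]::Max(0, $P2Members - $P2Seats)
        # Guests are covered by MAU billing, so they are reported but not counted against seats
        P1GuestUsers  = [int]$Insight.p1FeatureUtilizations.conditionalAccessGuestUsers.userCount
        P2GuestUsers  = [int]$Insight.p2FeatureUtilizations.riskBasedConditionalAccessGuestUsers.userCount
    }
}

# Live data: run the Invoke-MgGraphRequest call shown above after Connect-MgGraph and
# pass $Data to the function. The object below is a constructed sample that mirrors the
# shape of that response and the member/guest counts quoted in the article; the P2
# utilization figures are made up for the sample.
$Sample = [PSCustomObject]@{
    entitledP1LicenseCount = 0
    entitledP2LicenseCount = 5
    p1FeatureUtilizations  = [PSCustomObject]@{
        conditionalAccess           = [PSCustomObject]@{ userCount = 11 }
        conditionalAccessGuestUsers = [PSCustomObject]@{ userCount = 45 }
    }
    p2FeatureUtilizations  = [PSCustomObject]@{
        riskBasedConditionalAccess           = [PSCustomObject]@{ userCount = 0 }
        riskBasedConditionalAccessGuestUsers = [PSCustomObject]@{ userCount = 0 }
    }
}

$Result = Get-EntraPremiumLicenseDeficit -Insight $Sample
$Result | Format-List
if ($Result.P1Deficit -gt 0 -or $Result.P2Deficit -gt 0) {
    Write-Warning ("Premium license shortfall: P1 {0}, P2 {1}" -f $Result.P1Deficit, $Result.P2Deficit)
}
```

With the sample data, the function reports a P1 deficit of 6 (11 member accounts using conditional access against 5 P2 seats), which matches the figure worked out by hand above. Running the same function on an Azure Automation schedule and alerting when either deficit is greater than zero gives early warning before any stricter enforcement arrives.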

Here’s how to find which accounts actively use multifactor authentication to access your tenant.

Entra ID Usage Insights Serve Microsoft More Than Tenants

It’s natural that the Entra ID development group should take care of their license consumption and revenue, so the provision of a page to make tenants aware of the consumption is unsurprising. I think this is a forerunner of a more restrictive regime for Entra ID premium licensing, which again is unsurprising. I just hope that it doesn’t put tenants off from using multifactor authentication to protect user accounts. Given today’s threat horizon, multifactor authentication is more of a must-have than an added extra and it would be nice if Microsoft supported tenants to use more multifactor authentication rather than putting barriers in the way.


Support the work of the Office 365 for IT Pros team by subscribing to the Office 365 for IT Pros eBook. Your support pays for the time we need to track, analyze, and document the changing world of Microsoft 365 and Office 365.

Microsoft Kills Viva Topics to Focus on Copilot https://office365itpros.com/2024/02/23/viva-topics-retirement/?utm_source=rss&utm_medium=rss&utm_campaign=viva-topics-retirement https://office365itpros.com/2024/02/23/viva-topics-retirement/#comments Fri, 23 Feb 2024 00:01:00 +0000 https://office365itpros.com/?p=63851

Viva Topics Retirement Propelled by More Lucrative Copilot Opportunity

In a surprise announcement posted in Microsoft 365 message center notification MC718486, Microsoft said that they will retire Viva Topics on February 22, 2025 and will stop new feature development as of February 22, 2024. Originating as part of Project Cortex, Microsoft launched Viva Topics as one of the four modules in its new Viva employee experience platform in February 2021. Support documentation covering the retirement is available online as is a FAQ.

The idea behind Viva Topics is that organizations could leverage their investment in SharePoint Online by creating a curated knowledge network about topics important to the business. Knowledge editors would maintain the topics and link them to sources. Users could consume the information in the knowledge network by inserting topics into the natural flow of communications created in Outlook messages, Teams chats and channel conversations (Figure 1), or SharePoint documents. The latest development was to expose topics in the Microsoft 365 user profile card.

Figure 1: Viva Topics in a Teams channel conversation

There’s some great technology in Viva Topics. Alas, great technology doesn’t always survive in the acid test of the market. Some Microsoft 365 tenants use Topics, but I don’t see any evidence of a major groundswell of projects. The level of discussion about Topics is low in online forums and it’s not a subject for sessions submitted to major Microsoft 365 conferences. Although hardly a test that could be stood over, it is undeniable that potential speakers submit sessions for technology that interests them or that they work on. I cannot recall seeing a submission for a Viva Topics session in the last year.

Knowledge Management is Hard

Knowledge management is hard. Anyone who set up and managed a knowledge network for Viva Topics will appreciate that the AI-powered harvesting of topics from content stored in SharePoint Online can generate hundreds or thousands of topics to curate, refine, and publish, all of which takes time. The work of the knowledge managers might not be appreciated by end users, or even recognized if end users don’t receive education about how to use Topics.

Even though Microsoft announced lightweight management for Topics through Viva Engage in July 2023 and Copilot in Viva Topics in April 2023, the benefit of hindsight shows that Microsoft’s heart had been snatched by Copilot and the clarion call to development groups to create Copilot-branded experiences.

Copilot Wins the Game and Forces the Viva Topics Retirement

Apart from being swept along by the Copilot wave, I think hard business logic is a major driving factor behind Microsoft’s decision to retire Viva Topics. Copilot for Microsoft 365 brings in $30/user/month plus the opportunity to upsell customers to more expensive Office 365 or Microsoft 365 licenses. Microsoft’s pricing for Viva Topics varied over the years. According to Copilot, a Viva Topics license brings in $4/user/month (Figure 2).

Figure 2: Copilot figures out the cost of Viva Topics licenses

Even when included in the Viva Communications and Community license, Topics cannot contribute anywhere close to the revenue that Copilot will likely deliver over the next five years. In addition, Viva Topics is usually a much harder project to sell, and its implementation lacks the excitement and glamor currently associated with Copilot. I mean, topic refinement compared to AI-generated email and documents?

Looking at the situation through the business lens, it makes absolute sense for Microsoft to retire Viva Topics and realign the engineering resources from that program to work on other AI-related projects, such as the “new AI-powered knowledge management experiences” promised in the announcement.

Third Time Lucky

Microsoft’s record in knowledge management is not stellar. The next-generation knowledge portals promised at Ignite 2015 vanished as soon as the attendees left Chicago and its infamous baloney conference lunches behind. Now Viva Topics is being retired. Microsoft has put all its knowledge management eggs in the Copilot basket. Let’s hope that the next round of knowledge applications powered by Copilot demonstrate once again that Microsoft has the habit of getting things right third time around.



Copilot for Microsoft 365 to Support Outlook Classic https://office365itpros.com/2024/02/15/outlook-win32-copilot-support/?utm_source=rss&utm_medium=rss&utm_campaign=outlook-win32-copilot-support https://office365itpros.com/2024/02/15/outlook-win32-copilot-support/#comments Thu, 15 Feb 2024 01:00:00 +0000 https://office365itpros.com/?p=63712

Outlook Win32 Copilot Support Coming. Teams Gets a Better Integration

After removing the major barriers blocking adoption of Microsoft 365 Copilot last month, Microsoft has quietly dropped its insistence that Copilot would only support the Outlook Monarch client. The latest version of the Microsoft 365 Copilot requirements documentation (2 February 2024) says that Copilot works with the new Outlook client on Windows and Mac (Outlook mobile is also supported) and then notes that “Microsoft Copilot for Microsoft 365 will be supported on classic Outlook for Windows (Win32 desktop app) in the future.”

A link to the Microsoft 365 roadmap lists three items relating to the introduction of Copilot functionality in the classic Outlook client together with dates when the rollout is supposed to start:

  • Coaching by Copilot (190927) – February 2024
  • Draft by Copilot (190937) – March 2024. Figure 1 shows the draft created by Copilot in OWA.
  • Summarize by Copilot (180900) – November 2023
Figure 1: Copilot drafts a message about Outlook Win32 Copilot Support

According to the items, Microsoft added 190927 and 190937 on December 6, 2023, and 180900 on December 10, 2023. Don’t pay too much attention to the purported rollout dates until you see a Microsoft 365 message center announcement describing when the new functionality will be available in the preview and other Office channels. Even then, announced dates are often optimistic and end up being delayed. I’m pretty sure that Outlook Win32 support will only extend to the subscription version of Outlook packaged in Microsoft 365 enterprise apps, but we’ll see when Microsoft shares more details.

No Formal Announcement for Outlook Win32 Copilot Support

Speaking of details, I can’t find a formal Microsoft announcement about the change in direction. Ever since the original Copilot for Microsoft 365 announcement in March 2023, Microsoft held to the line that Monarch was the only supported Outlook desktop client. As I noted in August, this position applied despite the fact that Microsoft’s One Outlook program includes the ability for Outlook desktop to use code developed for Monarch/OWA. The only logical conclusion is that Microsoft hoped to use Copilot to drive customers to embrace Monarch.

The sad fact is that Monarch is still not fit for purpose in the eyes of many Outlook users. The lack of offline access and PST support are just two issues that must be addressed before Monarch has a chance to replace the classic client.

Although they’re rolling Monarch out as a replacement for the standard Windows mail and calendar client, Microsoft knows that the software lacks many features needed for success in commercial environments. All the missing functionality is on a list for development, but the fact remains that it’s very hard to force people to change to a client that doesn’t do what they need, and this became a blocking factor for Copilot adoption.

Given that making it easy for customers to use Copilot is much more important for Microsoft than achieving an earlier switchover to Monarch is, the choice for senior management must have been simple, and that’s probably why the restriction is gone. Customers will applaud the new reality.

New Copilot Experience in Teams

Meanwhile, on February 12, Microsoft announced a new Copilot experience in Teams. Like the rest of Teams, the experience is in the form of an app that administrators can control through setup policies. According to Microsoft, the major changes are better prompts, access to Copilot Lab to see prompts that you might use, and a list of your Copilot chat history.

The app delivers a chat experience, so it should come as no surprise that Teams can store and reveal previous interactions with Copilot. The chat messages are captured for compliance purposes, just like personal and group chats, and can be retrieved by content searches for eDiscovery.

Just to be sure that Copilot support for Outlook Win32 is a reality, I asked Copilot in Teams (Figure 2) about Outlook Win32 Copilot support. After thinking for a bit, Copilot duly responded to confirm support and noted two references, one being the requirements documentation, the other a document stored in a SharePoint Online site. Website content is only available to Copilot if enabled for the tenant and the user chooses to enable it for searches.

Figure 2: Copilot in Teams confirms Outlook Win32 Copilot Support

More Change Coming

I suspect that the Copilot for Microsoft 365 journey will have other ups and downs as customers identify and Microsoft removes barriers to adoption, problems, bugs, and other issues. Like the initial development of Teams in the 2017-2020 period (albeit accelerated in some part by the Covid pandemic), I expect lots of change. Stay tuned.



Tracking Licensing Costs for Microsoft 365 Tenants https://office365itpros.com/2024/02/14/microsoft-365-licensing-report/?utm_source=rss&utm_medium=rss&utm_campaign=microsoft-365-licensing-report https://office365itpros.com/2024/02/14/microsoft-365-licensing-report/#comments Wed, 14 Feb 2024 01:00:00 +0000 https://office365itpros.com/?p=63686

Microsoft 365 Licensing Report Details Costs Per User to Find Optimizations

Recently, I released an update to my Microsoft 365 Licensing Report PowerShell script to include the ability to assign costs to user accounts. The idea is to give administrators information about how much the cumulative annual license charges are for each account. Combining cost data with insight about account activity in a tenant (generated with the user activity report script or by reference to the individual workload usage reports in the Microsoft 365 admin center), administrators can figure out whether users have the licenses they need to work and whether any licenses are assigned to inactive accounts.

Managing the cost of Office 365 and Microsoft 365 licenses has always been important. As Microsoft puts more focus on driving revenue through high-priced add-ons such as Teams Premium ($120/year) and Copilot for Microsoft 365 ($360/year), it’s even more essential to keep close tabs on license assignments. There’s no point in assigning a Copilot license to someone who’s inactive or whose usage pattern indicates that they might not take advantage of the license. No one is rewarded for overspending on licenses.

Adding Cost by Department and Cost by Country to the Microsoft 365 Licensing Report

Almost immediately after releasing the updated script, calls came in to ask if it was possible to generate an analysis of licensing cost by country and by department. My initial response was “sure” and I set to figuring out the best way to implement the change.

Because the report script tracks license costs per user, the simple method is to:

  • Find the sets of departments and countries in user accounts.
  • For each department (or country), calculate the sum of license costs.
  • Include the information in the report.

The same approach works to analyze license costs for any user account property fetched by the initial Get-MgUser command at the start of the script. If the set of regular account properties don’t work for your organization, you could use an Exchange custom attribute to store the required values. For instance, you could include a cost center number in a custom attribute. Here’s how to access Exchange custom attributes with Get-MgUser. You’ll need to extract the information from the custom attribute before you can use it in the script.
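The three steps above (find the set of values, sum per value, report) generalize to any account property, and the important detail is what happens when the property is empty. The function below is an added example, not the licensing report script itself. It assumes each user record already carries an AnnualCost figure, as the report computes per user, and it groups on whichever property name you pass. Accounts with a blank value are collected under an explicit “(missing …)” bucket so the unattributed cost stays visible instead of silently vanishing from the totals. The $Users array is constructed sample data with made-up costs.

```powershell
# Added example (not the article's script): roll up per-user license costs by
# department, country, or any other account property, keeping a visible bucket
# for accounts whose property is missing.
function Get-LicenseCostByAttribute {
    param(
        [Parameter(Mandatory)] [object[]]$Users,
        [Parameter(Mandatory)] [string]$Attribute    # e.g. Department, Country, or a custom attribute you extracted
    )
    $Users |
        Group-Object -Property {
            $Value = $_.$Attribute
            if ([string]::IsNullOrWhiteSpace($Value)) { "(missing $Attribute)" } else { $Value }
        } |
        ForEach-Object {
            [PSCustomObject]([ordered]@{
                $Attribute   = $_.Name
                Accounts     = $_.Count
                AnnualCost   = ($_.Group | Measure-Object -Property AnnualCost -Sum).Sum
                Unattributed = $_.Name -like '(missing*'
            })
        } |
        Sort-Object AnnualCost -Descending
}

# Constructed sample: annual cost per account (figures are illustrative), with two
# accounts that have gaps in their directory data
$Users = @(
    [PSCustomObject]@{ DisplayName = 'User A'; Department = 'Finance';   Country = 'IE';  AnnualCost = 684  }
    [PSCustomObject]@{ DisplayName = 'User B'; Department = 'Finance';   Country = 'IE';  AnnualCost = 1044 }   # base license plus Copilot
    [PSCustomObject]@{ DisplayName = 'User C'; Department = 'Marketing'; Country = 'US';  AnnualCost = 432  }
    [PSCustomObject]@{ DisplayName = 'User D'; Department = '';          Country = 'US';  AnnualCost = 684  }   # no department set
    [PSCustomObject]@{ DisplayName = 'User E'; Department = 'Sales';     Country = $null; AnnualCost = 792  }   # no country set
)

$ByDepartment = Get-LicenseCostByAttribute -Users $Users -Attribute Department
$ByCountry    = Get-LicenseCostByAttribute -Users $Users -Attribute Country
$ByDepartment | Format-Table -AutoSize
$ByCountry    | Format-Table -AutoSize

# Surface the cost that could not be attributed so the directory gets fixed
foreach ($Row in @($ByDepartment; $ByCountry) | Where-Object Unattributed) {
    Write-Warning ("{0} account(s) with no value: {1:N0} of annual license cost is unattributed" -f $Row.Accounts, $Row.AnnualCost)
}
```

In a real run, $Users would be the collection built from Get-MgUser at the start of the report script, and the warning output is what tells you which property to clean up first. Because the grouping key is passed as a parameter, the same function serves a cost center stored in an Exchange custom attribute once that value has been copied onto each user record.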

The Problems Caused by Inaccurate Directory Data

The obvious problem is that sometimes the properties of user accounts don’t include a department or country. Account properties should hold accurate values, but unfortunately this sometimes doesn’t happen because administrators fail to populate properties, a synchronization process linking an HR system to Entra ID encounters problems, or something else conspires to erode directory accuracy. The point is that inaccurate or missing user account properties result in bad license accounting.

The first order of business is therefore to validate that the account properties that you want to use for license cost reporting exist and are correct. This article explains how to detect user accounts with missing properties. Making sure that properties are accurate requires an extra level of review. The value of the country property assigned to user accounts shouldn’t change frequently, but properties like department and office might.

Reporting Licensing Costs for Country and Department

After making sure that all the necessary user account properties are in place (and accurate), the code to generate cost analyses based on department and country worked like a dream. The script also required an update to insert the new data into the output report, including warnings for administrators when costs cannot be attributed to countries or departments because of missing account properties. Figure 1 shows the result.

Figure 1: Costs for departments and countries shown in Microsoft 365 Licensing Report

The code changes are in version 1.6 of the report script, which you can download from GitHub. If you haven’t run the script before, make sure that you read the previous Practical365.com articles to understand how the script works and how to generate the two (SKU and service plan) CSV files used by the script.

Remember that this script is intended to demonstrate the principles of interacting with and interpreting Entra ID user account and license information with the Microsoft Graph PowerShell SDK. It’s not intended to be a bulletproof license cost management solution. Have fun with PowerShell!



How Many Message Center Announcements End Up Being Delayed? https://office365itpros.com/2024/02/09/message-center-posts-sdk/?utm_source=rss&utm_medium=rss&utm_campaign=message-center-posts-sdk https://office365itpros.com/2024/02/09/message-center-posts-sdk/#comments Fri, 09 Feb 2024 01:00:00 +0000 https://office365itpros.com/?p=63615

Use the Microsoft Graph PowerShell SDK to Analyze Service Update Messages

In November 2020, I wrote an article about the number of Microsoft 365 message center posts about new features that ended up being delayed. At the time, 29.27% of message center posts needed to adjust their published date for feature availability. Being of a curious nature, I wondered if Microsoft is better at predicting when they can deliver software across the spectrum of Microsoft 365 applications.

The code I used in 2020 is now obsolete. Microsoft moved the service communication API from the old manage.office.com endpoint to the service communications Graph API and access to message center posts is through the service update message resource. Because the service communications API is a full-fledged Graph API, cmdlets in the Microsoft Graph PowerShell SDK are available to work with message center posts. For instance, the Get-MgServiceAnnouncementMessage cmdlet retrieves message center posts. This command shows how to retrieve posts for the last seven days:

$SevenDaysAgo = (Get-Date).AddDays(-7)
$CheckDate = (Get-Date($SevenDaysAgo) -format s) + "Z"  
[array]$MCPosts = Get-MgServiceAnnouncementMessage -filter "StartDateTime ge $CheckDate"

Adding the “Z” to the sortable date generated by the Get-Date cmdlet is important for the filter to work.

Updating the Code

The code written in 2020 uses a registered Entra ID app to obtain an access token and fetch the message center posts. Updating the script involved:

  • Removing the code to obtain an access token and replacing it with a call to the Connect-MgGraph cmdlet specifying the ServiceMessage.Read.All scope (permission).
  • Running the Get-MgServiceAnnouncementMessage cmdlet with the All parameter to fetch all available message center posts.
  • Adjusting property names and the handling of some property values, because the data returned for message center posts by the service communications Graph API differs from that returned by the old API.
  • Adding code to calculate the percentage of delayed feature announcements. In 2020, this was done using Excel. The basic test for a delay is the presence of the string “(Updated)” in the title of a message center post. No attempt is made to compute the length of the delay because message center posts don’t contain a structured property with this information. Instead, information about delays is conveyed in the text. For example, “We will begin rolling out in mid-September 2023 (previously late August) and expect completion by mid-February 2024 (previously late January).”
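The delay test and the per-workload percentage described in the last step look like this in code. The function below is an added example rather than the article’s script. It assumes message center post objects expose a Title and a Services array, as the Get-MgServiceAnnouncementMessage cmdlet returns them, and it counts a post that spans several services against each of them, which is exactly why the resulting figures are indicative rather than definitive. The $Posts array is constructed sample data.

```powershell
# Added example (not the article's script): flag delayed message center posts by
# the "(Updated)" marker in the title and compute the delayed percentage per workload.
function Get-DelayedPostStats {
    param([Parameter(Mandatory)] [object[]]$Posts)

    # One row per (post, service) pair; multi-service posts count against each workload
    $Rows = foreach ($Post in $Posts) {
        $Delayed = $Post.Title -match '\(Updated\)'
        foreach ($Service in @($Post.Services)) {
            [PSCustomObject]@{ Service = $Service; Delayed = $Delayed }
        }
    }

    $Rows | Group-Object Service | ForEach-Object {
        $Updates = @($_.Group | Where-Object Delayed).Count
        [PSCustomObject]@{
            Workload       = $_.Name
            Notifications  = $_.Count
            Updates        = $Updates
            PercentUpdated = [math]::Round(100 * $Updates / $_.Count, 2)
        }
    } | Sort-Object Notifications -Descending
}

# Live data (after Connect-MgGraph -Scopes ServiceMessage.Read.All):
# [array]$Posts = Get-MgServiceAnnouncementMessage -All

# Constructed sample posts with made-up titles
$Posts = @(
    [PSCustomObject]@{ Title = '(Updated) New Teams client rollout';         Services = @('Microsoft Teams') }
    [PSCustomObject]@{ Title = 'Option to hide the General channel';         Services = @('Microsoft Teams') }
    [PSCustomObject]@{ Title = '(Updated) Copilot in classic Outlook';       Services = @('Exchange Online', 'Microsoft 365 apps') }
    [PSCustomObject]@{ Title = 'SharePoint site template refresh';           Services = @('SharePoint Online') }
    [PSCustomObject]@{ Title = '(Updated) Sensitivity labels for SharePoint'; Services = @('SharePoint Online', 'Microsoft 365 suite') }
)

Get-DelayedPostStats -Posts $Posts | Format-Table -AutoSize
```

With the sample, Microsoft Teams shows 2 notifications with 1 update (50%), SharePoint Online 2 with 1 (50%), and the single-post workloads 100% or 0%. The title match is deliberately a literal “(Updated)” in parentheses so that posts whose body merely mentions an update are not counted.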

Comparing Results

In 2020, the results looked like this:

Workload      Notifications   Updates   Percent updated
Teams         58              22        37.93%
SharePoint    37              14        37.84%
Exchange      30              9         30%
Yammer        10              4         44.44%
Intune        8               0         -
Power Apps    5               0         -

On February 5, 2024, the Get-MgServiceAnnouncementMessage cmdlet fetched 552 message center posts for my tenant. This is a higher number than in 2020 because the tenant subscriptions now include some Microsoft 365 E5 licenses covering more apps. The number of message center posts available in a tenant varies depending on the active subscriptions within the tenant.

Figure 1 shows the results. Nearly a third of all message center posts are delayed. Teams remains the workload that issues the most message center posts (83), but its record in avoiding delays has worsened from 37.93% to 57.24% of posts updated. This might be due to the transition from the classic Teams client to the new Teams client (due to be complete by the end of March), or it might be that the Teams product managers have real difficulty in predicting when software will be ready for deployment.

Figure 1: Percentage of delayed message center posts by workload

Some message center posts cover multiple workloads and it’s hard to know where the responsibility lies for a delay. The data is therefore indicative rather than definitive. To be sure about where delays lie, you’d need to examine the text of each message center post and extract and collate the details.

You can download the updated script from GitHub.

Easier to Work with Message Center Posts

Being able to work with service communication data through Microsoft Graph PowerShell SDK cmdlets makes the information more accessible than before. Some of the improvements introduced by Microsoft for message center posts since 2020 aren’t available. The relevance property appears to have disappeared from the Microsoft 365 admin center and the number of active users for a workload, which does show up in the message center, is missing from the properties returned by the SDK cmdlet. But the rest of the information you might want is available and ready to be sliced and diced as you want.



Teams Users Can Hide the General Channel https://office365itpros.com/2024/02/08/general-channel-hide/?utm_source=rss&utm_medium=rss&utm_campaign=general-channel-hide https://office365itpros.com/2024/02/08/general-channel-hide/#comments Thu, 08 Feb 2024 01:00:00 +0000 https://office365itpros.com/?p=63530

Is Hiding the General Channel Important?

I can imagine that many who read message center notification MC711019 (29 January 2024, Microsoft 365 roadmap item 324840) to discover that Microsoft Teams is making it possible to hide the General channel for a team experienced a “so what” moment. The change rolls out to targeted release tenants in early February and reaches standard release in mid-February. By the time you read this, you might be able to indulge in the joy of hiding a general channel.

The General channel is present in all teams. It cannot be removed or renamed. Because it’s omnipresent, the General channel is regarded as the basis of a team. Teams now supports the addition of up to another 999 channels in a mixture of standard, shared, and private channels. I don’t recommend that you create such a monster unless absolutely necessary and justified with good reason, but it is possible.

Limiting General Channel Posts

With so many channels available to segregate conversations, team owners often limit posting to the General channel (Figure 1) and keep interaction there to announcements of general interest. This tactic serves to force members to consider which of the available channels is best suited to their topic and prevents a mishmash of unrelated conversations accruing in the General channel.

Figure 1: Settings for the General channel

If posting in the General channel is restricted, the channel occupies unnecessary space in the teams and channels list. This didn’t matter so much in the past, but the teams and channels list can now include many more channels, and if every team in the list has a General channel, less space is available to display more important channels. This is the logic behind the change.

Hide and Restore the General Channel

Team owners cannot hide the General channel for all members. Instead, individual members (both tenant users and guests) decide if they want to show or hide the channel. To hide the channel, select the […] menu beside the General channel in the list of teams and channels and then choose Hide (Figure 2). Teams then removes the channel from the displayed list.

Figure 2: Hiding the General channel for a team

If the General channel is the only channel in the team, hiding General moves the team into the list of hidden teams and displays an informational message (Figure 3). I guess this is logical. If the General channel is the only channel in a team, hiding it and keeping the team in the visible list of teams doesn’t make sense. It’s better to move the entire team to the hidden list from where users can select and show the team if necessary.

Figure 3: Hiding the General channel might hide a team

To restore the channel, select See all channels link at the bottom of the channel list, select General, and click Show (Figure 4).

Figure 4: Restoring a hidden General channel

Alternatively, use the Channels tab in the Manage team option to unhide the channel.

The option to hide the General channel is not supported in the classic Teams client. However, if you switch from the new Teams client to the classic client and back, hidden channel settings are respected.

Reasonable and Sensible Change

Allowing users to hide the General channel is a reasonable and sensible change. There’s no doubt that not much activity happens in many General channels and removing these underused containers from the teams and channels list frees up space for more important information. A nice enhancement might be an option to remove the General channel for all teams in the Your teams (exposed) list. Then again, it’s not hard to do a one-time cleanup to hide the General channels for selected teams in that list. I must be getting lazy.



Use the Graph SDK to Access Microsoft 365 Service Health Information https://office365itpros.com/2024/02/07/service-health-data-api/?utm_source=rss&utm_medium=rss&utm_campaign=service-health-data-api https://office365itpros.com/2024/02/07/service-health-data-api/#comments Wed, 07 Feb 2024 01:00:00 +0000 https://office365itpros.com/?p=63487

Graph-based Service Communications API is now the Route to Service Health Data

In January 2021, I wrote about how to use the Office 365 Service Communications API to programmatically retrieve the service health information that’s available in the Microsoft 365 admin center (Figure 1).

Figure 1: Service Health advisory messages viewed in the Microsoft 365 admin center

At the time, the API used the manage.office.com endpoint. In December 2021, Microsoft deprecated the manage.office.com endpoint and introduced the Service Communications Graph API as the replacement. In this article, I explain how to use the API with Microsoft Graph PowerShell SDK cmdlets to retrieve service health information.

Retrieving Service Health Data

As shown in Figure 1, the active items Microsoft is working on are those that impact the service in some way, usually by removing the ability of users to do something. To find these items, run the Get-MgServiceAnnouncementIssue cmdlet and filter for items classified as advisory with a status of ‘serviceDegradation’:

[array]$ServiceHealthItems = Get-MgServiceAnnouncementIssue -All `
    -Filter "classification eq 'Advisory' and status eq 'serviceDegradation'" | `
    Sort-Object {$_.LastModifiedDateTime -as [datetime]} -Descending

$ServiceHealthItems | Format-Table Id, Title, FeatureGroup, LastModifiedDateTime

If you don’t filter the service health items, the Get-MgServiceAnnouncementIssue cmdlet returns every available issue, including those that Microsoft has already resolved (as with many SDK cmdlets, the All switch tells the cmdlet to fetch everything). This data reveals the areas where most issues occur. In my tenant, the 346 available issues broke down as follows:

$Data = Get-MgServiceAnnouncementIssue -All
$Data | Group-Object FeatureGroup -Noelement | Sort-Object Count -Descending | Format-Table Name, Count -AutoSize

Name                                    Count
----                                    -----
Teams Components                           80
Administration                             39
E-Mail and calendar access                 27
SharePoint Features                        25
Portal                                     23
Management and Provisioning                22
Microsoft Defender for Endpoint            21
Cloud App Security                         13
Viva Engage                                10

Another interesting grouping is by service:

$Data | Group-Object Service -Noelement | Sort-Object Count -Descending | Format-Table Name, Count -AutoSize

Name                                      Count
----                                      -----
Microsoft Teams                              80
Microsoft 365 suite                          64
Exchange Online                              60
Microsoft Defender XDR                       32
SharePoint Online                            30
Microsoft Defender for Cloud Apps            25
Microsoft Viva                               12
OneDrive for Business                         8

The start date for the oldest issue was March 1, 2023. The oldest last modified date for an issue was July 31, 2023. This suggests that Microsoft might keep about six months of service issue data online. Your mileage might vary.

Fetching Overall Service Health Data

Underneath the advisory items, the Microsoft 365 admin center displays an overview showing the health for individual services like Exchange Online, Teams, SharePoint Online, and so on. This information is accessible by running the Get-MgServiceAnnouncementHealthOverview cmdlet. In my tenant, this generates a list of 32 individual services, some of which (like Sway and Microsoft Managed Desktop), I’m not interested in. I therefore amend the output by filtering the services that I consider most important:

[array]$ImportantServices = "Exchange", "Teams", "SharePoint", "OrgLiveID", "Planner", "microsoftteams", "O365Client", "OneDriveForBusiness"
[array]$ImportantServiceStatus = Get-MgServiceAnnouncementHealthOverview | Where-Object {$_.Id -in $ImportantServices}
$ImportantServiceStatus | Sort-Object Service | Format-Table Service, Status -AutoSize

Service            Status
-------            ------
Exchange Online    serviceDegradation
Microsoft 365 apps serviceOperational
Microsoft Entra    serviceOperational
Microsoft Teams    serviceDegradation
Planner            serviceOperational
SharePoint Online  serviceDegradation

Using Service Health Data to Highlight Current Advisories

Many people will be perfectly happy to access service health information via the Microsoft 365 admin center. The advantage of using an API to retrieve the same information is that you can then use it in whatever way you think appropriate. As a working example to demonstrate what’s possible, I wrote a script that can run interactively or as an Azure Automation runbook using a managed identity.

The script retrieves the open service health advisories and creates an email with an HTML-format report containing the service data that is sent to nominated recipients (any mixture of mail-enabled objects, including individual mailboxes, distribution lists, and Microsoft 365 groups). The idea is to keep the recipients updated about progress with open issues that Microsoft is working on. Figure 2 shows an example email generated using the service advisories published in my tenant.

Figure 2: Email detailing open service health advisories

After it’s extracted, the report can be disseminated in other ways. For instance, you could publish it as a Teams channel message.

You can download the script from GitHub.
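The following is an added example and is not the author’s GitHub script. It ties together the two passages above: it fetches the health overview for the important services and the open (unresolved) issues with the Graph SDK cmdlets, builds an HTML report, and mails it with Send-MgUserMail. The sending mailbox, the recipients, and the RunbookIdentity switch are assumptions; the list of service identifiers is the one used earlier in the article.

```powershell
# Added example, not the article's GitHub script. Fetches the health overview and the
# open (unresolved) service issues, builds an HTML report, and mails it through Graph.
# Assumptions: Microsoft Graph PowerShell SDK installed; the signed-in account or the
# managed identity holds ServiceHealth.Read.All and Mail.Send; $Sender and $Recipients
# are placeholders to replace with real addresses.
param (
    [string]$Sender = "servicehealth@contoso.onmicrosoft.com",   # assumed sending mailbox
    [string[]]$Recipients = @("itops@contoso.onmicrosoft.com"),   # assumed recipients
    [switch]$RunbookIdentity                                      # set when running as an Azure Automation runbook
)

# Service identifiers as reported by Get-MgServiceAnnouncementHealthOverview (see the article)
[array]$ImportantServices = "Exchange", "Teams", "SharePoint", "OrgLiveID", "Planner", "O365Client", "OneDriveForBusiness"

if ($RunbookIdentity) {
    Connect-MgGraph -Identity -NoWelcome                          # system-assigned managed identity of the automation account
} else {
    Connect-MgGraph -Scopes "ServiceHealth.Read.All", "Mail.Send" -NoWelcome
}

function Get-OpenServiceIssues {
    # Graph returns the whole retained history of issues; IsResolved separates open from closed ones
    [array]$Issues = Get-MgServiceAnnouncementIssue -All | Where-Object { -not $_.IsResolved }
    return ($Issues | Sort-Object LastModifiedDateTime -Descending)
}

function New-ServiceHealthReport {
    param ([array]$Overview, [array]$Issues)
    $NotOperational = @($Overview | Where-Object { $_.Status -ne 'serviceOperational' })
    $Html = "<h2>Microsoft 365 service health</h2>"
    $Html += "<p>$($NotOperational.Count) of $($Overview.Count) monitored services report a non-operational status.</p>"
    $Html += ($Overview | Select-Object Service, Status | ConvertTo-Html -Fragment) -join "`n"
    $Html += "<h3>Open issues ($($Issues.Count))</h3>"
    if ($Issues.Count -gt 0) {
        $Rows = $Issues | Select-Object Id, Service, Classification, Status, Title,
            @{ n = 'Started'; e = { $_.StartDateTime.ToString('u') } },
            @{ n = 'Last update'; e = { $_.LastModifiedDateTime.ToString('u') } }
        $Html += ($Rows | ConvertTo-Html -Fragment) -join "`n"
    }
    return $Html
}

[array]$Overview = Get-MgServiceAnnouncementHealthOverview | Where-Object { $_.Id -in $ImportantServices } | Sort-Object Service
[array]$OpenIssues = Get-OpenServiceIssues
$Report = New-ServiceHealthReport -Overview $Overview -Issues $OpenIssues

# Graph expects toRecipients as an array even when there is a single address
[array]$ToRecipients = foreach ($Address in $Recipients) { @{ emailAddress = @{ address = $Address } } }
$Mail = @{
    message = @{
        subject      = "Microsoft 365 service health: $($OpenIssues.Count) open issue(s)"
        body         = @{ contentType = "HTML"; content = $Report }
        toRecipients = $ToRecipients
    }
    saveToSentItems = $false
}
Send-MgUserMail -UserId $Sender -BodyParameter $Mail
```

When the script runs as a runbook, Mail.Send is an application permission and lets the managed identity send from any mailbox in the tenant. Limit the blast radius by scoping the identity to the one sending mailbox with an Exchange Online application access policy (New-ApplicationAccessPolicy) rather than leaving the permission tenant-wide.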

Disrupted Change

Changing the details of an API is always disruptive. It’s not just the new endpoint. It’s also the way that the API returns data. Everything must be checked and verified. At least now the Service Communications API is part of the Microsoft Graph. As such, the level of change should be minimal in the future and we have the added benefit of PowerShell cmdlets to work with.


Learn how to exploit the data available to Microsoft 365 tenant administrators through the Office 365 for IT Pros eBook. We love figuring out how things work.

Microsoft Cloud Revenues Powered by Office 365
https://office365itpros.com/2024/01/31/office-365-reaches-400-million/
Wed, 31 Jan 2024 10:05:13 +0000

Office 365 Reaches 400 Million Paid Seats

Microsoft reported revenue of $62 billion and operating income of $27 billion for the second quarter of their FY24 fiscal year. Emphasizing the importance of cloud computing to Microsoft, almost 55% of their revenue ($33.7 billion) came from the “Microsoft Cloud,” an amorphous term for a collection of cloud products including Office 365, Azure, LinkedIn, and Dynamics 365.

Figure 1: Microsoft FY24 Q2 Results

A year ago, the number was $25.7 billion. Growing quarterly revenue by $8 billion in a year is pretty special. The annualized run rate for the Microsoft Cloud is now $134.8 billion.

Copilot Optimism

Microsoft didn’t comment about any impact on Microsoft Cloud revenues generated by the Copilot products they have released to date. They said that 10,000 organizations use Copilot Studio to create add-ons for Copilot for Microsoft 365 and that Copilot for Microsoft 365 had “faster adoption than either our E3 or E5 suites.” However, they didn’t give any comparative data to prove the point. Anyway, it’s impossible to compare the adoption rate for a product introduced to an installed base of 400 million users against a new product like Office 365 E3 that had to cope with the initial inertia of moving from on-premises systems to the cloud.

We heard once again that “Copilot for Microsoft 365 users were 29% faster in a series of tasks like searching, writing, and summarizing.” What Microsoft didn’t say is that your mileage will vary depending on the quality of the user interaction and the data available in your tenant. Interestingly, Satya Nadella spoke about his own experience of Copilot and the value he gains from summarization of Teams meetings email, and documents. He said that summarization “has become a big deal.” I agree. I think summarization is a way people can get immediate value from AI that’s just harder to achieve with generated text.

My recommendation is to ignore the ongoing hype around Copilot for Microsoft 365 and focus on a hard-nosed assessment of what the technology can and cannot do in your environment.

Office 365 News

Microsoft said that Office 365 commercial seats grew 9% year over year, “driven by small and medium business and frontline worker offerings.” Satya Nadella said that the growth put the number of paid Office 365 seats at “over 400 million”. It seems like they have been at or around this number for the last few quarters. In April 2023, Microsoft reported 382 million Office 365 paid seats. For years, Office 365 has grown at around 2.5 million seats per month. Adding 22.5 million (nine months of growth) to the 382 million gives 404.5 million. Microsoft didn’t give a figure for the number of active Office 365 users, so it’s hard to do an apples-to-apples comparison against the data available for years before FY22. Even so, the interesting thing is that Office 365 continues to grow at a reasonable rate.

  • April 2017: 100 million.
  • October 2019: 200 million.
  • December 2021: 300 million.
  • January 2024: 400 million.

CFO Amy Hood continued to emphasize the increased expansion of average revenue per user (ARPU), meaning that Microsoft extracts more money per user. They do this by selling add-ons like Teams Premium and convincing customers to upgrade licenses to more expensive packages such as Microsoft 365 E5. In an answer to an analyst question, she also said that the new seats being added come from small to medium organizations and so are “lower RPU seats.” However, they are new seats, and the opportunity exists to sell upgrades to those seats, including Copilot (either the new Copilot Pro for individual users or Copilot for Microsoft 365).

EMS Reaches 268 Million

Microsoft has reported a number for active Enterprise Mobility and Security (EMS) users over the last few quarters. In FY24 Q1, the number was 259 million. Now it’s 268 million. Growing by nine million in a quarter is better than the three million achieved between FY23 Q4 and FY24 Q1, but as I noted last time round, I suspect that the FY23 Q4 number was a glitch.

The Remarkable SLA Performance of Office 365

Another recent statistic is the 99.996% performance against the Office 365 SLA during the last quarter of 2023. The last time Microsoft had any kind of dip in performance against the Office 365 SLA was the first quarter of 2013, when they achieved 99.94%. So much for all the fears about the reliability of cloud services.

This doesn’t mean that Microsoft’s cloud services are perfect because they are not. Outages happen all the time and some outages affect hundreds of thousands of users. However, the distribution of tenants across multiple datacenter regions and the availability features incorporated into services like Exchange Online, SharePoint Online, and Teams means that an individual problem seldom has any impact on the SLA.

On to the next quarter – and the next hundred million Office 365 seats.


Support the work of the Office 365 for IT Pros team by subscribing to the Office 365 for IT Pros eBook. Your support pays for the time we need to track, analyze, and document the changing world of Microsoft 365 and Office 365.

Copilot for Teams Extracts Real Value from Meeting Transcripts
https://office365itpros.com/2024/01/22/copilot-for-teams-meeting/
Mon, 22 Jan 2024 01:00:00 +0000

Too Many Meetings – Perhaps an Opportunity for Copilot for Teams

We live in a world of perpetual meetings. At least, it seems like that at times. Microsoft has invested substantial effort to make team meetings more useful (and bearable) through innovations like avatars and the Meet app. To help people manage their calendars more intelligently, since 2015, enterprise Office 365 SKUs include analytics information about meeting habits (now in Viva Insights – Figure 1) based on calendar events. Humans are creatures of habit, so whether anyone uses analytics to moderate how they participate in meetings is quite another matter.

Figure 1: Viva Insights analyzes meeting habits.

Generating Meeting Content from Transcripts

This brings me to Copilot for Teams (part of Copilot for Microsoft 365) and its ability to generate meeting notes for Teams meetings and allow people to ask questions about what happened during a meeting. This aspect of Copilot for Microsoft 365 is one of its most compelling features.

Copilot uses the meeting transcript to generate notes and summaries. The transcript captures spoken contributions to meetings, including speaker attributions, in the form of short snippets. The transcript later becomes the basis for the captions for the meeting recording.

Copilot needs about five minutes of transcript capture before it can make sense of what’s happening in a meeting. After this point, participants can query Copilot to prompt for information about topics, action items, and contributions based on what’s happened in the meeting so far. This is all very nice, but if you’re paying attention to the meeting, you’ll probably be able to figure out how to move the meeting forward or end discussion about a topic. On the other hand, people who nod off (as I have) in a meeting or pay more attention to email or chat while others are talking will appreciate the ability to catch up.

True magic happens once the meeting is over. I really like the AI notes generated from the transcript. The overall accuracy of the notes is reasonably high, but it’s important to check the notes before accepting that AI-generated text is a full and faithful account of meeting proceedings. Some errors are simple (like referring to Michel de Rooij as Michelle – Figure 2). Other errors are more fundamental when the AI misunderstands what was said.

Figure 2: Using a meeting transcript to interact with Copilot for Teams

What’s really good is using Copilot for Teams to interrogate the meeting notes. Microsoft’s documentation suggests some questions to ask, like what was the mood of a call. I asked Copilot to summarize the mood of a recent call about the Office 365 for IT Pros eBook (Figure 2), and was told:

The mood of the meeting was mostly friendly and cooperative, with some jokes and banter among the participants. There were no signs of conflict or tension, and everyone seemed to respect each other’s opinions and contributions. The only exception was when Tony made a sarcastic remark about Paul’s airplane being stuck in the snow, which Paul did not appreciate. However, this did not seem to affect the overall tone of the meeting, which was positive and productive.

I’m not sure that I was being sarcastic when I asked Paul about his airplane being grounded by 7 inches of snow in a Kentucky municipal airport, but there you are. Like other aspects of Copilot for Microsoft 365, extracting full value from meeting notes with Copilot can only occur when users receive education about how to interact with the AI.

The intelligent recap feature available in Teams Premium includes some of the capabilities used by Copilot for Teams like AI-generated notes. The big difference between the two is that intelligent recap only includes a static transcript that can’t be interrogated after the event.

Using Copilot Without a Meeting Transcript

Originally, meetings had to be recorded and transcribed for Copilot to work. This is a suitable arrangement for most meetings, but sometimes people don’t want to record sensitive meetings. A Teams meeting option is available to allow Copilot to work without recording a meeting. Essentially, instead of capturing a permanent transcript that’s stored for eDiscovery purposes, Teams uses Microsoft Audio Services to create a temporary transcript that Copilot can use during the meeting. Once the meeting concludes, Teams discards the transcript.

Chasing Value from Copilot

Hype surrounds Copilot for Microsoft 365. Despite the removal of previous limitations, a Copilot deployment still involves a $30/user/month investment with a year-long commitment. In other words, a ten-user test will cost $3,600 for Copilot licenses. Figuring out how to extract value from that investment is important unless you like throwing money away. Extracting information from Teams meeting transcripts can be extraordinarily valuable for some people (I wish I had had this capability available when I worked as a Vice President in HP). Whether it’s sufficient to justify the investment in Copilot is a question that only you can answer.


Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.

Ignore the Hype Surrounding the Copilot Announcement
https://office365itpros.com/2024/01/18/copilot-for-microsoft-365-deployment/
Thu, 18 Jan 2024 01:00:00 +0000

Extract Value from Copilot for Microsoft 365 Deployments

Microsoft’s January 15 announcement removing the limitations on Copilot for Microsoft 365 purchases sparked an avalanche of commentary. Regretfully, many of the words published merely recycled text and added nothing to the debate, perhaps because the authors really don’t know too much about how Copilot for Microsoft 365 works and what it does. A knowledge vacuum often appears following the debut of new technology with a high ratio of noise to signal sprouting across many blogs and articles. I think we’re in that kind of environment now. Hopefully, the Copilot hype will calm down as knowledge takes root. We’ll see.

Lower Cost Copilot for Microsoft 365 Deployments

As a recap, the announcement boils down to two points:

  • The previous requirement to purchase 300 Copilot for Microsoft 365 licenses is gone. You can buy any quantity from one up at $30/user/month. Following its usual pattern, Microsoft insists on a year-long commitment, so you sign up to pay $360/user.
  • Office 365 E3 and Office 365 E5 are now eligible platforms to host Copilot for Microsoft 365. As I pointed out last August, making Microsoft 365 E3 and E5 the only eligible platforms for enterprise customers was a somewhat cynical exercise in product packaging.

Taken together, the result of the announcement makes it much easier for organizations to run Copilot for Microsoft 365 in their own environment to measure if generative AI makes sense for them. Instead of a minimum $108,000 spend in the first year plus the potential costs of upgrading base licenses to Microsoft 365 E3 or E5, an Office 365 E3 tenant can spend $3,600 for a ten-user test. That level of expenditure is much more palatable and makes it more likely that tenants will sign up to kick the Copilot tires. Currently, trial licenses are unavailable for Copilot for Microsoft 365.

Aspects to Consider About Copilot for Microsoft 365 Deployments

Until now, the organizations contemplating Copilot deployments have largely been at the high end of the enterprise sector. Usually, those organizations have large staffs available to research and plan steps in a comprehensive deployment plan. Smaller tenants might not have the same resources. If your tenant is considering signing up for Copilot for Microsoft 365, here are a few points to consider when thinking about a Copilot for Microsoft 365 deployment:

  • Office 365 E3 is enough to support Copilot for Microsoft 365. E3 includes Purview solutions like sensitivity labels, retention policies, eDiscovery, and auditing, all of which are supported by Copilot operations. E5 introduces more automatic processing like auto-label policies and better eDiscovery. You do not need to upgrade to a higher-cost Office 365 or Microsoft 365 license unless you find a good reason and value to do so. Likewise, you don’t need add-on products like Viva Pulse to be successful with Copilot for Microsoft 365.
  • App upgrades might be necessary. Copilot for Outlook only supports the Outlook Monarch and OWA clients. Microsoft could have implemented Copilot in such a way to support the Win32 client, but they haven’t. Copilot for Teams supports the new Teams client. Given that Microsoft will retire the old Teams client and automatically upgrade users to the new client on March 31, 2024, this shouldn’t be an issue.
  • The concepts of “data in use” and “data available for use” are important. Data in use is information Copilot processes when working with an open file, including local files, files stored on a network share, or files from a third-party repository. Data available for use describes the information stored in Microsoft 365 repositories like SharePoint Online sites and OneDrive for Business accounts. Storing as much data as possible in Microsoft 365 creates an abundance of information for Copilot to interrogate when it responds to user prompts. Only items accessible to the user through search can be used by Copilot. This includes information loaded into a tenant through a third-party connector. Figuring out what data is available to Copilot, where the data is stored, and the accuracy of the data is a big part of any deployment. Cleaning up an existing SharePoint Online/OneDrive for Business environment will probably take longer than you think.
  • Copilot depends on the semantic index. Think of the semantic index as a tweaked version of Microsoft Search that’s optimized for interrogation by generative AI tools like Copilot. When users create or import new information and store it in a Microsoft 365 repository, the content ends up in the semantic index.
  • Good prompting is a skill for users to acquire. Prompts instruct Copilot what to do. When you ask Copilot to do something, its input to the Large Language Model includes the user prompt and implicit or explicit references to ground (add context to) the prompt. Implicit references are documents and files found by Copilot through Graph searches. Explicit references are documents specified by users when they create a prompt. In my experience, explicit references help ground Copilot better because they create a more precise set of information for the AI to work with. Implicit references can find incorrect or invalid information that finds its way into Copilot responses. Everything good flows from well-crafted prompts, so make sure that users are prepared to interact with Copilot.
  • If your tenant uses sensitivity labels to protect confidential information, review the usage rights assigned in labels to ensure that Copilot can’t access documents stamped with highly sensitive labels. It’s been common practice to add rights to labels to allow anyone in an organization to have read access to documents (Figure 1). The content of a protected document is accessible to Copilot if the rights assigned to the signed-in account include View (see the content) and Extract (use the content). Now is a good time to review the rights assigned in labels and decide if the rights should be more specific (assigned to accounts and groups rather than everyone) and more limited. This article explains how to generate a report of sensitivity label settings with PowerShell.

Figure 1: Assigning usage rights for a sensitivity label
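As an added example (not the author’s linked report script), the function below parses the EncryptionRightsDefinitions string that Get-Label returns for a label with encryption enabled and flags the combination the bullet above warns about: VIEW plus EXTRACT granted to a broad audience. The assumed format of the string is "identity:RIGHT,RIGHT;identity:RIGHT,..." where identity is an address, a bare domain, or the AuthenticatedUsers keyword; the sample string and the label name are constructed. Verify the format against a label in your own tenant before relying on the output.

```powershell
# Added example, not the article's code. Flags sensitivity label usage rights that let
# Copilot read protected content (VIEW and EXTRACT) when they are granted to a broad
# audience such as AuthenticatedUsers or a whole domain.
# Assumption: EncryptionRightsDefinitions has the form "identity:RIGHT,RIGHT;identity:RIGHT,...".
function Get-LabelRightsExposure {
    param (
        [Parameter(Mandatory)][string]$LabelName,
        [Parameter(Mandatory)][string]$RightsDefinitions,
        [string[]]$BroadIdentities = @('AuthenticatedUsers')   # add tenant domains here if you want them treated as broad
    )
    $Findings = @()
    foreach ($Grant in ($RightsDefinitions -split ';' | Where-Object { $_ -match ':' })) {
        $Identity, $RightsText = $Grant -split ':', 2
        $Identity = $Identity.Trim()
        $Rights = $RightsText -split ',' | ForEach-Object { $_.Trim().ToUpperInvariant() }
        # A bare domain (no @, contains a dot) grants rights to everyone in that domain
        $IsBroad = ($Identity -in $BroadIdentities) -or ($Identity -notmatch '@' -and $Identity -match '\.')
        $Findings += [pscustomobject]@{
            Label          = $LabelName
            Identity       = $Identity
            BroadAudience  = $IsBroad
            CopilotCanRead = ('VIEW' -in $Rights) -and ('EXTRACT' -in $Rights)
            Rights         = ($Rights -join ',')
        }
    }
    return $Findings
}

# Constructed sample: a label that gives every authenticated user read rights (including EXTRACT)
# and a single mailbox full control. The first grant is the one that should be tightened.
$SampleRights = 'AuthenticatedUsers:VIEW,VIEWRIGHTSDATA,EXTRACT,PRINT,OBJMODEL;legal@contoso.com:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,EXTRACT,REPLY,REPLYALL,FORWARD,OBJMODEL,OWNER'
Get-LabelRightsExposure -LabelName 'Highly Confidential' -RightsDefinitions $SampleRights |
    Where-Object { $_.BroadAudience -and $_.CopilotCanRead } | Format-Table Label, Identity, Rights -AutoSize

# Live run against the tenant (Security & Compliance PowerShell):
#   Connect-IPPSSession
#   Get-Label | Where-Object { $_.EncryptionEnabled } | ForEach-Object {
#       Get-LabelRightsExposure -LabelName $_.DisplayName -RightsDefinitions $_.EncryptionRightsDefinitions
#   } | Where-Object { $_.BroadAudience -and $_.CopilotCanRead }
```

Labels that let users define permissions at the time of labeling have no fixed rights string to inspect; the rights travel with each document instead, so those documents need to be assessed from their own usage rights rather than from the label.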

No Silver Bullet

In the deployment of any technology, it’s critical to have a clear idea of why the technology is needed, how it will be used, the expected benefits, how to measure success, and the expected user group. Microsoft’s removal of limitations surrounding Copilot for Microsoft 365 are very welcome, especially because of the reduced cost. But widening Copilot availability does not make it a silver bullet. Like any other technology, Copilot brings its own strengths and challenges. I look forward to learning more about them during 2024.

Recent Stream Updates Enhance Video Functionality
https://office365itpros.com/2024/01/10/stream-browser-app-updates/
Wed, 10 Jan 2024 01:00:00 +0000

Enhancements to Stream Browser App Make it Easier to Consume Video

Stream’s proclaimed mission is to make video as easy to work with inside Microsoft 365 as documents and email are. We’re in the final stages of the transition from Stream Classic to Stream on SharePoint. The reminder published in message center notification MC703758 says that Microsoft will close down Stream classic on April 15, 2024 and remove any remaining videos stored in that platform after that date. In other words, it’s way past the best time to migrate.

With that cheery thought in mind, let’s do a quick fly-past of recent developments in Stream.

Changes to Stream Browser App

Although Stream is embedded in many places within Microsoft 365, the browser app is the most obvious instantiation of Stream. It’s the app launched when users select Stream from the app menu. A bunch of small but important changes have appeared in Stream that might have escaped your attention. For instance, Microsoft has given the Stream browser app a visual makeover (Figure 1) to include new choices for filtering and a screen recording capability (the old ‘recording’ option is now ‘camera recording’). The filtering options include fast access to Teams meeting recordings and the videos you’ve shared with others.

Figure 1: The Stream browser app

Stream in Teams

Examples of where Stream shows up elsewhere in Microsoft 365 include the Stream web part for SharePoint pages, the Stream app in Teams (really just a version of the Stream browser app), and being able to preview and play Stream videos inline in Teams chat and channel conversations. The latter functionality is covered by MC649917 (last updated 15 December 2023, Microsoft 365 roadmap item 127596) and it’s taken a while to deploy. The latest update is that deployment should complete worldwide by the end of January 2024.

What this means is that people can copy a link for a video from the Stream browser app and insert it into a Teams message. In the example shown in Figure 2, the video is stored in a SharePoint document library. The nice thing is that the viewers don’t need to know anything about where a video comes from (the location is shown beneath the video if someone really wants to know). The important thing is that if the link allows access, users can play the video inline and have access to features like the transcript, chapters, and comments.

Figure 2: Stream video playing inline in a Teams channel conversation

Share but No Download

Speaking of sharing, message center notification MC699712 (December 19, 2023) announced a change to the sharing link setting with the addition of the “Can view, but not download” option to the permission drop down. This change is supposed to hit targeted release tenants in mid-December, but I haven’t seen it yet and still have the old sharing experience (Figure 3).

Figure 3: You can generate sharing links to block downloads for Stream videos

Some folks are unaware that you can send sharing links which block downloads, so that’s why I include it here. Stay tuned for the improved version.

Analytics and the Timeline

Stream has supported access to video analytics for a couple of years. The latest addition is the ability to superimpose details of viewer retention on a video as it is viewed by its owner. Previously this functionality was available as part of the analytics available in the flyout panel. As shown in Figure 4, as a video advances through its timeline, analytics shows the percentage of engaged viewers at any point.

Figure 4: Viewer retention percentage shown on a video timeline

Clearly the aim is to retain viewers until the end of a video but it’s natural to see some drop-off toward the end, which is why it’s important to communicate important messages early.

Preview Mode

Another new feature is the ability to preview a video so that the owner sees the content as others do when they view it. This option is available when playing a video. Previewing allows access to the transcript, analytics, and comments but not video settings. Oddly, the route back to owner mode is to click the Edit button.

It seems like preview mode is associated with the update described in message center notification MC698135 (December 14, 2023, Microsoft 365 roadmap item 124992). The notification covers the difference between View mode and Edit mode and says that the default mode will be View to prevent inadvertent changes to video metadata happening when users with edit access open videos. At the time of writing, I see videos open in edit mode so the change hasn’t reached my tenant (deployment is due to be complete by the end of January 2024).

Hyperlinks and Forms in Videos

More changes are described in MC688631 (last updated December 14, 2023, Microsoft 365 roadmap item 180795) where video owners can add a hyperlink or text callout to videos. The callouts are associated with specific points in the video timeline and appear when viewers reach those points. MC688632 (9 November 2023, Microsoft 365 roadmap item 180796), describes much the same except that the timeline insertion covers surveys, quizzes, or polls created with Microsoft Forms.

Large Video Files and Automatic Transcript Generation

MC635989 (last updated 5 October 2023, Microsoft 365 roadmap item 124932) promised that automatic generation of transcripts for videos uploaded to SharePoint Online, Viva Engage (Yammer), and Office.com would be complete for standard tenants by the end of December 2023.

That is, unless your videos are too large. I noticed that a video of a podcast I recorded with the CodeTwo Software team at the European SharePoint Conference didn’t have a transcript. When I tried to generate a transcript manually, Stream informed me that transcript generation only caters for videos with a maximum size of 4 GB. That’s a good limitation to know because many professional high-definition videos can generate very large files (11.8 GB in this case).

Odd Video Search

While working with videos in the Stream browser app, I noticed a Visual Search button appearing when hovering over videos (Figure 5). I hadn’t seen this button before, but that could be the result of my inability to find options.

Figure 5: The visual search option in the Stream browser app

But I suspect it’s related to the announcement in MC681879 (16 October 2023, Microsoft 365 roadmap item 117552) covering improvements in video search for Office.com and SharePoint. In any case, clicking the button causes Stream to perform a visual search. I’m not sure what criteria Stream uses for the search but it generated some odd results from YouTube (Figure 6). At least, results that I couldn’t correlate with the selected video.

Figure 6: Using Visual Search in the Stream browser app

Stream Evolving Fast

Because Stream is available in places like SharePoint and Teams it’s easy not to have a reason to go near the browser app for months at a time. The experience gained here revealed that because Stream is evolving fast it’s wise for tenant administrators to keep an eye on what’s happening, just in case you’re asked if a capability is available for video files. It’s just plain embarrassing when a feature exists and you aren’t aware of it.



Creating Viva Engage Communities with the Graph API
https://office365itpros.com/2024/01/03/viva-engage-community-graph/
Wed, 03 Jan 2024 01:00:00 +0000

Beta API Can Create and List a Viva Engage Community

Message center notification MC701523 (24 December 2023, Microsoft 365 roadmap item 178311) marks the start of Graph API support for Viva Engage with a beta Community API to create and list Viva Engage communities. The API is limited to modern Viva Engage (Yammer) networks. All new networks are modern. The key point is that modern networks use Microsoft 365 groups to manage community membership.

This step marks the initial Graph API support for Viva Engage. Yammer has long had its own APIs but embracing the Graph is an inevitable part of integrating with the wider Microsoft 365 ecosystem (Graph support for Viva Engage activity data is already available). For whatever reason, the old Yammer engineering group resisted integration with Microsoft 365 for many years following the 2012 acquisition. That tactic didn’t work well in terms of driving Yammer use. Fortunately, Microsoft saw sense some years ago and began down the path to transition Yammer to Viva Engage in 2022.

PowerShell Code to Create a New Viva Engage Community

Creating a new Viva Engage community is simple. The API supports both delegated and application permissions. To make things easy, I used an interactive session with the Microsoft Graph PowerShell SDK. These commands:

  • Connect to the Graph SDK endpoint with the necessary scope (permission).
  • Define the URI for the Communities endpoint.
  • Create a hash table containing the parameters for the new community.
  • Convert the hash table to a JSON-format variable.
  • Post to the Communities endpoint using the JSON variable as the request body.

Connect-MgGraph -Scopes Community.ReadWrite.All -NoWelcome
$Uri = "https://graph.microsoft.com/V1.0/employeeExperience/communities"
$VivaCommunityParameters = @{
  "displayName" = "Viva Engage Technical Discussions"
  "description" = "A community where everyone gets together to discuss the technology that drives Viva Engage and its communities."
  "privacy" = "Public"
}
$VivaCommunityBody = $VivaCommunityParameters | ConvertTo-Json
Invoke-MgGraphRequest -Uri $Uri -Method POST -Body $VivaCommunityBody -StatusCodeVariable "Status"

Figure 1 shows the new community as it appears in the Viva Engage web app.

Figure 1: New Viva Engage community created using the Graph API

Because Viva Engage communities depend on Microsoft 365 groups to manage their membership, creating a community also creates a Microsoft 365 group with a single owner and single member (the signed-in account). The current version of the API doesn’t support specifying a different account as the owner or additional members in the request body. This issue is easily addressed by running the New-MgGroupOwnerByRef and New-MgGroupMember cmdlets after creating the community. See this article for more information.

The API does not support creating a community using an existing group. You can only create a new community with a new group.

Points About Creating a Community

Specifying the StatusCodeVariable parameter when running the POST request with Invoke-MgGraphRequest to create a new community returns the HTTP status code in a variable with the name of the passed string (in this case, $Status). A 202 (Accepted) value means that Graph accepted the request and is creating the community asynchronously, so check the value before doing anything else with the result.

The unfortunate thing is that the response body doesn’t include the Viva Engage identifier used with the Get method to retrieve details of the new community. The Viva Engage (Yammer) identifier is not the same as the Entra ID group identifier. Instead, it’s a Base64 value like eyJfdHlwZSI6Ikdyb3VwIiwiaWQiOiI4MzIxMjc1In0 (which decodes to {"_type":"Group","id":"8321275"}). The Get method requires the identifier to fetch details of a community and doesn’t support fetching details of all communities. That seems like an oversight that Microsoft should fix before the API attains general availability.

Another bug is that if you specify “public” (lowercase p) in the parameters, the API sets the new community to be private. You must set the value to be “Public” if you want to create a public community.
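Putting those points together, here is an added end-to-end script (my example, not code from the article) that creates a community, checks for the 202 status, waits for the asynchronous creation to finish, fetches the new community to find its Microsoft 365 group, and then adds an extra owner and members with the New-MgGroupOwnerByRef and New-MgGroupMember cmdlets mentioned above. It assumes that the 202 response carries a Location header for an operation-status resource with status and resourceId properties, that the community resource exposes the group identifier as groupId, and that the contoso.com accounts are placeholders. None of this is stated in the article, so verify the behavior in your own tenant before relying on it.

```powershell
# Added example: create a Viva Engage community, wait for the asynchronous
# operation to finish, then populate the underlying Microsoft 365 group.
# Assumptions (not stated in the article):
#  - the 202 response carries a Location header for an operation-status resource
#    whose 'status' reaches 'succeeded' and whose 'resourceId' is the community id;
#  - the community resource exposes the group identifier as 'groupId';
#  - the contoso.com user principal names are placeholders.
Connect-MgGraph -Scopes "Community.ReadWrite.All", "Group.ReadWrite.All", "User.Read.All" -NoWelcome

$Uri  = "https://graph.microsoft.com/v1.0/employeeExperience/communities"
$Body = @{
    displayName = "Viva Engage Technical Discussions"
    description = "A community where everyone gets together to discuss the technology that drives Viva Engage and its communities."
    privacy     = "Public"   # lowercase "public" produced a private community in the article's tests
} | ConvertTo-Json

# Capture the status code and the response headers. Creation is asynchronous,
# so the service answers 202 Accepted rather than 201 Created.
Invoke-MgGraphRequest -Method POST -Uri $Uri -Body $Body -ContentType "application/json" `
    -StatusCodeVariable Status -ResponseHeadersVariable Headers
if ($Status -ne 202) {
    throw "Unexpected status $Status when creating the community"
}

# Poll the operation-status resource named in the Location header (assumed shape).
$OperationUri = @($Headers['Location'])[0]
if (-not $OperationUri) { throw "No Location header returned; cannot track the operation" }
do {
    Start-Sleep -Seconds 3
    $Operation = Invoke-MgGraphRequest -Method GET -Uri $OperationUri -OutputType PSObject
} while ($Operation.status -in @("notStarted", "running"))
if ($Operation.status -ne "succeeded") {
    throw "Community creation finished with status '$($Operation.status)'"
}

# resourceId is the Base64 Viva Engage identifier, not the Entra ID group identifier.
$CommunityId = $Operation.resourceId
$Community   = Invoke-MgGraphRequest -Method GET -Uri "$Uri/$CommunityId" -OutputType PSObject
$GroupId     = $Community.groupId   # assumed property name
Write-Host "Community $CommunityId created; backing group is $GroupId"

# The request body cannot name extra owners or members, so add them to the group afterwards.
$ExtraOwners = @("Lotte.Vetler@contoso.com")                               # placeholders
$NewMembers  = @("James.Ryan@contoso.com", "Chris.Bishop@contoso.com")     # placeholders

foreach ($Upn in $ExtraOwners) {
    $User = Get-MgUser -UserId $Upn -Property Id
    New-MgGroupOwnerByRef -GroupId $GroupId -BodyParameter @{
        "@odata.id" = "https://graph.microsoft.com/v1.0/users/$($User.Id)"
    }
}
foreach ($Upn in $NewMembers) {
    $User = Get-MgUser -UserId $Upn -Property Id
    New-MgGroupMember -GroupId $GroupId -DirectoryObjectId $User.Id
}
```

The throw after the status check matters: a 202 only tells you that Graph queued the request, and a script that moves straight on to membership changes can race the group's creation and fail in confusing ways.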

Interaction with Microsoft 365 Groups

The new API can create a group but it cannot update group properties (like its photo) or group membership. Most group properties are still controlled by Yammer APIs and are inaccessible through the Graph. In addition, you’ll find that most attempts to update group settings like the access type (public or private) using the Set-UnifiedGroup or Update-MgGroup cmdlets fail.

However, you can run the Add-UnifiedGroupLinks cmdlet to populate the new community with owners and members. Here’s an example of adding four members to a community:

# Find the Microsoft 365 group behind the community and add four members by alias
$GroupId = (Get-UnifiedGroup -Filter {displayName -eq 'Viva Engage Technical Discussions'}).ExternalDirectoryObjectId
[array]$Members = "Lotte.Vetler", "James.Ryan", "Chris.Bishop", "Andy.Ruth"
Add-UnifiedGroupLinks -Identity $GroupId -LinkType Members -Links $Members

A Start Along the Road to Fully Embracing the Graph

All beta APIs tend to exhibit imperfections and bits that are incomplete. Being able to create new Viva Engage communities using the Graph is a good step forward but it’s only the start of the transition from the old Yammer APIs. We look forward to seeing more progress on this point in the future.


Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.

Don’t Feed Large Reference Documents to Copilot for Word
Published Tue, 02 Jan 2024 at https://office365itpros.com/2024/01/02/copilot-for-word-reference/

Copilot for Word Reference Documents Can be Too Large to Process

I’m happily using Copilot for Word to generate, refine, and summarize text when I run into an issue that afflicts all AI technologies based on large language models (LLMs): the prompts generated for the LLM to process support a limited number of characters. I can’t say precisely what that limit is because I can’t find any documentation for the issue, but I can say that incorporating a large reference document into a prompt causes Copilot some difficulty.

Take the prompt shown in Figure 1. As a reference document, I added a 518 KB 27-page Word document which happens to be the first chapter of the Office 365 for IT Pros eBook. I asked Copilot to use the information to help it generate a brief overview of the value Office 365 brings to customers.

Figure 1: Adding a reference document to a Copilot for Word prompt

Copilot worked away and began to generate text. After several seconds, the output was ready but came with the caveat that Copilot couldn’t process the reference document fully (Figure 2). The output generated by Copilot is “based only on the first part of those files.” In some cases, this might not make a difference, but the latter half of the reference document contained information that I thought Copilot should include.

Figure 2: Copilot for Word reports a reference document is too long

The question is why can’t Copilot use the full content of large reference documents. Here’s what I think is happening.

Grounding and Retrieval Augmented Generation

Copilot for Word uses reference documents to help ground the prompt entered by the user with additional context. In other words, the content of the reference document helps Copilot understand what the user wants. Copilot uses a technique called Retrieval Augmented Generation (RAG). According to an interesting Microsoft article about grounding LLMs, “RAG is a process for retrieving information relevant to a task, providing it to the language model along with a prompt, and relying on the model to use this specific information when responding.”

Limits exist in grounding large language models. Copilot allows users to include a maximum of 2,000 characters in their prompts. Copilot adds content extracted from the reference documents and other information found in the semantic index to the prompt to provide the context for the LLM to process. The semantic index holds information about documents available to the user stored in SharePoint Online or OneDrive for Business or ingested via a Graph Connector. The maximum size of a prompt must cover whatever the user enters plus the information extracted from reference documents during grounding.

I have very large Word documents of well over 1,000 pages, but it would be unreasonable to tell Copilot to use these files to ground prompts. There’s too much content covering too many varying topics for Copilot to make much sense of such beasts.

Good Copilot for Word Reference Documents

A good reference document is one whose content is adjacent to the topic you ask Copilot to generate text about. Ideally, the document is well structured by being divided into clear sections that cover different points. A human should be able to scan the document quickly and tell you what it’s about. My tests indicate that Copilot for Word generates the best results when reference documents are structured, contain material pertinent to the prompt, and are less than 10 pages. Your mileage might vary.

Although chapter 1 of the Office 365 for IT Pros eBook is packed full of useful and pertinent information, it’s just too much for Copilot to consider when attempting to respond to the user prompt. Copilot would be much happier if I provided it with a five-page overview of Office 365.

Other Copilots Have Limits Too

Encountering difficulties using long reference documents is similar to the limit that exists when Copilot for Outlook attempts to summarize a long email thread. According to the support article covering the topic, “In the case of a very long thread, not all messages may be used, as there are limitations of how much can be passed into the LLMs.”

Copilot for GitHub also has limits, as attested in many questions developers ask about its use (here’s an example).

In other Copilots, the type of information being processed might reduce the possibility that Copilot might run into issues. For instance, when Copilot for Teams summarizes the discussion from a meeting, it uses the meeting transcription as its basis. Even a very long meeting is unlikely to trouble Copilot too much because (assuming the meeting has an agenda), the discussion flows from point to point and has a reasonable structure.

Preparing for Copilot

All of which brings me back to a central point about preparing for a Copilot for Microsoft 365 deployment. You can deploy all the software you want, including the tools available in Syntex (soon to be SharePoint Premium) to prepare content and Microsoft Purview to protect content. But at the end of the day, Copilot will be asked to process documents created by human beings. Whether those documents make good reference documents remains to be seen.

It’s a hard nut to crack. Humans never wrote documents to be processed by AI. They created documents to meet goals, explain projects, lay out solutions, and so on. Sometimes the documents are well-structured and easily navigated. Other times they’re a challenge for even their authors to interpret, especially as time goes by. Some documents remain accurate even after years and some are outdated in the weeks following publication. It will be interesting to see how Copilot copes with the flaws and imperfections of human output.



The Demise of Office Delve
Published Mon, 18 Dec 2023 at https://office365itpros.com/2023/12/18/delve-retirement-2024/

Microsoft to Retire Delve in December 2024

Posted on December 14, 2023, message center notification MC698136 announces the sad news that Microsoft will retire the Delve web app (“Office Delve” was the original name) from Microsoft 365 on December 16, 2024. The demise of Delve (Figure 1) isn’t altogether surprising because the app never achieved much traction.

Figure 1: Delve web app

Launched as codename “Oslo” at the SharePoint 2014 conference, Delve was the first of a planned set of Office 365 next generation portals. In the case of Delve, Microsoft said that it would “reimagine search.” While this mightn’t have happened, Delve introduced some interesting and worthwhile functionality. It was the first app to exploit the power of the Office Graph (now the Microsoft 365 Graph) to calculate and expose relationships between people and their work.

Delve Exposed Documents

When Delve used the Graph to calculate popular documents and display that information to users, it caused an uproar in some quarters because people saw information that they shouldn’t. The problem wasn’t due to Delve. Instead, it happened because of inconsistent, inaccurate, or missing permissions on SharePoint Online sites that allowed the software to find interesting documents. The same issue might recur with Microsoft 365 Copilot, with the big difference that documents accessible to Copilot can be used to generate text. There’s quite a difference between suggesting documents to users and ingesting documents to create new content.

On a more positive note, Delve allowed users to edit their profile and update their photo at a time when that experience was dreadfully fragmented across Exchange, Lync, and SharePoint. Microsoft is only now moving to an Entra ID-based solution that they hope will deliver consistent user photos across Microsoft 365. And Delve introduced a way for users to highlight documents by pinning them to boards. Overall, Delve seemed important enough to warrant a dedicated chapter in the Office 365 for IT Pros eBook over several editions.

Chipping Away at Delve Functionality

Time moves on and technology evolves. Delve’s problem was that it didn’t evolve quickly enough (or at all). Some of its functionality, like blog publishing, vanished in 2020 followed by its desktop app (killed in March 2021). Delve Analytics (always more of an add-on rather than an integrated component) broke away to become MyAnalytics (now exposed through the Viva Insights app and add-in). Microsoft’s attention turned elsewhere, and Delve didn’t occupy a compelling and important role in the Microsoft 365 ecosystem, and that’s what brings us to its demise in 2024.

No Replacement for Delve Features

Microsoft doesn’t think that there is a need to replace the functionality currently available in Delve. To help users manage their profiles, Microsoft says that they plan to deliver a new edit profile capability in mid-2024 that is “tightly coupled with profile cards.” I’m unsure why they feel the need to assert the closeness of the connection given the pervasiveness of the user profile card across Microsoft 365 apps. A replacement for the Delve organization view is available in the user profile card and the Org Explorer (with the necessary licenses). Unsurprisingly given the sad lack of development since 2015, there’s no replacement for Delve Boards.

Lack of Functionality and Development

Even though I never had much use for Delve, I think Microsoft got some value from the app. We didn’t know much about the Graph in 2014-15. An app had to demonstrate what Microsoft meant by reimagining the way people searched for information together with the value of discovering information that could be useful to a person by reference to the connections that exist between that person and others within an organization. Delve did both, but I guess its flaw was that there wasn’t much else that users could do aside from pinning documents to boards.

It seems like Microsoft lost interest in Delve some years back. For whatever reason, it’s going to join other apps like StaffHub, Cortana Scheduler, Kaizala, and Sway in the Microsoft 365 wastebasket. All had some interesting aspects, but all eventually failed to appeal to the masses.


So much change, all the time. It’s a challenge to stay abreast of all the updates Microsoft makes across Office 365. Subscribe to the Office 365 for IT Pros eBook to receive monthly insights into what happens, why it happens, and what new features and capabilities mean for your tenant.

Using Microsoft 365 Copilot for Word
Published Thu, 14 Dec 2023 at https://office365itpros.com/2023/12/14/copilot-for-word/

Copilot for Word Will Help Many Authors Create Better Text

As folks might know, I write quite a few articles about technical topics. Recently, I’ve had the assistance of Microsoft 365 Copilot in Word. Not because I felt the need for any help but rather in the spirit of discovering if Copilot lives up to its billing of ushering in “a new era of writing, leveraging the power of AI. It can help you go from a blank page to a finished document in a fraction of the time it would take to compose text on your own.”

Good technical articles tell a story. They start by introducing a topic and explaining why it’s of interest before progressing to a deeper discussion covering interesting facets of the topic. The final step is to reach a conclusion. Copilot for Word aims to help by assisting authors to structure their text, write concise sentences, and start drafting based on a prompt submitted by the author.

Starting Off with Copilot for Word

Writing the first few sentences can be the hardest part of an article. To help, Copilot for Word can generate text by responding to a user prompt. A prompt is how to tell Copilot what to do. It can be up to 2,000 characters.

Crafting good prompts is a skill, just like it is to build good keyword searches of the type used to find information with Google or another search engine. Figure 1 shows my first attempt at a prompt for this article.

Figure 1: Prompting Copilot for Word

I wasn’t happy with the content generated by Copilot because it read like the text of a marketing brochure. This isn’t altogether surprising given two facts. First, my prompt wasn’t precise enough. Second, generative AI tools like Copilot can only create text based on previous content. The response obviously originated from Microsoft marketing content that lauded the powers of Copilot.

A second attempt was more concise and precise (Figure 2) and produced more acceptable text (Figure 3).

Figure 2: Refining a prompt for Copilot for Word
Figure 3: The text generated by Copilot for Word

Although better, I would never use the text generated by Copilot. It has value (especially the last three points), but it’s just not my style. The point to remember is that Copilot supports refinement of its output through further prompts. The text shown in Figure 3 is the result of asking Copilot to “make the text more concise.”

Using Reference Documents

A prompt can include links (references) for up to three documents, which must be stored in a Microsoft 365 repository. Copilot uses references to “ground” the prompt with additional context to allow it to respond to prompts better. When starting to write about a new topic, you might not have a usable reference, but in many business situations there should be something that helps, such as a document relating to a project or customer. The prompt shown in Figure 4 asks Copilot to write an article about the January 2024 update for the Office 365 for IT Pros eBook and includes a reference document (an article about the December 2023 update).

Figure 4: Including a reference document in a Copilot for Word prompt

The generated text (Figure 5) follows the structure of the reference document and I have no complaints about the opening paragraph. Copilot even figured out that the January update is #103. The problems mount swiftly thereafter as Copilot’s generated text promises a new chapter on Microsoft Viva and an updated chapter on Copilot for Microsoft 365, neither of which exist. I also don’t know what the integration between Teams and Syntex refers to, and the new Teams Pro license is a predecessor of Teams Premium. Later, we’re told that Microsoft Lists will launch in February 2024. These are Copilot hallucinations.

Figure 5: Copilot generates an article about an Office 365 for IT Pros monthly update

This experience underlines the necessity to check everything generated by Copilot. You have no idea where Copilot might source information and whether that data is obsolete or simply just wrong. Tenants can limit Copilot’s range by preventing it from searching internet sources for information, but even the best corporate information stored in SharePoint Online or OneDrive for Business can contain errors (and often does).

Rewrites with Copilot for Word

Apart from generating text, Copilot for Word can rewrite text. Figure 6 shows a rewrite of the second paragraph from this article. The version generated by Copilot uses the “professional” style (the other styles are “neutral,” “casual,” “concise,” and “imaginative”).

Figure 6: Text rewritten by Copilot for Word

The two versions are reasonably close. I prefer mine because it’s written in my style, but the alternative is acceptable.

Rewrite is useful when reviewing someone else’s text. I often edit articles submitted to Practical365.com for publication. Because authors come from many countries, their level of English technical writing varies greatly. Being able to have Copilot rewrite text often helps me understand the true intent of an author.

The Usefulness of Copilot for Word

I’ve tried many different text proofing tools in Word, from the built-in ones like Microsoft Editor to external ones like Grammarly. They all have their pros and cons, and their own quirks. Copilot for Word is more user-friendly and intuitive than any existing tool. If they remember to check the generated text carefully, Copilot will help many people write better. The downside is the $30/user/month cost for Microsoft 365 Copilot licenses (currently, you can’t buy a Copilot license just for Word).

Microsoft 365 Copilot obviously covers much more than generating better text with Word. That being said, it’s nice that the integration of AI into one of the more venerable parts of Microsoft 365 works so well.

Summarizing Copilot for Word

It seems apt to close with the summary generated by Copilot for this article (Figure 7). Copilot summarizes documents by scanning the text to find the main ideas. What’s surprising in this text is the inclusion of ideas that are not in the document, such as “What Copilot for Word cannot do.” Copilot cites paragraphs five and six as the source, but neither paragraph mentions anything about weather or visuals, or that Copilot for Word is limited to outputting text in bullet points or paragraphs. This information must have come from the foundational LLMs used by Copilot.

Figure 7: Copilot summary of a document’s content

I’m sure Copilot included the information to be helpful but it’s jarring to find the AI introducing new ideas in summaries. Oh well, this kind of stuff gives people like me stuff to write about…



Microsoft Cancels the Teams Who Bot
Published Fri, 10 Nov 2023 at https://office365itpros.com/2023/11/10/who-bot-app-gone/

Who Bot Was One of the Original Teams Bots

Message center notification MC687849 (7 November 2023) is a terse announcement of the demise of the Teams Who bot, an app in the Teams app store. This is a pity. I rather liked the Who bot and even included it as an example app in an article about Teams setup policies. Oh well.

Figure 1: The Who bot app scored a surprising 3.2 overall rating

Microsoft created the Who bot in the early days of Teams development as a sample to demonstrate how to create a Teams bot. The purpose of the app is to help users find information about others in the organization based on the information stored in Entra ID and the Graph. Users could chat with the bot to ask questions like who in the organization might know about a certain topic. Figure 2 shows a query from January 2018 when I asked “who works for me?” It’s the kind of helpful information that befuddled managers like to receive.

Figure 2: The Who bot responds to a chat query

As you can see, the Who bot used chats to interact with users. In today’s Microsoft 365, the role of AI-based helpful communication is assigned to Microsoft 365 Copilot or rather, the implementation of Copilot within Teams. Microsoft says that they are working to improve the functionality delivered in the Who bot and will deliver a better user experience within Microsoft 365 Copilot sometime in the future.

Knowing What’s Happening

The deprecation is due in mid-December 2023 but already the Who bot knows about its fate. I fired the bot up on November 9 and was prompted for consent to perform searches (a refinement from the original version). After giving consent, the response was a bunch of messages heralding the deprecation. And although the Who bot reassured me that it was ready to start chatting (Figure 3), no further interaction was possible.

Figure 3: The Who bot knows too much about what’s going to happen to it

Indeed, some folks in the Microsoft Technical Community noticed that the Who bot was declining in late October. Microsoft might have been trying to deprecate the bot on the quiet, but were forced to come clean when people noticed! I don’t know if this is the case, but perhaps low usage data convinced Microsoft that they could remove the Who bot without causing any problems for users.

No Way Back

In any case, there’s no way back for the Who bot. Microsoft’s attention is fully focused on adding Copilots to every piece of software that it can, no matter if the software benefits from receiving a splash of artificial intelligence.

The bad thing is that the Who bot was a free app available to all 320 million Teams users. The new route that Microsoft has taken will restrict access to whatever replacement functionality they build to people with Copilot licenses. Right now, that’s a large investment (minimum of $108,000 for 300 users for a year) that limits exposure to organizations that can afford to pay for licenses. Losing the Who bot isn’t a big deal because it was really only ever a demo app, but it’s always sad when functionality disappears behind a licensing barrier. Microsoft tends to go down that path too often these days.



Microsoft Details Compliance Support for Microsoft 365 Copilot
Published Thu, 09 Nov 2023 at https://office365itpros.com/2023/11/09/microsoft-365-copilot-compliance/

Compliance through Sensitivity Labels, Audit Events, and Compliance Records

Now that the fuss around the general availability of Microsoft 365 Copilot (November 1) is fading, organizations face the harsh reality of deciding whether investing a minimum of $108,000 (300 Copilot licenses for a year) to test the effectiveness of an AI-based digital assistant is worthwhile. Before deploying any software, companies usually have a checklist to validate that the software is suitable for their users. The checklist might contain entries such as:

In MC686593 (updated 6 November, 2023), Microsoft addresses the last point by laying out how Purview compliance solutions support the deployment of Microsoft 365 Copilot. Rollout of the capabilities is due between now and mid-December 2023.

Sensitivity Labels Stop Microsoft 365 Copilot Using Content

Microsoft 365 Copilot depends on an abundance of user information stored in Microsoft 365 repositories like SharePoint Online and Exchange Online. Without information to set context and provide the source for answering user prompts, Copilot cannot work. The possibility that Copilot might include sensitive information in its output is real, and it’s good to know that Copilot respects the protection afforded by sensitivity labels. The rule is that if a sensitivity label applied to an item allows a user at least read access, its content is available to Copilot to use when responding to prompts from that user. If the label blocks access, Copilot can’t use the item’s content.

Figure 1: If the Confidential label allows Microsoft 365 Copilot to access the information, it can be used in responses

Audit Events Record Microsoft 365 Copilot Interactions

Recent changes in the Microsoft 365 unified audit log and the surrounding ecosystem have not been good. The Search-UnifiedAuditLog cmdlet doesn’t work as it once did, a factor that might impact the way organizations extract audit data for storage in their preferred SIEM. Some will not like the removal of the classic audit search from the Purview compliance portal in favor of the asynchronous background search feature. Both changes seem to be an attempt by Microsoft to reduce the resources consumed by audit searches. This tactic is perfectly acceptable if communicated to customers. The problem is the deafening silence from Microsoft.

On a positive note, the audit log will capture events for Copilot prompts from users and the responses generated by Copilot in a new Interacted with Copilot category. These events can be searched for and analyzed using the normal audit retrieval facilities.
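As an added example (my script, not code from the article), the following pulls a week of Copilot interaction events with Search-UnifiedAuditLog, pages through the results with a search session, and summarizes who used Copilot, from which app, and which items Copilot drew on. It assumes the audit record type for the “Interacted with Copilot” category is named CopilotInteraction and that the JSON in AuditData carries a CopilotEventData object with AppHost and AccessedResources members (each with a Name); none of those names appear in the article, so adjust them if the events in your tenant look different.

```powershell
# Added example: report Microsoft 365 Copilot interactions from the unified audit log.
# Assumptions (not stated in the article):
#  - the record type is named CopilotInteraction;
#  - AuditData.CopilotEventData exposes AppHost and AccessedResources[].Name.
Connect-ExchangeOnline -ShowBanner:$false

$Start     = (Get-Date).AddDays(-7)
$End       = Get-Date
$SessionId = "CopilotAudit-" + [guid]::NewGuid().ToString()
[array]$Records = @()

# Use a search session so that large result sets come back in pages of up to 5,000
# records; the loop ends when a page returns nothing.
do {
    [array]$Page = Search-UnifiedAuditLog -StartDate $Start -EndDate $End `
        -RecordType CopilotInteraction -ResultSize 5000 `
        -SessionId $SessionId -SessionCommand ReturnLargeSet
    $Records += $Page
} while ($Page.Count -gt 0)

if ($Records.Count -eq 0) {
    Write-Host "No Copilot interaction events found between $Start and $End"
    return
}

# Paged searches can repeat records, so dedupe on the record identity before unpacking
# the JSON payload into something a reviewer can read.
$Report = $Records | Sort-Object Identity -Unique | ForEach-Object {
    $Data = $_.AuditData | ConvertFrom-Json
    $Resources = @($Data.CopilotEventData.AccessedResources | ForEach-Object { $_.Name })
    [PSCustomObject]@{
        Time      = $_.CreationDate
        User      = $_.UserIds
        AppHost   = $Data.CopilotEventData.AppHost   # assumed property name
        Resources = ($Resources -join "; ")
    }
}

# Detailed view, then a quick per-user count to spot unusually heavy use
$Report | Sort-Object Time | Format-Table Time, User, AppHost, Resources -AutoSize
$Report | Group-Object User | Sort-Object Count -Descending | Select-Object Name, Count
```

The per-user count is the quick triage view; the Resources column is what an investigator needs, because it shows which documents and messages Copilot actually grounded a response on for a given user.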

Compliance Records for Microsoft 365 Copilot

The Microsoft 365 substrate captures Copilot prompts and responses and stores this information as compliance records in user mailboxes, just like the substrate captures compliance records for Teams chats. Microsoft 365 retention policies for Teams chats have been expanded to process the Copilot records. If you already have a policy set up for Teams chat, it processes Copilot records too (Figure 2).

Figure 2: Retention processing handles Microsoft 365 Copilot interactions along with Teams chats

Although it’s easier for Microsoft to combine processing for Teams chats and Copilot interactions, I can see some problems. For example, some organizations like to have very short retention periods for Teams chat messages (one day is the minimum). Will the same retention period work for Copilot interactions? It would obviously be better if separate policies processed the different data types. Perhaps this will happen in the future.

Because the substrate captures Copilot interactions, the interactions are available for analysis by Communication Compliance policies. It should therefore be possible to discover if someone is using Copilot in an objectionable manner.

Block and Tackle Support for Microsoft 365 Copilot

None of this is earthshattering. SharePoint Online stores protected documents in clear to support indexing, but it would be silly if Microsoft 365 Copilot could use protected documents in its response. Gathering audit events treats Copilot like all the other workloads, and compliance records make sure that eDiscovery investigations can include Copilot interactions in their work. However, it’s nice that Microsoft has done the work to make sure that organizations can mark the compliance item on deployment checklists as complete.


Support the work of the Office 365 for IT Pros team by subscribing to the Office 365 for IT Pros eBook. Your support pays for the time we need to track, analyze, and document the changing world of Microsoft 365 and Office 365.

Office 365 for IT Pros November 2023 Update Available
Published Wed, 01 Nov 2023 at https://office365itpros.com/2023/11/01/office-365-for-it-pros-101/

Download new Office 365 for IT Pros Files Now

Office 365 for IT Pros November 2023 Update

The Office 365 for IT Pros eBook team is delighted to announce that the 101st monthly update is now available for download. Subscribers to the PDF/EPUB version can download the updated files from Gumroad.com using their account or the link contained in the receipt emailed to them when they subscribed. People who bought the Kindle edition from Amazon can ask Amazon support to make the update available to them.

Office 365 for IT Pros Monthly Update 101

As in any month, the latest update covers a variety of topics. For example:

  • New data about user numbers released in Microsoft’s FY24 Q1 results (Teams now has 320 million monthly active users).
  • Deprecation of the Set-UserPhoto and Get-UserPhoto cmdlets.
  • A new organization setting to allow tenants to avoid roaming signatures until Microsoft fixes the problem with OWA signatures.
  • The storage consumed by Loop workspaces (but not Loop components used in apps) will count against tenant SharePoint storage quotas.

During the month, we also published details of how to use the Microsoft Graph PowerShell SDK (and PnP.PowerShell) to create and update Microsoft Lists. This led to the addition of a small paragraph in chapter 23 and is an example of the kind of research the writing team does to improve the quality and coverage of the book.

We also expressed our annoyance at the number and persistence of the annoying pop-up messages Teams insists on displaying to users.

For more information about changes in the 101st update, please see our change log. Details of how to download updates can be found in our FAQ.

New Teams Client Becomes the Only Teams Client in March 2024

The biggest change for many Microsoft 365 tenants is the launch of the new Teams client, which attained general availability on October 5, 2023. There’s no doubt that the new Teams client is an advance over the “classic” client in terms of performance, resource consumption, and some functionality (like guest access to multiple tenants). Microsoft still has some work to do to attain full feature equivalence across the two clients, but this will come in time. A useful web page explains where Microsoft hopes to make progress and where functionality differs across the two versions.

Nice as it is to have the new client, I think people were surprised when Microsoft issued message center notification MC686187 on October 31 to tell customers that Microsoft plans to remove the classic client on March 31, 2024. People using the classic client at that time will receive an automatic upgrade to the new client, even if they’d really prefer to stay with the old version.

The new Teams client isn’t available yet for Virtual Desktop Infrastructure (VDI), so VDI users are unaffected by the deprecation and will not be automatically updated. The same is true for Teams Room and Surface Hub devices, which need a special version of the new client to deal with their environments.

I fully understand Microsoft’s desire to remove the classic client. They’ve invested a ton of engineering effort to move away from the Electron-based roots of the old client to develop a new client that answers many of the criticisms expressed over the years. They don’t want to be forced to keep two very different client code bases functionally equivalent as new features roll out (like using Microsoft Designer to generate custom images for announcement channel posts).

Maintaining two client code bases is an expensive proposition, as Microsoft knows well from their experience with Outlook. Reducing engineering and support costs is one of the prime motivating factors in the effort to deliver the Monarch “One Outlook” client. Microsoft is already pushing customers away from the old Win32-based Outlook for Windows desktop client with tactics like insisting that only Monarch will support Microsoft 365 Copilot.

No Votes for Customers

Forced client transition to gain new functionality is part of living with a cloud service. It happens. Customers don’t get to vote (unless you want to return to an on-premises deployment). Oh well, upward and onward toward the 102nd monthly update for the Office 365 for IT Pros eBook, due on December 1.

Teams Grows to 320 Million Monthly Active Users
https://office365itpros.com/2023/10/26/teams-number-of-users-320-million/ (published Thu, 26 Oct 2023)

Teams Number of Users Keeps On Growing, Like the Rest of the Microsoft Cloud

On October 24, 2023, Microsoft reported their FY24 Q1 results. As usual, there was an upward bounce for Microsoft Cloud revenues to $31.8 billion (annualized run rate of $127.2 billion – Figure 1), an increase from the $30.3 billion reported in the last quarter.

Figure 1: Microsoft Cloud Revenues since 2015

Some of the growth comes in an increase in overall user numbers, some comes from Microsoft’s success in extracting additional revenue from existing customers. As CFO Amy Hood noted, “Office Commercial, revenue growth will again be driven by Office 365 with seat growth across customer segments and ARPU growth thru E5.” ARPU is average revenue per customer and it increases when customers upgrade their basic licenses (for instance, from Office 365 E3 to Microsoft 365 E3) or buy add-ons.

Talking Copilot

Microsoft also highlighted some numbers that they want people to focus on. For example, Satya Nadella was keen to talk about Microsoft 365 Copilot, noting that customers say that they “can’t imagine work without it.” This might be the case for the test users in the 40% of the Fortune 100 that Microsoft say are in the Copilot preview (including Visa, KPMG, Bayer, Suncorp, and the Mayo Clinic), but it remains to be seen how many will stump up the $30/month price for a Microsoft 365 Copilot license (plus the potential cost of upgrading to an eligible Microsoft 365 license) when it becomes generally available on November 1.

$30 seems like a high monthly charge, but if the Wall Street Journal is correct that Microsoft is losing money on GitHub Copilot because of the operational costs of AI-powered recommendations, then maybe the price of Microsoft 365 Copilot is reasonable.

Teams Keeps Growing

Microsoft certainly hopes that Copilot will be a hit, just like they hoped that Teams Premium would convince customers to upgrade from Teams standard. Microsoft said that 10,000 “paid” customers use Teams Premium. Last quarter, Microsoft said that there were 600,000 Teams Premium users, so it could be that they’re simply reporting numbers a different way and that each customer has 60 Teams Premium users. But I’m sure that this isn’t the case.

Last April, Microsoft reported that Teams had 300 million monthly active users. This time round, they increased the number by 20 million to 320 million (Figure 2).

Figure 2: Teams number of users since 2019

320 million is a big number and it means that Teams is now used by roughly 80% of the entire Office 365 base. Microsoft said that the number of Office 365 commercial seats grew 10% year over year, which puts it at around 400 million. The 80 million who don’t use Teams must use Slack or something else, or perhaps the different user counts don’t quite match up.

Either way, Teams exerts enormous influence over Microsoft 365 with apps like OneDrive for Business and SharePoint Online experiencing huge growth in usage because of how Teams consumes their services.

EMS Grows By Three Million

The EM+S people succeeded in getting another mention for their progress. In FY23 Q4, Microsoft said “the enterprise mobility and security installed base grew 11% to over 256 million seats.” This time round, they said “the enterprise mobility and security installed base grew 11% to over 259 million seats.” The three million extra seats in a quarter definitely made a difference. Oddly, the current version of the earnings transcript available online makes no mention of EM+S, so maybe I was dreaming…



How to Limit the Creation of New Teams to Private Access
https://office365itpros.com/2023/10/19/teams-privacy-mode/ (published Thu, 19 Oct 2023)

Using Container Management Sensitivity Labels to Force Specific Teams Privacy Mode

Yesterday, I wrote about how to control the creation of Microsoft 365 groups (and teams) using Microsoft Graph PowerShell SDK cmdlets to update the directory object setting used for the tenant groups policy. This led to a question from a reader who referred to a Microsoft Technical Community discussion about how to force those allowed to create new teams to only create private groups. A private team is one where the team owners control the membership. By contrast, anyone can join a public team.

I’m not quite sure why this is any better than allowing people to have a choice between private and public (Figure 1) in terms of preventing group sprawl, but it is an interesting example of using sensitivity labels for container management.

Figure 1: The privacy options for a new team

The technique outlined here only affects new groups created through Teams, Outlook, OWA, and SharePoint Online clients. It doesn’t affect existing groups nor will it stop an administrator creating a new public group through an administrative interface like PowerShell or the Graph APIs.

Implementing the Block on Public Teams

The steps to block new public teams start with creating or selecting a container management sensitivity label (one that exerts control over teams, groups, and SharePoint sites). I have a well-populated set of sensitivity labels in my tenant, so I chose to use one called Confidential Access.

It’s critical that the privacy settings for the label dictate that groups and teams assigned the label can only have private access (Figure 2).

Figure 2: The privacy settings for a sensitivity label limit users to private

Next, create a label policy to publish the selected label to selected users. For instance, you could decide to publish the policy to the same users who are allowed to create new groups or limit publication to a subset. Unfortunately, you can’t choose a security group for the target set, so you’ll need to include each user separately (Figure 3) or use a Microsoft 365 group or distribution list to establish the scope for the policy.

Figure 3: Targeting users to receive the label

Make sure that the label policy requires users to apply a default label to sites and groups. Because only one label is covered by the policy, this is the only one that can be assigned by default (Figure 4).

Figure 4: The label policy settings define a default label

Make sure that the label policy has the highest priority so that it takes precedence over any other label publishing policy. This is the usual state for the most recently created label policy, but it’s wise to check and adjust if necessary.

Wait for Effect

Publication is not immediate. Behind the scenes, Microsoft Purview processes the new label publishing policy and makes the label available to the target set of users. It could take up to 24 hours before the user account and relevant applications learn about the new policy and its settings.

When the label policy is in force, the dialog to create a new team prepopulates the sensitivity label with the default label specified in the policy. Because the label specifies that private access is the only permitted option, this action disables the choice of public access (Figure 5).

Figure 5: Forcing the use of the sensitivity label makes public access unavailable

Changing Other Teams to Private Access

As mentioned above, implementing a sensitivity label for container management in the manner explained here does nothing to existing teams. If you want to make all teams private, you must search for teams with public access and update them to private access. Here’s some code based on the Microsoft Graph PowerShell SDK to do the job.

# Connect with the scope needed to read and update groups
Connect-MgGraph -Scopes Group.ReadWrite.All
# Find every team-enabled group (-All pages past the first 100 results) and keep those with public visibility
[array]$Teams = Get-MgGroup -All -Filter "resourceProvisioningOptions/any(x:x eq 'Team')" |
   Where-Object {$_.Visibility -eq 'Public'} | Sort-Object DisplayName
If ($Teams) {
   Write-Host ("Processing {0} teams with public access..." -f $Teams.count)
}
ForEach ($Team in $Teams) {
   Write-Host ("Updating team {0} to private access..." -f $Team.DisplayName)
   Update-MgGroup -GroupId $Team.Id -Visibility 'Private'
}

I’m still unconvinced that forcing all teams to be private will address the problems of group sprawl, or unused and obsolete teams. But it’s an interesting approach. Maybe it’ll work for you.


Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.

Microsoft Removes Exchange Online User Photo Cmdlets
https://office365itpros.com/2023/10/09/user-photo-cmdlets/ (published Mon, 09 Oct 2023)

Use Graph SDK Cmdlets to Manage User and Group Photos

According to message center notification MC678855 (2 October), effective November 30, 2023, Microsoft will retire the Exchange Online management cmdlets to manipulate photos for mailboxes (Get-, Set-, and Remove-UserPhoto). This is part of the work to improve the way Microsoft 365 manages and displays user photos and moves the photo storage location away from Exchange Online to Entra ID. Microsoft says that this will create “a coherent user profile image experience by retiring legacy profile photo services.”

Basically, this effort resolves the inconsistencies that crept into user photo handling through Exchange and SharePoint doing their own thing, largely because of their on-premises roots. Delve attempted to fix the problem in 2015 but never really went anywhere. After that, Microsoft started to use Exchange Online to host photos and synchronize from there, but it’s a better idea to use Entra ID and have all workloads come to a common place for photo data.

Replacement User Photo Cmdlets

The replacement cmdlets for user photo management are in the Microsoft Graph PowerShell SDK:

  • Set-MgUserPhotoContent: Add a photo to an Entra ID account. You can add JPEG or PNG files of up to 4 MB. Entra ID can store photos with a large pixel count. I have commonly uploaded photos sized at 8256 x 5504 pixels. When applications fetch photos to use, they can specify what sized photo they wish Entra ID to provide ranging from a thumbnail (48 x 48 pixels) to a high-definition photo as used in Teams meetings.
  • Get-MgUserPhoto: Check if an account has photo data in the profilePhoto property.
  • Update-MgUserPhoto: According to the documentation, this cmdlet “updates the navigation photo in users.” That doesn’t make much sense, so I asked the SDK development group what the text really means. As it turns out, this cmdlet is a duplicate of Set-MgUserPhotoContent, so you can ignore it.
  • Remove-MgUserPhoto: Remove user photo information from an account.

For example:

Set-MgUserPhotoContent -Userid Jim.Smith@office365itpros.com -Infile "c:\temp\Jim.Smith.jpg"

Figure 1: A user photo updated in Entra ID

Updating Scripts

From an administrator perspective, the impact of the change is a need to review scripts that call the old cmdlets to replace them with the SDK cmdlets. The changes to the script are likely to involve:

  • Call the Connect-MgGraph cmdlet to connect to the SDK.
  • Find target user accounts instead of mailboxes.
  • Remove the references to Get-UserPhoto and Set-UserPhoto.
  • Use the Get-MgUserPhoto cmdlet to find if a target mailbox has a photo and the Set-MgUserPhotoContent cmdlet to update the photo if necessary (and a suitable file is available).

To provide a working example, I updated the script mentioned in this article. You can download the full script from GitHub. Remember that Graph permissions work differently from the permissions granted when an account holds the Exchange administrator or Global administrator roles for a tenant. Using the SDK in an interactive session to update photos will only work if the signed in account holds one of the two roles mentioned above and consent is granted for the SDK app to use the Directory.ReadWrite.All permission.
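As an added example (not the article’s GitHub script), here is how the four changes listed above come together in one Graph SDK script. It assumes a folder C:\Temp\UserPhotos holding replacement photos named after each user’s UPN (Jim.Smith@office365itpros.com.jpg), requests only the User.ReadWrite.All scope that the profile photo endpoint needs, and checks the 4 MB limit before uploading.

```powershell
# Added example: migrate a Get-UserPhoto/Set-UserPhoto script to the Graph SDK cmdlets.
# Assumptions: Microsoft.Graph.Users module installed; photos stored as <UPN>.jpg or <UPN>.png.
Connect-MgGraph -Scopes "User.ReadWrite.All" -NoWelcome

$PhotoFolder   = "C:\Temp\UserPhotos"   # assumed location of the photo files
$MaxPhotoBytes = 4MB                    # upload limit stated in the article
$Report = [System.Collections.Generic.List[object]]::new()

# Target user accounts (not mailboxes): enabled member accounts only
[array]$Users = Get-MgUser -All -Filter "userType eq 'Member' and accountEnabled eq true" `
    -Property Id, DisplayName, UserPrincipalName

ForEach ($User in $Users) {
    # Get-MgUserPhoto throws when the account has no photo, so treat an error as "no photo"
    $HasPhoto = $false
    Try {
        $Photo = Get-MgUserPhoto -UserId $User.Id -ErrorAction Stop
        If ($Photo.Height -gt 0) { $HasPhoto = $true }
    } Catch {
        $HasPhoto = $false
    }

    # Look for a JPEG or PNG file named after the user's UPN
    $File = Get-ChildItem -Path $PhotoFolder -File -ErrorAction SilentlyContinue |
        Where-Object { $_.BaseName -eq $User.UserPrincipalName -and $_.Extension -in '.jpg', '.jpeg', '.png' } |
        Select-Object -First 1

    $Status = 'No action'
    If ($HasPhoto) {
        $Status = 'Photo already present'
    } ElseIf (-not $File) {
        $Status = 'No photo file found'
    } ElseIf ($File.Length -gt $MaxPhotoBytes) {
        # Entra ID rejects files above 4 MB; report rather than attempt the upload
        $Status = "Skipped: file is {0:N1} MB, above the 4 MB limit" -f ($File.Length / 1MB)
    } Else {
        Try {
            Set-MgUserPhotoContent -UserId $User.Id -InFile $File.FullName -ErrorAction Stop
            $Status = 'Photo uploaded'
        } Catch {
            $Status = "Upload failed: $($_.Exception.Message)"
        }
    }

    $Report.Add([PSCustomObject]@{
        User   = $User.UserPrincipalName
        File   = $File.Name
        Status = $Status
    })
}

# Summary of what happened to each account
$Report | Sort-Object Status, User | Format-Table -AutoSize
```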

Group Photos

Because it’s a mailbox cmdlet and supports the GroupMailbox switch, the Set-UserPhoto cmdlet can set photos for Microsoft 365 groups. The Set-MgUserPhotoContent cmdlet only handles user accounts. To update the photos for Microsoft 365 groups, it’s necessary to use the Set-MgGroupPhotoContent cmdlet. Alternatively, for team-enabled groups, you can use the Set-TeamPicture cmdlet from the Microsoft Teams module.

I wrote an article describing how to update photos for Microsoft 365 groups. Updating the associated script wasn’t quite as simple because the Get-MgGroupPhoto cmdlet doesn’t return a thumbnail identifier. The foundation of the original script is that the thumbnail identifier could tell the script if the group already had a photo. This is now not possible, so the updated script (available from GitHub) is a rewritten and simplified version of the original.

Another Example of Change

This transition is yet another example of recent change in the Microsoft 365 PowerShell space. Exchange Online has just turned off Remote PowerShell and we’re on the final stretch of deprecation for the Microsoft Online Services module (the cmdlets that deal with license assignment have already stopped working). Keeping up to date with cmdlet changes can take some time but it’s an essential task.



Microsoft Limits Loop App to Microsoft 365 Product SKUs
https://office365itpros.com/2023/09/28/loop-app-microsoft-365/ (published Thu, 28 Sep 2023)

Current Test Users Unaffected

Microsoft released the preview version of the Loop app in March 2023. At the time, anyone with an Office 365 or Microsoft 365 license could sign up to use the app providing that their administrators allowed access in their tenant. Six months later, it appears that Microsoft is preparing to make the Loop app generally available. According to message center notification MC668811 (18 September), Microsoft plans to introduce a new service plan (Loop app with workspaces) to control access to the app.

The new service plan is being introduced to a limited number of product SKUs:

  • Microsoft 365 Business Standard (SME)
  • Microsoft 365 Business Premium (SME)
  • Microsoft 365 E3 (enterprise)
  • Microsoft 365 E5 (enterprise)

The change will roll out in late September 2023 and continue into early 2024.

No Office 365 SKUs

The interesting thing is that Microsoft is not licensing the Loop app for either the Office 365 E3 or E5 product SKUs. That’s a considerable set of enterprise accounts that technically will be unable to use the Loop app. However, Microsoft says that “Customers using the Loop app in preview … will continue to be able to create and view Loop workspaces for the immediate future.”

In other words, if your account has an Office 365 E3 or E5 license and you used the Loop app during its preview, you can keep on using your Loop workspaces (stored in Syntex repository services) until Microsoft decides to restrict access to accounts with access to the new service plan at some point in the future. Licensing through the new Loop with workspaces service plan covers the creation of new workspaces. Users with other Office 365 or Microsoft 365 licenses can continue to contribute to a Loop workspace, including pages in a workspace.

Microsoft says that they will “share more information about the pricing and availability of the Loop app in the coming months.” At that point, it might be possible for users with an Office 365 or Microsoft 365 plan that doesn’t include the Loop with workspaces service plan to buy access through an add-on.

Unless they restricted access to specific users via a cloud policy, there’s no way for tenant administrators to discover the level of Loop app activity within user accounts. Unlike normal SharePoint Online sites, tenant administrators don’t have access to statistics or other information about content stored in Syntex repository services.

If you’re worried about the potential exposure to additional license upgrade costs, you could proactively disable access to the Loop app through a setting in the Microsoft 365 admin center (Figure 1).

Figure 1: Microsoft 365 admin settings for the Loop app

Continued Access to App-Level Loop Components

It’s important to emphasize that the licensing requirement for the Loop app only affects the Loop app, its workspaces, pages, and components. Access to Loop components in Teams chat, Whiteboard, Word Online, or Outlook continues as before. Storage for these components is in the owner’s OneDrive for Business account. Disabling access to the Loop app in the Microsoft 365 admin center doesn’t affect app-level use of Loop components either.

Pushing to Microsoft 365

Unfortunately, restricting access to the Loop app to a small number of Microsoft 365 product SKUs is another example of Microsoft driving customers to upgrade to Microsoft 365 subscriptions. The same tactic is seen with Microsoft 365 Copilot, which is also restricted to the same set of Microsoft 365 product SKUs.

There’s no technical reason for the restriction. It’s simply a matter of Microsoft deciding to package their software in a way intended to convince customers that upgrading to a more expensive Microsoft 365 subscription is a good deal. It’s a great way for Microsoft to increase their cloud revenues.

In some cases, moving to Microsoft 365 is the right thing to do. In other circumstances, you might not get the anticipated return on your investment. It’s definitely a decision that requires careful consideration.



Microsoft Makes Microsoft 365 Copilot Generally Available
https://office365itpros.com/2023/09/22/microsoft-365-copilot-ga/ (published Fri, 22 Sep 2023)

Enterprise Customers Can Buy Microsoft 365 Copilot on November 1, 2023

Microsoft 365 Copilot and other AI SKUs

Originally unveiled last March and then put through a testing program involving 600 customers (who paid a substantial amount for the privilege), Microsoft announced (September 21) that Microsoft 365 Copilot will be generally available for enterprise customers on November 1, 2023. Although they didn’t expand what they mean by “enterprise customers,” I’m sure that Copilot will be available for tenants running the two “eligible” SKUs targeted at small businesses (Microsoft 365 Business Standard and Business Premium). This page covers Copilot for the SME segment.

Time to Prepare Budgets

After checking their IT budgets to see if they can find the funds necessary to upgrade to one of the eligible products and then pay the hefty $30/user per month charge for Copilot, interested customers can contact Microsoft sales to buy licenses.

The agenda for this week’s The Experts Conference (TEC) event included several sessions about using artificial intelligence with Microsoft 365. Interestingly, when polled, none of the conference attendees indicated that their companies were interested in deploying Copilot. Cost is a big issue, but so is the work necessary to prepare tenants for Copilot, including user training and support. For more information, see the Microsoft 365 Copilot overview page.

The lack of interest at TEC might be misleading. For instance, software is more interesting when it’s available and companies can learn about real-life scenarios from other customers to understand how to justify the spend. It’s also true that the Microsoft sales force hasn’t yet gone into high gear to sell Copilot. Now that a general availability date is known, that pressure can be expected to increase.

Copilot Lab the Most Interesting Part of Announcement

When I talk about Copilot, I refer to it as an inexperienced artificial assistant that needs a lot of coaching to achieve good results. Users provide coaching through the prompts they input to tell Copilot what to do. Good prompts that are concise and provide context are much more likely to generate what the user wants than fuzzy requests for help.

The average user is not an expert in prompt formulation. Even after 25 years of using Google search, many struggle to construct focused search terms. The same is true for people searching for information within a tenant using Microsoft Search. Some know how to use document metadata to find exactly what they want. Others rely on being able to find items using document titles.

Without good prompts, Microsoft 365 Copilot will fail utterly. The AI cannot read user minds to understand what someone really wants. It’s got to be told, and it’s got to be told with a level of precision that might surprise.

All of which means that the announcement of Copilot Lab is a really good idea. Essentially, Copilot Lab is a learning ground for people to discover how to construct effective prompts (Figure 1), including being able to share prompts that they create.

Figure 1: Copilot Lab (from Microsoft video)

The implementation seems very like the way that Power Apps allows users to create apps from a library of templates. Anyone facing into a new technology appreciates some help to get over the initial learning hurdle, and that’s what I expect Copilot Lab will do.

Microsoft Copilot Chat

The other new part of the Microsoft 365 Copilot ecosystem is a chat application that looks very much like Bing Enterprise Chat (Figure 2). The big differences are that Microsoft Copilot Chat has access to information stored in Microsoft 365 repositories like SharePoint Online that are available to the signed-in user. Microsoft 365 chat is available through https://www.microsoft365.com/copilot and in Teams chat.

Figure 2: Microsoft 365 Chat (from Microsoft video)

The Monarch Issue

Another issue raised at TEC was the insistence Microsoft has that the Outlook Monarch client is the only version that will support Copilot. While it’s true that Microsoft wants customers to move to the new Outlook, user resistance is palpable and could become a barrier to adoption. Although there’s value to be gained by Copilot summarizing notes from a Teams meeting or creating a Word document or PowerPoint presentation based on existing content, many people still organize their working life around Outlook. And that’s Outlook classic, not a web-based version that’s still missing functionality like offline access (coming soon, or so I hear).

If Microsoft really wanted to, I think they could create an OWA Powered Experience (OPX)-based plug-in for Outlook classic (like the Room Finder) to integrate Copilot. Where there’s a will, there’s a way. In this instance, the will seems to be missing. And that’s just a little sad.


So much change, all the time. It’s a challenge to stay abreast of all the updates Microsoft makes across Office 365. Subscribe to the Office 365 for IT Pros eBook to receive monthly insights into what happens, why it happens, and what new features and capabilities mean for your tenant.

Enable the MailItemsAccessed Event for Exchange Online Mailboxes
https://office365itpros.com/2023/09/11/mailitemsaccessed-event-important/ (published Mon, 11 Sep 2023)

Time to Review Mailbox Auditing Configurations

Updated 8 November 2023

Paul Robichaux’s recent article describing five errors Microsoft made which led to the Storm-0558 attack made me think about the MailItemsAccessed event. This was the first “premium” or high-value audit event launched by Microsoft in an attempt to monetize auditing through the introduction of what is now Microsoft Purview Audit (Premium) (aka Microsoft 365 advanced auditing). Purview Audit Premium is included in Office 365 E5 and Microsoft 365 E5 and other add-on licenses. Purview Audit Standard is available to Office 365 E3 and Microsoft 365 E3 customers.

Update: Microsoft says that Office 365 E3 customers won’t see the MailItemsAccessed event until the summer of 2024.

In his article, Paul points out that tenant administrators for a federal executive civilian branch agency noted unusual activity captured in MailItemsAccessed events. Exchange Online captures these events (Figure 1) when messages in mailboxes belonging to licensed accounts are accessed. Being able to know that someone (or some process) other than the owner accessed messages in a mailbox is a good indication that something’s wrong.

Figure 1: Details of a MailItemsAccessed audit event

To emphasize the point about how important MailItemsAccessed events can be, Microsoft’s documentation explains how to use the events in a forensic investigation. This is what might have happened to detect some of the Storm-0558 infiltration. According to a Cybersecurity and Infrastructure Security Agency (CISA) report analyzing Storm-0558, “The affected FCEB agency identified suspicious activity by leveraging enhanced logging—specifically of MailItemsAccessed events—and an established baseline of normal Outlook activity (e.g., expected AppID). The MailItemsAccessed event enables detection of otherwise difficult to detect adversarial activity.”

The Cost of Security

As Paul notes, some organizations don’t use MailItemsAccessed because they didn’t want to pay for enhanced auditing. Although avoiding cost is a reasonable perspective, it does raise the issue of why Microsoft insists that customers pay extra to log events that are so important for investigation of potential incidents. Some feel it’s an example of extracting additional revenue from a captive market. After all, the 400 million Office 365 monthly active users don’t exactly have a choice of auditing provider.

On July 19, Microsoft decided that it was best to reverse course and announced that they would make enhanced logging available to Office 365 E3/Microsoft 365 E3 tenants, saying “customers will receive deeper visibility into security data, including detailed logs of email access and more than 30 other types of log data previously only available at the Microsoft Purview Audit (Premium) subscription level. In addition to new logging events becoming available, Microsoft is also increasing the default retention period for Audit Standard customers from 90 days to 180 days.”

Audit Updates Coming in September 2023

According to Microsoft, they will deploy the necessary updates to expose the additional audit events and to increase audit event retention to 180 days to all commercial and government customers during September 2023. The update hasn’t reached my tenant yet because any attempt to enable the MailItemsAccessed event for a mailbox with an Office 365 E3 license fails as follows:

Set-Mailbox -Identity Lotte.Vetler -AuditOwner @{Add="MailItemsAccessed"}

Set-Mailbox: |Microsoft.Exchange.Management.Tasks.RecipientTaskException|Auditing of MailItemsAccessed event is only available for users with appropriate license. Please visit the documentation to know more about this.

Microsoft hasn’t said whether, when the update lands, they will retrospectively enable the MailItemsAccessed event for mailboxes with Office 365 E3 or Microsoft 365 E3 licenses. It’s entirely possible that Microsoft will not update mailbox audit configurations to add the MailItemsAccessed event for existing mailboxes. We also don’t know if Microsoft will enable new mailboxes for the event in the same way that they enable the event automatically for mailboxes licensed for Purview Audit Premium. An arguable case exists that managing mailbox audit configurations is an operation best left to tenants, especially if tenants use non-standard mailbox auditing configurations.

My advice is to take control of the situation and:

  • Check that mailbox auditing is enabled for all mailboxes. This note in Microsoft documentation implies that mailboxes with Purview Audit Standard still need to enable auditing to force flow of mailbox audit events from Exchange Online to the unified audit log. This was certainly the case, but a quick test with a new mailbox created today saw mailbox events appear in the unified audit log. In any case, it’s best to be sure.
  • Include the MailItemsAccessed event in the audit configuration for all mailboxes. Some years ago, I wrote a script to make sure that auditing was enabled for all mailboxes. It is easy to adapt the script to update mailbox audit configuration with the MailItemsAccessed event.
  • Consider a more automated approach to maintain mailbox audit configurations. Using a scheduled PowerShell runbook managed by Azure Automation is a mechanism well suited to this kind of task. If the runbook operated on a weekly basis, the user accounts created during the last week can be found with code like this:

$LastWeek = (Get-Date).AddDays(-7)
# Graph expects an ISO 8601 timestamp in UTC; HH is the 24-hour clock (hh would give a 12-hour value)
$T = Get-Date $LastWeek.ToUniversalTime() -format "yyyy-MM-ddTHH:mm:ssZ"
# -All fetches every page of results rather than only the first
[array]$Users = Get-MgUser -Filter "createdDateTime ge $T" -Property Id, UserPrincipalName, CreatedDateTime, DisplayName -All
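As an added example (not code from the original article), the following PowerShell combines the three steps above into one check suitable for a scheduled runbook: it reports mailboxes whose audit configuration lacks MailItemsAccessed, adds the event, and records the license error quoted earlier instead of aborting. It assumes connected Exchange Online (Connect-ExchangeOnline) and Microsoft Graph (Connect-MgGraph with User.Read.All) sessions.

```powershell
# Added example: enforce MailItemsAccessed in mailbox audit configurations.
function Get-AuditGap {
    # Returns the audit settings of a mailbox that do not yet include MailItemsAccessed
    param([Parameter(Mandatory)]$Mailbox)
    $Gaps = @()
    if (-not $Mailbox.AuditEnabled) { $Gaps += 'AuditEnabled' }
    # The event can be logged for owner, delegate and admin access; check all three scopes
    foreach ($Scope in 'AuditOwner', 'AuditDelegate', 'AuditAdmin') {
        if ($Mailbox.$Scope -notcontains 'MailItemsAccessed') { $Gaps += $Scope }
    }
    return $Gaps
}

function Set-MailItemsAccessedAudit {
    # Adds MailItemsAccessed to every audit scope of one mailbox; returns the outcome as text
    param([Parameter(Mandatory)][string]$Identity)
    try {
        Set-Mailbox -Identity $Identity -AuditEnabled $true `
            -AuditOwner @{Add = 'MailItemsAccessed'} `
            -AuditDelegate @{Add = 'MailItemsAccessed'} `
            -AuditAdmin @{Add = 'MailItemsAccessed'} -ErrorAction Stop
        return 'Updated'
    }
    catch {
        # Mailboxes whose license does not yet allow the event fail with the
        # RecipientTaskException shown in the article; record it and carry on
        return "Failed: $($_.Exception.Message)"
    }
}

function Invoke-MailItemsAccessedCheck {
    # Full run: every user mailbox. Weekly runbook: only accounts created in the last $Days days.
    param([switch]$NewAccountsOnly, [int]$Days = 7)
    $AuditProps = 'AuditEnabled', 'AuditOwner', 'AuditDelegate', 'AuditAdmin'
    if ($NewAccountsOnly) {
        $T = (Get-Date).AddDays(-$Days).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
        $Users = Get-MgUser -Filter "createdDateTime ge $T" -Property Id, UserPrincipalName -All
        $Mailboxes = foreach ($U in $Users) {
            # New accounts without a mailbox are skipped silently
            Get-ExoMailbox -Identity $U.UserPrincipalName -Properties $AuditProps -ErrorAction SilentlyContinue
        }
    }
    else {
        $Mailboxes = Get-ExoMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox -Properties $AuditProps
    }
    foreach ($Mbx in $Mailboxes) {
        $Gaps = @(Get-AuditGap -Mailbox $Mbx)
        if ($Gaps.Count -eq 0) { continue }
        [PSCustomObject]@{
            Mailbox = $Mbx.UserPrincipalName
            Missing = $Gaps -join ', '
            Result  = Set-MailItemsAccessedAudit -Identity $Mbx.UserPrincipalName
        }
    }
}

# Weekly runbook call; drop -NewAccountsOnly for a one-off sweep of all mailboxes
Invoke-MailItemsAccessedCheck -NewAccountsOnly | Format-Table -AutoSize
```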

The MailItemsAccessed Event Really is High-Value

No one likes being caught on the back foot when things go wrong. But if problems occur, it’s good to have as much data as possible. The MailItemsAccessed event increases the amount of information available about what attackers might have done inside Exchange Online mailboxes. That’s one good reason to make sure to capture the events and know how to use them during forensic investigations.

Create a task for yourself to check mailbox audit configurations at the end of September 2023 and make sure that the MailItemsAccessed event is captured. You know it makes sense.


Learn about using Exchange Online and the rest of Office 365 by subscribing to the Office 365 for IT Pros eBook. Use our experience to understand what’s important and how best to protect your tenant.

Microsoft Adds Code Blocks to Loop App
https://office365itpros.com/2023/09/05/loop-app-code/
Tue, 05 Sep 2023 01:00:00 +0000

Collaboration to Develop Code in Loop

On May 23, 2023, Microsoft hinted in a tweet that they would soon bring code blocks to Loop. The idea is that users can insert code blocks in Loop workspaces and pages to collaborate with other people to develop ideas, fix bugs, and otherwise explore code. Last week, code blocks finally showed up in the Loop app (still in preview). The new type doesn’t appear in the set of Loop components currently available in Teams chat and Outlook. This is probably a timing issue and upcoming builds are likely to include the code component soon.

Writing PowerShell in the Loop App

The Office 365 for IT Pros eBook contains over 1,200 PowerShell examples, so I decided to use the Loop app to write some PowerShell. In a page, I typed “/” to see the set of blocks available and chose “Code” from the list. I then started to write PowerShell code (Figure 1).

Figure 1: Writing PowerShell code in the Loop app

The editor used for the code block is very simple. It’s like the editor invoked by Teams when people insert code snippets in chat or channel messages. Don’t expect to find code syntax checking of the type available in Visual Studio Code because none exists. Cmdlet parameters and variable names don’t autocomplete either.

But having a simple way to input rough code might be OK. The purpose of the code block is to share code with others to develop a collaborative solution to a problem. Once those involved have collaborated to find an answer, the resulting code can be copied into a development environment to check for syntax errors before testing.

Sharing Code Through Teams and Outlook

Astute observers will note that the code shown in Figure 1 is in a Loop component. That’s because I wanted to share the code with others through Outlook and Teams. Because the Loop integration with these apps only supports Loop components, it’s necessary to create a Loop component from the code block. This action results in the creation of a shareable file in Syntex Repository Services. You can then copy the component (or rather, generate a link to the component) and paste it into Teams chat (Figure 2) or an Outlook message.

Figure 2: Editing code in a Loop component in Teams chat

It’s possible that by the time you read this text, you’ll be able to create a Loop code component in Teams and Outlook and do the reverse by including that component in a page in the Loop app.

Will People Use Code Blocks in Loop

Although it’s nice to be able to create code in the Loop app, a big question remains whether anyone will use Loop as the basis for collaboration on code-based projects. If the code block were more intelligent and incorporated syntax checking, I would be more positive. For now, the code block is a good way to jot down rough ideas in pseudocode, with the big caveat that whatever’s produced must be copied to a development environment for validation and testing.

The fact that Loop remains an internal-facing application with no ability to share outside a tenant is also problematic. Many of the folks I ask questions of when I run into a coding issue work outside of my tenant. I can’t drop some code into Loop and ask those people to collaborate with me in a code block or code component because they can’t access the code. I guess I’ll continue to paste code into Teams federated chat or email when I need an external answer to a problem.


So much change, all the time. It’s a challenge to stay abreast of all the updates Microsoft makes across Office 365. Subscribe to the Office 365 for IT Pros eBook to receive monthly insights into what happens, why it happens, and what new features and capabilities mean for your tenant.

Microsoft Strikes Deal with European Commission to Unbundle Teams
https://office365itpros.com/2023/09/04/microsoft-365-eea-license/
Mon, 04 Sep 2023 01:00:00 +0000

New Microsoft 365 EEA Licenses Available on October 1

Microsoft 365 EEA Licenses

Microsoft’s 31 August announcement of a new licensing structure for Office 365 and Microsoft 365 enterprise licenses in the European Economic Area (EEA) and Switzerland makes common sense. It recognizes that there is nothing to be gained from clashing with the European Union over the anti-competition complaint made by Slack in July 2020 because Microsoft includes Teams in many of its Office 365 and Microsoft 365 SKUs.

The new Microsoft 365 EEA License arrangement comes into force from October 1, 2023. In a nutshell, customers who have current SKUs that include Teams don’t have to do anything and can continue to use and renew these licenses (including Teams) as before.

After October 1, new customers in the EEA can only buy Office 365 and Microsoft 365 licenses which exclude Teams. The new licenses are only available to “net new” customers in the EEA, and the new licenses are priced slightly cheaper than current offerings. For example, Office 365 E3 with Teams currently costs EUR25.10. The new Office 365 E3 EEA license is priced at EUR23.10. If a customer who buys the EEA license decides that they want Teams, they must buy a separate Microsoft Teams EEA license for EUR5/user/month.

Those who excel at math can quickly see that the new Microsoft 365 EEA license combination costs EUR3 more for customers that want Teams. Such is the cost of facilitating competition and choice. See this list for full details of the new license pricing.

A Good Deal

Despite the additional cost imposed on EEA customers, this is a good deal. No one (except lawyers) would win if Microsoft had a long drawn-out dispute with the European Commission. Driving to a deal now removes the need for interminable discussions about the integration of Teams in Microsoft 365.

Slack certainly wouldn’t gain any benefit. Their original protest happened in a completely different context, when Slack might have felt that they were an alternative to Teams. The simple fact is that Slack wasn’t a real alternative in July 2020 and is even less of one today. Teams is so embedded into the Microsoft 365 and Azure ecosystems that Slack was never really an alternative for any customer who valued the interaction between Teams and the other Microsoft 365 workloads like Exchange Online, SharePoint Online, OneDrive for Business, Planner, and so on.

Microsoft says that “We believe that business customers in Europe and around the world expect a modern work solution to include modern communication and collaboration capabilities.” This might not have been true when we first saw Teams in 2016, but it’s absolutely true today. The fact that Teams has more than 300 million daily active users is evidence of how customers use the kind of communication capabilities available in Teams. It’s also an example of how the old adage that “possession is nine-tenths of the law” holds true. Microsoft has a huge installed base for Teams that’s been acquired through the Microsoft 365 ecosystem. Cutting Teams away at this point probably won’t impact Microsoft greatly.

Better Access to Teams APIs

Slack has attempted to integrate with Teams over the years and might feel that Microsoft doesn’t expose enough APIs to allow their code to integrate deeply with Teams. The Graph APIs have improved over the years but it’s true that they can be opaque at times. On the upside, the Teams app store included 2,154 apps on September 2, 2023, so Microsoft is doing something right in terms of attracting app developers to the platform.

To address issues around API access, Microsoft says that they “will create new support resources to better organize and point application developers to the existing and publicly available application programming interfaces (APIs) and extensibility in Microsoft 365 and Office 365 apps and services that connect with Teams.” Now, this might end up as no more than better documentation and API examples (always welcome), but I doubt that will be sufficient to assuage the anti-competition doubts of the European Commission. It will be interesting to see what Microsoft does here to make Teams a more open platform for third parties.

Microsoft also made a commitment to make the Office web apps more accessible to third party apps, saying “we will develop a new method for hosting the Office web applications within competing apps and services much like Microsoft accomplishes in Teams.” In other words, a third party app should be able to call Office viewers or the Office web apps to process documents accessible to Teams (in SharePoint Online or OneDrive for Business) without leaving the app.

The European Commission has not signalled yet whether they consider Microsoft’s initiative to be sufficient to dismiss the complaint. The nature of these things is that a certain amount of behind-the-scenes negotiation happened to prepare the way, so it’s likely that this move is enough, even if it still needs final sanction.

Microsoft 365 EEA Licenses Clear the Deck for Copilot

In some respects, Copilot for Microsoft 365 is a much bigger threat to the likes of Slack than including Teams in Office 365 and Microsoft 365. Copilot explicitly requires user data to be in Microsoft 365 (natively or through Graph connectors) before it can be used to respond to user prompts. Whether the European Commission considers using artificial intelligence to process user data to be an anti-competitive tactic remains to be seen. But for now, Microsoft has done enough to clear the deck to prepare for the introduction of Copilot for Microsoft 365 without worrying too much about complaints filed three years ago.


Make sure that you’re not surprised about changes that appear inside Microsoft 365 applications by subscribing to the Office 365 for IT Pros eBook. Our monthly updates ensure that our subscribers stay informed.

Microsoft Removes Reuse Files Feature from Word
https://office365itpros.com/2023/08/31/reuse-files-word/
Thu, 31 Aug 2023 01:00:00 +0000

Perhaps an Indication that Copilot Does a Better Job?

When I read message center notification MC668802 (18 Aug 2023), the thought went through my mind that Microsoft’s intention to retire the Reuse Files in Word feature might be a reflection of their focus on Copilot for Microsoft 365.

Starting in August 2023, users won’t see the Reuse Files option in the Word ribbon. However, you can still search for and use the feature. When you launch Reuse Files, Word uses Graph API calls to find documents that it thinks you might want to copy content from or include a link to in your current file (Figure 1).

Figure 1: Reuse Files feature in Word

The feature was introduced in late 2020, and I thought that the idea of building new documents by reusing work previously done was a good one. However, Microsoft says that by January 2024, they will remove all traces of the Reuse Files feature from Word. Microsoft didn’t say anything about the availability of Reuse Files in Outlook (for Windows). Nor did they say if the Reuse Slides feature in PowerPoint will disappear sometime in the future.

Improving Your Subscription by Removing Reuse Files

In MC668802, Microsoft says that they are “committed to improving your Microsoft 365 subscription” and “we occasionally remove features and benefits that duplicate equivalent offerings.”

The comment about duplicating equivalent offerings is what brings me to Copilot. It can be argued that the reuse files feature could be replicated by simply opening a Word document and copying text from it into your file. The difference is intelligence. The Reuse Files feature uses Graph API requests to find files that the app thinks might be of use. Unfortunately, the initial set of files that it lists are usually just the last set of files that you’ve worked on, and the files found when you enter a search term don’t always seem to match the request.

At $30/user/month (plus an eligible Microsoft 365 subscription), Microsoft 365 Copilot is expensive. The required investment makes it imperative that organizations select those allowed to use Copilot with care, even if you believe the hype that users only need to get a couple of dollars value from using Copilot to offset its cost. But what we know of Copilot to date is that it applies a lot of artificial intelligence technology to find information to respond to user prompts (queries). In addition, tenants that use Copilot have a semantic index to help find appropriate information. That’s something which doesn’t exist in normal tenants.

Perhaps Microsoft is removing “AI Lite” features like Reuse Files from the playing field to give Copilot a clear run. Put another way, not having features like Reuse Files in the Microsoft 365 apps emphasizes the usefulness and capabilities of Copilot for Microsoft 365.

Maybe an Innocuous Decision

It’s entirely possible that I am reading too much into an innocuous decision by Microsoft to remove a feature that isn’t used very much. Microsoft might have decided that the engineering effort required to maintain and support the Reuse Files feature isn’t worth it because of low usage (or because the feature really isn’t very good). After all, if users don’t know about a feature, they won’t use it (OWA search refiners might be another example).

Only Microsoft knows, and they cloud the decision in words that make it seem that the removal of the Reuse Files feature is for our own good. Maybe it is. Who knows?

Clearing the Deck

Microsoft removes relatively few features from Microsoft 365. Clutter is one example, replaced by Outlook’s Focused Inbox. It’s nice to think that Microsoft removes items to improve our subscriptions. I suspect that the truth is that feature removals clear the deck and make it easier for Microsoft rather than users.


Support the work of the Office 365 for IT Pros team by subscribing to the Office 365 for IT Pros eBook. Your support pays for the time we need to track, analyze, and document the changing world of Microsoft 365 and Office 365.

Teams Admin Center Withdraws Dark Mode Support
https://office365itpros.com/2023/08/28/teams-admin-center-dark-mode/
Mon, 28 Aug 2023 01:00:00 +0000

Surprise Announcement Highlights Inconsistencies Across Microsoft 365 Consoles

Microsoft’s 17 August announcement that they are not proceeding with support for dark mode in the Teams admin center (TAC) came as a surprise. Originally announced in message center notification MC567496 (2 Jun 2023), I covered the news briefly on June 6 and pointed out that dark mode for TAC had some problems with custom tenant colors. This didn’t seem like a big issue at the time. It’s the kind of fit-and-finish bug that tends to be taken care of before final release.

I don’t know why Microsoft decided not to deliver dark mode for TAC. Microsoft’s announcement simply says “We have made the decision not to proceed with this feature at this time,” which could mean anything. What’s for sure is that the toggle to enable dark mode has disappeared and won’t come back until Microsoft decides what to do next.

The news about TAC got me thinking about why Microsoft doesn’t have a common platform for Microsoft 365 administrative consoles. Despite efforts to make the consoles look and feel similar, the interfaces have their own foibles.

Authorization and Tokens

Take authorization as an example. The admin consoles use modern authentication, so the consoles need to acquire OAuth 2.0 access tokens and renew the tokens when they expire. Making token renewal a seamless experience for administrators seems to be a very complex technical challenge for the console developers.

The Microsoft 365 admin center manages things best. Behind the scenes, the console takes care of token renewal without a hitch. I seldom experience issues with this console, even after keeping the admin center open for extended periods. The SharePoint Online admin center is also pretty good. Other consoles struggle to deliver an elegant solution to token refresh.

For example, the new-and-improved Exchange admin center flashes errors up when it discovers the need to renew an expired token. Flash is the operative word because an error message appears and disappears in the blink of an eye. However, it’s there and I know it’s there and I worry that something more problematic than a brief pause in token renewal is the root cause. It seems like an issue that is highly solvable.

The Microsoft Purview compliance portal takes a more pedantic stance and insists that administrators should sign in regularly (Figure 1). At least you know where you are and what to do to proceed, and an arguable case exists that the compliance portal gives access to solutions that protect confidential information. But the inconsistency in behavior is obvious and jarring.

Figure 1: The Purview compliance portal requires a new sign in

Teams Admin Center

And then we come to the Teams admin center. This console is fond of launching and appearing to work as normal before suddenly deciding that it should sign out the connected user (Figure 2). This action forces the user to reauthenticate before they can connect to TAC. And it can force the user to sign in again to other Microsoft 365 apps.

Figure 2: A sign out invoked by the Teams admin center

I’ve complained to Microsoft about TAC’s odd connection procedure several times. Each time I’m told things will improve. And to be fair to Microsoft, the issue occurs much less frequently now than it did in the past. Perhaps recent changes to the TAC contained some new code to address the problem. But I don’t trust TAC because I’ve experienced the sign-out issue within the last few weeks. I’m now keeping a watching brief on TAC to see if the issue reappears and if so, whether I can identify specific circumstances that might provoke the sign-out.

Dark Mode Support Across Admin Consoles

With the decision made not to support dark mode for TAC, the situation is that two of the five main Microsoft 365 admin consoles support dark mode while three do not:

  • Support dark mode: Microsoft 365 admin center (Figure 3), Exchange Online admin center.
  • Do not support dark mode: Teams admin center, Microsoft Purview compliance portal, SharePoint Online admin center.

Figure 3: Option to set dark mode in the Microsoft 365 admin center

The inconsistent implementation of dark mode is only an indication of the lack of consistency which still exists across the Microsoft 365 admin consoles. It demonstrates that Microsoft still has work to do to make Microsoft 365 administration a unified space. And when they’re doing that, making access token renewal work the same way across all consoles would be a great thing to do.


So much change, all the time. It’s a challenge to stay abreast of all the updates Microsoft makes across Office 365. Subscribe to the Office 365 for IT Pros eBook to receive monthly insights into what happens, why it happens, and what new features and capabilities mean for your tenant.

Microsoft Prepares Partners for Microsoft 365 Copilot
https://office365itpros.com/2023/08/25/microsoft-365-copilot-partners/
Fri, 25 Aug 2023 01:00:00 +0000

Get Software, Prompts, and Content Right to Make Microsoft 365 Copilot Work

Ever since Microsoft announced Copilot for Microsoft 365 last March, I’ve spent time learning about concepts like generative AI to better understand the technology. I’ve also tracked Microsoft’s announcements to interpret their messaging about Copilot and analyzed the costs organizations face to adopt Copilot. Given the hefty licensing costs, I’ve reflected on how organizations might go about deciding who should get Copilot. You could say that I’ve thought about the topic.

Which brings me to a Microsoft partner session delivered yesterday about preparing for Microsoft 365 Copilot. I wrote on this theme last June, so wanted to hear the public messages Microsoft gives to its partners to use in customer engagements.

Get the Right Software

Mostly, I didn’t learn anything new, but I did hear three messages receive considerable emphasis. The first is that customers need the right software to run Microsoft 365 Copilot. Tenants need:

  • Microsoft 365 apps for enterprise.
  • Outlook Monarch.
  • Microsoft Loop.
  • Microsoft 365 Business Standard, Business Premium, E3, or E5.

Apart from mentioning the semantic index, nothing was said about the focus on Microsoft 365 SKUs. The semantic index preprocesses information in a tenant to make it more consumable by Copilot. For instance, the semantic index creates a custom dictionary of terms used in the organization and document excerpts to help answer queries. The idea is that the semantic index helps to refine (“ground”) user queries (“prompts”) before they are processed by the LLM.

Nice as the semantic index is, there’s nothing in the selected Microsoft 365 SKUs that makes them more amenable to the semantic index. Microsoft has simply selected those SKUs as the ones to support Copilot. It’s a way to drive customers to upgrade from Office 365 to Microsoft 365, just like Microsoft insists that customers use Outlook Monarch instead of the traditional Outlook desktop client.

Mastering Prompts

Quite a lot of time was spent discussing the interaction between users and Copilot. Like searching with Google or Bing, the prompts given to Copilot should be as specific as possible (Figure 1).

Figure 1: Constructing a Copilot prompt in Word (source: Microsoft)

It’s rather like assigning a task to a human assistant. Prompts are written in natural language and should:

  • Be precise and detailed.
  • Include context (for instance, documents that Copilot should include in its processing).
  • Define what output is expected (and what format – like a presentation or document).

The aim is to avoid the need for Copilot to interpret (guess) what the user wants. A human assistant might know what their boss wants based on previous experience and insight gained over time, but Copilot needs those precise instructions to know what to do.

Constructing good prompts is a skill that users will need to build. Given that many people today struggle with Google searches twenty years after Google became synonymous with looking for something, it’s not hard to understand how people might find it difficult to coax Copilot to do their bidding, even if Copilot is patient and willing to accept and process iterative instructions until it gets things right.

Microsoft 365 Copilot is different to other variants like those for Security and GitHub that are targeted at specific professionals. A programmer, for instance, has a good idea of the kind of assistance they want to write code and the acid test of what GitHub Copilot generates is whether the code works (or even compiles). It’s harder to apply such a black and white test for documents.

The Quality of Content

Microsoft talks about Copilot consuming “rich data sets.” This is code for the information that users store in Microsoft 365 workloads like Exchange Online, Teams, SharePoint Online, OneDrive for Business, and Loop. Essentially, if you don’t have information that Microsoft Search can find, Copilot won’t be able to use it. Documents stored on local or shared network drives are inaccessible, for instance.

All of this makes sense. Between the semantic index and Graph queries to retrieve information from workloads, Copilot has a sporting chance of being able to answer user prompts. Of course, if the information stored in SharePoint Online and other workloads is inaccurate or misleading, the results will be the same. But if the information is accurate and precise, you can expect good results.

This leads me to think about the quality of information stored in Microsoft 365 workloads. I store everything in Microsoft 365 and wonder how many flaws Copilot will reveal. I look at how coworkers store information and wonder even more. Remember, Copilot can use any information it can find through Microsoft Search (including external data enabled through Graph connectors), which underlines the need to provide good guidance in the prompts given to Copilot. Letting Copilot do its own thing based on anything it can find might not be a great strategy to follow.

Lots Still to Learn

Microsoft 365 Copilot is still in private preview (at a stunning $100K fee charged to participating customers). Until the software gets much closer to general availability, I suspect that we’ll have more questions than answers when it comes to figuring out how to deploy, use, manage, and control Copilot in the wild. We still have lots to learn.

If you’re in Atlanta for The Experts Conference (September 19-20), be sure to attend my session on Making Generative AI Work for Microsoft 365 when I’ll debate the issues mentioned here along with others. TEC includes lots of other great sessions, including a Mary-Jo Foley keynote about “Microsoft’s Priorities vs. Customer Priorities: Will the Two Ever Meet?” TEC is always a great conference. Come along and be amused (or is that educated?)


So much change, all the time. It’s a challenge to stay abreast of all the updates Microsoft makes across Office 365. Subscribe to the Office 365 for IT Pros eBook to receive monthly insights into what happens, why it happens, and what new features and capabilities mean for your tenant.

Microsoft Replaces User Data Search with Standard eDiscovery
https://office365itpros.com/2023/08/14/user-data-search-replaced/
Mon, 14 Aug 2023 01:00:00 +0000

A New Method to Handle GDPR DSRs

This one is for the compliance purists, or at least, those concerned with dealing with GDPR data subject requests (DSRs). Message center notification MC664475 (3 Aug 2023) announces that Microsoft is retiring the User data search tool (previously called the Data subject requests tool) with effect from August 30, 2023. Active cases will move to eDiscovery (standard) and can be processed to completion there.

DSRs came about when GDPR gave individuals (the data subjects) the right to recover any information an organization held about them. A DSR is a formal request for that information which the receiving organization must respond to within a month. Microsoft’s user data search solution is a wizard that creates a special form of a standard eDiscovery case with a search designed to find the relevant information.

Microsoft says that there’s been an increase in DSRs and notes that the User data search tool is not as functional as eDiscovery (standard). The tool doesn’t take advantage of changes and improvements added to eDiscovery (standard) recently, so it makes sense to replace the tool and concentrate on a single set of features.

Search Query to Find All User Data

To help with the transition, Microsoft published a sample Keyword Query Language (KQL) query to find emails and documents authored by the subject of a user data search. The query is:

participants:"<user name>" OR author:"<user name>" OR createdby:"<user name>"(c:c)(ItemClass=IPM.Document)(ItemClass=IPM.Note)(ItemClass=IPM.Note.Microsoft.Conversation)(ItemClass=IPM.Note.Microsoft.Missed)(ItemClass=IPM.Note.Microsoft.Conversation.Voice)(ItemClass=IPM.Note.Microsoft.Missed.Voice)(ItemClass=IPM.SkypeTeams.Message)

The query can be used with a content search or eDiscovery case search. The important thing is to make sure that the search covers all Exchange Online and SharePoint Online locations.

I tested the search query with a content search. I made three changes. First, I entered the user principal name of the user to search for. Second, I removed the “(c:c)” entry from the search as this term is usually only inserted by the query editor when it checks the syntax and completeness of queries. Finally, I removed the trailing double quotation mark as it wasn’t needed. Figure 1 shows the query as input into the KQL editor. The syntax check advises that the query is quite dense and difficult to read, but that doesn’t affect the effectiveness of the query.

Figure 1: Entering the KQL query for a user data search

Figure 2 shows the search statistics. Remember that content searches always perform an initial estimate based on search indexes, which is what we see here. The final output for a search is generated when exporting search results. However, the estimate creates a good picture of where content related to the user is present. In this instance, it’s mostly in Exchange Online mailboxes, which implies that the user didn’t create many documents stored in SharePoint Online or OneDrive for Business.

Figure 2: Reviewing statistics for a user data search
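The same search, scripted. This is an added example and not code from the article or from Microsoft: it builds the query in the form the article tested (the (c:c) marker and the stray trailing quote left out), creates a content search over all Exchange Online and SharePoint Online locations with the Security & Compliance PowerShell cmdlets, and returns the index-based estimate that the statistics view in Figure 2 shows. It assumes the ExchangeOnlineManagement module and a prior Connect-IPPSSession by an account holding an eDiscovery Manager role; the data subject address in the usage lines is a placeholder.

```powershell
# Added example (not from the article or from Microsoft): run the published DSR query as a
# content search across all Exchange Online and SharePoint Online locations, then read the
# estimate statistics. Assumes the ExchangeOnlineManagement module and a prior
# Connect-IPPSSession by an account holding an eDiscovery Manager role.
function New-DsrContentSearch {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,   # the data subject
        [string]$SearchName                                  # optional; generated if omitted
    )
    if (-not $SearchName) {
        $SearchName = 'DSR-{0}-{1}' -f $UserPrincipalName.Split('@')[0], (Get-Date -Format 'yyyyMMdd')
    }
    # Item classes exactly as listed in Microsoft's sample query
    $ItemClasses = @(
        'IPM.Document', 'IPM.Note', 'IPM.Note.Microsoft.Conversation', 'IPM.Note.Microsoft.Missed',
        'IPM.Note.Microsoft.Conversation.Voice', 'IPM.Note.Microsoft.Missed.Voice', 'IPM.SkypeTeams.Message'
    )
    # Same shape as the article's tested query: the (c:c) marker and the trailing quote are left out
    $Query = ('participants:"{0}" OR author:"{0}" OR createdby:"{0}"' -f $UserPrincipalName) +
             (($ItemClasses | ForEach-Object { "(ItemClass=$_)" }) -join '')
    # All mailboxes and all sites, so nothing held in the cloud tenant is missed
    $Search = New-ComplianceSearch -Name $SearchName -Description "GDPR DSR for $UserPrincipalName" `
        -ExchangeLocation All -SharePointLocation All -ContentMatchQuery $Query
    Start-ComplianceSearch -Identity $Search.Name
    return $Search.Name
}

function Get-DsrSearchEstimate {
    param([Parameter(Mandatory)][string]$SearchName, [int]$PollSeconds = 15)
    # The search runs asynchronously; wait for the index-based estimate to finish
    do {
        Start-Sleep -Seconds $PollSeconds
        $Search = Get-ComplianceSearch -Identity $SearchName
    } while ($Search.Status -in 'NotStarted', 'Starting', 'InProgress')
    if ($Search.Status -ne 'Completed') { throw "Search $SearchName ended with status $($Search.Status)" }
    # SuccessResults holds the per-location breakdown shown in the statistics view
    [PSCustomObject]@{
        Name      = $Search.Name
        Items     = $Search.Items
        SizeMB    = [math]::Round($Search.Size / 1MB, 2)
        Locations = $Search.SuccessResults
    }
}

# Usage (placeholder data subject address):
# $Name = New-DsrContentSearch -UserPrincipalName 'data.subject@contoso.example'
# Get-DsrSearchEstimate -SearchName $Name
```

Remember that the estimate comes from the search indexes; the authoritative item set is only produced when the results are exported, and hybrid tenants still need a separate pass over on-premises servers.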

Searching is Only the Start

Running a search to find information is only the start of satisfying a DSR. Among points that should be considered are:

  • Content searches and eDiscovery standard can only find information in cloud locations. In hybrid environments, you might need to run searches against on-premises servers.
  • Because of the way that Exchange Online delivers separate messages to recipient mailboxes, there’s likely to be many duplicates in the search results.
  • When you export search results, Exchange Online decrypts protected messages. Only eDiscovery premium decrypts protected documents when exporting those files, so some other arrangements might be needed to remove sensitivity labels from protected documents before their content is checked and the files can be passed to the user.
  • Searches do not address the need to remove information about a data subject (the right to be forgotten defined in Article 17 of the GDPR). However, the reports generated for a search tell you where data matches are found and act as a guide for checking individual locations and items to decide whether items are relevant and what content should be removed. Remember, not all data found for a data subject needs to be removed from locations as it is legally permissible to keep data under certain circumstances, such as the requirement to comply with a legal obligation.

The work to prepare to hand over information to the person who submitted the DSR starts when the search export finishes. Unlike the search and export operations, reviewing the exported material is a manual process that can become very time consuming, especially for people who aren’t accustomed to responding to DSRs.

Sensible Change

Compliance nerds (like me – as evident in this article about using targeted collections in content searches) will understand why Microsoft removed a specialized tool in favor of a more generic approach. Let’s hope that the engineering resources released by the move help to improve content searches and eDiscovery standard. Better performance for content searches would be a start. They haven’t improved much in that respect since the introduction of the new UI in 2021.

]]>
Microsoft Makes it Easier for Tenants to Enable the Loop App https://office365itpros.com/2023/08/09/enable-loop-app-tenant/?utm_source=rss&utm_medium=rss&utm_campaign=enable-loop-app-tenant https://office365itpros.com/2023/08/09/enable-loop-app-tenant/#comments Wed, 09 Aug 2023 01:00:00 +0000 https://office365itpros.com/?p=61129

One Click to Make the Loop App Available to All Users

In an unannounced August 7 change (no blog post, no message center notification), Microsoft pushed an update to the Microsoft 365 admin center that introduces a one-click control to enable Loop for a tenant. The new setting is located in the Services section of Org settings (Figure 1).

Figure 1: Option to enable Loop in the Org Settings section of the Microsoft 365 admin center

Selecting the option displays the screen shown in Figure 2. Click the option “Microsoft Loop workspaces are available to all users in my organization” and the job is done. There’s no need to configure SharePoint Online with PowerShell or deploy a cloud policy to enable users.

Figure 2: Option to enable the Loop app for everyone in a tenant

As explained in the Microsoft documentation, organizations now have two options to deploy Loop.

  1. Use the one-click approach to make Loop available to everyone.
  2. Use a cloud policy to restrict access to the set of user accounts specified in a group.

I’m all for making things easier, so I view the new setting as a good change. It’s also indicative of the kind of change that happens as an app makes its way through preview toward general availability. When Loop reaches general availability, the app is likely to be available to all users by default. This is the normal approach taken by Microsoft and there’s no reason to believe that they’ll do something different for Loop.

One thing that might change with general availability is how to exert granular control over Loop so that some users can use the app and others cannot. Today, control is via a cloud policy. In the future, it might be via a service plan that’s part of the license assigned to user accounts.

What Happens Behind the Scenes

If you opt to enable Loop for everyone, the code behind the Microsoft 365 admin center option enables all the prerequisites for Loop and sets a tenant setting to allow Loop for all. It then checks if a cloud policy already exists. If a policy is in place, Microsoft updates its settings to allow the tenant setting to take precedence (Figure 3).

Figure 3: Once the tenant setting is enabled, the cloud policy to control the Loop app is disabled

Loop PWA in Microsoft Store

Speaking of Loop, another recent change is the appearance of a Loop app in the Microsoft Store (Figure 4). This is a PWA wrapper around the Loop web app that allows Loop to install as a desktop app.

Figure 4: The Loop PWA in the Microsoft Store

The good news is that the Loop PWA works well. I’ve been using it for a couple of weeks and haven’t run into any issues. It’s not a desktop app in the traditional sense, but it’s more than a good enough alternative.

Loop Everywhere

Apart from the Loop app, Loop components are available in Teams chat (but still not channel conversations), Teams meetings (agenda, notes, and to-do lists), OWA, Outlook desktop, and Outlook Monarch. The ecosystem is building out and appears to be on the way to replacing OneNote eventually. I’d like to make more use of Loop in my day-to-day work, but as most of my projects involve external people who don’t have user accounts in my tenant, the inability of Loop to accommodate collaboration with anyone except internal users is a block. Hopefully, Microsoft will lift that restriction soon.



]]>
Managing Assigned Licenses for Deleted User Accounts https://office365itpros.com/2023/08/07/deleted-user-account-licenses/?utm_source=rss&utm_medium=rss&utm_campaign=deleted-user-account-licenses https://office365itpros.com/2023/08/07/deleted-user-account-licenses/#comments Mon, 07 Aug 2023 01:00:00 +0000 https://office365itpros.com/?p=61072

Why Some Deleted User Accounts Store License Assignment Information And Some Do Not

A reader asks why the Microsoft 365 admin center displays a license for a deleted user account (Figure 1). The follow-up question is how they can remove the license and reassign it to another user.

Figure 1: Deleted user account with license assignment information

The answer is that they don’t need to do anything. When an administrator removes a user account, Entra ID moves the account into its deleted items container (aka the wastebasket). The deleted account remains there for 30 days, during which time an administrator can restore the account (see the big blue button in Figure 1). The ideal situation is for a restored account to come back with all its settings intact, including assigned licenses. Entra ID tracks the licenses that the deleted account once had so that it can reassign the licenses to the newly-restored account.

Any licenses assigned to a deleted user account become available following the account’s deletion. This includes accounts used for shared mailboxes where assigned licenses exist to enable features like archiving. No one wants to keep expensive licenses on ice pending account restores, so often the licenses end up being assigned to other accounts.

It Depends on How User Accounts Are Deleted

The interesting thing is that the presence of assigned licenses for deleted accounts depends on the method used to delete the account. When an administrator deletes an account through the Microsoft 365 admin center, the process removes license assignments before removing the account, which means that if you examine the properties of the deleted account afterward, no licenses are present (Figure 2).

Figure 2: Deleted user account with no license assignment information

However, if you use PowerShell or the Microsoft Entra admin center to remove an account, the deleted account object retains license information. The licenses are not assigned, but the license information is present in the properties of the deleted user object. This is why Figure 1 shows that a deleted account has a license.

The reason why the Microsoft 365 admin center removes licenses and other administrative interfaces do not is the multi-phase process the Microsoft 365 admin center uses for account removal. The process includes steps such as giving another user access to the user’s OneDrive for Business account (Figure 3) to allow for the recovery of any important information before the permanent removal of the user account.

Figure 3: Steps in the Microsoft 365 admin center account deletion process

PowerShell and the Microsoft Entra admin center only concern themselves with the removal of the user account object, and that’s why some deleted user accounts have license assignment information and others do not.

Care Needed When Restoring Deleted Accounts

The Microsoft 365 admin center user restore process warns administrators to:

  • Assign licenses after restoring the account.
  • Change the account password.

A user account has no access to Microsoft 365 services after it is restored until these steps are complete.

By comparison, if you restore a deleted account through the Microsoft Entra admin center or PowerShell, the license assignments noted in the account properties become active again. This can lead to an over-assignment condition where too many user accounts have licenses for specific products, like Office 365 E3. In this situation, administrators must buy additional licenses or remove licenses from other accounts (or delete other accounts).

To check if the properties of any deleted accounts include license assignments, you can run these Microsoft Graph PowerShell SDK commands to fetch details of deleted accounts and report if any license data exists:

# Directory.Read.All is enough to read soft-deleted objects
Connect-MgGraph -Scopes Directory.Read.All
# Fetch every soft-deleted user (-All pages past the default first page), newest deletion first
[array]$DeletedUsers = Get-MgDirectoryDeletedItemAsUser -All -Property DeletedDateTime, Id, displayName, userPrincipalName, assignedLicenses | Sort-Object DeletedDateTime -Descending
ForEach ($User in $DeletedUsers) {
  # Only accounts deleted via PowerShell or the Entra admin center keep their license records
  If ($User.AssignedLicenses) {
     $Licenses = $User | Select-Object -ExpandProperty AssignedLicenses
     [string]$Skus = $Licenses.SkuId -Join ", "
     Write-Host ("Deleted user {0} has license information noted in their account properties {1}" -f $User.displayName, $Skus)
  }
}

If you use PowerShell to script the recovery of user accounts, you should check for license assignments and validate that licenses are available before recovering the account. This article explains how to fetch subscription information using the Get-MgSubscribedSku cmdlet and the subscriptions API, including the count of assigned and available licenses. It’s easy to check if a license for a SKU is available before assigning it to a recovered account.

Alternatively, go ahead and recover the account and fix the licensing problem later through the Microsoft 365 admin center.
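One way to script the safer path described above, as an added example that is not code from the article: the first function compares each SKU recorded on the deleted account against the tenant’s subscriptions (Enabled minus Consumed is what is free to assign); the second only restores the account when no SKU would be over-assigned, then blocks sign-in until an administrator resets the password, mirroring the two warnings the Microsoft 365 admin center shows. It assumes a Connect-MgGraph session with the Directory.ReadWrite.All and User.ReadWrite.All scopes, and that the deleted account’s user principal name still ends with the original address (Entra ID prefixes the UPN of a soft-deleted user with the object identifier, hence the wildcard match). The address in the usage line is a placeholder.

```powershell
# Added example (not from the article): check SKU capacity for every license recorded on a
# deleted account before restoring it with the Graph SDK, then keep sign-in blocked until the
# password is reset. Assumes Connect-MgGraph -Scopes Directory.ReadWrite.All, User.ReadWrite.All
function Get-SkuShortfall {
    param([Parameter(Mandatory)][string[]]$SkuId)
    # Index the tenant's subscriptions by SkuId; Enabled minus Consumed is what is free to assign
    $Skus = @{}
    foreach ($S in Get-MgSubscribedSku) { $Skus[[string]$S.SkuId] = $S }
    foreach ($Id in $SkuId) {
        $Sku = $Skus[$Id]
        if (-not $Sku) {
            # The SKU the deleted account once had is no longer subscribed at all
            [PSCustomObject]@{ SkuId = $Id; SkuPartNumber = '(not in tenant)'; Available = 0 }
            continue
        }
        $Available = $Sku.PrepaidUnits.Enabled - $Sku.ConsumedUnits
        if ($Available -lt 1) {
            [PSCustomObject]@{ SkuId = $Id; SkuPartNumber = $Sku.SkuPartNumber; Available = $Available }
        }
    }
}

function Restore-DeletedUserSafely {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    # Soft-deleted users carry the object id in front of the UPN, so match on the tail; take the newest
    $Deleted = Get-MgDirectoryDeletedItemAsUser -All -Property Id, UserPrincipalName, DeletedDateTime, AssignedLicenses |
        Where-Object { $_.UserPrincipalName -like "*$UserPrincipalName" } |
        Sort-Object DeletedDateTime -Descending | Select-Object -First 1
    if (-not $Deleted) { throw "No deleted account found for $UserPrincipalName" }
    if ($Deleted.AssignedLicenses) {
        $Shortfall = @(Get-SkuShortfall -SkuId ($Deleted.AssignedLicenses.SkuId | ForEach-Object { [string]$_ }))
        if ($Shortfall.Count -gt 0) {
            # Restoring now would reactivate these licenses and push the tenant into over-assignment
            Write-Warning "Restoring $UserPrincipalName would over-assign these SKUs; free licenses first:"
            $Shortfall | Format-Table -AutoSize | Out-String | Write-Warning
            return $null
        }
    }
    # Graph restore reactivates the recorded licenses immediately (unlike the admin center)
    Restore-MgDirectoryDeletedItem -DirectoryObjectId $Deleted.Id | Out-Null
    # Keep the account blocked until the password is reset, as the admin center advises
    Update-MgUser -UserId $Deleted.Id -AccountEnabled:$false
    Get-MgUser -UserId $Deleted.Id -Property Id, UserPrincipalName, AccountEnabled, AssignedLicenses
}

# Usage (placeholder address):
# Restore-DeletedUserSafely -UserPrincipalName 'jane.doe@contoso.example'
```

Re-enabling the account after the password reset is a separate, deliberate step (Update-MgUser with -AccountEnabled:$true), which keeps the restore auditable as two actions rather than one.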

Processing Differences Exist

This discussion reveals a difference in behavior between the raw processing performed by Graph APIs and the wrapper around the APIs implemented in the Microsoft 365 admin center. Sometimes the differences bubble up to the surface and the reasons for the differences aren’t immediately clear until you poke around to discover why things happen the way that they do. Isn’t that often the case in IT?


Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.

]]>
Microsoft Launches Simplified Sharing for Microsoft 365 Apps https://office365itpros.com/2023/08/04/simplified-sharing-experience/?utm_source=rss&utm_medium=rss&utm_campaign=simplified-sharing-experience https://office365itpros.com/2023/08/04/simplified-sharing-experience/#comments Fri, 04 Aug 2023 01:00:00 +0000 https://office365itpros.com/?p=61049

Making Sharing of Files and Folders Easier

Apart from Microsoft 365 roadmap item 124933, I can’t find a formal announcement about the Simplified Sharing Experience, but I have been aware that Microsoft recently updated the share dialog used by Microsoft 365 apps to make it easier and more straightforward to use. According to a LinkedIn post (Figure 1), Microsoft ran an A/B experiment to test the new dialog. I guess I was one of the testers! In any case, the new sharing dialog is now available in all Microsoft 365 tenants. Users of OneDrive consumer will see the upgraded dialog in the second half of 2023.

Figure 1: Microsoft spreads the news about the simplified sharing experience

The Role of the Share Dialog

The share dialog is what people see when they share a document or folder with others inside or outside their organization. According to Microsoft, the dialog is used over 800 million times monthly across 52 different Microsoft 365 experiences (desktop, browser, and mobile). In other words, Microsoft 365 apps offer users the opportunity to share in 52 different places across the suite. The most common of the experiences are likely in SharePoint Online, OneDrive for Windows, and Teams.

Microsoft says that they focused on creating a dialog that makes it simpler for users to perform core sharing tasks. When someone invokes the new screen (Figure 2) to share a file or folder, they see a simpler layout pre-populated with the default sharing link as specified by the tenant or site policy (in this case, the sharing link allows access to people within the organization). The name of the sensitivity label assigned to the document is also shown to provide a visual indicator about its relative confidentiality.

Figure 2: The revamped sharing link dialog

To complete the link, add the people to notify and enter a note to tell them what to do, and click Send to have the message sent by email or Copy link to copy the sharing link to the clipboard.

If you need to change the type of sharing link, select the cogwheel to expose the link settings (Figure 3). Again, everything is very straightforward and simple. If you choose a link that allows external sharing, I’m told that the new design “makes users more comfortable with sharing.” I’m not quite sure what this means, but any of the sharing that I’ve done with people outside the organization has worked smoothly.

Figure 3: Editing the setting for a sharing link

Microsoft has also overhauled the Manage access dialog to help people manage the set of users and groups that have access to a file or folder (Figure 4).

Figure 4: The revamped manage access dialog

Microsoft says that customer feedback about the new dialog is very positive. It’s worth noting that this is not the first time that Microsoft has revamped the sharing dialog. The last major overhaul was in 2020-21 when Microsoft rationalized on a common sharing dialog for all apps, notably for Teams.

The Importance of Sharing

Getting sharing right is clearly important. When Microsoft launched the Delve app in 2015, it resulted in a crescendo of protest from tenants who suddenly found that Delve suggested documents to users when the organization thought that Delve should not. Of course, the software did nothing wrong. Delve respected the access rights given to users when it computed the set of interesting documents to suggest (using an early version of Graph document insights). The problem was entirely down to poor management and access control, often at the level of complete SharePoint Online sites. Users might not have realized that they had access to the documents in poorly-protected sites, but software can’t be blamed if it goes looking for documents to suggest to a user and finds some that are available.

We’re heading for a similar situation with Microsoft 365 Copilot. The Copilot software depends on finding information with Graph queries to help satisfy user prompts. Like Delve, Copilot will find files that are available to the user who prompts for help, and the results generated for the user might include some confidential information. And if the user doesn’t bother to check the content generated by Copilot, the information might then be revealed to people who shouldn’t have it. This is the danger of oversharing, and it’s certainly an issue that organizations contemplating Microsoft 365 Copilot need to resolve before implementation.
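The default link in the dialog comes from tenant or site policy, so the first thing to know is which sites depart from the tenant baseline. The following is an added example, not code from the article or from Microsoft: it walks every SharePoint Online site, resolves the effective default sharing link (a site value of None means “inherit the tenant setting”), and reports sites whose default link or sharing capability is more permissive than the thresholds you pass in. It assumes the Microsoft.Online.SharePoint.PowerShell module and a prior Connect-SPOService -Url https://contoso-admin.sharepoint.com, where contoso is a placeholder tenant name.

```powershell
# Added example (not from the article or from Microsoft): list SharePoint Online sites whose
# default sharing link or sharing capability is more permissive than a chosen baseline.
# Assumes Microsoft.Online.SharePoint.PowerShell and a prior
# Connect-SPOService -Url https://contoso-admin.sharepoint.com (placeholder tenant name).
function Get-PermissiveSharingSite {
    param(
        # Sites are reported when they exceed either threshold
        [ValidateSet('Direct', 'Internal', 'AnonymousAccess')]
        [string]$MaxDefaultLink = 'Internal',
        [ValidateSet('Disabled', 'ExistingExternalUserSharingOnly', 'ExternalUserSharingOnly', 'ExternalUserAndGuestSharing')]
        [string]$MaxCapability = 'ExternalUserSharingOnly'
    )
    # Rank the enum values from least to most permissive so they can be compared numerically
    $LinkRank = @{ Direct = 0; Internal = 1; AnonymousAccess = 2 }
    $CapRank  = @{ Disabled = 0; ExistingExternalUserSharingOnly = 1; ExternalUserSharingOnly = 2; ExternalUserAndGuestSharing = 3 }
    $Tenant = Get-SPOTenant
    # The -Limit All listing is a trimmed object; re-read each site to get its sharing properties
    foreach ($Stub in Get-SPOSite -Limit All -IncludePersonalSite:$false) {
        $Site = Get-SPOSite -Identity $Stub.Url
        # A site value of None means "inherit the tenant default"
        $EffectiveLink = if ("$($Site.DefaultSharingLinkType)" -eq 'None') { "$($Tenant.DefaultSharingLinkType)" } else { "$($Site.DefaultSharingLinkType)" }
        $LinkTooOpen = $LinkRank.ContainsKey($EffectiveLink) -and ($LinkRank[$EffectiveLink] -gt $LinkRank[$MaxDefaultLink])
        $CapTooOpen  = $CapRank["$($Site.SharingCapability)"] -gt $CapRank[$MaxCapability]
        if ($LinkTooOpen -or $CapTooOpen) {
            [PSCustomObject]@{
                Url                   = $Site.Url
                EffectiveDefaultLink  = $EffectiveLink
                SharingCapability     = "$($Site.SharingCapability)"
                DefaultLinkPermission = "$($Site.DefaultLinkPermission)"
                Reason                = @(if ($LinkTooOpen) { 'default link' }; if ($CapTooOpen) { 'sharing capability' }) -join ', '
            }
        }
    }
}

# Usage: with the defaults, anything that hands out anonymous links or allows guest sharing is listed
# Get-PermissiveSharingSite | Format-Table -AutoSize
```

Re-reading each site individually is slow on large tenants, but it avoids depending on which properties the bulk listing happens to populate; run it as a scheduled report rather than interactively.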

Simplified Sharing Experience One Step Along the Path

The new sharing dialog won’t solve oversharing. It’s just one step along the path to help users share information with the right people in the right way.



]]>
Clipchamp Coming to Microsoft 365 Commercial Customers https://office365itpros.com/2023/08/02/clipchamp-for-work/?utm_source=rss&utm_medium=rss&utm_campaign=clipchamp-for-work https://office365itpros.com/2023/08/02/clipchamp-for-work/#comments Wed, 02 Aug 2023 01:00:00 +0000 https://office365itpros.com/?p=61064

Clipchamp for Work, but Only for Microsoft 365 Commercial Customers

Clipchamp for Work

In a July 31 announcement, Microsoft says that they will make Clipchamp for Work available to Microsoft 365 commercial customers through the targeted release program in the coming weeks. The news is covered by Microsoft 365 roadmap item 124826.

Although the advent of Clipchamp for Work is good news, it’s tempered by Microsoft’s statement that

“Clipchamp will be added to the following Microsoft 365 SKUs: Microsoft 365 E3, Microsoft 365 E5, Microsoft 365 Business Standard, and Microsoft Business Premium. Clipchamp will not be added to Office 365 SKUs.”

Ignoring the Office 365 enterprise SKUs is part of Microsoft’s tactics to force customers to upgrade to Microsoft 365 SKUs to drive the average revenue per user (ARPU) and increase the profits flowing from its cloud business past the $111.6 billion mark announced for Microsoft’s 2023 fiscal year.

The same method is being used with Microsoft 365 Copilot, which only supports the Microsoft 365 E3 and E5 enterprise SKUs. Moving from Office 365 E3 to Microsoft 365 E3 costs an extra $13/user/month. Although a case can be argued that features like Windows 11 Enterprise and Enterprise Mobility and Security, which are bundled into the Microsoft 365 enterprise SKUs, represent good value for the extra cost, the fact remains that some customers don’t want to be forced to upgrade. Adding a very capable video editor to the Microsoft 365 enterprise SKUs probably won’t make any difference when it comes to deciding whether to upgrade, but it is one more factor to consider.

Adding on to Stream

Making Clipchamp for Work a new Microsoft 365 service plan makes sense. Like Stream for SharePoint, Clipchamp for Work stores its videos in SharePoint Online and OneDrive for Business, so it’s very different to the Clipchamp consumer version. Microsoft won’t provide a migration mechanism to move videos from the consumer to commercial version.

Stream for SharePoint has added features steadily since its release, recently adding inline playback in Teams, automatic transcript generation, and a teleprompter when recording videos. However, Stream for SharePoint lags behind Stream classic in terms of video editing capabilities. Stream classic never offered much, but at least it could trim some excess from the start and end of videos.

Clipchamp fills the void and adds a lot more functionality besides such as a gap remover (merge videos together seamlessly) and a video cropper. Microsoft also promises that “Filters, effects, and text overlays give your editing a professional and personalized look. With the green screen filter in Clipchamp, you can adjust your backgrounds to suit your professional context and environment. Transitions can easily be added as a finishing touch to give your video that high-quality look.”

Clipchamp for Work includes an in-browser video editor. You’ll be able to create a new video by launching Clipchamp from the Microsoft 365 app launcher or from OneDrive for Business. Clipchamp can edit videos stored in OneDrive for Business and SharePoint Online, including Teams meeting recordings. The point about using SharePoint storage for videos is to take advantage of integration with the rest of the Microsoft 365 suite such as sharing, compliance, data lifecycle management (retention), and information protection.

Clipchamp Brings Proper Video Editing to Microsoft 365

When Microsoft bought Clipchamp in September 2021, the speculation was that Microsoft would add Clipchamp quickly to Office 365. Well, that hasn’t happened. Apart from needing to get used to the Microsoft 365 ecosystem so that single sign-on works and Clipchamp can process videos stored in SharePoint Online, the delay in reaching this point is likely due to waiting for Stream on SharePoint to mature and the migration from Stream classic to complete, which it now mostly is.

I’m glad to see a proper video editor in Microsoft 365. Video communications are becoming more important all the time. It’s just a pity that Microsoft won’t make the Clipchamp functionality available to their loyal Office 365 enterprise customers. We’ll just have to keep on using Camtasia instead.



]]>
Microsoft Briefs Partners about Microsoft 365 Backup and Microsoft 365 Archive Products https://office365itpros.com/2023/07/31/microsoft-365-backup-2/?utm_source=rss&utm_medium=rss&utm_campaign=microsoft-365-backup-2 https://office365itpros.com/2023/07/31/microsoft-365-backup-2/#comments Mon, 31 Jul 2023 01:00:00 +0000 https://office365itpros.com/?p=61005

More Details Revealed About Microsoft 365 Backup and Microsoft 365 Archive During Inspire session

A week or so after the launch of Microsoft 365 Backup and Microsoft 365 Archive at their annual Inspire conference (for partners), I took the time to listen to the recording of the session covering the topic delivered at the event. It’s hard to get much detail from a 14-minute session after filtering out all the marketing messages delivered by the avuncular Chris McNulty, but I found some interesting points to ponder.

As a reminder, these products are not yet available. They might be toward the end of 2023. Then again, product dates have an unfortunate habit of slipping, especially when they’re for solutions in a new area. This is doubly true when dealing with solutions targeted at backup and restore and touted as a great solution for ransomware because of their “unprecedented speed and scale.”

McNulty started with some statistics:

  • Microsoft 365 users add two billion documents and emails daily. I assume this figure includes Office documents, PDFs, Loops, OneNote notebooks, emails, Teams messages, and everything else that can be stuffed into SharePoint Online, OneDrive for Business, and Exchange Online. In September 2022, Microsoft said that Exchange Online processes 9.2 billion messages daily, 2.4 billion of which are spam. However, it’s unclear if these figures include system messages that are transient and not stored.
  • Microsoft 365 user activity consumes 200 petabytes of storage monthly. Much of the data is unstructured. I assume that imports from SharePoint Server and other non-Microsoft 365 sources consume some of this storage. While providing such a large amount of storage is a heavy expense for Microsoft, its existence inside Microsoft 365 creates opportunities. For instance, it is the raw material for Microsoft 365 Copilot.

Microsoft also said that the estimated annual cost of ransomware is $20 billion (2021). They also noted a 74% increase in password attacks in one year, which is yet another good reason for Microsoft 365 tenants to make better use of multi-factor authentication even if attacker tactics like password sprays are less effective due to the removal of basic authentication.

Microsoft 365 Backup

The basic value proposition for Microsoft 365 Backup is simple: the ability to back up and restore data more rapidly than any other backup solution. This is because the data remains within Microsoft 365 and therefore doesn’t have to be copied across an internet connection. Partners have access to the Microsoft APIs for backup, restore, and archiving to allow them to integrate Microsoft 365 in their solutions. In this context, Microsoft takes care of the background processing and the partner looks after the user interface and integration with backup and restore solutions that handle other non-Microsoft workloads to create a single pane for all backup and restore operations.

Of course, keeping backups of your SharePoint Online, OneDrive for Business, and Exchange Online data within the Microsoft trust (security) boundary is a double-edged sword. Keeping all your data eggs in the one Microsoft basket is convenient, enables fast restore, and is easy to use because operations are integrated in the Microsoft 365 admin center.

Jacklynn Hiranaka’s demonstration of backup and restore showed how easy it is to configure full backup for a tenant (Figure 1). She made the point that once backup is enabled, it becomes effective immediately. This is likely because Microsoft can utilize techniques like capturing SharePoint changes in the Preservation Hold Library or Exchange changes in Recoverable Items to generate backup items. You can imagine how restores operate like a supercharged version of the SharePoint Restore this library feature or Exchange’s Recover deleted items.

Figure 1: Microsoft 365 Backup in the Microsoft 365 admin center (source: Microsoft)

Even more impressive was the assertion that Microsoft 365 Backup can perform parallel restores for SharePoint Online, OneDrive for Business, and Exchange Online to restore information very quickly.

Microsoft 365 Archive

Brad Gussin covered details of Microsoft 365 Archive. This is a SharePoint Online option (Exchange Online has its own archiving). You can already archive Teams and put the associated SharePoint Online sites into a read-only mode. Microsoft 365 Archive puts inactive SharePoint sites into a state where administrators can still manage the sites (to bring them back into an active state) but the data is no longer “hot” (available for immediate user access).

The major advantage gained by moving sites to an archived state is that the storage they consume is no longer charged against the tenant’s SharePoint storage quota. The data is still in SharePoint, but just like the storage consumed by Syntex Repository Services to hold Loop app data, it’s not accessible in the normal way.

Administrators will be able to search for inactive sites and decide which sites to archive. Site owners can protest this action and negotiate with administrators to keep their sites online. Once the final decision to archive is made, the process to archive sites takes a couple of hours. Actions to archive or reactivate sites are available through the SharePoint Online admin center (Figure 2) or PowerShell. Microsoft hasn’t specified how the PowerShell option will work, but it could be through an updated Set-SPOSite cmdlet or perhaps dedicated cmdlets to archive and reactivate sites. Long-term, Microsoft plans to enable finer granularity by supporting archival at the file level.

Figure 2: Microsoft 365 Archive in the SharePoint Online admin center

Microsoft 365 features such as data loss prevention, data lifecycle management (retention processing), information protection, and search remain in place for archived sites. eDiscovery can find items in archived sites (using the search indexes) and retrieve items using search exports.

A cynic might say that Microsoft created the need for an archive solution by restricting the amount of storage made available to tenants (1 TB plus 10 GB per eligible license) and the way that retention processing consumes quota. The more intelligent versioning planned for document libraries might help restrain storage consumption, but overall it’s still true that SharePoint Online storage is expensive when compared to the abundant storage made available to OneDrive for Business accounts.

No Pricing Available

Microsoft hasn’t revealed how much Microsoft 365 Backup and Microsoft 365 Archive will cost. I’ve been surprised by some recent Microsoft pricing decisions (like the $7/user/month demanded for slightly more intelligent Entra ID access reviews). The good thing is that backup for Microsoft 365 is a competitive market. Microsoft has some strong advantages, but if it goes too far in terms of inflated pricing, customers will vote with their wallets and go elsewhere.


Learn about using SharePoint Online, Exchange Online, and the rest of Office 365 by subscribing to the Office 365 for IT Pros eBook. Use our experience to understand what’s important and how best to protect your tenant.

Teams Gets Inline Playback for Stream Videos https://office365itpros.com/2023/07/28/stream-video-playback-teams/?utm_source=rss&utm_medium=rss&utm_campaign=stream-video-playback-teams https://office365itpros.com/2023/07/28/stream-video-playback-teams/#comments Fri, 28 Jul 2023 01:00:00 +0000 https://office365itpros.com/?p=60985

Stream Video Playback Inline in Chats and Channel Conversations

Fresh from the artificial intelligence mysteries of the Maybelline beauty app and the prospect of losing content in teams with a thousand channels, Teams users can take advantage of the change announced in MC649917 (Microsoft 365 roadmap item 127596). The change means that videos stored in Stream for SharePoint play inline within messages posted in a chat or channel conversation.

Enabling better Stream video playback within Teams might not sound very exciting, but it avoids the need for Stream to open a browser window and launch its client to play the content (Figure 1). Most people might even consider the capability to be better than boasting red lips in a meeting.

Figure 1: Stream video playback in a channel conversation

Microsoft is currently rolling out the update and expects all tenants to have it by late August.

Some Stream Issues with Teams

While checking out the new functionality, I ran into some problems with the links between Teams and Stream. First, the Stream app in Teams still connects to Stream classic. Given that the migration to Stream on SharePoint started last October, I’m surprised that the app only accepts URLs for videos on the old platform. It would seem easy to detect if a tenant uses Stream on SharePoint and take appropriate action.

Second, the sharing options available in Stream include the chance to share a video to a Teams chat or channel. The option works like the Share to Teams feature in Outlook in that it allows the user to select a target in Teams to share with. Unfortunately, Share to Teams in Stream couldn’t find many of the teams and chats that I use, including the test team I created to host 1,000 channels (Figure 2).

Figure 2: The Stream share to Teams option can’t find teams

When Stream managed to share to a team channel, it created a simple link to the video (Figure 3) that launches the Stream player when invoked. There’s no sign of enhanced Stream video playback here.

Figure 3: The link written by Stream into a team channel

Obviously, the Stream team needs to do some more work to make the connection with Teams as seamless as it should be. I’ve reported both issues to Microsoft.

SharePoint Sorts Out its User Photos

Finally for the week, it’s interesting to read the message center notification MC653734 (July 21) covering “image coherence for SharePoint Online” (a truly horrible title). The update addresses user photo management for accounts that don’t have Exchange Online licenses or that use Delve to update their photos. It fixes the problem where user photos displayed in SharePoint differ from those shown elsewhere in Microsoft 365 (hence “image coherence”).

In August 2023, Microsoft will roll out a fix to force SharePoint Online to display images fetched from the “Microsoft People System (MPS)”, just like all the other Microsoft 365 apps. In practical terms, this means that SharePoint will fetch the thumbnail photos stored in Entra ID accounts via the Graph profilePhoto API.

The impact on users is that they will have to upload photos via Delve or using the avatar at the top right-hand corner of SharePoint pages (Figure 4). Admins can continue to update user photos via the Entra ID admin center or with PowerShell.

Figure 4: Where SharePoint Online users can update their photo

I don’t imagine that this change will affect many people. It removes a lingering piece of functionality that originated in SharePoint server and brings the app in line with the norms of the rest of Microsoft 365, and that’s good.


Make sure that you’re not surprised about changes that appear inside Office 365 applications by subscribing to the Office 365 for IT Pros eBook. Our monthly updates make sure that our subscribers stay informed.

Microsoft Cloud Hits $111.6 Billion Annual Revenue https://office365itpros.com/2023/07/27/microsoft-cloud-revenue-110b/?utm_source=rss&utm_medium=rss&utm_campaign=microsoft-cloud-revenue-110b https://office365itpros.com/2023/07/27/microsoft-cloud-revenue-110b/#comments Thu, 27 Jul 2023 01:00:00 +0000 https://office365itpros.com/?p=60976

Microsoft FY23 Q4 Continues Strong Microsoft Cloud Revenues

As has become customary, Microsoft enjoyed another strong quarter of Microsoft Cloud revenues in the final quarter of their FY23 fiscal year. The headline numbers for the quarter have been reported and analyzed in depth elsewhere. I want to focus on the data relevant to the Microsoft 365 ecosystem. For those interested in following up, I suggest reading the transcript of the analyst briefing together with the other information released by Microsoft.

Microsoft Cloud Hits $110 Billion

The first point is that annual revenues for the Microsoft Cloud exceeded the $110 billion mark. The figures for the four quarters are:

  • Q1: $25.7 billion.
  • Q2: $27.1 billion.
  • Q3: $28.5 billion.
  • Q4: $30.3 billion.

Total: $111.6 billion.

On an annualized run-rate basis (taking the last quarter and multiplying by four), the run rate is now $121.2 billion, up $21.2 billion since the results reported for FY22 Q4. Figure 1 shows the steady growth in Microsoft Cloud annualized revenues since 2015.

Figure 1: Annualized revenues for the Microsoft Cloud since 2015

The really interesting bit of information revealed by Satya Nadella was that “Azure all-up accounting for more than 50% of the total” ($110 billion). Microsoft is notoriously slow at giving out firm data about product revenues. A year ago, I tried to estimate how much Office 365 contributes to Microsoft cloud revenues. Taking numbers revealed in the briefing we can say that:

  • Azure (50% of $110 billion) = $55 billion.
  • Dynamics (“surpassed $5 billion in revenue over the past fiscal year”) = $5 billion.
  • LinkedIn (“surpassed $15 billion for the first time”) = $15 billion.
  • Office 365 ($111.6 billion – ($55 + $5 + $15) billion) = $36.1 billion. Microsoft said that “Office 365 commercial revenue increased 15% and 17% in constant currency, a bit better than expected with particular strength in E5.” Microsoft expects revenue growth of 16% for Office 365 in FY24.

The Office 365 outcome is less than I expected, but the Azure number is far higher than I thought.

Microsoft Cloud Revenue, Profitability, and Copilot

Microsoft CFO Amy Hood said that “Microsoft Cloud gross margin percentage increased roughly 3 points year-over-year to 72%.” The Microsoft Cloud is obviously a rich source of profit for Microsoft, even if they have substantial capital expenditure to equip their datacenters with computing and network equipment needed to deliver the service and prepare for new services, like Microsoft 365 Copilot.

Hood was confident about Microsoft’s “upsell and attach motions, particularly with Microsoft 365 E5.” She has made much the same comment to analysts for the past several quarterly briefings. Microsoft is very focused on driving the annual revenue per user (ARPU) to fuel growth in overall cloud revenues and profitability.

An interesting remark from the CFO observed that “Growth of new business continued to be moderated for products sold outside the Microsoft 365 suite including standalone Office 365, (and) EMS.” This isn’t surprising because the Microsoft sales force is focused on selling Microsoft 365 rather than the traditional Office 365 or EMS licenses.

Speaking of Microsoft 365 Copilot, Microsoft said “We are now rolling out Microsoft 365 Copilot to 600 paid customers through our early access program, and feedback from organizations like Emirates NBD, General Motors, Goodyear, and Lumen is that it’s a game changer for employee productivity.” Of course, as Hood acknowledged, Microsoft is unable to book revenue for Microsoft 365 Copilot until the product is generally available. No one knows how customers will respond to the pricing strategy both in terms of the high $30/user/month license cost and the need for enterprise customers to move to Microsoft 365 E3 or E5 to become “eligible” for a Copilot deployment.

Some Other Numbers

Microsoft always embellishes its results with some numbers for product usage. Often, the numbers are

  • Power Automate now has 10 million monthly active users.
  • Teams Premium has more than 600,000 seats (Microsoft likes to use the word “surpassed” when discussing results). Six hundred thousand seats sounds like a big number, but it’s only 0.2% of the Teams 300 million monthly active user count, which puts the number into perspective.
  • “Teams Phone is the market leader in cloud calling, with more than 17 million PSTN users, up 45% year-over-year.” Sounds like a lot of customers are junking traditional PBXes to move to Teams Phone.
  • “Viva now has 35 million monthly active users.” Microsoft didn’t say what parts of the Viva Suite attract this usage. It would be interesting to know if usage comes from repurposed bits (like Viva Engage/ex-Yammer) that don’t bring in any extra revenue, or newer components (like Viva Topics or Viva Learning) where customers need to buy new licenses.
  • The newly rebranded Microsoft Entra ID (ex-Azure AD) now has “more than 610 million monthly active users.”
  • “The enterprise mobility and security installed base grew 11% to over 256 million seats.”

Microsoft didn’t give new numbers for Office 365, but given that “paid Office 365 commercial seats grew 11% year-over-year,” the number for Office 365 paid seats is likely around 400 million. It looks as if Microsoft Cloud revenues are heading for another good year in FY24.


Keep up to date with developments like Microsoft 365 Copilot by subscribing to the Office 365 for IT Pros eBook. Our monthly updates make sure that our subscribers understand the most important changes happening across Office 365.

Microsoft 365 Backup for SharePoint Online and Exchange Online (Soon) https://office365itpros.com/2023/07/19/microsoft-365-backup/?utm_source=rss&utm_medium=rss&utm_campaign=microsoft-365-backup https://office365itpros.com/2023/07/19/microsoft-365-backup/#comments Wed, 19 Jul 2023 01:00:00 +0000 https://office365itpros.com/?p=60911

Microsoft Enters a Competitive Microsoft 365 Backup Market

One of the big announcements at the Microsoft Inspire (partner) conference marked Microsoft’s debut into the Microsoft 365 backup market. At least, it’s an intention to participate in the market with a public preview of a Microsoft 365 Backup product for SharePoint Online, OneDrive for Business, and Exchange Online in the last quarter of 2023. At the same time, Microsoft plans to deliver a public preview of a Microsoft 365 Archive product to move “inactive or ageing” SharePoint Online data from “hot” (online) storage to cold storage. I can’t wait to “automate scaled mass archiving by running PowerShell scripts” to move SharePoint Online files to cold storage.

Seriously, both initiatives are welcome. Microsoft has some unique advantages (and some disadvantages) when it comes to moving data around from Microsoft 365 repositories, and it’s about time that Microsoft took some responsibility for protecting customer data with backups.

The Microsoft Advantage

Microsoft’s advantage over ISV backup partners is twofold. They have instant access to customer data stored in their datacenters and they control the APIs that allow access to the data.

ISV alternatives typically copy information from Exchange Online, SharePoint Online, and OneDrive for Business (and sometimes Teams messages) from their native repositories to their datacenter. Many issues come into play:

  • Shipping large quantities of data across the internet from Microsoft’s datacenter network to the ISV’s target datacenter. This process takes time and can be resource intensive, especially for restore operations.
  • Lack of suitable APIs to stream large quantities of data from Microsoft to the ISV datacenter. For instance, Exchange Web Services (EWS) is the foundation for many ISV backup solutions for Exchange Online. EWS was never designed for this purpose, but it works. Some ISVs use EWS to copy Teams compliance records and call it a Teams backup. Microsoft wants to move ISVs to use the Teams export API, but that comes with its own complications.

Microsoft 365 Backup doesn’t use another repository. Everything stays inside Microsoft 365, so restores (when necessary) happen extremely quickly, even at massive scale. The idea is that if a Microsoft 365 tenant is compromised by ransomware, it can very quickly switch back to the status that pertained at a point in time before the attack happened. It’s a compelling proposition, especially when integrated into the Microsoft 365 admin center (Figure 1). Of course, it would be even better if the tenant stopped the attack by taking steps such as implementing multi-factor authentication everywhere, but that’s another matter.

Figure 1: Microsoft 365 backup in the Microsoft 365 admin centre (source: Microsoft)

Microsoft hasn’t said what licenses or costs are likely to be incurred with Microsoft 365 backup. I imagine that they will charge on a consumption basis, meaning that tenants will pay using an Azure pay as you go subscription based on how much data they process.

The Microsoft Disadvantage

The big disadvantage for Microsoft 365 Backup is that all data remains in Microsoft datacenters. Keeping all your eggs in one (datacenter) basket is not deemed to be a good thing because the remote possibility exists that the datacenter might suffer a catastrophic failure that leads to data loss. I don’t consider this to be something likely to happen, but I understand why companies like to maintain a separate copy of their data at a different location, just in case.

The ISV Play

Microsoft was careful to launch with ISV support. It doesn’t make sense to go to war with ISVs that have been serving Microsoft 365 customers for years. Microsoft has several launch partners that are signed up to use the backup and archive APIs so that “partners can integrate our capabilities into their data management and protection apps. With Microsoft 365 Backup and Microsoft 365 Archive APIs, our partners can uniquely provide a single and seamless experience that protects your data estate, whether inside or outside of Microsoft 365, in combination with our speed and storage innovations.” In other words, ISVs can use the APIs (and pay Microsoft for the privilege) to take advantage of faster backup and restore for Microsoft 365 data. We’ll see how this transpires in terms of costs and how the ISVs adopt Microsoft 365 backup APIs in their solutions.

No Teams Backup and Restore

Microsoft has deliberately targeted the easiest workloads for backup. Emails and documents are relatively easy objects to backup and restore. Microsoft has unfettered access to the data and can tweak APIs to make backup and restore operations easier so their implementation is faster and smarter. However, Microsoft 365 archive does not take on the biggest challenge that exists for backup today, and that’s to deliver seamless backup and restore capabilities for Teams.

Teams borrows from multiple Microsoft 365 and Azure services. It integrates data drawn from multiple sources and applications. This, and the lack of APIs to perform comprehensive backup and restore for Teams, is what creates the challenge. Given that Teams now has over 300 million monthly active users, it’s a pity that Microsoft hasn’t cracked a nut that they are uniquely positioned to take on. Perhaps full Teams backup and restore will come in time.


Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.

How to Report Renewal Dates for Microsoft 365 Subscriptions https://office365itpros.com/2023/07/06/microsoft-365-subscriptions-ps/?utm_source=rss&utm_medium=rss&utm_campaign=microsoft-365-subscriptions-ps https://office365itpros.com/2023/07/06/microsoft-365-subscriptions-ps/#comments Thu, 06 Jul 2023 01:00:00 +0000 https://office365itpros.com/?p=60708

New Method to Retrieve Renewal Dates for Microsoft 365 Subscriptions

As part of my campaign to help people move off the old MSOL and AzureAD PowerShell modules to use the Microsoft Graph PowerShell SDK before Microsoft deprecates the modules, I wrote a script to demonstrate how to use the Graph SDK to create a licensing report for a tenant. One of the replies to the article observed that the output of the Get-MgSubscribedSku cmdlet didn’t provide the same information as the old Get-MsolSubscription cmdlet. Specifically, the SDK cmdlet doesn’t tell you the renewal date for a product (SKU).

Relief is now available, but not yet in an SDK cmdlet. Instead, you can fetch the renewal information using a new beta Graph subscriptions endpoint described in Vasil’s blog. This is different to the SubscribedSku API, which is what I think is the base for the Get-MgSubscribedSku cmdlet. The LicenseAssignment.Read.All or a higher permission (like Directory.Read.All) is needed to use the API.

Practical Example of Displaying Renewal Dates for Microsoft 365 Subscriptions

As an example of how you might use the information, I took the output generated by the Get-MgSubscribedSku cmdlet and reformatted it so that it looks like the output from the Get-MsolSubscription cmdlet. The cmdlet lists the SKU part number, active units (available units), warning units (licenses that have expired or have another problem), and consumed units (licenses assigned to user accounts). I wanted to add the renewal date and number of days until the renewal date.

To fetch the renewal dates, I then use the Invoke-MgGraphRequest cmdlet to query the https://graph.microsoft.com/V1.0/directory/subscriptions endpoint. If a SKU has a renewal date, it is in the nextLifecycleDateTime property. Some SKUs that don’t expire (like Power BI standard) don’t have renewal dates. Here’s an example of the information for a Viva Topics subscription that has a renewal date.

Name                           Value
----                           -----
skuId                          4016f256-b063-4864-816e-d818aad600c9
skuPartNumber                  TOPIC_EXPERIENCES
createdDateTime                05/02/2021 18:09:21
totalLicenses                  25
id                             de6eac24-b4b7-4f7e-abeb-9e4f10b36883
serviceStatus                  {System.Collections.Hashtable, System.Collections.Hashtable, System.Collections.Hasht...
ocpSubscriptionId              eeda0292-642e-4901-9825-aa7dfc9b0efc
isTrial                        True
status                         Warning
nextLifecycleDateTime          30/07/2023 14:53:22

To make it easy to lookup the renewal data for a SKU, I created a hash table to store SKU identifiers and renewal dates. The final step is to loop through the SKU information and add the renewal date. Here’s the code:

Connect-MgGraph -Scopes Directory.Read.All -NoWelcome
# Get the basic information about tenant subscriptions
[array]$Skus = Get-MgSubscribedSku
$SkuReport = [System.Collections.Generic.List[Object]]::new()
ForEach ($Sku in $Skus) {
 $DataLine = [PSCustomObject][Ordered]@{
   SkuPartNumber = $Sku.SkuPartNumber
   SkuId         = $Sku.SkuId
   ActiveUnits   = $Sku.PrepaidUnits.Enabled
   WarningUnits  = $Sku.PrepaidUnits.Warning
   ConsumedUnits = $Sku.ConsumedUnits }
 $SkuReport.Add($DataLine)
}

# Get the renewal data from the directory/subscriptions endpoint
$Uri = "https://graph.microsoft.com/V1.0/directory/subscriptions"
[array]$SkuData = Invoke-MgGraphRequest -Uri $Uri -Method Get
# Put the renewal information into a hash table keyed by SKU identifier.
# A tenant can hold more than one subscription for the same SKU (for example, a
# trial and a paid subscription), so Add would fail with a duplicate key error.
# Assign instead, keeping the earliest renewal date for each SKU; SKUs that
# don't expire have no nextLifecycleDateTime and are skipped.
$SkuHash = @{}
ForEach ($Sku in $SkuData.Value) {
  If ($Sku.nextLifecycleDateTime) {
    If ((-not $SkuHash.ContainsKey($Sku.skuId)) -or ($Sku.nextLifecycleDateTime -lt $SkuHash[$Sku.skuId])) {
      $SkuHash[$Sku.skuId] = $Sku.nextLifecycleDateTime
    }
  }
}

# Update the report with the renewal information
ForEach ($R in $SkuReport) {
  $DaysToRenew = $Null
  $SkuRenewalDate = $SkuHash[$R.SkuId]
  $R | Add-Member -NotePropertyName "Renewal date" -NotePropertyValue $SkuRenewalDate -Force
  If ($SkuRenewalDate) {
   # Positive value = days remaining until renewal; negative = renewal date already passed
   $DaysToRenew = (New-TimeSpan -Start (Get-Date) -End $SkuRenewalDate).Days
   $R | Add-Member -NotePropertyName "Days to renewal" -NotePropertyValue $DaysToRenew -Force
  }
}

$SkuReport | Format-Table SkuPartNumber, ActiveUnits, WarningUnits, ConsumedUnits, "Renewal date", "Days to renewal" -AutoSize

Figure 1 shows the output.

Figure 1: Reporting Microsoft 365 subscriptions with renewal dates

Future SDK Cmdlet Will Probably Come

Obviously, it would be much better if an SDK cmdlet exposed renewal dates for Microsoft 365 subscriptions. Given that the subscriptions endpoint is new, it’s likely that a new SDK will appear after Microsoft’s AutoRest process runs to process the metadata for the endpoint. I’d expect this to happen sometime in the next few weeks.

In the interim, if access to subscription renewal dates is holding up the migration of some old MSOL or AzureAD scripts, a solution is available.


Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.

Microsoft Information Protection Upgrades to Enhanced Encryption Algorithm https://office365itpros.com/2023/06/23/aes256-cbc-mip/?utm_source=rss&utm_medium=rss&utm_campaign=aes256-cbc-mip https://office365itpros.com/2023/06/23/aes256-cbc-mip/#comments Fri, 23 Jun 2023 01:00:00 +0000 https://office365itpros.com/?p=60546

AES256-CBC Will Protect Office Documents and Email

Last year, some researchers expressed worries that the AES 128 ECB (Electronic Codebook mode) cipher used by Microsoft Information Protection to encrypt documents and emails could be compromised. Microsoft uses the cipher to ensure backward compatibility with older Office versions.

The need for backward compatibility appears to have lifted. Announced in MC590144 (June 15, 2023, Microsoft 365 roadmap item 117576), Microsoft Information Protection will start using AES 256 in Cipher Block Chaining (AES256-CBC) mode from late August 2023 with full deployment expected by the end of September 2023.

Sensitivity Labels Apply Better Protection

In practical terms, if you apply a sensitivity label (Figure 1) to an Office document, export an Office document to a PDF, or email (including meetings), or use the Purview Message Encryption feature (previously Office 365 message encryption or OME) to set Do Not Forward or Encrypt-Only for emails, the level of encryption protecting those items will increase. Items previously protected will receive the upgraded protection the next time the items go through an encryption/decryption cycle. For instance, if someone edits a protected document stored in a SharePoint Online document library, SharePoint will apply the improved encryption when it saves the file. Full details are available in this Microsoft Technology Community post.

Figure 1: All these sensitivity labels will be upgraded to AES256-CBC

Enhanced protection is available in the Microsoft 365 apps for enterprise, SharePoint Online, Exchange Online, Purview Message Encryption, the Azure Information Protection (AIP) unified labelling client (version 2.17 or later), AIP PowerShell module (2.17 and later), and the Purview Information Protection Scanner for on-premises repositories.

Third-party applications built using the Microsoft Information Protection SDK 1.13 or later support items protected with AES256-CBC. This includes the paid-for versions of Adobe Acrobat that can apply and manage sensitivity labels. It might take a little time for ISVs to issue upgraded versions of their products that support AES256-CBC.

Impact on Four Groups

Although the transition to AES256-CBC should be seamless for Microsoft 365 tenants, Microsoft calls out four groups of customers that the change will impact. These are organizations:

  • Using the subscription version of Office (Microsoft 365 apps for enterprise) with Exchange Server (on-premises or hybrid). The Exchange development group is working on a patch to allow Exchange Server to support AES256-CBC that should be available in July. However, the patch will only be available for Exchange Servers with support, so that means the latest versions of Exchange 2016 and Exchange 2019. Microsoft will automatically exclude organizations using the Azure Rights Management connector from using AES256-CBC until January 2024 to allow them time to apply server upgrades.
  • With applications built using the Microsoft Information Protection SDK. These organizations must upgrade their applications to V1.13 of the SDK.
  • Using perpetual versions of Office (2016, 2019, and 2021 LTSC). These versions can consume items protected with AES256-CBC, but some work is needed to allow clients to create items protected with the new cipher.
  • Using the current version of the AIP Viewer, PowerShell module, or Scanner. Workstations need to upgrade to the latest version of the unified labeling client to enable support for AES256-CBC for components installed by the client.

Failure to take action to upgrade installations before Microsoft rolls out the change in August 2023 will result in Exchange Server failing to decrypt protected email. More details are available in Microsoft’s Technical community post.

Moving to Stronger Encryption

Even if the potential for compromise required attackers to follow an unlikely path, Microsoft has answered the doubts expressed by researchers with this update. That’s a welcome change that will kick in during August 2023. Users shouldn’t be aware of the transition and won’t be impacted by the change if administrators of the highlighted organizations take action.

For more information about the transition to AES256-CBC, see Microsoft’s documentation.


Support the work of the Office 365 for IT Pros team by subscribing to the Office 365 for IT Pros eBook. Your support pays for the time we need to track, analyze, and document the changing world of Microsoft 365 and Office 365.

Reporting Mobile Devices Synchronizing with Exchange Online https://office365itpros.com/2023/06/20/exchange-mobile-device-management/?utm_source=rss&utm_medium=rss&utm_campaign=exchange-mobile-device-management https://office365itpros.com/2023/06/20/exchange-mobile-device-management/#comments Tue, 20 Jun 2023 01:00:00 +0000 https://office365itpros.com/?p=60489

Not Many Recent Changes in Exchange Mobile Device Management

It’s been a while since I wrote about how to extract details of mobile devices registered with Exchange Online mailboxes. Time marches on and it’s time to take another look at how to generate a report about mobile devices used with Exchange Online, not least because there are upgraded versions of some cmdlets to use, like Get-ExoMailbox and Get-ExoMobileDeviceStatistics that didn’t arrive until late 2019.

Device management in Exchange Online goes back to on-premises management for mobile devices connected to Exchange Server via Exchange ActiveSync. Apart from making sure that everything works, Microsoft hasn’t done much to device management in Exchange Online. Most of the development activity has focused on leveraging synchronization of Outlook mobile clients with Exchange Online using the Azure-based architecture introduced in 2018 to introduce new functionality, like support for sensitivity labels.

The way Exchange ActiveSync management works hasn’t changed much. A glance at the device access rules (which control what devices a tenant allows to connect) in the Exchange admin center (Figure 1) reveals entries like Acompli (the company Microsoft acquired to get Outlook mobile), Windows Phone, iOS 6, and so on. The advantage of this poor man’s mobile device management system is its simplicity. Even as Microsoft advanced to the final deprecation of the old Exchange admin center, not an iota of new functionality appeared in mobile device management.

Figure 1: Mobile device management in the Exchange admin center

The subtle hint here is that mobile device management is better done in a purpose-built device management framework like Intune. And so you should, if you feel the need.

Reporting Mobile Device Status

Getting back to reporting the set of devices registered for Exchange mobile device management, the code to do the job is straightforward:

First, find the set of user mailboxes.

[array]$Mbx = Get-ExoMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox | Sort-Object DisplayName
If (!($Mbx)) { Write-Host "Unable to find any user mailboxes..." ; break }

For each mailbox, check if it has any registered mobile devices with a command like this:

[array]$Devices = Get-MobileDevice -Mailbox $M.DistinguishedName

If some registered devices exist (the devices might be very old), use Get-ExoMobileDeviceStatistics to fetch information about the synchronization status of each device.

As the command below shows, I use the distinguished name of a device to fetch its statistics. According to the cmdlet documentation, the Identity parameter accepts the device Guid or identifier. I think this is a documentation error because:

  • Guid works, but it’s slow.
  • DeviceId returns a “cannot be found” error.
  • DistinguishedName is fastest (up to ten times faster than Guid).

Which means that we do this:

$DeviceStats = Get-ExoMobileDeviceStatistics -Identity $Device.DistinguishedName

Parse the information returned by Exchange mobile device management to extract whatever seems interesting. For example:

  • Operating system installed on the device.
  • First date of synchronization.
  • Last successful synchronization.
  • Device policy applied to device.
  • Last time Exchange applied a policy to the device.

An example script to generate the report about devices synchronizing with Exchange Online is available from GitHub. The script creates a HTML report (Figure 2) and a CSV file containing its output. Feel free to modify the script as you wish!
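As an added example (not the GitHub script the article links to), here is a compact version of the procedure above that assembles the steps into a single report, records each device’s distinguished name for later use with Remove-MobileDevice, and flags devices that haven’t synchronized in 30 days. Property names such as LastSuccessSync, DevicePolicyApplied and LastPolicyUpdateTime come from the cmdlet output; the CSV file name is a constructed placeholder and an existing Exchange Online PowerShell session (Connect-ExchangeOnline) is assumed.

```powershell
# Added example: report of mobile devices synchronizing with Exchange Online.
# Assumes Connect-ExchangeOnline has already been run in this session.

# Step 1: find the set of user mailboxes
[array]$Mbx = Get-ExoMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Sort-Object DisplayName
If (!($Mbx)) { Write-Host "Unable to find any user mailboxes..." ; break }

$Report = [System.Collections.Generic.List[Object]]::new()
ForEach ($M in $Mbx) {
    # Step 2: devices with an ActiveSync partnership for this mailbox (some may be very old)
    [array]$Devices = Get-MobileDevice -Mailbox $M.DistinguishedName
    If (!($Devices)) { Continue }

    ForEach ($Device in $Devices) {
        # Step 3: the distinguished name is the fastest identity for the statistics cmdlet
        $DeviceStats = Get-ExoMobileDeviceStatistics -Identity $Device.DistinguishedName

        # A device that has never completed a sync has no LastSuccessSync value
        $DaysSinceLastSync = $Null
        If ($DeviceStats.LastSuccessSync) {
            $DaysSinceLastSync = (New-TimeSpan -Start $DeviceStats.LastSuccessSync -End (Get-Date)).Days
        }

        # Step 4: keep the interesting properties, plus the DN needed to remove the device later
        $Report.Add([PSCustomObject][Ordered]@{
            User              = $M.DisplayName
            UPN               = $M.UserPrincipalName
            DeviceType        = $Device.DeviceType
            DeviceModel       = $Device.DeviceModel
            DeviceOS          = $Device.DeviceOS
            ClientType        = $Device.ClientType
            AccessState       = $Device.DeviceAccessState
            FirstSync         = $Device.FirstSyncTime
            LastSuccessSync   = $DeviceStats.LastSuccessSync
            DaysSinceLastSync = $DaysSinceLastSync
            PolicyApplied     = $DeviceStats.DevicePolicyApplied
            PolicyStatus      = $DeviceStats.DevicePolicyApplicationStatus
            LastPolicyUpdate  = $DeviceStats.LastPolicyUpdateTime
            DeviceDN          = $Device.DistinguishedName
        })
    }
}

# Devices that haven't synchronized in 30 days (or never did) are candidates for review
[array]$Stale = $Report | Where-Object { ($null -eq $_.DaysSinceLastSync) -or ($_.DaysSinceLastSync -gt 30) }

# Constructed output path; change to suit
$Report | Export-Csv -Path .\ExoMobileDevices.csv -NoTypeInformation -Encoding UTF8
$Stale | Format-Table User, DeviceType, DeviceOS, AccessState, LastSuccessSync, DaysSinceLastSync -AutoSize
```

The $Report list produced here carries the DaysSinceLastSync and DeviceDN properties used by the removal command in the next section.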

Figure 2: Reporting mobile devices known to Exchange mobile device management

Removing Obsolete Devices

Mobile device statistics allow the identification of devices that are not synchronizing. Any device that doesn’t synchronize in 30 days is likely no longer in active use and becomes a candidate for removal (after someone checks its actual status). When their obsolete status is confirmed, you can remove devices by running the Remove-MobileDevice cmdlet. Running the cmdlet breaks the partnership (link) between the mailbox and device.

For instance, this code finds devices reported with more than 365 days since their last synchronization and deletes the first device from the returned set.

[array]$SyncDevices365 = $Report | Where-Object {$_.DaysSinceLastSync -gt 365}
Remove-MobileDevice -Identity $SyncDevices365[0].DeviceDN -Confirm:$False

No Prospect for Change

At this point, it’s hard to see that Microsoft will make any dramatic change to the Exchange device management framework. What exists now suffices for small to medium businesses, and anyone who needs something more sophisticated should head to Intune or check out third-party mobile device management solutions.


Learn how to exploit the data available to Microsoft 365 tenant administrators through the Office 365 for IT Pros eBook. We love figuring out how things work.
