The Ultimate Guide to Mastering Microsoft 365
Microsoft has delayed the retirement of basic authentication for the SMTP AUTH client submissions protocol to 2027 or beyond. New tenants will be the first to be blocked and Microsoft will disable basic authentication for SMTP AUTH in a way that existing tenants can reenable the protocol. Eventually, we’ll get a date for final retirement sometime in 2027. These things take time!
Entra multi-tenant applications can be used by any tenant – unless you restrict sign-in audiences to permit only specific tenants to use the application. In this article, we explain the preview feature and use the Microsoft Graph PowerShell SDK to restrict sign-in audiences by defining a list of permitted tenant identifiers in the properties of multi-tenant applications.
January 22 saw the announcement of the beta version of an Exchange Online Graph-based message trace API. The API can retrieve message trace records and their details and offers equivalent functionality to the message trace cmdlets in the Exchange Online management PowerShell module. However, sometimes applications simply want to access data without going through a module, and that’s what this API delivers.
Microsoft announced a set of Teams licensing changes to take effect in April 2026. The changes affect devices, Microsoft Places, and Teams events. Webinars and Teams town halls will be easier to manage without Teams Premium licenses, and organizations will be able to buy capacity packs to host events for up to 100,000 participants. The changes will leave some Microsoft 365 tenants cold while others will be delighted.
A new integration with Viva Engage is available for Teams. The integration adds communities to the Teams navigation bar. It’s kind of odd when a separate highly functional Communities app exists. It’s unclear who is demanding another point of integration between Viva Engage and Teams. The suspicion is that this work is due to internal politics rather than to facilitate better collaboration.
Monthly update #20 for the Automating Microsoft 365 with PowerShell eBook is now available for subscribers to download the updated EPUB and PDF files. Like any monthly update, #20 includes a mixture of new information, revisions, and even some bug fixes (changes to text or examples). Meantime, assembly clashes continue to be a bugbear for Microsoft 365 PowerShell modules. Microsoft should fix this problem!
This article explores how to use Entra ID audit records to create a weekly report about role assignment additions and deletions. After deciphering the information contained in the audit records, it’s easy to generate a report showing who made the assignments and if any critical role assignments are in the mix. We can then email the report to interested parties, all with some relatively simple PowerShell.
An article from 2018 uses the AzureAD and Exchange PowerShell modules to synchronize membership between a security and a Microsoft 365 group. The idea is to enable collaboration for the members of the security group. This version does the work with the Microsoft Graph PowerShell SDK. The code is better and it will work as an Azure Automation runbook, which is always nice.
Microsoft released the beta version of the SharePoint Online create Site API for the Microsoft Graph in late November 2025. Since then, Microsoft has dropped one of the three site templates. Playing with the API, we’ve discovered that the API can certainly create sites but that the SharePoint Graph API misses a heap of features, like adding members to the new site. Oh well, one step forward…
A change made for some Directory Graph APIs has flowed through to the Microsoft Graph PowerShell SDK and affected how the associated cmdlets work, including the beta cmdlet to restore a deleted user account and while replacing the user principal name. Fortunately, the workaround is easy, but it is upsetting when something that worked suddenly doesn’t, even if it is a beta cmdlet.
As part of the modernization of the Purview eDiscovery solution, Microsoft will simplify the content searches UX in February 2026 to remove features that are inappropriate for the way that content searches are intended to be used. The change is logical and reasonable because you should use a full eDiscovery case to access all the eDiscovery functionality.
A new Entra ID role is coming. The Teams External Collaboration administrator role allows users to manage external collaboration settings. Quite how often Microsoft 365 tenants need to manage these settings is unknown, but it’s a useful prompt to review the current set of roles used and users who are members of those roles. Time for an annual clean-up.
Restricted Content Discovery (RCD) is a feature that blocks access by Microsoft 365 Copilot and agents to the files stored in a SharePoint Online site. Instead of relying on tenant administrators, site administrators can now enable or disable RCD. It’s a natural evolution of what is an essential feature to keep sensitive and confidential information being leaked inadvertently by AI.
Chat and meetings have their agents, and now the Teams channel agent is available to help members understand what happens inside channels. Like any AI agent given limited sets of data to reason over, the channel agent does a good job of finding nuggets hidden in conversations. The issue is that the channel agent doesn’t currently work for channels that have external members, like guest accounts. That’s a big downside.
Microsoft is rationalizing the options to revoke sessions for a user account in the Entra admin center by removing an old revoke MFA sessions button. That seems like a perfectly reasonable thing to do. When administrators want to revoke sessions for an account, the best way is to create a PowerShell script to perform the necessary steps. That way you don’t need to worry about buttons.
After considering customer feedback, Microsoft cancelled the mailbox external recipient rate limit for Exchange Online. The idea behind the new limit was simple – it makes life more difficult for spammers to use Exchange Online as a platform. Unhappily, customers didn’t like losing the ability to send relatively small amounts of external email for different reasons. C’est la vie.
Microsoft announced the availability of a Slack to Teams migration tool in the Microsoft 365 admin center. The new tool exists to assist the 79 million monthly active users of Slack who might want to move to Teams and don’t know how to get there. ISVs have been helping people move from Slack to Teams for years, so other migration options exist.
During the quiet holiday period, I tested the new Purview Data Security Investigations (DSI) solution, which seems to be put together from bits of Microsoft 365 together with Security Copilot and some generative AI. Assembling new solutions from existing components makes sense because it reduces engineering effort. Without real data, it’s hard to know how effective DSI is, but the cost of an investigation came as a real surprise.
MC1211579 (3 January 2026) announces the retirement of four legacy SharePoint compliance features in favor of Purview Data Lifecycle management and Records management. It’s always unsurprising when Microsoft chooses to remove old features developed for on-premises and replaces them with better online options, which is exactly what’s happening here. Some tenants might face additional licensing requirements for Purview.
Microsoft is rolling out a UX update for the Teams admin center to make it easier to manage external collaboration settings. The new UX doesn’t introduce any new features. Instead, its goal is to hide some of the policies and settings complexity that sometimes afflicts the Teams application. It’s a good change, even if it probably won’t make much difference.
Monthly Update #127 for the Office 365 for IT Pros eBook (2026 edition) is now available for current subscribers to download from Gumroad.com. In this note, we explore some of the options the writing team is considering for the next edition of the book. Microsoft 365 doesn’t stop changing, so it makes sense for the best Microsoft 365 book available today to change to reflect new developments.
A LinkedIn post explained how the UK Revenue and Customs authority train 30,000 people to use Microsoft 365 Copilot effectively. It’s a reminder that introducing complex software to a user community takes careful planning and support, including the provision of well-planned training to help people exploit the new software as quickly as possible. Otherwise, some of those expensive licenses might be wasted.
While examining mailbox properties, I noticed that the EnforcedTimeStamps property held some information that I just couldn’t explain. Google search was no help, but Microsoft Copilot told me that the information related to the management of compliance holds. Basically, the data are guardrails to help the Managed Folder Assistant do the right thing, which is nice, even if no documentation exists.
MC1169572 announces that administrators can add classifications to DLP alerts to help with reporting. But how do you report DLP alerts? As it turns out, it’s relatively easy to retrieve DLP alerts via the Microsoft Graph Security API. Using the Get-MgSecurityAlertV2 cmdlet from the Microsoft Graph PowerShell SDK makes it even easier to find and report the data.
The Web Account Manager (WAM) authentication broker becomes the default method for handling interactive Microsoft Graph PowerShell SDK connections from V2.34 onwards. The rapid release of a new version (V2.33 appeared 12 days beforehand) is usually a sign of a big problem, but in this case the reason is more likely to be a security vulnerability that’s just come to light. We’ll find out after the holidays.
Update #19 of the Automating Microsoft 365 with PowerShell eBook is now available. Subscribers can download the updated PDF and EPUB files from Gumroad.com. A paperback version is also available, but we can’t update the print characters. In any case, a new SharePoint create Site API is in beta, and a new version of the Microsoft Graph PowerShell SDK is available. Both have their moments, as we discuss here.
Microsoft has launched a tenant-to-tenant migration orchestrator solution in public preview to migrate mailboxes, OneDrive accounts, and Teams chat between tenants. ISVs have been active in the T2T space for a long time. They probably won’t welcome the new Microsoft offering, but at least the migration orchestrator legitimizes the concept of tenant-to-tenant migration.
A new Exchange Online feature allows administrators to remove multiple types of holds from mailboxes (usually inactive mailboxes). It’s a great way to release holds that might be keeping inactive mailboxes lingering in a tenant. The feature doesn’t remove holds used to retain items required for eDiscovery or other compliance purposes. Even so, this is definitely a feature that needs to be carefully tested.
Microsoft is launching version expiration policies in SharePoint Online for audio and video files. The approach is the same as used for intelligent versioning of Office files stored in SharePoint Online and OneDrive for Business and can be configured at the tenant, site, and document library level. If your tenant uses Clipchamp, this could be a way to save expensive SharePoint storage.
Exchange Online will require email clients to use Exchange ActiveSync (EAS) V16.1 to connect from March 1, 2026. Email clients that use older versions of EAS won’t be able to synchronize with Exchange Online to upload outbound messages or download messages, attachments, and calendar items. There should be relatively few clients using an old version of EAS, but it’s wise to check.
Microsoft has released a set of security benchmark recommendations for Microsoft 365 tenants that it calls baseline security mode. The recommendations cover authentication, file access, and Teams and the idea is that these are settings that Microsoft believes have proven their value over the years. The only criticism that you might have is about the potential clash for conditional access policies, but that’s not serious.
After the fuss around the initial introduction of the Anthrophic models into Microsoft 365 in September, we learn that Microsoft will enable access for all in January 2026. It would have been so much better had Microsoft said that they were working on the data protection arrangements with Anthrophic, but that didn’t happen. Is all well now? We’ll see in January…
The MCP Server for Enterprise is one of a set of preview servers released by Microsoft to show how MCP servers can help Microsoft 365 tenants get real work done. I’m sure things will improve, but the current state of the preview is that it can do a splendid job to answer simple questions, but once things get more complex, don’t depend on any of the PowerShell code the server generates.
The addition of Autocorrect for messaging is a small but important change for Teams messaging brings Teams up to speed with the other Office applications. It’s taken Teams a little longer than it perhaps should have to support Autocorrect and the implementation is not as functional as it is in Outlook, but that’s not a reason to overlook the update.
After all the fuss about Teams users inviting people to chat via email, tenant administrators realize that knowing where users are active as guest accounts is not as easy as it might seem. Part of the problem is that data about user activity is mostly controlled by host rather than home tenants. However, it’s possible to extract some information from audit sign-in logs to figure out where tenant users go as guests.
Customers will see their bills increase from July 1, 2026, when Microsoft 365 pricing increases go into effect, adding up to $3/month for licenses. This is the first increase since March 2022, and it moves the baseline Office 365 E3 license to $26/month and Microsoft 365 E5 to $60/month. Microsoft justifies the increases based on the functionality and apps it delivers. Time for a licensing review!
A December 2 announcement says that Exchange Online will block access to Exchange Web Services for users with kiosk or frontline worker licenses from June 2026. In fact, the Exchange Online service description has always excluded EWS access for these licenses, but the necessary code to enforce the exclusion was never implemented. It will be in March. Time to check licenses…
Microsoft recommends passwordless authentication to help secure Microsoft 365 tenants. The latest is synced passkeys, something that apparently leads to “syncability,” whatever that might mean. In any case, after some struggles, I managed to enable synched passkeys for my iPhone and then started to consider how to remediate user accounts that are flagged with a high-risk (compromised) status when they can’t simply update their password.
Paul Robichaux and I led a session about Microsoft 365 Compliance at the European SharePoint Conference in Dublin on December 2, 2025. During the session, we discussed how intelligent versioning works and its value in saving storage, priority cleanup and its ability to delete files even if the files are under retention hold, and the recent revamp of the Purview eDiscovery solution. We were thrilled at the attendance. Here’s what happened.
The latest versions of the SharePoint Online PowerShell module support app-only authentication (certificate-based authentication) for the Connect-SPOService cmdlet. In other words, applications can now connect to SharePoint Online to run administrative cmdlets by presenting a registered Entra ID app and an X.509 certificate instead of the credentials for a human SharePoint administrator. It’s a good change, even if I still prefer using the Graph APIs for SharePoint automation.