Author: Tony Redmond
Monthly Update #122 Available for Office 365 for IT Pros eBook
August 2025 Update Available for Subscribers to Download

The Office 365 for IT Pros team is delighted to announce the availability of monthly update #122 for Office 365 for IT Pros (2026 edition). This is the first update since the publication of the 2026 book, and it includes a bunch of changes covering new information unearthed or researched over the last month. You can see more details about the updates in our change log.
Subscribers for the 2026 edition can fetch the updated files using the link in the receipt emailed to them from Gumroad.com after their purchase. The link is personalized to the subscriber and always fetches the latest files. See our FAQ for more information.
Many previous subscribers have renewed for the 2026 edition. We are humbled by the level of support we receive from the technical community. If you are a previous subscriber, you should have received email from us with instructions about how to extend your subscription at a heavily discounted rate. Because we became tired of Gumroad.com emails being blocked as spam, we sent individual emails to thousands of previous subscribers. I believe every subscriber should have received a note from us by now. If not, please contact us at o365itprosrenewals AT office365itpros.com.
Microsoft Cloud Keeps on Growing
Microsoft released their FY25 Q4 results on July 30. One of the eye-popping figures was a big leap in Microsoft Cloud revenue to $46.7 billion (up 27% year-over-year). That’s $21 billion more in a quarter than Microsoft earned in FY23 Q1 and represents an annualized run rate of $186.8 billion. Microsoft 365 continues to grow strongly with its revenue up 16% year-over-year. Seat growth is slowing and was 6% year-over-year, mostly in SME and frontline workers. Slower seat growth is inevitable given the size of the installed base (over 430 million, according to CFO Amy Hood when discussing the Microsoft FY25 Q3 results). The growth in revenues is due to upsell to more expensive licenses, including Microsoft 365 Copilot.
Speaking about Copilot, in the best traditional of misleading figures given out during results briefings, Satya Nadella said “Our family of Copilot apps has surpassed 100 million monthly active users across commercial and consumer.” The number claimed sounds impressive, but what everyone really wants to know is how many Microsoft 365 Copilot paid seats are in active use. It was followed by the assertion that “Purview is used by three quarters of Microsoft 365 Copilot customers to protect their data.” Again, no real data to measure anything against.
Interestingly, once again Microsoft didn’t give an updated number for Teams users. The number remains at the 320 million monthly active users claimed in October 2023.
Speaking of numbers, Microsoft reported a 99.995% performance against the Microsoft 365 SLA for the second quarter of 2025. That might come as news to any tenant that experienced a significant outage between April and June, but the result is unsurprising given the number of tenants and seats. It takes a massive outage involving tens of millions of seats over several hours to budge the SLA needle slightly. Outages happen all the time, but none at the level of severity necessary to impact the SLA
Update for the Automating Microsoft 365 with PowerShell eBook
As is our practice, we released an update for the Automating Microsoft 365 with PowerShell eBook earlier than the monthly Office 365 for IT Pros update. The PowerShell book is included with Office 365 for IT Pros, so subscribers should see 4 files when they access the update on Gumroad.com (PDF and EPUB files for both books).
The PowerShell book is available separately, but Office 365 for IT Pros subscribers do not have to purchase it. If you want to read a physical copy, you can buy a paperback version from Amazon.com. I haven’t actually seen the paperback yet, but I plan to get some author copies for delivery to the TEC 2025 conference in Minneapolis at the end of September. Come to TEC and you might get a signed copy! If not, you can still attend TEC sessions delivered by Tony, Paul, Brian, and Michel.
On to Monthly Update #123
Microsoft 365 doesn’t stop changing and we don’t stop analyzing and documenting the most important technical information for Microsoft 365 tenant administrators. It’s what we’ve done since 2015.
DLP Diagnostics Available in Purview Portal
New Way to Run DLP Diagnostics Through GUI Instead of PowerShell
The nature of any moderately large Microsoft 365 tenant is that it’s likely to have a collection of different types of policies. Making sure that Entra ID conditional access policies interact well together is essential to control inbound connections and a mistake there can lead to administrators locking themselves out of a tenant. Making mistakes in data lifecycle management (retention) policies can also have grave consequences, such as the famous example from 2020 in the KPMG tenant when an error in a retention policy deleted a bunch of Teams chats. Errors in Data loss prevention (DLP) policies can lead to less obviously bad outcomes, but only because a mistake could end up with sensitive information leaking outside the organization without anyone’s knowledge.
Four DLP Diagnostics
Which brings us to message center notification MC904540 (last updated 9 July 2025, Microsoft 365 roadmap item 418566), announcing that DLP diagnostic options are now available for commercial tenants in the Microsoft Purview compliance portal (Figure 1).

Microsoft originally published the message center notification on 4 October 2024 in anticipation of a preview in December 2024. Alas, problems along the way forced the developers to roll back and rethink the implementation. After additional work, the portal boasts a set of four DLP diagnostics tests that replace the tests previously performed through the ComplianceDiagnostics PowerShell tool.
There’s no word whether additional tests are on the way. However, MC904540 mentions “diagnosing issues encountered while using Microsoft Information Protection (MIP) and Data Loss Prevention (DLP),” so it’s possible that plans are in place to provide diagnostic tests for information protection too.
Testing the DLP Diagnostics
In any case, the DLP diagnostics are intended to help identify the root cause of issues and provide remediation options. I found that some of the tests worked well while others were less impressive. For example, the test to figure out why a DLP policy didn’t signal an alert following a rule match was right on the money when it detected that the DLP rule didn’t include settings to generate an alert (Figure 2). The fix was easy once the fault was identified.

The test to diagnose if a user is covered by a DLP policy was less successful. The output of the test (Figure 3) hid some rule and policy names, and the attention to detail in the output is poor. Like Figure 2, where the reference to “ODB” should be spelt out as OneDrive for Business, the lack of capitalization for “exchange” and the lack of spaces in “OneDriveForBusiness” are easily-fixed bugs.

Perhaps it’s just my tenant where these problems emerged. Perhaps it’s a weird combination of the age of some of the DLP policies and their configurations that cause policy and rule names to disappear. For whatever reason, it was disappointing to see the lack of attention to detail feature in the DLP diagnostics. Although it might seem strange to worry about this kind of thing, experience shows that when attention isn’t paid to the small things in software, big issues might lurk. GitHub Copilot is very good at picking up issues like this and supports multiple languages, so it is really surprising to see Microsoft ship software with so many obvious UX errors.
None of the tests performed by DLP diagnostics are particularly sophisticated and all could be easily done by an experienced administrator who knows the DLP solution. In fairness, the target audience for DLP diagnostics is likely to be tenant administrators who don’t work with DLP very often and need some help to figure out why something might be going wrong.
The Value of Data Loss Prevention
DLP is an important Purview solution that often doesn’t receive enough attention. Microsoft has worked hard to expand DLP capabilities, especially in the area of endpoint devices, and the policies work well for Exchange Online, SharePoint Online, and OneDrive for Business, all of which only require E3 licenses. Including Teams in the mix requires a jump to E5, which has always seemed weird to me. And if you want to use the very valuable DLP policy for Copilot to block AI access to sensitive files, you’ll need Microsoft 365 Copilot licenses.
Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.
How to Block OWA and Use the New Outlook
Use a Conditional Access Policy to Block Access to OWA Instead of CAS Settings
Microsoft has updated its advice about how to disable access to OWA while retaining access to the new Outlook for Windows. The update is in MC922623, originally published in October 2024 and updated on 28 July 2025. In a nutshell, Microsoft recommends using a conditional access policy to block access to OWA rather than the mailbox-level OWAEnabled CAS (Client Access Server) setting in CAS.
Apart from the need to deploy Entra P1 licenses, that advice seems straightforward enough. But there are some issues to understand before rushing to deploy a new conditional access policy. Let’s discuss two important points.
Two CAS Settings
The first thing is that there’s actually two policy settings to consider: OWAEnabled and OneWinNativeOutlookEnabled (discussed in this article). Both settings need to be $true in the OWA mailbox policy assigned to user accounts to allow the new Outlook for Windows to load. It seems strange to have two settings, but it’s due to the technical debt accrued over the years managing OWA in Exchange Server and Exchange Online and the need to provide a control to deal with a new client. The fact that OWA and “Monarch” (the new Outlook for Windows) share a lot of code doesn’t help in some respects.
For the purpose of this debate, both OWAEnabled and OneWinNativeOutlookEnabled should be left as $true. In MC922623, Microsoft says keeping both settings at $true will have “no impact on users’ ability to access outlook for the web since the work was already done to block Outlook for the web with another policy.”
Well, that’s not strictly true (no pun intended). For instance, setting OWAEnabled to $false and OneWinNativeOutlookEnabled to $true might seem like the way to block OWA and allow the new Outlook. However, although this configuration blocks OWA, it also stops the new Outlook from being able to download or send messages. Another side-effect (aka, a bug) is that creating a message makes Outlook create multiple copies of the message in the Drafts folder. Overall, it’s best to play safe and ensure that both are kept at $true.
Updated CAS settings can take up to 15 minutes before they are effective.
The Conditional Access Policy to Block OWA
The reference in MC922623 to ”work done to block OWA” is to the conditional access policy (see instructions in the link above). What’s happening here is that Entra ID invokes the conditional access policy as part of its processing of inbound connections. If the inbound connection requests to use Office 365 Exchange Online (the app used by OWA – Figure 1), Entra ID can refuse the connection because the conditional access policy is configured to block OWA. The connection therefore terminates and never gets to Exchange Online for that server to process the connection and check the CAS mailbox settings to determine if mailbox access is permitted with the client.

The downside of using a conditional access policy is that blocking access to the Office 365 Exchange Online app also stops the Teams browser client working (the Teams desktop app continues to work because it uses a different app). I think the reason why this happens is that the Teams browser app shares some components with OWA (like the calendar). Entra ID sees an inbound connection attempting to use an OWA component and terminates the connection in line with the conditional access policy. The dependency of Teams on Exchange Online is listed in Microsoft’s service dependency for conditional access policies guidance.
The nice thing about conditional access policies is that updated settings or new policies become effective almost immediately (Figure 2). Immediacy can also be a bad thing if you make a mistake and lock yourself out of the tenant.

Sometimes Hard to Have Clean Lines in Microsoft 365
The complex interconnected nature of Microsoft 365 sometimes makes it difficult to have nice clean demarcations between applications and workloads. The complex interconnected nature of Microsoft 365 sometimes makes it difficult to have nice clean demarcations between applications and workloads. As we see here, blocking one app with a conditional access policy can have unexpected consequences for other apps.
It’s nice to have choices in how to manage clients, and it makes sense to use a conditional access policy if you have Entra P1 licenses and you can accept the downside of losing Teams browser access. Otherwise, stay with the CAS settings and block access the old way.
Support the work of the Office 365 for IT Pros team by subscribing to the Office 365 for IT Pros eBook. Your support pays for the time we need to track, analyze, and document the changing world of Microsoft 365 and Office 365. Only humans contribute to our work!
Entra ID Governance Levies Charges for Guest Accounts
Monthly Fee for Guest Accounts That Use ID Governance Features
I recently revisited Entra ID access reviews to find a banner warning about charges for guest accounts that consume Entra ID Governance features (Figure 1). Apparently, the new charges started in June 2025 and are paid for on a metered basis through an Azure subscription associated with the Entra tenant.

The relevant documentation reveals the set of chargeable features for guest accounts. Access reviews for inactive guest accounts are on the list, and that’s why the banner showed up.
Charging is on a monthly active user basis (MAU). This is not the same as the MAU for general guest access to Microsoft 365 groups, teams, and sites, which covers normal activities for up to 50,000 guest accounts monthly. In this case, a monthly active user is any guest account that takes advantage of one of the listed Entra ID governance feature during a month. Every ID Governance MAU incurs a charge of $0.75 (six times the price charged for guest accounts that surpass the 50,000 MAU threshold for normal activity).
Going back to access reviews, if my calculation is correct, a tenant using access reviews to detect and remove inactive guests (as recommended by Microsoft) with access reviews scheduled on a quarterly basis will incur a $3 cost per guest account (4 x 0.75 x number of guests). That might seem like small beans, but costs have a corrosive habit of accruing over time.
DIY Inactive Guest Reviews
It’s not as if Microsoft performs any great magic to detect inactive guests. It’s perfectly feasible to write your own inactive guest removal process and schedule the process using Azure Automation. Your version might not be as pretty as Microsoft’s is, but you can build more intelligence into the review by including searches against audit log data to detect activities other than sign-ins. And a DIY process won’t require Entra P2 licenses either.
Coding a Report of Likely Costs
The Microsoft documentation includes the helpful advice that “You can identify actions that will be billed to the Microsoft Entra ID Governance for guests add-on by looking at your audit logs.” Even a small tenant will have large quantities of data in the Entra ID audit log, so some automation is needed. The data from the Entra ID audit log is eventually ingested into the unified audit log, but in this case, we’ll work with the Entra ID data.
The steps required to find audit log entries that mark chargeable transactions are:
Run the Connect-MgGraph cmdlet to open an interactive Microsoft Graph session. The session needs consent for the AuditLog.Read.All permission, and the signed in user must be an administrator with a role that allows access to the audit logs, like Reports Reader or Security administrator. Finally, the account must have an Entra P1 license, which is needed for API access to audit logs.
Now run the Get-MgAuditLogDirectoryAudit cmdlet to retrieve the audit log entries to analyze. Because Microsoft bills monthly, it seems logical to fetch the logs for the current month:
$FirstDayOfMonth = (Get-Date -Day 1).ToString('yyyy-MM-ddT00:00:00Z') [array]$AuditRecords = Get-MgAuditLogDirectoryAudit -All -Filter "activityDateTime ge $FirstDayOfMonth and result eq 'success'"
I can’t find a good server-side filter to find the audit records for chargeable events, so a client-side filter does the trick:
[array]$GovernanceRecords = $AuditRecords | Where-Object { $_.additionalDetails.key -eq "GovernanceLicenseFeatureUsed"}
The next part scans the governance records to find if guest users are involved. If so, data is extracted and reported:
If ('"Guest"' -in $Record.TargetResources.ModifiedProperties.NewValue) { $UserDisplayName = ($Record.TargetResources.ModifiedProperties | Where-Object {$_.DisplayName -eq "DisplayName"}).NewValue $UserEmail = ($Record.TargetResources.ModifiedProperties | Where-Object {$_.DisplayName -eq "Email"}).NewValue $UserUPN = ($Record.TargetResources.ModifiedProperties | Where-Object {$_.DisplayName -eq "PrincipalName"}).NewValue $UserId = ($Record.TargetResources.ModifiedProperties | Where-Object {$_.DisplayName -eq "TargetId"}).NewValue }
After all records are processed, a report file containing every chargeable event for guest records is available. To reduce the set to individual users, the script sorts the data to extract unique values:
[array]$GovernanceUsers = $GovernanceReport | Sort-Object UserId -Unique | Select-Object UserId, UserDisplayName, UserEmail, UserUPN
Finally, the script reports the results (Figure 2).

You can download the script I wrote from the Office 365 IT Pros GitHub repository.
No Great Insight from Azure Billing
The billing reports for the Azure subscription that is charged has a line item for “P2 monthly active users.” I haven’t seen a detailed list of the guest accounts covered by the charge. Perhaps Microsoft will include this information in the future. If not, I guess it should be easy to correlate the charges levied against a subscription with the list of guest accounts extracted from the audit logs.
Learn more about how the Microsoft 365 applications really work on an ongoing basis by subscribing to the Office 365 for IT Pros eBook. Our monthly updates keep subscribers informed about what’s important across the Office 365 ecosystem.
August 2025 Update for Automating Microsoft 365 with PowerShell eBook
Version 14 of Automating Microsoft 365 with PowerShell eBook Available for Download

The Office 365 for IT Pros team is delighted to announce the release of version 14 of the Automating Microsoft 365 with PowerShell eBook. The book is included in the Office 365 for IT Pros eBook bundle and is available for separate purchase by those who are only interested in PowerShell. Naturally, we recommend the full Office 365 for IT Pros bundle! We’ve also updated the paperback edition of Automating Microsoft 365 with PowerShell that’s available on a print on demand basis from Amazon.com.
This update includes new information about Microsoft Graph APIs, the Microsoft Graph PowerShell SDK, code examples, insights gleaned from experience of using Graph APIs and cmdlets in scripts and with Azure Automation, and so on. Version 14 spans 350 content-rich pages and is essential reading for anyone who wants to work with a Microsoft 365 tenant through PowerShell.
If you have an Office 365 for IT Pros subscription or have purchased the separate version of Automating Microsoft 365 with PowerShell, you can download the updated PDF and EPUB files now. Use the View content link in the receipt you were emailed after taking out your subscription to get the files.
Microsoft Graph PowerShell SDK Updates
Speaking of the Microsoft Graph PowerShell SDK, Microsoft released V2.29 on July 9, 2025, and followed up with V2.29.1 a few days later. Regretfully, there was a total lack of formal communication from Microsoft about why the point release was needed so soon after V2.29 appeared. Sources behind the scenes say that a tooling problem was identified that Microsoft felt they should fix. The Microsoft.Graph.BackupRestore module was the only one affected by the V2.29.1 update.
Be aware that the issue with Azure Automation PowerShell runtimes and the Microsoft Graph PowerShell SDK persists. In a nutshell, use PowerShell V5.1 modules and runbooks with the Graph PowerShell SDK (including V2.29.1) until better news emerges.
Metered API Changes
On July 25, Microsoft published message center notification MC1122144 to announce that they are changing how metered APIs in Microsoft Graph incur costs based on usage. Effective August 25, 2025, a set of APIs will no longer be chargeable and it will not be necessary to set up an Azure subscription to pay for the metered use of the APIs.
To say that this announcement was surprising is an understatement. The set of APIs include the assignSensitivityLabel API used to assign sensitivity labels to Office files and PDFs stored in SharePoint Online and OneDrive for Business (here’s how to assign labels with PowerShell). I guess tenants can now build their own auto-label policies to apply sensitivity labels to target content. The APIs also include the Teams chat export API, which is a good example of what Microsoft calls a high-capacity API (access to data at scale). Perhaps Microsoft now considers that its infrastructure can cope with demands from apps to access large quantities of Teams data.
In any case, after August 25, 2025, Azure will register no further billing events when apps call the APIs and customers will receive a final bill.
On to Version 15 of the PowerShell eBook
PowerShell doesn’t remain static and nor do the modules used in Microsoft 365 tenants. We’ll continue working on the Automating Microsoft 365 with PowerShell eBook to add more content by covering additional Graph APIs and new cmdlets introduced in other Microsoft 365 modules, as well as adding more practical examples to demonstrate the principles of using PowerShell to solve real-world problems.
So much change, all the time. It’s a challenge to stay abreast of all the updates Microsoft makes across the Microsoft 365 ecosystem. Subscribe to the Office 365 for IT Pros eBook to receive monthly insights into what happens, why it happens, and what new features and capabilities mean for your tenant.
New Outlook for Windows Enables S/MIME Inheritance Control
Same NoSignOnReply Control for S/MIME Inheritance for Replies as Outlook (Classic)
Message center notification MC1072404 (last updated 21 July 2025) announces the provision of a control over S/MIME inheritance for email replies. The new setting allows tenant administrators to determine whether S/MIME signatures are inherited by default when people use the Reply and Reply All options to generate responses to signed messages.
Essentially, this is the same capability as previously implemented through ADMX Group Policy template files for Outlook (classic), so it’s part of the ongoing work to make sure that the new Outlook is as functional as Outlook classic before the eventual retirement of the old client sometime in 2029 (that date might change if features aren’t in place).
As an online client, the new Outlook depends more on server-based controls than the policy settings stored in the system registry as used by traditional Office apps. Support is rolling out now and should be complete worldwide by early August 2025. Deployment then moves to GCC and should be finished there by late August 2025.
Dropping OWA
When first announced, Microsoft included OWA along with the new Outlook for Windows. This is logical because the two clients share a lot of code. The new Outlook supports functionality that isn’t in OWA, like PSTs (including the recently-introduced export to PST feature) and better offline access, but generally the two clients support the same set of server settings. This is not the case here as Microsoft has decided not to support S/MIME inheritance for replies in OWA.
Updating S/MIME Settings
MC1072404 states that the NoSignOnReply setting is available in Entra ID. This might mean that the tenant S/MIME configuration is stored in Entra ID. However, the Set-SMIMEConfig cmdlet is very much part of both Exchange Server and Exchange Online (the cmdlet goes back at least as far as Exchange 2013 – I can’t recall if it was available for previous versions). Most of the settings manipulated by the cmdlet affect how OWA deals with S/MIME. The NoSignOnReply setting is explicitly excluded for OWA.
In any case, the default value for NoSignOnReply is $true. This means that reply messages created with Reply or Reply All do not inherit the S/MIME signature (Figure 1) from the original message. However, if the original message is encrypted, the replies inherit the same encryption. Microsoft notes that the default setting is useful when an organization has not configured S/MIME signatures for all users.

When the setting is $false, replies inherit the S/MIME signature from the original message. If this is undesirable (for instance, it’s the wrong signature), the user must open S/MIME settings and remove the signature.
Set-SMIMEConfig -NoSignOnReply $false
Details of the S/MIME configuration can be retrieved using the Get-SMIMEConfig cmdlet.
Sites that Duplicate Message Center Notifications are Useless
While checking details of MC1072404, I noticed that there are many sites that simply take the text of message center notifications and publish them as written. No attempt is made to add any value whatsoever in terms of interpretation, insight, or additional information. It’s a wonder to me why people republish message center notifications in this manner. They might get a few page views, but apart from that they clutter up the internet with duplicated material. In fact, given the way that generative AI summaries are now used by Google and other search engines, the number of page views that these sites gain must be much decreased.
We do report on message center notifications, but only when we think we have something useful to add that helps readers understand the nature of the change and how it impacts the Microsoft 365 ecosystem. We don’t always get things right, but at least we’re not a “me too” site.
So much change, all the time. It’s a challenge to stay abreast of all the updates Microsoft makes across the Microsoft 365 ecosystem. Subscribe to the Office 365 for IT Pros eBook to receive monthly insights into what happens, why it happens, and what new features and capabilities mean for your tenant.
Entra ID Introduces Linkable Token Identifiers for Audit Events
Identifier Makes it Easier to Track User Activities in a Single Session
An interesting July 21 Technical Community announcement describes the introduction of linkable token identifiers for audit events. Essentially, when a user authenticates a session with Entra ID, the session is stamped with a unique GUID (the linkable token identifier). The linkable token identifier is persistent for the session and is inherited by workloads that support the token and inserted into the audit events generated by those workloads accessed during the session.
The idea is that by tracing the linkable token identifier, you can find out what the user did during a session. Linking audit events through the new identifier makes it easier for investigators to query audit data to discover the set of actions taken during a session and their sequencing. This might be necessary to check if an attacker has compromised an account and is exfiltrating data or taking other actions that you don’t want to happen. Of course, account compromise is less likely to happen when user accounts are protected with strong multifactor authentication like the Microsoft Authenticator app, but that’s another story.
The linkable token identifiers are now available in Entra sign-in logs, Exchange Online audit events, SharePoint Online audit events, Teams audit events, and Graph activity logs. Figure 1 shows the identifiers listed in the Entra sign-in log.

Using Audit Searches to Track Activities
Audit events end up in the unified audit log and the article includes a screen shot showing the results of a search using a linked token identifier. Unhappily, the article doesn’t explain that you must use a keyword search to find events linked to a certain identifier (Figure 2).

The reason why a keyword (free text) search is necessary is that workload developers are inconsistent in how they include linkable token identifiers in the AuditData payload of their events. As you’d expect, Entra ID includes a simple SessionId property in the payload, but other workloads like Exchange Online and SharePoint Online refer to the token as AADSessionId.
Finding and Reporting Activities Based on Identifiers
Which brings me to subject of how to search the audit log with PowerShell for all events with a linkable token identifier. The process is reasonably simple. For example, using the Search-UnifiedAuditLog cmdlet, the code is something like this:
[array]$Records = Search-UnifiedAuditLog -Formatted -StartDate $StartDate -EndDate (Get-Date) -UserIds $UserId -FreeText $Session -SessionCommand ReturnLargeSet -ResultSize 5000 If ($Records.Count -eq 0) { Write-Host "No audit records found for session $Session" Continue } Else { $Records = $Records | Sort-Object Identity -Unique $Records = $Records | Sort-Object {$_.CreationDate -as [datetime]} Write-Host ("Found {0} audit records for session {1}" -f $Records.Count, $Session) }
Reporting Audit Events for All Sessions
The code uses a free text search to find all audit events that include the specified linkable token identifier between two dates, removes any duplicates events from the returned set, and sorts the set by the created date.
But how about extending this to generate a report for all events for all sessions within the 30-day period that Entra ID retains sign-in logs. After all, multiple sessions might be created around the same time, and only one of the sessions might be suspicious. To do this, we need to find the full set of sign-in events captured for a user and find the linkable token identifiers in that set. Here’s how to find that information using the Get-MgBetaAuditLogSignIn cmdlet from the Microsoft Graph PowerShell SDK (the beta cmdlet is needed to return the identifiers):
[array]$Logs = Get-MgBetaAuditLogSignIn -Filter "userPrincipalName eq 'lotte.vetler@office365itpros.com'" -All [array]$Sessions = $Logs | Group-Object SessionId -NoElement | Select-Object -ExpandProperty Name
The $Sessions array now contains the linkable token identifiers, and to generate the report, it’s a matter of looping through the set of identifiers to use each with Search-UnifiedAuditLog to generate the set of audit events for the session. Figure 3 shows the kind of report that can be created from the generated data.

The code I used to create the report is available for download from the Office 365 for IT Pros GitHub repository. In addition to the HTML report, the script also generates a CSV or XLSX file (an Excel worksheet is created if the ImportExcel module is available).
Good for Investigators
I’m sure that investigators will appreciate being able to easily connect the dots to discover what happened during a session. Adding linkable token identifiers to audit events is an example of a low-touch, high-value enhancement for Microsoft 365 tenants. It would be nice if all updates had the same impact.
Need some assistance to write and manage PowerShell scripts for Microsoft 365? Get a copy of the Automating Microsoft 365 with PowerShell eBook, available standalone or as part of the Office 365 for IT Pros eBook bundle.
How to Remove Members from Microsoft 365 Groups with PowerShell
Removing Members from Groups Can be Complicated
Recently, I discussed how to use Microsoft Graph PowerShell SDK cmdlets to copy the memberships of Entra ID groups from one user to another. I commented that in some cases you might want to remove the memberships for the source user but left that code to the reader to develop and incorporate into the script.
Within an hour of publication, I received a couple of messages asking how to remove users from group memberships. It’s a fair question because the cmdlets used for the task differ across group types. Specifically:
- For Microsoft 365 and security groups, use the Remove-MgGroupMemberByRef cmdlet from the Microsoft Graph PowerShell SDK. At least, that’s the facile answer. As explained below, the real answer is more complicated.
- For distribution lists and mail-enabled security groups, use the Remove-DistributionGroupMember cmdlet from the Exchange Online management module.
Some ask why the membership of mail-enabled security groups is managed using Exchange cmdlets. The answer lies in the mail-enabled nature of these groups. Because they are mail-enabled, their source directory is the Exchange ExODS (Exchange Online Directory Store) rather than Entra ID. Synchronization and dual-write updates keep the two directories in step.
In any case, removing a user account from a distribution list or mail-enabled security group is straightforward:
Remove-DistributionGroupMember -Identity $GroupId -Member $UserId -Confirm:$false -ErrorAction Stop Write-Host ("User {0} removed from distribution list {1}" -f $TargetDisplayName, $GroupDisplayName) -ForegroundColor Yellow
Why Things are More Complicated with Microsoft 365 Groups
Because of the need to respect how group ownership works, things are a little more complex with Microsoft 365 groups, including the groups used for Teams, and Viva Engage. The rules are:
- If you remove a member, you must check if the account is a group owner. If so, you remove the group owner first and then remove the member.
- However, if the account is the only group owner, you can’t remove them because this would leave the group in an ownerless state.
The Microsoft 365 administrative portals don’t permit the removal of the last owner and insist that groups have at least one owner. It’s possible that groups get into an ownerless state if the account of the last owner is deleted. At that point, the groups ownership governance policy can attempt to find a new owner (if the tenant has Entra P1 licenses) or you can write a PowerShell script to look for a new owner.
Code to Remove Members from Microsoft 365 Groups
The logic for removing a group member is therefore:
- Use the Get-MgGroupOwner cmdlet to fetch the set of group owners and check the set to see if the member being deleted is a group owner.
- If yes, and the number of owners is one, exit.
- If yes, and more than one owner exists, run the Remove-MgGroupOwnerByRef cmdlet to remove the owner first and then run the Remove-MgGroupMemberByRef cmdlet to remove the member.
The usual approach for this kind of processing is to create a function, so here’s an example of a function that takes the user identifier, group identifier, and group display name as parameters (the latter is purely for output purposes) to process the removal of a user account from a Microsoft 365 group or security group:
function Remove-UserFromM365Group { # Remove a user account from a Microsoft 365 group, checking if the user is an owner first. # If the user is an owner and they are not the last owner, # the function removes the user from as both an owner and a member of the group. param ( [Parameter(Mandatory = $true)] [string]$UserId, [Parameter(Mandatory = $true)] [string]$GroupId, [Parameter(Mandatory = $true)] [string]$GroupName ) $Outcome = $null [array]$Owners = Get-MgGroupOwner -GroupId $GroupId | Select-Object -ExpandProperty Id if ($UserId -in $Owners) { if ($Owners.count -eq 1) { Write-Host ("The {0} group has only one owner - can't remove the last owner" -f $GroupDisplayName) -Foregroundcolor Red $Outcome = "Failed - can't remove the last owner of a group" return $Outcome } Write-Host ("User {0} is an owner of group {1} - removing both owner and member links" -f $TargetDisplayName, $GroupDisplayName) -ForegroundColor Yellow try { Remove-MgGroupOwnerByRef -DirectoryObjectId $UserId -GroupId $GroupId } catch { Write-Host ("Failed to remove user {0} as owner from group {1}: {2}" -f $TargetDisplayName, $GroupDisplayName, $_.Exception.Message) -ForegroundColor Red $Outcome = "Failed to remove owner" return $Outcome } } try { Remove-MgGroupMemberByRef -DirectoryObjectId $UserId -GroupId $GroupId } catch { Write-Host ("Failed to remove user {0} as member from group {1}: {2}" -f $TargetDisplayName, $GroupDisplayName, $_.Exception.Message) -ForegroundColor Red $Outcome = "Failed to remove member" return $Outcome } $Outcome = ("User {0} removed from group {1}" -f $SourceDisplayName, $GroupDIsplayName) return $Outcome }
Better PowerShell developers than I could probably tidy the function, but the code works and demonstrates the principles behind removing members from a Microsoft 365 group (or security group), which is what I set out to do. I’ve updated the original script in GitHub, and you can download the complete code from the Office 365 for IT Pros repository.
Figure 1 shows how to run the script, specifying a source account, a target account, and a Boolean parameter controlling whether to remove the transferred memberships from the source account.

Removing Members from Groups Requires Knowledge
The question about removing group memberships is a great example of why it’s important to understand the technology and how Microsoft 365 really works before attempting to automate operations. Many blogs give partial answers. Without knowledge, you can’t fill in the gaps to create a complete answer, which is why we have the Office 365 for IT Pros eBook including the companion Automating Microsoft 365 PowerShell eBook.
Need some assistance to write and manage PowerShell scripts for Microsoft 365? Get a copy of the Automating Microsoft 365 with PowerShell eBook, available standalone or as part of the Office 365 for IT Pros eBook bundle.
Be Careful with Retention Labels Configured with Created Date Expiration
Older Files With Long Retention Periods Might Disappear Unexpectedly
Microsoft introduced retention policies and retention labels as part of its Office 365 Data Governance Framework in April 2017. These components are part of the Purview Data Lifecycle Management solution now. Capabilities have evolved a lot since 2017 in areas like special auto-label policies for “cloudy” attachments, disposition reviews, and the use of trainable classifiers, but the basics remain the same. Retention policies or retention labels track how old items are and when those items reach a threshold, a retention action happens. Often, the action is to delete the item.
Which brings me to a puzzling experience I had a few weeks ago when spreadsheets that I use to track various topics disappeared. The items that I noticed all came from my OneDrive for Business account, and when I checked there, I found the items in the first stage recycle bin. The question was what action moved the items into the recycle bin.
Old Retention Labels Might Have Simple Settings
The answer was simple. When Microsoft introduced retention labels and policies, I created a batch of labels and started to use them to manage content. At the time, things were simpler, and retention operated on creation date. Today, you can choose for retention to operate on the basis of the last modified date, which is the setting I use in more recently-created retention labels. Monitoring the last modified date is better because it means that files that remain in active use are not removed by retention processing, which is probably what you want.
The retention label applied to the disappeared files had a long retention period (Figure 1) but counted the retention period from the created date. It just so happened that all the files that ended up in the recycle bin were created in early 2015 and had therefore reached the end of the retention period. The next time Purview processed OneDrive, it duly noted the fact and took the retention action to move the files into the recycle bin.

Mystery Solved
The mystery of why my files suddenly disappeared from view was solved, but there’s a serious lesson to be learned here. It is quite likely that other Microsoft 365 tenants have retention policies or labels that operate on a “when created” rather than “last modified” basis. Checking the created date for files is very effective at clearing out old material but falls down when that material, although old, is still in active use.
The problem is that you can’t simply update a retention label to change its retention settings. You can change the retention period to increase or decrease the number of days for Purview to retain an item, but you cannot change “when created” to “last modified.” Increasing the retention period is a pragmatic way to solve the immediate problem, but it means that some files that should be removed will stay around for longer, and that’s a bad thing in an era when AI tools cheerfully consume even the oldest and most outdated information to generate responses.
A better long-term solution is to replace old retention labels with updated versions that use the last modified date. This article explains how to use the Get-MgDriveItemRetentionLabel cmdlet from the Microsoft Graph PowerShell SDK to read the retention label applied to files and the Update-MgDriveItemRetentionLabel to apply a replacement label (the same cmdlet can apply a default retention label to a folder). Another Practical365.com article looks at some of the business reasons why it might be necessary to replace retention labels on files, including a script to do the job.
Solving the Problem in Code
In my case, I took the script I wrote to report files stored in a OneDrive for Business account and ran it to identify what retention labels are applied to files in OneDrive. I then created a replacement retention label with the same retention period but with modified date as the test for retention. Finally, I copied the reporting script and modified the function that reads retention label data to look for the label (or labels) to replace and called the Update-MgDriveItemRetentionLabel cmdlet to assign the new label. You can download the script from the Office 365 for IT Pros GitHub repository.
Unfortunately, the gods of scripting (or APIs) intervened and the underlying Graph API developed a problem when updating labels. The same issue surfaced in the SharePoint PnP module. I’ve reported the problem and hope that Microsoft solve the issue soon. In the meantime, I updated the retention labels manually for several important files to make sure that Purview wouldn’t remove them. It’s disappointing that the script doesn’t work at present, but it will in the future.
Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.
Changes Coming to Smoothen Edges in Microsoft Authenticator App
Better Use of Number Matching and a Refined First Run Experience

The developers of the Microsoft Authenticator app have certainly been busy recently. Following on their announcement that a September 2025 update will make backup and restore easier, we now have the news released in message center notification MC1117816 (18 July 2025) that an update around the same time to simplify the sign-in experience and improve onboarding for users.
Modified Number Matching
In 2022, Microsoft added number matching to the Microsoft Authenticator app to reduce “MFA fatigue,” a symptom that can happen when users are asked to approve a stream of multifactor authentication challenges and can do so with a simple click. If a user responds with a series of clicks (without too much thinking), it makes it easier for an attacker to slip a bad challenge into the stream. Displaying a number and asking the user to match the number from a set of choices forces the user to pay attention. If they don’t, they probably won’t satisfy the challenge. Number matching became generally available in May 2023.
Good as number matching is at seizing user attention, it can sometimes run into difficulties. The most obvious is when Authenticator responds to a sign-in request for an app running on the app. The notification that a response is necessary can appear over the sign-in screen, meaning that the user can’t see the number they need to enter to satisfy the response.
To solve the problem, Microsoft is replacing the number choice with a simple yes or no. The experience is seamless on Android because all apps will pick up the new mechanism. On iOS, users of the Single Sign On (SSO) plug-in will still need to switch to the Authenticator app to complete the sign-in, but number matching won’t be required.
Users signing in from another device will still use number matching to satisfy the multifactor authentication challenge.
I have not seen the change in action, but I am familiar with the issue that Microsoft is attempting to solve. Indeed, so many notifications can pop-up on a busy device that tracking down authentication requests can be challenging. Anything that’s done to smoothen the user experience will be welcome.
Improving the First-Run Experience (FRX)
Microsoft is also making changes to the initial setup of the Authenticator app to give Entra ID accounts priority over personal accounts. I think this makes sense. The more that can be done to make multifactor authentication seamless for Entra ID users, the better the chances of driving the adoption of multifactor authentication in Microsoft 365 tenants. Attackers still target vulnerable accounts with techniques like password sprays.
According to Microsoft, 99.9% of compromised Entra ID accounts don’t use multifactor authentication. That figure should be sobering enough for any tenant administrator to take immediate action to improve their security stance by insisting that all user accounts are protected with multifactor authentication.
And if the Microsoft Authenticator app is easier for people to use, the resistance to moving from more traditional methods of satisfying challenges, like SMS, will be reduced. Some nagging is likely still needed (here’s a script to help) to convince tenant users to adopt strong multifactor authentication methods, but anything to remove barriers is a good idea.
Microsoft also says that they plan to make the option to scan a QR code more obvious. Again, this is goodness because many sites use QR codes as part of the multifactor authentication enrolment process.
Not Big Changes
Neither of the changes described here are in the category of earthshattering updates. Instead, the changes refine how the Microsoft Authenticator app works to make it easier for the average person to use. That’s a good thing, and I look forward to seeing the changes appear in September 2025.
Support the work of the Office 365 for IT Pros team by subscribing to the Office 365 for IT Pros eBook. Your support pays for the time we need to track, analyze, and document the changing world of Microsoft 365 and Office 365. Only humans contribute to our work!
Teams Gains New Accent Colors
Keep the Default Accent Color or Choose New One
I thought that life was complete when Teams delivered multiple emoji reactions for messages. Now I know I was mistaken because MC1115312 (14 July 2025, Microsoft 365 roadmap item Microsoft 365 roadmap item 497139) announces the arrival of customizable accent colors, which begin to roll out for Teams desktop and browser (but not mobile) clients in late July 2025. Worldwide deployment is scheduled to be complete by the end of August 2025.
I’m unsure of quite how many people have ever woken up saying how nice it would be if Teams supported a selectable accent color – or how many people understand the purpose of an accent color. Mozilla documentation explains that an accent color is a cascading style sheet (CSS) property that sets the color of certain user interface controls.
Selecting a Theme Accent Color
Given that the Teams UX is basically a big browser app, it doesn’t come as a surprise that a style sheet property is involved, but what does it do? Well, users can select a color from a set presented in the Appearance section of the Settings app (Figure 1). According to Microsoft, this is a “visual customization” of the Teams interface that “enhances the user experience.”

The ten colors in the set range from the default (a wishy-washy light blue) to Red to Teal to Pink to Grey. You can’t add extra colors, so Teams can’t comply with expensive corporate brandings that feature an exact shade defined in a Pantone code. There is no administrative control available to set an accent color for users or to disable the option to select an accent color. Choosing an accent color is a purely cosmetic change that is user-driven to reflect personal rather than corporate choice.
You might scoff about the need to respect corporate branding, but I remember a heated debate inside Digital Equipment Corporation when a new CEO decided to refresh the iconic logo with new colors. Cue a surprisingly vicious fight between people who liked different shades of burgundy…
How Teams Uses an Accent Color
When you select a new accent color, Teams uses that color for many different elements in its user interface. The best example I could come up with is from the new threaded layout for channels where the accent color is used to highlight the base topic for a thread. I chose Red as my account color, and you can see the effect in Figure 2. Other elements that use the color include the count of notifications at the top of the screen, hyperlinks, and the display names of conversation participants.

After selecting such a bold color, you can appreciate why the Teams developers chose a muted color as the default (the first color in the list of available accent colors). Figure 3 shows an even more garish appearance using a yellow accent. Of course, beauty is in the eye of the beholder, and you might consider this to be just the kind of thing you want to see when browsing conversations.

Teams uses the chosen accent color in both home and host tenants, so if you’re a guest member of teams in other tenants, your selected color shows up there too. However, the color choice is specific to a workstation, and if you use Teams on another device, you’ll get whatever color is selected there.
One oddity I noticed is that selecting a color in Teams affects the display of other applications. For example, this blog is hosted by WordPress, and the Jetpack stats view (of page views, etc.) changed its color when I selected a new color in Teams. This might just be coincidence, but that’s less likely when the same thing happens on two PCs.
Customization is Good
I don’t think anyone can argue that the provision of options to allow users to customize their working environment is a bad thing. However, sometimes I wonder why effort is expended on developments like selectable accent colors when so much else could be done to address other issues.
So much change, all the time. It’s a challenge to stay abreast of all the updates Microsoft makes across the Microsoft 365 ecosystem. Subscribe to the Office 365 for IT Pros eBook to receive monthly insights into what happens, why it happens, and what new features and capabilities mean for your tenant.
Microsoft Introduces Exchange 2016/2019 Extended Security Program
Six Months of an Extended Security Update Program from October 2025 to April 2026

Those who aren’t dedicated followers of the EHLO blog might have missed two interesting posts this week. The first covers delicensing resiliency for Exchange Online and the news that Microsoft is reducing the threshold for this feature to 5,000 tenant mailboxes. I think the feature should be available to all Exchange Online tenants, but let’s leave that debate aside.
Coping with the consequences of a mailbox becoming delicensed isn’t such an issue for Exchange on-premises organizations. They have their own challenge, notably the need to upgrade to Exchange Server Subscription Edition (SE) before Exchange 2016 and Exchange 2019 exit support on October 14, 2025.
Updating a Server to Exchange Server SE is Boringly Easy
The second EHLO post of the week offers a lifeline to organizations who don’t believe that they can deploy Exchange Server SE by the October 2025 deadline. Performing an in-place server upgrade to Exchange Server SE is the easiest Exchange upgrade an on-premises administrator is likely to ever know. It’s been described as “boring” because literally nothing happens apart from version numbers being updated and a few other minor tweaks. The fact that Exchange 2019 and SE share the same documentation for system requirements testifies to the closeness of the two products.
Microsoft designed the upgrade to the first iteration of Exchange Server SE to be boring to remove the barrier where administrators believe that an Exchange upgrade is a major event with many potential problems lurking under the surface waiting to make a server inoperative. Read the documentation, follow the steps laid down, and your update will proceed smoothly.
Factors Stopping Upgrades Happening
Although the server upgrade is easy, there’s usually some other factors that come into play that can slow deployment. Now is peak vacation period so people might not be available. The organization might decide to introduce new hardware or roll out Windows Server 2025. This might be especially so when the organization runs Exchange 2016 on an older version of Windows Server (here’s the operating systems matrix). In any case, lots of preliminary steps might need to be resolved before anyone sits down to update a server.
To help organizations that are struggling to get their ducks in a row to allow the deployment of Exchange Server SE to proceed, Microsoft is therefore introducing a six-month Extended Security Update program. The idea is simple: After August 1, 2025, customers can contact their Microsoft account team to request a subscription to a new product SKU that entitles them to receive security updates for Exchange 2016 and Exchange 2019 for six months. The price of the SKU is per-server, and it’s assumed that the Microsoft account team knows how many servers a customer operates so that they can calculate an initial price before any discounts are negotiated. If you don’t have a Microsoft account team, call the local Microsoft office and get them involved.
There are several important points to consider before proceeding to enrol in the Extended Security Program:
- The agreement only lasts six months and Microsoft doesn’t plan to extend it past April 14, 2026.
- During the agreement, Microsoft will deliver security updates for problems that the Microsoft Security Response Center deems to be critical or important. In other words, a security issue must meet a threshold before Microsoft will create a security update for Exchange 2016/2019.
- Security updates issued through the program will be released privately to program participants. You won’t be able to download the updates from the Microsoft download center.
- There’s no guarantee that any security problems will emerge between October 15, 2025, and April 14, 2026. In other words, this is insurance in case a problem happens, and no refunds are coming if the security landscape remains calm throughout the six-month program lifetime.
- Microsoft says that they will inform program participants if a security update is available on Patch Tuesdays during the covered period.
- The Extended Security Update Program does not affect the end-of-lifetime support dates for Exchange 2016 and Exchange 2019. Those dates remain as they are. This program only covers security issues.
Not a Revenue Generating Opportunity
Cynics will say that this is yet another example of Microsoft adjusting deadlines, this time to create an opportunity for a little extra revenue by charging customers for six months of security insurance. Pragmatists will recognize just how slow Exchange Server updates have been since Exchange 2000 appeared. Given the engineering costs involved, I doubt Microsoft will make much if anything from the Extended Security Update program. This is no more and no less than a lifeline for those who need that extra time.
Your support pays for the time we need to track, analyze, and document the changing world of Microsoft 365 and Office 365. Only humans contribute to our work, which includes topics like Exchange Server SE that are important to hybrid Microsoft 365 deployments.
Exchange Online Reduces Delicensing Resiliency Threshold to 5,000 Mailboxes
Delicensing Resiliency Protects Against Data Loss – Should Be Available to All

According to an EHLO July 15 post, Microsoft has decided to reduce the threshold for delicensing resiliency from the original level of 10,000 mailboxes announced in November 2024 to 5,000. In other words, the feature to protect against inadvertent data loss due to mailboxes becoming unlicensed is only available for tenants with more than 5,000 mailboxes.
I think the feature should be available to all Exchange Online tenants. Apart from some notional accounting savings accrued by removing unlicensed mailboxes from tenants without a 30-day grace period, Microsoft has no good justification for restricting delicensing resiliency to large tenants. Here’s why.
A Sticking Plaster for Group-Based Licensing
First, delicensing resiliency is a sticking plaster fix to a problem in Microsoft group-based licensing that can cause an account to end up in a situation where it has no license that includes an Exchange Online service plan. When this happens, Exchange Online detects the unlicensed state of the mailbox and disconnects the mailbox to make it inaccessible. The grace period granted through delicensing resiliency allows administrators the time to recognize and correct license allocation mistakes.
The problem was more evident before Exchange Online supported license stacking (the ability for an account to have several licenses with Exchange Online service plans). Stacking allows a mailbox to remain licensed even when an Exchange license is removed from an account. But group-based licensing can become complex when multiple groups are used to assign licenses, including dynamic groups. A change to someone’s membership of a group (or a change to a property that includes them in a dynamic membership) can result in license removal and hence a mailbox disconnection.
It would be better if Microsoft sorted out group-based licensing to remove the possibility of accounts becoming unlicensed. Perhaps the Microsoft 365 admin center, which took responsibility from Entra ID for the management UX for group-based licensing in 2024, could develop a “what if” feature to show administrators what will happen if a change is made to a group and warn against removal of access to critical apps like Teams and Exchange. And in the interim, Exchange Online could make delicensing resiliency available to all tenants.
OneDrive for Business is the Other Major User Personal Storage
It’s not as if such a step would be something new and dramatic. The default retention period for OneDrive for Business accounts belonging to deleted user accounts is 30 days, and that period can be extended to allow nominated individuals to check OneDrive to harvest essential business information. OneDrive and mailboxes are the two primary personal storage locations within Microsoft 365. A similar level of access to the two types of objects should be possible following license removal (often because of account deletion).
Use Retention to Make Unlicensed Mailboxes into Inactive Mailboxes
Another reason for extending delicensing resilience to all tenants is that “big” tenants usually can protect against inadvertent deletion by putting a retention or litigation hold (or holds) on mailboxes to ensure that Exchange Online puts deleted mailboxes into an inactive state. This is another good way to ensure that mailboxes remain available even if a deletion in error occurs. Inactive mailboxes are available to any size of tenant that can set retention holds and there’s no arbitrary number of mailboxes that must be met.
Delicensing resiliency is easier for tenants to use than inactive mailboxes are because the mailboxes remain online and connected. Inactive mailboxes need to be reconnected through administrator intervention. That might have an advantage because the administrator might then understand that a problem exists in how the tenant manages licenses.
All We Need is Simplicity and Consistency
Although there is goodness in building features that protect against data loss, it would be even better if Microsoft was consistent in its policies and practices for controlling user data across the entire Microsoft 365 suite. We’re 14 years into the Office 365 era and while great progress has been made in some area to achieve consistency across workloads, gaps still exist. Blaming the roots of on-premises products is not acceptable any longer. Joined-up thinking is needed, and that doesn’t appear to be the case here.
In the interim, if your tenant has more than 5,000 mailboxes, update your organization configuration to enable Delicensing Resliency using the following command:
Set-OrganizationConfig -DelayedDelicensingEnabled:$true
Support the work of the Office 365 for IT Pros team by subscribing to the Office 365 for IT Pros eBook. Your support pays for the time we need to track, analyze, and document the changing world of Microsoft 365 and Office 365. Only humans contribute to our work!
Copilot Studio Agent Vulnerability to Prompt Injection
Copilot Studio Agent Sends Salesforce Customer Data to Attacker
The July 7 report (“A Copilot Studio Story 2: When AIjacking Leads to Full Data Exfiltration“) from Zenity Labs is sobering reading for anyone considering how to introduce Copilot agents within a Microsoft 365 tenant. In a nutshell, Zenity created a replica of a “flagship example” of an agent created using Copilot Studio built by McKinsey & Co and proved that a an email containing a prompt injection sent to the agent could result in the generation of an emailed response containing customer data sent back to an attacker.
I have an instinctive suspicious of reports issued by security researchers because there are too many examples of overhyped text designed purely to enhance the credentials of the company. In this instance, the Microsoft Security Response Center took the issue seriously, so we should too.
The Problem is Still There
We’ve been down this path before with Copilot because researchers reported how they had compromised BizChat at sessions at the Black Hat USA conference in 2024. Copilot agents didn’t exist at the time, but the same method of sending a message for Copilot to process that convinced Copilot to do bad things was used.
Zenity reported the exploit described in the article to Microsoft, who fixed the problem in late April 2025, most likely through the deployment of a “prompt shielding mechanism.” The net result is that attackers cannot use the same avenue to exfiltrate large quantities of data. However, the kicker is that the fix works for the attack as described, but as Zenity says “Unfortunately because of the natural language nature of prompt injections blocking them using classifiers or any kind of blacklisting isn’t enough.” In other words, attackers can find new ways to use natural language prompts to convince agents to do silly things.
The Stupidity of Agents
The problem is, despite all the hype around artificial intelligence, Copilot agents are essentially stupid. They cannot distinguish between good and bad users, nor can they decide that an action demanded of them is wrong or inappropriate. As we head into an era where agents can talk to agents, the need for increased oversight about what agents do and how they do it is all too apparent.
Managing agent objects in Entra ID is a good way to incorporate agents within the infrastructure, but that doesn’t do anything to reveal what agents do in response to different user prompts, including prompts deliberately intended to do harm. You could pour over the details of Copilot interactions captured by the aiInteractionHistory API or the compliance records captured in user mailboxes by the Microsoft 365 substrate searching for evidence of attacker intervention, but what would you look for? Searching for the one API record where 500 Salesforce customer records are sent to an address in Russia might be the equivalent of seeking the proverbial needle in a haystack.
Although ISVs can work on the problem of agent governance, it’s obvious that ISVs can only work with agents using the APIs and data made available by Microsoft. Dealing with prompt injections is something that will remain a Microsoft competence.
As AI tools become more embedded into our work, the more attackers will be interested in seeking gaps. The battle between Microsoft and the bad guys to protect Copilot (apps and agents) is likely to be a ping-pong contest of exploit followed by remediation
The Goodness of Copilot Studio Agents
Don’t get me wrong. I like the ease of use that Copilot Studio brings to the agent creation process. Even an old duffer like me can create and publish an agent from Copilot Studio (Figure 1). We’re simply at the point in the evolution of AI tooling where security, governance, and management struggle to keep up with the pace of innovation and overhyped expectations.

It would be an overreaction to block users from being able to develop agents with Copilot Studio. Some controls are necessary and restricting those who develop agents to a limited group with oversight before publication seems like a reasonable step. I’m sure that more comprehensive development methodologies and structures will emerge over time and will be discussed on the web and at conferences. I’m looking forward to hearing what the experts say at the TEC event in Minneapolis at the end of September. Come along and join the debate!
So much change, all the time. It’s a challenge to stay abreast of all the updates Microsoft makes across the Microsoft 365 ecosystem. Subscribe to the Office 365 for IT Pros eBook to receive monthly insights into what happens, why it happens, and what new features and capabilities mean for your tenant.
Microsoft 365 Copilot Search Now Available
Copilot Search Delivers Even More Intelligence?
Prior to Microsoft’s Copilot launch in March 2023, search was simple. Google dominated and had educated people into performing keyword-based searches to find information. Today, the situation isn’t quite so straightforward. AI-generated executive summaries are the norm for Google and other search engines. Keyword-based searching is very different now.
Copilot came with promise of radically better search. I think Microsoft 365 Copilot has lived up to this promise, but only for Graph-based searches for documents, messages, and email, Web-based searches depend on Bing, and that dependency makes web results less than spectacularly wonderful. Some thought that semantic search would make a big difference, but given that Copilot functions without semantic search, its influence is marginal at best.
Copilot Search Mark 2
Microsoft has a reputation for getting things right on the second or third attempt, which brings us to the launch of Microsoft 365 Copilot search, “a new AI-powered, enterprise-grade search experience” for tenants with Microsoft 365 Copilot licenses. The technology is described in message center notification MC1108844 (3 July 2025, Microsoft 365 roadmap item 490778). The new search is available in targeted release tenants now and is scheduled for general availability starting in mid-July 2025.
According to Microsoft, “Copilot Search leverages Microsoft Graph and Microsoft 365 Copilot connectors to index content across Microsoft 365 and third-party apps. It interprets user context, natural language, behavioral signals, and organizational relationships to deliver highly personalized, context-aware answers to complex queries.” That’s quite a mouthful. After using the new search for several days, it reminds me of the Microsoft Search in Bing feature (retired in March 2025) with a hint of Delve, all wrapped up with BizChat. Microsoft says that the integration with BizChat enables users to move seamlessly from search to task execution.
Copilot Search in Action
After reading the documentation, I headed to the Microsoft 365 Copilot app and selected the Search option, making sure that the option to use the new search was selected. I’ve written extensively about Entra ID license management, so proceeded to see what Copilot Search could find. Figure 1 shows the results. Instead of a simple list of results with the ability to filter by type (files, sites, people, messages, and so on), Copilot Search presents what Microsoft considers to be a more intelligent view, including an extract from the Copilot chat response to the question posed in the search. The full chat response is available by clicking the Continue reading button. In essence, you then participate in a full-blown conversation with Copilot.

The Modified drop-down offers filters for the past 24 hours, past week, past month, and past year. Under Results, you can refine the results based on items found in SharePoint Online, the web (other sites), Outlook mail, and Teams messages (not shown in Figure 1). Loop workspaces and pages are also scanned by search and are included in SharePoint results rather than having their own type.
The web results are generated from Bing, so the normal caveat applies to the accuracy and usefulness of Bing. Microsoft documentation is heavily favored by Bing, so it’s of no surprise that the top two results listed come from that source. Better results are generated if you include a target website address to search. For example, “What Practical365.com articles cover the topic of Entra ID license management”
Like BizChat, the DLP policy for Copilot stops Office documents and PDF files assigned specific sensitivity labels turning up in search results.
Pity About Bing, but Copilot Search Excels with Graph Searches
Like any search, the new Copilot search takes some getting used to before it becomes an effective and efficient tool in user hands. The dependency on Bing weakens the ability of Copilot search to beat Google or other search engines, but the ability to find items in Graph-grounded searches is unmatched. That, and the smooth integration with BizChat and the ability to save output in Copilot pages will likely please people enough to drive usage.
Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.
Microsoft Graph PowerShell SDK V2.29 Now Available
New Version Released on July 9
On July 9, 2025, Microsoft released V2.29 of the Microsoft Graph PowerShell SDK to the PowerShell Gallery (Figure 1). The release notes are available but don’t really throw much light into what’s been updated and the set of issues registered in GitHub for the SDK hasn’t gone down, so it’s hard to know exactly what changes Microsoft has made in V2.29. The only way to check is to install V2.29 and run some cmdlets, which is what I did. I used the script described in this article to refresh my PC and picked up recent updates for SharePoint Online and Teams along with the SDK.

Azure AD PowerShell Finally Going Away
Microsoft recently set the final (no, it won’t be shifted again) retirement date for the Azure AD and Azure AD Preview modules. The underlying infrastructure powering these modules will be turned off in mid-October 2025. It’s not like the slow withdrawal of the MSOL module where some cmdlets (license management) stopped working and others limped on until the module’s retirement in March 2025. Once the shutters come down in mid-October, the Azure AD cmdlets stop working and scripts fail. It’s time to migrate code to use the Microsoft Graph PowerShell SDK, or if you insist, the Entra module (which is based on the SDK).
Testing Microsoft Graph PowerShell SDK V2.29
Migrating to an unstable platform is a bad idea, and the sad fact about the Microsoft Graph PowerShell SDK is that some recent versions have been unmitigated disasters. Released in May, V2.28 of the SDK fixed many problems. The good news is that the suite of commands that I use to test new SDK versions uncovered no problems in dealing with users, groups, sites, mailboxes, and other objects. The new version seems to be as stable as V2.28.
Given the size of the SDK and the number of cmdlets (44,555 spread across the V1.0 and beta modules according to the Get-Command cmdlet), there’s no way that the tests I do will reveal every potential problem in an SDK release. All I can say is that the code in the scripts that I use for testing work without a problem. You can download many of the scripts that I test with from the Office 365 for IT Pros GitHub repository.
Before committing to upgrading a production environment to V2.29, I suggest that you update a couple of workstations and test scripts there. If everything checks out, you can then proceed with a tenant-wide rollout.
Azure Automation Blues
When Microsoft released V2.28 of the SDK, they acknowledged a problem with PowerShell V7.2/V7.1 runtime support in Azure Automation. In a nutshell, it all comes down to the version of .NET supported by the SDK. Microsoft said that the problem would be resolved when Azure Automation supported the V7.4 PowerShell runtime. At the time, support was supposed to appear around June 15. That date was missed and when I checked today, only Azure Automation runbooks configured for the V5.1 runtime worked. V7.1 and V7.2 runbooks barf with an “Invalid JWT access token” error caused because the Connect-MgGraph cmdlet cannot run to authenticate the session.
Until you hear differently, stay with PowerShell V5.1 for your Azure Automation runbooks. Microsoft will eventually get all of the pieces that it owns and maintains into alignment. It’s just sad when obvious gaps appear between important Microsoft 365 automation components.
Still Positive
Despite the recent issues with the Microsoft Graph PowerShell SDK, I’m still very positive about the SDK. Sure, there’s a learning curve to master when coming from more traditional modules like Azure AD. Yes, the issues are maddening and Microsoft’s seeming inability to drive quality in an essential component is infuriating. But despite all that, the SDK allows you to get behind the scenes of Microsoft 365 in a PowerShell-friendly manner, and that’s what really counts.
Need some assistance to write and manage PowerShell scripts for Microsoft 365? Get a copy of the Automating Microsoft 365 with PowerShell eBook, available standalone or as part of the Office 365 for IT Pros eBook bundle.
Easier Configuration Promised for the Microsoft Authenticator App
Authenticator Embraces a New Method for Account Backup and Restore
My article about adding QR codes to the Microsoft Authenticator app for Entra ID guest accounts is one of the more popular on the Office365itpros.com site. Given the increasing use of multifactor authentication to protect Microsoft 365 accounts and the need for stronger authentication methods to replace insecure SMS-based challenges, it’s unsurprising that the Authenticator app is a popular choice. The app is easy to use and it’s a strong authentication method, so many boxes are ticked.
Where the Authenticator app falls down is when a user gets a new phone, either by choice or through necessity. The gloss of buying a brand-new iPhone is diminished by the pain of reconfiguring the authenticator app to regain access to accounts. Microsoft wants to remove that pain with a “more seamless and secure backup and restore experience using iCloud and iCloud Keychain.”
The change is reported in message center notification MC1111780 (8 July 2025) and will be delivered in an app update that’s expected to roll out in September 2025 with full worldwide deployment scheduled to complete in October 2025. Tenant administrators cannot affect the progress of the roll out, and the change is effective after the installation of the updated app on an iOS device (the Authenticator app also supports iPad devices).
Eliminating the Need for a Microsoft Personal Account
Today, the Authenticator app needs a Microsoft personal account (Figure 1) to backup account names and third-party time-based one-time password (TOTP) credentials used by sites like GitHub and Twitter (the site issues a challenge that is satisfied by a six-digit number generated by the Authenticator app).

Instead of using a Microsoft account for backup and recovery, Authenticator will use the iCloud keychain. Setup of new devices is therefore performed completely within the iOS ecosystem, so it’s smoother and less prone to error. Users don’t have to do anything to benefit from the update. It is enabled automatically if the device runs iOS 16.0 or later and the user’s iOS account enables iCloud and iCloud keychain. It’s likely that relatively few iOS users don’t have these components enabled. Apple is very successful at convincing iOS users to move to new versions of the operating system, so the iOS 16.0 requirement is unlikely to be an issue either, especially in corporate environments.
After the update, Authenticator backs up all account names and third-party TOTP credentials using the iCloud keychain. Nothing else is backed up, specifically Entra ID credentials are not stored, so after moving to a new iOS device, users must sign into their accounts to complete setup.
A Need for User Communication
During the period between now and September 2025, Microsoft will flag the upcoming change with messages in the Authenticator app to inform users about a “new way to backup your account” on its main screen. The settings screen will have a message about replacing the existing iCloud backup mechanism with an enhanced version. It’s possible that users will generate some help desk calls when they read these messages, so organizations should consider some proactive communications to explain what’s happening in non-technical, practical terms.
Finding iOS Devices That Might be Affected
With an eye on communications, the need exists to identify the users of iOS devices that might use the Authenticator app. One of the advantages of having a large repository of PowerShell scripts is the availability of code that can be repurposed. The trick is to figure out what bits to use.
After thinking about it, I decided to reuse some code to report user-preferred authentication methods to find users who’ve opted to use push-based methods. The devices in use can be Android or iOS, so it’s necessary to refine the set to select those who use iOS. The Get-MobileDevice and Get-MobileDevice Statistics cmdlets reveal the operating system used by devices that synchronize with Exchange Online with apps like Outlook for iOS. By checking the devices used by the folks who’ve signed up for push-based methods, we can find and report the people who are actively using iOS. You can download the script from the Office 365 for IT Pros repository. Some sample output is shown below.
Users of iOS devices that are actively in use --------------------------------------------- User UPN DeviceOS ---- --- -------- Jeff Guillet Jeff.Guillet@office365itpros.com iOS 18.5 22F76 John James John.James@office365itpros.com iOS 18.5 22F76 Tony Redmond Tony.Redmond@office365itpros.com iOS 18.5 22F76
This is a good example of using different sources of Microsoft 365 data to answer a question. Of course, you must know about the sources available to you, but that comes with experience.
Looking Forward to the Upgraded Authenticator App
I’m looking forward to the upgraded Authenticator app. My iPhone 14 is showing signs of age and it’s time to consider moving to a new iOS device (I’ve never used Android). If Microsoft’s promise is correct, the transition should be easier than ever before, and that’s a worthwhile change.
Support the work of the Office 365 for IT Pros team by subscribing to the Office 365 for IT Pros eBook. Your support pays for the time we need to track, analyze, and document the changing world of Microsoft 365 and Office 365. Only humans contribute to our work!
Improving the Processing of Protected Messages in Shared Mailboxes
Mail-Enabled Security Groups with Full Access to Shared Mailboxes Makes Access to Protected Messages Easier to Control
Microsoft Purview Message Encryption (previously Office 365 message encryption) or OME allows users to apply two pre-defined rights management-based templates called Do Not Forward and Encrypt Only to protect email. Messages sent to other Microsoft 365 tenants can be read inline by Outlook clients while recipients of messages sent to other email services can read the protected content through the OME portal. Protection extends to email attachments.
Unlike the sensitivity labels created for tenants, administrators cannot edit the settings of the OME templates. The same settings apply in all tenants where OME is configured. For instance, when Outlook clients open messages protected by the Do Not Forward template, the clients disable the Forward, Save As, and Print options and don’t allow the recipient to change the recipient list for a reply.
Improving Access to Protected Messages Delivered to Shared Mailboxes
Shared mailboxes are an important part of the Exchange Online messaging landscape. Since the introduction of Azure Information Protection in 2016, Microsoft has steadily improved the ability of users with access to shared mailboxes to process protected messages. A recent important enhancement is described in message center notification MC794814 (21 May 2024, Microsoft 365 roadmap item 385345), which reports that members of a mail-enabled security group with access to a shared mailbox can read and respond to protected messages.
The caveat is that members of the mail-enabled security group can only read protected messages generated after Microsoft deploys the feature to a tenant. Rollout completed in September 2024, so that shouldn’t be a problem now. Older protected email cannot be read because the “protected wrapper” around those messages doesn’t support access via a mail-enabled security group.
Figure 1 shows a message protected with the Do Not Forward template being read in Outlook (classic). In this case, my account is a member of a mail-enabled security group granted Full Access permission for the Complaints mailbox.

No Need for Direct User Assignment
The important point here is that direct user assignment to the shared mailbox with automapping enabled is no longer required. Direct assignment means that an administrator grants Full Access permission for the shared mailbox to a user account. Automapping is a process where Exchange Online adds a shared mailbox to a profile so that the Outlook (classic) client automatically opens the shared mailbox. This method still works, but now you have the option to use a mail-enabled security group to control shared mailbox membership instead.
Although the mail-enabled security group method works very nicely to allow users to open and read protected messages, remember that separate delegation is required to allow people to send email from the shared mailbox. This can be a Send As or Send on Behalf Of permission.
Why mention a feature launched last year when every Microsoft 365 tenant struggles to manage the ongoing flood of new product feature announcements? Well, the new method seems to have passed people by, so I thought it would be good to highlight it and give the mail-enabled security group approach a little boost. In addition, although MC794814 focused on the Do Not Forward and Encrypt Only templates, it seems like users granted access to a shared mailbox via a mail-enabled security group can read email protected by sensitivity labels too, if the rights assigned in those labels allow access.
Support in OWA and the New Outlook
OWA and the New Outlook are usually faster at deploying enhancements for protected messages. These clients work online and fetch the necessary authorization (use licenses) as required. Outlook (classic) can work offline, so getting the use licenses is more complicated.
OWA and the New Outlook also support the ability to work with protected messages when access is granted via a mail-enabled security group. Figure 2 shows OWA being used to read a protected message in a shared mailbox.

Microsoft Purview message encryption is available to all tenants with Office 365 E3 licenses and above. The Do Not Forward and Encrypt Only templates are very useful and the number of tenants using sensitivity labels grows all the time. Easier access to protected messages in shared mailboxes is welcome, even if it’s taken me far too long to acknowledge the update.
Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.
Copying Group Membership with the Microsoft Graph PowerShell SDK
How to Copy Group Membership from One User Account to Another Account
Now that Microsoft has confirmed the final retirement of the Azure AD module in mid-October 2025, the pressure is on to find and update scripts used for operational purposes. The time for learning how to use the Microsoft Graph APIs is past. The focus is now on turning knowledge into Graph-powered scripts.
Which brings me to a question about how to copy group membership from one user account to another. It’s the kind of thing that features in many online forums. In this example, the answer is:
Get-AzureADUserMembership -ObjectId {source user object id}|foreach { Add-AzureADGroupMember -ObjectId $_.ObjectId -RefObjectId {new user object id} }
Another example of the art is found here. The point is that copying group membership from one account to another is clearly something that many people do. I can see why this might be so. For instance, you might want to copy group membership from an account to a new joiner’s account to include them in a bunch of teams.
Alas, the Graph is different to Azure AD, and converting a script to perform the task with the cmdlets from the Microsoft Graph PowerShell SDK is not straightforward. Here’s a few things to think about when dealing with Entra ID groups. The set includes Microsoft 365 groups, security groups, mail-enabled security groups, and distribution lists.
Copying All Group Memberships or Just Some
It seems sensible to make someone a member of work-related groups based on the memberships of another user, but what about groups that are not work-related or don’t align with a specific job or operating unit? The groups used by many teams and Viva Engage (Yammer) communities accommodate discussions about topics that are not strictly associated with the business of an organization, and membership of those groups are determined by an individual’s interest rather than what they do.
Marking Work-Related Groups
Sensitivity labels are the obvious answer to mark work-related groups, but that only works if a tenant uses sensitivity labels for container management and assigns specific labels for groups that are not work-related. Sensitivity labels have become more popular over the last few years, but they are only available to tenants with Office 365 E3 or above licenses. A custom attribute could be used, but that requires the organization to ensure that all groups used for work or non-work topics are clearly marked.
Handling Dynamic Entra ID Groups
Dynamic Entra ID groups use membership rules based on account properties to calculate group membership. It’s very possible to extract the membership rule for a dynamic Entra ID group and figure out what properties to update to add someone to the membership of a dynamic group, but the risk exists that such an update might interfere with the membership rules of other dynamic groups.
Exchange Distribution Lists
Exchange distribution lists are replicated from Exchange to Entra ID, meaning that when a cmdlet runs to find Entra ID groups, the set returned includes distribution lists. Mail-enabled security groups are a form of distribution list. If you want to copy the membership of mail-enabled security groups and regular distribution lists, you’ll need to do this with Exchange Online cmdlets instead of Microsoft Graph PowerShell SDK cmdlets.
Dynamic distribution lists are not replicated from Exchange Online to Entra ID, so the Graph PowerShell SDK cmdlets ignore these objects. If you want to copy membership to dynamic distribution lists, you’ll need to update mailbox properties to match the OPATH queries used by dynamic distribution lists.
Selecting the Right Cmdlet to Copy Group Membership
The Microsoft Graph PowerShell SDK has two cmdlets to fetch memberships held by a user. The Get-MgUserMemberGroup cmdlet performs a transitive lookup to return a set of identifiers for the groups that an account belongs to. The SecurityEnabledOnly switch parameter determines if the cmdlet returns only security-enabled groups or all groups:
[array]$Groups = Get-MgUserMemberGroup -UserId $User.Id -SecurityEnabledOnly:$false
The Get-MgUserMemberOf cmdlet returns groups, administrative roles, and administrative units (including dynamic administrative units) that a user is a member of. In other words, the objects fetched by the cmdlet must be filtered to extract the objects of interest. This command shows how to apply a client-side filter to find groups that don’t use dynamic membership:
[array]$Groups = Get-MgUserMemberOf -UserId $User.Id -All -PageSize 500 | ` Where-Object { ($_.additionalProperties.'@odata.type' -eq '#microsoft.graph.group') -and ( -not ($_.additionalProperties.groupTypes -contains "DynamicMembership") ) } | Select-Object -ExpandProperty Id If ($null -eq $SourceGroups) { Write-Host "No groups found for user $($SourceUser.DisplayName)." -ForegroundColor Yellow Break }
The Get-MgUserMemberOf cmdlet is often preferable because it returns more than a simple list of group identifiers. As you can see from the example above, because the cmdlet deals with different object types, the additionalProperties property contains data that is of value to find specific groups.
An Example Script
A working example is usually helpful to demonstrate how to put principles into action. I’ve written a script that’s downloadable from GitHub to show how to fetch the set of groups from one account and copy the membership to another. The script (Figure 1) includes code to handle the different types of Entra ID groups and to check that it only attempts to add groups that a user isn’t already a member of. It’s enough to serve as the basis for a solution that might meet the needs of your tenant. I’ll let you make the decision about enhancements, such as removing the membership of the source user as groups are processed.

If you need more help to convert old Azure AD scripts, why not invest in a copy of the Automating Microsoft 365 with PowerShell eBook? It includes a bunch of useful examples like those above. The book is available separately or as part of the Office 365 for IT Pros eBook bundle.
Copilot Audio Overviews for OneDrive Documents
Create Audio Overviews for Word and PDF Files and Teams Transcripts
Message center notifications MC1061100 (updated 2 July 2025) and MC1060872 (updated 3 July 2025) both focus on audio overviews generated from documents (Word and PDFs) and Teams meetings (transcripts) stored in OneDrive for Business and Copilot Notebooks. This is yet another example of Microsoft applying AI to Microsoft 365 information. The question is whether having an audio review of a file is of real value or a demonstration of technology that might be used once and then forgotten.
This feature requires a Microsoft 365 Copilot license.
Generating an Audio Overview
The implementation is simple. The Copilot menu for a supported file type in the OneDrive for Business browser interface includes the Create an audio overview option (Figure 1).

Selecting the option causes Copilot to process the file. Logically, it seems like Copilot summarizes the file into a format similar to a Teams transcript and uploads the output to the Azure Audio Stack for transformation into an audio stream (users can save the summary as an .MP3 file in the Recordings folder of their OneDrive for Business account). For now, only English language audio overviews are available, and only files in English can be processed. Copilot politely refused to process documents that contained non-English text, even when the majority of the text was in English. On the other hand, Copilot had no problem processing files containing computer code, such as the PowerShell examples.
Given that Copilot can generate document summaries in different languages and the support for many languages in the Azure Audio Stack, it seems likely that support for other languages will come soon. I also expect to see UX provided to allow users to select other settings, such as the voices used for output (see below).
MC1060872 says that the OneDrive mobile app can generate audio overviews. I haven’t seen the mobile option appear yet.
Audio Overview Styles
The default style summarizes the key points in a document. If you prefer, you can switch the overview to a podcast style using the option in the […] menu. Essentially, the summary is a report of a document read by a single person. The podcast style usually generates a shorter audio stream that’s delivered by two “hosts” (a male voice and a female voice, both with neutral American accents). Figure 2 shows an overview being played with the transcript visible together with the option to switch style.

The audio overview option advises that generation could take a few minutes. I discovered that this is accurate and that overviews for even very large files were available in a couple of minutes. For example, I asked Copilot to generate an audio overview of the Word document for the latest Office 365 for IT Pros eBook. This is a large and complex file (28 MB, 1,250 pages, 22 chapters, and many figures and tables), so I thought it would be a good test. The audio overview was available in less than two minutes. You can download and listen to the summary and podcast versions using the links below to get an idea about the quality and type of output generated for an audio overview.
The DLP Block for Microsoft 365 Copilot
Interestingly, the DLP policy for Microsoft 365 Copilot blocks Copilot from generating audio overviews. I shouldn’t be surprised at this because the idea behind the policy is to stop Copilot from processing confidential files assigned specific sensitivity labels. As noted above, Copilot generates an audio overview using a transcript summary produced from a file. To create the summary, Copilot must be able to extract the file content but is blocked by the DLP policy.
When asked to create an audio overview from a protected file that comes within the scope of the DLP policy, Copilot chews on the problem for a few minutes before concluding that it can’t do anything and errors out (Figure 3). OneDrive must be refreshed before further files can be processed.

Although it’s good that the DLP policy for Microsoft 365 Copilot does its job, the poor user experience in the OneDrive for Business browser interface is evidence that the folks who created the audio overview option never considered that a policy might block Copilot access to a file. It would be much better if the UX displayed an immediate error message to say that Copilot cannot process a file instead of making the user wait for a few minutes before Copilot times out.
Are Audio Overviews Valuable?
I might not be the right target market for audio overviews. I suspect that this feature is directed towards people who can’t use regular Copilot document summaries. In this context, I think audio overviews will be very useful. Another scenario where the feature might shine is the ability to save audio overviews of files to OneDrive for listening to during commutes or other journeys. Like all the AI-driven features, the value comes down to the individual. I’m not sure I will ever use a Copilot-generated audio overview again, but I know how to create one if I need it.
Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.