Author: Tony Redmond
How to Find Who Assigned Retention Labels to SharePoint Files
Use Audit Events to Track Down Retention Label Assignments
A reader of my article about how to write a PowerShell script to report files and folders in a SharePoint Online document library observed that while the report details the retention labels assigned to items, it doesn’t say who assigned the labels. This is absolutely true, and it’s because SharePoint Online doesn’t note details of the last retention label assignment (date, user, etc.) in the information available through the Files Graph API. If the data isn’t available, it cannot be included in a report.
But retention label assignment is an auditable action. Details of assignments are captured by SharePoint Online and ingested into the unified audit log roughly 30 minutes after someone assigns a retention label to an item.
Searching for Retention Label Assignments
It’s easy to search the audit log for the logged events (the “TagApplied” operation is used here; the ComplianceSettingChanged could also be used) and report that information. Here’s some simple code to find the relevant audit events:
[array]$Records = Search-UnifiedAuditLog -Operations TagApplied -StartDate $StartDate -EndDate $EndDate -Formatted -SessionCommand ReturnLargeSet -ResultSize 5000 If ($Records.Count -eq 0) { Write-Output "No TagApplied events found in the last 30 days" Break } Else { # Get rid of duplicates $Records = $Records | Sort-Object Identity -Unique Write-Output ("Processing {0} retention label assignment events..." -f $Records.Count) }
If the search is likely to return more than 5,000 events, it’s probably best to use the Graph AuditLogQuery API to perform an asynchronous search. Background searches can find hundreds of thousands of audit records if necessary.
The search finds assignment events when labels are applied manually by a user or automatically by an auto-label policy. In many careful scans of the audit log, I cannot find any events captured when files are uploaded to a document library and receive the default retention label configured for that library. The documentation says that events are triggered when retention labels are applied manually or automatically to a document but perhaps default retention labels are omitted.
Parsing the Audit Records
After finding relevant events, the next step is to remove any duplicates and sort the set by date.
$Records = $Records | Sort-Object Identity -Unique $Records = $Records | Sort-Object {$_.CreationDate -as [datetime]} -Descending
The code then loops through the set to extract details and create a report. The name of the retention label and details of the file such as its name and host site and folder are in the AuditData structure, which must be converted from JSON to a PowerShell object to allow easy extraction of the properties.
The next issue is to find out who assigned the retention label. This is simple when users assign retention labels manually because the audit record stores the user principal name in the UserIds property. It’s less straightforward when auto-label policies are involved because the UserIds property contain the GUID of the retention policy rule that caused the label assignment to occur.
To translate the rule GUID back to a policy name, we need to find the GUID of the policy (because that’s how the rule links to its policy) and then extract the policy name. The code to resolve the rule GUID is not difficult, but it depends on being able to lookup the registered compliance policy rules and policies in the tenant. I use hash tables for this purpose and populate the tables with the Get-RetentionCompliancePolicy and Get-RetentionComplianceRule cmdlets.
Two GUIDs couldn’t be resolved by this method. I assume these represent background processes run by SharePoint Online to apply policies, so I declared the GUIDs in an array:
[array]$SharePointAutoLabelId = 'eba15bfd-c28e-4433-a20e-0278888c5825', 'a405a596-28e7-43c6-8ac7-76e0fc13ee0f'
If the GUIDs are found in audit records, the code reports them as “SharePoint Auto Label process.” One of the two GUIDs (‘eba15bfd-c28e-4433-a20e-0278888c5825’) is involved with the application of retention labels for document versions for cloudy attachments captured by a special policy, so I think it’s reasonable to assume that the other GUID represents some other form of background processing. Figure 1 shows some sample output.

You can download the full script from the Office 365 for IT Pros GitHub repository.
Chasing Default Retention Label Assignments
Although using the audit log to answer the question about who assigned retention labels to files is reasonably accurate, I’m unhappy to find that default retention label assignments aren’t audited. Or at least, I can’t find the right audit event to report. I’ve asked Microsoft about the issue and hopefully they can clarify what’s going on.
Need some assistance to write and manage PowerShell scripts for Microsoft 365? Get a copy of the Automating Microsoft 365 with PowerShell eBook, available standalone or as part of the Office 365 for IT Pros eBook bundle.
Duplicate Mail User Objects Created for Guest Accounts
EX1015484 Issue Causes Duplicate Exchange Online Mail User Objects Linked to Entra ID Guest Accounts
I am indebted to MVP Joe Stocker for sharing information about incident EX1015484 (duration from February 20 7:38AM PST to February 27 5AM PST). The problem as reported by Microsoft (Figure 1) is that when administrators create new Entra ID guest accounts, duplicate objects appear in Exchange Online that prevent email delivery to the guest accounts.

Creating Mail User Objects
Entra ID and Exchange Online use a dual-write mechanism to update objects. Guest accounts originate when external users are added to Teams or Microsoft 365 groups, or when an administrator invites an external user to join the tenant from the Entra admin center.
When Entra ID creates a new guest user account, Exchange Online creates a mail user object. The existence of the mail user object allows guest users to be included in distribution lists. The mail user object has an email address, so email can be sent to the object, and the transport system is able to route messages to the guest account. Exchange Online removes a mail user object automatically following the removal of the guest user account from Entra ID. If the deleted Entra ID account is restored, the mail user object reappears.
Duplicated SMTP Addresses
In the case of EX1015484, it seems like Microsoft shipped a feature update with a bug that created mail user objects with duplicate SMTP email addresses. The Exchange transport system insists that email-enabled objects have unique email addresses because that’s the basis for routing messages to their final destinations.
Apparently, tenants need to contact Microsoft support to remove the duplicate objects. You can’t just remove duplicate mail user objects because of the dual-write mechanism. Entra ID is the directory of record, so any attempts to run Remove-MailUser to delete an object linked to a guest account will fail:
Remove-MailUser -Identity a9f35d52-572e-4438-a129-08d8c00ae88b Confirm Are you sure you want to perform this action? Removing the mail enabled user Identity:"a9f35d52-572e-4438-a129-08d8c00ae88b" will delete the mail enabled user and the associated Windows Live ID "elifon_contoso.com#EXT#office365itpros.onmicrosoft.com". [Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): y Remove-MailUser: ||An Azure Active Directory call was made to keep object in sync between Azure Active Directory and Exchange Online. However, it failed. Detailed error message: Resource 'a9f35d52-572e-4438-a129-08d8c00ae88b' does not exist or one of its queried reference-property objects are not present. DualWrite (Graph) RequestId: 61220f4c-90ea-4fa5-bf1f-c07b5d10c26d The issue may be transient and please retry a couple of minutes later. If issue persists, please see exception members for more information.
Removing the guest accounts from Entra ID and restoring them after a few minutes might well work. I can’t say because the problem didn’t affect any tenant that I have access to.
In any case, Joe posted some PowerShell to find mail-enabled objects with duplicate SMTP addresses:
Connect-ExchangeOnline; Get-Recipient -ResultSize unlimited | Select-Object -ExpandProperty EmailAddresses | Where-Object {$_ -like "smtp:*"} | Group-Object -Property {$_.ToString().ToLower()} | Where-Object {$_.Count -gt 1} | Select-Object @{Name="SMTPAddress";Expression={$_.Name.Substring(5)}}, Count | Sort-Object -Property Count -Descending
The code is faster when a filter is applied to select mail user objects. Here’s my version:
Connect-ExchangeOnline; Get-ExoRecipient -RecipientTypeDetails MailUser -ResultSize unlimited | Select-Object -ExpandProperty EmailAddresses | Where-Object {$_ -like "smtp:*"} | Group-Object -Property {$_.ToString().ToLower()} | Where-Object {$_.Count -gt 1} | Select-Object @{Name="SMTPAddress";Expression={$_.Name.Substring(5)}}, Count | Sort-Object -Property Count -Descending
I tested the amended code by removing the check for addresses with a count greater than 1, so I am pretty sure that it works. Feel free to improve the code!
Problems Happen
It’s regrettable that EX1015484 happens, but that’s the nature of software. The issue has been resolved, and you will no longer encounter mail user objects with duplicate SMTP addresses in your tenant. It’s worth running the code shown above just in case that the problem hit your tenant and left some bad objects behind.
So much change, all the time. It’s a challenge to stay abreast of all the updates Microsoft makes across the Microsoft 365 ecosystem. Subscribe to the Office 365 for IT Pros eBook to receive monthly insights into what happens, why it happens, and what new features and capabilities mean for your tenant.
Artificial Intelligence and Microsoft 365 Administration
Artificial Intelligence and PowerShell for Tenant Administration – An Unlikely Couple?
I’ve been asked by a few people to comment about Lokka, the new creation of Merill Fernando, a program manager in the Microsoft Entra ID group. Lokka is a proof of concept exploring how the combination of AI Large Language Models (LLMs) and the Model Context Protocol (MCP) can bring value to Microsoft 365 administration. In this case, by generating Graph API queries in response to administrator prompts. For example, “How many user accounts belong to the marketing or sales departments.”
Merill’s a very inventive individual whose capacity to invent extends to his eye-catching tweet asking the question if Lokka is the end of PowerShell for Microsoft 365 administrators (Figure 1).

Helping Administrators with Simple Queries and Examples
Of course, the advent of a proof of concept like Lokka doesn’t mean that Microsoft 365 administrators suddenly need to lose all interest in PowerShell. AI tools can certainly be helpful in responding to queries that aren’t covered by the standard admin center GUI. They can also educate administrators by showing them how to use PowerShell to run Graph AI queries.
The Exchange Server 2007 product was the first Microsoft server to embrace PowerShell. One of the brainwaves in that product was how the Exchange Management Center (EMC) console displayed the PowerShell code it executed when it performed actions. Figure 2 shows how the EMC in Exchange Server 2007 displayed the code used to create a new mailbox.

Seeing the PowerShell code in action and being able to copy the commands for reuse helped administrators master basic PowerShell command for managing Exchange servers. Another example is how Merill’s Graph X-Ray tool gives administrators a glimpse into the Graph API requests run to perform some actions in the console.
Artificial Intelligence and PowerShell in the Microsoft 365 Admin Center
The Microsoft 365 admin center already has Copilot assistance that’s added automatically when a tenant buys some Copilot for Microsoft 365 licenses (Figure 3). The implementation is much like a Copilot Chat session where an administrator prompts Copilot for some information and receives a response containing instructions and possibly some PowerShell code. I imagine that the content used by Copilot is a restricted set of documentation, just like you can restrict a Copilot agent to reasoning over certain SharePoint and external web sites when it composes its responses.

The Importance of Training Material
There’s no doubt that we will see increasing use of AI to assist administrators with tasks as time progresses. The assistance will become more comprehensive, intelligent, and useful. However, the usefulness of any generative AI tool is bounded by the material used to create its LLMs. This means that the answers that an administrative agent can give, whether how-to instructions or PowerShell code snippets, depend on text scanned to build the LLM. If an answer exists to a question, the AI can respond. This includes incorrect answers because the LLM doesn’t know if content contained in source material is accurate. And if an answer isn’t available, the AI cannot respond without hallucinating. For example, Copilot has been known to include the names of PowerShell cmdlets that don’t exist in its responses.
The current set of AI tools we have don’t include insight or creativity. They can respond to known problems, but even so, responses are often based on whatever the most common answer is found in its source material. Those answers might be inefficient. Take the code suggested in Copilot’s response in Figure 3.
Get-MgUser | Where Department eq "Sales"
Several problems exist with the answer. First, the syntax is incorrect and won’t work because the piping to the Where-Object cmdlet is wrong (probably because Copilot absorbed an incorrect answer from some source). Second, the Department property is not retrieved by the Get-MgUser cmdlet unless explicitly requested.
Get-MgUser -Property Id, Displayname, Department | Where-Object {$_.Department -eq "Sales"}
Third, it’s always better to use a server-side filter to retrieve PowerShell objects. And in the case of user accounts, it’s also a good idea to filter out guest accounts.
Get-MgUser -Filter "Department eq 'Sales' and userType eq 'member'"
The takeaway is that generative AI can only be as good as the material used for its training. The current state of the art is such that AI can’t recognize when its output is incorrect.
PowerShell Still an Essential Tenant Management Skill
Even with the prospect of better, more complete, and more comprehensive AI tooling on the horizon, I still believe that Microsoft 365 administrators should take the time to acquire a working knowledge of PowerShell. For the foreseeable future, AI might well offer help to those who don’t even know how to start using PowerShell to manage a tenant.
Experience to date demonstrates that AI is unlikely to master the creativity that’s often needed to create something like a full-blown tenant licensing report, complete with costs anytime soon. Combining data from multiple sources to deliver a solution requires more ingenuity than running straightforward Graph requests. I await to be proven wrong that artificial intelligence and PowerShell can do more than perform straighforward, mundane tasks. In the interim, using GitHub Copilot to accelerate the development of PowerShell scripts might be the most productive way to use AI to improve Microsoft 365 automation.
Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.
How to Stop People Using ChatGPT with OneDrive for Business Files
Block ChatGPT Access to OneDrive Files
ChatGPT allows people to connect their personal and work OneDrive accounts. Connecting to OneDrive doesn’t mean that ChatGPT can reason over OneDrive files in the same way that Microsoft 365 Copilot can when it generates responses. However, it does mean that users can upload files from OneDrive to interact with their content through ChatGPT. Figure 1 shows ChatGPT summarizes the content of a file uploaded from OneDrive for Business.

Of course, people shouldn’t store very confidential and sensitive information in OneDrive for Business accounts, but they do. And the temptation to use ChatGPT is obvious when the price of a Microsoft 365 Copilot license is high, so what can organizations do to stop this behavior.
ChatGPT Cannot Access Protected Files
One way to block ChatGPT access to OneDrive for Business is to encrypt the files with sensitivity labels. ChatGPT cannot process these files even after the owner of the file uploads them to ChatGPT. Sensitivity label encryption is based on rights management, and ChatGPT cannot authenticate with the rights management service to obtain the use license necessary to access files protected with sensitivity labels. That’s a pretty effective way to stop ChatGPT opening the file to copy its contents into memory to reason over the data. Microsoft 365 Copilot Chat faces much the same barrier if the sensitivity label assigned to a file doesn’t grant the EXTRACT usage right to the signed-in user (the new DLP policy for Microsoft 365 Copilot also uses sensitivity labels but blocks access in a different way).
Block Consent for Users
Not every Microsoft 365 tenant uses sensitivity labels, and even users in tenants that do don’t always protect files the way that they should. A more fundamental way to block ChatGPT access to OneDrive is to prevent users from being able to grant consent for apps (Figure 2). Make sure to select the “do not allow user consent” setting or allow consent for “low impact” apps.

If users can grant consent, the first user who attempts to connect their OneDrive for Business account to ChatGPT will create an enterprise app in Entra ID for ChatGPT with permissions to read user data (Figure 3).

This isn’t an abnormal situation because many app publishers (including Microsoft) create enterprise apps in customer tenants in the same way. However, it’s better to have administrative oversight over requests to create new enterprise apps. When created, the ChatGPT app will have a service principal to hold its permissions. The same application identifier (e0476654-c1d5-430b-ab80-70cbd947616a) is used in all tenants.
$ChatGPTApp = Get-MgServicePrincipal -Filter "displayName eq 'ChatGPT'" $ChatGPTApp DisplayName Id AppId SignInAudience ServicePrincipalType ----------- -- ----- -------------- -------------------- ChatGPT db277364-71ae-4fa4-9b02-370699b75a0a e0476654-c1d5-430b-ab80-70cbd947616a AzureADandPersonalMicrosoftAccount Application
App consent events are captured in the audit log and can be checked there.
Track What’s Happening
If the ChatGPT app exists in a tenant, it’s easy to check if anyone is using it by looking for sign-in events in the Entra ID log. Here’s some PowerShell to check the sign-in logs for anyone using the ChatGPT application:
[array]$Logs = Get-MgAuditLogSignIn -Filter "AppDisplayName eq 'ChatGPT'" -All $Logs | Group-Object UserDisplayName | Sort-Object Count -Descending | Format-Table Name, Count Name Count ---- ----- Kim Akers (She/Her) 5 René Artois 4
A more precise version checks for successful sign-ins using the ChatGPT application:
[array]$Logs = Get-MgAuditLogSignIn -Filter "AppDisplayName eq 'ChatGPT' and status/errorCode eq 0" -All
Remove the ChatGPT App
If the ChatGPT app is in use, the easiest way to block ChatGPT access to OneDrive for Business is to remove the service principal for its app:
Remove-MgServicePrincipal -ServicePrincipalId $ChatGPTApp.id
Access won’t terminate immediately because ChatGPT sessions might have obtained access tokens that are still valid, but once those tokens expire (within an hour), ChatGPT won’t be able to authenticate with Entra ID because the enterprise app is no longer present in the tenant. Anyone wanting to use ChatGPT to access OneDrive for Business files after that point will need to seek consent to use the app again. And by now, you’ll have blocked that route!
Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.
Why Teams Clients Prompt for Your Location
Location Privacy Setting for Teams is Now Separate to Windows
If you wonder why Teams has suddenly started to prompt for approval to use your precise location and location history when you sign into a client, the answer lies in message center notification MC993226 (last updated 7 March 2025). It’s all to do with an update to Microsoft privacy policies governing how apps can use location information. Microsoft refers to this as a “location consent experience” which applies to Windows (running version 24H2 or later) and Mac workstations, but not VDI clients.
Take the example shown in Figure 1. Teams knows that the location setting for the Windows PC permits location information to be shared with IT admins to help troubleshoot issues like network connectivity (Figure 2). Until the change became effective, Teams used the Windows setting, but now Teams has its setting to govern whether it can access location data.


VDI desktops obviously don’t support the same level of precision when it comes to location data, which is why they’re currently excluded from location privacy. For more information about how to manage location sharing in Teams, see the Microsoft support documentation.
Targeted release has started, and general availability is slated for deployment between late March and early April 2025. The update will be available in the commercial and government clouds. Microsoft notes that the new location privacy consent “does not apply to fully managed devices where users are restricted from user granted location access” and that current policies will continue working as before.
Location Privacy is a Per Tenant Choice
Teams displays the location notice for each tenant accessed during a client session. For instance, if you switch from your home tenant to a tenant where you’re a guest member, Teams displays the location notice again. The reason is that the location information gathered by Teams is provided on a tenant basis, so the notice acts as a prompt for the user to disable the information in the Privacy section of the Teams settings app (Figure 3).

Location Data for Teams
MC993226 says that Teams is specifically interested in the SSID and BSSID. The SSID (service set identifier or network name) is the identifier for a Wi-Fi network. The BSSID (Basic service set identifier) is the MAC address of the network access point or Wi-Fi router used by a device to connect to a network.
Teams uses this information for the Call Quality Dashboard to track call quality at the organization level. Knowing someone’s location is also critical for location-based call routing to work. The data is also used for dynamic emergency calling in Teams Phone to allow the location of emergency calls to be identified. If your organization doesn’t have a Teams Phone subscription and a calling plan, you won’t have access to emergency calling. On the surface, if you don’t use Teams Phone, it seems like you don’t need to worry about location privacy.
Microsoft hasn’t given a firm number for Teams Phone users since July 2021 when they said that 80 million people used Teams Phone. However, although Microsoft has been nudging customers to use Teams Phone for years, the reported number doesn’t say how many users have paid calling plans instead of just using Teams Phone for VOIP calls.
Location Privacy is Important
Obviously, Microsoft would like users to consent to sharing location data with Teams as otherwise features won’t work as designed. I don’t think that anyone will complain too much about location data being shared with Teams to measure the quality of calls or to know where someone is when they make an emergency call. Using location data for other purposes, such as knowing the hot desk that someone is working at might be another matter, which is why keeping an eye on location privacy is important.
Learn how to exploit the data available to Microsoft 365 tenant administrators through the Office 365 for IT Pros eBook. We love figuring out how things work.
Microsoft’s Attempts to Improve the Teams UI Are Not Always Successful
Auto-Hide Inactive Channels and the New Chat and Channels Interface Just Don’t Work for Some People
It’s hard to create a client user interface that works well on Windows, Mac, and browsers that satisfies the often very different demands which exist in a very large user base (320 million or so, in what’s now a very old official figure). Yet that’s the task that the Teams development group sets itself as it rolls out interface changes. Sometimes, things don’t go to plan.
Solving the Auto-Hide Inactive Channels Mess
Take the plan to auto-hide inactive channels so that old and potentially obsolete channels wouldn’t get in the way of real work. On paper, it sounds like a wonderful idea. Channels do age over time and people do lose interest in what happens in some channels. Manually hiding a bunch of old channels could occupy a rainy Sunday afternoon, but who wants to do that.
The original intention is explained in Microsoft 365 roadmap item 325780, where we discover that “Teams will automatically detect inactive channels you haven’t interacted with in a while, and automatically hide them for you.” Soon after the launch of the feature in July 2024, Microsoft ran into user discontent.
The important word in Microsoft’s description is “automatically.” When software performs an action without human prompting, the results of the processing can be overlooked. In the case of Teams, people reported that important channels disappeared from the Teams and channels list. According to the unexplained algorithm used by Teams, the now-hidden channels appeared inactive and unused, and so liable for hiding. Users could find and unhide channels (Figure 1), but the extra work is a hassle.

The upshot is that Microsoft announced in MC804771 (March 21, 2025) that “Teams will offer users suggestions on channels that are inactive, and the user is prompted to review their inactive channels and hide them only if they choose.” The change to an opt-in model is expected to roll out to general availability “later in 2025.” Let’s hope that Microsoft does a better job this time around.
Moving Away from The New Chat and Channels Experience
Which brings me neatly to the new Teams Chat and Channel experience, trumpeted by Microsoft as being streamlined to help you collaborate more effectively. I’ve used the new interface since its earliest beta release as a new take on how to use channels. After Microsoft released the full version in October 2024, my review led off with “Microsoft’s waffle about the new experience is pure marketing spin.” That note reflected some of my frustration with trying to make the new experience work for me, despite having the opportunity to discuss the matter in depth with some of those responsible for the new interface.
After a further six months of trying, I’ve concluded that I work better with the old experience. I like the separation between chats and Teams. I find it easier to stay on top of current activities and find that I don’t overlook things the way that I do when chats and teams are comingled.
I know others share the same opinion, even if Microsoft’s fabled telemetry tells a different story (but those who construct and control the telemetry get to decide what the story is). I do know of people who love working in the new way, even if it doesn’t work for me. I suspect that the reaction to the new interface is highly individual and greatly influenced by how people work with Teams. As I noted in my review, in some tenants I use chat mostly. In others, it’s channel-based, and in others it’s a combination. I find that chat-centric activities are best in the new experience, but I still decided to revert to the old interface everywhere.
Both the Old and the New
The nice thing is that Teams supports both the old and new experience. In other words, the software respects user choice and doesn’t attempt to force people to do things in the one true way. It’s always better when user choice is respected, especially when changes are introduced in user interfaces. Maybe those responsible for the auto-hide inactive channels feature might have learned that lesson.
Support the work of the Office 365 for IT Pros team by subscribing to the Office 365 for IT Pros eBook. Your support pays for the time we need to track, analyze, and document the changing world of Microsoft 365 and Office 365.
Copilot in Outlook Gets a Revamp
Tweaks to Copilot for Outlook Make the Functionality More Accessible
On Tuesday, I reported that I thought the new Facilitator agent in Teams chat is a good example of AI performing a task well. It’s evidence of how the initial rush of deploying AI everywhere to anything that could have a Copilot label applied is moderating into better implementations.
Message center notification MC892651 (last updated 18 March 2025, Microsoft 365 roadmap item 397092) could be regarded as being in the same category. In this case, the UI for Copilot interactions in the Outlook has what Microsoft terms as “major design improvements” for the new Outlook on Windows and Mac desktops, OWA, and Outlook mobile clients. Outlook classic remains unaltered.
Perhaps because it involves major improvements or a wide range of clients, the deployment of the update has been delayed. Microsoft originally intended to have full deployment done by late February 2025. That date is now late April 2025. When this happens, it normally means that Microsoft had to halt the deployment to fix some problems.
No New Functionality in Revamped UI
According to Microsoft, the revamped UI doesn’t include any new functionality. I never saw the ‘rewrite like a poem’ option before (which might have improved some of my email enormously), so the fact that the new layout and navigation makes this option accessible (Figure 1) is proof that the overhaul works.

Of course, things work differently on mobile devices, but the changes seem to make things better there too (Figure 2).

By comparison, the Copilot options in Outlook classic are a tad austere (Figure 3), just like the options were like in the other clients before the change. The changes made in the other clients proves once again that good design is important when it comes to making technology accessible to users.

UI Great, Text Awful
I like the UI changes and think they improve how Copilot for Outlook works. However, the changes do nothing to improve the quality of the written text generated by Copilot, which remains bland and overly effusive to my taste. I guess that’s my personal approach to email shining through because I favor brief to-the-point messages over lengthy missives.
The late Mark Hurd (CEO of HP at the time) once advised me to always put the most important information in a message into the first paragraph so that recipients could quickly review items in their inbox without needing to read long messages on mobile devices (Blackberries and iPAQs then). Technology has moved on, but the advice is still true, especially as so many different forms of mobile devices are now in use. Maybe Copilot for Outlook needs a rewrite in one brief paragraph option.
More Change to Come
Although it sometimes seems much longer, we’re still only two years into the Copilot era. We’ll see more changes like this as Microsoft refines and enhances how Copilot is integrated into apps. Now that they’ve given Outlook a nice new UI, perhaps they’ll do the same for Excel and PowerPoint to make it easier to use Copilot in those apps. Or maybe that’s just me moaning because I’m not as proficient as I should be with those apps.
So much change, all the time. It’s a challenge to stay abreast of all the updates Microsoft makes across the Microsoft 365 ecosystem. Subscribe to the Office 365 for IT Pros eBook to receive monthly insights into what happens, why it happens, and what new features and capabilities mean for your tenant.
Use Data Loss Prevention to Stop Copilot Chat Processing Documents in Its Responses
DLP Policy for Microsoft 365 Copilot to Restrict Access to Sensitive Documents
Ever since the introduction of Microsoft 365 Copilot in March 2023, organizations have struggled to stop the AI consuming confidential or sensitive documents in its responses. Some of the early tools, like Restricted SharePoint Search, were blunt instruments hurried out as responses to customer requests. Microsoft’s current best answer is SharePoint Restricted Content Discovery (RCD), a feature licensed through SharePoint Advanced Management (SAM). All tenants with Microsoft 365 Copilot licenses are due to receive SAM licenses. I haven’t seen SAM appear in my tenant yet, but not doubt its deployment is ongoing.
Microsoft says that the key use case for RCD is to “prevent accidental discovery of [files stored in] high-risk sites.” RCD works by limiting the ability of end users to search selected sites. By excluding sites from search, RCD prevents Copilot Chat using the files stored in those sites in its responses. It’s still possible for Copilot to use information from a sensitive document if the user has the file opened in an app like Word. At this point, the sensitive content is open in memory and available for Copilot to process.
Blocking files from user access doesn’t stop system functions like eDiscovery working.
Blocking Access to Individual Files
RCD is a good way to cast a protective net across multiple sites. But what about protecting individual files that might be in sites that aren’t covered by RCD? Until now, the answer has been to use sensitivity labels to stop Copilot Chat using sensitive files to generate its responses. Although sensitivity labels can stop Copilot using the content of protected files, it cannot prevent Copilot finding reference protected files through a metadata search.
Creating a DLP Policy for Microsoft 365 Copilot
A solution to that problem might be coming in the form of a new type of Data Loss Prevention (DLP) policy. The feature is described in message center notification MC937930 (last updated 6 February 2025, Microsoft 365 Roadmap ID 423483). DLP policies are usually used to block external sharing of confidential information, like Teams meeting recordings. Blocking files for internal consumption is a new step.
Essentially, tenants can create a DLP policy to check for specific sensitivity labels and block Copilot Chat access to files with those labels. The functionality is now in preview and is scheduled for general availability in June 2025 (complete worldwide by the end of July 2025). Some gaps are always expected in preview code, and the gaps right now include alerts, incident reports, policy simulation, and audit records. In other words, it’s very hard to know when a DLP policy match happens to block access. But testing indicates that the DLP policy works.
The DLP policy for Microsoft 365 Copilot is a special form of policy in that the policy only covers Copilot and no other type of data (Figure 1).

The rules used in a DLP policy for Microsoft 365 Copilot are simple. The policy checks if a file has a specific sensitivity label, and if the sensitivity label is found, DLP executes the action to “prevent Copilot from processing content” (Figure 2). A rule can check for the presence or one or more sensitivity labels. In some respects, it might be easier to create a separate rule for each label.

Testing the DLP Policy for Microsoft 365 Copilot
To test the new DLP policy, I created several documents referring to regulations governing cryptocurrency in Iceland (a topic selected at random because I knew that my tenant was unlikely to store any files relating to the topic). I used Copilot for Word to generate the text for each file and added a reference to a mythical regulation to the text of each document to give Copilot an easy target to find. The first check asked Copilot Chat to find documents relating to cryptocurrency in Iceland with special relevance to the regulation. The sensitivity labels assigned to the documents were not covered by a DLP policy for Microsoft 365 Copilot, and Copilot found all the documents (Figure 3).

After applying sensitivity labels covered by the DLP policy for Microsoft 365 Copilot to two of the three documents, the search was rerun and Copilot found only one document (Figure 4).

I don’t pretend this to be a full test. However, it’s the only way to check preview software that doesn’t generate audit records or other traces to show when DLP policy matches occur to force DLP to execute the defined actions.
New DLP Policy Shows Promise
I’ll look forward to retesting the DLP Policy for Microsoft 365 Copilot after the software reaches GA and the full array of auditing and reporting options are available. The nice thing is that users see no trace of a sensitive document show up in Microsoft 365 Copilot Chat. Unlike basic sensitivity label protection, which allows Copilot Chat to show metadata found in its searches, the DLP policy is silent. And that’s just the way you’d want it to be when dealing with sensitive data.
So much change, all the time. It’s a challenge to stay abreast of all the updates Microsoft makes across the Microsoft 365 ecosystem. Subscribe to the Office 365 for IT Pros eBook to receive monthly insights into what happens, why it happens, and what new features and capabilities mean for your tenant.
Gabung di elevAIte, Jobstreet by SEEK Dorong Kesiapan Kerja Talenta AI Indonesia Bersama Microsoft
Read in English here
Jakarta, 20 Maret 2025 – Jobstreet by SEEK resmi bergabung ke dalam elevAIte Indonesia, inisiatif pelatihan AI dari Kementerian Komunikasi dan Digital Republik Indonesia dengan Microsoft, yang melibatkan mitra pemerintahan, industri, institusi pendidikan, serta komunitas, untuk membekali 1 juta talenta Indonesia dengan keterampilan yang relevan di era transformasi AI. Dalam inisiatif ini, Jobstreet by SEEK akan berfokus untuk menyiapkan talenta Indonesia dengan soft skills dan hard skills yang dibutuhkan di dunia kerja, serta menghubungkan talenta AI dengan industri yang membuka lowongan pekerjaan.
Menurut laporan Work Trend Index 2024 dari Microsoft dan LinkedIn, 92% knowledge workers di Indonesia sudah menggunakan generative AI di tempat kerja; lebih tinggi dibandingkan angka global (75%) dan Asia Pasifik (83%)*. Kementerian Ketenagakerjaan Indonesia juga mendukung adanya pemanfaatan terkait penggunaan generative AI di kalangan mahasiswa dan profesional sebagai salah satu skill digital yang dibutuhkan untuk pekerjaan**. Di sisi lain, berdasarkan survei yang dirilis tahun 2024 oleh Statista Consumer Insights, ditemukan bahwa Indonesia menempati peringkat keempat sebagai negara yang paling antusias menggunakan AI dalam kesehariannya***. Data-data ini mencerminkan potensi besar yang dimiliki Indonesia dalam mengintegrasikan teknologi terdepan ini di dunia kerja.
“Jobstreet by SEEK melihat potensi besar terkait penggunaan generative AI dalam bekerja, maupun dalam kehidupan pribadi sehari-hari oleh orang Indonesia. Kerjasama dengan Kementerian Komunikasi dan Digital Republik Indonesia dan Microsoft melalui inisiatif elevAIte Indonesia menjadi salah satu komitmen kami untuk mendorong penggunaan generative AI di Indonesia guna meningkatkan produktivitas dan kualitas SDM Indonesia, serta menghubungkan mereka dengan ekosistem industri yang tepat. Dengan populernya penggunaan produk Microsoft di lingkungan perkantoran, teknologi Copilot ini menjadi hal penting untuk dikuasai oleh para pekerja di Indonesia”, ujar Sawitri, Head of Country Marketing Indonesia, Jobstreet by SEEK.
Kombinasi soft skills dan hard skills di industri kerja
Sebagai langkah awal mempersiapkan para talenta Indonesia dengan keterampilan AI, Jobstreet by SEEK menghadirkan rangkaian video pelatihan Microsoft 365 Copilot yang dipandu oleh Kevianda Kamarullah selaku Modern Work & Copilot Specialist dari Microsoft dan Jovial da Lopez selaku Kreator Konten dan Penggiat AI. Rangkaian video pelatihan ini, tersedia di menu KarirKu dalam aplikasi Jobstreet by SEEK yang tersedia secara gratis di AppStore dan Play Store, mencakup berbagai modul yang difokuskan pada penggunaan fitur Copilot dalam pekerjaan sehari-hari. Mulai dari analisis data hingga pembuatan dokumen. Dengan menggunakan AI, waktu pemrosesan dapat dikurangi secara signifikan, memungkinkan profesional untuk fokus pada tugas-tugas yang lebih strategis.
Rangkaian video mengungkap tips dan trik bagaimana memanfaatkan Microsoft 365 Copilot sebagai asisten dalam bekerja dan mempercepat pekerjaan. Video pelatihan ini juga memaparkan cara-cara memanfaatkan Copilot untuk mendukung pekerjaan di berbagai profesi, misalnya sebagai staf administrasi, customer service officer, pemasaran digital, hingga membantu tim sales untuk mengejar target penjualan mereka.
Selain untuk membantu pekerjaan seperti penyusunan laporan dan presentasi, merangkum dokumen, maupun revisi dokumen secara lebih cepat, video pelatihan ini juga mengungkapkan tips dan trik pemanfaatan asistensi Copilot untuk pencarian pekerjaan, misalnya untuk membuat CV profesional dan berlatih sesi tanya jawab wawancara kerja. Pengguna yang telah menyelesaikan video seri pelatihan ini akan mendapatkan “Sertifikat Pelatihan Dasar Microsoft 365 Copilot” & “Sertifikat Pelatihan Microsoft Word dengan Copilot”.
“Memasuki era baru generative AI, keterampilan AI menjadi kebutuhan yang mendesak bagi setiap individu. Baik itu keterampilan untuk menggunakan AI, maupun untuk membangun inovasi baru dengan AI. Kami sangat bersemangat menyambut Jobstreet by SEEK ke dalam inisiatif elevAIte Indonesia. Kami berharap kolaborasi ini dapat memperluas jangkauan kita untuk menyiapkan talenta Indonesia dengan kemampuan AI yang relevan, agar talenta kita memiliki daya saing tinggi di industri,” ujar Arief Suseno, AI National Skills Director, Microsoft Indonesia.
Ekosistem industri yang memerlukan talenta AI
Pertumbuhan adopsi generative AI di Indonesia sejalan dengan implementasi Strategi Nasional Kecerdasan Artifisial, terutama dalam pilar pengembangan sumber daya manusia. Terlebih lagi, fokus pada peningkatan keterampilan digital pekerja telah menciptakan lingkungan yang kondusif bagi penerimaan teknologi baru seperti generative AI.
Menyadari bagaimana industri turut berubah dan berinovasi dengan teknologi AI, Jobstreet by SEEK pun akan membuat komunitas yang dapat menghubungkan talenta AI dengan mitra industri penyedia kerja di platform Jobstreet. Rencananya, komunitas ini akan mulai diperkenalkan pada bulan April 2025.
###
*Microsoft & LinkedIn Work Trend Index 2024
**https://www.tempo.co/ekonomi/hanya-19-persen-pekerja-indonesia-punya-keahlian-digital-begini-pesan-menaker-yassierli-soal-pemanfaatan-ai-1205326
***https://www.statista.com/chart/33118/respondents-excited-about-ai-in-daily-life/
Jobstreet by SEEK Joins elevAIte to Boost AI Talent Readiness in Indonesia with Microsoft
Jakarta, 20 March 2025 – Jobstreet by SEEK has officially joined elevAIte Indonesia, an AI training initiative by the Ministry of Communication and Digital of the Republic of Indonesia and Microsoft. This initiative brings together government, industry, educational institutions, and community partners to equip one million Indonesian talents with the necessary skills to thrive in the AI-driven era. As part of this program, Jobstreet by SEEK will focus on preparing Indonesian professionals with essential soft and hard skills while connecting AI talent with job opportunities in the industry.
According to the 2024 Work Trend Index report by Microsoft and LinkedIn, 92% of knowledge workers in Indonesia are already using generative AI at work—a significantly higher percentage than the global average (75%) and the Asia-Pacific region (83%)*. The Indonesian Ministry of Manpower also supports the adoption of generative AI among students and professionals as a crucial digital skill for the future workforce**. Furthermore, a 2024 survey by Statista Consumer Insights ranked Indonesia as the fourth most AI-enthusiastic country worldwide***, underscoring the nation’s strong potential to integrate advanced technology into the workplace.
“Jobstreet by SEEK recognizes the immense potential of generative AI in both professional and everyday life for Indonesians. Our collaboration with the Ministry of Communications and Digital and Microsoft through the elevAIte Indonesia initiative reflects our commitment to promoting generative AI adoption to enhance Indonesia’s workforce productivity and quality while connecting them to the right industry ecosystem. With Microsoft’s products widely used in office environments, mastering Copilot technology will be crucial for workers in Indonesia,” said Sawitri, Head of Country Marketing Indonesia, Jobstreet by SEEK.
Blending Soft and Hard Skills for the AI-Powered Workplace
To equip Indonesian talent with AI-related skills, Jobstreet by SEEK is launching a series of Microsoft 365 Copilot training videos, featuring Kevianda Kamarullah, Modern Work & Copilot Specialist at Microsoft, and Jovial da Lopez, a content creator and AI advocate. These training videos, available in the KarirKu section of the Jobstreet by SEEK app—free to download from the App Store and Play Store—cover various modules on leveraging Copilot features in daily work tasks, from data analysis to document creation. By utilizing AI, professionals can significantly reduce processing time, allowing them to focus on more strategic responsibilities.
The Microsoft 365 Copilot Basic Training and Microsoft Word with Copilot Training video series reveals tips and tricks for utilizing Microsoft 365 Copilot as a workplace assistant and accelerating task completion. The training videos also explain how to use Copilot to support work in various professions, such as administrative staff, customer service officers, digital marketers, and sales teams, and help them achieve their sales targets.
In addition to assisting with tasks such as report and presentation preparation, document summarization, and document revision more quickly, these training videos also reveal tips and tricks for using Copilot assistance for job searches, such as creating professional CVs and practicing interview sessions. Users who complete this training video series will receive a “Basic Microsoft 365 Copilot Training Certificate” & “Microsoft Word with Copilot Training Certificate.”
“Entering the new era of generative AI, AI skills are urgently needed by every individual. Whether it’s skills to use AI or to build new innovations with AI. We are very excited to welcome Jobstreet by SEEK into the elevAIte Indonesia initiative. We hope this collaboration can expand our reach to prepare Indonesian talents with relevant AI skills, so our talents have high competitiveness in the industry,” said Arief Suseno, AI National Skills Director, Microsoft Indonesia.
The Ecosystem of Industries Needing AI Talent
The growth of Generative AI adoption in Indonesia aligns with the implementation of the National Artificial Intelligence Strategy, especially in the pillar of human resource development. Moreover, the focus on enhancing workers’ digital skills has created a conducive environment for the acceptance of new technologies like Generative AI.
Recognizing the evolving AI-driven job market, Jobstreet by SEEK plans to establish a dedicated community to connect AI talent with industry employers via its platform. This community is expected to be introduced in April 2025.
###
* Microsoft & LinkedIn Work Trend Index 2024
** https://www.tempo.co/ekonomi/hanya-19-persen-pekerja-indonesia-punya-keahlian-digital-begini-pesan-menaker-yassierli-soal-pemanfaatan-ai-1205326
*** https://www.statista.com/chart/33118/respondents-excited-about-ai-in-daily-life/
Updating Email Addresses After Removing Domains
The Microsoft 365 Admin Center Makes It Easy to Remove Domains
I’ve been cleaning up the set of accepted domains configured for my Microsoft 365 tenant. After we launched the Office 365 for IT Pros eBook, I acquired several domains like Office365ExchangeBook.com that seemed to be relevant to the book. Years later and the office365itpros.com domain persists with a large legacy of published articles and scripts. No real advantage has been gained from the other domains, so the decision was taken to drop the unwanted domains and remove them from Microsoft 365.
Removing a domain is easier than adding a domain. Go to the Domains section (under Settings), select the unwanted domain, and select Remove domain from the menu. This method works for vanity domains (the type that you pay domain registrars to own) but not for fallback or service domains used for MOERA addresses.
When you use the Microsoft 365 admin center to remove a domain, the portal thoughtfully shows the mail-enabled objects that will be affected by the removal (Figure 1). You can then remove any proxy addresses assigned to the highlighted objects that use the domains.

The Problem of PowerShell
But sometimes you might remove a domain with the Remove-AcceptedDomain cmdlet and so lose the benefit of the checks performed by the Microsoft 365 admin center. This is fair enough because if you make changes to a tenant configuration through PowerShell, you should understand the consequences of the action. I wish I did…
If you forget to adjust email addresses for objects affected by the domain removal, you’ll see errors like this when attempting to update an address:
Set-UnifiedGroup -Identity c38ef1e1-1957-4e5f-bcde-1eae7bb234f3 -PrimarySmtpAddress 'Soccer.Fans@office365itpros.com' Set-UnifiedGroup: ||You can't use the domain Office365ExchangeBook.com because it's not an accepted domain for your organization.
Quite reasonably, the cmdlet complains that it can’t update the primary SMTP address for the Microsoft 365 group because it’s detected an invalid entry in the set of proxy addresses. To correct the issue, we need to find all the mail-enabled objects that has primary or proxy addresses that use the removed domain and remove or replace the offending addresses.
The PowerShell Solution
You can download the script I used from the Office 365 for IT Pros GitHub repository. Essentially, the script breaks down into three parts. First, the script retrieves the current set of accepted domains and identifies the default domain:
[array]$Domains = Get-AcceptedDomain $PrimaryDomain = $Domains | Where-Object { $_.Default -eq $true } | Select-Object -ExpandProperty DomainName [array]$Domains = $Domains | Select-Object -ExpandProperty DomainName
Second, the script checks mailboxes, Microsoft 365 groups, distribution groups, and dynamic distribution groups to find instances where proxy addresses don’t belong to an accepted domain. The details of the affected objects are recorded in a list. Here’s how the script deals with mailboxes:
Write-Host "Checking mailboxes..." [array]$Mailboxes = Get-ExoMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox, RoomMailbox, EquipmentMailbox, discoveryMailbox ForEach ($Mailbox in $Mailboxes) { $ExternalAddresses = $Mailbox.EmailAddresses | Where-Object { $_ -like "SMTP:*" -and ($_.Split(':')[1].Split('@')[1] -notin $Domains) } If ($ExternalAddresses) { $ReportLine = [PSCustomObject][Ordered]@{ DisplayName = $Mailbox.DisplayName PrimarySmtpAddress = $Mailbox.PrimarySmtpAddress EmailAddresses = $ExternalAddresses -join ", " Type = "mailbox" Identity = $Mailbox.Alias } $Report.Add($ReportLine) } }
Finally, each of the objects found by checking proxy addresses against accepted domains is processed to remove any bad proxy addresses and assign new primary SMTP addresses where necessary.
Not Perfect Code
I don’t pretend that this script is perfect code. All I can say is that it did the job for me and cleaned up primary and proxy addresses for my tenant and might therefore be useful to others in the same situation. What this experience goes to prove is that sometimes executing clean-up operations is better done through the GUI where you can take advantage of the work done by engineers to anticipate what needs to be done after adjustments are made to a tenant.
Support the work of the Office 365 for IT Pros team by subscribing to the Office 365 for IT Pros eBook. Your support pays for the time we need to track, analyze, and document the changing world of Microsoft 365 and Office 365.
Facilitator Agent Brings AI-Powered Notetaking to Teams Chat
Facilitator Agent Extracts Value from Teams Chat
In an article last month, I discussed why Microsoft 365 Copilot works better for some people than it does for others. The article is based on a blog by Abram Jackson, a program manager working on Microsoft 365 Copilot, and one of the points he makes is that AI fails when it doesn’t have the right data to process. This is why Copilot is so good at summarizing a bounded set of data such as a Teams meeting transcript or email thread and less good at other tasks.
Which brings me to a new bounded AI use in the Teams Facilitator “collaborative communication” agent (see message center notification MC1017117, last updated 10 March 2025, Microsoft 365 roadmap item 476811). The agent has been available in targeted release and is heading for general availability in April 2025. Facilitator is available for meetings and chats, but here I focus on chats because this is an area where AI hasn’t ventured before. According to Microsoft, “the Facilitator creates and maintains an up-to-date summary of important information as the conversation happens, including key decisions, actions items, and open questions to resolve.”
The administrator documentation and user documentation and doesn’t need to be repeating here. Essentially, you’ll need a Microsoft 365 Copilot license to use Facilitator (otherwise known as AI Notes). Note generation is supported for English now with support for more languages in the pipeline.
Control over who can use Facilitator is exerted by allowing people access to the Facilitator app in the Teams admin center. Microsoft says that after general availability, the app is enabled by default and can be used in chats by enabling the AI Notes option (click the icon to the right of the Copilot icon). Let’s see what happens.
Using AI Notes in a Chat
When a chat starts, it’s an empty thread and there’s nothing for AI to process. In fact, AI cannot process information until it has sufficient data to understand what’s happening. This is what’s happening in Figure 1. Facilitator is enabled for the chat but only three messages are in the thread and that’s not enough.

This isn’t a problem because the intention behind Facilitator is that it will help chat participants understand what’s been discussed in a thread. It’s easy to understand the conversation after three messages. It’s much more difficult to do so after a hundred messages in a fast-moving debate. The same situation occurs for Microsoft 365 Copilot in a Teams meeting where a certain amount of data must accumulate in the meeting transcript before Copilot becomes active.
As the chat develops, Facilitator begins to generate notes (Figure 2) to capture the major points raised in the chat, any decisions made, and any questions that remain unanswered. Facilitator updates the notes displayed in the pane periodically and highlights new information that a chat participant hasn’t seen. Like other Copilot implementations, reference numbers allow users to access the source for a note.

At the end of the chat, any of the chat participants can ask Facilitator a question by using an @Faciliator mention and entering the question (Figure 3).

Alternatively, a participant with access to the AI Notes can copy the notes and paste them into the chat. This is a good way to share AI Notes with chat participants who don’t have a Microsoft 365 Copilot license as those people cannot enable and view AI Notes for the chat.
External Participants Turn Off Facilitator
The Facilitator agent can’t be used in chats that involve external participants (guest users or external federated chats). This is likely because no mechanism is available in a chat to allow people to grant consent for their messages to be processed by an agent. When people join a meeting, they have the chance to grant consent for transcription, and it’s the transcript that’s used by Microsoft 365 Copilot to summarize the meeting or answer questions about the proceedings.
Facilitator is a Nice Tool to Have
I like Facilitator very much. It’s an example of focused application of AI LLMs to reason over a bounded set of data to generate results that works well in practice. Facilitator is not enough to justify the full price of a Microsoft 365 Copilot license, but it is step in the right direction and is a sign that we’re moving away from what some call the “party tricks” of Copilot to the implementation of some really useful tools.
Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.
Time to Remove the Old Report Message Add-Ins
Report Message and Report Phishing Deemed Unsafe by Microsoft
Message center notification MC1030003 (12 March 2025) brings news that the built-in Report button (Figure 1) is available for all Outlook clients (from these versions on). The older Report Message and Report Phishing add-ins are now in maintenance mode. Although they continue to work, Microsoft recommends that the add-ins should be removed before the time comes when Microsoft retires and finally removes the now-obsolete add-ins.

Microsoft cites many benefits for the new Report button, including support for reporting email delivered to shared mailboxes, better localization, and the ability to report messages from different places, like the preview window. My favorite is that users can’t report their own messages as junk because Outlook disables the Report button for messages sent by the mailbox owner. For now, this feature only seems to work in OWA and the new Outlook and sometimes it doesn’t work, but it’s certainly a good thing.
If users don’t see the Report button, it could be that the user reported settings in the Microsoft Defender portal need to be adjusted. These settings control whether users can submit messages suspected to be junk email or phishing attempts to Microsoft for analysis.
Some organizations don’t permit people to report email because they don’t want Microsoft personnel to be able to read the reported messages. That’s certainly a valid perspective, but phishing techniques evolve on an ongoing basis and a reported message could disclose a new technique that allows Exchange Online Protection to detect and block dangerous content. Overall, I think it’s best to allow users to report bad email.
Unsafe Add-ins
Rather alarmingly, the FAQ for the built-in Report button says that “there are security issues with the add-in which makes them unsafe for the organization” without saying or even hinting what those issues might be. The FAQ also says that the add-ins “can’t architecturally support functionality that customers keep asking for.” Again, no further information is given to back up the claim. It’s more likely that the problem is that these add-ins are COM-based. Microsoft is dumping this technology as it moves forward with the new Outlook for Windows.
Checking the Report Add-ins
Unless good reason exists not to use built-in client functionality, it’s best to use it rather than add-ins. Given the profusion of integrated apps that could appear in tenants due to Copilot agents, administrators are likely to be busy managing those apps. Getting rid of a few obsolete add-ins won’t ease the agent burden, but it’s step in the right direction.
Taking my own advice to heart, I checked in the Integrated apps section of the Microsoft 365 admin center to see if the Report Message and Report Phishing add-ins were still in use. As you can see from Figure 2, just one active user was detected.

The download option creates a CSV file that gives some details about the app and when it was used, but it doesn’t point to who is using the app. The app properties might be configured to allow access to the add-in to specific users or groups, and that could give a clue to who might be using it. But you’re out of luck if the app is configured for tenant-wide access.
Removing an Add-in
It’s always best to let users know that a change in coming. Microsoft says that people prefer the single Report button. In any case, changing from the add-in to the built-in report button shouldn’t prove too difficult for anyone, so I went ahead and removed the add-in from the set of Integrated apps (Figure 3).

It takes some time for a change like this to make its way to clients. Microsoft documentation says that it can take up to 24 hours before a newly deployed app appears in a client. The same applies to app deletions. My experience is that it can take longer before all clients receive updates. However, removed add-ins should disappear in a couple of days.
I’m glad to report that the removal of the old Report Phishing add-in from my tenant went according to plan. No squawking from annoyed users has happened so far. Maybe they haven’t noticed the change yet.
Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.
SharePoint Online PowerShell Module Gets Modern Authentication
Old-Fashioned Identity Client Jettisoned for OAuth
Message center notification MC1028318 (March 11, 2025) says that the SharePoint Online PowerShell module will replace the IDCRL authentication protocol with OAuth (modern authentication). Microsoft says that the replacement is “part of our ongoing efforts to enhance security and adopt modern authentication practices.”
Some might ask why it’s taken so long for Microsoft to make the decision to switch the module to OAuth. Microsoft has not given the SharePoint Online PowerShell module much tender loving care over the last few years. For instance, the module hasn’t been upgraded to PowerShell 7 and remains an outlier in this respect within the set of PowerShell modules used within Microsoft 365.
It’s not as if an adequate Graph-based replacement exists. The SharePoint Settings Graph API appeared in mid-2022 and hasn’t made much progress since. It’s just one of the reasons why the SharePoint PnP module is so popular.
The Identity Client Run Time Library
IDCRL is the Identity Client Run Time Library. It’s a very old authentication protocol that was used by products like Lync 2010 Server to authenticate with Exchange Online and Lync Online. IDCRL was also used by the Office desktop apps. Microsoft replaced IDCRL in the Microsoft 365 Apps for enterprise in September 2020 (MC222132).
More pertinently, SharePoint Online used IDCRL for authentication until recently, including with CSOM-based applications.
Upgrade in Modules Released after March 28, 2025
Microsoft issues new versions of the Microsoft.Online.SharePoint.PowerShell module regularly, mostly to add cmdlets or parameters needed to manage features like intelligent versioning. In this case, the change to OAuth is effective for modules released after March 28, 2025 (versions higher than 16.0.25814.12000).
You can download the latest version of the SharePoint Online management module from the PowerShell gallery (Figure 1). Once installed, the Connect-SPOService cmdlet automatically uses modern authentication (also called “modern TLS protocols”) instead of IDCRL. Although the implementation is designed not to affect how scripts work, you might see warning messages because Microsoft will deprecate the ModernAuth parameter in the future (the parameter is now obsolete).

Although I accept Microsoft’s statement that the upgrade to OAuth-based authentication should not affect scripts, it’s always wise to test and verify in case the specific use of the module in a tenant is an edge case that Microsoft doesn’t test. Given some of the recent problems with other PowerShell modules, testing an updated module before putting it into production is always wise.
One Small Step Forward
Given Microsoft’s focus on removing outdated authentication protocols from across Microsoft 365 workloads, it’s surprising that the SharePoint Online management PowerShell module is only now being updated. It’s well behind the modules to manage other major workloads like Exchange and Teams. But then again, as I keep on saying, the signs over the last few years is that Microsoft really doesn’t devote too much attention to the SharePoint Online management module, and that’s a real pity.
So much change, all the time. It’s a challenge to stay abreast of all the updates Microsoft makes across the Microsoft 365 ecosystem. Subscribe to the Office 365 for IT Pros eBook to receive monthly insights into what happens, why it happens, and what new features and capabilities mean for your tenant.
Why Only Web-Based Outlook Clients Can Recall Encrypted Email
Client-Side Limitation or Licensing Limitation?
Microsoft launched the new message recall feature for Exchange Online in October 2022 and shipped the code in early 2023. I duly wrote about the feature and noted the restriction for email protected by sensitivity labels. The EHLO blog describing message recall says:
Does recall work for encrypted email?
Message Recall within Classic Outlook is not available for messages encrypted with OME or using MIP labels. When attempting to recall these messages, the recall option will be greyed out in Classic Outlook and unavailable. This is a client-side limitation and is by design. To recall these messages, access your mailbox using OWA or the New Outlook for Windows, and recall your message from there.
Microsoft subsequently revamped the new message recall in August 2024. Nothing more was said about sensitivity labels. All we know is that a client-side limitation stops Outlook classic being able to recall protected messages while OWA and the new Outlook can both recall protected messages with ease (Figure 1).

Having the Right License is Always Important
Roll forward to message center notification MC882266 (last updated 23 October 2024, Microsoft 365 roadmap item 413431) where we discover that a component called Microsoft Purview Information Protection Advanced Message Encryption lies at the heart of the matter. According to the notification, user accounts must have a Microsoft 365 E5 or Office 365 E5 license to be able to recall encrypted email from their Sent Items folder. The same limitations that the mailbox must be in Exchange Online and that recall is only possible for messages sent to recipients within the same organization exist.
Notice that there’s no mention of client-side limitations. When such limitations are mentioned, it implies that some software problem exists within a client that prevents the client from being able to do something. Outlook classic is perfectly capable of working with sensitivity labels that encrypt messages.
In fact, Outlook classic is the most capable client in terms of working with encrypted messages because it can operate offline, including the ability to issue message recall requests for unprotected email by selecting a message and using the option in the File menu (Figure 2). The recall option isn’t available if the selected message has a sensitivity label with encryption.

Recall requests are kept in the Outbox folder until a network connection is available. Synchronization then occurs to send the recall request to Exchange Online for processing.
The ability of Outlook classic to work offline almost as well as when online is where the real issue might lie. OWA and the new Outlook are both designed to work online and that’s how they usually work. It’s therefore easy for the clients to check the licensing status of the signed in user, specifically to check that the account holds the Azure Information Protection Premium P2 service plan that’s included in the Microsoft 365 E5 and Office 365 E5 products. Outlook classic would need additional code to check user licensing when online so that it could work offline, much like the client stores rights management use licenses to allow it to work with protected messages when offline.
It can be argued that the limitation exists both in the client (can’t check a license unless Outlook classic is online) and licensing (can’t recall protected messages unless the right license is available), so the somewhat torturous text MC882266 is accurate without being clear.
Message Recall in Outlook Mobile
Meanwhile, message center notification MC1025213 (7 March 2025, Microsoft 365 roadmap item 471444) announces that Outlook for iOS and Android can recall messages. The option is available from the […] menu after selecting a message (Figure 3). Outlook mobile clients cannot recall protected messages.

In Case of Protected Recall, Look for OWA
I’m not sure how many people will want to recall encrypted messages. If you find yourself in this situation, it’s easy to fire up OWA or the New Outlook and issue the recall request. Of course, the added time required to remember to use a different client and perform the message recall might mean that the recipient has read the text, but that’s a risk you must take.
Keep up to date with developments like the new Outlook by subscribing to the Office 365 for IT Pros eBook. Our monthly updates make sure that our subscribers understand the most important changes happening across Office 365.
How to Send Outlook Newsletters with Email Communication Services
Use ECS to Send Outlook Newsletters to Thousands of External Recipients
After writing about the new Outlook Newsletters app last week, I was asked if any workaround existed to allow newsletters to be sent to external recipients. If you only need to send a newsletter to a few external recipients, the easy answer is to create an Exchange Online mail contact for each recipient. Assuming that a distribution list is used to distribute a newsletter, the mail contacts can be added to the distribution list membership and so receive their copy when the Exchange transport service expands the membership to dispatch the newsletter to its final destinations.
This approach works for any external SMTP address, defined as an SMTP address that doesn’t belong to one of the accepted domains registered for the tenant. I often use the technique to capture copies of messages sent to distribution lists as posts in a Teams channel. Figure 1 shows an example of such a mail contact. Note that the contact is hidden from address books to prevent its discovery by users who browse the GAL.

Scaling Up to Cope with External Recipients
However, adding individual mail contacts for external recipients is not a method that’s easy to scale up. You can automate the process with PowerShell by using the New-MailContact cmdlet to create mail contacts and the Add-DistributionGroupMember cmdlet to add mail contacts to a distribution list, but that’s probably too much trouble for the delivered value.
Besides, using distribution lists to send messages to large numbers of external recipients will run foul of the new tenant external recipient rate limit (delayed for implementation until 1 May 2025), not to mention the individual mailbox external recipient rate limit that’s due for implementation in October 2025. A better solution is required.
Sending an Outlook Newsletter with Azure Email Communication Services
Azure Email Communication Services (ECS) is a pay-as-you-go service based on Exchange Online that’s expressly intended to process external email sent at high volumes, like newsletters directed at customers. The problem is that Outlook Newsletters use “regular” Exchange Online and have no connection to ECS, so we need a way to bridge the gap.
My solution, imperfect and manual as it is, goes like this:
- Create and send an Outlook newsletter as normal.
- Open the copy of the newsletter in the Sent Items folder of the author’s mailbox (or the copy received by any recipient).
- Copy the HTML body and paste it into a Word document. Make sure to select the keep source formatting option to remain the layout. The result should look something like the document shown in Figure 2.
Save the Word document as a web page (HTML file). The output HTML file should contain all the formatting instructions and pictures for the newsletter.

If you look at the script referenced in the article about ECS, you’ll see that the setup necessary to send a message through ECS using PowerShell is very similar to sending a message with the Microsoft Graph PowerShell SDK. Essentially, you create and populate a message structure before submitting it to ECS to be sent. Part of the message structure is the message body, which can be formatted as HTML.
When I worked with ECS last year, I discovered that ECS was very sensitive to the HTML in a message structure and refused to process HTML generated from Word. That issue seems to have gone away because I was able to load the HTML for the Outlook newsletter into a string variable like this:
[string]$HtmlContent = Get-Content Newsletter.htm
Next, I amended the script code to change the message subject and use the HTML content loaded in from the newsletter and used the code to send newsletters to several hundred email addresses as a test. Here’s the code that does the work.
[int]$i = 0 Write-Host "Processing messages... " ForEach ($Recipient in $RecipientList.Email) { # Construct the TO addresses for the message [array]$ToRecipientAddress = Get-MessageRecipients -ListOfAddresses $Recipient $i++ Write-Host ("Sending email to {0} ({1}/{2})" -f $Recipient, $i, $RecipientList.count) # Build a hash table containing the settings for the message $Email = @{ # The sender's email address senderAddress = $senderAddress # Create a unique identifier for this message headers = @{ id = ("{0}-{1}" -f (Get-Date -format s), $ToRecipientAddress.address) } # The content of the email, including the subject and HTML body content = @{ subject = "Office 365 for IT February 2025 Articles" html = $HtmlContent } # The recipients of the email recipients = @{ to = $ToRecipientAddress bcc = @( @{ address = "o365itprosrenewals@office365itpros.com" displayname = "Office 365 for IT Pros Support" } ) } # The reply-to addresses for the email - doesn't have to be the same as the sender address ReplyTo = @( @{ address = "o365itprosrenewals@office365itpros.com" displayName = "Office 365 for IT Pros Support" } ) userEngagementTrackingDisabled = $false } # Convert the email settings structure to JSON $EmailSettings = $Email | ConvertTo-Json -Depth 10 $MailStatus = $null # Define the URI to post to when sending a message with ECS. # The same URI is used for all messages. The body of the message dictates who receives the email $Uri = ("https://{0}/emails:send?api-version=2023-03-31" -f $CommunicationEndpoint) # Submit the message to the Email Communication service try { $MailStatus = Invoke-RestMethod -Uri $uri -Method Post -Headers $headers -Body $EmailSettings -UseBasicParsing } catch { Write-Host ("Failed to send email to {0}" -f $Recipient) } } Start-Sleep -Seconds 2 $Recipient = $null }
Combine Different Components to Solve a Problem
The results aren’t perfect. Some email clients complain that the messages contain trackers (used by Outlook Newsletters to track the number of recipients that open newsletters. Some clients can’t display the inline graphics (Outlook classic does the best job). Tweaking of the HTML before it is processed by ECS might fix these problems. It’s worth noting that we’re dealing with preview software sending messages through an unsupported route, so some difficulties are to be expected.
Even though this is a use that Microsoft doesn’t support, it seems possible to use Outlook Newsletters for what it’s good at (creating nice-looking newsletters) and send the output to as many external recipients as you want through ECS. Given the imminent limitation for external recipient traffic being imposed by Exchange Online, using ECS might just be a solution for those who depend on being able to send high volumes of email to customers. ECS is harder to set up than simply sending messages from Outlook, and its traffic costs money, but ECS does get the job done.
After Microsoft ships Outlook Newsletters, they might support the use of ECS. It seems like a sensible next step!
Need some assistance to write and manage PowerShell scripts for Microsoft 365? Get a copy of the Automating Microsoft 365 with PowerShell eBook, available standalone or as part of the Office 365 for IT Pros eBook bundle.
Microsoft Imposes 1-Year Retention for Teams Meeting Attendance Reports
Attendance Report Retention Policy Already in Force
Microsoft decision (announced in message center notification MC1022529 on March 4, 2025) to implement a retention policy for meeting attendance reports is interesting on multiple levels. The title of the notification is misleading because this is a new rather than an updated retention policy.
The attendance report retention policy is in force now and means that “all meeting attendance reports will be stored for one year after meeting end date to align with the Microsoft privacy policy.” I don’t see any specific mention of meeting attendance reports in Microsoft’s privacy policy, but I’m sure it’s covered somewhere. At least, it is to the satisfaction of Microsoft’s lawyers.
The term “retention policy” can confuse because it usually refers to the policies managed by Microsoft Purview data lifecycle management, aka Microsoft 365 retention policies. Teams chats and channel conversations can be managed by Microsoft 365 retention policies, but in this case, the retention policies are specific to Teams, just like the retention applied to Teams meeting recordings.
Attendance Report Basics
Attendance reports are available to meeting organizers. They can also be accessed programmatically using Graph APIs. In the case of meeting recordings, Microsoft research discovered that very few recordings were viewed more than 60 days after an event. It seems likely that exactly the same case pertains for attendance reports.
I doubt that many organizers go back and check the attendance for long-finished meetings. Certainly, organizers possibly review the attendance report for some meetings, but I don’t think this is common practice. Those who do can see details like the time meeting attendees joined and left the meeting, and if they reacted during the event (Figure 1).

Clicking on an attendee reveals details of that person’s “engagement” with the meetings (Figure 2). Some are less effusive during calls and dislike using reactions to express their view on proceedings. Others are more demonstrative. It’s all very much a personal choice, as is enabling cameras during calls.

Downloading Attendance Report Data
The download option for attendance reports preserves the attendance report data in a CSV file. If you want to preserve information about meetings held before November 1, 2024, you have until late August 2025 to download that data. That’s curious, because a one-year retention policy implies that these reports should be available for a full year. For instance, the attendance reports for meetings held in October 2024 should be available until October 2025, and so on. Tenants can’t change the retention period, alter the retention period, or influence when retention jobs run to remove attendance reports.
My assumption is that Microsoft began stamping attendance reports with retention dates on or around November 1, 2024, and took the decision to run a one-time clean-up of older attendance reports on some unspecified date in late August 2025. Attendance reports have been around for several years. Microsoft discarded the old format in February 2021 and have been tweaking the current format ever since. The one-time cleanup operation will set a baseline for ongoing retention in the future.
No Option to Avoid
Microsoft 365 tenant can’t avoid the new attendance report retention policy. The justification for the new policy is Microsoft’s privacy policy and it’s probably a justifiable course of action considering the probability that people will want to go back and view old attendance data years after an event. Besides, organizers can preserve attendance data if they need to, so there’s not much to complain about.
Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.
Exchange Online Restricts the Number of Dynamic Distribution Groups
New 3,000 Threshold for Dynamic Distribution Groups in April 2025
Fresh from its decision to impose a tenant-wide external recipient run rate (now delayed until May 2025), Microsoft announced another restriction for Exchange Online on March 5, 2025 by limiting the number of dynamic distribution groups (DDGs) in a tenant to 3000 (message center notification MC1024399). Once the limit is reached, no further dynamic distribution groups can be created until some have been removed. Microsoft plans to introduce the restriction in early April 2025.
To discover how many dynamic distribution groups are in a tenant, run this PowerShell command:
(Get-DynamicDistributionGroup).count
A Surprising Move
It’s a surprising move. Dynamic distribution groups require service resources to resolve recipient filters to individual recipients when messages pass through the transport pipeline. Microsoft announced “modern” DDGs in December 2021 (rolled out in mid-2022) to save resources and reduce the time required to process list expansion by calculating list membership on a scheduled basis in the background rather than on-demand.
Dynamic distribution groups support both precanned and custom recipient filters, and expansion of some complex custom filters is likely quite demanding. Recently, Microsoft fixed a bug in wildcard support in DDGs that affected custom filter resolution for many customers. No hint was given then or earlier that tenants might be using too many DDGs. I suspect that very few tenants surpass the new 3,000 limit.
Entra ID supports a much higher 15,000 limit shared between dynamic Microsoft 365 groups and dynamic administrative units. Both the dynamic Entra ID object types require Entra P1 licenses whereas dynamic distribution groups are covered in the standard Exchange Online license. Dynamic distribution groups are not Entra ID objects and do not synchronize from Exchange Online to Entra ID. Nevertheless, it seems odd that Exchange Online should choose a much lower limit than pertains for dynamic Microsoft 365 groups. Conspiracy theorists will no doubt conclude that the new limit is yet another not-so-subtle hint from Microsoft that they’d prefer if customers use Microsoft 365 groups instead of distribution groups.
The actual answer might be that this is a simple check to stop people abusing dynamic distribution lists. Many components that consume service resources are limited in one way or another. This could just be another example of Microsoft introducing a threshold to impose an upper limit on the resources DDGs can consume.
Checking for Inactive Dynamic Distribution Groups
If your tenant is near the new limit, you might want to check for inactive Dynamic distribution groups. The easiest way to do this is using the report available in the Reports section of the Exchange admin center (Figure 1). As you can see, all 27 of the DDGs in my tenant are unused, probably because so much of my recent work has focused on Microsoft 365 Groups and Teams.

The report supports filtering for 7, 30, and 90 days and a custom start date (within the last 80 days). The information shown in the report comes from message tracing data (which goes back a maximum of 90 days). If you want more control over the reported data, you can use the technique explained in this article to run historical message trace reports and analyze that data with PowerShell (the article explains how to do this for normal distribution groups, be sure to change the reference to the Get-DistributionGroup cmdlet to Get-DynamicDistributionGroup).
Time to Trim Dynamic Distribution Groups
I don’t have knowledge about any abuse that might have driven Microsoft to clamp down on dynamic distribution groups, Given that it is very easy to build a recipient filter that addresses everyone in the tenant, it’s understandable that abuse could occur in the form of a significant increase in email volume generated when such a DDG is used. In the past, this might have caused an email storm, but Microsoft built checks for email storms into Exchange Online several years ago.
In any case, the limit will come into effect in early April 2025. Before then, it’s time to check the set of dynamic distribution groups with the aim of trimming unused DDGs. And if you can’t get the number of DDGs under the limit, consider converting them to dynamic Microsoft 365 groups.
Support the work of the Office 365 for IT Pros team by subscribing to the Office 365 for IT Pros eBook. Your support pays for the time we need to track, analyze, and document the changing world of Microsoft 365 and Office 365.
The New Outlook Gains Colored Folder Icons
Outlook Users Never Realized the Desperate Need for Colored Folder Icons
The announcement in message center notification MC993229 (31 January, 2025), Microsoft 365 roadmap item 472921) that the new Outlook (or as it’s referred to in the announcement, “the new Microsoft Outlook for Windows desktop” and OWA are allowing users to personalize folder icon colors is in the category of “why” features. Apparently, the idea is to make it easier for people “to visually differentiate and personalize folders.” The feature is available in targeted release tenants and will be generally available worldwide during March 2025.
I don’t want to pour cold water on innovation, but the thought did go through my mind that the Outlook classic desktop client has survived and prospered since 1997 without different colored folder icons. The same is true for OWA, introduced around the same time, and seemingly unaffected by monocolor folder icons.
Using Outlook Colored Folder Icons
But now we have colored folder icons and the world is a better place. At least, it might be if you’re not color blind (like me) and have difficulties differentiating between nuanced shades. In the spirit of adventure, I resolved to bring a dash of color into my email life and set out to update some folders.
The first thing to note is that you can leave Outlook alone and it will use automatic colors. In other words, Outlook chooses how to present the folder icon. I’m not quite sure what color is used, but it’s functional and never caused me a moment’s worry until now, mostly because I never thought about choosing a new color for folder icons.
In Figure 1, the Archive folder is selected, and its folder icon is colored silver, one of the options in the folder icon palette. Some of the other folders have new colors too. Whether this makes those folders more recognizable or visually differentiated is in the eyes of the beholder.
To reveal the option to choose a new color for a folder icon, click the […] folder menu alongside its name. To produce the screen shot shown in Figure 1, I selected the folder menu for the Sent Items folder. As you can see, Sent Items still uses the automatic default chosen by Outlook. To update the folder icon color, choose one of the available selection like cranberry, light teal, or lime (note to self, who would have thought that I would ever write about applying lime as a color to any Outlook component?).

In any case, it all works, and you can spend a few minutes colorizing your folder icons.
Filers versus Pilers
I don’t know what impetus pushed the Outlook team to introduce colored folder icons at this point in the product’s development. It seems like many users eschew the use of folders apart from the default set because they depend on search to find items of interest when necessary. Piling items into a small set of folders is a habit encouraged by reliable search, something that took Outlook a long time to acquire.
I’m a filer in that I use folders to organize information. I’m not as diligent about filing as I once was in the days when search worked intermittently. Smaller mailbox quotas meant that it was sometimes necessary to clear out lots of items to make space for new email. Large mailbox quotas and retention processing have largely taken care of the need to delete items from mailboxes manually. I guess we need to fill the time once spent removing unwanted debris from mailboxes with other activities, like choosing colors for folder icons.
But Seriously
Some will criticize the Outlook developers for spending valuable engineering time implementing features like folder icon colors. If Microsoft is really serious about convincing the curmudgeons who use Outlook classic to move to the new client before support ceases for Outlook classic in 2029, shouldn’t they be solving the major pain points that stop people switching? Of course, Microsoft should deliver solutions like solid PST support (due imminently according to MC966639), but assigning a bunch of extra engineers to work on the pain points might not create solutions any faster. Which is why the engineers need to be kept occupied by pushing forward the frontiers of information technology with colored folder icons.
Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.
Using iOS Build Numbers in Exchange ActiveSync Device Access Rules
Now Possible to Include iOS Build Numbers in ActiveSync Device Access Rules to Allow Access for Devices Running Specific Builds
I last looked at Exchange Online Mobile Device management in June 2023, when I wrote about reporting devices that synchronize with Exchange mailboxes using ActiveSync. At the time, I said that not many changes had recently occurred in Exchange Mobile Device Management. After all, Microsoft wants customers to use Intune, and Exchange Mobile Device Management is very much the runt in the Microsoft device management litter.
Which brings me to message center notification MC916298 (23 October 2024) and now fully available in tenants worldwide. It’s the first change in ActiveSync Device Access rules that I can remember since Microsoft updated rules to support Outlook for iOS and Android after its Acompli acquisition in late 2014. The best articles about how to configure device access rules still date from that period. Exchange ActiveSync is not an area of high change.
Query Strings and iOS Build Numbers (or Build Strings)
The change is that Apple iOS build information is now supported in the query string used to check the O/S version on mobile devices attempting to connect to Exchange Online mailboxes. MC916298 says “build number,” but Apple uses alphabetic identifiers like 22D72 (Figure 1).

Leaving semantics aside, the point is that organizations can create ActiveSync device access rules based on the information reported by iOS devices. For example, this code creates an access rule that allows IOS devices running iOS 18.3.1 22D72:
New-ActiveSyncDeviceAccessRule -AccessLevel Allow -Characteristic DeviceOS -QueryString "iOS 18.3.1 22D72"
To block iOS devices with a specific build, change the access level to Block.
I guess that the new capability exists to allow tenants to insist that iOS devices use a specific build for whatever reason that they might have. It’s just another level of granularity to detect devices.
Testing a Block Using iOS Build Numbers
The documentation for the New-ActiveSyncDeviceAccessRule cmdlet hasn’t been updated recently (it features examples blocking iOS devices running 6.1.1), so don’t expect much additional information from that source. However, I can guarantee that the access rule shown above works. I know this because I removed all the other access rules from my tenant and created one that was slightly different to the one shown above (IOS 18.4.1 rather than iOS 18.3.1). After a pause of about 15 minutes for the rule changes to replicate and become effective, the access rule blocked any attempt by Outlook for iOS to synchronize with mailboxes (Figure 2).

Users of non-compliant iOS devices also received email to tell them that their devices couldn’t connect and was blocked from synchronizing with Exchange Online (Figure 3). Interestingly, the blocked devices have never shown up in the quarantined device list in the Exchange admin center.

After being shouted at by several users who were unhappy that their email wouldn’t synchronize, I deleted the incorrect access rule and replaced it with the proper version. Within 15 minutes, email flowed again and all was well.
Time to Check Device Access Rules
Apart from playing with IOS build numbers, the exercise in testing device access rules was useful because it forced me to clean out the old and obsolete device access rules that had accumulated in my tenant. There was a time when these rules were critical. Given the dominance of Outlook for iOS and Android, I suspect that many tenants have just one rule (to allow access to those clients. Defining more sophisticated access rules are only needed to control clients that use the Exchange ActiveSync protocol for everything, like the native Apple mail app. Oh well, on to the next thing.
Learn how to exploit the data available to Microsoft 365 tenant administrators through the Office 365 for IT Pros eBook. We love figuring out how things work.