Authenticator Embraces a New Method for Account Backup and Restore

My article about adding QR codes to the Microsoft Authenticator app for Entra ID guest accounts is one of the more popular on the Office365itpros.com site. Given the increasing use of multifactor authentication to protect Microsoft 365 accounts and the need for stronger authentication methods to replace insecure SMS-based challenges, it’s unsurprising that the Authenticator app is a popular choice. The app is easy to use and it’s a strong authentication method, so many boxes are ticked.

Where the Authenticator app falls down is when a user gets a new phone, either by choice or through necessity. The gloss of buying a brand-new iPhone is diminished by the pain of reconfiguring the authenticator app to regain access to accounts. Microsoft wants to remove that pain with a “more seamless and secure backup and restore experience using iCloud and iCloud Keychain.”

The change is reported in message center notification MC1111780 (8 July 2025) and will be delivered in an app update that’s expected to roll out in September 2025 with full worldwide deployment scheduled to complete in October 2025. Tenant administrators cannot affect the progress of the roll out, and the change is effective after the installation of the updated app on an iOS device (the Authenticator app also supports iPad devices).

Eliminating the Need for a Microsoft Personal Account

Today, the Authenticator app needs a Microsoft personal account (Figure 1) to backup account names and third-party time-based one-time password (TOTP) credentials used by sites like GitHub and Twitter (the site issues a challenge that is satisfied by a six-digit number generated by the Authenticator app).

Instead of using a Microsoft account for backup and recovery, Authenticator will use the iCloud keychain. Setup of new devices is therefore performed completely within the iOS ecosystem, so it’s smoother and less prone to error. Users don’t have to do anything to benefit from the update. It is enabled automatically if the device runs iOS 16.0 or later and the user’s iOS account enables iCloud and iCloud keychain. It’s likely that relatively few iOS users don’t have these components enabled. Apple is very successful at convincing iOS users to move to new versions of the operating system, so the iOS 16.0 requirement is unlikely to be an issue either, especially in corporate environments.

After the update, Authenticator backs up all account names and third-party TOTP credentials using the iCloud keychain. Nothing else is backed up, specifically Entra ID credentials are not stored, so after moving to a new iOS device, users must sign into their accounts to complete setup.

A Need for User Communication

During the period between now and September 2025, Microsoft will flag the upcoming change with messages in the Authenticator app to inform users about a “new way to backup your account” on its main screen. The settings screen will have a message about replacing the existing iCloud backup mechanism with an enhanced version. It’s possible that users will generate some help desk calls when they read these messages, so organizations should consider some proactive communications to explain what’s happening in non-technical, practical terms.

Finding iOS Devices That Might be Affected

With an eye on communications, the need exists to identify the users of iOS devices that might use the Authenticator app. One of the advantages of having a large repository of PowerShell scripts is the availability of code that can be repurposed. The trick is to figure out what bits to use.

After thinking about it, I decided to reuse some code to report user-preferred authentication methods to find users who’ve opted to use push-based methods. The devices in use can be Android or iOS, so it’s necessary to refine the set to select those who use iOS. The Get-MobileDevice and Get-MobileDevice Statistics cmdlets reveal the operating system used by devices that synchronize with Exchange Online with apps like Outlook for iOS. By checking the devices used by the folks who’ve signed up for push-based methods, we can find and report the people who are actively using iOS. You can download the script from the Office 365 for IT Pros repository. Some sample output is shown below.

Users of iOS devices that are actively in use
---------------------------------------------

User         UPN                                DeviceOS
----         ---                                --------
Jeff Guillet Jeff.Guillet@office365itpros.com   iOS 18.5 22F76
John James   John.James@office365itpros.com     iOS 18.5 22F76
Tony Redmond Tony.Redmond@office365itpros.com   iOS 18.5 22F76

This is a good example of using different sources of Microsoft 365 data to answer a question. Of course, you must know about the sources available to you, but that comes with experience.

Looking Forward to the Upgraded Authenticator App

I’m looking forward to the upgraded Authenticator app. My iPhone 14 is showing signs of age and it’s time to consider moving to a new iOS device (I’ve never used Android). If Microsoft’s promise is correct, the transition should be easier than ever before, and that’s a worthwhile change.

Support the work of the Office 365 for IT Pros team by subscribing to the Office 365 for IT Pros eBook. Your support pays for the time we need to track, analyze, and document the changing world of Microsoft 365 and Office 365. Only humans contribute to our work!

How to Copy Group Membership from One User Account to Another Account

Now that Microsoft has confirmed the final retirement of the Azure AD module in mid-October 2025, the pressure is on to find and update scripts used for operational purposes. The time for learning how to use the Microsoft Graph APIs is past. The focus is now on turning knowledge into Graph-powered scripts.

Which brings me to a question about how to copy group membership from one user account to another. It’s the kind of thing that features in many online forums. In this example, the answer is:

Get-AzureADUserMembership -ObjectId {source user object id}|foreach { Add-AzureADGroupMember -ObjectId $_.ObjectId -RefObjectId {new user object id} }

Another example of the art is found here. The point is that copying group membership from one account to another is clearly something that many people do. I can see why this might be so. For instance, you might want to copy group membership from an account to a new joiner’s account to include them in a bunch of teams.

Alas, the Graph is different to Azure AD, and converting a script to perform the task with the cmdlets from the Microsoft Graph PowerShell SDK is not straightforward. Here’s a few things to think about when dealing with Entra ID groups. The set includes Microsoft 365 groups, security groups, mail-enabled security groups, and distribution lists.

Copying All Group Memberships or Just Some

It seems sensible to make someone a member of work-related groups based on the memberships of another user, but what about groups that are not work-related or don’t align with a specific job or operating unit? The groups used by many teams and Viva Engage (Yammer) communities accommodate discussions about topics that are not strictly associated with the business of an organization, and membership of those groups are determined by an individual’s interest rather than what they do.

Marking Work-Related Groups

Sensitivity labels are the obvious answer to mark work-related groups, but that only works if a tenant uses sensitivity labels for container management and assigns specific labels for groups that are not work-related. Sensitivity labels have become more popular over the last few years, but they are only available to tenants with Office 365 E3 or above licenses. A custom attribute could be used, but that requires the organization to ensure that all groups used for work or non-work topics are clearly marked.

Handling Dynamic Entra ID Groups

Dynamic Entra ID groups use membership rules based on account properties to calculate group membership. It’s very possible to extract the membership rule for a dynamic Entra ID group and figure out what properties to update to add someone to the membership of a dynamic group, but the risk exists that such an update might interfere with the membership rules of other dynamic groups.

Exchange Distribution Lists

Exchange distribution lists are replicated from Exchange to Entra ID, meaning that when a cmdlet runs to find Entra ID groups, the set returned includes distribution lists. Mail-enabled security groups are a form of distribution list. If you want to copy the membership of mail-enabled security groups and regular distribution lists, you’ll need to do this with Exchange Online cmdlets instead of Microsoft Graph PowerShell SDK cmdlets.

Dynamic distribution lists are not replicated from Exchange Online to Entra ID, so the Graph PowerShell SDK cmdlets ignore these objects. If you want to copy membership to dynamic distribution lists, you’ll need to update mailbox properties to match the OPATH queries used by dynamic distribution lists.

Selecting the Right Cmdlet to Copy Group Membership

The Microsoft Graph PowerShell SDK has two cmdlets to fetch memberships held by a user. The Get-MgUserMemberGroup cmdlet performs a transitive lookup to return a set of identifiers for the groups that an account belongs to. The SecurityEnabledOnly switch parameter determines if the cmdlet returns only security-enabled groups or all groups:

[array]$Groups = Get-MgUserMemberGroup -UserId $User.Id -SecurityEnabledOnly:$false

The Get-MgUserMemberOf cmdlet returns groups, administrative roles, and administrative units (including dynamic administrative units) that a user is a member of. In other words, the objects fetched by the cmdlet must be filtered to extract the objects of interest. This command shows how to apply a client-side filter to find groups that don’t use dynamic membership:

[array]$Groups = Get-MgUserMemberOf -UserId $User.Id -All -PageSize 500 | `
    Where-Object {
        ($_.additionalProperties.'@odata.type' -eq '#microsoft.graph.group') -and
        (
            -not ($_.additionalProperties.groupTypes -contains "DynamicMembership")
        )
    } | Select-Object -ExpandProperty Id
If ($null -eq $SourceGroups) {
    Write-Host "No groups found for user $($SourceUser.DisplayName)." -ForegroundColor Yellow
    Break
}

The Get-MgUserMemberOf cmdlet is often preferable because it returns more than a simple list of group identifiers. As you can see from the example above, because the cmdlet deals with different object types, the additionalProperties property contains data that is of value to find specific groups.

An Example Script

A working example is usually helpful to demonstrate how to put principles into action. I’ve written a script that’s downloadable from GitHub to show how to fetch the set of groups from one account and copy the membership to another. The script (Figure 1) includes code to handle the different types of Entra ID groups and to check that it only attempts to add groups that a user isn’t already a member of. It’s enough to serve as the basis for a solution that might meet the needs of your tenant. I’ll let you make the decision about enhancements, such as removing the membership of the source user as groups are processed.

If you need more help to convert old Azure AD scripts, why not invest in a copy of the Automating Microsoft 365 with PowerShell eBook? It includes a bunch of useful examples like those above. The book is available separately or as part of the Office 365 for IT Pros eBook bundle.

July 1 Announcement of Exchange Server SE Launches the Subscription Era for Exchange Server

Right on schedule, July 1 saw the Exchange engineering team celebrating Microsoft’s new fiscal year by announcing the general availability of Exchange Server Subscription Edition (SE). I’m always suspicious about announcements just made at the end or start of a fiscal year because updates can be timed to satisfy artificial deadlines set by executives (to justify their bonuses). I don’t think that applies in this case because Exchange Server SE is a lightly rebranded version of Exchange 2019. At least, that’s what you might conclude by reading the slim list of changes (like a version number update).

Mentioning the Release to Manufacturing (RTM) build brought back memories of waiting for physical media containing a new release of Exchange Server, going right back to 1994 and the initial builds of “Touchdown” made available to customers. It was a charming look back into the past. Now we simply head online to grab the latest bits (Figure 1) and read the deployment instructions.

Moving to Evergreen Support

The big change is the move away from Exchange development based on three-year cycles (extended to six for Exchange 2019) to “evergreen” development. In some respects, the quarterly cumulative updates for Exchange Server showed the way forward in terms of keeping software refreshed. However, Exchange Server still followed the traditional support model based on versions whereas Exchange Server SE remains supported if customers keep the software refreshed with updates released by Microsoft.

Nine months ago, Microsoft flagged the end of support for Exchange 2016 and Exchange 2019 on October 14, 2025. After this date, Microsoft will no longer provide technical support for problems (aka bugs). The writing is on the wall: to continue in a supported state, customers must adopt Exchange Server SE or move to Exchange Online. Obviously, we’re now deep into the prime vacation period and thoughts might be more focused on suntan lotion than server upgrades, but this is an issue that cannot be overlooked, especially in hybrid environments where Microsoft requires on-premises servers that host connectors to Exchange Online to remain supported.

Email Bombs Away

If you don’t read the Microsoft Defender for Office 365 blog, you might have missed the update about protection against “email bombs.” Essentially, an email bomb is a form of attack against a mailbox where a large volume of messages (the bomb) hit a mailbox. The messages often originate from legitimate sources such as newsletters, but the target user never signed up receive the messages. Given the large quotas assigned to Exchange Online mailboxes, it’s unlikely that an email bomb will cause the mailbox to exceed quota, but the arrival of large numbers of unwanted and unexpected messages is certainly a distraction. And when someone’s distracted, they might make bad decisions, such as accepting help from an attacker who poses as a support representative.

In any case, an update to Microsoft Defender for Office 365 can monitor for the characteristics of email bombs, such as a sudden significant spike in the number of messages received by a mailbox. The spike is detected by comparison against the historical pattern of email traffic observed for the mailbox together with spam signals. When an attack is detected, Defender redirects the problem messages into the mailbox’s Junk Email folder. Microsoft says that they have blocked between 20K and 30K email bombs daily since the initial deployment of the technology in early May 2025.

Microsoft Defender for Office 365 includes a lot of useful protection against different types of email threat. For more details, including licensing, see the service description.

Ongoing Updates

Email security is never a static topic. Whether you’re upgrading on-premises servers to the latest version of Exchange Server to harden servers against external attack or deploying new software to detect and deflect attacks, this is an area we need continuous focus on. The joys of staying up-to-date!

So much change, all the time. It’s a challenge to stay abreast of all the updates Microsoft makes across the Microsoft 365 ecosystem. Subscribe to the Office 365 for IT Pros eBook to receive monthly insights into what happens, why it happens, and what new features and capabilities mean for your tenant.

MCP Server for Microsoft Learn Delivers Real-Time Access to Microsoft Documentation

Technologists love new technology, even if new technology often disappoints or doesn’t live up to over-hyped expectations. This fact of IT life has been true for as long as I can remember and has applied to mainframes, minicomputers, PCs, and the cloud.

I was reminded about the truth that technology can disappoint when I saw the reactions of many to the news that Microsoft has a Model Context Protocol (MCP) server to allow real-time access by agents to Microsoft documentation (essentially, the contents of the learn.microsoft.com website). The server is currently in public preview.

Most of the reactions I saw were of the “gee-whiz, what a great thing” variety, probably based on the expectation of what an agent might do with Microsoft documentation rather than any experience of the MCP server in action. It will take time before people figure out how to take advantage of Microsoft documentation (question to self, what is the meaning of “official” documentation?).

Using the MCP Server with GitHub Copilot

In any case, it’s easy to add the MCP server to Visual Studio Code, which is what I use to write PowerShell code. The documentation includes a one-click installation which wasn’t quite a one-click activity but worked in the end. When the MCP server for Microsoft Learn is installed, GitHub Copilot can use it as a tool to help answer user prompts. As it happens, I’ve been reviewing some text for the Automating Microsoft 365 with PowerShell eBook and asked GitHub Copilot for some help. Figure 1 shows the response.

At first glance, the response looks perfectly reasonable. The only trouble is that it’s wrong. The cmdlets cited in the answer don’t exist and haven’t existed since the Microsoft Graph PowerShell SDK divided its single module into production and beta modules in V2.0 of the SDK (released in July 2023).

Issues Linger in Documentation

The effectiveness of AI-based tools depend on the accuracy of their input sources. Generative AI can’t create new knowledge. It can only generate responses based on source content, and those responses will be flawed when imperfections exist in the source. The problem here is that the “official documentation” for how to customize item insights privacy was written sometime in 2021 and hasn’t changed much since. According to the page header, Microsoft last updated it on 31 January 2025. However, the content still details the use of incorrect cmdlets.

I know that the information was valid in 2021 because I covered the topic for Practical365.com in April 2021. The problem is that the cmdlets still use a beta endpoint, so the correct cmdlets are Update-MgBetaOrganizationSettingItemInsight and Get-MgBetaOrganizationSettingItemInsight. I don’t blame the writer responsible for the page for missing the esoteric change made to split the Microsoft Graph PowerShell SDK into two modules. The example code is simple. What could go wrong with it?

Official Microsoft Documentation isn’t Perfect

All of this illustrates the fallacy of treating “official” documentation as an infallible source of truth. The Microsoft Learn documentation is a source of valuable information that often delivers great answers. But its content suffers from the same problem as blogs and other online sources of information in that technology moves so fast these days that documentation is in a state of constant flux. Keeping hundreds of thousands of pages current is a never-ending task, even if the technology was relatively stable.

Microsoft 365 is a very dynamic and complex technical environment where features can be affected by licensing, configuration, user settings, and add-ins. Include some recent layoffs of Microsoft writers and a bunch of automatically generated documentation and suddenly, the foundation for the “official” documentation doesn’t look quite as solid. There’s still lots of very useful information in Microsoft Learn even if it’s not quite as perfect as some might think.

Seeking Help for Better Code

It makes perfect sense to use new tools to extract more advantage from existing resources. Perhaps the MCP Server for Microsoft Learn will help to address the knowledge deficit of people struggling to understand how to write better code using Microsoft technologies like the Graph APIs through its integration with GitHub Copilot. We’ll only know if this is the case over time when developers have a chance to understand if the presence of the server improves their code.

I won’t complain if the MCP Server reduces or eliminates the tendency for GitHub Copilot to hallucinate by proposing cmdlets or parameters that don’t exist. Much as I admire GitHub Copilot exhibiting its artistic side when creating previously unknown cmdlets, it’s something that wears over time.

Support the work of the Office 365 for IT Pros team by subscribing to the Office 365 for IT Pros eBook. Your support pays for the time we need to track, analyze, and document the changing world of Microsoft 365 and Office 365. Only humans contribute to our work!

Completely Revised Version of Automating Microsoft 365 with PowerShell

Last year, the Office 365 for IT Pros team took the decision to carve out a chapter covering using PowerShell with Microsoft 365 and create a separate eBook. This doesn’t mean that the Office 365 for IT Pros eBook doesn’t include PowerShell examples because it still does feature many examples, especially for Teams, SharePoint Online, and Exchange Online. However, we were conscious of the growing influence and importance of the Microsoft Graph APIs and the Microsoft Graph PowerShell SDK and wanted to reflect the critical nature of these components. There’s no doubt that if tenant administrators understand how to interact with Microsoft 365 resources via the APIs (and PowerShell makes this relatively straightforward), it’s much easier to understand how Microsoft 365 works.

This realization brought us to create Automating Microsoft 365 with PowerShell, which we believe is the most complete treatment of using PowerShell to get things done inside a Microsoft 365 tenant that’s available today. Certainly, when you combine all the examples from Automating Office 365 with PowerShell and Office 365 for IT Pros, there’s lots of informative and useful PowerShell code to automate operations in a Microsoft 365 tenant.

An Imperfect First Edition

The first edition wasn’t perfect. Pulling out a bunch of PowerShell content from a book and attempting to make it a coherent story is always a challenge. The challenge becomes more complicated with the changes Microsoft made to the Graph APIs and the Microsoft Graph PowerShell SDK, many of which were to fix problems that should never have happened.

We’ve been working to make the coverage smoother, more informative, and more impactful since the launch of the first edition and have just completed a full end-to-end review of everything in the book. Code has been corrected, tightened, and expanded to make it more useful, and we have added a bunch of new material. We even included the late-breaking news that Microsoft has set a retirement date for the AzureAD module for mid-October 2025. The need for good information about how to migrate scripts that use the AzureAD module to the Microsoft Graph PowerShell SDK has never been more obvious.

The result of that work is delivered in the second edition, which is available today.

Second Edition Available Free to Subscribers

Because we appreciate the support of people who subscribe to our books and understand that sometimes the quality of the first edition of Automating Microsoft 365 with PowerShell wasn’t where we wanted it to be, we are making the second edition available free of charge to anyone who subscribed to the first edition. If you’re a subscriber, all you need to do is use the download link in the receipt emailed to you when you bought the subscription. This link always downloads the latest version of the book, and it will now download the second edition files (EPUB and PDF).

Automating Microsoft 365 with PowerShell is also included in the Office 365 for IT Pros eBook bundle. Subscribers to Office 365 for IT Pros 2026 edition, which we anticipate releasing tomorrow (July 1, 2025) will get the second edition along with the files for Office 365 for IT Pros (2026 edition). We’re also making the second edition available to subscribers to Office 365 for IT Pros (2025 edition). Once again, use the download link in your receipt to fetch the updated files.

Subscribers who download the second edition are eligible to receive updates up to and including June 30, 2026.

Regretfully, we cannot update the paperback version of the book that people have bought. However, the updated text is now available from Amazon.com, for those who like their technical material in a printed form.

Looking Forward to 2026

We’ll continue to work on the second edition of Automating Microsoft 365 with PowerShell over the coming months. There will be new Graph APIs to cover, gaps to fill in, and we know that the Microsoft Graph PowerShell SDK has some work to do to restore its reputation with customers. Nearly four million downloads of V2.25 of the Microsoft Graph PowerShell SDK speak to its popularity and usefulness. What everyone needs now is better quality and stability in the Graph APIs and SDK. When Microsoft delivers new versions, we’ll be there to parse, analyze, and report on the news.

Need some assistance to write and manage PowerShell scripts for Microsoft 365? Get a copy of the Automating Microsoft 365 with PowerShell eBook, available standalone or as part of the Office 365 for IT Pros eBook bundle.

Microsoft Leaves Gaps in Technologies for ISVs to Fill – Like Agent Governance

Every time Microsoft makes a big move, ISVs seek to take advantage with a new product. It’s the way of the work. Microsoft creates technology and ISVs fill the holes left in that technology. In some respects, the cloud is a difficult place for ISVs. There’s less to tweak than in an on-premises environment and although the Graph APIs have extended their coverage to more areas of Microsoft 365 over the last few years, significant gaps still exist for major workloads like Exchange Online and SharePoint Online.

But a new technology creates a new opportunity because everything starts from scratch. Microsoft’s big move into artificial intelligence with Copilot hasn’t created too many opportunities because Copilot depends on a massive infrastructure operated by Microsoft that’s inaccessible except through applications like BizChat. Agents are different. They’re objects that need to be managed. They consume resources that need to be paid for. They represent potential security and compliance problems that require mitigation. In short, agents represent a chance for ISVs to build products to solve customer problems as Microsoft heads full tilt to its agentic future.

Building an Infrastructure for Agent Governance

To be fair to Microsoft, they’ve started to build an infrastructure for agent management. Apart from a whitepaper about managing and governning agents, the first concrete sign is the introduction of agent objects in Entra ID. Microsoft is thinking about how agents can work together, and how that communication can be controlled and monitored. That’s all great stuff and it will deliver benefits in the future, but the immediate risk is the fear that agents might run amok inside Microsoft 365 tenants.

Microsoft reports that there are 56 million monthly active users of Power Platform, or 13% of the 430 million paid Microsoft 365 seats. That’s a lot of citizen developers who could create agents using tools like Copilot Studio. Unless tenant administrators disable ad-hoc email subscriptions for the tenant, developers could be building agents without anyone’s knowledge.

Don’t get me wrong. I see great advantages in agent technology and have even built agents myself, notably a very useful agent to interact with the Office 365 for IT Pros eBook. One thing that we’ve learned over the last 30 years is that when users are allowed to create, they will. And they’ll create objects without thought, and those objects will need to be cleaned up eventually, or, as Microsoft discovered, the mass of SharePoint Online sites created for Teams became a real problem for Microsoft 365 Copilot deployments. Incorporating solid management and governance from the start is of great benefit for new technologies.

Rencore Steps Up with Copilot Agent Governance

All of which brings me to Rencore’s announcement of two new modules for their governance product to deal with Copilot and agent governance and Power Platform governance (Figure 1). Matthias Einig, Rencore’s CEO, has been forceful about the need to take control of these areas and it’s good to see that he’s investing in product development to help Microsoft 365 tenants take control before agents get any chance to become a problem.

I have not used the Rencore product and do not endorse it. I just think that it’s great to see an ISV move into this area with purpose and intent. It seems like Rencore aims to address some major pain points, like shadow IT, the cost of running Copilot agents, over-sharing, and “agent sprawl.” All good stuff.

I’m sure other ISVs will enter this space (and there might be some active in the area already that I don’t know of). This will be an interesting area to track as ISVs seek new ways to mitigate the potential risks posed by agents.

No Time to Relax

Product from one ISV does not mean that we can all relax and conclude that agent management is done. It’s not. The continuing huge investment by Microsoft in this space means that agent capabilities will improve and grow over time. Each improvement and new feature has the potential to affect governance and compliance strategies. Don’t let your guard down and make sure that your tenant has agents under control. And keep them that way.

Support the work of the Office 365 for IT Pros team by subscribing to the Office 365 for IT Pros eBook. Your support pays for the time we need to track, analyze, and document the changing world of Microsoft 365 and Office 365.

Token Protection, PRTs, Device Binding, and Session Keys

Last year, I discussed how to use a conditional access policy to apply a new session control called token protection. The idea is to protect against token theft by requiring connections to have a token (the Primary Refresh Token, or PRT) that has a “cryptographically secure tie” with the device that the connection originates from. The PRT is “bound” to a device key that’s securely stored in the device’s Trusted Platform Module (TPM). PRTs are supported on Windows 10 or later devices.

The PRT is an “opaque blob” that’s specific to a user account and device. The Entra ID authentication service issues a PRT following a successful connection by a user when the device is registered, joined, or hybrid joined. Entra ID also issues a session key, an encrypted symmetric key to serve as proof of possession when a PRT attempts to obtain tokens for applications. If an attacker attempts to hijack a connection with an access token they’ve stolen, they’ll fail because they don’t have access to the device key.

Why Does This Matter?

As noted in my article last year, it’s possible to create a conditional access policy with a session control requiring token protection. In other words, when a connection attempts to satisfy the conditions of the policy, it must be able to prove that its PRT is bound to the device where the connection originates and the user making the request. This process is managed by a component called Web Account Manager (WAM).

But conditional access policies can only work if everything involved in the connection understand what’s going on. At the time I wrote the last article, limited support existed for token protection. The reason for this article is that interactive Microsoft Graph PowerShell SDK sessions now support token protection (see details about support for token protection by other applications here). This opens the possibility of extending additional protection for administrators and developers who might work on sensitive data through the Graph SDK.

The reason why you might want to do this is revealed in a recent Entra ID change that shows the resources a user can access when they satisfy a conditional access policy to connect. In this case, the connection is to an interactive Graph PowerShell SDK session, and the resources available in that session depends on the delegated permissions held by the Microsoft Graph Command Line Tools service principal. The set of permissions tends to swell over time as administrators grant consent to permissions needed to work with different cmdlets, but as Figure 1 shows, a Graph PowerShell SDK session can have access to many different resources.

Enabling Token Protection for Graph Interactive Sessions

Normally, interactive Graph PowerShell SDK sessions don’t use WAM. To enable WAM for Graph sessions, run the Set-MgGraphOption cmdlet before running Connect-MgGraph. As the documentation says, the cmdlet sets global configuration options, so the configuration setting stays in force for all Microsoft Graph interactive sessions on the workstation until it is reversed.

Set-MgGraphOption –EnableLoginByWAM $true
Connect-MgGraph

If the device isn’t registered or joined, the conditional access policy condition for token protection isn’t satisfied and the sign-in attempt is rejected with a 530084 error code. The cause is obvious if you examine the policy details captured in the sign-in event (Figure 2).

WAM doesn’t affect app-only authentication for the Graph SDK, including Azure Automation runbooks that use modules and cmdlets from the Graph PowerShell SDK.

Token Protection and Elevated PowerShell Sessions

The Web Account Manager option doesn’t work in elevated PowerShell sessions (run as administrator). Attempts to connect fail with the error “InteractiveBrowserCredential authentication failed: User canceled authentication.”

The solution is two-fold. First, revert to normal authentication on the workstation by running the Set-MgGraphOption cmdlet to set EnableLoginByWAM to $false. If you don’t, authentication fails because a protected token isn’t available (Figure 3). The second step is to remove users who need to run Graph cmdlets in elevated PowerShell sessions from the scope of the conditional access policy. This avoids the user running into problems on other workstations.

Token Protection and Microsoft Graph PowerShell SDK Versions

The WAM option also doesn’t work with the latest versions of the Microsoft Graph PowerShell SDK. This is likely due to Microsoft’s decision to remove support for .NET6 from V2.25 on. In V2.28 of the SDK, the error when running Connect-MgGraph is:

InteractiveBrowserCredential authentication failed: Could not load type 'Microsoft.Identity.Client.AuthScheme.TokenType' from assembly 'Microsoft.Identity.Client, Version=4.67.2.0, Culture=neutral, PublicKeyToken=0a613f4dd989e8ae'.

While Microsoft gets their act together and decides how to fix the issue, the only option is to remain using V2.25. PCs that have upgraded to the current V2.28 release must downgrade to V2.25.

Token Protection is Just Another Tool

Token protection is not for everyone. Its linkup with conditional access policies is another tool for administrators to consider when figuring out how to secure their tenant. My recommendation is that you test the feature and make a measured decision whether it has any value for your organization. Remember that this is an evolving space and other applications are likely to support token protection over time. Maybe one of those applications will be exactly the one you want to secure.

Support the work of the Office 365 for IT Pros team by subscribing to the Office 365 for IT Pros eBook. Your support pays for the time we need to track, analyze, and document the changing world of Microsoft 365 and Office 365.

Thanks to the Office 365 for IT Pros Subscribers

In a time when some question the value of books, we deeply appreciate the support of the folks who subscribe to the Office 365 for IT Pros eBook. AI tools like ChatGPT and Copilot can find and synthesize information scoured from across the internet to respond to questions, but so far generative AI cannot provide the context or insight that understanding technology often needs.

An ecosystem like Microsoft 365 can become terribly complicated through different combinations of products, licenses, and configurations. Throw in hybrid organizations and there’s enough to melt an administrator’s mind. We don’t pretend that we have more answers than AI can generate; we do say that our answers are based on hard-won experience and a ton of research into why Microsoft 365 works the way that it does. In other words, we ask “why” when AI just accepts what something is.

Heading for a July 1 Release

It’s just seven days to go before we release Office 365 for IT Pros (2026 edition), including Automating Microsoft 365 with PowerShell (2^nd edition). The writing team is still heads-down to make sure that the content is compelling, informative, and up to date, and that any of the issues raised by technical editor Vasil Michev are addressed.

We’ve received some questions about how we will release the 2026 edition. Thankfully, people want to know when they can subscribe to the new edition. With that in mind, here’s our plan.

The Release Plan

The first task is to complete all the updates to the chapters, resolve any open issues, chase down the last-minute glitches, and have a coffee. We can then proceed to do the following:

• Generate the PDF and EPUB files for the two books, check that everything is OK, and if all checks out, upload the new files to Gumroad.com. We then switch the shortcut URL for the current version from the 2025 edition to the 2026 edition.
• The 2025 edition files will remain online to allow subscribers to that edition to download the final updates. We made some small tweaks to the Office 365 for IT Pros (2025 edition) files since releasing update #120 on June 1. The current update number for the 2025 edition is 120.4, dated 21 June 2025. We will start the 2026 edition at update 121.0.
• We will send an offer to current subscribers to allow them to extend their subscription to cover the 2026 edition and receive monthly updates for the next year. To reward the folks who renew subscriptions immediately a new edition is available, the price to extend a subscription in July 2025 is $18.95. After August 1, 2025, the price to extend a subscription increases to $24.95.
• Anyone who bought a full-price ($49.95) copy of the 2025 edition in June 2025 will receive a full discount code to extend their subscription for the 2026 edition.
• The update offer and codes are distributed via email to the addresses registered when people subscribed to the 2025 edition. If an email address is incorrect, you won’t receive anything from us. In this case, send email to contact@office365itpros.com to tell us what’s going on. If we can find you on our subscriber list, we’ll respond with the code.
• Some tenants consider email from Gumroad.com as spam. Our email isn’t and we have experimented with sending email using the Exchange HVE and Azure ECS solutions during the last year. HVE is now out of the picture because Microsoft has decided that it will only handle internal email, but anyway, mass mailings about new versions are always sent from Gumroad.
• New subscriptions for the 2026 edition cost $59.95. This is our first price increase since 2015. According to Copilot, the price should be $67.73, but accepting an AI recommendation without question is never a good idea. We believe that the increase is more than justified by the massive amount of information contained in the two books, which can be reasoned over by a Copilot agent if you want.
• The Automating Microsoft 365 with PowerShell eBook is bundled with Office 365 for IT Pros and doesn’t have to be bought separately. People who subscribed to the first edition of the PowerShell book can download the second edition free of charge. It’s our way of saying thanks to those who bought the first edition while we built out the content.
• For those who like paper books, a version of Automating Microsoft 365 with PowerShell is available in paperback from Amazon.com. This is the same text as the electronic version, except that hyperlinks are converted to footnotes. The paperback also has an index because it’s harder to search through paper. Regretfully, we haven’t found a way to update a paperback remotely, so buying a paper copy of the PowerShell book is like buying any other paperback.
• Anyone who received a free copy of the 2025 edition from us or another source (companies commonly buy multiple copies to give to customers) can use the code to extend their subscription for $18.95. Alternatively, ask the source for the free copy – maybe they have free copies of the 2026 edition to distribute.

2026 or Twelfth?

Some ask us why we name the book after the year ahead. We do so because we match Microsoft’s fiscal year. Their FY26 begins on July 1, 2025. We could call this release Office 365 for IT Pros (12^th edition). Maybe that would be clearer, but the date does help in terms of telling people how recent the content is.

Enjoy the 2026 edition!