Author:
Microsoft Shares Latest Findings from 2025 Work Trend Index: Unlocking Indonesia’s Potential Through Human-AI Collaboration
Read in Bahasa Indonesia here.
As Indonesia enters a pivotal year for digital transformation, Microsoft has released new, Indonesia-specific findings from the 2025 Work Trend Index. The report highlights how artificial intelligence (AI) is reshaping the rules of business and the way people work. Notably, 97% of business leaders in Indonesia say 2025 is the year to rethink core facets of strategies and operations, outpacing global trends.
This shift marks more than a technology trend – it reflects a fundamental change in how work gets done. Unlocking the potential of the new AI economy and seizing the momentum means going beyond technology adoption and embracing a new mindset: combining human leadership with intelligence on tap – readily accessible insights and capabilities powered by AI. Organizations across industries are navigating a rapid move toward human-AI collaboration, where digital agents work alongside people, enabling a new type of organization structured around intelligent workflows, agent-led teams, and a new leadership role – the agent boss. These are the hallmarks of what the study calls the Frontier Firm.
“The Frontier Firm is more than a new business model but a leapfrog opportunity for Indonesia. In an era where AI is reshaping every aspect of work, this moment allows us to bypass traditional limitations and drive breakthrough gains in productivity and innovation. With the right mindset and investments, Indonesian organizations can harness human-AI collaboration to unlock entirely new ways of working. One that is faster, smarter, and more impactfully. This is how we shape globally competitive businesses that reflect our local ingenuity and ambition,” said Dharma Simorangkir, President Director of Microsoft Indonesia.
Drawing on insights from 31,000 workers across 31 countries, LinkedIn hiring trends, and trillions of Microsoft 365 productivity signals, the report, titled “2025: The Year the Frontier Firm is Born,” reveals how organizations are evolving from traditional hierarchies into fluid, intelligence-driven ecosystems. These hybrid teams—humans working alongside AI agents—are enabling companies to move faster, make better decisions, and unlock new value across all levels of work.
The path to becoming a Frontier Firm unfolds in three key phases. First, AI serves as an assistant, eliminating repetitive tasks and boosting efficiency. Next, agents take on defined roles as digital colleagues, supporting tasks like research or project planning. In the final phase, AI agents begin to autonomously run entire workflows, with humans steering strategy and stepping in to resolve exceptions.
This evolution is not just theoretical; it’s emerging as a powerful economic driver, enabling businesses to leapfrog legacy systems and compete more effectively on the global stage. By adopting the Frontier Firm model, Indonesian companies have a unique opportunity to improve productivity, accelerate innovation in sectors like financial services, public services, as well as small and medium businesses, thereby fueling inclusive growth that supports Golden Indonesia 2045 Vision.
The study also highlights three key takeaways for leaders and professionals in Indonesia as AI begins to reshape the way we work and impact the job market in the coming year:
Investing in intelligence on tap to fill the capacity gap
- Around 63% of leaders in Indonesia say productivity must increase but 88% of the workforce—both employees and leaders— say they’re lacking enough time or energy to do their work.
- To address this, 95% of business leaders in Indonesia say they’re confident to use AI agents as supporting digital team members to extend work capacity within the next one or two years. Over half (52%) rank expanding team capacity with digital labor as a top priority, followed by capacity enhancement through upskilling.
- Employees at Frontier Firms in Indonesia are more than twice as likely to say their company is thriving—reflecting a stronger setiment than global and Asia-Pacific averages. Nearly three times as many report feeling optimistic about managing higher workloads and getting the chance to focus on more meaningful tasks.
Human-AI agent teams will reshape organizational structures
- In Indonesia, 59% of leaders say their company is already using AI agents to automate workflows—slightly higher than the Asia-Pacific average of 53%.
- Indonesian employees are also increasingly turning to AI because of its availability and utility. Nearly half (48%) say they prefer using AI over a colleague because it’s available 24/7. Others cite speed (28%) and creative thinking/ideas (38%) as key advantages. Interestingly, 66% of workers view AI as a brainstorming partner, while 33% of them see it more as a command-based tool.
Now, every employee can instruct and manage their own AI agents
- In the next five years, leaders in Indonesia expect their teams to take on new tasks, such as redesigning processes with AI (48%), building multi-agent systems (63%), and training (60%) and managing AI agents (58%).
- As AI redefines team responsibilities, 65% of managers expect AI training and upskilling to become a key responsibility for their teams.
- However, a noticeable gap remains: while 87% of leaders are familiar with AI agents, only 56% of employees share the same level of understanding. Bridging this gap is essential to ensuring inclusive AI adoption and long-term workforce resilience.
As 2025 will be remembered as the year the Frontier Firm was born, companies are poised for a digital transformation where AI agents become essential team members. To successfully integrate AI into the workforce, organizations must begin their AI-adoption journey by hiring digital employees, defining roles that can be automated, and treating AI as a crucial part of the team.
Yet adoption alone is not enough. Organizations must also determine the right balance between humans and AI (the human-agent ratio) to ensure that AI complements human creativity and judgment. Additional investments in AI literacy and continuous upskilling for employees will be key to enabling them to manage and collaborate effectively with AI.
“While the promise of AI is transforming the way we work, its true impact will only be realized when every employee is empowered to lead alongside it. In Indonesia, the gap in AI familiarity between leaders (87%) and employees (56%) is not just a statistic—it’s a call to action. This is our opportunity to invest in people, nurture new skills, and create a culture where everyone is equipped to become an agent boss. By closing this gap, we’re not only embracing technology—we are unlocking the full potential of our workforce, shaping a future of work that is more inclusive and innovative,” added Dharma.
Enabling the era of human-agent collaboration with Microsoft 365
Alongside the 2025 Work Trend Index, Microsoft also announced the Microsoft 365 Copilot Wave 2 spring release, introducing new features designed to support the next era of human–AI collaboration, including:
- AI-powered Search to help users quickly find relevant information at workplace.
- A Create experience for business that unlock design and content creation skill for everyone, bringing ideas to life.
- Copilot Notebooks for transforming data into actionable insights.
- Agent Store to access and deploy AI agents tailored to specific tasks within the workflow.
“The latest updates from the Microsoft 365 Copilot Wave 2 spring release mark a significant leap in how we work with AI, unlocking a new path of working. Features like Copilot Search, Agent Store, new Create and Notebook capabilities, general availability of frontier agents such as Researcher and Analyst show we are entering a future where humans and AI don’t merely coexist, but collaborate. This aligns with our goal to empower every individual and organization in Indonesia to work smarter, faster, and more creatively, a Copilot for every employee, an agent for every business process—while building the skills to thrive in the era of human–agent teamwork,” said Ricky Haryadi, Sr. Go To Market Lead – AI at Work (ASEAN) Microsoft.
For further reading, visit Microsoft’s Official Blog, Work Trend Index 2025 Report, and Microsoft 365 news announcement to learn more about the new era of human- agents collaboration.
Microsoft to Block Third-Party App Access to User Sites and Files
New Microsoft-Managed App Consent Policy to Control User Consent for Apps
Message center notification MC1097272 (17 June 2025) announces Microsoft’s intention to restrict access to some legacy protocols and introduce a new managed app consent policy to the ability of users to grant consent to third-party apps that want access to files and sites.
Microsoft says that they are updating default settings to help Microsoft 365 tenants “meet the minimum security benchmark and harden your tenant’s security posture.” As far as I can tell, this appears to be a reference to section IM-2 of the Microsoft cloud security benchmark. For good measure, Microsoft throws in the Secure Future Initiative and Secure by Default principle to provide further justification for the change.
No Problem with Blocking Obsolete and Insecure Protocols
I don’t think anyone will complain about blocking browser access to SharePoint and OneDrive via the Relying Party Suite (RPS – another relatively unknown component for most Microsoft 365 tenants). Legacy protocols are blocked in the SharePoint tenant configuration, and this change reinforces the block.
Get-SPOTenant | Select-Object LegacyBrowserAuthProtocolsEnabled
LegacyBrowserAuthProtocolsEnabled
---------------------------------
True
Likewise, I don’t think anyone will complain about blocking the FrontPage Remote Procedure Call (FPRPC) protocol for Office file opens. It’s an outdated protocol that attackers have leveraged (here’s an example).
App Consent Policy to Prevent Third-Party Access to Files and Sites
My interest was drawn to the third block, which will introduce a Microsoft-managed app consent policy to require administrator consent for third-party apps that access files and sites. There are a bunch of app consent policies already present in tenants that you can see by running the Get-MgPolicyPermissionGrantPolicy cmdlet from the Microsoft Graph PowerShell SDK (any policy prefixed by “microsoft” is a Microsoft-managed app consent policy):
Get-MgPolicyPermissionGrantPolicy | Format-Table Id, DisplayName, Description -AutoSize
Like many other Microsoft 365 policies, the policy is a container, and the real settings (“condition sets”) are found by running the Get-MgPolicyPermissionGrantPolicyInclude cmdlet. For example, this app consent policy allows administrators to manage all aspects of all apps in a tenant:
Get-MgPolicyPermissionGrantPolicyInclude -PermissionGrantPolicyId "microsoft-application-admin" | Format-List
ClientApplicationIds : {all}
ClientApplicationPublisherIds : {all}
ClientApplicationTenantIds : {all}
ClientApplicationsFromVerifiedPublisherOnly : False
Id : 811d2da7-443c-43da-96e7-28d285b234e9
PermissionClassification : all
PermissionType : application
Permissions : {all}
ResourceApplication : any
AdditionalProperties : {}
ClientApplicationIds : {all}
ClientApplicationPublisherIds : {all}
ClientApplicationTenantIds : {all}
ClientApplicationsFromVerifiedPublisherOnly : False
Id : 60461179-740e-4d8b-9e00-1456a338c44b
PermissionClassification : all
PermissionType : delegated
Permissions : {all}
ResourceApplication : any
AdditionalProperties : {}For more details, see the Graph documentation for permission grant policies. There’s no UX in the Entra admin center to manage app consent policies. This article throws more light onto how to build your own app consent policies.
I don’t believe that users should be able to grant consent to use any app within a tenant. Disabling the ability for users to register apps in Entra user settings is recommended (Figure 1). If some users need to register apps, do what the documentation says and assign the Application Developer role to their accounts.
If you do allow users to register apps, it’s likely that they will need to grant consent for delegated permissions to allow apps to access the user’s data. This is an area to monitor to make sure that apps are not asking for unexplainable permissions. It’s easy to check permission consents through audit records.
If you follow my advice and don’t allow users to register applications, you’ll need to make sure that the admin consent request workflow is operational. Obviously, you should monitor and report consent approvals (the article links to a PowerShell script to do the job).
The ChatGPT Conundrum
What’s interesting about Microsoft’s move is that it neatly blocks the ability of users to grant consent for the ChatGPT app that allows them to upload files from SharePoint Online and OneDrive for Business for processing by one of the ChatGPT models. A cynic might say that Microsoft is taking this step to make sure that Microsoft 365 Copilot has sole access to files stored in SharePoint Online and OneDrive for Business. A more benign reading is that Microsoft is simply making sure that users can’t inadvertently grant access to third-party apps to access and read their Microsoft 365 files.
In any case, I don’t think people should upload files to ChatGPT because this activity creates all sorts of security concerns. Fortunately, it’s easy to find and block the ChatGPT app if it’s already in a tenant. In addition, ChatGPT cannot process encrypted files protected by sensitivity labels because it doesn’t have the access right needed to open protected files.
Don’t Drop Your Guard
No can argue that we do need to do better to secure tenants, so the changes proposed by Microsoft are welcome. The changes will begin rolling out in mid-July and are due to be in all tenants sometime in August 2025.
There are still too many tenants that don’t protect user accounts with multifactor authentication, which is why bad actors keep using password spray attackers in an attempt to compromise accounts. A recent report describes a password spray attack by a group called SneakyStrike against Entra ID accounts. The report is a little overhyped, but it’s a good reminder that attackers still patiently look for weak tenants to penetrate.
Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.
Updating the Entra ID Custom Banned Password List with PowerShell
Use Microsoft Graph PowerShell SDK Cmdlets to Maintain the Entra ID Custom Banned Password List
Vasil Michev is busy these days. Apart from his day job, he’s doing the technical reviews for the Office 365 for IT Pros (2026 edition) and Automating Microsoft 365 with PowerShell (2nd edition) eBooks, both due for release on July 1, 2025. Technical editing is an important part of our publication process because it’s an annual end-to-end review of all content to help authors refine their chapters, eliminate old and unnecessary text, and consider what they should be covering.
And still Vasil finds time for his own writing, such as a recent article about using the Microsoft Graph PowerShell SDK to update the banned password list for Entra ID accounts. Given that the Graph PowerShell SDK is a major topic for Automating Microsoft with PowerShell, my attention was immediately drawn to the article to understand what it described and consider it for inclusion in the book. It is now, along with 350+ pages of other PowerShell content about automating different aspects of Microsoft 365 activities.
Global Banned Password List
The Entra ID password protection feature maintains a global list of banned passwords. Microsoft maintains the list and updates it on an ongoing basis from telemetry for Entra ID authentication. All attempts to change account passwords are checked against the global banned list to make sure that the new password is reasonably strong. In other words, it’s not something like “Mypassword” or “Cats.” Tenant administrators cannot affect how Entra ID uses the global list of banned passwords, nor can they add or remove values from the list. It’s just part of how Entra ID works, and this part of password protection is included in the version of Entra ID included with all Microsoft 365 tenants.
Custom Banned Password List
If a tenant has Entra P1 or P2 licenses, they can implement a custom banned password list. The custom list supplements the global banned password list. The custom list is limited to 1,000 entries, but those entries are “key base terms” of between 4 and 16 characters. In other words, Entra ID blocks variations and combinations of the terms in the custom banned password list.
When a custom banned password list is available, Entra ID combines its entries with the global banned password list. The idea is that tenants might want to stop people using organization-specific terms like the names of locations or buildings in passwords because these terms might be easy for attackers to guess in a spray attack. Of course, you shouldn’t be depending on passwords and should deploy multifactor authentication to protect accounts, but it’s worthwhile protecting passwords as much as possible.
Blocking Passwords
Figure 1 shows some of the entries in the custom banned password list as viewed through the Entra admin center. You can see that the last entry is for “VictorMeldrew.” This is a key base term for password checking.
In Figure 2, an administrator has attempted to change an account password through the Microsoft 365 admin center. The password looks strong, but Entra ID rejects it because it includes a key base term. Telling the administrator that the password is easily guessable is just the way Microsoft chose to say: “can’t use that password.”
Updating the Custom Banned Password List with a Script
Vasil’s article covers the basics of creating a directory settings object to hold password protection settings, including the custom banned password list. I used that information to create a script that’s more like something you might use as production code, which you can download from GitHub.
The code:
- Checks if the correct permission (Directory.ReadWrite.All) is available to read, create, and update directory settings. This is a very high-level permission that should be restricted as tightly as possible. You should also monitor the apps that hold this permission to make sure that they are used correctly.
- Import a list of key base terms from a CSV file and checks that each term is at least 4 and no more than 16 characters long.
- Uses the Get-MgBetaDirectorySetting cmdlet to check if a directory setting object for password protection is defined in the tenant. If not, the script runs the New-MgBetaDirectorySetting cmdlet to create and populate a new directory setting object with the list of key base terms (and other default values). The directory setting object is derived from the directory settings template for password rules. The template always has an identifier of 5cf42378-d67d-4f36-ba46-e8b86229381d.
- If a directory setting object for password protection is available, fetch the list of current key base terms and combine it with the new list to generate a combined list. The Update-MgBetaDirectorySetting cmdlet then updates the directory setting object with the combined list.
- Export the newly-updated list to a CSV file.
If you prefer to use the input CSV file as the definitive set of key base terms and not combine the input set with the current set, it’s easy to comment out the two lines that create a combined list.
The only semi-weird thing about the list of key base terms is that it uses tabs for delimitation (which is why the code splits the list using [char]9).
Hopefully the script is of some use. If not, I won’t be offended. Check out the 320-plus scripts in the Office365Itpros GitHub repository. You might find something more useful there!
Need some assistance to write and manage PowerShell scripts for Microsoft 365? Get a copy of the Automating Microsoft 365 with PowerShell eBook, available standalone or as part of the Office 365 for IT Pros eBook bundle.
Microsoft Pushes European Sovereign Solutions
Marked Lack of Detail around Microsoft 365 Local
Microsoft’s June 16 announcement about “sovereign solutions empowering European organizations” (Figure 1) is obviously an attempt by Microsoft to reassure European customers that continuing to use Microsoft (U.S.-based) technology is a safe choice at a time when many question the policies of the current U.S. administration.
To be fair to Microsoft, they’ve been on the path to respect data sovereignty for many years, starting with the original “Black Forest” implementation of Office 365 for German customers to a point where multiple national-level datacenter regions are available within Europe. Microsoft’s continued efforts to provide comfort to customers who want their data stored in-country and under the control of European law is commendable.
However, the announcement of Microsoft 365 Local confused everyone. According to the announcement, “Microsoft 365 Local provides customers with additional choice by bringing together Microsoft’s productivity server software into an Azure Local environment that can run entirely in a customer’s own datacenter.”
Apart from the Name, No Trace of Microsoft 365
Applying the Microsoft 365 branding to the offering implies some form of connection to Microsoft 365. But apart from a need to connect to Azure., this solution seems to have nothing much to do with Microsoft 365 cloud services. Instead, it appears to be the on-premises versions of Exchange Server, SharePoint Server, and Skype for Business Server running on an Azure Local instance, defined as “a machine or a cluster of machines running the Azure Stack HCI operating system and connected to Azure.”
At this point, Microsoft hasn’t shared details of how the services connect together, but I assume that Active Directory is in the mix too. We also don’t know if the Azure-based local infrastructure operates as a separate deployment, can be integrated into an existing on-premises organization, or operate as part of a hybrid organization.
In other words, Microsoft 365 Local is a modernized example of a packaged Azure-based installation of Exchange, SharePoint, and Skype for Business built according to a reference architecture and accessed via the same kind of clients that people use today to connect to on-premises servers. Unsurprisingly, Microsoft 365 Local doesn’t include Teams because Teams relies so heavily on services from Exchange, SharePoint, OneDrive, Planner, and a bunch of Azure microservices.
The packaging might be innovative, and Microsoft marketing will certainly call the announcement a triumph for branding, but it has nothing to do with Microsoft 365. Anyone who steps back from using Exchange Online with its close integration with SharePoint Online will quickly discover how different things are.
Some Organizations Will Love Microsoft 365 Local
Although I hate the name, a place exists for a solution like Microsoft 365 Local. Some companies want to control their own destiny, which is why they continue running on-premises software; others don’t have sufficient external network capacity to be dependent on cloud services.
Other companies simply want to not have to deal with the blizzard of changes that Microsoft 365 customers have to cope with, or the constant nagging from Microsoft to adopt and use its AI-based tools like Microsoft 365 Copilot. European customers have a strong track record of respecting user privacy, and solutions like the recently-launched AI-powered People Skills are unlikely to be popular with unions or works councils.
Being able to purchase a packaged solution that is hopefully better integrated out-of-the-box is a nicer option than having to convince Exchange Server and SharePoint Server (for instance) to work together, an exercise that is usually guaranteed to frustrate. Presumably the solution leverages the subscription version of the three on-premises servers and will be paid for via an Azure subscription in the same manner as Azure Local.
Lack of Detail is Frustrating
The trouble is the total lack of detail currently available about Microsoft 365 Local. The above is inspired guesswork based on reading between the lines of Microsoft’s announcement. Many questions remain unanswered. Customers will need pricing and availability details from the various hardware vendors listed in the announcement are before they can decide if Microsoft 365 Local is for them. Migration from current on-premises deployments is another issue to resolve as is deployment alongside existing deployments.
The lack of detail is frustrating, but this is a classic marketing playbook: announce a product to gauge interest and follow up if the interest is there. It will be interesting to see what Microsoft 365 Local can deliver and at what cost.
Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.
People Skills Rolling Out Within Microsoft 365
New Service to Manage People Skills in an Organization
The April 23, 2025, announcement about the general availability of People Skills, “a powerful new data layer in Microsoft 365 Copilot” is now being followed by the deployment of People Skills to tenants as described in MC1060842 (last updated 3 June 2025, Microsoft 365 roadmap item 485726). Microsoft expects deployment to complete worldwide in mid-July 2025.
People Skills Licensing
Along with the deployment, MC1060845 says that Microsoft is updating Office 365 and Microsoft 365 licenses to include the People Skills Foundation service plan (PEOPLE_SKILLS_FOUNDATION, 13b6da2c-0d84-450e-9f69-a33e221387ca). According to the licensing section of the People Skills documentation, “People Skills comes with your Microsoft 365 or Viva licenses and doesn’t need a separate license.” Other People Skills licenses are available, and Microsoft once again is in danger of confusing customers with licensing. I think Figure 1 boils the licensing situation down to two buckets.
Users with the foundation service plan (included with licenses such as Office 365 E3) can “search to add skills from your taxonomy or imported skills to create a skills profile using the Microsoft 365 profile editor.” In other words, these users can access skill information through the Microsoft 365 profile card and Outlook’s Org Explorer and update their skills via the Microsoft 365 profile editor. Users with Microsoft 365 Copilot licenses can do more, like use the Skills agent to look for people with specific skills in the organization. Or as Microsoft puts it, the agent “helps employees and leaders explore, manage, and use organizational skills for personal growth and strategic planning.”
This list of where skills data appears in Microsoft 365 is worth reading. Not everything is available today, but you can see where Microsoft is heading.
Setting Up People Skills
Before any skills appear in public view, a tenant must go through the People Skills setup process. The setup option is available in the Settings (choose Viva, then data management) or Copilot sections of the Microsoft 365 admin center. Microsoft recommends a quick setup (Figure 2) to configure the People Skills service with default settings, including a skills library of some 16,297 different areas of expertise that people might have.
The setup process runs in the background and takes at least a day to finish. It seems like much of the time taken is to allow skills interferencing by AI to happen. This means that an AI agent examines the details of users and their activity (Graph-based access to email, Teams messages, and documents) to figure out what skills each user might have. For instance, someone with a “Software architect” job title probably knows something about software architecture, and their communications with other users will probably reveal what areas of software architecture they work in. If this sounds creepy, you can disable the feature using Viva policies managed through PowerShell.
For example, these commands reveal the set of features that can be managed through the PeopleSkills module and create a new policy to disable skills interferencing for members of a specific distribution list:
Get-VivaModuleFeature -ModuleId PeopleSkills Add-VivaModuleFeaturePolicy -Module PeopleSkills -FeatureId SkillsInferencing -IsFeatureEnabled $false -GroupIds NoSkills@office365itpros.com -Name TurnOffSkillsInterferencing
The Get-VivaModuleFeatureEnablement cmdlet checks if the feature is disabled for a user:
Get-VivaModuleFeatureEnablement -ModuleId PeopleSkills -FeatureId SkillsInferencing -Identity Marty.King@office365itpros.com FeatureId Enabled --------- ------- SkillsInferencing False
Note that if Skills inferencing has already happened for a user, it will take several days for the information to disappear from their user profile. Speaking of profiles, Figure 3 shows how AI-inferenced skills appear in my Microsoft 365 profile card. The skills listed here aren’t confirmed. In other words, they are skills that the AI agents thinks that I might have based on the knowledge available to it (I won’t get upset by the poor spelling of PowerShell).
I’m not sure about some of these skills (like decision making). By selecting the Update your profile option, I can select which skills I agree I have (Figure 4), add some more skills that the AI overlooked by selecting from the skills inventory, and confirm the set. Confirmed skills show up with a blue tick mark when people view the profile card.
Graph API
A ListSkills Graph API is available for the Profile resource type to list the set of skills for a user account. The API uses the User.Read delegated permission and no application permission is available. In other words, you can’t use the API to create a report of skills for every user in the organization. Here’s how to use the Get-MgBetaUserProfileSkill cmdlet from the Microsoft Graph PowerShell SDK to list the skills of the signed in user:
Get-MgBetaUserProfileSkill -UserId (Get-MgContext).Account | Sort-Object DisplayName | Format-Table DisplayName, allowedAudiences, CreatedDateTime DisplayName AllowedAudiences CreatedDateTime ----------- ---------------- --------------- Application Development organization 11/06/2025 08:46:52 Application Programming Interfaces (API) organization 11/06/2025 08:46:52 Artificial Intelligence (AI) organization 11/06/2025 08:46:53 Business Intelligence (BI) organization 11/06/2025 08:46:53 Business Management organization 11/06/2025 08:46:52 Business Negotiation organization 11/06/2025 08:46:52 Change Management organization 11/06/2025 08:46:53
Some People Skills Oddities
Of course, the combination of skills determined by AI and the user might not actually be true. I could claim to be a Hyper-V expert (I’m not), and the AI might think that I know something about SharePoint Online because I’ve written about the topic often. Oddly, the AI concluded that I know something about Exchange but not about SharePoint, Teams, Planner, or other Microsoft 365-related topics. Although PowerShell is a skill, Microsoft Graph isn’t listed in the skills inventory. I tried to add some custom skills by following the steps in the documentation (requiring a CSV upload to SharePoint is bizarre), but the admin center couldn’t find the CSV uploaded to a site that I owned, no matter what form of a path I used.
The skills used by the latest iteration of skill highlighting and management within Microsoft 365 are not the same as those captured in SharePoint Online or Delve (User Profile Application or UPA skills). According to the documentation, once you enable People Skills, the UPA skills are hidden from the user profile card. This might happen in the future, but I see both sets of skills listed today. Another future is migration of UPA skills to People Skills. Microsoft says that this will happen but hasn’t yet clarified how or when. Perhaps migration isn’t in their current skill set?
Support the work of the Office 365 for IT Pros team by subscribing to the Office 365 for IT Pros eBook. Your support pays for the time we need to track, analyze, and document the changing world of Microsoft 365 and Office 365.
Using a Copilot Agent in SharePoint to Interact with Office 365 for IT Pros
Use Office 365 for IT Pros PDF Files as Knowledge Sources for Copilot
The announcement in message center notification MC1078671 (20 May 2025) that Copilot Studio can deploy agents to SharePoint Online sites (in Copilot Studio terms, SharePoint Online is a channel) gave me an idea. SharePoint has supported agents since October 2024, but those agents are limited to reasoning over the information contained in a site. Copilot Studio can create more flexible and powerful agents that can consume different forms of knowledge, including external web sites and files. Uploaded files are stored in the Dataverse, or the mysterious SharePoint Embedded containers that appeared in tenants recently.
My idea is to use the Office 365 for IT Pros eBook as a source for a Copilot agent. Our subscribers can download updated book files every month in PDF and EPUB format. Copilot can consume text files, including PDFs, as knowledge sources (message center notification MC1058260, last updated 9 June 2025, Microsoft 365 roadmap item 489214). If you have Microsoft 365 Copilot licenses, it seems logical to create an agent that uses the PDFs for the Office 365 for IT Pros and Automating Microsoft 365 with PowerShell eBooks as knowledge sources.
You could even expand the set of knowledge sources to https://office365itpros.com and https://practical365.com to include articles written by our author team. Once the agent is configured, it can be published to a SharePoint Online site for users to interrogate. Sounds good? Let’s explore what you need to do to make the idea come alive.
Adding Files to a Copilot Agent
During an investigation of the various ways to create Copilot agents, I created an agent in Copilot Studio called the Microsoft 365 Knowledge Agent. The agent already reasoned over office365itpros.com and practical365.com. I uploaded the PDF files for the two books to the agent so that the agent now reasons over the two websites and two PDF files (Figure 1). You might notice that I have disabled the options for the AI to use its LLMs and to search public websites when composing answers. That’s because I want the agent to limit its responses to the set of defined knowledge sources.
The upload dialog says that files cannot be “labeled Confidential or Highly Confidential or contain passwords.” This might reflect old information as Microsoft has support for files protected by sensitivity labels in preview. The implementation seems very like support for sensitivity labels in Bizchat in that a user cannot access a file protected by a label if the label doesn’t grant them access to the content. I also assume that Copilot Studio will eventually support the DLP policy for Microsoft 365 to stop confidential files with specific labels being used as knowledge sources.
It can take some time for Copilot Studio to process uploaded files to prepare their content for reasoning, depending on their size. Office 365 for IT Pros is a 1,280-page 27 MB eBook, so it took several hours before Copilot Studio declared the file to be ready. You can upload a maximum of 500 files as knowledge sources for an agent.
Updating the Copilot Agent Instructions
Next, I adjusted the instructions for the agent. Here’s what I used:
- Respond to requests using information from specific curated websites and the files uploaded as knowledge sources.
- Ensure the information is accurate and relevant to the topic.
- Provide well-structured and engaging content.
- Avoid using information from unverified sources.
- Maintain a professional and informative tone.
- Be responsive and prompt in handling requests.
- Focus on topics related to Microsoft 365 and Entra ID technology.
- Write in a professional, clear, and concise manner.
- Output PowerShell code formatted for easy copying and use by readers.
- Ensure the PowerShell code is accurate and functional.
- Do not guess when answering and create new PowerShell cmdlets that don’t exist. Always check that a cmdlet exists before using it in an answer.
Coming up with good instructions for an agent is an art form. I’m sure that these can be improved, but they work.
Publish the Copilot Agent to SharePoint Online
The next task is to publish the agent. To publish the agent to a SharePoint Online site, I selected SharePoint as the target channel (Figure 2) and then selected the site that I wanted to host the agent. I suspect that Copilot Studio caches site information because it wasn’t possible for search to find a new site for several hours after the site’s creation. Publishing to a site creates an .agent file in the default document library in the site.
An agent can only be deployed to a single site. If you make a mistake and deploy the agent to the wrong site, you’ll need to undeploy and remove the site from the agent configuration and then deploy the agent to the correct site.
Out of the box, the only person who can use the agent at this point is the publisher. To make the agent available to all site members, a site administrator needs to mark the agent as approved. The agent then shows up in the list of agents accessed through the Copilot button in the meu bar. Any user with a Microsoft 365 Copilot agent can use the agent as part of their license. Access for other users must be paid for on a pay-as-you-go basis.
Using the Copilot Agent in SharePoint
Interacting with the agent to ask questions from the knowledge contained in Office 365 for IT Pros is just like any other Copilot interaction. Compose a prompt and submit it to the agent, which contemplates the request and responds based on the knowledge available to it (Figure 3).
SharePoint Online is not the only publication channel available to an agent. I also connect the agent to Microsoft 365 and Teams. Figure 4 shows how to chat with the agent in Teams.
The Only Downside is Our Monthly Updates
We know that Office 365 for IT Pros is a big eBook. Sometimes it’s hard to find the precise information that you’re looking for using the standard search facilities. Being able to have an agent reason over the books (and optionally, associated web sites) is an excellent way to have AI do the heavy lifting of finding and extracting knowledge in a very accessible way. The only downside is that you need to update the agent with the new files and republish to the target channels after we release our monthly updates. But that’s not a difficult task – and I am sure that a way will be found to automate the step in the future.
So much change, all the time. It’s a challenge to stay abreast of all the updates Microsoft makes across the Microsoft 365 ecosystem. Subscribe to the Office 365 for IT Pros eBook to receive monthly insights into what happens, why it happens, and what new features and capabilities mean for your tenant.
AI Generative Summaries Make Life Even Harder for Technology Websites
Another Fall in Organic Traffic Because People Get What They Need from Generative Summaries
Last November, I wrote about the impact generative AI was having on technology websites. Things have become tougher since with the introduction of generative summaries. Take Figure 1 as an example. I asked Google a question and instead of responding with a list of websites that might contain good answers, Google generates a summary overview of the available information. There’s no need to go anywhere near the article that I published on June 6 because there’s enough information available in the summary to answer the question for most people.
Bing has its own take on generative summaries. I didn’t use it as an example because Bing search results are so horribly bad, especially when it comes to finding content in my site.
The result of the Google changes is a further decline in website traffic. And it’s not just me saying that this is the case. A recent Bain & Company survey found that “80% of US consumers rely on “zero-click” search results, meaning they get the information they need from the search engine’s results page and don’t click through to another website.”
Bain attributes the change in user behavior to the effect of AI search engines and generative summaries, resulting in a 15% to 25% reduction in organic web traffic, or page views created by people who find a website through unpaid search engine results (the listings displayed by Google, Bing, and other search engines) rather than through paid advertising or other marketing channels.
Why Does Falling Organic Traffic Matter?
The thing about generative AI is that it can only generate based on knowledge that exists in its LLMs or can find in a website. Generative AI doesn’t create new knowledge: to some extent, generative AI steals and reuses the work done by many people to understand, analyze, document, and discuss information about all the different topics indexed by the search engines and eventually create those generative summaries.
The model works when search engines directed everyone to the source websites. Those who write are happy that the web views recorded for their site reflect interest in their work. They might also benefit from advertising on the site. Depending on the page views, the revenue from advertising might be enough to live on. More usually, it might cover the domain and hosting fees.
Sites run by commercial companies to publicize their offerings commonly publish information to attract people to the site. The quality of the information varies greatly. Some (CodeTwo Software is an example in the Microsoft 365 space) is well written and very useful. Other sites hype up the problems solved by their current product (the need to spend lots of money to manage Entra ID apps is a common theme today) or dramatically over-emphasize why their product is needed. One example in that category is a site that tells people to run the EDBUTIL utility to defragment Exchange Server databases (last needed with maybe Exchange 2003).
From what I can see from the data for several websites, new content still receives attention and high page views because it is often linked to notifications sent via email, Twitter, Bluesky, or other media channels. A few days later, that material will be absorbed by AI and become less valuable in terms of driving the page views that search engines once sent to the host sites.
Writers Will Stop Sharing Content
The point is that if people and companies don’t see a return on their investment, they won’t write as many articles as they have in the past. A well-written and researched article might take four to six hours to put together, and longer if some PowerShell or other code examples are needed. Who wants to put in that effort, or pay writers to do that work, if page view numbers are continuing to fall month-over-month. Life is too short to throw away hours of effort for no reward (fiscal or just the pleasure of knowing that people read your content).
A real strength of technical communities focusing on topics like Exchange, SharePoint, Teams, and development technologies has been the willingness of people to share their knowledge and expertise, except perhaps via paid subscriptions to Substack or Patreon sites where exclusive access to content can be offered, perhaps for a period before open publication.
If open access to knowledge weakens, we will all be worse off. No amount of generative AI can guide people to a solution that hasn’t ever been documented. The information in the LLMs will gradually degrade because less new knowledge is being publicly shared. Over time, new knowledge might become less and less available to the LLMs and generative AI will become less valuable because it can only output old material.
Publishing the 2026 Edition
For now, the content shared on office365itpros.com will remain public and open to all. I have considered using Substack to host articles that aren’t related to book updates, with free subscriptions to that content for people who buy the Office 365 for IT Pros eBook. We might still go down that route, but for now we’re concentrating on publishing the 2026 edition on July 1, 2025.
I’m interested in hearing what people think about the effect AI has on content that many depend on to do their job. Please let us know your thoughts by posting a comment.
When the Invoke-MgGraphRequest Cmdlet Needs Help to Fetch Responses
Running Graph API Requests and Checking the Response
Whenever I need to run a Graph API request where a Microsoft Graph PowerShell SDK cmdlet isn’t available (or doesn’t work as expected), my normal go-to solution is the Invoke-MgGraphRequest cmdlet. The cmdlet works well and is extremely useful when testing a new API because it uses the authenticated connection established by the Connect-MgGraph cmdlet. In other words, you don’t need to obtain an access token to run requests because the cmdlet uses the token held by the session, including the scopes (permissions) detailed in the token.
The Graph Explorer App and Its Permissions
However, sometimes the Invoke-MgGraphRequest cmdlet comes up short and a different tool is needed for testing. That’s where the Graph Explorer can help. Like the Microsoft Graph PowerShell SDK, the Graph Explorer is implemented as an enterprise Entra ID app (appid de8bc8b5-d9f9-48b1-a8ad-b748da725064). And like the Microsoft Graph PowerShell Command Line tools app, the Graph Explorer app accumulates a set of delegated permissions over time as consent for permissions is granted to allow requests to run (that’s why the Graph Explorer UI includes a prominent Modify Permissions button).
The permissions allow signed-in users to run Graph API requests and access data available to them. Sometimes too many permissions can get in the way of testing, so it’s a good idea to review the permissions and remove any that seem not to be necessary.
Running an eDiscovery Purge Job
In this case, I was experimenting with the eDiscovery method to purge mailbox data based on a search. This is not the compliance search purge action. It’s an action to purge data found by eDiscovery premium searches. The Clear-MgSecurityCaseEdiscoveryCaseSearchData SDK cmdlet runs purge requests, using a command this:
Clear-MgSecurityCaseEdiscoveryCaseSearchData -EdiscoveryCaseId $Case.Id -EdiscoverySearchId $Search.Id -BodyParameter $PurgeParameters
The problem is that the cmdlet only reports failures (like a malformed payload). It doesn’t report the successful submission of the background purge job it creates, nor does it report the progress and eventual result of the purge job. Submission is like lobbing a stone into a deep black pit.
At first glance, using Invoke-MgGraphRequest doesn’t do any better. Once again, nothing happens, and no insight is available into the progress of the purge job.
$Uri = ("https://graph.microsoft.com/v1.0/security/cases/ediscoveryCases/{0}/searches/{1}/purgeData" -f $Case.Id, $Search.Id)
Invoke-MgGraphRequest -Uri $Uri -Body $PurgeParameters -Method POST
The documentation for the API says that a successful submission returns a 202 Accepted response code, and a response header containing the location of the Purge data operation created to commit the purge. The question is how to see that information.
Graph Explorer Reveals Responses
The Graph Explorer is designed to be a training and debugging tool. As you can see in Figure 1, it displays the 202 Accepted response, and it shows the response header. To see what’s happening with the purge job, copy the location URL and run a GET request against it (in Graph Explorer or using Invoke-MgGraphRequest) and you’ll see details such as the current progress of the purge job.
Invoke-MgGraphRequest Comes Through in the End
You can’t run Graph Explorer in a script. Although the app is great for testing, it can’t work in a production environment. All of which brought me back to the Invoke-MgGraphRequest documentation, where I discovered the ResponseHeadersVariable parameter, which outputs response headers to a variable if generated by an API request. We can’t see the 202 response for a job submission, but we can fetch details of the purge job by extracting the URI from the variable and using it to query the job status. Apparently, the purge succeeded!
Invoke-MgGraphRequest -Uri $Uri -Body $PurgeParameters -Method POST -ResponseHeadersVariable Response
[string]$ResponseLocationURI = $Response.Location
$ResponseURI = [system.uri]$ResponseLocationURI
$ResponseData = Invoke-MgGraphRequest -Uri $ResponseURI -Method Get
Name Value
---- -----
createdDateTime 05/06/2025 13:44:58
id f580a3b0c72b4c849912520e04bc39e7
percentProgress 100
@odata.context https://graph.microsoft.com/v1.0/$metadata#security/cases/ediscoveryCases('7fc26cf0-bc8d-421c-8ad1-bea9782f564c')/operations/$entity
action purgeData
status succeeded
@odata.type #microsoft.graph.security.ediscoveryPurgeDataOperation
completedDateTime 05/06/2025 13:47:23
createdBy {[user, System.Collections.Hashtable], [application, ]}
The learnings here are that the Graph Explorer is a very useful debugging tool and that you should check every cmdlet parameter, even for cmdlets that have become second nature.
How to Block Ad-Hoc Email-Based Subscriptions
No MSOL Module, So How Can You Block Email-Based Subscriptions
By now, I assume that every Microsoft 365 tenant administrator knows about the deprecation of the MSOL and AzureAD PowerShell modules. The MSOL module is already retired; the Azure AD module will be retired any day now. Some of the cmdlets in the modules have already stopped working because of the withdrawal of a dependent service.
Which brings me to a note I read in a Microsoft article the other day solemnly informing me that I should block users from signing up for “viral” trial subscription of Copilot Studio by running the Set-MsolCompanySettings cmdlet to block ad-hoc or email-based subscriptions as follows:
Set-MsolCompanySettings -AllowAdHocSubscriptions $False
Of course, the cmdlet is now retired and unavailable, but as the page hasn’t been updated since October 2024, it strikes me that perhaps people haven’t noticed.
In any case, it’s terrifically difficult to maintain total accuracy in documentation for an area that is in a state of constant flux. After coping with change in Microsoft 365 for the last ten years to keep the Office 365 for IT Pros eBook updated, I think I’m an authority on this topic.
The more important issue raised by the documentation deficiency is what is the replacement for the Set-MsolCompanySettings cmdlet? There’s no mention of the cmdlet in Microsoft’s change map page, which helps people find equivalent commands in the Microsoft Graph PowerShell SDK.
No Block for Copilot Studio in the Microsoft 365 Admin Center
It all depends on what you want to do. In this case, the advice given in the page is how to block ad-hoc subscriptions of the type that Copilot Studio allows people to sign up for over a 60-day period. Although Microsoft 365 Copilot is on the list, Copilot Studio is not one of the products governed by the self-service settings in the Microsoft 365 admin center (Figure 1), so Copilot Studio can’t be blocked here or by using the MSCommerce PowerShell module. Copilot Studio uses email-based subscriptions to allow anyone to sign up using an Entra ID or other account, so that’s probably why it’s not on the self-service trials list.
Use the Entra Authorization Policy to Block Email-Based Subscriptions
This brings us to the Entra ID authorization policy. Using the Get-MgPolicyAuthorizationPolicy cmdlet (the Microsoft Graph PowerShell SDK cmdlet that maps the Get method for the resource) to examine the policy settings for my tenant, I see:
Get-MgPolicyAuthorizationPolicy | Format-List AllowEmailVerifiedUsersToJoinOrganization : False AllowInvitesFrom : everyone AllowUserConsentForRiskyApps : False AllowedToSignUpEmailBasedSubscriptions : True AllowedToUseSspr : True BlockMsolPowerShell : True DefaultUserRolePermissions : Microsoft.Graph.PowerShell.Models.MicrosoftGraphDefaultUserRolePermissions DeletedDateTime : Description : Used to manage authorization related settings across the company. DisplayName : Authorization Policy GuestUserRoleId : 2af84b1e-32c8-42b7-82bc-daa82404023b
The formal documentation for Set-MsolCompanySettings is no longer available, but some source text in GitHub defines the use of AllowAdHocSubscriptions as “to allow users to sign up for email based subscriptions.” That seem to match the AllowedToSignUpEmailBasedSubscriptions setting, so let’s see what happens if I update the setting to false by running the Update-MgPolicyAuthorizationPolicy cmdlet:
Update-MgPolicyAuthorizationPolicy -AllowedToSignUpEmailBasedSubscriptions:$false
The Policy.Read.All permission is required to read the policy settings, and the Policy.ReadWrite.Authorization permission is required to update policy settings.
After updating the policy settings, I removed the Microsoft 365 Copilot license from a user account. This license contains a service plan for Copilot Studio. Removing the license means that the user is forced to take out an email-based subscription to use Copilot Studio.
After going to the Copilot Studio page, the user can click the Try for free button to start their trial. After proving that they’re a human, the process detects that the user has an Entra ID account and asks them to sign in. After signing in, Entra ID checks the tenant authorization policy and declines to go further to complete the email-based subscription because of the policy block (Figure 2).
To revert, update the setting to true.
Update-MgPolicyAuthorizationPolicy -AllowedToSignUpEmailBasedSubscriptions:$true
The user can now complete the sign-in process and access Copilot Studio (Figure 3).
No One-to-One Mapping for the Old Cmdlet
My original question asked what is the replacement for the Set-MsolCompanySettings cmdlet? The answer is that there isn’t a single 1:1 replacement. The Entra ID authorization policy takes care of authorization settings for the tenant, such as email-based subscriptions and whether the tenant allows self-service password reset (SSPR). Some of the other settings are supported in the Entra admin center UX. As to changing tenant id or setting the default usage location for user accounts, I’ll have to go searching…
Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.
SharePoint Online Dumps OTP Authentication for Sharing Links
Change Applies on July 1 to Tenants that Integrated SharePoint with Entra ID B2B Collaboration
The announcement in message center notification MC1089315 (6 June 2025) that Microsoft is dumping the old one-time passcode (OTP) authentication mechanism for SharePoint Online and OneDrive for Business sharing is unexpected, but only because it took Microsoft so long to make the change.
After July 1, 2025, external users who have received a sharing link from a user in a tenant that uses OTP authentication will discover that they have lost access to the shared content (files, folders, or sites). Microsoft says that they’re making the change to “enhance security.” I think this is correct, and the change delivers an additional benefit to Microsoft because it gets rid of an old feature.
A History of One-time Passcodes in SharePoint Online
OTP-based sharing links (aka, the “Secure external sharing recipient experience”) predates the support of Entra ID B2B Collaboration (guest accounts) within SharePoint Online. That support arrived as a result of guest access to Office 365 groups (now Microsoft 365 groups) in September 2016. Guest accounts took a while to catch on, and Office 365 groups only became really popular after the advent of Teams in early 2017. Indeed, Teams didn’t surpass 20 million active users in November 2019 before massive growth occurred in Teams usage during the Covid-19 pandemic.
Although Teams growth propelled similar growth in groups and SharePoint usage, there was no great push to move tenants off OTP authentication to SharePoint and OneDrive integration with Azure AD (now Entra ID). External sharing worked, so why bother?
Microsoft began the process to get off OTP by integrating OTP with Entra ID B2B Collaboration in October 2021. Essentially, the change ensured that external users who received OTP sharing links had guest accounts created for them in the tenant directory. The next step made sure that new tenants created after March 31, 2023, could only use B2B collaboration.
The plan now revealed “only impacts organizations that have already enabled or plan to enable SharePoint and OneDrive integration with Microsoft Entra B2B.” In other words, nothing changes for tenants that did not link SharePoint Online and OneDrive for Business to Entra ID B2B Collaboration. I wonder what proportion of the SharePoint community still use one-time passcodes exclusively for sharing.
The Result of the Change
MC1089315 rates this change to be “highly relevant.” In other words, it will affect how users work because:
- After July 1, all new sharing links generated for external people will use Entra ID B2B Collaboration and the sharees will receive email containing the sharing link generated by the Entra ID Invitation Manager service. This shouldn’t cause too much upheaval because the process is reasonably painless. I use it all the time to share documents with several other Microsoft 365 tenants and haven’t had any issues with sharing links that I can remember.
- After July 1, all previously issued sharing links based on one-time passcodes generated by SharePoint Online and OneDrive for Business will stop working. Obviously, this aspect of the change could cause confusion when a link sent to users doesn’t work. July 1 is a Tuesday, and it’s entirely possible that many sharing links with one-time passcodes arrive in user mailboxes on Monday, June 30. If the recipients action the links immediately, they can access the shared content. If they delay, the links stop working. It’s as simple as that.
Microsoft says that users will be told “Sorry, something went wrong. This organization has updated its guest access settings. To access this item, please contact the person who shared it with you and ask them to reshare it with you.” What’s gone wrong is that Microsoft decommissioned one-time passcodes. However, the statement is accurate that the only way to resume access to the shared content is to receive a new sharing link generated based on B2B collaboration. The potential for impact on users and the knock-on effect on help desks is clear.
MC1089315 notes that users will be required to complete multi-factor authentication (MFA) registration as part of the Entra ID B2B onboarding process. That’s strictly only true if the tenant that hosts the content requires MFA, most likely with a conditional access policy to block access unless an MFA challenge is satisfied. Even if your tenant doesn’t use MFA today (which it should), it is the hosting tenant that gets to choose whether MFA is required.
A Good Change
I bet this change will cause confusion and some upheaval in the weeks after July 1. After that, everything should calm down as the old OTP-based sharing links work their way out of the system. It’s good to have consistency and security and having one method to secure sharing links seems like a good change to make. At least, it is in my book.
So much change, all the time. It’s a challenge to stay abreast of all the updates Microsoft makes across the Microsoft 365 ecosystem. Subscribe to the Office 365 for IT Pros eBook to receive monthly insights into what happens, why it happens, and what new features and capabilities mean for your tenant.
How to Block PST Files for the New Outlook for Windows
Use an OWA Mailbox Policy Setting to Block PST Access
A reader asked if it is possible to disable the ability of the new Outlook to open PST files, noting that some internet posts say that it’s not yet possible. One example from April 2025 points to the list of Microsoft 365 roadmap items related to PST files and suggests that support is coming.
Well, support is available through the OutlookDataFile setting in OWA mailbox policies. The default is to allow new Outlook clients to access PST files (a longstanding request for many people), but organizations that don’t want people to ever use PST files can easily block access.
Figure 1 shows the default access where users can add PST files for the client to open. As the note says, the current level of support extends to mail items only.
Good reasons exist to justify being able to open PST files. Access to old email is an obvious reason. eDiscovery investigations often use PST files to export mailbox items found by searches for review by external experts.
The downside of allowing access to PST files is the temptation for people to move items from mailboxes into PSTs. This action makes items invisible for compliance purposes. It also makes email inaccessible to AI tools like Microsoft 365 Copilot. More worringly, PSTs encourage bad behavior, such as people filling PSTs with email that they want to preserve when they leave a company. Using sensitivity labels blocks this habit because although users can keep protected items in a PST, they won’t be able to access the items if they can’t authenticate with an account that has access rights to the items.
Mailbox Policy Settings
An OWA mailbox policy is a collection of settings that govern how OWA works. Exchange Online supports multiple OWA mailbox policies, allowing administrators to create and assign different policies to user mailboxes.
The new Outlook is tightly linked to OWA, so it’s unsurprising to find that OWA mailbox policy applies to the new Outlook too, such as the setting to block downloading of attachments. In this case, OWA doesn’t support PST access at all, so the setting is unique to the new Outlook.
Block PST Access in the OWA Mailbox Policy
To block PST access, run the Set-OWAMailboxPolicy cmdlet to update the OutlookDataFile setting. This command updates the setting to Deny to block all access to PSTs:
Set-OwaMailboxPolicy -Identity OWAFullAccess -OutlookDataFile Deny
The effect is shown in Figure 2. The Outlook Data Files option is now hidden.
Other values for the OutlookDataFile setting are:
- NoExport: Users can’t export from a mailbox to a PST.
- NoExportNoGrow: Users can’t export from a mailbox to a PST or copy items from a mailbox to a .pst file.
- NoExportNoOpen: Users can’t export from a mailbox to a PST, or open new PSTs.
- NoExportNoOpenNoGrow: Users can’t export from a mailbox to a .PST, copy items from a mailbox to a PST, or open new PST files.
These settings are the equivalent of the policy available to control PSTs in Outlook classic.
The effect of the new setting is not immediate. It takes time for Exchange Online to propagate the update to all the mailbox servers used by a tenant, and a further period before clients pick up and apply the setting. The time required might be as short as a few hours and as long as twelve hours. If you’re going to apply a block on PST usage, it’s best to implement the policy before people start to use the new Outlook.
PSTs are Ancient Baggage
Introduced in 1997, PSTs are an archaic part of the history of Exchange. Unfortunately, just like public folders (1996), customers can’t quite get rid of either. I guess we’ll just have to manage the beasts, which is what the mailbox setting described here does for PSTs in the new Outlook, aka Outlook designed for the 2030s dragging along ancient baggage…
Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.
Respond to Teams Messages with Multiple Emoji Reactions
Multiple Emojis Apparently Creates More Nuanced Responses
My life became complete when message center notification MC1084032 appeared on 27 May 2025 to announce that Teams users can add multiple emoji reactions when they respond to messages. Microsoft 365 roadmap item 491468 explains the need for the new capability, saying that allows users “to express a wide range of emotions effectively. Use combinations of emojis for a richer and more nuanced response, quickly conveying your feelings and thoughts, like agreement, urgency or sentiment, without extra replies—keeping discussions focused and efficient.”
Obviously, I never realized how deficient I have been in restricting myself to a single emoji reaction per chat or channel message. Now users can add up to 20 emojis in their response to messages, including custom emojis (maybe the new sticker generator promised for Paint will make it easier to create custom emojis).
Adding Multiple Emoji Reactions
Technically speaking, the ability for a user to post multiple emoji reactions isn’t hard to implement. The Graph chatMessage: setReaction API deals with posting reactions. The implementation is mostly client-side to lift the previous single reaction and permit up to 20 reactions instead (Figure 1). Users add emoji reactions through the more reactions button under the text of a message. Keep on clicking the button to add emojis. To remove an emoji added in error, select it from the set of emojis again.
Posting a reaction adds it to the collection of reactions for the target message. Although multiple reactions can come from individual users now, it’s really no different to managing a collection containing multiple individual reactions from multiple users.
The reaction list at the bottom of a message might be very colorful, but given that Teams supports over 800 emojis plus custom emojis, inviting users to create combinations of 20 emojis might result in more confused rather than nuanced responses.
As now, Teams lists the reactions in order of popularity (Figure 2) and ensures that the user viewing a message always sees their responses. In other words, Teams filters the response collection by the viewing user to list the most popular responses first. Other responses in the order they are posted then fill out the set of up to 20 emojis displayed under the message.
Schedule and Clients
Rollout is scheduled for early June 2025 to targeted release tenants followed by general availability in mid-June 2025. Full deployment, including to the GCC, GCC High, and DoD clouds should be complete by mid-August 2025. The new capability will be available in Teams desktop, browser, and mobile clients.
No administrative control is available to allow tenants to restrict users to fewer than 20 emojis. There’s also no way to disable the standard set of emojis at either a tenant or team level. I guess at this point no self-respecting messaging service could operate without supporting emojis in one form or another.
Will Users Notice Multiple Emoji Reactions?
Microsoft doesn’t say where the demand came from to warrant the investment to update Teams to allow users to add up to 20 emojis in a composite reaction to a message. I certainly have never heard of such a request, but I guess I’m not in the category of user that this change will please. I don’t think I shall ever contemplate how to combine emojis into a symphony of nuanced response. A simple thumbs-up reaction normally does the trick.
In any case, I wonder how organizations will communicate the news of the new capability to users. What form of words will they use to explain how to use multiple emojis to send effective responses. I’ll look forward to learning more.
Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.
Exchange Online Upgrades Its Message Tracing Capabilities
Old Message Tracing Components Will be Deprecated in September 2025
The June 3 announcement that the new Exchange Online Message Trace facility is generally available creates some work for Microsoft 365 tenant administrators who use message trace in scripts. The roll-out of the update will happen between mid-June and July 2025. Tenants that participated in the public preview and have V3.7 or later of the Exchange Online management module can already use the new Get-MessageTraceV2 and Get-MessageTraceDetailV2 cmdlets.
In the announcement, Microsoft says that they will deprecate the old message tracing UI from the Exchange admin center and the old Get-MessageTrace and Get-MessageTraceDetail cmdlets beginning September 1, 2025. Microsoft will also deprecate the background reporting web service that responds to requests for online message trace data at the same time. The deployment is limited to commercial tenants and doesn’t currently affect sovereign clouds because of the need to certify code upgrades for those environments.
Time Slipping Away to Upgrade Code
Microsoft will take care of updating the Exchange admin center. Customers and ISVs that depend on the old implementation of message tracing must complete their upgrade by the end of August 2025 before the deprecation cycle begins. If you don’t, the risk is that code will stop working without notice.
Twelve weeks seems like a reasonable amount of time to find and update code. However, we’re heading into a peak vacation period when availability of developers becomes more problematic, so now’s the time to get going.
Checking What’s Needed to Upgrade Scripts
To check out what’s needed, I upgrade two scripts. The first script reports email sent to external recipients by members of a distribution list. The second reports the numbers of outbound and inbound messages sent from domains (Figure 1). The updated scripts are both available in the Office 365 IT Pros GitHub repository (see links in the articles).
Updating the first script was easy. All I needed to do was swap out calls to the Get-MessageTrace cmdlet and replace them with Get-MessageTrace2.
The second script was harder because it used paging to fetch pages containing 1,000 message tracing records. Microsoft’s public preview announcement said that they removed support for pagination. The new mechanism behaves awfully like pagination in that you need to fetch message tracing events in batches of up to 5,000 records until all available data is retrieved. Unlike the pagination used by Graph-based APIs, next link URLs are not used to indicate the point the next set of events start. Instead, fetching based on a mixture of dates and email addresses.
An example is worth many words, so if you’re confused about how to fetch message tracing data, have a look at the script for the second example.
Extended Range of Historical Data Available
According to the public preview announcement, Microsoft plans to deliver the ability to query up to 90 days of historical message tracing data. Initially, Microsoft plans to have 30 days of historical message tracing data available online. However, a single query is limited to ten days, so fetching the message tracing data for 30 days requires three separate queries, each covering a 10-day period. If you fetch data for more than 10 days, Exchange responds with the error message:
Error fetching message trace data: ||The interval between StartDate and EndDate can’t be longer than 10 days.
Not a Difficult Transition
Moving to the new message tracing facility isn’t hard. It shouldn’t take too long to upgrade scripts as the changes are straightforward (and having an example helps). Time is likely to be the problem. Too many competing demands for PowerShell coding, too little time to get everything done.
Learn how to exploit the data available to Microsoft 365 tenant administrators through the Office 365 for IT Pros eBook. We love figuring out how things work.
Mailbox Import-Export Graph APIs Leave No Audit Trail
Use the Import-Export Graph API to Copy Data from Mailboxes Without a Trace
A recent LinkedIn post by a security practitioner set some alarm bells ringing when it disclosed that the Graph Mailbox Import-Export APIs processed mailbox content without creating audit events to track activity. Given that a) any operation that can exfiltrate mailbox data could be a highly prized tool for attackers and b) the extensive auditing capabilities built into Microsoft 365, this oversight is more than surprising.
What’s poignant about the situation is that Microsoft released the Mailbox Import-Export Graph APIs as part of their campaign to eliminate Exchange Web Services (EWS). EWS is deemed to be insecure and was used to exfiltrate mailbox data from many sensitive executive mailboxes in the Midnight Blizzard attack on Microsoft’s own tenant in March 2024.
Since then, Microsoft has been on a campaign to eradicate EWS from Microsoft 365 as quickly as practicable. The deadline for all apps to stop using EWS is October 2026, and Microsoft plans to eliminate EWS from first-party apps by October 2025, with recent moves to lay the path for Exchange Online and Teams to stop using EWS to share free-busy information and other data.
To be fair to Microsoft, the Mailbox Import-Export Graph API is in preview and beta software usually has a few holes to fill before it can become generally available. On the other hand, Microsoft launched the API in January 2025 and you’d imagine that someone in the development team would have noticed by now. The good news is that Microsoft has acknowledged the issue. I don’t imagine that it will take them long to begin generating audit events for import and export activities.
For an independent take on using the Mailbox Import-Export Graph API, I recommend reading the articles published by MVP Glen Scales.
Testing Auditing of Permanent Removals
Another step in the EWS removal process came with the launch of APIs to permanently remove mailbox items (including calendar items, contacts, and events). Given the issue reported above, I wanted to check if Exchange Online generated audit events for the permanent removal APIs. It’s not inconceivable that an attacker would seek to remove some items from a mailbox, and so much the better if they can do it without detection.
I processed some permanent deletions for mailbox objects and then ran an audit search for hard deletions (which is what these events are).
[array]$Records = Search-UnifiedAuditLog -StartDate '29-May-2025 10:00' -EndDate (Get-Date) -Formatted -SessionCommand ReturnLargeSet -ResultSize 5000 -Operations 'HardDelete'
Audit events for the permanent deletions duly turned up.
Permanent Removals of Calendar Events
I then processed a permanent deletion of a calendar event by finding some events in my own calendar, selecting one, and deleting it:
[array]$Events = Get-MgUserCalendarView -UserId $userId -Startdatetime "2025-01-01T19:00:00-08:00" -Enddatetime "2025-02-20T19:00:00-08:00"
$Event = $Events[1]
$Uri = $("https://graph.microsoft.com/v1.0/users/{0}/Events/{1}/permanentdelete" -f $UserId, $Event.Id)
Invoke-MgGraphRequest -Uri $Uri -Method Post
Again, Exchange Online captured a hard delete audit event for the deletion (Figure 1)
Deleting different types of mailbox items permanently generates audit events. I expected this to be the case because these are not new APIs. Instead, Microsoft extended existing APIs to support permanent deletion, and the extension picked up the existing auditing mechanism.
Auditing is Critical
Some might consider the inclusion of auditing to be a small point when an API is in beta. It’s an arguable point, but the counter is that attackers don’t care if an API that can do a job for them is a beta or production API. All they worry about is the outcome, which could be a bunch of data noiselessly moved out of a tenant.
Of course, the tenant must be compromised beforehand, but evidence exists of cases where attackers penetrated a tenant and waited months before seizing an opportunity to do damage. A beta API that doesn’t generate audit records sounds like just the kind of tool attackers might like to use.
Need some assistance to write and manage PowerShell scripts for Microsoft 365? Get a copy of the Automating Microsoft 365 with PowerShell eBook, available standalone or as part of the Office 365 for IT Pros eBook bundle.
New Outlook and OWA Control for Viewing Protected Email
Force Two-Click Confirmation to View Email Protected by Sensitivity Labels
Recently I noticed that OWA behaved differently when previewing email protected by sensitivity labels. Because it’s an online client, OWA has always been able to seamlessly retrieve the authorization to open and display protected messages from the rights management service. Now a message said that organization policies mandate clicking “View message” to access the email content (Figure 1).
It’s no big deal to comply with the demand for the extra click, but what organizational policies are at work here?
The New Setting for Two-Click Confirmation
The answer lies in the Exchange Online organization configuration, specifically the TwoClickMailPreviewEnabled setting. In my tenant, the setting is True, meaning that it’s enabled and forcing OWA to demand the extra click.
But here’s the thing. According to message center notification MC1041456 (26 March 2025, Microsoft 365 roadmap item 483883), the two-click requirement to view protected messages rolled out to general availability in early April 2025 and should be now be complete worldwide. The notification mentions encrypted emails. I have no idea if the feature extends to messages protected with S/MIME or another type of encryption other than Purview sensitivity labels. I hadn’t seen the behavior in OWA before because I’ve been using the new Outlook for Windows. According to MC1041456, the setting should affect that client too, but it doesn’t. The new Outlook ignores the TwoClickMailPreviewEnabled setting and opens protected messages without as much as a brief pause (Figure 2). Perhaps the client is awaiting an update to respect the setting.
The TwoClickMailPreviewEnabled setting doesn’t affect Outlook classic. That client uses a different mechanism to fetch authorization to open protected messages (to allow Outlook to work offline).
Configuring Two-Click Confirmation
A mismatch between documented setting and client behavior isn’t the only thing that’s odd about the information contained in MC1041456. First, the text refers to the setting being in the Microsoft Azure directory. It’s not. The setting is in the Exchange organization configuration. I’m not saying that the setting doesn’t exist somewhere in Entra ID (which I assume the text refers to), but the instructions given to maintain the setting use Exchange Online cmdlets.
MC1041456 asserts “By default, the two-click setting is off.” I checked by running the Get-OrganizationConfig cmdlet and found that the setting is true (enabled):
Get-OrganizationConfig | fl two* TwoClickMailPreviewEnabled : True
Obviously, somewhere along the line between the message center notification appearing and now the setting had been changed, probably by me. To reset the setting and remove the requirement for double clicks, I ran:
Set-OrganizationConfig -TwoClickMailPreviewEnabled $false
(MC1041456 refers to Boolean values. You can use $false or 0 to update the setting).
Prompts to use OneDrive
When checking out two-click confirmation, I noticed that both OWA and the new Outlook nag users to use OneDrive to share files rather than uploading copies of files as attachments (Figure 3). This is the effect of MC1053121 (last updated 15 May 2025) to have the Office apps prompt users to make more use of OneDrive. The update is now generally available. I don’t like this kind of nagging and recommend that organizations take the time to review the information in MC1053121 and consider if you want to block the nagging.
Two-Click Confirmation Can be Valuable
Microsoft doesn’t give any clues why they think it is a good idea to “require user confirmation before allowing access to encrypted emails.” My assumption is that the reason has to do with privacy. No one wants to have a confidential message pop up on screen when a chance exists that the information could be read by someone else.
However, in other situations where people have grown used to reading confidential messages without hindrance, they might find two-click confirmation a tiresome restriction on their workflow. The bad thing about the feature is that it’s either on or off for an entire tenant without any ability to grant exclusions.
Forcing the double click confirmation allows the recipient to wait until they’re sure that no one can look over their shoulder or otherwise see the content before going ahead. The volume of notifications that flood into tenants mean that features like this can go by without being noted by administrators. If administrators don’t know about a feature, it can’t be used. And that’s a bad thing.
So much change, all the time. It’s a challenge to stay abreast of all the updates Microsoft makes across the Microsoft 365 ecosystem. Subscribe to the Office 365 for IT Pros eBook to receive monthly insights into what happens, why it happens, and what new features and capabilities mean for your tenant.
June 2025 Update Available for Office 365 for IT Pros (2025 Edition)
Monthly Update #120 Now Available for Subscribers to Download
The Office 365 for IT Pros team is delighted to announce the availability of monthly update #120 for the Office 365 for IT Pros (2025 edition) eBook. Updated PDF and EPUB files are available for the main book and for the Automating Microsoft 365 with PowerShell eBook (previously released last week). The files can be downloaded using the link in the receipt subscribers received when they bought the book or from their Gumroad accounts. See our FAQ for more information about downloading updates and the change log for information about changes made in this update.
This is the last monthly update for the 2025 edition. We plan to release the 2026 edition on July 1, 2025, and begin a new cycle of monthly updates (#121 to #132) to bring us to June 2026. We’ll let subscribers know when the 2026 edition is available and it is our sincere hope that you’ll all join us for another year of constant change across the Microsoft 365 ecosystem. As is our normal practice, anyone who buys the 2025 edition at full price during June 2025 will receive a free upgrade to the 2026 edition when it is available.
Seeking a Million Prompts
As we prepare for the new edition, we keep our eyes open for news that we might like to cover. One interesting item that won’t make it into the book is the news that Shoosmiths, a UK-based law firm will share a £1m sterling bonus among its employees if the employees clock up one million Microsoft Copilot prompts in its new financial year. Presumably, the prompts will be counted using the aiInteractionHistory Graph API or audit records.
Shoosmiths estimates that the target will be achieved if each employee uses Copilot “4 times per working day.” That target shouldn’t be too hard to meet. Law firms are prolific users of documents, so the automatic summaries generated by Copilot in Word will go a long way to achieving the bonus (which might not be what the Shoosmiths bosses anticipated).
Microsoft 365 Gets to 430 Million Paid Seats
I usually write about Microsoft’s quarterly results but failed to do so for the FY25 Q3 announcement. The reason is simple: the data shared by Microsoft is great from a financial perspective (revenue was $70.1 billion and increased 13% (up 15% in constant currency)), but poor in terms of Microsoft 365 news. Where once it was common for Microsoft to report growth in seat numbers and other details, now it’s all about spending on artificial intelligence and the growth of agents.
A couple of things did stand out from the transcript of the quarterly results meeting with analysts.
First, Microsoft CFO Amy Hood said that paid Microsoft 365 commercial seats grew to “over 430 million,” a growth of 7% year-over-year. She also observed that Microsoft 365 seat growth in the current quarter would see “moderation given the size of the installed base.” In other words, Microsoft has signed up so many customers that adding a few extra million seats each quarter barely budges the needle.
However, Hood said that she expected Microsoft 365 revenue growth of 14%. The gap between seat growth and revenue growth is accounted for customers buying upgraded licenses, including moving lower-level licenses to Microsoft 365 E5 and buying Microsoft 365 Copilot.
The quarterly results didn’t mention Teams, the poster child of Microsoft 365 for the last few years, The last number given for Teams users was 320 million in October 2023. If growth in Teams usage had matched Microsoft 365, that number would be around 350 million now. Instead, CEO Nadella chose to emphasize the growth in Power Platform, saying “We now have 56 million monthly active Power Platform users, up 27% year-over-year, who increasingly use our AI features to build apps and automate processes.” He also said that Copilot usage increased three times year-over-year, but that’s a useless statistic without knowing the baseline.
Office 365 for IT Pros Enters an Agentic World
Obviously, there’s a lot of people using Power Platform (about 13.25% of all paid seats). Some of that growth probably comes from Copilot agents. Microsoft doesn’t have a great story about management of agent lifecycle, deployment, and access across a Microsoft 365 tenant, and the announcement that Entra ID will deliver some agent management capabilities in the Entra admin center is a good step forward. Technology keeps on changing, and we keep on tracking that change through updates to Office 365 for IT Pros. Onward to the 2026 edition!
Microsoft Launches the Copilot Interaction Export API
aiInteractionHistory Graph API Available in June 2025
Microsoft 365 message center notification MC1080682 (22 May 2025, Microsoft 365 Roadmap item 491631) announces that the new Microsoft 365 Copilot Interaction Export API (aka, the aiInteractionHistory API) will roll out in June 2025. This is the same API that I covered in a Practical365.com article last December and the documentation still says that the API is available through the Graph beta endpoint. Perhaps the intention is to move the API to the V1.0 (production) endpoint when it’s officially released.
I don’t see much change in how the API works or the retrieved data since I last looked at it. A welcome change is that it is now possible to fetch a maximum of 100 records per request rather then ten. Fetching ten interaction records at a time made the API very slow. Although faster than before, the API is still slow, especially for an API designed to allow third-party apps and ISVs “to export Copilot user interaction data for processing in their security and compliance (S+C) applications.”
Other audit APIs support fetching up to a thousand records at a time. Maybe a V1.0 version of the API will support a higher value. Details of how the API works and an example script can be found in the original article.
Licenses and Permissions
The AiEnterpriseInteraction.Read.All Graph permission needed to access interaction data is not available as a delegated permission, meaning that the only way to access the data is through an app (including app-only interactive Microsoft Graph PowerShell SDK sessions). Weirdly, accounts used to run apps using the API to fetch interaction records must have a Microsoft 365 Copilot license.
What the aiInteractionHistory API Captures
According to Microsoft, the API “captures the user prompts and Copilot responses in Copilot private interactions chat and provides insights into the resources Copilot has accessed to generate the response.” This statement does not mean that the data lays bare the details of Copilot interactions. Some of the information needs to be mined and interpreted to make sense. For instance, here are the details of an interaction record:
Name Value
---- -----
locale en-us
body {[content, [AutoGenerated]undefined<attachment id="fd3a9044-309c-4ec9-a568-676f1d521f24"></attachment><attachment id="01TAGX3U2ESA5P3HBQZFHKK2DHN…
from {[@odata.type, #microsoft.graph.chatMessageFromIdentitySet], [user, System.Collections.Hashtable], [application, ], [device, ]}
appClass IPM.SkypeTeams.Message.Copilot.Word
attachments {02 Managing Identities.docx, unknown-file-name}
contexts {02 Managing Identities.docx, unknown-file-name}
createdDateTime 25/04/2025 09:27:05
conversationType appchat
interactionType userPrompt
mentions {}
links {}
sessionId 19:t67NyrXsxDyC8qGGCtSQZYjC3TV1lYvq3IkjzpXquUc1@thread.v2
id 1745573225046
requestId GTbr3lBouCMpcP7L1qVv8Q.20.1.1.1.4
etag 1745573225046
The appClass property tells us what Copilot app the interaction is for. In this case, it’s Copilot for Word. The attachments property tells us if any reference files are used. One is mentioned here, and given that the body property mentions AutoGenerated, we can conclude that this interaction occurred when Copilot for Word generated an automatic summary for a document.
The interactionType tells us that this record is for a user prompt. Responses from Copilot have aiResponse in the interactionType property. User prompts that aren’t for automatic summaries have the text of the prompt in the body property. For example:
Name Value ---- ----- content What functionality isn't available with a Microsoft 365 retention policy contentType text
aiInteractionHistory API requests require the identifier for a user account and the response is the records for that user. Details of the user are in the from property, but you’ll have to navigate to from.user.id to see the identifier for the user. A DisplayName property is available in the from structure but doesn’t hold the display name of the user.
Assuming that a third-party application wanted to retrieve the ai interaction history records and process the records for its own purposes, it’s obvious from this brief discussion that the application has some work to do to interpret the raw data to make it useful for compliance investigations or other purposes. The script published with the December article referenced above shows how to approach the task, which is like the parsing of audit records to extract useful content. Figure 1 shows the kind of data that can be extracted from the aiInteractionHistory API records.
The Many Sources of Information About Copilot Interactions
It’s hard to know how useful the aiInteractionHistory API will turn out to be. Other sources of information can be mined to discover how people use Copilot, including usage data, audit records, and the compliance records held in user mailboxes. I guess it all depends on what you’re looking for.
How to List Hidden Group Memberships with the Graph
Administrative Interfaces Can List Hidden Group Memberships, but Graph-Based Apps Need Extra Permission
A user of the Microsoft 365 Groups and Teams activity report script (which I should do some work on to upgrade some really old code) pointed out that they weren’t getting details of groups with hidden membership. I’ve written about groups with hidden membership before and observed that administrative interfaces like the Microsoft 365 admin center or Entra admin center have access to hidden membership (Figure 1) where user-facing clients like Outlook block access to hidden group memberships.
PowerShell modules built for administrative use also count is administrative interfaces, so cmdlets like Get-UnifiedGroupLinks from the Exchange Online management module report hidden memberships as happily as they list open memberships. Modules like Exchange Online assume that anyone running their cmdlets is an administrator, so they extend the same access to data that the administrator enjoys through an admin portal.
Listing Hidden Group Memberships is Different with the Graph
The Graph API is different. Working on a least permission model, the Graph makes no assumptions about permissions when a session starts and the only access to data available during the session is via granted permissions. The permissions can be delegated (access to data available to the signed-in user) or application (available to tenant data). Delegated permissions are used for interactive sessions. Application permissions are used by apps (which can run in interactive sessions).
When the problem was first reported, I did a quick check but couldn’t find anything wrong. But I screwed up by running commands in an interactive session signed in with an account that held the Exchange administrator role. Interactive sessions use delegated permissions, but they also respect any of the administrative roles assigned to the account, so while the Get-MgGroupMember cmdlet would normally stop me seeing the members of a group with hidden membership, the Exchange administrator role removed the block and made the membership visible.
This experience proves once again that any testing for a Graph access scenario should be done with application permissions. In other words:
- Create an app (registration).
- Assign the app the lowest possible level of permissions you think are needed to get the job done.
- Test.
- Refine as necessary using different permissions until the test is successful.
Fetching Hidden Group Membership
In this scenario, I started off with an app with consent to use the Group.Read.All and User.Read.All permissions. The former is needed to read group details; the latter to retrieve member information (user accounts). I then disconnected my current interactive Microsoft Graph PowerShell SDK session and signed in with the app, using the thumbprint of an X.509 certificate uploaded to the app to authenticate. Running Get-MgContext confirmed the available permissions (scopes):
Connect-MgGraph -Tenantid $TenantId -AppId $AppId -CertificateThumbprint $Thumbprint (Get-MgContext).Scopes | Format-List User.Read.All Group.Read.All
Now attempt to read the membership of a group with hidden membership. The Get-MgGroupMember cmdlet returns nothing, but we know why because the visibility property of the group is set to HiddenMembership. A group might have no members, but if its visibility property is set to HiddenMembership, there might be data to retrieve,
Get-MgGroupMember -GroupId $GroupId Get-MgGroup -GroupId $GroupId | Select-Object Visibility Visibility ---------- HiddenMembership
The Visibility property is most often used to note whether a group has private or public membership. Unfortunately, it’s not a filterable property for the Graph, so to find the groups with hidden membership, you do something like this:
[array]$Groups = Get-MgGroup -All -PageSize 500
$Groups | Where-Object {$_.Visibility -eq 'HiddenMembership' } | Format-Table DisplayName, Id, Visibility
To find details of the hidden membership, grant consent for the app to use the Member.Read.Hidden permission. Disconnect and reconnect using the app and make sure that Member.Read.Hidden is available. Now run Get-MgGroupMember again:
[array]$Members = Get-MgGroupMember -GroupId $GroupId Id DeletedDateTime -- --------------- eff4cd58-1bb8-4899-94de-795f656b4a18 cad05ccf-a359-4ac7-89e0-1e33bf37579e 08dda855-5dc3-4fdc-8458-cbc494a5a774 75ba0efb-aed5-4c0b-a5de-be5b65187c08 4daa5f06-55eb-4d79-9a24-1be369919fec 59e09287-ac1b-4ff7-80a3-08d0d1eed939
Or to see the display names of the members:
$Members.additionalProperties.displayName Tony Redmond James Ryan Sean Landy Terry Hegarty Otto Flick Hans Geering (Project Management)
If an app has a higher-level permission, such as Directory.Read.All, it can also read hidden membership. The same permission governs access to hidden memberships of Entra ID groups and administrative units.
The Takeaway about Graph Permissions
The takeaway here is not to assume anything about Graph permissions. The ability of the Microsoft Graph Command Line Tools app (used for Microsoft Graph PowerShell SDK interactive sessions) to accrue delegated permissions over time is both a benefit and a problem. When you can, use app-only mode to validate exactly what permissions are required to run your code.
Need some assistance to write and manage PowerShell scripts for Microsoft 365? Get a copy of the Automating Microsoft 365 with PowerShell eBook, available standalone or as part of the Office 365 for IT Pros eBook bundle.
The Case of the Mysterious SharePoint Embedded Containers
Oddly Named SharePoint Embedded Containers Show Up for Copilot Studio
Microsoft 365 tenant administrators can be swamped with message center notifications, reports about service health issues, and automated email generated by Entra ID and other workloads. Other more important things usually get in the way and often no great harm is done. Right now, there are 830 notifications in the message center for my tenant, and probably only 20% of the notifications are what I consider important. For instance, knowing that a new channel update is available for the Office apps isn’t usually a critical event.
In any case, some gems do appear, and it’s important that tenant administrators keep an eye on what’s happening. Let’s discuss an example involving SharePoint Embedded and Copilot Studio to illustrate the point.
The Set of SharePoint Embedded Containers with GUID Names
At first glance, message center notification MC1058260 (last updated 12 May 2025, Microsoft 365 roadmap item 489214), titled “Microsoft 365 Copilot: Admin controls and user file uploads for agent knowledge sources” didn’t seem too worrying. Given Microsoft’s current preoccupation with AI, it’s unsurprising that flood of notifications describing various Copilot enhancements appear weekly. As I don’t use Copilot Studio much, it was easy to assume that a development won’t impact my tenant.
When investigating how Loop workspaces connected to Teams standard channels, I noticed a bunch of strange containers for the Declarative Agent app had appeared in SharePoint Embedded (Figure 1). Some process had created these containers in three batches on April 27 (3:25am), 8 May (1:53am), and 15 May (2:21pm). All the containers appeared to be empty. The only clue was the application name, indicating that the containers are related to some form of agents.
Agents process information from knowledge sources like SharePoint Online sites. MC1058260 explains that users will soon be able to upload up to 20 documents for agents to use as knowledge sources, and when this happens, the uploaded files are stored in “tenant-owned Microsoft SharePoint Embedded (SPE) containers.” MC1058260 goes on to note that “As part of this rollout, we will pre-provision a limited set of SPE containers in your tenant.” The mystery is solved because these containers are the pre-provisioned containers mentioned by MC1058260. I assume that Microsoft creates the containers to make it faster for users to upload documents (because they don’t have to wait for an agent to create a container).
Adding Files as Knowledge Sources for Agents
My tenant ended up with 80 pre-provisioned containers (so far – I have no idea if more provisioning cycles will happen in the future). As far as I can tell, the provisioning operation didn’t generate any audit records. At least, audit log searches for the creation times for the containers turn up nothing of interest.
My tenant doesn’t have 80 agents in use (the number is more like 8), so I assume that the pre-provisioned containers are a pool that agents can use. To test the theory, I edited an agent that I created with Copilot Studio a couple of months ago and added the source Word document for the Automating Microsoft 365 with PowerShell eBook as a knowledge source (Figure 2).
What I expected to happen is an allocation of one of the pre-provisioned containers to the agent and an update to the container name to change it from the GUID used by the pre-provisioning routine to the name of the agent. Updates don’t happen quickly in the SharePoint admin center and site and containers data is usually at least two days behind real time, so I was prepared to wait. However, no change showed up over the next few days.
The Mysterious SharePoint Embedded Containers Disappear
And then, Microsoft hid the pre-provisioned containers. I had chatted to some Microsoft contacts and complained about the mysterious containers, so I guess they acted. In any case, there’s now no trace of the containers and I can’t find out if the updated agent took over a container. And as I don’t know the application identifier for the Declarative Agent app, I can’t use the Get-SPOContainer cmdlet to retrieve any details like the storage consumption (or name) to check if anything had changed in the set of containers.
It’s probably best that Microsoft hides these containers when they are newly created and empty. However, once a container is used by an agent, I think it should show up in the set of active containers displayed in the SharePoint admin center, if only because the storage consumed by the container is charged against the tenant SharePoint Online storage quota. It’s the kind of detail that Microsoft needs to deliver for tenant-wide agent management.
The mystery is solved, and I learned how to add a file as a knowledge source for an agent. Keep an eye on the notifications posted to the message center. You might even learn something too!
Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.
Microsoft opens its first cloud region in Indonesia to unlock the new AI economy
Executive Vice President Cloud & AI Microsoft, Scott Guthrie launches the Indonesia Central cloud region
Baca dalam bahasa Indonesia di sini
Microsoft today announced the opening of its first cloud region in Indonesia, called Indonesia Central. This is an AI-ready hyperscale cloud infrastructure that offers in-country data residency, high levels of security, and lower latency.
The announcement was made during Microsoft’s AI Tour Jakarta, where over 800 decision-makers from leading organizations gathered. Joining the occasion were Coordinating Minister of Infrastructure and Regional Development, Agus Harimurti Yudhoyono, Minister of Communications & Digital Affairs (Komdigi), Meutya Hafid, Minister of Creative Economy, Teuku Rifky, as well as representatives from the Ministry of Investment & Downstreaming (BKPM), and the Coordinating Ministry of Human Development & Culture, among others.
This marks a significant progress towards Microsoft’s investment commitment in Indonesia. With a planned investment of 1.7 billion dollars in the period 2024-2028, the Indonesia Central cloud region will enable businesses from across the world to ideate, develop, and scale digital innovation in Indonesia; positioning the country as a global economic powerhouse.
Microsoft Cloud & AI Executive Vice President Scott Guthrie said, “Indonesia’s vision for AI and digital transformation requires trusted infrastructure as its foundation. With the launch of Indonesia Central cloud region, we are bringing the full power of Microsoft cloud closer to Indonesian innovators – empowering every developer, every organization, and every government institution to innovate locally and scale globally.”
According to IDC’s latest study*, Microsoft, its partners, and cloud-using customers will generate about US$15.2 billion new economic value between 2025 to 2028. The opening of Indonesia Central cloud region is expected to account for 16.5% of it and add more than 106,000 new jobs in the same period.
“The presence of Microsoft’s cloud region in Indonesia reflects two key points: first, a strong confidence in the government’s digital policy direction, which is becoming increasingly consistent, responsive, and open to collaboration; and second, that Indonesia is considered ready to manage advanced technologies such as cloud and AI—not only as a user, but as an active partner in shaping the governance of a sustainable digital ecosystem,” said Meutya Hafid, Minister of Communications and Digital Affairs, representing the President of the Republic of Indonesia Prabowo Subianto, further supported by Agus Harimurti Yudhoyono, Coordinating Minister of Infrastructure and Regional Development.
Bringing world class infrastructure and services to Indonesia
The Indonesia Central cloud region, now live with three availability zones which provides independent power, cooling, and networking for higher availability needs, is built with security and sustainability at its core, including:
- Enterprise-grade stringent security – encompasses physical security, encryption, network protection and access control, as well as hardware and software protections designed to protect sensitive customer and organizational data. The level of security standards and protections in Indonesia Central cloud region is the same with all Microsoft cloud regions worldwide.
- Global connectivity – Integrated into Microsoft’s global wide area network, with high-bandwidth and low-latency access across regions. This enables Indonesian organizations to scale local innovations to the global stage, whilst also enabling global organizations to access the Indonesian market through a streamlined, secure cloud gateway.
- Data residency and compliance – enables customers to store and process data locally, helping meet Indonesian regulatory requirements.
- Sustainable by design – developed to support Microsoft’s global sustainability goals including
- Being carbon negative by 2030, and removing historical emissions by 2050
- Becoming water positive by 2030, replenishing more water than consumed
- Achieving zero waste by 2030, through recycling and responsible resource use
- Protecting more land than we use by 2025 to support environmental conservation.
“For 30 years, Microsoft made it our commitment to empower Indonesia. Today, we take the next step forward by opening the Indonesia Central cloud region, which expands Microsoft’s global network of over 70+ Azure regions worldwide, the most of any cloud provider. This is more than an infrastructure, this is a foundation for national progress,” said Dharma Simorangkir, President Director, Microsoft Indonesia.
The technologies offered at Indonesia Central cloud region are, among others, the most modern services for productivity, data analytics, cybersecurity, computing, and storage. Today, the Indonesia Central cloud region is already available with an extensive set of Microsoft Azure services, with Microsoft 365 Copilot services to be available in the first half of the year, and Microsoft Azure OpenAI Service as well as Microsoft’s stack of business applications to be available later. This will empower organizations to innovate in their industries and move their businesses to the cloud, while enabling them to meet customer data residency, security and compliance needs.
Empowering every person and every organization to innovate in Indonesia
The launch of the Indonesia Central cloud region reflects the growing demand for digital transformation across industries in Indonesia—where organizations are embracing cloud and AI to modernize operations, enhance services, and drive innovation at scale.
To date, more than 100 organizations have onboarded to the Indonesia Central cloud region, including leading names such as Adaro, BCA, Binus University, BUMA, Disprz, Emerson, Home Credit Indonesia, KPP Mining, Manulife, Peloton Computer Enterprises, Pertamina, Petrosea, PT Federal International Finance, PT Kereta Api Indonesia (Persero), PT Pamapersada Nusantara, PT United Tractors Tbk, Siloam Hospitals, Sinarmas Land, SLB (Schlumberger), Telkom Indonesia, TRAC, and Veeam. With local access to hyperscale infrastructure, these organizations can now store and process data within Indonesia while gaining the benefits of Microsoft’s global standards in security, compliance, and performance.
[Left-Right] Executive Vice President Cloud & AI Microsoft, Scott Guthrie, Head of the Center for Information System and Technology, Mochamad Ali Hanafiah, and SVP Pertamina Digital Hub, Ignatius Sigit Pratopo.
Some of Indonesia’s most forward-thinking organizations are already using Microsoft technology to accelerate their transformation:
- Astra International Implements AI-Based Dealer Management System: Astra, one of Indonesia’s largest publicly listed companies with over 300 subsidiaries, joint ventures, and affiliated entities, supported by more than 190,000 employees, has developed an AI-based Dealer Management System to enhance operational efficiency across its motorcycle dealer network. This system is specifically designed to assist frontline staff in managing daily activities, including purchase planning, inventory monitoring, service scheduling, and transaction recording. Built with modern technologies such as Azure Kubernetes Service, Fabric, and Azure OpenAI, and integrated with Microsoft 365 and Copilot, the system enables more structured, responsive, and connected workflows. This innovation not only drives productivity improvements but also strengthens service quality and customer satisfaction at the dealership level.
- Ministry of Finance Aligns Technology Initiatives with Institutional Needs: At the Ministry of Finance, we focus on aligning technology initiatives with institutional needs, ensuring that they deliver tangible benefits to its stakeholders. As we move forward with cloud adoption, regulatory compliance is essential. By addressing latency challenges, cloud technology can open up new opportunities for both government agencies and the private sector.
- Pertamina Embraces AI to Drive Efficiency and Innovation Across Its Business: As the only Indonesian company listed in the Fortune 500, Pertamina is accelerating its digital transformation by integrating advanced data, analytics, and artificial intelligence solutions across the organization. The company is improving operational process and enhancing decision-making in various areas. Pertamina has started to increasingly leverage cloud infrastructure and AI capabilities to support its business modernization efforts. These initiatives aim to improve operational efficiency, encourage innovation, and gradually enhance value delivery across the company’s energy operations.
Realizing commitment to the community
A well-developed digital ecosystem is not just about technological progress—it’s also about creating opportunities for people. Microsoft’s commitment to Indonesia extends beyond infrastructure investments to empowering communities, including skilling opportunities through initiatives like:
- elevAIte: an AI skilling initiative in partnership with the Ministry of Communications and Digital Affairs (Kemkomdigi) to equip 1 million Indonesian talents by 2025. A total of 22 entities across government, industry, education, and communities have been onboarded into this initiative, ensuring inclusive AI training across Indonesia.
- Nusantara Data Center Academy: a vocational datacenter skills initiative for workforce development. A total of 65 students have been part of this initiative, with 20 of them undergoing on-the-job training in various datacenters while 45 are in in-class training.
- Community Empowerment Fund: partnering with ChangeX, this initiative enables schools surrounding our datacenters to provide hardware and training for their students and teachers in order to upskill them in digital skills. Through community empowerment funds, schools are able to improve their infrastructure and provide better learning environment for the students. Our funds currently benefit approximately 3,200 students and teachers in Cikarang and Karawang area.
At the Microsoft AI Tour in Jakarta, Microsoft also shared plans to support the next phase of Indonesia’s AI transformation through the exploration of an AI Center of Excellence. This early-stage initiative aims to bring together stakeholders from across sectors to accelerate AI adoption, foster innovation, and co-develop real-world solutions that align with national priorities. The effort builds on Microsoft’s broader investment in Indonesia’s digital future, including a US$1.7 billion commitment to cloud and AI infrastructure, and programs such as elevAIte Indonesia.
These initiatives ensure that Indonesia’s growing cloud and AI ecosystem is matched by a future-ready, skilled workforce – unlocking opportunities for all.
Looking Ahead
With the launch of the Indonesia Central cloud region, Microsoft is strengthening its three-decade partnership with Indonesia by enabling inclusive digital and AI transformation. From secure, sustainable infrastructure to bold investments in people and talent, Microsoft is committed to support Indonesia’s vision of becoming a global leader in the AI economy.
###
*IDC Info Snapshot, sponsored by Microsoft, The Microsoft Cloud Dividend Snapshot: Indonesia, Doc. #US52734024, March 2025
