Recent Blogs
A video format is available for watching.
Prerequisites
- An Azure account with sufficient permissions to create resources.
- Terraform installed on your local machine.
Infrastructure Pr...
Apr 20, 2026
Strong authentication controls like MFA significantly reduce account compromise — but they don’t eliminate the risk of password exposure. In many organizations, users still interact with legacy syst...
Apr 20, 2026
As Microsoft Purview deployments mature, many organisations encounter the same scaling challenge: how do you decentralize operations without fragmenting governance or losing visibility? Administrativ...
Apr 17, 2026
6 MIN READ
Azure Activity Logs provide strong visibility into resource lifecycle operations across a subscription. Among these are lifecycle events related to Azure Public IP addresses, including creation and d...
Apr 17, 2026Recent Discussions
Microsoft Purview PowerShell: Interactive Sign-In Basics + Fixing Common Connect-IPPSSession Errors
If you’re new to Microsoft Purview PowerShell and your interactive sign-in fails when you run Connect-IPPSSession, you’re not alone. In this post, I’ll walk through the quick setup (module install + connection) and then cover practical fixes for a common authentication failure: “A window handle must be configured” (WAM / MSAL window handle error). Once connected, you can run Purview-related cmdlets for tasks like working with sensitivity labels, DLP policies, eDiscovery, and other compliance operations (depending on your permissions). Step 1: Install the Exchange Online PowerShell module Install-Module ExchangeOnlineManagement Import-Module ExchangeOnlineManagement Step 2: Connect to Microsoft Purview (Security & Compliance) PowerShell For interactive sign-in, you can start with the standard connection pattern below (replace the placeholder with your User Principal Name) Common issue: Interactive sign-in fails with a WAM “window handle” error The ExchangeOnlineManagement module uses modern authentication. In some hosts/environments, the sign-in UI can’t attach to a parent window, so token acquisition fails and you may see the error below. This is commonly associated with WAM (Web Account Manager) / MSAL interactive sign-in. Error Acquiring Token: A window handle must be configured. See https://aka.ms/msal-net-wam#parent-window-handles A window handle must be configured. See https://aka.ms/msal-net-wam#parent-window-handles At C:\Program Files\WindowsPowerShell\Modules\ExchangeOnlineManagement\3.9.2\netFramework\ExchangeOnlineManagement.psm1:591 char:21 + throw $_.Exception.InnerException; + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : OperationStopped: (:) [], MsalClientException + FullyQualifiedErrorId : A window handle must be configured. See https://aka.ms/msal-net-wam#parent-window-handles You’ll often hit this on secured devices, PowerShell ISE, or hardened corporate images. Below are two solutions to bypass this error. Start with the recommended option first. 1. Recommended workaround: Use Get-Credential without disabling WAM This approach avoids the WAM-based interactive prompt. You’ll be asked for credentials via a standard PowerShell credential dialog, and the module will complete modern authentication. $cred = Get-Credential Connect-IPPSSession -Credential $cred A credential prompt appears: Enter your username and password. After authentication, you should be connected to the Security & Compliance (Microsoft Purview) PowerShell session. As a quick validation, try a lightweight cmdlet such as Get-Label or Get-DlpCompliancePolicy (availability depends on permissions). If this works in your environment, it’s a simple way to proceed without changing system-wide WAM behavior. 2. Alternative workaround: Disable WAM for the session (use with caution) If the interactive UI is failing, you can try disabling WAM. Newer versions of the ExchangeOnlineManagement module support a -DisableWAM switch on the connection cmdlets, which bypasses the WAM broker and can avoid the “window handle” failure. Connect-IPPSSession -UserPrincipalName <yourUPN> -DisableWAM If you can’t use -DisableWAM or if it is not working as expected (or you’re troubleshooting a specific host issue), some admins set an environment variable to disable WAM for MSAL using the commands below. Treat this as a temporary troubleshooting step and follow your organization’s security guidance. $env:MSAL_DISABLE_WAM = "1" setx MSAL_DISABLE_WAM 1 Important warning! Changing authentication/broker behavior can have security and supportability implications. Use this only for troubleshooting and revert when you’re done using the following commands. $env:MSAL_DISABLE_WAM = "0" setx MSAL_DISABLE_WAM 0 Quick summary If you’re scripting for Microsoft Purview and interactive sign-in fails due to the WAM “window handle” error, try the sequence below. Install-Module ExchangeOnlineManagement Import-Module ExchangeOnlineManagement $cred = Get-Credential Connect-IPPSSession -Credential $cred Hope this helps! If you’ve hit this in a specific host (PowerShell ISE vs Windows PowerShell vs PowerShell 7, RDP/jump box, etc.), share what worked for you in the comments. Thanks for reading. Happy Scripting! Reference: Connect to Security & Compliance PowerShell | Microsoft LearnMicrosoft Defender VPN - Android Auto Communication error 21
Hi, Using Microsoft Defender for Endpoint VPN (com.microsoft.scmx) has caused connection issues with Android Auto, (See attached image) and users cannot get it to load. The only way it seems to get this to work is to turn off the VPN which we do not want to do as its an intuned corporate device which we want to have VPN always working on the device for security reasons. Has anyone got any solution? Users receive the following error: Communication error 21 - Being connected to a VPN may prevent Android Auto from starting. If you're using a VPN, turn it off and try reconnecting to Android Auto. Thanks, Mark
Microsoft 365 Copilot not showing up as location in DLP
Hi, I am working on implementing security measures for Microsoft Copilot in a client environment. I want to create a DLP policy to not process data with certain sensitivity labels but when I go into DLP to create the policy, the location for Microsoft 365 Copilot is not an option. I also noticed that the "Fabric and Power BI workspaces: location is also not available. I have checked other similar client M365 tenants, and both of these locations are available by default. Any insight would be appreciated.Sentinel RBAC in the Unified portal: who has activated Unified RBAC, and how did it go?
Following the RSAC 2026 announcements last month, I have been working through the full permission picture for the Unified portal and wanted to open a discussion here given how much has shifted in a short period. A quick framing of where things stand. The baseline is still that Azure RBAC carries across for Sentinel SIEM access when you onboard, no changes required. But there are now two significant additions in public preview: Unified RBAC for Sentinel SIEM itself (extending the Defender Unified RBAC model to cover Sentinel directly), and a new Defender-native GDAP model for non-CSP organisations managing delegated access across tenants. The GDAP piece in particular is worth discussing carefully, because I want to be precise about what has and has not changed. The existing limitation from Microsoft's onboarding documentation, that GDAP with Azure Lighthouse is not supported for Sentinel data in the Defender portal, has not changed. What is new is a separate, Defender-portal-native GDAP mechanism announced at RSAC, which is a different thing. These are not the same capability. If you were using Entra B2B as the interim path based on earlier guidance, that guidance was correct and that path remains the generally available option today. A few things I would genuinely like to hear from practitioners: For those who have activated Unified RBAC for a Sentinel workspace in the Defender portal: what did the migration from Azure RBAC roles look like in practice? Did the import function bring roles across cleanly, or did you find gaps particularly around custom roles? For environments using Playbook Operator, Automation Contributor, or Workbook Contributor role assignments: how are you handling the fact those three roles are not yet in Unified RBAC and still require Azure portal management? Is the dual-management posture creating operational friction? For MSSPs evaluating the new Defender-native GDAP model against their existing Entra B2B setup: what factors are driving the decision either way at your scale? Writing this up as Part 3 of the migration series and the community experience here is directly useful for making sure the practitioner angle is grounded.
Purview DLP Behaviours in SharePoint and OneDrive
We are currently testing Microsoft Purview DLP policies for user awareness across SharePoint Online, and OneDrive. The policy is configured such that sensitive information (based on a sensitivity label-OFFICIAL Sensitive) shared externally triggers a policy tip, with override allowed (justification options enabled) and no blocking action configured. In SharePoint Online and OneDrive, users are not experiencing any DLP-related behaviour. When attempting to share labelled content externally: No policy tips are displayed No override prompts are presented No indication of DLP enforcement is shown Users are able to share content externally without any awareness prompt or restriction. Expected behaviour: Users should receive a policy tip during the sharing process Users should be prompted for justification when overriding, aligned with the DLP configuration Has anyone observed similar behaviour with DLP in SharePoint Online and OneDrive, particularly in scenarios where no blocking action is configured? Keen to understand if this is expected behaviour, a known limitation, or if there are any configuration considerations or workarounds to achieve a consistent user experience across workloads.Purview Integration during Merger and Acquisitions
a { text-decoration: none; color: #464feb; } tr th, tr td { border: 1px solid #e6e6e6; } tr th { background-color: #f5f5f5; } Hello, We are currently in the process of merging with two other organizations and are looking to integrate our Microsoft Purview environments. All three organizations have different sensitivity labeling schemes, and we would like guidance on the best approach to achieve a unified labeling strategy across the merged organization. Specifically, should we create a new, common set of sensitivity labels for the combined organization and plan a phased transition for users? One of the organizations already has the majority of its documents labeled, so maintaining those existing labels during the merger is a key concern. We are also looking for best practices to ensure that existing labels are preserved when the two additional organizations are onboarded into Purview, while still moving toward a consistent, unified labeling framework. Any suggestions or if any one had already been a part of such a merger, please share your experienceSensitivity Labels and CoPilot - "No AI"
As a Purview Administrator, I recently received a request that might resonate with many of you: add a “No AI” designation to every sublabel we have. Why? Because our contracts and EULAs explicitly state that certain documents must not be used with AI tools. This raises an important question: What’s the best way to implement this without creating unnecessary complexity? The Challenge If we simply append “NoAI” to every existing label and sublabel, we end up duplicating our entire labeling structure. For example, if you follow Microsoft’s guidance on default sensitivity labels and policies, doing this “times two” for every label and sublabel is clearly not scalable. How do you deploy it? Best regards Stephan
Adaptive Scopes
I'm setting up adaptive scopes in MS Purview for data retention testing, focusing on Entra groups. However, when I create a test adaptive scope using the 365 groups scope and add a query with the group's display name, it doesn't populate. Some scopes are over 7 days old, despite MS stating it can take up to 3 days for queries to sync. Does anyone have a better method for creating adaptive scopes for Entra groups?
Feature Request: Extend Security Copilot inclusion (M365 E5) to M365 A5 Education tenants
Background At Ignite 2025, Microsoft announced that Security Copilot is included for all Microsoft 365 E5 customers, with a phased rollout starting November 18, 2025. This is a significant step forward for security operations. The gap Microsoft 365 A5 for Education is the academic equivalent of E5 — it includes the same core security stack: Microsoft Defender, Entra, Intune, and Purview. However, the Security Copilot inclusion explicitly covers only commercial E5 customers. There is no public roadmap or timeline for extending this benefit to A5 education tenants. Why this matters Education institutions face the same cybersecurity threats as commercial organizations — often with fewer dedicated security resources. The A5 license was positioned as the premium security offering for education. Excluding it from Security Copilot inclusion creates an inequity between commercial and education customers holding functionally equivalent license tiers. Request We would like Microsoft to: Confirm whether Security Copilot inclusion will be extended to M365 A5 Education tenants If yes, provide an indicative timeline If no, clarify the rationale and what alternative paths exist for education customers Are other EDU admins in the same situation? Would appreciate any upvotes or comments to help raise visibility with the product team.
MFA Options for Employees without Phones
Hello everbody, we're currently trying to implement MFA in our company, but approximately 1/10 of our employees have a workphone and are not allowed to use their personal phone. Since we also recently introduced Intune, the idea was to just use Windows Hello for Business, but when trying to provision it, we realized that you need to have MFA active for an account to be able to even activate it? Which kinda defeats the purpose. So my question is, is there some way to circumvent the MFA requirement for WHfB? Or what other options do we realistically have? Thanks in Advance!
Shared capabilities
I am writing my thesis about Microsoft Purview. And something is not very clear to me about the shared capabilities. So I know Microsoft has the platform and the product shared capabilities. The platform shared capabilities are the foundation for Purview. Like audit logs and retention labels etc. The product shared capabilities are products as Adaptive Protection and OCR. There is a lot information about the product shared capabilities on learn.microsoft.com. But is there anything I can find about the platform shared capabilities like a blogpost or a webinar?
Blocking User Mode Installation
Hi Experts, I have a Hybrid Azure AD Join environment with all Windows devices enrolled in Intune. I have removed Domain Users from the local Administrators group on all devices via an on-premises Group Policy from the Domain Controller (Restricted Groups / Local Admin configuration). But what I observe is users are still able to install application in user move no elevation, how can I block this so that when get get a prompt only IT team can enter their credentials which will allow install. Currently apps are being installed in Appdata folder under user profile. Thanks"Security Operations Admin User" Predefined Critical Asset classification
In our XDR instance, the new "Security Operations Admin User" predefined Critical Asset classification (introduced last month) contains a few non-privileged users. I can't figure out by what logic they were added to this classification. It seems that the users may be using laptops that are classified as "Security Operations Admin Devices," but I can't figure out why those devices are grouped that way, either. If it were a matter of an IT user logging onto one of the machines for support, there would inevitably a lot MORE users and devices in these groups. Does anyone know what kind of activity Microsoft uses to classify users and devices as "security operations admins?"
DLP Policy - DSPM Block sensitive info from AI sites
Having issues with this DLP policy not being triggered to block specific SITs from being pasted into ChatGPT, Google Gemine, etc. Spent several hours troubleshooting this issue on Windows 11 VM running in Parallels Desktop. Testing was done in Edge. Troubleshooting\testing done: Built Endpoint DLP policy scoped to Devices and confirmed device is onboarded/visible in Activity Explorer. Created/edited DLP rule to remove sensitivity label dependency and use SIT-based conditions (Credit Card, ABA, SSN, etc.). Set Paste to supported browsers = Block and Upload to restricted cloud service domains = Block in the same rule. Configured Sensitive service domain restrictions and tested priority/order (moved policy/rule to top). Created Sensitive service domain group for AI sites; corrected entries to hostname + prefix wildcard a format (e.g., chatgpt.com + *.chatgpt.com) after wildcard/URL-format constraints were discovered. Validated Target domain = chatgpt.com in Activity Explorer for paste events. Tested multiple SIT payloads (credit card numbers with/without context) and confirmed detection occurs. Confirmed paste events consistently show: Policy = Default Policy, Rule = JIT Fallback Allow Rule, Other matches = 0, Enforcement = Allow (meaning configured rules are not matching the PastedToBrowser activity). Verified Upload enforcement works: “DLP rule matched” events show Block for file upload to ChatGPT/LLM site group—proves domain scoping and endpoint enforcement works for upload. Disabled JIT and retested; paste events still fall back to JIT Fallback Allow Rule with JIT triggered = false. Verified Defender platform prerequisites: AMServiceVersion (Antimalware Client) = 4.18.26020.6 (meets/exceeds requirements).
Microsoft Defender doesn't, Spy hunter shows a Hijacker
Spy Hunter indicates a "Elex Hijacker" and three other problems were as Defender and McAfee do not show any problem. Is Spy Hunter legitimate? I did have a Search engine redirect problem that has a name "ext.ladispatcher.com" and "search-load.com" while using Chrome browser with Chrome search engine. But no problem with Microsoft Edge and Bing. My monitor screen occasionally momentary collapses and reverts back to normal in a split second. Could there be a connection to malware.? Please let me know if i am posting on the wrong site.Myapplications.microsoft.com and managing applications
We have begun testing the new Myapplications.microsoft.com site. One thing we have noticed is the inability to manage the users who have access to an enterprise application. In the older MyApps site, a delegated user listed within the self-service properties of an enterprise application, could manage and invite guest users (if they have been added to the Guest Inviter role) to their application. However, when trying to do the same thing on Myapplications.microsoft.com brings up the following message on the Permissions and Accounts tab: "This app does not have any accounts." Has anyone else experienced this issue? We currently have Azure AD P1.Microsoft Authenticator help
keep getting Microsoft Authenticator attempts on my Hotmail account every 15 mins or so from an overseas location that im not aware of. I have changed my password, however im still getting attempts. I deny the request every time, and when i look at security section under my account > view my sign-in activity. it doesn't appear here .Copilot Studio Auditing
Hey team, While I'm doing research around copilot studio audting and logging, I did noticed few descripencies. This is an arcticle that descibes audting in Microsoft copilot. https://learn.microsoft.com/en-us/microsoft-copilot-studio/admin-logging-copilot-studio?utm_source=chatgpt.com I did few simualtions on copilot studio in my test tenant, I don't see few operations generated which are mentioned in the article. For Example: For updating authentication details, it generated "BotUpdateOperation-BotIconUpdate" event. Ideally it should have generated "BotUpdateOperation-BotAuthUpdate" I did expected different operations for Instructions, tools and knowledge update, I believe all these are currently covered under "BotComponentUpdate". Any security experts suggestion/thoughts on this?
Events
in 1 day
Accidental changes and security compromises can quickly cascade across your tenant. Learn how to recover with confidence using Microsoft Entra Backup and Recovery.
Tune in to see how this Microsof...
Online
Purview Lightning Talks Join the Microsoft Security Community for Purview Lightning Talks; quick technical sessions delivered by the community, for the community.
You’ll pick up practical Pu...
Online