admin
1437 Topics

Primer: How to Use RBAC for Applications to Control App Use of the Mail.Send Permission
The temptation to use the Mail.Send application permission in scripts can lead PowerShell developers into trouble because the permission allows access to all mailboxes, including sensitive executive and financial mailboxes. Fortunately, RBAC for Applications allows tenants to control the access that apps have to mailboxes and other Exchange content. All explained here with an example script to test RBAC of Applications.
https://office365itpros.com/2026/02/17/mail-send-rbac-for-applications/
50 Views, 2 likes, 4 Comments

Cross tenant migration tools : New MS solution compared to Migration Wiz?
Hi, I'm looking for information about advantages and limitations between the new Microsoft Cross Tenant migration solution (Preview) and "Migration Wiz". The Microsoft solution looks more limited and doesn't seem to have Free/busy sync. What are the returns for those who did use the MS cross tenant solution? Thanks,
1.5K Views, 0 likes, 4 Comments

Microsoft Unified Tenant Configuration Management
Unified Tenant Configuration Management (UTCM) is a new tenant configuration management solution that can monitor changes to over 300 resource types found within Microsoft 365 tenants. Currently accessible via Microsoft Graph beta APIs to all tenants, UTCM offers an alternative to Microsoft DSC and third-party configuration management products. No details are available yet about an admin UX, licensing, or availability.
https://office365itpros.com/2026/02/03/utcm-beta/
557 Views, 0 likes, 1 Comment

Outlook Classic for M365 - File > Encrypt > 'Encrypt-Only' option applies 'Do Not Forward' label?
I recently joined a new company and am helping support their M365 tenant and admin duties. I'm running into a very weird issue where no recipients can actually read/view the message when we encrypt emails using only 1 specific method (our organization largely uses the Outlook Classic for Microsoft 365 desktop app).

If a user follows this method, for some reason the 'Do Not Forward' label is applied to the encryption, despite specifically selecting 'Encrypt-Only' - it defaults to 'Do Not Forward' every single time:

New Email > File > Encrypt > Encrypt-Only

Sending emails with this method gives any/all recipients a "You don't have sufficient permissions to open the mail." regardless of where they try to open the email (OWA, Outlook Classic, New Outlook).

Yet, if the user tries this other method below, the proper Encrypt-Only label is applied, and any Outlook client immediately opens/views the email as you'd expect:

New Email > Options ribbon > Encrypt properly applies the Encrypt-Only label

I verified IRM (Identity Rights Management) is enabled for our tenant: And encryption tests pass with flying colors:

Ultimately, I'm at a loss for what's going on here and specifically where to check to fix this issue for this 1 specific encryption method. Poking around in the Purview portal, I'm having a hard time figuring out where these encryption policies/settings lie and how to get this method to stop defaulting to 'Do Not Forward' even though 'Encrypt-Only' is checked.
Solved, 563 Views, 2 likes, 5 Comments

A Method to track current and upcoming changes to M365 Products
Good evening (from Ireland at least), I've spent most of today traipsing down a variety of dead-ends and soon-to-be-discontinued features looking to create a useful location where I can find/send all new updates to products that I can peruse and ultimately highlight ones that may be of particular importance in my organisation. I've had a long chat with Copilot today and while I've made significant progress in some areas (had upwards of 30 great questions according to Copilot! ;P), when it comes to the final product, there's always some missing connector, or some RSS feed that is no longer supported. What I'm looking for here is any input on how you manage to stay ahead of changes and I'll share everything I'm doing and have learned as well, in the hope that the discussion is somewhat mutually beneficial.

What I do:

Message Centre: Manually check the Message Center (under Service Health in M365 Admin Center). You can sort by product here and by relevance which is quite handy. Link: https://admin.cloud.microsoft/?#/MessageCenter (Access to the M365 Admin Center on your tenant is required for this). Today I found out you can also send emails to yourself (and Teams channels) here so awaiting the next message to see if this has worked. Unfortunately, there doesn't seem to be a way of migrating past messages over so I'll have to go through these myself first.

Road Maps: These have been the bane of my day. Currently, I actively check the road maps of the products I manage but going forward, I'd like to be able to track major changes to products used in my organisation so I can give users a heads up. I initially tried Power Automate to send updates to myself, however, it's not a feature widely used in our org yet and isn't well supported, so I wasn't too surprised when my efforts were blocked by existing policy. Not long after, I found RSS feeds, which seemed to be the answer to my problems.
I created RSS Feeds for each of the Road Maps that I found useful, assured by Copilot that these would work. The assurance wasn't well founded however as, true to form, once I showed Copilot my errors, they remembered that they were there all along! :') I'm yet to find a useful solution here beyond my current efforts so any assistance would be greatly appreciated.

Community Blogs: The final recommendation was these Community Blog posts which, to be fair, I've had immense success with to date. However, there is a slight issue with filtering. While I did finally get the RSS Feed to work on something (the Tech Comm M365 RSS Feed), it did then proceed to send me a mass of emails on every topic under the Sun & Moon. I've decided to return to the drawing board tomorrow with this, but I'm content in knowing that RSS isn't just a myth at least. I think what I'd like here is just to receive notifications when approved Blogs are posted (i.e., Monthly OneDrive Updates and the equivalent for other products).

OneDrive Office Hours: This is a fantastic resource I do use every month as it gives you the opportunity to get in contact with the people who know the most about the product and the issues you're facing. I've spent weeks in a ticket before, only to raise it in one of these meetings and get a solution that took half an hour to set up. You'll get a yes or a no, but at least you'll have an answer.

Copilot Chat: I don't have the full Copilot license because I haven't had a need for it yet. Everything I've wanted to do, I've been able to do in Copilot Chat. We haven't yet looked too much into Agents, and as a Public body, aren't going to rush into it until we know it's viable and can be supported. In the interim, I'm happy to test the waters with Copilot Chat asking it for Monthly Summaries on a variety of products, time frames, etc. It isn't perfect but it's faster than I am. It can find the sources for me and I can take it from there.
As an organisation, we'll be pushing out all users on the most recent version (-1) on the Monthly Enterprise Channel. This means that they'll be supported whilst also being shielded from any brand new features. Our team will be on the most recent version and will be able to note any upcoming changes ahead of time.

These are what I'm using so far but would be very grateful for any further input.

Thanks in advance,
Chris Martin
240 Views, 0 likes, 2 Comments

schedule recurring Out of Office
Hi All, I want to schedule a recurring out of office every day. I have a shared mailbox and I want to set out of office for the shared mailbox for every email which is received from 9PM to 6AM, as the users who have access to this shared mailbox work from 6AM to 9PM. Is this possible to set on Exchange, as OWA is disabled in my environment? Please guide me on this.
Solved, 6.9K Views, 1 like, 3 Comments

Automating CRUD operations in MS Places
Hi, has anyone been able to automate CRUD operations in MS Places yet, given that the Places API calls currently support user access tokens only and Application access tokens aren't yet supported? We were able to do Get operations using App tokens, but when we run anything to modify, for example creating a building using the Set-Placev3 cmdlet, it gives an error. When we raised an MS ticket, they confirmed that the calls don't support application tokens yet. We have a showstopper kind of situation.
35 Views, 0 likes, 0 Comments

Tenant Migration
Our parent company wants to migrate us to their O365 tenant. We would keep our Brand and domain name, but the goal of the tenant move is:
- to allow people to work seamlessly in Teams (currently, we need to Switch orgs to access our parent company Team sites) to chat, share files
- to allow seamless interaction with Outlook (free/busy, calendar access)
- seamless access to SharePoint sites across orgs

So far, we have been using Guest Accounts to access their Teams or SharePoint sites.

Challenges on our end:
- we have an on-prem AD synchronizing to Azure AD and our own set of conditional policies and SSO applications for many SaaS tools. The parent company is looking at migrating our AD domain to their AD as a sub-domain
- we have enrolled our laptops to Intune/Autopilot using Azure AD Join (no hybrid join)
- we have Azure File shares joined to AD using NTFS permissions

When migrating to another tenant, at which stage should the AD migration happen? Can we keep administering our domain once the migration is done (Mail flow rules, policies, Intune,...)? Is the migration possible at all in this scenario or would a domain name change be required?
1.7K Views, 0 likes, 3 Comments