User Profile
TonyRedmond
MVP
Joined 10 years ago
Recent Discussions
Allowing Users to Add Enterprise Apps to Entra ID is a Bad Idea
Enterprise apps can come from a variety of sources. Most are Microsoft 1st party apps, and the rest are ISV apps. It’s easy to add an app without really intending to, which is a good reason to force users through the Entra ID app consent workflow when they want to add an app. Unhappily, I failed the test and added an app in a moment of weakness. Here’s what happened.
https://office365itpros.com/2025/10/24/enterprise-apps-my-mistake/
21 Views, 0 likes, 0 Comments

Updating the Entra ID Password Protection Policy with the Microsoft Graph PowerShell SDK
The Entra ID password protection policy contains settings that affect how tenants deal with passwords. Entra ID includes a default policy that doesn’t require additional licenses. Creating a custom password protection policy requires tenant users to have Entra P1 licenses. As explained in this article, once the licensing issue is solved, it’s easy to update the policy settings with PowerShell.
https://office365itpros.com/2025/10/23/password-protection-policy-ps/
14 Views, 0 likes, 0 Comments

Important Change Coming for Entra ID Passkeys in November 2025
Entra ID is about to introduce passkey profiles, a more granular approach to passkey settings. The change is good, but you might like to check the current passkey settings to make sure that the values inherited by the new default passkey profile behave the way that you want. In particular, check attestation enforcement to make sure that the right kind of passkeys are used.
https://office365itpros.com/2025/10/22/passkey-setting-policy/
32 Views, 0 likes, 0 Comments

Re: Automating Microsoft 365 with PowerShell Second Edition
Automating Microsoft 365 with PowerShell November 2025 Update
The November 2025 update for the Automating Microsoft 365 with PowerShell eBook is available online. Subscribers can download the new PDF and EPUB files from their Gumroad account. As always, the update features a mixture of new and updated information, some corrections, and removal of obsolete information. Look no further for guidance for using PowerShell with the Graph APIs to interact with Microsoft 365 data!
https://office365itpros.com/2025/10/21/automating-microsoft-365-with-powershell17/
11 Views, 0 likes, 0 Comments

Practical Graph: Creating a Multi-Workload User Activity Report
Microsoft 365 comes with many usage report APIs covering different workloads. This article explains how to use PowerShell to extract usage data for multiple workloads to combine together to create a holistic view of user account activity within a Microsoft 365 tenant.
https://practical365.com/holistic-usage-report/
19 Views, 0 likes, 0 Comments

New Audio-Only Recording Option for Teams Meetings
A new audio-only recording option for Teams meetings suppresses the video feed from meeting participants to generate the MP4 file for the meeting recording. The idea is to better preserve user privacy during recording playbacks. Few will miss the video stream because the audio is usually more important. The audio is also the basis for the meeting transcript, and that leads to AI-generated outputs like meeting summaries and action items.
https://office365itpros.com/2025/10/20/audio-only-recording-teams/
145 Views, 0 likes, 2 Comments

Outlook Gets AI Drafting of Meeting Agendas
Agenda auto-draft is a new feature for OWA and the new Outlook to help meeting organizers create a draft meeting agenda using AI. The Copilot-generated draft agenda contains an introduction and some bullet points created from the meeting subject. It’s not a make-or-break feature for Microsoft 365 Copilot. Some will like it, if they discover how to use agenda auto-draft.
https://office365itpros.com/2025/10/17/agenda-auto-draft/
33 Views, 0 likes, 0 Comments

Using the Secret Management PowerShell Module with Azure Key Vault and Azure Automation
If you can't use managed identities, credential resources are a way to manage username and password credentials for Azure Automation runbooks. The Secret Management module is an alternative, and it’s a good option to manage credentials that are shared between interactive scripts and automation runbooks. This article describes how to use the Secret Management PowerShell module to fetch credentials stored in Azure Key Vault for use in an automation runbook.
https://office365itpros.com/2025/10/16/secret-management-azure-automation/
13 Views, 0 likes, 0 Comments

The My Sign-Ins Portal, Applications, and Conditional Access
A recent change has exposed the applications used by the My Sign-ins portal for use in conditional access policies. This article discusses the app-centric nature of Microsoft 365 and Entra ID and why it’s important that the newly-revealed set of applications are available for conditional access processing, just in case the Entra ID agents planned by Microsoft can’t optimize your policies.
https://office365itpros.com/2025/10/15/my-sign-ins-portal/
35 Views, 0 likes, 0 Comments

Changing the Offline Access Period for Sensitivity Labels
One of the settings for sensitivity labels governs how long items protected by a label remain accessible (including offline access) before reauthentication. The default is 30 days, which is a good balance between security and avoiding users having to constantly reauthenticate to open protected messages and files. If necessary, tenant administrators can change the validity period to be anything from 0 to 65535 days.
https://office365itpros.com/2025/10/14/offline-access-validity-period/
14 Views, 0 likes, 0 Comments

Re: External people can't open files with Sensitivity Label encryption.
Thinking about this again. The label encrypts content using the special any authenticated user group. The label is applied to documents that are attached to emails (which means that the messages are also protected by the label). The messages are sent to external users in other Microsoft 365 tenants. Users with guest accounts in your tenant can open and access the message and attachments. Users without guest accounts cannot. https://learn.microsoft.com/en-us/purview/encryption-sensitivity-labels#requirements-and-limitations-for-add-any-authenticated-users emphasizes that the application being used to open the encrypted items "must support be able to support the authentication being used". Up to now, I assumed that the applications are OWA or Outlook (any recent build of classic, new, or mobile) because these definitely support the necessary authentication. Is this the case? If it is, send a test encrypted message to Michelle.Best AT O365Maestro.onmicrosoft.com to see if it arrives there successfully. This is a brand-new account in a test Microsoft 365 tenant configured for sensitivity labels where I know that the clients can successfully read and send encrypted email and documents.
8 Views, 0 likes, 0 Comments

Creating a Comprehensive Inactive Guest Account Report
Many examples of how to report inactive Entra ID guest accounts with PowerShell are available on the internet, but they're all flawed because they make decisions based on the last sign in. That's a shortsighted method because it doesn't take guest activity into account. This article explains how to combine audit data with sign-in data to create an enhanced view of guest account activity so that intelligent decisions can be made to keep or retain the accounts.
https://practical365.com/inactive-guest-account-report/

ChatGPT Enterprise Connects to SharePoint Online
OpenAI has launched a ChatGPT enterprise SharePoint Connector that allows organizations to synchronize files from SharePoint Online to ChatGPT. I could never understand why Microsoft 365 tenants allowed users to upload individual files from SharePoint or OneDrive to ChatGPT for processing. Using a connector to synchronize entire sites to ChatGPT makes even less sense, especially from a compliance perspective. I must be missing something!
https://office365itpros.com/2025/10/13/sharepoint-connector-chatgpt/
52 Views, 0 likes, 0 Comments

Microsoft 365 Copilot Usage Report API General Availability
The Copilot usage report Graph API is now generally available. Like the report APIs for the other workloads, the Copilot usage API helps to understand usage of some very expensive licenses. Even better, the usage data can be combined with data from other Microsoft 365 sources to produce interesting and valuable insights. All it takes is some PowerShell to knit everything together.
https://office365itpros.com/2025/10/10/copilot-usage-report-api-ga/

Re: External people can't open files with Sensitivity Label encryption.
I really don't know what to say. I cannot see your tenant settings so don't know what might be happening. Microsoft support can check things out, which is a good reason to get them involved. As another test, I sent a protected email to a new contact in Microsoft. I have many guests from Microsoft in my tenant, but this wasn't one. He was able to open and read the email, and was perplexed because he couldn't reply to it due to access rights kicking in...
9 Views, 0 likes, 0 Comments

Re: External people can't open files with Sensitivity Label encryption.
Just for luck, I asked Copilot about the issue. Here's what the AI says:

In Microsoft Purview (formerly part of Microsoft Information Protection), the "All authenticated users" access right for sensitivity labels refers to granting access to any user who has successfully signed in to a Microsoft 365 tenant—not just users within your organization.

Here's what it means in practice:
✅ Includes: All users with a valid Microsoft 365 account (Azure AD authenticated), including external users if they are invited and authenticated.
❌ Does not include: Anonymous or guest users who haven't signed in.

Implications for Sensitivity Labels:
If a sensitivity label is configured to allow access to "All authenticated users," then:
- Anyone who can authenticate with Microsoft 365 (including external collaborators) can access the content protected by that label.
- It's not restricted to your organization unless you explicitly scope it to internal users.
- This setting is often used for broad sharing scenarios, like documents meant for partners or cross-tenant collaboration.
22 Views, 1 like, 2 Comments

Exchange 2016 and 2019 End of Life and Some Interesting Exchange Online Developments
On Oct 14, 2025, Exchange 2019 and 2016 reach end-of-life and Exchange SE becomes the only supported on-premises Exchange server. In other news, we discuss Microsoft guidance for moving to cloud first identity, HVE and ECS and the extension of basic authentication support to September 2028, the introduction of auto-archiving for Exchange Online, and why Microsoft is deprecating the Contact object from Exchange Online.
https://office365itpros.com/2025/10/09/exchange-se-news/
73 Views, 0 likes, 0 Comments

Re: External people can't open files with Sensitivity Label encryption.
I tested again with a brand-new account that is absolutely not a guest in my tenant... and the message showed up just fine. I'll try with another account in a tenant that I don't own to see what happens there.
9 Views, 0 likes, 1 Comment