Does Rights Management Service currently support MFA claims from EAM?
We've been testing EAM (external authentication methods) for a few months now as we try to move our Duo configuration away from CA custom controls. I noticed today that when my Outlook (classic) client would not correctly authenticate to Rights Management Service to decrypt OME-protected emails from another org. It tries to open the message, fails to connect to RMS, and opens a copy of the email with the "click here to read the message" spiel. It then throws a "something is wrong with your account" warning in the Outlook client's top right corner. If I try to manually authenticate & let it redirect to Duo's EAM endpoint, it simply fails with an HTTP 400 error. When you close that error, it then presents another error of "No Network Connection. Please check your network settings and try again. [2603]". I can close/reopen Outlook and that warning message in the top right stays suppresses unless I attempt signing into RMS all over again. However.. If I do the same thing and instead use an alternate MFA method (MS Authenticator, for example), it signs in perfectly fine and will decrypt those OME-protected emails on the fly in the Outlook client, as expected. I verified that we excluded "aadrm.com" from SSL inspection and that we're not breaking certificate pinning. So all I can assume at the moment is that Rights Management Service isn't honoring MFA claims from EAM. Any experience/thoughts on this? Thanks in advance!
Two different Delete-Only Retention Policies for Microsoft Teams chat
I have created two different delete-only retention policies for Microsoft Teams chat. Four of us use a 90-day deletion policy and the rest of our staff use a 30-day deletion policy. My question is: If I am using the 90-day policy and I chat with someone who uses the 30-day policy, will my chats remain visible for 90 days and theirs for 30? Or will the most restrictive policy take over and delete the chats from both sides after 30 days?
Please tell me how to disable the Pin Copilot message
Morning! I wrote a message yesterday but nobody replied, so here's another one so it doesn't get lost Can somebody tell me how to disable the annoying "Pin Copilot Chat" popup? every morning I have to say "Maybe Later" when I really mean to say NEVER IN A THOUSAND YEARSTeams build 25275.2601.4002.2815) instantly closes on launch ucrtbase.dll error 0xc0000409
After updating to Teams 25275.2601.4002.2815, the app opens for one second then closes—no UI, no error. Env: Win 11 Pro 23H2 (26100) WebView2 141.0.3537.92 Entra ID joined (AAD) Faulting module: ucrtbase.dll Exception code: 0xc0000409 Path: C:\Program Files\WindowsApps\MSTeams_25275.2601.4002.2815_x64__8wekyb3d8bbwe\ms-teams.exe Tried: cleared Teams/WebView2/AAD caches, reinstalled Teams + WebView2 + VC++, did Reset this PC and clean USB install — same result. Works fine for local admin + other Entra users and browser. Older builds (Aug/Sep 2025) work fine → likely regression in this release. Please confirm if known and being investigated.
Stealing Access Token Secrets from Teams is Hard Unless a Workstation is Compromised
Teams stores information in a local state file, including encrypted access tokens. A report from a French company explained how to extract and use those tokens with the Graph API. Is this important? It could be if attackers manage to gain access to a workstation, but at that point you’ve got other problems, and maybe using code to decrypt some tokens is the least of your troubles. https://office365itpros.com/2025/10/27/local-state-file-teams/Securing Microsoft Teams Best Practice & Cleanup
Working on a Teams environment that is fully wide open. They have seen a huge number of Teams created and are looking to get it under control from here on out and clean up. Wanted some advice on what you recommend doing and if you have the instructions to complete those tasks. My thoughts would be Block Team creation where IT would need to be involved. I believe this could be accomplished by blocking M365 Group creation. Way to expire or archive old Teams with no activity in X amount of time? Also, how are you handling guest invitations or access? Doing anything that allows but might secure things better for the organization. Thanks all.
