Removing Inactive Entra ID User Accounts with PowerShell
The Entra ID Governance solution includes a workflow to detect and remove inactive user accounts. Sounds good, but the same can be done with PowerShell if you want to avoid the cost of Entra ID Governance licenses or want to create a bespoke workflow that’s better suited to the business needs of the organization. Azure Automation would be a good way to process this workflow. https://office365itpros.com/2025/11/17/remove-inactive-user-accounts/How to Check Unexpected Sign-Ins Against Utility Accounts
Utility accounts exist in every Microsoft 365 tenant. These accounts are not intended for normal user activity and include accounts used for Exchange room and shared mailboxes and the break-glass or emergency accounts intended to allow administrators to sign-in if their usual accounts are blocked. This article shows how to use PowerShell and the Microsoft Graph to check sign-in events to ensure that the accounts aren't being accessed. https://practical365.com/check-utility-accounts-break-glass-signins/A Brief History of Soft-Deleted Entra ID Groups
Entra ID has long supported soft-deleted Microsoft 365 Groups. Now support is available to list and restore soft-deleted security groups in both the Entra admin center and cmdlets from the Microsoft Graph PowerShell SDK, so the articles include a script to show how to list and recover deleted Microsoft 365 and security groups. The update is very welcome as it fixes a big recovery gap in the Entra ID story. Too many important security groups have been deleted in error, much to the chagrin of administrators. https://office365itpros.com/2025/11/11/soft-deleted-security-groups/Effortless Time Tracking in Teams, Outlook and M365 Copilot
How do you stay in the flow of work when tasks move across Teams, Outlook and now M365 Copilot? Many of us already collaborate and manage our day in these Microsoft 365 tools, but logging time often feels like something separate that interrupts our focus. With https://www.klynke.com/ time tracking stays right where your work happens. It runs inside Teams, Outlook and M365 Copilot, creating one consistent and natural experience for logging hours without leaving your workflow. We shared more in our blog: https://www.klynke.com/post/log-time-in-teams-outlook-copilot, and were grateful that Microsoft featured our story in a Tech Community interview: Building Secure SaaS on Microsoft Cloud. A quick look under the hood Microsoft 365 SSO (Entra ID) – Employees sign in with their existing credentials Tenant-based storage and security – Data stays within your Microsoft 365 tenant, under IT control Native experience – Same workflow in Teams, Outlook and M365 Copilot Simple reporting – Export to Excel, Power BI or dashboards How do you currently manage time tracking in Microsoft 365? Would having it built directly into Teams, Outlook and M365 Copilot make a difference in your day? CTO at KlynkeVersion 1.5 of the Microsoft 365 User Password and Authentication Report
The Microsoft 365 User Passwords and Authentication report now includes the last used date for authentication methods (when available). The new data is available through the Graph beta API for listing authentication methods and the equivalent Graph PowerShell SDK cmdlet. Another change that might break scripts is a new way to expose the created date for authentication methods. The changing sands of Graph programming… https://office365itpros.com/2025/11/06/authentication-methods-graph-2/Allowing Users to Add Enterprise Apps to Entra ID is a Bad Idea
Enterprise apps can come from a variety of sources. Most are Microsoft 1st party apps, and the rest are ISV apps. It’s easy to add an app without really intending to, which is a good reason to force users through the Entra ID app consent workflow when they want to add an app. Unhappily, I failed the test and added an app in a moment of weakness. Here’s what happened. https://office365itpros.com/2025/10/24/enterprise-apps-my-mistake/
Nested App Authentication (NAA) token to protect middle-tier server
I'm working on an outlook addin and want to use the NAA accesstoken to validate the user on an api running on a php webserver. The addin runs as a taskepane (created with yo office) with the app only manifest. I have setup NAA to do Microsoft graph calls on behalf of the user. I have used this guid to setup NAA (copy/past) https://learn.microsoft.com/en-us/office/dev/add-ins/develop/enable-nested-app-authentication-in-your-add-in I have setup a php server (not in Microsoft infrastruktur) for a simple API, that handlers MySQL calls and app only calls to Microsoft graph. The php api authenticate itself with a client secret from the Azure app registration. Both are working as expected. Can i use the accesstoken from the NAA, to authenticate the user on the php server? If it can be done how do I validate the token?Updating the Entra ID Password Protection Policy with the Microsoft Graph PowerShell SDK
The Entra ID password protection policy contains settings that affect how tenants deal with passwords. Entra ID includes a default policy that doesn’t require additional licenses. Creating a custom password protection policy requires tenant users to have Entra P1 licenses. As explained in this article, once the licensing issue is solved, it’s easy to update the policy settings with PowerShell. https://office365itpros.com/2025/10/23/password-protection-policy-ps/Important Change Coming for Entra ID Passkeys in November 2025
Entra ID is about to introduce passkey profiles, a more granular approach to passkey settings. The change is good, but you might like to check the current passkey settings to make sure that the values inherited by the new default passkey profile behave the way that you want. In particular, check attestation enforcement to make sure that the right kind of passkeys are used. https://office365itpros.com/2025/10/22/passkey-setting-policy/Automating Microsoft 365 with PowerShell Second Edition
The Office 365 for IT Pros team are thrilled to announce the availability of Automating Microsoft 365 with PowerShell (2nd edition). This completely revised 350-page book delivers the most comprehensive coverage of how to use Microsoft Graph APIs and the Microsoft Graph PowerShell SDK with Microsoft 365 workloads (Entra ID, Exchange Online, SharePoint Online, Teams, Planner, and more). Existing subscribers can download the second edition now free of charge. https://office365itpros.com/2025/06/30/automating-microsoft-365-with-powershell2/
