Azure Information Protection
42 Topics

Issues with Sensitivity Labels and "Specific email addresses or domains" - Not working
Hello! We have enabled Sensitivity Labels in our tenant. The access control settings for the label state that a specific domain gets the permission "Co-Author". When we enable the Sensitivity label on a document and send it towards the approved domain, it results in an error message when authenticating to open the document:

"Selected user account does not exist in tenant 'Veni AS' and cannot access the application in that tenant. The account needs to be added as an external user in the tenant first. Please use a different account."

After doing some research I did some changes to the external domain within the Cross-tenant settings. The external domain now has the following settings:

Inbound access:
    Allow access on external users and groups, within B2B Collaboration
    Allow access on external users and groups, within B2B direct connect
    Trust multifactor authentication from Microsoft Entra tenants, within Trust settings.
Outbound access:
    Allow access on users and groups, within B2B Collaboration
    Allow access on users and groups, within B2B direct connect
    External Identities: Block access for external users and groups. (Inherited from default)

After doing this change, I no longer get the same error message as above when authenticating to open the labeled document. Now I get the following error message:

"You are not signed in to office with an account that has permission to open this document. You may sign in a new account into Office that has permission or request permission from the content owner"

I have this working from another tenant to the same external domain and I have cross-checked the settings. Any idea on how to proceed, or if there is any obvious change I need to make in order to get this to work? All feedback appreciated! :-)

103 Views, 1 like, 1 Comment

Empowering Data Security with Azure Rights Management and Azure Information Protection
In today’s digital world, data is one of the most valuable assets a business can have. Whether it’s customer information, financial records, or internal documents, keeping that data safe is absolutely necessary. As more companies move to cloud-based systems and work in hybrid environments, the need for smart and reliable data protection tools is growing fast. That’s where Azure Rights Management (RMS) and Azure Information Protection (AIP) come in. These tools help businesses organize, label, and secure their data across different platforms, making sure it stays protected no matter where it goes.

Understanding Azure Rights Management (RMS)

Azure RMS is a cloud-based service designed to safeguard digital information through encryption, identity, and authorization policies. It ensures that data remains protected regardless of where it resides—on a local device, in the cloud, or in transit.

Core Protection Workflow

The Azure RMS protection process is straightforward yet powerful:

Encryption: When a user initiates protection, the content is encrypted using strong cryptographic standards.
Policy Attachment: An access policy is embedded within the file, defining what actions are permitted (e.g., read-only, no print, no forward).
Authentication: Access is granted only after successful authentication via Azure Active Directory (Azure AD).
Decryption and Enforcement: Once authenticated, the file is decrypted and the access policy is enforced in real time.

Encryption Standards in Use

Azure RMS employs:

AES 128-bit and 256-bit encryption for securing documents.
RSA 2048-bit encryption for protecting customer-specific root keys.

These standards ensure that even if data is intercepted, it remains unreadable and unusable without proper authorization.

Azure Information Protection: Beyond Encryption

While Azure RMS focuses on securing content, Azure Information Protection (AIP) adds a layer of intelligence through classification and labeling. AIP enables organizations to define and apply sensitivity labels that reflect the value and confidentiality of their data.

From Classic to Unified Labeling

Microsoft has transitioned from the classic AIP client to the Unified Labeling Client, which integrates directly with Microsoft 365 compliance solutions. This shift simplifies management and enhances compatibility with modern Office applications.

Sensitivity Labels in Action

Sensitivity labels help organizations manage data access and usage by categorizing content into levels such as:

Public: Safe for public distribution.
General: Internal use only.
Confidential: Restricted to specific internal groups.
Highly Confidential: Limited to named individuals with strict usage controls (e.g., no printing or downloading).

Labels can be applied manually by users or automatically based on content inspection, context, or metadata.

Built-In Labeling in Office Apps

Modern Office apps now support built-in labeling, eliminating the need for separate add-ins. This native integration ensures a smoother user experience and reduces the risk of compatibility issues or performance degradation.

Licensing Overview

To leverage AIP features, organizations must have the appropriate licensing:

Office 365 E3 and above: Basic classification and labeling.
AIP Plan 1: Included in Microsoft 365 E3 and EMS E3.
AIP Plan 2: Included in Microsoft 365 E5 and EMS E5, offering advanced capabilities like automatic labeling and document tracking.

Real-World Use Cases

Access Control: Limit access to sensitive documents based on user roles or departments.
Version Management: Use labels to distinguish between draft and final versions.
Automated Workflows: Trigger encryption or archiving when documents reach a certain sensitivity level.

Why Azure Information Protection Matters

Implementing AIP brings a host of benefits:

Persistent Protection: Data remains secure even when shared externally or accessed offline.
Granular Control: Define who can access data and what they can do with it.
Visibility and Auditing: Monitor access patterns and revoke access if needed.
Hybrid Compatibility: Protect data across cloud and on-premises environments using the Rights Management connector.
Centralized Management: Streamline policy creation and enforcement across the organization.

Conclusion

Azure RMS and AIP together form a powerful duo for modern data protection. By combining encryption, identity management, and intelligent labeling, organizations can confidently secure their most valuable asset, information, while enabling seamless collaboration and compliance.

33 Views, 0 likes, 0 Comments

AIP padlock icon missing in encrypted message
Hi, I have enabled AIP in my tenant along with sensitivity labels and encryption. I can send encrypted messages successfully; however, the secure message - which contains a padlock icon referring to a Microsoft website - is broken and fails to load. I’ve viewed the source of the message and tried to load the image in my browser. The image failed to load and I believe the image location is not valid anymore. Could you please validate and provide a fix so that the padlock icon loads successfully? Currently the secure message looks like a phishing email and will probably be treated as such.

228 Views, 0 likes, 4 Comments

Track Sensitivity Label Downgrades and Removals with Audit Log Data
The Purview Insider Risk Management solution can do all sorts of clever things, like tracking sensitivity label downgrades and removals as an indicator that a user might be preparing to exfiltrate data. The same kind of checking can be done by using the events captured in the audit log when people remove or change sensitivity labels. All in a few lines of PowerShell…

https://office365itpros.com/2024/11/20/sensitivity-label-downgrades/

174 Views, 0 likes, 0 Comments

I lost my Admin privileges in Microsoft 365
So, I'm working in a corporate company and we had services purchased like Azure, PowerBI etc. that we were paying for a long time. And until today I was logging in with the Admin email to the 365 admin portal with my admin account, but today when I try, that email has lost its admin privileges. And so to recover that account I tried directly connecting through the phone call, which also had to go through an automated voice assistant. And even after finally getting connected with the call, the only way they were about to provide help was for us to tell them what the current admin account's email address is, which is like the reason why we called them, because we have a security breach and don't know who did that. And I had all my previous admin accounts with credentials and all payment details etc., but I had to talk to some guy for like 20 minutes who was just repeating the same thing, like "tell me the current admin email so we can help you further". Like if I knew that, why would I even call them? And I have all the details of my previous info, but how can I know what email the attacker has used in just one day?

223 Views, 0 likes, 1 Comment

Connect-Aipservice is not working
Hello everyone,

Please, is anyone able to connect to the AIP service using PowerShell version 5.5 and above? Even after installing and importing the AIP service module, connect-aipservice failed to work with all its parameters. However, creating and publishing a sensitivity label policy is working.

Thanks.

1.3K Views, 0 likes, 6 Comments

How to Handle an Unwanted Sensitivity Label
Sometimes sensitivity labels defined for use within a Microsoft 365 tenant turn out to be unnecessary. The question then is what to do with these unwanted sensitivity labels. The answer is to pause for thought, gather information, and then make an informed decision, all of which we discuss here.

https://practical365.com/how-to-handle-an-unwanted-sensitivity-label/

224 Views, 0 likes, 0 Comments

Account Hacked
Hello Community,

My account has been hacked, copied and/or duplicated with some other account as I was originally Sids1 with this email for more than 6 months now and this has changed somehow. It's very concerning to me since I also found some other person named Siddhartha when I was logging into my account. I reported that to the Microsoft Account Team but have not received any replies yet. Please suggest anything that can be done to catch this hacker who is stealing my identity to and fro.

Best Regards
Siddhartha Sharma

Solved. 819 Views, 1 like, 3 Comments

C# application with MIP SDK fails creating the FileEngine
Hi! I have a C# application which tries to create a FileEngine to unprotect AIP protected files. The application runs in Azure. Network connectivity is available. The MIP SDK logs look like this:

    Info 2024-06-05 11:49:15.652 common/api_utils.h:195 w3wp (6324) "Start calling success callback for API: protection_profile_load_async" mipns::TryExecuteSuccessCallback::<lambda_aa4c0887fcc47f487d59891ccfa0eff4>::operator () 5396
    Info 2024-06-05 11:49:15.652 common/api_utils.h:197 w3wp (6324) "Ended calling success callback for API: protection_profile_load_async" mipns::TryExecuteSuccessCallback::<lambda_aa4c0887fcc47f487d59891ccfa0eff4>::operator () 5396
    Info 2024-06-05 11:49:15.652 policy_profile_impl.cpp:522 w3wp (6324) "Starting API call: profile_add_engine_async scenarioId=55a8c9cb-bbe6-40bb-992f-10b54066f182" mipns::ProfileImpl::AddEngineAsync 1048
    Info 2024-06-05 11:49:15.652 policy_profile_impl.cpp:522 w3wp (6324) "Ended API call: profile_add_engine_async" mipns::ProfileImpl::AddEngineAsync 1048
    Info 2024-06-05 11:49:15.652 policy_profile_impl.cpp:522 w3wp (6324) "Starting API task: profile_add_engine_async" mipns::ProfileImpl::AddEngineAsync 1700
    Info 2024-06-05 11:49:15.652 policy_profile_impl.cpp:522 w3wp (6324) "Starting API task: profile_add_engine_async scenarioId=55a8c9cb-bbe6-40bb-992f-10b54066f182" mipns::ProfileImpl::AddEngineAsync 1700
    Info 2024-06-05 11:49:15.652 policy_profile_impl.cpp:244 w3wp (6324) "Starting to add policy engine with engine id: 09342290-3990-4ef9-bdeb-611113bcccee" `anonymous-namespace'::CreateEngineAsync 1700
    Warning 2024-06-05 11:49:15.652 policy_engine_manager_impl.cpp:275 w3wp (6324) "Inconsistent label & sensitivity policy detected. Removing both from cache if it exists." mipns::PolicyEngineManagerImpl::DeletePolicyFromStorage 1700
    Info 2024-06-05 11:49:15.652 policy_engine_manager_impl.cpp:358 w3wp (6324) "Loading new policy engine (requires fetch): 09342290-3990-4ef9-bdeb-611113bcccee" mipns::PolicyEngineManagerImpl::LoadNewEngineAsync 1700
    Warning 2024-06-05 11:49:15.652 policy_engine_manager_impl.cpp:361 w3wp (6324) "New PolicyEngine was created without an identity. Dynamic content marking will be partially disabled, and URL redirect caching will be fully disabled." mipns::PolicyEngineManagerImpl::LoadNewEngineAsync 1700
    Info 2024-06-05 11:49:15.652 auth_request_transformer.cpp:155 w3wp (6324) "Requesting auth token from app. Resource: 'https://syncservice.o365syncservice.com/', Authority: 'https://login.windows.net/common', Scope: '', Claims: ''" mipns::AuthRequestTransformer::GetAuthToken 1700
    Info 2024-06-05 11:49:15.917 auth_request_transformer.cpp:169 w3wp (6324) "Authentication response time (seconds): 0.264937" mipns::AuthRequestTransformer::GetAuthToken 1700
    Info 2024-06-05 11:49:15.932 http_director_impl.cpp:141 w3wp (6324) "Sending HTTP request: ID: {C3D930DE-50B3-40A8-8C44-0ED22007A6FB}, Type: GET, Url: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies?supportedMaxVersion=1.0.50.0, Body Size: 0, Headers['ClientInfo'] = 'mip_ver=1.14.128;os_name=win;os_ver=10-0-20348;runtime=msvc-1929;arch=x86', Headers['Capabilities'] = 'BestEffortEntityMatch,BestEffortCCSIMatch,SchematizedDataContentType', Headers['Content-Type'] = 'application/xml;charset=utf-8', Headers['Authorization'] = 'UOID:2d3ea670-a6d7-4a66-85fe-0bcc9b5f563a;Tenant:tenant id;Audience:https://syncservice.o365syncservice.com/;Roles:UnifiedPolicy.Tenant.Read;" mipns::HttpDirectorImpl::DoSendHttp 1700
    Info 2024-06-05 11:49:16.104 http_client_base.cpp:44 w3wp (6324) "HTTP response time (seconds): 0.185885 ID: {C3D930DE-50B3-40A8-8C44-0ED22007A6FB}" mipns::HttpClientBase::SendAsync::<lambda_b2b0e837acbc3dca3dadb2856c35cf30>::operator () 5756
    Info 2024-06-05 11:49:16.120 oneds_helper.cpp:532 w3wp (6324) "OneDsHelper::WriteTelemetryEvent(policy_sync_acquire_policy)" mipns::OneDSHelper::WriteTelemetryEvent 5756
    Info 2024-06-05 11:49:16.120 diagnostic_utils.cpp:80 w3wp (6324) "Send Telemetry. Event Name : [policy_sync_acquire_policy]
        App.ApplicationId: [application id], Pii: [None]
        App.ApplicationName: [AR_COSI_TEST_AIP], Pii: [None]
        App.ApplicationVersion: [1.0.0], Pii: [None]
        App.SessionId: [], Pii: [None]
        Engine.SessionId: [], Pii: [None]
        Event.CorrelationId: [3f4d9f3a-a5a1-40fc-bbdb-049f4d40889f], Pii: [None]
        Event.CorrelationIdDescription: [HttpDirector], Pii: [None]
        Event.Duration: [0.187074], Pii: [None]
        Event.ErrorType: [NetworkError], Pii: [None]
        Event.Failed.File: [src\core\api_impl\http\http_director_impl.cpp], Pii: [None]
        Event.Failed.Func: [mipns::HttpTelemetryHelper::NotifyOperationComplete], Pii: [None]
        Event.Failed.Line: [374], Pii: [None]
        Event.Failed.Message: [No HTTP response. Failed with: [NetworkError: 'HTTP connection failure Inner exception: [http_exception: 'WinHttpSendRequest: 12029: A connection with the server could not be established'], NetworkError.Category=NoConnection, HttpRequest.SanitizedUrl=https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies, HttpRequest.Id={C3D930DE-50B3-40A8-8C44-0ED22007A6FB}']], Pii: [None]
        Event.ParentCorrelationId: [948d1c35-91a9-47be-af1f-6d6a241125e5], Pii: [None]
        Event.ParentCorrelationIdDescription: [PolicyProfile], Pii: [None]
        Event.UniqueId: [eacab4b6-2048-4cf0-8d5c-cba215bcb6a0], Pii: [None]
        EventInfo.Level: [10], Pii: [None]
        EventInfo.PrivTags: [33554432], Pii: [None]
        MIP.Version: [1.14.128], Pii: [None]
        Request.CorrelationId: [{C3D930DE-50B3-40A8-8C44-0ED22007A6FB}], Pii: [None]
        Request.IsAsynchronous: [true], Pii: [None]
        Request.RequestBodySize: [0], Pii: [None]
        Request.TokenTenantId: [tenant id], Pii: [None]
        Request.Url: [https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies], Pii: [None]
        iKey: [ce9aa5fb5a414ecebb15af10715bd8ff-831d197e-fc97-4df6-b998-c8c13a0fc3ce-6768], Pii: [None] " mipns::WriteTelemetryEventToLog 5756
    Info 2024-06-05 11:49:16.120 http_director_impl.cpp:38 w3wp (6324) "Received HTTP response: " `anonymous-namespace'::LogHttpOperationDetails 5756
    Error 2024-06-05 11:49:16.120 http_director_impl.cpp:42 w3wp (6324) "HTTP operation {C3D930DE-50B3-40A8-8C44-0ED22007A6FB} failed: Failed with: [NetworkError: 'HTTP connection failure Inner exception: [http_exception: 'WinHttpSendRequest: 12029: A connection with the server could not be established'], NetworkError.Category=NoConnection, HttpRequest.SanitizedUrl=https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies, HttpRequest.Id={C3D930DE-50B3-40A8-8C44-0ED22007A6FB}']" `anonymous-namespace'::LogHttpOperationDetails 5756

This error does not occur on every tenant! Does anyone have a clue why this error occurs?

473 Views, 0 likes, 0 Comments

PowerShell cmdlets not available within a script unless it is run as administrator
I wonder if somebody can help with this issue. Essentially I want to be able to connect to Exchange Online and the Security and Compliance PowerShell from within a script run as a regular user, not administrator. If I drop these commands into my un-elevated PS window they will connect successfully and give me back some info on the two commands. If I drop the same commands into a PS1 file and execute it in an elevated PS console they also run successfully.

    Connect-IPPSSession
    Get-Command Get-DlpCompliancePolicy
    Connect-ExchangeOnline
    Get-Command Get-Mailbox

If I run Get-ConnectionInformation in the script I can see the two connections are there -

    ConnectionId                    : 745f6176-5d1f-46ec-a786-b8e84f273791
    State                           : Connected
    Id                              : 1
    Name                            : ExchangeOnlineProtection_1
    UserPrincipalName               : *********
    ConnectionUri                   : https://eur01b.ps.compliance.protection.outlook.com
    AzureAdAuthorizationEndpointUri : https://login.microsoftonline.com/organizations
    TokenExpiryTimeUTC              : 20/04/2024 10:01:24 +00:00
    CertificateAuthentication       : False
    ModuleName                      : C:\Users\*******\AppData\Local\Temp\tmpEXO_5lnrtren.etr
    ModulePrefix                    :
    Organization                    :
    DelegatedOrganization           :
    AppId                           :
    PageSize                        : 1000
    TenantID                        : 081cc50b-e5a5-4e76-b6b7-d7c274899193
    TokenStatus                     : Active
    ConnectionUsedForInbuiltCmdlets : False
    IsEopSession                    : True

    ConnectionId                    : 3d3547ec-f35e-4dc3-ba50-ed2f93ef0c35
    State                           : Connected
    Id                              : 2
    Name                            : ExchangeOnline_2
    UserPrincipalName               : *******
    ConnectionUri                   : https://outlook.office365.com
    AzureAdAuthorizationEndpointUri : https://login.microsoftonline.com/organizations
    TokenExpiryTimeUTC              : 20/04/2024 11:50:29 +00:00
    CertificateAuthentication       : False
    ModuleName                      : C:\Users\*******\AppData\Local\Temp\tmpEXO_a2axh3gk.iwh
    ModulePrefix                    :
    Organization                    :
    DelegatedOrganization           :
    AppId                           :
    PageSize                        : 1000
    TenantID                        : 081cc50b-e5a5-4e76-b6b7-d7c274899193
    TokenStatus                     : Active
    ConnectionUsedForInbuiltCmdlets : True
    IsEopSession                    : False

If I run Get-Module I can see the modules I understand are necessary -

    Name              : ExchangeOnlineManagement
    Path              : C:\Program Files\WindowsPowerShell\Modules\ExchangeOnlineManagement\3.4.0\netFramework\ExchangeOnlineManagement.psm1
    Description       : This is a General Availability (GA) release of the Exchange Online Powershell V3 module. Exchange Online cmdlets in this module are REST-backed and do not require Basic Authentication to be enabled in WinRM. REST-based connections in Windows require the PowerShellGet module, and by dependency, the PackageManagement module. Please check the documentation here - https://aka.ms/exov3-module. For issues related to the module, contact Microsoft support.
    Guid              : b5eced50-afa4-455b-847a-d8fb64140a22
    Version           : 3.4.0
    ModuleBase        : C:\Program Files\WindowsPowerShell\Modules\ExchangeOnlineManagement\3.4.0
    ModuleType        : Script
    PrivateData       : {PSData}
    AccessMode        : ReadWrite
    ExportedAliases   : {}
    ExportedCmdlets   : {[Add-VivaModuleFeaturePolicy, Add-VivaModuleFeaturePolicy], [Get-ConnectionInformation, Get-ConnectionInformation], [Get-DefaultTenantBriefingConfig, Get-DefaultTenantBriefingConfig], [Get-DefaultTenantMyAnalyticsFeatureConfig, Get-DefaultTenantMyAnalyticsFeatureConfig]...}
    ExportedFunctions : {[Connect-ExchangeOnline, Connect-ExchangeOnline], [Connect-IPPSSession, Connect-IPPSSession], [Disconnect-ExchangeOnline, Disconnect-ExchangeOnline]}
    ExportedVariables : {}
    NestedModules     : {Microsoft.Exchange.Management.RestApiClient, Microsoft.Exchange.Management.ExoPowershellGalleryModule}

    Name              : Microsoft.PowerShell.Management
    Path              : C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Management.psd1
    Description       :
    Guid              : eefcb906-b326-4e99-9f54-8b4bb6ef3c6d
    Version           : 3.1.0.0
    ModuleBase        : C:\Windows\System32\WindowsPowerShell\v1.0
    ModuleType        : Manifest
    PrivateData       :
    AccessMode        : ReadWrite
    ExportedAliases   : {[gcb, gcb], [gin, gin], [gtz, gtz], [scb, scb]...}
    ExportedCmdlets   : {[Add-Computer, Add-Computer], [Add-Content, Add-Content], [Checkpoint-Computer, Checkpoint-Computer], [Clear-Content, Clear-Content]...}
    ExportedFunctions : {}
    ExportedVariables : {}
    NestedModules     : {Microsoft.PowerShell.Commands.Management.dll}

    Name              : Microsoft.PowerShell.Utility
    Path              : C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1
    Description       :
    Guid              : 1da87e53-152b-403e-98dc-74d7b4d63d59
    Version           : 3.1.0.0
    ModuleBase        : C:\Windows\System32\WindowsPowerShell\v1.0
    ModuleType        : Manifest
    PrivateData       :
    AccessMode        : ReadWrite
    ExportedAliases   : {[CFS, CFS], [fhx, fhx]}
    ExportedCmdlets   : {[Add-Member, Add-Member], [Add-Type, Add-Type], [Clear-Variable, Clear-Variable], [Compare-Object, Compare-Object]...}
    ExportedFunctions : {[ConvertFrom-SddlString, ConvertFrom-SddlString], [Format-Hex, Format-Hex], [Get-FileHash, Get-FileHash], [Import-PowerShellDataFile, Import-PowerShellDataFile]...}
    ExportedVariables : {}
    NestedModules     : {Microsoft.PowerShell.Commands.Utility.dll, Microsoft.PowerShell.Utility}

    Name              : PSReadLine
    Path              : C:\Program Files\WindowsPowerShell\Modules\PSReadLine\2.0.0\PSReadLine.psm1
    Description       : Great command line editing in the PowerShell console host
    Guid              : 5714753b-2afd-4492-a5fd-01d9e2cff8b5
    Version           : 2.0.0
    ModuleBase        : C:\Program Files\WindowsPowerShell\Modules\PSReadLine\2.0.0
    ModuleType        : Script
    PrivateData       :
    AccessMode        : ReadWrite
    ExportedAliases   : {}
    ExportedCmdlets   : {[Get-PSReadLineKeyHandler, Get-PSReadLineKeyHandler], [Get-PSReadLineOption, Get-PSReadLineOption], [Remove-PSReadLineKeyHandler, Remove-PSReadLineKeyHandler], [Set-PSReadLineKeyHandler, Set-PSReadLineKeyHandler]...}
    ExportedFunctions : {[PSConsoleHostReadLine, PSConsoleHostReadLine]}
    ExportedVariables : {}
    NestedModules     : {Microsoft.PowerShell.PSReadLine}

    Name              : tmpEXO_5lnrtren.etr
    Path              : C:\Users\******\AppData\Local\Temp\tmpEXO_5lnrtren.etr\tmpEXO_5lnrtren.etr.psm1
    Description       : This is a Powershell module generated by using the AutoGEN infra.
    Guid              : 2c604488-886e-4090-ac70-2b9a3130c449
    Version           : 1.0
    ModuleBase        : C:\Users\********\AppData\Local\Temp\tmpEXO_5lnrtren.etr
    ModuleType        : Script
    PrivateData       : {PSData}
    AccessMode        : ReadWrite
    ExportedAliases   : {}
    ExportedCmdlets   : {}
    ExportedFunctions : {[Add-ComplianceCaseMember, Add-ComplianceCaseMember], [Add-eDiscoveryCaseAdmin, Add-eDiscoveryCaseAdmin], [Add-RoleGroupMember, Add-RoleGroupMember], [Cancel-DlpEdmSession, Cancel-DlpEdmSession]...}
    ExportedVariables : {[HelpFileNames, System.Management.Automation.PSVariable]}
    NestedModules     : {}

    Name              : tmpEXO_a2axh3gk.iwh
    Path              : C:\Users\*******\AppData\Local\Temp\tmpEXO_a2axh3gk.iwh\tmpEXO_a2axh3gk.iwh.psm1
    Description       : This is a Powershell module generated by using the AutoGEN infra.
    Guid              : e84305bc-e9b9-45bd-bb9f-d38a411419b2
    Version           : 1.0
    ModuleBase        : C:\Users\********\AppData\Local\Temp\tmpEXO_a2axh3gk.iwh
    ModuleType        : Script
    PrivateData       : {PSData}
    AccessMode        : ReadWrite
    ExportedAliases   : {}
    ExportedCmdlets   : {}
    ExportedFunctions : {[Add-AvailabilityAddressSpace, Add-AvailabilityAddressSpace], [Add-DistributionGroupMember, Add-DistributionGroupMember], [Add-MailboxFolderPermission, Add-MailboxFolderPermission], [Add-MailboxLocation, Add-MailboxLocation]...}
    ExportedVariables : {[HelpFileNames, System.Management.Automation.PSVariable]}
    NestedModules     : {}

And once the script exits, I can then do 'Get-Command Get-Mailbox' and get a good response. So the connection is clearly working, the script just cannot seem to access the functions/cmdlets while it is running. This is Twilight Zone stuff right!?

I do not know if it's relevant, but we use AppLocker. So in my unelevated PS session I am in ConstrainedLanguage mode, but the script is excluded from AppLocker so executes in FullLanguage mode.

I feel like I'm missing something fundamental about how PS sessions or scopes operate within a script run as admin vs a regular user, or is there a bug in Connect-ExchangeOnline, but no amount of Google searching has saved my mind yet!

Thanks

984 Views, 0 likes, 2 Comments