Retention Policy
55 Topics

Maintaining a Microsoft 365 Retention Policy with PowerShell
The Connect-IPPSSession cmdlet is needed to connect to the Security and Compliance endpoint to update a Microsoft 365 retention policy. Unhappily, the Security and Compliance module doesn’t support managed identities, which makes it harder to run Connect-IPPSSession securely in an Azure Automation runbook. In the end, we use a credential stored in the automation account. And then we had to disable WAM. All explained here. https://office365itpros.com/2025/08/12/connect-ippssession-azure/
21 Views, 0 likes, 0 Comments

Creating a Microsoft 365 Retention Policy for Shared Mailboxes
After being asked whether licenses are needed to include shared mailboxes in Microsoft 365 retention policies, I investigated and found that licenses are not. This led to a consideration of the steps needed to create a special retention policy for shared mailboxes (with PowerShell, naturally) and how to avoid retention setting collisions with other policies. All explained in detail here. https://office365itpros.com/2025/08/05/shared-mailboxes-retention/
65 Views, 0 likes, 0 Comments

Be Careful with Retention Labels Configured with Created Date Expiration
Retention policies and retention labels have been around for about 8 years. Some of the older retention settings might use file created dates to remove items. No doubt basing retention on creation dates made perfect sense at the time, but experience shows that maybe basing retention on the last modified date can be better. All explored here together with a script to update retention labels in OneDrive. https://office365itpros.com/2025/07/22/retention-label-last-modified-date/
35 Views, 0 likes, 0 Comments

Hidden Group and Hidden Group Membership
Hi everyone! I have come across a requirement where the client would like to use an Excel spreadsheet, a service account and application registration to manage group membership for a confidential group. They would like to create a group from which the members cannot leave, see other team members and cannot see the group itself. Now, I have the concept of the flow with me but for the life of me, I cannot get around to finding/configuring a group that meets the requirement. Have you guys come across this sort of scenario?

Group Configuration:
- Users should not be able to view the group
- Users should not be able to view members of the group
- Users should not be able to leave the group

Thanks in advance.
986 Views, 0 likes, 4 Comments

How many files have been deleted?
Is there a way to find out how many files have been deleted by a retention policy over a certain time frame (across the entire tenant)? As well as the # of files, the total size or space freed up by these deletions? I've tried researching PowerShell cmdlets and other areas to find this information out but have come up empty. We'd like some initial information on how the implementation of Microsoft Purview Records Management is progressing.
68 Views, 0 likes, 1 Comment

Compliance licenses at tenant level
Hi, We are a small organization of about 200 employees, and we have the following requirements.
- DLP policies configuration at Exchange, OneDrive, SharePoint
- BYOD security
- Users should not be able to send files outside the org
- And so on as we evaluate

We already have M365 Business Premium. However, after researching we figured out that M365 Business Premium will alone not solve our requirements. Maybe compliance license will. We want to apply security policies at tenant level in our organization but definitely do not want every user to get licenses as this will be expensive for us and there is no requirement at all for our users. The question is, is there a way to solve the above scenario?
288 Views, 0 likes, 2 Comments

Microsoft Purview best practices
I am wondering what the best way to accomplish this would be. We are working at stepping down our email retention periods from 10 years to 5 years. We currently have a 10-year policy that uses a dynamic 365 group for assigned users. The group runs a query that finds anyone in our organization with a Business Premium license. That's working great. Our next step is to go to a 5-year policy. But we have several users that need to be placed in a 7-year policy. Microsoft has removed the option to use both the include and exclude settings in a retention policy. My question is, are we overthinking the way to do this? Or should we just be doing this: Create one 5-year policy that is set to the entire organization. Then create a 365 dynamic group with the users who need the 7-year policy assigned to it. Then create a 7-year policy and assign the 7-year policy group to it. Then also place that group in the Exclude listing of the 5-year policy. Will that work and is it best practice? I can't afford to make a mistake on this and I can't remember if I created the dynamic group with the query for licensed users for a reason or if I was just being too detailed.
165 Views, 0 likes, 5 Comments

Practical Graph: Apply Retention Labels to Unlabeled SharePoint Files
A previous article described a script to find SharePoint Online files that didn't have retention labels. This article picks up the thread and shows how to use the data generated by the previous script to apply retention labels to the unlabeled files using cmdlets from the Microsoft Graph PowerShell SDK. Some issues are met along the way, but the script works and does the job, which is all that counts at the end of the day. https://practical365.com/apply-retention-labels-powershell/
45 Views, 0 likes, 0 Comments