auditing
61 Topics

I built a free, open-source M365 security assessment tool - looking for feedback
I work as an IT consultant, and a good chunk of my time is spent assessing Microsoft 365 environments for small and mid-sized businesses. Every engagement started the same way: connect to five different PowerShell modules, run dozens of commands across Entra ID, Exchange Online, Defender, SharePoint, and Teams, manually compare each setting against CIS benchmarks, then spend hours assembling everything into a report the client could actually read.

The tools that automate this either cost thousands per year, require standing up Azure infrastructure just to run, or only cover one service area. I wanted something simpler: one command that connects, assesses, and produces a client-ready deliverable. So I built it.

What M365 Assess does

https://github.com/Daren9m/M365-Assess is a PowerShell-based security assessment tool that runs against a Microsoft 365 tenant and produces a comprehensive set of reports. Here is what you get from a single run:

- 57 automated security checks aligned to the CIS Microsoft 365 Foundations Benchmark v6.0.1, covering Entra ID, Exchange Online, Defender for Office 365, SharePoint Online, and Teams
- 12 compliance frameworks mapped simultaneously -- every finding is cross-referenced against NIST 800-53, NIST CSF 2.0, ISO 27001:2022, SOC 2, HIPAA, PCI DSS v4.0.1, CMMC 2.0, CISA SCuBA, and DISA STIG (plus CIS profiles for E3 L1/L2 and E5 L1/L2)
- 20+ CSV exports covering users, mailboxes, MFA status, admin roles, conditional access policies, mail flow rules, device compliance, and more
- A self-contained HTML report with an executive summary, severity badges, sortable tables, and a compliance overview dashboard -- no external dependencies, fully base64-encoded, just open it in any browser or email it directly

The entire assessment is read-only. It never modifies tenant settings. Only Get-* cmdlets are used.

A few things I'm proud of

Real-time progress in the console. As the assessment runs, you see each check complete with live status indicators and timing. No staring at a blank terminal wondering if it hung.

The HTML report is a single file. Logos, backgrounds, fonts -- everything is embedded. You can email the report as an attachment and it renders perfectly. It supports dark mode (auto-detects system preference), and all tables are sortable by clicking column headers.

Compliance framework mapping. This was the feature that took the most work. The compliance overview shows coverage percentages across all 12 frameworks, with drill-down to individual controls. Each finding links back to its CIS control ID and maps to every applicable framework control.

Pass/Fail detail tables. Each security check shows the CIS control reference, what was checked, what the expected value is, what the actual value is, and a clear Pass/Fail/Warning status. Findings include remediation descriptions to help prioritize fixes.

Quick start

If you want to try it out, it takes about 5 minutes to get running:

    # Install prerequisites (if you don't have them already)
    Install-Module Microsoft.Graph, ExchangeOnlineManagement -Scope CurrentUser

    # Clone and run
    git clone https://github.com/Daren9m/M365-Assess.git
    cd M365-Assess
    .\Invoke-M365Assessment.ps1

The interactive wizard walks you through selecting assessment sections, entering your tenant ID, and choosing an authentication method (interactive browser login, certificate-based, or pre-existing connections). Results land in a timestamped folder with all CSVs and the HTML report.

Requires PowerShell 7.x and runs on Windows (macOS and Linux are experimental -- I would love help testing those platforms).

Cloud support

M365 Assess works with:

- Commercial (global) tenants
- GCC, GCC High, and DoD environments

If you work in government cloud, the tool handles the different endpoint URIs automatically.

What is next

This is actively maintained and I have a roadmap of improvements:

- More automated checks -- 140 CIS v6.0.1 controls are tracked in the registry, with 57 automated today. Expanding coverage is the top priority.
- Remediation commands -- PowerShell snippets and portal steps for each finding, so you can fix issues directly from the report.
- XLSX compliance matrix -- A spreadsheet export for audit teams who need to work in Excel.
- Standalone report regeneration -- Re-run the report from existing CSV data without re-assessing the tenant.

I would love your feedback

I have been building this for my own consulting work, but I think it could be useful to the broader community. If you try it, I would genuinely appreciate hearing:

- What checks should I prioritize next? Which security controls matter most in your environment?
- What compliance frameworks are most requested by your clients or auditors?
- How does the report land with non-technical stakeholders? Is the executive summary useful, or does it need work?
- macOS/Linux users -- does it run? What breaks? I have tested it on macOS, but not extensively.

Bug reports, feature requests, and contributions are all welcome on GitHub.

Repository: https://github.com/Daren9m/M365-Assess
License: MIT (free for commercial and personal use)
Runtime: PowerShell 7.x

Thanks for reading. Happy to answer any questions in the comments.

188 Views, 0 likes, 0 Comments

Primer: How to Use RBAC for Applications to Control App Use of the Mail.Send Permission
The temptation to use the Mail.Send application permission in scripts can lead PowerShell developers into trouble because the permission allows access to all mailboxes, including sensitive executive and financial mailboxes. Fortunately, RBAC for Applications allows tenants to control the access that apps have to mailboxes and other Exchange content. All explained here with an example script to test RBAC of Applications.

https://office365itpros.com/2026/02/17/mail-send-rbac-for-applications/

134 Views, 2 likes, 4 Comments

Audit Log, what is TokenIssuedAtTime?
I used the audit log to search for user deletions of MS Teams files. By using Recycled File and Recycled Folder, I got the log file. Why are the TokenIssuedAtTime and the CreationTime so different? Below is one of the log records:

{"AppAccessContext":{"AADSessionId":"8f382a1d-b233-425c-92f4-3cf9ed395c9e","CorrelationId":"ae68fba0-40db-2000-ce07-a7bde7727c3f","TokenIssuedAtTime":"2023-12-23T00:47:57","UniqueTokenId":"U4m5SFCmckOiN_QLrysqAQ"},"CreationTime":"2023-12-26T04:24:52","Id":"7a3dc23c-2699-485b-0a87-08dc05ca9b40","Operation":"FolderRecycled","OrganizationId":"7cf9c29c-c6af-4790-b98b-4eff7637f9be","RecordType":6,"UserKey":"i:0h.f|membership|email address removed for privacy reasons","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"2001:d08:e2:58d:61cb:e4bc:c451:aef9","UserId":"email address removed for privacy reasons","AuthenticationType":"FormsCookieAuth","BrowserName":"","BrowserVersion":"","CorrelationId":"ae68fba0-40db-2000-ce07-a7bde7727c3f","EventSource":"SharePoint","IsManagedDevice":false,"ItemType":"Folder","ListId":"33880cd7-1db1-450f-9cd0-5c437c0ccaee","ListItemUniqueId":"184cd92b-40cf-4fa1-82aa-ad5fa61a2a05","Platform":"WinDesktop","Site":"f1bb631d-8ff4-4411-b49f-066e20be905c","UserAgent":"Microsoft SkyDriveSync 23.246.1127.0002 ship; Windows NT 10.0 (19045)","WebId":"aa607282-8b47-47d1-938b-c0cde8e2d87d","DeviceDisplayName":"2a01:111:2055:202:4701:ee31:fe3f:156","CrossScopeSyncDelete":false,"HighPriorityMediaProcessing":false,"SharingType":"","SourceFileExtension":"","SiteUrl":"https://mysharepoint.sharepoint.com/sites/mysite/","SourceRelativeUrl":"Shared Documents/test/MyFolder","SourceFileName":"Quotation","ObjectId":"https://mysharepoint.sharepoint.com/sites/mysite/Shared Documents/test/MyFolder/Test1"}

992 Views, 0 likes, 1 Comment

Language defaults audit for everything M365
We are struggling to find where and how the wrong language is being used for various parts of the M365 platform. We have Swedish set as default, but still English is used for a number of places which often are only realized as a consequence by a user. For example, in Viva Engage language is set to Swedish, and for the SharePoint as well. But:

- When a new user logs on, VE is in English
- While the SharePoint web part is in Swedish, the link text has for some time ended with "- Home" (English) instead of as it was when we started 2+ years ago " - Startsida" (Swedish)
- Then when creating a VE group Event (Teams-meeting), default language is also English

Tracking down what and where is making the wrong language being used is hard. I would be very grateful if pointed to a resource that gives an as complete as possible overview of everything in M365 that we need to look over for making sure that the correct language is default everywhere it should be.

282 Views, 0 likes, 4 Comments

Microsoft Fixes Copilot Audit Records
After a report to the MSRC about some missing file data from Copilot audit records, Microsoft fixed the problem and audit records now contain details about the SharePoint Online files reviewed by Copilot to construct answers to user prompts. Having solid audit and compliance data is a good thing, unless you’re a lawyer charged with defending an eDiscovery action who might be asked to produce the files.

https://office365itpros.com/2025/08/22/copilot-audit-records-fixed/

112 Views, 0 likes, 0 Comments

Purview and auditing file modifications
I have a full M365 E5 license and use Purview auditing a lot for investigations. I noticed it reports file modified, which is great, but some of my files would get modified constantly. I'm curious if it can log and provide a report on what exactly was modified. For example:

- If text was added or deleted, can it tell me what was added or deleted, i.e. the actual text and the action (Add\Delete)?
- If an image was pasted into a Word document, can it tell me that? If possible, down to a copy of the image that was inserted?

If it can't do this level of detail, does anyone have suggestions of a product that can?

122 Views, 0 likes, 1 Comment

Auditing Resource Bookings
I am once again dealing with overlapped bookings on rooms set to not allow overlapped bookings. I've verified this in PowerShell. I've limited who can make these to 2 users. I've trained these users. They are using Outlook on the web - just in case the app doesn't update. STILL, I am getting bookings on top of each other. One person books something - then another person books something on top of it. I need to audit this. I have enabled resource auditing. I have tried:

1) Purview auditing the booking users - everything they do related to Exchange. This returns hundreds of entries for the time periods specified, and I genuinely do not have time to parse all of this.
2) Using Purview to search only for entries on the room resource. These apparently have no data, ever.
3) Using Purview to search for activities related to booking. Too bad the activity dropdown does not work, and 80% of the entries are repeats. Maybe I can find operation names from the documentation? (no)
4) Maybe Copilot can help me find operation names? (no, he just hallucinates)
6) Abandoning Purview, I open Exchange and head to the Collect Logs entries. I run both Resource Bookings and Calendar logs. Because that is, essentially, exactly what I want. Unfortunately neither of these are even remotely useful to a human - except to confirm this shouldn't be possible. I spend an hour parsing through the endless nigh-identically named fields, to find data relevant to me - what I can find isn't accurate, and isn't useful.
7) I open Outlook, and try to look at the actual mail interactions on that shared mailbox. Unfortunately, there is nothing for these days. No sent, inbox, deleted items referencing the bookings at all.
8) I open PowerShell, I try commands Microsoft gives. These are deprecated.

This should really not be this hard. In fact, it should be REALLY EASY to see when bookings came in and out. I am really close to looking for a 3rd party solution just so I don't have to waste any more time on this.

133 Views, 0 likes, 1 Comment

Interface Views in Microsoft 365 Admin Center
1. Simplified View

Purpose: Designed for small businesses or organizations with limited IT resources.

Features:
- Streamlined dashboard with essential tasks like user management, license assignment, and password resets.
- Minimal configuration options to reduce complexity.
- Quick access to support and basic service health info.

Use Case: Ideal for admins who need to perform routine tasks without diving into advanced settings.

2. Dashboard View (Advanced View)

Purpose: Tailored for medium to large enterprises with complex IT environments.

Features:
- Full access to all admin centers (Exchange, SharePoint, Teams, etc.).
- Advanced analytics, reporting, and configuration tools.
- Role-based access control and security management.
- Customizable widgets and navigation for personalized workflows.

Use Case: Suitable for IT teams managing multiple services, users, and compliance requirements.

Customization Needs

Are there specific tasks we perform frequently that can be automated in the dashboard?

410 Views, 0 likes, 2 Comments

Obtain Deleted Stats (SharePoint) by Retention Policy
I've scoured https://learn.microsoft.com/en-us/purview/retention-cmdlets and the Unified Audit Log (https://www.meetingroom365.com/blog/search-unifiedauditlog-powershell/, https://theitbros.com/query-microsoft-365-audit-logs-using-powershell/#penci-Search_the_SharePoint_Online_Audit_Log) to see if I can come up with a method to obtain some statistics regarding how many files and how much space (storage) have been freed up with the use of retention policies being enabled. I'm drawing a blank.

In an ideal world, I'd like to know how many files have been deleted by the system (the system enforcing a 5 Year from last modified Date and Delete Policy) for the last year or 6 month intervals. If possible, the corresponding volume of storage space recovered from these deletions. Any ideas?

257 Views, 0 likes, 2 Comments

Use Audit Data to Improve Finding Inactive Copilot Users
A previous article explained how Microsoft 365 usage report data can highlight inactive Copilot users. If we add audit data to the mix, the analysis becomes much richer because we can see exactly what use people make of different Copilot apps, like Word, Chat, Outlook, and so on. Better data means better decisions!

https://practical365.com/inactive-copilot-users/

119 Views, 0 likes, 0 Comments