How to Control Access to Entra Multi-Tenant Apps
Entra multi-tenant applications can be used by any tenant – unless you restrict sign-in audiences to permit only specific tenants to use the application. In this article, we explain the preview feature and use the Microsoft Graph PowerShell SDK to restrict sign-in audiences by defining a list of permitted tenant identifiers in the properties of multi-tenant applications. https://office365itpros.com/2026/01/28/restrict-sign-in-audience/Automating Microsoft 365 with PowerShell Second Edition
The Office 365 for IT Pros team are thrilled to announce the availability of Automating Microsoft 365 with PowerShell (2nd edition). This completely revised 350-page book delivers the most comprehensive coverage of how to use Microsoft Graph APIs and the Microsoft Graph PowerShell SDK with Microsoft 365 workloads (Entra ID, Exchange Online, SharePoint Online, Teams, Planner, and more). Existing subscribers can download the second edition now free of charge. https://office365itpros.com/2025/06/30/automating-microsoft-365-with-powershell2/Generate a Weekly Report of Role Assignments
This article explores how to use Entra ID audit records to create a weekly report about role assignment additions and deletions. After deciphering the information contained in the audit records, it’s easy to generate a report showing who made the assignments and if any critical role assignments are in the mix. We can then email the report to interested parties, all with some relatively simple PowerShell. https://office365itpros.com/2026/01/21/role-assignment-weekly-report/Synchronizing Security and Microsoft 365 Group Memberships
An article from 2018 uses the AzureAD and Exchange PowerShell modules to synchronize membership between a security and a Microsoft 365 group. The idea is to enable collaboration for the members of the security group. This version does the work with the Microsoft Graph PowerShell SDK. The code is better and it will work as an Azure Automation runbook, which is always nice. https://office365itpros.com/2026/01/20/group-membership-synchronization/Teams External Collaboration Administrator Role Arrives
Microsoft is introducing a new Entra ID role. The Teams External Collaboration administrator role allows users to manage external collaboration settings. Quite how often Microsoft 365 tenants need to manage these settings is unknown, but it’s a useful prompt to review the current set of roles used and users who are members of those roles. Time for an annual clean-up. https://office365itpros.com/2026/01/14/new-entra-id-role/Entra ID Rationalizes Session Revocation for User Accounts
Microsoft is rationalizing the options to revoke sessions for a user account in the Entra admin center by removing an old revoke MFA sessions button. That seems like a perfectly reasonable thing to do. When administrators want to revoke sessions for an account, the best way is to create a PowerShell script to perform the necessary steps. That way you don’t need to worry about buttons. https://office365itpros.com/2026/01/09/revoke-sessions-button/Moving Exchange Account Source Account
I have a very complex environment I'm hoping someone might jump start my search. We have two domains syncing to Entra ID. One domain is a resource forest where our Exchange environment sits. That domain contains disabled stub accounts synced to our primary domain where the actual user accounts sit. The source for all EXO mailboxes are the stubs in the resource forest. Those accounts are kept in sync using FIM 2008. We're wanting to decom that entire resource environment and move all of the attributes to the primary domain. The resource domain schema is the last version of Ex 2016. The primary domain schema is Ex 2010 SP1. I know my first step is to update the primary schema, however, has anyone encountered a situation like this? Any help would be greatly appreciated.Checking Where Tenant Users Go as Guests
After all the fuss about Teams users inviting people to chat via email, tenant administrators realize that knowing where users are active as guest accounts is not as easy as it might seem. Part of the problem is that data about user activity is mostly controlled by host rather than home tenants. However, it’s possible to extract some information from audit sign-in logs to figure out where tenant users go as guests. https://office365itpros.com/2025/12/09/external-guest-activity/
Can't use a SPN in a PowerBi dashboard to access SharePoint lists
Hoping you can help with an ongoing issue I have. I have a PowerBi dashboard I built using regular account to fetch some SharePoint lists and uploaded it to PowerBi for others to view Now in PowerBi portal I want to change the credential from my account to an SPN. I've read what feels like a thousand articles describing the process to create the SPN 99% all the same. Yet when I go into Powerbi portal, edit the semantic model for the dashboard, click edit credentials, select Service Principal put in the tenant ID the Service principal ID (yes using the app id, in fact I tried everything) the service principal key (the secret) and choose any privacy level it fails 100% of the time. Error is: Failed to update data source credentials: The credentials provided for the SharePoint source are invalid. Same error regardless of what privacy level I choose. I'm sure the secret is correct also. Just for fun I tried the Secret ID and the Object ID in place of the Application ID for the Service principal ID field. All failed same error. I'm sure the secret is correct also. The SPN has Graph sites.read.all, Graph user.read and SharePoint Sites.Read.All api permissions configured. All are consented. Everything seems right but gives me the error failed to retrieve oauth token 100% of the time. Am i missing something else? More API permissions maybe? Do i still need ot actually add the SPN to the Sharepoint site itself even though I has API permissions SharePoint Sites.Read.All? I've done days of research and all I find is lots of people with same or similar issue but not resolution. Is this a bug? Help me I'm desperate to get this fixed or I'm going to have to allow people to bypass MFA across my organization which I cant have.Effortless Time Tracking in Teams, Outlook and M365 Copilot
How do you stay in the flow of work when tasks move across Teams, Outlook and now M365 Copilot? Many of us already collaborate and manage our day in these Microsoft 365 tools, but logging time often feels like something separate that interrupts our focus. With https://www.klynke.com/ time tracking stays right where your work happens. It runs inside Teams, Outlook and M365 Copilot, creating one consistent and natural experience for logging hours without leaving your workflow. We shared more in our blog: https://www.klynke.com/post/log-time-in-teams-outlook-copilot, and were grateful that Microsoft featured our story in a Tech Community interview: Building Secure SaaS on Microsoft Cloud. A quick look under the hood Microsoft 365 SSO (Entra ID) – Employees sign in with their existing credentials Tenant-based storage and security – Data stays within your Microsoft 365 tenant, under IT control Native experience – Same workflow in Teams, Outlook and M365 Copilot Simple reporting – Export to Excel, Power BI or dashboards How do you currently manage time tracking in Microsoft 365? Would having it built directly into Teams, Outlook and M365 Copilot make a difference in your day? CTO at Klynke
