Urgent: Enrollment Blocked for Sorted Keys LLC (Error 715-123160) - No Workspace Access
Hello Microsoft Partner Community Team, I am reaching out here because I am currently stuck in a Support Loop while trying to enroll my business, Sorted Keys LLC, into the Microsoft AI Cloud Partner Program. While entering my company information, I encountered the Error Code: 715-123160 stating that the request was blocked. Because the enrollment was halted at this stage, a Partner Center Workspace has not been created for my account. This prevents me from logging in to the portal to raise a standard support ticket. I am an authorized representative of the business and have all legal documentation ready for manual verification. Application Details: Legal Business Name: Sorted Keys LLC Transaction ID: 348fc4c3-6b8a-45de-97ea-5a51a7517ac3 Reference Number: 715-123160 Correlation ID: 1cbc853b-9496-47d3-80b1-55cbfa92d60a Requested Action: Could a community manager please escalate this to the Vetting/Identity team to manually review my entity details or reset the enrollment block so I can proceed with the CSP Indirect Reseller application? Thank you for your time and assistance.Windows 11, version 25H2 security baseline
Microsoft is pleased to announce the security baseline package for Windows 11, version 25H2! You can download the baseline package from the Microsoft Security Compliance Toolkit, test the recommended configurations in your environment, and customize / implement them as appropriate. Summary of changes This release includes several changes made since the Windows 11, version 24H2 security baseline to further assist in the security of enterprise customers, to include better alignment with the latest capabilities and standards. The changes include what is depicted in the table below. Security Policy Change Summary Printer: Impersonate a client after authentication Add “RESTRICTED SERVICES\PrintSpoolerService” to allow the Print Spooler’s restricted service identity to impersonate clients securely NTLM Auditing Enhancements Enable by default to improve visibility into NTLM usage within your environment MDAV: Attack Surface Reduction (ASR) Add "Block process creations originating from PSExec and WMI commands" (d1e49aac-8f56-4280-b9ba-993a6d77406c) with a recommended value of 2 (Audit) to improve visibility into suspicious activity MDAV: Control whether exclusions are visible to local users Move to Not Configured as it is overridden by the parent setting MDAV: Scan packed executables Remove from the baseline because the setting is no longer functional - Windows always scans packed executables by default Network: Configure NetBIOS settings Disable NetBIOS name resolution on all network adapters to reduce legacy protocol exposure Disable Internet Explorer 11 Launch Via COM Automation Disable to prevent legacy scripts and applications from programmatically launching Internet Explorer 11 using COM automation interfaces Include command line in process creation events Enable to improve visibility into how processes are executed across the system WDigest Authentication Remove from the baseline because the setting is obsolete - WDigest is disabled by default and no longer needed in modern Windows environments Printer Improving Print Security with IPPS and Certificate Validation To enhance the security of network printing, Windows introduces two new policies focused on controlling the use of IPP (Internet Printing Protocol) printers and enforcing encrypted communications. The setting, "Require IPPS for IPP printers", (Administrative Templates\Printers) determines whether printers that do not support TLS are allowed to be installed. When this policy is disabled (default), both IPP and IPPS transport printers can be installed - although IPPS is preferred when both are available. When enabled, only IPPS printers will be installed; attempts to install non-compliant printers will fail and generate an event in the Application log, indicating that installation was blocked by policy. The second policy, "Set TLS/SSL security policy for IPP printers" (same policy path) requires that printers present valid and trusted TLS/SSL certificates before connections can be established. Enabling this policy defends against spoofed or unauthorized printers, reducing the risk of credential theft or redirection of sensitive print jobs. While these policies significantly improve security posture, enabling them may introduce operational challenges in environments where IPP and self-signed or locally issued certificates are still commonly used. For this reason, neither policy is enforced in the security baseline, at this time. We recommend that you assess your printers, and if they meet the requirements, consider enabling those policies with a remediation plan to address any non-compliant printers in a controlled and predictable manner. User Rights Assignment Update: Impersonate a client after authentication We have added RESTRICTED SERVICES\PrintSpoolerService in the “Impersonate a client after authentication” User Rights Assignment policy. The baseline already includes Administrators, SERVICE, LOCAL SERVICE, and NETWORK SERVICE for this user right. Adding the restricted Print Spooler supports Microsoft’s ongoing effort to apply least privilege to system services. It enables Print Spooler to securely impersonate user tokens in modern print scenarios using a scoped, restricted service identity. Although this identity is associated with functionality introduced as part of Windows Protected Print (WPP), it is required to support proper print operations even if WPP is not currently enabled. The system manifests the identity by default, and its presence ensures forward compatibility with WPP-based printing. Note: This account may appear as a raw SID (e.g., S-1-5-99-...) in Group Policy or local policy tools before the service is fully initialized. This is expected and does not indicate a misconfiguration. Warning: Removing this entry will result in print failures in environments where WPP is enabled. We recommend retaining this entry in any custom security configuration that defines this user right. NTLM Auditing Enhancements Windows 11, version 25H2 includes enhanced NTLM auditing capabilities, enabled by default, which significantly improves visibility into NTLM usage within your environment. These enhancements provide detailed audit logs to help security teams monitor and investigate authentication activity, identify insecure practices, and prepare for future NTLM restrictions. Since these auditing improvements are enabled by default, no additional configuration is required, and thus the baseline does not explicitly enforce them. For more details, see Overview of NTLM auditing enhancements in Windows 11 and Windows Server 2025. Microsoft Defender Antivirus Attack Surface Reduction (ASR) In this release, we've updated the Attack Surface Reduction (ASR) rules to add the policy Block process creations originating from PSExec and WMI commands (d1e49aac-8f56-4280-b9ba-993a6d77406c) with a recommended value of 2 (Audit). By auditing this rule, you can gain essential visibility into potential privilege escalation attempts via tools such as PSExec or persistence mechanisms using WMI. This enhancement helps organizations proactively identify suspicious activities without impacting legitimate administrative workflows. Control whether exclusions are visible to local users We have removed the configuration for the policy "Control whether exclusions are visible to local users" (Windows Components\Microsoft Defender Antivirus) from the baseline in this release. This change was made because the parent policy "Control whether or not exclusions are visible to Local Admins" is already set to Enabled, which takes precedence and effectively overrides the behavior of the former setting. As a result, explicitly configuring the child policy is unnecessary. You can continue to manage exclusion visibility through the parent policy, which provides the intended control over whether local administrators can view exclusion lists. Scan packed executables The “Scan packed executables” setting (Windows Components\Microsoft Defender Antivirus\Scan) has been removed from the security baseline because it is no longer functional in modern Windows releases. Microsoft Defender Antivirus always scans packed executables by default, therefore configuring this policy has no effect on the system. Disable NetBIOS Name Resolution on All Networks In this release, we start disabling NetBIOS name resolution on all network adapters in the security baseline, including those connected to private and domain networks. The change is reflected in the policy setting “Configure NetBIOS settings” (Network\DNS Client). We are trying to eliminate the legacy name resolution protocol that is vulnerable to spoofing and credential theft. NetBIOS is no longer needed in modern environments where DNS is fully deployed and supported. To mitigate potential compatibility issues, you should ensure that all internal systems and applications use DNS for name resolution. We recommend the following; test critical workflows in a staging environment prior to deployment, monitor for any resolution failures or fallback behavior, and inform support staff of the change to assist with troubleshooting as needed. This update aligns with our broader efforts to phase out legacy protocols and improve security. Disable Internet Explorer 11 Launch Via COM Automation To enhance the security posture of enterprise environments, we recommend disabling Internet Explorer 11 Launch Via COM Automation (Windows Components\Internet Explorer) to prevent legacy scripts and applications from programmatically launching Internet Explorer 11 using COM automation interfaces such as CreateObject("InternetExplorer.Application"). Allowing such behavior poses a significant risk by exposing systems to the legacy MSHTML and ActiveX components, which are vulnerable to exploitation. Include command line in process creation events We have enabled the setting "Include command line in process creation events" (System\Audit Process Creation) in the baseline to improve visibility into how processes are executed across the system. Capturing command-line arguments allows defenders to detect and investigate malicious activity that may otherwise appear legitimate, such as abuse of scripting engines, credential theft tools, or obfuscated payloads using native binaries. This setting supports modern threat detection techniques with minimal performance overhead and is highly recommended. WDigest Authentication We removed the policy "WDigest Authentication (disabling may require KB2871997)" from the security baseline because it is no longer necessary for Windows. This policy was originally enforced to prevent WDigest from storing user’s plaintext passwords in memory, which posed a serious credential theft risk. However, starting with 24H2 update, the engineering teams deprecated this policy. As a result, there is no longer a need to explicitly enforce this setting, and the policy has been removed from the baseline to reflect the current default behavior. Since the setting does not write to the normal policies location in the registry it will not be cleaned up automatically for any existing deployments. Please let us know your thoughts by commenting on this post or through the Security Baseline Community.Security Dashboard for AI: 3 Ways CISOs Drive Impact Today
AI is reshaping the enterprise and, with it, the threat landscape. Today's organizations face new threats with AI agents that modify configurations, execute workflows, and access data without direct human oversight. As a result, the gap between AI adoption and AI governance is widening, and CISOs face growing challenges to maintain visibility, control, and compliance across an increasingly complex ecosystem. As AI becomes embedded across the enterprise, CISOs face four key challenges: Scale without visibility: Over 75% of enterprises surveyed by PWC report they are already adopting AI agents. ¹ At the same time, over 80% of security teams surveyed by Nokod report visibility gaps into the applications and AI agents created within their organization. ² Rapid AI proliferation and evolving regulations make unified visibility across AI platforms, apps, and agents critical for CISOs. Fragmentation: Organizations rely on multiple siloed tools for AI asset visibility, making oversight fragmented and inefficient. According to Gartner’s 2024 survey of 162 enterprises, organizations use 45 cybersecurity tools on average. Expanding AI risk: AI proliferation is rapidly increasing the attack and risk surface, with the surge of AI-generated identities. By 2027, 4 out of 5 organizations will face phishing attacks powered by AI-generated synthetic identities, according to IDC. ³ This makes it harder for CISOs to track emerging threats, unmanaged assets, and shifting risk patterns. Overload: Alert fatigue is now a top challenge, with organizations now receiving an average of 2,992 security alerts daily, yet 63% go unaddressed. ⁴ Increasing AI risk without a way to prioritize what matters most compounds pressure on CISOs. In conversations between Microsoft and CISOs, one common need emerged: a single place to view integrated AI risk across the enterprise. To address these growing challenges, we are excited to provide CISOs with the Security Dashboard for AI, which recently became generally available. This unified dashboard aggregates posture and real-time risk signals from Microsoft Defender, Entra, and Purview into one unified, executive-level view of AI posture, risk, and inventory across agents, apps, and platforms. The Security Dashboard for AI helps CISOs: Gain unified AI risk visibility: Discover AI agents and applications and continuously monitor posture across the environment Prioritize critical risks: Correlate signals across identity, data, and threat protection to surface the most urgent issues Drive risk mitigations: Investigate activity and take action to help reduce exposure across the AI ecosystem The dashboard is capable of aggregating and surfacing AI risks from across Microsoft Defender, Entra, Purview - including Microsoft 365 Copilot, Microsoft Copilot Studio agents, and Microsoft Foundry applications and agents as well as cross-platform AI risks with Microsoft network-based or SDK-enabled integrations, and MCP servers. This supports comprehensive visibility and control, regardless of where applications and agents are built. As you activate Microsoft Security for AI capabilities, you can gain richer visibility into different aspects of your AI risk posture. Figure 1: Security Dashboard for AI in browser Getting Started with the Security Dashboard for AI The Security Dashboard for AI is provided at no additional cost to customers already using Defender, Entra, and/or Purview to protect their AI innovation. Based on how early adopter CISOs are using the dashboard, here are three ways you can start leveraging the dashboard today. 1. Manage Daily AI Risk Beyond reporting, you must stay hands-on with AI risks, scanning for emerging issues, verifying asset governance, and delegating remediations. The Security Dashboard for AI consolidates daily operations into a single pane of glass, surfacing critical alerts, unmanaged assets, and emerging risks. Use the dashboard as a daily AI risk radar, enabling rapid triage and ensuring you focus on the most urgent threats. Scan and triage daily AI risk: Start each day by identifying and prioritizing the highest-risk AI exposures. Risks are prioritized on severity reported by underlying security tools, helping you focus on the most critical exposures. Track AI asset inventory and monitor agent sprawl: Use the Inventory page to gain comprehensive visibility into all AI assets. Identify newly registered assets to mitigate the risk of shadow or unmanaged IT and surface inactive agents to proactively monitor and control agent sprawl. Delegate tasks for remediation: Move from insight to action by delegating tasks to your security team with easy click delegation. Delegation routes ownership via email or Microsoft Teams with notifications, due date, and ownership tracking. Delegate actions to specific roles such as global admin and AI administrator, without granting full access to underlying tools. Figure 2: Security Dashboard for AI risk page 2. Guide Briefings with Security Teams You require up-to-date intelligence to guide conversations with Security Teams about what is happening across the AI estate. The Security Dashboard for AI helps you anchor discussions in specific risks, trends, and ownership gaps surfaced in the data. The dashboard becomes a conversation driver, helping you ask the right questions about risk and security posture, to help ensure you and your team are triaging the right priorities. Because the dashboard consolidates signals from Defender, Entra, and Purview, both CISO and security teams operate from the same facts, enabling more outcome-driven discussions and faster prioritization, so you can shift the conversations from status updates to targeted action planning. Prioritize top AI Risk: Use the dashboard to help you prioritize the AI risk that matters the most. In preparation for team meetings, use Microsoft Security Copilot to explore AI risks, agent activity, and security recommendations via prompts to strengthen your AI security posture. With your team, take a closer look at risk vectors like data leakage, oversharing and unethical behavior, and discuss what actions need to be taken. Review Security Recommendations: Create a routine with your security team to review the recommended Microsoft security actions and track your progress over time. Across regular team check‑ins, review what has been addressed, what remains open, and which actions require follow‑up so you are prepared to respond to regulatory, audit, or executive questions with up‑to‑date metrics. Figure 3: Security Dashboard for AI inventory page Figure 4: Security Dashboard for AI delegation 3. Executive Reporting Reporting to the board on AI security posture has historically meant weeks of manual data gathering across multiple tools. The Security Dashboard for AI streamlines the data collection process with a single source of truth for AI risk, enabling confident, data-backed insights for your board presentations and conversations. Early adopters confirm the value and are using it for quarterly executive briefings. Prepare for Board Discussions: Use the dashboard to help get the right insights at the right altitude to help you prepare for discussions with your board. The Overview page aggregates identity, data security, and threat protection signals from Defender, Entra, and Purview into an AI risk scorecard with risk factors. The embedded Security Copilot AI-powered insights provide suggested prompts with risk assessments, summaries, and recommendations to help you prioritize what matters most. Extend Observability to Executive Stakeholders: Authorize AI risk follow‑ups to the appropriate security, identity, or governance owners using Microsoft Teams or email. Distribute visibility across GRC lead, AI governance, and IT leaders, while maintaining executive‑level oversight. Figure 5: Security Dashboard for AI Copilot prompt gallery Next Steps The Security Dashboard for AI helps CISOs manage AI risk faster, more confidently and more collaboratively with their team. Defender, Entra, and Purview signals are surfaced in a single pane of glass, providing observability across your AI estate. Drive faster triage, use data to support board-level discussions about AI risk, and enable coordinated action with integrated insights, recommendations, and delegation to help accelerate remediation across existing security workflows. The Security Dashboard for AI is generally available now. If your organization uses Microsoft Defender, Entra, and/or Purview, you already have access, no additional licensing is required. Visit ai.security.microsoft.com to access the dashboard directly, or navigate to it from the Defender, Entra, or Purview portals. Learn more about the Security Dashboard for AI on the MS Learn page and the Security Dashboard for AI Security Blog. Discover new features in the Security Dashboard for AI such as the Security Reader role, new delegation flow, and new identity risk section here. ¹AI agent survey. PwC, May 2025 ²Security Teams Taking on Expanded AI Data Responsibilities. Bedrock Data, March 2025 ³IDC FutureScape: Worldwide Security and Trust 2026 Predictions, November 2025 ⁴2026 State of Threat Detection and Response Report. Vectra AI, February 2026Security Dashboard for AI - Now Generally Available
AI proliferation in the enterprise, combined with the emergence of AI governance committees and evolving AI regulations, leaves CISOs and AI risk leaders needing a clear view of their AI risks, such as data leaks, model vulnerabilities, misconfigurations, and unethical agent actions across their entire AI estate, spanning AI platforms, apps, and agents. 53% of security professionals say their current AI risk management needs improvement, presenting an opportunity to better identify, assess and manage risk effectively. 1 At the same time, 86% of leaders prefer integrated platforms over fragmented tools, citing better visibility, fewer alerts and improved efficiency. 2 To address these needs, we are excited to announce the Security Dashboard for AI, previously announced at Microsoft Ignite, is now generally available. This unified dashboard aggregates posture and real-time risk signals from Microsoft Defender, Microsoft Entra, and Microsoft Purview - enabling users to see left-to-right across purpose-built security tools from within a single pane of glass. The dashboard equips CISOs and AI risk leaders with a governance tool to discover agents and AI apps, track AI posture and drift, and correlate risk signals to investigate and act across their entire AI ecosystem. Security teams can continue using the tools they trust while empowering security leaders to govern and collaborate effectively. Gain Unified AI Risk Visibility Consolidating risk signals from across purpose-built tools can simplify AI asset visibility and oversight, increase security teams’ efficiency, and reduce the opportunity for human error. The Security Dashboard for AI provides leaders with unified AI risk visibility by aggregating security, identity, and data risk across Defender, Entra, Purview into a single interactive dashboard experience. The Overview tab of the dashboard provides users with an AI risk scorecard, providing immediate visibility to where there may be risks for security teams to address. It also assesses an organization's implementation of Microsoft security for AI capabilities and provides recommendations for improving AI security posture. The dashboard also features an AI inventory with comprehensive views to support AI assets discovery, risk assessments, and remediation actions for broad coverage of AI agents, models, MCP servers, and applications. The dashboard provides coverage for all Microsoft AI solutions supported by Entra, Defender and Purview—including Microsoft 365 Copilot, Microsoft Copilot Studio agents, and Microsoft Foundry applications and agents—as well as third-party AI models, applications, and agents, such as Google Gemini, OpenAI ChatGPT, and MCP servers. This supports comprehensive visibility and control, regardless of where applications and agents are built. Prioritize Critical Risk with Security Copilots AI-Powered Insights Risk leaders must do more than just recognize existing risks—they also need to determine which ones pose the greatest threat to their business. The dashboard provides a consolidated view of AI-related security risks and leverages Security Copilot’s AI-powered insights to help find the most critical risks within an environment. For example, Security Copilot natural language interaction improves agent discovery and categorization, helping leaders identify unmanaged and shadow AI agents to enhance security posture. Furthermore, Security Copilot allows leaders to investigate AI risks and agent activities through prompt-based exploration, putting them in the driver’s seat for additional risk investigation. Drive Risk Mitigation By streamlining risk mitigation recommendations and automated task delegation, organizations can significantly improve the efficiency of their AI risk management processes. This approach can reduce the potential hidden AI risk and accelerate compliance efforts, helping to ensure that risk mitigation is timely and accurate. To address this, the Security Dashboard for AI evaluates how organizations put Microsoft’s AI security features into practice and offers tailored suggestions to strengthen AI security posture. It leverages Microsoft’s productivity tools for immediate action within the practitioner portal, making it easy for administrators to delegate recommendation tasks to designated users. With the Security Dashboard for AI, CISOs and risk leaders gain a clear, consolidated view of AI risks across agents, apps, and platforms—eliminating fragmented visibility, disconnected posture insights, and governance gaps as AI adoption scales. Best of all, the Security Dashboard for AI is included with eligible Microsoft security products customers already use. If an organization is already using Microsoft security products to secure AI, they are already a Security Dashboard for AI customer. Getting Started Existing Microsoft Security customers can start using Security Dashboard for AI today. It is included when a customer has the Microsoft Security products—Defender, Entra and Purview—with no additional licensing required. To begin using the Security Dashboard for AI, visit http://ai.security.microsoft.com or access the dashboard from the Defender, Entra or Purview portals. Learn more about the Security Dashboard for AI at Microsoft Security MS Learn. 1AuditBoard & Ascend2 Research. The Connected Risk Report: Uniting Teams and Insights to Drive Organizational Resilience. AuditBoard, October 2024. 2Microsoft. 2026 Data Security Index: Unifying Data Protection and AI Innovation. Microsoft Security, 2026The Advantages of Premium Cases in Purview eDiscovery
Capacity & Scale Feature Description Advantage over E3 Enhanced Limits Supports significantly higher limits, including eDiscovery case count and export volume. For example, up to 50,000 cases and 5 TB per search in E5 (versus 10,000 cases and 2 TB in E3). Handles large investigations without splitting into multiple cases or searches. E3’s lower limits would force breaking up big jobs, adding overhead and risk of errors. E5’s higher capacity means fewer workarounds and seamless handling of large-scale litigation. Tenant-Wide eDiscovery Process and Holds Reports (Preview) Provides a central dashboard of all eDiscovery activities and eDiscovery holds across the tenant. Compliance and IT teams get at-a-glance status of ongoing jobs and active holds. Improves oversight and management efficiency for eDiscovery. E3 lacks centralized reporting, making it harder to track many cases. E5’s reporting gives better visibility into operations, which is crucial for heavy workloads and tight deadlines. Expanded Hold Capacity Each legal hold in E5 can encompass up to 2,000 mailboxes and 2,000 sites in one policy. E3 holds are limited to 1,000 mailboxes or 100 sites per policy. Enables placing very large custodian sets on hold with a single action. In E3, exceeding hold limits means juggling multiple policies for one case, increasing complexity. E5 simplifies hold management by consolidating more custodians per hold, reducing admin burden. Search & Collection Feature Description Advantage over E3 Advanced Search Filters Offers richer search criteria beyond keywords. You can filter by sensitive info types (credit cards, SSNs), specific message IDs, or sensitivity labels on documents. This helps pinpoint relevant sensitive content directly. Enables more precise and speedy discovery of critical data. In E3, finding the same info might require complex keyword strings or separate tools (with a higher chance of missing items). E5’s advanced filters mean faster, targeted searches for things like confidential data or GDPR content. Data Source Sync Allows you to refresh custodians’ data sources in a search or hold to catch updates to locations. For example, if a custodian adds a new OneDrive, E5 will detect and prompt you to include it. Ensures no content location is overlooked as the case evolves. E3 has no easy way to know if data moved or new sites were created, potentially leaving gaps. E5’s sync provides complete and defensible collection by keeping holds/searches up-to-date. Cloud Attachment Collection (Hyper-linked Documents) Automatically collects the content of files shared via cloud links (OneDrive/SharePoint) in emails or chats. E5 can retrieve the actual document (and its versions) that was linked, even pulling the specific version that was shared at the time if the version shared feature is enabled. Preserves evidence that E3 would miss. E3 eDiscovery does not fetch linked file content. It would only show a hyperlink, making it difficult to return the associated file. E5 ensures linked documents (with version history) are collected, so the full context of communications is retained. Conversation Threading (Chats & Email) Reconstructs conversations in a threaded view for Microsoft Teams chats and email chains. Reviewers can see messages in context (like a chat transcript or email thread) rather than as isolated items. Greatly improves contextual understanding. E3 exports chats as separate messages with no threading, making it hard to follow the story. E5’s threaded view lets reviewers grasp the full conversation at a glance, reducing confusion and ensuring nothing is interpreted out of context. Custodian & Hold Management Feature Description Advantage over E3 Case-Level Custodian Management Provides a dedicated tab to manage custodians (people) within each case. You add custodians once and can easily apply holds or searches to all their data without re-entering their information each time. Streamlines hold setup and ensures clarity on who is in the case. E3 has no concept of custodians. You must manually input email or site addresses for each search/hold. E5’s approach saves time, reduces errors, and gives a clear view of all people involved in the matter. Bulk Custodian Import Supports importing up to 1,000 custodians at once from a list into a case. Useful for large investigations (e.g., adding an entire department as custodians in one go). Dramatically faster setup for big cases. In E3, adding hundreds of people means typing or pasting each individually, which is time-consuming and error prone. E5’s bulk import means quick, one-time setup for large custodian lists, ensuring no one is missed. “Explore & Add” Custodian Sources Provides an intelligent way to discover related data sources for a given custodian. For example, it can list Teams, SharePoint sites, or groups the person is part of, and let you add those to the case. Helps capture all relevant locations for each person. In E3, you might overlook a Teams channel or group mailbox a custodian was involved in. E5’s explore feature surfaces those connections, improving completeness of your holds and searches by including collaboration spaces that might otherwise be missed. In-Place Review & Analytics Feature Description Advantage over E3 Advanced Indexing and OCR Automatically re-indexes content that was partially indexed or had errors and performs OCR (Optical Character Recognition) on images to extract text. This means files with images or previously unsearchable formats become searchable in E5. Ensures “no stone is left unturned.” E3 would flag such content as “unindexed” (meaning you know a file exists but not what’s inside it). With E5, far more data is searchable, even text inside images or scanned PDFs, reducing the amount of partially indexed content and the chance of missing critical evidence due to format issues. In-Place Review Sets Lets you create a review set of collected data in the cloud. Review sets offer contextual review of conversations, powerful query and filtering capabilities, and query reports for additional insights. Pre-review culling is possible in E5. E3 has no in-product review capability. You must export everything to an outside tool for examination. E5’s review sets allow the team to filter out irrelevant data and focus on what matters before exporting. This reduces the volume (and cost) of data sent for attorney review and keeps data in a secure, auditable environment during analysis. Tagging and Metadata Filters Enables applying tags (labels like “Responsive,” “Privileged,” “Personal Data”) to documents and emails in a review set, and filtering by these tags or other metadata fields. Improves organization and review workflow. E3 cannot tag items in-place, so keeping track of important documents is harder. In E5, tagging allows systematic categorization for quick retrieval (e.g., find all items tagged Highly Relevant instantly). These tags also carry over on export, so any work done during review isn’t lost when handing off to external counsel. Email Threading and Analytics Automatically identifies and stitches together email threads, showing only the last inclusive email that contains the entire conversation. Earlier duplicate emails in the chain are noted and can be skipped. Cuts down review volume and improves context. E3 reviewers would see every single email (even if content repeats across replies). This saves review time and ensures attorneys see the full discussion in one place rather than piecemeal. Conversation View Displays collected Teams (and other chat) messages in a conversation format in a review set, similar to how one would view a chat in the app, instead of individual out-of-context messages. Makes reviewing chat evidence much easier. In E3, chat messages are isolated, forcing reviewers to manually piece together who said what when. E5’s conversational view provides full context at a glance, so nothing is misunderstood or missed in chat-based communications. Near-Duplicate Detection Finds and groups nearly identical documents (e.g. multiple versions of a file or emails with only slight differences). Reviewers are informed which items are alike. Saves time and ensures consistency. E3 requires manually spotting similar files. E5 can let a reviewer examine one version and then quickly tag all its close duplicates the same way. This speeds up review and ensures similar content is handled uniformly (no conflicting judgments on essentially the same document). Themes (Topic Analytics) Uses analytics to cluster documents by themes/topics. For example, it might reveal a group of emails all discussing “Project X” or detect an unusual theme (like frequent mentions of “resignation”). Uncovers hidden patterns that simple keyword searches in E3 might miss. This insight helps investigators spot important threads of discussion or issues they weren’t explicitly searching for, leading to a more thorough understanding of the data set. It adds a layer of proactive insight absent in E3. Global Deduplication Automatically de-duplicates exact copies of emails or files across all custodians using review sets. Each unique item is retained once for review, with duplicates noted. Prevents redundant review work. In E3, the same email stored in five mailboxes would appear five times and could be reviewed and tagged inconsistently by different people. E5’s deduplication means reviewers spend time only on unique content improving efficiency and ensuring consistency in treatment of identical items. Export & Integration Feature Description Advantage over E3 Guest Reviewer Access Allows secure, read-only external access to a review set for outside experts (like outside counsel). Guest reviewers can be invited to review and tag documents in your E5 case via secure Azure AD access (with MFA), without data leaving the tenant. Enables collaboration with outside counsel without exporting data. E3 cannot extend access to external users. You’d have to export files and send them out, which is slower and riskier. E5 keeps the data in-place and governed, letting external reviewers work more efficiently while your organization retains control and visibility. Import External Data Supports ingestion of data from outside M365 into eDiscovery. You can load files like PST emails, PDFs, or documents from file shares into an E5 review set, maintaining custodians’ identity and metadata. Brings all relevant data under one roof. E3 cannot handle content beyond Exchange/SharePoint/Teams, so any non-M365 data would be reviewed separately. E5’s ingestion means even file server or third-party data can be included in the case, making your eDiscovery truly comprehensive and eliminating blind spots between different systems. Rich Export with Metadata Exports include a detailed load file with extensive metadata from the review (custodian info, email thread indices, attachment names, message IDs, tags applied, etc.). This is in addition to the actual content files. Simplifies downstream processing and preserves review decisions. E3’s export is basic (limited metadata), often requiring additional data processing in third-party tools. E5’s comprehensive load file means that all important context (including tags like “Privileged” that your team applied) travels with the exported data, so external reviewers immediately see those cues. This saves time and prevents rework. MIP Search and Decryption Integration Can automatically decrypt protected content (encrypted by Microsoft Information Protection, e.g. with sensitivity labels/Azure RMS) during eDiscovery. Encrypted emails and documents are made readable and searchable when added to a review set. Ensures encrypted files aren’t “invisible” in your investigation. E3 often cannot search or preview MIP-protected emails/docs until they’re manually decrypted after export (if at all). E5 seamlessly includes these encrypted items in search results and review, so you don’t miss evidence that was simply locked behind encryption. Insider Risk Management Escalation Integrates with Microsoft Insider Risk Management (IRM) alerts. With E5, if an insider risk policy flags a user (e.g., for a potential data theft), you can one-click escalate to create an eDiscovery case that automatically targets that user’s content around the incident. Enables a fast, seamless response to insider threats. E3 has no IRM at all, so there’s no such trigger. In E5, the moment a high-risk activity is detected, the legal team can immediately jump into collecting and reviewing the related data. This tight integration means quicker investigations and potentially mitigating issues before they escalate. Communication Compliance Escalation Ties into Communication Compliance (E5’s internal communications monitoring for policy violations). If a serious policy violation is found (e.g., harassment in Teams chats or inappropriate sharing of sensitive info), it can be escalated directly into an eDiscovery case for further investigation. Offers proactive discovery of misconduct. E3 lacks built-in communication monitoring, so issues may go unnoticed until too late. With E5, compliance officers can swiftly pivot from detecting a problem to launching a full eDiscovery inquiry, ensuring faster and more thorough handling of incidents like HR violations or data leaks. Graph API & Automation Fully supports the Microsoft Graph API for eDiscovery. This means eDiscovery tasks (case creation, adding custodians, running searches, exporting data) can be automated or integrated into other applications via scripting/programming without additional cost. While API support is supported for E3, the E3 export API is a metered solution. E5 allows organizations to streamline eDiscovery workflows – for example, auto-create a case and hold when HR flags an employee exit, or integrate with third-party legal management tools without additional cost. Teams and Copilot Interactions Purge Provides an incident response capability to search and purge Teams chats or Microsoft 365 Copilot interactions if sensitive information was shared. Authorized investigators can directly delete up to 100 Teams chat messages (across participant mailboxes) in one go via the eDiscovery interface (leveraging Graph API) when necessary to contain a data leak. Allows quick containment of spills that E3 cannot do. E3’s content search can purge emails but cannot delete Teams messages or Copilot content. With E5, if confidential data pops up in a Teams chat, compliance can not only find it but also bulk-delete those messages from user mailboxes to mitigate further exposure. This capability is crucial for responding to internal data mishandling in real time.
Partner Center Enrollment Blocked – Trust Code 715-123160 – Requesting Manual Review
Hello Microsoft Partner Community Team, We are attempting to enroll our company in the Microsoft AI Cloud Partner Program, but our registration is being blocked by the automated trust verification system. We are a legitimate, legally registered business operating in the cloud connectivity industry. Our DUNS number and all company information entered during enrollment are accurate and match our official government records. Error details: Reference Number: 715-123160 Transaction ID: 0e136d6b-9164-41c3-be26-9b301c9aac24 Correlation ID: f8085e89-17fd-4b2a-8b47-40aea3030d82 Due to this block, our Partner Center account has no active workspaces, which means we are completely unable to create a support ticket through the standard Partner Center portal. We have also tried the partner.microsoft.com/support page, but it redirects us back to Partner Center — creating a loop with no resolution. We are kindly requesting: Escalation to the Partner Center Vetting / Trust & Safety team for manual review A reset or unblock of our enrollment so we can complete registration Guidance on any documentation required (business registration, address proof, domain ownership, etc.) — we are ready to provide everything immediately for email contact, please contact the email address we leave on the request (format as: email address removed for privacy reasons) Thank you in advance for your assistance.Collecting Microsoft 365 Copilot Data with Microsoft Purview eDiscovery
Copilot Data Collection Reference Table Data Type Storage Location Item Class Collection Strategy Copilot Prompts (user questions sent to M365 Copilot) Exchange Online: Hidden folder in the user's mailbox. Compliance copies stored similar to Teams chats, but with unique item classes. IPM.SkypeTeams.Message.Copilot.<AppName> (e.g., .Word, .Excel, .Outlook, .BizChat). Additional AI-related classes may also apply: IPM.SkypeTeams.Message.ConnectedAIApp*, IPM.SkypeTeams.Message.CloudAIApp*, IPM.SkypeTeams.Message.TeamCopilot*, IPM.SkypeTeams.TeamCopilot* 1. Add the user's Exchange mailbox as a data source to the search. 2. In the condition builder you can optionally filter the search to only return Copilot prompts by adding a condition of "Item class contains any of Copilot activity". This automatically applies all relevant M365 Copilot item classes as a condition of the search. 3. Add any further additional conditions such as date range or keywords to narrow results as required. You can also use the Item Class condition to exclude M365 Copilot interactions from your collections when targeting a user’s mailbox. Notes: · Additional item classes may be added. The item class condition will be updated accordingly. Copilot Responses (AI-generated answers) Exchange Online: The same hidden folder in the user's mailbox as prompts. The same IPM.SkypeTeams.Message.Copilot.<AppName> pattern as prompts The same collection strategy used for prompts. Copilot Memories (personalized saved information Copilot "remembers") Exchange Online: Hidden CopilotMemory subfolder within the user's mailbox contacts. Stored as contact entries separate from prompts and responses. IPM.Contact Each memory item appears as a contact card within Exchange, which is distinct from the message-based item classes used for prompts/responses. 1. Add the user's Exchange mailbox as a data source to the search. 2. In the condition builder you can optionally filter the search to only return Contacts by adding a condition of "Item class contains any of Contacts". Notes: · Copilot memories will not be preserved under a legal hold or retention policy. · This will return both Copilot memories stored in contacts as well as traditional contacts from the user’s Exchange mailbox. Copilot Pages (AI-generated, user-editable documents) SharePoint Online: Stored in a user-owned SharePoint embedded container (shared with Loop workspace content and Copilot Notebooks). File format is .page. Not stored in the user's mailbox. N/A These are SharePoint files (not Exchange items), so no item class applies. Identify them in search results by the .page file extension. 1. Add the custodian’s SharePoint embedded site URL as a data source to the search. Alternatively, tenant-wide searches of all SPO sites will include all SharePoint Embedded containers 2. Optionally use the condition builder with conditions such as date range, keywords or file type to further filter results returned Facilitator agent interactions in a Team meeting chat Exchange Online: Hidden folder in all meeting attendees’ mailboxes. Compliance copies stored as Teams chats IPM.SkypeTeams.Message 1. Add the user's Exchange mailbox as a data source to the search. 2. In the condition builder you can optionally filter the search to only return Copilot prompts by adding a condition of "Item class contains any of Instant messages". 3. Add any further additional conditions such as date range or keywords to narrow results as required. Facilitator agent meeting notes (loop) SharePoint Online: Facilitator meeting notes are stored as a .loop file in a OneDrive folder titled Meetings of the user who initiated Facilitator in Teams N/A These are SharePoint files (not Exchange items), so no item class applies. Identify them in search results by the .loop file extension. 1. Add the user's OneDrive URL as a data source to the search. 2. In the condition builder you can optionally filter the search to only return loop files by adding a condition of "File type equals any of loop". 3. Add any further additional conditions such as date range or keywords to narrow results as required. Notes: · With eDiscovery premium enabled cases you can follow the standard workflow for collecting Team meeting messages and select to include cloud attachments in your collection. This will automatically pull into the export or review set any Facilitator agent meeting notes. Facilitator created word/loop documents SharePoint Online: When the facilitator agent is asked to create a word or loop document during a meeting they are stored in the requesters OneDrive in a folder called N/A These are SharePoint files (not Exchange items), so no item class applies. Identify them in search results by the .loop file extension. 1. Add the user's OneDrive URL as a data source to the search. 2. In the condition builder you can optionally filter the search to only return loop and doc files by adding a condition of "File type equals any of loop, docx". 3. Add any further additional conditions such as date range or keywords to narrow results as required. Notes: · With eDiscovery premium enabled cases you can follow the standard workflow for collecting Team meeting messages and select to include cloud attachments in your collection. This will automatically pull into the export or review set any Facilitator generated loop or word documents. Facilitator generated and assigned tasks Exchange Online: When the facilitator agent creates and assigns a task to an individual, it is created as a to-do item in the assigned individual's Exchange Mailbox IPM.Task 1. Add the user's Exchange mailbox as a data source to the search. 2. In the condition builder you can optionally filter the search to only return Tasks by adding a condition of "Item class contains any of Tasks". 3. Add any further additional conditions such as date range or keywords to narrow results as required. Application-Specific Item Classes for Prompts & Responses For more granular filtering by Copilot application, the following item class values can be used in KQL queries: Application Context Item Class Value Microsoft Copilot Chat (BizChat / Teams) IPM.SkypeTeams.Message.Copilot.BizChat Copilot in Excel IPM.SkypeTeams.Message.Copilot.Excel Copilot in Loop IPM.SkypeTeams.Message.Copilot.Loop Copilot in Outlook IPM.SkypeTeams.Message.Copilot.Outlook Copilot in PowerPoint IPM.SkypeTeams.Message.Copilot.PowerPoint Copilot in Teams IPM.SkypeTeams.Message.Copilot.Teams Copilot in Whiteboard IPM.SkypeTeams.Message.Copilot.Whiteboard Copilot in Word IPM.SkypeTeams.Message.Copilot.Word To target all Copilot applications at once, use the wildcard query ItemClass:IPM.SkypeTeams.Message.Copilot.*. For a wider list of AI data sources, see the following link: https://learn.microsoft.com/en-us/purview/edisc-search-copilot-data#data-sources-for-ai-data Important Notes for eDiscovery Practitioners Excluding Copilot Data from Broader Searches Because Copilot prompts and responses reside in the same Exchange mailbox as emails and Teams chats, they will appear in broad mailbox searches unless explicitly filtered out. To exclude Copilot items, use the condition "Item Class Contains none of Copilot activity" in the condition builder, or add (-ItemClass:IPM.SkypeTeams.Message.Copilot.*) in KQL. Some eDiscovery managers run separate searches, one for Copilot data and one for other communications, to keep collections distinct. Copilot Memories: Retention & Hold Limitations Purview retention policies and eDiscovery holds do not currently apply to Copilot memory items. Memory items remain until a user deletes them or an admin explicitly removes them via eDiscovery or Graph API. Additionally, deleting a Copilot prompt and response does not delete any memory derived from that conversation. Memories must be removed separately if required. Copilot Pages: Do Not Treat Like Prompts/Responses Copilot Pages are not stored in Exchange mailboxes. Searching only a custodian’s mailbox will not return Copilot Pages. Treat Copilot Pages the same way as you do for SharePoint content in your existing eDiscovery workflow. For collections, keyword searches will generate hits on text content within the .page file if either the SharePoint Embedded URL is included in the search or the search is a tenant-wide search of all SharePoint sites Be aware that full-text search within .page files in Purview eDiscovery review sets is not currently available. Instead you can use filters such as Subject/Title or Native File Type to locate Copilot Pages in your review set and review the content. When an eDiscovery hold is placed on a custodian’s mailbox, it does not automatically extend to the SharePoint Embedded site where the Copilot Pages are stored. Instead, ensure the hold policy includes the URL for the user-owned SharePoint Embedded site that contains the Copilot Page(s) that must be preserved. Audit Logs vs. eDiscovery for Copilot Content Audit logs record that a Copilot interaction occurred (time, user, workload context) but do not include the actual prompt or response text. To retrieve the substance of Copilot interactions, use Purview eDiscovery searches against the mailbox. Copilot Prompts and Responses: HTML Transcription Copilot prompts and responses are stored as individual messages within the user’s mailbox. When collecting Copilot interactions, enabling the “Organize conversations into HTML transcripts” premium option will convert these individual messages into HTML transcripts making for easier review and linkage between the user’s original prompt and the Copilot responses. Copilot Prompts and Responses: Contextual prompts and responses When using the Keywords condition as part of your collection in eDiscovery, it will only return items that match the keywords included in the query. This means that you may only return a part of the Copilot interaction. If using keywords in your collection query you can enable the “Include full conversation for Copilot, Teams and Viva Engage messages” premium option. This will include in the export or review set any prompts or responses from the Copilot interaction within a 12-hour window before and after each responsive item. This means that you are able to see the full context of the prompt or response that was responsive to search. Collecting Referenced Documents (Cloud Attachments) Copilot responses may reference or summarize SharePoint/OneDrive files. When collecting Copilot interactions, enabling the "Access links (cloud attachments) in messages" premium option will additionally collect the files referenced in the prompt or response and include them in the export package. This provides full evidentiary context but can significantly increase export size and processing time so consider if collecting these artifacts are relevant to the investigation. If so, look to use additional conditions such as date to effectively manage volumes or reduce the number of custodians in the collection. Facilitator agent in Microsoft Teams Meetings The Facilitator agent in Microsoft Teams is an AI-powered assistant (included with Microsoft 365 Copilot) that enhances meeting productivity by generating real-time notes, summarizing key decisions, and managing action items. It acts as an active participant, allowing for collaborative editing of notes and answering chat questions during calls. As the Facilitator works within the context of Microsoft Teams meetings (scheduled private meetings only) your existing workflows for collecting Microsoft Teams meetings chat should be used. In addition, enabling the "Access links (cloud attachments) in messages" premium setting will automatically collect any meeting note (loop) or loop or word documents created by the Facilitator agent. Copilot Retention Reference Table Data Type Microsoft Purview Retention Policy Location/Scope Copilot prompts and responses Microsoft Copilot experiences Copilot Memories (personalized saved information Copilot "remembers") Not supported Copilot Pages (AI-generated, user-editable documents) SharePoint classic and communications sites (Static Scopes only) Facilitator interactions in a Team meeting Teams chats Facilitator meeting notes (loop) OneDrive Accounts Facilitator created word/loop documents OneDrive Accounts Facilitator generated and assigned tasks Exchange mailboxes (Tasks with end dates only)Speed where it matters: How Microsoft Intune helps IT prioritize time-sensitive actions
By: Albert Cabello Serrano | Principal Product Manager - Microsoft Intune A closer look at how Intune delivers updates to devices and the investments we’re making to help important changes move faster and more predictably. A common concern we hear from IT admins is, “How quickly will this change actually reach my device?” In many cases, the answer is much faster than expected. Today, 90% of policy updates, app deployments, and device actions in Intune are completed in under an hour. So where does the idea of “8-hour latency” come from? That number reflects a routine maintenance check-in used when devices are idle - not how Intune processes meaningful changes. Intune uses notification-based, priority-driven processing so that high-impact actions, like security policy changes or remediation steps, are handled promptly and reliably as possible. In this context, latency isn’t about making every action instant - it’s about providing predictable, prioritized delivery at global scale. The sections below break down how Intune prioritizes different types of updates and recent investments that are helping time-sensitive changes complete more consistently. How Intune delivers changes to devices Cloud-based device management is designed for real-world conditions; devices are not always online, fully charged, or on stable networks. Intune uses an eventual consistency model so devices can continue to be productive while converging to the desired state over time, without management actions unnecessarily disrupting users or workflows. Because devices operate in different conditions, not all device activity is handled the same way. To manage change reliably at scale, Intune uses different types of device check-ins depending on what needs to happen. Types of device check-ins in Intune Device check-ins generally fall into several categories, each triggered by a different type of action: Single‑device check‑ins: Occurs when an admin or user initiates an action on a specific device, such as starting a device action or installing an app from the Intune Company Portal. Change‑based check‑ins: Push‑triggered check‑ins used to deliver meaningful changes to devices as soon as possible. Client‑initiated check‑ins: Background activity that helps keep devices healthy, such as when a user signs in to a device or when malware status changes. Maintenance check-ins: Scheduled syncs that occur at predetermined intervals and can be client or service-initiated, depending on the platform. These typically occur approximately every 8 hours. Regardless of what triggers a check-in, any pending changes will be applied to the device when it occurs. What happens when an admin makes a change When an admin makes a change in Intune, such as updating a device compliance policy, deploying an app, or setting a configuration, Intune identifies the devices impacted by that change and initiates a change‑based check‑in for affected devices. For online devices, Intune sends a push notification prompting the device to establish a management session with the service, apply the change, and report enforcement status back to Intune. If a device is offline or unreachable, the change is applied when the device next checks in through available mechanisms. Four investments that help critical updates move forward faster The following product changes focus on reducing device‑change latency by shortening the time between an admin action in Intune and enforcement on the device, especially during peak or constrained conditions. 1. Check-in prioritization focused on what matters most Not all device activity carries the same urgency. Routine background check-ins can compete for service resources with devices that have important pending changes, such as compliance updates, remediation actions, or administrator-initiated configuration changes. Intune evaluates the potential impact of delaying a device check-in on security posture, compliance state or user productivity, and dynamically prioritizes processing accordingly. This real-time prioritization model ensures that high-impact actions move forward without being delayed by lower‑impact background activity. Prioritization adapts as conditions change, helping important updates reach devices more quickly and predictably without being delayed by lower-impact background activity. 2. Built-in resilience when multiple changes occur in quick succession Change activity often happens in bursts, with several related updates occurring in rapid succession. These periods of activity may be driven by operational needs or background processes, and can involve adjusting assignments, updating multiple policies, or rolling out configuration changes across the same set of devices. Intune dynamically coordinates notifications, so that each change requiring action triggers a corresponding device notification, even during high-activity periods. This helps improve consistency when applying multiple updates and reduces delays across consecutive changes on devices. Over the next several months, these improvements will extend to additional payloads delivered through the Intune Management Extension (IME), including scripts, Win32 apps, and custom compliance across both Windows and macOS platforms. 3. More timely notifications on Windows Intune notifies devices to check-in when changes require action. If the device is offline, on an unstable network, or low on battery, notifications may be delayed. This can cause missed check-ins or delayed actions. When notification services are delayed, blocked, or unavailable, devices may fall back to scheduled maintenance check‑ins to apply changes. For timely delivery, required notification service endpoints need to remain accessible so devices can receive management signals when updates occur. On Windows devices, Intune complements the Windows Notification Service (WNS) with the same notification protocol that powers Microsoft Teams via the Intune Management Extension. This helps increase the likelihood that devices receive management notifications when they’re online and reachable, improving visibility into whether policy updates or device actions have reached their destination. For more information, see the network endpoints for Intune documentation. 4. Optimized maintenance check-ins for iOS devices Background check-ins are still important to keep devices healthy when nothing else is going on. Unlike Windows devices, iOS devices don’t have client scheduled check‑ins and depend on service‑initiated maintenance check‑ins to ensure device health and compliance. During peak usage periods, these maintenance check‑ins can account for a significant portion of overall traffic, which can compete with devices that require immediate updates. Intune considers device activity in the scheduling of maintenance check‑ins during peak activity, making room for higher‑impact updates, while continuing to ensure devices check in regularly. This helps manage traffic and improves responsiveness when applying policies or remediation actions. What this means for you For IT admins: No additional configuration or workflow changes are required to benefit from Intune’s built-in notification system. When bidirectional communication with notification service endpoints is open, devices can receive and act on updates as they become available. For security teams: Faster delivery of device changes helps shorten the time between a policy update, a tightened Conditional Access rule, an updated compliance baseline, and a remediation action. For Zero Trust frameworks, where posture signals drive access decisions, this helps narrow the window during which a device could be out of compliance or vulnerable. Together, these improvements reflect how Intune is evolving into a more intelligent, priority-aware system. Rather than making every action instant, the focus is on prioritizing high-impact updates so they are delivered without unnecessary delays. This approach is expanding across a number of scenarios to provide a more consistent and predictable experience, helping reduce delays for key updates. Resources to learn more For another perspective on this topic, read an MVP’s take on demystifying the “8-hour” timing myth in this LinkedIn post. You can also watch the recent Tech Takeoff about this same topic to learn more about these improvements. Also, in the April edition of the What's New in Intune blog, we introduced a new segment called Myth vs. Reality. This post is part of that series. To stay current on new capabilities and updates as they ship, follow the What's New in Microsoft Intune blog. What myth should we debunk next? Leave a comment below or reach out to us on X @IntuneSuppTeam or @MSIntune.Extracting and Auditing Azure DevOps Permissions at Scale with PowerShell
Managing access in Azure DevOps is easy at small scale — and increasingly opaque as organizations grow. This post introduces ADO Permissions Output, an open-source PowerShell toolset that queries Azure DevOps REST APIs across 30+ security namespaces, decodes bitmask permissions, resolves cryptic GUIDs and tokens into readable names, and produces structured JSON/CSV output ready for Power BI. It also surfaces "ghost" members — users who appear in ADO through nested Entra groups but hold no active entitlement — which the standard Graph API alone cannot detect. Whether you're preparing for a compliance review or just want to know who actually has access to what, this tool closes the gap between the ADO portal and a complete audit picture.
