Priority Cleanup for SharePoint Online and OneDrive for Business Is Generally Available
Priority cleanup is a Microsoft Purview solution that allows tenants to remove items even when the items are subject to retention hold. That sounds like Priority cleanup goes against the nature of data governance, but sometimes it's more important to remove items than to keep them for their full retention period. This article explains how Priority Cleanup works and some of the important concepts that you need to master before removing anything. https://practical365.com/priority-cleanup-for-sharepoint/A Quick Look at Purview Data Security Investigations
During the quiet holiday period, I tested the new Purview Data Security Investigations (DSI) solution, which seems to be put together from bits of Microsoft 365 together with Security Copilot and some generative AI. Assembling new solutions from existing components makes sense because it reduces engineering effort. Without real data, it's hard to know how effective DSI is, but the cost of an investigation came as a real surprise. https://office365itpros.com/2026/01/06/data-security-investigation/SharePoint Online Dumps Legacy Compliance Features
MC1211579 (3 January 2026) announces the retirement of four legacy SharePoint compliance features in favor of Purview Data Lifecycle management and Records management. It’s always unsurprising when Microsoft chooses to remove old features developed for on-premises and replaces them with better online options, which is exactly what’s happening here. Some tenants might face additional licensing requirements for Purview. https://office365itpros.com/2026/01/05/sharepoint-compliance-legacy/
Conditional Access - Policy AND'ing - Registering Security Info
Hi All, I've been working away trying to solve an issue but haven't found a way around it just yet. The aim is to let an users on BYOD use TAP on a non-compliant device to setup their security info, but then for all other actions to have MFA+Compliance enforced from desktops. Three CA Policies from the templates articles with a tweak for passwordless: - Secure Registration Policy (MFA+TAP Auth Strength) - Device Compliance (MFA+TAP Auth Strength + Compliance) - Intune Enrollment (MFA+TAP Auth Strength) I'm noting a few outcomes here: Device Compliance (AND grant control) - User with a BYOD Device and TAP, can't enroll in MFA as the device isn't compliant, they cant workplace join the device either - User on an enrolled device, can use TAP to reset/create their MFA control Device Compliance (OR grant control) - User with a BYOD Device and TAP, can workplace join and register their security info without issues - User with an enrolled device has no issues using TAP to reset/create their MFA control. This makes sense with the AND'ing of policies, however for the registration method i'm wanting to let the user in on their BYOD device to register their security control, once done they can workplace join with no issues to access resources. The sign-in logs, always show the device compliance policy as hit, this is expected, the login shows a success for passwordless + tap but fails the compliance strength as expected. It doesn't look like its the device enrolment side of things, purely the registration portal getting in the way wanting the compliant device. Does anyone else have similar requirements and have a way to do this without a manual exclusion group? Thanks!Talking Microsoft 365 Compliance at the European SharePoint Conference
Paul Robichaux and I led a session about Microsoft 365 Compliance at the European SharePoint Conference in Dublin on December 2, 2025. During the session, we discussed how intelligent versioning works and its value in saving storage, priority cleanup and its ability to delete files even if the files are under retention hold, and the recent revamp of the Purview eDiscovery solution. We were thrilled at the attendance. Here’s what happened. https://office365itpros.com/2025/12/03/microsoft-365-compliance-espc/Microsoft 365 Announcements at Ignite 2025
The Ignite 2025 keynote was a marathon 150-minute event, but some interesting Microsoft 365 announcements emerged, mostly centered on AI. Microsoft is obviously focused on making AI and agents a very real part of tenant activities, so there’s new agent management and a repository among other things that will roll out in the year ahead. https://office365itpros.com/2025/11/19/ignite-2025-day-1/
Language defaults audit for everything M365
We are struggling to find where and how the wrong language is being used for various parts of the M365 platform. We have Swedish set as default, but still English is used for a number of places which often are only realized as a consequence by a user. For example, in Viva Engage language is set to Swedish, and for the SharePoint as well. But: When a new user logs on VE is in English While the SharePoint web part is in Swedish, the link text have for some time ended with "- Home" (English) instead of as it was when we started 2+ years ago " - Startsida" (Swedish) Then when creating a VE group Event (Teams-meeting) default language is also English Tracking down what and where is making the wrong language being used is hard. I would be very grateful if pointed to a resource that give an as complete as possible overview of everything in M365 that we need to look over for making sure that the correct language is default everywhere it should be.Compliance licenses at tenant level
Hi, We are a small organization of about 200 employees, and we have following requirements. DLP policies configuration at Exchange, OneDrive, SharePoint BYOD security Users should not be able to send files outside the org And so on as we evaluate We already have M365 Business Premium. However, after researching we figured out that M365 Business premium will alone not solve our requirements. May be compliance license will. We want to apply security policies at tenant level in our organization but definitely do not want every user to get licenses as this will be expensive for us and there is no requirement at all for our users. The question is, Is there a way to solve the above scenario?External people can't open files with Sensitivity Label encryption.
Question: What are the best practices for ensuring external users can open files encrypted with Sensitivity Labels? Hi all. I've been investigating proper setup of sensitivity labels in Purview, and the impact on user experience. The prerequisites are simple enough, creating and configuring the labels reasonably straightforward, and publishing them is a breeze. But using them appears to be a different matter! Everything is fine for labels that don't apply encryption (control access) or when used internally. However, the problems come when labels do apply encryption and information is sent externally. The result is that we apply a label to a document, attach that document to an email, and send it externally - and the recipient says they can't open it and they get an error that their email address is not in our directory. This is because due to the encryption, the external user needs to authenticate back to our tenant, and if they're not in our tenant they obviously can't do this so the files won't open. So, back to the question above. What's the easiest / most secure / best way to add any user we might share encrypted content with to our tenant. As I see it we have the following options: Users have to request Admins add the user as a Guest in our tenant before they send the content. Let's face it, they'll not do this and/or get frustrated. Users share encrypted content directly from SharePoint / OneDrive, rather than attaching it to emails (as that would automatically add the external person as a Guest in the tenant). This will be fine in some circumstances, but won't always be appropriate (when you want to send them a point-in-time version of a doc). With good SharePoint setup, site Owners would also have to approve the share before it gets sent which could delay things. Admins add all possible domains that encrypted content might be shared with to Entra B2B Direct Connect (so the external recipient doesn't have to be our tenant). This may not be practical as you often don't know who you'll need to share with and we work with hundreds of organisations. The bigger gotcha is that the external organisation would also have to configure Entra B2B Direct Connect. Admins default Entra B2B Direct Connect to 'Allow All'. This opens up a significant attack surface and also still requires any external organisation to configure Entra B2B Direct Connect as well. I really want to make this work, but it need to be as simple as possible for the end users sharing sensitive or confidential content. And all of the above options seem to have significant down-sides. I'm really hoping someone who uses Sensitivity Labels on a day-to-day basis can provide some help or advice to share their experiences. Thanks, Oz.
Partner lockout of Microsoft 365 tenant – looking for advice on next steps
Hello all, I’d appreciate some guidance from the community on a serious situation we are facing. On 12 September 2025, our Microsoft partner unilaterally locked us out of our Microsoft 365 tenant. They retained exclusive Global Administrator / Partner Delegated Admin rights, which means: All staff and directors are unable to access email, Teams, SharePoint/OneDrive, or even log into their Azure AD-authenticated workstations. Our corporate and staff personal data is now inaccessible to us as the controller. Access restoration has been explicitly conditioned on payment of a disputed invoice (not related to Microsoft licence pass-through). This raises several concerns: Operational: we are effectively paralysed. Security/IP: the partner still has exclusive access to proprietary source code and other confidential business data. Compliance: we cannot meet our GDPR/UK DPA obligations on availability of personal data while locked out. We contacted Microsoft Business Conduct on Friday evening with full details of the incident, but so far no human response has been received to those emails. Questions for the community From a Microsoft tenancy perspective – what’s the fastest/most effective way to remove a partner’s delegated admin access if they refuse to release it voluntarily? Has anyone experienced or seen a similar scenario where access was conditioned on disputed payments? Are there formal Microsoft Partner Code of Conduct provisions that directly address this type of misuse of delegated admin rights? Any practical lessons on balancing the technical fix (regaining control of the tenant) with the legal approach (injunction, regulatory notifications)? My focus is on regaining secure access, protecting data/IP, and ensuring compliance. Any experience, insight, or links to Microsoft policy/resources would be greatly appreciated.
