I built a free, open-source M365 security assessment tool - looking for feedback
I work as an IT consultant, and a good chunk of my time is spent assessing Microsoft 365 environments for small and mid-sized businesses. Every engagement started the same way: connect to five different PowerShell modules, run dozens of commands across Entra ID, Exchange Online, Defender, SharePoint, and Teams, manually compare each setting against CIS benchmarks, then spend hours assembling everything into a report the client could actually read.

The tools that automate this either cost thousands per year, require standing up Azure infrastructure just to run, or only cover one service area. I wanted something simpler: one command that connects, assesses, and produces a client-ready deliverable. So I built it.

What M365 Assess does

https://github.com/Daren9m/M365-Assess is a PowerShell-based security assessment tool that runs against a Microsoft 365 tenant and produces a comprehensive set of reports. Here is what you get from a single run:

- 57 automated security checks aligned to the CIS Microsoft 365 Foundations Benchmark v6.0.1, covering Entra ID, Exchange Online, Defender for Office 365, SharePoint Online, and Teams
- 12 compliance frameworks mapped simultaneously -- every finding is cross-referenced against NIST 800-53, NIST CSF 2.0, ISO 27001:2022, SOC 2, HIPAA, PCI DSS v4.0.1, CMMC 2.0, CISA SCuBA, and DISA STIG (plus CIS profiles for E3 L1/L2 and E5 L1/L2)
- 20+ CSV exports covering users, mailboxes, MFA status, admin roles, conditional access policies, mail flow rules, device compliance, and more
- A self-contained HTML report with an executive summary, severity badges, sortable tables, and a compliance overview dashboard -- no external dependencies, fully base64-encoded, just open it in any browser or email it directly

The entire assessment is read-only. It never modifies tenant settings. Only Get-* cmdlets are used.

A few things I'm proud of

- Real-time progress in the console. As the assessment runs, you see each check complete with live status indicators and timing. No staring at a blank terminal wondering if it hung.
- The HTML report is a single file. Logos, backgrounds, fonts -- everything is embedded. You can email the report as an attachment and it renders perfectly. It supports dark mode (auto-detects system preference), and all tables are sortable by clicking column headers.
- Compliance framework mapping. This was the feature that took the most work. The compliance overview shows coverage percentages across all 12 frameworks, with drill-down to individual controls. Each finding links back to its CIS control ID and maps to every applicable framework control.
- Pass/Fail detail tables. Each security check shows the CIS control reference, what was checked, what the expected value is, what the actual value is, and a clear Pass/Fail/Warning status. Findings include remediation descriptions to help prioritize fixes.

Quick start

If you want to try it out, it takes about 5 minutes to get running:

    # Install prerequisites (if you don't have them already)
    Install-Module Microsoft.Graph, ExchangeOnlineManagement -Scope CurrentUser

    # Clone and run
    git clone https://github.com/Daren9m/M365-Assess.git
    cd M365-Assess
    .\Invoke-M365Assessment.ps1

The interactive wizard walks you through selecting assessment sections, entering your tenant ID, and choosing an authentication method (interactive browser login, certificate-based, or pre-existing connections). Results land in a timestamped folder with all CSVs and the HTML report.

Requires PowerShell 7.x and runs on Windows (macOS and Linux are experimental -- I would love help testing those platforms).

Cloud support

M365 Assess works with:

- Commercial (global) tenants
- GCC, GCC High, and DoD environments

If you work in government cloud, the tool handles the different endpoint URIs automatically.

What is next

This is actively maintained and I have a roadmap of improvements:

- More automated checks -- 140 CIS v6.0.1 controls are tracked in the registry, with 57 automated today. Expanding coverage is the top priority.
- Remediation commands -- PowerShell snippets and portal steps for each finding, so you can fix issues directly from the report.
- XLSX compliance matrix -- A spreadsheet export for audit teams who need to work in Excel.
- Standalone report regeneration -- Re-run the report from existing CSV data without re-assessing the tenant.

I would love your feedback

I have been building this for my own consulting work, but I think it could be useful to the broader community. If you try it, I would genuinely appreciate hearing:

- What checks should I prioritize next? Which security controls matter most in your environment?
- What compliance frameworks are most requested by your clients or auditors?
- How does the report land with non-technical stakeholders? Is the executive summary useful, or does it need work?
- macOS/Linux users -- does it run? What breaks? I have tested it on macOS, but not extensively.

Bug reports, feature requests, and contributions are all welcome on GitHub.

Repository: https://github.com/Daren9m/M365-Assess
License: MIT (free for commercial and personal use)
Runtime: PowerShell 7.x

Thanks for reading. Happy to answer any questions in the comments.

397 Views, 1 like, 1 Comment

Disable incessant nagware popups
I don't know about everyone else, but I am sick and tired of the nagware pop ups in Word, Excel, PowerPoint, Outlook, etc. Every single product harasses me with pop ups trying to tell me "hey, did you know this feature was here?", "you can do this if you click that", "let me hold your hand through using products you've used for decades even though you don't want daddy Microslop to do that". This is a prime example. I keep getting the same ones again and again and again and everything I've read indicates they should only appear once. But they don't. They keep coming back like a psychotic stalker ex who wants alimony even though you were never married. How do I get this nagware to stop?!

66 Views, 0 likes, 1 Comment

Shortcuts appearing when using Option+arrow in Outlook on Chrome in Mac
I use Outlook on Chrome in my MacBook Pro. While typing an email, though, if I use Option+arrow left or right (to go back or forth between words), after a few words, the shortcut letters for the menus pop up, and stop what I'm doing. (See image.) It doesn't happen in any other window on Chrome. So it's not a Chrome thing. It's only when Outlook 365 is loaded. (Don't know if it happens in other 365 apps, as I only use Outlook, really.) Anyone experienced that? And, if so, is there a solution? I tried Outlook 365's setting, but nothing there. Thanks!

54 Views, 0 likes, 2 Comments

Locked Out of Global Admin – Lost Authenticator – Case 2602060010000939 – Need Escalation
I am locked out of my Global Administrator account because my phone broke on February 5, 2026 and I no longer have access to Microsoft Authenticator. There is no alternative authentication method configured. Case ID: 2602060010000939. I contacted support on February 6 and the ticket was set as Severity C with an 8-hour response expectation. After several days, I have only received generic replies and no contact from an engineer. This account is critical for my business operations, and I have now been without access for five days. I understand it was my responsibility to maintain backup methods, but I urgently need help from Microsoft to recover access. Please contact me.

Samuel Leo

Solved. 148 Views, 0 likes, 1 Comment

Generating an email with Power Automate using data from MS Forms
I'm trying to generate an email based on responses to a Microsoft Form. To do that, we've been using Power Automate. But I don't know coding, so I'm struggling with the "if this, then do this or if this then do this." I'm trying to add content based on the response to a form question. This is what I have & Power Automate doesn't like it. If possible, I want the No response to result in a blank.

    if(equals(outputs('Get_response_details')?['body/r4dc7982d2d21447595928fe605d196a9'],'Yes','SNAP',' ')

It also doesn't like this:

    if(equals(@{outputs('Get_response_details')?['body/rfa090ef4e8d14bf187d32d6ee29bce37']},Yes),'What is needed to complete the benefit request? @{outputs('Get_response_details')?['body/r6671aa148c974fbfb399bdf3c334f4a4']}',' ')

1.9K Views, 0 likes, 5 Comments

IS EXCHANGE 2016 HYBRID STILL SUPPORTED?
IS EXCHANGE 2016 HYBRID STILL SUPPORTED as of January 2026? Pls advise if this statement is correct:

Exchange Server 2016 was supported for hybrid deployments with Exchange Online, but as of October 14, 2025, it is no longer supported by Microsoft, meaning no security updates, bug fixes, or technical support are provided. While hybrid prerequisites still technically list Exchange 2016, running it now carries security and compliance risks, and Microsoft recommends upgrading to a supported version such as Exchange Server Subscription Edition or moving fully to Exchange Online. Continuing to use Exchange 2016 in hybrid is possible, but unsupported, so for a secure and compliant hybrid setup, an upgrade or migration is strongly advised.

189 Views, 0 likes, 2 Comments

10 Things You Might Not Know You Could Do with Azure Communication Services
Azure Communication Services gives developers the building blocks for voice, video, chat, SMS, and more. But the real magic happens when you start combining those capabilities with other Azure services to solve real-world problems.

This blog isn’t a feature list or a product pitch. It’s a collection of creative, practical scenarios that show what’s possible with Azure Communication Services today. Each one is based on real questions, real demos, and real developer experiences. Some are simple. Some are surprisingly powerful. All of them are designed to spark ideas.

We’ve included links to sample code, documentation, and visuals to help you dive deeper. And we’ll keep this post updated as new scenarios emerge, so if you’ve built something cool, let us know!

Build a Voice Assistant That Understands Users—and Follows Through

🔎 Quick Look
What it does: Create a voice-first assistant that can understand, respond, and follow up using natural language.
Why it matters: Offers a more intelligent, flexible alternative to traditional IVRs.
What you'll need: Azure Communication Services for voice, Azure OpenAI, and backend logic to handle actions.

Most voice agents are limited to scripted menus or keyword matching. But with Azure Communication Services and Azure OpenAI, you can build a voice experience that actually understands what users are saying and responds with meaningful action.

In this demo, a user calls a virtual assistant looking for dinner inspiration. Instead of navigating a rigid menu, they just talk naturally. The assistant interprets the request, asks follow-up questions, and sends a personalized recipe link via SMS—all powered by Azure Communication Services for both the voice and messaging workflows.

This kind of voice-first interaction is ideal for customer support, concierge services, or any scenario where users want to speak naturally and get something done. Watch the video below to see the full experience in action or explore the demo yourself here.

Send Responsive Messages in Real-Time

🔎 Quick Look
What it does: Trigger personalized messages based on real-time user behavior (like missed appointments or failed logins).
Why it matters: Helps you move beyond static reminders to more timely, relevant communication.
What you’ll need: Azure Communication Services, Azure Event Grid, Azure OpenAI, and an event source like a Logic App or backend service.

Most messaging systems are built around schedules: send a reminder at 9 AM, a follow-up two days later, and so on. But what if your messages could respond to what your users are doing right now?

With Azure Communication Services, you can build event-driven workflows that trigger messages based on real-time behavior. A customer misses an appointment. A user completes a transaction. A login attempt fails. Using Azure Event Grid, you can detect these events, generate a tailored message with Azure OpenAI, and send it instantly via SMS, email, or WhatsApp using Azure Communication Services.

This approach helps teams move beyond static, one-size-fits-all messaging. It enables timely, relevant communication that’s easier to maintain and scale - without manually scripting every variation.

Learn more and get started:
- Azure Communication Services as an Event Grid source
- Handle SMS events with Event Grid
- Push notifications overview
- Use Event Grid to send calling push notifications

Let Users Schedule Appointments by Text – In Their Own Words

🔎 Quick Look
What it does: Enable natural language scheduling over SMS. No apps, menus, or portals required.
Why it matters: Makes scheduling faster and more user-friendly, especially for service-based businesses.
What you’ll need: Azure Communication Services for SMS, Azure OpenAI to interpret intent, and a backend or Logic App to manage availability and confirmations.

Coordinating appointments over email or phone is slow and manual. Even traditional SMS-based schedulers often rely on rigid decision trees that break when users type something unexpected.

This demo takes a smarter approach. By combining Azure Communication Services with Azure OpenAI, it lets users book, confirm, or reschedule appointments through natural, conversational SMS - no app, no portal, no menus. Just text like you normally would:

“Hey, can I move my appointment to next Tuesday?”
“Do you have anything earlier in the day?”

Behind the scenes, Azure Communication Services handles the messaging layer, while OpenAI interprets the user’s intent and routes it to backend logic that manages availability and confirmations. It’s a lightweight, flexible solution that’s ideal for clinics, service providers, or any business that wants to streamline scheduling—without sacrificing user experience.

Try the SMS scheduling demo. Everything you need to get started is in the README.

Reach Customers on WhatsApp – Right Alongside SMS & Email

🔎 Quick Look
What it does: Send messages across WhatsApp, SMS, and email from a single workflow.
Why it matters: Increases engagement by meeting users where they are.
What you’ll need: Azure Communication Services with Advanced Messaging SDK, verified sender setup for each channel

Your customers are already on WhatsApp. Now your app can be too, without rearchitecting your entire messaging stack.

Azure Communication Services lets you send and receive WhatsApp messages using the same platform you already use for SMS, email, and chat. That means you can reuse your existing workflows, backend logic, and delivery infrastructure - just with a new channel that meets your users where they are.

Whether it’s appointment reminders, shipping updates, or live customer support, WhatsApp becomes just another part of your communication toolkit. You can trigger messages using Azure Event Grid, automate replies with Azure Bot Framework, and manage everything through the Advanced Messaging SDK.

Want to see it in action? This quickstart guide walks you through registering your WhatsApp Business Account, connecting it to Azure Communication Services, and sending both text and media messages.

[Image: Channels selected from the blade menu.]

Learn more:
- Overview of Advanced Messaging for WhatsApp
- Send text and media WhatsApp messages (Quickstart)
- Publish an agent to WhatsApp using Copilot Studio

Let Customers Join a Teams Meeting - Without a Teams Account

🔎 Quick Look
What it does: Embed a browser-based Teams meeting experience into your app or site.
Why it matters: Makes it easy for customers to join secure meetings without downloading Teams or signing in.
What you’ll need: Azure Communication Services with Teams interop, a Teams meeting link, and a web app or portal.

Not every customer wants to download an app or create a Microsoft account just to join a meeting. With Azure Communication Services, you can embed a fully branded, browser-based meeting experience into your app or website that connects directly to a Microsoft Teams meeting - no Teams account required.

This is especially useful for industries like healthcare, legal, or financial services, where external participants need to join secure consultations or appointments without friction. You control the UI, the branding, and the flow, while Azure Communication Services handles the real-time voice and video connection to Teams.

You can see how this works in the interop-quickstart demo, which shows how to create a Teams meeting, generate a join link, and embed the experience in a custom app.

Handle Teams Calls Inside Your CRM—No App Switch Required

🔎 Quick Look
What it does: Let agents make and receive Teams calls directly inside Dynamics 365 or a custom contact center UI.
Why it matters: Reduces context switching and improves agent efficiency.
What you’ll need: Teams Phone Extensibility, Azure Communication Services Call Automation, Dynamics 365 or another CCaaS.

Most contact center agents juggle multiple tools - CRM, phone, notes, AI assistants - just to handle a single call. But what if they could do it all in one place?

With Teams Phone Extensibility, powered by Azure Communication Services, agents can make and receive Teams calls directly inside Dynamics 365 or any custom contact center app. No need to open the Teams client.

Here’s what’s possible:
- Answer calls in a custom agent desktop, routed through Teams Phone.
- Trigger AI workflows mid-call—like summarizing the conversation with Azure OpenAI or escalating to a supervisor.
- Initiate outbound calls from bots or workflows using ACS’s Call Automation APIs.
- Record and analyze calls with full control over logic and storage.

It’s a surprising way to bring AI, voice, and CRM together, without rebuilding your contact center from scratch.

Embed Secure Video Visits to Your Healthcare App–Fast

🔎 Quick Look
What it does: Add HIPAA-compliant video calling with identity integration.
Why it matters: Enables secure, branded telehealth or consultation experiences.
What you’ll need: Azure Communication Services for video, Azure AD B2C, and a secure frontend.

Telehealth is here to stay. But building a secure, compliant video experience from scratch can be a heavy lift. Azure Communication Services makes it easier.

With built-in support for HIPAA, GDPR, and SOC 2, encrypted media transport, and identity integration via Azure AD B2C, Azure Communication Services lets you embed video calling directly into your app—without compromising on privacy or user experience.

The Sample Builder shows how to combine video, chat, and SMS into a seamless patient-provider experience. It’s ready to deploy, customize, and scale.

Learn more:
- Azure Communication Services HIPAA compliance overview
- Quickstart - Add video calling to your app - An Azure Communication Services quickstart | Microsoft Learn

Combine AI and Human Support in a Single Chat Experience

🔎 Quick Look
What it does: Start with an AI assistant and escalate to a human agent with full context.
Why it matters: Scales support while preserving the human touch when needed.
What you’ll need: Azure Communication Services for chat, Azure OpenAI, bot framework, and agent handoff logic.

Most customer service chats start with automation—but they shouldn’t get stuck there. With Azure Communication Services, you can build a chat experience that begins with an AI assistant and hands off to a human agent when it makes sense.

This demo shows how it works: a customer starts chatting through a web widget. An AI assistant, powered by Azure OpenAI, handles common questions and tasks. If the conversation gets complex or the user asks for help, the chat transitions smoothly to a live agent—no context lost. Agents can even generate AI-powered summaries to get up to speed quickly before jumping in.

It’s a practical way to scale support without sacrificing the human touch.

[Image: On the left, a dialog box displays the user experience, while on the right, the agent's view shows the conversation summary and includes a button to take over the automated chat.]

Build a voice-first, AI virtual assistant in Under a Week

🔎 Quick Look
What it does: Launch a branded voice assistant quickly using Zammo.ai and ACS.
Why it matters: Speeds up deployment of voice experiences across channels.
What you’ll need: Zammo.ai, Azure Communication Services for voice, and a publishing channel (e.g., Alexa, web).

When Montgomery County, Maryland needed to support COVID-19 vaccine registration, they didn’t have months to build a solution. In just six business days, they launched a voice-first virtual assistant that handled 100% of inbound calls: automating appointment scheduling, supporting English and Spanish, and deflecting thousands of calls from live agents. They partnered with Zammo.ai to build the experience, all without writing custom code.

Where Azure Communication Services fits in: Azure Communication Services powered the voice infrastructure, enabling a scalable, multilingual experience that saved time, reduced hold times by 90%, and helped the county serve residents more equitably.

Don’t take our word for it, learn more about how it came together here.

Know What You’ll Pay, Before You Ship

🔎 Quick Look
What it does: Estimate costs and usage before you build.
Why it matters: Helps you plan and budget more effectively.
What you’ll need: Azure Communication Services pricing calculator, usage estimator, and billing dashboard.

One of the first questions developers ask when building with Azure Communication Services is: “How much is this going to cost me?” And the answer is: it depends, but in a good way.

Azure Communication Services uses a flexible, pay-as-you-go pricing model. You’re only billed for what you use - no upfront commitments, no recurring subscription fees. That makes it easy to prototype, test, and scale without overcommitting.

Each communication channel (SMS, email, voice/video calling, and WhatsApp) has its own pricing structure based on usage volume, geography, and delivery method. For example:
- SMS to U.S. numbers is priced differently than international messages.
- Voice calls vary depending on whether you’re using VoIP, PSTN, or Teams interop.
- WhatsApp pricing may involve partner-based rates through Messaging Connect.

There are a few exceptions to the pay-as-you-go model. For instance, leasing a dedicated phone number incurs a monthly fee. But overall, the model is transparent and developer-friendly.

To help you estimate costs and plan ahead, here are some helpful resources:
- Azure portal pricing calculator: Azure Communication Services pricing | Microsoft Azure
- Azure Communication Services Pricing Overview: Azure Communication Services pricing | Microsoft Azure

What Will You Build Next?

Azure Communication Services gives you the flexibility to build the communication experience your users actually want - whether that’s a quick SMS, a secure video call, or a voice assistant that gets things done. And when you combine ACS with other Azure services like OpenAI, Event Grid, and Bot Framework, the possibilities expand even further.

We’ll keep this post updated as new scenarios and demos emerge. If you’ve built something interesting with ACS, we’d love to hear about it—and maybe even feature it in a future post.

Check out our official documentation to get started today!

1.9K Views, 0 likes, 0 Comments

Outlook Classic for M365 - File > Encrypt > 'Encrypt-Only' option applies 'Do Not Forward' label?
I recently joined a new company and am helping support their M365 tenant and admin duties. I'm running into a very weird issue where no recipients can actually read/view the message when we encrypt emails using only 1 specific method (our organization largely uses the Outlook Classic for Microsoft 365 desktop app).

If a user follows this method, for some reason the 'Do Not Forward' label is applied to the encryption, despite specifically selecting 'Encrypt-Only' - it defaults to 'Do Not Forward' every single time:

New Email > File > Encrypt > Encrypt-Only

Sending emails with this method gives any/all recipients a "You don't have sufficient permissions to open the mail." regardless of where they try to open the email (OWA, Outlook Classic, New Outlook).

Yet, if the user tries this other method below - the proper Encrypt-Only label is applied, and any Outlook client immediately opens/views the email as you'd expect:

New Email > Options ribbon > Encrypt properly applies the Encrypt-Only label

I verified IRM (Identity Rights Management) is enabled for our tenant:

And encryption tests pass with flying colors:

Ultimately, I'm at a loss for what's going on here and specifically where to check to fix this issue for this 1 specific encryption method. Poking around in the Purview portal, I'm having a hard time figuring out where these encryption policies/settings lie and how to get this method to stop defaulting to 'Do Not Forward' even though 'Encrypt-Only' is checked.

Solved. 655 Views, 2 likes, 5 Comments

Someone changed my email but I still have access to my account
My account got hacked but the hacker didn't change my password, now I'm stuck with this weird email account from Russia and don't know what to do... I tried the Recovery form but I tried too many times and now it doesn't let me try anymore. What can I do? I'm scared for my account.

327 Views, 0 likes, 1 Comment

Does MC1189663 Impact Standard Power Automate Approvals?
Hi everyone,

After reviewing the change described in MC1189663 (retirement of external access tokens for actionable messages), I'm unsure whether this also affects the out-of-the-box Standard Approval action in Power Automate. My question is specifically about the default "Start and wait for an approval" / "Standard Approval" action with no special configuration. Does this change impact approval emails or actionable messages generated by the Standard Approval action for internal usage (mails to internal accounts), or will those continue to work without modification?

Thanks in advance for any clarification.

146 Views, 0 likes, 0 Comments