microsoft 365
934 Topics

Device Stuck on Restart Screen After Update - Error Code: ATTEMPTED WRITE TO READONLY MEMORY
Hi everyone, I’m experiencing an issue with my Windows device that started after a recent update. For the past three days, my device has been stuck on a restart screen with the following error message:

Your device ran into a problem and needs to restart. We'll restart for you. For more information about this issue and possible fixes, visit https://www.windows.com/stopcode If you call a support person, give them this info: Stop Code: ATTEMPTED WRITE TO READONLY MEMORY

I’ve tried restarting the device multiple times, but it keeps returning to this screen. I’m unable to access my system or troubleshoot further. Has anyone else encountered this issue after an update? Any suggestions on how to resolve this would be greatly appreciated. Thank you in advance for your help!

82 Views, 1 like, 2 Comments

Lighthouse - viewing CA configuration at-a-glance
Hi, first off - apologies if I'm in the wrong space. I really do not understand the community hub structure, and there doesn't seem to be one for Lighthouse. Recently came across our 2nd tenant this year that did not have any CA policies set. Assuming this was just overlooked during P1 purchasing or something. Is there a way to view CA status within Lighthouse for all tenants? We do not have the full granular admin setup - our customers are sub-tenants but only just. We have domain admins for each, but our personal accounts do not have Security Admin roles on them. Saying this because it locks me out of some Lighthouse features. But trying to find a way to check this easily. Thanks

66 Views, 0 likes, 3 Comments

Getting Started with the New Purview eDiscovery (E3)
“I heard that classic eDiscovery (Standard) will be retired on May 26th. How can I get started in the new Purview eDiscovery?”

Welcome to the new era of Purview eDiscovery! As we transition from the classic eDiscovery (Standard) to the new Purview eDiscovery, you'll find a more intuitive and user-friendly experience designed to streamline your workflow. This enhanced platform offers additional capabilities such as improved data sources for easier identification of search locations, an upgraded condition builder, better support for modern collaboration, and a more efficient export process.

There are a few important notes before we get started with the new Purview eDiscovery user experience:

The new Purview eDiscovery is a unified user experience. No longer will there be separate E3 or E5 products for eDiscovery; both E3 and E5 users will enjoy the same new interface. However, Purview eDiscovery users with E5 licenses or advanced SKU license holders will have access to new Premium features, while E3 Purview eDiscovery users will also benefit from new enhancements.

Rest assured, you will not need to migrate any of your existing classic cases or content searches. All your current cases and content searches are seamlessly integrated into the new user experience.

There are also no changes required for your existing permissions or compliance boundaries. The new Purview eDiscovery respects your existing settings, ensuring a smooth transition.

You will see a new case under Purview eDiscovery called “Content Search.” You will find all your existing content searches within this case. You will also be able to access your content search by using the new Purview Content Search shortcut (Learn more about getting started with the new Purview Content Search by going to the following article: https://aka.ms/newcontentsearch).

"Where do I get started in the new Purview eDiscovery?"
You will be able to access the new Purview eDiscovery by going to the Microsoft Purview portal and signing in using the credentials for a user account assigned eDiscovery permissions. Select the eDiscovery solution card under the Purview portal and then select Cases in the left nav. This will take you to the new Purview eDiscovery. From there, you will be able to select Create case.

“Now that I have created my case, what’s next?”

Now that you’ve created your case, let’s talk about the new case settings. Click on the Case settings button in the new Purview eDiscovery case view. These are the relevant settings for E3 eDiscovery:

The Case details settings are where you can go to disable or enable the eDiscovery (Premium) features (E5) using the eDiscovery (Premium) toggle. You will also be able to close or delete the case using the Actions button under Case details.

Permissions settings in eDiscovery allow you to add or remove users to a case and manage role group membership for a case. This is where you will go to give other eDiscovery managers/users access to your case. You can also add a role group to give all members of that role group access to your case.

The new Data sources section is where you can make changes to the locations you wish to include in tenant-wide searches. NOTE: adding more data sources might cause searches to take longer than normal.

The Search & analytics and Review set settings sections are for E5 features.

Now that you have managed your Purview eDiscovery settings, the next step is to either create a search or create a hold policy to manage your eDiscovery holds.
First, let’s start with the new Purview eDiscovery search experience! Make sure that you are under the Searches tab in your case and click Create a search. Create a search name and search description and select the Create button to create a new search in the new Purview eDiscovery experience. This will take you to the new Purview eDiscovery search experience.

Under the Query tab in your new search, you will see the enhanced Data sources on the left side. The new Purview eDiscovery’s enhanced data sources will make it a lot easier for you to set the locations that you would like to search. You can use the enhanced data sources to search for M365 content such as email, documents, and instant messaging conversations in your organization. Use search to find content in these cloud-based Microsoft 365 data sources:

Exchange Online mailboxes
SharePoint sites
OneDrive accounts
Microsoft Teams
Microsoft 365 Groups
Viva Engage

In this example, we will be searching Nestor’s mailbox and OneDrive site for an email sent in March 2025 that contains the keyword string “Project 9”.

Click Add sources under Data sources to add your locations (you can also search all your mailboxes or sites by selecting Add tenant-wide sources if needed).

Type in the name of the user or their email address to find the user’s locations that you are wanting to search and then select them.

Next, add a group like a Microsoft Team that you would like to search.

Click the Manage button to see the locations associated with this user and Team. The enhanced data source experience will automatically identify a user’s mailbox and OneDrive site if they have one enabled. Select Save to continue.

Optional: you can exclude either their Mailbox or OneDrive site by unchecking them under the Manage sources view.

Now that you have identified the locations that we want to search, the next step is to create a query to define what we are wanting to search for within the locations.
Under the Keywords condition, make sure that Equal is selected, and type in Project 9 and hit enter. This will let you specify that you are looking for any chat, email, or document that contains the phrase “Project 9”.

Next, click on the + Add conditions button to add the date range condition. Select Date from the list and select Apply. Switch the Date operator from Before to Between and select March 1, 2025 through March 31, 2025 as the date range.

Click the Run query button to generate the search estimate. Then click Run Query after selecting any additional options that you may want.

After the search has run, the Statistics tab will help you verify whether the relevant content was found. You can also generate a sample of the results by going under the Sample tab and selecting the Generate sample results button.

You can export the results of your search after you have verified that the relevant content has been returned by your search by selecting the Export button. Give your export a name and description.

In the Export type section, choose one of the following options:

Export items report only: Only the summary and item report are created. The various options for organizing data, folder and path structure, condensing paths, and other structures are hidden.
Export items with items report: Items are exported with the item report. Other export format options are available with this option in the Export format section.

In the Export format section, choose one of the following options:

Create PSTs for messages: This option creates .pst files for messages.
Create .msg files for messages: This option creates .msg files for messages.

Select one or more of the following output package options:

Organize data from different locations into separate folders or PSTs: This option organizes data into separate folders for each data location.
Include folder and path of the source: This option includes the original folder and folder path structure for items.
Condense paths to fit within 256 characters: This option condenses the folder path for each item to 259 characters or less.
Give each item a friendly name: This option creates a friendly name for each item.

After you have selected the options for your export, select the Export button.

Click the Export button to go to the Export tab. Select your export once the status shows as “Complete”. Select the export packages that you wish to download and hit the Download button.

Clicking the Download button will kick off a browser download. The new Content Search does not use classic Content Search and eDiscovery (Standard)’s .NET eDiscovery Export Tool application. NOTE: You may have to disable popup blocking depending on your browser settings.

The download report relating to the export is named Reports-caseName-EntityName-ProcessName-timestamp.zip. With EntityName being the user given name to the export. This will include several .CSV files including items.csv which provide details of all items exported, including information such as item ID, location of the item, subject/title of the item, item class/type, and success/error status.

The .PST files exported will be included in an export package called PSTs.00x.zip

Files exported (e.g. files stored in OneDrive and SharePoint) will be included in an export package called Items.00x.zip

“How do I place a hold using the new Purview eDiscovery?”

You can create holds in the new Purview eDiscovery to preserve content in mailboxes and sites.
This includes mailboxes and sites that are associated with Microsoft Teams, Microsoft 365 groups, and Viva Engage Groups. When you place locations on hold, content is preserved until you remove the hold from the locations or delete/release the hold policy.

Like classic eDiscovery (Standard), you will first visit the Hold policies tab. In the hold policies tab, please click New policy to create a new hold policy for your case. Please give your hold policy a unique policy name and policy description.

Next, you will add the locations that you would like to place on hold. Please click Add sources under Data sources to start adding locations to your hold. Note: you must select at least one data source to create the hold policy.

Put in the name of the custodian that you would like to place on hold. Like the search experience, you will automatically identify the user’s mailbox and OneDrive site when you search by their name.

Next, you can enter a group by putting in the name of the group. In this example, I have added a Team called the “Mark 8 Project”.

Please select Manage or Save and close to save your results.

If you leave the query blank under the Condition builder section, all the data in the specified locations will be placed on hold. You can also create a query-based hold to put data that matches your query on hold. Note: For the best results when dealing with encrypted or partially indexed items, we recommend limiting conditions to Date, Participants, and Type in query-based holds. Queries aren't effective on other conditions within encrypted or partially indexed items and holds might not be applied to these items.

Select Apply hold to enable your hold policy.
After creating a hold, check that the hold is applied successfully by navigating to the Details tab for the hold policy. You can check the statuses of all the locations within your hold policy within the Details tab. This is a great way to verify that your hold was successfully deployed. You can also delete the policy, retry the policy, and turn off the policy by selecting Policy actions.

[Screenshot: dashboard for the hold policy titled "H001a - Custodian and Teams Hold," summarizing its application across 6 locations and 2 data sources, with a table listing each location's hold status, team group, location type, and associated site.]

You can select a location under the Details tab to learn additional information regarding the held location. You can also select Download Report to get a downloaded report of the hold details.

Other important information for creating holds

After you create an eDiscovery hold, it might take up to 24 hours for the hold to take effect.

For long term data retention not related to eDiscovery investigations, we advise that you use retention policies and retention labels. For more information, see Learn about retention policies and retention labels.

When you select a distribution list to be placed on hold, the distribution list expands into the members of the distribution list. Users can choose to place all members' mailboxes and sites on hold or a subset/mix of these data sources on hold. Subsequent changes in distribution list membership don't change or update holds or the policy. Users must add the distribution list to data source again to ensure the latest membership is reflected and expanded.

The Recycle Bin in SharePoint sites isn't indexed and therefore unavailable for searching. As a result, eDiscovery searches can't find any Recycle Bin content to place holds.
When you create a query-based hold, all content from selected locations is initially placed on hold. Later, any content that doesn't match the specified query is cleared from the hold every seven to 14 days. However, a query-based hold doesn't clear content if more than five holds of any type are applied to a content location, or if any item has indexing issues.

The URL for a user's OneDrive account includes their user principal name (UPN) (for example, https://alpinehouse-my.sharepoint.com/personal/sarad_alpinehouse_onmicrosoft_com). In the rare case that a person's UPN is changed, their OneDrive URL will also change to incorporate the new UPN. If a user's OneDrive account is part of an eDiscovery hold, and their UPN is changed, you need to update the hold by adding the user's new OneDrive URL and removing the old one. If the URL for the OneDrive site changes, previously placed holds on the site remain effective and content is preserved. For more information, see How UPN changes affect the OneDrive URL.

877 Views, 0 likes, 0 Comments

Upcoming changes to Microsoft Purview eDiscovery
Today, we are announcing three significant updates to the Microsoft Purview eDiscovery products and services. These updates reinforce our commitment to meeting and exceeding the data security, privacy, and compliance requirements of our customers. Effective May 26, 2025, the following changes will take effect:

Content Search will transition to the new unified Purview eDiscovery experience.
The eDiscovery (Standard) classic experience will transition to the new unified Purview eDiscovery experience.
The eDiscovery export PowerShell cmdlet parameters will be retired.

These updates aim to unify and simplify the eDiscovery user experience in the new Microsoft Purview Portal, while preserving the accessibility and integrity of existing eDiscovery cases.

Content Search transition to the new unified Purview eDiscovery experience

The classic eDiscovery Content Search solution will be streamlined into the new unified Purview eDiscovery experience. Effective May 26th, the Content Search solution will no longer be available in the classic Purview portal.

Content Search provides administrators with the ability to create compliance searches to investigate data located in Microsoft 365. We hear from customers that the Content Search tool is used to investigate data privacy concerns, perform legal or incident investigations, validate data classifications, etc. Currently, each compliance search created in the Content Search tool is created outside of the boundaries of a Purview eDiscovery (Standard) case. This means that administrators in Purview Role Groups containing the Compliance Search role can view all Content Searches in their tenant. While the Content Search solution does not enable any additional search permission access, the view of all Content Searches in a customer tenant is not an ideal architecture. Alternatively, when using a Purview eDiscovery case, these administrators only have access to cases in which they are assigned.
Customers can now create their new compliance searches within an eDiscovery case using the new unified Purview eDiscovery experience. All content searches in a tenant created prior to May 26, 2025 are now accessible in the new unified Purview eDiscovery experience within a case titled “Content Search”. Although the permissions remain consistent, eDiscovery managers and those with custom permissions will now only be able to view searches from within the eDiscovery cases in which they are assigned, including the “Content Search” case.

eDiscovery Standard transition to the new unified Purview eDiscovery experience

The classic Purview eDiscovery (Standard) solution experience has transitioned into the new unified Purview eDiscovery experience. Effective May 26th, the classic Purview eDiscovery (Standard) solution will no longer be available to customers within the classic Purview portal. All existing eDiscovery cases created in the classic purview experience are now available within the new unified Purview eDiscovery experience.

Retirement of eDiscovery Export PowerShell Cmdlet parameters

The Export parameter within the ComplianceSearchAction eDiscovery PowerShell cmdlets will be retired on May 26, 2025:

New-ComplianceSearchAction -Export parameter
Get-ComplianceSearchAction -Export parameter
Set-ComplianceSearchAction -ChangeExportKey parameter

We recognize that the removal of the Export parameter may require adjustments to your current workflow process when using Purview eDiscovery (Standard).
The remaining Purview eDiscovery PowerShell cmdlets will continue to be supported after May 26th, 2025:

Create and update Compliance Cases: New-ComplianceCase, Set-ComplianceCase
Create and update Case Holds: New-CaseHoldPolicy, Set-CaseHoldPolicy, New-CaseHoldRule, Set-CaseHoldRule
Create, update and start Compliance Searches: New-ComplianceSearch, Set-ComplianceSearch, Start-ComplianceSearch
Apply Purge action to a Compliance Search: New-ComplianceSearchAction -Purge

Additionally, if you have a Microsoft 365 E5 license and use eDiscovery (Premium), your organization can script all eDiscovery operations, including export, using the Microsoft Graph eDiscovery APIs.

Purview eDiscovery Premium

On May 26th, there will be no changes to the classic Purview eDiscovery (Premium) solution in the classic Purview portal. Cases that were created using the Purview eDiscovery (Premium) classic case experience can also now be accessed in the new unified Purview eDiscovery experience.

We recognize that these changes may impact your current processes, and we appreciate your support as we implement these updates. Microsoft runs on trust and protecting your data is our utmost priority. We believe these improvements will provide a more secure and reliable eDiscovery experience.

To learn more about the Microsoft Purview eDiscovery solution and become an eDiscovery Ninja, please check out our eDiscovery Ninja Guide at https://aka.ms/eDiscoNinja!

3.3K Views, 1 like, 1 Comment

Announcing Public Preview of DLP for M365 Copilot in Word, Excel, and PowerPoint
Today, we are excited to announce the public preview of Data Loss Prevention (DLP) for M365 Copilot in Word, Excel, and PowerPoint. This development extends the capabilities you rely on for safeguarding data in M365 Copilot Chat, bringing DLP protections to everyday Copilot scenarios within these core productivity apps.

Building on Our Foundation

Data oversharing and leakage is a top concern for organizations using generative AI technology, and securing AI-based workflows can feel overwhelming. We’ve been laying a strong foundation with Microsoft Purview Data Loss Prevention—especially with DLP for M365 Copilot—and are excited to expand its reach to further reduce the risk of AI-related oversharing at scale.

In the original public preview release, we enabled admins to configure DLP rules that block Copilot from processing or summarizing sensitive documents in M365 Copilot Chat. However, these controls didn’t extend to the powerful in-app Copilot experiences, such as rewriting text in Word, summarizing presentations in PowerPoint, or generating helpful formulas in Excel. That changes now with this public preview.

The Next Phase of DLP for M365 Copilot

Similar to our original approach for M365 Copilot Chat, we are bringing consistent, flexible protection to M365 Copilot for Word, Excel, and PowerPoint. Here’s how it works in this preview:

Current file DLP checks: Copilot now respects sensitivity labels on an opened document or workbook. If a document has a sensitivity label and a DLP rule that excludes its content from Copilot processing, Copilot actions like summarizing or auto-generating content directly in the canvas are blocked. Chatting with Copilot is also unavailable.

File reference DLP checks: When a user tries to reference other files in a prompt – like pulling data or slides from other labeled documents – Copilot checks DLP policies before retrieving the content.
If there is a DLP policy configured to block Copilot processing of files with that file’s sensitivity label, Copilot will show an apology message rather than summarizing that content – so no accidental oversharing occurs.

You can learn more about DLP for M365 Copilot here: Learn about the Microsoft 365 Copilot policy location (preview)

Getting Started

Enabling DLP for M365 Copilot in Word, Excel, and PowerPoint follows a setup similar to configuring DLP policies for other workloads. From the Purview compliance portal, you can configure the DLP policy for a specific sensitivity label at a file, group, site, and/or user level. If you have already enabled a DLP for M365 Copilot policy with the ongoing DLP for M365 Copilot Chat preview, no further action is needed – the policy will automatically begin to apply in Word, Excel, and PowerPoint Copilot experiences.

In this preview, our focus is on ensuring reliability, performance, and seamless integration with the Office apps you use every day. We’ll continue to refine the user experience as we move toward general availability, including improvements to error messages and user guidance for each scenario.

Join the Preview

This public preview reflects our ongoing commitment to deliver robust data protection for AI-powered workflows. By extending the same DLP principles you trust to Word, Excel, and PowerPoint, we’re empowering you to embrace AI confidently without sacrificing control over your organization’s most valuable information.

We invite you to start testing these capabilities in your environment. Your feedback is invaluable to us – we encourage all customers to share their experiences and insights, helping shape the next evolution of DLP for M365 Copilot in Office.

2.5K Views, 1 like, 4 Comments

Disable Windows Hello AND Remove Existing PIN
Previously, after setting up Windows for an Azure AD user, it would give me a prompt saying that my organization requires a PIN for Windows Hello. I would hit next, then close the dialog asking for the PIN, and it would say there was an error or something, I'd hit OK and I'd be in Windows with no further Windows Hello harassment until I restarted. Once I got the device enrolled in Intune, it would apply the policy I have a policy that disables Windows Hello.

However, a recent update to Windows seems to have made it impossible to bypass setting up a PIN. Because I can't enroll the device in Intune during the Windows Setup, the disable policy doesn't apply until after the PIN is established on the account. Once the PIN is set up on a Windows Account, it is not removed when Windows Hello is disabled via Intune/GPO, and it is seemingly impossible to remove manually. The only lead I've been able to find is to delete this folder: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\NGC\. However, Windows simply is not letting that happen, even after taking full ownership of the folder as a local admin.

My only workaround is to first set up the device authenticating with my own account which will have the PIN. Then enroll in Intune with the user's account to their policies applied and Hello disabled. Then create the local admin account. Then add the user's account. Then log into the local admin account and delete my account. Finally, log into the user's account to create shortcuts and do QA.

We use Bitlocker with a PIN that effectively does the same thing as Windows Hello with a PIN, except it also encrypts the disk. So I really don't see what it brings to the table besides a redundant password for users to memorize and extra help desk work when they forget it?
How do I get devices configured without adding a bunch of work to get around Windows Hello?

41K Views, 2 likes, 4 Comments

General Availability: Dynamic watermarking for sensitivity labels in Word, Excel, and PowerPoint
In today's digital age, protecting sensitive information is more critical than ever. Sensitivity labels from Microsoft Purview Information Protection offer highly effective controls to limit access to sensitive files and to prevent users from taking inappropriate actions such as printing a document, while still allowing unhindered collaboration. However, these controls don't prevent users from taking pictures of sensitive information on their screen or of a presentation being shared either online or in-person, and some forms of screen-shotting can't be blocked with existing technology. This loophole presents an easy way to bypass protections that sensitivity labels enforce on a document, and these pictures can end up in the wrong hands of competitors or the public. Dynamic Watermarking helps address this gap in document security by deterring unauthorized sharing and enabling traceability of leaks.

What is Dynamic Watermarking?

Dynamic watermarking is a feature that overlays watermarks containing user-specific information on documents. These watermarks are visible when the document is viewed, edited, or shared in Word, Excel, or PowerPoint, deterring leaks and making it easier to trace any unauthorized dissemination of sensitive information. This feature can be configured by the compliance admin on any sensitivity label with admin-defined permissions via the Microsoft Purview compliance portal or PowerShell. When the setting is enabled for a label, files with that label will render dynamic watermarks when opened in Word, Excel, and PowerPoint.

Key Features

User-Specific Watermarks: Watermarks display the UPN (usually email address) of the user currently viewing the document.
Watermark Customizability: Watermarks can be configured to also include the device date-time, enabling admins to know precisely when leaked information was captured, as well as a custom string.
Cross-Platform Support: Available on Word, Excel, and PowerPoint for the web, Windows, Mac, iOS, and Android.
Seamless Integration: Configurable on sensitivity labels with admin-defined permissions via the Microsoft Purview compliance portal or PowerShell.
Enhanced Security: Prevents users from accessing documents with labels configured for dynamic watermarking on Word, Excel, and PowerPoint clients that cannot render dynamic watermarks.

Benefits & Differentiators

Although there are existing security solutions that may offer different aspects of dynamic watermarking, Microsoft provides the most comprehensive offering with the following differentiators:

Broad support in many views (e.g., slide view, notes view, etc.) so it’s not only the primary application view that’s protected for more comprehensive coverage.
Ability to set dynamic watermarking for a sensitivity label and have it apply to all Word, Excel, and PowerPoint files with that sensitivity label (rather than a separate setting), making it easier for admins to apply dynamic watermarking across applications and files all at once.
Ability to edit (and coauthor) a watermarked file. Coauthoring enables users to collaborate on Word, Excel, and PowerPoint files that are labeled with sensitivity labels across Web, Windows, Mac, iOS, and Android.
Cross-platform support: Web, Windows, Mac, iOS, and Android.

When a user attempts to open a file with dynamic watermarks on a version of Office that doesn’t support the feature, they will see an access denied message. Users who don’t have an Office client installed that is capable of dynamic watermarking should use Office for the web to work with watermarked files.

Get Started with Dynamic Watermarking

When setting up a label in the Purview compliance portal, you can select “Use Dynamic Watermarking” when configuring encryption. You can also configure dynamic watermarking on a sensitivity label using the Set-Label cmdlet in PowerShell.
Learn more about configuring sensitivity labels for dynamic watermarking here.

For dynamic watermarking for Word, Excel, and PowerPoint, this will require a Microsoft 365 E5, Microsoft 365 E5 Compliance, Microsoft Information Protection and Governance E5, Microsoft Enterprise Mobility and Security E5, or Microsoft Security and Compliance for Frontline Workers F5 license. These license requirements are necessary to configure dynamic watermarks and apply labels configured for dynamic watermarking. There is no licensing requirement for users to open files with dynamic watermarks.

To view the minimum versions needed to open files with dynamic watermarks on all platforms, see Minimum versions for sensitivity labels in Microsoft 365 Apps | Microsoft Learn.

2.9K Views, 2 likes, 3 Comments

Converting Active Directory Groups to Cloud-Only with ADGMS
If you find yourself creating and maintaining on-premises groups just so they will synchronize to your Azure tenant, it’s time to free yourself from this time-consuming and potentially risky outdated practice by converting them to cloud only. Converting your groups to cloud-only will eliminate your dependence on legacy Active Directory Domain Services environments and enable you to delegate their management without resorting to custom Active Directory permissions, outdated management interfaces and even VPN or remote access solutions if your administrators are a part of today’s remote workforce. Remember all those distribution groups that your users were able to manage before their mailboxes were migrated to Exchange Online? By converting those groups to cloud-only, your users can once again manage them themselves! This eliminates the need for custom group management tools or for your helpdesk to manage membership on their behalf. So now that we’ve agreed it makes sense to convert your synced groups to cloud-only, what are your options… There are a variety of methods available to convert your groups to cloud-only, however they vary in cost and complexity, ranging from manual re-creation, which can be time-consuming and prone to error, building your own Graph API or PowerShell scripts, which require a significant understanding of Microsoft Exchange, Active Directory, PowerShell as well as rigorous testing to ensure a functional solution, or, worst case, searching the internet and re-using scripts built by others with potentially harmful results. To help simplify and ensure the safety of this process, the IMS team offers a turn-key managed solution called Active Directory Group Modernization Service, or ADGMS. ADGMS is a cloud-based, automated solution that connects to and monitors your Entra tenant, automatically re-creating groups whenever they are moved out of scope of your Entra ID Connect or Entra Cloud Sync solution. 
ADGMS maintains each group’s membership, including any nesting, as well as its email addresses, send and receive restrictions, manager or owner and even extended attributes, and ADGMS uses all this data to instantly re-create the group as cloud-only. Additionally, ADGMS provides reports on all the nested groups in your tenant, helping to identify any cases where you have circular or self-nesting that might otherwise impact mail-flow and management. These reports are then used to create your group modernization strategy by ensuring you re-create your groups in the correct order. The beauty of ADGMS is that it’s 100% automatic and customer-driven. Once ADGMS is enabled, you control the quantity and speed of your group modernizations, and the ADGMS solution handles all the heavy lifting. Because ADGMS maintains all the email routing addresses, your users won’t even realize that the group has been converted to cloud-only. It is important to note that, while ADGMS can help radically change your cloud administration model, it does not support modernization of security groups by default. That said, based on the tens of thousands of groups already modernized with ADGMS, we have found that most legacy mail-enabled security groups primarily exist in Entra for the purposes of email routing and not securing cloud resources. In those cases, the group can be modernized into a cloud-only distribution group, and the on-premises group mail-disabled and left as a security-only group.

How to take advantage of ADGMS

If you are interested in reducing your administrative burden when it comes to on-premises groups currently synchronizing to Entra and leveraging a proven managed solution for migration of those groups to cloud-only resources, be sure to contact the IMS team for more information about ADGMS. Learn more about IMS and its capabilities, and start hassle-free migrations today, on our YouTube Channel. Want to speak with an expert?
Reach out to us at imssales@microsoft.com to connect with a sales representative.
1.5K Views, 6 likes, 5 Comments

possible to prevent users from selecting security groups?
We have some AD synced and cloud only security groups with large memberships (think 'all employees', 'all contractors' etc) that are used for various administrative purposes. Is it possible to hide those groups or prevent users from selecting them to 'secure' their objects such as SharePoint sites and Power Apps?
48 Views, 1 like, 1 Comment