migration
841 TopicsNeed to Restore PST Files to Office 365 Mailboxes - What's the Best Approach
Hey everyone, I have a task coming up where I need to restore several PST files back into Office 365 mailboxes. Haven't done this before at this scale and honestly not sure where to begin. I've looked at Microsoft's native import service through Purview but I have a few concerns: Some of the PST files are quite large — not sure how well it handles that I need to restore only specific folders for some users, not the entire PST I'm worried about data consistency after the restore Would prefer something that doesn't require too many admin roles or complex setup For those who have done PST to Office 365 restores — what approach worked best for you? Any tools, tips, or things to watch out for that you wish you knew before starting?69Views0likes1CommentMoving Office 365 Mailboxes to IMAP Servers - What’s the Best Approach
I’ve recently been looking into scenarios where organizations need to move mailboxes from Microsoft 365 to IMAP based email servers, and I noticed this is still a common requirement in many migrations. In most cases, the challenge is not just moving emails, but making sure everything like folder structure, old emails, and user data stays intact without creating too much disruption for users. From what I’ve seen, doing this manually can get very complex, especially when there are multiple mailboxes or large data volumes involved. That’s where migration tools usually come into the picture. Most tools simplify things by handling: 1. Secure connection to Microsoft 365 accounts 2. Bulk mailbox migration 3. Preserving folder hierarchy 4. Reducing downtime during the move 5. Avoiding duplicate data issues One thing I’ve noticed is that running a small pilot migration first always helps. It gives a clear idea of how the actual migration will behave before moving all users. Has anyone here worked on Office 365 to IMAP migration at scale? Would be good to know what approaches or tools worked best in your case and what challenges you faced during the process.101Views0likes2CommentsMCA billing account stuck in "under review" status for 4+ days, no resolution
I'm the Global Admin for a Microsoft 365 tenant (domain: fortunamg.net) recently transitioned from a GoDaddy CSP reseller relationship to a direct Microsoft Customer Agreement (MCA) billing account. After setting up the MCA billing account and adding a payment method, I attempted to make an edit to my billing account address (updating to the new 9-digit zip code format). This triggered an "Account under review" status, which states the review usually takes up to 2 days. It has now been over 4 days with no update or email notification. This review is blocking me from purchasing a subscription, which I need to do to restore an active Microsoft 365 subscription on this tenant (currently showing as "Disabled" following the GoDaddy detach). Billing Account ID: 7793dd6e-68c9-5362-c5e2-3fe091b9854c Domain: fortunamg.net Could someone help check the status of this review or escalate to the appropriate team? Phone support has been unable to resolve this. Thank you.62Views0likes2CommentsOffice 365 Mailbox Export to PST - Third Party Tools: What’s Your Experience?
Exporting Office 365 mailboxes to PST is still a common requirement in many Microsoft 365 environments, especially for backup, compliance, and migration scenarios. While Microsoft offers native options like Purview eDiscovery and Outlook export, many administrators also consider third-party tools when dealing with large mailboxes or bulk export requirements. In real-world scenarios, factors like speed, ease of use, permission handling, and consistency of exported data often influence the choice of tool. Some teams prefer native methods for compliance control, while others explore third-party solutions to simplify large-scale or repeated export tasks. For those working with Microsoft 365, what has your experience been with third-party PST export tools? Have they helped in your environment, or do you still rely mainly on Microsoft’s native options?195Views1like3CommentsMSSP migration to Unified portal: how are you sequencing your customer portfolio?
Following the automation and SOAR discussion, I wanted to open a conversation specifically focused on the MSSP and multi-tenant side of the migration, because this is where the coordination challenges are an order of magnitude higher than the technical ones. A few things I am working through before writing this up as Part 5 of the migration series. On Workspace Manager: Microsoft's own documentation now points you away from Workspace Manager at the point of onboarding to the Defender portal, directing you to Microsoft Defender multitenant management instead. For MSSPs who built their operating model around Workspace Manager, this is a significant structural change. For those implementing now, the recommendation is to go straight to the multitenant portal. I am interested in what the transition has looked like in practice for teams who were mid-flight on Workspace Manager when this became clear. On access delegation: one of the more honest framings I want to include in the article is around the GDAP plus Unified RBAC gap. A Microsoft employee confirmed in the RSAC 2026 thread that Unified RBAC support for GDAP in the Defender portal is on the roadmap with no firm date. MSSPs choosing between Entra B2B and the governance relationships model today are making an architectural call that is difficult to reverse. I want to present this accurately, and real experience from practitioners will sharpen that framing. On the connector deployment constraint: you cannot deploy connectors from a managed workspace configured with Azure Lighthouse alone, you also need GDAP. This makes a layered delegation architecture, Lighthouse plus GDAP plus B2B or governance relationships, necessary rather than optional. I am curious whether MSSPs are already running this layered model or whether most are still trying to make Lighthouse work as a single mechanism. On migration sequencing: the question I want to ask specifically is how teams are structuring their customer portfolio migration. Are you running waves based on customer complexity, based on contract renewal timing, based on customer risk appetite, or some other factor? And when something goes wrong in one tenant's migration, how are you containing the impact on the rest of the programme? Sharing the full article once it is written. Happy to discuss anything above in more detail in the thread.95Views0likes0CommentsWhat’s new in Microsoft Sentinel: May 2026
Welcome to the May edition of What's new in Microsoft Sentinel. This month’s updates focus on unified role-based access control (RBAC), ecosystem breadth, AI-agent security, and high-assurance identity. RBAC and row-level scoping are now generally available, giving security teams a single, granular permissions model across Sentinel and the Microsoft Defender portal and enabling multi-team SOC collaboration. The Sentinel connector catalog has passed 400 connectors, expanding coverage across Microsoft and third-party data sources and helping customers and partners onboard new data faster with the Codeless Connector Framework (CCF). The Agent 365 connector, now in public preview, brings AI agent telemetry into Sentinel data lake as first-class standardized signals so you can monitor agent behavior alongside identity, endpoint, and cloud activity. Finally, Entra Verified ID partner integrations in Microsoft Security Store are now generally available, delivering high‑assurance identity verification that makes account recovery after compromise far safer and significantly reduces the risk of re‑compromise. Read on for the full list of updates across Sentinel in May. Sentinel innovations: Sentinel SIEM Sentinel data lake Microsoft Security Store Sentinel SIEM Unified role-based access controls and row level scoping [Generally available] Sentinel now delivers general availability of two powerful access management capabilities: Unified RBAC and row-level data scoping. Together, these innovations provide a consistent, end-to-end model for controlling who can access data and what actions they can take — extending unified permissions management across the Defender portal while enabling granular, row-level visibility within a single Sentinel workspace. With Unified RBAC, organizations can simplify and centralize permissions across security workloads, reducing operational overhead, while row-level scoping enables secure collaboration across multiple teams by ensuring users only see data aligned to their role or scope. This milestone unlocks more scalable, multi-team SOC operations without the need for workspace segmentation, helping us to advance toward fully unified, granular access control across Microsoft Security. Tenant groups [Public preview] Managing security across multiple tenants just got simpler. Tenant Groups in the Microsoft Defender multi-tenant portal (MTO) give managed security service providers (MSSPs), cloud service partners (CSPs), and multi-tenant security teams a flexible way to organize tenants into logical groupings such as customer segment, geography, or operational priority, and instantly switch views with a single click. This streamlined experience reduces noise, improves investigation focus, and aligns to how teams actually work, all while respecting existing permissions and access controls. Learn more. Out-of-the-box integrations for Sentinel automation [Public preview] Out-of-the-box (OOTB) integrations for Sentinel automation brings a centralized catalog to easily discover, configure, and manage both Microsoft and third-party integrations. With simple, authentication-based setup, users can quickly add integrations and seamlessly incorporate them into playbooks. The experience places OOTB and custom integrations side by side, with enhanced with smart search, recommendations, and duplicate prevention to streamline automation workflows end to end. Learn more. UEBA enhancements [Public preview] Microsoft Sentinel UEBA continues to evolve with improvements that simplify management and expand detection coverage. A dedicated UEBA tab view in the Sentinel settings page consolidates UEBA and behaviors settings, making configuration easier to find and manage. Learn more. UEBA insights and anomalies now support the OktaV2_CL table alongside the existing Okta_CL table, extending anomalous activity and anomalous MFA failures detections to customers using the newer Okta connector format, without requiring new anomaly types. Learn more. UEBA extends GCP Audit Logs coverage with five anomaly detections for login activity, privileged actions, resource deployments, secret/KMS key access, and infrastructure usage. Learn more. Together, these updates make UEBA easier to operate while extending its visibility into identity and behavior signals from additional cloud and identity providers. Read the latest blog from the Microsoft Defender Research Team to learn more about Microsoft Sentinel UEBA and binary feature stacking, which uses clear binary signals to help establish behavioral context and inform investigation and detection decisions. Threat Intelligence – TAXII Export connector [Generally available] Sentinel supports threat intelligence export through the built-in Threat Intelligence – Trusted Automated Exchange of Intelligence Information (TAXII) Export connector, giving customers a standards-based way to share curated Structured Threat Information Expression (STIX) objects with supported TAXII 2.1 platforms. Configured from the Defender portal, the connector handles destination setup and intelligence delivery to external platforms. The capability supports cross-organization intelligence sharing for collective defense and centralized management in multi-tenant environments, with use cases across government, critical infrastructure, and large distributed organizations. Additional enhancements are planned, including more export options and expanded destination support. Learn more. Decision-stage resources for SIEM migration to Sentinel The AI-powered SIEM migration experience helps teams analyze detections, identify required data sources and connectors, and plan a phased move to Sentinel. But, customers still need help turning that analysis into a clear decision. To support that step, we’re introducing two new customer-facing resources: the Sentinel SIEM Migration Decision and Planning Guide, which explains the migration journey, outputs, and decision checkpoints before execution, and the Decision-Stage Customer FAQ, which answers common questions around disruption, cost, dual running, detection coverage, and delivery support. Together, these resources help make migration conversations more concrete and move teams more quickly from evaluation to a clearer, lower-risk next step. Learn more: Read the blog: AI-powered SIEM migration experience announcement Download the guide: Decision and planning guide Download the FAQ: Decision-stage customer FAQ Learn more: SIEM migration experience documentation Register for live AMA (Jun 23 at 9am PT): Live Microsoft Tech Community AMA on SIEM migration Sentinel data lake 400+ Sentinel data connectors The Sentinel connector catalog now includes 400+ connectors, providing broad, ready-to-deploy coverage across Microsoft and third-party data sources. Customers can flexibly ingest security data into Microsoft Sentinel analytics tier or the data lake tier. The Codeless Connector Framework (CCF) and VS code-based connector builder agent enables partners and customers to onboard new data sources faster and scale the catalog. Discover connectors in the Sentinel Content hub within the Defender portal or build custom connectors when needed. Learn more. Agent 365 connector [Public preview] Agent 365 connector streams AI agent telemetry from Agent 365 into Sentinel data lake, giving SOC teams visibility into agent behavior alongside identity, endpoint, and cloud signals. With the Agent 365 connector in place, Sentinel data lake becomes the system of record for agent security, turning activity such as data exposure or access drift into first-class security signals that analysts can correlate, hunt across, and investigate. Telemetry is normalized and to mapped to standard Advanced Security Information Model (ASIM) schemas, ready for analytics and detections, and end-to-end investigations can run through KQL, graph, and MCP-powered workflows. Install the connector with a single click from Sentinel Content Hub in the Defender portal. Learn more. CCF support for Azure Blob Storage [Public preview] Sentinel Codeless Connector Framework (CCF) supports Azure Blob Storage as a data source, providing an ingestion pattern designed for high-volume security data. Partners and customers can build CCF connectors that read from Blob Storage through a durable architecture that buffers spikes, handles backpressure, and reduces data loss risk during outages or throttling, making ingestion more reliable for variable or distributed pipelines. The pattern broadens compatibility with partners already streaming logs to Azure as part of their audit data delivery, with Cloudflare and Netskope as early adopters. App Assure further provides engineering-backed support for designing, validating, and remediating the Azure Blob Storage CCF connector integration. Learn more. Data filtering and splitting [Generally available] At RSAC, we announced built‑in filtering and splitting capabilities in Microsoft Sentinel, which is now generally available. As security teams ingest more data, it is important to optimize security data pipeline by controlling what data is ingested and in which tier. With filtering and splitting natively integrated into the Defender portal, security teams can shape data before it reaches Sentinel, without switching tools or managing custom JSON files. Using simple KQL‑based transformations directly in the UI, you can filter low‑value events and intelligently route data, making ingestion optimization faster, more intuitive, and easier to manage at scale. Filtering at ingest time allows you to remove low‑value or benign events to reduce noise, lower unnecessary processing, and ensure high‑signal data drives detections and investigations. Splitting enables intelligent routing of data between the analytics tier and the data lake tier based on relevance and usage. Together, these capabilities help you balance cost and performance while scaling data ingestion sustainably as your digital estate grows. Learn more. Transition your Sentinel connectors to the Codeless Connector Framework (CCF) [Action required] Azure has announced that the legacy Azure Data Collection API will be deprecated on September 14, 2026. Sentinel recommends customers review existing connectors and upgrade to the latest Codeless Connector Framework (CCF) versions to ensure continued access to the newest Sentinel capabilities. CCF delivers a fully managed SaaS experience with built-in health monitoring, centralized credential management, and improved performance. This enables partners and customers to onboard new data sources faster and at scale. Microsoft Security Store Entra Verified ID partner integrations via Security Store [Generally available] Security Store helps organizations secure one of the most critical steps in incident response: safe account recovery after compromise. Once a SOC team detects and contains a potential account takeover (ATO), restoring access requires high confidence that the user is legitimate. Through partner integrations with IDEMIA, AU10TIX, CLEAR, 1Kosmos, and WhoAmI, customers can extend Entra Verified ID with high-assurance identity verification (such as document and biometric checks) to validate users during recovery, onboarding, or helpdesk workflows. This helps replace weaker fallback methods that attackers often exploit, enabling SOC and IT teams to safely restore access while reducing risk of re-compromise. Learn more. Purview Data Security Triage Agent in Defender [Public preview] Security Store powers how customers discover and activate data security agents across Defender and Microsoft Purview, starting with the Data Security Triage Agent. This capability delivers AI-generated summaries and prioritization of Data Loss Prevention (DLP) alerts directly into Defender XDR, helping security teams reduce noise and focus on the incidents that matter most. By unifying discovery and activation through Security Store, customers can deploy data security agents in fewer steps and enable more integrated workflows across threat and data protection surfaces. Learn more. Additional resources Blogs and documentation: From idea to production: Building Security Store Advisor with an agentic SDLC Upcoming webinars: June 4: End-to-End Security in the Age of Agentic AI June 10: Deploy, optimize, and implement threat protection with Sentinel June 10: Security Foundations for AI Adoption June 24: Modern Security Made Simple: Stay Ahead of Threats with Sentinel Upcoming events: June 2–3: Microsoft Build, San Francisco (and free online) CEO Satya Nadella Day 1 keynote 90+ sessions, Microsoft Security experts onsite Register: build.microsoft.com Stay connected Check back each month for the latest innovations, updates, and events to ensure you’re getting the most out of Microsoft Sentinel. We’ll see you in the next edition!1KViews3likes0CommentsMigration from Hosted Exchange (Hybrid) to M365 Classic Outlook Client Problems and Solutions
Hello Everyone, I'm a tech who started on a 8088 processor in the 80's. Not mentioning the Vic20 and C64 since that hardly seem relevant! I'm posting here to hopefully help the next person with the issues I've had over the last few weeks. My client had to port his email from a provider with an on-perm Exchange server in a Hybrid setup with M365 to his own M365 environment. I expected this was to be about 3 hours of work for me - setup M365 environment, plan the cut-over window, update the Outlook clients on each PC. It ended up being roughly 20 hours of my time and at least 10 hours of dedicated time for my client. For those wanting to jump directly to what mostly fixed it use this link, it should get you past the dreaded "an encrypted connection to your mail server is not available" when trying to add the mail account into a clean profile. Use https://support.microsoft.com/en-us/windows/classic-outlook-troubleshooters-086e3d66-5404-4034-9cc5-545909dcc166 and pick "Classic Outlook Profile Setup Troubleshooter" Most hits are going to tell you its an autodiscovery issue, but if you're reading this I'm going to assume you've already confirmed that. Our issue was some ghost configuration, only on the PCs previously setup for mail on the old server. A new PC could add the same account without issue. Some of the research suggested this would not happen if the proper Microsoft migration process is followed to move the account - but in our case the previous provider was unable to perform the migration. I'll skip over the research we tried along the way, such as New Outlook Profiles, Registry entry changes, MS Personal users with the same email as MS Business Users, Autodiscover problems (including concerns that the base website for the client was offering invalid data), and so on. After each hit where we applied a fix we again had to try adding the mail to the profile, and each time we sat watching the little circle for up to 5 minutes only to get the same error. Now, once we found the link above - which did not come up in most searches - things got better, but not 100%. We added the profile ok but then Outlook gave a permission error while starting. To fix that, the user signed in must have administrative access and you use File Explorer to navigate to the folder identified in the error. In our case it was in folders kept under \Windows\System32\. When prompted that we need to grant permanent access we said yes. In our case this is where Outlook was storing the ost files. That worked for most of the clients, but we had one additional issue where the error was pointing to a folder that didn't exist. Just creating the folder was not enough, the final fix was to hold CTRL-SHIFT down while opening Outlook to start in administrative mode to allow it to create the ost file in the newly created folder. Finally 3 weeks after our cut over window, while the client had to use OWA, we were able to get outlook running. This was critical for my client because they did not have access to the mail history since the migration didn't happen - they had to open a copy of their PST in Outlook and use mail in OWA and constantly bounce back and forth. I hope this helps someone avoid the pain we went though!46Views0likes0CommentsMicrosoft 365 Apps SHOULD NOT overwrite Office 2019/2021 one-time retail installs
I want to raise a serious concern about Microsoft 365 Apps being imposed over existing Office 2019/2021 installations that were activated with legitimate one-time installation retail keys. In our case, these are not Microsoft 365 subscriptions and they are not licenses we can simply deactivate and reactivate freely. They are one-time installation retail keys. Once the product has been installed and activated, removing Office and reinstalling it later can make the original key unusable or trigger “already used” activation problems. That is precisely why the current behavior is so damaging. We have PCs with legitimate Office 2019/2021 installations. These machines did not request a migration to Microsoft 365 Apps. However, after internet connection, Office update activity, or Microsoft account interaction, Office appears to silently update, convert, or replace the existing retail installation with the Microsoft 365 Apps version. This is not a minor inconvenience. It creates a serious licensing and operational problem: -A valid one-time Office 2019/2021 installation is replaced by Microsoft 365 Apps without clear, explicit consent. -The original retail installation is no longer cleanly usable. -Fixing the issue requires uninstalling Office, removing Click-to-Run/licensing/account leftovers, and reinstalling the previous Office 2019/2021 version. -But because these keys are one-time installation keys, that reinstall process can render the original key unusable or create activation failures. -In practice, a forced Microsoft 365 conversion can destroy the value of a legitimate one-time Office license. From a user’s perspective, this looks less like a normal software update and more like an exploitative commercial strategy: using Microsoft’s control over Office updates, account sign-ins, Click-to-Run, and activation systems to push already-paid retail users toward Microsoft 365 subscriptions. Even if Microsoft does not intend that result, the practical effect is that users who already paid for Office 2019/2021 can lose practical access to their licensed product and are then nudged toward paying again through a subscription. This should not happen. A perpetual or one-time installation Office license and Microsoft 365 Apps are different products with different licensing models. Microsoft should not silently replace or convert one into the other because a Microsoft 365 account exists on the PC, because the user signs into Office, because OneDrive is present, or because Office updates are enabled. At minimum, Microsoft should provide: -A clear opt-in confirmation before replacing, converting, upgrading, or rebranding Office 2019/2021 retail installations as Microsoft 365 Apps. -A supported way to block Microsoft 365 Apps from taking over one-time installation Office versions. -A clean removal tool that fully removes Microsoft 365 Apps, Click-to-Run leftovers, licensing remnants, and account-based activation conflicts. -A reliable way to restore the original Office 2019/2021 retail installation without invalidating or losing the original one-time key. -Clear separation between Windows account sign-in, OneDrive sign-in, Microsoft 365 entitlement, and local Office retail activation. Users who purchased legitimate one-time installation Office licenses should not be forced into Microsoft 365 Apps by unclear update behavior. If Microsoft wants users to move to Microsoft 365, that should be a deliberate, informed choice — not a silent process that leaves the user cleaning up the installation and losing access to a paid retail license. I am not asking how to install Microsoft 365. I am asking Microsoft to stop Microsoft 365 Apps from taking over valid one-time Office 2019/2021 installations without explicit consent.Sentinel SOAR migration to Unified portal: what broke? anyone evaluated the AI playbook generator?
I want to open a conversation specifically focused on the automation and SOAR side of the migration, because this is the area where problems most commonly surface after onboarding rather than during it. A quick orientation: the Unified portal introduces a specific constraint that catches teams by surprise. Alert-triggered automation for alerts created by Microsoft Defender XDR is not available in the Defender portal. The main use case for alert-triggered automation in this context is responding to alerts from analytics rules where incident creation is disabled. If you had alert-triggered playbooks firing on Defender XDR signals, those need to be re-evaluated against the incident trigger model. This is documented by Microsoft, but it is easy to miss in the volume of migration guidance. The automation failure mode I have seen most consistently: automation rules built around incident title conditions. The Defender XDR correlation engine assigns its own incident names, so any condition keyed to "if incident title contains X" stops matching without throwing an error. The rule is still active, the automation is still enabled, and everything looks fine until someone notices a class of enrichment or response has gone quiet. Microsoft's recommendation is to use Analytic rule name as the condition instead. There is also a firm near-term deadline separate from the March 2027 portal retirement: queries and automation need to be updated by July 1, 2026 for standardised account entity naming. The Name field will consistently hold only the UPN prefix from that date. Any automation comparing AccountName against a full UPN will break. A few specific questions for practitioners: When you onboarded or reviewed your automation post-onboarding, what broke silently versus what produced a visible error? Silent failures are the dangerous ones and sharing specific patterns would be genuinely useful for the community. Has anyone evaluated the new AI playbook generator in the Defender portal? It requires Security Copilot with SCUs available and generates Python-based automation coauthored with Cline in an embedded VS Code environment. Interested in real-world comparisons against existing Logic Apps workflows for the same use case. For those who have migrated alert-triggered playbooks to automation rule invocation: did you find edge cases in the migration, particularly around playbooks used by multiple analytics rules simultaneously? Writing this up as Part 4 of the migration series. Sharing the article link once it is live for anyone who wants the full detail.216Views0likes2CommentsSentinel RBAC in the Unified portal: who has activated Unified RBAC, and how did it go?
Following the RSAC 2026 announcements last month, I have been working through the full permission picture for the Unified portal and wanted to open a discussion here given how much has shifted in a short period. A quick framing of where things stand. The baseline is still that Azure RBAC carries across for Sentinel SIEM access when you onboard, no changes required. But there are now two significant additions in public preview: Unified RBAC for Sentinel SIEM itself (extending the Defender Unified RBAC model to cover Sentinel directly), and a new Defender-native GDAP model for non-CSP organisations managing delegated access across tenants. The GDAP piece in particular is worth discussing carefully, because I want to be precise about what has and has not changed. The existing limitation from Microsoft's onboarding documentation, that GDAP with Azure Lighthouse is not supported for Sentinel data in the Defender portal, has not changed. What is new is a separate, Defender-portal-native GDAP mechanism announced at RSAC, which is a different thing. These are not the same capability. If you were using Entra B2B as the interim path based on earlier guidance, that guidance was correct and that path remains the generally available option today. A few things I would genuinely like to hear from practitioners: For those who have activated Unified RBAC for a Sentinel workspace in the Defender portal: what did the migration from Azure RBAC roles look like in practice? Did the import function bring roles across cleanly, or did you find gaps particularly around custom roles? For environments using Playbook Operator, Automation Contributor, or Workbook Contributor role assignments: how are you handling the fact those three roles are not yet in Unified RBAC and still require Azure portal management? Is the dual-management posture creating operational friction? For MSSPs evaluating the new Defender-native GDAP model against their existing Entra B2B setup: what factors are driving the decision either way at your scale? Writing this up as Part 3 of the migration series and the community experience here is directly useful for making sure the practitioner angle is grounded.Solved335Views0likes3Comments