Objects in a Retention Policy populated by Adaptive Scopes
I need a way to get all users in a retention policy that is populated by an adaptive scope. I can get all the members of the scope, and I can show that the policy uses that adaptive scope. But I know my audience. They will want to see that the users are actually in the policy. They will probably even want to see that it matches the users in the adaptive scope. In the GUI, I can click on an adaptive retention policy and click on "policy details". This will show all the users that the policy applies to and the date/time they were added, if they were removed from the policy, etc. And I can even export that. How can I get this same information via PowerShell? It's going to be important because, as you can see, there's a big difference in the date/time added. they were all in the adaptive scope BEFORE this policy was created, but it still took nearly 24 hours for all users to be added. Which is fine, and typical, but if a user gets added to the adaptive scope and does not have the policy applied to them within 24 hours, we need to know this. The goal is as much automation as possible, with checks and balances in place. Checks and balances require gathering information. That's going to require getting this information via PowerShell.
Purview-Retention Policy for Private channels
I have retention policy for Standard & Shared channels together with 2 Years retention period to keep posts for 2 years and remove after that period. Don’t have any policy for Private channels posts/messages, so posts will be available indefinitely . With this https://www.microsoft.com/en-in/microsoft-365/roadmap?id=500380from Microsoft my private channels will also part of the same policy which is applied for standard & Shared channels . in this case how i can retain the posts from private channels indefinitely . Please suggestCompliance licenses at tenant level
Hi, We are a small organization of about 200 employees, and we have following requirements. DLP policies configuration at Exchange, OneDrive, SharePoint BYOD security Users should not be able to send files outside the org And so on as we evaluate We already have M365 Business Premium. However, after researching we figured out that M365 Business premium will alone not solve our requirements. May be compliance license will. We want to apply security policies at tenant level in our organization but definitely do not want every user to get licenses as this will be expensive for us and there is no requirement at all for our users. The question is, Is there a way to solve the above scenario?Maintaining a Microsoft 365 Retention Policy with PowerShell
The Connect-IPPSSession cmdlet is needed to connect to the Security and Compliance endpoint to update a Microsoft 365 retention policy. Unhappily, the Security and Compliance module doesn’t support managed identities, which makes it harder to run Connect-IPPSSession securely in an Azure Automation runbook. In the end, we use a credential stored in the automation account. And then we had to disable WAM. All explained here. https://office365itpros.com/2025/08/12/connect-ippssession-azure/Creating a Microsoft 365 Retention Policy for Shared Mailboxes
After being asked whether licenses are needed to include shared mailboxes in Microsoft 365 retention policies, I investigated and found that licenses are not. This led to a consideration of the steps needed to create a special retention policy for shared mailboxes (with PowerShell, naturally) and how to avoid retention setting collisions with other policies. All explained in detail here. https://office365itpros.com/2025/08/05/shared-mailboxes-retention/
Retention Compliance Policy exemption group honoring
Hello, My company is starting down a path to enact a Data Lifecycle Management policy, starting with our EOL email. The desired state outcome is a policy that deletes all email older than 7 years, applied to all mailboxes, with certain exemptions to named users/individuals (execs, etc.). I created a mail-enabled security group for the named exempt individuals, sync'ed into EntraID. I was able to use powershell to create a retention compliance policy (in a disabled state for now) + corresponding retention compliance rule that is targeted to EOL, but I can't see to get the configuration to honor the exemption group I've specified. I'm typically PIM'ed up to Compliance Administrator to do these manipulations, though I've also tried with Global Admin to no avail. Whether via the powershell based attempts or via the Purview GUI, the exempt group listing just doesn't seem to take/appear after I've submitted the change to enact on it. Is there anything special needed to get the Purview system to honor a group specified for named users/mailboxes for exemption? I understand that it can take up to 7 days for a change to take hold, but I was under the impression that changes that are submitted should at least be visible via the admin interface of choice (powershell, Purview web GUI) once submitted. ThanksBe Careful with Retention Labels Configured with Created Date Expiration
Retention policies and retention labels have been around for about 8 years. Some of the older retention settings might use file created dates to remove items. No doubt basing retention on creation dates made perfect sense at the time, but experience shows that maybe basing retention on the last modified date can be better. All explored here together with a script to update retention labels in OneDrive. https://office365itpros.com/2025/07/22/retention-label-last-modified-date/
Hidden Group and Hidden Group Membership
Hi everyone! I have come across a requirement where the client would like to use an excel spreadsheet, a service account and application registration to manage group membership for a confidential group. They would like to create a group from which the members cannot leave, see other team members and cannot see the group itself. Now, I have the concept of the flow with me but for the life of me, I cannot get around to finding/configuring a group that meets the requirement. Have you guys come across this sort of scenario? Group Configuration: Users should not be able to view the group Users should not be able to view members of the group Users should not be able to leave the group Thanks in advance.
