Compliance licenses at tenant level
Hi, We are a small organization of about 200 employees, and we have following requirements. DLP policies configuration at Exchange, OneDrive, SharePoint BYOD security Users should not be able to send files outside the org And so on as we evaluate We already have M365 Business Premium. However, after researching we figured out that M365 Business premium will alone not solve our requirements. May be compliance license will. We want to apply security policies at tenant level in our organization but definitely do not want every user to get licenses as this will be expensive for us and there is no requirement at all for our users. The question is, Is there a way to solve the above scenario?
Hidden Group and Hidden Group Membership
Hi everyone! I have come across a requirement where the client would like to use an excel spreadsheet, a service account and application registration to manage group membership for a confidential group. They would like to create a group from which the members cannot leave, see other team members and cannot see the group itself. Now, I have the concept of the flow with me but for the life of me, I cannot get around to finding/configuring a group that meets the requirement. Have you guys come across this sort of scenario? Group Configuration: Users should not be able to view the group Users should not be able to view members of the group Users should not be able to leave the group Thanks in advance.New PAYG Service to Classify Historical SharePoint Data
There’s no doubt that SharePoint Online sites and OneDrive for Business accounts hold lots of old files. A new On Demand Classification PAYG service aims to find and classify that data and apply sensitivity and retention labels based on policy settings. It’s a good idea for tenants that has this kind of cold files hanging around gathering dust without anyone knowing if any of the files hold confidential information. https://office365itpros.com/2025/02/28/on-demand-classification/
Online Archive Not Working for One User
Hi, I am experiencing an issue with the online archive for one of my users. The online archive has been working correctly for this user for years, but it has not archived any emails for the past six months. I have checked the licensing, retention tags, and retention policy, and everything appears to be correctly configured. I have also tried running the Start-ManagedFolderAssistant cmdlet multiple times, but it has not resolved the issue. Other users in my organization have the same retention policy and their online archives are working correctly. I have also tried changing the retention policy for the affected user to one that is known to work for other users, but this did not resolve the issue. I have tried running several cmdlets to gather more information about the issue, including Get-Mailbox | FL RetentionPolicy, Export-MailboxDiagnosticLogs -Identity -ExtendedProperties, Get-RetentionPolicy | FL Name, Get-RetentionPolicyTag, Get-ComplianceTag, Get-Mailbox | fl *hold*, Get-MailboxStatistics | fl ManagedFolderAssistantLastRunTime, Get-Mailbox -Archive | fl *, and Get-MailboxFolderStatistics -Archive | fl *. However, none of these cmdlets have helped me identify the cause of the issue. The output from these cmdlets appears to be normal and does not indicate any issues with the mailbox or the archive mailbox. One thing I noticed is that the Get-MailboxStatistics | fl ManagedFolderAssistantLastRunTime cmdlet does not return any output for any of my users, even though I have run the Start-ManagedFolderAssistant cmdlet multiple times. I am at a loss as to what could be causing this issue and would appreciate any suggestions or guidance on how to troubleshoot it further. Thank youHow to Configure Sensitivity Labels to Block Document Downloads from SharePoint Sites
The SharePoint Online Block Download Policy controls the ability to use features that rely on downloaded files (including temporary files), such as printing or editing with the Office desktop apps. It’s the kind of configuration that organizations might use for sites that hold very confidential files. Although the Set-SPOSite cmdlet can configure the policy for a site, it’s easier to use a container management label. https://office365itpros.com/2024/12/12/block-download-policy-labels/Processing Microsoft 365 Retention Labels with the Microsoft Graph PowerShell SDK
Two types of retention labels are in use: Microsoft 365 retention labels and MRM retention tags. Clients hide the difference, but the Microsoft Graph PowerShell SDK cmdlets can only process Microsoft 365 retention labels for files stored in SharePoint Online and OneDrive for Business. EWS can manage MRM retention tags, but it’s on a fast path to retirement in 2026… https://office365itpros.com/2024/12/18/microsoft-365-retention-labels-ps/Using the Audit Log to Generate a Daily Action Summary for a User
This article describes how to report the audit events for a user over a single day. The task seems simple, but inconsistency in audit payloads make it harder. Workloads don’t help by the variations in audit events. In any case, persistence and knowledge about what the audit event captured for an action helps to decode the data, as illustrated by the script detailed here. https://office365itpros.com/2024/12/03/audit-events-for-a-user/
How do I apply retention label to a folder in a SharePoint library?
Hello All, Can you please advice how do I apply a "Retention label" (Created in M365 compliance centre) to folders in a Document Library? I created this retention label below I published this label and it now appears in document library, but at a individual document level as shown below I am not sure how to make the same appear at a folder level. Note : In the actual customer scenario, they would like different retention labels to be applied to different "folders" (ie, users should be able to apply retention labels to folders, so that the documents inside those folders follow the label applied at folder level). For achieving this, I heard that we only need to create a retention label (not retention policy) as we are looking at a "Folder" level here (not site level or up). However I am not sure how to do it. Please advice.Track Sensitivity Label Downgrades and Removals with Audit Log Data
The Purview Insider Risk Management solution can do all sorts of clever things, like tracking sensitivity label downgrades and removals as an indicator that a user might be preparing to exfiltrate data. The same kind of checking can be done by using the events captured in the audit log when people remove or change sensitivity labels. All in a few lines of PowerShell… https://office365itpros.com/2024/11/20/sensitivity-label-downgrades/
