compliance
342 Topics

Compliance licenses at tenant level
Hi,

We are a small organization of about 200 employees, and we have the following requirements:

- DLP policies configuration at Exchange, OneDrive, SharePoint
- BYOD security
- Users should not be able to send files outside the org
- And so on as we evaluate

We already have M365 Business Premium. However, after researching, we figured out that M365 Business Premium alone will not solve our requirements. Maybe a compliance license will. We want to apply security policies at tenant level in our organization but definitely do not want every user to get licenses, as this will be expensive for us and there is no requirement at all for our users.

The question is: is there a way to solve the above scenario?

51 Views | 0 likes | 2 Comments

Hidden Group and Hidden Group Membership
Hi everyone!

I have come across a requirement where the client would like to use an Excel spreadsheet, a service account and application registration to manage group membership for a confidential group. They would like to create a group from which the members cannot leave, cannot see other team members and cannot see the group itself. Now, I have the concept of the flow with me but for the life of me, I cannot get around to finding/configuring a group that meets the requirement. Have you guys come across this sort of scenario?

Group Configuration:

- Users should not be able to view the group
- Users should not be able to view members of the group
- Users should not be able to leave the group

Thanks in advance.

56 Views | 0 likes | 2 Comments

New PAYG Service to Classify Historical SharePoint Data
There’s no doubt that SharePoint Online sites and OneDrive for Business accounts hold lots of old files. A new On Demand Classification PAYG service aims to find and classify that data and apply sensitivity and retention labels based on policy settings. It’s a good idea for tenants that have this kind of cold file hanging around gathering dust without anyone knowing if any of the files hold confidential information.

https://office365itpros.com/2025/02/28/on-demand-classification/

15 Views | 0 likes | 0 Comments

Export to PST via PowerShell
I am continually expanding on my offboarding process within Orchestrator. I decided to add the export of the email so that all that has to be done is go to the Content search and download it (unless someone knows how to do that as well...). My addition works, however, instead of creating a single PST file, I end up getting the actual folders with individual email in message file format. I have tried what is correct per everything I could find (honestly, not a lot of detail on the subject).

The current single line in question is:

    New-ComplianceSearchAction -SearchName $SearchName -Export -ArchiveFormat PerUserPST -EnableDedupe $true

I have tried different values for -ArchiveFormat including leaving it completely off since a single pst per user is supposed to be the default. I will include the entire part of the script responsible for the full function in case it is supposed to be declared somewhere else (but I haven't found anything).

    # Create Compliance Search - Export Email
    $SearchName = "Export - " + $term.Name
    New-ComplianceSearch -ExchangeLocation $term365.UserPrincipalName -Name $SearchName

    # Start Compliance Search and wait to complete
    Start-ComplianceSearch $SearchName
    do {
        Start-Sleep -s 5
        $complianceSearch = Get-ComplianceSearch $SearchName
    } while ($complianceSearch.Status -ne 'Completed')

    # Create Compliance Search in exportable format
    New-ComplianceSearchAction -SearchName $SearchName -Export -ArchiveFormat PerUserPST -EnableDedupe $true
    $ExportName = $SearchName + "_Export"

    # Wait for Export to complete
    do {
        Start-Sleep -s 5
        $complete = Get-ComplianceSearchAction -Identity $ExportName
    } while ($complete.Status -ne 'Completed')

Any help would be appreciated!

Solved | 161K Views | 2 likes | 46 Comments

Online Archive Not Working for One User
Hi,

I am experiencing an issue with the online archive for one of my users. The online archive has been working correctly for this user for years, but it has not archived any emails for the past six months. I have checked the licensing, retention tags, and retention policy, and everything appears to be correctly configured. I have also tried running the Start-ManagedFolderAssistant cmdlet multiple times, but it has not resolved the issue.

Other users in my organization have the same retention policy and their online archives are working correctly. I have also tried changing the retention policy for the affected user to one that is known to work for other users, but this did not resolve the issue.

I have tried running several cmdlets to gather more information about the issue, including Get-Mailbox | FL RetentionPolicy, Export-MailboxDiagnosticLogs -Identity -ExtendedProperties, Get-RetentionPolicy | FL Name, Get-RetentionPolicyTag, Get-ComplianceTag, Get-Mailbox | fl *hold*, Get-MailboxStatistics | fl ManagedFolderAssistantLastRunTime, Get-Mailbox -Archive | fl *, and Get-MailboxFolderStatistics -Archive | fl *. However, none of these cmdlets have helped me identify the cause of the issue. The output from these cmdlets appears to be normal and does not indicate any issues with the mailbox or the archive mailbox.

One thing I noticed is that the Get-MailboxStatistics | fl ManagedFolderAssistantLastRunTime cmdlet does not return any output for any of my users, even though I have run the Start-ManagedFolderAssistant cmdlet multiple times.

I am at a loss as to what could be causing this issue and would appreciate any suggestions or guidance on how to troubleshoot it further.

Thank you

21K Views | 0 likes | 9 Comments

DLP Exception for "Permission Controlled" Not Working (Microsoft Purview | RMS Template | Encrypt)
Hello,

We are in the process of moving some of our mail-flow / transport rules over to Microsoft Purview. We don't want the DLP policy to apply when people click their "Encrypt" or "Do not Forward" buttons (RMS templates; OME encryption). Putting "Permission Controlled" in the exceptions group should theoretically let the emails go through.

The exception we have for when people put "Encrypt" in the subject line works (we have a mail-flow rule that encrypts those emails). But actually clicking "Options" > "Set permissions on this item" > "Encrypt" doesn't remove the policy tip on an email draft, and people are unable to send the emails.

Can someone verify that this rule is constructed properly? If so, we may have to reach out to Microsoft Support.

Thank you so much for your time and help!

Solved | 274 Views | 1 like | 6 Comments

How to Configure Sensitivity Labels to Block Document Downloads from SharePoint Sites
The SharePoint Online Block Download Policy controls the ability to use features that rely on downloaded files (including temporary files), such as printing or editing with the Office desktop apps. It’s the kind of configuration that organizations might use for sites that hold very confidential files. Although the Set-SPOSite cmdlet can configure the policy for a site, it’s easier to use a container management label.

https://office365itpros.com/2024/12/12/block-download-policy-labels/

301 Views | 1 like | 3 Comments

Processing Microsoft 365 Retention Labels with the Microsoft Graph PowerShell SDK
Two types of retention labels are in use: Microsoft 365 retention labels and MRM retention tags. Clients hide the difference, but the Microsoft Graph PowerShell SDK cmdlets can only process Microsoft 365 retention labels for files stored in SharePoint Online and OneDrive for Business. EWS can manage MRM retention tags, but it’s on a fast path to retirement in 2026…

https://office365itpros.com/2024/12/18/microsoft-365-retention-labels-ps/

24 Views | 0 likes | 0 Comments

Can IT Admins Block Anonymous Responses in Microsoft Forms?
Is it possible for admins to configure Microsoft Forms so that users cannot create an option for anonymous responses? For example, if there is a concern that someone might submit inappropriate responses, admins would want the ability to trace who provided the response. From my understanding, an anonymous response is completely untraceable.

44 Views | 0 likes | 1 Comment

Using the Audit Log to Generate a Daily Action Summary for a User
This article describes how to report the audit events for a user over a single day. The task seems simple, but inconsistency in audit payloads makes it harder. Workloads don’t help by the variations in audit events. In any case, persistence and knowledge about what the audit event captured for an action help to decode the data, as illustrated by the script detailed here.

https://office365itpros.com/2024/12/03/audit-events-for-a-user/

41 Views | 0 likes | 0 Comments