Kumaran – A Cloud Guy

Microsoft 365 Admins: August 2025 Ushers in Major Retirements, AI-Powered Features & Key Compliance Shifts – Here’s Your Definitive Guide

July 31, 2025 by Kumaran

If you thought July was intense, buckle up, August 2025 is a heavyweight month for Microsoft 365 changes. Between legacy retirements, AI-driven security enhancements, and new controls across Teams, Outlook, and Purview, this is not the month to sleep on your Message Center.

Whether you’re managing governance, fine-tuning DLP, or trying to avoid last-minute fire drills, this guide breaks it all down into what’s retiring, what’s new, and what needs your immediate attention.

August at a Glance

Category	Count
🔻 Retirements	4
🆕 New Features	7
🔧 Enhancements	3
🔄 Changes in Functionality	1
⚠️ Action Needed	3

Retirements: Say Farewell to These Legacy Tools

1. Classic eDiscovery in Microsoft Purview

August 1, 2025 — Say goodbye to Classic eDiscovery, including Content Search, eDiscovery (Standard), and (Premium).
What to do: Migrate to the unified eDiscovery experience for better search, performance, and compliance.
🔗 Learn more

2. Project for the Web & Project in Teams

Early-August 2025 — Microsoft is sunsetting Project for the web. Users will be redirected to Planner and Portfolios.
What to do: Migrate Roadmap data to Portfolios and update any pinned tabs in Teams.
🔗 Details

3. Outlook for Mac: Legacy Switch Retires

Mid-August 2025 — New Outlook becomes default for Mac (v16.100+). Admin toggle to revert will be retired.
What to do: Prepare users for permanent shift by October 2025 (v16.102).
🔗 More info

4. Speaker Coach in Microsoft Teams

Mid-August 2025 — The preview feature providing real-time feedback during meetings will be retired.
What to do: Inform users and explore alternatives like Copilot-generated meeting recaps.
🔗 Announcement

New Features: Worth Your Immediate Attention

AI-Powered Data Security Investigations in Purview

An all-new AI-driven tool for visualizing data risk, investigating incidents, and refining policies, now built into Microsoft Purview.
🔗 Details

Advanced Mail Merge in Outlook for Web & New Outlook

August 2025 — Personalize email templates with dynamic fields, custom formatting, and preview features.
🔗 Roadmap

Copilot Blocked from Processing Labeled Emails via DLP

August 2025 — Microsoft Purview DLP will block Copilot from interacting with labeled content in chat.
🔗 Read more

Risky AI Usage Detection in Insider Risk Management

Early-August 2025 — Detect prompts, intents, and AI-generated content using Microsoft 365 Copilot, Copilot Studio, and ChatGPT Enterprise.
🔗 More info

Silent Test Calls in Teams for Network Diagnostics

Early-August 2025 — Run silent test calls via Teams Premium to proactively check network readiness.
🔗 Message Center

Rule-Based Management of Certified Teams Apps

Mid-August 2025 — Automatically manage apps based on permission access and publisher trust status.
🔗 Roadmap

Independent DLP Email Notification Settings

August 2025 — Decouple policy tips and notifications in SharePoint/OneDrive DLP settings.
🔗 Roadmap

Enhancements: Quiet but Important

Updated Audit Logs in Purview – Better granularity and new Pre/Post Execution messages for role group changes.
🔗 Read more
Microsoft Fabric Workspace User Limit – Enforcing a max of 1,000 users/groups per workspace role.
🔗 Details
Apple/Google Sign-In on Teams Web – New SSO methods are coming for consumer users (preview).
🔗 Message Center

Functionality Change: Stay Updated

Updated Sender for Teams DLP Incident Emails

August 20, 2025 — Teams DLP GIR emails will only come from no-reply@teams.mail.microsoft.com.
What to do: Update inbox rules and alert filters if needed.
🔗 Message Center

Action Needed: These Deadlines Are Not Flexible

Entra ID Retention Policy for Access Reviews

August 15, 2025 — Only 12 months of access review data will be available via UI/API.
What to do:

Export old data using Graph API
Store reports securely
Create an annual backup process
🔗 More info

Legacy Message Trace Retires in Exchange Online

August 31, 2025 — New Message Trace UI and V2 cmdlets become the default.
What to do: Update any scripts to use Get-MessageTraceV2 and Get-MessageTraceDetailV2.
🔗 Read more

Azure AD Graph API Retirement

August 31, 2025 — Azure AD Graph API officially ends; apps using it will stop working.
What to do: Migrate to Microsoft Graph API. Use Entra admin center to identify impacted apps.
🔗 Migration Help

Final Thoughts

August 2025 is a pivotal month between the rise of AI-enhanced compliance tools and the retirement of legacy Microsoft features, the Microsoft 365 ecosystem is evolving fast.

If you’re responsible for security, collaboration, or compliance, now’s the time to document changes, communicate with your teams, and adjust scripts and policies. Waiting until the last minute will put you behind both operationally and reputationally.

Bookmark this.
Share it with your team.
Knock out the action items before they knock on your door.

Thank you for stopping by. ✌️

Microsoft 365 Admins: July 2025 Brings Major Retirements, Game-Changing Features & Critical Actions – Here’s Your Definitive Guide

July 1, 2025July 1, 2025 by Kumaran

Alright admins, deep breath. July is rolling in hot with some of the biggest Microsoft 365 updates, retirements, and must-do tasks of the year. Whether you’re wrangling SharePoint, securing sensitive data, or prepping Teams for your org, this month has something that will definitely land on your radar and maybe on your weekend schedule if you don’t plan ahead.

Consider this your field guide to navigate July 2025 without missing a beat.

July at a Glance

Category	Count
🔻 Retirements	7
🆕 New Features	11
🔧 Enhancements	8
🔄 Changes in Functionality	5
⚠️ Action Needed	7

Retirements: Say Goodbye to These

Microsoft 365 Business Premium & Office 365 E1 Grants for Non-Profits
Retiring July 1, 2025 — Non-profits must move to Microsoft 365 Business Basic grants or discounted plans.
➡️ Learn more
Viva Engage Private Content Mode
Retiring June 30, 2025 — All tenants will lose access to Private Content Mode across Viva Engage, Teams, and Outlook.
➡️ Details
Monitor Action in Defender Safe Attachments Policies
Gone Early-July 2025 — Monitor mode will be switched to Block; evaluate Safe Attachments settings now.
➡️ More info
SharePoint Alerts
Phased retirement starts July 2025 — Power Automate or SharePoint Rules recommended as replacements.
➡️ Guidance
OneNote .DOC Export Option
Ending July 28, 2025 — Shift to modern formats like .docx now.
➡️ Message Center
Organization Data Type in Excel
Retiring July 31, 2025 — Switch to Get Data > From Power BI or custom data types via add-ins.
➡️ Learn more
TLS 1.1 & Older on Fabric Platform
Deprecated July 31, 2025 — Update systems to TLS 1.2+ to avoid data connectivity issues.
➡️ Blog post

New Features: Hot Off the Press

Native Forms in SharePoint Libraries — Build forms directly inside document libraries for smoother file uploads.
➡️ Roadmap
Cold File Scanning for Sensitive Info — Microsoft Purview now scans old, untouched files in SharePoint/OneDrive.
➡️ Details
Unit-Level Backup Deletion in Microsoft 365 Backup — Delete backups for specific OneDrive, SharePoint, or Exchange units.
➡️ Roadmap
External Chat File Attachments in Teams — Finally attach files in 1:1 and group chats with external users.
➡️ Message Center
Detailed Audit Logs for Screen Sharing in Teams — Gain full transparency over Give/Take Control and sharing events.
➡️ Read more
Facilitator Agent in Teams — Automated meeting summaries and real-time note collaboration (Copilot license required).
➡️ Details
Multi-Admin Notifications for M365 Backup — Configure centralized alerts for backup events.
➡️ Roadmap
AI Posture Management in Purview — Manage security of AI activity across Copilot and other AI apps.
➡️ Message Center
Drag & Drop Between Accounts in New Outlook — Attach emails/files across accounts or shared mailboxes seamlessly.
➡️ Details
Network-Level Detection of AI Activity in Insider Risk Management — Identify sensitive data shared with cloud/AI apps.
➡️ Message Center
Scoped AD Domain Access in Defender for Identity — Apply RBAC at the AD domain level for tighter security.
➡️ Details

Enhancements: Small Changes, Big Impact

Attachment Previews in Purview Content Explorer — View flagged attachments directly in the console.
➡️ Details
Recording & Transcription by Default in Teams Calls — Enabled by default for new tenants and global policies.
➡️ More info
New Outlook: S/MIME Signature Inheritance Setting — Control signature behavior in replies via NoSignOnReply.
➡️ Message Center
User Activity Timeline in Purview Compliance Portal — See flagged user interactions on a single timeline.
➡️ Details
IRM + Data Security Investigation Integration — Launch investigations faster with combined tools.
➡️ Message Center
Secure by Default Settings in Microsoft 365 — Block legacy auth and enforce admin consent by default.
➡️ Details
Best Practice Dashboard Expansion in Teams Admin Center — Monitor new meeting-related issues.
➡️ Read more
On-Demand File Classification — Discover/classify old files in SharePoint/OneDrive (pay-as-you-go).
➡️ Details

Existing Functionality Changes: Adjust Your Ops

Teams Live Event Assistance Becomes Paid — LEAP moves under Unified as a paid service on July 1, 2025.
➡️ More info
Insider Risk Policy Limits Increased — Up to 100 total active policies across templates.
➡️ Roadmap
Outlook Blocks More File Types — .library-ms and .search-ms added to the blocked list.
➡️ Details
Improved B2B Guest Sign-In — Guests redirected to their home org’s sign-in page for clarity.
➡️ Message Center
Unified Teams App Management Paused — Rollout delay with updates expected by late July.
➡️ Details

Action Needed: Don’t Procrastinate

Azure AD PowerShell Retirement After July 1 — Migrate scripts to Microsoft Graph or Entra PowerShell ASAP.
➡️ Details
DNS Provision Change — Update automation scripts to retrieve MX records via Graph API to avoid mail flow issues.
➡️ Message Center
Classic Teams App Retirement — All users must move to New Teams or web app by July 1, 2025.
➡️ Details
Reshare SharePoint Content Post-Entra B2B — External users lose access to pre-integration OTP shares. Reshare content now.
➡️ Message Center
Teams Android Devices Must Update Apps — Move to supported versions by Dec 31, 2025, to enable modern auth.
➡️ Details
Graph Beta API Permissions Update — Adjust apps to use new permissions for device management by July 31, 2025.
➡️ Message Center

Final Thoughts

July 2025 is a make-or-break month for Microsoft 365 admins. There’s a mountain of changes, but staying ahead means no late-night incidents, no broken workflows, and definitely no panicked calls from leadership.

Bookmark this guide, share it with your team, and start planning now. Because in IT, the only thing worse than unexpected downtime is knowing you could’ve avoided it.

Thank you for stopping by. ✌️

Generate Multi-Subscription Azure Cost Reports Using REST API and PowerShell

July 9, 2025June 29, 2025 by Kumaran

Managing cloud costs is like trying to diet at a buffet. Tempting services everywhere, and one bad decision can blow your budget wide open. So, I was tasked for a breakdown of Azure usage across 50+ subscriptions for the month of June, I knew this wasn’t going to be a quick Azure Portal copy-paste job.

Instead, I rolled up my sleeves and built a PowerShell script that uses the Azure REST API to automatically:

Query all accessible subscriptions
Fetch usage-based cost data for a given time range
Export it into a clean Excel report

And I made it smart enough to handle throttling too. Here’s how it all came together.

Goals

Pull Azure cost data from multiple subscriptions
Offer flexible time range selection (this month, last month, custom, etc.)
Authenticate securely with Entra ID (Service Principal)
Export to Excel in a way leadership can digest (bonus points if it opens without errors)

Authentication with Entra ID

I created a Service Principal and assigned it the “Global Billing Reader” role at the billing account level. The script uses the client_credentials flow to authenticate and obtain an access token.

Yes, I temporarily stored the client secret in a plain text variable $clientSecretPlain = 'ENTER_SECRET' because I was still prototyping. Don’t judge me. But for production? Vault it or a managed identity.

Handling Throttling (429 Errors)

Azure’s APIs like to throw shade when you hit them too hard. I added retry logic with exponential backoff and jitter.

PowerShell Script

# Author: Kumaran Alagesan

# Requires: Az CLI, ImportExcel module (Install-Module -Name ImportExcel)
# Authenticate using Entra Application (Service Principal)

$clientId = 'ENTER_APP_ID'
$tenantId = 'ENTER_Tenant_ID'
$clientSecretPlain = 'ENTER_SECRET'

# Get access token using Service Principal
$body = @{
    grant_type    = "client_credentials"
    client_id     = $clientId
    client_secret = $clientSecretPlain
    scope         = "https://management.azure.com/.default"
}
$tokenResponse = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" -Body $body -ContentType "application/x-www-form-urlencoded"
if (-not $tokenResponse.access_token) {
    Write-Host "Failed to acquire token. Check credentials." -ForegroundColor Red
    exit 1
}
$token = @{ accessToken = $tokenResponse.access_token }


$selection = $null
while (-not $selection) {
    $selection = Read-Host "Select time range: `n1) This month`n2) Last month`n3) This quarter`n4) Last quarter`n5) This year`n6) Last 6 months`n7) Last 12 months`n8) Custom`nEnter number"
    if ($selection -notmatch '^[1-8]$') {
        Write-Host "Invalid selection. Please enter a number from the list (1-8)." -ForegroundColor Yellow
        $selection = $null
    }
}

$today = Get-Date
switch ($selection) {
    '1' { # This month
        $startDate = Get-Date -Year $today.Year -Month $today.Month -Day 1
        $endDate = $today
    }
    '2' { # Last month
        $lastMonth = $today.AddMonths(-1)
        $startDate = Get-Date -Year $lastMonth.Year -Month $lastMonth.Month -Day 1
        $endDate = (Get-Date -Year $lastMonth.Year -Month $lastMonth.Month -Day 1).AddMonths(1).AddDays(-1)
    }
    '3' { # This quarter
        $quarter = [math]::Ceiling($today.Month / 3)
        $startMonth = (($quarter - 1) * 3) + 1
        $startDate = Get-Date -Year $today.Year -Month $startMonth -Day 1
        $endDate = $today
    }
    '4' { # Last quarter
        $currentQuarter = [math]::Ceiling($today.Month / 3)
        if ($currentQuarter -eq 1) {
            $lastQuarterYear = $today.Year - 1
            $lastQuarter = 4
        } else {
            $lastQuarterYear = $today.Year
            $lastQuarter = $currentQuarter - 1
        }
        $startMonth = (($lastQuarter - 1) * 3) + 1
        $startDate = Get-Date -Year $lastQuarterYear -Month $startMonth -Day 1
        $endDate = (Get-Date -Year $lastQuarterYear -Month $startMonth -Day 1).AddMonths(3).AddDays(-1)
    }
    '5' { # This year
        $startDate = Get-Date -Year $today.Year -Month 1 -Day 1
        $endDate = $today
    }
    '6' { # Last 6 months
        $startDate = $today.AddMonths(-5)
        $startDate = Get-Date -Year $startDate.Year -Month $startDate.Month -Day 1
        $endDate = $today
    }
    '7' { # Last 12 months
        $startDate = $today.AddMonths(-11)
        $startDate = Get-Date -Year $startDate.Year -Month $startDate.Month -Day 1
        $endDate = $today
    }
    '8' { # Custom
        $startDate = Read-Host "Enter start date (yyyy-MM-dd)"
        $endDate = Read-Host "Enter end date (yyyy-MM-dd)"
        try {
            $startDate = [datetime]::ParseExact($startDate, 'yyyy-MM-dd', $null)
            $endDate = [datetime]::ParseExact($endDate, 'yyyy-MM-dd', $null)
        } catch {
            Write-Host "Invalid date format. Exiting." -ForegroundColor Red
            exit 1
        }
    }
}

$startDateStr = $startDate.ToString("yyyy-MM-dd")
$endDateStr = $endDate.ToString("yyyy-MM-dd")

# Set headers for REST calls using the service principal token
$headers = @{
    'Authorization' = "Bearer $($token.accessToken)"
    'Content-Type'  = 'application/json'
}

# Get all subscriptions
$subsUrl = "https://management.azure.com/subscriptions?api-version=2020-01-01"
$subscriptions = Invoke-RestMethod -Uri $subsUrl -Headers $headers -Method Get | Select-Object -ExpandProperty value

Write-Host "Fetching cost data for $($subscriptions.Count) subscriptions: " -NoNewline

$totalCost = 0
$results = @()

foreach ($sub in $subscriptions) {
    $costQueryBody = @{
        type       = "Usage"
        timeframe  = "Custom"
    timePeriod = @{
        from = $startDateStr
        to   = $endDateStr
    }
    dataSet    = @{
        granularity = "None"
        aggregation = @{
            totalCost = @{
                name     = "Cost"
                function = "Sum"
            }
        }
    }
} | ConvertTo-Json -Depth 10

    $costUrl = "https://management.azure.com/subscriptions/$($sub.subscriptionId)/providers/Microsoft.CostManagement/query?api-version=2024-08-01"

    $maxRetries = 7
    $retryDelay = 5
    $attempt = 0
    $success = $false

    while (-not $success -and $attempt -lt $maxRetries) {
        try {
            $costData = Invoke-RestMethod -Uri $costUrl -Headers $headers -Method Post -Body $costQueryBody

            $subscriptionCost = 0
            if ($costData.properties.rows -and $costData.properties.rows.Count -gt 0) {
                $subscriptionCost = $costData.properties.rows[0][0]
            }

            $results += [PSCustomObject]@{
                'Subscription Name' = $sub.displayName
                'Total Cost'        = [math]::Round([double]$subscriptionCost, 2)
            }

            $totalCost += $subscriptionCost
            Write-Host "." -NoNewline
            $success = $true
        }
        catch {
            if ($_.Exception.Response.StatusCode.value__ -eq 429 -and $attempt -lt ($maxRetries - 1)) {
                # Add random jitter to delay
                $jitter = Get-Random -Minimum 1 -Maximum 5
                $sleepTime = $retryDelay + $jitter
                Write-Host "`n429 received, retrying in $sleepTime seconds..." -ForegroundColor Yellow
                Start-Sleep -Seconds $sleepTime
                $retryDelay *= 2
                $attempt++
            }
            else {
                Write-Host "x" -NoNewline
                Write-Host "`nError getting cost for subscription $($sub.displayName): $($_.Exception.Message)" -ForegroundColor Red
                $success = $true
            }
        }
    }
}

# Export results to Excel
$excelPath = Join-Path -Path $PSScriptRoot -ChildPath ("AzureCostReport_{0}_{1}.xlsx" -f $startDateStr, $endDateStr)
if ($results.Count -gt 0) {
    # Do not pre-format 'Total Cost' as string; keep as number for Excel formatting

    # Check if file is locked
    $fileLocked = $false
    if (Test-Path $excelPath) {
        try {
            $stream = [System.IO.File]::Open($excelPath, 'Open', 'ReadWrite', 'None')
            $stream.Close()
        } catch {
            $fileLocked = $true
        }
    }
    if ($fileLocked) {
        Write-Host "Excel file is open or locked: $excelPath. Please close it and run the script again." -ForegroundColor Red
    } else {
        $results | Export-Excel -Path $excelPath -WorksheetName 'CostReport' -AutoSize -TableName 'CostSummary' -Title "Azure Cost Report ($startDateStr to $endDateStr)" -TitleBold -ClearSheet
        Write-Host "Excel report saved to: $excelPath"
        # Optionally open the file
        if ($IsWindows) {
            Start-Sleep -Seconds 2
            Invoke-Item $excelPath
        }
    }
}

If you want to email the output as a table in the body to a mailbox, you can replace the ‘Export results to Excel’ section with the code below. Yup! I know Send-MailMessage is obsolete and ideally I’d run this script with in an Azure automation account and set app permissions for the identity to be able to send emails. I’ll cover it in a later post.

# Prepare HTML table for email
if ($results.Count -gt 0) {
    # Add $ symbol to each Total Cost value
    $resultsWithDollar = $results | ForEach-Object {
        $_ | Add-Member -NotePropertyName 'Total Cost ($)' -NotePropertyValue ('$' + [math]::Round([double]$_.('Total Cost'), 2)) -Force
        $_
    }

    $htmlTable = $resultsWithDollar | Select-Object 'Subscription Name', 'Total Cost ($)' | ConvertTo-Html -Property 'Subscription Name', 'Total Cost ($)' -Head "<style>table{border-collapse:collapse;}th,td{border:1px solid #ccc;padding:5px;}</style>" -Title "Azure Cost Report"
    $htmlBody = @"
<h2>Azure Cost Report ($startDateStr to $endDateStr)</h2>
$htmlTable
<p><b>Total Cost (all subscriptions):</b> $([string]::Format('${0:N2}', [math]::Round([double]$totalCost,2)))</p>
<p style='color:gray;font-size:small;'>This is an automatically generated email - Please do not reply.</p>
"@

    # Email parameters (update these as needed)
    $smtpServer = "smtpserver@domain.com"
    $smtpPort = 587
    $from = "alerts@domain.com"
    $to = "emailaddress@domain.com"
    $subject = "Azure Cost Report ($startDateStr to $endDateStr)"

    Send-MailMessage -From $from -To $to -Subject $subject -Body $htmlBody -BodyAsHtml -SmtpServer $smtpServer -Port $smtpPort
    Write-Host "Cost report sent via email to $to"
} else {
    Write-Host "No results to send."
}

What You’ll Get

The final Excel report displays each subscription’s name alongside its total cost for your chosen time period. Whether you’re reviewing it manually or feeding it into FinOps tools, the format is designed for quick analysis and clean presentation.

Practical Applications

Scenario	How It Helps
Automation and scheduling	Supports routine reporting via scheduled tasks or DevOps flows
Multi-subscription environments	Consolidates cost data across departments or teams
Governance and FinOps	Enables proactive budget tracking and reporting

With just a PowerShell script and the Azure Cost Management API, you can unlock instant insights into your cloud spend across all Azure subscriptions. Whether you’re part of a DevOps team, driving FinOps initiatives, or simply managing cloud budgets, this automation makes cost visibility one less thing to worry about.

Lessons Learned

Azure Cost Management API is powerful, but throttling is real.
Microsoft will be retiring the Consumption Usage Details API at some point in the future and does not recommend that you take a new dependency on this API.
Export-Excel is a lifesaver, especially when you want your report to actually be readable.

Room for Improvement

Add Azure MeterCategory per subscription in the email report to give a better idea of where the cost usage is
Move secrets to Azure Key Vault or use Managed Identity
Add monthly trend analysis and forecasting
Push the data to Power BI for richer dashboards

Final Thoughts

This script is now my go-to tool for quickly generating Azure cost reports across environments. It’s flexible, reliable, and gives my leadership team the visibility they need to make informed decisions, without logging into the portal.

Because let’s face it: if you’re managing Azure at scale, you shouldn’t be clicking through billing blades. You should be scripting your way to clarity.

Keep those costs in check, one API call at a time.

Thanks for stopping by. ✌

The Hidden Threat in Plain Sight: Understanding and Securing Exchange Online’s Direct Send

July 21, 2025June 22, 2025 by Kumaran

In the ever-evolving world of cloud security, sometimes it’s not the new, complex exploits that catch us off guard, it’s the overlooked features hiding in plain sight. One such feature in Exchange Online is Direct Send, a capability designed for convenience but now actively exploited by attackers to bypass security controls.

Let’s pull back the curtain and take a deep dive into what Direct Send is, how it’s being misused, and what you can do to shut the door on this attack vector.

What Is Direct Send in Exchange Online?

Direct Send is a feature that allows internal devices or applications (like printers, scanners, or legacy tools) to send emails through Microsoft 365 without authentication.

It works by leveraging the tenant’s smart host, typically in the format:

tenantname.mail.protection.outlook.com

Originally designed to help internal tools send alerts or reports to internal mailboxes, Direct Send does not require credentials or tokens. That’s the convenience. But therein lies the danger.

Key Detail: Direct Send only works for recipients within the same tenant, it won’t deliver mail to external domains.

How Direct Send Becomes a Security Risk

While Direct Send serves a legitimate purpose, it becomes a security liability because anyone with the right tenant domain and smart host format can spoof an internal sender. No login. No breach. Just open SMTP.

All an attacker needs is:

A valid tenant domain (easy to scrape from public records or previous breaches)
The smart host address (easily guessable)
An internal email format (like first.last@company.com)

With that, they can send spoofed emails that appear to come from inside the organization, bypassing both Microsoft’s and third-party email filters that trust internal traffic.

Real-World Abuse: How Attackers Exploit Direct Send

During a recent threat campaign observed across several U.S.-based organizations, attackers used PowerShell to exploit Direct Send, sending emails that looked like internal alerts, complete with subject lines like “New Missed Fax-msg” or “Voicemail received.”

Here’s a sample PowerShell command used:

Send-MailMessage -SmtpServer company-com.mail.protection.outlook.com `
  -To joe@company.com -From joe@company.com `
  -Subject "New Missed Fax-msg" `
  -Body "You have received a call! Click the link to listen." -BodyAsHtml

Since the emails originated from Microsoft’s infrastructure, many filters saw them as internal-to-internal traffic. This allowed them to sneak past SPF, DKIM, and DMARC checks, especially in tenants with lax anti-spoofing policies.

How to Detect Direct Send Abuse

You’ll need to dig into message headers and behavioral signals to spot these threats:

Message Header Indicators

Received headers showing external IPs sending to your smart host.
Authentication-Results failing SPF, DKIM, or DMARC checks.
X-MS-Exchange-CrossTenant-Id not matching your tenant.
SPF record mismatch or missing smart host entry.

Behavioral Indicators

A user “emailing themselves.”
Emails sent via PowerShell or unknown user agents.
Unusual IP addresses or geolocations.
Suspicious links, QR codes, or file attachments.

Remember, not all Direct Send traffic is malicious, context matters.

How to Disable or Control Direct Send

Microsoft now allows you to disable Direct Send entirely using a single command in PowerShell:

Connect-ExchangeOnline
Set-OrganizationConfig -RejectDirectSend $true

To verify:

Get-OrganizationConfig | Select-Object Identity, RejectDirectSend

Pro Tip: Disabling this feature won’t affect authenticated SMTP relay or Microsoft 365 apps, it only blocks unauthenticated Direct Send.

More details here: Microsoft’s announcement on Direct Send controls

Best Practices to Secure Your Tenant

Here’s a checklist to keep Direct Send from becoming your weakest link:

Disable Direct Send with RejectDirectSend = $true
Enforce DMARC with a strict policy (p=reject)
Flag unauthenticated internal emails for review or quarantine
Enable Anti-Spoofing Policies in Exchange Online Protection (EOP)
Enforce known IPs in SPF records to reduce spoofing
Educate users on phishing threats, especially QR code–based quishing
MFA + Conditional Access for all users

Final Thoughts

Direct Send was designed with good intentions but in the wrong hands, it becomes a fast-track lane for phishing campaigns. The good news? You now have the awareness and the tools to defend against it.

Don’t let this quiet feature become a noisy headline for your security team. Audit your tenant, close the loopholes, and stay vigilant.

Thanks for stopping by. ✌️

RBAC vs. ABAC in Azure: Why You Need Both for Cloud Access Control That Actually Works

July 21, 2025June 21, 2025 by Kumaran

Let’s cut to the chase, cloud access control isn’t just a checkmark on your compliance list anymore. It’s a daily battlefield. With global teams, hybrid workloads, and rising security risks, who can do what and under what conditions is now a core pillar of IT strategy.

If you’re working in Azure, you’ve likely heard of RBAC (Role-Based Access Control) and ABAC (Attribute-Based Access Control). But what you may not know is that these aren’t mutually exclusive instead they’re better together.

Let’s unpack what each model does, where they shine (and struggle), and how to combine them for airtight, scalable access governance in Azure.

What is Azure Role-Based Access Control (RBAC)?

Azure RBAC helps you control access by assigning roles to security principals (users, groups, service principals, or managed identities) at a specific scope (subscription, resource group, or resource).

Each role is a bundle of permissions, think of them as job descriptions for Azure resources.

Example RBAC Use Cases

A user who can manage only virtual machines in the Dev subscription.
A group assigned the Reader role at the resource group level.
An app given Contributor access to only one storage account.

RBAC works well when your access needs are role-based and relatively straightforward. But as organizations scale and become more dynamic, things can get messy fast.

Where RBAC Falls Short

RBAC starts to creak when:

You need to create roles for every unique mix of region, team, and resource.
You end up with a Frankenstein monster of roles like:
- VP - Europe
- Manager - Asia
- SalesRep - NorthAmerica - Junior
You have hierarchical or multi-tenant data structures that don’t fit RBAC’s flat model.

The result? Role sprawl, administrative pain, and security gaps.

What is Azure Attribute-Based Access Control (ABAC)?

ABAC adds contextual smarts to access control. Instead of relying solely on roles, it factors in attributes of:

The user (e.g., department = HR)
The resource (e.g., tag = Project:Alpine)
The environment (e.g., access during business hours only)

In Azure, ABAC is implemented through role assignment conditions that filter RBAC permissions.

ABAC in Action

“Chandra can read blobs only if they’re tagged with Project=Cascade.”
“Support engineers can impersonate users only during a help session.”
“Users can access data only in their assigned region or cost center.”

This kind of fine-grained access is powerful, flexible, and crucial in multi-tenant, regulated, or fast-moving environments.

RBAC + ABAC: Not a Choice – A Collaboration

Here’s the mindset shift: RBAC and ABAC are not competing models. They’re complementary.

RBAC defines what actions are allowed.
ABAC defines under what conditions those actions are allowed.

By combining the two, you can:

Keep your role structure simple and understandable.
Layer on access conditions that reflect real-world business rules.

Common Hybrid Patterns

Scenario	RBAC Role	ABAC Condition
Multi-tenant app	Tenant Admin	Only for `tenant_id=X`
Regional access	Sales Manager	Region = “North America”
Subscription tiers	Premium User	Access feature only if `plan=premium`
File access	Editor	Only `owner=user_id` or `shared_with=user_id`
Support scenarios	Support Agent	Impersonation allowed if `user_in_session=true`

Best Practices for RBAC and ABAC in Azure

Let’s bring it home with the golden rules:

RBAC Best Practices

Least Privilege Always: Grant only the permissions needed—nothing more.
Limit Subscription Owners: Three max. The fewer, the safer.
Use PIM for Just-in-Time Access: With Microsoft Entra PIM, elevate access temporarily.
Assign Roles to Groups: Not individuals. Makes scaling and auditing easier.
Avoid Wildcards in Custom Roles: Be explicit with Actions and DataActions.
Script with Role IDs, Not Names: Avoid breakage from renamed roles.

ABAC Best Practices

Tag Strategically: Use meaningful tags like Project, Environment, or Classification to enable ABAC.
Use Conditions to Reduce Role Sprawl: Filter access with precision.
Start Small: Pilot with blob storage conditions before scaling ABAC elsewhere.
Don’t Replace RBAC: Use ABAC as a filter, not a replacement.

Recap: When to Use What

Feature	RBAC	ABAC	RBAC + ABAC
Simplicity	✅	❌	✅
Contextual Flexibility	❌	✅	✅
Scalability	⚠️ (sprawl risk)	✅	✅
Multi-Tenant Scenarios	⚠️	✅	✅
Least Privilege Enforcement	✅	✅	✅✅

Final Thoughts

RBAC gives you structure. ABAC gives you nuance. In Azure, using both gives you power and precision.

Don’t fall into the “either/or” trap. The real magic happens when you combine the predictability of RBAC with the intelligence of ABAC to build access models that scale with your business.

Thanks for stopping by. ✌