Kumaran – A Cloud Guy

Microsoft 365 Admins: July 2025 Brings Major Retirements, Game-Changing Features & Critical Actions – Here’s Your Definitive Guide

July 1, 2025July 1, 2025 by Kumaran

Alright admins, deep breath. July is rolling in hot with some of the biggest Microsoft 365 updates, retirements, and must-do tasks of the year. Whether you’re wrangling SharePoint, securing sensitive data, or prepping Teams for your org, this month has something that will definitely land on your radar and maybe on your weekend schedule if you don’t plan ahead.

Consider this your field guide to navigate July 2025 without missing a beat.

July at a Glance

Category	Count
🔻 Retirements	7
🆕 New Features	11
🔧 Enhancements	8
🔄 Changes in Functionality	5
⚠️ Action Needed	7

Retirements: Say Goodbye to These

Microsoft 365 Business Premium & Office 365 E1 Grants for Non-Profits
Retiring July 1, 2025 — Non-profits must move to Microsoft 365 Business Basic grants or discounted plans.
➡️ Learn more
Viva Engage Private Content Mode
Retiring June 30, 2025 — All tenants will lose access to Private Content Mode across Viva Engage, Teams, and Outlook.
➡️ Details
Monitor Action in Defender Safe Attachments Policies
Gone Early-July 2025 — Monitor mode will be switched to Block; evaluate Safe Attachments settings now.
➡️ More info
SharePoint Alerts
Phased retirement starts July 2025 — Power Automate or SharePoint Rules recommended as replacements.
➡️ Guidance
OneNote .DOC Export Option
Ending July 28, 2025 — Shift to modern formats like .docx now.
➡️ Message Center
Organization Data Type in Excel
Retiring July 31, 2025 — Switch to Get Data > From Power BI or custom data types via add-ins.
➡️ Learn more
TLS 1.1 & Older on Fabric Platform
Deprecated July 31, 2025 — Update systems to TLS 1.2+ to avoid data connectivity issues.
➡️ Blog post

New Features: Hot Off the Press

Native Forms in SharePoint Libraries — Build forms directly inside document libraries for smoother file uploads.
➡️ Roadmap
Cold File Scanning for Sensitive Info — Microsoft Purview now scans old, untouched files in SharePoint/OneDrive.
➡️ Details
Unit-Level Backup Deletion in Microsoft 365 Backup — Delete backups for specific OneDrive, SharePoint, or Exchange units.
➡️ Roadmap
External Chat File Attachments in Teams — Finally attach files in 1:1 and group chats with external users.
➡️ Message Center
Detailed Audit Logs for Screen Sharing in Teams — Gain full transparency over Give/Take Control and sharing events.
➡️ Read more
Facilitator Agent in Teams — Automated meeting summaries and real-time note collaboration (Copilot license required).
➡️ Details
Multi-Admin Notifications for M365 Backup — Configure centralized alerts for backup events.
➡️ Roadmap
AI Posture Management in Purview — Manage security of AI activity across Copilot and other AI apps.
➡️ Message Center
Drag & Drop Between Accounts in New Outlook — Attach emails/files across accounts or shared mailboxes seamlessly.
➡️ Details
Network-Level Detection of AI Activity in Insider Risk Management — Identify sensitive data shared with cloud/AI apps.
➡️ Message Center
Scoped AD Domain Access in Defender for Identity — Apply RBAC at the AD domain level for tighter security.
➡️ Details

Enhancements: Small Changes, Big Impact

Attachment Previews in Purview Content Explorer — View flagged attachments directly in the console.
➡️ Details
Recording & Transcription by Default in Teams Calls — Enabled by default for new tenants and global policies.
➡️ More info
New Outlook: S/MIME Signature Inheritance Setting — Control signature behavior in replies via NoSignOnReply.
➡️ Message Center
User Activity Timeline in Purview Compliance Portal — See flagged user interactions on a single timeline.
➡️ Details
IRM + Data Security Investigation Integration — Launch investigations faster with combined tools.
➡️ Message Center
Secure by Default Settings in Microsoft 365 — Block legacy auth and enforce admin consent by default.
➡️ Details
Best Practice Dashboard Expansion in Teams Admin Center — Monitor new meeting-related issues.
➡️ Read more
On-Demand File Classification — Discover/classify old files in SharePoint/OneDrive (pay-as-you-go).
➡️ Details

Existing Functionality Changes: Adjust Your Ops

Teams Live Event Assistance Becomes Paid — LEAP moves under Unified as a paid service on July 1, 2025.
➡️ More info
Insider Risk Policy Limits Increased — Up to 100 total active policies across templates.
➡️ Roadmap
Outlook Blocks More File Types — .library-ms and .search-ms added to the blocked list.
➡️ Details
Improved B2B Guest Sign-In — Guests redirected to their home org’s sign-in page for clarity.
➡️ Message Center
Unified Teams App Management Paused — Rollout delay with updates expected by late July.
➡️ Details

Action Needed: Don’t Procrastinate

Azure AD PowerShell Retirement After July 1 — Migrate scripts to Microsoft Graph or Entra PowerShell ASAP.
➡️ Details
DNS Provision Change — Update automation scripts to retrieve MX records via Graph API to avoid mail flow issues.
➡️ Message Center
Classic Teams App Retirement — All users must move to New Teams or web app by July 1, 2025.
➡️ Details
Reshare SharePoint Content Post-Entra B2B — External users lose access to pre-integration OTP shares. Reshare content now.
➡️ Message Center
Teams Android Devices Must Update Apps — Move to supported versions by Dec 31, 2025, to enable modern auth.
➡️ Details
Graph Beta API Permissions Update — Adjust apps to use new permissions for device management by July 31, 2025.
➡️ Message Center

Final Thoughts

July 2025 is a make-or-break month for Microsoft 365 admins. There’s a mountain of changes, but staying ahead means no late-night incidents, no broken workflows, and definitely no panicked calls from leadership.

Bookmark this guide, share it with your team, and start planning now. Because in IT, the only thing worse than unexpected downtime is knowing you could’ve avoided it.

Thank you for stopping by. ✌️

Generate Multi-Subscription Azure Cost Reports Using REST API and PowerShell

July 9, 2025June 29, 2025 by Kumaran

Managing cloud costs is like trying to diet at a buffet. Tempting services everywhere, and one bad decision can blow your budget wide open. So, I was tasked for a breakdown of Azure usage across 50+ subscriptions for the month of June, I knew this wasn’t going to be a quick Azure Portal copy-paste job.

Instead, I rolled up my sleeves and built a PowerShell script that uses the Azure REST API to automatically:

Query all accessible subscriptions
Fetch usage-based cost data for a given time range
Export it into a clean Excel report

And I made it smart enough to handle throttling too. Here’s how it all came together.

Goals

Pull Azure cost data from multiple subscriptions
Offer flexible time range selection (this month, last month, custom, etc.)
Authenticate securely with Entra ID (Service Principal)
Export to Excel in a way leadership can digest (bonus points if it opens without errors)

Authentication with Entra ID

I created a Service Principal and assigned it the “Global Billing Reader” role at the billing account level. The script uses the client_credentials flow to authenticate and obtain an access token.

Yes, I temporarily stored the client secret in a plain text variable $clientSecretPlain = 'ENTER_SECRET' because I was still prototyping. Don’t judge me. But for production? Vault it or a managed identity.

Handling Throttling (429 Errors)

Azure’s APIs like to throw shade when you hit them too hard. I added retry logic with exponential backoff and jitter.

PowerShell Script

# Author: Kumaran Alagesan

# Requires: Az CLI, ImportExcel module (Install-Module -Name ImportExcel)
# Authenticate using Entra Application (Service Principal)

$clientId = 'ENTER_APP_ID'
$tenantId = 'ENTER_Tenant_ID'
$clientSecretPlain = 'ENTER_SECRET'

# Get access token using Service Principal
$body = @{
    grant_type    = "client_credentials"
    client_id     = $clientId
    client_secret = $clientSecretPlain
    scope         = "https://management.azure.com/.default"
}
$tokenResponse = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" -Body $body -ContentType "application/x-www-form-urlencoded"
if (-not $tokenResponse.access_token) {
    Write-Host "Failed to acquire token. Check credentials." -ForegroundColor Red
    exit 1
}
$token = @{ accessToken = $tokenResponse.access_token }


$selection = $null
while (-not $selection) {
    $selection = Read-Host "Select time range: `n1) This month`n2) Last month`n3) This quarter`n4) Last quarter`n5) This year`n6) Last 6 months`n7) Last 12 months`n8) Custom`nEnter number"
    if ($selection -notmatch '^[1-8]$') {
        Write-Host "Invalid selection. Please enter a number from the list (1-8)." -ForegroundColor Yellow
        $selection = $null
    }
}

$today = Get-Date
switch ($selection) {
    '1' { # This month
        $startDate = Get-Date -Year $today.Year -Month $today.Month -Day 1
        $endDate = $today
    }
    '2' { # Last month
        $lastMonth = $today.AddMonths(-1)
        $startDate = Get-Date -Year $lastMonth.Year -Month $lastMonth.Month -Day 1
        $endDate = (Get-Date -Year $lastMonth.Year -Month $lastMonth.Month -Day 1).AddMonths(1).AddDays(-1)
    }
    '3' { # This quarter
        $quarter = [math]::Ceiling($today.Month / 3)
        $startMonth = (($quarter - 1) * 3) + 1
        $startDate = Get-Date -Year $today.Year -Month $startMonth -Day 1
        $endDate = $today
    }
    '4' { # Last quarter
        $currentQuarter = [math]::Ceiling($today.Month / 3)
        if ($currentQuarter -eq 1) {
            $lastQuarterYear = $today.Year - 1
            $lastQuarter = 4
        } else {
            $lastQuarterYear = $today.Year
            $lastQuarter = $currentQuarter - 1
        }
        $startMonth = (($lastQuarter - 1) * 3) + 1
        $startDate = Get-Date -Year $lastQuarterYear -Month $startMonth -Day 1
        $endDate = (Get-Date -Year $lastQuarterYear -Month $startMonth -Day 1).AddMonths(3).AddDays(-1)
    }
    '5' { # This year
        $startDate = Get-Date -Year $today.Year -Month 1 -Day 1
        $endDate = $today
    }
    '6' { # Last 6 months
        $startDate = $today.AddMonths(-5)
        $startDate = Get-Date -Year $startDate.Year -Month $startDate.Month -Day 1
        $endDate = $today
    }
    '7' { # Last 12 months
        $startDate = $today.AddMonths(-11)
        $startDate = Get-Date -Year $startDate.Year -Month $startDate.Month -Day 1
        $endDate = $today
    }
    '8' { # Custom
        $startDate = Read-Host "Enter start date (yyyy-MM-dd)"
        $endDate = Read-Host "Enter end date (yyyy-MM-dd)"
        try {
            $startDate = [datetime]::ParseExact($startDate, 'yyyy-MM-dd', $null)
            $endDate = [datetime]::ParseExact($endDate, 'yyyy-MM-dd', $null)
        } catch {
            Write-Host "Invalid date format. Exiting." -ForegroundColor Red
            exit 1
        }
    }
}

$startDateStr = $startDate.ToString("yyyy-MM-dd")
$endDateStr = $endDate.ToString("yyyy-MM-dd")

# Set headers for REST calls using the service principal token
$headers = @{
    'Authorization' = "Bearer $($token.accessToken)"
    'Content-Type'  = 'application/json'
}

# Get all subscriptions
$subsUrl = "https://management.azure.com/subscriptions?api-version=2020-01-01"
$subscriptions = Invoke-RestMethod -Uri $subsUrl -Headers $headers -Method Get | Select-Object -ExpandProperty value

Write-Host "Fetching cost data for $($subscriptions.Count) subscriptions: " -NoNewline

$totalCost = 0
$results = @()

foreach ($sub in $subscriptions) {
    $costQueryBody = @{
        type       = "Usage"
        timeframe  = "Custom"
    timePeriod = @{
        from = $startDateStr
        to   = $endDateStr
    }
    dataSet    = @{
        granularity = "None"
        aggregation = @{
            totalCost = @{
                name     = "Cost"
                function = "Sum"
            }
        }
    }
} | ConvertTo-Json -Depth 10

    $costUrl = "https://management.azure.com/subscriptions/$($sub.subscriptionId)/providers/Microsoft.CostManagement/query?api-version=2024-08-01"

    $maxRetries = 7
    $retryDelay = 5
    $attempt = 0
    $success = $false

    while (-not $success -and $attempt -lt $maxRetries) {
        try {
            $costData = Invoke-RestMethod -Uri $costUrl -Headers $headers -Method Post -Body $costQueryBody

            $subscriptionCost = 0
            if ($costData.properties.rows -and $costData.properties.rows.Count -gt 0) {
                $subscriptionCost = $costData.properties.rows[0][0]
            }

            $results += [PSCustomObject]@{
                'Subscription Name' = $sub.displayName
                'Total Cost'        = [math]::Round([double]$subscriptionCost, 2)
            }

            $totalCost += $subscriptionCost
            Write-Host "." -NoNewline
            $success = $true
        }
        catch {
            if ($_.Exception.Response.StatusCode.value__ -eq 429 -and $attempt -lt ($maxRetries - 1)) {
                # Add random jitter to delay
                $jitter = Get-Random -Minimum 1 -Maximum 5
                $sleepTime = $retryDelay + $jitter
                Write-Host "`n429 received, retrying in $sleepTime seconds..." -ForegroundColor Yellow
                Start-Sleep -Seconds $sleepTime
                $retryDelay *= 2
                $attempt++
            }
            else {
                Write-Host "x" -NoNewline
                Write-Host "`nError getting cost for subscription $($sub.displayName): $($_.Exception.Message)" -ForegroundColor Red
                $success = $true
            }
        }
    }
}

# Export results to Excel
$excelPath = Join-Path -Path $PSScriptRoot -ChildPath ("AzureCostReport_{0}_{1}.xlsx" -f $startDateStr, $endDateStr)
if ($results.Count -gt 0) {
    # Do not pre-format 'Total Cost' as string; keep as number for Excel formatting

    # Check if file is locked
    $fileLocked = $false
    if (Test-Path $excelPath) {
        try {
            $stream = [System.IO.File]::Open($excelPath, 'Open', 'ReadWrite', 'None')
            $stream.Close()
        } catch {
            $fileLocked = $true
        }
    }
    if ($fileLocked) {
        Write-Host "Excel file is open or locked: $excelPath. Please close it and run the script again." -ForegroundColor Red
    } else {
        $results | Export-Excel -Path $excelPath -WorksheetName 'CostReport' -AutoSize -TableName 'CostSummary' -Title "Azure Cost Report ($startDateStr to $endDateStr)" -TitleBold -ClearSheet
        Write-Host "Excel report saved to: $excelPath"
        # Optionally open the file
        if ($IsWindows) {
            Start-Sleep -Seconds 2
            Invoke-Item $excelPath
        }
    }
}

If you want to email the output as a table in the body to a mailbox, you can replace the ‘Export results to Excel’ section with the code below. Yup! I know Send-MailMessage is obsolete and ideally I’d run this script with in an Azure automation account and set app permissions for the identity to be able to send emails. I’ll cover it in a later post.

# Prepare HTML table for email
if ($results.Count -gt 0) {
    # Add $ symbol to each Total Cost value
    $resultsWithDollar = $results | ForEach-Object {
        $_ | Add-Member -NotePropertyName 'Total Cost ($)' -NotePropertyValue ('$' + [math]::Round([double]$_.('Total Cost'), 2)) -Force
        $_
    }

    $htmlTable = $resultsWithDollar | Select-Object 'Subscription Name', 'Total Cost ($)' | ConvertTo-Html -Property 'Subscription Name', 'Total Cost ($)' -Head "<style>table{border-collapse:collapse;}th,td{border:1px solid #ccc;padding:5px;}</style>" -Title "Azure Cost Report"
    $htmlBody = @"
<h2>Azure Cost Report ($startDateStr to $endDateStr)</h2>
$htmlTable
<p><b>Total Cost (all subscriptions):</b> $([string]::Format('${0:N2}', [math]::Round([double]$totalCost,2)))</p>
<p style='color:gray;font-size:small;'>This is an automatically generated email - Please do not reply.</p>
"@

    # Email parameters (update these as needed)
    $smtpServer = "smtpserver@domain.com"
    $smtpPort = 587
    $from = "alerts@domain.com"
    $to = "emailaddress@domain.com"
    $subject = "Azure Cost Report ($startDateStr to $endDateStr)"

    Send-MailMessage -From $from -To $to -Subject $subject -Body $htmlBody -BodyAsHtml -SmtpServer $smtpServer -Port $smtpPort
    Write-Host "Cost report sent via email to $to"
} else {
    Write-Host "No results to send."
}

What You’ll Get

The final Excel report displays each subscription’s name alongside its total cost for your chosen time period. Whether you’re reviewing it manually or feeding it into FinOps tools, the format is designed for quick analysis and clean presentation.

Practical Applications

Scenario	How It Helps
Automation and scheduling	Supports routine reporting via scheduled tasks or DevOps flows
Multi-subscription environments	Consolidates cost data across departments or teams
Governance and FinOps	Enables proactive budget tracking and reporting

With just a PowerShell script and the Azure Cost Management API, you can unlock instant insights into your cloud spend across all Azure subscriptions. Whether you’re part of a DevOps team, driving FinOps initiatives, or simply managing cloud budgets, this automation makes cost visibility one less thing to worry about.

Lessons Learned

Azure Cost Management API is powerful, but throttling is real.
Microsoft will be retiring the Consumption Usage Details API at some point in the future and does not recommend that you take a new dependency on this API.
Export-Excel is a lifesaver, especially when you want your report to actually be readable.

Room for Improvement

Add Azure MeterCategory per subscription in the email report to give a better idea of where the cost usage is
Move secrets to Azure Key Vault or use Managed Identity
Add monthly trend analysis and forecasting
Push the data to Power BI for richer dashboards

Final Thoughts

This script is now my go-to tool for quickly generating Azure cost reports across environments. It’s flexible, reliable, and gives my leadership team the visibility they need to make informed decisions, without logging into the portal.

Because let’s face it: if you’re managing Azure at scale, you shouldn’t be clicking through billing blades. You should be scripting your way to clarity.

Keep those costs in check, one API call at a time.

Thanks for stopping by. ✌

Azure’s Default Outbound Access Is Being Retired: What Cloud Admins Need to Know (and Do)

June 25, 2025June 7, 2025 by Kumaran

If you’re an Azure architect or admin and thought “default outbound access” was your silent wingman for VM connectivity, surprise! Microsoft is retiring it. After September 30, 2025, all new virtual networks in Azure will no longer support default outbound Internet access. Translation? If you’re spinning up VMs and expecting magic public IP access without configuring anything, those days are numbered.

Let’s break down what’s happening, why it matters, and how to prepare without losing your mind.

What’s Being Retired?

Historically, Azure has provided what’s called default outbound access to virtual machines that don’t have an explicitly defined method of reaching the internet. Think of it as Azure tossing a temporary, shared public IP behind the scenes so your VM can connect out.

But that’s going away for all new VNETs after September 30, 2025.

Existing VNETs using default outbound access? You’re safe… for now.
New VNETs? You’ll need to be explicit.

No more “it just works” surprises. And honestly? That’s a good thing.

Why Is Microsoft Doing This?

Because “default” often equals “risky.” Here’s why the implicit setup has been problematic:

Unowned IPs: The IP addresses used for default outbound access are owned by Microsoft, not you. If they change, your workloads can break. And good luck explaining that to your CISO.
Lack of Visibility: These IPs aren’t traceable to your tenant, complicating logging and egress controls.
Zero Trust FTW: The shift aligns with modern security practices, explicit is better than implicit. You want to control your perimeter, not let Azure make assumptions for you.

This is a “secure by design” decision. We’re moving away from “let’s hope it works” to “I know exactly what’s happening and why.”

What You Need to Do Now

If you’re still relying on default outbound access in existing deployments: start transitioning. For all new virtual networks, you’ll need to plan outbound access explicitly. Microsoft recommends one of the following methods:

Explicit Method	When to Use It
Azure NAT Gateway	Best practice for scalable, consistent outbound IP
Standard Load Balancer (SLB)	Use when you already load-balance traffic
Public IP on NIC	Use when only one VM needs public connectivity

Bonus: Disable Default Access Explicitly

Even before the cutoff, you can preemptively disable default outbound access by enabling “Private Subnet” on your VNET or via PowerShell/CLI/ARM templates. Here’s the PowerShell approach:

$resourceGroupName = "<your-rg>"
$vnetName = "<your-vnet>"

$vnet = Get-AzVirtualNetwork -ResourceGroupName $resourceGroupName -Name $vnetName

foreach ($subnet in $vnet.Subnets) {
    $subnet.DefaultOutboundAccess = $false
}

Set-AzVirtualNetwork -VirtualNetwork $vnet

Why do this? Because some services like Windows Update and Windows Activation require explicit outbound connectivity anyway. Plus, it’s future-proof.

Gotchas to Watch Out For

Fragmented packets & ICMP: Not supported with default outbound IPs.
Multiple NICs or VMSS: IPs can change unpredictably when scaling.
NIC-level detection: Azure Advisor will still report default outbound usage unless the VM is rebooted after changing egress method.

Also note: Flexible orchestration mode for VMSS never uses default outbound. It’s already secure-by-default.

What’s Next?

Microsoft is nudging (okay, shoving) us toward better security hygiene. This is your nudge to revisit those old Terraform templates, ARM deployments, and quick-and-dirty test setups that assumed default behavior.

Checklist before September 30, 2025:

Inventory VMs using default outbound access
Decide on your preferred outbound method (NAT Gateway is a strong default)
Update IaC templates
Communicate with app teams about the change
Test egress-dependent services (patching, activation, APIs)

Final Thoughts

This isn’t just another checkbox compliance update, this is about control, visibility, and security. By requiring explicit egress, Microsoft is giving you more authority over your architecture.

It’s also a good reminder: just because something works “by default” doesn’t mean it should.

Thank you for stopping by. ✌️

Microsoft 365 Admins: June 2025 Brings Major Updates, Retirements & Action Items — Here’s Your Definitive Guide

June 2, 2025 by Kumaran

Buckle up, admins! June’s heating up with a fresh wave of Microsoft 365 changes. Whether you manage identity, information protection, collaboration, or compliance, there’s something here that will nudge your daily workflow—or bulldoze it if you’re not paying attention.

Let’s cut through the clutter. Below is your clear, actionable roundup of what’s coming, what’s going, and what needs your immediate attention across the Microsoft 365 landscape.

In the Spotlight

Smoother OneDrive File Transfers

Say goodbye to clunky cleanup processes when employees leave. Microsoft’s new “Move and keep sharing” feature lets you transfer ownership while preserving existing sharing permissions. Combine that with new filters to zero in on important files and clearer notification emails, and you’ve got an admin’s dream come true.

Shared Mailboxes in New Outlook (Finally!)

The New Outlook for Windows now lets you add shared mailboxes like real accounts—no more backflips to get the same experience your users are used to. Easier management, better UX, happier end users.

Non-Profit Grant Offers Retiring

Heads up for non-profit orgs: Microsoft is retiring Microsoft 365 Business Premium and Office 365 E1 grant offers. If your licensing strategy includes these grants, now’s the time to rethink and re-budget.

June at a Glance

Category	Count
Retirements	4
New Features	10
Enhancements	9
Changes in Functionality	5
Action Needed	2

Retirements: What’s Going Away

Meeting Details in OneNote for Windows 10 – Poof, gone starting June 2025.
Private Content Mode in Viva Engage – Say farewell by June 30, 2025.
Teams Recording Initiator Policy – Both the MeetingInitiator value and MeetingRecordingOwnership setting will be retired by June 30, 2025.
Sports Calendars in Outlook – “Interesting Calendars” will vanish starting early June 2025.

New Features: What You’ll Want to Try First

Copilot Troubleshooter in Power Automate – Diagnose and resolve flow errors with a few clicks inside the designer.
Copilot for Security in Purview Insider Risk Management – Contextual alerts and smarter investigations—yes, please.
Data-at-Rest Scanning in SharePoint/OneDrive – Finally scan previously untouched files for sensitive info and apply sensitivity labels.
Microsoft Backup Enhancements – Define backup policies that automatically cover all Exchange, OneDrive, and SharePoint users—even new ones.
Automated Retention Actions in Gov Cloud – US government tenants can now use Power Automate to act on expired items.
50+ Modern SharePoint Page Templates – No more pixel-pushing—get sleek, branded designs in a click.
New Insider Risk Email Indicators – Spot emails with attachments sent to free public domains or to oneself—cue the red flags.
Risky AI Activity Detection – Admins can now monitor for sensitive prompt usage and sketchy AI behavior.
Microsoft Defender XDR Integration – Insider Risk data will now flow into XDR for unified investigations.
Fabric Network Enhancements (Preview) – Private links and outbound access controls to lock down Fabric workspaces like Fort Knox.

Enhancements: Refinements You’ll Appreciate

HR Connector in Insider Risk Management – Apply the updated PowerShell script or risk issues.
Exclude Folders from OneDrive Sync – Control bloat and protect endpoints.
Reduce Noise in Communication Compliance – Filter out newsletters and spam to surface real threats.
On-Demand Classification – Retroactively classify sensitive content in SharePoint/OneDrive.
New Teams Role: Teams Reader – View-only access in the admin center. Great for auditors or curious execs.
View and Upload Anyone Links – Strike a balance between accessibility and control.
Global Exclusions in Insider Risk – Now supports more logical rules to cut alert fatigue.
DLP + Administrative Units – SharePoint DLP policies can now be scoped by administrative units. Finally.
Targeted IRM Policies – Use combinations of users, groups, and adaptive scopes for laser-focused risk management.

Functional Changes: What’s Evolving

SharePoint Online CDN Migration – Allow public-cdn.sharepointonline.com and stop relying on hardcoded links.
Teams DLP Reports – Incident notifications now come from both old and new sender addresses.
Exchange Federation Cmdlet Changes – Get-FederationInformation is being scoped down.
Audit Log Cmdlets Go Read-Only – No changes/downloads after June for Search-MailboxAuditLog and New-MailboxAuditLogSearch.
Separate Policy Tip Settings – Customize email notifications separately for SharePoint and OneDrive DLP.

Action Needed: Do This Now

Viva Engage External Networks – Legacy networks will be retired June 1, 2025. Transition to modern external networks now to avoid disruption.
Microsoft Defender SIEM Agents – After June 19, 2025, no new agents can be configured. Move to supported APIs to future-proof your integration.

Final Thoughts

If you’re managing Microsoft 365 in an enterprise setting, June is a no-joke month for updates. With new features that improve automation, security, and governance—and retirements that could leave gaps if ignored—it’s vital to stay proactive.

Bookmark this post, forward it to your team, and prep your change calendar. Because in IT, those who fail to plan… usually end up on a 2 a.m. call with their CISO.

Stay sharp, stay current—and keep your tenant tight.

Thank you for stopping by. ✌️

Microsoft SharePoint Premium: Getting the Most Out of SharePoint Advanced Management

April 5, 2025January 18, 2025 by Kumaran

Let’s be real—managing SharePoint at scale is no walk in the park. When you’ve got thousands of users, sprawling document libraries, and security risks lurking around every corner, the last thing you need is more complexity. Enter Microsoft SharePoint Premium, specifically its SharePoint Advanced Management capabilities, designed to bring order to the chaos.

But is it just another fancy add-on, or does it actually make your life easier? Let’s break it down.

Site Lifecycle Policies: Keeping SharePoint Tidy

Without oversight, SharePoint sites tend to pile up like old emails in an unchecked inbox. That’s where Site Lifecycle Policies come in.

Inactive SharePoint Sites Policy – Automatically detects and archives (or deletes) sites that haven’t been used in a while. Think of it as digital housekeeping that prevents clutter.
Site Ownership Policy – Ever had a SharePoint site where no one knows who’s in charge? This policy ensures every site has a designated owner—and prompts them to confirm ownership periodically.

These policies save IT teams from sifting through forgotten sites and guessing which ones are still relevant.

Data Access Governance (DAG) Insights: Who’s Seeing What?

Ever worry that sensitive data is floating around where it shouldn’t be? DAG Insights help IT admins spot and control broad access issues.

“Everyone Except External Users” (EEEU) Insights – This permission group sounds harmless, but it can sometimes overexpose data internally. DAG Insights help admins quickly identify and correct these cases.
Sharing Links & Sensitivity Labels – Visibility into which files are shared externally (and with what sensitivity labels) ensures sensitive documents don’t end up in the wrong hands.
PowerShell: Permission State Report – Need an exhaustive report on who has access to what? This PowerShell tool provides a deep dive across SharePoint, OneDrive, and specific files.
Sharing Links Report – Helps admins monitor and manage shared links across the organization, reducing unnecessary exposure.

Site Access Reviews: Keeping Permissions in Check

Permissions in SharePoint can get complicated fast. The Site Access Review feature ensures that access stays intentional and secure. Admins can set up periodic reviews, prompting site owners to confirm who still needs access—and who doesn’t.

It’s like a spring cleaning for permissions, reducing security risks and keeping data locked down to the right people.

PowerShell: Restricted Content Discovery (RCD)

Sometimes, sensitive data ends up where it shouldn’t be. With Restricted Content Discovery (RCD), admins can scan SharePoint and OneDrive for files that shouldn’t be widely accessible. This helps with compliance and security audits—before problems arise.

Restricted Access Control (RAC): Locking Down Sensitive Sites

Some SharePoint sites contain data that only a select few should ever see. Restricted Access Control (RAC) ensures that even if a user has general access to SharePoint, they won’t automatically see certain sensitive sites.

This applies to both SharePoint and OneDrive, providing an extra layer of control where it’s needed most.

Recent Admin Actions & Change History: Who Did What?

Admins make changes all the time—adjusting permissions, creating new policies, modifying access levels. Recent Admin Actions and Change History provide a log of what’s been modified, making it easier to track down unexpected issues or roll back unintended changes.

Block Download Policy: Extra Security for Sensitive Content

Not all files should be downloadable—especially sensitive reports or confidential recordings. The Block Download Policy lets admins restrict downloads from SharePoint, OneDrive, and even Teams recordings. Users can still view the content online but can’t save a local copy, reducing the risk of data leaks.

Should You Upgrade?

If you’re a small team with a handful of SharePoint sites, Advanced Management might feel like overkill. But for organizations juggling hundreds (or thousands) of users, it’s the difference between smooth operations and constant headaches.

So, if your team is spending way too much time managing permissions, cleaning up inactive sites, or chasing security risks, upgrading to SharePoint Premium’s Advanced Management might just be the smartest move you make.

At the very least, it’s worth a test drive—because who doesn’t want a smoother, safer, and smarter SharePoint experience?

Thanks for stopping by. ✌