Power BI October 2025 Feature Summary — AI-Powered Insights, Smarter Reporting, and a Future-Ready Platform

by

October didn’t disappoint for Power BI fans. This month’s update is a powerhouse of innovation, from AI-driven Copilot for DAX and sleek Button Slicer upgrades, to long-awaited features like Export Query Results, ARM support, and a new Power BI Controller for PowerPoint that finally makes managing embedded visuals painless.

Whether you’re an analyst fine-tuning dashboards or an enterprise architect optimizing your Fabric workflows, there’s something here that will make your data life easier (and maybe even fun). Let’s dive in.

General: Goodbye Bing Maps, Hello Azure Maps

Microsoft is moving full steam ahead with the transition from Bing Maps to Azure Maps in Power BI. This change future-proofs map visuals with richer capabilities and better integration across Microsoft’s ecosystem.

  • Power BI Desktop & Service: The Bing Maps icon will stick around for now, but it’s still on the deprecation path. Start upgrading to Azure Maps if your reports aren’t used in China, Korea, or government clouds.
  • Paginated Reports: Phase 1 migration to Azure Maps is complete in Power BI Report Builder (PBIRB). Phase 2: service-side migration, wraps by mid-November 2025.

Paginated report authors who still rely on Bing Maps can temporarily switch back while the Azure Maps migration completes. To do so, set the RevertToBingMaps registry key to 1 under:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Power BI Report Builder

If the Microsoft Power BI Report Builder folder doesn’t exist, simply create it before adding the key. This option allows continued authoring with Bing Maps until both migration phases are fully rolled out.

Copilot and AI: Let Copilot Write Your DAX

DAX just got way less intimidating. The new Copilot-powered DAX query view (now Generally Available) lets you describe the insights you need in plain English and Copilot writes the DAX for you. You can edit the query conversationally, test it live, and learn as you go.

Copilot is context-aware, leveraging your semantic model, understanding relationships, measures, and hierarchies. Whether you’re exploring data in the DAX query view, chat with your data, or semantic model–backed data agents, Copilot is ready to help.

To learn more, refer to the Write DAX queries with Copilot documentation, and try it out today!

Reporting: Visual Power and Presentation Control

Button Slicer (GA) — More Interaction, Less Effort

The Button Slicer graduates from preview with new cross-highlighting and Auto Grid features.

  • Cross-highlighting: Like the Chiclet slicer, it dims unrelated visuals and highlights related ones, helping you instantly spot correlations.
  • Auto Grid: Automatically arranges rows and columns to fit your layout. No more pixel-perfect wrestling.

Accessibility improvements make it more inclusive, and it’s now your go-to slicer for modern report interactivity.

For example, following with Auto grid on:

Visual Calculations in Embedded Reports (Preview)

Embedded analytics gets a boost, visual calculations are now supported in “Embed for your customers” scenarios.
You can define calculations directly in visuals without touching the data model or writing DAX. This means ISVs and developers can deliver faster, dynamic insights in embedded Power BI solutions.

Grow to Fit — Tables that Auto-Resize Gracefully

A small change with a big impact: Power BI tables now support “Grow to Fit”, automatically distributing unused space across columns. It’s the polish your reports deserve — clean, balanced, and professional, no manual resizing required.

Power BI Controller for PowerPoint (Preview)

Say goodbye to repetitive manual updates in slide decks. The new Power BI Controller add-in for PowerPoint acts as a central control panel to manage all embedded Power BI visuals across multiple slides.

Bulk refresh, update, or replace visuals in one shot. Simply install the add-in from the PowerPoint ribbon, open the command pane, and let the Controller handle the heavy lifting.

Performance Analyzer in Web

The Performance Analyzer pane — long loved in Desktop, is now available in the web experience. You can finally measure the load times of visuals directly where your users view them.

Rollout hits all tenants within weeks.

Data Connectivity: Export Query Results (Preview)

This one’s huge for data engineers and Fabric users. Export Query Results lets you take transformed Power Query data and export it directly to Dataflows Gen2, Lakehouses, or OneLake — all from Power BI Desktop.

Why It Matters

  • No more copy-paste or third-party hacks.
  • Seamless handoff from analyst prep to enterprise storage.
  • Streamlined refresh, monitoring, and interoperability across Fabric workloads.

How to Try It

  1. Go to File → Options → Preview Features → Export Queries from Power Query.
  2. In Power Query Editor, open Export Query Results.
  3. Choose a Fabric destination and credentials, then export.

Result: A Fabric Dataflow Gen2 created automatically in your workspace — ready for refresh and governance.

Open the Export query results feature

After enabling the preview:

  • Open Power Query Editor from the ribbon (Transform) or the query menu (Edit Query).
  • In the ribbon, select Export Query Results.

Check Fabric access

To use this feature:

  • You need access to Microsoft Fabric.
  • Your My Workspace must be assigned to a Fabric or trial capacity.
  • If these conditions aren’t met, you’ll see an error message.

Options:

  • Sign up for a Fabric trial and assign your workspace.
  • Assign My Workspace to a Fabric capacity in your organization.
  • If you can’t enable Fabric, contact your Fabric admin.
  • Select a destination
  • Once your workspace is assigned to Fabric, choose an online destination:
  • Supported destinations match those in Fabric Dataflows.
  • You can also pick existing OneLake destinations.

Enter credentials

After selecting a destination:

  • Enter your credentials.
  • Select Connect, then Choose.
  • Confirm and export

You see a summary screen:

  • A Fabric Dataflow Gen2 is created in My Workspace.
  • You can rename the dataflow but can’t change the workspace yet.
  • Expand Manage Connections to check or fix query connections.
  • When ready, select Export.
  • The next screen shows export progress.
  • After completion, review your dataflow in Fabric.
  • If errors occur, open the dataflow in Fabric and run it to debug.

Platform Support: Power BI Desktop on ARM

Power BI Desktop now runs natively on ARM-based Windows devices (with KB5065789 installed).
That means better performance, lower battery usage, and optimized experience for lightweight, energy-efficient devices — ideal for users working on the go.

This move aligns with Microsoft’s broader ecosystem shift toward ARM and ensures Power BI stays modern, fast, and portable.

Visualizations: Fresh, Functional, and Fun

The marketplace is buzzing this month — here are the standouts:

Sankey Chart by Powerviz

Flow your data like never before. The Sankey Chart visual adds vertical/horizontal orientations, multi-level support, color-blind palettes, conditional formatting, and even image labels. Perfect for customer journeys, expense flows, and supply chains.

Your Timeline Slicer

Microsoft’s compact, modern timeline visual saves up to 60% dashboard space while introducing Current Period and Latest Available filters. It’s sleek, adaptive, and made for executive dashboards.

Drill Down Scatter PRO by ZoomCharts

Intuitive data exploration meets smartphone-like UX: zoom, pinch, click to drill down. Great for interactive scatter plots with regression lines, category clusters, and visual storytelling.

Multiple Sparklines

Build a complete Income Statement in one visual with trend, comparison, and benchmark columns. Clean, compact, and storytelling-ready.

Performance Bar by JTA

Minimalist progress bars with optional total bars, dynamic labels, and animations. Ideal for tracking KPIs in a sleek way.

Financial Reporting Matrix v8.2

Adds RowHeaderParent(), Invert Sign Factor, conditional formatting enhancements, pinned columns, and comment support (even exporting comments to Excel!). It’s the accountant’s new best friend.

BI Pixie by DataChant

A robust governance and adoption tracker now measuring six dimensions from Adoption to Security. BI Pixie audits Power BI usage and detects RLS misconfigurations, helping orgs boost ROI on analytics.

Closing Thoughts

October 2025 proves that Power BI isn’t slowing down, it’s accelerating into an era of AI-assisted modeling, Fabric-integrated data mobility, and cross-platform performance.
Copilot is rewriting DAX (literally), the Button Slicer is smarter than ever, and Power BI is now comfortably running on ARM because analytics should be as agile as the people using it.

Final Takeaway

If you’re building reports or managing analytics platforms:

  • Start transitioning your maps to Azure Maps.
  • Enable Copilot for DAX and Export Query Results.
  • Experiment with the Power BI Controller for PowerPoint for presentation efficiency.
  • Explore the new visuals, they’re not just eye candy; they simplify storytelling.

Thank you for stopping by. ✌️

Source: Power BI October 2025 Feature Summary

The Principle of Least Privilege (PoLP): Keep Access Tight, Keep Threats Out

by

In security, more access usually means more risk. The Principle of Least Privilege (PoLP) is about flipping that around, giving users, systems, and apps only the access they truly need, nothing more.
It’s simple in theory but powerful in practice: when people or systems can’t touch what they don’t need, they can’t break it (accidentally or otherwise).

Why Least Privilege Matters

Most breaches start with too much access.
A user clicks a phishing link, malware runs with their admin rights, and suddenly the whole network’s on fire. If that user had limited access, the damage would’ve been contained to one account or one system. That’s what PoLP prevents, chaos spreading beyond its starting point.

PoLP doesn’t just guard against hackers. It also saves you from insider mistakes and “oops” moments like a user deleting shared folders they shouldn’t have even seen.
And yes, it keeps malware from running wild since it can’t exploit privileges it doesn’t have.

What Privileged Accounts Are (and Why They’re Dangerous)

Not all accounts are created equal.
Privileged accounts have special powers, installing software, managing configurations, running services, or touching sensitive data.
Think of them as the keys to the kingdom. And if those keys get stolen, it’s open season on your infrastructure.

Types of privileged accounts include:

  • Admin/root accounts: Control system-wide changes.
  • Service accounts: Run background processes and automation.
  • Application accounts: Manage specific app functions.
  • System accounts: Handle OS-level components.

These accounts need tight control, strong authentication, monitoring, and isolation. That’s where Privileged Access Management (PAM) comes in. It enforces who gets access, when, and how long.

How PoLP Works in Practice

Least privilege isn’t a one-time setup, it’s an ongoing discipline.

  1. Audit what exists.
    Start by finding every account with elevated access—users, vendors, services, cloud apps. Identify what’s overprivileged.
  2. Revoke the excess.
    Drop unnecessary admin rights, remove shared accounts, and lock down unused permissions.
  3. Separate duties.
    Admins shouldn’t use their everyday login for privileged work. Create split accounts—one for regular use, one for admin tasks.
  4. Grant access only when needed.
    Use Just-In-Time (JIT) access so privileges exist only for short periods. When the task’s done, access expires.
  5. Watch everything.
    Monitor privileged account activity, set up alerts for odd behavior, and review permissions regularly.
  6. Secure the cloud, too.
    Cloud IAM roles are easy to overprovision. Enforce the same least-privilege logic in AWS, Azure, and other platforms.

PoLP isn’t about micromanaging, it’s about containing risk before it becomes a headline.

Real-World Examples

Here’s how least privilege shows up in daily IT life:

  • User accounts: An employee who just runs backups doesn’t need access to HR data. Backup rights only, nothing more.
  • Endpoint security: Removing local admin rights from regular users blocks 90% of common malware installs.
  • Application permissions: Apps should only access the data they need, not the entire database.
  • Cloud roles: In Azure or AWS, define roles per job—not per person—and remove blanket “owner” or “admin” assignments.
  • Privileged sessions: Keep admin logins separate and audited. Never use a shared “admin” account for daily operations.

Benefits That Actually Matter

Implementing PoLP pays off quickly. Here’s what you’ll notice:

  • Smaller attack surface: Fewer paths for attackers to exploit.
  • Reduced insider risk: Employees can’t mess up what they can’t access.
  • Better compliance: Regulations like HIPAA, GDPR, and ISO 27001 love least privilege.
  • Stable systems: Less chance of “oops, I changed a system setting” moments.
  • Simpler admin life: Clean role definitions mean fewer helpdesk tickets about permission issues.
  • Stronger overall security posture: Because it’s one of the few controls that cuts across every system and app.

Best Practices to Keep It Tight

To make PoLP stick, bake it into your daily IT routine:

  • Review access rights regularly. Don’t let old privileges linger.
  • Use role-based access control (RBAC) instead of assigning permissions one by one.
  • Automate provisioning and deprovisioning. It saves time and prevents forgotten accounts.
  • Enforce multifactor authentication (MFA) on all privileged accounts.
  • Avoid shared accounts. Everyone gets their own. Accountability depends on traceability.
  • Apply PoLP everywhere—users, endpoints, applications, cloud, and infrastructure.

The goal isn’t perfection. It’s making “too much access” the exception, not the default.

The Bottom Line

The Principle of Least Privilege is one of those timeless IT truths:
fewer permissions = fewer problems.

It’s not glamorous, and it won’t earn you applause at the next all-hands meeting.
But when the next ransomware campaign hits and your systems stay safe, you’ll know it was worth it.

Thank you for stopping by. ✌️

Best Practices for Active Directory Security: Because Hackers Don’t Take Coffee Breaks

by

October is Cybersecurity Awareness Month — that time of year when we remind everyone that “Password123” isn’t clever, and clicking suspicious links doesn’t count as continuing education.

As part of this month’s awareness focus, I’m turning the spotlight on one of the most critical and misunderstood pillars of enterprise IT: Active Directory (AD) — the brain of your IT environment. It decides who gets access, who doesn’t, and whether that intern really needs Domain Admin privileges (spoiler: they don’t).

But this brain, while brilliant, is also a favorite target for cybercriminals. One misconfigured policy, one neglected account, and suddenly your network’s “brain” is handing out secrets like a gossiping chatbot.

So, in the spirit of staying one step ahead of the bad guys, let’s talk about how to lock down AD like the digital Fort Knox it was meant to be, without losing your mind or your weekend.

Privileged Account Management: Because Power Needs Boundaries

1. Use Dedicated Admin Accounts

Admins checking email with Domain Admin privileges? That’s like using your company credit card to buy lunch at Taco Bell — risky and unnecessary.
Create separate accounts for admin and daily work. One for privilege, one for productivity. Keep your credentials (and tacos) compartmentalized.

2. Disable Local Administrator Accounts

Every domain-joined system comes with a local admin account and attackers love them more than free Wi-Fi.
Rename or disable them, and use Microsoft LAPS to automatically rotate passwords. It’s simple, effective, and dramatically limits lateral movement.

3. Lock Down the Built-In Administrator Account

The built-in admin is basically the “root god mode” of AD and that’s why attackers target it first.
Mark it as sensitive and cannot be delegated, enforce smart card logon, and deny RDP/network access. Think of it as your digital crown jewels, under lock, key, and 24/7 surveillance.

4. Limit Privileged Group Membership

Groups like Domain Admins and Enterprise Admins should be exclusive clubs, not open mic nights.
Review memberships regularly, remove anyone who doesn’t belong, and make sure each role has a purpose. The smaller the group, the smaller the blast radius.

5. Implement a Tiered Administration Model

Treat your environment like layers of a secure fortress:

  • Tier 0: Domain controllers and critical identity assets
  • Tier 1: Servers and infrastructure
  • Tier 2: User devices and workstations

This approach prevents one compromised credential from leading to full-scale domain doom. It’s containment but stylish.

Identity Hygiene: Clean Directory, Clear Conscience

6. Remove Inactive Accounts

Nothing screams “free real estate” to hackers like dormant user accounts.
Audit and disable old or unused accounts, human or computer. The less clutter in AD, the fewer entry points for attackers.

7. Secure Service Accounts with Managed Identities

Static passwords for service accounts are digital kryptonite. Switch to Managed Service Accounts (MSAs) that rotate passwords automatically and minimize privilege creep.
They’re the automation win your AD never knew it needed.

8. Disable Guest and Anonymous Access

Guest and anonymous access are relics from a more trusting age — like floppy disks and Clippy.
If you must enable them, restrict, monitor, and set expiration dates. Better yet, don’t.

Passwords & Authentication: Fortify the Front Door

9. Enforce Strong Password Policies

Strong passwords are still your best first defense. Set a minimum of 14 characters, enforce complexity, and keep a 24-password history.
It’s not rocket science, it’s digital hygiene.

10. Fine-Grained Password Policies (FGPP)

Admins and regular users don’t need the same rules. Apply FGPP to enforce stricter requirements for privileged accounts without creating user revolt.

11. Account Lockout Policies

Configure smart lockout thresholds to stop brute-force attempts without locking out half your team every Monday morning. Balance security with sanity.

Auditing & Monitoring: Because “Trust But Verify” Is a Security Lifestyle

12. Enable Advanced Audit Policies

Turn on Advanced Audit Policy Configuration to track logons, password changes, and directory access. Logs are your crystal ball — if you bother to read them.

13. Deploy Honeypot Accounts

Honeypots are fake accounts that no one should touch.
If someone does, you’ve got a live one. These tripwire accounts are an elegant way to catch intruders red-handed.

14. Configure User Rights Assignments

Too many permissions? Too many problems.
Regularly review what users can do (logon, shut down, change time, etc.). Less privilege = less chaos.

Maintenance, Patching & Recovery: The Boring Stuff That Saves You

15. Patch Domain Controllers Regularly

Unpatched DCs are like leaving your front door open with a neon “Welcome Hackers” sign.
Patch early, patch often, and keep your DCs dedicated to identity services only.

16. Reset the KRBTGT Account Password (Twice!)

If you’ve never reset your KRBTGT password, consider this your reminder.
It prevents Golden Ticket attacks, which let attackers mint fake Kerberos tickets like it’s Black Friday. Reset it twice during maintenance, it’s tedious but vital.

17. Use Secure Admin Workstations (SAWs)

Admins shouldn’t manage AD from general-use machines.
Deploy isolated, hardened SAWs — no web browsing, no random installs, no nonsense. Treat them like clean rooms for your digital operations.

18. Perform and Test Active Directory Backups

Backups are useless until tested. Run regular AD backups, verify integrity, and document recovery procedures. When disaster strikes, you’ll thank your past self.

Final Thoughts: Security Is a Journey, Not a Checkbox

Securing Active Directory isn’t a one-time project, it’s a habit. You review, patch, audit, and repeat. Because the moment you stop, the adversaries don’t.

So tighten your policies, clean up those stale accounts, and check your audit logs like your paycheck depends on it because it just might.

Wrapping It Up: Stay Cyber-Aware, Not Cyber-Weary

As Cybersecurity Awareness Month reminds us, security isn’t about fear, it’s about habit. The small, consistent things you do today like rotating passwords, trimming privileges, and auditing regularly, stop tomorrow’s breach before it starts.

Active Directory may be the brain of your IT environment, but you are its conscience. Keep it clean, disciplined, and alert, and it’ll serve your business faithfully without gossiping to strangers on the internet.

So take a few minutes this month to revisit your AD setup, fine-tune your defenses, and maybe even drop a honeypot or two. Because security isn’t a checklist — it’s a mindset.

Stay sharp, stay patched, and may your logs always tell the truth.

Good AD security doesn’t just keep attackers out, it keeps you out of the next incident postmortem.

Thank you for stopping by. ✌️

Understanding Delegated vs Application Permissions in Microsoft Entra ID: A Security Deep Dive for IT Architects

by

Introduction

October is Cybersecurity Awareness Month, a reminder that protecting identity and data is everyone’s responsibility, especially in cloud-first environments. As organizations deepen their reliance on Microsoft 365 and Entra ID, understanding how applications gain access to corporate resources has never been more critical.

Access control sits at the heart of Microsoft 365 and Entra ID security. Every permission you grant, whether to a user, application, or service principal defines who can interact with corporate data and how.
For system architects and administrators, understanding the difference between delegated and app-only access isn’t just a technical nuance; it’s essential for preventing data exposure, privilege escalation, and consent-based attacks.

Modern organizations rely heavily on integrations, custom apps, automation scripts, backup agents, or Power Platform connectors – all of which authenticate through Microsoft Entra ID. Knowing how these apps access resources helps you enforce least privilege, evaluate consent requests, and monitor what happens behind the scenes.

Overview

Applications in Microsoft Entra ID can access organizational data in two primary modes:

1. Delegated Access (On Behalf of a User)

Delegated access occurs when an application acts as the signed-in user.
It requires:

  • The user to sign in and grant consent.
  • The application to request delegated permissions (scopes) such as Mail.Read or Files.Read.All.

The app’s access is limited by:

  • The user’s existing rights to the data.
  • The scopes consented to by the user or an admin.

If a Global Administrator signs in, the app temporarily inherits their privileges, creating potential risk if either the account or app is compromised.

Example:
A Teams add-in using delegated Files.Read.All can only read files the signed-in user can access, never tenant-wide content.

OAuth 2.0 Flow (Simplified):

  1. User authenticates interactively via the Microsoft identity platform.
  2. Entra ID displays a consent screen with the requested scopes.
  3. Upon approval, Entra ID issues an access token representing both user and app permissions.
  4. The app uses this token to call APIs such as Microsoft Graph.

2. Application Permissions (Access without a user)

App-only access allows an application to act independently of any user, using its own identity.
The app’s rights come entirely from admin-granted application permissions, like User.Read.All or Mail.Send.

Common in automation, reporting, and backend integrations, this model is powerful but risky: a compromised app credential (client secret or certificate) grants tenant-wide access.

Example:
A compliance automation tool with Files.Read.All app-only permission can access all users’ OneDrive files—even without any user logged in.

OAuth 2.0 Flow (Client Credentials Grant):

  1. The app authenticates using its credentials (client secret or certificate).
  2. Entra ID verifies the identity and issues an app-only access token.
  3. The token represents the service principal, not any specific user.
  4. API calls are logged as service principal activity.

Comparison Table

AspectDelegated PermissionsApplication Permissions
Identity ContextActs on behalf of a signed-in userActs as its own service principal
AuthenticationRequires user sign-in and consent (OAuth 2.0 Authorization Code Flow)Uses client secret, certificate, or managed identity (Client Credentials Flow)
Permission ScopeLimited by user rights and requested scopesDefined by application-level permissions
Risk SurfaceInherits user privileges, risky if user has elevated rolesTenant-wide exposure if app credentials are compromised
Visibility in LogsAppears as user activityAppears as service principal activity (less transparent)
Who Can ConsentUsers (for personal data) or admins (for all users)Admins only
Consent MethodShown interactively at sign-inConfigured statically in app registration
LifespanSession-based; expires with user tokensPersistent; remains active until credentials expire or revoked
Typical Use CaseUser-centric apps (e.g., Outlook add-ins, Teams bots)Background daemons, automation scripts, or data sync agents

Security Risks and Attack Scenarios

Both permission types can be secure when scoped properly but both become dangerous when permissions are broader than required.

Delegated Permissions Access Risks

  • Users unknowingly approve apps with excessive scopes (Mail.ReadWrite.All).
  • Apps inherit Global Admin privileges from highly privileged sign-ins.
  • Attack scenario: A malicious actor launches a consent phishing attack, tricking a user into granting “Send mail as you” permission. The attacker now impersonates the user to perform Business Email Compromise (BEC).

Application Permissions Access Risks

  • Developers grant wide-ranging admin consent (e.g., User.ReadWrite.All) for convenience.
  • Secrets or certificates stored insecurely in code repositories.
  • Attack scenario: A leaked client secret for an app with Directory.ReadWrite.All allows silent privilege escalation—creating shadow accounts or modifying security settings, without triggering MFA or user prompts.

At the core, the danger lies not in the permission model itself, but in granting broader access than necessary.

Best Practices for Securing Entra ID App Access

1. Enforce Least Privilege

  • Assign only the minimum necessary scopes.
    Avoid tenant-wide permissions like *.All unless absolutely required.
  • Use incremental consent for delegated apps requesting additional permissions only when needed.

2. Choose the Right Permission Type

  • Match the application’s use case to the appropriate access model:
    • Delegated: When user context and consent are required.
    • App-Only: When no user is involved (e.g., automation or reporting).
  • Document and review permission mappings for each integration.

3. Control and Review User Consent

  • Configure admin consent workflows in Microsoft Entra ID so that sensitive permissions require approval.
  • Disable or limit user consent for external or unverified applications.
  • Periodically audit app permissions and consents in the Enterprise Applications → Permissions and Consent blade.

4. Secure App Credentials

  • Use certificates or managed identities instead of client secrets whenever possible.
  • Restrict client secret creation using Application policies.
  • Rotate credentials periodically and avoid embedding them in code or configuration files.

5. Monitor and Audit Regularly

  • Review service principals and remove unused app registrations.
  • Monitor Sign-In logs and Audit logs for anomalous activity.
  • Implement alerting for new high-privilege app consents or app registrations.

6. Educate Users and Developers

  • Train users to recognize suspicious consent prompts.
  • Instruct developers to request the narrowest scopes possible during app design.
  • Embed a security review checkpoint into your app registration workflow.

Conclusion

In my years administering Microsoft Entra ID, I’ve learned one universal truth: application vendors rarely understand the full implications of the permissions their apps request.

I’ve seen requests that could make any security admin’s coffee go cold, like an app demanding Mail.ReadWrite and Mail.Send for every mailbox in the tenant. Yes, every single one. Including the CEO’s.

When I questioned the vendor about it, their response was priceless:

“Sure, we ask for those permissions, but it doesn’t mean we’ll actually use them.”

Of course. Because that’s exactly how least privilege works, right? Ask for the kingdom, but promise you’ll only open the gate occasionally.

It took hours of discussion (and a few deep breaths) to walk them through why that approach was a terrible idea.
This experience reinforced a simple but critical lesson: always verify what permissions an application is requesting and why. Blindly granting broad scopes doesn’t just expand functionality, it expands your attack surface.

Doing due diligence before approving access, verifying scopes, questioning necessity, and understanding the real reach of permissions, isn’t just best practice; it’s the difference between secure automation and unintentional data sprawl.

Thank you for stopping by. ✌️

Microsoft 365 Admins: October 2025 Brings Key Retirements, Security Enhancements & Admin Controls – Here’s Your Definitive Guide

by

October 2025 is another loaded month for Microsoft 365 admins. From the retirement of long-standing apps like OneNote for Windows 10 and Outlook Lite to the introduction of AI-powered tools, granular Teams policies, and more secure authentication flows – this is a month to tune in and take action.

Whether you’re managing mail flow, SharePoint governance, Teams collaboration, or compliance policies, this post breaks down all the new features, enhancements, retirements, and action items in one go-to guide.

October at a Glance

CategoryCount
Retirements6
New Features10
Enhancements6
Functionality Changes5
Action Required4

Retirements: What’s Going Away

  • “Add to Existing Remediation” in Defender for Office 365
    Retires Oct 1, 2025 – Admins can no longer add messages to ongoing remediation jobs.
    Use “Create new remediation” instead.
    🔗 Ref – MC1146813
  • Web-based “Share to Teams” from Outlook
    Retires Oct 3, 2025 – The feature will prompt users to install the Teams desktop app.
    Install Teams desktop to continue using “Share to Teams.”
    🔗 Ref – MC1140180
  • Outlook Lite App
    Retires Oct 6, 2025 – No new installations allowed after this date.
    Use the full Outlook Mobile app for a richer experience.
    🔗 Ref
  • OneNote for Windows 10
    Retires Oct 14, 2025 – The app becomes read-only and unsupported.
    Switch users to the latest OneNote for Windows app.
    🔗 Ref – MC899174
  • SharePoint SendEmail API
    Retires Oct 31, 2025 – Impacts custom code and Power Automate flows.
    Use Microsoft Graph API or Outlook connectors instead.
    🔗 Ref
  • Legacy Outlook for Mac
    End of support after Oct 2025 – Legacy versions will no longer work with Microsoft 365 accounts.
    Upgrade to the latest version of Outlook for Mac.
    🔗 Ref

New Features: Worth the Hype

  • Admin Controls for Copilot Agents
    Granular sharing controls for Copilot Studio agents.
    🔗 Ref – MC1138797
  • Entra ID Free Subscription
    Automatically added to track tenant ownership.
    🔗 Ref – MC1156361
  • AI-Powered Data Security Investigations (DSI) in Purview
    Find and mitigate risks with deep content analysis and smart visualizations.
    🔗 Ref – MC1047912
  • SharePoint Assessment Dashboard
    New Content Management Assessment (CMA) for lifecycle and access governance.
    🔗 Ref – MC1148538
  • Streamlined Authenticator Experience
    No number matching on same-device; improved first run onboarding.
    🔗 Ref – MC1117816
  • Info Barriers V2 Upgrade
    Multi-segment support, flexible discoverability.
    🔗 Ref – Roadmap ID 115482
  • Just-in-Time DLP Protection in SharePoint
    Apply DLP rules only when risk occurs (e.g., external sharing).
    🔗 Ref – Roadmap ID 139457
  • Cross-Cloud Sync in Entra
    Sync users across commercial, Gov, and China clouds.
    🔗 Ref – MC1124558
  • Drag & Drop Between Outlook Accounts
    Move mail and files across mailboxes in New Outlook for Windows.
    🔗 Ref – MC1104315
  • Teams External Access by Domain + User/Group
    Granular federation controls now supported.
    🔗 Ref – MC1150123

Enhancements: Small but Strategic

  • Teams Guest Invitation Sender Address Updated
    Now sent from no-reply@teams.mail.microsoft.com.
    🔗 Ref – MC1148535
  • OCR on Windows Endpoints for Purview DLP
    DLP can now detect text in images and PDFs.
    🔗 Ref – Roadmap ID 160008
  • SMTP DANE/DNSSEC for Exchange GCC/DoD
    Improved email encryption in restricted environments.
    🔗 Ref – Roadmap ID 361914
  • Unified Licensing View in Admin Center
    Shows user and group-based assignments in one place.
    🔗 Ref – MC1160187
  • DLP Alert UX Overhaul in Purview
    More visibility, faster triage, unified views.
    🔗 Ref – MC1148526

Functionality Changes: Worth Noting

  • DLP Policy Tips & Email Notifications Can Be Set Independently
    Finally decoupled for SharePoint and OneDrive.
    🔗 Ref – Roadmap ID 396575
  • Exchange Cmdlet Database Output Format Updated
    More descriptive paths in Get-Mailbox, etc.
    🔗 Ref – MC1108848
  • Throttling on onmicrosoft.com Domains
    Outbound email limited to 100/day to encourage branded domains.
    🔗 Ref
  • Office Scripts Settings Move to Cloud Policy
    Admins must manage three specific script settings via CPS.
    🔗 Ref – MC1150681
  • Shorter Teams Meeting URLs
    Cleaner meeting links like https://teams.microsoft.com/meet/<meeting_id>?p=<HashedPasscode>
    🔗 Ref – MC772556

Action Required: Do These Before Deadlines Hit

DeadlineTask
Oct 14Migrate off Office 2016/2019 and Visio/Project legacy apps
Oct 20Update MFA policy for credential management on “My Sign-ins”
Oct 20Ensure TLS 1.3/1.2 cipher suites supported (legacy TLS deprecated)
Oct 31Prepare for Defender for Endpoint Deception retirement

🔗 Office Retirement – MC1154299
🔗 TLS Cipher Deprecation – MC1155427
🔗 MFA for Sign-ins – MC1135479
🔗 Defender Deception Retirement

Final Thoughts

October 2025 continues Microsoft’s march toward zero-trust architecture, intelligent compliance, and tighter collaboration controls. As legacy tools like OneNote for Windows 10 and Outlook Lite fade out, the spotlight is now on AI-driven governance, adaptive DLP, and personalized admin controls.

  • Start planning your transitions now.
  • Communicate changes to your org.
  • Automate where possible.
  • Don’t wait for a 2 a.m. incident to discover a policy broke silently.

Thank you for stopping by ✌️