Merge branch 'main' into main

chrisda · web-flow · commit 969cc8080799 · 2024-06-24T16:10:10.000-07:00
diff --git a/exchange/docs-conceptual/app-only-auth-powershell-v2.md b/exchange/docs-conceptual/app-only-auth-powershell-v2.md
@@ -412,20 +412,22 @@ The supported Microsoft Entra roles are described in the following table:
 |Role|Exchange Online<br>PowerShell|Security & Compliance<br>PowerShell|
 |---|:---:|:---:|
 |[Compliance Administrator](/entra/identity/role-based-access-control/permissions-reference#compliance-administrator)|✔|✔|
-|[Exchange Administrator](/entra/identity/role-based-access-control/permissions-reference#exchange-administrator)<sup>\*</sup>|✔||
+|[Exchange Administrator](/entra/identity/role-based-access-control/permissions-reference#exchange-administrator)¹|✔||
 |[Exchange Recipient Administrator](/entra/identity/role-based-access-control/permissions-reference#exchange-recipient-administrator)|✔||
-|[Global Administrator](/entra/identity/role-based-access-control/permissions-reference#global-administrator)<sup>\*</sup>|✔|✔|
+|[Global Administrator](/entra/identity/role-based-access-control/permissions-reference#global-administrator)¹ ²|✔|✔|
 |[Global Reader](/entra/identity/role-based-access-control/permissions-reference#global-reader)|✔|✔|
 |[Helpdesk Administrator](/entra/identity/role-based-access-control/permissions-reference#helpdesk-administrator)|✔||
-|[Security Administrator](/entra/identity/role-based-access-control/permissions-reference#security-administrator)<sup>\*</sup>|✔|✔|
+|[Security Administrator](/entra/identity/role-based-access-control/permissions-reference#security-administrator)¹|✔|✔|
 |[Security Reader](/entra/identity/role-based-access-control/permissions-reference#security-reader)|✔|✔|
 
-> <sup>\*</sup> The Global Administrator and Exchange Administrator roles provide the required permissions for any task in Exchange Online PowerShell. For example:
->
-> - Recipient management.
-> - Security and protection features. For example, anti-spam, anti-malware, anti-phishing, and the associated reports.
->
-> The Security Administrator role does not have the necessary permissions for those same tasks.
+¹ The Global Administrator and Exchange Administrator roles provide the required permissions for any task in Exchange Online PowerShell. For example:
+
+- Recipient management.
+- Security and protection features. For example, anti-spam, anti-malware, anti-phishing, and the associated reports.
+
+The Security Administrator role does not have the necessary permissions for those same tasks.
+
+² Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
 
 For general instructions about assigning roles in Microsoft Entra ID, see [Assign Microsoft Entra roles to users](/entra/identity/role-based-access-control/manage-roles-portal).
 
diff --git a/exchange/docs-conceptual/connect-exo-powershell-managed-identity.md b/exchange/docs-conceptual/connect-exo-powershell-managed-identity.md
@@ -361,20 +361,22 @@ Now that the Office 365 Exchange Online resource is available, return to Step 4.
 The supported Microsoft Entra roles are described in the following list:
 
 - [Compliance Administrator](/entra/identity/role-based-access-control/permissions-reference#compliance-administrator)
-- [Exchange Administrator](/entra/identity/role-based-access-control/permissions-reference#exchange-administrator)<sup>\*</sup>
+- [Exchange Administrator](/entra/identity/role-based-access-control/permissions-reference#exchange-administrator)¹
 - [Exchange Recipient Administrator](/entra/identity/role-based-access-control/permissions-reference#exchange-recipient-administrator)
-- [Global Administrator](/entra/identity/role-based-access-control/permissions-reference#global-administrator)<sup>\*</sup>
+- [Global Administrator](/entra/identity/role-based-access-control/permissions-reference#global-administrator)¹ ²
 - [Global Reader](/entra/identity/role-based-access-control/permissions-reference#global-reader)
 - [Helpdesk Administrator](/entra/identity/role-based-access-control/permissions-reference#helpdesk-administrator)
-- [Security Administrator](/entra/identity/role-based-access-control/permissions-reference#security-administrator)<sup>\*</sup>
+- [Security Administrator](/entra/identity/role-based-access-control/permissions-reference#security-administrator)¹
 - [Security Reader](/entra/identity/role-based-access-control/permissions-reference#security-reader)
 
-> <sup>\*</sup> The Global Administrator and Exchange Administrator roles provide the required permissions for any task in Exchange Online PowerShell. For example:
->
-> - Recipient management.
-> - Security and protection features. For example, anti-spam, anti-malware, anti-phishing, and the associated reports.
->
-> The Security Administrator role does not have the necessary permissions for those same tasks.
+¹ The Global Administrator and Exchange Administrator roles provide the required permissions for any task in Exchange Online PowerShell. For example:
+
+- Recipient management.
+- Security and protection features. For example, anti-spam, anti-malware, anti-phishing, and the associated reports.
+
+The Security Administrator role does not have the necessary permissions for those same tasks.
+
+² Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
 
 For general instructions about assigning roles in Microsoft Entra ID, see [Assign Microsoft Entra roles to users](/entra/identity/role-based-access-control/manage-roles-portal).
 
diff --git a/exchange/docs-conceptual/disable-access-to-exchange-online-powershell.md b/exchange/docs-conceptual/disable-access-to-exchange-online-powershell.md
@@ -30,12 +30,14 @@ Admins can use the procedures in this article to disable or enable a user's abil
 
 - You need to be assigned permissions before you can do the procedures in this article. You have the following options:
   - [Exchange Online RBAC](/exchange/permissions-exo/permissions-exo): Membership in the **Organization Management** or **Recipient Management** role groups.
-  - [Microsoft Entra RBAC](/microsoft-365/admin/add-users/about-admin-roles): Membership in the **Global Administrator** role gives users the required permissions *and* permissions for other features in Microsoft 365.
+  - [Microsoft Entra RBAC](/microsoft-365/admin/add-users/about-admin-roles): Membership in the **Exchange Administrator** or **Global Administrator**<sup>\*</sup> roles gives users the required permissions *and* permissions for other features in Microsoft 365.
 
   > [!IMPORTANT]
   > In your haste to quickly and globally disable PowerShell access in your cloud-based organization, beware of commands like `Get-User | Set-User -EXOModuleEnabled $false` without considering admin accounts. Use the procedures in this article to selectively remove PowerShell access, or preserve access for those who need it by using the following syntax in your global removal command: `Get-User | Where-Object {$_.UserPrincipalName -ne 'admin1@contoso.onmicrosoft.com' -and $_.UserPrincipalName -ne 'admin2@contoso.onmicrosoft.com'...} | Set-User -EXOModuleEnabled $false`.
   >
   > If you accidentally lock yourself out of PowerShell access, create a new admin account in the Microsoft 365 admin center, and then use that account to give yourself PowerShell access using the procedures in this article.
+  >
+  > <sup>\*</sup> Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
 
 - For detailed information about OPATH filter syntax in Exchange Online, see [Additional OPATH syntax information](recipient-filters.md#additional-opath-syntax-information).
 
diff --git a/exchange/docs-conceptual/find-exchange-cmdlet-permissions.md b/exchange/docs-conceptual/find-exchange-cmdlet-permissions.md
@@ -42,7 +42,10 @@ You can use PowerShell to find the permissions required to run any Exchange or E
     - **Hygiene Management**
     - **Organization Management**
     - **View-Only Organization Management**
-  - [Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal): Membership in the **Global Administrator** or **Global Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
+  - [Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal): Membership in the **Global Administrator**<sup>\*</sup> or **Global Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
+
+    > [!IMPORTANT]
+    > <sup>\*</sup> Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
 
 ## Use PowerShell to find the permissions required to run a cmdlet
 
diff --git a/exchange/exchange-ps/exchange/Add-VivaModuleFeaturePolicy.md b/exchange/exchange-ps/exchange/Add-VivaModuleFeaturePolicy.md
@@ -70,6 +70,9 @@ To learn more about assigned roles at the feature level, see [Features Available
 
 To learn more about administrator role permissions in Microsoft Entra ID, see [Role template IDs](https://learn.microsoft.com/entra/identity/role-based-access-control/permissions-reference#role-template-ids).
 
+> [!IMPORTANT]
+> Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
+
 ## EXAMPLES
 
 ### Example 1
diff --git a/exchange/exchange-ps/exchange/Get-DefaultTenantBriefingConfig.md b/exchange/exchange-ps/exchange/Get-DefaultTenantBriefingConfig.md
@@ -40,6 +40,9 @@ To run this cmdlet, you need to be a member of one of the following directory ro
 
 For more information, see [Microsoft Entra built-in roles](https://learn.microsoft.com/entra/identity/role-based-access-control/permissions-reference).
 
+> [!IMPORTANT]
+> Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
+
 ## EXAMPLES
 
 ### Example 1
diff --git a/exchange/exchange-ps/exchange/Get-DefaultTenantMyAnalyticsFeatureConfig.md b/exchange/exchange-ps/exchange/Get-DefaultTenantMyAnalyticsFeatureConfig.md
@@ -36,6 +36,9 @@ To run this cmdlet, you need to be a member of one of the following directory ro
 
 For more information, see [Microsoft Entra built-in roles](https://learn.microsoft.com/entra/identity/role-based-access-control/permissions-reference).
 
+> [!IMPORTANT]
+> Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
+
 ## EXAMPLES
 
 ### Example 1
diff --git a/exchange/exchange-ps/exchange/Get-DnssecStatusForVerifiedDomain.md b/exchange/exchange-ps/exchange/Get-DnssecStatusForVerifiedDomain.md
@@ -41,7 +41,7 @@ You need to be assigned permissions before you can run this cmdlet. Although thi
 
 ### Example 1
 ```powershell
-PS C:\> Get-Get-DnssecStatusForVerifiedDomain -DomainName contoso.com
+PS C:\> Get-DnssecStatusForVerifiedDomain -DomainName contoso.com
 
 DnssecFeatureStatus : Enabled
 ExpectedMxRecord    : Microsoft.Exchange.Management.ProvisioningTasks.ExpectedMxRecordInfo
diff --git a/exchange/exchange-ps/exchange/Get-MyAnalyticsFeatureConfig.md b/exchange/exchange-ps/exchange/Get-MyAnalyticsFeatureConfig.md
@@ -39,6 +39,9 @@ To run this cmdlet, you need to be a member of one of the following directory ro
 
 To learn more about administrator role permissions in Microsoft Entra ID, see [Role template IDs](https://learn.microsoft.com/entra/identity/role-based-access-control/permissions-reference#role-template-ids).
 
+> [!IMPORTANT]
+> Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
+
 ## EXAMPLES
 
 ### Example 1
diff --git a/exchange/exchange-ps/exchange/Get-UserBriefingConfig.md b/exchange/exchange-ps/exchange/Get-UserBriefingConfig.md
@@ -36,6 +36,9 @@ To run this cmdlet, you need to be a member of one of the following directory ro
 
 To learn more about administrator role permissions in Microsoft Entra ID, see [Role template IDs](https://learn.microsoft.com/entra/identity/role-based-access-control/permissions-reference#role-template-ids).
 
+> [!IMPORTANT]
+> Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
+
 ## EXAMPLES
 
 ### Example 1
diff --git a/exchange/exchange-ps/exchange/Get-VivaInsightsSettings.md b/exchange/exchange-ps/exchange/Get-VivaInsightsSettings.md
@@ -40,6 +40,9 @@ To run this cmdlet, you need to be a member of one of the following directory ro
 
 To learn more about administrator role permissions in Microsoft Entra ID, see [Role template IDs](https://learn.microsoft.com/entra/identity/role-based-access-control/permissions-reference#role-template-ids).
 
+> [!IMPORTANT]
+> Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
+
 ## EXAMPLES
 
 ### Example 1
diff --git a/exchange/exchange-ps/exchange/Get-VivaModuleFeatureEnablement.md b/exchange/exchange-ps/exchange/Get-VivaModuleFeatureEnablement.md
@@ -38,6 +38,9 @@ Currently, you need to be a member of the Global Administrators role to run this
 
 To learn more about administrator role permissions in Microsoft Entra ID, see [Role template IDs](https://learn.microsoft.com/entra/identity/role-based-access-control/permissions-reference#role-template-ids).
 
+> [!IMPORTANT]
+> Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
+
 ## EXAMPLES
 
 ### Example 1
diff --git a/exchange/exchange-ps/exchange/Get-VivaModuleFeaturePolicy.md b/exchange/exchange-ps/exchange/Get-VivaModuleFeaturePolicy.md
@@ -56,6 +56,9 @@ To learn more about assigned roles at the feature level, see [Features Available
 
 To learn more about administrator role permissions in Microsoft Entra ID, see [Role template IDs](https://learn.microsoft.com/entra/identity/role-based-access-control/permissions-reference#role-template-ids).
 
+> [!IMPORTANT]
+> Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
+
 ## EXAMPLES
 
 ### Example 1
diff --git a/exchange/exchange-ps/exchange/New-AuthenticationPolicy.md b/exchange/exchange-ps/exchange/New-AuthenticationPolicy.md
@@ -34,6 +34,7 @@ New-AuthenticationPolicy [[-Name] <String>]
  [-AllowBasicAuthRpc]
  [-AllowBasicAuthSmtp]
  [-AllowBasicAuthWebServices]
+ [-AllowLegacyExchangeTokens]
  [-BlockLegacyAuthActiveSync]
  [-BlockLegacyAuthAutodiscover]
  [-BlockLegacyAuthImap]
@@ -332,6 +333,33 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
+### -AllowLegacyExchangeTokens
+This parameter is available only in the cloud-based service.
+
+The AllowLegacyExchangeTokens switch specifies whether to allow legacy Exchange tokens. You don't need to specify a value with this switch.
+
+Legacy Exchange tokens (for example, Exchange user identity and callback tokens) are used by Outlook add-ins.
+
+**Important**:
+
+- The Microsoft Report Message and Report Phishing add-ins require legacy Exchange tokens to work.
+- Legacy Exchange tokens will eventually be blocked by default in all cloud-based organizations.
+
+For more information on the Report Message and Report Phishing add-ins, see [Enable the Microsoft Report Message or the Report Phishing add-ins](https://learn.microsoft.com/microsoft-365/security/office-365-security/submissions-users-report-message-add-in-configure).
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+Applicable: Exchange Online, Exchange Online Protection
+
+Required: False
+Position: Named
+Default value: True
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -BlockLegacyAuthActiveSync
 This parameter is available only in on-premises Exchange.
 
diff --git a/exchange/exchange-ps/exchange/Remove-VivaModuleFeaturePolicy.md b/exchange/exchange-ps/exchange/Remove-VivaModuleFeaturePolicy.md
@@ -56,6 +56,9 @@ To learn more about assigned roles at the feature level, see [Features Available
 
 To learn more about administrator role permissions in Microsoft Entra ID, see [Role template IDs](https://learn.microsoft.com/entra/identity/role-based-access-control/permissions-reference#role-template-ids).
 
+> [!IMPORTANT]
+> Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
+
 ## EXAMPLES
 
 ### Example 1
diff --git a/exchange/exchange-ps/exchange/Set-AuthenticationPolicy.md b/exchange/exchange-ps/exchange/Set-AuthenticationPolicy.md
@@ -34,6 +34,7 @@ Set-AuthenticationPolicy [-Identity] <AuthPolicyIdParameter>
  [-AllowBasicAuthRpc]
  [-AllowBasicAuthSmtp]
  [-AllowBasicAuthWebServices]
+ [-AllowLegacyExchangeTokens]
  [-BlockLegacyAuthActiveSync]
  [-BlockLegacyAuthAutodiscover]
  [-BlockLegacyAuthImap]
@@ -348,6 +349,33 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
+### -AllowLegacyExchangeTokens
+This parameter is available only in the cloud-based service.
+
+The AllowLegacyExchangeTokens switch specifies whether to allow legacy Exchange tokens. You don't need to specify a value with this switch.
+
+Legacy Exchange tokens (for example, Exchange user identity and callback tokens) are used by Outlook add-ins.
+
+**Important**:
+
+- The Microsoft Report Message and Report Phishing add-ins require legacy Exchange tokens to work.
+- Legacy Exchange tokens will eventually be blocked by default in all cloud-based organizations.
+
+For more information on the Report Message and Report Phishing add-ins, see [Enable the Microsoft Report Message or the Report Phishing add-ins](https://learn.microsoft.com/microsoft-365/security/office-365-security/submissions-users-report-message-add-in-configure).
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+Applicable: Exchange Online, Exchange Online Protection
+
+Required: False
+Position: Named
+Default value: True
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -BlockLegacyAuthActiveSync
 This parameter is available only in on-premises Exchange.
 
diff --git a/exchange/exchange-ps/exchange/Set-DefaultTenantBriefingConfig.md b/exchange/exchange-ps/exchange/Set-DefaultTenantBriefingConfig.md
@@ -38,6 +38,9 @@ To run this cmdlet, you need to be a member of one of the following directory ro
 
 For more information, see [Microsoft Entra built-in roles](https://learn.microsoft.com/entra/identity/role-based-access-control/permissions-reference).
 
+> [!IMPORTANT]
+> Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
+
 ## EXAMPLES
 
 ### Example 1
diff --git a/exchange/exchange-ps/exchange/Set-DefaultTenantMyAnalyticsFeatureConfig.md b/exchange/exchange-ps/exchange/Set-DefaultTenantMyAnalyticsFeatureConfig.md
@@ -41,6 +41,9 @@ To run this cmdlet, you need to be a member of one of the following directory ro
 
 For more information, see [Microsoft Entra built-in roles](https://learn.microsoft.com/entra/identity/role-based-access-control/permissions-reference).
 
+> [!IMPORTANT]
+> Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
+
 ## EXAMPLES
 
 ### Example 1
diff --git a/exchange/exchange-ps/exchange/Set-MyAnalyticsFeatureConfig.md b/exchange/exchange-ps/exchange/Set-MyAnalyticsFeatureConfig.md
@@ -42,6 +42,9 @@ To run this cmdlet, you need to be a member of one of the following directory ro
 
 To learn more about administrator role permissions in Microsoft Entra ID, see [Role template IDs](https://learn.microsoft.com/entra/identity/role-based-access-control/permissions-reference#role-template-ids).
 
+> [!IMPORTANT]
+> Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
+
 ## EXAMPLES
 
 ### Example 1
diff --git a/exchange/exchange-ps/exchange/Set-OwaMailboxPolicy.md b/exchange/exchange-ps/exchange/Set-OwaMailboxPolicy.md
diff --git a/exchange/exchange-ps/exchange/Set-UserBriefingConfig.md b/exchange/exchange-ps/exchange/Set-UserBriefingConfig.md
diff --git a/exchange/exchange-ps/exchange/Set-VivaInsightsSettings.md b/exchange/exchange-ps/exchange/Set-VivaInsightsSettings.md
diff --git a/exchange/exchange-ps/exchange/Update-HybridConfiguration.md b/exchange/exchange-ps/exchange/Update-HybridConfiguration.md
diff --git a/exchange/exchange-ps/exchange/Update-VivaModuleFeaturePolicy.md b/exchange/exchange-ps/exchange/Update-VivaModuleFeaturePolicy.md
diff --git a/teams/teams-ps/teams/New-CsTeamsEmergencyCallingExtendedNotification.md b/teams/teams-ps/teams/New-CsTeamsEmergencyCallingExtendedNotification.md
diff --git a/teams/teams-ps/teams/Set-CsTeamsAcsFederationConfiguration.md b/teams/teams-ps/teams/Set-CsTeamsAcsFederationConfiguration.md
diff --git a/teams/teams-ps/teams/Set-CsTeamsFilesPolicy.md b/teams/teams-ps/teams/Set-CsTeamsFilesPolicy.md
diff --git a/teams/teams-ps/teams/Set-CsTenantFederationConfiguration.md b/teams/teams-ps/teams/Set-CsTenantFederationConfiguration.md
