Merge branch 'main' into patch-1

Author: chrisda

.github/workflows/AutoLabelMsftContributor.yml

@@ -1,3 +1,4 @@
+
 name: Auto label Microsoft contributors
 
 permissions:
@@ -31,4 +32,5 @@ jobs:
           PayloadJson: ${{ needs.download-payload.outputs.WorkflowPayload }}
         secrets:
           AccessToken: ${{ secrets.GITHUB_TOKEN }}
-          TeamReadAccessToken: ${{ secrets.ORG_READTEAMS_TOKEN }}
+          ClientId: ${{ secrets.M365_APP_CLIENT_ID }}
+          PrivateKey: ${{ secrets.M365_APP_PRIVATE_KEY }}

exchange/docs-conceptual/exchange-online-powershell-v2.md

@@ -3,7 +3,7 @@ title: About the Exchange Online PowerShell V3 module
 ms.author: chrisda
 author: chrisda
 manager: deniseb
-ms.date: 10/28/2024
+ms.date: 02/25/2025
 ms.audience: Admin
 audience: Admin
 ms.topic: article
@@ -613,14 +613,28 @@ Unless otherwise noted, the current release of the Exchange Online PowerShell mo
 
 ### Current release
 
+#### Version 3.7.1
+
+- Added a new property named `ExoExchangeSecurityDescriptor` to the output of **Get-EXOMailbox** that's similar to the `ExchangeSecurityDescriptor` property in the output of **Get-Mailbox**.
+- Added new cmdlets to support the Viva Org Insights Delegation feature:
+  - **Add-VivaOrgInsightsDelegatedRole**
+  - **Get-VivaOrgInsightsDelegatedRole**
+  - **Remove-VivaOrgInsightsDelegatedRole**
+
+### Previous releases
+
+#### Version 3.7.0
+
+- Integrated Web Account Manager (WAM) in authentication flows to enhance security.
+- Command line help for Exchange Online PowerShell cmdlets is no longer loaded by default. Use the _LoadCmdletHelp_ parameter in the **Connect-ExchangeOnline** command so help for Exchange Online PowerShell cmdlets is available to the **Get-Help** cmdlet.
+- Fixed connection issues with app only authentication in Security & Compliance PowerShell.
+
 #### Version 3.6.0
 
 - **Get-VivaModuleFeature** now returns information about the kinds of identities that the feature supports creating policies for (for example, users, groups, or the entire tenant).
 - Cmdlets for Viva feature access management now handle continuous access evaluation (CAE) claim challenges.
 - Added fix for compatibility issue with the Microsoft.Graph module.
 
-### Previous releases
-
 #### Version 3.5.1
 
 - Bug fixes in **Get-EXOMailboxPermission** and **Get-EXOMailbox**.

exchange/docs-conceptual/whats-new-in-the-exo-module.md

@@ -22,6 +22,20 @@ description: "Learn about the new features and functionality available in the la
 
 This article lists new features in the Exchange Online PowerShell module that's used for connecting to Exchange Online PowerShell, Security & Compliance PowerShell, and standalone Exchange Online Protection (EOP) PowerShell. Features that are currently in preview are denoted with **(preview)**.
 
+## January 2025
+
+- [Version 3.7.1](https://www.powershellgallery.com/packages/ExchangeOnlineManagement/3.7.1)
+
+  For information about what's in this release, see [Version 3.7.1](exchange-online-powershell-v2.md#version-371).
+
+## December 2024
+
+- [Version 3.7.0](https://www.powershellgallery.com/packages/ExchangeOnlineManagement/3.7.0)
+
+  Starting with this version of the module, command line help for Exchange Online PowerShell cmdlets is no longer loaded by default. Use the _LoadCmdletHelp_ parameter in the **Connect-ExchangeOnline** command so help for Exchange Online PowerShell cmdlets is available to the **Get-Help** cmdlet.
+
+  For information about what's in this release, see [Version 3.7.0](exchange-online-powershell-v2.md#version-370).
+
 ## September 2024
 
 - [Version 3.6.0](https://www.powershellgallery.com/packages/ExchangeOnlineManagement/3.6.0)

exchange/exchange-ps/exchange/Get-AuthenticationPolicy.md

@@ -81,10 +81,13 @@ The AllowLegacyExchangeTokens switch specifies whether legacy Exchange tokens ar
 
 Legacy Exchange tokens include Exchange user identity and callback tokens.
 
+This switch also specifies a date and time sometime within the past seven days when an add-in was either allowed or blocked from acquiring a token.
+
 **Important**:
 
-- Currently, the AllowLegacyExchangeTokens switch only specifies whether legacy Exchange tokens are allowed in your organization. For now, disregard the empty Allowed and Blocked arrays returned by the switch.
-- Legacy Exchange tokens will eventually be blocked by default in all cloud-based organizations. For more information, see [Nested app authentication and Outlook legacy tokens deprecation FAQ](https://learn.microsoft.com/office/dev/add-ins/outlook/faq-nested-app-auth-outlook-legacy-tokens#what-is-the-timeline-for-shutting-down-legacy-exchange-online-tokens).
+- An update is being deployed to enable the AllowLegacyExchangeTokens switch to specify any add-in that requested an Exchange token from the last seven days. For more information, see [Get the status of legacy Exchange Online tokens and add-ins that use them](https://learn.microsoft.com/office/dev/add-ins/outlook/turn-exchange-tokens-on-off#get-the-status-of-legacy-exchange-online-tokens-and-add-ins-that-use-them).
+- The AllowLegacyExchangeTokens switch returns `Not Set` if tokens haven't been explicitly allowed or blocked in your organization using the _AllowLegacyExchangeTokens_ or _BlockLegacyExchangeTokens_ parameters on the **Set-AuthenticationPolicy** cmdlet. For more information, see [Get the status of legacy Exchange Online tokens and add-ins that use them](https://learn.microsoft.com/office/dev/add-ins/outlook/turn-exchange-tokens-on-off#get-the-status-of-legacy-exchange-online-tokens-and-add-ins-that-use-them).
+- As of February 17 2025, legacy Exchange tokens are blocked by default in all cloud-based organizations. Although tokens are blocked by default, the AllowLegacyExchangeTokens switch still returns `Not Set` if you haven't used the _AllowLegacyExchangeTokens_ or _BlockLegacyExchangeTokens_ parameters on the **Set-AuthenticationPolicy** cmdlet. For more information, see [Nested app authentication and Outlook legacy tokens deprecation FAQ](https://learn.microsoft.com/office/dev/add-ins/outlook/faq-nested-app-auth-outlook-legacy-tokens#what-is-the-timeline-for-shutting-down-legacy-exchange-online-tokens).
 
 ```yaml
 Type: SwitchParameter

exchange/exchange-ps/exchange/Get-MessageTrackingReport.md

@@ -48,7 +48,9 @@ You need to be assigned permissions before you can run this cmdlet. Although thi
 ```powershell
 $Temp = Search-MessageTrackingReport -Identity "David Jones" -Recipients "[email protected]"
 
-Get-MessageTrackingReport -Identity $Temp.MessageTrackingReportID -ReportTemplate Summary
+foreach ($reportId in $Temp.MessageTrackingReportId) {
+    Get-MessageTrackingReport -Identity $reportId -ReportTemplate Summary -Status Delivered
+}
 ```
 
 This example gets the message tracking report for messages sent from one user to another. This example returns the summary of the message tracking report for a message that David Jones sent to Wendy Richardson.

exchange/exchange-ps/exchange/New-AppRetentionCompliancePolicy.md

@@ -308,6 +308,9 @@ Accept wildcard characters: False
 ```
 
 ### -PolicyRBACScopes
+
+**Note**: Admin units aren't currently supported, so this parameter isn't functional. The information presented here is for informational purposes when support for admin units is released.
+
 The PolicyRBACScopes parameter specifies the administrative units to assign to the policy. A valid value is the Microsoft Entra ObjectID (GUID value) of the administrative unit. You can specify multiple values separated by commas.
 
 Administrative units are available only in Microsoft Entra ID P1 or P2. You create and manage administrative units in Microsoft Graph PowerShell.

exchange/exchange-ps/exchange/New-AutoSensitivityLabelRule.md

@@ -254,6 +254,10 @@ The ContentContainsSensitiveInformation parameter specifies a condition for the
 
 This parameter uses the basic syntax `@(@{Name="SensitiveInformationType1";[minCount="Value"],@{Name="SensitiveInformationType2";[minCount="Value"],...)`. For example, `@(@{Name="U.S. Social Security Number (SSN)"; minCount="2"},@{Name="Credit Card Number"; minCount="1"; minConfidence="85"})`.
 
+Exact Data Match sensitive information types are supported only groups. For example:
+
+`@(@{operator="And"; groups=@(@{name="Default"; operator="Or"; sensitivetypes=@(@{id="<<EDM SIT Id>>"; name="<<EDM SIT name>>"; maxcount="-1"; classifiertype="ExactMatch"; mincount="100"; confidencelevel="Medium"})})})`
+
 ```yaml
 Type: PswsHashtable[]
 Parameter Sets: (All)

exchange/exchange-ps/exchange/New-ProtectionAlert.md

@@ -14,7 +14,15 @@ ms.reviewer:
 ## SYNOPSIS
 This cmdlet is available only in Security & Compliance PowerShell. For more information, see [Security & Compliance PowerShell](https://learn.microsoft.com/powershell/exchange/scc-powershell).
 
-Use the New-ProtectionAlert cmdlet to create alert policies in the Microsoft Purview compliance portal. Alert policies contain conditions that define the user activities to monitor, and the notification options for email alerts and entries in the Microsoft Purview compliance portal.
+Use the New-ProtectionAlert cmdlet to create alert policies in the Microsoft Purview compliance portal and the Microsoft Defender portal. Alert policies contain conditions that define the user activities to monitor, and the notification options for email alerts and entries.
+
+> [!NOTE]
+> Although the cmdlet is available, you receive the following error if you don't have an enterprise license:
+>
+> _Creating advanced alert policies requires an Office 365 E5 subscription or Office 365 E3 subscription with an Office 365 Threat Intelligence or
+Office 365 EquivioAnalytics add-on subscription for your organization. With your current subscription, only single event alerts can be created._
+>
+> For more information, see [Alert policies in Microsoft 365](https://learn.microsoft.com/purview/alert-policies).
 
 For information about the parameter sets in the Syntax section below, see [Exchange cmdlet syntax](https://learn.microsoft.com/powershell/exchange/exchange-cmdlet-syntax).
 

exchange/exchange-ps/exchange/New-TenantAllowBlockListItems.md

@@ -74,6 +74,15 @@ New-TenantAllowBlockListItems -Allow -ListType Url -ListSubType AdvancedDelivery
 
 This example adds a URL allow entry for the specified third-party phishing simulation URL with no expiration. For more information, see [Configure the advanced delivery policy for third-party phishing simulations and email delivery to SecOps mailboxes](https://learn.microsoft.com/defender-office-365/advanced-delivery-policy-configure).
 
+### Example 4
+```powershell
+New-TenantAllowBlockListItems -Allow -ListType Url -Entries abcd.fabrikam.com -RemoveAfter 45
+```
+
+This example adds a URL allow entry for the specified ___domain with expiration as 45 days after last used date. This allow entry permits URLs identified as bulk, spam, high confidence spam, and phishing (not high confidence phishing).
+
+For URLs identified as malware or high-confidence phishing, you need to submit the URLs Microsoft to create allow entries. For instructions, see [Report good URLs to Microsoft](https://learn.microsoft.com/defender-office-365/submissions-admin#report-good-urls-to-microsoft).
+
 ## PARAMETERS
 
 ### -Entries
@@ -281,6 +290,8 @@ The RemoveAfter parameter enables the **Remove on** \> **45 days after last used
 
 The only valid value for this parameter is 45.
 
+You can use this parameter with the Allow switch when the ListType parameter value is Sender, FileHash, or Url.
+
 You can't use this parameter with the ExpirationDate or NoExpirationDate parameters.
 
 ```yaml

exchange/exchange-ps/exchange/Remove-AuthenticationPolicy.md

@@ -84,7 +84,7 @@ This switch applies to the entire organization. The Identity parameter is requir
 - Apart from the Identity parameter, this switch disregards other authentication policy parameters used in the same command. We recommend running separate commands for other authentication policy changes.
 - It might take up to 24 hours for the change to take effect across your entire organization.
 - Legacy Exchange tokens issued to Outlook add-ins before token blocking was implemented in your organization will remain valid until they expire.
-- Legacy Exchange tokens will eventually be blocked by default in all cloud-based organizations. For more information, see [Nested app authentication and Outlook legacy tokens deprecation FAQ](https://learn.microsoft.com/office/dev/add-ins/outlook/faq-nested-app-auth-outlook-legacy-tokens#what-is-the-timeline-for-shutting-down-legacy-exchange-online-tokens).
+- As of February 17 2025, legacy Exchange tokens are blocked by default in all cloud-based organizations. For more information, see [Nested app authentication and Outlook legacy tokens deprecation FAQ](https://learn.microsoft.com/office/dev/add-ins/outlook/faq-nested-app-auth-outlook-legacy-tokens#what-is-the-timeline-for-shutting-down-legacy-exchange-online-tokens).
 
 ```yaml
 Type: SwitchParameter