Merge branch 'main' into SafeAttach-chrisda

Author: chrisda

exchange/docs-conceptual/app-only-auth-powershell-v2.md

@@ -20,14 +20,25 @@ description: "Learn about using the Exchange Online V2 module in scripts and oth
 # App-only authentication for unattended scripts in the EXO V2 module
 
 > [!NOTE]
-> The features and procedures described in this article require the following versions of the EXO V2 module:
 >
-> - **Exchange Online PowerShell (Connect-ExchangeOnline)**: Version 2.0.3 or later.
-> - **Security & Compliance PowerShell (Connect-IPPSSession)**: Version 2.0.6 Preview5 or later.
+> - The features and procedures described in this article require the following versions of the EXO V2 module:
+>   - **Exchange Online PowerShell (Connect-ExchangeOnline)**: Version 2.0.3 or later.
+>   - **Security & Compliance PowerShell (Connect-IPPSSession)**: Version 2.0.6 Preview5 or later.
 >
-> For instructions on how to install or update the module, see [Install and maintain the EXO V2 module](exchange-online-powershell-v2.md#install-and-maintain-the-exo-v2-module).
+>   For instructions on how to install or update the module on clients or servers, see [Install and maintain the EXO V2 module](exchange-online-powershell-v2.md#install-and-maintain-the-exo-v2-module). For instructions on how to use the module in Azure automation, see [Manage modules in Azure Automation](/azure/automation/shared-resources/modules).
 >
-> You can't use the procedures in this article to modify Microsoft 365 Groups ([Set-UnifiedGroup](/powershell/module/exchange/set-unifiedgroup)). To use Microsoft Graph instead, see [Update group](/graph/api/group-update).
+> - In Exchange Online PowerShell, you can't use the procedures in this article with the following Microsoft 365 Group cmdlets:
+>   - [New-UnifiedGroup](/powershell/module/exchange/new-unifiedgroup)
+>   - [Remove-UnifiedGroup](/powershell/module/exchange/remove-unifiedgroup)
+>   - [Set-UnifiedGroup](/powershell/module/exchange/set-unifiedgroup)
+>   - [Remove-UnifiedGroupLinks](/powershell/module/exchange/remove-unifiedgrouplinks)
+>   - [Add-UnifiedGroupLinks](/powershell/module/exchange/add-unifiedgrouplinks)
+>
+>   You can use Microsoft Graph instead. For more information, see [Working with groups in Microsoft Graph](/graph/api/resources/groups-overview)
+>
+> - In Security & Compliance PowerShell, you can't use the procedures in this article with the following cmdlets:
+>   - [Get-ComplianceCase](/powershell/module/exchange/get-compliancecase)
+>   - [Get-CaseHoldPolicy](/powershell/module/exchange/get-caseholdpolicy)
 
 Auditing and reporting scenarios in Microsoft 365 often involve unattended scripts in Exchange Online PowerShell and Security & Compliance PowerShell. In the past, unattended sign in required you to store the username and password in a local file or in a secret vault that's accessed at run-time. But, as we all know, storing user credentials locally is not a good security practice.
 
@@ -166,7 +177,7 @@ For a detailed visual flow about creating applications in Azure AD, see <https:/
 
    ![Select Manifest on the application properties page.](media/exo-app-only-auth-select-manifest.png)
 
-2. On the **Manifest** page that opens, find the `requiredResourceAccess` entry (on or about line 44).
+2. On the **Manifest** page that opens, find the `requiredResourceAccess` entry (on or about line 47).
 
    Modify the `resourceAppId`, `resourceAccess`, `id`, and `type` values as shown in the following code snippet:
 
@@ -194,6 +205,9 @@ For a detailed visual flow about creating applications in Azure AD, see <https:/
 
    - **API / Permissions name**: Verify the value **Exchange.ManageAsApp** is shown.
 
+     > [!NOTE]
+     > If necessary, search for **Office 365 Exchange** under **APIs my organization uses** on the **Request API Permissions** page.
+
    - **Status**: The current incorrect value is **Not granted for \<Organization\>**, and this value needs to be changed.
 
      ![Original incorrect API permissions.](media/exo-app-only-auth-original-permissions.png)
@@ -276,6 +290,7 @@ Azure AD has more than 50 admin roles available. The supported roles are describ
 |Helpdesk Administrator|![Check mark.](media/checkmark.png)||
 |Security Administrator<sup>\*</sup>|![Check mark.](media/checkmark.png)|![Check mark.](media/checkmark.png)|
 |Security Reader|![Check mark.](media/checkmark.png)|![Check mark.](media/checkmark.png)|
+|Exchange Recipient Administrator|![Check mark.](media/checkmark.png)||
 
 <sup>\*</sup> The Global Administrator and Exchange Administrator roles provide the required permissions for any task in Exchange Online PowerShell. For example:
 

exchange/docs-conceptual/basic-auth-connect-to-eop-powershell.md

@@ -17,7 +17,7 @@ description: "Use remote PowerShell to connect to a standalone Exchange Online P
 # Bssic auth - Connect to Exchange Online Protection PowerShell
 
 > [!NOTE]
-> The connection instructions in this article [will eventually be deprecated](https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-and-exchange-online-july-update/ba-p/1530163) due to the security concerns around Basic authentication. Instead, you should use the Exchange Online PowerShell V2 module (the EXO V2 module) to connect to Exchange Online Protection PowerShell. For instructions, see [Connect to Exchange Online Protection PowerShell](connect-to-exchange-online-protection-powershell.md).
+> The connection instructions in this article [will be deprecated starting on October 1, 2022](https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-deprecation-in-exchange-online-september/ba-p/3609437) due to the security concerns around Basic authentication. Instead, you should use the Exchange Online PowerShell V2 module (the EXO V2 module) to connect to Exchange Online Protection PowerShell. For instructions, see [Connect to Exchange Online Protection PowerShell](connect-to-exchange-online-protection-powershell.md).
 
 In standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, standalone EOP PowerShell allows you to manage your EOP organization from the command line. You use Windows PowerShell on your local computer to create a remote PowerShell session to EOP. It's a simple three-step process where you enter your Microsoft 365 credentials, provide the required connection settings, and then import the EOP cmdlets into your local Windows PowerShell session so that you can use them.
 
@@ -61,7 +61,7 @@ The following introductory video shows you how to connect to and use Exchange On
 
 - WinRM needs to allow Basic authentication (it's enabled by default). We don't send the username and password combination, but the Basic authentication header is required to send the session's OAuth token, since the client-side WinRM implementation has no support for OAuth.
 
-  **Note**: You must temporarily enable WinRM to run the following commands. You can enable it by running the command: `winrm quickconfig`.
+  **Note**: The following commands require that WinRM is enabled. To enable WinRM, run the following command:  `winrm quickconfig`.
 
   To verify that Basic authentication is enabled for WinRM, run this command **in a Command Prompt** (not in Windows PowerShell):
 

exchange/docs-conceptual/basic-auth-connect-to-exo-powershell.md

@@ -20,7 +20,8 @@ description: "Learn how to use remote PowerShell to connect to Exchange Online w
 # Basic auth - Connect to Exchange Online PowerShell
 
 > [!NOTE]
-> The connection instructions in this article [will eventually be deprecated](https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-and-exchange-online-july-update/ba-p/1530163) due to the security concerns around Basic authentication. Instead, you should use the Exchange Online PowerShell V2 module (the EXO V2 module) to connect to Exchange Online PowerShell. For instructions, see [Connect to Exchange Online PowerShell](connect-to-exchange-online-powershell.md).
+> The connection instructions in this article [will be deprecated starting on October 1, 2022](https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-deprecation-in-exchange-online-september/ba-p/3609437) due to the security concerns around Basic authentication. Instead, you should use the Exchange Online PowerShell V2 module (the EXO V2 module) to connect to Exchange Online PowerShell.
+If you're using PowerShell for administration, see [Connect to Exchange Online PowerShell](connect-to-exchange-online-powershell.md). If you're using PowerShell for automation, see [App-only authentication for unattended scripts](app-only-auth-powershell-v2.md).
 
 Exchange Online PowerShell allows you to manage your Exchange Online settings from the command line. You use Windows PowerShell on your local computer to create a remote PowerShell session to Exchange Online. It's a simple three-step process where you enter your Microsoft 365 credentials, provide the required connection settings, and then import the Exchange Online cmdlets into your local Windows PowerShell session so that you can use them.
 
@@ -64,7 +65,7 @@ The following introductory video shows you how to connect to and use Exchange On
 
 - WinRM needs to allow Basic authentication (it's enabled by default). We don't send the username and password combination, but the Basic authentication header is required to send the session's OAuth token, since the client-side WinRM implementation has no support for OAuth.
 
-  **Note**: You must temporarily enable WinRM to run the following commands. You can enable it by running the command: `winrm quickconfig`.
+  **Note**: You The following commands require that WinRM is enabled. To enable WinRM, run the following command:  `winrm quickconfig`.
 
   To verify that Basic authentication is enabled for WinRM, run this command **in a Command Prompt** (not in Windows PowerShell):
 

exchange/docs-conceptual/basic-auth-connect-to-scc-powershell.md

@@ -18,20 +18,18 @@ description: "Learn how to connect to Security & Compliance PowerShell."
 # Basic auth - Connect to Security & Compliance PowerShell
 
 > [!NOTE]
-> The connection instructions in this article [will eventually be deprecated](https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-and-exchange-online-july-update/ba-p/1530163) due to the security concerns around Basic authentication. Instead, you should use the Exchange Online PowerShell V2 module (the EXO V2 module) to connect to Security & Compliance PowerShell. For instructions, see [Connect to Security & Compliance PowerShell](connect-to-scc-powershell.md).
+> The connection instructions in this article [will be deprecated starting on October 1, 2022](https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-deprecation-in-exchange-online-september/ba-p/3609437) due to the security concerns around Basic authentication. Instead, you should use the Exchange Online PowerShell V2 module (the EXO V2 module) to connect to Security & Compliance PowerShell. If you're using PowerShell for administration, see [Connect to Security & Compliance PowerShell](connect-to-scc-powershell.md). If you're using PowerShell for automation, see [App-only authentication for unattended scripts](app-only-auth-powershell-v2.md).
 
 Security & Compliance PowerShell allows you to manage your Microsoft 365 Defender portal and Microsoft Purview compliance portal settings from the command line. You use Windows PowerShell on your local computer to create a remote PowerShell session to Security & Compliance PowerShell. It's a simple three-step process where you enter your Microsoft 365 credentials, provide the required connection settings, and then import the Security & Compliance PowerShell cmdlets into your local Windows PowerShell session so that you can use them.
 
 > [!NOTE]
 > The procedures in this article won't work if:
 >
 > - Your account uses multi-factor authentication (MFA).
->
 > - Your organization uses federated authentication.
->
 > - A location condition in an Azure Active Directory conditional access policy restricts your access to trusted IPs.
 >
-> In these scenarios, you need to download and use the Exchange Online PowerShell V2 module (EXO V2 module) to connect to Security & Compliance PowerShell. For instructions, see [Connect to Security & Compliance PowerShell using the EXO V2 module](connect-to-scc-powershell.md).
+> In these scenarios, you need to download and use the Exchange Online PowerShell V2 module (EXO V2 module) to connect to Security & Compliance PowerShell. For instructions, see [Connect to Security & Compliance PowerShell](connect-to-scc-powershell.md).
 >
 > Some features in the Microsoft 365 Defender portal and Microsoft Purview compliance portal (for example, mailbox archiving) link to existing functionality in Exchange Online. To use PowerShell with these features, you need to connect to Exchange Online PowerShell instead of Security & Compliance PowerShell. For instructions, see [Connect to Exchange Online PowerShell](connect-to-exchange-online-powershell.md).
 
@@ -67,7 +65,7 @@ Security & Compliance PowerShell allows you to manage your Microsoft 365 Defende
 
 - WinRM needs to allow Basic authentication (it's enabled by default). We don't send the username and password combination, but the Basic authentication header is required to send the session's OAuth token, since the client-side WinRM implementation has no support for OAuth.
 
-  **Note** You must temporarily enable WinRM to run the following commands. You can enable it by running the command: `winrm quickconfig`.
+  **Note** The following commands require that WinRM is enabled. To enable WinRM, run the following command:  `winrm quickconfig`.
 
   To verify that Basic authentication is enabled for WinRM, run this command **in a Command Prompt** (not in Windows PowerShell):
 

exchange/docs-conceptual/connect-to-scc-powershell.md

@@ -30,6 +30,9 @@ To use the older Exchange Online Remote PowerShell Module to connect to Security
 
 - The requirements for installing and using the EXO V2 module are described in [Install and maintain the EXO V2 module](exchange-online-powershell-v2.md#install-and-maintain-the-exo-v2-module). The rest of the instructions in the article assume that you've already installed the module.
 
+  > [!NOTE]
+  > Security & Compliance PowerShell still requires Basic authentication in WinRM as described [Prerequisites for the EXO V2 module](exchange-online-powershell-v2.md#turn-on-basic-authentication-in-winrm). REST API cmdlets that allow you to turn off Basic authentication in WinRM are not yet available for the **Connect-IPPSSession** cmdlet. For more information, see [Updates for version 2.0.6](exchange-online-powershell-v2.md#updates-for-version-206).
+
 - After you connect, the cmdlets and parameters that you have or don't have access to is controlled by role-based access control (RBAC). For more information, see [Permissions in the Microsoft 365 Defender portal](/microsoft-365/security/office-365-security/permissions-microsoft-365-security-center) and [Permissions in the Microsoft Purview compliance portal](/microsoft-365/compliance/microsoft-365-compliance-center-permissions).
 
 ## Connect to Exchange Online PowerShell using modern authentication with or without MFA