Merge branch 'main' into 372-chrisda

Author: chrisda

.github/workflows/AutoLabelMsftContributor.yml

@@ -1,3 +1,4 @@
+
 name: Auto label Microsoft contributors
 
 permissions:
@@ -31,4 +32,5 @@ jobs:
           PayloadJson: ${{ needs.download-payload.outputs.WorkflowPayload }}
         secrets:
           AccessToken: ${{ secrets.GITHUB_TOKEN }}
-          TeamReadAccessToken: ${{ secrets.ORG_READTEAMS_TOKEN }}
+          ClientId: ${{ secrets.M365_APP_CLIENT_ID }}
+          PrivateKey: ${{ secrets.M365_APP_PRIVATE_KEY }}

exchange/exchange-ps/exchange/Export-ContentExplorerData.md

@@ -110,8 +110,6 @@ When you use this switch with the TagName, TagType, and Workload parameters, the
 - Exchange Online and Microsoft Teams: The list of UPNs.
 - The count of items in the folders stamped with relevant tag.
 
-
-
 ```yaml
 Type: SwitchParameter
 Parameter Sets: (All)

exchange/exchange-ps/exchange/Get-AuthenticationPolicy.md

@@ -81,10 +81,13 @@ The AllowLegacyExchangeTokens switch specifies whether legacy Exchange tokens ar
 
 Legacy Exchange tokens include Exchange user identity and callback tokens.
 
+This switch also specifies a date and time sometime within the past seven days when an add-in was either allowed or blocked from acquiring a token.
+
 **Important**:
 
-- Currently, the AllowLegacyExchangeTokens switch only specifies whether legacy Exchange tokens are allowed in your organization. For now, disregard the empty Allowed and Blocked arrays returned by the switch.
-- Legacy Exchange tokens will eventually be blocked by default in all cloud-based organizations. For more information, see [Nested app authentication and Outlook legacy tokens deprecation FAQ](https://learn.microsoft.com/office/dev/add-ins/outlook/faq-nested-app-auth-outlook-legacy-tokens#what-is-the-timeline-for-shutting-down-legacy-exchange-online-tokens).
+- An update is being deployed to enable the AllowLegacyExchangeTokens switch to specify any add-in that requested an Exchange token from the last seven days. For more information, see [Get the status of legacy Exchange Online tokens and add-ins that use them](https://learn.microsoft.com/office/dev/add-ins/outlook/turn-exchange-tokens-on-off#get-the-status-of-legacy-exchange-online-tokens-and-add-ins-that-use-them).
+- The AllowLegacyExchangeTokens switch returns `Not Set` if tokens haven't been explicitly allowed or blocked in your organization using the _AllowLegacyExchangeTokens_ or _BlockLegacyExchangeTokens_ parameters on the **Set-AuthenticationPolicy** cmdlet. For more information, see [Get the status of legacy Exchange Online tokens and add-ins that use them](https://learn.microsoft.com/office/dev/add-ins/outlook/turn-exchange-tokens-on-off#get-the-status-of-legacy-exchange-online-tokens-and-add-ins-that-use-them).
+- As of February 17 2025, legacy Exchange tokens are blocked by default in all cloud-based organizations. Although tokens are blocked by default, the AllowLegacyExchangeTokens switch still returns `Not Set` if you haven't used the _AllowLegacyExchangeTokens_ or _BlockLegacyExchangeTokens_ parameters on the **Set-AuthenticationPolicy** cmdlet. For more information, see [Nested app authentication and Outlook legacy tokens deprecation FAQ](https://learn.microsoft.com/office/dev/add-ins/outlook/faq-nested-app-auth-outlook-legacy-tokens#what-is-the-timeline-for-shutting-down-legacy-exchange-online-tokens).
 
 ```yaml
 Type: SwitchParameter

exchange/exchange-ps/exchange/Get-MessageTrackingReport.md

@@ -48,7 +48,9 @@ You need to be assigned permissions before you can run this cmdlet. Although thi
 ```powershell
 $Temp = Search-MessageTrackingReport -Identity "David Jones" -Recipients "[email protected]"
 
-Get-MessageTrackingReport -Identity $Temp.MessageTrackingReportID -ReportTemplate Summary
+foreach ($reportId in $Temp.MessageTrackingReportId) {
+    Get-MessageTrackingReport -Identity $reportId -ReportTemplate Summary -Status Delivered
+}
 ```
 
 This example gets the message tracking report for messages sent from one user to another. This example returns the summary of the message tracking report for a message that David Jones sent to Wendy Richardson.

exchange/exchange-ps/exchange/New-AppRetentionCompliancePolicy.md

@@ -308,6 +308,8 @@ Accept wildcard characters: False
 ```
 
 ### -PolicyRBACScopes
+**Note**: Admin units aren't currently supported, so this parameter isn't functional. The information presented here is for informational purposes when support for admin units is released.
+
 The PolicyRBACScopes parameter specifies the administrative units to assign to the policy. A valid value is the Microsoft Entra ObjectID (GUID value) of the administrative unit. You can specify multiple values separated by commas.
 
 Administrative units are available only in Microsoft Entra ID P1 or P2. You create and manage administrative units in Microsoft Graph PowerShell.

exchange/exchange-ps/exchange/New-AutoSensitivityLabelRule.md

@@ -254,6 +254,10 @@ The ContentContainsSensitiveInformation parameter specifies a condition for the
 
 This parameter uses the basic syntax `@(@{Name="SensitiveInformationType1";[minCount="Value"],@{Name="SensitiveInformationType2";[minCount="Value"],...)`. For example, `@(@{Name="U.S. Social Security Number (SSN)"; minCount="2"},@{Name="Credit Card Number"; minCount="1"; minConfidence="85"})`.
 
+Exact Data Match sensitive information types are supported only groups. For example:
+
+`@(@{operator="And"; groups=@(@{name="Default"; operator="Or"; sensitivetypes=@(@{id="<<EDM SIT Id>>"; name="<<EDM SIT name>>"; maxcount="-1"; classifiertype="ExactMatch"; mincount="100"; confidencelevel="Medium"})})})`
+
 ```yaml
 Type: PswsHashtable[]
 Parameter Sets: (All)

exchange/exchange-ps/exchange/New-ProtectionAlert.md

@@ -14,7 +14,17 @@ ms.reviewer:
 ## SYNOPSIS
 This cmdlet is available only in Security & Compliance PowerShell. For more information, see [Security & Compliance PowerShell](https://learn.microsoft.com/powershell/exchange/scc-powershell).
 
-Use the New-ProtectionAlert cmdlet to create alert policies in the Microsoft Purview compliance portal. Alert policies contain conditions that define the user activities to monitor, and the notification options for email alerts and entries in the Microsoft Purview compliance portal.
+Use the New-ProtectionAlert cmdlet to create alert policies in the Microsoft Purview compliance portal and the Microsoft Defender portal. Alert policies contain conditions that define the user activities to monitor, and the notification options for email alerts and entries.
+
+> [!NOTE]
+> Although the cmdlet is available, you receive the following error if you don't have an enterprise license:
+>
+> _Creating advanced alert policies requires an Office 365 E5 subscription or Office 365 E3 subscription with an Office 365 Threat Intelligence or
+Office 365 EquivioAnalytics add-on subscription for your organization. With your current subscription, only single event alerts can be created._
+>
+> You can bypass this error by specifying `-AggregationType None` and an `-Operation` within the command.
+>
+> For more information, see [Alert policies in Microsoft 365](https://learn.microsoft.com/purview/alert-policies).
 
 For information about the parameter sets in the Syntax section below, see [Exchange cmdlet syntax](https://learn.microsoft.com/powershell/exchange/exchange-cmdlet-syntax).
 

exchange/exchange-ps/exchange/New-RetentionCompliancePolicy.md

@@ -410,6 +410,8 @@ Accept wildcard characters: False
 ```
 
 ### -PolicyRBACScopes
+**Note**: Admin units aren't currently supported, so this parameter isn't functional. The information presented here is for informational purposes when support for admin units is released.
+
 The PolicyRBACScopes parameter specifies the administrative units to assign to the policy. A valid value is the Microsoft Entra ObjectID (GUID value) of the administrative unit. You can specify multiple values separated by commas.
 
 Administrative units are available only in Microsoft Entra ID P1 or P2. You create and manage administrative units in Microsoft Graph PowerShell.

exchange/exchange-ps/exchange/New-TenantAllowBlockListItems.md

@@ -74,6 +74,15 @@ New-TenantAllowBlockListItems -Allow -ListType Url -ListSubType AdvancedDelivery
 
 This example adds a URL allow entry for the specified third-party phishing simulation URL with no expiration. For more information, see [Configure the advanced delivery policy for third-party phishing simulations and email delivery to SecOps mailboxes](https://learn.microsoft.com/defender-office-365/advanced-delivery-policy-configure).
 
+### Example 4
+```powershell
+New-TenantAllowBlockListItems -Allow -ListType Url -Entries abcd.fabrikam.com -RemoveAfter 45
+```
+
+This example adds a URL allow entry for the specified domain with expiration as 45 days after last used date. This allow entry permits URLs identified as bulk, spam, high confidence spam, and phishing (not high confidence phishing).
+
+For URLs identified as malware or high-confidence phishing, you need to submit the URLs Microsoft to create allow entries. For instructions, see [Report good URLs to Microsoft](https://learn.microsoft.com/defender-office-365/submissions-admin#report-good-urls-to-microsoft).
+
 ## PARAMETERS
 
 ### -Entries
@@ -281,6 +290,8 @@ The RemoveAfter parameter enables the **Remove on** \> **45 days after last used
 
 The only valid value for this parameter is 45.
 
+You can use this parameter with the Allow switch when the ListType parameter value is Sender, FileHash, or Url.
+
 You can't use this parameter with the ExpirationDate or NoExpirationDate parameters.
 
 ```yaml

exchange/exchange-ps/exchange/Remove-AuthenticationPolicy.md

@@ -84,7 +84,7 @@ This switch applies to the entire organization. The Identity parameter is requir
 - Apart from the Identity parameter, this switch disregards other authentication policy parameters used in the same command. We recommend running separate commands for other authentication policy changes.
 - It might take up to 24 hours for the change to take effect across your entire organization.
 - Legacy Exchange tokens issued to Outlook add-ins before token blocking was implemented in your organization will remain valid until they expire.
-- Legacy Exchange tokens will eventually be blocked by default in all cloud-based organizations. For more information, see [Nested app authentication and Outlook legacy tokens deprecation FAQ](https://learn.microsoft.com/office/dev/add-ins/outlook/faq-nested-app-auth-outlook-legacy-tokens#what-is-the-timeline-for-shutting-down-legacy-exchange-online-tokens).
+- As of February 17 2025, legacy Exchange tokens are blocked by default in all cloud-based organizations. For more information, see [Nested app authentication and Outlook legacy tokens deprecation FAQ](https://learn.microsoft.com/office/dev/add-ins/outlook/faq-nested-app-auth-outlook-legacy-tokens#what-is-the-timeline-for-shutting-down-legacy-exchange-online-tokens).
 
 ```yaml
 Type: SwitchParameter