Empowering Cybersecurity with Microsoft Purview Data Security Investigations (Preview)


The Data Security Investigations (preview) workflow helps you quickly identify, investigate, and take action on data associated with security and data breach incidents. This workflow isn’t a linear process. Several of the steps require significant iteration to fine-tune searches, evidence gathering, classification, and AI-assisted investigation and activities.

Analysts can use Data Security Investigations (preview) features in your organization to:

  • Quickly and efficiently search, discover, and identify impacted data.
  • Use deep content AI analysis to discover exact data risks hidden in data.
  • Take action to reduce the impact of data security incidents and quickly mitigate ongoing risks.
  • Collaborate with internal and external stakeholders on investigation details.

Check out the following videos to learn about how Data Security Investigations (preview) can help you respond to data security incidents:

DSI builds on and extends Microsoft Purview’s existing best-of-breed Data Security portfolio. Our information protection, data loss prevention, and insider risk management solutions have provided customers with a strong foundation to protect their crown jewels, their data. Data is at the center of cyberattacks, and now DSI will use AI to re-imagine how customers investigate and mitigate data security incidents, accelerating the process dramatically. Most organizations we spoke to (77%) believe that AI will accelerate data security detection and response, and 76% think AI will improve the accuracy of data security detection and response strategies. With its cutting-edge, generative AI-powered investigative capabilities, DSI will transform and scale how data security admins analyze incident-related data. DSI uncovers key security and sensitive data risks and facilitates secure collaboration between partner teams to mitigate those identified risks. This simplifies previously complex, time-consuming tasks – what once took months can now be done in a fraction of the time.

Read more:
Get started with Data Security Investigations (preview)
Learn about Data Security Investigations (preview)

Remove-DkimSigningConfig cmdlet now available to tenant admins


To improve self-service capabilities and reduce support dependency, Microsoft has made the Remove-DkimSigningConfig cmdlet available to tenant administrators. This cmdlet enables admins to remove obsolete DomainKeys Identified Mail (DKIM) signing configurations directly from Exchange Online PowerShell, helping clean up configurations when domains are removed from a tenant.

When this will happen
This feature is already enabled worldwide, including in special clouds.

How this affects your organization

Who is affected: Tenant administrators managing DKIM configurations in Exchange Online with either the Transport Hygiene management role or the Security Administrator role in Entra ID.

What will happen:

  • Admins can now run Remove-DkimSigningConfig directly using Exchange Online PowerShell (requires ExO v3.7 module).
  • No escalation to Microsoft support is needed for DKIM cleanup.
  • Obsolete DKIM configurations for removed domains can be self-managed.
  • The cmdlet is available by default for eligible roles.
  • This cmdlet does not replace any existing tools or processes; it introduces a new capability for tenant admins to manage DKIM cleanup independently.

What you can do to prepare

  • Ensure you have the required role (Transport Hygiene or Security Administrator).
  • Upgrade to Exchange Online PowerShell module v3.7.
  • Use Connect-ExchangeOnline and run Remove-DkimSigningConfig as needed.
  • Update internal documentation for DKIM management procedures.
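The cleanup described above, as an added example (not part of the Microsoft announcement): it compares the tenant’s DKIM signing configurations against its accepted domains and removes the ones whose domain no longer exists. The "obsolete = not an accepted domain" rule and the script parameters are my own assumptions; run with -WhatIf first.

```powershell
# Added example: remove DKIM signing configurations for domains that are no longer
# accepted domains in the tenant. Requires Exchange Online PowerShell v3.7+ and the
# Transport Hygiene or Security Administrator role.
param(
    [Parameter(Mandatory)][string]$AdminUpn,   # assumption: admin account to sign in with
    [switch]$WhatIf                            # preview only, change nothing
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

# Build a lookup of domains that still exist in the tenant.
$accepted = @{}
Get-AcceptedDomain | ForEach-Object { $accepted["$($_.DomainName)".ToLower()] = $true }

# A DKIM config whose domain is not an accepted domain any more is obsolete (assumption).
$obsolete = Get-DkimSigningConfig | Where-Object {
    -not $accepted.ContainsKey("$($_.Domain)".ToLower())
}

if (-not $obsolete) {
    Write-Host "No obsolete DKIM signing configurations found."
} else {
    foreach ($cfg in $obsolete) {
        Write-Host ("Removing DKIM signing config for removed domain {0} (Enabled={1})" -f $cfg.Domain, $cfg.Enabled)
        # -WhatIf reports what would be removed without touching the configuration.
        Remove-DkimSigningConfig -Identity "$($cfg.Domain)" -Confirm:$false -WhatIf:$WhatIf
    }
}

Disconnect-ExchangeOnline -Confirm:$false
```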

Learn more: 

Compliance considerations
No compliance considerations identified; review as appropriate for your organization.

Set an expiration date for email encrypted by Microsoft Purview


When you apply your company brand to customize the look of your organization’s email messages, you can also specify an expiration for these email messages. With Microsoft Purview Advanced Message Encryption, you can create multiple templates for encrypted emails that originate from your organization. Using a template, you can control how long recipients have access to mail sent by your users.

When an end user receives mail that has an expiration date set, the user sees the expiration date in the wrapper email. If a user tries to open an expired mail, an error appears in the OME portal.

You can only set expiration dates for emails to external recipients.

With Microsoft Purview Advanced Message Encryption, anytime you apply custom branding, Microsoft 365 applies the wrapper to email that fits the mail flow rule to which you apply the template. You can only use expiration if you use custom branding.

Prerequisites:

  • Microsoft 365 E5 subscription
  • Compliance Administrator permissions

How to create a custom branding template to force mail expiration by using PowerShell

  1. Using a work or school account that has sufficient permissions in your organization, such as Compliance Administrator, start a Windows PowerShell session and connect to Exchange Online. For instructions, see Connect to Exchange Online PowerShell.
  2. Run the New-OMEConfiguration cmdlet.

Where:

  • Identity is the name of the custom template.
  • ExternalMailExpiryInDays identifies the number of days that recipients can keep mail before it expires. You can use any value between 1–730 days.
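The procedure above carried through, as an added example (not code from the Microsoft article): it creates a branded template that expires external mail after 7 days and attaches it to a mail flow rule for external recipients. It assumes Connect-ExchangeOnline has already run with Compliance Administrator permissions; the template and rule names are mine, and the mail flow rule parameters are my assumption of how the template is applied.

```powershell
# Added example: custom branding template with an expiration, applied through a mail flow rule.
$templateName = "Expire external mail in 7 days"   # assumption: Identity of the custom template
$expiryDays   = 7                                  # any value from 1 to 730

# Create the template only if it does not exist yet (Get-OMEConfiguration errors on unknown names).
if (-not (Get-OMEConfiguration -Identity $templateName -ErrorAction SilentlyContinue)) {
    New-OMEConfiguration -Identity $templateName -ExternalMailExpiryInDays $expiryDays
}

# Expiration only applies to mail that a rule routes through the branded template, and only for
# external recipients, so scope the rule to mail leaving the organization.
# Assumption: "Encrypt" is the built-in OME template; the customization template carries the branding.
if (-not (Get-TransportRule -Identity "Apply expiring OME template" -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name "Apply expiring OME template" `
        -SentToScope NotInOrganization `
        -ApplyRightsProtectionTemplate "Encrypt" `
        -ApplyRightsProtectionCustomizationTemplate $templateName
}

# Verify the expiration that recipients will see in the wrapper email.
Get-OMEConfiguration -Identity $templateName | Format-List Identity, ExternalMailExpiryInDays
```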

More information about Microsoft Purview Advanced Message Encryption

Microsoft Defender: Updates to Export Quarantine Message cmdlet


Microsoft Defender is updating the Export-QuarantineMessage cmdlet to include a new -PasswordV2 parameter for plain text passwords, replacing the old -Password parameter. Microsoft offers the -PasswordV2 parameter as a new experience that allows admins and users to pass plain text for their passwords when exporting quarantined items with the PowerShell cmdlet. Admins and users should use the -PasswordV2 parameter, because using the previous -Password parameter may cause errors and -Password won’t be available in the longer term.

For files that were quarantined by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams, the files are exported in Base64 format.

Use the Export-QuarantineMessage cmdlet to export quarantined messages and files from your cloud-based organization. Messages are exported to .eml message files so you can open them in Outlook.

PowerShell:

# Export the quarantined message and its attachments by identity; the Eml property holds the message as Base64.
$f = Export-QuarantineMessage -Identity 9c6bb3e8-db9e-4823-9759-08d594179bd3\7fec89fe-41b0-ae67-4887-5bede017d111
# Decode the Base64 Eml property into raw bytes.
$bytes = [Convert]::FromBase64String($f.eml)
# Write the bytes to an .eml file that can be opened in Outlook.
[IO.File]::WriteAllBytes("C:\My Documents\Quarantined Message with Attachments.eml", $bytes)

This example exports the specified message with attachments that was quarantined as malware:

  • The first command exports the quarantined message and attachments to the variable $f. The message and attachments are stored in the Eml property (the $f.eml value) as Base64 (based on the $f.BodyEncoding value).
  • The second command converts the Eml property from Base64 to bytes and stores the result in the variable $bytes.
  • The third command writes the quarantined message and attachments to the specified .eml file.

MAJOR UPDATE: Upcoming Changes for M365 Copilot Chat with Link Safety


Microsoft is announcing some important updates to M365 Copilot Chat that will enhance security and the user experience:

  1. Integration with SafeLinks:
    • M365 Copilot Chat will integrate with SafeLinks in Defender for Office 365 to provide time-of-click URL protection for the hyperlinks included in its chat responses. 
    • This change applies to users with Microsoft Defender for Office 365 Plan 1 or Plan 2 service plans. No policy configuration is needed within the SafeLinks policy.
    • Within Microsoft Defender for Office 365 Security Center, URL protection report will show the relevant summary and trend views for threats detected and actions taken on URL clicks.
  2. Native Time-of-Click URL Reputation Check:
    • For users without SafeLinks protection (which is available as part of Microsoft Defender for Office 365), M365 Copilot Chat will natively enable time-of-click URL reputation check for the hyperlinks returned in its chat responses. 
  3. Hyperlink Redaction Changes:
    • M365 Copilot Chat will no longer redact hyperlinks in its chat responses if they are found in the grounding data used to generate the responses.

When this will happen:

General Availability (Worldwide): We will begin rolling out in late March 2025 and expect to complete by late May 2025.

Rollout will start on desktop and web and will complete with mobile versions. We plan to extend these updates to Copilot Chat experiences in Office apps in the future.

How this will affect your organization:

These updates are designed to enhance the security of the links included in M365 Copilot Chat response, ensuring that users are protected from malicious URLs.

What you need to do to prepare:

You may consider updating your training and documentation as appropriate to ensure users are aware of the change in behavior with hyperlinks in M365 Copilot Chat.

The way to control EWS usage in Exchange Online is changing


In 2018, Microsoft announced that it would no longer make feature updates to Exchange Web Services (EWS) in Exchange Online, and advised developers to move to Microsoft Graph.

In 2023, Microsoft announced that on October 1, 2026, they will start blocking EWS requests to Exchange Online.

Today, as part of Microsoft’s ongoing commitment to enhance the security and control mechanisms of Exchange Web Services (EWS), Microsoft is announcing a significant change in the behavior of the EWSEnabled tenant-wide switch in Exchange Online. This modification provides a more robust framework for managing EWS access within organizations, ensuring both flexibility and security, and is necessary as Microsoft continues to work on its plan to disable EWS starting October 2026.

Current Behavior

The EWSEnabled flag can be set at both the tenant (organization) level and the user (mailbox) level. Currently, when the flag is set to true at the user level, it takes precedence over the organization-level setting. If the setting is Null, it means the setting is not enforced at that level. If Org and user-level are both Null, the default behavior is to allow. This hierarchical structure means that if the organization-level flag is set to false, but the user-level flag is set to true, EWS requests from that user are still allowed. In other words:

Organization Level | User Level      | EWS Requests
-------------------|-----------------|-------------
True or <null>     | True or <null>  | Allowed
True or <null>     | False           | Not Allowed
False              | True            | Allowed
False              | False or <null> | Not Allowed

This approach has led to inconsistencies and security concerns. It can be challenging for administrators to ensure uniform policy enforcement across their organization, particularly in large and complex environments.

New Behavior

To address these issues, we are altering the behavior so that EWS will only be allowed if both the organization-level and user-level EWSEnabled flags are true. Here’s a simplified view of the new logic:

Organization Level | User Level      | EWS Requests
-------------------|-----------------|-------------
True or <null>     | True or <null>  | Allowed
True or <null>     | False           | Not Allowed
False              | True or <null>  | Not Allowed
False              | False           | Not Allowed

In short, EWS will be permitted only if both the organization and user-level allow it. This change ensures that administrators have better control over EWS access and can enforce policies more consistently across their entire organization.

This change will roll out worldwide starting April 2025.

Tenant-level setting

The first thing to check is your tenant setting. To do this, simply run this command in Exchange Online PowerShell:

Get-OrganizationConfig | fl EWSEnabled
EwsEnabled :

If the EWSEnabled flag is empty (the default) or set to True, this change won’t affect you, but we still advise you to read the per-user settings information below to make sure it matches your expected settings.

If your EWSEnabled flag is set to False, you might see some impact when we enforce this new logic change on your tenant unless you take action now. We encourage you to review the section below to ensure your per-user settings reflect your desired state for who can and cannot use EWS, and then proactively change the tenant-wide switch to True to ensure uninterrupted access for users and apps.

User-level setting

As discussed earlier, even if your tenant-wide EWSEnabled switch has been set to False, it’s currently still possible to use EWS if the per-user setting is set to True (the default setting for every mailbox).

To check if EWS is Enabled or Disabled for a specific mailbox, you can run:

Get-CASMailbox User1 | fl EWSEnabled
EwsEnabled : True
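The two tables above turned into a check you can run before the rollout, as an added example (not from the Exchange Team post): Test-EwsAllowed models the current and the new evaluation of the org-level and user-level flags, and Get-EwsImpactReport lists every mailbox that is allowed today but would be blocked under the new "both must allow" logic. It assumes Connect-ExchangeOnline has already run; the function names are mine.

```powershell
# Added example: model the current vs. new EWSEnabled logic and find mailboxes that lose access.
function Test-EwsAllowed {
    param(
        [AllowNull()][Nullable[bool]]$OrgEnabled,    # tenant-level flag, $null = not enforced
        [AllowNull()][Nullable[bool]]$UserEnabled,   # mailbox-level flag, $null = not enforced
        [switch]$NewLogic                            # evaluate with the post-April-2025 rule
    )
    if ($NewLogic) {
        # New behavior: both levels must permit EWS; <null> counts as permitted, False at either level blocks.
        return (($OrgEnabled -ne $false) -and ($UserEnabled -ne $false))
    }
    # Current behavior: an explicit user-level value overrides the org-level value.
    if ($null -ne $UserEnabled) { return [bool]$UserEnabled }
    return ($OrgEnabled -ne $false)
}

function Get-EwsImpactReport {
    # Tenant-level flag as shown by Get-OrganizationConfig | fl EWSEnabled
    $org = (Get-OrganizationConfig).EwsEnabled
    Get-CASMailbox -ResultSize Unlimited | ForEach-Object {
        $now   = Test-EwsAllowed -OrgEnabled $org -UserEnabled $_.EwsEnabled
        $later = Test-EwsAllowed -OrgEnabled $org -UserEnabled $_.EwsEnabled -NewLogic
        [pscustomobject]@{
            Mailbox        = $_.PrimarySmtpAddress
            OrgEwsEnabled  = $org
            UserEwsEnabled = $_.EwsEnabled
            AllowedNow     = $now
            AllowedAfter   = $later
            LosesAccess    = ($now -and -not $later)   # only possible when the org flag is False
        }
    }
}

# Mailboxes that work today but will be blocked once the new logic is enforced.
Get-EwsImpactReport | Where-Object LosesAccess | Format-Table -AutoSize

# Remediation described above: first set per-user flags to the desired state, then flip the
# tenant-wide switch to True so the "both must allow" rule does not cut everyone off.
# Set-CASMailbox -Identity user@contoso.com -EwsEnabled $false   # block one mailbox (placeholder address)
# Set-OrganizationConfig -EwsEnabled $true                         # allow at the tenant level
```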

Microsoft introduces scareware blocker! Now available in preview in Microsoft Edge


The Scareware Blocker is a new feature in Microsoft Edge designed to protect users from tech support scams, often referred to as scareware. These scams use aggressive web pages to trick users into thinking their system is infected with malware, pressuring them to call fake tech support numbers. Scareware blocker uses a machine learning model to recognize the tell-tale signs of scareware scams and put users back in control of their computer.

Here’s how it works:

  • Machine Learning: It uses a machine learning model to detect and block scareware sites.
  • User Control: When a suspicious site is detected, Edge blocks it and shows a warning message, giving users the option to close the page or proceed if they believe it’s safe.

“Scareware” scams are a particularly convincing type of tech support scam. They use aggressive web pages to convince victims into thinking their system is infected with malware, pressure them to call a fake tech support number, and try to gain access to the computer. Last year, Hollywood even made a blockbuster action movie with scareware scammers as the villains.

To enable Scareware Blocker in Microsoft Edge:

  1. Open Edge and click on the three-dot menu in the toolbar.
  2. Select Settings.
  3. Navigate to Privacy, search, and services.
  4. Find the Scareware Blocker option and toggle it on.

When scareware blocker suspects a page is a scam, Edge will put users back in control by exiting full screen mode, stopping aggressive audio playback, warning the user, and showing a thumbnail of the page they were just viewing:

Scareware blocker fights tech scams – Video Tutorial

Security for Microsoft 365 Copilot


Microsoft 365 Copilot is a sophisticated processing and orchestration engine that provides AI-powered productivity capabilities by coordinating the following components:

  • Large language models (LLMs)
  • Content in Microsoft Graph, such as emails, chats, and documents that you have permission to access.
  • The Microsoft 365 productivity apps that you use every day, such as Word and PowerPoint.

How does Microsoft 365 Copilot use your proprietary organizational data?

Microsoft 365 Copilot provides value by connecting LLMs to your organizational data. Microsoft 365 Copilot accesses content and context through Microsoft Graph. It can generate responses anchored in your organizational data, such as user documents, emails, calendar, chats, meetings, and contacts. Microsoft 365 Copilot combines this content with the user’s working context, such as the meeting a user is in now, the email exchanges the user had on a topic, or the chat conversations the user had last week. Microsoft 365 Copilot uses this combination of content and context to help provide accurate, relevant, and contextual responses.

Microsoft 365 Copilot only surfaces organizational data to which individual users have at least view permissions. It’s important that you’re using the permission models available in Microsoft 365 services, such as SharePoint, to help ensure the right users or groups have the right access to the right content within your organization. This includes permissions you give to users outside your organization through inter-tenant collaboration solutions, such as shared channels in Microsoft Teams.

When you enter prompts using Microsoft 365 Copilot, the information contained within your prompts, the data they retrieve, and the generated responses remain within the Microsoft 365 service boundary, in keeping with our current privacy, security, and compliance commitments. Microsoft 365 Copilot uses Azure OpenAI services for processing, not OpenAI’s publicly available services. Azure OpenAI doesn’t cache customer content and Copilot modified prompts for Microsoft 365 Copilot.

Data stored about user interactions with Microsoft 365 Copilot

When a user interacts with Microsoft 365 Copilot (using apps such as Word, PowerPoint, Excel, OneNote, Loop, or Whiteboard), we store data about these interactions. The stored data includes the user’s prompt and Copilot’s response, including citations to any information used to ground Copilot’s response. We refer to the user’s prompt and Copilot’s response to that prompt as the “content of interactions” and the record of those interactions is the user’s Copilot activity history. For example, this stored data provides users with Copilot activity history in Microsoft 365 Copilot Chat (previously named Business Chat) and meetings in Microsoft Teams. This data is processed and stored in alignment with contractual commitments with your organization’s other content in Microsoft 365. The data is encrypted while it’s stored and isn’t used to train foundation LLMs, including those used by Microsoft 365 Copilot.

To view and manage this stored data, admins can use Content search or Microsoft Purview. Admins can also use Microsoft Purview to set retention policies for the data related to chat interactions with Copilot. For Microsoft Teams chats with Copilot, admins can also use Microsoft Teams Export APIs to view the stored data.

Deleting the history of user interactions with Microsoft 365 Copilot

Your users can delete their Copilot activity history, which includes their prompts and the responses Copilot returns, by going to the My Account portal. For more information, see Delete your Microsoft 365 Copilot activity history.

Microsoft 365 Copilot and the EU Data Boundary

Microsoft 365 Copilot calls to the LLM are routed to the closest data centers in the region, but also can call into other regions where capacity is available during high utilization periods.

For European Union (EU) users, we have additional safeguards to comply with the EU Data Boundary. EU traffic stays within the EU Data Boundary while worldwide traffic can be sent to the EU and other countries or regions for LLM processing. The EU Data Boundary is a geographically defined boundary within which Microsoft has committed to store and process Customer Data and personal data for our Microsoft enterprise online services, including Azure, Dynamics 365, Power Platform, and Microsoft 365, subject to limited circumstances where Customer Data and personal data will continue to be transferred outside the EU Data Boundary.

How does Microsoft 365 Copilot protect organizational data?

The permissions model within your Microsoft 365 tenant can help ensure that data won’t unintentionally leak between users, groups, and tenants. Microsoft 365 Copilot presents only data that each individual can access using the same underlying controls for data access used in other Microsoft 365 services. Semantic Index honors the user identity-based access boundary so that the grounding process only accesses content that the current user is authorized to access.

Copilot works together with your Microsoft Purview sensitivity labels and encryption to provide an extra layer of protection. The following diagram provides a visual representation of how Copilot honors your information protection controls using sensitivity labels and encryption.

Copilot will only work with your M365 tenant data and won’t be able to access other companies’ data. Plus, your data doesn’t train the AI for other companies to leverage.

Multi-tenant organization capabilities now available in Microsoft 365


On the 25th of April, Microsoft announced a robust set of multi-tenant organization (MTO) capabilities within Microsoft 365, now generally available to enhance any organization’s collaboration, communication, and administration across multiple tenants. These capabilities span Microsoft 365 People Search, Microsoft Teams, Viva Engage and Microsoft Defender XDR, which can be enabled via the Microsoft 365 admin center or Microsoft Entra admin center.   

This segmentation can cause frustration when users need to communicate and collaborate across tenant boundaries, whilst IT admins need to perform the same set of administrative tasks per tenant to maintain their organization.  

A diagram showing multiple tenants within a single organization.

The capabilities we discuss below help multi-tenant organizations address these complexities, while staying compliant and secure:   

  • Find people across organizations easily: Search for and communicate with colleagues in a unified manner with improved people search. Every search now returns a single, accurate result, simplifying how you connect with the right colleague. 
  • Streamlined workforce collaboration: Engage in calls, chats, and meetings across tenants without the barriers of meeting lobbies. Enjoy immediate access to meeting content and collaborative tools in real time.  
  • Unlock new ways for employees and leaders to connect: We’ve broadened the capabilities in Viva Engage, facilitating cross-tenant announcements and enabling community interaction and campaign participation that extend beyond tenant boundaries.   
  • Manage incidents across tenants: Microsoft Defender XDR provides a single, unified view of all tenants your organization manages, allowing for swift incident investigation and advanced threat hunting without the need to switch between tenant views.   
  • Simplify multi-tenant management: The newly defined multi-tenant organization boundary in Microsoft Entra ID P1 simplifies the enablement, configuration and management of the capabilities above. Whether through Microsoft Graph APIs or the Microsoft 365 Admin Center, setting up is intuitive and straightforward.   

 Find people across organizations easily with People Search 

The multi-tenant organization (MTO) People Search is a collaboration feature that enables search and discovery of people across multiple tenants. A tenant admin can enable cross-tenant synchronization that allows users to be synced to another tenant and be discoverable in its global address list. Once enabled, users can search and discover synced user profiles from the other tenant and view their corresponding people cards. 

An image showing a synchronized user profile from another tenant in Microsoft 365

Streamline workforce collaboration with Microsoft Teams 

Once administrators form a multi-tenant organization in the Entra ID platform, organizations with the new Teams desktop client will automatically receive the Teams MTO features with no additional configuration.
Users can now join a meeting, chat, call, or collaborate in a channel hosted by another tenant, and simultaneously compose chat messages in their own tenant. Users can receive cross-tenant notifications for all accounts and tenants added to the Teams client, no matter which one is currently in focus. 
People search is also improved. Searches for coworkers in a multi-tenant organization could often return multiple results for the same person. With the new MTO capabilities in the new Teams client, searching for a coworker in an MTO will return a single result, helping you to identify the correct colleague and keep your conversations in one place.

The new Teams desktop client showing improved people search capability on the right hand side
Users that join a meeting in another tenant can now bypass the meeting lobby, have access to all in-meeting content and resources and can collaborate in real time.  

Manage incidents across tenants with Microsoft Defender XDR 

Security operations teams that work with multiple tenants need a reliable and comprehensive security solution that can keep up with modern threats and provide a unified and connected experience to enhance their security operations. Microsoft Defender XDR now delivers a unified investigation and response experience for multi-tenant organizations alongside native protection across endpoints, identities, email, collaboration tools, cloud apps, and data.

With multi-tenant management in Microsoft Defender XDR, security operations teams can quickly investigate incidents and perform advanced hunting across data from multiple tenants, removing the need for administrators to log in and out of each individual tenant.

Enable Microsoft 365 multi-tenant capabilities with Microsoft Entra ID 

Multi-tenant organization platform capabilities are now rolling out to standard production tenants in Microsoft 365. To deliver the above capabilities, administrators can enable multi-tenant capabilities in the Microsoft 365 admin center and configure which users in the organization can take advantage of multi-tenant capabilities using either Microsoft 365 admin center or Microsoft Entra admin center.  

This approach allows you to define a boundary around the Entra ID tenants that your organization owns, facilitated by an invite-and-accept flow between tenant administrators. Learn more about the process in the Microsoft 365 admin center here and using Microsoft Graph APIs here. We recommend the use of the Microsoft 365 admin center to simplify the setup experience and to view your newly created MTO:

Snapshot of a multitenant organization collaboration with three tenants.

Following the formation of the multi-tenant organization, Microsoft offers two methods to provision employees into neighboring multi-tenant organization tenants at scale. 

  • For a simplified experience, stay in the Microsoft 365 admin center to sync users into multiple tenants in your multi-tenant organization. Microsoft recommends this method for smaller multi-tenant organizations that plan on all employees receiving access to all multi-tenant organization tenants.
  • For a customizable sync experience, head over to Entra ID cross-tenant synchronization. Cross-tenant synchronization is highly configurable and allows the provisioning of any multi-hub multi-spoke identity landscape. We recommend this method for enterprise organizations of complex identity landscapes. Either method works. Choose the one that works best for your specific organization! 

Stay tuned…