Microsoft Entra Backup and Recovery entered preview on March 19, 2026, bringing native rollback for users, groups, Conditional Access policies, and other critical directory objects. After testing a real recovery against a cloud-only user with a single attribute change, the restore itself took seconds. The difference report that preceded it took over an hour. This article explains why that timing is expected, what the five-day retention window actually means for your recovery posture, and where the feature falls short of being a complete answer.
Microsoft patched CVE-2026-26133 on March 11, 2026 — a cross-prompt injection vulnerability in Copilot’s email and Teams summarization that let attackers shape what your AI told you, without a single attachment or macro. The specific exploit is closed. But the attack exposed something a patch alone cannot fix: Copilot trusts the content it reads, and in a misconfigured tenant, that trust is a liability. Here is what happened, why it matters beyond the CVE, and what admins should actually do about it.
Microsoft has announced a significant change in how new Accepted Domains in Exchange Online are provisioned with MX records. Between early and late July 2026 (previously February), MS will gradually switch provisioning of all A records for new Accepted Domains into the new subdomains under mx.microsoft. *.mx.microsoft At first glance, this may look like a …
Still running with legacy join settings? Attackers love it. Learn the modern model: MAQ=0, OU-scoped delegation (not SeMachineAccountPrivilege), DC allow-list for account reuse, and a guarded Staging OU before production. Bonus: Offline Domain Join for segmented OT sites.
Microsoft just introduced cloud-managed remote mailboxes for directory-synced users. In plain English: you can manage Exchange attributes for synced mailboxes directly in Exchange Online without keeping an on-prem Exchange server for recipient admin. This post explains what that means for your business, the most valuable use cases, when not to enable it, and a 7-step pilot you can run this week. If “the last Exchange server” has been blocking your roadmap, this is the feature that finally moves you past it.
EWS in Microsoft 365: Why You Must Act Now As Microsoft 365 continues to evolve, one of the most impactful changes underway is the retirement of Exchange Web Services (EWS) in Exchange Online. While EWS has served as a core integration protocol for over a decade, Microsoft has made it clear: EWS is on the …
Attackers rarely miss an opportunity to twist a convenient feature into a phishing tool. Exchange Online’s Direct Send is the latest example: security researchers have documented campaigns that drop fake “internal” messages straight into corporate inboxes-no credentials required. Headlines warn that these messages “bypass SPF, DKIM and DMARC,” leaving IT teams wondering whether the standard …
Starting July 1, 2025, Microsoft will invalidate all legacy external sharing links in SharePoint and OneDrive that were created before your organization enabled Microsoft Entra B2B integration. That means anyone who accessed your content using an old OTP (one-time passcode) link is going to see an error instead. This isn’t just a security patch. It’s …
A Modern SMTP Relay for Post-Exchange Environments As more organizations retire their last on-premises Exchange server, and as Microsoft Defender for Office 365 introduces more aggressive email throttling, many customers are facing the challenge of finding a new reliable SMTP relay. Azure Communication Services (ACS) with Email capabilities is emerging as a modern, scalable alternative. …
Microsoft will retire legacy multifactor authentication (MFA) and self-service password reset (SSPR) policies on September 30, 2025. Organizations must switch to the unified Authentication Methods policy in Microsoft Entra ID before this date. This guide explains how to: Understanding Legacy Authentication Methods Legacy methods include MFA and SSPR policies managed separately in Microsoft Entra ID. …
