MicrosoftDocs
diff --git a/‎.openpublishing.redirection.json‎
Lines changed: 10 additions & 0 deletions b/‎.openpublishing.redirection.json‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎exchange/docs-conceptual/disable-access-to-exchange-online-powershell.md‎
Lines changed: 9 additions & 6 deletions b/‎exchange/docs-conceptual/disable-access-to-exchange-online-powershell.md‎
Lines changed: 9 additions & 6 deletions
diff --git a/‎exchange/docs-conceptual/recipient-filters.md‎
Lines changed: 1 addition & 1 deletion b/‎exchange/docs-conceptual/recipient-filters.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎exchange/docs-conceptual/recipientfilter-properties.md‎
Lines changed: 1 addition & 1 deletion b/‎exchange/docs-conceptual/recipientfilter-properties.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎exchange/exchange-ps/exchange/Add-VivaModuleFeaturePolicy.md‎
Lines changed: 5 additions & 5 deletions b/‎exchange/exchange-ps/exchange/Add-VivaModuleFeaturePolicy.md‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎exchange/exchange-ps/exchange/Export-ContentExplorerData.md‎
Lines changed: 57 additions & 24 deletions b/‎exchange/exchange-ps/exchange/Export-ContentExplorerData.md‎
Lines changed: 57 additions & 24 deletions
diff --git a/‎exchange/exchange-ps/exchange/Get-App.md‎
Lines changed: 1 addition & 1 deletion b/‎exchange/exchange-ps/exchange/Get-App.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎exchange/exchange-ps/exchange/Get-AuthenticationPolicy.md‎
Lines changed: 33 additions & 0 deletions b/‎exchange/exchange-ps/exchange/Get-AuthenticationPolicy.md‎
Lines changed: 33 additions & 0 deletions
diff --git a/‎exchange/exchange-ps/exchange/Get-ClientAccessRule.md‎
Lines changed: 1 addition & 1 deletion b/‎exchange/exchange-ps/exchange/Get-ClientAccessRule.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎exchange/exchange-ps/exchange/Get-ComplianceTag.md‎
Lines changed: 17 additions & 0 deletions b/‎exchange/exchange-ps/exchange/Get-ComplianceTag.md‎
Lines changed: 17 additions & 0 deletions
@@ -7133,6 +7133,16 @@
       "redirect_url": "/exchange/exchange-hybrid",
       "redirect_document_id": false
     },
+    {
+      "source_path": "exchange/virtual-folder/exchange/Get-PhishSimOverrideRule.md",
+      "redirect_url": "/powershell/module/exchange/get-exophishsimoverriderule",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "exchange/virtual-folder/exchange/Get-SecOpsOverrideRule.md",
+      "redirect_url": "/powershell/module/exchange/get-exosecopsoverriderule",
+      "redirect_document_id": false
+    },
     {
       "source_path": "skype/virtual-folder/skype/Disable-CsOnlineSipDomain.md",
       "redirect_url": "/powershell/module/teams/Disable-CsOnlineSipDomain",
 
@@ -3,7 +3,7 @@ title: "Enable or disable access to Exchange Online PowerShell"
 ms.author: chrisda
 author: chrisda
 manager: deniseb
-ms.date: 5/16/2024
+ms.date: 12/11/2024
 ms.audience: Admin
 audience: Admin
 ms.topic: article
@@ -18,7 +18,7 @@ description: "Admins can learn how to disable or enable access to Exchange Onlin
 
 Exchange Online PowerShell is the administrative interface that enables admins to manage the Exchange Online part of a Microsoft 365 organization from the command line (including many security features in Exchange Online Protection and Microsoft Defender for Office 365).
 
-By default, all accounts in Microsoft 365 are allowed to use Exchange Online PowerShell. This access doesn't give users administrative capabilities in an organization. They're still limited by [role based access control (RBAC)](/exchange/permissions-exo/permissions-exo) (for example, they can configure settings on their own mailbox or manage distribution groups that they own, but not much else).
+By default, all accounts in Microsoft 365 are allowed to use Exchange Online PowerShell. This access doesn't give users administrative capabilities. They're still limited by [role based access control (RBAC)](/exchange/permissions-exo/permissions-exo). For example, they can configure some settings on their own mailbox and manage distribution groups that they own, but not much else.
 
 Admins can use the procedures in this article to disable or enable a user's ability to connect to Exchange Online PowerShell.
 
@@ -33,7 +33,7 @@ Admins can use the procedures in this article to disable or enable a user's abil
   - [Microsoft Entra RBAC](/microsoft-365/admin/add-users/about-admin-roles): Membership in the **Exchange Administrator** or **Global Administrator**<sup>\*</sup> roles gives users the required permissions *and* permissions for other features in Microsoft 365.
 
   > [!IMPORTANT]
-  > In your haste to quickly and globally disable PowerShell access in your cloud-based organization, beware of commands like `Get-User | Set-User -EXOModuleEnabled $false` without considering admin accounts. Use the procedures in this article to selectively remove PowerShell access, or preserve access for those who need it by using the following syntax in your global removal command: `Get-User | Where-Object {$_.UserPrincipalName -ne '[email protected]' -and $_.UserPrincipalName -ne '[email protected]'...} | Set-User -EXOModuleEnabled $false`.
+  > In your haste to quickly and globally disable PowerShell access in your cloud-based organization, beware of commands like `Get-User | Set-User -EXOModuleEnabled $false` without considering admin accounts. Use the procedures in this article to **selectively** remove PowerShell access, or **preserve access for those who need it** by using the following syntax in your global removal command: `Get-User | Where-Object {$_.UserPrincipalName -ne '[email protected]' -and $_.UserPrincipalName -ne '[email protected]'...} | Set-User -EXOModuleEnabled $false`.
   >
   > If you accidentally lock yourself out of PowerShell access, create a new admin account in the Microsoft 365 admin center, and then use that account to give yourself PowerShell access using the procedures in this article.
   >
@@ -62,7 +62,7 @@ Set-User -Identity [email protected] -EXOModuleEnabled $true
 
 To prevent access to Exchange Online PowerShell for a specific group of existing users, you have the following options:
 
-- **Filter users based on an existing attribute**: This method assumes that the target user accounts all share a unique filterable attribute. Some attributes, such as Title, Department, address information, and telephone number, are available only from the **Get-User** cmdlet. Other attributes, such as CustomAttribute1 to CustomAttribute15, are available only from the **Get-Mailbox** cmdlet.
+- **Filter users based on an existing attribute**: This method assumes that the target user accounts all share a unique filterable attribute. Some attributes (for example, Title, Department, address information, and telephone number) are available only from the **Get-User** cmdlet. Other attributes (for example, CustomAttribute1 to CustomAttribute15) are available only from the **Get-Mailbox** cmdlet.
 - **Use a list of specific users**: After you generate the list of specific users, you can use that list to disable their access to Exchange Online PowerShell.
 
 ### Filter users based on an existing attribute
@@ -107,6 +107,9 @@ $NoPS | foreach {Set-User -Identity $_ -EXOModuleEnabled $false}
 
 ## View the Exchange Online PowerShell access status for users
 
+> [!TIP]
+> The newer `EXOModuleEnabled` property isn't available to use with the *Filter* parameter on the **Get-User** cmdlet, but the values of the `EXOModuleEnabled` property and the older `RemotePowerShellEnabled` property are always the same, so use the `RemotePowerShellEnabled` property with the *Filter* parameter on the **Get-User** cmdlet.
+
 To view the PowerShell access status for a specific user, replace \<UserIdentity\> with the name or user principal name (UPN) of the user, and run the following command:
 
 ```powershell
@@ -122,11 +125,11 @@ Get-User -ResultSize unlimited | Format-Table -Auto DisplayName,EXOModuleEnabled
 To display all users who don't have access to Exchange Online PowerShell, run the following command:
 
 ```powershell
-Get-User -ResultSize unlimited -Filter 'EXOModuleEnabled -eq $false'
+Get-User -ResultSize unlimited -Filter 'RemotePowerShellEnabled -eq $false'
 ```
 
 To display all users who have access to Exchange Online PowerShell, run the following command:
 
 ```powershell
-Get-User -ResultSize unlimited -Filter 'EXOModuleEnabled -eq $true'
+Get-User -ResultSize unlimited -Filter 'RemotePowerShellEnabled -eq $true'
 ```
@@ -3,7 +3,7 @@ title: "Recipient filters in Exchange PowerShell commands"
 ms.author: chrisda
 author: chrisda
 manager: deniseb
-ms.date: 9/7/2023
+ms.date: 09/07/2023
 ms.audience: ITPro
 audience: ITPro
 ms.topic: reference
 
@@ -3,7 +3,7 @@ title: "Filterable properties for the RecipientFilter parameter"
 ms.author: chrisda
 author: chrisda
 manager: deniseb
-ms.date:
+ms.date: 09/07/2023
 ms.audience: ITPro
 audience: ITPro
 ms.topic: article
 
@@ -109,35 +109,35 @@ This example adds a policy for the Reflection feature in Viva Insights. The poli
 Add-VivaModuleFeaturePolicy -CategoryId <category_id> -Name DisableCategoryForAll -IsCategoryEnabled $false -Everyone
 ```
 
-This example adds a policy for the `<cateogry_id>` category in Viva. The policy disables the category (effectively all features under the category) for all users in the organization.
+This example adds a policy for the `<category_id>` category in Viva. The policy disables the category (effectively all features under the category) for all users in the organization.
 
 ### Example 6
 ```powershell
 Add-VivaModuleFeaturePolicy -CategoryId <category_id> -Name MultipleGroups -IsCategoryEnabled $false -GroupIds [email protected],[email protected],57680382-61a5-4378-85ad-f72095d4e9c3
 ```
 
-This example adds a policy for the `<cateogry_id>` category in Viva. The policy disables the category (effectively all features under the category) for all users in the specified groups.
+This example adds a policy for the `<category_id>` category in Viva. The policy disables the category (effectively all features under the category) for all users in the specified groups.
 
 ### Example 7
 ```powershell
 Add-VivaModuleFeaturePolicy -CategoryId <category_id> -Name MultipleUsers -IsCategoryEnabled $false -UserIds [email protected],[email protected]
 ```
 
-This example adds a policy for the `<cateogry_id>` category in Viva. The policy disables the category (effectively all features under the category) for the specified users.
+This example adds a policy for the `<category_id>` category in Viva. The policy disables the category (effectively all features under the category) for the specified users.
 
 ### Example 8
 ```powershell
 Add-VivaModuleFeaturePolicy -CategoryId <category_id> -Name UsersAndGroups -IsCategoryEnabled $false -GroupIds [email protected],[email protected],57680382-61a5-4378-85ad-f72095d4e9c3 -UserIds [email protected],[email protected]
 ```
 
-This example adds a policy for the `<cateogry_id>` category in Viva. The policy disables the category (effectively all features under the category) for the specified users and group members.
+This example adds a policy for the `<category_id>` category in Viva. The policy disables the category (effectively all features under the category) for the specified users and group members.
 
 ### Example 9
 ```powershell
 Add-VivaModuleFeaturePolicy -CategoryId <category_id> -Name "Disable Category For All" -IsCategoryEnabled $false -Everyone
 ```
 
-This example adds a policy for the `<cateogry_id>` category in Viva where the policy name is with spaces. The policy disables the category (effectively all features under the category) for all users in the organization.
+This example adds a policy for the `<category_id>` category in Viva where the policy name is with spaces. The policy disables the category (effectively all features under the category) for all users in the organization.
 
 ## PARAMETERS
 
 
@@ -23,13 +23,12 @@ For information about the parameter sets in the Syntax section below, see [Excha
 ## SYNTAX
 
 ```
-Export-ContentExplorerData
+Export-ContentExplorerData [-TagName] <String> [-TagType] <String>
+ [-Aggregate]
  [[-PageCookie] <String>]
  [[-PageSize] <Int32>]
  [[-SiteUrl] <String>]
  [[-UserPrincipalName] <String>]
- [-TagName] <String>
- [-TagType] <String>
  [[-Workload] <String>]
  [<CommonParameters>]
 ```
@@ -42,6 +41,14 @@ The output of this cmdlet contains the following information:
 - RecordsReturned: The number of records returned in the query.
 - PageCookie: Used to get the next set of records when MorePagesAvailable is True.
 
+The following list describes best practices for scripts using this cmdlet:
+
+- We recommend not using a single script to export multiple SITs/Labels. Instead, create a script for one SIT/Label, and then re-use the same script for each SIT/Label in each workload as required.  
+- When retrying the script, make sure to reconnect to the session first. The session's token expires after about an hour, which can cause the cmdlet to fail. To fix this issue, reconnect to the session before retrying the script. If the script fails, restart it using the last page cookie returned to continue the export from where it left off. 
+
+  > [!TIP]
+  > To support unattended scripts that run for a long time, you can use [certificate-based authentication (CBA)](https://learn.microsoft.com/powershell/exchange/app-only-auth-powershell-v2).
+
 To use this cmdlet in Security & Compliance PowerShell, you need to be assigned permissions. For more information, see [Permissions in the Microsoft Purview compliance portal](https://learn.microsoft.com/purview/microsoft-365-compliance-center-permissions).
 
 ## EXAMPLES
@@ -69,6 +76,51 @@ This example exports records for the specified sensitive info type for all workl
 
 ## PARAMETERS
 
+### -TagType
+The TagType parameter specifies the type of label to export file details from. Valid values are:
+
+- Retention
+- SensitiveInformationType
+- Sensitivity
+- TrainableClassifier
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+Applicable: Security & Compliance
+
+Required: True
+Position: 5
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Aggregate
+The Aggregate parameter switch returns the folder level aggregated numbers instead of returning details at the item level. You don't need to specify a value with this switch.
+
+Using this switch significantly reduces the export time. To download the items in a folder, run this cmdlet for specific folders.
+
+When you use this switch with the TagName, TagType and Workload parameters, the command returns the following information:
+
+- SiteUlrs: OneDrive and SharePoint.
+- UPNs: Exchange Online and Teams.
+- The count of items stamped with that tag.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+Applicable: Security & Compliance
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -PageCookie
 The PageCookie parameter specifies whether to get more data when the value of the MorePagesAvailable property in the command output is True. If you don't use the PageSize parameter, a maximum of 100 records are returned. If you use the PageSize parameter, a maximum of 10000 records can be returned.
 
@@ -88,6 +140,8 @@ Accept wildcard characters: False
 ### -PageSize
 The PageSize parameter specifies the maximum number of records to return in a single query. Valid input for this parameter is an integer between 1 and 10000. The default value is 100.
 
+**Note**: In empty folders or folders with few files, this parameter can cause the command to run for a long time as it tries to get the PageSize count of the results. To prevent this issue, the command returns data from 5 folders or the number of records specified by the PageSize parameter, whichever completes first. For example, if there are 10 folders with 1 record each, the command returns 5 records of the top 5 folders. In the next execution using page cookie, it returns 5 records from the remaining 5 folders, even if the PageSize value is 10.
+
 ```yaml
 Type: Int32
 Parameter Sets: (All)
@@ -135,27 +189,6 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
-### -TagType
-The TagType parameter specifies the type of label to export file details from. Valid values are:
-
-- Retention
-- SensitiveInformationType
-- Sensitivity
-- TrainableClassifier
-
-```yaml
-Type: String
-Parameter Sets: (All)
-Aliases:
-Applicable: Security & Compliance
-
-Required: True
-Position: 5
-Default value: None
-Accept pipeline input: False
-Accept wildcard characters: False
-```
-
 ### -UserPrincipalName
 The UserPrincipalName parameter specifies the user account in UPN format to export message details from. An example UPN value is [email protected].
 
 
@@ -109,7 +109,7 @@ The Mailbox parameter specifies the identity of the mailbox where the apps are i
 
 You can't use this parameter with the Identity parameter.
 
-Note: This parameter only returns user installed and default add-ins. It doesn't return add-ins installed by admins from Integrated Apps. For more information, see [Deploy and manage Office Add-ins](https://learn.microsoft.com/microsoft-365/admin/manage/office-addins).
+**Note**: This parameter only returns user installed and default add-ins. It doesn't return add-ins installed by admins from Integrated Apps. For more information, see [Deploy and manage Office Add-ins](https://learn.microsoft.com/microsoft-365/admin/manage/office-addins).
 
 ```yaml
 Type: MailboxIdParameter
 
@@ -21,6 +21,7 @@ For information about the parameter sets in the Syntax section below, see [Excha
 
 ```
 Get-AuthenticationPolicy [[-Identity] <AuthPolicyIdParameter>]
+ [-AllowLegacyExchangeTokens]
  [-TenantId <String>]
  [<CommonParameters>]
 ```
@@ -44,6 +45,13 @@ Get-AuthenticationPolicy -Identity "Engineering Group"
 
 This example returns detailed information for the authentication policy named Engineering Group.
 
+### Example 3
+```powershell
+Get-AuthenticationPolicy -AllowLegacyExchangeTokens
+```
+
+In Exchange Online, this example specifies whether legacy Exchange tokens for Outlook add-ins are allowed in the organization.
+
 ## PARAMETERS
 
 ### -Identity
@@ -66,6 +74,31 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
+### -AllowLegacyExchangeTokens
+This parameter is available only in the cloud-based service.
+
+The AllowLegacyExchangeTokens switch specifies whether legacy Exchange tokens are allowed for Outlook add-ins in your organization. You don't need to specify a value with this switch.
+
+Legacy Exchange tokens include Exchange user identity and callback tokens.
+
+**Important**:
+
+- Currently, the AllowLegacyExchangeTokens switch only specifies whether legacy Exchange tokens are allowed in your organization. For now, disregard the empty Allowed and Blocked arrays returned by the switch.
+- Legacy Exchange tokens will eventually be blocked by default in all cloud-based organizations. For more information, see [Nested app authentication and Outlook legacy tokens deprecation FAQ](https://learn.microsoft.com/office/dev/add-ins/outlook/faq-nested-app-auth-outlook-legacy-tokens#what-is-the-timeline-for-shutting-down-legacy-exchange-online-tokens).
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+Applicable: Exchange Online, Exchange Online Protection
+
+Required: False
+Position: Named
+Default value: True
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -TenantId
 This parameter is available only in the cloud-based service.
 
 
@@ -13,7 +13,7 @@ ms.reviewer:
 
 ## SYNOPSIS
 > [!NOTE]
-> Beginning in October 2022, we've disabled access to client access rules for all existing Exchange Online organizations that weren't using them. In September 2024, support for client access rules will end for all Exchange Online organizations. For more information, see [Update: Deprecation of Client Access Rules in Exchange Online](https://techcommunity.microsoft.com/t5/exchange-team-blog/update-deprecation-of-client-access-rules-in-exchange-online/ba-p/3790165).
+> Beginning in October 2022, client access rules were deprecated for all Exchange Online organizations that weren't using them. Client access rules will be deprecated for all remaining organizations on September 1, 2025. If you choose to turn off client access rules before the deadline, the feature will be disabled in your organization. For more information, see [Update on Client Access Rules Deprecation in Exchange Online](https://techcommunity.microsoft.com/blog/exchange/update-on-client-access-rules-deprecation-in-exchange-online/4354809).
 
 This cmdlet is functional only in Exchange Server 2019 and in the cloud-based service. Some parameters and settings may be exclusive to one environment or the other.
 
 
@@ -23,6 +23,7 @@ For information about the parameter sets in the Syntax section below, see [Excha
 ```
 Get-ComplianceTag [[-Identity] <ComplianceRuleIdParameter>]
  [-IncludingLabelState]
+ [-PriorityCleanup]
  [<CommonParameters>]
 ```
 
@@ -83,6 +84,22 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
+### -PriorityCleanup
+{{ Fill PriorityCleanup Description }}
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+Applicable: Security & Compliance
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### CommonParameters
 This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](https://go.microsoft.com/fwlink/p/?LinkID=113216).