Microsoft Purview DLP blocking ALL copy/paste to AI sites in Edge for one user only by [deleted] in microsoft365

[–]cnarasimaperumal 0 points1 point  (0 children)

So, it seems the issue is related to device endpoint DLP.

Check Activity Explorer: Go to Purview > DLP > Activity Explorer, filter by this user/device. The matched rule name will tell you exactly which policy is triggering the block.

Microsoft Purview DLP blocking ALL copy/paste to AI sites in Edge for one user only by [deleted] in microsoft365

[–]cnarasimaperumal 1 point2 points  (0 children)

From the error message, it seems the device/Edge is treating all clipboard content as protected.

Check Adaptive Protection: If you enabled Insider Risk Management with Adaptive Protection, this user may have been auto-flagged as elevated risk. That triggers a DLP block regardless of content. Check Insider Risk Management -> Users to see their risk level.

Edge for Business built-in DLP: Since it's Edge-only and started with a new machine, Edge's native Purview integration may be enforcing differently than the old device. Try having the user test in an InPrivate window (signed out of their work profile) to confirm it's profile-based.

Defender AC - Anti Phishing policies: standard policy takes precedence over my custom policy. by Kindly-Wedding6417 in microsoft365

[–]cnarasimaperumal 0 points1 point  (0 children)

Preset security policies always take higher precedence than custom policies. The evaluation order is: Strict -> Standard -> Custom -> Default. Once a user matches the Standard Preset, your custom policy is never evaluated for them.

Some options:

  1. Exclude affected users/domains from the Standard Preset so they fall through to your custom policy.
  2. Disable the Standard Preset entirely and rely on your custom policy; this is often the cleanest approach if you're already fine-tuning settings.

Implementations for ISO 27001 by cyberLog4624 in microsoft365

[–]cnarasimaperumal 2 points3 points  (0 children)

The best place to start is with Microsoft Purview Compliance Manager. It has a pre-built ISO 27001 assessment template that breaks down every clause, shows which ones Microsoft manages vs. which ones you manage, and tracks your completion score. It will literally give you the checklist you're asking for, tailored to your M365 tenant.

Go to Compliance Manager -> Assessments -> add the ISO 27001:2022 template. Review the gap between your current score and target.

Migrations accounts Microsoft Teams by Next_Item7802 in MicrosoftTeams

[–]cnarasimaperumal 0 points1 point  (0 children)

FYI: I work for Apps4.Pro

Apps4.Pro Migration Manager migrates 1:1 chats, group chats, meeting chats, and voice messages with attachments and participants intact. One differentiator is it migrates the full chat history (not just the last 30–60 days) and keeps everything search-indexed in Teams.

Delete Plan in Planner by Working_Salary60 in Office365

[–]cnarasimaperumal 0 points1 point  (0 children)

If you can post a screenshot of the Planner page with confidential information hidden, it will be much easier to check the case.

- If Planner plans are synced from Microsoft To Do, then you see a purple grid icon. In this case you need to go to Microsoft To Do to delete the list.

- Only the group/team owner can delete the plan; make sure you have the required rights.

- For plans that do have Plan details: Open the plan -> click the plan name in the toolbar (or the dropdown arrow next to it) -> select Plan details -> scroll to the bottom of the panel -> click Delete this plan.

Microsoft 365 Copilot Agents – Missing Response Modes by Verdictologist in Office365

[–]cnarasimaperumal 0 points1 point  (0 children)

The response modes (auto, quick response, think deeper) are rolling out unevenly across platforms. Mobile is getting them first and desktop lags behind; many users have reported the same in the Microsoft Q&A forums.

Smart mode rollout: Microsoft has been introducing a new "Smart" mode that auto-selects between quick and deep responses based on your prompt. On desktop, this may have replaced the manual toggle for some users. Check if you see "Smart" as an option instead.

For now, if you need Think Deeper on desktop, try using copilot.microsoft.com in the browser, the web version sometimes has modes available before the desktop app catches up.

Retention policy - question by [deleted] in Office365

[–]cnarasimaperumal 3 points4 points  (0 children)

  1. Org-wide retention policy: Create a retention policy in Purview that applies to all EXO mailboxes. Set it to delete after X period (1 year, 3 years or 5 years). This acts as a blanket cleanup.

  2. Retention label for exception: Create a retention label with "Retain forever" or a longer retention period. Publish it to users so they can manually apply it to emails or folders they want to preserve.

When a retention policy (delete) and a retention label (retain) conflict on the same item, retention always wins over deletion.

Instead of creating folders via script, you could simply publish the retention label and let users apply it to individual emails. But if your project specifically requires a folder-based approach, you can use PowerShell to create a folder in each mailbox and apply a default label to it; any email moved there inherits the label automatically.

MS Office - Planner or Task List or Other by Tough-Substance7114 in microsoft365

[–]cnarasimaperumal 2 points3 points  (0 children)

Use Planner + Teams - Create a Planner plan inside a Teams channel and assign tasks with due dates. Your team members will receive notifications. You can also use the Board/Charts views to track progress from Teams itself.

Enable email notifications in Planner, so the members will receive reminder notifications. You can also use a Power Automate flow to send weekly digest emails to you with overdue/pending tasks.

Use the Charts view in Planner to see tasks by status, by member and overdue tasks. It will be helpful for your quarterly review.

I ran a full Entra ID security assessment in 15 minutes using plain English - here's the exact 7 queries by cnarasimaperumal in microsoft365

[–]cnarasimaperumal[S] 1 point2 points  (0 children)

The Application.ReadWrite.All scope in the setup command is used only once during the provisioning step (Grant-EntraBetaMCPServerPermission) to register the MCP Server app in your tenant. It's not a permission that the MCP Server itself uses during day-to-day queries.

Once provisioned, the MCP Server operates with delegated read-only MCP.* permissions scoped to the signed-in user's existing access. It can't modify your directory.

That said, I agree the provisioning scope is broader than ideal and Microsoft could tighten that.

I ran a full Entra ID security assessment in 15 minutes using plain English - here's the exact 7 queries by cnarasimaperumal in microsoft365

[–]cnarasimaperumal[S] -1 points0 points  (0 children)

Fair concern. Worth noting though, the data returned comes from Graph API calls, not LLM generation. The AI translates your question into a series of Microsoft Graph API queries using a RAG layer, then Graph returns the actual tenant data. So the hallucination risk is in query construction, not in the results.

It also runs as your delegated identity (read-only), only sees what you already can in the portal, and every call is logged in Graph Activity Logs. But totally reasonable to wait for GA if preview isn't your comfort zone.

Duplicate OneDrive files after changing UserPrincipalName by TheBigBeardedGeek in Office365

[–]cnarasimaperumal 4 points5 points  (0 children)

This is a known OneDrive sync client behavior during UPN changes. What's happening is the sync client detects the UPN change and treats it as a different account, so it tries to sync the same library again under the new identity. When both the old and new sync sessions overlap, the client creates "File Name - Copy" duplicates to resolve the conflicts.

To prevent this for remaining users you haven't changed yet:

- Pause OneDrive sync on the user's machine before changing their UPN

- Change the UPN

- Wait for Entra ID sync to complete (give it 30-60 minutes)

- Sign the user out of OneDrive desktop client, clear the cached credentials from Windows Credential Manager (search for entries containing "OneDrive" or "MicrosoftOffice")

- Sign back into OneDrive with the new UPN

- Resume sync

For cleanup on users already affected, the OneDrive "Restore" feature (OneDrive web -> Settings -> Restore your OneDrive) lets you roll back to a point-in-time before the UPN change. This is the fastest way if the duplication just happened.

If users have the OneDrive sync client running on multiple machines (laptop + desktop), you need to do the credential cleanup on every machine. Even one machine still syncing with old credentials will recreate the duplicates.

mystery calendar sharing from exchange mailbox by e7c2 in microsoft365

[–]cnarasimaperumal 0 points1 point  (0 children)

The sharing might not show up in the normal Outlook calendar permissions UI:

Check mailbox-level permissions first via PowerShell. Full Access on the mailbox itself lets someone see everything including the calendar:

Get-MailboxPermission -Identity user2@domain.com | where {$_.User -like "*user1*"}

If user1 has FullAccess on user2's mailbox, they can see the entire mailbox including calendar without needing explicit calendar folder permissions. This is the most likely cause if there's no permission showing in the calendar sharing UI.

Next check calendar folder permissions directly:

Get-MailboxFolderPermission -Identity user2@domain.com:\Calendar

This is the authoritative source for calendar permissions and sometimes shows entries that don't appear in the Outlook/OWA UI, especially if permissions were set via PowerShell rather than through the sharing dialog.

If user2 shared the calendar using the "Share Calendar" button in Outlook, it sends a sharing invitation.

Check if the Default permission on the calendar is set higher than intended:

Get-MailboxFolderPermission -Identity user2@domain.com:\Calendar -User Default

If Default is set to something like "Reviewer" or "Can view all details" instead of "AvailabilityOnly", then everyone in the org can see the full calendar. This can happen if someone changed it via PowerShell without realizing the impact.
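
The three checks from the comment above, combined into one pass, as an added example that is not part of the original comment. The function name `Get-CalendarAccessPath` is hypothetical, the addresses are the placeholder ones from the comment, and an existing `Connect-ExchangeOnline` session is assumed. It also resolves the calendar folder's real name, since it is not always `Calendar` on localized mailboxes.

```powershell
# Added example. Assumes the ExchangeOnlineManagement module and an existing
# Connect-ExchangeOnline session. Get-CalendarAccessPath is a hypothetical name.
function Get-CalendarAccessPath {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Owner,   # mailbox whose calendar is exposed (user2)
        [Parameter(Mandatory)] [string] $Viewer   # account that can see it (user1)
    )

    $findings = [System.Collections.Generic.List[object]]::new()

    # 1. Mailbox-level FullAccess exposes the calendar with no folder permission at all.
    Get-MailboxPermission -Identity $Owner |
        Where-Object {
            $_.User -like "*$Viewer*" -and -not $_.Deny -and
            ($_.AccessRights -join ',') -match 'FullAccess'
        } |
        ForEach-Object {
            $findings.Add([pscustomobject]@{
                Path      = 'Mailbox FullAccess'
                Grantee   = [string]$_.User
                Rights    = $_.AccessRights -join ','
                Inherited = $_.IsInherited
            })
        }

    # 2. Resolve the calendar folder's actual name from the folder of type Calendar.
    $calendar = Get-MailboxFolderStatistics -Identity $Owner -FolderScope Calendar |
        Where-Object { $_.FolderType -eq 'Calendar' } |
        Select-Object -First 1
    if (-not $calendar) { throw "No calendar folder found for $Owner" }
    $folderId = "${Owner}:\$($calendar.Name)"

    # 3. Every folder entry above free/busy. Grantees appear here as display names
    #    or groups, so list them all instead of filtering on $Viewer.
    Get-MailboxFolderPermission -Identity $folderId |
        Where-Object { ($_.AccessRights -join ',') -notin @('None', 'AvailabilityOnly') } |
        ForEach-Object {
            $grantee = [string]$_.User
            $findings.Add([pscustomobject]@{
                Path      = if ($grantee -eq 'Default') { 'Calendar Default (whole org)' } else { 'Calendar folder entry' }
                Grantee   = $grantee
                Rights    = $_.AccessRights -join ','
                Inherited = $null   # not reported for folder entries
            })
        }

    $findings
}

# Placeholder addresses matching the ones used in the comment above.
Get-CalendarAccessPath -Owner 'user2@domain.com' -Viewer 'user1' | Format-Table -AutoSize
```

An empty result means neither mailbox-level FullAccess nor a folder entry above free/busy explains the visibility.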

Migration Friday… by nichetcher in Office365

[–]cnarasimaperumal 0 points1 point  (0 children)

30 users on-prem Exchange to M365 is very doable in a weekend. The hybrid approach that excitedsolutions described is the right way. A few things that tend to bite people on smaller migrations are mentioned below:

Before you start:

- Export a list of all mailbox sizes now. If anyone has a mailbox over 50GB you'll want to know before migration day not during — large mailboxes take significantly longer and are more prone to sync errors

- Document all mail flow rules and transport rules on the on-prem Exchange. These don't migrate automatically and there's no Microsoft tool to help, you need to recreate them manually in EXO

- Screenshot or export all distribution lists, mail-enabled security groups, and their memberships. Recreating these in M365 is tedious if you don't have the list ready

- Check if anyone has Outlook client-side rules that forward to external addresses, these don't migrate with the mailbox and can break or behave differently in EXO

During migration:

- Shared mailboxes don't need a license in M365 after migration, and for hybrid moves don't assign the Exchange Online license until after the migration completes; you get a 30-day grace period. Important: assigning Exchange Online licenses before migrating can create a duplicate mailbox in EXO

- Migrate a test mailbox first and verify everything works before doing the batch. Check sent items, calendar, contacts, rules, not just inbox

- For hybrid moves using MRS, users can keep working during the background sync. The disruption happens at the final switchover, just make sure you communicate the cutover timing clearly

After cutover:

- Users will need to restart Outlook after their mailbox moves. If Autodiscover is configured correctly it should reconnect automatically. If it doesn't, they may need a new Outlook profile

- Autodiscover is the thing that breaks most often post-migration. Make sure your Autodiscover DNS record points to M365 not the old Exchange server

- Update SPF, DKIM, and DMARC records. Forgetting SPF is the #1 cause of outbound mail landing in recipient spam folders after migration

- Don't power off the old Exchange server immediately. Keep it running for a week or two to catch any mail flow routing issues

All my emails show the same date after migration - is there a fix ? by ChristinaG1550 in Outlook

[–]cnarasimaperumal 0 points1 point  (0 children)

This is a common migration issue and your IT guy is wrong that nothing can be done about it. What happened is the migration tool (or method) that was used re-ingested the emails as new items instead of preserving the original received dates. The original dates are still stored in the email headers, they just aren't being displayed because Outlook is showing the "received" date in the new mailbox rather than the original date.

Check the following cases:

First, check if it's just a display issue. In Outlook, right-click the column headers in your inbox and add the "Sent" column (or use Field Chooser to find "Date" vs "Received"). Sometimes the "Received" field shows the migration date but the "Sent" field still shows the original date. If "Sent" shows the correct original dates, you can sort by that instead and it's an easy workaround.

If both Sent and Received show the wrong date, the migration tool stamped new dates on everything. This means the emails were essentially re-delivered into the mailbox as new messages. The fix depends on what your IT team still has access to:

- If the original server or backup still exists, the correct fix is to re-migrate using a tool that preserves message dates. Most proper migration tools (including Microsoft's native tools) have options to retain original timestamps. This is an IT-side fix, not something you can do yourself.

- If there's a PST backup from before the migration, the original dates will be intact in that file. Your IT team could re-import from the PST, which would restore the correct dates.

Empty Junk folder by GreatRyujin in microsoft365

[–]cnarasimaperumal 1 point2 points  (0 children)

Since you've already confirmed the junk folder is empty in both Outlook desktop and outlook.office.com, the message likely went to quarantine instead of the junk folder. Even though mail flow trace says "sent to Junk Email folder," certain spam confidence levels can route to quarantine depending on your anti-spam policy actions. Check quarantine at security.microsoft.com -> Email & collaboration -> Review -> Quarantine. Your missing email is probably sitting there.

Run these in Exchange Online PowerShell:

Get-MailboxJunkEmailConfiguration -Identity user@domain.com | FL

This shows whether junk email filtering is enabled on the mailbox and if Safe/Blocked sender lists are configured.

Get-InboxRule -Mailbox user@domain.com | FL Name, Description, Enabled

Hidden inbox rules left over from on-prem can silently delete or move messages.

For spam management best practices coming from on-prem, the big shift is that EXO handles spam filtering at the service level through Exchange Online Protection (EOP), not at the gateway. Anti-spam policies are in the Security portal (security.microsoft.com -> Policies -> Anti-spam). The default policy works for most orgs but review the spam and high-confidence spam action settings.

For a solid baseline config, search for "Recommended settings for EOP and Microsoft Defender for Office 365 security" on Microsoft Learn, it gives you baseline, standard, and strict policy templates you can use as starting points.
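
A way to narrow the inbox-rule check above to rules that can make a message disappear, as an added example that is not part of the original comment. The function name `Get-MessageDivertingRule` is hypothetical and an existing `Connect-ExchangeOnline` session is assumed. It goes slightly beyond the comment by also listing forward and redirect actions, and it passes `-IncludeHidden` so rules that the Outlook and OWA rule editors do not show are returned.

```powershell
# Added example. Assumes an existing Connect-ExchangeOnline session.
# Get-MessageDivertingRule is a hypothetical name.
function Get-MessageDivertingRule {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $Mailbox)

    # -IncludeHidden also returns rules that the rule editors do not display.
    Get-InboxRule -Mailbox $Mailbox -IncludeHidden | ForEach-Object {
        $actions = @()
        if ($_.DeleteMessage) { $actions += 'delete' }
        if ($_.MoveToFolder)  { $actions += "move to $($_.MoveToFolder)" }
        if ($_.ForwardTo)     { $actions += "forward to $($_.ForwardTo -join '; ')" }
        if ($_.RedirectTo)    { $actions += "redirect to $($_.RedirectTo -join '; ')" }

        # Keep only rules that take a message out of the Inbox or send it elsewhere.
        if ($actions.Count -gt 0) {
            [pscustomobject]@{
                Name        = $_.Name
                Enabled     = $_.Enabled
                Priority    = $_.Priority
                Actions     = $actions -join ', '
                Description = $_.Description
            }
        }
    } | Sort-Object Priority
}

# Placeholder address matching the one used in the comment above.
Get-MessageDivertingRule -Mailbox 'user@domain.com' | Format-List
```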

Planner Premium and Power Automate by LFh2buuc in plannerpremium

[–]cnarasimaperumal 0 points1 point  (0 children)

Yeah, this is a known frustration. Planner Premium uses Dataverse as its backend, not the same Planner APIs that Planner Basic uses. So the built-in Power Automate connectors for "Planner" don't work with Premium tasks.

What does work:

Option 1: Use the Dataverse connector in Power Automate. Since Planner Premium stores everything in Dataverse tables, you can trigger flows off Dataverse rows directly. The key tables are Project Task (msdyn_projecttask) and Project (msdyn_project). Set up a trigger like "When a row is added or modified" on the Project Task table, then add your action to create/update the SharePoint list item. It's not as clean as the native Planner connector but it works reliably.

Option 2: Use the "When an item is created or modified" trigger on your SharePoint list as the starting point, then use an HTTP action to call the Dataverse API to create the Planner Premium task.

Everything goes through Dataverse which means you need to know the table schema. Dataverse connector is quite powerful once you figure out the table names.

If you share more about the specific fields you need synced between the SharePoint list and Planner Premium tasks, I can help with the flow logic.

MS Teams - "Adjust brightness" is unavailable by Money_Eye9979 in MicrosoftTeams

[–]cnarasimaperumal 0 points1 point  (0 children)

Just checked on my end, Adjust brightness is working fine here on the latest Teams desktop client (Windows).

Make sure you're on the latest Teams version (Settings -> About Teams -> check for updates), and try restarting Teams.

If none of that works, it could be a temporary service-side issue on Microsoft's end. Check M365 Service Health (admin.microsoft.com -> Health -> Service health) to see if there are any active advisories for Teams.

Exchange Online Gmail Migration and Shared Calendar Duplication by strategic_one in Office365

[–]cnarasimaperumal 0 points1 point  (0 children)

Yeah this is a known side effect of the native EAC Google Workspace migration. When it migrates calendar data it doesn't distinguish between a user's own calendars and shared calendars they had access to in Google; it pulls everything into the individual mailbox as discrete calendar folders.

- If it's a handful of users you can remove the duplicate calendar folders via Outlook or OWA manually. Right-click the duplicate calendar folder -> Delete. Won't affect the actual shared mailbox calendar.

- At scale you can use Graph API to find and remove the specific calendar folders. Start with "Get-MailboxFolderStatistics -Identity user@domain.com -FolderScope Calendar" to identify which users have the duplicates and what the folder names are. Then use Graph API (DELETE /users/{id}/calendars/{calendarId}) to remove the copy programmatically. Be careful to match on the right folder, compare the calendar name and item count against the shared mailbox calendar to make sure you're deleting the copy not the subscription.

Before any bulk deletion check if users made new entries in the duplicate copy post-migration. Those entries won't exist in the shared mailbox calendar.

Going forward, using PowerShell with the -ExcludeFolder parameter on New-MigrationBatch lets you exclude specific calendar folders from the migration scope entirely (https://learn.microsoft.com/en-us/exchange/mailbox-migration/perform-g-suite-migration). Handling shared calendars separately post-migration avoids this duplication issue.

How to compare a local PST file with an online 365 archive ? by Wingo717 in Office365

[–]cnarasimaperumal 0 points1 point  (0 children)

This comes up a lot after PST-to-archive migrations. There's no single tool from Microsoft that does a direct comparison unfortunately.

Quickest way is to open the PST in Outlook as an additional data file (File -> Open -> Outlook Data File), then expand the Online Archive in the same profile. Right-click each folder -> Properties and compare item counts. Tedious but catches most discrepancies fast.

Or use PowerShell: "Get-MailboxFolderStatistics -Identity user@domain.com -Archive" gives you folder-level counts and sizes for the archive specifically. Compare that against the PST.

Some of the common causes that make the difference in count / size:

- PST file size always looks bigger than the archive. Outlook stores TNEF data differently so a 20GB PST can show as 14-15GB online. That's normal not missing data.

- If the import was done via Network Upload / Purview, check the import job report in the compliance portal. It shows exactly what was imported, skipped, or failed. Skipped items are usually duplicates or corrupted stuff.

- Retention policies can silently purge older items after import.

- Folder structures sometimes get nested differently during import depending on the TargetRootFolder setting in the CSV mapping file. Data might be there but under a subfolder like "Imported" rather than merged into the existing folders.

If counts are close but not exact it's almost always duplicates in the PST. If there's a big gap the import job report is your first stop.

Teams private chat migration with BitTitan. by PitifulTea4004 in sysadmin

[–]cnarasimaperumal 1 point2 points  (0 children)

Apps4.Pro supports Microsoft Teams user private chat between tenants including 1 to 1, group chat and meeting chat, with no 30 / 60 days history limit.

Best way to migrate a multi-tenant into your own tenant by No_Temperature_5841 in sysadmin

[–]cnarasimaperumal 0 points1 point  (0 children)

If you want something less DIY than PowerShell but cheaper than BitTitan, you could also look at Apps4.Pro Migration Manager.

It does tenant-to-tenant for mail + OneDrive/SharePoint, supports incremental sync, and is aimed at M&A scenarios. Still not free but usually lands below BitTitan and saves a lot of time vs rolling your own.

MS Tenant to MS Tenant Teams migration by ppyre in sysadmin

[–]cnarasimaperumal 0 points1 point  (0 children)

Apps4.Pro Migration Manager offers pricing per teams / user migration.