February 15 Enhancements


Due to issues found late in the release testing process, the license playbook was held back from release. We will release it in an upcoming release.  


The ability to define policies on the Audit data reports has been enhanced in the new interface (New UX), replacing the previously available Audit Alerts in the Legacy UX. 

The key advantage of these policies, known as Audit Policies, lies in their event-based nature, triggering the policy immediately upon detection of a matching audit record. 

Additionally, Operators can now perform the following remediation actions for Audit reports:  

• Run workflow  

• Send notification 

Please note that there is currently no exception management for Audit Policies, and they do not display “matched items”. However, the full report can show the history of matching audit records. 


We're taking another step forward in our support of Dynamic Groups with the ability to view if a group is a dynamic group. 

You'll now be able to manage group members with confidence, knowing exactly what group has been created as dynamic, avoiding errors when managing group members also through Workflows and Playbook policies. 

Detect what the Dynamic Groups are is easy! Simply select the new attribute Dynamic Membership from the Columns drop-down menu, then check which groups are dynamic setting the value equal to true. Below there is the list of the reports that feature the new attribute: 

  • Distribution groups 
  • Distribution groups inactive 
  • Empty distribution groups 
  • Microsoft 365 groups 
  • Microsoft 365 deleted groups 
  • Empty Microsoft 365 groups 
  • Security groups 
  • Empty security groups 
  • Teams groups 
  • Empty Teams groups 



You can now easily view the Workflows associated with your Playbooks. This will make it simple to identify which Workflows form the basis of Playbook remediation actions. Plus, you can determine which Workflows cannot be manually executed from the Workflow Management page.


Previously in the application if a user was moving between OUs, perhaps as part of a promotion or other job move, that required an operator to perform a management action to make that change.  We have now added an action to Move User to a Different Organization Unit in Workflow so you can automate the process of managing this kind of user change.  


We know, we know… updating each list that is associated with a Workflow can be tedious.  

Therefore, we are excited to introduce you Custom Lists, that let you create a list once and use it as execution input across different Workflows. This saves you time and ensures that any updates or modifications to the list are applied automatically to all associated Workflows, reducing the risk of manual error.  

Try out Custom Lists today and see how they can streamline your workflow! (UserVoice)


Take your reporting to the next level with our latest update, which expands the scheduling options to include monthly recurrences, in addition to hours, days, and weeks. 


This increased flexibility empowers organizations to stay compliant, streamline internal processes, and automate tasks by delivering reports precisely when needed, on a specific day of the month. For example, organizations can generate reports at the end of the month to track the usage of software licenses, providing valuable insights to help reduce costs and optimize resources by reallocating unused licenses. 


Another round of Reports have made their way from the Legacy UX to the New UX, so you can now find all of them in one place. this means no more flipping back and forth between interfaces to find what you need. 

Now, you can find the following Reports with ease: 

  • Mailboxes without licenses  
  • Recipient Over Time  
  • Archive Sizes 
  • Users by Connection type 
  • Calendar Permissions report 
  • Quarantined Messages 
  • [Audit] Exchange - Mailbox rights changes report 
  • [Audit] Azure AD - Sign-in Reports 
  • Sign-ins with admin roles 
  • Sign-ins external 
  • Sign-ins failed 
  • Monthly sign-ins by user 
  • Monthly sign-ins by app 
  • Risky users 
  • Risk detections 
  • Sign-ins from anonymous IP addresses 
  • Sign-ins from infected devices 
  • Sign-ins from unfamiliar locations 
  • Impossible travel to atypical locations 
  • Sign-ins legacy pro 


We've heard your requests to simplify the interface and improve usability, with enhancements that will streamline your workflow and save your time. 

What are these improvements? 

Click Cutting: When executing an Action from a Report or a User Card, you'll now be able to skip the "Target Selection" step and go directly to the action you need to run. 

Bulk Actions via CSV upload: You can easily run Management Actions related to Users in bulk, just uploading a CSV file.  

Grand Totals in Pivot Tables: Get a clear and quick overview of your data with the Grand Totals included in all reports, now featuring the row total for each column in our latest update. (UserVoice)


Do you find yourself frustrated with the time-consuming task of manually recreating filters for multiple reports with the same targets? 

This update offers a key advantage for Operators by expanding their ability to perform complex AND/OR queries. Previously, this was only available for User reports, but now it has been extended to all types of Groups. 

It also saves time by enabling operators to reuse the same filter on multiple reports with the same targets. For example, a filter created in the Active Users report can be reused in the MS365 Members report. 

What are the key features of the improved report filtering capabilities? 

Operators can now save a report filter configuration for future use, allowing the same filter to be applied to multiple reports with the same target. For instance, after creating a filter in the Active Users report, it can be used in the M365 Members report as well. 

Tenant Administrators also have the option to make saved report filters Public, allowing them to be accessible by all members of the organization. 

The Global Filters feature has been reinstated from Legacy UX to New UX with minor revisions. You can now apply any saved Report Filters for the user target as Global Filters, affecting all reports that have the same user target. 


Are you ready to unlock the full potential of your data? With our new custom reporting feature, you have the power to create tailored reports that provide the in-depth insights you need to make informed decisions. This optimized feature empowers you to easily select and focus on the properties that matter most, resulting in a more flexible and customizable reporting system. 


Easily manage your API Keys with our new dedicated page! This page has been recreated from the Legacy UX in the New UX, providing a simple way to view all your API Keys in one place. 

Additional Enhancements

Below are additional small enhancements provided in this release

  • Teams DisplayName - The DisplayName field is now available in the Teams User Activity report. (UserVoice)
  • Missing MFA status information - In some cases MFA status information was not available. By changing the API where we retrieve this information, it is now availablelable for all users. (UserVoice). 

February 1 Enhancements

February is off to a bang with a big new set of enhancements. This release contains a brand new playbook for security and identify as well as migrating a ton of screens and features to the new UX.  

New Security and Identity Playbook 

This release introduces a new Security and Identity Management Playbook. Based on our experience with hundreds of companies managing their Microsoft 365 tenants, these are recommended practices for identifying and resolving common issues with security and identity management.   Below are the new policies. 

Inactive last 60 days but not blocked users 

Problem to be solved: Security best practices suggest disabling the accounts of inactive users to reduce potential breaches. 

Policy description: Finds users inactive for the last 60 days with active credentials. This list excludes guests. 

Remediation action: This policy will email the inactive account’s manager or a named account to attest that the account should remain active. Otherwise, it will disable all those accounts that have been inactive in the last 60 days. 

Admin without MFA 

Problem to be solved: MFA is a must-have for all privileged users to reduce security risk due to compromised identity. MFA provides additional assurance that the individual attempting to gain access is who they claim to be. With MFA, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise, thus reducing the risk.  

Policy definition: Find all users with admin roles and without MFA 

Remediation action: This policy will email the inactive account’s manager or a named account to attest that the account does not require MFA. Otherwise, it will re-enable MFA for targeted users.  

Admin with password not changed in the last 90 days 

Problem to be solved: Microsoft suggests ensuring the passwords of admin accounts and shared accounts change on a regular basis. Ensure all admin and shared accounts have signed in and changed their passwords at least once in the last 90 days.  

Policy definition: Find all admin accounts that have not changed their password in the last 90 days 

Remediation action: This policy will email the inactive account’s manager or a named account to attest that the account password does not need to change. Otherwise, it will force a password change for the user upon their next login. 

Microsoft 365 Groups without Owners 

Problem to be solved: Having M365 groups without owners cause difficulties if no one is monitoring usage of the group, which can result in inappropriate members being added, sensitive content being shared, and no one there to curate or manage.  

Policy definition: Find all M365 groups that have total owners equal to zero. 

Remediation action: This policy will trigger an email to a named user asking that a group owner be identified.  

Inactive Guests in the last 90 days 

Problem to be solved: Removing guest users that are no long active minimizes the risk that these accounts can be compromised.  

Policy definition: Find all guest users that have been inactive for the last 90 days 

Remediation action: This policy will remove the inactive users.  

External Users in security groups 

Problem to be solved: External users that have access to resources and data due to their membership in security groups need periodic attestation to ensure they are not forgotten, and they have the least possible privileges.  

Policy definition: Find all external members that have been added to security groups 

Remediation action: This policy requires a named user attest that external users should still belong to the security groups of which they are a member. If not attested to, they will be removed from the group.  

External Users in Microsoft 365 groups 

Problem to be solved: External users that have access to resources and data due to their membership in M365 groups need periodic attestation to ensure they are not forgotten, and they have the least possible access.  

Policy definition: Find all external members that have been added to M365 groups 

Remediation action: This policy requires a named user attest that external users should still belong to the security groups of which they are a member. If not attested to, they will be removed from the group. 

Admin on-cloud without strong password 

Problem to be solved: Security best practices suggest to set strong passwords for cloud users. Strong passwords have to include one mandatory element that is complexity to avoid security breach, especially for admin accounts.  

Policy definition: Find all Admins with 'Account type' = ONCLOUD and who have been identified as not having a strong password 

Remediation Action:  This policy forces admins without strong password to re-set the password to include complexity. 

Users without MFA 

Problem to be solved: MFA is a critical capability for users to reduce security risk due to compromised identity. MFA provides additional assurance that the individual attempting to gain access is who they claim to be.   

Policy definition: Find all users without MFA enabled 

Remediation action: This policy will re-enable MFA for targeted users. 

Users without MFA enrolled 

Problem to be solved: Enabling MFA for users is a two step process. The user must first enroll in MFA, at which point it can be enabled.  An unenrolled account is more vulnerable than even one where MFA is not enabled since it provides an opportunity for a bad actor to take over an account by enrolling with false credentials.   

Policy definition: Find all users where no strong authentication method has yet been identified.   

Remediation action: This policy emails the user asking them to complete MFA enrollment process and identify a default authentication method.  

Additional Playbook Enhancements 

In addition, the following enhancements were added to Playbooks:

  • Whenever a policy is created from a report, a version of that report is created specifically for the use by that policy. That way, if someone modifies the original report, it cannot inadvertently change or break the policy.   
  • It is now possible to create a policy from every report without first saving the report. In every report the Action menu will now display the option to create a policy.  The create policy wizard will then auto-populate the Policy definition step with the name of the target report.    

License Management Enhancements

Licenses in the Microsoft 365 Business and Microsoft 365 Apps are now counted as primary licenses and therefore supported in the Saving opportunities tab in the License Optimization center.

Report Filters Expansion

Report filters were historically supporting only reports about users. As a result, operators weren't able to perform complex queries on other critical reports. As part of the initiative to improve this feature, we now have extended the support, so you can use report filters (and leverage nested AND/OR queries) also on Distribution, Security, MS365 and Teams groups. 

New UX 

We have migrated f reports from the legacy UX to the new UX: 

  • OneDrive Shared with External Users 
  • Internal vs external  

On-premises Configuration

In addition, we have added the following configuration screen to the New UX -- On-premises Configuration. This section is only available for customers with the Hybrid connector.  

Management Actions

The following Management actions have also been added New UX.  

  • Manage calendar permissions - Of note, this management action can only be performed from the Calendar Permission report, not the Management Actions menu
  • Create teams auto-attendant
  • Edit teams auto-attendant