MicrosoftDocs
diff --git a/‎.github/workflows/AutoLabelMsftContributor.yml
Lines changed: 3 additions & 1 deletion b/‎.github/workflows/AutoLabelMsftContributor.yml
Lines changed: 3 additions & 1 deletion
diff --git a/‎exchange/docs-conceptual/exchange-online-powershell-v2.md
Lines changed: 17 additions & 3 deletions b/‎exchange/docs-conceptual/exchange-online-powershell-v2.md
Lines changed: 17 additions & 3 deletions
diff --git a/‎exchange/docs-conceptual/whats-new-in-the-exo-module.md
Lines changed: 14 additions & 0 deletions b/‎exchange/docs-conceptual/whats-new-in-the-exo-module.md
Lines changed: 14 additions & 0 deletions
diff --git a/‎exchange/exchange-ps/exchange/Get-AuthenticationPolicy.md
Lines changed: 5 additions & 2 deletions b/‎exchange/exchange-ps/exchange/Get-AuthenticationPolicy.md
Lines changed: 5 additions & 2 deletions
diff --git a/‎exchange/exchange-ps/exchange/Get-MessageTrackingReport.md
Lines changed: 3 additions & 1 deletion b/‎exchange/exchange-ps/exchange/Get-MessageTrackingReport.md
Lines changed: 3 additions & 1 deletion
diff --git a/‎exchange/exchange-ps/exchange/New-AppRetentionCompliancePolicy.md
Lines changed: 3 additions & 0 deletions b/‎exchange/exchange-ps/exchange/New-AppRetentionCompliancePolicy.md
Lines changed: 3 additions & 0 deletions
diff --git a/‎exchange/exchange-ps/exchange/New-AutoSensitivityLabelRule.md
Lines changed: 4 additions & 0 deletions b/‎exchange/exchange-ps/exchange/New-AutoSensitivityLabelRule.md
Lines changed: 4 additions & 0 deletions
diff --git a/‎exchange/exchange-ps/exchange/New-ProtectionAlert.md
Lines changed: 9 additions & 1 deletion b/‎exchange/exchange-ps/exchange/New-ProtectionAlert.md
Lines changed: 9 additions & 1 deletion
diff --git a/‎exchange/exchange-ps/exchange/New-TenantAllowBlockListItems.md
Lines changed: 11 additions & 0 deletions b/‎exchange/exchange-ps/exchange/New-TenantAllowBlockListItems.md
Lines changed: 11 additions & 0 deletions
diff --git a/‎exchange/exchange-ps/exchange/Remove-AuthenticationPolicy.md
Lines changed: 1 addition & 1 deletion b/‎exchange/exchange-ps/exchange/Remove-AuthenticationPolicy.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎exchange/exchange-ps/exchange/Set-AppRetentionCompliancePolicy.md
Lines changed: 41 additions & 1 deletion b/‎exchange/exchange-ps/exchange/Set-AppRetentionCompliancePolicy.md
Lines changed: 41 additions & 1 deletion
diff --git a/‎exchange/exchange-ps/exchange/Set-ArcConfig.md
Lines changed: 25 additions & 2 deletions b/‎exchange/exchange-ps/exchange/Set-ArcConfig.md
Lines changed: 25 additions & 2 deletions
@@ -1,3 +1,4 @@
+
 name: Auto label Microsoft contributors
 
 permissions:
@@ -31,4 +32,5 @@ jobs:
           PayloadJson: ${{ needs.download-payload.outputs.WorkflowPayload }}
         secrets:
           AccessToken: ${{ secrets.GITHUB_TOKEN }}
-          TeamReadAccessToken: ${{ secrets.ORG_READTEAMS_TOKEN }}
+          ClientId: ${{ secrets.M365_APP_CLIENT_ID }}
+          PrivateKey: ${{ secrets.M365_APP_PRIVATE_KEY }}
@@ -3,7 +3,7 @@ title: About the Exchange Online PowerShell V3 module
 ms.author: chrisda
 author: chrisda
 manager: deniseb
-ms.date: 10/28/2024
+ms.date: 02/25/2025
 ms.audience: Admin
 audience: Admin
 ms.topic: article
@@ -613,14 +613,28 @@ Unless otherwise noted, the current release of the Exchange Online PowerShell mo
 
 ### Current release
 
+#### Version 3.7.1
+
+- Added a new property named `ExoExchangeSecurityDescriptor` to the output of **Get-EXOMailbox** that's similar to the `ExchangeSecurityDescriptor` property in the output of **Get-Mailbox**.
+- Added new cmdlets to support the Viva Org Insights Delegation feature:
+  - **Add-VivaOrgInsightsDelegatedRole**
+  - **Get-VivaOrgInsightsDelegatedRole**
+  - **Remove-VivaOrgInsightsDelegatedRole**
+
+### Previous releases
+
+#### Version 3.7.0
+
+- Integrated Web Account Manager (WAM) in authentication flows to enhance security.
+- Command line help for Exchange Online PowerShell cmdlets is no longer loaded by default. Use the _LoadCmdletHelp_ parameter in the **Connect-ExchangeOnline** command so help for Exchange Online PowerShell cmdlets is available to the **Get-Help** cmdlet.
+- Fixed connection issues with app only authentication in Security & Compliance PowerShell.
+
 #### Version 3.6.0
 
 - **Get-VivaModuleFeature** now returns information about the kinds of identities that the feature supports creating policies for (for example, users, groups, or the entire tenant).
 - Cmdlets for Viva feature access management now handle continuous access evaluation (CAE) claim challenges.
 - Added fix for compatibility issue with the Microsoft.Graph module.
 
-### Previous releases
-
 #### Version 3.5.1
 
 - Bug fixes in **Get-EXOMailboxPermission** and **Get-EXOMailbox**.
 
@@ -22,6 +22,20 @@ description: "Learn about the new features and functionality available in the la
 
 This article lists new features in the Exchange Online PowerShell module that's used for connecting to Exchange Online PowerShell, Security & Compliance PowerShell, and standalone Exchange Online Protection (EOP) PowerShell. Features that are currently in preview are denoted with **(preview)**.
 
+## January 2025
+
+- [Version 3.7.1](https://www.powershellgallery.com/packages/ExchangeOnlineManagement/3.7.1)
+
+  For information about what's in this release, see [Version 3.7.1](exchange-online-powershell-v2.md#version-371).
+
+## December 2024
+
+- [Version 3.7.0](https://www.powershellgallery.com/packages/ExchangeOnlineManagement/3.7.0)
+
+  Starting with this version of the module, command line help for Exchange Online PowerShell cmdlets is no longer loaded by default. Use the _LoadCmdletHelp_ parameter in the **Connect-ExchangeOnline** command so help for Exchange Online PowerShell cmdlets is available to the **Get-Help** cmdlet.
+
+  For information about what's in this release, see [Version 3.7.0](exchange-online-powershell-v2.md#version-370).
+
 ## September 2024
 
 - [Version 3.6.0](https://www.powershellgallery.com/packages/ExchangeOnlineManagement/3.6.0)
 
@@ -81,10 +81,13 @@ The AllowLegacyExchangeTokens switch specifies whether legacy Exchange tokens ar
 
 Legacy Exchange tokens include Exchange user identity and callback tokens.
 
+This switch also specifies a date and time sometime within the past seven days when an add-in was either allowed or blocked from acquiring a token.
+
 **Important**:
 
-- Currently, the AllowLegacyExchangeTokens switch only specifies whether legacy Exchange tokens are allowed in your organization. For now, disregard the empty Allowed and Blocked arrays returned by the switch.
-- Legacy Exchange tokens will eventually be blocked by default in all cloud-based organizations. For more information, see [Nested app authentication and Outlook legacy tokens deprecation FAQ](https://learn.microsoft.com/office/dev/add-ins/outlook/faq-nested-app-auth-outlook-legacy-tokens#what-is-the-timeline-for-shutting-down-legacy-exchange-online-tokens).
+- An update is being deployed to enable the AllowLegacyExchangeTokens switch to specify any add-in that requested an Exchange token from the last seven days. For more information, see [Get the status of legacy Exchange Online tokens and add-ins that use them](https://learn.microsoft.com/office/dev/add-ins/outlook/turn-exchange-tokens-on-off#get-the-status-of-legacy-exchange-online-tokens-and-add-ins-that-use-them).
+- The AllowLegacyExchangeTokens switch returns `Not Set` if tokens haven't been explicitly allowed or blocked in your organization using the _AllowLegacyExchangeTokens_ or _BlockLegacyExchangeTokens_ parameters on the **Set-AuthenticationPolicy** cmdlet. For more information, see [Get the status of legacy Exchange Online tokens and add-ins that use them](https://learn.microsoft.com/office/dev/add-ins/outlook/turn-exchange-tokens-on-off#get-the-status-of-legacy-exchange-online-tokens-and-add-ins-that-use-them).
+- As of February 17 2025, legacy Exchange tokens are blocked by default in all cloud-based organizations. Although tokens are blocked by default, the AllowLegacyExchangeTokens switch still returns `Not Set` if you haven't used the _AllowLegacyExchangeTokens_ or _BlockLegacyExchangeTokens_ parameters on the **Set-AuthenticationPolicy** cmdlet. For more information, see [Nested app authentication and Outlook legacy tokens deprecation FAQ](https://learn.microsoft.com/office/dev/add-ins/outlook/faq-nested-app-auth-outlook-legacy-tokens#what-is-the-timeline-for-shutting-down-legacy-exchange-online-tokens).
 
 ```yaml
 Type: SwitchParameter
 
@@ -48,7 +48,9 @@ You need to be assigned permissions before you can run this cmdlet. Although thi
 ```powershell
 $Temp = Search-MessageTrackingReport -Identity "David Jones" -Recipients "wendy@contoso.com"
 
-Get-MessageTrackingReport -Identity $Temp.MessageTrackingReportID -ReportTemplate Summary
+foreach ($reportId in $Temp.MessageTrackingReportId) {
+    Get-MessageTrackingReport -Identity $reportId -ReportTemplate Summary -Status Delivered
+}
 ```
 
 This example gets the message tracking report for messages sent from one user to another. This example returns the summary of the message tracking report for a message that David Jones sent to Wendy Richardson.
 
@@ -308,6 +308,9 @@ Accept wildcard characters: False
 ```
 
 ### -PolicyRBACScopes
+
+**Note**: Admin units aren't currently supported, so this parameter isn't functional. The information presented here is for informational purposes when support for admin units is released.
+
 The PolicyRBACScopes parameter specifies the administrative units to assign to the policy. A valid value is the Microsoft Entra ObjectID (GUID value) of the administrative unit. You can specify multiple values separated by commas.
 
 Administrative units are available only in Microsoft Entra ID P1 or P2. You create and manage administrative units in Microsoft Graph PowerShell.
 
@@ -254,6 +254,10 @@ The ContentContainsSensitiveInformation parameter specifies a condition for the
 
 This parameter uses the basic syntax `@(@{Name="SensitiveInformationType1";[minCount="Value"],@{Name="SensitiveInformationType2";[minCount="Value"],...)`. For example, `@(@{Name="U.S. Social Security Number (SSN)"; minCount="2"},@{Name="Credit Card Number"; minCount="1"; minConfidence="85"})`.
 
+Exact Data Match sensitive information types are supported only groups. For example:
+
+`@(@{operator="And"; groups=@(@{name="Default"; operator="Or"; sensitivetypes=@(@{id="<<EDM SIT Id>>"; name="<<EDM SIT name>>"; maxcount="-1"; classifiertype="ExactMatch"; mincount="100"; confidencelevel="Medium"})})})`
+
 ```yaml
 Type: PswsHashtable[]
 Parameter Sets: (All)
 
@@ -14,7 +14,15 @@ ms.reviewer:
 ## SYNOPSIS
 This cmdlet is available only in Security & Compliance PowerShell. For more information, see [Security & Compliance PowerShell](https://learn.microsoft.com/powershell/exchange/scc-powershell).
 
-Use the New-ProtectionAlert cmdlet to create alert policies in the Microsoft Purview compliance portal. Alert policies contain conditions that define the user activities to monitor, and the notification options for email alerts and entries in the Microsoft Purview compliance portal.
+Use the New-ProtectionAlert cmdlet to create alert policies in the Microsoft Purview compliance portal and the Microsoft Defender portal. Alert policies contain conditions that define the user activities to monitor, and the notification options for email alerts and entries.
+
+> [!NOTE]
+> Although the cmdlet is available, you receive the following error if you don't have an enterprise license:
+>
+> _Creating advanced alert policies requires an Office 365 E5 subscription or Office 365 E3 subscription with an Office 365 Threat Intelligence or
+Office 365 EquivioAnalytics add-on subscription for your organization. With your current subscription, only single event alerts can be created._
+>
+> For more information, see [Alert policies in Microsoft 365](https://learn.microsoft.com/purview/alert-policies).
 
 For information about the parameter sets in the Syntax section below, see [Exchange cmdlet syntax](https://learn.microsoft.com/powershell/exchange/exchange-cmdlet-syntax).
 
 
@@ -74,6 +74,15 @@ New-TenantAllowBlockListItems -Allow -ListType Url -ListSubType AdvancedDelivery
 
 This example adds a URL allow entry for the specified third-party phishing simulation URL with no expiration. For more information, see [Configure the advanced delivery policy for third-party phishing simulations and email delivery to SecOps mailboxes](https://learn.microsoft.com/defender-office-365/advanced-delivery-policy-configure).
 
+### Example 4
+```powershell
+New-TenantAllowBlockListItems -Allow -ListType Url -Entries abcd.fabrikam.com -RemoveAfter 45
+```
+
+This example adds a URL allow entry for the specified domain with expiration as 45 days after last used date. This allow entry permits URLs identified as bulk, spam, high confidence spam, and phishing (not high confidence phishing).
+
+For URLs identified as malware or high-confidence phishing, you need to submit the URLs Microsoft to create allow entries. For instructions, see [Report good URLs to Microsoft](https://learn.microsoft.com/defender-office-365/submissions-admin#report-good-urls-to-microsoft).
+
 ## PARAMETERS
 
 ### -Entries
@@ -281,6 +290,8 @@ The RemoveAfter parameter enables the **Remove on** \> **45 days after last used
 
 The only valid value for this parameter is 45.
 
+You can use this parameter with the Allow switch when the ListType parameter value is Sender, FileHash, or Url.
+
 You can't use this parameter with the ExpirationDate or NoExpirationDate parameters.
 
 ```yaml
 
@@ -84,7 +84,7 @@ This switch applies to the entire organization. The Identity parameter is requir
 - Apart from the Identity parameter, this switch disregards other authentication policy parameters used in the same command. We recommend running separate commands for other authentication policy changes.
 - It might take up to 24 hours for the change to take effect across your entire organization.
 - Legacy Exchange tokens issued to Outlook add-ins before token blocking was implemented in your organization will remain valid until they expire.
-- Legacy Exchange tokens will eventually be blocked by default in all cloud-based organizations. For more information, see [Nested app authentication and Outlook legacy tokens deprecation FAQ](https://learn.microsoft.com/office/dev/add-ins/outlook/faq-nested-app-auth-outlook-legacy-tokens#what-is-the-timeline-for-shutting-down-legacy-exchange-online-tokens).
+- As of February 17 2025, legacy Exchange tokens are blocked by default in all cloud-based organizations. For more information, see [Nested app authentication and Outlook legacy tokens deprecation FAQ](https://learn.microsoft.com/office/dev/add-ins/outlook/faq-nested-app-auth-outlook-legacy-tokens#what-is-the-timeline-for-shutting-down-legacy-exchange-online-tokens).
 
 ```yaml
 Type: SwitchParameter
 
@@ -119,6 +119,38 @@ Set-AppRetentionCompliancePolicy -Identity "Regulation 563 Marketing" -Applicati
 
 This example adds a new user to the existing static scope retention policy named Regulation 563 Marketing that's set up for Teams private channels messages.
 
+### Example 2
+```powershell
+$stringJson = @"
+[{
+     'EmailAddress': 'SalesUser@contoso.onmicrosoft.com'
+}]
+"@
+Set-AppRetentionCompliancePolicy -Identity "Teams Private Channel Retention Policy" -AddExchangeLocationException  "SalesUser@contoso.onmicrosoft.com" -DeletedResources $stringJson
+```
+This example excludes the specified soft-deleted mailbox or mail user from the retention policy configured for Teams private channel messages. You can identify the deleted resources using the mailbox or mail user's email address.
+
+**IMPORTANT**: Before you run this command, make sure you read the Caution information for the [DeletedResources parameter](#-deletedresources) about duplicate SMTP addresses.
+
+Policy exclusions must remain within the supported limits for retention policies. For more information, see [Limits for Microsoft 365 retention policies and retention label policies](https://learn.microsoft.com/purview/retention-limits#maximum-number-of-items-per-policy).
+
+### Example 3
+```powershell
+$stringJson = @"
+[{
+     'EmailAddress': 'SalesUser1@contoso.onmicrosoft.com'
+},
+{
+     'EmailAddress': 'SalesUser2@contoso.onmicrosoft.com'
+}]
+"@
+Set-AppRetentionCompliancePolicy -Identity "Teams Private Chat Retention Policy" -AddExchangeLocationException "SalesUser1@contoso.onmicrosoft.com", "SalesUser2@contoso.onmicrosoft.com"  -DeletedResources $stringJson
+```
+
+This example is similar to Example 2, except multiple deleted resources are specified.
+
+**IMPORTANT**: Before you run this command, make sure you read the Caution information for the [DeletedResources parameter](#-deletedresources) about duplicate SMTP addresses.
+
 ## PARAMETERS
 
 ### -Identity
@@ -347,7 +379,15 @@ Accept wildcard characters: False
 ```
 
 ### -DeletedResources
-{{ Fill DeletedResources Description }}
+The DeletedResources parameter specifies the deleted mailbox or mail user to add as an exclusion to the respective location list. Use this parameter with the AddTeamsChatLocationException parameter for deleted mailboxes or mail users that need to be excluded from a Teams only retention policy.
+
+A valid value is a JSON string. Refer to the Examples section for syntax and usage examples of this parameter.
+
+For information about the inactive mailbox scenario, see [Learn about inactive mailboxes](https://learn.microsoft.com/purview/inactive-mailboxes-in-office-365).
+
+**CAUTION**: This parameter uses the SMTP address of the deleted mailbox or mail user, which might also be specified for other mailboxes or mail users. If you use this parameter without first taking additional steps, other mailboxes and mail users with the same SMTP address in the retention policy will also be excluded. To check for additional mailboxes or mail users with the same SMTP address, use the following command and replace *user@example.com* with the SMTP address to check: `Get-Recipient -IncludeSoftDeletedRecipients user@contoso.com |Select-Object DisplayName, EmailAddresses, Description, Alias, RecipientTypeDetails, WhenSoftDeleted`
+
+To prevent active mailboxes or mail users with the same SMTP address from being excluded, put the mailbox on [Litigation Hold](https://learn.microsoft.com/purview/ediscovery-create-a-litigation-hold) before you run the command with the DeletedResources parameter.
 
 ```yaml
 Type: String
 
@@ -73,6 +73,27 @@ The first four commands return the existing list of ARC sealers. The first ARC s
 
 The last two commands remove the seventh ARC sealer that's displayed in the list.
 
+### Example 4
+```powershell
+$arcSealer = 'fabrikam.com'
+$x = @(Get-ArcConfig | Select-Object -Expand ArcTrustedSealers)
+
+$y = @($x.Split(","))
+$DomainsRemove = [System.Collections.ArrayList]($y)
+$DomainsRemove.Remove($arcSealer)
+
+if ($DomainsToRemove.Count -eq 0) {        
+   Set-ArcConfig -Identity Default -ArcTrustedSealers " "
+   }
+else {
+   Set-ArcConfig -Identity Default -ArcTrustedSealers $DomainsRemove
+   }
+```
+
+This example removes the specified ARC sealer from the list (`$arcSealer`).
+
+If no other ARC sealers exist after removing this entry from the list, using the value `" "` for the ArcTrustedSealers parameter avoids a bind argument error if the `$DomainsToRemove` value is empty.
+
 ## PARAMETERS
 
 ### -Identity
@@ -99,9 +120,11 @@ The ArcTrustedSealers parameter specifies the domain name of the ARC sealers tha
 
 The domain name must match the domain that's shown in the `d` tag in the **ARC-Seal** and **ARC-Message-Signature** headers in affected email messages (for example, fabrikam.com). You can use Outlook to see these headers.
 
-To replace the existing list of ARC sealers with the values you specify, use the syntax `Domain1,Domain2,...DomainN`. To preserve existing values, be sure to include the file types that you want to keep along with the new values that you want to add.
+To replace the existing list of ARC sealers with the values you specify, use the syntax `Domain1,Domain2,...DomainN`. To preserve existing values, be sure to include the entries that you want to keep along with the new values that you want to add.
+
+To add or remove values without affecting the other entries, see the Examples section in this article.
 
-To add or remove file types without affecting the other file type entries, see the Examples section in this topic.
+To empty the list, use the value `" "` (a space enclosed in double quotation marks).
 
 ```yaml
 Type: String[]