Microsoft Roadmap, messagecenter en blogs updates van 25-08-2024

As communicated in MC805200 Microsoft Teams: Tenant Federation setting to control external access with trial-only tenants (June 2024), we introduced a new admin control to enable you to block external access (federation) with Teams trial-only tenants. Some malicious actors have used free Teams trials to launch phishing or abuse attacks against Teams users. With this setting you can add another layer of protection for users against some of these attacks.

Between June 2024 and August 2024, we provided a 45-day window to allow you to review and update the setting before enforcement began. Now, by default, this new setting will block external access with trial-only tenants and requires explicit action from you to continue to federate with trial tenants. 

[When this will happen:]

General Availability (Worldwide): Available now. Blocking or allowing external access with trial-only tenants with this setting was enabled August 15, 2024. If you missed MC805200, you can still manage the setting for your organization at any time.

[How this will affect your organization:]

Teams PowerShell now supports the new Tenant Federation setting -ExternalAccessWithTrialTenants with the values Allowed or Blocked. When set to Blocked, all external access with users from Teams subscriptions that contain only trial licenses will be blocked. This means users from these trial-only tenants will not be able to search or reach your users via chats, Teams calls, and meetings (using the users’ authenticated identity) and your users will not be able to reach users in these trial-only tenants. If this setting is set to Blocked, users from the trial-only tenant will also be removed from any existing chats. The default setting will be to block external access with trial-only tenants.

Important Notes

• A “trial-only” tenant is defined as a tenant with a Teams service plan that has only Trial subscriptions (0 purchased licenses).
• Shared Channels, Guest access and Anonymous Meeting joins will not be affected by this setting.
• This new setting only controls external communication with trial-only tenants within the same Microsoft 365 cloud environment. When enforcement starts, users from trial-only tenants in public clouds will be blocked by default from external communication with users in other Microsoft 365 cloud environments and with Microsoft Skype for Business server users. No admin control will exist to allow cross-cloud external communication with trial tenants.
• If your tenant has enabled Allow only specific domains and specified domains in the Allow list, and if -ExternalAccessWithTrialTenants is set to Blocked, trial-only tenants in the Allow list will be blocked. If this setting is set to Allowed, all domains in the Allow list will be allowed.
• If your tenant has enabled Block all external domains, the -ExternalAccessWithTrialTenants setting has no impact.
• If your tenant has enabled Block specific domains and specified domains in the Block list, and if the -ExternalAccessWithTrialTenants setting is set to Blocked, trial-only tenants not in the Block list will also be blocked. If set to Allowed, this setting has no impact.
• For two trial-only tenants to be able to federate, both of them need to have the -ExternalAccessWithTrialTenants set to Allowed.

[What you need to do to prepare:]

Review your settings for external access to determine if you need to change the default value for this new setting. To change this setting, install the latest PowerShell package (6.4.0) and use the Set-CsTenantFederationConfiguration command to set the desired value when the setting is available:

1. Download or upgrade to the latest PowerShell package: https://www.powershellgallery.com/packages/MicrosoftTeams/
2. To allow external communication with trial-only tenants, use this command: Set-CsTenantFederationConfiguration -ExternalAccessWithTrialTenants "Allowed"
3. To block external communication with trial-only tenants, use this command: Set-CsTenantFederationConfiguration -ExternalAccessWithTrialTenants "Blocked"

Learn more

• PowerShell cmdlet configuration: Set-CsTenantFederationConfiguration | Microsoft Learn
• Manage external communication: IT Admins – Manage external meetings and chat with people and organizations using Microsoft identities

You may want to notify your admins about this change and update any relevant documentation as appropriate.

Coming soon to Microsoft Viva Insights: We will improve sentiment insights by enabling users to view Microsoft Copilot for Microsoft 365 survey results from Viva Glint or Viva Pulse in the Microsoft Copilot Dashboard. Users can start a Pulse Copilot impact survey directly from the Copilot Dashboard and filter results to compare Copilot impact by attributes. Survey results will only be available for groups that meet the minimum privacy threshold set by Viva admins.

Only survey results that use the Microsoft Copilot impact template will be displayed. Learn more: Microsoft Copilot Impact Survey template in Viva Glint | Microsoft Learn

To access this feature, subscription plans for Microsoft Copilot for Microsoft 365 as well as Viva suite, Viva Glint, or Viva Pulse are required.

This message is associated with Microsoft 365 Roadmap ID 412358.

[When this will happen:]

General Availability (Worldwide): We will begin rolling out early September 2024 and expect to complete by mid-September 2024.

[How this will affect your organization:]

Before this rollout, Users enabled to view the Copilot Dashboard do not see survey results from the Pulse Copilot impact survey template or the Glint Copilot impact survey template and are not able to start a Pulse survey from the Copilot Dashboard.

After this rollout, users enabled to view the Copilot Dashboard will see these updates to the Impact tab of the Copilot Dashboard:

• A Start Pulse survey button will be available.
• Survey results from the Pulse Copilot impact survey template will be available.
• Survey results from the Glint Copilot impact survey template will be available, if the Glint admin selects the program to be sent to Viva Insights. Learn more about sending data from Glint to Insights: Export Viva Glint survey results to Viva Insights (preview) | Microsoft Learn.

This new feature is on by default.

Sentiment data in Copilot Dashboard:

[What you need to do to prepare:]

After this rollout, these existing admin controls will continue to be respected:

• If a user has not been provided access to the Microsoft Copilot Dashboard, this feature will be unavailable to them. Learn more: Manage settings for the Microsoft Copilot Dashboard | Microsoft Learn.
• If Viva Pulse or Viva Glint is not enabled for your organization, this feature will be unavailable.
• Privacy thresholds set by the Viva Insights admin or the (Glint/Pulse) survey admin will be respected in the Copilot Dashboard.

Review and assess the impact on your organization. This rollout will happen automatically by the specified date with no admin action required before the rollout. You may want to notify your users about this change and update any relevant documentation.

Note: A Microsoft Copilot for Microsoft 365 license is required to use this feature.

Coming soon to Microsoft Word: When you open a document, Microsoft Copilot will generate a summary in the Word window. You can hide the summary or open the Copilot chat pane to ask specific questions about the document.

This message applies to Word for Windows and Mac desktops.

This message is associated with Microsoft 365 Roadmap ID 399921.

[When this will happen:]

General Availability (Worldwide): We will begin rolling out late August 2024 and expect to complete by late September 2024.

[How this will affect your organization:]

Before this release: Copilot in Word does not provide a summary when a file is opened.

After this rollout, the Copilot in Word summary will appear at the top of the document. The user can collapse the summary if desired.

Copilot in Word summary with the View more button:

Copilot in Word summary fully expanded:

This feature is on by default and available to all Word users with a Copilot for Microsoft 365 license.

[What you need to do to prepare:]

This rollout will happen automatically by the specified date with no admin action required before the rollout. You may want to notify your users about this change and update any relevant documentation.

Before rollout, we will update this post with revised documentation.

As communicated in MC711020 Outlook: Outlook for web – new application ID (January 2024), Microsoft Outlook for the web is undergoing an authentication platform migration to a public client authentication model using MSAL (Microsoft Authentication Library). The change to client-side authentication will be subject to Google’s third-party cookie block that may be active in Chrome and Edge.

Google’s third-party cookie block impacts navigation to Microsoft Entra ID to perform silent single sign-on (SSO). To overcome this block, Outlook for the web will present a banner for the user to refresh their session. This will enable navigation to Entra ID to refresh their token. SSO-enabled Windows devices are expected to silently sign in users with SSO without requiring further interaction and will not display the banner. This issue affects Outlook for web users. It will not affect users of new Outlook for Windows, Outlook (classic), Outlook for Mac, Outlook Mobile for iOS and Outlook Mobile for Android.

[When this will happen:]

General Availability (Worldwide): We will begin rolling out late September 2024 and expect to complete by late December 2024.

General Availability (GCC, GCC High, DoD): We will begin rolling out late October 2024 and expect to complete by late December 2024.

[How this will affect your organization:]

Before this migration: Outlook for the web users were not affected by the third-party cookie block in Chrome and Edge and were able to stay signed in unless they signed out or were signed out due to inactivity.

After Outlook for the web migrates to MSAL, Outlook for the web users without device SSO who are using Google Chrome or Microsoft Edge and who have third-party cookie blocking enabled will start seeing the following if Outlook for the web is not able to silently sign in the user with SSO:

• Outlook for the web will display a red banner below the ribbon and require users to sign in when a session is open for more than 24 hours.
• Windowed (deep linked) Mail items and Calendar events will display a blocking dialog requesting users to return to Outlook for the web to sign in when the deep-linked item token expires.
• Independent of Outlook for the web’s migration to MSAL, Outlook for the web may include embedded experiences such as apps that may stop functioning due to the third-party cookie block. If this happens, the app may provide an app-specific experience to refresh their token. Alternatively, the user may be able to right-click the app to launch the app in a browser or can choose to refresh the entire Outlook for the web session.

Sign-in error message in red banner below the ribbon in Outlook for the web: “You need to sign in. Your session has expired. You may need to enable pop-ups in your browser for this site. Sign in to continue”:

Dialog box requesting users to sign in again:

The authentication rollout will be on by default.

[What you need to do to prepare:]

• In Chrome, enterprise administrators can reset the BlockThirdPartyCookies setting to avoid the block.
• Enterprise administrators can also enable SSO from their Windows devices or add the Microsoft Single Sign On extension for Chrome to ensure their users are not impacted.

This rollout will happen automatically by the specified date with no admin action required before the rollout. You may want to notify your users about this change and update any relevant documentation.