Merge branch 'main' into patch-3

Author: vijurtse

.github/workflows/AutoIssueAssign.yml

@@ -0,0 +1,25 @@
+name: (Scheduled) Auto issue assign
+
+permissions:
+  issues: write
+      
+on:
+  schedule:
+    - cron: "0 17 * * *"
+
+  workflow_dispatch:
+  
+
+jobs:
+
+  stale-branch:
+    if: github.repository_owner == 'MicrosoftDocs'
+    uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-AutoIssueAssign.yml@workflows-prod
+    with:
+        PayloadJson: ${{ toJSON(github) }}
+        ExcludedUserList: '["user1", "user2"]'
+
+    secrets:
+        AccessToken: ${{ secrets.GITHUB_TOKEN }}
+        PrivateKey: ${{ secrets.M365_APP_PRIVATE_KEY }}
+        ClientId: ${{ secrets.M365_APP_CLIENT_ID }}

.github/workflows/AutoPublish.yml

@@ -1,3 +1,4 @@
+
 name: (Scheduled) Publish to live
 
 permissions:
@@ -7,8 +8,8 @@ permissions:
 
 on:
   schedule:
-    # - cron: "25 2,5,8,11,14,17,20,22 * * *" # Times are UTC based on Daylight Saving Time (~Mar-Nov). Scheduling at :25 to account for queuing lag.
-    - cron: "25 3,6,9,12,15,18,21,23 * * *" # Times are UTC based on Standard Time (~Nov-Mar). Scheduling at :25 to account for queuing lag.
+    - cron: "25 2,5,8,11,14,17,20,22 * * *" # Times are UTC based on Daylight Saving Time (~Mar-Nov). Scheduling at :25 to account for queuing lag.
+    # - cron: "25 3,6,9,12,15,18,21,23 * * *" # Times are UTC based on Standard Time (~Nov-Mar). Scheduling at :25 to account for queuing lag.
 
   workflow_dispatch:
 
@@ -25,4 +26,4 @@ jobs:
     secrets:
         AccessToken: ${{ secrets.GITHUB_TOKEN }}
         PrivateKey: ${{ secrets.M365_APP_PRIVATE_KEY }}
-        ClientId: ${{ secrets.M365_APP_CLIENT_ID }}
+        ClientId: ${{ secrets.M365_APP_CLIENT_ID }}

exchange/docfx.json

@@ -78,7 +78,7 @@
       "uhfHeaderId": "MSDocsHeader-M365-IT",
       "author": "chrisda",
       "ms.author": "chrisda",
-      "manager": "serdars",
+      "manager": "bagol",
       "ms.date": "09/25/2017",
       "ms.topic": "reference",
       "ms.service": "exchange-powershell",
@@ -88,16 +88,28 @@
       ],
       "ms.devlang": "powershell",
       "feedback_system": "Standard",
-            "feedback_product_url": "https://github.com/MicrosoftDocs/office-docs-powershell/issues"
+      "feedback_product_url": "https://github.com/MicrosoftDocs/office-docs-powershell/issues"
     },
     "fileMetadata": {
       "apiPlatform": {
         "exchange-ps/exchange/**/*.yml": [
           "powershell"
+        ],
+        "contributors_to_exclude": [
+          "aditisrivastava07",
+          "AGuentherinWA",
+          "claydetels19",
+          "dstrome",
+          "garycentric",
+          "padmagit77",
+          "rjagiewich",
+          "Ruchika-mittal01",
+          "Shipra-M09",
+          "techtoons"
         ]
       }
     },
     "template": [],
     "dest": "exchange-ps"
   }
-}
+}

exchange/docs-conceptual/app-only-auth-powershell-v2.md

@@ -1,27 +1,22 @@
 ---
 title: App-only authentication in Exchange Online PowerShell and Security & Compliance PowerShell
-ms.author: chrisda
-author: chrisda
-manager: orspodek
-ms.date: 12/05/2025
+ms.date: 03/11/2026
 ms.audience: Admin
-audience: Admin
 ms.topic: article
 ms.service: exchange-online
 ms.reviewer:
 ms.localizationpriority: high
 ms.collection: Strat_EX_Admin
 ms.custom:
 ms.assetid:
-search.appverid: MET150
 description: "Learn how to configure app-only authentication (also known as certificate based authentication or CBA) using the Exchange Online PowerShell V3 module in scripts and other long-running tasks."
 ---
 
 # App-only authentication for unattended scripts in Exchange Online PowerShell and Security & Compliance PowerShell
 
 Auditing and reporting scenarios in Microsoft 365 often involve unattended scripts in Exchange Online PowerShell and Security & Compliance PowerShell. In the past, unattended sign in required you to store the username and password in a local file or in a secret vault accessed at run-time. But, as we all know, storing user credentials locally isn't a good security practice.
 
-Certificate based authentication (CBA) or app-only authentication as described in this article supports unattended script and automation scenarios by using Microsoft Entra apps and self-signed certificates.
+Certificate based authentication (CBA) or app-only authentication as described in this article supports unattended script and automation scenarios by using Microsoft Entra apps and certificates.
 
 > [!NOTE]
 >
@@ -154,22 +149,20 @@ For a detailed visual flow about creating applications in Microsoft Entra ID, se
 
    An application object has the **Delegated** API permission **Microsoft Graph** \> **User.Read** by default. For the application object to access resources in Exchange, it needs the **Application** API permission **Office 365 Exchange Online** \> **Exchange.ManageAsApp**.
 
-3. [Generate a self-signed certificate](#step-3-generate-a-self-signed-certificate)
+3. [Generate a certificate](#step-3-generate-a-certificate)
 
    - For app-only authentication in Microsoft Entra ID, you typically use a certificate to request access. Anyone who has the certificate and its private key can use the app with the permissions granted to the app.
 
-   - Create and configure a self-signed X.509 certificate, which is used to authenticate your Application against Microsoft Entra ID, while requesting the app-only access token.
+   - Create and configure an X.509 certificate, which is used to authenticate your Application against Microsoft Entra ID, while requesting the app-only access token. The certificate can be self-signed.
 
-   - This procedure is similar to generating a password for user accounts. The certificate can be self-signed as well. See [this section](#step-3-generate-a-self-signed-certificate) later in this article for instructions to generate certificates in PowerShell.
+   - This procedure is similar to generating a password for user accounts. See [this section](#step-3-generate-a-certificate) later in this article for instructions to generate certificates in PowerShell.
 
      > [!NOTE]
-     > Cryptography: Next Generation (CNG) certificates aren't supported for app-only authentication with Exchange. CNG certificates are created by default in modern versions of Windows. You must use a certificate from a CSP key provider. [This section](#step-3-generate-a-self-signed-certificate) section covers two supported methods to create a CSP certificate.
+     > Cryptography: Next Generation (CNG) certificates aren't supported for app-only authentication with Exchange. CNG certificates are created by default in modern versions of Windows. You must use a certificate from a CSP key provider. [This section](#step-3-generate-a-certificate) section covers two supported methods to create a CSP certificate.
 
 4. [Attach the certificate to the Microsoft Entra application](#step-4-attach-the-certificate-to-the-microsoft-entra-application)
 
-5. [Assign Microsoft Entra roles to the application](#step-5-assign-microsoft-entra-roles-to-the-application)
-
-   The application needs to have the appropriate RBAC roles assigned. Because the apps are provisioned in Microsoft Entra ID, you can use any of the supported built-in roles.
+5. [Assign roles permissions to the application](#step-5-assign-role-permissions-to-the-application)
 
 ### Step 1: Register the application in Microsoft Entra ID
 
@@ -339,27 +332,36 @@ Choose **one** of the following methods in this section to assign API permission
 
 6. Close the current **API permissions** page (not the browser tab) to return to the **App registrations** page. You use the **App registrations** page in an upcoming step.
 
-### Step 3: Generate a self-signed certificate
+<a name="step-3-generate-a-self-signed-certificate"></a>
 
-Create a self-signed x.509 certificate using one of the following methods:
+### Step 3: Generate a certificate
 
-- (Recommended) Use the [New-SelfSignedCertificate](/powershell/module/pki/new-selfsignedcertificate), [Export-Certificate](/powershell/module/pki/export-certificate), and [Export-PfxCertificate](/powershell/module/pki/export-pfxcertificate) cmdlets in an elevated (run as administrator) Windows PowerShell session to request a self-signed certificate and export it to `.cer` and `.pfx` (SHA1 by default). For example:
+> [!NOTE]
+> Cryptography: Next Generation (CNG) certificates aren't supported for app-only authentication as described in this article. CNG certificates are created by default in modern Windows versions. You need to use a certificate from a CSP key provider.
+>
+> You can use a self-signed certificate, a certificate issued by an internal public key infrastructure or PKI (for example, Active Directory Certificate Services or AD CS), or a certificate issued by a trusted commercial certificate authority (CA).
+>
+> The only requirements for the X.509 certificate are an exportable and available private key (.pfx) and public certificate (.cer).
 
-  ```powershell
-  # Create certificate
-  $mycert = New-SelfSignedCertificate -DnsName "contoso.org" -CertStoreLocation "cert:\CurrentUser\My" -NotAfter (Get-Date).AddYears(1) -KeySpec KeyExchange
+For a **self-signed certificate**, use one of the following methods:
 
-  # Export certificate to .pfx file
-  $mycert | Export-PfxCertificate -FilePath mycert.pfx -Password (Get-Credential).password
+- (Recommended): Use the [New-SelfSignedCertificate](/powershell/module/pki/new-selfsignedcertificate), [Export-Certificate](/powershell/module/pki/export-certificate) and [Export-PfxCertificate](/powershell/module/pki/export-pfxcertificate) cmdlets in an elevated PowerShell session (a PowerShell window you opened after selecting **Run as administrator**) to request a self-signed certificate and export the certificate's private and public keys to files (SHA1 by default). For example:
 
-  # Export certificate to .cer file
-  $mycert | Export-Certificate -FilePath mycert.cer
-  ```
+    ```powershell
+    # Create a self-signed certificate
+    $mycert = New-SelfSignedCertificate -DnsName "contoso.org" -CertStoreLocation "cert:\CurrentUser\My" -NotAfter (Get-Date).AddYears(1) -KeySpec KeyExchange
+
+    # Export the X.509 certificate and the associated private key to a password-protected .pfx file
+    $mycert | Export-PfxCertificate -FilePath mycert.pfx -Password (Get-Credential).password
+
+    # Export the X.509 public certificate to a .cer file
+    $mycert | Export-Certificate -FilePath mycert.cer
+    ```
 
 - Use the [Create-SelfSignedCertificate script](https://github.com/SharePoint/PnP-Partner-Pack/blob/master/scripts/Create-SelfSignedCertificate.ps1) script to generate SHA1 certificates.
 
   ```powershell
-  .\Create-SelfSignedCertificate.ps1 -CommonName "MyCompanyName" -StartDate 2021-01-06 -EndDate 2022-01-06
+  .\Create-SelfSignedCertificate.ps1 -CommonName "MyCompanyName" -StartDate 2026-01-06 -EndDate 2027-01-06
   ```
 
 ### Step 4: Attach the certificate to the Microsoft Entra application
@@ -380,12 +382,10 @@ After you register the certificate with your application, you can use the privat
 
    ![Select Upload certificate on the Certificates & secrets page.](media/exo-app-only-auth-select-upload-certificate.png)
 
-   In the dialog that opens, browse to the self-signed certificate (`.cer` file) that you created in [Step 3](#step-3-generate-a-self-signed-certificate).
+   In the **Upload certificate** flyout that opens, browse to the public certificate (`.cer` file) you exported in [Step 3](#step-3-generate-a-certificate), and then select **Add**.
 
    ![Browse to the certificate and then select Add.](media/exo-app-only-auth-upload-certificate-dialog.png)
 
-   When you're finished, select **Add**.
-
    The certificate is now shown in the **Certificates** section.
 
    ![Application page showing that the certificate was added.](media/exo-app-only-auth-certificate-successfully-added.png)
@@ -404,19 +404,28 @@ If you made the application multitenant for **Exchange Online** delegated scenar
 
 For more information about the URL syntax, see [Request the permissions from a directory admin](/entra/identity-platform/v2-admin-consent#request-the-permissions-from-a-directory-admin).
 
-### Step 5: Assign Microsoft Entra roles to the application
+<a name="step-5-assign-microsoft-entra-roles-to-the-application"></a>
+
+### Step 5: Assign role permissions to the application
+
+You have the following options:
+
+- [Option 1: Assign Microsoft Entra roles to the application](#option-1-assign-microsoft-entra-roles-to-the-application): Use built-in Microsoft Entra roles to grant all permissions of the role. You can't customize or scope these roles.
+
+- [Option 2: Assign custom role groups to the application using service principals](#option-2-assign-custom-role-groups-to-the-application-using-service-principals): We recommend this option in the following scenarios:
+  - You need to restrict the available commands in your application.
+  - You need to use a Write scope to limit which recipients can be modified.
 
-You have two options:
+- <u>Option 3: Combine Microsoft Entra roles with custom role groups</u>: RBAC combines permissions from all sources. We recommend this method to extend the capabilities of a built-in Microsoft Entra role. For example, you can extend the capabilities of the **Exchange Recipient Administrator** role by granting extra permissions from a custom role.
 
-- **Assign Microsoft Entra roles to the application**
-- **Assign custom role groups to the application using service principals**: This method is supported only when you connect to Exchange Online PowerShell or Security & Compliance PowerShell in [REST API mode](exchange-online-powershell-v2.md#rest-api-connections-in-the-exo-v3-module). Security & Compliance PowerShell supports REST API mode in v3.2.0 or later.
+These options are described in the following subsections.
 
 > [!NOTE]
-> You can also combine both methods to assign permissions. For example, you can use Microsoft Entra roles for the "Exchange Recipient Administrator" role and also assign your custom RBAC role to extend the permissions.
->
 > For multitenant applications in **Exchange Online** delegated scenarios, you need to assign permissions in each customer tenant.
 
-#### Assign Microsoft Entra roles to the application
+<a name="assign-microsoft-entra-roles-to-the-application"></a>
+
+#### Option 1: Assign Microsoft Entra roles to the application
 
 The supported Microsoft Entra roles are described in the following table:
 
@@ -487,12 +496,12 @@ For general instructions about assigning roles in Microsoft Entra ID, see [Assig
 
      ![The role assignments page after to added the app to the role for Security & Compliance PowerShell.](media/exo-app-only-auth-app-assigned-to-role-scc.png)
 
-#### Assign custom role groups to the application using service principals
+<a name="assign-custom-role-groups-to-the-application-using-service-principals"></a>
+
+#### Option 2: Assign custom role groups to the application using service principals
 
 > [!NOTE]
 > You need to connect to Exchange Online PowerShell or Security & Compliance PowerShell _before_ completing steps to create a new service principal. Creating a new service principal without connecting to PowerShell doesn't work (your Azure App ID and Object ID are needed to create the new service principal).
->
-> This method is supported only when you connect to Exchange Online PowerShell or Security & Compliance PowerShell in [REST API mode](exchange-online-powershell-v2.md#rest-api-connections-in-the-exo-v3-module). Security & Compliance PowerShell supports REST API mode in v3.2.0 or later.
 
 For information about creating custom role groups, see [Create role groups in Exchange Online](/exchange/permissions-exo/role-groups#create-role-groups) and [Create Email & collaboration role groups in the Microsoft Defender portal](/defender-office-365/mdo-portal-permissions#create-email--collaboration-role-groups-in-the-microsoft-defender-portal). The custom role group that you assign to the application can contain any combination of built-in and custom roles.
 

exchange/docs-conceptual/cmdlet-property-sets.md

@@ -1,19 +1,13 @@
 ---
 title: Property sets in Exchange Online PowerShell module cmdlets
-ms.author: chrisda
-author: chrisda
-manager: orspodek
 ms.date: 9/1/2023
 ms.audience: Admin
-audience: Admin
 ms.topic: article
-ms.service: exchange-powershell
 ms.reviewer:
 ms.localizationpriority: high
 ms.collection: Strat_EX_Admin
 ms.custom:
 ms.assetid:
-search.appverid: MET150
 description: "Admins can lear about the property sets that are available in the nine exclusive Get-EXO cmdlets in the Exchange Online PowerShell V2 module and V3 module."
 ---
 

exchange/docs-conceptual/connect-exo-powershell-managed-identity.md

@@ -1,19 +1,14 @@
 ---
 title: Use Azure managed identities to connect to Exchange Online PowerShell
-ms.author: chrisda
-author: chrisda
-manager: orspodek
 ms.date: 8/24/2023
 ms.audience: Admin
-audience: Admin
 ms.topic: article
 ms.service: exchange-online
 ms.reviewer:
 ms.localizationpriority: high
 ms.collection: Strat_EX_Admin
 ms.custom:
 ms.assetid:
-search.appverid: MET150
 description: "Learn about using the Exchange Online PowerShell V3 module and Azure managed identity to connect to Exchange Online PowerShell."
 ---
 

exchange/docs-conceptual/connect-to-exchange-online-powershell.md

@@ -1,18 +1,13 @@
 ---
 title: Connect to Exchange Online PowerShell
-author: chrisda
-manager: orspodek
 ms.date: 07/11/2025
 ms.audience: Admin
-audience: Admin
 ms.topic: article
-ms.service: exchange-powershell
 ms.reviewer:
 ms.localizationpriority: high
 ms.collection: Strat_EX_Admin
 ms.custom:
 ms.assetid:
-search.appverid: MET150
 description: "Learn how to use the Exchange Online PowerShell V3 module to connect to Exchange Online PowerShell with modern authentication and/or multifactor authentication (MFA)."
 ---
 

exchange/docs-conceptual/connect-to-exchange-servers-using-remote-powershell.md

@@ -1,13 +1,8 @@
 ---
 title: "Connect to Exchange servers using remote PowerShell"
-ms.author: chrisda
-author: chrisda
-manager: orspodek
 ms.date: 01/23/2026
 ms.audience: ITPro
-audience: ITPro
 ms.topic: article
-ms.service: exchange-powershell
 ms.localizationpriority: high
 ms.collection: Strat_EX_Admin
 ms.custom:

exchange/docs-conceptual/connect-to-exo-powershell-c-sharp.md

@@ -1,19 +1,14 @@
 ---
 title: Use C# to connect to Exchange Online PowerShell
-ms.author: chrisda
-author: chrisda
-manager: orspodek
 ms.date: 8/21/2023
 ms.audience: Admin
-audience: Admin
 ms.topic: article
 ms.service: exchange-online
 ms.reviewer:
 ms.localizationpriority: high
 ms.collection: Strat_EX_Admin
 ms.custom:
 ms.assetid:
-search.appverid: MET150
 description: "Learn about using the Exchange Online PowerShell V3 module and C# to connect to Exchange Online."
 ---
 

exchange/docs-conceptual/connect-to-scc-powershell.md

@@ -1,18 +1,13 @@
 ---
 title: Connect to Security & Compliance PowerShell
-author: chrisda
-manager: orspodek
 ms.date: 12/05/2025
 ms.audience: Admin
-audience: Admin
 ms.topic: article
-ms.service: exchange-powershell
 ms.reviewer:
 ms.localizationpriority: high
 ms.collection: Strat_EX_Admin
 ms.custom:
 ms.assetid:
-search.appverid: MET150
 description: "Learn how to use the Exchange Online PowerShell V3 module to connect to Security & Compliance PowerShell with modern authentication and/or multifactor authentication (MFA)."
 ---