Skip to main content

M365 Roundup, July 2025: Token Protection Comes to P1

Nick Ross7 min read

TL;DR

  • Token protection in Conditional Access policies became available to Entra ID P1 licenses in July 2025, previously a P2-only feature.
  • Defender for Office 365 shipped a new detection for mail bombing attacks that routes high-volume spam floods to Junk while honoring safe sender lists.
  • The Conditional Access Optimization Agent and Security Copilot in Microsoft Entra reached general availability in early July 2025.
  • Intune made LAPS generally available for macOS automated device enrollment, with admin passwords rotated automatically every six months.
  • Linkable token identifiers hit GA across Entra, Exchange, Graph, Teams, and SharePoint logs, letting responders trace a session across workloads from one authentication event.

July 2025's wave is a security month in disguise. The headline for MSPs is token protection in Conditional Access dropping from P2 to P1 licensing, but the same month brought mail-bombing detection in Defender for Office 365, GA for the Conditional Access Optimization Agent, linkable token identifiers across audit logs, and LAPS finally landing on macOS. The full month, grouped by what it touches.

Microsoft Teams logo

Teams: smaller notifications, saved messages, and join URL validation

Compact notifications for users

Windows users can choose between standard and compact toast notification sizes in Teams via Settings > Notifications > Choose Compact. The feature is off by default and must be enabled by the user; it is designed to improve focus and reduce screen clutter in high-notification environments. Rollout: mid-July 2025, completing by late July 2025.

Compact notification option in Teams settings

Save chats and channel messages for later

Users can save any message, whether a post, reply, or chat, and return to it from the Saved view in their Chat or Teams list. Clicking a saved message opens the full conversation in the right pane for review or response, no more scrolling through long threads to find that one answer. Rollout: late August 2025, completing by early September 2025.

Saved messages view in Microsoft Teams

A join bar for meetings you said yes to

A new in-context join experience surfaces meetings users RSVP'd to as Yes or Tentative. When a meeting is live, a banner appears with a direct join button; if multiple meetings are active, the banner shows the count with a View More option to pick one. Rollout: mid-July 2025 through late July 2025.

Meeting join bar banner in Teams

Teams meeting join URL validation

Microsoft is introducing validation of Teams meeting join URLs to ensure links are not altered or rewritten by security products in ways that render them unusable or flagged as malicious. Action items before the September 30, 2025 rollout:

  • Ensure your security products do not rewrite Teams meeting join URLs
  • Whitelist Teams join URLs in your security software
  • Review URL rewriting and inspection policies
  • Communicate the change to helpdesk and security teams

This one deserves a spot on the MSP checklist: email security tools that rewrite URLs are common in managed environments, and an unreviewed policy could start breaking meeting invites.

The new Workflows experience

The Workflows app, powered by Power Automate, helps users automate repetitive tasks across Teams and Microsoft 365: scheduling messages, managing approvals, syncing updates across apps, or triggering actions from chat messages, all built in a few clicks. Rollout: September 2025. More: Browse and add workflows in Microsoft Teams (opens in new tab).

New Workflows experience in Teams

Teams Premium: SMS appointment reminders reach Australia

Organizers with a Teams Premium license will be able to send SMS appointment notifications to Australian phone numbers using Microsoft Bookings, the Virtual Appointment meeting template, and other Teams experiences. Existing SMS behavior is unchanged. Rollout: late July 2025, completing by early August 2025. More: Use SMS text messages to remind customers of their appointments (opens in new tab).

SMS appointment notification in Teams

Accent colors for the Teams shell

Users can personalize Teams by choosing an accent color under Settings > Appearance. Rollout: late July 2025, completing by late August 2025.

Teams accent color options in appearance settings
Exchange and Outlook logo

Outlook: three nudges that prevent embarrassing sends

Large audience warnings on iOS and Android

Users get a warning when about to email a large number of recipients, a prompt to reconsider wording, tone, and content before the message goes wide. Rollout: early May 2025 (previously mid-April), completing by early July 2025 (previously early June).

Large audience warning in Outlook mobile

Unverified sender banner in the mobile reading pane

When an email arrives from an unverified sender, Outlook Mobile shows a banner in the reading pane explaining why the sender is flagged and warning about potential impersonation. It complements the existing safety messages: "External sender," "Not on safe senders list," and "You don't often get email from this sender." Rollout: mid-July 2025, completing by mid-August 2025.

Report junk and unsubscribe in one action

When users report an email as junk, they now see an unsubscribe option if the sender supports it, cutting unwanted mail off at the source and keeping blocked sender lists from bloating. Rollout: mid-July 2025, completing by late July 2025.

Entra ID logo

Entra: Authenticator backup goes native on iOS

Starting in September 2025, Microsoft Authenticator on iOS gains a more secure backup and restore experience using iCloud and iCloud Keychain. The update removes the requirement for a Microsoft personal account to back up account names and third-party TOTP credentials, simplifying setup on new devices.

Authenticator backup experience on iOS
Authenticator restore flow using iCloud Keychain
Microsoft Intune logo

Intune: LAPS for macOS and four more quality-of-life wins

Hotpatching arrives on Arm64

Security updates without a restart are now available for Windows 11, version 24H2 Arm64 devices. Check prerequisites, disable Compiled Hybrid PE (CHPE), and enroll the devices into a quality update policy with hotpatching enabled.

LAPS for macOS goes GA

Local Admin Password Solution (LAPS) integration is now generally available for macOS automated device enrollment. When organizations configure a macOS ADE profile, Intune can provision new enrollments with a local administrator account carrying a strong, encrypted, randomized password that rotates automatically every six months, alongside a standard user account configured to the admin's naming conventions. Full announcement: What's new in Microsoft Intune, July 2025 (opens in new tab).

Real-time visibility into Apple device updates

Mac admins have long asked for live update progress tracking. Enhanced software update reporting built on declarative device management (DDM) lets admins check update progress in real time, see failures with better detail, and understand user interactions with updates. Devices proactively report status through each stage, from download through installation, without manual check-ins. Full article: Apple software update reporting per device (opens in new tab).

Real-time Apple device update reporting in Intune

Wildcard support for Endpoint Privilege Management

Windows admins lose hours rewriting elevation rules every time an installer or updater rolls to a new build. EPM for Windows endpoints now supports wildcards to match dynamic file names or version patterns, so one rule survives version bumps instead of being recreated for every executable.

Per-platform device cleanup rules

Device cleanup now supports per-platform rules, with different criteria for Windows, iOS/iPadOS, macOS, and Android. Audit logs track which devices were concealed by cleanup rules, giving full visibility into device hygiene processes.

Microsoft Copilot logo

Copilot: the security agents go GA

Conditional Access Optimization Agent and Security Copilot in Entra reach GA

Two significant identity AI releases hit general availability:

  • Conditional Access Optimization Agent. Scans the tenant daily for policy gaps as new users and applications come online, offering precise one-click remediations to keep policies current without the overhead.
  • Security Copilot in Microsoft Entra. Investigate threats, manage the identity lifecycle of employees and guests, and take action across users, apps, and access using natural language, no custom queries or scripts.

Rollout: early July 2025, completing by early September 2025. Full announcement: Smarter identity security starts with AI (opens in new tab).

Security Copilot in Intune goes GA

Security Copilot in Intune embeds generative AI directly into Intune workflows, changing how IT teams plan, troubleshoot, and optimize device configurations. Deep dive: Security Copilot in Intune, part 3 (opens in new tab).

Copilot Notebooks in OneNote

Copilot Notebooks bring AI-powered notebooks into OneNote: collect Copilot chats, Word documents, PowerPoint decks, Excel files, and more into a single focused space, then ask Copilot questions grounded in that collected content for tailored answers, summaries, and insights. Status: GA. Announcement: Introducing Copilot Notebooks (opens in new tab).

Copilot Notebooks in OneNote

Intelligent recap learns to see shared screens

Visual Insight extends Teams intelligent meeting recap to incorporate content shared on screen into the post-meeting AI summary, capturing details shown during screen shares so unspoken insights make the recap. Rollout: mid-September 2025, completing by late September 2025.

Visual Insight in Teams intelligent meeting recap

New policy controls the Copilot Chat button in Edge for Business

Starting in August 2025, Edge for Business supports the Microsoft365CopilotChatIconEnabled policy, letting administrators control the visibility of the Microsoft 365 Copilot Chat button in the Edge toolbar. Rollout: early July 2025, completing by late July 2025.

Copilot Chat button policy in Edge for Business

Researcher agent comes to Word

The Researcher agent is rolling out in Microsoft Word for Microsoft 365 Copilot licensed users, combining OpenAI's deep research model with Copilot's orchestration and search to run complex, multi-step research across work and web data. Rollout: August 18, 2025 (previously July 16), completing by September 1, 2025 (previously July 28).

Researcher agent in Microsoft Word
Microsoft 365 admin logo

Admin and security: the three items that matter most this month

Linkable token identifiers reach GA

Linkable token identifiers let you trace a user's session across workloads from a specific authentication event, a meaningful upgrade for incident response and anomaly detection against threats like remote phishing and malware. They are now available in:

  • Microsoft Entra sign-in logs
  • Microsoft Exchange Online audit logs
  • Microsoft Graph activity logs
  • Microsoft Teams audit logs
  • Microsoft SharePoint Online audit logs

Full article: Strengthen identity threat detection and response with linkable token identifiers (opens in new tab).

Token protection lands on Entra ID P1

Token protection in Conditional Access policies, previously limited to P2, is now available to Entra ID P1 licenses. Given how much of the SMB market sits on Business Premium (which includes P1), this quietly expands who can bind tokens against theft and replay. More: Microsoft Makes Token Protection Available for Entra ID P1 Licenses (opens in new tab).

Defender for Office 365 gets mail-bombing detection

Victims of mail bombing have historically resorted to hand-built mail flow rules. Defender for Office 365 now ships a durable block that limits the influx by intelligently tracking message volumes across sources and time intervals, using the sender's historical patterns and spam-content signals. Mail bombs land in the Junk folder instead of the inbox, and Outlook safe sender lists continue to be honored so trusted mail is not swept up as a false positive. Status: GA. Announcement: Protection against email bombs with Microsoft Defender for Office 365 (opens in new tab).

Every monthly wave is a fresh chance to drift

New defaults, new policies, new licensing lines. CloudCapsule rechecks 250+ Microsoft 365 controls per tenant in about 60 seconds, so July's changes do not quietly undo June's hardening.

Run a free scan
Nick Ross

Written by

Nick Ross

CEO · Microsoft MVP · Founder, T-Minus 365

Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.

Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.

Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.

Keep reading