M365 Roundup, June 2025: Secure Defaults Tighten, Teams Finally Gets Threads
TL;DR
- Starting mid-July 2025, Microsoft 365 will block legacy browser authentication and require admin consent for third-party app access by default.
- Microsoft retires the Monitor action in Safe Attachments policies starting early July 2025 and will automatically convert Monitor to Block.
- Entra ID passkey profiles, arriving November 2025, let admins apply different FIDO2 and Authenticator passkey configurations per user group.
- Hotpatch becomes the default in Windows Autopatch Quality Update policies on June 23, 2025 for devices that meet the prerequisites.
- Threaded conversation layouts reach Microsoft Teams channels in mid-August 2025, convertible per channel by owners.
June 2025 is the month Microsoft starts making secure-by-default decisions for you. Legacy browser authentication gets blocked, third-party apps will need admin consent, and Safe Attachments policies lose their permissive Monitor mode whether you asked or not. None of these are bad changes. All of them are the kind that generate confused user tickets if you find out from the helpdesk queue instead of this list.
Here is everything from the June 2025 cycle worth your attention, ordered by how much it can bite an unprepared tenant.
The security changes that happen with or without you
Secure by default settings tighten. Microsoft 365 will update default settings to block legacy browser authentication and require admin consent for third-party app access.

Both are settings we would recommend anyway, but tenants with line-of-business apps that quietly self-consented will feel this one. Rollout runs mid-July 2025 through August 2025.
Safe Attachments loses its Monitor action. Microsoft Exchange Online Protection (Defender for Office 365) retires the Monitor action in Safe Attachments policies starting early July 2025 (previously late March) and ending by late August 2025 (previously late May). If a tenant has Safe Attachments set to Monitor, Microsoft will automatically change the action from Monitor to Block.

Block is where those policies belong. Just know which clients are getting flipped so the first quarantined attachment is not a mystery.
Passkey profiles arrive in the authentication methods policy. Entra ID is adding support for passkey profiles in preview, which means different passkey configurations per user group. For example, you will be able to allow specific FIDO2 security key models for user group A while allowing passkeys in Microsoft Authenticator for user group B. The settings will live at Microsoft 365 admin center > Home > Security > Authentication methods > Passkey (FIDO2) settings.

Expected November 2025. If passwordless rollouts have stalled on the all-or-nothing policy model, this is the unlock.
Intune: Hotpatch turns itself on June 23
Starting June 23, 2025, the Hotpatch setting will be enabled by default in Quality Update policies in Windows Autopatch. The change applies to devices that meet the Hotpatch prerequisites (opens in new tab). Specifically, the "When available, apply without restarting the device (Hotpatch)" option will be set to "Allow." Details are in Hotpatch updates on Microsoft Learn (opens in new tab).
Fewer reboots is a genuine win. Verify your update rings behave the way you documented them after the flip.
Outlook: encrypted email gets a confirmation step
New Outlook for Windows, Outlook on the web, and Outlook for iOS and Android will support a two-click view for encrypted emails, requiring user confirmation before the encrypted content opens. The experience is off by default.
Admins can find the TwoClickMailPreviewEnabled setting in the Microsoft Azure directory. It is a Boolean with default = 0, meaning disabled. Set value = 1 to enable it for all users in the tenant. You can also set it with the Set-OrganizationConfiguration cmdlet in Exchange Online PowerShell, covered in the Exchange Online PowerShell documentation (opens in new tab).

GA for commercial tenants runs mid-June 2025 through late June 2025 on iOS and Android.
Teams: threads, pop-out apps, and remote log collection
Threaded channels are real. After the rollout, users can create a new channel and select Layout > Threads, or channel owners can use Edit channel to convert an existing posts channel to the threads layout.


Rollout starts mid-August 2025 and completes by late August 2025.
Core apps pop out into their own windows. Users will be able to open Chat, Teams, and other essential apps in separate windows by selecting Open in new window from the app's context menu. Mid-September 2025 through early October 2025.

Admins can pull client logs remotely. A new Teams admin center capability lets administrators collect diagnostic logs from users' Teams clients on Windows and Mac without asking the user to do anything. Navigate to Manage users, select a user, and choose Request client logs from the Client health tab or the profile card. Collected logs can be downloaded, viewed, shared, or deleted. Late June 2025 through late July 2025. Anyone who has tried to talk an end user through manual log collection knows what this is worth.
Copilot: eight updates, mostly meetings and mobile
Voice conversations arrive in Copilot Chat. Users of the Microsoft 365 Copilot app on iOS will see a voice input icon in the bottom-right of the input box on the Copilot Chat web tab. Tapping it starts a spoken conversation with Copilot. Early July 2025 through early September 2025.

People Skills hits general availability with a new Skills agent. People Skills infers individual skillsets from user profile and activity, mapped to a customizable built-in skill taxonomy. That data layer fuels the Skills agent and enriches Copilot Chat, Microsoft 365, and Viva with context about the people in the organization. Full details in Microsoft's announcement (opens in new tab).
Custom dictionaries improve Teams transcripts. Tenant admins can upload a custom dictionary on the Copilot Settings page in the Microsoft 365 admin center, improving recognition of tenant-specific terminology in meeting transcripts. Both Copilot and Intelligent Recap benefit. Early July 2025 through mid-July 2025.

Agents join Teams meetings and 1-on-1 calls. Interactive agents are coming to meetings and calls, with group or private engagement, zero-state prompts, and history support. Before this rollout, only agents built on Microsoft Copilot supported sessions that remember context from earlier in the same session. After it, all agents from Microsoft 365 Copilot Chat and Microsoft Copilot Studio become available in meetings and calls, and developers can invite colleagues to test agents without touching sensitive data or production channels. Mid-June 2025 through late June 2025.

Meeting prep goes mobile. Copilot on mobile can summarize key meeting-related content, including emails, documents, action items, and previous meeting recaps, so users arrive prepared. Early July 2025 through late July 2025.

Email threads become meetings in one step. The new Schedule with Copilot option analyzes an email thread and creates a meeting invitation with the title and agenda pre-filled, the thread attached, and attendees pulled from the email. Review, edit, send. Early July 2025 through late August 2025.

Priority view lands in Outlook mobile. Users can enable it under Outlook Settings > Copilot > Prioritize > Priority view, choose one to three days of email to include, and pick all messages or unread only. Late June 2025 through late December 2025.

PowerPoint can reference Teams meetings. Users will be able to point Copilot at a Teams meeting when searching for source files to build a presentation. Late July 2025 through mid-August 2025.

Frequently asked questions
What changes with Microsoft 365 secure by default settings in July 2025?
Microsoft 365 will update tenant defaults to block legacy browser authentication and require admin consent before third-party apps can access company data. The rollout runs from mid-July 2025 through August 2025.
What happens to Safe Attachments policies set to Monitor?
Microsoft will automatically change the action from Monitor to Block as part of the retirement, which starts early July 2025 and completes by late August 2025. Review any tenant relying on Monitor before the switch happens for you.
When does Hotpatch become the default in Windows Autopatch?
On June 23, 2025 the Hotpatch setting flips to enabled by default in Quality Update policies. The option 'When available, apply without restarting the device (Hotpatch)' will be set to Allow on devices that meet the prerequisites.
Defaults are changing under your tenants right now
Monitor flips to Block, Hotpatch turns itself on, and secure defaults rewrite consent settings. CloudCapsule scans 250+ controls per tenant in 60 seconds so every silent change shows up as a finding, not a surprise.
Run a free scan
Written by
Nick Ross
CEO · Microsoft MVP · Founder, T-Minus 365
Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.
Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.
Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.


