Skip to main content

M365 Roundup, October 2023: Just-in-Time Access Grows Up, Server 2012 Clocks Out

Nick Ross5 min read

TL;DR

  • Privileged Identity Management now supports just-in-time membership for security and Microsoft 365 groups, with Conditional Access authentication context enforceable on role activation, both requiring Entra ID P2.
  • The Microsoft Graph Activity Log, in public preview as of October 2023, records every Graph API read, write, and delete, closing the gap between sign-in logs and audit logs during investigations.
  • Entra ID Governance access reviews can now detect inactive accounts, flagging users with no sign-in for 90 days or more.
  • Windows Server 2012 R2 reached end of support on October 10, 2023, with Extended Security Updates purchasable annually until October 13, 2026.
  • Microsoft 365 Business Premium jumps from 5 to 100 Universal Print jobs per license per month starting November 14, 2023, pooled across licensed users.

October 2023 belongs to identity governance. PIM learned to grant group membership just in time and to demand Conditional Access conditions before a role activates, Graph API calls became fully loggable, and access reviews learned to spot accounts nobody has signed into for 90 days. Around the edges: Windows Server 2012 R2 left support for good, Microsoft started enforcing PIN verification on support calls, and Teams shipped its usual armful. Here it all is, grouped by product.

Entra ID logo

Entra ID: the identity governance month

PIM adds just-in-time groups and Conditional Access enforcement

Requires Entra ID P2 licensing.

The new just-in-time group membership capability extends least privilege to any resource that supports security group or Microsoft 365 group assignment: Microsoft Entra roles, Azure resource roles, Microsoft Intune, and non-Microsoft application roles and services. IT admins, developers, and security staff activate a group membership once and get access to all defined resources precisely when they need it.

The Conditional Access side is just as useful: authentication context lets you apply granular policies to sensitive actions, beyond app-level policies, and combining it with PIM means role activations can carry their own requirements. Scenarios customers used during the public preview:

  • Requiring strong modern authentication methods via Conditional Access authentication strengths
  • Requiring a compliant device for role activation
  • Validating the user's location through GPS-based named locations
  • Blocking activation for risky users using Microsoft Entra ID Protection

Now generally available. Full announcement: Just-in-time access to groups and Conditional Access integration in Privileged Identity Management (opens in new tab)

PIM group membership activation settings
Conditional Access authentication context applied to PIM role activation

Graph API calls are now loggable: public preview

Sign-in logs show authentication, audit logs show resource changes, and until now the middle was dark. The Microsoft Graph Activity Log fills it, recording API request activity (reads, writes, and deletes) along with request and client application details, so you can trace from token request to API call to the eventual resource change. Common use cases:

  • Identifying the activities a compromised user account conducted in your tenant
  • Building detections and behavioral analysis for suspicious Graph usage, such as an application enumerating all users or probing with many 403 errors
  • Investigating unexpected or unnecessarily privileged application permission assignments
  • Identifying problem client behaviors like call volumes that exhaust tenant rate limits

Full announcement: Microsoft Graph Activity Log is now available in public preview (opens in new tab)

Microsoft Graph Activity Log entries showing API request details

Access reviews learn to flag inactive accounts

Requires Entra ID P2 licensing.

Inactive accounts pile up for predictable reasons: former employees, service providers, and service accounts tied to products or services. An account inactive for 90 days or more tends to stay that way, and every one of them is unreviewed attack surface. Entra ID Governance access reviews can now detect inactive accounts directly, putting the cleanup on a schedule instead of a someday list.

Configuring an access review scoped to inactive users
Access review results identifying inactive accounts

Full guide: Step-by-step guide to identify inactive users by using Microsoft Entra ID Governance access reviews (opens in new tab)

Microsoft Teams logo

Teams: eight changes, from forwarding to encryption

Forward messages between chats

Users will be able to send chat messages from one chat to another: 1:1 chats, group chats, and meeting chats, with the option to add extra context for the recipient. Rolling out across Teams desktop, web, and mobile in mid-January 2024.

Forwarding a message from a Teams chat
Forwarded message with added context in Teams

Private teams become discoverable, on the admin's terms

An admin-only control makes all, or label-based, private teams discoverable through the "Join team gallery," for all or scoped end users, with a simple toggle. Users who find a private team still need owner approval to join. Rollout: early January 2024, completing by mid-January 2024.

Chat button on missed calls

A chat button appears on missed call activity so users can reply by message instead of calling back. Rollout: late November, completing by early December.

AI-generated backgrounds for channel announcements

Announcement posts get custom backgrounds generated by Microsoft Designer. The old Channels 1.0 complaint was hunting for the right image and fighting banner sizing; now users can start from an image, an idea, or nothing at all. Rollout: early November, completing by mid-November.

Generating an announcement background with Microsoft Designer in Teams
Custom announcement post background in a Teams channel

Out of Office from Teams mobile

Mobile users can set Out of Office with an autoreply from the Teams iOS or Android app: tap the avatar, then Out of Office. Rollout: mid-October 2023, completing by late October 2023.

Setting Out of Office from the Teams mobile app

Quick Capture on mobile, with labels enforced

Meeting content usually escapes through OS-level screenshots or buried recordings. Quick Capture lets users screenshot, annotate, and add text to content, then save or share inside or outside Teams, with sensitivity labels ensuring only content allowed to be saved or shared gets out. Rollout: early November 2023, completing by late November 2023.

Quick Capture annotation tools in Teams mobile

End-to-end encrypted meetings scale to 200 participants

For meetings needing heightened confidentiality, E2EE encrypts at origin and decrypts at destination. The limit launched at 50 participants in February 2023 and now rises to 200. Scope unchanged: only audio, video, and video-based screen sharing are end-to-end encrypted; apps, avatars, reactions, chat, and Q&A are not. Rollout: late October, completing by early November. More information: Use end-to-end encryption for Teams meetings (opens in new tab)

End-to-end encryption indicator in a Teams meeting

Loop components reach channels

The collaborative Loop components from Teams chats are coming to channels: create, share, and edit components synchronously or asynchronously without leaving the conversation, and copy and paste them between channels, chats, Outlook emails, and other supported Microsoft 365 apps, always showing the latest updates wherever they live. Rollout: late November 2023, completing by late December 2023.

Microsoft Intune logo

Intune: Security Copilot opens early access

In March 2023, Microsoft announced Security Copilot (opens in new tab), its generative AI security product. October brought the Early Access Program (opens in new tab), with deep integration across Microsoft 365 Defender, Microsoft Intune, and Microsoft Sentinel so customers can investigate and respond to incidents faster. Watch the early access demo (opens in new tab).

Full Intune updates: Security Copilot with Microsoft Intune Early Access Program (opens in new tab)

Microsoft 365 admin logo

Platform and admin: print jobs, support PINs, and a funeral

Business Premium print jobs jump from 5 to 100

Starting November 14, 2023, Microsoft 365 Business Premium licenses include one hundred Universal Print jobs per license per month, up from five. Jobs refresh monthly and are pooled across all licensed employees, mirroring the April 2023 (opens in new tab) extension for Microsoft 365 E3 and E5.

PIN verification on support calls becomes mandatory

The PIN-based step added to phone-based verification in 2020 is enforced as of November 1, 2023. When you call support, the Microsoft representative sends a verification code to the registered email or phone in your Admin Center profile, and you provide it to grant access to the organization's account. To avoid a slow support experience, make sure profile contact info is current: Admin center > Users > Active users > Admin Name > Manage contact information (opens in new tab).

Windows Server 2012 R2 reaches end of support

Windows Server 2012 R2 (opens in new tab) reached end of support on October 10, 2023, and the October 2023 security update (opens in new tab) is its last. Devices on this version no longer receive monthly security and preview updates.

The recommended path is Windows Server 2022 (opens in new tab) (see the upgrade overview (opens in new tab)). Where upgrades cannot happen yet, Extended Security Updates are available for purchase, renewable annually for three years, ending October 13, 2026. Details: KB5031043 (opens in new tab).

Frequently asked questions

What can you investigate with the Microsoft Graph Activity Log?

The full API activity picture in a tenant: what a compromised account did, suspicious Graph usage patterns like user enumeration or repeated 403 probing, unexpectedly privileged application permission assignments, and client apps exhausting tenant rate limits.

Is there any way to keep Windows Server 2012 R2 patched after end of support?

Extended Security Updates are available for purchase, renewable annually for three years, with the final extension date on October 13, 2026. Microsoft's recommendation is upgrading to Windows Server 2022.

October's changes, checked against every tenant

PIM options, support PINs, retired servers: each month moves the bar on what good looks like. CloudCapsule rechecks 250+ controls per tenant in about 60 seconds so nothing quietly slips.

Run a free assessment
Nick Ross

Written by

Nick Ross

CEO · Microsoft MVP · Founder, T-Minus 365

Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.

Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.

Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.

Keep reading