
M365 Roundup, May 2026: Teams Gets Its Own Threat Reports
May 2026 in Microsoft 365: Teams adds external user reporting and a Security Detection Report, SharePoint starts enforcing storage quotas, and Entra locks new app instances by default.
Topic

May 2026 in Microsoft 365: Teams adds external user reporting and a Security Detection Report, SharePoint starts enforcing storage quotas, and Entra locks new app instances by default.

Blue Team Labs is a free training platform where MSP techs investigate realistic Microsoft 365 incidents using simulated sign-in logs, audit logs, and email headers. No videos, no quizzes.

Entra passkey profiles auto-enable in March 2026, Teams gains four security features, and standalone SharePoint and OneDrive plans head for retirement. The January 2026 changes, sorted by what to do.

Adversary-in-the-middle phishing steals session tokens after a successful MFA prompt. Here is how to deploy MFA in 2026 so the stolen phish is worthless.

New Defender and Purview add-on SKUs for Business Premium, Anthropic models in Copilot, an auto-installing Copilot app, and a browser policy that needs action now.

Token protection reaches Entra ID P1, Defender gains mail-bombing detection, the Conditional Access Optimization Agent hits GA, and Intune ships LAPS for macOS.

Entra flags risky users by default, but nobody gets told and nothing happens without P2. How to route risk detections to your PSA and the one policy that prevents most compromises.

Token theft via AiTM phishing hit 51% of webinar respondents in the past year. Five layered controls, from Defender tuning to attack disruption, break the kill chain at each stage.

A stolen session token becomes a BEC campaign fast. This runbook walks the full cleanup, confirm, scope, evict, recover, with the exact portals, KQL queries, and PowerShell for each step.

A malicious OAuth app keeps mailbox access after every password reset. How attackers plant them in Microsoft 365, plus the consent lockdown and hunting runbook.

Exchange Online enforces tenant-wide outbound email limits, E5 Security arrives as a Business Premium add-on, and the Report Message add-in enters maintenance mode.

By default, anyone with a Microsoft 365 tenant can open a Teams chat with your users. Here is the attack that exploits it and the four controls that break the kill chain.