As per Microsoft’s announcement in March, MSOnline (MSOL) Powershell module will be phased out progressively starting in August this year. Office Protect is using this module for a few of our settings:

  • Do Not Allow Third-Party Integrated Applications
  • Account Passwords Never Expire
  • Enable Multi-Factor Authentication

We also need to phase out MSOL for two of our Advanced Reports:

  • Tenant Licenses:
    • License Type field is removed
    • Subscription Date field is removed
    • Next Lifecycle Date is removed
    • Warning now gives the count of subscriptions expiring within the next 30 days

  • User MFA Status: This report now only supports modern MFA policies, as per-User MFA will be deprecated by Microsoft

How to prepare your organization for the change

Office Protect’s development team will deploy the necessary changes to ensure that the settings are functional without using MSOnline. However, applying these settings requires new permissions for the Office Protect application:

  • Policy.ReadWrite.Authorization
  • Policy.ReadyWrite.ConditionalAccess
  • Policy.ReadWrite.AuthenticationMethod
  • SharePointTenantSettings.ReadWrite.All 

If you purchased Microsoft 365 with Sherweb, you are not impacted by this change. If you did not purchase Microsoft 365 with Sherweb, the Office Protect application requires the aforementioned permissions. To minimize the impact on your organizations, we will use Office Protect Global Administrator account to grant the new permissions to Office Protect.

The change will be entirely transparent to you and your users, you don’t have to do anything. The actions performed by our Monitoring User (secmon) will be available in your Azure AD audit logs. Here’s a sample of the logs you will find once we perform the operation: 

Note that secmon will attempt to consent to all the required Office Protect permissions, which means that you will also see "Add app role assignment to service principal" activity with a failure status such as the following: 

More impacts on Office Protect

As we move away from MSOL, Office Protect will be phasing out per-User MFA setting and replacing it with a new setting called Security Defaults, as the feature is not reconducted from MSOL to new technology. Read more about MFA Deprecation. 

This is also the first step in removing our Global Administrator user from your tenant later this summer, stay tuned for a more detailed plan!