Signal Roundup — 24 May 2026
Four items from the past week: Microsoft Entra ID Account Recovery and Purview DSPM reach general availability; Exchange Online DLP shifts OWA client-side checks from Transport to Data Classification Services; AutoRest deprecation creates risk for the Graph PowerShell SDK; and Search-UnifiedAuditLog gets a MoreRecordsAvailable property.
Entra ID Account Recovery and Purview DSPM reach general availability
The May monthly security summary announced two GAs that matter for SMB and MSP work. Microsoft Entra ID Account Recovery is the long-missing path for users who have lost every registered authentication method — it relies on certified identity verification providers (government ID plus biometrics) rather than helpdesk knowledge-based questions, which closes a common social-engineering gap. Microsoft Purview Data Security Posture Management (DSPM) is now GA, bundling sensitive-data discovery, risk assessment, and guided remediation into a unified workflow; Data Security Investigations also picked up OCR for image-borne content and a custom examination capability. Worth reading end-to-end before the next compliance review.
Source: Microsoft Security Blog — What's new in Microsoft Security: May 2026
Exchange Online is shifting OWA DLP client-side checks from Transport to Data Classification Services
Microsoft is updating how Outlook on the Web evaluates DLP policy, moving client-side checks from the Exchange Transport pipeline to the Data Classification Services pipeline used elsewhere in Microsoft Purview. Tony Redmond's analysis flags the practical risk: tenants running mature DLP rules with Exchange-specific predicates may find that DCS cannot evaluate those predicates, so policy enforcement silently degrades. If you have inherited a long-standing DLP configuration, this is a good week to audit which conditions are actually still being checked in OWA.
Source: Office 365 for IT Pros — Switching DLP Client-Side Checks for OWA
AutoRest deprecation puts the Microsoft Graph PowerShell SDK generation pipeline at risk
Microsoft has marked AutoRest — the tool that generates the Microsoft Graph PowerShell SDK and the .NET SDK — as deprecated. For MSP and automation work built on the Microsoft.Graph cmdlets, this is the underlying machinery that keeps the SDK aligned with the Graph API surface; a stalled generator means future Graph changes may take longer to reach the PowerShell module. Tony Redmond's post walks through what the deprecation notice covers and the practical risk to production automation. No action required this week, but worth tracking for anyone whose runbooks lean heavily on Graph PowerShell.
Source: Office 365 for IT Pros — Automating Microsoft 365 with PowerShell (June 2026 update)
Search-UnifiedAuditLog gains a MoreRecordsAvailable property for large audit searches
A small but operationally useful change for incident-response work: Search-UnifiedAuditLog now returns a MoreRecordsAvailable property that indicates whether further records remain to be fetched for the current query. Previously, investigators paginating through large windows — mailbox compromise timelines, post-incident review across weeks of activity — had to infer completeness from record counts and hope nothing was silently truncated. The new property makes the loop deterministic. Update any audit-pull scripts to honour the flag.
Source: Office 365 for IT Pros — Search-UnifiedAuditLog Updated for Large Audit Searches