Monday, July 6, 2026

Create a new spam filter

Create a new spam filter
You can edit the default spam filter, but I recommend creating a new one for testing purposes that applies to only you or a select group of beta users.
In your Exchange Admin Center, under Protection, click Spam Filter. Click the plus sign (+) to create a new filter. Name it whatever you like. Set both “Spam” and “High confidence spam” to “Quarantine message.” You’ll ultimately get a red message that advises you to configure end-user spam notifications.
New spam filter in Microsoft Exchange
You’ll need to first fill out the rest of the form to your liking, and the “Applied To” section near the bottom is mandatory. You can apply this new spam filter to specific recipients by name, domain, or group membership. You can also add exceptions and additional criteria to your heart’s content before you click Save. 
2. Configure end-user spam notification
Turning on notifications is really easy, so Microsoft put the control in a really stupid place to make sure you don’t get bored. You might notice, once you save your new filter, that the pane on the right mentions “End-user spam notifications: Disabled” for that filter. Can you double-click on your new filter and enable them? Of course not.
What you need to do is highlight the Default filter and click “Configure end-user spam notifications…” on the right.
How to configure end user spam notification
In here, just tick the only box available and fill in a number for however many days you want between notifications. Choose your language and hit Save. Yes, this applies to your custom filters. No, I don’t know why the control is in the Default filter. Yes, your custom filters will still say “End-user spam notifications: Disabled.” Why? Just because.
Configure spam notification frequency
3. Read the notification emails
After a day has gone by, your test users will receive their first notification email fromquarantine@messaging.microsoft.com. It’s helpfully subjected “Spam Notification” with the number of messages quarantined.
Each message contains the following elements of each message:
·         Sender’s alleged email address
·         Email subject line
·         Date and time in UTC (Coordinated Universal Time)
·         Size in bytes
·         “Release to Inbox” link
·         “Report as Not Junk” link
The email address is “alleged” because most spammers aren’t using genuine email accounts. It’s trivially easy to forge the Sender field, so it should never be taken as gospel.
The subject line, if my current notifications are at all representative, will likely be something about Gwen Stefani and/or Blake Shelton.
The date and time are shown in UTC, the standard for electronic communications. It’s generally equivalent to Greenwich Mean Time (GMT), so unless your users are in western Africa, Portugal, the British Isles, or Iceland, they’ll need to do some conversion.
The size is just a clue to the message’s legitimacy. A phishing email can be a single sentence with a spoofed email address of a trusted contact, under 10KB, or it could be that person just saying hi. A message over 100KB could be a perfectly safe HTML message with lots of formatting, or it could be an advertisement.
If you suspect a quarantined message is actually wanted, click the “Release to Inbox” link. That will open a webpage that says, “Spam message was released from quarantine.” It’ll show up in your inbox soon, but will not influence future spam detections. (Occasionally this webpage throws a certificate error or is not found or something. In my experience, the message is usually released anyway.)
The “Report as Not Junk” link tells Microsoft that, well, this message is not junk. It will become one tiny data point in their massive spam-detecting engine but will not automatically be delivered. “Report as Not Junk” and “Release to Inbox” are completely separate.
4. Inform your users
After you set up your notification frequency, spam-detection level, or other criteria, make sure to communicate with your users about these spam-notification emails. You might still need to add senders to allow and block lists on an administrative level, but users will get a summary of quarantined messages right in their inbox. They can even move the actual messages to their inbox.
This solution isn’t right for everyone — that’s why I suggest creating a new spam filter for testing. Since it can be customized by group or individual email address, you can expand and edit it for just the users who want it.

 
 
 

Microsoft Entra ID in 2026 – Part 2: Microsoft Entra Cloud Sync Deep Dive – Architecture, Installation, Best Practices and Migration

 

Saturday, June 27, 2026

Microsoft Entra Connect Sync Is Being Retired — What Every IT Admin Needs to Know (2026)

If you are an IT admin managing a hybrid Microsoft environment, 2026 is the year you cannot afford to look away from Microsoft Entra ID. Microsoft is actively retiring on-premises identity tooling, enforcing new security baselines, and pushing organizations firmly toward cloud-native identity management. This post is the first in a series covering everything you need to know — starting with the biggest infrastructure change: the end of Microsoft Entra Connect Sync. 

Microsoft is transitioning from Microsoft Entra Connect Sync to the cloud-native Entra Cloud Sync to simplify hybrid identity management and strengthen Zero Trust security, reducing on-premises complexity while improving reliability, security, and day-to-day operations. This is arguably the most impactful change for enterprise IT admins — if you're still running Connect Sync, your migration window notification will arrive via M365 Message Center starting July 2026. Microsoft Community Hub


Upcoming Change - Migrate from Microsoft Entra Connect Sync to Microsoft Entra Cloud Sync

Type: Plan for change
Service category: Entra Connect
Product capability: Entra Connect

As organizations look to strengthen identity security and advance their Zero Trust strategies, many are looking for simpler, more reliable ways to manage hybrid identity. To support these needs, we’re beginning the transition from Microsoft Entra Connect Sync to the cloud‑native Microsoft Entra Cloud Sync - helping reduce on‑premises complexity while improving security, reliability, and day‑to‑day manageability.

This shift is a key step toward a cloud-managed identity future that will provide a more secure, resilient, and easier-to-operate synchronization experience. As part of ongoing modernization efforts, Microsoft’s strategy remains to deliver stronger security, improved reliability, and simpler identity operations.

What's next

Beginning in July 2026, we will begin notifying customers through the M365 Message Center, Entra Connect Health, and targeted emails about their individual transition timelines. The transition will be rolled out in phases, and we will reach out directly to each organization when their assigned transition window begins. This phased approach ensures that we can provide tailored guidance and support to all our customers.

  • Initial phases: In the first waves, we will focus on tenants for whom Entra Cloud Sync already meets all their identity synchronization needs. If your organization relies on advanced features or has a large directory, you will not be among the initial targeted groups. We will prioritize early transitions for customers with straightforward configurations that are fully supported by Entra Cloud Sync’s current capabilities.

  • Subsequent phases: As Entra Cloud Sync’s capabilities expand, we will progressively notify the later groups and ensure they can transition successfully once equivalent support is available in Entra Cloud Sync

We are committed to supporting you by providing tooling and documentation for the transition to Entra Cloud Sync.

What's changing

Once your organization is notified of its assigned transition window, you will receive detailed guidance and resources to help you begin the move to Entra Cloud Sync. During this period:

  • You will need to review your current configuration, assess readiness, and familiarize yourself with Cloud Sync’s capabilities.

  • You will gain access to the transition tool and step-by-step documentation to support a smooth transition.

  • You will move and test your synchronization environment in Entra Cloud Sync before any permanent changes are made.

Once your transition to Entra Cloud Sync is successfully completed:

  • Entra Cloud Sync will be the primary mechanism for identity synchronization capabilities between Active Directory and Entra ID, replacing the identity sync functionality in Entra Connect tool.

What's not changing

Once you migrate to Cloud Sync, your hybrid authentication features that enable on‑premises credentials to be used for accessing cloud resources will continue to be available after migration on the Connect Sync config wizard.

What should you do right now?

If your organisation is still running Microsoft Entra Connect Sync, here are the three immediate actions to take before your migration window arrives:

  1. Assess Cloud Sync readiness — Run the Microsoft readiness assessment tool to check if your current configuration is supported by Entra Cloud Sync. Organisations with advanced features or large directories will not be in the first migration wave, but it is never too early to know your gap.
  2. Watch your M365 Message Center — Starting July 2026, Microsoft will notify each organisation individually with their assigned transition window. Make sure your admin notification email is current and someone is monitoring the Message Center actively.
  3. Upgrade Entra Connect now — Even before your migration window, upgrade to the latest version of Microsoft Entra Connect and disable hard-match takeover. This protects against SyncJacking attacks independently of when you migrate.

This is Part 1 of a series on Microsoft Entra ID changes in 2026. Coming next: SyncJacking — what it is, how the attack works, and how to fully harden your hybrid environment against it.

Found this useful? Leave a comment below— I read every one. You can also follow this blog for more Microsoft identity and infrastructure deep-dives from a practising IT admin with 15 years in the field.