Microsoft announced a breaking change to the Microsoft Graph API affecting Exchange Online: from December 31, 2026, applications that modify sensitive email properties -- such as the subject, body, or recipients -- on delivered messages must hold elevated Mail-Advanced.ReadWrite permissions. Until now, the standard Mail.ReadWrite permission was sufficient for these operations. The new permissions require explicit approval from the tenant administrator ("admin consent"). If you operate Microsoft 365 and have custom applications or third-party tools that interact with email via the Graph API, you need to audit and potentially update these apps before the enforcement date.

Source

Exchange Online now lets you choose, per outbound connector, whether SMTP DANE and MTA-STS are enforced opportunistically, mandatorily (for DANE), or not at all. These new connector modes give you granular control over how strictly Exchange Online enforces modern email security standards when sending mail to external domains.

Source

Microsoft is developing Priority Cleanup V2, an updated data-purging feature in Microsoft Purview that deletes Exchange Online mailbox content even when protected by retention policies or eDiscovery holds. This proposed version is designed to reduce the number of approval stages from three to two, accelerate deletion from days to hours, and introduce batch-processing safeguards.

Source

Microsoft is retiring Exchange Web Services (EWS) in Exchange Online, with a phased shutdown beginning October 1, 2026, and complete retirement by April 1, 2027. You must migrate your applications to the Microsoft Graph API before the final deadline to maintain access to Exchange Online mailboxes. This retirement only affects Exchange Online in Microsoft 365 environments and does not impact on-premises Exchange Server installations. Organizations using EWS-dependent applications face service interruptions unless they transition to supported alternatives. The nearly 20-year-old protocol no longer meets modern security, scale, and reliability requirements.

Source

Microsoft has indefinitely canceled the planned limit on bulk email sending in Exchange Online following significant customer feedback about operational challenges. However, Microsoft advises using Azure Communication Services for Email for organizations that require sending large volumes of email to external recipients. 

Source

Microsoft 365 users face a critical bug in Classic Outlook that prevents recipients from opening encrypted emails. In Classic Outlook, trying to open an encrypted email shows a specific error message in the Reading Pane: "This message with restricted permission cannot be viewed in the reading pane until you verify your credentials. Open the item to read its contents and verify your credentials." This issue stems from a client-side regression in how Classic Outlook handles encryption settings, and Microsoft is currently investigating the problem.

Source