Merge branch 'main' into patch-1

Author: aditisrivastava07

exchange/docs-conceptual/app-only-auth-powershell-v2.md

@@ -3,7 +3,7 @@ title: App-only authentication in Exchange Online PowerShell and Security & Comp
 ms.author: chrisda
 author: chrisda
 manager: orspodek
-ms.date: 10/24/2025
+ms.date: 11/25/2025
 ms.audience: Admin
 audience: Admin
 ms.topic: article
@@ -37,7 +37,7 @@ Certificate based authentication (CBA) or app-only authentication as described i
 >
 > - REST API connections in the Exchange Online PowerShell V3 module require the PowerShellGet and PackageManagement modules. For more information, see [PowerShellGet for REST-based connections in Windows](exchange-online-powershell-v2.md#powershellget-for-rest-api-connections-in-windows).
 >
->   If the procedures in this article don't work for you, verify that you don't have preview versions of the PackageManagement or PowerShellGet modules installed by running the following command: `Get-InstalledModule PackageManagement -AllVersions; Get-InstalledModule PowerShellGet -AllVersions`.
+> - If the procedures in this article don't work for you, verify you don't have preview versions of the PackageManagement or PowerShellGet modules installed by running the following command: `Get-InstalledModule PackageManagement -AllVersions; Get-InstalledModule PowerShellGet -AllVersions`.
 >
 > - In Exchange Online PowerShell, you can't use the procedures in this article with the following Microsoft 365 Group cmdlets:
 >   - [New-UnifiedGroup](/powershell/module/exchangepowershell/new-unifiedgroup)
@@ -47,11 +47,14 @@ Certificate based authentication (CBA) or app-only authentication as described i
 >
 >   You can use Microsoft Graph to replace most of the functionality from those cmdlets. For more information, see [Working with groups in Microsoft Graph](/graph/api/resources/groups-overview).
 >
-> - In Security & Compliance PowerShell, you can't use the procedures in this article with the following Microsoft Purview cmdlets:
+> - In Security & Compliance PowerShell, you can't use the procedures in this article with Microsoft Purview cmdlets, including but not limited to:
 >   - [Get-ComplianceSearchAction](/powershell/module/exchangepowershell/get-compliancesearchaction)
 >   - [New-ComplianceSearch](/powershell/module/exchangepowershell/new-compliancesearch)
 >   - [Start-ComplianceSearch](/powershell/module/exchangepowershell/start-compliancesearch)
 >   - [New-ComplianceSearchAction](/powershell/module/exchangepowershell/new-compliancesearchaction)
+>   - [Invoke-HoldRemovalAction](/powershell/module/exchangepowershell/invoke-holdremovalaction)
+>   - [Invoke-ComplianceSecurityFilterAction](/powershell/module/exchangepowershell/invoke-compliancesecurityfilteraction)
+>   - [Invoke-ComplianceSearchActionStep](/powershell/module/exchangepowershell/invoke-compliancesearchactionstep)
 >
 > - Delegated scenarios are supported in Exchange Online. The recommended method for connecting with delegation is using GDAP and App Consent. For more information, see [Use the Exchange Online PowerShell v3 Module with GDAP and App Consent](/powershell/partnercenter/exchange-online-gdap-app). You can also use multitenant applications when CSP relationships aren't created with the customer. The required steps for using multitenant applications are called out within the regular instructions in this article.
 >
@@ -201,7 +204,7 @@ For a detailed visual flow about creating applications in Microsoft Entra ID, se
 
    When you're finished on the **App registrations** page, select **Register**.
 
-5. You're taken to the **Overview** page of the app you just registered. Leave this page open. You use it in the next step.
+5. You're taken to the **Overview** page of the app you registered. Leave this page open. You use it in the next step.
 
 ### Step 2: Assign API permissions to the application
 
@@ -433,7 +436,7 @@ The supported Microsoft Entra roles are described in the following table:
 
 The Security Administrator role doesn't have the necessary permissions for those same tasks.
 
-² Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
+² Microsoft strongly advocates for the principle of least privilege. Assigning accounts only the minimum permissions necessary to perform their tasks helps reduce security risks and strengthens your organization's overall protection. Global Administrator is a highly privileged role that you should limit to emergency scenarios or when you can't use a different role.
 
 For general instructions about assigning roles in Microsoft Entra ID, see [Assign Microsoft Entra roles to users](/entra/identity/role-based-access-control/manage-roles-portal).
 
@@ -457,6 +460,7 @@ For general instructions about assigning roles in Microsoft Entra ID, see [Assig
      ![Find and select a supported Security & Compliance PowerShell role by clicking on the role name.](media/exo-app-only-auth-find-and-select-supported-role-scc.png)
 
 3. On the **Assignments** page that opens, select **Add assignments**.
+
    - **Exchange Online PowerShell**:
 
      ![Select Add assignments on the role assignments page for Exchange Online PowerShell.](media/exo-app-only-auth-role-assignments-click-add-assignments.png)

exchange/exchange-ps/ExchangePowerShell/Cancel-SensitiveInformationScan.md

@@ -0,0 +1,116 @@
+---
+applicable: Security & Compliance
+author: chrisda
+external help file: Microsoft.Exchange.TransportMailflow-Help.xml
+Locale: en-US
+Module Name: ExchangePowerShell
+ms.author: chrisda
+online version: https://learn.microsoft.com/powershell/module/exchangepowershell/cancel-sensitiveinformationscan
+schema: 2.0.0
+title: Cancel-SensitiveInformationScan
+---
+
+# Cancel-SensitiveInformationScan
+
+## SYNOPSIS
+This cmdlet is available only in Security & Compliance PowerShell. For more information, see [Security & Compliance PowerShell](https://learn.microsoft.com/powershell/exchange/scc-powershell).
+
+Use the Cancel-SensitiveInformationScan cmdlet to cancel sensitive information scans.
+
+For information about the parameter sets in the Syntax section below, see [Exchange cmdlet syntax](https://learn.microsoft.com/powershell/exchange/exchange-cmdlet-syntax).
+
+## SYNTAX
+
+### Identity (Default)
+```
+Cancel-SensitiveInformationScan [-Identity] <PolicyIdParameter>
+ [-Confirm]
+ [-WhatIf]
+ [<CommonParameters>]
+```
+
+## DESCRIPTION
+To use this cmdlet in Security & Compliance PowerShell, you need to be assigned permissions. For more information, see [Permissions in the Microsoft Purview compliance portal](https://learn.microsoft.com/purview/microsoft-365-compliance-center-permissions).
+
+## EXAMPLES
+
+### Example 1
+```powershell
+Cancel-SensitiveInformationScan -Identity "HR Department"
+```
+
+This example cancels the specified sensitive information scan.
+
+## PARAMETERS
+
+### -Identity
+
+> Applicable: Security & Compliance
+
+The Identity parameter specifies the sensitive information scan that you want to cancel. You can use any value that uniquely identifies the scan. For example:
+
+- Name
+- Distinguished name (DN)
+- GUID
+
+```yaml
+Type: PolicyIdParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: 0
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Confirm
+
+> Applicable: Security & Compliance
+
+The Confirm switch specifies whether to show or hide the confirmation prompt. How this switch affects the cmdlet depends on if the cmdlet requires confirmation before proceeding.
+
+- Destructive cmdlets (for example, Remove-\* cmdlets) have a built-in pause that forces you to acknowledge the command before proceeding. For these cmdlets, you can skip the confirmation prompt by using this exact syntax: `-Confirm:$false`.
+- Most other cmdlets (for example, New-\* and Set-\* cmdlets) don't have a built-in pause. For these cmdlets, specifying the Confirm switch without a value introduces a pause that forces you acknowledge the command before proceeding.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: cf
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WhatIf
+
+> Applicable: Security & Compliance
+
+The WhatIf switch doesn't work in Security & Compliance PowerShell.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: wi
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](https://go.microsoft.com/fwlink/p/?LinkID=113216).
+
+## INPUTS
+
+## OUTPUTS
+
+## NOTES
+
+## RELATED LINKS

exchange/exchange-ps/ExchangePowerShell/ExchangePowerShell.md

@@ -1738,6 +1738,8 @@ Exchange PowerShell is built on PowerShell technology to a powerful command-line
 ### [Update-ExchangeHelp](Update-ExchangeHelp.md)
 
 ## policy-and-compliance Cmdlets
+### [Cancel-SensitiveInformationScan](Cancel-SensitiveInformationScan.md)
+
 ### [Check-PurviewConfig](Check-PurviewConfig.md)
 
 ### [Disable-JournalArchiving](Disable-JournalArchiving.md)
@@ -1796,6 +1798,10 @@ Exchange PowerShell is built on PowerShell technology to a powerful command-line
 
 ### [Get-ReviewItems](Get-ReviewItems.md)
 
+### [Get-SensitiveInformationScan](Get-SensitiveInformationScan.md)
+
+### [Get-SensitiveInformationScanRule](Get-SensitiveInformationScanRule.md)
+
 ### [Get-SupervisoryReviewPolicyV2](Get-SupervisoryReviewPolicyV2.md)
 
 ### [Get-SupervisoryReviewRule](Get-SupervisoryReviewRule.md)
@@ -1834,6 +1840,10 @@ Exchange PowerShell is built on PowerShell technology to a powerful command-line
 
 ### [New-ProtectionAlert](New-ProtectionAlert.md)
 
+### [New-SensitiveInformationScan](New-SensitiveInformationScan.md)
+
+### [New-SensitiveInformationScanRule](New-SensitiveInformationScanRule.md)
+
 ### [New-SupervisoryReviewPolicyV2](New-SupervisoryReviewPolicyV2.md)
 
 ### [New-SupervisoryReviewRule](New-SupervisoryReviewRule.md)
@@ -1860,6 +1870,10 @@ Exchange PowerShell is built on PowerShell technology to a powerful command-line
 
 ### [Remove-ProtectionAlert](Remove-ProtectionAlert.md)
 
+### [Remove-SensitiveInformationScan](Remove-SensitiveInformationScan.md)
+
+### [Remove-SensitiveInformationScanRule](Remove-SensitiveInformationScanRule.md)
+
 ### [Remove-SupervisoryReviewPolicyV2](Remove-SupervisoryReviewPolicyV2.md)
 
 ### [Remove-TransportRule](Remove-TransportRule.md)
@@ -1884,6 +1898,10 @@ Exchange PowerShell is built on PowerShell technology to a powerful command-line
 
 ### [Set-ProtectionAlert](Set-ProtectionAlert.md)
 
+### [Set-SensitiveInformationScan](Set-SensitiveInformationScan.md)
+
+### [Set-SensitiveInformationScanRule](Set-SensitiveInformationScanRule.md)
+
 ### [Set-SupervisoryReviewPolicyV2](Set-SupervisoryReviewPolicyV2.md)
 
 ### [Set-SupervisoryReviewRule](Set-SupervisoryReviewRule.md)

exchange/exchange-ps/ExchangePowerShell/Get-SensitiveInformationScan.md

@@ -0,0 +1,144 @@
+---
+applicable: Security & Compliance
+author: chrisda
+external help file: Microsoft.Exchange.TransportMailflow-Help.xml
+Locale: en-US
+Module Name: ExchangePowerShell
+ms.author: chrisda
+online version: https://learn.microsoft.com/powershell/module/exchangepowershell/get-sensitiveinformationscan
+schema: 2.0.0
+title: Get-SensitiveInformationScan
+---
+
+# Get-SensitiveInformationScan
+
+## SYNOPSIS
+This cmdlet is available only in Security & Compliance PowerShell. For more information, see [Security & Compliance PowerShell](https://learn.microsoft.com/powershell/exchange/scc-powershell).
+
+Use the Get-SensitiveInformationScan cmdlet to view the properties of sensitive information scans.
+
+For information about the parameter sets in the Syntax section below, see [Exchange cmdlet syntax](https://learn.microsoft.com/powershell/exchange/exchange-cmdlet-syntax).
+
+## SYNTAX
+
+```
+Get-SensitiveInformationScan [[-Identity] <PolicyIdParameter>]
+ [-IncludeImpactAssessment <Boolean>]
+ [-IncludeProgressForAllActiveScans <Boolean>]
+ [-IncludeScanProgress <Boolean>]
+ [<CommonParameters>]
+```
+
+## DESCRIPTION
+To use this cmdlet in Security & Compliance PowerShell, you need to be assigned permissions. For more information, see [Permissions in the Microsoft Purview compliance portal](https://learn.microsoft.com/purview/microsoft-365-compliance-center-permissions).
+
+## EXAMPLES
+
+### Example 1
+```powershell
+Get-SensitiveInformationScan | Format-Table Name,ParentPolicyName
+```
+
+This example returns a summary list of all sensitive information scans in the organization.
+
+### Example 2
+```powershell
+Get-SensitiveInformationScan -Identity "HR Department Scan"
+```
+
+This example returns detailed information for the specified scan.
+
+## PARAMETERS
+
+### -Identity
+
+> Applicable: Security & Compliance
+
+The Identity parameter specifies the sensitive information scan that you want to view. You can use any value that uniquely identifies the scan. For example:
+
+- Name
+- Distinguished name (DN)
+- GUID
+
+```yaml
+Type: PolicyIdParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 0
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -IncludeImpactAssessment
+
+> Applicable: Security & Compliance
+
+The IncludeImpactAssessment parameter specifies whether to refresh the latest scan status during the estimation stage. Valid values are:
+
+- $true: Get the latest estimation status.
+- $false: Return the last updated scan status.
+
+```yaml
+Type: Boolean
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -IncludeProgressForAllActiveScans
+
+> Applicable: Security & Compliance
+
+This parameter is reserved for internal Microsoft use.
+
+```yaml
+Type: Boolean
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -IncludeScanProgress
+
+> Applicable: Security & Compliance
+
+The IncludeScanProgress parameter specifies whether to refresh the latest scan status during the classification phase. Valid values are:
+
+- $true: Get the latest classification status.
+- $false: Return the last updated scan status.
+
+```yaml
+Type: Boolean
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](https://go.microsoft.com/fwlink/p/?LinkID=113216).
+
+## INPUTS
+
+## OUTPUTS
+
+## NOTES
+
+## RELATED LINKS