Stronger lockdown and clearer Conditional Access handling
- Legacy mail protocols are now disabled at offboarding (Step 3). In addition to removing ActiveSync partnerships, the tool turns off IMAP, POP, ActiveSync, and authenticated SMTP on the mailbox (Set-CASMailbox), closing the app-password / basic-auth path even if the account is ever re-enabled.
- App-only backdoor review (Step 5). Alongside revoking delegated OAuth grants, the tool now lists any app registrations or service principals the departing user owns - an app with its own secret and application permissions keeps access independent of the user account. These are surfaced (advisory, no automatic deletion) so an admin can remove ownership and rotate credentials.
- Conditional Access on tenants without Entra ID P1 (Step 10). On a tenant that does not include Conditional Access (for example Microsoft 365 Business Standard), the step now reports a clear message - it skips the optional CA policy and notes that disabling the account (Step 2) is the enforcing block - instead of a raw error.
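
The Step 3 lockdown and the Step 5 ownership review can be checked by hand. The block below is an added example, not the tool's own code. It assumes an existing Connect-ExchangeOnline session and a Connect-MgGraph session with directory read access; the UPN is a constructed placeholder.

```powershell
# Added example (not the tool's code). $Upn is a constructed placeholder.
$Upn = 'departing.user@example.com'

# Step 3 equivalent: turn off legacy protocols on the mailbox.
Set-CASMailbox -Identity $Upn `
    -ImapEnabled $false `
    -PopEnabled $false `
    -ActiveSyncEnabled $false `
    -SmtpClientAuthenticationDisabled $true

# Verify the result. SmtpClientAuthenticationDisabled can be empty, which
# means the mailbox follows the organization-wide setting, so anything
# other than an explicit $true is reported as still open.
$cas = Get-CASMailbox -Identity $Upn
$stillOpen = @()
if ($cas.ImapEnabled)       { $stillOpen += 'IMAP' }
if ($cas.PopEnabled)        { $stillOpen += 'POP' }
if ($cas.ActiveSyncEnabled) { $stillOpen += 'ActiveSync' }
if ($cas.SmtpClientAuthenticationDisabled -ne $true) { $stillOpen += 'SMTP AUTH' }

if ($stillOpen.Count -gt 0) {
    Write-Warning "Legacy protocols still enabled for ${Upn}: $($stillOpen -join ', ')"
} else {
    Write-Output "All legacy mail protocols are disabled for $Upn."
}

# Step 5 equivalent: list app registrations and service principals the
# user owns. Advisory only: nothing is deleted or modified here.
$appTypes = '#microsoft.graph.application', '#microsoft.graph.servicePrincipal'
$user = Get-MgUser -UserId $Upn

$ownedApps = Get-MgUserOwnedObject -UserId $user.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -in $appTypes } |
    ForEach-Object {
        [pscustomobject]@{
            Type        = $_.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', ''
            DisplayName = $_.AdditionalProperties['displayName']
            AppId       = $_.AdditionalProperties['appId']
            ObjectId    = $_.Id
        }
    }

# Each row is a candidate for ownership removal and credential rotation.
$ownedApps | Format-Table -AutoSize
```
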
Full Changelog: v1.9.0...v1.10.0