Microsoft Exchange Online for Security Operations release notes

  • Release version: Store
  • Updated June 11, 2026
  • 4 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Microsoft Exchange Online for Security Operations Release Notes

    The Microsoft Exchange Online for Security Operations application integrates with ServiceNow Security Incident Response to enhance email threat hunting, search, and deletion capabilities within Microsoft Exchange Online environments. This solution supports security operations teams by automating email investigations and response workflows tied to phishing and other email-based threats.

    Show full answer Show less

    Key Enhancements and Fixes

    • Email Search Improvements: Enhanced keyword matching in subject lines, support for special and non-ANSI characters, and better handling of quotation marks and encoding issues improve the accuracy and reliability of email searches.
    • Security and Compliance: Upgraded read-only fields to strict enforcement at all levels prevent unauthorized changes, and audit trails record delete request details and workflow actions for compliance.
    • User Experience and Workflow Automation: Migrated workflows to Flow Designer for better automation, added multi-factor authentication (MFA) support at the tenant level, and improved error handling and logging for troubleshooting.
    • Notifications and Incident Handling: Automatic tagging of security incidents and creation of work notes when searches or deletions fail, along with email notifications for credential expiration and search completions, keep SOC teams informed.
    • MID Server and Integration: Introduced routing changes to selectively route searches to MID Servers with appropriate capabilities, with status indicators to distinguish authentication issues from MID Server availability.
    • Approval Processes: Configurable approval workflows ensure suspicious emails are only deleted with proper authorization, with rejection comments logged in incident work notes.

    Practical Benefits for ServiceNow Customers

    • Security analysts can define precise phishing threat search criteria based on sender, recipient, and subject to streamline investigations.
    • Automated notifications and audit trails provide transparency and accountability in incident response workflows involving email threats.
    • Improved search accuracy and handling of special characters ensure comprehensive threat detection within Exchange Online.
    • Enhanced security controls and strict read-only enforcement reduce risks of unauthorized configuration changes.
    • Integration with MID Servers and robust error handling facilitate stable, scalable deployments suitable for enterprise environments.
    • MFA support strengthens access security at the tenant level, aligning with enterprise compliance requirements.

    What to Expect Going Forward

    Customers can expect ongoing improvements focused on security, usability, and integration stability. The version history demonstrates a commitment to resolving issues promptly, enhancing threat hunting capabilities, and supporting compliance needs. Regular updates provide new features and security enhancements, ensuring the application remains aligned with evolving Microsoft Graph API requirements and enterprise security standards.

    Version history for the Microsoft Exchange Online for Security Operations application on the ServiceNow Store.

    Important:
    For details on system requirements and family compatibility, view the application listing on the ServiceNow Store website.

    Version history

    Version 10.7.4 - June 2026
    Fixed: Email search by subject line keywords returned no results because the Hunting API query used exact match (==) instead of keyword match (has) for the Subject field.
    Version 10.7.3 - March 2026
    • Fixed:
      • Comments entered while rejecting email requests are now correctly reflected in the associated Security Incident Response.
      • Email search requests no longer fail when the subject query contains quotation marks.
    Version 10.7.2 - January 2026
    Fixed: Fixed an incorrect “email search is still running” message shown during the deletion approval step.
    Version 10.7.0 - December 2025
    New: Upgraded all dictionary-level read-only fields to Strict Read-Only to enhance security and prevent unauthorized changes. This update ensures the server consistently enforces read-only behaviour across all UIs, scripts, and integrations.
    Version 10.6.5 - May 2025
    Fixed: Remove/hide unsupported email fields from the email search criteria.
    Version 10.6.3 - February 2025
    Changed: Migrated workflows to flow designer.
    Version 10.6.2 - March 2024
    • Fixed:
      • Supports non-ANSI characters in Threat-Hunting API query.
      • Supports Graph URL configuration for Federal customers.
    Version 10.5.5 - December 2023
    Fixed: Addressed the misconfiguration of table/field ACLs within the com.snc.secops.ms.exchange.online plugin.
    Version 10.5.2 - November 2021
    • Fixed:
      • Added additional password-related policies.
      • Failure of Email search, if the Exchange Module V2 is not present in MID server.
      • Termination of Email search workflow because of an activity count limit.
      • Improved PowerShell error logging for proper stack trace if an error is seen in the processing.
    Version 10.5.0 - August 2021
    • New: Support for Multi Factor Authentication (MFA) at the Tenant Level
    • Fixed: Ability to delete emails from the email server through the UI action - 'Delete Emails from Exchange Online' that is present under the Email Search Results section
    Version 10.4.2 - February 2021
    Fixed: This release includes a fix from double encoding a query to single encoding, to address the functionality change by Microsoft Graph API. Microsoft Graph API has modified their functionality which causes no results to appear when running a query. For example, if the subject contains a space, then results don't appear. Only the count of emails is returned. A system property sn_sec_ms_ex_on.single_encode has been added to specify the use of single encoded or double encoded search queries. It defaults to single encoded queries.
    Version 10.4.1 - December 2020
    • New:
      • A security tag is applied to a security incident, and a work note is created when the search and delete action fails.
      • An error email notification is sent to a group, and a work note is created when the Microsoft Exchange Online OAuth credentials expire.
    • Changed:
      • Email Search and delete action includes junk folder for matching phishing emails and deletes them.
      • Email Search Result record is created when the search and delete action fails.
    Version 10.3.2 - June 2020
    • New: Additional setting Email Result Threshold for Approvals
    • Changed: Threshold configuration for Request Delete Approvals
    Version 10.0.1 - March 2020
    • New:
      • Introduced troubleshooting capabilities by adding diagnostics tests that provide the ability to isolate issues with the integration
      • New system property added to increase debug level logging
    • Fixed: UI alignment of buttons present on the Microsoft Exchange Online configuration settings
    Version 8.0.3 - September 2019
    Fixed:
    • Improved error handling for unsupported characters
    • Fixed support for valid special characters such as apostrophes, double quotations, and colons (PRB1358086)
    Version 8.0.2 - August 2019
    • New:
      • Additional Settings parameters for Maximum Search Duration and Search Completion Notification
      • MID Server Routing Changes: Provides ability to selectively route the integration searches to designated MID Servers that have the necessary MID Server capabilities enabled (instead of all MID Servers)
    • Changed:
      • Application tile configuration modifications: With the MID Server routing changes in this update, it is no longer necessary to designate a MID Server during the initial authentication set-up. In addition, there is a new status indicator for the MID Server Ready that will distinguish an authentication credential problem from a MID Server availability issue.
      • Approval rejection notes are now posted to the work notes when an approval is rejected and the approver provides a reason to the SOC analyst.
      • Email search results now contain the full message details, including the subject field that was missing with some platform versions.
    • Fixed: Searches were previously not able to retrieve matching messages when the subject contained special characters, such as #. Special characters are now supported in the email subject parameter for searches.
    Version 5.0.0 - March 2019
    • Configure search criteria for phishing threats in Security Incident Response based on combinations of the sender, recipient, and subject fields on email messages.
    • For large and lengthy email searches, the security incident analyst is notified via email when a search is successfully completed, along with the number of matched messages.
    • Status for individual messages informs you if recipients have read or deleted suspicious emails.
    • If configured, optional approval processes ensure that suspicious emails are not deleted without prior approval.
    • A complete audit trail for delete requests that includes the number of deleted emails is logged in the work notes of security incidents.
    • If tagging is configured, security tags record when email search and delete workflows are initiated and successfully completed on security incidents.