Dear colleagues,

Microsoft is changing how certain Power Automate workflows start. If you are a Power Automate user and your workflow begins when it receives a web request or a Teams webhook, you must update the URL that other tools use to call your flow before November 30, 2025.
Flow owners may also see an email titled ‘Your flow has a new trigger URL’ and will see an in-product banner. 

What is changing

Microsoft is updating the trigger URLs used in flows with “When an HTTP request is received” or Microsoft Teams Webhook triggers. 

When you open one of these flows: 

• You’ll see a new trigger URL displayed in the trigger card. 

• A banner will also appear showing the old URL, reminding you to update any systems or services that use it. 

Please update your flows and any connected systems to use the new URL before November 30, 2025. 

After that date, the old URLs will stop working, and any flows still using them will fail to trigger. 

Steps to Update Your Flow 

1. 1. Open your flow in Power Automate that uses either 
      • “When an HTTP request is received”, or 
      • Microsoft Teams Webhook trigger. 
   2. Find the new trigger URL shown in the trigger card. You’ll also see a banner with the old URL — use this as a reminder to update your connections. 
   3. Update all places where the old URL is used, such as app, script, website, Power App, Power Page, or any external system. 
   4. Test your flow after updating to confirm it still triggers correctly. 
   5. If the new URL looks long, make sure the system you’re connecting to supports URLs longer than 255 characters (some older systems may have limits). 

Timeline 

• • Now – November 30, 2025: Both the old and new URLs will work. Please update your links as soon as possible.  

• • After November 30, 2025: Old URLs will stop working, and any flows still using them will fail to trigger. 

Resources 

• • Troubleshoot common issues with triggers (see “Changes to HTTP or Teams Webhook trigger flows”) 

If you have any further questions or concerns, please submit a ticket to the Enterprise Service Centre at (https://uoft.me/m365help). 

Kind regards, 

Enterprise Applications & Solutions Integration (EASI)
Information Technology Services, University of Toronto

Dear colleagues, 

Microsoft has announced the rollout of the External Recipient Rate Limit (ERR) for Exchange Online. This feature is designed to limit the number of external recipients a mailbox can send messages to within a 24-hour period. This change is designed to support responsible usage and ensure fair resource usage within Exchange Online. 

What is changing 

Currently, each mailbox in Microsoft 365 can send emails to up to 10,000 total recipients in a 24-hour period. Under the new policy, Microsoft will apply an additional sub-limit specifically for external recipients (addresses outside the university’s email domains): 

• • New Limit: Each mailbox can send to up to 2,000 external recipients in a 24‑hour window.  

• • Internal emails: (to addresses ending in @utoronto.ca, @toronto.edu, or other approved university approved domains) are not affected. 

• • Once a mailbox reaches the 2,000 external recipients, any further messages to external addresses will be temporarily blocked until the 24-hour window resets. Internal messages can still be sent normally. 

This change is enforced by Microsoft and cannot be disabled. 

Action required 

• • Review your current mailing practices. 

• • If your mailbox needs to send more than 2,000 external recipients in 24 hours, use approved mass-mailing tools (i.e. SendGrid, Constant Contact, or Azure Communication Services for Email) designed for high-volume external communications.  

• • Learn more: Exchange Online to introduce External Recipient Rate Limit 

Timeline 

• • October 1, 2026: ERR enforcement begins for all existing tenants. 

If you have any further questions or concerns, please submit a ticket to the Enterprise Service Centre at https://uoft.me/m365help. 

Kind regards, 

Enterprise Applications & Solutions Integration (EASI)
Information Technology Services, University of Toronto
215 Huron Street, Toronto

Dear colleagues, 

As part of our ongoing efforts to enhance the security of our Microsoft 365 environment, we will be enabling the Idle Session Timeout feature across the tenant starting October 28, 2025. 

What’s changing 

Microsoft has announced the retirement of “Activity-Based Authentication Timeout” for Outlook on the web. This is being replaced by a more robust Idle Session Timeout for Microsoft 365, which offers broader protection across a wider range of Microsoft 365 web applications. 

What is Idle Session Timeout? 

Idle Session Timeout is a security feature that automatically signs users out of Microsoft 365 web apps after 9 hours of browser-based inactivity. This change is designed to reduce the risk of unauthorized access, particularly when devices are left unattended while still logged in. 

Key Points: 

• • The timeout policy applies to all web browsers except Microsoft Edge on Intune-managed desktops. It affects Microsoft 365 web applications such as Outlook Web App, SharePoint, OneDrive, Word, Excel, PowerPoint Online, Microsoft365.com, Admin Center, and others. 

• • Works on a per-browser session basis in all web browsers, except for Microsoft Edge on Intune Managed Devices which already have a 10-minute inactivity timeout set at the OS level. 

• • If your session remains inactive for 9 hours, you will receive a notification prompting you to stay signed in. If no action is taken, you will be automatically signed out and prompted to re-authenticate when you return. 

• • Actively using Microsoft 365 web apps will keep your session alive; only idle users will be affected. 

Implementing Idle Session Timeout helps protect university data and user accounts by ensuring that unattended browser sessions are not left open indefinitely. This is an important step in strengthening our overall information security posture. 

If you have any questions or concerns, please submit a ticket to the Enterprise Service Centre at (https://uoft.me/m365help). 

Kind regards,  

Enterprise Applications & Solutions Integration (EASI)  

Information Technology Services 

University of Toronto 

Dear colleagues,

Microsoft has announced that Microsoft Publisher will reach end of life in October 2026. After that time, Publisher will no longer be included in Microsoft 365 or supported in on-premises Office suites. 

What is changing 

Support for Microsoft Publisher, including the perpetual (on-premises) version, will end in October 2026. Until then, users can continue to access and use Publisher with its current functionality. After the retirement date, Publisher will no longer be available in Microsoft 365 subscriptions, and existing installations will not receive updates or technical support. 

Microsoft is exploring modern ways to address common Publisher use cases through other applications such as Microsoft Word, PowerPoint, and Designer. 

Who is affected 

• • All users of Microsoft Publisher. 

• • IT administrators supporting Microsoft 365 or Office LTSC 2021 deployments. 

Action required 

• • All users and departments using Publisher should begin planning to transition documents and workflows to alternative applications before October 2026. 

• • Microsoft recommends converting Publisher files to other formats (e.g., PDF or Word) before the retirement date – Transition Guidance. 

Timeline 

• • Until October 2026: Publisher remains available and supported. 

• • October 13, 2026: End of support for Microsoft Publisher (including Office LTSC 2021). Publisher will be removed from Microsoft 365 offerings.

If you have any further questions or concerns, please submit a ticket to the Enterprise Service Centre at https://uoft.me/m365help. 

Kind regards,
Enterprise Applications & Solutions Integration (EASI)
Information Technology Services, University of Toronto