Added

• Offboarding: -HideFromGal to hide mailbox from Global Address List (Set-Mailbox -HiddenFromAddressListsEnabled).
• Offboarding: -SkipDirectLicenseFallback to suppress Graph REST fallback for direct license removal.
• Offboarding: SkipGroups now accepts DisplayName, SMTP address, or ObjectId (AAD Id).
• Onboarding/Offboarding: GroupDisambiguation config in config/appsettings.json to map ambiguous display names to a unique SMTP or ObjectId.
• Docs: Troubleshooting section with concrete commands to resolve distribution group ambiguity; consolidated SiteCode usage across onboarding/offboarding.
• Installer: ensure Microsoft.Graph.Users.Actions is installed so Update-MgUserLicense is available.
• Onboarding: Welcome document (DOCX) generation
  • Per-row GenerateWelcome column and CLI -GenerateWelcome switch
  • <TempPassword> auto-injected from onboarding (force change on next sign-in)
  • <ManagerName> auto-resolved from ManagerUPN when present
  • Config defaults: DefaultWelcomeTemplatePath, DefaultWelcomeOutputDir
• Scheduler: CSV-driven onboarding/offboarding scripts
  • scripts/schedule-onboard.ps1, scripts/schedule-offboard.ps1, scripts/schedule-tenants.ps1
  • Example tenants config at config/example.tenants.json
• Offboarding permission cache policy controls
  • -MaxCacheAgeDays to force rebuild when cache age exceeds the cap (default 30)
  • -AutoRefreshStaleCache to auto-rebuild when stale (past TTL) but within max age
  • -AllowStaleCache to use stale cache without prompting when within max age
• Config defaults in config/appsettings.json:
  • MaxCacheAgeDays, AutoRefreshStaleCache, AllowStaleCache
• Placeholder standard and tooling:
  • New XML-safe placeholders {{Name}} supported alongside legacy <Name> in both welcome DOCX and OOO templates.
  • Helper: tools/convert-placeholders.ps1 to convert <Name>/<Name> → {{Name}} across .docx, .txt, .html (supports -DryRun and -Backup).

Changed

• Onboarding: hardened DL/mail-enabled group adds with robust EXO resolution (SMTP/ObjectId/DisplayName/ANR) and retries; parity with offboarding.
• Offboarding: DL removal now performs membership-based disambiguation and removes from each candidate that actually contains the user.
• Offboarding: -NoConfirm is fully honored for direct license removal; ShouldProcess prompt bypassed unless -WhatIf.
• README: renamed onboarding CSV to example-onboard.csv throughout; parameter matrix updated; added guidance for SiteCode and ambiguity remediation.
• README reorganized: new Templates section under Input Files with OOO + Welcome DOCX; FAQ moved before Troubleshooting; TOC updated and anchors verified.
• Offboarding now prompts on stale cache (past TTL) unless -AutoRefreshStaleCache or -AllowStaleCache is used; forces rebuild when older than MaxCacheAgeDays with clear age-in-days logging.
• License removal prefers SDK Set-MgUserLicense (Microsoft.Graph.Users); fall back to REST only if unavailable.
• Interactive/device Graph connection now requests Directory.ReadWrite.All (instead of Directory.AccessAsUser.All) alongside User.ReadWrite.All and Group.ReadWrite.All.
• README now serves as a concise entry point; authoritative deep dives live under docs/.
• Welcome document generator improvements:
  • Replaces placeholders in word/document.xml, headers, footers, comments/notes (word/footnotes.xml, word/endnotes.xml, word/comments.xml) and drawings (word/drawings/*.xml).
  • Handles both raw <Name> and XML-escaped <Name> placeholders; adds support for {{Name}} format.
  • Merges common run boundaries to detect placeholders split across runs.
  • Adopts DefaultSitesCsv from config/appsettings.json when -SitesCsv is omitted (mirrors onboarding behavior).
• OOO placeholder expansion supports {{...}} alongside legacy <...> and HTML-escaped forms; sample OOO templates updated.

Fixed

• Offboarding: eliminated interactive confirmation prompts under -NoConfirm for direct license removal.
• Offboarding: improved error messages and candidate logging when EXO returns “matches multiple entries”.
• Reduced 405 errors by preferring Update-MgUserLicense; REST fallback is now optional and skippable.
• Batch/Single offboarding: ensured user Id is present when removing licenses by explicitly projecting id,assignedLicenses and refetching if needed; resolves empty UserId errors.
• Welcome DOCX generator:
  • Fixed false negative validation when checking for word/document.xml inside the template zip.
  • Ensured XML-escaped placeholders (e.g., <Email>) are detected and replaced.
• Converter script: renamed internal functions to approved verbs to satisfy PSScriptAnalyzer (no functional change).

Notes

• This release focuses on reliability and UX: fewer EXO group add errors for brand-new mailboxes, clearer logs, and smoother auth/session handling.

Docs

• Authentication: reorganized with a “Quick permissions (app auth)” cheat sheet (Graph + EXO ManageAsApp + EXO App RBAC); certificate creation moved to docs with cross-platform notes.
• Service providers: clarified multi-tenant guidance; EXO app RBAC assignment references official docs and examples; consolidated under docs/scheduling.md.
• Configuration: large tables moved to docs/configuration.md (README shows a minimal example and links to the authoritative matrix).
• Templates: full placeholder/reference for OOO + Welcome moved to docs/templates.md.
• Troubleshooting: detailed remediation (e.g., distribution group ambiguity) moved to docs/troubleshooting.md; README now links briefly.
• README: Features list added under “What this tool does”; TOC verified.
• Templates: standardized on {{Placeholder}}; legacy <Placeholder> supported during transition.
  • Added "Migration helper" section documenting tools/convert-placeholders.ps1.
• Configuration: documented that scripts/generate-welcome.ps1 adopts DefaultSitesCsv when -SitesCsv is omitted.
• Docs: anchors added/updated for cross-referencing (templates, examples, scheduling, troubleshooting).