Detecting Exchange Online Shared Mailboxes That Need Licenses

Exchange Online shared mailboxes only need licenses if they have an archive, exceed 50 GB in size, or are on litigation hold. The rules are there, but how many tenants check their shared mailboxes to make sure that they’re in compliance. This article explains how to use PowerShell to detect shared mailboxes that need licenses.

Report the Membership of Teams Private Channels

In this article, we explain how to create a report about the Teams private channels found in a tenant together with the members and owners of each channel. The PowerShell script is relatively straightforward and once the data is extracted from Teams, it can be sliced and diced in different ways.

Using Azure Key Vault with Microsoft 365 PowerShell

A previous article explains how to use an Azure Automation runbook to write information to a SharePoint Online site and Teams channel. At the time, I used a stored credential to authenticate and access SharePoint and Teams. Azure Key Vault offers another way to store secrets (bits of information) securely. This article explores how to store secrets in Azure Key Vault and retrieve and use the secrets in a runbook script and interactive PowerShell.

Using the Get-AssociatedTeam Cmdlet to Report Team Memberships

The Get-AssociatedTeam cmdlet is part of V4.6 of the Microsoft Teams PowerShell module. It reports the membership a user account has in teams, including where the account has direct membership of shared channels. The cmdlet makes it easy to generate a report of teams membership, and the PSWriteHTML module makes it easy to output nice PDF reports.

Populate the Membership of a Teams Shared Channel for All Users

This article explains how to populate the membership of a Teams shared channel using PowerShell. The idea is to create a shared channel that’s used for organization-wide communications, like a HR questions and answers channel. Alternatives like using a dynamic Azure AD group with a filter to find Teams users are also considered.

Upgrading the Microsoft 365 User Activity Report with a 180-day Lookback Period

A new version of the Microsoft 365 user activity report PowerShell script is available. This version extends the activity lookback period to 180 days, which is helpful when assessing if user accounts are active when people might be on parental leave or sabbaticals.

Using the Get-TeamAllChannel Cmdlet to Report Microsoft Teams Channels

Version 4.6 of the Microsoft Teams PowerShell module includes the Get-TeamAllChannel cmdlet. As the name implies, the cmdlet returns details of all channels in a team (regular, private, and shared). To see what it does, we wrote a script to report all the channels in teams in a tenant.

Reporting SharePoint Online External Users with PowerShell

There are many versions of PowerShell scripts to report SharePoint external users online. Most don’t handle team-connected sites, so we take the time to explain the oddities of the Get-SPOExternalUser cmdlet and create some data that we can report using the PSWriteHTML module. All in day’s work with Microsoft 365.

Use the Debug Parameter for Microsoft Graph PowerShell SDK Cmdlets to Expose Graph API Requests

Cmdlets in the Microsoft Graph PowerShell SDK module can interact with many types of Microsoft 365 data using Graph API requests. Adding the Debug parameter gives you an insight into what happens when SDK cmdlets run Graph requests. The knowledge can help you write better code and avoid mistakes, and that’s always a good thing.

How to Report Azure AD Admin Accounts Not Protected by MFA

Many example PowerShell scripts exist to report Azure AD accounts and their MFA status. Most of the scripts use the old MSOL module. Now we can use the Microsoft Graph PowerShell SDK and some Graph API requests to do the same job, This article explains how, including how to highlight unprotected Azure AD accounts that hold administrative roles.

Imminent Deprecation of Azure AD PowerShell Modules Creates Knowledge Gap in Documentation

Time is ebbing away and the date when the Azure AD PowerShell modules will start not to work is approaching. Microsoft wants customers to upgrade to the Microsoft Graph PowerShell SDK or Graph API requests. That’s fine, but a knowledge gap exists because most of the examples – including in Microsoft’s own documentation – for how to interact with Azure AD via PowerShell use the old modules. And then every other blog on the planet (with some notable exceptions) does the same. So we have work to do to bridge the knowledge gap and help people to make the transition.

How to Create Mailbox Exclusions for Microsoft 365 Sensitivity Label Policies

The GUI of the Microsoft Purview compliance center doesn’t support the exclusion of selected mailboxes when the special All target is used. However, you can use PowerShell to add mailbox exclusions to sensitivity label policies, including adding the members of a group as exclusions.

Microsoft Introduces Control Over Delegated Access to Encrypted Email

Microsoft is introducing new controls for delegate access to encrypted emails accessed via Outlook clients other than Outlook for Windows. The controls are implemented in three new PowerShell cmdlets which can block, validate, and allow delegate access to encrypted messages. It’s nice to see some coherence being introduced for almost all the Outlook clients, even if Outlook for Windows does its own thing.

Guest Accounts Can’t Update Their Photos with the Microsoft Graph PowerShell SDK

The Azure AD PowerShell module allows guest accounts to sign into target tenants and update their account photo there. The Microsoft Graph PowerShell SDK includes a cmdlet to do the job, but it doesn’t work when connected to a target tenant. Permissions are the reason why, which is what we explain in this article.

How Many Teams Compliance Records Are in Your Tenant?

The Microsoft 365 substrate captures Teams compliance records for chats and channel conversations and stores them in Exchange Online. How many do you have? Although you might not care, sometimes it’s good to know (like a tenant to tenant migration), so we explain how to count Teams compliance records for chats and channel conversations.

Graph X-Ray Tool Helps PowerShell Developers Master the Graph

The new Graph X-Ray extension available for the Chrome and Edge browsers gives developers an insight into how the Azure AD admin center uses Graph API commands to retrieve user and group objects. The insight is invaluable when teasing out some of the syntax needed to get work done with the Graph. It’s much appreciated.

Using the Graph API to Generate Mailbox Folder Statistics

A reader asked if it’s possible to use PowerShell to return the unread count for the Inbox folder in user mailboxes. The standard Exchange Online PowerShell cmdlets tell you a lot about mailbox folder statistics, but they can’t look inside a folder. But the Microsoft Graph APIs can, so a combination of PowerShell and the Graph deliver a solution to the problem.

Basic Authentication Deprecation Can Stop Exchange Online Scripts Working

The upcoming removal of support for basic authentication in seven Exchange Online connectivity protocols could mean trouble for some Office 365 tenants if they don’t take care to ensure that modern authentication is used for PowerShell connections. The old-style Remote PowerShell connection must be replaced with the Connect-ExchangeOnline cmdlet from the Exchange Online management module (aka the V2 module). Apart from anything else, this should improve the performance and robustness of scripts, especially after Microsoft finishes the work to remove the WinRM dependency for older cmdlets.

ImportExcel PowerShell Module Worthwhile Addition to Microsoft 365 Admin Toolkit

The ImportExcel PowerShell module is a useful addition to any Microsoft 365 tenant administrator’s toolbox. Although standard cmdlets exist to interact with spreadsheet data, they are limited to CSV files and can’t exploit the full power of Excel in the way that ImportExcel can do, all without needing to install the Excel application on a workstation.

How to Report Team Archive and Restore Events

It’s a good idea for administrators to know when people archive or restore teams, just in case users lose access to private or shared channels. This article explains how to search the audit log to find records for these actions, extract the relevant data, find information about channels belonging to the teams, and create a report.

Use Message Tracing to Report Exchange Online Email Sent to External Recipients

A management request came in to report email sent by some users to external recipients. Although you might not agree that this is the right thing for any organization to do, it’s very possible by exploiting the message trace information retained by Exchange Online for 90 days. As a bonus, we email the report generated from message tracing data to the requesting manager. Isn’t PowerShell just wonderful?

How to Find Unused Exchange Online Mailboxes

Finding and removing unused Exchange Online mailboxes used to be a good way to keep Office 365 licenses costs under control. Given the widespread use of Exchange Online as part of bundles like Office 365 and the effect of Teams on email for internal communication, looking for unused mailboxes might not be so important now. In any case, the techniques of looking for evidence of mailbox under-use are interesting and useful for tenant administrators to understand, which is why we have this article!

Post to Teams Channels Using Azure Automation Runbooks

Sharing information generated by a PowerShell script running in Azure Automation can be a challenge. Some time ago, I wrote about creating an output file in a SharePoint Online document library. Here I explore how to do the job by posting to a Teams channel using two different methods.

Per-Team Activity Data Available via Graph API

A new Microsoft Graph query makes it easy to fetch per-team activity data for reporting. You can also fetch the data with the Microsoft Graph PowerShell SDK. The data goes back a maximum of 90 days and is at least two days old when you fetch it. Those facts are easy to live with. What’s not so good is that the activity data focuses exclusively on channel activity and avoids everything else which happens in Teams.

Track User Access to Teams Shared Channels with Azure AD Sign-In Logs

Teams shared channels are now in public preview, meaning that many organizations are trying them out to see how effective a means of collaboration these channels are. One of the administrative challenges of implementing shared channels for cross-tenant collaboration is knowing who uses the channels. An answer can be found in the Azure AD sign-in logs, but only after you go looking.

Assign Azure AD Roles to User Accounts with the Microsoft Graph PowerShell SDK

Assigning Azure AD roles to user accounts is the way users receive permissions to perform certain administrative actions. You can automate these assignments using cmdlets from the Microsoft Graph PowerShell SDK. That is, until the time comes to remove assignments.

Why It’s Difficult to Transfer Membership Rules from Exchange Online to Azure AD

It seems like it should be possible to transfer a membership rule from an Exchange dynamic distribution list to a dynamic Microsoft 365 group/team, but it’s not. Different directories, schemas, properties. and syntax conspire to stop easy conversion. It’s a pity, but that’s the way life and technology sometimes go…

Microsoft Sets New Deprecation Schedule for Azure AD PowerShell

Lots of news has emerged from Microsoft recently regarding the deprecation of the Azure AD PowerShell module and the older MSOL module. Although dates have slipped from the original June 30, 2022 deadline, the signs are that Microsoft will retire the modules in early 2023. However, the Azure AD and MSOL license management cmdlets will stop working on August 26, 2022, so that’s the immediate priority for script upgrades.

How to Create a Report About Teams Tags

Teams tags appeared in early 2020 as a method to address subsets of a team membership in channel conversations. Microsoft doesn’t provide a method to report what teams use tags and what those tags are, but we can find out using the Graph APIs. In this article, we show how to use the Microsoft Graph PowerShell SDK to create a report of all teams which use tags, the names of the tags, and the team members assigned the tags.

All About the Microsoft 365 Groups and Teams Activity Report

The Microsoft 365 Groups and Teams Activity report is a PowerShell script which tries to work out if groups and teams are inactive by checking various usage indicators. Because it’s written in PowerShell, tenants can change the script as they like, perhaps even adding some extra turbocharging to the ideas we’ve incorporated into the code.

Whiteboard Nears End of Transition to OneDrive

The transition of Whiteboard storage from Azure to OneDrive for Business is approaching its end. A set of updated clients delivered at the end of March 2022 should do the trick. However, storing newly-created boards in OneDrive is one thing. Migrating old boards and updating components like the Whiteboard Admin PowerShell app are another. We don’t know what’s happening there and Microsoft hasn’t published any guidance.

Creating an Authentication Method Report for Azure AD Accounts

With the upcoming deprecation of the Azure AD and Microsoft Online Services (MSOL) PowerShell modules, it’s time to upgrade scripts which depend on the cmdlets from these modules. In this example, we use the Microsoft Graph SDK for PowerShell to create a report for Azure AD accounts showing the authentication methods each account uses. The idea is to highlight accounts not protected by strong authentication so that administrators can help users to upgrade their protection against attack.

Understanding What’s in an Azure AD Access Token

Access tokens are an important part of accessing data using modern authentication through APIs like the Microsoft Graph. But what’s in an access token and how is the information in the access token used by PowerShell when the time comes to run some Graph queries in a script? In this article, we look behind the scenes to find out what’s in the JSON-structured web tokens issued by Azure AD.

How to Report Groups Under the Control of the Microsoft 365 Groups Expiration Policy

The Microsoft 365 group expiration policy can remove inactive groups after a set period. This helps clean up Azure AD, but the removal of a group might come as a surprise. To help remind administrators when groups will expire, we can use PowerShell to create a report of groups within the cope of the expiration policy and their next renewal dates. And to speed things up, we can turbo-charge matters with a Graph query.

New Way Available to Fetch a List of Microsoft Teams with the Microsoft Graph

A new List Teams API is available in the beta version of the Microsoft Graph. In time, the new API might replace the existing methods used to fetch sets of teams for processing. For now, there’s no need to update any code as we wait for Microsoft to fully bake the new API. Maybe it will be more performant and functional in the future!

How to Search the Microsoft 365 Audit Log for SharePoint and OneDrive Deletion Events

The Microsoft 365 audit log holds all kinds of useful data, including events logged for SharePoint Online and OneDrive for Business file deletions. It’s easy to use PowerShell to search the audit log to find and interpret the events and create a report. Large tenants might need to export the audit data on a regular basis to an external repository to allow for long-term retention and analysis. We explain the principles of the process in this article.

How to Enable Users to Receive Copies of Email They Send to Microsoft 365 Groups

It might seem like a small thing, but some users are upset when they don’t receive copies of their messages sent to Outlook Groups in their Inbox. A new setting allows users and administrators to control if they receive copies of messages from groups, but only when the user is a subscriber to groups (Follow in Inbox is turned on). In this article, we explore how to set the EchoGroupMessageBackToSubscribedSender control via OWA options and PowerShell, and how to sign up to be a group subscriber by yourself or with a little help from an Exchange administrator.

How to Analyze Audit Records for SharePoint Online Sharing Events

When SharePoint users share information, Office 365 captures events in its audit log. By analyzing the events, we can build a picture of how people share information. The sad thing is that the audit events logged when someone extends the validity of a sharing link doesn’t contain as much information as you might like. Even so, we can still analyze the sharing events to build a picture of what happens in an Office 365 tenant.

Microsoft Flags Need to Upgrade PowerShell Scripts to Use TLS 1.2

Microsoft is removing TLS 1.0 and 1.1 from Microsoft 365. This has been well flagged, but tenants might not understand the impact on PowerShell scripts which send email using the Send-MailMessage cmdlet and SMTP AUTH. In a nutshell, unless you force PowerShell to use TLS 1.2, attempts to send messages via Exchange Online will fail. It’s time to check those scripts and ,consider how to move away from SMTP AUTH and Send-MailMessage.