Managing Office 365 Group Membership with PowerShell

A reader wants the benefits of dynamic Office 365 groups without having to pay for Azure AD premium licenses. It’s relatively straightforward to maintain the membership of a group with PowerShell. That is, if your directory is accurately populated and the right results are returned when you look for who the set of group members should be.

Excluding Inactive Mailboxes from Org-Wide Retention Holds

Exchange Online supports inactive mailboxes as a way to keep mailbox data online after Office 365 accounts are removed. Inactive mailboxes are available as long as a hold exists on them. You can update mailbox properties to exclude all or some org-wide holds. If you exclude holds from a mailbox, you run the risk that Exchange will permanently remove the mailbox. If that’s what you want, all is well, but if it’s not, then you might not be so happy.

Using PowerShell to Add Teams to the Groups Expiration Policy

How best to add every team in your tenant to the Office 365 Groups Expiration Policy? Well, one way is to check all groups for Teams. Another is to use Get-Team to return the set of teams and process those. But then you should think about how to mark the teams that are in the policy in such a way that you don’t process them again. It’s easy to do this with one of the Exchange Online custom attributes.

Finding the SharePoint URLs for Teams

Every Office 365 group (and team) has a SharePoint site. But how to find the URLs of all the sites used by teams in a tenant. One PowerShell answer came from Syskit, but it’s an old technique and we can do better now by fetching a list of teams in the tenant and then retrieving the URL for each team-enabled group.

Making Sure Everyone’s Covered by an Office 365 Supervision Policy

Although Office 365 supervision policies are intended to monitor a subset of user communications, usually involving specific groups of people, you might want to use a policy to monitor all email. In that case, how do you make sure that your policy has everyone in scope? The problem is that supervision policies don’t support dynamic distribution lists, so you need to do some work to build and maintain a distribution list containing all user mailboxes.

Configuring PowerShell for Office 365

If you work with Office 365 through PowerShell, you probably have your own script to connect to the various services. If you don’t want to write your own script, you can download one from GitHub or the TechNet Gallery. This article covers two that you might like to try, including one with a GUI to choose which Office 365 services it should connect to.

Automating Office 365 with PowerShell and Flow

PowerShell is hugely useful when the time comes to automate Office 365 processes. Other tools exist that can help, including Flow. Maybe it’s the right time to consider Flow, especially when it is highly capable of knitting together different Office 365 components to get work done.

Using Search-Mailbox to Process Multiple Mailboxes

The Search-Mailbox cmdlet is a very powerful weapon for Exchange administrators. It has some quirks, but the Invoke-Command cmdlet helps us get around one, which is how to use a different search query for each mailbox processed in a set of mailboxes.

Exchange Online Transport Rule to Encrypt Sensitive Email

Microsoft has released details of an Exchange Online transport rule to encrypt outbound email containing sensitive data types like credit card numbers. The rule works (after fixing the PowerShell), but needs to be reviewed and possibly adjusted to meet the needs of Office 365 tenants.

Tuning PowerShell for Office 365 Group Membership

A recent article prompted a check to see whether a PowerShell recommendation made sense and delivered better performance when executing a command to extract the membership of Office 365 Groups performance. As it turns out, the recommendation is valid, but whether you notice any difference is arguable.

Using the Inbound WebHook to Post to a Team Channel or Office 365 Group

It’s easy to create a webhook connector to post information to a team channel or an Office 365 group. What might not be quite so easy is formatting the JSON payload. Here’s how to use a template card to simplify the process.

Adding Global Contacts for an Office 365 Tenant

You can use a public folder to store and share global email contacts, but a better approach is to use Exchange mail contacts. These objects show up in the Exchange GAL and OAB and are available to all Outlook clients (and some third-party clients too).

What Office 365 Retention Policies Apply to SharePoint Online Sites?

Knowing how retention policies process Office 365 data can be hard to understand, especially if multiple policies are involved. Office 365 doesn’t give a global view of how retention policies affect workloads, but here’s how to use PowerShell to find out what policies process the sites in a tenant.

Reporting the Connection Protocol Used by Outlook Mobile Clients

Microsoft has refreshed the Outlook Mobile architecture (now called “Microsoft Sync Technology”). They suggest that you run some PowerShell to report clients connecting via the old and new architectures. Their code works, but we think ours is better.

Reporting Protected Files

The availability of Azure Information Protection and Office 365 sensitivity labels allow tenants to protect important and confidential files. That’s nice, but it’s even better when you know what files are protected. Here’s how to use PowerShell to create a report about those files.

Protecting Email Holding Sensitive Data

Office 365 offers different ways to apply encryption to important messages. When those messages hold sensitive data known to Office 365, like credit cards or passport numbers, we can define a transport rule or DLP policy to protect outbound email automatically. And while you can define rules and policies through the GUI, PowerShell is available too.

Migrating On-Premises Distribution Lists to Exchange Online

If you run a hybrid Exchange deployment, you probably have some on-premises distribution lists that you’d like to move to the cloud. Office 365 offers no way to do this, so it’s up to PowerShell. Instead of starting from scratch, you can use a script created by Tim McMichael of Microsoft and amend it to meet your needs. PowerShell is just great.

How to Find Click to Run Configuration in the System Registry

Microsoft would like Office 365 tenants to use the Click to Run (C2R) version of the Office desktop applications because C2R is automatically updated with new features. We like C2R, but we also like knowing what’s installed on user workstations. Here’s how to check the Click to Run configuration with PowerShell.

Tip: Check Your Azure AD Accounts Before Adding Org-Wide Teams

Org-Wide Teams are a nice feature, but calculating their membership can be puzzling, as in the case of some perfectly valid accounts that were not added to a team. As it turns out, the error lies in Azure Active Directory.

Synchronizing AAD Security Groups with Office 365 Groups

Security groups are often used to protect access to resources, but they can’t be used to control membership for Office 365 Groups or Teams. If you want to use AAD security groups to control membership for Groups and Teams, you need to come up with a way to synchronize. PowerShell is available to do the job, and as it turns out, it’s not too difficult.

Office 365 Groups and the ProvisioningOption property

Some will tell you that you can figure out what resources an Office 365 Group is connected to by checking the ProvisioningOption property with the Get-UnifiedGroup cmdlet. Well, you can’t. If you want to do something like check for team-enabled groups, you’ll need a different approach.

Office 365 Audit Records Truncated for Azure Active Directory Events

A demo to show how easy it is to use PowerShell to manage Office 365 Groups and Teams was progressing nicely at the UK Evolve conference when a problem happened with code that used to run perfectly. Sounds like a normal programming situation, but in this case, Microsoft had changed the format of Office 365 audit records for Azure Active Directory operations. That’s not so good. What’s worse is that some essential data is now missing from the audit records.

Enabling Access to Teams for Guest Users with PowerShell

During transitions, things sometimes don’t go so smoothly. Such is the case if you want to enable or disable guest user access to Teams and find that the setting to control the access is no longer available in the Office 365 Admin Center. But PowerShell can control the setting, so that’s the solution to the problem.

“Unable to discover PowerShell endpoint URI” when using MFA with Skype Online

Grrr. It’s been that kind of day. While chasing a Teams bug (about which more another time, once I have a consistent repro case), I needed to log on to Skype Online PowerShell. We use the Azure baseline policy that forces MFA for all admin accounts in our tenant; I just updated Chapter 3 of …

Adding a New Microsoft 365 Group to an Existing (Classic) SharePoint Online Site

As announced in this post in the Microsoft Tech Community, the ability to add a new Office 365 Group to an existing SharePoint Online (SPO) site is finally available to Office 365. You will be able to connect existing classic SPO sites to new Office 365 Groups by means of two possible mechanisms: PowerShell (first …

How to Remove a Feature from an Office 365 Plan with PowerShell

Need a script to turn off sub-options in Office 365 plans like the one that controls Microsoft Teams? Here’s a Petri.com article that explains how to do it with the Microsoft Online Services PowerShell module.

Removing Email Addresses from Office 365 Groups

Like all mail-enabled objects, Office 365 Groups can have multiple proxy addresses. Microsoft has fixed a bug in the Set-UnifiedGroup cmdlet so that you can remove proxy addresses from groups, but take care before you do.