Like any mail-enabled object managed by Exchange Online, distribution list proxy addresses determine if Exchange can deliver messages to an object. Sometimes the proxy addresses aren’t correct or need adjustment, such as in the case when an organization wants to make sure that all distribution lists have primary SMTP addresses from a specific domain. This article explains how to use PowerShell to adjust the primary SMTP address when necessary.
Microsoft 365 group display names longer than 120 characters will cause problems for Graph API requests attempting to fetch the groups. A workaround exists, which is to make the request an advanced query rather than a regular one. But the question really should be “who needs group display names that are longer than 120 characters?”
The question of how best to block PowerShell access for Microsoft 365 user accounts deserved some consideration. The answer lies in service principals for the enterprise accounts created by Microsoft to allow PowerShell modules to authenticate with Entra ID. By restricting access to an assigned security group, you effectively block access to anyone outside that group.
This article explains how to use PowerShell to remove licenses from disabled accounts, including some caveats such as not removing Exchange Online licenses. Organizations might want to do this to save money on Microsoft 365 license fees while an account is temporarily unused. Removal of Exchange Online licenses can result in the loss of a mailbox, and you don’t want that to happen if you’re disabling accounts just because someone is on a long-term sabbatical or other leave of absence.
This article explains how to use PowerShell to create dynamic Microsoft 365 groups (and teams) based on the departments assigned to Entra ID user accounts. Creating a new group is easy. The trick in team-enablement is to wait for the synchronization between Entra ID and Teams to finish before you go ahead. After that, it’s plain sailing.
Microsoft announced that they will deprecate the user photo cmdlets from Exchange Online from November 30, 2023. Microsoft Graph PowerShell SDK cmdlets replace the EXO cmdlets because user photo data is stored in Entra ID. Although inconvenient for those who need to update scripts, this is part of an effort to rationalize how Microsoft 365 handles user profile information.
The Teams 2.1 client uses a different folder and naming convention for custom background images. People who switch must move their images, so here’s a script to do the job by resizing images to meet Teams requirements, renaming the files to comply with the new naming scheme, and copying the files from the old to the new folder, It’s PowerShell, so you can change the code as you like.
An old script created to report quotas for user mailboxes provided the basis for email-based reporting of shared mailbox quotas. The old script used just Exchange Online PowerShell. This versions mixes Exchange Online and the Graph SDK and throws in some certificate-based authentication to boot to allow the script to send email from something other than the signed-in account.. It all comes together, using chunks of code from other scripts to speed up writing. It’s the PowerShell way…
I was asked how easy it would be to write a PowerShell script to monitor new teams members and reject any additions that met specific criteria. Easy, we said, so we set to creating a script to interrogate the unified audit log to find new member events. Once that was done, it’s a matter of analyzing the events to find if we should reject the addition of any of the added members.
After writing a previous article about using PowerShell to analyze message trace data, I was asked about analyzing user (or mailbox) sending patterns to discover who’s sending email and where they’re sending messages to. As in many similar situations, PowerShell is a great tool to use because of its flexibility. This article explains how to generate a per-mailbox report of how many messages are sent and the percentage of internal versus external, plus the external domains the email goes to.
A reader asked how they could create dynamic administrative units for every department in their directory. A PowerShell script does the job, even if some constraints in how Entra ID processes membership rules means that the rules can’t be quite as precise as I would like them to be.
It’s possible to use PowerShell to create a report detailing the SharePoint Online site URLs used with Teams. My first attempt used the Exchange Online module, but is the Graph any faster? As it turns out, not really. At least, not for interactive sessions using the Microsoft Graph PowerShell SDK (things are different when running SDK code using a registered app). I tried several approaches, but Graph permissions got in the way every time.
This article describes how to use PowerShell to extract and analyze Exchange Online message trace data to figure out the volume of traffic to outbound domains and from inbound domains. You might think that this is the same information as available in the Exchange admin center mail flow report, but it’s not. Once again, the value of PowerShell in retrieving and using data is evident.
A question about how to report specific changes to Teams memberships gave another excuse to use PowerShell with the unified audit log to deliver a solution. The idea is that you can check audit log entries to see when specific user accounts join the membership of Teams. Once you’ve found that data, it’s a simple matter of creating email to share the results. All done with a few lines of PowerShell…
You can now define Entra ID guest account sponsors using the Entra ID admin center or PowerShell. A sponsor is an account or group that knows why a guest account exists. During operations like account reviews of the membership of a Microsoft 365 group, sponsors can help group owners decide if guest accounts should continue as members or should be removed. I’m sure others will come up with ideas for using guest account sponsors, but that’s what we have for now.
A new preview capability supports filtering against the Azure AD employee hire date property (Entra ID). Two different filter types are available to support the PowerShell ge and le operators. One filter checks against a set date, the other uses a calculated date. Both work well, and hopefully this development means that the Entra ID developers will enable the same capability for the Get-MgUser cmdlet.
A reader asked why some deleted Microsoft 365 user accounts appear to have assigned licenses. That seemed strange because licenses are freed up for reuse when accounts are deleted, so we took a look behind the scenes to find out why some deleted user accounts keep license information in their properties and some do not.
Exchange retention tags can be assigned to mailbox folders. In this article, we explain how to retrieve details of folder and personal tags assigned to folders plus the default archive and delete tags defined in the mailbox retention policy. We also explore if it’s possible to report retention tags assigned to individual messages and conclude that it’s not worthwhile.
PIM, or Privileged Identity Management, is a solution for managing the assignment of privileged Entra ID roles to users and groups. PIM role assignments can be active or eligible. If you report “normal” role assignments, you only see the currently active set. Some more processing is needed to fetch the PIM assignments. Here’s our version of a script to do the job for holders of the Exchange administrator and Global administrator roles.
The Microsoft Graph PowerShell SDK V2 attained general availability on July 4, 2023. Microsoft did a horrible job of announcing the news, but now that the SDK V2 is available, it’s time to migrate scripts from earlier versions. Splitting the V1.0 and beta cmdlets into different modules is a big difference, as is renaming the beta cmdlets. But other points exist to consider as you migrate from the Microsoft Graph PowerShell SDK V1 to V2.
Up to now, the Microsoft Graph PowerShell SDK has not included a cmdlet capable of reporting the renewal dates for Microsoft 365 subscriptions. A new beta Graph subscriptions endpoint is a method to retrieve the renewal information. Even if you can’t use an off-the-shelf cmdlet, you can still get the data.
Although SharePoint Online doesn’t support the allocation of OneDrive storage quotas via group membership, this is an easy solution to code with PowerShell. In this article, we discuss the steps needed to use groups to set a desired storage allocation for group members and how to apply those allocations to OneDrive for Business accounts. If you don’t want to use groups, Azure AD administrative units or even Exchange Online dynamic distribution lists would work too.
Sometimes administrators need to intervene and cancel meetings on behalf of users. That’s why the Remove-CalendarEvents cmdlet exists. The cmdlet scans a user mailbox to find meetings organized by the user for a defined period and cancels the events. Meeting participants receive a cancellation notice. It’s a useful cmdlet to know about, just in case.
Using Connect-MgGraph scopes to request a precise set of permissions at the start of a PowerShell script is the right way to make sure that the script can run and access the data it needs to process. Two schools of thought exist. Is it best to use the Scopes parameter to define the set of permissions when connecting with Connect-MgGraph, or should you go ahead and connect and check afterward? I favor the first approach, but either way works.
Sometimes, long running PowerShell scripts encounter the problem of Azure AD access token lifetime expiration. In other words, the default lifetime of tokens issued by Azure AD is too short to allow the script to complete before the token expires. Two solutions exist. Use a token lifetime policy to prolong access token lifetimes or check in code for potential expiration and renew when necessary.
Container management labels apply settings to the Microsoft 365 Groups to which they are assigned. This article describes how to generate a report about the container management labels assigned to groups. The report highlights groups that don’t have labels and those that don’t have owners.
The Microsoft Graph PowerShell SDK includes two cmdlets to revoke access for Entra ID accounts. As it turns out, Microsoft would prefer if developers use the Revoke-MgUserSignInSession cmdlet instead of Invoke-MgInvalidateUserRefreshToken, but who would have known if we hadn’t asked the question?
Following the removal of Remote PowerShell connections for Exchange Online, Microsoft is removing Remote PowerShell for the compliance endpoint. The change to REST-based cmdlets is expected to deliver better performance and reliability. The changes are implemented in V3.2 of the Exchange Online management module, which should be available on May 1.
The Get-ReviewItems cmdlet (in the Exchange Online management module) is available to export details about disposition review items in either a pending or disposed state. It’s possible that you don’t care very much about records management, retention labels, or disposition processing, but if you do, you’ll be glad that the new cmdlet exists.
Two years ago, I wrote about how to generate a report about managers and the direct report from the information stored in Entra ID. As it turns out, the Get-User and Get-Recipient cmdlets have a little flaw that can make the data they return inaccurate. To make sure that the data is correct, a new version of the script uses cmdlets from the Microsoft Graph PowerShell SDK to report Entra ID managers and reports. We also format the output in a nicer way, so it’s all good.
In an unannounced move, Microsoft imposed a new limit on Graph requests using the List Users API that include the SignInActivity property. The old limit allowed a request to fetch 999 items; the new reduces it to 120 items. I’m sure that the change is made with the best possible motive, but introducing something like this without warning broke a lot of programs and scripts, and that’s just unacceptable.
The AzureAD PowerShell retirement date is approaching quickly. After March 30, 2023, Microsoft says that the module will work for six months. Then? Who knows!. Cmdlets that set licenses for Azure AD accounts are now retired and will stop working on or before March 30, 2024. If you haven’t already upgraded scripts, it’s time to do so.
Version 5.0 of the Microsoft Teams PowerShell module contains a major overhaul for the Get-CsOnlineUser cmdlet, which receives better filtering capabilities. The overhaul is part of Microsoft’s ongoing efforts to modernize and enhance the cmdlets inherited from the Skype for Business Online connector. Although there’s still work to do to fix some glitches, the update is welcome.
As part of its rebranding of Yammer to Viva Engage last week, Microsoft added the Viva Engage Core service plan to user accounts. Which is nice, unless a tenant had blocked Yammer. The new service plan means that accounts can now use Yammer In many cases, it won’t matter too much that users can now access Yammer, but in other instances it will. In any case, we should tidy up by removing the Viva Engage Core service plan from any account that already blocks Yammer. Some PowerShell does the trick, but it would have been nice if Microsoft had thought things through a little more.
After a while, you discover the holes in any technology. In the case of the Microsoft Graph PowerShell SDK, some inconsistencies await unwary developers. The SDK doesn’t like $Null, doesn’t support pipelining, insists on specific property casing at times, sometimes accepts user principal names and sometimes doesn’t, and sticks valuable data in hash tables hiding in a property you might know nothing about. Good as it is to have the SDK cmdlets, they need to be treated with care as you transition from the old Azure AD and MSOL modules.
Room mailboxes are still heavily used for in-person meetings. It’s good to know how often and when rooms are used, which is why we have the room mailbox report script. In the second version of the script, we include code to figure out the daily usage pattern of individual rooms and for all rooms across the organization. The graphics in our bar chart are crude, but the chart is generated with a few lines of PowerShell, so feel free to improve the script.
Microsoft makes a 30-day Teams Premium trial license available to allow customers to test the premium features. Once the trial finishes, it’s a good idea to clean up and remove the Teams Premium trial licenses from the Azure AD accounts that participated in the trial, especially as the trial license has the same display name as the paid-for Teams Premium license. You can accomplish the task through the Microsoft 365 admin center, but we explain how to do the job with PowerShell too. The same technique works to remove any specific license from a set of user accounts.
It’s easy to invite people to become guest users in a Microsoft 365 tenant, but some of the invitees never accept the invitation. Perhaps they don’t need to redeem the invitation to do work or maybe it’s because they don’t want to. In either case, Entra ID guest accounts with unredeemed invitations can accumulate and become stale. In this post, we discuss how to use PowerShell to find and remove those stale accounts in a safe manner.
Microsoft plans to retire Azure Automation Run As Accounts on September 30, 2023 and replace them with managed identities. I don’t have any issue with the proposal because managed identities are more secure and a better overall solution. It would have been nice if Microsoft had communicated the change more broadly. I guess if you were in the know, you found out about this development, but maybe the average Microsoft 365 tenant administrator might have struggled to discover what’s happening.
Discovering new PowerShell tricks is always a delight, especially if they help solve problems. In this post, I cover a situation where a trick from the dawn of PowerShell helped answer a query about the Microsoft 365 Groups and Teams activity report script. I also discuss why better alternatives exist to the Export-CSV cmdlet when it comes to exporting report data containing non-ASCII characters.
