Exchange Online writes audit records into the Office 365 audit log when messages are deleted by delegates and administrative action. We can analyze the audit records to find out who deleted a specific message. Some challenges exist to interpret the audit records for admin-generated deletions (for example, when you run Search-Mailbox), but it’s easy enough to code the necessary checks in PowerShell.
Microsoft makes a strong case that all Azure Active Directory accounts should be protected with multi-factor authentication (MFA). That’s a great aspiration, but the immediate priority is to check accounts holding administrative roles. This post explains how to use PowerShell to find and report those accounts.
The ability to see the PowerShell commands executed by Exchange administrative centers has existed since Exchange 2007. Now something has changed in Exchange Online and the command log is blank. It’s sad because many administrators learned to use PowerShell by examining how Microsoft used it to manage Exchange. Let’s hope that Microsoft fixes this bug soon.
Teams does a good job of storing compliance records in Exchange Online mailboxes so that the data is available for Office 365 eDiscovery. But the number of records can impact the mailbox quotas of frontline workers, especially if they send graphics in personal and group chats. Here’s some PowerShell to help discover how much mailbox quota is being absorbed by compliance records.
Org-wide teams are great because they feature automatic membership management. But sometimes you don’t want new Office 365 accounts showing up in org-wide teams. The solution is to create the account with some dummy details to mask the identity of the real person and update the account after they join the company.
A reader wants the benefits of dynamic Office 365 groups without having to pay for Azure AD premium licenses. It’s relatively straightforward to maintain the membership of a group with PowerShell. That is, if your directory is accurately populated and the right results are returned when you look for who the set of group members should be.
Exchange Online supports inactive mailboxes as a way to keep mailbox data online after Office 365 accounts are removed. Inactive mailboxes are available as long as a hold exists on them. You can update mailbox properties to exclude all or some org-wide holds. If you exclude holds from a mailbox, you run the risk that Exchange will permanently remove the mailbox. If that’s what you want, all is well, but if it’s not, then you might not be so happy.
How best to add every team in your tenant to the Office 365 Groups Expiration Policy? Well, one way is to check all groups for Teams. Another is to use Get-Team to return the set of teams and process those. But then you should think about how to mark the teams that are in the policy in such a way that you don’t process them again. It’s easy to do this with one of the Exchange Online custom attributes.
Every Office 365 group (and team) has a SharePoint site. But how to find the URLs of all the sites used by teams in a tenant. One PowerShell answer came from Syskit, but it’s an old technique and we can do better now by fetching a list of teams in the tenant and then retrieving the URL for each team-enabled group.
Although Office 365 supervision policies are intended to monitor a subset of user communications, usually involving specific groups of people, you might want to use a policy to monitor all email. In that case, how do you make sure that your policy has everyone in scope? The problem is that supervision policies don’t support dynamic distribution lists, so you need to do some work to build and maintain a distribution list containing all user mailboxes.
If you work with Office 365 through PowerShell, you probably have your own script to connect to the various services. If you don’t want to write your own script, you can download one from GitHub or the TechNet Gallery. This article covers two that you might like to try, including one with a GUI to choose which Office 365 services it should connect to.
PowerShell is hugely useful when the time comes to automate Office 365 processes. Other tools exist that can help, including Flow. Maybe it’s the right time to consider Flow, especially when it is highly capable of knitting together different Office 365 components to get work done.
The Search-Mailbox cmdlet is a very powerful weapon for Exchange administrators. It has some quirks, but the Invoke-Command cmdlet helps us get around one, which is how to use a different search query for each mailbox processed in a set of mailboxes.
Microsoft has released details of an Exchange Online transport rule to encrypt outbound email containing sensitive data types like credit card numbers. The rule works (after fixing the PowerShell), but needs to be reviewed and possibly adjusted to meet the needs of Office 365 tenants.
A recent article prompted a check to see whether a PowerShell recommendation made sense and delivered better performance when executing a command to extract the membership of Office 365 Groups performance. As it turns out, the recommendation is valid, but whether you notice any difference is arguable.
It’s easy to create a webhook connector to post information to a team channel or an Microsoft 365 group. What might not be quite so easy is formatting the JSON payload. Here’s how to use a template card to simplify the process.
You can use a public folder to store and share global email contacts, but a better approach is to use Exchange mail contacts. These objects show up in the Exchange GAL and OAB and are available to all Outlook clients (and some third-party clients too).
Knowing how retention policies process Office 365 data can be hard to understand, especially if multiple policies are involved. Office 365 doesn’t give a global view of how retention policies affect workloads, but here’s how to use PowerShell to find out what policies process the sites in a tenant.
Microsoft has refreshed the Outlook Mobile architecture (now called “Microsoft Sync Technology”). They suggest that you run some PowerShell to report clients connecting via the old and new architectures. Their code works, but we think ours is better.
Teams has released version 0.9.6 of its PowerShell module. You should upgrade to the new module because it fixes some bugs and allows administrators to manage any team, even when they’re not a team owner.
The availability of Azure Information Protection and Office 365 sensitivity labels allow tenants to protect important and confidential files. That’s nice, but it’s even better when you know what files are protected. Here’s how to use PowerShell to create a report about those files.
A recent correspondent asked how to find inactive distribution lists in Exchange Online. We didn’t have a good answer in the book, so here’s some PowerShell code to do the trick.
Office 365 doesn’t include a way to export a list of Teams in a form that can be imported by Power BI, but PowerShell makes it an easy task to accomplish. Here’s a script to help solve the problem.
Team owners can set the picture for their teams, but can tenant administrators do the same thing? As it turns out, no. But there’s a reason why.
The new version of the Teams PowerShell module (0.9.5) supports a Get-Team that’s actually useful because it can return a full list of teams in the tenant. But there’s still some work to do…
Office 365 offers different ways to apply encryption to important messages. When those messages hold sensitive data known to Office 365, like credit cards or passport numbers, we can define a transport rule or DLP policy to protect outbound email automatically. And while you can define rules and policies through the GUI, PowerShell is available too.
If you run a hybrid Exchange deployment, you probably have some on-premises distribution lists that you’d like to move to the cloud. Office 365 offers no way to do this, so it’s up to PowerShell. Instead of starting from scratch, you can use a script created by Tim McMichael of Microsoft and amend it to meet your needs. PowerShell is just great.
Microsoft would like Office 365 tenants to use the Click to Run (C2R) version of the Office desktop applications because C2R is automatically updated with new features. We like C2R, but we also like knowing what’s installed on user workstations. Here’s how to check the Click to Run configuration with PowerShell.
Org-Wide Teams are a nice feature, but calculating their membership can be puzzling, as in the case of some perfectly valid accounts that were not added to a team. As it turns out, the error lies in Azure Active Directory.
A quirky side of the New-Team cmdlet is that it creates some interesting values for the properties of the underlying Office 365 group that you might like to control better. As it turns out, the Alias parameter is what you need to set.
If you attended Tony’s session at the Ignite conference about how to use PowerShell to get real stuff done inside Office 365, you might like a list of where to get the code examples, So here it is.
Search-Mailbox is a very useful cmdlet but running the cmdlet can be very dangerous as you might end up permanently removing some data that you’d prefer to keep. And in the cloud, there’s no backups…
Security groups are often used to protect access to resources, but they can’t be used to control membership for Microsoft 365 Groups or Teams. If you want to use AAD security groups to control membership for Groups and Teams, you need to come up with a way to synchronize. PowerShell is available to do the job, and as it turns out, it’s not too difficult.
Some will tell you that you can figure out what resources an Office 365 Group is connected to by checking the ProvisioningOption property with the Get-UnifiedGroup cmdlet. Well, you can’t. If you want to do something like check for team-enabled groups, you’ll need a different approach.
A demo to show how easy it is to use PowerShell to manage Office 365 Groups and Teams was progressing nicely at the UK Evolve conference when a problem happened with code that used to run perfectly. Sounds like a normal programming situation, but in this case, Microsoft had changed the format of Office 365 audit records for Azure Active Directory operations. That’s not so good. What’s worse is that some essential data is now missing from the audit records.
During transitions, things sometimes don’t go so smoothly. Such is the case if you want to enable or disable guest user access to Teams and find that the setting to control the access is no longer available in the Office 365 Admin Center. But PowerShell can control the setting, so that’s the solution to the problem.
Grrr. It’s been that kind of day. While chasing a Teams bug (about which more another time, once I have a consistent repro case), I needed to log on to Skype Online PowerShell. We use the Azure baseline policy that forces MFA for all admin accounts in our tenant; I just updated Chapter 3 of …
Read More ““Unable to discover PowerShell endpoint URI” when using MFA with Skype Online”
As announced in this post in the Microsoft Tech Community, the ability to add a new Office 365 Group to an existing SharePoint Online (SPO) site is finally available to Office 365. You will be able to connect existing classic SPO sites to new Office 365 Groups by means of two possible mechanisms: PowerShell (first …
Read More “Adding a New Microsoft 365 Group to an Existing (Classic) SharePoint Online Site”
Do you want to create an all-employees team spanning everyone in the company? Here’s a PowerShell script that will create and populate the team for you.
Need a script to turn off sub-options in Office 365 plans like the one that controls Microsoft Teams? Here’s a Petri.com article that explains how to do it with the Microsoft Online Services PowerShell module.