Sharing information generated by a PowerShell script running in Azure Automation can be a challenge. Some time ago, I wrote about creating an output file in a SharePoint Online document library. Here I explore how to do the job by posting to a Teams channel using two different methods.
This article explains how to create a new Microsoft 365 group and team using the membership and properties of an Exchange Online dynamic distribution list. The process is reasonably straightforward, but as always with PowerShell, there are some interesting turns and twists that must be navigated en route.
The Microsoft 365 Groups and Teams Activity report is a PowerShell script which tries to work out if groups and teams are inactive by checking various usage indicators. Because it’s written in PowerShell, tenants can change the script as they like, perhaps even adding some extra turbocharging to the ideas we’ve incorporated into the code.
The transition of Whiteboard storage from Azure to OneDrive for Business is approaching its end. A set of updated clients delivered at the end of March 2022 should do the trick. However, storing newly-created boards in OneDrive is one thing. Migrating old boards and updating components like the Whiteboard Admin PowerShell app are another. We don’t know what’s happening there and Microsoft hasn’t published any guidance.
Access tokens are an important part of accessing data using modern authentication through APIs like the Microsoft Graph. But what’s in an access token and how is the information in the access token used by PowerShell when the time comes to run some Graph queries in a script? In this article, we look behind the scenes to find out what’s in the JSON-structured web tokens issued by Azure AD.
The Microsoft 365 group expiration policy can remove inactive groups after a set period. This helps clean up Azure AD, but the removal of a group might come as a surprise. To help remind administrators when groups will expire, we can use PowerShell to create a report of groups within the cope of the expiration policy and their next renewal dates. And to speed things up, we can turbo-charge matters with a Graph query.
Service principal sign-in data from Azure AD is now accessible through a Microsoft Graph API. This means that you can analyze sign-in data to locate problem apps and remove old or unwanted service principals from your Microsoft 365 tenant. It’s time for spring cleaning!
Finding the age of a Microsoft 365 tenant isn’t an important administrative operation. However, understanding how to retrieve this information (if asked) is an interesting question, which is why we spent several hours playing around with PowerShell and the Microsoft Graph to figure out how to answer the question. It’s the kind of in-depth analysis we do all the time to build content for the Office 365 for IT Pros eBook.
A new List Teams API is available in the beta version of the Microsoft Graph. In time, the new API might replace the existing methods used to fetch sets of teams for processing. For now, there’s no need to update any code as we wait for Microsoft to fully bake the new API. Maybe it will be more performant and functional in the future!
Microsoft Teams posts system messages to a team’s information pane to let people know about membership changes. You can’t stop Teams doing this because Microsoft doesn’t provide control over the system messages at the tenant or team level. You can obscure the names of new members by changing their display name, but maybe the best idea is not to add new members until the time is right.
The SharePoint Online admin center displays an insight card for the number of unlabeled sites in the tenant. For some reason, many of the labels assigned to Microsoft 365 Groups and Teams had not reached SharePoint. Some PowerShell does the job to fetch the sensitivity label information from Exchange Online and update sites with the missing label information.
To help you recover from the blizzard of Microsoft 365 information released at Fall Ignite 2021, here are some notes about features and functionality you might have missed. Like any list created by a conference (virtual) attendee, it reflects my interests and what I was looking for. Feel free to disagree on the importance of any or all of the topics discussed here… and suggest some of your own in the comments.
A 1.5 TB limit applies to Exchange Online archive mailboxes from November 1, 2021. In this article, we use PowerShell to report how close expandable archives are to the new limit. In reality, not many archive mailboxes will approach the new limit, but it’s nice to know things like the daily growth rate for an archive and how many days it will take for an archive to reach 1.5 TB. All whimsical stuff calculated with PowerShell!
By default, Exchange Online allows other users in your tenant to see limited details of your availability when scheduling meetings. More information can be displayed by updating the calendar permissions for mailboxes. This is easy to do with PowerShell, but needs to be done on an ongoing basis because Exchange Online doesn’t have an organization or mailbox plan setting to assign the value to new mailboxes.
Understanding how to create effective queries using the Microsoft Graph APIs takes some work, especially with some of the more complex filters used to refine the data returned by the Graph. In this article, we look at how filters using lambda qualifiers work and explore some examples of these qualifiers in use.
Microsoft has replaced the controls which disabled document insights in Delve with new Graph-based settings. However, you might still have a bunch of users with the Delve settings who need to migrate to the Graph settings. In this article, we explore how the settings work and how to query the Graph to find the set of users who disabled the setting in Delve. We can then use PowerShell to add those accounts to the group of disabled insights users for the Graph-based settings.
In this post, we describe how to use PowerShell to remove a single service plan from Microsoft 365 licenses using PowerShell. The script can remove any service plan from any SKU (license) in a tenant. You might want to do this to disable access to an obsolete feature (like Sway) or to prevent access to a new feature until the organization is ready to support user activity.
The message center in the Microsoft 365 admin center will soon use a new data privacy tag to highlight specific service updates to tenant administrators. No messages with the new tag have yet appeared, so it’s hard to know how Microsoft plans to use the new tag or what kind of attachments it will make available to administrators to help understand the sensitive data involved in data privacy. While we’re waiting, we took at look at the tags in use today and wrote some PowerShell to report which tag is most popular.
Many PowerShell scripts which access Office 365 data could do with a speed boost. Replacing cmdlets with Microsoft Graph API calls is one way to get extra speed. In this article, we take a PowerShell script to report the memberships users have of Microsoft 365 groups and replace some important cmdlets with Graph API calls. The result is a big speed increase.
Office 365 tenants users will soon be able to execute self-service purchase Windows 365 licenses. That is, unless you stop them by running some PowerShell commands to disable the capability. In this article, we explain the Windows 365 options available for self-service purchase and the PowerShell commands necessary to disable the option, if you think it’s a bad idea (as some do).
The thoughts of using Microsoft Graph API calls with PowerShell might seem to be too much trouble, but used correctly, Graph API calls help scripts speed up and get to some data that is not reachable through a cmdlet. I have a simple four-step approach that I use to figure out if I need to include some Graph API calls. The routine works for me. Feel free to disagree.
How do you create a report of all the Teams in a tenant and their SharePoint Online sites? As it turns out, a two-line script does the job. We make the script slightly prettier, but it’s still simple. And because it’s PowerShell, anyone can change the code to make it work the way they want it to.
Auto-label policies are a good way to assign retention labels to important files stored in SharePoint Online and OneDrive for Business. The big problem is tracking the progress of auto-labeling. In this article, we explore how to use events logged in the Office 365 audit log to figure out what files are labeled and how long it takes the auto-label policies to process the files. The example explored here is an auto-label policy for Teams meeting recordings.
Sometimes it’s wise to give PowerShell scripts a turbo boost. This is certainly true for the Groups and Teams Activity report script, where a large amount of PowerShell processing has been replaced with speedy Microsoft Graph API calls. The result is much faster processing, which means that the script is more useful in large tenants. I still wouldn’t try to run it against 100,000 groups, but anything smaller should be OK. I think!
Finding out which Azure AD accounts have licenses (service plans) for different applications isn’t difficult. You can do it with either PowerShell or the Microsoft Graph API. This article explains how to use PowerShell (and the equivalent Graph API call) to find accounts which have a certain license (service plan) enabled or disabled. Once you know how to navigate license data in Azure AD accounts, you can take the code and adapt it for different purposes.
Compliance role groups control access to Microsoft 365 compliance functionality. A new permissions page makes it easier to manage these groups in the Microsoft 365 compliance center, where you can also manage the Azure AD roles used by Microsoft 365 compliance. If you want to generate a report about who holds what role, you’ve got to use PowerShell. The code is easy once you know which roles you want to report.
Blocking domains through the Azure AD B2B collaboration policy stops group owners adding new guest accounts from certain domains. It does nothing about existing guests from those domains. Fortunately, it’s relatively easy to check the guest membership of Groups and Teams to find guests from the blocked domains. And once you know those problem guests, you can decide what to do up to and including removing guest accounts from the tenant.
Without warning (for security reasons), Microsoft stopped the Exchange Online Set-User cmdlet being able to update the work and mobile numbers for Azure AD accounts. We don’t know what kind of security concerns caused Microsoft to take this action, but it might be associated with administrative roles. In any case, this disappointing example of how to communicate with customers might end up with people having to update some PowerShell scripts – and no one likes unexpected work.
Azure B2B collaboration is used by Microsoft 365 Groups-based apps like Teams, Planner, and Yammer to create new guest accounts. You can update settings in the Azure AD portal to stop new accounts from specific domains or restrict guests to a list of known domains. But before you go ahead and update the settings, it’s a good idea to know where existing guest accounts come from. It’s easy to create a report with PowerShell. The next step might be to remove guests from offending domains.
Office 365 administrators can update Azure AD guest accounts with photos. Guests can do the job themselves using three PowerShell commands. Other approaches work too, but this is the easiest and quickest method to do the job, especially if you have guest accounts in multiple tenants.
PowerShell pros know the secrets of typed variables and why this matters when cmdlets return data, but some of us have been doing things wrong for years. Which is why I spent a couple of hours contemplating the differences between typed and untyped variables when handling items returned by cmdlets. They say that old dogs can’t learn new tricks. I beg to differ…
Azure AD holds information about managers and their direct reports. It’s easy for that data to go out of date, so we create a report to tell us who are the managers and how many direct reports they have. Azure AD has some cmdlets to retrieve information about managers and direct reports, but as it turns out, the older Get-User cmdlet is the best way to proceed.
Sensitivity labels are a great way to protect confidential documents stored in SharePoint Online. Sometimes the documents must be decrypted. This article explains how to build a PowerShell script which uses Graph API calls to navigate to a folder in a SharePoint Online document library and decrypt the protected documents found in the folder.
Microsoft has released V2.0 of the Teams PowerShell module. It brings some welcome improvements, notably the inclusion of all the management cmdlets, but has a downside too. The new cmdlets for managing teams templates are not easy to use and some authentication issues affect the Connect-MicrosoftTeams cmdlet after a change in authentication libraries. Microsoft has some work to do to improve this version of the module.
There are many examples of PowerShell scripts which create reports about the membership of Microsoft 365 Groups. Most are slow. This version is faster because of its per-user rather than per-group approach to processing. The output is a nice HTML report and two CSV files containing a list of memberships in Microsoft 365 Groups and summary data for each user in the tenant.
Audit records are a great way to gain an understanding of what happens inside Office 365. We use PowerShell to report actions taken with sensitivity labels such as protecting files and containers. The latest development is the addition of support in the Microsoft 365 apps for enterprise (Office desktop) to log audit events when users interact with sensitivity labels. Unsurprisingly, more events are often logged by the desktop apps than their online equivalents.
The inbound webhook connector used by Teams and Microsoft 365 Groups to accept information from external sources is getting a new format. Existing connectors must be updated by April 11, 2021. If not, data will stop flowing into the target channel or group, and that would be a bad thing.
You can create an Azure AD Access Review for all guests in teams and groups in your tenant and then see what’s happening with the Graph API. In this case, we use PowerShell with the API to grab the access review data and create a report about the overall status of the review in a tenant.
Sometimes delegate access for an Exchange Online calendar goes awry due to corrupted items in the mailbox. To help sort out problems, Microsoft has upgraded the Remove-MailboxFolderPermission cmdlet to do the work that used to be done by a multi-phase fix performed using the MFCMAPI or EWS editor utilities. The nice thing is that this method is quick, simple, and works well.
Bing publishes a new image daily in its home page. You can download the images and use them as custom background for Teams meetings. A PowerShell script automates the task and downloads the images for the last seven days and cleans up any Bing images older than 30 days.. It’s a nice way to use some attractive images to liven up Teams meetings.