Understanding what Graph permissions are required by apps can be challenging. In this article we discuss how the Group.Read.All and GroupMember.Real.All permissions work and why you should choose one permission over the other and respect the principle of least permission when it comes to assigning Graph permissions to your apps and PowerShell scripts.
In 2024, I wrote a script explaining how to report details of Teams online meetings, including participants. Now someone wants to report single-user meetings. Their reason is that company management believe that some remote workers schedule online meetings that only they attend with the intention of appearing active if anyone checks. It’s an odd ask, but we can do the job with PowerShell.
The May 2026 update for the Automating Microsoft 365 with PowerShell eBook is available. Current subscribers can download new PDF and EPUB files. The paperback edition of the book (available on demand from Amazon) is also updated. With over 400 pages of content, including twice that number of practical examples of using PowerShell to interact with Microsoft 365, the book is going from strength to strength.
A reader wanted a weekly incomplete task digest to send details of Planner tasks to people with outstanding work to do. We used PowerShell to scan for incomplete tasks for people who are members of a group, perform some analysis on the data, and create and send email. Despite some deficiencies in the Planner Graph API, the code is pretty straightforward.
The April 2026 update for the Automating Microsoft 365 with PowerShell eBook is now available for subscribers to download. Refreshed EPUB and PDF files can be downloaded from Gumroad.com. The Kindle and paperback editions are also updated. This month we reflect on V2.36.1 of the Microsoft Graph PowerShell SDK and why so little has changed in this important component.
Shared mailboxes are not CRM systems. However, many Microsoft 365 tenants use shared mailboxes to handle customer queries and then want to measure KPIs such as agent responsiveness to customer queries or the number of queries handled per agent in a month. As explored in this article, it’s possible to use the Microsoft Graph to extract some KPI-like data from shared mailboxes.
This article explains how to use scoped Graph permissions to restrict app access to lists and list items in SharePoint Online and OneDrive for Business sites. It’s a follow-up to other articles covering how to restrict app access to SharePoint Online sites and files. Scoping app access to specific objects is important because otherwise apps can access everything in SharePoint Online, and that isn’t good.
Update #21 for the Automating Microsoft 365 with PowerShell eBook is now available for current subscribers to download from Gumroad.com. Refreshed PDF and EPUB files are available and the paperback version available from Amazon.com is also updated. Automating Microsoft 365 with PowerShell is packed with practical ready-to-use examples of working with apps, sites, mailboxes, teams, plans, and other data. Every Microsoft 365 administrator should have this book!
Dev Proxy is a Microsoft tool built to help developers figure out the most effective way of using Microsoft Graph API requests. On the surface, Dev Proxy doesn’t seem like a tool that would interest people who use the Microsoft Graph PowerShell SDK to write scripts for Microsoft 365. But all tools have some use, and Dev Proxy can help.
The temptation to use the Mail.Send application permission in scripts can lead PowerShell developers into trouble because the permission allows access to all mailboxes, including sensitive executive and financial mailboxes. Fortunately, RBAC for Applications allows tenants to control the access that apps have to mailboxes and other Exchange content. All explained here with an example script to test RBAC of Applications.
On February 12, Microsoft announced the deprecation of the Credential parameter for the Connect-ExchangeOnline cmdlet in the Exchange Online PowerShell module. The deprecation won’t affect interactive sessions (which should all be protected by MFA), but it might stop some background jobs running when Microsoft retires the server components that currently support the ROPC authentication flow. Time to check scripts!
Update #19 of the Automating Microsoft 365 with PowerShell eBook is now available. Subscribers can download the updated PDF and EPUB files from Gumroad.com. A paperback version is also available, but we can’t update the print characters. In any case, a new SharePoint create Site API is in beta, and a new version of the Microsoft Graph PowerShell SDK is available. Both have their moments, as we discuss here.
Shared mailboxes might need Microsoft Defender for Office 365 licenses, but how do you identify how many licenses? We use PowerShell to do the job by analyzing external email sent to shared mailboxes. If a mailbox receives external email, then by definition the mailbox receives benefit from MDO, and that’s the test for requiring a license.
The December 2025 update (version 18) of the Automating Microsoft 365 with PowerShell eBook is now available to download. Current subscribers can fetch the updated EPUB and PDF files from Gumroad.com using the link in their account (or receipt), but we can’t do much for the paperback edition except consider using scissors, paste, and Tippex, just like the old days.
The Entra ID Governance solution includes a workflow to detect and remove inactive user accounts. Sounds good, but the same can be done with PowerShell if you want to avoid the cost of Entra ID Governance licenses or want to create a bespoke workflow that’s better suited to the business needs of the organization. Azure Automation would be a good way to process this workflow.
If you can’t use managed identities, credential resources are a way to manage username and password credentials for Azure Automation runbooks. The Secret Management module is an alternative, and it’s a good option to manage credentials that are shared between interactive scripts and automation runbooks. This article describes how to use the Secret Management PowerShell module to fetch credentials stored in Azure Key Vault for use in an automation runbook.
An assembly clash happens when a PowerShell module attempts to load a .NET assembly only to find that a different version is already loaded in the session. Unhappily, this kind of thing happens far too often with Microsoft 365 modules, which implies that there isn’t a great deal of coordination between different development groups. All you can do is to load modules in the right order.
A change to a Graph beta API meant that some data used to create the user password and authentication report was no longer available. A script update was required. The experience underlines the truth that developers should not rely on the Graph beta APIs because the APIs are prone to change at any time as Microsoft moves them along to become production-ready.
The Office 365 for IT Pros team is happy to announce the availability of the October 2025 update for the Automating Microsoft 365 with PowerShell eBook. Subscribers can download the latest PDF and EPUB files from Gumroad.com. In other news, a new eBook about Exchange Server Subscription Edition (SE) is available. It’s always nice to see new sources of knowledge open up!
The Office 365 for IT Pros eBook team is proud to announce the availability of update 15 for the Automating Microsoft 365 with PowerShell eBook. The book includes extensive coverage of how to work with Microsoft 365 workloads through standard modules, Graph APIs, and the Microsoft Graph PowerShell SDK, including hundreds of practical examples over 350-plus pages. No fluff, just real-world code.
After being asked whether licenses are needed to include shared mailboxes in Microsoft 365 retention policies, I investigated and found that licenses are not. This led to a consideration of the steps needed to create a special retention policy for shared mailboxes (with PowerShell, naturally) and how to avoid retention setting collisions with other policies. All explained in detail here.
Deleting an Entra ID user account can result in ownerless groups if the account being removed is the only group owner. Before deleting accounts, it’s a good idea to proactively replace group owners. This article explains how to replace group owners in the fastest and most scalable manner using the Microsoft Graph PowerShell SDK.
After many twists and turns since August 2021, the MSOnline module retirement will happen in April 2025. The AzureAD module will then retire in the 3rd quarter. It’s way past time to upgrade PowerShell scripts. The question is whether to use the Entra module or the Microsoft Graph PowerShell SDK. I know which option is best and say why in this article.
The Office365ITPros GitHub repository holds over 370 PowerShell scripts showing how to interact with Microsoft 365 and Entra ID. Anyone can contribute to Office365ITPros by forking the code to a copy of the repository and making changes to scripts there. If you want, you can push the changes back to us so that we can consider their inclusion in Office365ITPros. It’s a great example of community in action.
The latest technology initiative from Microsoft comes in the form of Teams custom emojis, designed to bring light and happiness to Microsoft 365 tenants. Of course, the light and happiness will only happen if tenants don’t disable the settings in Teams messaging policies that allow users to upload custom emojis. A tenant can support up to 5,000 Teams custom emojis. That’s a lot of room for people to get inventive.
This article explains how to use PowerShell to create dynamic Microsoft 365 groups (and teams) based on the departments assigned to Entra ID user accounts. Creating a new group is easy. The trick in team-enablement is to wait for the synchronization between Entra ID and Teams to finish before you go ahead. After that, it’s plain sailing.
A reader asked how they could create dynamic administrative units for every department in their directory. A PowerShell script does the job, even if some constraints in how Entra ID processes membership rules means that the rules can’t be quite as precise as I would like them to be.
Microsoft makes a 30-day Teams Premium trial license available to allow customers to test the premium features. Once the trial finishes, it’s a good idea to clean up and remove the Teams Premium trial licenses from the Azure AD accounts that participated in the trial, especially as the trial license has the same display name as the paid-for Teams Premium license. You can accomplish the task through the Microsoft 365 admin center, but we explain how to do the job with PowerShell too. The same technique works to remove any specific license from a set of user accounts.
This article describes how to use the Exchange.ManageAsApp permission to allow Azure AD apps to run Exchange Online PowerShell cmdlets. You can do this in the Azure AD admin center for registered apps, but when the time comes to allow Azure Automation runbooks to sign into Exchange Online with a managed identity, you must assign the permission to the automation account with PowerShell. Easy when you know how, hard when you don’t!
This article describes how to adapt the Microsoft 365 licensing report script to highlight Azure AD accounts that haven’t signed in for a long time. Because Microsoft charges for licenses on a monthly basis, every month that goes by racks up cost for underused accounts. The new version of the script tells you what accounts to check to help you focus on driving down licensing costs.
In this article, we explain how to create a report about the Teams private channels found in a tenant together with the members and owners of each channel. The PowerShell script is relatively straightforward and once the data is extracted from Teams, it can be sliced and diced in different ways.
Sharing information generated by a PowerShell script running in Azure Automation can be a challenge. Some time ago, I wrote about creating an output file in a SharePoint Online document library. Here I explore how to do the job by posting to a Teams channel using two different methods.
This article explains how to create a new Microsoft 365 group and team using the membership and properties of an Exchange Online dynamic distribution list. The process is reasonably straightforward, but as always with PowerShell, there are some interesting turns and twists that must be navigated en route.
The Microsoft 365 Groups and Teams Activity report is a PowerShell script which tries to work out if groups and teams are inactive by checking various usage indicators. Because it’s written in PowerShell, tenants can change the script as they like, perhaps even adding some extra turbocharging to the ideas we’ve incorporated into the code.
The transition of Whiteboard storage from Azure to OneDrive for Business is approaching its end. A set of updated clients delivered at the end of March 2022 should do the trick. However, storing newly-created boards in OneDrive is one thing. Migrating old boards and updating components like the Whiteboard Admin PowerShell app are another. We don’t know what’s happening there and Microsoft hasn’t published any guidance.
Access tokens are an important part of accessing data using modern authentication through APIs like the Microsoft Graph. But what’s in an access token and how is the information in the access token used by PowerShell when the time comes to run some Graph queries in a script? In this article, we look behind the scenes to find out what’s in the JSON-structured web tokens issued by Entra ID.
The Microsoft 365 Groups expiration policy can remove inactive groups after a set period. This helps to clean up Entra ID, but the removal of a group might come as a surprise. To help remind administrators when groups will expire, we can use the Microsoft Graph PowerShell SDK to create a report of groups within the scope of the expiration policy and their next renewal dates.
Service principal sign-in data from Entra ID is now accessible through a Microsoft Graph API. This means that you can analyze sign-in data to locate problem apps and remove old or unwanted service principals from your Microsoft 365 tenant. It’s time for spring cleaning!
Finding the age of a Microsoft 365 tenant isn’t an important administrative operation. However, understanding how to retrieve this information (if asked) is an interesting question, which is why we spent several hours playing around with PowerShell and the Microsoft Graph to figure out how to answer the question. It’s the kind of in-depth analysis we do all the time to build content for the Office 365 for IT Pros eBook.
A new List Teams API is available in the beta version of the Microsoft Graph. In time, the new API might replace the existing methods used to fetch sets of teams for processing. For now, there’s no need to update any code as we wait for Microsoft to fully bake the new API. Maybe it will be more performant and functional in the future!