Monitor and Report Additions to Teams Membership

A question about how to report specific changes to Teams memberships gave another excuse to use PowerShell with the unified audit log to deliver a solution. The idea is that you can check audit log entries to see when specific user accounts join the membership of Teams. Once you’ve found that data, it’s a simple matter of creating an email to share the results. All done with a few lines of PowerShell…

Updating Entra ID Risky Users with PowerShell

Entra ID risky users are accounts that Entra ID Identity Protection detects as exhibiting signs of suspicious activity that might mean the accounts are compromised. In this article, we consider the value of Entra ID risky accounts and how they can be used in conditional access policies. We also look at the Microsoft Graph PowerShell SDK cmdlets that are available for risky users!

Managing Assigned Licenses for Deleted User Accounts

A reader asked why some deleted Microsoft 365 user accounts appear to have assigned licenses. That seemed strange because licenses are freed up for reuse when accounts are deleted, so we took a look behind the scenes to find out why some deleted user accounts keep license information in their properties and some do not.

Generate a HTML Report of Managers and Direct Reports with the Graph SDK

Two years ago, I wrote about how to generate a report about managers and their direct reports from the information stored in Entra ID. As it turns out, the Get-User and Get-Recipient cmdlets have a little flaw that can make the data they return inaccurate. To make sure that the data is correct, a new version of the script uses cmdlets from the Microsoft Graph PowerShell SDK to report Entra ID managers and reports. We also format the output in a nicer way, so it’s all good.

Time Running Out for AzureAD and MSOL PowerShell Modules

The AzureAD PowerShell retirement date is approaching quickly. After March 30, 2023, Microsoft says that the module will work for six months. Then? Who knows! Cmdlets that set licenses for Azure AD accounts are now retired and will stop working on or before March 30, 2024. If you haven’t already upgraded scripts, it’s time to do so.

Document Entra ID Conditional Access Policies with the IdPowerToys App

The first app in a new community project called IdPowerToys helps Microsoft 365 tenants to document conditional access policy settings in PowerPoint. The information used to document the CA policies is extracted (manually or automatically) from Azure AD, analyzed, and output as a PowerPoint presentation. It’s a nice way to see what CA policies exist in a Microsoft 365 tenant and helpful if you want to rationalize the set of policies in use.

How to Purge Guest Accounts with Unredeemed Invitations from Entra ID

It’s easy to invite people to become guest users in a Microsoft 365 tenant, but some of the invitees never accept the invitation. Perhaps they don’t need to redeem the invitation to do work or maybe it’s because they don’t want to. In either case, Entra ID guest accounts with unredeemed invitations can accumulate and become stale. In this post, we discuss how to use PowerShell to find and remove those stale accounts in a safe manner.

Reporting Operating System Versions for Registered Devices

Entra ID registered devices store some information about the operating system and version used when registration occurs. Although this information changes over time and isn’t updated by Azure AD, it might be of some interest and use to tenant administrators, so we show how to report it here. If you want accurate information, you’ll need to use Intune.

Fetching Group Membership Information for an Entra ID User Account

As developers update PowerShell scripts in preparation for the deprecation of the Azure AD and MSOL modules, they might need to insert new code to retrieve the membership of Entra ID groups for specific accounts. We cover that topic here, including the interesting case of the AdditionalProperties property returned by several Microsoft Graph PowerShell SDK cmdlets and the valuable information found there.

Updating Extension Attributes for Entra ID Registered Devices with the Microsoft Graph PowerShell SDK

Entra ID registered devices have 15 extension attributes that tenants can use for their own purposes. In this article, we explore how to use the Microsoft Graph PowerShell SDK to update extension attributes for registered devices, and even better, access the content in the extension attributes afterward.

Outlook Org Explorer Gives More Reasons to Pay Attention to User Data

Outlook’s Org Explorer (available in Insider builds) brings together information from multiple Microsoft 365 sources to help users understand the people they work with in an organization. It’s like an Office 365 profile card on steroids, but only for user accounts as guest accounts and other external people are ignored. In other news, roaming signatures for Outlook desktop are getting closer as OWA now supports the creation and use of multiple web signatures, all of which can be used by Outlook desktop.

Basic Entra ID Group Management with the Microsoft Graph PowerShell SDK

The Microsoft Graph SDK for PowerShell includes cmdlets to create Entra ID Groups and manage those groups afterward. The cmdlets work and in some places they are screamingly fast compared to Exchange Online or Azure AD cmdlets. In other places, the cmdlets are a tad bizarre and expose a little too much of their Graph underpinnings. Oh well, at least after reading this article, you’ll know where the holes lie.

Delete and Restore Entra ID User Accounts with the Microsoft Graph PowerShell SDK

Microsoft has announced that it will be possible to recover a deleted service principal by the end of May. This is good news because it means that an accidental deletion can’t wreak the kind of havoc it can today. Microsoft hasn’t updated the APIs to manage soft-deleted service principals yet, but we can get an insight into what’s likely to happen by investigating how to manage deleted Entra ID accounts using cmdlets from the Microsoft Graph PowerShell SDK.

Understanding What’s in an Entra ID Access Token

Access tokens are an important part of accessing data using modern authentication through APIs like the Microsoft Graph. But what’s in an access token and how is the information in the access token used by PowerShell when the time comes to run some Graph queries in a script? In this article, we look behind the scenes to find out what’s in the JSON-structured web tokens issued by Entra ID.

How to Create an Entra ID B2B Collaboration Policy

Azure B2B collaboration is used by Microsoft 365 Groups-based apps like Teams, Planner, and Yammer to control the creation of new guest accounts. You can update settings in the Azure AD portal to stop new accounts from specific domains or restrict guests to a list of known domains. But before you go ahead and update the settings, it’s a good idea to know where existing guest accounts come from. It’s easy to create a report with PowerShell. The next step might be to remove guests from offending domains.

How to Review and Clean Up Entra ID Enterprise Apps

Over time, a Microsoft 365 tenant might accumulate many Entra ID enterprise apps. Do you know what these apps do or who uses them? It’s good to do a regular audit and cleanout of unwanted apps left behind for tests, trials, or expired applications. We use a script published on Practical365.com to grab the data from Azure AD and then import it into Microsoft Lists. The results we got might surprise you.

The 1-2-3 of Exchange Online Certificate Based Authentication for PowerShell

Exchange Online PowerShell is a critical automation tool for many Office 365 tenants. In 2021, Microsoft will remove basic authentication for PowerShell, so it’s time to change over to modern authentication. For scripts that run as batch or background jobs, that means converting to certificate-based authentication. In this post, we explore how to get the self-signed cert to glue everything together.

Block Guest Members for Individual Microsoft 365 Groups and Teams

By default, the Groups policy for an Office 365 tenant allows group owners to add guest users to group membership. You can block this access if necessary, but it’s probably not what you want to do as blocking brings guest access to a complete halt across the tenant.

How to Create Org-Wide Teams in Microsoft Teams

Teams supports the ability to create org-wide teams, but only if your tenant has fewer than 10,000 accounts. It’s a neat idea, if you can use it, but if your organization spans more than 10,000 accounts, there are other ways to foster company-wide communications.