Powershell

What’s that? Just another script for listing users and their group memberships. You feed it a text file with UPNs, it queries Microsoft Graph, and spits out a flat CSV like: UserPrincipalName PrimarySmtpAddress GroupName GroupEmail GroupType [email protected] [email protected] Some DL [email protected] DistributionList [email protected] [email protected] Security Group ABC [email protected] MailSecurityGroup [email protected] [email protected] Some DL [email protected] DistributionList Where’s it? On GitHub Requirements PowerShell 5.1+ or PowerShell 7+ Microsoft Graph PowerShell SDK Permissions: User.Read.All, GroupMember.Read.All, Group.Read.All

Problem If you want to add or remove (basically update) a proxy address on a cloud-only account - without an Exchange mailbox - you cannot. There is no such option in the GUI and PowerShell won’t allow it either, throwing an error: Set-MgUser : Property 'proxyAddresses' is read-only and cannot be set. Status: 400 (BadRequest) ErrorCode: Request_BadRequest Solution Use the Graph API BETA endpoint. Method: PATCH URL: https://graph.microsoft.com/beta/users/<User_ID> Request Body: 1 2 3 4 5 6 7 8 { "proxyAddresses": [ "SMTP:PrimarySMTPAddress", "smtp:Alias1", "smtp:Alias2", "smtp:Alias3" ] } Expected Response: 204 No Content An example ...

Domain Removal Issues If you want to remove a domain from an M365 tenant, you need to deprovision all associated objects first - easy to say, harder to do. If the domain is not federated, M365 can handle it for you - it simply removes aliases and updates the Primary SMTP address and/or UPN to the default domain (domain.onmicrosoft.com). However, this does not work for federated domains. You have to remove everything manually, which is manageable for one domain. In my case, I had to remove 150. ...

Introduction When working with Microsoft Graph API to automate SharePoint operations (like writing script outputs, saving reports, updating Excel files), we can’t just use file paths. We need to work with unique identifiers - specifically - the file ID. This guide walks you through the process of finding a SharePoint item ID by navigating the site hierarchy using Graph API Explorer. The Goal In this example, we’ll find the ID of an Excel file located deep within a SharePoint site structure: ...

Add: 1 Get-Content <file path> | foreach {Set-MgUserLicense -UserId $_ -AddLicenses @{SkuID = '2ced8a00...'} -RemoveLicenses @()} Remove: 1 Get-Content <file path> | foreach {Set-MgUserLicense -UserId $_ -RemoveLicenses @('3db7c7ead579...') -AddLicenses @{}} Check for a license SkuId: Get-MgUserLicenseDetail -UserId <UPN>orGet-MgSubscribedSku | fl SkuPartNumber, skuid File path is a TXT file containing UPNs one-per-line.

The Problem Classic Exchange Online scenario - trying to remove an orphaned (maybe used to be synced) object. Getting slapped in the face with error The Solution Two words: Graph API. Step 1: Get the Mail Contact ID First, we need to identify the exact object we’re dealing with: 1 Get-MailContact [email protected] | Format-List Id This will give the unique identifier for the mail contact. Step 2: Verify the Object in Graph API Better safe than sorry- let’s do a double check. Replace <ID> with the ID from Step 1: ...

Permissions Consent Pop-up Every new user must approve permissions when accessing an app. Existing users see this prompt again after app logic or connector updates. App permissions consent pop-up In most scenarios, this pop-up can be bypassed. Hiding consent pop-up This requries a single PowerShell command: 1 Set-AdminPowerAppApisToBypassConsent -EnvironmentName [Guid] -AppName [Guid] Expected result: BypassConsent flag is set We can get guids using PowerShell: ...

Just a simple one-liner When you have many room mailboxes, granting someone access to each room calendar one-by-one is painful. This one-liner reads a list of room SMTP addresses from a text file and applies the same permission to each mailbox calendar. 1 2 3 4 5 Get-Content .\rooms.txt | % { Write-Host "Working on $_" -ForegroundColor Cyan Add-MailboxFolderPermission -Identity "$($_.Trim()):\Calendar" -User "[email protected]" -AccessRights Reviewer } Notes Text file we import via Get-Content contains a room email address per line .Trim is being used to remove blank spaces in TXT file - (’ [email protected]’ -> ‘[email protected]’) - it’s just a safety feature I like to use In some tenants, the calendar folder name might be localized (for example “Kalendarz” in Poland, “Kalender” in Germany and “Calendier” for France) If permissions are already granted for an user, you need to either remove these and re-add or use Set-MailboxFolderPermissions

The easy part Creating distribution lists in bulk is quite simple. Just a CSV file: 1 2 3 4 name,mail Fancy Group,[email protected] Another Fancy Group,[email protected] Not That Fancy Group,[email protected] And for-each loop 1 2 3 4 5 6 7 Import-Csv .\groups.csv | ForEach-Object { New-DistributionGroup -Name $_.name -PrimarySmtpAddress $_.mail -OrganizationalUnit 'OU=Groups,DC=wrong,DC=went,DC=something,DC=dev' -Type Security } Result: Name DisplayName GroupType PrimarySmtpAddress Fancy Group Fancy Group Universal, SecurityEnabled [email protected] Another Fancy Group Another Fancy Group Universal, SecurityEnabled [email protected] Not That Fancy Group Not That Fancy Group Universal, SecurityEnabled [email protected] But updating msExchExtensionAttribute is different A below won’t work as there is no such command under Set-DistributionGroup. ...