Powershell

Microsoft Exchange spoiled us - mail-enabled objects always had a set of custom attributes ready to use out of the box. Entra ID is less generous, you have to extend the schema yourself from scratch. 1. Create an Application Registration Application Registration works as the namespace for extension attributes. 1 New-MgApplication -DisplayName "Extension Attribute Sample Application" -SignInAudience AzureADMyOrg 2. Create an Extension Property Now we create an attribute itself. 1 New-MgApplicationExtensionProperty -ApplicationId <Id> -Name "Att1" -DataType String -TargetObjects @("Group") 3. Create a Service Principal Without a Service Principal, the extension attributes are defined but cannot be used - the application exists only as a ‘definition’, not as an active entity in your tenant. ...

Introduction When working with Microsoft Graph API to automate SharePoint operations (like writing script outputs, saving reports, updating Excel files), we can’t just use file paths. We need to work with unique identifiers - specifically - the file ID. This guide walks you through the process of finding a SharePoint item ID by navigating the site hierarchy using Graph API Explorer. The Goal In this example, we’ll find the ID of an Excel file located deep within a SharePoint site structure: ...

Add: 1 Get-Content <file path> | foreach {Set-MgUserLicense -UserId $_ -AddLicenses @{SkuID = '2ced8a00...'} -RemoveLicenses @()} Remove: 1 Get-Content <file path> | foreach {Set-MgUserLicense -UserId $_ -RemoveLicenses @('3db7c7ead579...') -AddLicenses @{}} Check for a license SkuId: Get-MgUserLicenseDetail -UserId <UPN>orGet-MgSubscribedSku | fl SkuPartNumber, skuid File path is a TXT file containing UPNs one-per-line.

The Problem Classic Exchange Online scenario - trying to remove an orphaned (maybe used to be synced) object. Getting slapped in the face with error The Solution Two words: Graph API. Step 1: Get the Mail Contact ID First, we need to identify the exact object we’re dealing with: 1 Get-MailContact [email protected] | Format-List Id This will give the unique identifier for the mail contact. Step 2: Verify the Object in Graph API Better safe than sorry- let’s do a double check. Replace <ID> with the ID from Step 1: ...

Permissions Consent Pop-up Every new user must approve permissions when accessing an app. Existing users see this prompt again after app logic or connector updates. App permissions consent pop-up In most scenarios, this pop-up can be bypassed. Hiding consent pop-up This requries a single PowerShell command: 1 Set-AdminPowerAppApisToBypassConsent -EnvironmentName [Guid] -AppName [Guid] Expected result: BypassConsent flag is set We can get guids using PowerShell: ...

Just a simple one-liner When you have many room mailboxes, granting someone access to each room calendar one-by-one is painful. This one-liner reads a list of room SMTP addresses from a text file and applies the same permission to each mailbox calendar. 1 2 3 4 5 Get-Content .\rooms.txt | % { Write-Host "Working on $_" -ForegroundColor Cyan Add-MailboxFolderPermission -Identity "$($_.Trim()):\Calendar" -User "[email protected]" -AccessRights Reviewer } Notes Text file we import via Get-Content contains a room email address per line .Trim is being used to remove blank spaces in TXT file - (’ [email protected]’ -> ‘[email protected]’) - it’s just a safety feature I like to use In some tenants, the calendar folder name might be localized (for example “Kalendarz” in Poland, “Kalender” in Germany and “Calendier” for France) If permissions are already granted for an user, you need to either remove these and re-add or use Set-MailboxFolderPermissions

The easy part Creating distribution lists in bulk is quite simple. Just a CSV file: 1 2 3 4 name,mail Fancy Group,[email protected] Another Fancy Group,[email protected] Not That Fancy Group,[email protected] And for-each loop 1 2 3 4 5 6 7 Import-Csv .\groups.csv | ForEach-Object { New-DistributionGroup -Name $_.name -PrimarySmtpAddress $_.mail -OrganizationalUnit 'OU=Groups,DC=wrong,DC=went,DC=something,DC=dev' -Type Security } Result: Name DisplayName GroupType PrimarySmtpAddress Fancy Group Fancy Group Universal, SecurityEnabled [email protected] Another Fancy Group Another Fancy Group Universal, SecurityEnabled [email protected] Not That Fancy Group Not That Fancy Group Universal, SecurityEnabled [email protected] But updating msExchExtensionAttribute is different A below won’t work as there is no such command under Set-DistributionGroup. ...