PowerShell – nullify extension attributes for all users in AAD using Graph API

Extension attributes in AAD are a great way to store any auxiliary information that does not belong in any other user property. The only sad part is that there are only 15 of them and they are text fields. If you ever need to clear some or all of them, the script below will be a great help! Benefits of the script: makes changes in batches - only takes seconds to run; dry or wet run depending on the switch (see the important note below). Unlike my other script ( https://365basics.com/powershell-find-and-update-a-string-value-within-all-dynamic-group-membership-rules/ ), this script uses App-only access rather than Delegated access. If you would like to learn more - https://learn.microsoft.com/en-us/graph/auth/auth-concepts/ Important! This line (#116) of code is responsible for either a dry or a wet run of the script. I left it commented out on purpose and by default.
# $UserAdjustments = Invoke-RestMethod @Parameters
Technically, you can adjust this script to clear and/or populate any user attributes. #…


PowerShell – find and update a string value within all dynamic group membership rules

If your company benefits from using dynamic groups, then you probably know that the feature takes its toll - proper maintenance and updates. The need usually arises when there are organizational changes - updated job titles or a renamed department, just to name a few. The purpose of this script is to take that burden away and make updates at once to every single dynamic group that matches the scope of the adjustment. Benefits and nuances of the script: can find and update any string value - doesn't matter if you update a property name or a property value; saves a CSV log file with all values before and after the update; only takes a few seconds to run and adjust up to 20 groups at once; the limit of 20 groups comes from a Graph API Batch limitation, more on that here - https://learn.microsoft.com/en-us/graph/json-batching ; retains membership rule formatting if you used one, more…


PowerShell – Office 365 – Disable an entire license package for each user

The purpose of this script is to remove an entire license package from every user. It is especially useful when removing trial license packages but of course not limited to them. Every license package consists of several service plan options. You can disable them one by one with the "PowerShell – Office 365 – Enable or disable service plan options within each license package while respecting current configuration for each user" script. However, when it comes to the last option left, it won't disable the whole license package. That surely makes you scratch your head, and this is why this script is much needed. Just like before, I tried to make it as interactive as possible: the script is interactive - just select all actions; no need to predefine any variables; works with all license packages. This script assumes you are already connected to the right services and have all…


PowerShell – Office 365 – Enable or disable service plan options within each license package while respecting current configuration for each user

Even when using PowerShell, Microsoft doesn't make it simple when it comes to adjusting licensing in bulk and the service plan options/apps within. Mainly that is because there is no easy way to keep the current configuration - any license change you apply to a user overwrites their existing setup. To address that letdown I created the script you can find below. I tried to make this script very flexible and user friendly; please see the highlights of the script: the script is interactive - just select all actions; no need to predefine any variables; works with all license packages; allows both enabling and disabling services/apps; respects the current configuration for each user. This script assumes you are already connected to the right services and have all modules installed. # List License Packages $LicensePackageChoices = @() $i = 0 $LicensePackages = Get-MsolAccountSku ForEach ($LicensePackage in $LicensePackages) { $outObject = "" |…


PowerShell – SharePoint – Move folders between site collections, subsites, and libraries

There are several ways to move data between libraries in SharePoint. One of them is using the UI. While this method has become better over the years, it's still slow and buggy at times. Just recently I had an issue where the SharePoint UI would not move more than 20 folders; it would time out. Another method is using PowerShell to do such a task. Out there you can definitely find scripts that would move data; however, you need to provide all prerequisite information and do it correctly. A typo, or a library display name that differs from its internal name, would leave you scratching your head for quite some time. If you do use subsites in your site collections, then things become progressively more complicated. To address most of the struggle I decided to create a script that will do it all. The goal was to automate everything where an admin would only…


PowerShell – SharePoint – Permission report for all lists and libraries within every site collection and subsite

Here is a script that comes in very handy when you need to replace some SharePoint groups with other ones. While doing so you definitely want to make sure no one has lost access. So you need to know where each group has been used. To create this script I used Salaudeen Rajack's "PnP PowerShell to Export Document Library Permissions in SharePoint Online" script posted here (https://www.sharepointdiary.com/2019/02/sharepoint-online-pnp-powershell-to-export-document-library-permissions.html), then made some adjustments to it, including converting it to a function. Then I added my code to go through each site collection and subsite. What this script does and how it might be beneficial to you: goes through every site collection and subsite, then library and list; has a list of site collections to exclude; does not include Office 365 Group sites; outputs the following data - site/subsite URL, library/list title, user/group name, user/group type, permission level, how it's granted. This script might take…


PowerShell – Script to migrate a security group and all its members from AD to AAD

When you decide it's time to migrate your security groups from on-premises AD to the Cloud, you might find it very tedious and prone to mistakes. Of course, that is if you have lots of groups to move. The script in this post should come to your aid as it finds the group you would like to migrate, creates a new group in AAD with a name you choose, then adds all users and nested groups into the newly created group - the same as your AD group had. A few nice things this script also does: checks if the group you are about to migrate exists in AD; makes sure the group you will be creating in AAD doesn't already exist; combines description and notes, then adds them to the newly created group in AAD. Note that for this script to work well all nested groups must be…


PowerShell – script to reset user password in AAD and AD then force sign out from Office 365 services

The only purpose of this script is to act as fast as possible when dealing with a successful phishing attack where one of your users got compromised. You can perform all the steps below one by one using the UI, but it takes more time, which must not be wasted in such a case. So, here are the actions the script performs: Creates a new random password (you can play with what your temp password should look like). Your user will be forced to change it. Resets a password in the cloud / Office 365. Optionally resets a password in your on-premises AD (if your accounts are synced with Active Directory). Terminates all active Office 365 sessions (invalidates the refresh tokens issued to applications for a user, per Microsoft). In order to reset passwords in AD the script must “Run As” an account that can edit AD. If you are remote, you…


PowerShell – script to show all mailbox rules and disable selected ones

Ever needed to quickly find and disable mail rules in user mailboxes? Look no further as the script below does all of it. It’s a convenience by itself to not go into the Exchange Admin Portal, but there might be cases where your user gets hacked and some bad person creates a rule or two. Then you need to disable those quickly. So this script does the following to a specified email: lists all mailbox rules and shows their most important info - actions, description, and status; then you can select and disable any rule by typing its number until (if desired) all rules are disabled. Don’t forget to replace @contoso.com with your own domain. #---------------------------------------[Functions]--------------------------------------------------- Function List-Rules { param ( [Parameter(Mandatory=$True)]$email ) Begin{} Process{ $collection = @() $i = 0 $rules = Get-InboxRule -Mailbox $email ForEach ($rule in $rules) { $outObject = "" | Select Number,Status,"Rule Name","Applies to emails From","Delete…


PowerShell – auxiliary script to populate CustomAttribute10 with a Purged Items FolderID

Originally this script ( New-ComplianceSearch script ) would search through Purged Items. That was the downside of it compared to a "classic" Search-Mailbox you can find here ( Search-Mailbox script ). So imagine you run the script the 1st time, find target messages, and then delete them - the found results make sense. However, should you run the script the 2nd time with the same search criteria, it would find those already purged messages again. That creates some confusion. So it would be great to exclude Purged Items folders from the search. Now, it is possible to do so on the fly ( https://docs.microsoft.com/en-us/microsoft-365/compliance/use-content-search-for-targeted-collections ) but it is very time consuming and takes about 1-3 seconds for each mailbox, which stacks up pretty fast. So I came up with a script to take care of this issue by storing a Purged Items FolderID in CustomAttribute10 of each mailbox. So…
