horrible job of announcing the news, but now that the SDK V2 is available, it's time to migrate scripts from earlier versions. Splitting the V1.0 and beta cmdlets into different modules is a big difference, as is renaming the beta cmdlets. But other points exist to consider as you migrate from the Microsoft Graph PowerShell SDK V1 to V2.

with managed identities. I don't have any issue with the proposal because managed identities are more secure and a better overall solution. It would have been nice if Microsoft had communicated the change more broadly. I guess if you were in the know, you found out about this development, but maybe the average Microsoft 365 tenant administrator might have struggled to discover what's happening.

Exchange Online management PowerShell module. The change happens when you connect a new PowerShell session to Exchange Online and the cmdlets are downloaded into a session.

of years. Now the time has come when things happen. Cmdlets that set licenses for Azure AD accounts are now retired and will stop working on or before June 30, 2023. If you haven't already upgraded scripts, it's time to do so.

retirement is not big news because it's been coming for a while. If you want to get ahead of the game, you can remove the Kaizala service plans from the Office 365 licenses assigned to user accounts. We explain how to do the job in an example PowerShell script.

from queries than is available. In this article, we explain how to use pagination to retrieve data using Graph queries and SDK cmdlets.

Graph module) comes in two versions. The general availability version is intended for production while the preview version (AzureADPreview) contains the cmdlets from the general availability version plus some new cmdlets under development group. The current version of the AzureADPreview module is 2.0.2.105, released in July.

runbook, it must have the permission to act as an administrator. In this article, we cover how to assign the necessary role to a service principal.

it creates a dependency on a specific workstation and isn't as secure as you might like. Running Microsoft 365 PowerShell scripts in Azure Automation is a much better idea. It's time to dump the Task Scheduler!

expiration. In other words, the default lifetime of tokens issued by Azure AD is too short to allow the script to complete before the token expires. Two solutions exist. Use a token lifetime policy to prolong access token lifetimes or check in code for potential expiration and renew when necessary.

SDK. We didn't have one to hand, so we wrote a new script to illustrate the principles of how to process license assignments for a set of user accounts (which don't necessarily have to come from a CSV file). We even included some error handling!

it was possible to create a team from the membership of a dynamic distribution list. The answer is that the steps are straightforward to create a static Microsoft 365 group. Things get more complicated if you contemplate using a dynamic Microsoft 365 group.

properties shown by the Microsoft 365 user profile card. Previously this was possible using a Graph API request to the beta endpoint. Now everything is in production and Graph SDK cmdlets are available to make customization a tad easier.

Microsoft 365 PowerShell and use ISV products instead. It's a silly position to argue. PowerShell is an important automation tool for administrators that can't be replaced by any ISV product. ISV products have their place and fill many gaps, but arguing to dump PowerShell and use ISV products instead just can't be justified.

created by applications in the directories of Office 365 tenants. The accounts are created through Azure B2B collaboration (by applications that generate invitations to join Office 365 Groups, like Teams and Planner) or SharePoint sharing invitations for documents or folders. It's one thing to invite people outside your tenant to collaborate; it's a horse of a different color to manage the resulting guest accounts.

Pnp.PowerShell is now the best option as not much is happening in the official SharePoint Online management module or the tenant settings Graph API. the lack of progress is a pity, but perhaps it's also true that community-driven projects sometimes deliver better results.

action against user accounts. The new property is available through the Graph beta endpoint. Quite a difference can exist between the last successful sign in and the last sign in, as explored in this article.

registered apps is becoming the default for new apps. In this article, we describe how to update the app instance property lock to reflect the new default setting using cmdlets from the Microsoft Graph PowerShell SDK, including a script you can download and run.

requires some PowerShell to figure out the answer with some human-friendly results. The outcome is a script that analyzes sensitivity label policies to find where a user gets their labels from. It's another example of how useful PowerShell can be.

2016 (not all the time). Some recent Graph hiccups meant that I had to apply some fixes and workarounds. At the same time, some users hit the infamous 'not recognized as a valid datetime' problem, so another update was needed. All good, clean fun.

they realized that it would take time for administrators to become accustomed to PowerShell. Sensibly, Microsoft included a cmdlet logging facility in the Exchange Management Console (EMC) to allow administrators to see the PowerShell code used to execute different actions, such as creating a new mailbox.

directory. A PowerShell script does the job, even if some constraints in how Entra ID processes membership rules means that the rules can't be quite as precise as I would like them to be.

article describes why some common Graph API errors occur in scripts and what to do when the errors happen. Most errors are due to permissions assigned to the Azure AD apps used to run scripts and getting the basics will resolve those problems.

content from wiki to OneNote. That's great, but you need to know what channels include the wiki tab before you can decide what material should be migrated. This article explains how to use PowerShell to create a report of Teams channel tabs for wikis.

are not. If you want to hide all the groups used by Teams, here's how to do the job with PowerShell

reject any additions that met specific criteria. Easy, we said, so we set to creating a script to interrogate the unified audit log to find new member events. Once that was done, it's a matter of analyzing the events to find if we should reject the addition of any of the added members.

some caveats such as not removing Exchange Online licenses. Organizations might want to do this to save money on Microsoft 365 license fees while an account is temporarily unused. Removal of Exchange Online licenses can result in the loss of a mailbox, and you don't want that to happen if you're disabling accounts just because someone is on a long-term sabbatical or other leave of absence.

expire over time, so it's good to review app credential expiration dates periodically. This article explains how to use the Microsoft Graph PowerShell SDK to generate a report about app credential expiration dates to allow tenant administrators to manage registered apps a little better...

permissions that hackers like to exploit. This article explains how to use PowerShell to detect apps with high-priority permissions and report them to administrators for review.

accounts, but by combining data from multiple sources we can write a script to generate a report showing details of user password settings and MFA status.

only retrieved the first 200 workspaces. I hadn't realized that the Get-SPOContainer cmdlet supported an odd form of pagination to retrieve workspace data. In any case, I figured out how to page top find all available workspaces and updated the script. It's just another example of oddness in the SharePoint Online PowerShell module

reporting of shared mailbox quotas. The old script used just Exchange Online PowerShell. This versions mixes Exchange Online and the Graph SDK and throws in some certificate-based authentication to boot to allow the script to send email from something other than the signed-in account.. It all comes together, using chunks of code from other scripts to speed up writing. It's the PowerShell way...

update elements through the admin center or PowerShell. This article explains how to use the Microsoft Graph PowerShell SDK to customize the sign-in text and background image for the sign-in screen.

Keeping an eye on app permissions is important. From a PowerShell perspective, it is reasonably straightforward to retrieve details of app permissions using the Microsoft Graph PowerShell SDK. Several methods are available to do the job.

three learnings that might be of interest to others. Debugging, cost, and tracking the use of Azure Automation PowerShell might not interest everyone, but they've certainly helped me to understand how the platform works.

profile, you can update an account's password and force actions like force the user to change their password on the next sign-in or force the user to enable multifactor authentication for the account. All done with cmdlets from the Microsoft Graph PowerShell SDK.

PowerShell SDK, some inconsistencies await unwary developers. The SDK doesn't like $Null, doesn't support pipelining, insists on specific property casing at times, sometimes accepts user principal names and sometimes doesn't, and sticks valuable data in hash tables hiding in a property you might know nothing about. Good as it is to have the SDK cmdlets, they need to be treated with care as you transition from the old Azure AD and MSOL modules.

set of supported languages for code snippets.

coverage has been administrative interfaces for SharePoint Online and Exchange Online. A small but valuable step in the right direction happened with the appearance of the settings resource type in the TenantAdmin namespace.

PowerShell to expose information that can't be accessed with PowerShell cmdlets. In the example given, we use the PowerShell Invoke-WebRequest cmdlet to make Graph calls to fetch the email addresses of Teams channels because this is a property that you can't get with any of the cmdlets in any Office 365 PowerShell module.

about disposition review items in either a pending or disposed state. It's possible that you don't care very much about records management, retention labels, or disposition processing, but if you do, you'll be glad that the new cmdlet exists.

to March 30, 2024. The nine-month extension is there to help customers convert scripts to use the Microsoft Graph PowerShell SDK or Graph API requests. On the upside, the extra time is good as it creates space to migrate scripts. On the downside, there's still some challenges in converting from the old Azure AD modules.

federation configuration again to improve how a script works. Instead of taking all the domains guest accounts came from and adding them to the configuration, I created a function to check if the tenant uses Microsoft 365. If it does, we add the tenant to the allow list in the tenant federation configuration. If not, we ignore the domain.

you to redirect common (well-known) folders from your PC to OneDrive so that anything created in Documents, Pictures, and the desktop is automatically saved in your OneDrive for Business account. Generally, everything works well, and I have been very happy. Except until the time came to update the Azure Active Directory preview module from 2.0.2.77 to 2.0.2.89.

Business sync client through the SharePoint Online admin center, PowerShell, or GPO. A change in the client now exposes the excluded file types to user view for the first time. Meantime, the OneDrive Personal client also gains support for file type exclusions.

explains how to use PowerShell to remove licenses from accounts when an equivalent service plan is available from another license. It's the kind of fix-up operation that tenant administrators need to do on an ongoing basis.

explains how to use PowerShell to remove licenses from accounts when an equivalent service plan is available from another license. It's the kind of fix-up operation that tenant administrators need to do on an ongoing basis.

rooms are used, which is why we have the room mailbox report script. In the second version of the script, we include code to figure out the daily usage pattern of individual rooms and for all rooms across the organization. The graphics in our bar chart are crude, but the chart is generated with a few lines of PowerShell, so feel free to improve the script.

now available and many Purview solutions support administrative units. In this article, we explain how to use Microsoft Graph PowerShell SDK cmdlets to create a report about administrative units, role assignments for their management, and their membership.

usually involved some gyrations. Then Microsoft updated the Get-SPOSite cmdlet with the IncludePersonalSite switch and things became easier. For instance, a reader asked if it was possible to generate a report listing all the OneDrive for Business sites in a tenant with the storage allocated and used for each site. No problem, we thought, as we scanned the internet to see if people had already solved the problem. As it happens, several example scripts are available, but we ended up writing our own because it was possible to simplify the code . We also store the output in a CSV file as it's a very flexible format for reporting or further analysis (like importing into Power BI).

influence of Teams, most SharePoint Online external users are guest accounts, created when external people join the membership of Microsoft 365 Groups (teams). If the organization uses the SharePoint Online integration with Azure AD B2B collaboration, SharePoint also creates guest accounts when people share files or folders with external people.

channels. Fortunately, it's relatively easy to create a report with PowerShell and just a little Graph magic.

licensing or workspace storage. MC678308 announces that Loop workspace storage will count against the tenant SharePoint Online storage quota. This article explains how to use the Get-SPOContainer cmdlet to fetch information about Loop workspaces and the storage they consume.

isn't particularly difficult, if you know where to look. Our script uses the Graph SDK to check service principals, filters out the apps to check, and extracts the user and group assignments before reporting what it finds.

administrative tasks within Microsoft 365. Among the recent factors causing me to consider using Graph APIs with PowerShell are:

compose and send Teams urgent messages to a set of recipients using Microsoft Graph PowerShell SDK cmdlets. The conversation with each recipient is a one-to-one chat that Teams either creates from scratch or reuses (if a suitable one-on-one chat exists).

Graph APIs. This article looks at how to use the Send-MgUserMail cmdlet and compares it to the Send-MgUserMessage cmdlet (covered in depth in a previous article). Our conclusion is that you'll probably end up using Send-MgUserMail because it's easier to use.

it turns out, Microsoft would prefer if developers use the Revoke-MgUserSignInSession cmdlet instead of Invoke-MgInvalidateUserRefreshToken, but who would have known if we hadn't asked the question?

joining an Office 365 tenant forced me to think about the best solution. The issue isn't finding a script to do the job because there's plenty of scripts published in places like the TechNet Gallery

purposes. In this article, we explore how to use the Microsoft Graph PowerShell SDK to update extension attributes for registered devices, and even better, access the content in the extension attributes afterward.

some of the modernized cmdlets available in the Teams PowerShell module. Not everything worked as smoothly as we'd like, but like most PowerShell scenarios, there's usually a workaround available to get the job done. It just needs to be found.

Exchange Online PowerShell modules. Now its code uses only cmdlets from the Microsoft Graph PowerShell SDK. It's an example of the kind of update that many organizations are going through due to the upcoming deprecation of the Azure AD and MSOL modules.

come from and if they are internal or external, PowerShell developers can use online web-based geolocation services. It's important not to overuse the services because you could be throttled.

SharePoint Online site and Teams channel. At the time, I used a stored credential to authenticate and access SharePoint and Teams. Azure Key Vault offers another way to store secrets (bits of information) securely. This article explores how to store secrets in Azure Key Vault and retrieve and use the secrets in a runbook script and interactive PowerShell.

However, that doesn't mean the two can't work together. In this article we explore how to use Exchange Online PowerShell with Azure Automation while waiting for Microsoft to deliver a full solution.

this article, we do the same with cmdlets from the Microsoft Graph PowerShell SDK. The results achieved with the Graph SDK aren't as good as those gained with PnP.PowerShell. Some of the SDK cmdlets don't function as expected and the resulting list is not as functional as the one generated by PnP. Oh well...

and tooltip for labels so that they appear in the language chosen by a user. Most people don't both because it's painfully slow to insert the translated strings for multiple languages. However, when you apply a mixture of PowerShell and the Microsoft Translator service, the task becomes so much easier.

processing, which is how the app filter for conditional access policies works. It's nice to be able to interact with data through PowerShell and the Microsoft Graph PowerShell SDK cmdlets support setting, updating, and retrieval of Azure AD custom security attributes. Everything works, but it's a pity that it's a little clunky.

name implies, the cmdlet returns details of all channels in a team (regular, private, and shared). To see what it does, we wrote a script to report all the channels in teams in a tenant.

management PowerShell module, in that article, I also explained how to use Graph API queries in a PowerShell script executed in a runbook.

PowerShell SDK. However, a serious bug in V2.14 means that this (and perhaps V2.13.1) should be avoided until Microsoft fixes a problem that causes spurious output to be included when cmdlets like Get-MgUser and Get-MgGroup are run.

2016 (not all the time). Some recent Graph hiccups meant that I had to apply some fixes and workarounds. At the same time, some users hit the infamous 'not recognized as a valid datetime' problem, so another update was needed. All good, clean fun.

modules (all with their own kinks) are used. However, PowerShell is very approachable and it's surprising what you can do with just a couple of lines of code. Working examples are great learning tools to help PowerShell newcomers (and maybe experienced coders) come up with solutions to problems. A couple of years ago, we created the Office 365 for IT Pros GitHub repository. Since then, we've been populating the repository with PowerShell scripts created to illustrate new features or to demonstrate how to approach solving an administrative problem in an Office 365 tenant. The repository currently holds a collection of 81 scripts.

PowerShell Gallery. Welcome as any update is, the publication was unaccompanied by any announcement or notification, and Microsoft didn't up date the release notes for the module until late on May 3. Even with the release notes, we don't know exactly what V2.3.0 contains, so it's time for inspired interpre...

PowerShell with the unified audit log to deliver a solution. The idea is that you can check audit log entries to see when specific user accounts join the membership of Teams. Once you've found that data, it's a simple matter of creating email to share the results. All done with a few lines of PowerShell...

Export-MsIdAppConsentGrantReport cmdlet to generate a report of OAuth app permissions. Allied with the ImportExcel module, the cmdlet can produce a very nice workbook containing lots of information about permissions held by the apps in a tenant. But even better, you can export the data to PowerShell and use it in your scripts.

Microsoft Graph PowerShell SDK. Although options exist in the Microsoft 365 admin center and Azure AD admin center to restore deleted groups, it's nice to have the option to do the same with PowerShell.

the cmdlets from the SharePoint Online management module. But accessing OneDrive usage data via the Graph is much faster. And you can include information from other sources, such as user properties, to build out the report. All explained here.

center. PowerShell does the trick, once you know how. The key thing is to find the right cmdlet to use. Once you know that, the rest is pretty easy as we explain in this article.

registration occurs. Although this information changes over time and isn't updated by Azure AD, it might be of some interest and use to tenant administrators, so we show how to report it here. If you want accurate information, you'll need to use Intune.

private channels). Support for PowerShell access to private channels is not yet available in the publicly available version of the Teams PowerShell module. Instead, if you want to work with private channels through PowerShell, you must install the latest version of the Teams module from the PowerShell test gallery. You need to run version 1.0.18 or better to manage private channels.

data from workloads like Exchange Online, SharePoint Online, and Teams. Some of this data is available via PowerShell cmdlets like Get-ExoMailboxStatistics and Get-SPOSite, but using the Graph is usually faster.

if you want to know which domains are sending most mail, you need to do some work. In this article, we cover how to use cmdlets from the Microsoft Graph PowerShell SDK to create reports about user mail activity over time and the traffic sent by different domains.

have our own approach. This article lays out a simple three-step method to write scripts to interact with Microsoft 365 objects.

coding at The Experts Conference in Atlanta on September 19, 2023. Competitors will need a working knowledge of Microsoft 365 PowerShell, including Exchange Online, Teams, and Azure AD. Being able to think on your feet and come up with working solutions to problems is possibly a more important attribute than coding genius.