Sys. Admin. wiki
Sometime we need to gain a list of all users and their managers so the managers can get a review of “their” staff!
An easy oneliner within PowerShell using AzureAD ps module is this one. this takes the first 4000 users and export them to CSV
Get-AzureADUser -Top 4000 | select UserPrincipalName,@{n="Manager";e={(Get-AzureADUser -ObjectId (Get-AzureADUserManager -ObjectId $_.ObjectId).ObjectId).UserPrincipalName}} | Export-Csv C:\Temp\YOURUSERS_usr_with_manager.csv -Encoding UTF8
More and more organizations is taking advantage of using MFA for their users and there is no reason for them not to since it`s free for all Office 365 users and also for all Azure AD users if you are not using the Office 365 services. But after you enable it for your users, are you sure everyone is enabled?
You may have seen at the Secure Score that not all users are registred for MFA, and if you do so you have users with no MFA! So these users may be victims for bruteforce attacks so it`s super important to remediate all users to see how everything is configured! Some of the users with no MFA maybe legit and should not have it.
So let`s dig into the materials for a second or two.
First thing is that there is a “Secure Score” check for MFA registered users that will show you how many of your users which are not registered (if any)
If you have any users in that list it would not show who the users are so we need to go deeper in the material to retreive this status.
So to get the list of users who don`t have setup MFA you need to run this PowerShell command with the AzureAD PowerShell module loaded.
Connect-MsolService
Get-MSOLUser -all | where {$_.StrongAuthenticationMethods.methodtype -eq $null} | Select Displayname,UserPrincipalName,BlockCredential,LastPasswordChangeTimestamp,UserType |Out-GridViewAnd now that we have found all users we can check them out why they don`t use MFA and make sure that they use it 🙂
Further on we can check what method users are using when authenticating with MFA. For this I use this script located in Technet PowerShell archives HERE
If you have deployed MFA the Conditional Access way (recommended) you will see that the MFA status on all user are set to “Disabled” but the method is set to what the user are using.
Have checking status on your users! 🙂
To install, update og uninstall the SharePoint Online PowerShell module there are some few simple PowerShell commands you can use.
First of all, set your Execution policy to restricted
Get-ExecutionPolicy #for checking the current ExecutionPolicy setting
Set-ExecutionPolicy -ExecutionPolicy UnrestrictedInstall
Install-Module -Name Microsoft.Online.SharePoint.PowerShellCheck current version
Get-Module -Name Microsoft.Online.SharePoint.PowerShell -ListAvailable | Select Name,VersionUpdate
Update-Module -Name Microsoft.Online.SharePoint.PowerShellUninstall
Uninstall-Module -Name Microsoft.Online.SharePoint.PowerShellTo block users from creating trial and adhoc subscriptions for Office 365 services or even PowerPlatform services you can turn a switch and block it.
Set-MsolCompanySettings -AllowAdhocSubscriptions $falseTo check if this is set to “False” for your tenant you can run this
Get-MsolCompanyInformation |fl AllowAdhocSubscriptions To change the Language for a Office 365 mailbox (Exchange Online), run the following commands:
$O365Session = New-PSSession –ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $O365Cred -Authentication Basic -AllowRedirection
Import-PSSession $O365Session
Set-MailboxRegionalConfiguration -Identity “USER” -Language nb-no -LocalizeDefaultFolderName
For full list of cultureinfo classes (Languages) see:
https://msdn.microsoft.com/en-us/library/system.globalization.cultureinfo(VS.71).aspx
From time to time i run into a little problem with the Office 365 Admin Center when trying to convert user mailboxes into shared mailboxes.
when this occours i usualy just use Powershell to convert the mailbox into shared mailbox.
To do this you have to connect your Powershell to the Office 365 tenant and run a oneliner for converting the mailbox.
Here is how to connect to Office 365:
Import-Module MSOnline
$O365Cred = Get-Credential “adminuser@YOURTENANT.onmicrosoft.com”
$O365Session = New-PSSession –ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $O365Cred -Authentication Basic -AllowRedirection
Import-PSSession $O365Session
Connect-MsolService -Credential $O365Cred
When connected then use this single line to convert the mailbox:
Set-Mailbox “Your@mailbox.no” -Type shared
There seem to be a broken patch KB3159398 which was released this Tuesday, it breaks GPO processing which can cause a lot of headache!
Source: https://social.technet.microsoft.com/Forums/en-US/e2ebead9-b30d-4789-a151-5c7783dbbe34/patch-tuesday-kb3159398
I’ve made a script which lets you check if this hotfix is installed and also let’s you uninstall it. Replace the KBxxxxxxx with the KB number and run from elevated Powershell to see if it is installed. If you want the script to uninstall the hotfix silently, set $uninstall to $true.
$uninstall = $false # change to $true to uninstall hotfix
$hotfixID = ‘KBxxxxxxx’ #Hotfix KB-number to check, use ‘ quotation marks
Get-HotFix $hotfixID
if ($uninstall -eq $true)
{
Invoke-Command -ScriptBlock {wusa.exe /uninstall /KB:($hotfixID -replace ‘KB’,”) /quiet /norestart} #Uninstall quietly and does not prompt for reboot
}
I was asked today how you can disable and enable individual features included in an Office 365 license (like Exchange Online, Yammer.. etc) from Powershell
Launch Powershell and log on to your tenant (connect-msolservice)
To see which features which is included in a license use the following code:
$lic = Get-MsolAccountSku | Out-GridView -OutputMode Single -Title “Select SKU to look up”
$lic.ServiceStatus
This will show a list of features and their status
Next, if you want to disable Exchange online for one specific user:
$skuid = Get-MsolAccountSku | Out-GridView -OutputMode Single -Title “Select SKU to edit”
$user = Get-MsolUser | ? {$_.isLicensed -EQ $true} | Out-GridView -title “Select user to modify” -OutputMode Single
$Disable_ExchangeOnine = New-MsolLicenseOptions -AccountSkuId $skuid.AccountSkuId -DisabledPlans “EXCHANGE_S_ENTERPRISE”
$Enable_ExchangeOnline = New-MsolLicenseOptions -AccountSkuId $skuid.AccountSkuId -DisabledPlans $null
Set-MsolUserLicense -UserPrincipalName $user.UserPrincipalName -LicenseOptions $Disable_ExchangeOnine
The sku must match the sku assigned to the user you want to change.
Then run this line in the same script to re-enable Exchange Online
Set-MsolUserLicense -UserPrincipalName $user.UserPrincipalName -LicenseOptions $Enable_ExchangeOnline
If a Clients Local site public IP changes the VPN tunel betwen Azure and the Local Site will disconnect. To fix this do the following:
Connect to Azure using powershell and run the following command:
New-AzureRmLocalNetworkGateway -Name LocalSite -ResourceGroupName [ClientRG] -Location ‘northeurope’ -GatewayIpAddress ‘[Public wan IP 2.4.6.8]’ -AddressPrefix ‘[LAN IP Net 192.168.1.0/24’
(Change the RG and Public wan IP and the LAN IP Net to the correct settings)
To add permissions on a Exchange Object in Office 365 using PowerShell the cmdlet set-MailboxFolderPermission or add-MailboxFolderPermission can be used.
In this example we add editor permissions for user2 to user1’s calendar. This will enable user2 to edit, add or delete content of user1’s calendar.
set-MailboxFolderPermission -Identity user1@domain.no:\calendar -user user2@domain.no -AccessRights Editor
Note: kalender is the Norwegian Word for Calendar
To bulk add all users in a Tennant as Reviewer to user1@domain.no’s calendar run the following cmdlet.
$Users = Get-Mailbox | Select-Object -ExpandProperty userprincipalname
ForEach ($user in $Users )
{
Add-MailboxFolderPermission -Identity “user1@domain.no:\calendar” -User $User -AccessRights Reviewer
}
For full details of this cmdlet:
https://technet.microsoft.com/en-us/library/dd298062(v=exchg.160).aspx
And for my original Source: