The conditional access policy condition for token protection now extends to Microsoft Graph PowerShell SDK interactive sessions. Any account within the scope of a CA policy that requires token protection can use Web Account Manager (WAM) to sign in and check that everything is secure and ready to go. It’s a protection that might be of interest to administrators and developers that access sensitive data in Graph SDK sessions.
Recent problems with Microsoft 365 PowerShell modules afflicted the ability of Azure Automation runbooks to execute cmdlets Microsoft Graph PowerShell SDK and Exchange Online Management modules. The root cause is a decision to remove support for .NET6, but the worrying point is the lack of awareness within Microsoft engineering that Azure Automation is where many critical scripts run. Better pre-release testing is definitely needed.
Microsoft 365 tenants with Entra P1 or P2 licenses can use a custom banned password list to stop people using specific terms in their passwords. The idea is to prevent easily-guessed terms being used in passwords. You could also block words deemed to be objectionable. In any case, this article explains how to maintain the custom blocked password list with a PowerShell script.
Sometimes it’s hard to get a response back from running a Graph API request with the Invoke-MgGraphRequest cmdlet. Graph Explorer helps. So does reading Microsoft’s documentation for the cmdlet. In the end, everything works out and we can discover some valuable information that comes back in a response header. In this case, the response header helps us discover if a purge job works.
A user reported that a script didn’t list any details of hidden group memberships and asked why. The reason is that a separate Graph permission controls access to hidden group memberships. If an app doesn’t have the permission, the Graph returns null memberships, which is probably not all that helpful. Once the right permission is in place, everything works.
The June 2025 update for the Automating Microsoft 365 with PowerShell eBook is now available. Coding automation with Microsoft 365 PowerShell can be challenging, but not with this book beside you. It contains hundreds of examples of working with Entra ID, Exchange Online, SharePoint Online, OneDrive for Business, Teams, and Planner using regular PowerShell cmdlets and the Graph APIs.
On May 10, 2025, Microsoft released V2.28 of the Microsoft Graph PowerShell SDK in the hope that the new version would fix a bunch of annoying problems that have dogged the SDK for several months. The first few days haven’t revealed any new problems and bug reports are being closed, so the signs are positive. But do test before deploying V2.28 into production.
Copilot usage data can be pretty sparse, but it’s easy to enhance the data to gain extra insight into how Microsoft 365 Copilot is used within a tenant. In this case, an administrator wanted to have department and job title information available for each Copilot license holder, so we combined the Copilot usage data with details of Entra ID user accounts with Copilot licenses to create the desired report.
Some new Graph APIs were announced on April 1 to close a feature gap with EWS. The new APIs permanently remove mailbox items and other objects, including folders, calendars, and calendar items. Permanent deletion means that items cannot be recovered through clients because they end up in the Purges folder in Recoverable Items. This article explains how the new APIs work, including a practical example.
V2.26 and V2.26.1 of the Microsoft Graph PowerShell SDK were low-quality, buggy disasters. Microsoft aims to fix the problem in the next version to make it possible for the SDK to work with Azure Automation runbooks again and address many of the obvious problems that should never have appeared outside Microsoft. It will take time for customer confidence to be restored.
Any site member can create a SharePoint agent. There’s no out-of-the-box method to report the creation of agents, but agents are created like any other file, and SharePoint Online captures audit records for file creations. Some PowerShell retrieves the file creation events and extracts the necessary information about who is creating agents and what sites the agents are created in.
Neither Outlook nor Teams includes a transfer meeting ownership feature for user calendars. Moving meetings owned by an ex-employee to give someone else the ownership requires manual intervention to find and reschedule meetings. Administrators can cancel future meetings for a user. In this article, we explore how to generate a report of meetings that might need to be rescheduled.
Artificial Intelligence and PowerShell should be a good thing to help hard-pressed Microsoft 365 tenant administrators cope with common tasks. The early signs are there with Copilot in the Microsoft 365 admin center. However, the current state of the art depends on what’s gone before and can’t handle the kind of complex automation that tenants sometimes need, like generating a licensing report from Entra ID, product information, and license costs.
Microsoft has announced that the SharePoint Online PowerShell module will be upgraded from the very old and now obsolete IDCRL protocol to use modern (OAuth) authentication in versions released from March 28, 2025. The update to OAuth should not affect scripts, but it’s always wise to test in case your use of the module is an edge case that Microsoft doesn’t test.
The developers rushed out Version 2.26.1 of the Microsoft Graph PowerShell SDK to fix some obvious issues. Alas, problems persist in PowerShell SDK cmdlets, including licensing failures and an issue that prevents the Connect-MgGraph cmdlet from being able to obtain an access token from Entra ID. My advice is to stay with V2.25 until Microsoft resolves the problems and generates a new stable version of the SDK.
Many examples are available online to explain how to add a single attachment to messages using the Microsoft Graph PowerShell SDK. Here we look at the principles behind how to add attachments (one or many) to messages before sending them with the Send-MgUserMail cmdlet. Get the principles right and you’ll never go wrong!
The Microsoft Graph PowerShell SDK offers developers easy access to data across the Microsoft 365 ecosystem and that’s good. However, there’s a problem with Graph SDK plain text passwords that must be fixed. In today’s threat climate, passwords should be passed as secure strings. It’s a small but important step to improve overall security.
In this primer, we cover how to create and execute Azure Automation Exchange Online runbooks (scripts) using cmdlets from the Exchange Online management module. Some setup is necessary before runbooks can process Exchange cmdlets, but once the necessary resources and permissions are in place, it’s all plain sailing. The next challenge is how to output data created in a runbook…
After creating a runbook to process Microsoft 365 data, registering the runbook with an automation schedule means that the runbook will execute on a reliable basis. This article discusses how to publish and register a runbook so that an automation schedule takes over the burden of running the job. In addition to describing the necessary steps in the Azure portal, we also give you the PowerShell commands.
The second part of the Azure Automation runbook primer brings us to output, specifically how to create items generated by a runbook in a SharePoint Online list. Once in the lists, items can be processed using Power Automate, Power Apps, or Power BI or exported to Excel. It’s a great way of capturing information generated by background jobs.
A reader asked why it seems so difficult to use Azure Automation runbooks to process Microsoft 365 data. In fact, it’s not so hard, and here’s a primer to help you understand how to create the necessary Azure Automation environment to develop and execute runbooks. Once modules and permissions are in place, everything falls into place.
Deleting an Entra ID user account can result in ownerless groups if the account being removed is the only group owner. Before deleting accounts, it’s a good idea to proactively replace group owners. This article explains how to replace group owners in the fastest and most scalable manner using the Microsoft Graph PowerShell SDK.
After many twists and turns since August 2021, the MSOnline module retirement will happen in April 2025. The AzureAD module will then retire in the 3rd quarter. It’s way past time to upgrade PowerShell scripts. The question is whether to use the Entra module or the Microsoft Graph PowerShell SDK. I know which option is best and say why in this article.
Microsoft released the SharePoint Pages API in mid-2024. This article describes how to create and publish a news item using cmdlets from the Microsoft Graph PowerShell SDK based on the API. The net result is that the API appears to work well but some problems are evident in the cmdlets. Or maybe it’s just my lack of knowledge!
The Office365ITPros GitHub repository holds over 300 PowerShell scripts showing how to interact with Microsoft 365 and Entra ID. Anyone can contribute to Office365ITPros by forking the code to a copy of the repository and making changes to scripts there. If you want, you can push the changes back to us so that we can consider their inclusion in Office365ITPros. It’s a great example of community in action.
Two types of retention labels are in use: Microsoft 365 retention labels and MRM retention tags. Clients hide the difference, but the Microsoft Graph PowerShell SDK cmdlets can only process Microsoft 365 retention labels for files stored in SharePoint Online and OneDrive for Business. EWS can manage MRM retention tags, but it’s on a fast path to retirement in 2026…
This article describes how to report the audit events for a user over a single day. The task seems simple, but inconsistency in audit payloads makes it harder. Workloads don’t help by the variations in audit events. In any case, persistence and knowledge about what the audit event captured for an action helps to decode the data, as illustrated by the script detailed here.
Service principal sign-in activity is a new insight available in the Entra admin center. As explained here, it’s also possible to use PowerShell to fetch and analyze the data to derive new insights into what apps create service principals in a tenant and what organizations own the apps. Some detective work is needed to fully understand the data. That might be an ongoing task, but at least we have the data.
The unified audit log is full of interesting information about who did what and when they did it. In this article, I describe how to use file operations audit events to find the last accessed date for documents in a SharePoint Online site. It’s data that isn’t available in the Microsoft Graph, but it is in the unified audit log.
This article describes how to create eligible and active PIM role assignment requests using cmdlets from the Microsoft Graph PowerShell SDK. Although the PowerShell code is straightforward, Microsoft recommends using the Entra admin center for Privileged Identity Management. But you can automate the management of role assignment requests if you want to.
Group-based licensing is a mechanism to make it easier to assign and manage product licenses for large sets of user accounts. In this article, we discuss how to use Microsoft Graph PowerShell SDK cmdlets to manage group-based license assignments in a Microsoft 365 tenant. Assigning licenses to groups is very much like direct assignments, but some differences exist.
Many articles describe how to disable a service plan for a product license assigned to a Microsoft 365 account, but few cover how to enable service plans should the need arise afterward. This article covers the basics of disabling and enabling service plans for Microsoft 365 licenses using PowerShell, including the very important step of finding existing disabled plans. Everything’s easy once you know how.
The question of how best to write PowerShell for Microsoft 365 was asked during a TEC 2024 PowerShell workshop. There are many variables, and one has the right answer. To start the ball rolling, this article describes how I write PowerShell for Microsoft 365 using a variety of modules such as Exchange, SharePoint, Teams, and the Microsoft Graph PowerShell SDK.
Unsurprisingly, Microsoft announced the deprecation of the Revoke-SPOUserSession cmdlet for November 2024. The cmdlet is replaced by the Revoke-MgUserSignInSession cmdlet, which works across Microsoft 365 rather than just SharePoint Online. All of this happened while the 2nd annual PowerShell Script-Off happened at TEC 2024 and competitors struggled with what to do to secure a user account for an ex-employee.
An article described some benefits that could be gained from not installing the complete Microsoft Graph PowerShell SDK. The question is whether the claimed benefits are more theoretical than actual. It’s hard to say because it all depends on how someone uses the SDK for development or to run scripts. Anyway, it’s a topic worth discussing.
A recent script demonstrated how to import contacts into user mailboxes using a list in a SharePoint site as the source. With a quick change, a CSV file becomes the source. This is a great example of how adaptable PowerShell is and how to update code found in articles to meet your needs. If you do ask an author to change their code, remember to try to make the change yourself first, and if you fail, explain to the author why the change should be made.
People often need to transfer objects or code between Microsoft 365 tenants. When it comes to dealing with objects, the Microsoft Graph PowerShell SDK’s ToJsonString method is very useful. The method outputs a string containing JSON content, but only for object properties that have a value. This makes the much easier to use the output as the basis for a template object or as the payload body to create an object in another tenant.
On August 21, 2024, news emerged that the PnP PowerShell module will transition from using a multi-tenant Entra ID app to a tenant-specific app. The change is scheduled for September 9, 2024, which doesn’t leave a lot of time available for developers to review, update, and test PowerShell scripts based on PnP PowerShell. Some extra warning would have been nice.
The AuditLog Query Graph API remains in beta status but cmdlets are now available in the Microsoft Graph PowerShell SDK. This led to some oddities in results when the number of audit events found by a search didn’t match those reported by the Purview compliance portal. It all worked out in the end. In other news, the Set-MgRequestContext helped sort out some retry problems.
The task to find manager for Entra ID accounts seems simple until you find the bunch of utility accounts created by Exchange Online that should be ignored. This makes the task more “interesting” when the time comes to find user accounts that don’t have assigned managers. Eventually, all the filters work, and you have a result, but the task is more complicated than it should be.
