Introduction
With more than 350 million Office 365 users and organizations more focused on the cloud than ever, administrators need to keep their skills current, and for Microsoft 365 that means PowerShell. While PowerShell is not a cloud-only technology, its modularity allows it to connect to and manage any workload that exposes a connection point for PowerShell. In this two-part series, we’ll review ten PowerShell tips to help Microsoft 365 administrators automate daily management tasks. This article covers some tips for PowerShell and Microsoft 365. In the second part, I give some more specific tips for PowerShell.
One: Learn PowerShell Basics
Learning PowerShell is like learning any language: you need a purpose and a good teacher or learning resource to succeed. For the author, Exchange 2007 marked PowerShell’s first appearance, and using PowerShell was a necessity for Exchange management that drove the next fifteen years of learning. Fast forward to today and administrators now utilize PowerShell with various Microsoft 365 workloads. So how would an administrator go about learning this new language?
- Learn the basics via PowerShell books and online resources such as blogs (Practical365.com), YouTube videos, and online courses. Make sure to cover base concepts like variables (and variable types), functions, commenting, the importance of verb-noun naming in PowerShell, and more. PowerShell Quick References are also free and handy to have.
- Practice the basics in a safe environment (i.e., create and use a test tenant) to get a better understanding of how the cmdlets work and concentrate on Get-Command cmdlets which provide feedback and do not make changes.
- Utilize free tools to help learn and analyze the code you create, such as ExplainPowerShell, Pester, and PSScriptAnalyzer.
- Use the -WhatIf switch for cmdlets that support it. This performs a dry run of your code and helps catch mistakes before running the code for real.
- Utilize Get-Help within the shell itself or use Microsoft Docs to look up cmdlets and PowerShell concepts. Study the ‘about_xx’ concepts within the online PowerShell documentation as well.
- Peruse PowerShell Forums for expert advice or ideas: PowerShell.Org,
- Utilize Practical365.com’s vast resources to access example code and PowerShell scenarios.
Most importantly, find a use case for PowerShell. Learning the PowerShell language is greatly improved when there is a purpose or desired task that needs to be performed, such as managing Exchange Online Mailboxes, removing items from OneDrive, or managing Conditional Access Policies. Above all, practice, practice, practice, as with any other language, human or computer code.
To make connecting to Microsoft 365 a breeze, make sure to check out this script by Microsoft MVP Michel de Rooij.
Two: PowerShell Modules for Microsoft 365
PowerShell modules provide administrators with the tools to manage their workloads in Microsoft 365. Installing modules and keeping them up to date is an important task. First, here are some common Microsoft 365 PowerShell modules:
- Azure or Az: Manages Microsoft Azure components and is made up of many sub-modules.
- Exchange Online Management: Manage all aspects of Exchange Online.
- Microsoft Teams: A much-expanded module that can help manage Teams in a tenant.
- SharePoint: For managing SharePoint Online or OneDrive.
- Microsoft Graph: An important module that enables direct access to tenant data.
Don’t forget to keep your modules up to date periodically with the Update-Module cmdlet. Use Preview versions of modules with care and with test machines/environments to reduce any production issues.
Three: Documenting Microsoft 365 Workloads
As systems move to the cloud, it is still important to document them and keep that documentation updated, as cloud systems often have a myriad of configurable options and settings that administrators should keep track of. Documenting systems can take a combination of tools to extract useful data. Some reports are available within the Microsoft 365 management portals, while PowerShell scripts run on a periodic basis can create ad-hoc or focused reports that Microsoft doesn’t deliver.
Accurate and detailed documentation for Microsoft 365 workloads ensures supportability and enhances any future troubleshooting efforts. It also helps support personnel understand the configuration and its capabilities. With proper documentation, run books can be created for Help Desk and other support personnel. Also, proper documentation could make audits less painful as security settings would be easier to share and validate.
Tips
- Do not rely on the default output of the Get cmdlets as it may not reveal information that is interesting or necessary for documentation. For example, Get-EXOMailbox | ft only reveals ExternalDirectoryObjectID, UserPrincipalName, and Alias, which is uninformative.
- Do create reports/tables from Get cmdlet output, and make sure to use formatting and property selection to gather meaningful data and process for proper output.
- Make sure to update these reports at least once every quarter, if not more often, using Azure Automation.
- Make it accessible. Once completed, share it with your team, as well as the PowerShell code used for supportability. Post it to a Microsoft Team and post code to GitHub for team contributions.
- Use PSWriteHTML, a powerful Module that enables the creation of complex and consumable HTML reports. Example usage here.
A good example of creating practical, useable documentation with PowerShell: Strengthening your Microsoft 365 Tenant-to-Tenant Migration PowerShell Script
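The property-selection tip above, as an added example that is not part of the original article: it turns mailbox objects into documentation rows that record audit and forwarding settings, then writes a CSV. ConvertTo-MailboxDocRow is a hypothetical helper name, and the two sample mailboxes are constructed so the block runs without a tenant connection.

```powershell
# Added example, not from the original article. ConvertTo-MailboxDocRow is a
# hypothetical helper; the two sample mailboxes below are constructed data.
function ConvertTo-MailboxDocRow {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)]$Mailbox)
    process {
        [pscustomobject]@{
            UserPrincipalName = $Mailbox.UserPrincipalName
            Type              = $Mailbox.RecipientTypeDetails
            Created           = '{0:yyyy-MM-dd}' -f $Mailbox.WhenCreated
            AuditEnabled      = $Mailbox.AuditEnabled
            # A populated forwarding address is worth recording for audits
            ForwardsTo        = $Mailbox.ForwardingSmtpAddress
        }
    }
}

# In a live tenant (after Connect-ExchangeOnline), ask for the extra
# properties explicitly, because the default output omits them:
#   $props = 'RecipientTypeDetails','WhenCreated','AuditEnabled','ForwardingSmtpAddress'
#   $mailboxes = Get-EXOMailbox -ResultSize Unlimited -Properties $props
$mailboxes = @(
    [pscustomobject]@{ UserPrincipalName = 'alex@contoso.example'
        RecipientTypeDetails = 'UserMailbox';   WhenCreated = [datetime]'2021-03-04'
        AuditEnabled = $true;  ForwardingSmtpAddress = $null }
    [pscustomobject]@{ UserPrincipalName = 'sales@contoso.example'
        RecipientTypeDetails = 'SharedMailbox'; WhenCreated = [datetime]'2022-11-17'
        AuditEnabled = $false; ForwardingSmtpAddress = 'smtp:archive@contoso.example' }
)

$report = $mailboxes | ConvertTo-MailboxDocRow | Sort-Object UserPrincipalName
$report | Export-Csv -Path .\MailboxDocumentation.csv -NoTypeInformation
$report | Format-Table -AutoSize
```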
Four: Example Code and Scripts
Reusing code is always advisable when dealing with repeatable tasks. Typically, this means building your own code base of scripts and cmdlets/one-liners you use to complete tasks. Beyond this, using code or scripts that others have created can be extremely useful and time-saving. Scripts of this nature could come from colleagues, respected coders (such as Microsoft MVPs), and Microsoft engineers who write scripts to help administrators. Some example scripts are listed below:
Examples of Microsoft Scripts
- ORCA: Defender for Office 365 Best Practices analysis, providing insights into better mail hygiene settings for a tenant.
- CAMP: Configuration Analyzer for Microsoft Purview, useful for auditing against compliance best practices.
- Mailbox permissions: Moving mailboxes to Exchange Online requires knowledge of interlinked mailbox permissions and this script exposes permission interlinks. Mailbox batches are created to ensure a better user experience.
Examples of Third-Party Scripts
- License Audit for Shared Mailboxes: Certain conditions require Shared Mailboxes to have a license and this script can perform a discovery in Exchange Online.
- Private Team and Member Identification: Use this script to identify Private Teams channels and their membership.
- .. And many more HERE …
Tip: Open these scripts in your favorite PowerShell editing tool (such as Visual Studio Code) and review the code provided before you run it. Learning how others code can help broaden your coding abilities and grow your skills in using PowerShell to manage Microsoft 365.
Five: Microsoft Graph PowerShell Module
Introduced in January of 2020, the Microsoft Graph PowerShell module provides access to the array of endpoints in Microsoft 365, including Exchange, SharePoint, and more; there are literally thousands of endpoints the module has access to. Access to these endpoints is spread across dozens of sub-modules that together include over 4500 commands. To work only with cmdlets from a particular subset, like Planner, for example, we can list them like so:
Get-Command -Module Microsoft.Graph* *Planner*
The output of this one-liner provides a limited/more manageable subset of the Graph cmdlets to review, making it easier to find a cmdlet for a task.
Why Use It?
Power and flexibility: Simply put, the Graph module is powerful in terms of the
Note: Microsoft is deprecating the Azure AD and MSOL modules. Many organizations use these modules to manage Azure AD objects like user accounts and groups. These operations should now be performed using cmdlets from the Microsoft Graph PowerShell SDK.
Graph Permissions
When connecting to Graph, PowerShell needs an access token in order to access information in the tenant. For example, if Read/Write access to Users and Groups was needed, these two permissions would be defined in the connection string: “User.ReadWrite.All” and “Group.ReadWrite.All”. A complete list of permissions available can be found here:
Find-MgGraphPermission -PermissionType Any
You will be asked to consent to permissions for the Graph SDK app if you have not used the SDK previously.
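A least-privilege check for the scopes discussed above, as an added example that is not part of the original article. Delegated scopes consented earlier stay attached to the Graph SDK app, so a session can hold more permissions than the current script asked for. Compare-GraphScope is a hypothetical helper name and the scope lists are constructed sample data.

```powershell
# Added example, not from the original article. Compare-GraphScope is a
# hypothetical helper; the scope lists below are constructed sample data.
function Compare-GraphScope {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$Required,   # scopes the script needs
        [Parameter(Mandatory)][string[]]$Granted     # scopes in the current session
    )
    # Sign-in scopes that grant no access to tenant data
    $baseline = 'openid', 'profile', 'email', 'offline_access'

    # Literal comparison: a broader granted scope shows as Excess and the
    # narrower required one as Missing, which prompts a manual review.
    foreach ($scope in (($Required + $Granted) | Sort-Object -Unique)) {
        if ($scope -in $baseline) { continue }
        $status = if ($scope -notin $Granted) { 'Missing' }
                  elseif ($scope -notin $Required) { 'Excess' }
                  else { 'OK' }
        [pscustomobject]@{
            Scope           = $scope
            Status          = $status
            # Write access across the whole tenant deserves a second look
            TenantWideWrite = $scope -like '*.ReadWrite.All'
        }
    }
}

# Constructed sample: a reporting script that only reads users and groups
$required = 'User.Read.All', 'Group.Read.All'
# In a live session use:
#   Connect-MgGraph -Scopes $required
#   $granted = (Get-MgContext).Scopes
$granted = 'openid', 'profile', 'User.Read.All', 'Group.ReadWrite.All', 'Mail.Send'

Compare-GraphScope -Required $required -Granted $granted | Format-Table -AutoSize
```

With the sample data, Group.ReadWrite.All and Mail.Send are reported as Excess, and Group.ReadWrite.All is also flagged as tenant-wide write access.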
Invoke-MgGraphRequest
Get to know this cmdlet, as it can replace the *-Mg cmdlets and make direct changes and queries in a tenant. However, this also means knowing the connection points, as these are necessary to access objects.
Good Resources
Make sure to review the Getting Started Guide and the M365 Developer Blog for some good starter tips on Graph PowerShell.
Example usage for the Microsoft Graph PowerShell SDK can be found throughout the Practical365 blog: Sending Email with Graph, External Teams Access Configuration, and License Management, to name a few good articles.
Summary
These five tips are just some of the many things that administrators can do to improve not only their management of their Microsoft 365 tenant, but also to help deepen their own knowledge of PowerShell and become more familiar with it. Make the effort and spend time to make these tips an effective part of your toolbox.
PowerShell as a tool is useful in many ways as we have seen in this article. In part two, we will cover five more tips that can be used by administrators in Microsoft 365.