Setting MS Teams Policies for Users using PowerShell


In my past two blogs I have shown you how to obtain all the users policies and output to a csv file, and how to create a new policy. In this blog post, I’m going to show you a couple of ways of setting users to new policies.

  • Change policy for an individual user
  • Change policy for a group of users
  • Change policies for group of users using a csv file

Change policy for an individual user

In this example I’m going to stick to just the messaging policy.

.\Set-IndivdualUserMessagingPolicy.ps1 -UserNameToSetPolicy:”Jeff.Hay@mytenant.onmicrosoft.com” -PolicyName:”NoGiphyOrStickersMessagePolicy”

param(
[Parameter(Mandatory)]
[string]
$UserNameToSetPolicy,
[Parameter(Mandatory)]
[string]
$PolicyName
)
Import-Module "C:\\Program Files\\Common Files\\Skype for Business Online\\Modules\\SkypeOnlineConnector\\SkypeOnlineConnector.psd1"
$Session = New-CsOnlineSession
Import-PSSession Session:$Session AllowClobber
if (-not $(Get-CsTeamsMessagingPolicy Identity:$PolicyName ErrorAction:SilentlyContinue)){
Write-warning "Unable to find Policy $PolicyName"
return
}
else{
Write-Information "Granting Message Policy $PolicyName for user $UserNameToSetPolicy"
Grant-CsTeamsMessagingPolicy PolicyName $PolicyName Identity $UserNameToSetPolicy
}
Remove-PSSession Session:$session
write-Information "Done"

It can take a while before the change is reflected in the Teams Administration.

Change policy for a group of users

There are a couple of ways you can do this. If you have your people data filled in correctly, such as Department, Office, City etc, you could assign all the people from one of these areas to a given policy. For example the following script grabs everyone from the sales department and assign them the sales policy for messaging:

Get-CsOnlineUser Filter {Department -eq 'sales'} | Grant-CsTeamsMessagingPolicy PolicyName "SalesPolicy"

Alternatively you could do it based on a AD Group, you first need to connect to grab the members of the given group, I would connect with AZ cli.

$GroupName = "SalesUsers"
$PolicyName = "SalesPolicy"
az login
az ad group member list group $GroupName query "[?userType == 'Member']" `
| ConvertFrom-Json `
| % { Grant-CsTeamsMessagingPolicy PolicyName $PolicyName Identity $_.userPrincipalName }

Change policies for a group of users using a csv file

In a previous blog post, I showed you how to obtain all the valid users from the tenant with their policies. We are going to use the csv it produces to change users policies.

The screen shot below shows my users with licenses, originally when I ran my script I only had DisplayName, UserPrincipalName and SipAddress showing, everything else was blank because my users were all in the global policies.

I have now filled in the CSV file with either SalesPolicy, HRPolicy, or NoGiphyOrStickersMessagePolicy. Left my account as global. These policy have already been created in my environment, help with doing that can be found in this blog post.

The following script requires your MS Teams Administrator username, and the path to the csv file. It loops through each item and then sets the polices for each user.

.\set-UserTeamPolicies.ps1 -UserName:admin@mytenant.onmicrosoft.com -Path:.\teamsuserpolicies.csv

param(
#Teams Administrator UserName
[Parameter(Mandatory)]
[string]
$Username,
#CSV File Path
[Parameter(Mandatory)]
[string]
$Path
)
$InformationPreference = 'Continue'
Write-Information MessageData "Obtaining Module, please connect when prompted…"
Import-Module "C:\\Program Files\\Common Files\\Skype for Business Online\\Modules\\SkypeOnlineConnector\\SkypeOnlineConnector.psd1"
$Session = New-CsOnlineSession UserName:$Username
Import-PSSession Session:$Session AllowClobber
@($(Import-csv Path:"$PSScriptRoot\$Path")).ForEach( {
$csv = $PSItem
$userPrincipalName = $csv.userPrincipalName
Write-Information MessageData:"Applying $($csv.DisplayName) Policies…"
#"TeamsMeetingPolicy",
Grant-CsTeamsMeetingPolicy PolicyName $($csv.TeamsMeetingPolicy) Identity $userPrincipalName
#"TeamsMessgingPolicy",
Grant-CsTeamsMessagingPolicy PolicyName $($csv.TeamsMessagingPolicy) Identity $userPrincipalName
#"TeamsMeetingBroadcastPolicy",
Grant-CsTeamsMeetingBroadcastPolicy PolicyName $($csv.TeamsMeetingBroadcastPolicy) Identity $userPrincipalName
#"TeamsAppPermissionPolicy",
Grant-CsTeamsAppPermissionPolicy PolicyName $($csv.TeamsAppPermissionPolicy) Identity $userPrincipalName
#"TeamsAppSetupPolicy",
Grant-CsTeamsAppSetupPolicy PolicyName $($csv.TeamsAppSetupPolicy) Identity $userPrincipalName
#"TeamsCallParkPolicy",
Grant-CsTeamsCallParkPolicy PolicyName $($csv.TeamsCallParkPolicy) Identity $userPrincipalName
#"TeamsCallingPolicy",
Grant-CsTeamsCallingPolicy PolicyName $($csv.TeamsCallingPolicy) Identity $userPrincipalName
#"CallerIDPolicy
Grant-CsCallingLineIdentity PolicyName $($csv.CallerIdPolicy) Identity $userPrincipalName
#"TeamsChannelsPolicy",
Grant-CsTeamsChannelsPolicy PolicyName $($csv.TeamsChannelsPolicy) Identity $userPrincipalName
#"TeamsEmergencyCallingPolicy",
Grant-CsTeamsEmergencyCallingPolicy PolicyName $($csv.TeamsEmergencyCallingPolicy) Identity $userPrincipalName
#"TeamsEmergencyCallRoutingPolicy",
Grant-CsTeamsEmergencyCallRoutingPolicy PolicyName $($csv.TeamsEmergencyCallRoutingPolicy) Identity $userPrincipalName
#"TenantDialPlan",
Grant-CsTenantDialPlan PolicyName $($csv.TenantDialPlan) Identity $userPrincipalName
#"TeamsUpgradePolicy"
Grant-CsTeamsUpgradePolicy PolicyName $($csv.TeamsUpgradePolicy) Identity $userPrincipalName
if ($Session.State -ne "Opened") {
Write-Warning "Session state closed, please reauthenticate"
Remove-PSSession Session:$Session
$Session = New-CsOnlineSession UserName:$Username
Import-PSSession Session:$Session AllowClobber
}
})
Write-Information "Complete"
Remove-PSSession Session:$Session

If you have a lot of users to update, the session might timeout. On line 52 – 57 there is a check to see if the session has timed out and then gets you to reauthenticate. If anyone else knows a better way to do this, please add a comment below, or get in touch.

Getting all MS Teams User Policies using PowerShell


With everyone working at home at the moment, you might need to grab a report of the User Policies for MS Teams. These few steps will show you how to grab all the users and display in a csv file.

To work with policies you first need to obtain the PowerShell module – SkypeOnlineConnector. Which you can download from this link https://www.microsoft.com/en-us/download/details.aspx?id=39366

Installing the SkypeOnlineConnector and creating a session

Once you have installed the PowerShell module you will need to import the module and create a PowerShell session.

Import-Module "C:\\Program Files\\Common Files\\Skype for Business Online\\Modules\\SkypeOnlineConnector\\SkypeOnlineConnector.psd1"
$Session = New-CsOnlineSession
Import-PSSession -Session:$Session -AllowClobber

You will be prompted for MS Teams administrator username and password, you can pass your credentials in with the -credential parameter at the end of New-CsOnlineSession, however this doesn’t work with MFA.

Once connected you will be able to grab all users using the Get-CsOnlineUser cmdlet, or grab one user by providing the users Identity.

Policies

If you call the above for a single user you will see that there are loads of policies that can be set. Not all are MS Teams related. The ones I will be focusing on are the same 12 policies you see when you view Assigned policies for a user in Teams Administration.

These policies are named slightly different in the results compared to the display name shown above.

Display Name Policy Name
Meeting policy TeamsMeetingPolicy
Messaging policy TeamsMessagingPoliy
Live events policy TeamsMeetingBroadcastPolicy
App permission policy TeamsAppPermissionPolicy
App setup policy TeamsAppSetupPolicy
Call park policy TeamsCallParkPolicy
Calling policy TeamsCallingPolicy
Caller ID policy CallerIdPolicy
Teams policy TeamsChannelsPolicy
Emergency calling policy TeamsEmergencyCallingPolicy
Emergency call routing policy TeamsEmergencyCallRoutingPolicy
Dial plan TenantDialPlan
Teams Upgrade TeamsUpgradePolicy

The following script will grab all users and their current policy for the above polices, with the provided path it will output to csv file.

Please note: Anything that is set to Global policy will be blank.

.\Get-UserTeamPolicies.ps1 -Path:.\AllTeamUsersPolicies.csv

param(
#OutPut CSV File Path
[Parameter(Mandatory)]
[string]
$Path
)
$InformationPreference = 'Continue'
Write-Information -MessageData "Obtaining Module, please connect when prompted..."
Import-Module "C:\\Program Files\\Common Files\\Skype for Business Online\\Modules\\SkypeOnlineConnector\\SkypeOnlineConnector.psd1"
$Session = New-CsOnlineSession
Import-PSSession -Session:$Session -AllowClobber
Write-Information -MessageData "Getting all enabled users"
$Users = Get-CsOnlineUser | Select-Object DisplayName, `
UserPrincipalName, `
SipAddress, `
TeamsMeetingPolicy, `
TeamsMessagingPolicy, `
TeamsMeetingBroadcastPolicy, `
TeamsAppPermissionPolicy, `
TeamsAppSetupPolicy, `
TeamsCallParkPolicy, `
TeamsCallingPolicy, `
CallerIdPolicy, `
TeamsChannelsPolicy, `
TeamsEmergencyCallingPolicy, `
TeamsEmergencyCallRoutingPolicy, `
TenantDialPlan, `
TeamsUpgradePolicy
$Users | Export-Csv -Path:$Path -NoTypeInformation
Write-Information "Complete"
Remove-PSSession -Session:$session

In a later blog, I will be using the csv file to update user policies.

Bonus: If you want to get all users for just a single policy you can perform a filter on the Get-CsOnlineUser

Write-host "Teams Meeting Policy"
Get-CsOnlineUser -Filter {TeamsMeetingPolicy -eq 'GivenPolicyNameBlankForGlobal'} | Select UserPrincipalName

Updating an expired Client Secret of a SharePoint Add-in using Azure-AD/Az Cli


Back in May 2016, I wrote a post to show you how to update the Client Secret of a SharePoint add-in. This used the PowerShell module MSOL. https://cann0nf0dder.wordpress.com/2016/05/18/updating-an-expired-client-secret-of-sharepoint-add-in/

The MSOL module is now (or going to be) deprecated. Therefore, I needed to find a different way of doing this, and ideally something that could be done with Azure Dev-ops pipelines. I originally started with AZ CLI. Although the Client Secret is tied to a Service Principal in Azure AD, I was unable to change the Key Credentials or Password Credentials for it.

Due to the issues I was getting with AZ CLI, I used Azure-AD module instead. See at end of blog post, how I got Az CLI to work with a workaround.

Updating Client Secret

Connect to Azure-AD

First you will need to connect to Azure-AD

#Install AzureAD
Write-Information -MessageData:"Getting if the AzureAD powershell module is available..."
if(-not (Get-Module AzureAD)) {
Write-Information -MessageData:"Installing the NuGet Package provider..."
Install-PackageProvider -Name:NuGet -Force -Scope:CurrentUser
Write-Information -MessageData:"Installing the AzureAD Powershell Module..."
Install-Module AzureAD -Scope:CurrentUser -Force
}
$Credential = Get-Credential
Connect-AzureAD -Credential $Credential
view raw Connect-AzureAD.ps1 hosted with ❤ by GitHub

The above code ensures that you have Azure AD installed on your machine, and logs you in.

Getting the Add-in as a Service Principal

Once you have logged in, you will be able to call back your SharePoint Add-in. The SharePoint Add-in is actually a Service Principal within Azure AD, and we will grab this using Get-AzureADServicePrincipal. You can do this by using the AppId, or the AppName. The AppId is fine to use, but when you want to use the same script across multiple environments, you will need to ensure you are passing in the different AppId for each environment. THis is why I have used the Name of the Add-In. (Assuming you have given your App the same name in each environment)

$serviceprincipal = Get-AzureADServicePrincipal -All:$true -Filter "DisplayName eq 'Demo App'"
#OR If using APP ID.
$serviceprincipalByID = Get-AzureADServicePrincipal -All:$true -Filter "AppId eq 'ab739749-827d-4437-90e5-bf181c5407e0'"

Create a new Secret

Next you need to be able to create a new secret. This is done by creating random bytes and converting to a Base64String. I ensure the password is valid for an additional 2 years.

$bytes = New-Object Byte[] 32
$rand = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rand.GetBytes($bytes)
$rand.Dispose()
$newClientSecret = [System.Convert]::ToBase64String($bytes)
$dtStart = [System.DateTime]::Now
$dtEnd = $dtStart.AddYears(2)
write-output $newClientSecret
view raw CreatingPassword.ps1 hosted with ❤ by GitHub

Create Key Credentials and Password Credential for the App

The SharePoint Add-In requires 2 Key Credentials (One Sign and one Verify) and 1 Password Credentials. The following script creates new ones, this allows both the old password and the new password to continue working at the same time, until you are able to update the code that uses the ClientID and ClientSecret.

Write-Information "Updating KeyCredential Usage Sign..."
New-AzureADServicePrincipalKeyCredential -ObjectId $serviceprincipal.ObjectId -Type:Symmetric -Usage:Sign -Value $newClientSecret -StartDate $dtStart -EndDate $dtEnd | Out-Null
Write-Information "Updating KeyCredential Usage Verify..."
New-AzureADServicePrincipalKeyCredential -ObjectId $serviceprincipal.ObjectId -Type:Symmetric -Usage:Verify -Value $newClientSecret -StartDate $dtStart -EndDate $dtEnd | Out-Null
Write-Information "Updating PasswordCredential..."
New-AzureADServicePrincipalPasswordCredential -ObjectId $serviceprincipal.ObjectId -Value $newClientSecret -StartDate $dtStart -EndDate $dtEnd | Out-Null
view raw NewCredentials.ps1 hosted with ❤ by GitHub

Removing the original Key and Password Credential for the App

The following code shows how to loop round the Key and Password credentials and remove the original ones. It does this by looking for any Credentials that were created before the start date of the new ones. I would only run this part of my code, once I know I have updated my application to use the new password. Not in my example here, but where I’m using it in the real world, my Client Secret is stored within a Keyvault. I would update the keyvault value (ensuring to disable the previous version).

Write-Information "Remove all KeyCredential started before $(Get-Date $dtStart -Format 'O' )..."
$serviceprincipal = Get-AzureADServicePrincipal -All:$true -Filter "DisplayName eq '$SharePointAddInName'"
$serviceprincipal.KeyCredentials | ForEach-Object{
$credential = $PSItem
if($($credential.StartDate) -lt $dtStart)
{
Write-Information -MessageData:"Removing KeyCredential $($credential.KeyId)"
Remove-AzureADServicePrincipalKeyCredential -ObjectId:$serviceprincipal.ObjectId -KeyId:$credential.KeyId
}
}
Write-Information "Remove all PasswordCredential started before $(Get-Date $dtStart -Format 'O' )..."
$serviceprincipal.PasswordCredentials | ForEach-Object{
$credential = $PSItem
if($($credential.StartDate) -lt $dtStart)
{
Write-Information -MessageData:"Removing PasswordCredential $($credential.KeyId)"
Remove-AzureADServicePrincipalPasswordCredential -ObjectId:$serviceprincipal.ObjectId -KeyId:$credential.KeyId
}
}

Connecting with AZ Cli Workaround

Using Azure Dev-Ops Pipeline, I really wanted to use AZ cli to be able to update the Client Secret of a SharePoint Add-in. Due to the error messages when I attempted to update the Service Principal Key Credential and Password Credentials, I was forced to use Azure-AD instead. So how can I uses AZ Cli.

My Dev-Ops Pipeline uses a service account, and I have ensured this service account has permissions to update the directory.

Then I can connect from Az Cli to Azure-AD doing the following:

#Once signed into Azure CLI
$Token = az account get-access-token --resource-type "aad-graph" | ConvertFrom-Json
$AzAccount = az account show | ConvertFrom-Json
Connect-AzureAD -AadAccessToken $($Token.accessToken) -AccountId:$($AzAccount.User.Name) -TenantId:$($AZAccount.tenantId)
view raw AzCliToAzureAD.ps1 hosted with ❤ by GitHub

I add the above code in the full script just after the parameter, as the pipeline will already be signed in as the Pipeline Service Principal. It will then grab the Access token to sign in with Azure AD, and then able to run the rest of the script.

Full Script

<#
.SYNOPSIS
Updates the SharePoint Add-in Secret everytime.
It expects that you are already connected to Azure AD
.EXAMPLE
.\Update-SharePointAddIn.ps1 -SharePointAddInName "Demo App"
#>
param(
[Parameter(Manadatory)]
[string]
$SharePointAddInName
)
$ErrorActionPreference = 'Stop'
$InformationPreference = 'Continue'
#Call AzCliToAzureAD.ps1 here for Pipeline.
#Create Pasword
$bytes = New-Object Byte[] 32
$rand = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rand.GetBytes($bytes)
$rand.Dispose()
$newClientSecret = [System.Convert]::ToBase64String($bytes)
$dtStart = [System.DateTime]::Now
$dtEnd = $dtStart.AddYears(2)
Write-Information "Getting service principal named: $SharePointAddInName..."
$serviceprincipal = Get-AzureADServicePrincipal -All:$true -Filter "DisplayName eq '$SharePointAddInName'"
if($null -eq $serviceprincipal)
{
Write-Error "Unable to find service principal named: $SharePointAddInName"
}
Write-Information "Updating KeyCredential Usage Sign..."
New-AzureADServicePrincipalKeyCredential -ObjectId $serviceprincipal.ObjectId -Type:Symmetric -Usage:Sign -Value $newClientSecret -StartDate $dtStart -EndDate $dtEnd | Out-Null
Write-Information "Updating KeyCredential Usage Verify..."
New-AzureADServicePrincipalKeyCredential -ObjectId $serviceprincipal.ObjectId -Type:Symmetric -Usage:Verify -Value $newClientSecret -StartDate $dtStart -EndDate $dtEnd | Out-Null
Write-Information "Updating PasswordCredential..."
New-AzureADServicePrincipalPasswordCredential -ObjectId $serviceprincipal.ObjectId -Value $newClientSecret -StartDate $dtStart -EndDate $dtEnd | Out-Null
#Update the application here.
#For example add the secret to a key vault that the application is getting the secret from.
Write-Information "Remove all KeyCredential started before $(Get-Date $dtStart -Format 'O' )..."
$serviceprincipal = Get-AzureADServicePrincipal -All:$true -Filter "DisplayName eq '$SharePointAddInName'"
$serviceprincipal.KeyCredentials | ForEach-Object{
$credential = $PSItem
if($($credential.StartDate) -lt $dtStart)
{
Write-Information -MessageData:"Removing KeyCredential $($credential.KeyId)"
Remove-AzureADServicePrincipalKeyCredential -ObjectId:$serviceprincipal.ObjectId -KeyId:$credential.KeyId
}
}
Write-Information "Remove all PasswordCredential started before $(Get-Date $dtStart -Format 'O' )..."
$serviceprincipal.PasswordCredentials | ForEach-Object{
$credential = $PSItem
if($($credential.StartDate) -lt $dtStart)
{
Write-Information -MessageData:"Removing PasswordCredential $($credential.KeyId)"
Remove-AzureADServicePrincipalPasswordCredential -ObjectId:$serviceprincipal.ObjectId -KeyId:$credential.KeyId
}
}

Setting up a O365 Dev Tenant – Part 6 – Set up SharePoint Tenant


Introduction

In this series of posts, I will explain how you can set up a Development O365 Tenant quickly. Using PowerShell scripts, at the end of this process, you will have:

  • A O365 Development Tenant with 25 “DEVELOPERPACK” Licenses.
  • 25 Users assigned with license
  • A total of 274 Users added to the Tenant
    • Set up for multiple offices
    • Organisational structured
  • All users will be MFA enabled
  • All users will have photos added to their accounts
  • Enabling Office 365 Auditing
  • Setting up the SharePoint Tenant Settings and enabling Public CDN for SPFX

Unfortunately, I have found it impossible to do the following via PowerShell scripts, and these would need to be done manually. I haven’t included this information within these blog post.

  • Create a Tenant App Catalog
  • Set Organisation Details
  • Set Login Branding
  • Set Tenant Branding

Obtaining the code

I have stored my code on GitHub at the following URL for cloning. https://github.com/pmatthews05/SetupDevTenant.git

Setting up the SharePoint Tenant

SharePoint Tenant has many different settings. Here my script is just calling the PNP powershell command Set-PnPTenant. More information about each setting can be found here. https://docs.microsoft.com/en-us/powershell/module/sharepoint-pnp/set-pnptenant?view=sharepoint-ps

If you already have a SharePoint tenant that you want to have exact same settings on your environment, you just need to go to that tenant, sign into the SharePoint admin URL with PNP, and then run

Get-PnPTenant | ConvertTo-Json > .\othertenant.json

This will output a json file that will read in with my script, but you will need to add the following to “PublicCdnOrigins” and sets PublicCdnEnabled to True. as it never reads this in with this command.

“PublicCdnEnabled”: true,
“PublicCdnOrigins”: [
   “*/MASTERPAGE”,
   “*/STYLE LIBRARY”,
   “*/CLIENTSIDEASSETS”
]

Inside the Settings folder, you will find a pre-configured SPTenantSettings.json file. I have put all the parameters in alphabetical order to make it easier to read. This is a typical setup I use, but it probably isn’t what you want. Especially around Sharing. I don’t allow sharing to anonymous users (SharingCapability). I also set Direct default sharing link (DefaultSharingLinkType).

To run this script you first need to connect to the admin site, using Connect-PnPOnline.

Connect-PnPOnline -url:https://[tenant]-admin.sharepoint.com -useweblogin

Now you are connected, you can call the Set-SharePointTenant.ps1 file.

.\Set-SharePointTenant.ps1 -SettingsPath:'.\settings\SPTenantSettings.json'

There are two settings that will require a confirmation that for some reason cannot be pre applied in PowerShell. These settings are OneDriveForGuestsEnabled and OrphanedPersonalSitesRetentionPeriod.



If you are running the template I provided, once the script has finished running your Public CDN will also be turned on.

Using PowerShell, type the following and you will see that the configuration is pending. This takes up to 15 minutes before it is fully enabled. You can keep calling the below command until it no longer says Configuration Pending.

Get-PnPTenantCdnOrigin –CdnType Public

Intune and Azure Directory Premium

In lines 84-86 of Set-SharePointTenant.ps1 there are 3 settings that I have commented out (ConditionalAccessPolicy, AllowDownloadingNonWebViewableFiles and AllowEditing). These settings require Intune and Azure Active Directory Premium subscription. As this is a development tenant, there is no need to set these settings.

I hope you have found this series useful and are able to setup within a couple of days due to Microsoft back end processes a SharePoint Development tenant that you can work with. I am more than happy for anyone to help expand/improve on my GitHub project.

Setting up a O365 Dev Tenant – Part 5 – Turning on O365 Auditing


Introduction

In this series of posts, I will explain how you can set up a Development O365 Tenant quickly. Using PowerShell scripts, at the end of this process, you will have:

  • A O365 Development Tenant with 25 “DEVELOPERPACK” Licenses.
  • 25 Users assigned with license
  • A total of 274 Users added to the Tenant
    • Set up for multiple offices
    • Organisational structured
  • All users will be MFA enabled
  • All users will have photos added to their accounts
  • Enabling Office 365 Auditing
  • Setting up the SharePoint Tenant Settings and enabling Public CDN for SPFX

Unfortunately, I have found it impossible to do the following via PowerShell scripts, and these would need to be done manually. I haven’t included this information within these blog post.

  • Create a Tenant App Catalog
  • Set Organisation Details
  • Set Login Branding
  • Set Tenant Branding

Obtaining the code

I have stored my code on GitHub at the following URL for cloning. https://github.com/pmatthews05/SetupDevTenant.git

Turning on and setting permissions for Office 365 Auditing

At the URL https://protection.office.com you have access to the Security & Compliance Center. There is lots you can do in this area of O365, but I am just going to talk about Auditing in this post.

In the left hand navigation of Office 365 Security & Compliance, expand Search and select Audit Log Search. Yours should be like the screen shot above and has a yellow banner that states you need to turn auditing on. There is a button at the end, and this allows you to turn it on.

My script, Set-Office365Auditing.ps1 not only turns on the Auditing, but it assigns a group of users to have view-only access to the Audit logs.

Enable-OrganizationCustomization

Before you can run my script, the above command needs to be run first, and you need to wait a while before you can run my script below. Due to the time I was working on this blog, I ended up waiting 24 hours before I ran my next script. I’m not sure how long you have to wait.

You need to use the Microsoft Exchange Online PowerShell Module. If you haven’t already downloaded this from part 3 of this series, please follow my previous blog about how to do this correctly. https://cann0nf0dder.wordpress.com/2019/04/14/unable-to-download-the-exchange-online-powershell-module-deployment-and-application-do-not-have-matching-security-zones/

Open Microsoft Exchange Online PowerShell Module. You will need to connect first, before running the script. It allows you to control the signing in.

Connect-EXOPSSession -userPrincipalName [user.name]@[tenant].onmicrosoft.com

Now you can run

Enable-OrganizationCustomization 

Running Set-UserAccountsOnline.ps1

This script uses the Microsoft Exchange Online Powershell Module, and ViewAuditUsers.csv file. It will:

  • Create a new RoleGroup called “View Audits Only
  • Add Users from the CSV file to the RoleGroup
  • Lastly it will turn on Auditing for O365.

Before you run any code, you will need to replace [User.Name] on line 2 of the ViewAuditUsers.csv to your User Name.

Open Microsoft Exchange Online PowerShell Module. You will need to connect first, before running the script. It allows you to control the signing in.

Connect-EXOPSSession -userPrincipalName [user.name]@[tenant].onmicrosoft.com

Now you are connected, you can call the Set-Office365Auditing.ps1 file.

.\Set-Office365Auditing.ps1 -Path:'.\data\ViewAuditUsers.csv' -TenantDomain:'[mytenant].onmicrosoft.com' 

Replace [mytenant] with your tenant name.

If you now head to the Exchange admin center.

Viewing Audit Logs

At the URL https://protection.office.com you have access to the Security & Compliance Center. In the left hand navigation of Office 365 Security & Compliance, expand Search and select Audit Log Search. As you have just turned on Auditing, you might see the yellow/orange message that I have on my screen shot below.

Because you started recording user and admin activities within the last 24 hours, some activities might not show up in search results yet.

After a little while, (at least an hour) you will start receiving results when you click Search.

For a user that doesn’t have access, as you haven’t given them View Audits permission, they will get an error message when going directly to the URL.

In this blog post we have turned on the Office 365 Auditing and assigned a few users to have access. In my next and last blog post in this series, I will be setting up my SharePoint tenant admin properties and ensuring public CDN is turned on for SPFX.

Setting up a O365 Dev Tenant – Part 4 – Upload User Photos to SharePoint


Introduction

In this series of posts, I will explain how you can set up a Development O365 Tenant quickly. Using PowerShell scripts, at the end of this process, you will have:

  • A O365 Development Tenant with 25 “DEVELOPERPACK” Licenses.
  • 25 Users assigned with license
  • A total of 274 Users added to the Tenant
    • Set up for multiple offices
    • Organisational structured
  • All users will be MFA enabled
  • All users will have photos added to their accounts
  • Enabling Office 365 Auditing
  • Setting up the SharePoint Tenant Settings and enabling Public CDN for SPFX

Unfortunately, I have found it impossible to do the following via PowerShell scripts, and these would need to be done manually. I haven’t included this information within these blog post.

  • Create a Tenant App Catalog
  • Set Organisation Details
  • Set Login Branding
  • Set Tenant Branding

In my previous post, I showed you how to import user photos into exchange. As we could only add 25 user pictures due to licensing constraints, this post will show you how to upload all the pictures into SharePoint.

Obtaining the code

I have stored my code on GitHub at the following URL for cloning. https://github.com/pmatthews05/SetupDevTenant.git

Running Set-UserPhotosInSharePoint.ps1

Before running this code, I wish to give a shout out to Christopher Walker, who had a PowerShell function for resizing images in a Gist. Thank you. https://gist.github.com/someshinyobject/617bf00556bc43af87cd

This script uses the AzureADUser.csv file and the UserImages profile pictures. It will:

  • Loop through the CSV
  • Create 3 different sized images for the user
  • Upload the 3 images to Root MySite.

To run the script, you need to install PNP PowerShell. Follow the instruction here how to install if you encounter issues. https://docs.microsoft.com/en-us/powershell/sharepoint/sharepoint-pnp/sharepoint-pnp-cmdlets?view=sharepoint-ps

Basically, if you haven’t done this previously, run PowerShell as Administrator. Then type:

Install-Module SharePointPnPPowerShellOnline -SkipPublisherCheck -AllowClobber

You will need to connect first to your root MySite, before running the script. It allows you to control the signing in, for example if you didn’t make your account MFA, then you don’t need to use the command UseWebLogin and just sign in with your credentials.

Connect-PnPOnline -url:https://[tenant]-my.sharepoint.com -useweblogin

Now you are connected, you can call the Set-UserPhotosInSharePoint.ps1 file.

.\Set-UserPhotosInSharePoint.ps1 -Path:'.\data\AzureADUsers.csv' -TenantDomain:'[tenant].onmicrosoft.com' 

Replace [tenant] with your tenant name.

This script is idempotent, so you can run it again at any point if there was an issue.

Once the script is complete, if you go to the following URL you will find pictures imported into the library at the root of the mysites.

https://[tenant]-my.sharepoint.com/User%20Photos

When the code is running, you might have noticed, in the UserImages folder, there is a new subfolder called Resize. This is where all the images are copied and resized to before being uploaded to SharePoint.

Running Set-UserProfilePhotosInSharePoint.ps1

At this point, all you really have done is uploaded pictures to SharePoint, they are not tied to the user at all. The following script will update the SharePoint user profile to point to the correct image.

Firstly, before you can run this script, we need to ensure that SharePoint online has already found your users and added them to the user profile.

  • Navigate to https://[tenant]-admin.sharepoint.com
  • Click the link to the Classic SharePoint admin centre which can be found in the left-hand navigation
  • Click User Profiles from the left-hand navigation
  • Here you should be able to see the number of User Profiles registered.

As you can see from my screen shot above my SharePoint has only registered 3 user profile so far. As we have no control over this, I will need to wait until SharePoint Online has done is syncing. This can take up to 24 hours.

After checking back later I can now see that I have user profiles for all users within Azure AD.

This code sets the UserProfile property PictureURL to [tenant]-my.sharepoint.com/user photos/profile pictures/[firstname_lastname_tenant]onmicrosoft_com_LThumb.jpg and sets the UserProfile property SPS-PicturePlaceholderState
to 0. By setting the value to 0, it indicate that SharePoint online should show the uploaded picture for the user.

First you need to connect to the admin site.

Connect-PnPOnline -url:https://[tenant]-admin.sharepoint.com -useweblogin

Now you are connected, you can call the Set-UserProfilePhotosInSharePoint.ps1 file.

.\Set-UserProfilePhotosInSharePoint.ps1 -Path:'.\data\AzureADUsers.csv' -TenantDomain:'[tenant].onmicrosoft.com' 

Replace [tenant] with your tenant name.

Once the script has completed, and search has picked up your changes, you will find your people showing up in Search / Delve etc.

In this blog post we have imported user photos into SharePoint mysites, and updated the user profiles for these users. In the next post I will be showing you how to turn on 365 Auditing, and assigning only a couple of users to view these audit logs.

Setting up a O365 Dev Tenant – Part 3 – Set User Photos in Exchange Online


Introduction

In this series of posts, I will explain how you can set up a Development O365 Tenant quickly. Using PowerShell scripts, at the end of this process, you will have:

  • A O365 Development Tenant with 25 “DEVELOPERPACK” Licenses.
  • 25 Users assigned with license
  • A total of 274 Users added to the Tenant
    • Set up for multiple offices
    • Organisational structured
  • All users will be MFA enabled
  • All users will have photos added to their accounts
  • Enabling Office 365 Auditing
  • Setting up the SharePoint Tenant Settings and enabling Public CDN for SPFX

Unfortunately, I have found it impossible to do the following via PowerShell scripts, and these would need to be done manually. I haven’t included this information within these blog post.

  • Create a Tenant App Catalog
  • Set Organisation Details
  • Set Login Branding
  • Set Tenant Branding

In my previous post, I walked you through creating users in AzureAD from a CSV file, set them up with MFA and a default password. Assigned the first 25 users a license, and uploaded their pictures into Azure AD

In this post I will be running you through the PowerShell script to import Pictures into Exchange. You might ask why we are doing this if we have previously uploaded the pictures into Azure AD, the reason is because your profile picture will sometimes show up in some places and not in others. E.g. Delve might show a picture, where SharePoint doesn’t. So, the next few posts are about uploading pictures to the tenant. These scripts upload to every possible location that have a separate place.

Obtaining the code

I have stored my code on GitHub at the following URL for cloning. https://github.com/pmatthews05/SetupDevTenant.git

Running Set-UserPhotosInExchange.ps1

This script uses the AzureADUser.csv file and the UserImages profile pictures. It will:

  • Find the user in Exchange
  • Check the photo exists in the script location for the user.
  • Uploads the picture.

To run the script, you need to use the Microsoft Exchange Online PowerShell Module. Please follow my previous blog about how to do this correctly. https://cann0nf0dder.wordpress.com/2019/04/14/unable-to-download-the-exchange-online-powershell-module-deployment-and-application-do-not-have-matching-security-zones/

Open Microsoft Exchange Online PowerShell Module. You will need to connect first, before running the script. It allows you to control the signing in.



Connect-EXOPSSession -userPrincipalName [user.name]@[tenant].onmicrosoft.com


Now you are connected, you can call the Set-UserPhotosInExchange.ps1 file.



.\Set-UserPhotosInExchange.ps1 -Path:'.\data\AzureADUsers.csv' -TenantDomain:'[mytenant].onmicrosoft.com' 


Replace [mytenant] with your tenant name.

This script is idempotent, so you can run it again at any point if there was an issue. NOTE: It will only work for the first 25 users that were assigned a license, as the others will not have an email account. (You can cancel the script after the first 25 user – Ctrl+ C)

The only part of this code that does the uploading is on line 46. Its coverts the jpg to bytes and then uploads it for the user.



Set-UserPhoto -Identity $UserCSV.UserPrincipalName -PictureData ([System.IO.File]::ReadAllBytes($pathtoPicture)) -Confirm:$false


Photos appearing in Delve

You will notice now that if you use Delve, the first 25 users in your CSV file will have pictures showing for them.

In this blog post we have imported user photos into exchange. As we could only add 25 user pictures in the next blog post I will be importing the pictures into SharePoint, so they can be used there.

Setting up a O365 Dev Tenant – Part 2 – Create Users from CSV file


Introduction

In this series of posts, I will explain how you can set up a Development O365 Tenant quickly. Using PowerShell scripts, at the end of this process, you will have:

  • A O365 Development Tenant with 25 “DEVELOPERPACK” Licenses.
  • 25 Users assigned with license
  • A total of 274 Users added to the Tenant
    • Set up for multiple offices
    • Organisational structured
  • All users will be MFA enabled
  • All users will have photos added to their accounts
  • Enabling Office 365 Auditing
  • Setting up the SharePoint Tenant Settings and enabling Public CDN for SPFX

Unfortunately, I have found it impossible to do the following via PowerShell scripts, and these would need to be done manually. I haven’t included this information within these blog post.

  • Create a Tenant App Catalog
  • Set Organisation Details
  • Set Login Branding
  • Set Tenant Branding

In my previous post, I walked you through the step of joining the Office 365 Development program, and set yourself up with a Office 365 Development Tenant with 25 Developerpack Licenses. In this post we are going to add users to the tenant from a CSV file.

Obtaining the code

I have stored my code on GitHub at the following URL for cloning. https://github.com/pmatthews05/SetupDevTenant.git

Folders

  • Data – Contains the CSV files used within the scripts
  • Settings – Contains the JSON settings for the Set-SharePointTenant.ps1 script.
  • UserImages – Contains all the photos to all the users being added to the tenant.

Scripts

  • Set-Office365Auditing.ps1 – Turns on the Audit logs, and assign people to view them.
  • Set-SharePointTenant.ps1 – Update Tenant Parameters and enabling Public CDN
  • Set-UserAccountsOnline.ps1 – Add users and assign licenses and import pictures
  • Set-UserPhotosInExchange.ps1 – Add User photos to Exchange
  • Set-UserPhotosInSharePoint.ps1 – Add user photos to SharePoint.
  • Set-UserProfilePhotosInSharePoint.ps1 – Assigns the user picture to their SharePoint profile.

Creating the users from a CSV file.

In the Data folder there is a csv called AzureADUsers.csv. It is best to open this file in Excel.

Before you run any code, you will need to fix up a couple of columns in lines 2 & 3 of the csv file.

  • On line 2, replace UserPrincipleName, GivenName, Surname, MailNickName (Columns B, C, E, F, G) with the account details you gave yourself when creating the Subscription in part 1.
  • One line 3, add your name to the manager of Dan Jump.
  • Save the CSV file.
  • (optional) Put your profile picture in the UserImages folder, with the filename [firstname lastname].jpg

All the names/address/telephone numbers are all made up, converted by me. The names might seem familiar to you, as they are the “Microsoft Users” Microsoft uses in their demos.

We are going to use the powershell script Set-UserAcountsOnline.ps1. Note: None of my scripts will connect you to a service. This will need to be done first before running.

I’m not going to go through the code as the script is quite easy to follow and to understand. If there is anything you are unsure about that is in the script, please leave a comment at the bottom of the post.

Running Set-UserAccountsOnline.ps1

This script uses the AzureADUser.csv file and the UserImages profile pictures. It will:

  • Create/Update all users in Azure AD.
  • Assign them a license (If any are left)
  • If new user assigns them a password, to be changed at next login
  • Enable their account for Multi Factor Authentication. (This can be disabled in the CSV file, by changing the MFAEnabled to false for the user)
  • Upload their picture to Azure AD

To run the script your PowerShell environment will need to have the following modules installed.

  • AzureAD
  • MSOnline

If you haven’t done this previously, run Powershell as Administrator. Then type:

Install-Module -Name AzureAD
Install-Module -Name MSOnline

Unfortunately, the only way I could enable MFA for users was to use the MSOnline module. There doesn’t seem to be a way of doing it purely using AzureAD.

As stated previously, you will need to connect first, before running the script. It allows you to control the signing in.

Connect-AzureAD
Connect-MsolService

Now you are connected, you can call the Set-UserAccountOnline.ps1 file.

.\Set-UserAccountsOnline.ps1 -Path:'.\data\AzureADUsers.csv' -tenantDomain:'[mytenant].onmicrosoft.com' -tempPassword:'[Give A Password]'

Replace [mytenant] with your tenant name. You can either put a password in -tempPassword parameter, or you can remove this parameter. By removing this parameter, you will be setting all your users to have the password P@55w0rd.

This script is idempotent, so you can run it again at any point if there was an issue. When you run out of licenses, the script continues creating the accounts, they just don’t get a license assigned to them.

MFA Setup

After the script has run, and you go to your tenant, you will be asked to re-authenticate again, and provide details for MFA.

  • Click Next
  • I recommend using the Mobile App, and Receive notifications for verification. Click Set up
  • Follow the instructions to install the Microsoft authenticator app for your mobile.
  • Once set up, you need to provide a mobile number. Fill this in and click Next.
  • On the next page, you will be given an app password. Take note of this somewhere. These are useful if you need to run a script on this account, but want to skip MFA, you can just put this password in instead. Click Finished.

View Users in Admin portal

In the Admin portal https://admin.microsoft.com under users, you will see the users have been imported. Some with licenses and some without.

  • Any user you select, will give you their details and picture.

In this blog post we have created users from a CSV file, set them up with MFA and a default password. Assigned the first 25 users a license. In the next blog post I will be showing you the PowerShell script to import Pictures into Exchange.

Setting up a O365 Dev Tenant – Part 1 – Getting the Tenant


Introduction

In this series of posts, I will explain how you can set up a Development O365 Tenant quickly. Using PowerShell scripts, at the end of this process, you will have:

  • A O365 Development Tenant with 25 “DEVELOPERPACK” Licenses.
  • 25 Users assigned with license
  • A total of 274 Users added to the Tenant
    • Set up for multiple offices
    • Organisational structured
  • All users will be MFA enabled
  • All users will have photos added to their accounts
  • Enabling Office 365 Auditing
  • Setting up the SharePoint Tenant Settings and enabling Public CDN for SPFX

Unfortunately, I have found it impossible to do the following via PowerShell scripts, and these would need to be done manually. I haven’t included this information within these blog post.

  • Create a Tenant App Catalog
  • Set Organisation Details
  • Set Login Branding
  • Set Tenant Branding

Join Office 365 Development Program.

Microsoft allows anyone with a Microsoft account to get a development Office 365 Subscription by joining the Office 365 developer program.

https://developer.microsoft.com/en-us/office/dev-program

  • Click Join Now
  • Sign in with your Microsoft Account. (Hotmail, live, outlook etc)
  • Select your Country/Region and enter your Company name. Tick the terms and conditions and then click Next
  • Fill out the next page and then click JOIN.

Get an Office 365 Subscription

After you have joined the Development program, you will be present with a screen to allow you to set up a subscription.

  • Click Set Up Subscription
  • Fill out the form and click Continue:
    • Country/Region
    • Create UserName
    • Create Domain
    • Password
    • ConfirmPassword
  • Add your phone number on the next screen, then click Set-up
  • Once created, you can then click Go to Subscription
  • After you have signed in the link takes you to https://www.office.com.

  • Click on Admin takes you to the admin centre. Expanding … Show all in the left hand navigation and then expanding Admin Centers you can see you have a full E3 license tenant.

Assign yourself a license.

This is going to be a manual step, and can skip this if you wish, as my next blog will show you how to do this via code.

  • Expand Users, and select Active Users. You will see one user in the tenant. You. Currently this account doesn’t have a license. Select the user.
  • The panel that appears on the right, click the link Edit for Product licenses.
  • Select the Location and turn On the Office 365 E3 Developer Licenses. Click Save.
  • Your user now has a production assigned to them. Click Close.

How long is my Office 365 Subscription valid for?

You may have noticed when you created your subscription it states there are 91/92 days left. Microsoft use to give their members a subscription for 1 year. They have now reduced this to 90 days, however, there is a new clause that states:

As a program member, you can get a free Office 365 developer subscription with 25 user licenses to use to build your solutions. This subscription will remain active for as long as you’re actively developing and deploying solutions.’

I’m not sure how often you need to be deploying and developing on the subscription to keep it open. All the FAQ are found in the link below.

https://docs.microsoft.com/en-us/office/developer-program/office-365-developer-program-faq

In this blog post we have set up an O365 Development Tenant with 25 “DEVELOPERPACK” Licenses and assigned one license to ourselves. In the next blog post I will be showing you the PowerShell scripts I have written to help quickly set up my tenant.

 

SharePoint Online site keeps refreshing on Microsoft Edge


A weird thing started happening on my Microsoft SharePoint site yesterday. Every time I hit a page/site the browser continuously refreshed over and over. I had no problems if I did this in Chrome, or even Internet Explorer, only in Microsoft Edge. Originally I thought it was a problem with the site, because if I went to a different tenant I didn’t encounter the same issue.

So, I then booted up another pc that had Microsoft Edge on it, and viewed my site expecting it to refresh over and over, but it didn’t. Therefore, it seemed to be a problem with my Edge explorer.

I first tried to clear all settings. Clicking on the 3 ellipses and then select Settings > Clear browsing data. I ticked everything to be cleared, and then clicked Clear. Unfortunately, this didn’t work for me, and made my Edge explorer crash on opening.

Extreme measures were required. I needed to complete reset Microsoft Edge. Now if you are following these steps, I must warn you, you might lose your favourites, history and settings. I recommend that you create a full backup or create a system restore point. Although I didn’t bother with a system restore or backup. My favourites were still there afterwards, I’m not sure if this is a syncing thing between my devices though, as I’ve just noticed that my favourites are the same on two machines.

Fixing Microsoft Edge

  • Close all open Microsoft Edge browsers.
  • Open file explorer and navigate to the following location (You will need to show hidden files):
    • C:\users\<YourUserName>\AppData\Local\Packages
  • The folder called Microsoft.MicrosoftEdge_8wekyb3d8bbwe first right click it and select Properties, and remove the check from the Read-Only option, click Apply and then OK
  • Now try and delete the folder. If you get Access Denied prompts, just select Continue. Any files you cannot delete just skip for now.
  • Go inside the Microsoft.MicrosoftEdge_8wekyb3d8bbwe folder and try deleting any remaining folders, you might be not able to delete the AC folder.
  • Restart your computer.
  • Now we are going to obtain the Microsoft Edge package and reregister it. Open Windows PowerShell by right clicking it
    and Run as administrator
  • Type the following to get to your user cd c:\Users\<YourUserName> press enter.
  • Now type
Get-AppXPackage -AllUsers -Name Microsoft.MicrosoftEdge | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml" -Verbose}
  • If successfully you will not see any red message in the powershell window, just a yellow one saying operation complete for C:\Windows\SystemApps\Micorosft.MirosoftEdge.8wekyb3d8bbwe\AppXManifest.xml”
  • Reboot your machine on more time. Afterwards Microsoft Edge will be restored and I found that I didn’t have a refreshing issue with my SharePoint online site anymore.