Microsoft 365 – Self-service purchase

Self-service purchase gives users a chance to try out new technologies and develop solutions that ultimately benefit their larger organizations. Central procurement and IT teams have visibility to all users who buy and deploy self-service purchase solutions through the Microsoft 365 admin center. Admins can turn off self-service purchasing on a per product basis via PowerShell..

To read more about the Self-service purchase option, go to: Self-service purchase FAQ | Microsoft Docs

To disable the AllowSelfServicePurchase do the following:

#Install module
Install-Module -Name MSCommerce

#Import module
Import-Module -Name MSCommerce

#Connect
Connect-MSCommerce

#Get details
Get-MSCommerceProductPolicies -PolicyId AllowSelfServicePurchase

#Disable ProductID (or $True to enable)
Update-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase -ProductId CFQ7TTC0KP0N -Enabled $False

The following table shows the ProductID needed to enable or disable

ProductProductId
Power Apps per userCFQ7TTC0KP0P
Power Automate per userCFQ7TTC0KP0N
Power Automate RPACFQ7TTC0KXG6
Power BI Premium (standalone)CFQ7TTC0KXG7
Power BI ProCFQ7TTC0L3PB
Project Plan 1CFQ7TTC0KXND
Project Plan 3CFQ7TTC0KXNC
Visio Plan 1CFQ7TTC0KXN9
Visio Plan 2CFQ7TTC0KXN8

source: Use AllowSelfServicePurchase for the MSCommerce PowerShell module | Microsoft Docs

Cannot Tenant to Teams Only upgrade mode in Teams Admin Center

When changing the coexistence mode to Teams only you get the following error: Please see the unsaved sections higlighted in red below:

We cannot see what the problem is when switching to teams only. With powershell it has better error messages. Use the following powershell to connect to teams and change the tennant

#Connect with the SkypeOnlineConnector
Import-Module SkypeOnlineConnector
$sfbSession = New-CsOnlineSession
Import-PSSession $sfbSession

#Change the tennant to TeamsOnly
Grant-CsTeamsUpgradePolicy -PolicyName UpgradeToTeams -Global

The following message appears:

This organization cannot be upgraded to TeamsOnly at the tenant level because there is an on-premise deployment of Skyp
e for Business detected in 1 or more of it sip domains

To change this use the following command:

Disable-CsOnlineSipDomain -Domain domainname

After all domains have been altered, you can change the tenant to TeamsOnly with Powershell or the GUI:

sources:

Error upgrading organization to TeamsOnly – TechNut

Chris Webb’s 365 Blog: Cannot set users or Tenant to Teams Only upgrade mode in Teams Admin Center (webbtech.org)

Office 365 Hide mailboxes from the GAL

Export all mailboxes who are shown in the GAL

Get-Mailbox -ResultSize Unlimited | Where {$_.HiddenFromAddressListsEnabled -eq $false}| select UserPrincipalname, HiddenFromAddressListsEnabled | Export-Csv "c:\temp\gal.csv" -NoTypeInformation -Encoding UTF8

Show all private groups which are shown in the GAL (Teams groups are default hidden)

Get-UnifiedGroup | Where-Object {$_.AccessType -eq 'Private'} | select Displayname, PrimarySMTPAddress

To hide a single mailbox use the following command:

Set-Mailbox -Identity username@domain.com -HiddenFromAddressListsEnabled $true

To hide multiple mailboxes from the GAL, create a CSV file and use that as input to hide the mailboxes:

Import-Csv 'C:\Hide_Mailboxes.csv' | ForEach-Object {
$upn = $_."UserPrincipalName"
Set-Mailbox -Identity $upn -HiddenFromAddressListsEnabled $true
}

To hide a single group use the following command:

Set-UnifiedGroup <group> -HiddenFromAddressListsEnabled $true

Or hide all private groups at once:

Get-UnifiedGroup | Where-Object {$_.AccessType -eq 'Private'} | Set-UnifiedGroup -HiddenFromAddressListsEnabled $true

Sources:

Find mailboxes hidden from the GAL using Powershell – MorganTechSpace

Hide Office 365 Group from GAL using Powershell – MorganTechSpace

Failed To Disable The Mailbox Due To a Conflict In Directory Settings

If you have a conflict in directory settings between Microsoft 365 and your on premise location use the next procedure to solve this

Check if the affected mailbox in Exchange Online is an usermailbox

get-recipient user | fl recipient*

If not already, disable the user account in the on-premise environment.

disable-mailbox user

Wait (or force) until the changes replicate to Microsoft 365. Once it is synced, enable the on-premise object as an remote user mailbox

Enable-RemoteMailbox user -RemoteRoutingAddress user@domain.onmicrosoft.com

Wait (or force) until the sync to Microsoft 365 has been completed and then check the user. The error message should be gone and a license can be added

Microsoft Teams – Welcome Message

Microsoft teams can send welcome messages when a user is added to the teams. This behavior can be altered with powershell

The current setting for the team can be checked with powershell. To run this, you need to be connected to Microsoft 365. For Microsoft 365 management you can install the “Microsoft Exchange Online Powershell Module” from Microsoft 365.

Get-UnifiedGroup -Identity 'Group Name' | fl WelcomeMessageEnabled

The outcome should be True or False. When it is set to True, welcome messages will be send. To change this setting, so welcome messages are not send, change the value to false

set-UnifiedGroup -Identity 'Group Name' -UnifiedGroupWelcomeMessageEnabled:$False

Last Logon Date AD Users

source: https://gallery.technet.microsoft.com/scriptcenter/Get-Last-Logon-for-Users-c8e3eab2

The “lastLogon” Active Directory attribute is a property that is not replicated throughout the Domain Controllers.  This attribute is stored on the domain controller that received the authentication request and updated its property accordingly.  Because of this behavior, you have have experienced issues where Domain Controllers in other sites have old or empty lastLogon information.  This makes it difficult to be sure an account is truly inactive without verifying on each Domain Controller.  This can be a problem for environments that have tens or hundreds of Domain Controllers across its enterprise.

I was faced with a problem of writing a script, and like many, developed a seemingly simple solution.  The problem was the runtime was very long for the amount of Domain Controllers / User accounts for the environment.  I sought out to find the solution to this exceedingly long runtime, and I finally did.

This PowerShell will query each of your Domain Controllers only once and produce the most recent logon date/time.

To protect the informaiton about my directory, lets say my environment is between 5 and 10 Domain Controllers, with between 15 – 25k user accounts.  My runtime is between 4-5 minutes for the entire directory!  Which is a far cry faster than the hours other methods produce.

By default, this script will return the entire directory ($Username=*) and save to a CSV ($FileName).  You may call the function with a -Username to return a single account, and this will output on screen instead of a file.

<########################################################################### 
    The purpose of this PowerShell script is to collect the last logon  
    for user accounts on each DC in the domain, evaluate, and return the 
    most recent logon value. 
 
        Author:   Jeremy Reeves 
        Modified: 02/14/2018 
        Notes:    Must have RSAT Tools if running on a workstation 
 
Note: Added enabled true/false to output
###########################################################################> 
 
 
Import-Module ActiveDirectory 
 
function Get-ADUsersLastLogon($Username="*") { 
 
    $FilePath_Prefix = "C:\temp\UserLastLogon-" 
 
    function Msg ($Txt="") { 
        Write-Host "$([DateTime]::Now)    $Txt" 
    } 
 
    #Cycle each DC and gather user account lastlogon attributes 
     
    $List = @() #Define Array 
    (Get-ADDomain).ReplicaDirectoryServers | Sort | % { 
 
        $DC = $_ 
        Msg "Reading $DC" 
        $List += Get-ADUser -Server $_ -Filter "samaccountname -like '$Username'" -Properties LastLogon | Select samaccountname,lastlogon,enabled,@{n='DC';e={$DC}} 
 
    } 
 
    Msg "Sorting for most recent lastlogon" 
     
    $LatestLogOn = @() #Define Array 
    $List | Group-Object -Property samaccountname | % { 
 
        $LatestLogOn += ($_.Group | Sort -prop lastlogon -Descending)[0] 
 
    } 
     
    $List.Clear() 
 
    if ($Username -eq "*") { #$Username variable was not set.    Running against all user accounts and exporting to a file. 
 
        $FileName = "$FilePath_Prefix$([DateTime]::Now.ToString("yyyyMMdd-HHmmss")).csv" 
         
        try { 
 
            $LatestLogOn | Select samaccountname, lastlogon, @{n='lastlogondatetime';e={[datetime]::FromFileTime($_.lastlogon)}}, Enabled, DC | Export-CSV -Path $FileName -NoTypeInformation -Force 
            Msg "Exported results. $FileName" 
 
        } catch { 
 
            Msg "Export Failed. $FileName" 
 
        } 
 
    } else { #$Username variable was set, and may refer to a single user account. 
 
        if ($LatestLogOn) { $LatestLogOn | Select samaccountname, @{n='lastlogon';e={[datetime]::FromFileTime($_.lastlogon)}}, Enabled, DC | FT } else { Msg "$Username not found." } 
 
    } 
 
    $LatestLogon.Clear() 
 
} 

Get Office 365 users with a specific license type via Powershell

It can sometimes be useful to get a list of Office 365 users with a specific license type via PowerShell. Instead of logging into the Office 365 portal and using a filtered view in the admin center, you can do it straight from the command line.

  • Connect to Office 365 via Powershell. If this cmdlet doesn’t work for you, follow this quick guide for instructions on installing the required PowerShell module.

Connect-MsolService

  • Run Get-MsolAccountSku to get a list of the current licenses in your Office 365 tenant. Make a note of the AccountSkuId value for the license you want to filter on.

Get-MsolAccountSku

Get-MsolAccountSku Information
  • Now you can edit this short script to get the users matching that license. In this case, we’re getting users with the EnterprisePremium license.

Get-MsolUser | Where-Object {($_.licenses).AccountSkuId -match "EnterprisePremium"}

Replace EnterprisePremium with the AccountSkuID you’re trying to filter by. Since we’re using the -match operator we don’t need to type the entire AccountSkuID, we can just type enough of it to ensure that we’re only retrieving that specific one.

The script can be tweaked for specific use

Get-MsolUser -MaxResults 100000 | Where-Object {($_.licenses).AccountSkuId -match "EnterprisePremium"} | ft UserPrincipalName, IsLicensed | Out-File c:\temp\E3.csv

Get-MsolUser With Specific Office 365 License

Export these users to a text document

You can export these users to a text document using the Out-File cmdlet.

Get-MsolUser | Where-Object {($_.licenses).AccountSkuId -match "EnterprisePremium"} | Out-file C:\temp\EnterprisePremiumUsers.csv

Source: https://gcits.com/knowledge-base/get-office-365-users-specific-license-type-via-powershell/

Quickly list all mailboxes to which a particular user has access

From Vasil Michev

source: http://www.michev.info/Blog/Post/77/Quickly-list-all-mailboxes-to-which-a-particular-user-has-access

 

  • List all mailboxes to which a particular user has Full Access permissions:

PS C:\> Get-Mailbox | Get-MailboxPermission -User vasil

Identity             User                 AccessRights

——–             —-                 ————

HuKu                 Vasil Michev         {FullAccess}

retail               Vasil Michev         {FullAccess}

sharednew            Vasil Michev         {FullAccess}

testplan2            Vasil Michev         {FullAccess}

WC                   Vasil Michev         {FullAccess}

  • List all shared/user/room/whatever mailboxes to which particular user has Full Access permissions:

PS C:\> Get-Mailbox -RecipientTypeDetails UserMailbox,SharedMailbox -ResultSize Unlimited | Get-MailboxPermission -User vasil

Identity             User                 AccessRights

——–             —-                 ————

HuKu                 Vasil Michev         {FullAccess}

retail               Vasil Michev         {FullAccess}

sharednew            Vasil Michev         {FullAccess}

testplan2            Vasil Michev         {FullAccess}

  • List all mailboxes to which members of a particular security group have access:

PS C:\> Get-Mailbox | Get-MailboxPermission -User secgrp

Identity             User                 AccessRights

——–             —-                 ————

Bathroom             secgrp               {FullAccess}

  • List all mailboxes to which a user has Send As permissions:

PS C:\> Get-Mailbox | Get-RecipientPermission -Trustee vasil

Identity                            Trustee                             AccessControlType                   AccessRights

——–                            ——-                             —————–                   ————

sharednew                           Vasil Michev                        Allow                               {SendAs}

  • List all user mailboxes to which members of a particular security group have access:

PS C:\> Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited | Get-RecipientPermission -Trustee secgrp

Identity                            Trustee                             AccessControlType                   AccessRights

——–                            ——-                             —————–                   ————

HuKu                                secgrp                              Allow                               {SendAs}

  •  List all mailboxes to which a particular security principal has Send on behalf of permissions:

PS C:\> Get-Mailbox | ? {$_.GrantSendOnBehalfTo -match “vasil”}

Name                      Alias                ServerName       ProhibitSendQuota

—-                      —–                ———-       —————–

Bathroom                  bathroom             amspr03mb084     49.5 GB (53,150,220,288 bytes)

WC                        WC                   dbxpr03mb096     9.5 GB (10,200,547,328 bytes)

Find Mailbox and Online Archive size

Script to connect to Office 365 and collect the last logged on date/time, mailbox size and item count for each mailbox and archive mailbox for every user within your organization.

The following script was specifically written for a client recently which I thought would be good to share with the wider community. This will connect to Office 365 and collect the last logged on date/time, mailbox size and item count for each mailbox and archive mailbox for every user within your organization.

 

Those users without an archive mailbox will be returned as ‘No Archive’

 

For more information about this script please see the source at: https://gallery.technet.microsoft.com/scriptcenter/Find-Mailbox-and-Archive-2859b540

$Office365Credentials = Get-Credential
$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://ps.outlook.com/powershell/" -Credential $Office365Credentials -Authentication Basic -AllowRedirection
Import-PSSession $session
 
Write-Host "Gathering Stats, Please Wait.."
 
$Mailboxes = Get-Mailbox -ResultSize Unlimited | Select UserPrincipalName, identity, ArchiveStatus
 
$MailboxSizes = @()
 
foreach ($Mailbox in $Mailboxes) {
 
                $ObjProperties = New-Object PSObject
               
                $MailboxStats = Get-MailboxStatistics $Mailbox.UserPrincipalname | Select LastLogonTime, TotalItemSize, ItemCount
               
                Add-Member -InputObject $ObjProperties -MemberType NoteProperty -Name "UserPrincipalName" -Value $Mailbox.UserPrincipalName
                Add-Member -InputObject $ObjProperties -MemberType NoteProperty -Name "Last Logged In" -Value $MailboxStats.LastLogonTime
                Add-Member -InputObject $ObjProperties -MemberType NoteProperty -Name "Mailbox Size" -Value $MailboxStats.TotalItemSize
                Add-Member -InputObject $ObjProperties -MemberType NoteProperty -Name "Mailbox Item Count" -Value $MailboxStats.ItemCount
               
                if ($Mailbox.ArchiveStatus -eq "Active") {
               
                                $ArchiveStats = Get-MailboxStatistics $Mailbox.UserPrincipalname -Archive | Select TotalItemSize, ItemCount
                               
                                Add-Member -InputObject $ObjProperties -MemberType NoteProperty -Name "Archive Size" -Value $ArchiveStats.TotalItemSize
                                Add-Member -InputObject $ObjProperties -MemberType NoteProperty -Name "Archive Item Count" -Value $ArchiveStats.ItemCount
 
                }
                else {
               
                                Add-Member -InputObject $ObjProperties -MemberType NoteProperty -Name "Archive Size" -Value "No Archive"
                                Add-Member -InputObject $ObjProperties -MemberType NoteProperty -Name "Archive Item Count" -Value "No Archive"
                               
                }
               
                $MailboxSizes += $ObjProperties
 
}             
               
$MailboxSizes | Out-GridView -Title "Mailbox and Archive Sizes"
 
Get-PSSession | Remove-PSSession