Various scripts and knowledge base articles that I have worked on throughout the years, covering Microsoft Entra ID (formerly Azure AD) and Microsoft 365 services.
- Groups
- Scripts for managing Entra ID (Azure AD) groups — copy, export, manage, and remove group members, and configure Unified Group welcome messages.
- Licensing
- Scripts for generating Office 365 user license reports.
- Users
- Scripts for inviting guest users individually or in bulk via CSV.
- REST API request files for querying Microsoft Graph, including DLP alert queries via the Security API.
- Project Online
- JavaScript plugins for the Project Online People Picker.
- SharePoint Online
- Scripts for managing SharePoint Online site property bags, custom permission levels, and restricted access control.
- MDCA — Microsoft Defender for Cloud Apps
- Advanced Hunting — KQL queries for cloud app events, anonymous proxy detection, impersonation auditing, and suppression rule monitoring.
- API Examples — Postman collection for the MDCA API.
- MDI — Microsoft Defender for Identity
- Advanced Hunting — KQL queries for identity-based threats, sensitive group changes, brute force detection, Kerberos attacks, and LDAP reconnaissance.
- MDO — Microsoft Defender for Office 365
- Advanced Hunting — KQL queries for email threats including phishing campaigns, executable/ISO/macro attachments, typosquatting, Safe Links, and post-delivery events.
- Alerts — Scripts for exporting M365 Defender activity and alert policies.
- Anti-Phishing — Scripts for exporting anti-phishing policies and rules.
- Safe Links and Safe Attachments — Scripts for configuring and exporting Safe Links, Safe Attachments, and O365 threat protection policies. Includes demo files.
- Defender XDR — Microsoft Defender XDR
- Advanced Hunting — KQL queries for auditing Defender XDR custom detections, RBAC changes, alert suppression, and device isolation events.
- Power BI
- Power Query (
.pq) source files for connecting Power BI to Microsoft 365 Defender Advanced Hunting.
- Power Query (
- Audit
- SharePoint Online audit log query templates.
- DLP
- Scripts for creating and managing Data Loss Prevention policies and rules, testing DLP policies against files, and troubleshooting DLP character proximity.
- MIP
- Microsoft Information Protection scripts organized by category: Admin Actions, Auditing, Configuration, Export Settings, and Troubleshooting.
- OME
- Scripts for exporting Office Message Encryption service configurations, RMS templates, and IRM configuration.
- Retention
- eDiscovery
- Scripts for managing eDiscovery holds, generating hold reports, and searching holds by custodian or SharePoint site.
- Scripts and utilities for Microsoft Sentinel, including exporting Sentinel functions.
| Script | Description |
|---|---|
| Copy-AADGroupMembers.ps1 | Copies members from one Entra ID group to another. |
| Export-AADGroupMembers.ps1 | Exports members of an Entra ID group to a CSV file. |
| Manage-AADGroupMembers.ps1 | Imports or exports members and owners of Entra ID groups via CSV. |
| Remove-AADGroupMembers.ps1 | Removes specified users from multiple Entra ID groups. |
| Set-UnifiedGroupWelcomeMessage.ps1 | Enables or disables the welcome message for Office 365 Unified Groups. |
| Generate-O365UserLicenseReport.ps1 | Generates a detailed report of all O365 user licenses and service statuses. |
| Invite-GuestUser.ps1 | Invites a single guest user to the Entra ID environment. |
| Bulk-InviteGuestUsers.ps1 | Bulk-invites guest users from a CSV file using Microsoft Graph. |
| Script | Description |
|---|---|
| Create-NoDeletePermissionLevel.ps1 | Creates a custom SPO permission level based on Full Control but without delete permissions. |
| Enable-SPORestrictedAccessControl.ps1 | Enables restricted access control for a SharePoint Online tenant. |
| Get-SitePropertyBag.ps1 | Retrieves site property bag keys and values from a SharePoint Online site. |
| Update-SitePropertyBag.ps1 | Adds or updates site property bag keys and values on a SharePoint Online site. |
| Remove-SitePropertyBag.ps1 | Removes site property bag keys from a SharePoint Online site. |
| Script | Description |
|---|---|
| Export-M365DefenderAlertPolicies.ps1 | Exports all Activity and Alert policies from the Security Portal to CSV. |
| Export-AntiPhishingPolicies.ps1 | Exports all anti-phishing policies and rules to CSV files. |
| Configure-SafeAttachmentsForSPO_OD_Teams.ps1 | Configures Safe Attachments for SharePoint Online, OneDrive, and Teams. |
| Export-O365ThreatProtectionPolicies.ps1 | Exports global Safe Attachments and Safe Links configurations to CSV. |
| Export-SafeAttachmentsPolicies.ps1 | Exports all Safe Attachment policies and rules to CSV files. |
| Export-SafeLinksPolicies.ps1 | Exports all Safe Links policies and rules to CSV files. |
| Query | Product | Description |
|---|---|---|
| ExecutableAttachmentReceived.kql | MDO | Detects inbound emails with executable file attachments. |
| ISOAttachmentReceived.kql | MDO | Detects inbound emails with ISO disk image attachments. |
| PotentialPhishingCampaign.kql | MDO | Identifies potential phishing campaigns via EmailClusterId analysis. |
| TyposquattedEmailReceived.kql | MDO | Detects inbound emails from typosquatted domains using Jaccard similarity. |
| MacroAttachmentFromRareSender.kql | MDO | Detects macro-enabled attachments opened from rare senders. |
| SafeLinksBlockedClicks.kql | MDO | Lists Safe Links URL block events with email context. |
| RareFileExtensionsReceived.kql | MDO | Lists the 20 rarest file extensions received as email attachments. |
| PostDeliveryEvents.kql | MDO | Summarizes post-delivery email actions (ZAP, remediation) by day. |
| AnonymousProxyEvents.kql | MDCA | Identifies activities performed through anonymous proxies. |
| ImpersonatedActions.kql | MDCA | Lists the top accounts with impersonated actions. |
| SuppressionRuleCreations.kql | MDCA | Lists alert suppression rule creations. |
| MaliciousEmailDeliveredInMailbox.kql | MDCA | Detects malicious email delivery events from cloud app logs. |
| UserAddedToSensitiveGroup.kql | MDI | Detects user additions to sensitive AD groups. |
| PasswordChangeAfterBruteForce.kql | MDI | Detects password changes following brute force attacks. |
| KerberosEncryptionDowngrade.kql | MDI | Detects Kerberos encryption type downgrade changes. |
| AnomalousLDAPTraffic.kql | MDI | Identifies anomalous high-volume LDAP query activity. |
| CustomDetectionDisabled.kql | Defender XDR | Detects when a custom detection rule is disabled. |
| RBACChanges.kql | Defender XDR | Audits RBAC role changes in Defender XDR. |
| AlertSuppressionAdded.kql | Defender XDR | Lists alert suppression rules added to Defender XDR. |
| DeviceIsolationEvents.kql | Defender XDR | Detects device isolation and unisolation actions. |
| Script | Description |
|---|---|
| Manage-DLPRulesAndPolicies.ps1 | Creates and manages DLP policies and rules in Exchange Online. |
| Test-DLPPolicyAgainstFile.ps1 | Tests a DLP policy against a specified file. |
| Analyze-DLPCharacterProximity.ps1 | Extracts and classifies text from a file to analyze DLP character proximity. |
| Script | Description |
|---|---|
| Manage-MIPLabels.ps1 | Applies or removes MIP sensitivity labels on files in a directory. |
| Revoke-AIPDocumentAccess.ps1 | Revokes access to an AIP-protected document by content name. |
| Export-AIPAdminLogs.ps1 | Exports filtered AIP admin logs to a file based on date range and text filter. |
| Enable-MIPFeatures.ps1 | Enables various MIP features: document tracking, PDF encryption, SPO/OD integration, and container labels. |
| Enable-PDFLabeling.ps1 | Enables PDF labeling and encryption via Exchange Online IRM configuration. |
| Enable-SensitivityLabelsForSPO_OD_Teams_Groups.ps1 | Enables sensitivity labels for SharePoint Online, OneDrive, Teams, and M365 Groups. |
| Manage-MIPSuperUsers.ps1 | Manages MIP/AIP super users — enable, disable, add/remove users and groups. |
| Export-AIPServiceAdminLog.ps1 | Exports the full AIP service admin log to a file. |
| Export-MIPConfigurations.ps1 | Exports AIP service config, IRM config, MIP labels, label policies, and document tracking status. |
| Retry-LabelPolicyDistribution.ps1 | Retries the distribution of a MIP label policy in Exchange Online. |
| Sync-MIPLabels.ps1 | Syncs MIP labels from Entra ID to the Security & Compliance Center. |
| Script | Description |
|---|---|
| Export-OMEServiceConfiguration.ps1 | Exports the current Office Message Encryption service configuration. |
| Export-RMSTemplates.ps1 | Exports all RMS templates in the environment. |
| Get-IRMConfiguration.ps1 | Retrieves the active IRM configuration, useful for troubleshooting MIP. |
| Script | Description |
|---|---|
| Generate-MailboxRetentionReport.ps1 | Generates a detailed retention report for a specified mailbox. |
| Get-RetentionLabelPolicyPublishingStatus.ps1 | Retrieves the publishing status of a retention label policy. |
| New-AdaptiveScopes.ps1 | Creates new Purview adaptive scopes from a CSV file. |
| New-RetentionPolicy.ps1 | Creates new retention policies in Purview from a CSV file. |
| New-RetentionPolicyRule.ps1 | Creates retention policy rules from a CSV file. |
| Update-RetentionPolicy.ps1 | Updates existing retention policies in Purview from a CSV file. |
| Update-TeamsChannelLocation.ps1 | Updates Teams channel locations in retention policies from a CSV file. |
| Script | Description |
|---|---|
| Remove-SPOFromeDiscoveryHold.ps1 | Removes specified SharePoint sites from an eDiscovery hold. |
| Generate-eDiscoveryHoldsReport.ps1 | Generates a CSV report of all eDiscovery cases and holds. |
| Search-eDiscoveryCustodianHolds.ps1 | Searches eDiscovery holds by custodian hold ID and outputs SharePoint locations. |
| Search-eDiscoverySPOSites.ps1 | Searches an eDiscovery hold for matching SharePoint site patterns. |