Automate Microsoft 365 Like a Hacker: 175+ PowerShell Scripts to Slash Admin Time and Lock Down Your Cloud + Video

Introduction:

Manual Microsoft 365 administration through web portals is not only time‑consuming but also introduces security gaps due to human error and inconsistent processes. Leveraging PowerShell scripts to automate user lifecycle management, license audits, and compliance monitoring turns routine tasks into repeatable, verifiable security controls. With over 175 community‑maintained scripts now available, organizations can drastically reduce administrative overhead while hardening Entra ID, Exchange Online, and SharePoint against misconfigurations.

Learning Objectives:

  • Automate end‑to‑end user onboarding and offboarding while enforcing least‑privilege access.
  • Implement script‑based license auditing and anomaly detection to prevent cost and security bloat.
  • Harden M365 security posture by automating Entra ID reports, mailbox permission reviews, and conditional access checks.

You Should Know:

  1. Connecting PowerShell to Your M365 Tenant – The Secure Foundation
    Before running any automation, you must establish an authenticated, least‑privileged session. Microsoft now recommends using the Microsoft Graph PowerShell SDK instead of legacy modules for better security and API coverage.

Step‑by‑step guide:

  • Install the required modules (works on Windows PowerShell 5.1+, PowerShell 7 cross‑platform, and even Linux/macOS with PowerShell Core).
  • Use App‑only authentication with certificate‑based credentials for unattended scripts – avoids storing interactive sessions or plaintext passwords.
  • Always request only the specific delegated or application permissions your script needs (e.g., User.Read.All, MailboxSettings.ReadWrite).

Commands (Windows / Linux / macOS PowerShell Core):

# Install Microsoft Graph PowerShell SDK
Install-Module Microsoft.Graph -Scope CurrentUser -Force

# Connect interactively (for initial testing)
Connect-MgGraph -Scopes "User.ReadWrite.All", "Mail.Read", "Group.ReadWrite.All"

# For unattended automation (app-only with certificate); THUMBPRINT, YOUR_APP_ID and YOUR_TENANT_ID are placeholders
$Cert = Get-ChildItem -Path "Cert:\CurrentUser\My\THUMBPRINT"
Connect-MgGraph -ClientId "YOUR_APP_ID" -TenantId "YOUR_TENANT_ID" -Certificate $Cert

Security Tip: Always store certificates in Azure Key Vault or a hardware security module; never embed credentials in scripts. Use `Export-MgGraphRequest` to audit exactly which API calls your script makes.

  2. Automating User Onboarding – From HR Feed to Fully Provisioned Account
    A scripted onboarding pipeline ensures every new employee gets the correct licenses, groups, and Exchange attributes without manual clicks. Integrate with your HR system’s CSV export for zero‑touch provisioning.

Step‑by‑step guide:

  • Read a CSV with new user details (first name, last name, department, manager).
  • Create Entra ID user with strong temporary password.
  • Assign license based on department (e.g., E3 for engineering, F1 for frontline).
  • Add to correct Microsoft 365 groups and Teams.
  • Configure mailbox region and litigation hold settings.

Script snippet (using Microsoft Graph PowerShell):

$NewUsers = Import-Csv -Path "C:\HR\newhires.csv"
foreach ($User in $NewUsers) {
    $UserParams = @{
        DisplayName       = "$($User.FirstName) $($User.LastName)"
        UserPrincipalName = "$($User.EmailPrefix)@yourdomain.com"
        # PasswordProfile.Password is a plain string in the Graph schema (no SecureString cast);
        # replace the fixed value with a generated per-user password in production
        PasswordProfile   = @{ Password = "Temp@1234" }
        AccountEnabled    = $true
        MailNickname      = $User.EmailPrefix
        UsageLocation     = "US"   # required before a license can be assigned
    }
    $MgUser = New-MgUser -BodyParameter $UserParams
    # Assign license (example: E3 SKU ID); -RemoveLicenses must be supplied even when empty
    Set-MgUserLicense -UserId $MgUser.Id -AddLicenses @(@{ SkuId = "e5a2e5a3-..." }) -RemoveLicenses @()
}

Hardening Note: Add a step that forces password change at first interactive login and enrolls the user into Microsoft Entra ID Protection for risky sign‑in monitoring.
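The following is an added example, not code from the original post or from the script collection it describes. It carries the five onboarding steps above through for every CSV row: a generated temporary password with a forced change at first sign-in, department-based license assignment resolved by SKU part number at run time, group membership and manager assignment. The CSV columns (FirstName, LastName, EmailPrefix, Department, ManagerUpn), the SKU part numbers, the group names and the domain are all assumptions.

```powershell
# Added example (not part of the original post or its script collection).
# Assumes an existing Connect-MgGraph session with User.ReadWrite.All, Group.ReadWrite.All
# and Organization.Read.All. All names below are assumptions for illustration.
$Domain = "yourdomain.com"
$SkuByDepartment = @{
    Engineering = "SPE_E3"   # assumed SkuPartNumber for Microsoft 365 E3
    Frontline   = "SPE_F1"   # assumed SkuPartNumber for Microsoft 365 F1
}
$GroupsByDepartment = @{
    Engineering = @("All-Engineering", "GitHub-Users")   # assumed group display names
    Frontline   = @("All-Frontline")
}

function New-TemporaryPassword {
    # 20 random printable ASCII characters; the account is forced to change it at first sign-in
    -join (1..20 | ForEach-Object { [char](Get-Random -Minimum 33 -Maximum 127) })
}

function New-OnboardedUser {
    param([Parameter(Mandatory)] $Row)

    $Upn = "$($Row.EmailPrefix)@$Domain"
    $TempPassword = New-TemporaryPassword
    $Body = @{
        DisplayName       = "$($Row.FirstName) $($Row.LastName)"
        UserPrincipalName = $Upn
        MailNickname      = $Row.EmailPrefix
        Department        = $Row.Department
        UsageLocation     = "US"          # required before any license can be assigned
        AccountEnabled    = $true
        PasswordProfile   = @{
            Password                      = $TempPassword
            ForceChangePasswordNextSignIn = $true
        }
    }
    $User = New-MgUser -BodyParameter $Body

    # Resolve the SKU by part number instead of hardcoding a GUID, and skip the assignment
    # when the tenant has no free units rather than letting the call fail mid-run
    $PartNumber = $SkuByDepartment[$Row.Department]
    if ($PartNumber) {
        $Sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq $PartNumber
        if ($Sku -and $Sku.PrepaidUnits.Enabled -gt $Sku.ConsumedUnits) {
            Set-MgUserLicense -UserId $User.Id -AddLicenses @(@{ SkuId = $Sku.SkuId }) -RemoveLicenses @() | Out-Null
        } else {
            Write-Warning "No available $PartNumber license for $Upn; assign manually"
        }
    }

    # Department groups; a missing group is reported, not silently ignored
    foreach ($GroupName in $GroupsByDepartment[$Row.Department]) {
        $Group = Get-MgGroup -Filter "displayName eq '$GroupName'"
        if ($Group) { New-MgGroupMember -GroupId $Group.Id -DirectoryObjectId $User.Id }
        else { Write-Warning "Group '$GroupName' not found; skipped for $Upn" }
    }

    if ($Row.ManagerUpn) {
        $Manager = Get-MgUser -UserId $Row.ManagerUpn
        Set-MgUserManagerByRef -UserId $User.Id -BodyParameter @{ "@odata.id" = "https://graph.microsoft.com/v1.0/users/$($Manager.Id)" }
    }

    # Return the temporary password to the caller so it can be delivered out of band
    [PSCustomObject]@{ UPN = $Upn; UserId = $User.Id; TemporaryPassword = $TempPassword }
}

Import-Csv -Path "C:\HR\newhires.csv" | ForEach-Object { New-OnboardedUser -Row $_ }
```

The temporary password is returned rather than written to a file so the calling process decides how it reaches the new hire; pairing ForceChangePasswordNextSignIn with that delivery is what keeps the value from becoming a long-lived credential.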

  3. License Auditing and Cleanup – Spot Orphaned and Over‑Assigned Licenses
    Ghost licenses (assigned to disabled accounts or deleted users) waste budget and create security exposures. Automated weekly audits can reclaim licenses and alert on anomaly spikes.

Step‑by‑step guide:

  • Retrieve all user license assignments using `Get-MgUser` with `-Select` and expand license details.
  • Cross‑reference against active employee directory (e.g., HRIS).
  • Generate a report with users who have licenses but have not signed in for 90+ days.
  • Script can optionally remove licenses from disabled accounts after approval.

Command to list licenses and last sign‑in:

# SignInActivity requires the AuditLog.Read.All scope (and an Entra ID P1/P2 license)
$AllUsers = Get-MgUser -All -Property Id, UserPrincipalName, SignInActivity, AssignedLicenses
$Report = foreach ($User in $AllUsers) {
    [PSCustomObject]@{
        UPN          = $User.UserPrincipalName
        LastSignIn   = $User.SignInActivity.LastSignInDateTime
        LicenseCount = $User.AssignedLicenses.Count
    }
}
$Report | Export-Csv -Path "LicenseAudit.csv" -NoTypeInformation

Windows Scheduled Task Integration: Run this script weekly via Task Scheduler with a managed service account that has only `Directory.Read.All` and `User.Read.All` permissions.
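The following is an added example, not code from the original post, covering the two steps the report command above stops short of: filtering the audit down to licensed users with no sign-in in 90+ days, and reclaiming licenses from accounts that are already disabled, with -WhatIf so the removal can be dry-run before approval. It assumes an existing Graph session with User.ReadWrite.All and AuditLog.Read.All.

```powershell
# Added example (not part of the original post). Assumes Connect-MgGraph has already run
# with User.ReadWrite.All and AuditLog.Read.All (SignInActivity needs the latter plus an
# Entra ID P1/P2 license).
function Get-InactiveLicensedUsers {
    param([int] $InactiveDays = 90)
    $Cutoff = (Get-Date).AddDays(-$InactiveDays)
    Get-MgUser -All -Property Id, UserPrincipalName, AccountEnabled, SignInActivity, AssignedLicenses |
        Where-Object { $_.AssignedLicenses.Count -gt 0 } |
        ForEach-Object {
            $Last = $_.SignInActivity.LastSignInDateTime
            # A user who has never signed in has no LastSignInDateTime at all; treat that as inactive
            $IsInactive = (-not $Last) -or ($Last -lt $Cutoff)
            if ($IsInactive) {
                [PSCustomObject]@{
                    Id             = $_.Id
                    UPN            = $_.UserPrincipalName
                    AccountEnabled = $_.AccountEnabled
                    LastSignIn     = $Last
                    LicenseCount   = $_.AssignedLicenses.Count
                }
            }
        }
}

function Remove-LicensesFromDisabledUsers {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(ValueFromPipeline)] $User)
    process {
        # Only touch accounts that are already disabled; inactive-but-enabled users go to a human
        if ($User.AccountEnabled) { return }
        $SkuIds = @((Get-MgUserLicenseDetail -UserId $User.Id).SkuId)
        if ($SkuIds.Count -eq 0) { return }
        if ($PSCmdlet.ShouldProcess($User.UPN, "Remove $($SkuIds.Count) license(s)")) {
            Set-MgUserLicense -UserId $User.Id -AddLicenses @() -RemoveLicenses $SkuIds | Out-Null
        }
    }
}

$Inactive = Get-InactiveLicensedUsers -InactiveDays 90
$Inactive | Export-Csv -Path "InactiveLicensedUsers.csv" -NoTypeInformation
# Dry run first; drop -WhatIf once the CSV has been reviewed and approved
$Inactive | Remove-LicensesFromDisabledUsers -WhatIf
```

Splitting the report from the removal keeps the weekly scheduled run read-only (Directory.Read.All / User.Read.All, as the note above recommends); the removal function needs User.ReadWrite.All and is meant to be run separately after the CSV has been approved.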

  4. Mailbox Permission Reviews – Detect Hidden Data Exposure
    Full Access and Send‑As permissions on mailboxes are a common vector for insider threats or lateral movement. Automating permission dumps helps spot violations of the principle of least privilege.

Step‑by‑step guide:

  • Connect to Exchange Online v3 module (still needed for advanced mailbox permissions).
  • Retrieve all mailboxes with custom recipient filters (e.g., executives, finance).
  • For each, call `Get-EXOMailboxPermission` and filter for users who are not the owner.
  • Flag any “Everyone” or external domain permissions.

Exchange Online PowerShell commands:

# admin@yourdomain.com is a placeholder for the administrator UPN
Connect-ExchangeOnline -UserPrincipalName admin@yourdomain.com
$Mailboxes = Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox
foreach ($MBX in $Mailboxes) {
    # Keep only Full Access entries granted to someone other than the owner or built-in NT AUTHORITY\SELF
    $Perms = Get-EXOMailboxPermission -Identity $MBX.UserPrincipalName |
        Where-Object { $_.User -notlike "NT AUTHORITY\*" -and $_.AccessRights -contains "FullAccess" -and $_.User -ne $MBX.UserPrincipalName }
    if ($Perms) { $Perms | Select-Object Identity, User, AccessRights | Export-Csv -Append -NoTypeInformation -Path "MailboxFullAccessViolations.csv" }
}

Remediation: Automatically revoke Full Access from non‑owners flagged more than twice in consecutive audits by calling Remove-MailboxPermission.
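The following is an added example, not code from the original post, that implements the remediation rule above: it records Full Access and Send-As grants in a dated audit file per run, then revokes only grants that have appeared in three consecutive audits, with -WhatIf support. It assumes an existing Exchange Online session and an audit folder path; both are assumptions.

```powershell
# Added example (not part of the original post). Assumes Connect-ExchangeOnline has run.
# C:\Audits is an assumed folder for the dated audit files.
$AuditDir = "C:\Audits"

function Get-NonOwnerMailboxGrants {
    Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox | ForEach-Object {
        $Owner = $_.UserPrincipalName
        # Full Access, excluding the owner and built-in NT AUTHORITY\SELF
        Get-EXOMailboxPermission -Identity $Owner |
            Where-Object { $_.AccessRights -contains "FullAccess" -and $_.User -notlike "NT AUTHORITY\*" -and $_.User -ne $Owner } |
            ForEach-Object { [PSCustomObject]@{ Mailbox = $Owner; Grantee = $_.User; Right = "FullAccess" } }
        # Send-As is a recipient permission, so it comes from a different cmdlet
        Get-EXORecipientPermission -Identity $Owner |
            Where-Object { $_.AccessRights -contains "SendAs" -and $_.Trustee -notlike "NT AUTHORITY\*" -and $_.Trustee -ne $Owner } |
            ForEach-Object { [PSCustomObject]@{ Mailbox = $Owner; Grantee = $_.Trustee; Right = "SendAs" } }
    }
}

function Save-MailboxAudit {
    $Path = Join-Path $AuditDir ("MailboxAudit-{0:yyyyMMdd}.csv" -f (Get-Date))
    Get-NonOwnerMailboxGrants | Export-Csv -Path $Path -NoTypeInformation
    $Path
}

function Get-RepeatOffenders {
    param([int] $ConsecutiveRuns = 3)
    $Files = Get-ChildItem -Path $AuditDir -Filter "MailboxAudit-*.csv" |
        Sort-Object Name -Descending | Select-Object -First $ConsecutiveRuns
    if (@($Files).Count -lt $ConsecutiveRuns) { return @() }   # not enough history yet
    # Key each grant as Mailbox|Grantee|Right, de-duplicated per run, and keep the keys
    # present in every one of the last N runs
    $Keys = foreach ($File in $Files) {
        Import-Csv $File.FullName | ForEach-Object { "$($_.Mailbox)|$($_.Grantee)|$($_.Right)" } | Select-Object -Unique
    }
    $Keys | Group-Object | Where-Object Count -ge $ConsecutiveRuns | ForEach-Object {
        $m, $g, $r = $_.Name -split '\|'
        [PSCustomObject]@{ Mailbox = $m; Grantee = $g; Right = $r }
    }
}

function Revoke-RepeatOffenderGrants {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(ValueFromPipeline)] $Grant)
    process {
        if ($PSCmdlet.ShouldProcess("$($Grant.Mailbox) <- $($Grant.Grantee)", "Revoke $($Grant.Right)")) {
            if ($Grant.Right -eq "FullAccess") {
                Remove-MailboxPermission -Identity $Grant.Mailbox -User $Grant.Grantee -AccessRights FullAccess -Confirm:$false
            } else {
                Remove-RecipientPermission -Identity $Grant.Mailbox -Trustee $Grant.Grantee -AccessRights SendAs -Confirm:$false
            }
        }
    }
}

Save-MailboxAudit
Get-RepeatOffenders -ConsecutiveRuns 3 | Revoke-RepeatOffenderGrants -WhatIf
```

Keeping every audit file rather than overwriting one CSV is what makes the "more than twice in consecutive audits" rule checkable, and it leaves an evidence trail of what was revoked and why.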

  5. SharePoint and Teams Reporting – Uncover Overshared Sites
    External sharing in Teams and SharePoint is often left too permissive. Use the PnP PowerShell module to enumerate sharing links and external users across all sites.

Step‑by‑step guide:

  • Install PnP.PowerShell and connect to SharePoint Online Admin.
  • Iterate through every site collection and retrieve “Anyone” links.
  • Generate a report with site URL, link type (anonymous, specific external user), and expiration date.
  • For Teams, also fetch guest users via Microsoft Graph and cross‑check against allowed domains.

Sample script:

Connect-PnPOnline -Url https://yourtenant-admin.sharepoint.com -Interactive
$Sites = Get-PnPTenantSite
foreach ($Site in $Sites) {
    Connect-PnPOnline -Url $Site.Url -Interactive
    # Anonymous ("Anyone") links that expire within the next 30 days
    $Links = Get-PnPSharingLink | Where-Object { $_.ShareType -eq "Anonymous" -and $_.ExpirationDate -lt (Get-Date).AddDays(30) }
    $Links | Select-Object Url, ShareType, ExpirationDate, CreatedBy | Export-Csv -Append -NoTypeInformation -Path "ExpiringAnonymousLinks.csv"
}

Hardening action: Use the script output to enforce a weekly review – or automatically convert anonymous links to “specific people” links after 30 days.
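The fourth step above (fetch guest users via Microsoft Graph and cross-check against allowed domains) is not covered by the sample script, so the following is an added example, not code from the original post. It assumes a Graph session with User.Read.All; the allowed-domain list is an assumption.

```powershell
# Added example (not part of the original post). Assumes Connect-MgGraph with User.Read.All.
$AllowedGuestDomains = @("partner.example", "contoso.com")   # assumed allow-list

function Get-GuestHomeDomain {
    param($Guest)
    # Prefer the mail attribute. When it is empty, fall back to the guest UPN, which has the
    # form localpart_homedomain#EXT#@tenant.onmicrosoft.com: the home domain sits after the
    # last underscore before "#EXT#"
    if ($Guest.Mail) { return ($Guest.Mail -split '@')[-1].ToLower() }
    $Prefix = ($Guest.UserPrincipalName -split '#EXT#')[0]
    if ($Prefix -match '_([^_]+)$') { return $Matches[1].ToLower() }
    return $null
}

function Get-DisallowedGuests {
    Get-MgUser -All -Filter "userType eq 'Guest'" -Property Id, DisplayName, UserPrincipalName, Mail, CreatedDateTime, ExternalUserState |
        ForEach-Object {
            $Domain = Get-GuestHomeDomain -Guest $_
            # A guest whose domain cannot be determined is reported too, never silently allowed
            if (-not $Domain -or $Domain -notin $AllowedGuestDomains) {
                [PSCustomObject]@{
                    DisplayName = $_.DisplayName
                    UPN         = $_.UserPrincipalName
                    HomeDomain  = $Domain
                    State       = $_.ExternalUserState   # PendingAcceptance = invited but never redeemed
                    Created     = $_.CreatedDateTime
                }
            }
        }
}

Get-DisallowedGuests | Export-Csv -Path "DisallowedGuests.csv" -NoTypeInformation
```

The ExternalUserState column is worth keeping in the report: an invitation that was never redeemed is a standing entry point that the inviting user has usually forgotten about.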

  6. API Security and App Registration Hardening
    Over‑privileged service principals are a silent backdoor. Automate the detection of apps with Graph API permissions like Mail.Read, Files.ReadWrite.All, or RoleManagement.ReadWrite.Directory.

Step‑by‑step guide:

  • List all enterprise applications and service principals using Get-MgServicePrincipal.
  • For each, retrieve the `AppRoleAssignments` and filter by permission type (Application vs Delegated).
  • Flag any app with `Directory.ReadWrite.All` or `User.EnableDisable.All` that hasn’t been used in 60 days.
  • Use conditional access policies to block legacy authentication for those apps.

Command to list high‑risk Graph permissions:

$Apps = Get-MgServicePrincipal -All
$HighRiskPermissions = @("Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory", "MailboxSettings.ReadWrite")
# App role assignments carry the role GUID, not its name; resolve names through the
# Microsoft Graph service principal (well-known appId 00000003-0000-0000-c000-000000000000)
$GraphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$HighRiskRoleIds = ($GraphSp.AppRoles | Where-Object { $_.Value -in $HighRiskPermissions }).Id
foreach ($App in $Apps) {
    $Perms = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $App.Id -All
    $Matching = $Perms | Where-Object { $_.ResourceId -eq $GraphSp.Id -and $_.AppRoleId -in $HighRiskRoleIds }
    if ($Matching) {
        $Names = ($GraphSp.AppRoles | Where-Object { $_.Id -in $Matching.AppRoleId }).Value
        Write-Host "High-risk app: $($App.DisplayName) - $($Names -join ', ')"
    }
}

Linux alternative: Using PowerShell Core on Ubuntu, the same commands work after installing `Microsoft.Graph` module – great for CI/CD pipelines.

  7. Offboarding and Data Retention – Secure Employee Exit
    A forgotten account is a ticking time bomb. Full offboarding automation should: block sign‑in, remove all licenses, convert mailbox to shared (free), transfer OneDrive to manager, and remove from all distribution groups.

Step‑by‑step guide:

  • Trigger script from HR termination feed (webhook or CSV).
  • Block Entra ID sign‑in with Update-MgUser -AccountEnabled:$false.
  • Run `Revoke-MgUserAllRefreshToken` to kill active sessions.
  • Convert mailbox to shared using Exchange Online (Set-Mailbox -Type Shared).
  • Grant manager access to OneDrive via Set-SPOSite -Identity.

Consolidated offboarding snippet:

# departed.user@yourdomain.com, admin@yourdomain.com and manager@yourdomain.com are placeholders
$TerminatedUser = "departed.user@yourdomain.com"
Update-MgUser -UserId $TerminatedUser -AccountEnabled:$false
Revoke-MgUserAllRefreshToken -UserId $TerminatedUser
# Exchange Online and SharePoint Online each need their own session
Connect-ExchangeOnline -UserPrincipalName admin@yourdomain.com
Set-Mailbox -Identity $TerminatedUser -Type Shared
# Assign manager as secondary owner of OneDrive
$Manager = "manager@yourdomain.com"
Connect-SPOService -Url https://yourtenant-admin.sharepoint.com
# OneDrive personal-site URLs replace both '@' and '.' in the UPN with '_'
Set-SPOSite -Identity "https://yourtenant-my.sharepoint.com/personal/$($TerminatedUser -replace '[@.]','_')" -Owner $Manager
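The consolidated snippet leaves out two of the steps listed in the section intro, removing all licenses and removing the user from groups. The following is an added example, not code from the original post, that does both with -WhatIf support and handles the groups Graph cannot modify. It assumes a Graph session with User.ReadWrite.All and GroupMember.ReadWrite.All.

```powershell
# Added example (not part of the original post). Assumes Connect-MgGraph with
# User.ReadWrite.All and GroupMember.ReadWrite.All; the UPN at the bottom is a placeholder.
function Remove-OffboardedUserAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string] $UserPrincipalName)

    $User = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName
    $Result = [PSCustomObject]@{ LicensesRemoved = 0; GroupsRemoved = 0; GroupsSkipped = @() }

    # Licenses: a single call removes every SKU currently assigned
    $SkuIds = @((Get-MgUserLicenseDetail -UserId $User.Id).SkuId)
    if ($SkuIds.Count -gt 0 -and $PSCmdlet.ShouldProcess($UserPrincipalName, "Remove $($SkuIds.Count) license(s)")) {
        Set-MgUserLicense -UserId $User.Id -AddLicenses @() -RemoveLicenses $SkuIds | Out-Null
        $Result.LicensesRemoved = $SkuIds.Count
    }

    # Groups: Graph can remove members from security and Microsoft 365 groups, but not from
    # dynamic groups or Exchange-managed distribution lists; those are recorded for follow-up
    foreach ($Obj in Get-MgUserMemberOf -UserId $User.Id -All) {
        $Props = $Obj.AdditionalProperties
        if ($Props['@odata.type'] -ne '#microsoft.graph.group') { continue }   # skip directory roles etc.
        $Name = $Props['displayName']
        $IsDynamic = $Props['groupTypes'] -contains 'DynamicMembership'
        $IsDistributionList = $Props['mailEnabled'] -and -not $Props['securityEnabled'] -and ($Props['groupTypes'] -notcontains 'Unified')
        if ($IsDynamic -or $IsDistributionList) { $Result.GroupsSkipped += $Name; continue }
        if ($PSCmdlet.ShouldProcess($UserPrincipalName, "Remove from group '$Name'")) {
            try {
                Remove-MgGroupMemberByRef -GroupId $Obj.Id -DirectoryObjectId $User.Id
                $Result.GroupsRemoved++
            } catch {
                $Result.GroupsSkipped += "$Name ($($_.Exception.Message))"
            }
        }
    }
    return $Result
}

# Dry run; remove -WhatIf to apply
Remove-OffboardedUserAccess -UserPrincipalName "departed.user@yourdomain.com" -WhatIf
```

Distribution lists skipped here have to be handled in the Exchange Online session (Remove-DistributionGroupMember); disabling the account already blocks sign-in, so the remaining memberships are a hygiene issue rather than an access issue, but they are exactly the stale entries a later audit will flag.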

What Undercode Says:

  • Automation of M365 administration through PowerShell turns reactive toil into proactive security enforcement. The 175+ script collection on GitHub provides a battle‑tested starting point for even junior admins.
  • However, insecure scripting (hardcoded credentials, excessive API scopes, lack of logging) can introduce more risk than manual clicks. Always implement certificate‑based authentication, version control, and scheduled reviews of script permissions.

Analysis (10 lines):

The real power of these scripts lies not in saving clicks but in creating an auditable, repeatable security baseline. For example, automated weekly license audits catch unauthorized E5 assignments (a common privilege escalation). Offboarding scripts eliminate the “forgotten account” gap that persists in many organisations for months. Yet, the biggest challenge remains API permission hygiene – many script examples ask for `Directory.ReadWrite.All` when `User.Read.All` suffices. Organizations should start by running scripts in `-WhatIf` mode, review Graph API logs, and progressively narrow scopes. Also, treat the scripts as code: store them in private repos, sign them, and enforce peer reviews. The GitHub collection is a fantastic resource, but always test in a staging tenant first. Finally, combine automation with Conditional Access policies – scripts can’t stop a compromised global admin account, but a well‑tuned CA policy can.

Prediction:

  • +1 More than 70% of M365 security breaches in 2027 will be prevented or rapidly contained by automated PowerShell scripts that detect and revoke anomalous permissions within minutes.
  • -1 As script adoption grows, attackers will increasingly target service principal credentials and CI/CD pipelines that host these automation scripts, leading to a new wave of supply‑chain style cloud compromises.
  • +1 Microsoft will embed native “script recommendations” directly into Entra ID and Compliance Manager, offering one‑click deployment of hardened automation playbooks from the community.
  • -1 The average M365 tenant will have over 300 outdated PowerShell scripts with excessive permissions, creating an “automation sprawl” that itself becomes a major audit finding.
  • +1 Linux-based PowerShell Core will emerge as the preferred platform for M365 automation in hybrid environments, driving better cross‑platform security tooling and reducing Windows‑only dependencies.

Reported By: Kavya A – Hackers Feeds