Apr 21
Office 365 – Script to automate Office 365 Role membership

UPDATE: the script has been updated to support Azure MFA and to correct a bug in the Office 365 role update function.

Office 365 role membership is one of the few workloads you cannot manage with groups.

To automate the membership of these roles, I have created a script.

The script compares the membership of an Active Directory group with the membership of the corresponding Office 365 role, ignoring cloud-only accounts that were added directly to the role. If there is any difference, the script grants or revokes role membership so that the role matches the AD group.
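The reconciliation described above, as an added example (this is not the script from the post). It assumes the MSOnline module (Connect-MsolService) and the ActiveDirectory RSAT module are installed, that the AD groups live in an OU named by $GroupOU directly under the domain root, and that a cloud-only account can be recognised by its empty ImmutableId (an account that has never been synchronized from AD has none):

```powershell
# Added example: reconcile one Office 365 role with the AD group of the same name.
# Not the script from the post. Assumptions: MSOnline + ActiveDirectory modules,
# groups in OU=$GroupOU under the domain root, cloud-only = no ImmutableId.
Import-Module ActiveDirectory
Import-Module MSOnline

$GroupOU = 'Office 365 Roles Management'   # same variable as in the post

function Sync-O365RoleFromADGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$RoleName   # e.g. 'Exchange Service Administrator'
    )
    $role = Get-MsolRole -RoleName $RoleName
    $searchBase = "OU=$GroupOU,$((Get-ADDomain).DistinguishedName)"   # assumption
    $group = Get-ADGroup -Filter "Name -eq '$RoleName'" -SearchBase $searchBase
    if (-not $group) { throw "No AD group named '$RoleName' under $searchBase" }

    # Desired state: UPNs of the (possibly nested) user members of the AD group
    $desired = @(Get-ADGroupMember -Identity $group -Recursive |
        Where-Object objectClass -eq 'user' |
        ForEach-Object { (Get-ADUser -Identity $_.distinguishedName).UserPrincipalName })

    # Current state: role members that are synchronized from AD. Cloud-only accounts
    # (no ImmutableId) are left untouched, as the post describes.
    $current = @(Get-MsolRoleMember -RoleObjectId $role.ObjectId |
        Where-Object RoleMemberType -eq 'User' |
        ForEach-Object { Get-MsolUser -UserPrincipalName $_.EmailAddress -ErrorAction SilentlyContinue } |
        Where-Object { $_.ImmutableId } |
        ForEach-Object UserPrincipalName)

    $toAdd    = @($desired | Where-Object { $_ -notin $current })
    $toRemove = @($current | Where-Object { $_ -notin $desired })

    # Safety check (added here): an empty or unreadable group must not strip every
    # synchronized administrator out of the role in one run.
    if ($desired.Count -eq 0 -and $toRemove.Count -gt 0) {
        throw "AD group '$RoleName' is empty; refusing to remove $($toRemove.Count) role member(s)"
    }

    foreach ($upn in $toAdd) {
        if ($PSCmdlet.ShouldProcess($upn, "Add to role '$RoleName'")) {
            Add-MsolRoleMember -RoleObjectId $role.ObjectId -RoleMemberEmailAddress $upn
        }
    }
    foreach ($upn in $toRemove) {
        if ($PSCmdlet.ShouldProcess($upn, "Remove from role '$RoleName'")) {
            Remove-MsolRoleMember -RoleObjectId $role.ObjectId -RoleMemberType User -RoleMemberEmailAddress $upn
        }
    }
    [pscustomobject]@{ Role = $RoleName; Added = $toAdd; Removed = $toRemove }
}

# Usage: dry run first (-WhatIf only prints what would change), then apply
Connect-MsolService
Sync-O365RoleFromADGroup -RoleName 'Exchange Service Administrator' -WhatIf
Sync-O365RoleFromADGroup -RoleName 'Exchange Service Administrator'
```

Run it with -WhatIf the first time: the output lists every add and remove before anything is changed, which is the moment to notice a misnamed group or a role that still contains accounts you expected to be cloud-only.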



To use this script you need the following:

NOTE the script only works with existing AD groups whose names match the Office 365 roles

  • The Active Directory user accounts used to manage role permissions are synchronized to Office 365
  • All accounts have a routable UPN, i.e. not @domain.local. Otherwise you will get the error “Access Denied. You do not have permissions to call this cmdlet.” when updating an Office 365 role
  • An account holding the Office 365 Global Administrator role; it is needed to update Office 365 role membership. If you plan to run the script from a scheduled task, use a service account whose password is set to never expire
  • A service mailbox you can authenticate with, used to send the email notification after completion

Script Usage

The script can be executed manually or from a scheduled task; if you use it with a scheduled task, you have to run it manually once to generate the credential files required to connect to Office 365.

Script Variables

There are a few variables you have to update to match your environment:

  • $ScriptFolder defines the folder where the script is saved; it defaults to C:\Scripts and updating it is optional. All encrypted credential files and log files are saved in this directory
  • $GroupOU defines the organizational unit where the AD groups used for Office 365 role management are located; this OU does not need to be synchronized with Office 365. For example, $GroupOU = "Office 365 Roles Management"
  • $MFAEnabled defines whether Azure MFA is used; the script asks whether you want to enable Azure MFA and, if you do not answer within 20 seconds, applies the default (MFA enabled). This is how the script detects whether it is running interactively or from a scheduled task
  • $SMTPServer defines the SMTP server used to send the email notification. For example, $SMTPServer = "smtp.domain.com"
  • $SMTPPort defines the port used to connect to the SMTP server, usually 25 or 587
  • $From defines the FROM field of the email notification; it does not need to be an existing email address
  • $To defines the recipient of the notification. For multiple recipients, separate them with a comma. For example, $To = "recipient1@domain.com","recipient2@domain.com"


Manual Execution

After updating the above variables, just run the script.

You will be prompted whether you want to save the credentials used to connect to Office 365 and to the SMTP server.

Whatever you decide, you will be prompted for the credentials themselves; if you choose to save them, 3 encrypted files are generated per credential (account, password and encryption/decryption key), i.e. 3 or 6 files in total.


Use with a scheduled task

If you plan to run the script from a scheduled task, you need to run it manually once and choose to save the credentials.

NOTE if at any time you click Cancel in an authentication prompt, the script stops


Saved credentials

If you choose to save a credential, 3 files are generated for it:

  • <credential>_account.txt is the encrypted file containing the user account
  • <credential>_password.txt is the encrypted file containing the password
  • <credential>_key.key is the encryption/decryption key

Where <credential> is the service you are going to authenticate against, like office365 for Office 365 or smtp for the SMTP server.

You will not be prompted if the 3 required files for a credential already exist; if you want to ‘overwrite’ them, just delete one of the files
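How such a three-file credential store can be written and read back, as an added example (not the post's own code). The folder and file names follow the post; the function names, the AES key length and the fallback-to-prompt logic are my assumptions:

```powershell
# Added example, not the script from the post: save a credential as the three files
# described above (<name>_account.txt, <name>_password.txt, <name>_key.key) and
# reload it, prompting only when one of the files is missing.
$ScriptFolder = 'C:\Scripts'   # same default as in the post

function Save-StoredCredential {
    param(
        [Parameter(Mandatory)][string]$Name,             # 'office365' or 'smtp'
        [Parameter(Mandatory)][pscredential]$Credential,
        [string]$Folder = $ScriptFolder
    )
    # 256-bit AES key from a cryptographic RNG; never a hard-coded or derived value
    $key = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key)

    $base = Join-Path $Folder $Name
    # The account name is encrypted with the same key, as the post describes
    ConvertTo-SecureString $Credential.UserName -AsPlainText -Force |
        ConvertFrom-SecureString -Key $key | Set-Content "${base}_account.txt"
    $Credential.Password | ConvertFrom-SecureString -Key $key | Set-Content "${base}_password.txt"
    [System.IO.File]::WriteAllBytes("${base}_key.key", $key)
}

function Get-StoredCredential {
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$Folder = $ScriptFolder
    )
    $base  = Join-Path $Folder $Name
    $files = "${base}_account.txt", "${base}_password.txt", "${base}_key.key"
    # Same rule as the post: if any of the 3 files is missing, the caller must prompt
    if ($files | Where-Object { -not (Test-Path -LiteralPath $_) }) { return $null }

    $key      = [System.IO.File]::ReadAllBytes("${base}_key.key")
    $userSec  = Get-Content "${base}_account.txt"  | ConvertTo-SecureString -Key $key
    $password = Get-Content "${base}_password.txt" | ConvertTo-SecureString -Key $key
    # Only the user name is turned back into clear text; the password stays a SecureString
    $user = [System.Net.NetworkCredential]::new('', $userSec).Password
    New-Object System.Management.Automation.PSCredential ($user, $password)
}

# Usage: reuse the saved files when present, otherwise prompt and (optionally) save.
# Deleting any one of the three files forces a new prompt, as in the post.
$o365Cred = Get-StoredCredential -Name 'office365'
if (-not $o365Cred) {
    $o365Cred = Get-Credential -Message 'Office 365 Global Administrator account'
    Save-StoredCredential -Name 'office365' -Credential $o365Cred
}
```

The key file sits next to the ciphertext, so the encryption only protects against someone who obtains the two .txt files without the .key file; anyone who can read $ScriptFolder can recover the password. Restrict the NTFS permissions on that folder to the service account that runs the scheduled task and to administrators. If the task always runs as the same account on the same machine, ConvertFrom-SecureString without -Key (DPAPI, bound to that user and machine) removes the need for a key file altogether.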


User Interface

The following screenshots show the different prompts you will see:

  • Prompt to save credentials (credentials not being saved / credentials being saved)
  • User account prompt
  • Password prompt
  • Prompt to enable Azure MFA

The Azure MFA pop-up is “time bombed”: if you do not answer within 20 seconds, the default setting (MFA enabled) is applied. This allows the script to detect whether it is running interactively or from a scheduled task.


Log file and notification

All actions executed by the script are logged.

If any error occurs during the execution, the error details are captured and saved in the log file, and the notification email indicates that an error occurred during one of the steps.

Below are a sample notification email and an extract of a sample log file (the log file is attached to the notification email).



Getting the script

You can download the script from the TechNet Script Gallery here https://gallery.technet.microsoft.com/Automatic-Office-365-Role-433d5120

Please provide any feedback or questions there, thanks.

Apr 15
Yammer – It is now possible to edit a post

It has been a long awaited and requested feature: it is now finally possible to edit a post on Yammer.

This will first be available in the web browser, and will then also come to the iOS and Android apps.

With this feature, each time you edit a post a new version is created. If you (as an administrator) need to export the content, all versions are exported.

It is important to note that editing attachments or posts in external groups is not yet available.

The Edit button appears just beneath your post; it is also available for your previous posts.


Once a post has been edited, an Edited tag is displayed and lets you view the version history.


Apr 11
Office 365 – It is time to move on: end of support for DirSync and Azure AD Sync

If you are still using the old versions of the directory synchronization tool, DirSync and Azure AD Sync, it is time to move on and deploy Azure AD Connect to take advantage of its many improvements.

On April 13, 2017 DirSync and Azure AD Sync will no longer be supported.

Check what Azure AD Connect has to offer here https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-version-history and download the latest version here http://go.microsoft.com/fwlink/?LinkId=615771

Apr 09
Office 365 – Azure AD Connect now supports managed service accounts

The latest version of Azure AD Connect (1.1.484.0, available at http://go.microsoft.com/fwlink/?LinkId=615771) now supports using a managed service account to connect to and synchronize your Active Directory.

NOTE to take advantage of this new feature you need to perform a clean install; you cannot upgrade your existing instance.


When using the custom installation mode, you first need to create the managed service account with the PowerShell command New-ADServiceAccount:

New-ADServiceAccount -Name <service account name> -Path "CN=Managed Service Accounts,DC=<domain>,DC=<extension>" -DNSHostName <FQDN Azure AD Connect server> -PrincipalsAllowedToRetrieveManagedPassword <Azure AD Connect server>$

Do not forget to end the server name with the $ sign.

Also remember that when you refer to a managed service account you need to end its name with $ (like domain\managedaccount$).
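The complete creation flow as an added example (not from the post): it checks for the KDS root key that group managed service accounts depend on, creates the account with the parameters shown above, and prints the domain\name$ form to enter in the Azure AD Connect installer. The account name and server name are placeholders:

```powershell
# Added example, not from the post: create a group managed service account (gMSA)
# for Azure AD Connect. $gmsaName and $aadcServer are placeholders.
Import-Module ActiveDirectory

$gmsaName   = 'svc-aadconnect'   # assumption: name of the managed service account
$aadcServer = 'AADC01'           # assumption: NetBIOS name of the Azure AD Connect server
$domain     = Get-ADDomain

# gMSA passwords are derived from the KDS root key; without one New-ADServiceAccount fails.
if (-not (Get-KdsRootKey)) {
    # A freshly added key only becomes usable once it has replicated (about 10 hours).
    # Back-dating its EffectiveTime is a lab shortcut, not something for production.
    Add-KdsRootKey -EffectiveImmediately | Out-Null
    Write-Warning 'KDS root key created; wait for replication before creating the gMSA'
}

# Only the Azure AD Connect computer may retrieve the password: least privilege, and no
# password a human has to know, store or renew. The trailing $ marks a computer account.
$server = Get-ADComputer -Identity $aadcServer
New-ADServiceAccount -Name $gmsaName `
    -Path "CN=Managed Service Accounts,$($domain.DistinguishedName)" `
    -DNSHostName $server.DNSHostName `
    -PrincipalsAllowedToRetrieveManagedPassword "${aadcServer}$"

# On the Azure AD Connect server itself, confirm the machine can fetch the password
# before starting the custom installation (needs the RSAT AD module there):
#   Install-ADServiceAccount -Identity $gmsaName
#   Test-ADServiceAccount -Identity $gmsaName    # True when the gMSA is usable

# Account name in the form the installer expects (domain\managedaccount$)
'{0}\{1}$' -f $domain.NetBIOSName, $gmsaName
```

Because the password is never disclosed and is rotated by the domain controllers, a gMSA also removes the "password set to never expire" service-account pattern: if the Azure AD Connect server is rebuilt, just add the new computer to -PrincipalsAllowedToRetrieveManagedPassword.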

Apr 07
SharePoint Online – Speed up the authentication process

When a user accesses SharePoint Online, he is first redirected to Azure AD for authentication.

If the company uses ADFS to manage authentication, Azure AD then redirects the user to the ADFS server for authentication.

This can make the authentication process slow for end users (and for external users when you share content with them).

With SharePoint Online you can speed up the process by enabling sign-in acceleration, which lets users skip the Azure Active Directory home realm discovery page.

Enable the acceleration

To enable this acceleration feature, you need to connect to your tenant with PowerShell:

  • Start a SharePoint Online PowerShell command prompt and connect to your tenant (Connect-SPOService -Url https://<your Office 365 tenant>-admin.sharepoint.com -Credential (Get-Credential))


  • Then define the domain for which you want to enable the acceleration using the command Set-SPOTenant -SignInAccelerationDomain <domain>; if you need to add multiple domains use the following format {domain1;domain2;domain3}


  • Finally enable the acceleration feature with the command Set-SPOTenant -EnableGuestSignInAcceleration $true

NOTE you must have defined at least one domain before enabling the feature



Disable the acceleration

To disable the acceleration, set EnableGuestSignInAcceleration to $false and SignInAccelerationDomain to “”.
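The enable and disable steps above as one added example (not from the post), with a verification read-back after each change. The tenant and domain names are placeholders:

```powershell
# Added example, not from the post: enable, verify and disable SharePoint Online
# sign-in acceleration. 'contoso' and 'contoso.com' are placeholders.
Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking

$tenantName = 'contoso'       # assumption: <your Office 365 tenant>
$federated  = 'contoso.com'   # assumption: the federated domain to accelerate

Connect-SPOService -Url "https://$tenantName-admin.sharepoint.com" -Credential (Get-Credential)

function Show-SignInAcceleration {
    # Read the stored state back instead of trusting that Set-SPOTenant succeeded
    Get-SPOTenant | Select-Object SignInAccelerationDomain, EnableGuestSignInAcceleration
}

function Enable-SignInAcceleration {
    param([Parameter(Mandatory)][string]$Domain)
    # Order matters: the domain must be set before the switch is turned on
    Set-SPOTenant -SignInAccelerationDomain $Domain
    Set-SPOTenant -EnableGuestSignInAcceleration $true
    Show-SignInAcceleration
}

function Disable-SignInAcceleration {
    # Reverse order of the enable step: switch off first, then clear the domain
    Set-SPOTenant -EnableGuestSignInAcceleration $false
    Set-SPOTenant -SignInAccelerationDomain ""
    Show-SignInAcceleration
}

Show-SignInAcceleration                    # current state before any change
Enable-SignInAcceleration -Domain $federated
# Disable-SignInAcceleration               # roll back if sign-in breaks for some users
```

Keep the Show-SignInAcceleration output from before the change: if users from a domain other than the accelerated one can no longer sign in to shared content, you have the previous values to restore.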

Apr 07
SharePoint Online – Support for # and % characters is going to be rolled out

We all know (or should know) the restrictions in SharePoint and SharePoint Online on the characters supported in folder and file names.

Microsoft is relieving the pressure by rolling out an update that allows the # and % characters in file and folder names (not yet in document library names).

All tenants created after June 2017 will automatically have this update, while the others will get it gradually.

If you want to enable this support now, you can do it with PowerShell:

  • Open a SharePoint Online PowerShell command prompt and connect to your tenant (Connect-SPOService -Url https://<your Office 365 tenant>-admin.sharepoint.com -Credential (Get-Credential))


  • Then run the following command to enable the update: Set-SPOTenant -SpecialCharactersStateInFileFolderNames Allowed

This parameter accepts 3 values: Allowed, Disallowed or NoPreference; NoPreference keeps the default state of the update (i.e. not allowed for tenants created before June 2017, enabled for tenants created after June 2017).


You can check whether your tenant is ready for the configuration by running Get-SPOTenant and checking whether the parameter is present in its output.
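The readiness check and the setting combined, as an added example (not from the post). It reads the tenant object first and refuses to change anything if the property has not yet appeared, then verifies the stored value. The tenant name is a placeholder:

```powershell
# Added example, not from the post: allow (or disallow) # and % in file and folder
# names only once the tenant exposes the setting. 'contoso' is a placeholder.
Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking
Connect-SPOService -Url "https://contoso-admin.sharepoint.com" -Credential (Get-Credential)

function Set-SpecialCharactersSupport {
    param(
        [ValidateSet('Allowed', 'Disallowed', 'NoPreference')]
        [string]$State = 'Allowed'
    )
    $tenant   = Get-SPOTenant
    $property = 'SpecialCharactersStateInFileFolderNames'

    # Readiness check from the post: the property only shows up in Get-SPOTenant once
    # the update has reached the tenant. Changing it before that is pointless.
    if ($tenant.PSObject.Properties.Name -notcontains $property) {
        Write-Warning "Tenant not ready: $property is not available yet"
        return $null
    }

    Write-Verbose "Current state: $($tenant.$property); requested: $State"
    Set-SPOTenant -SpecialCharactersStateInFileFolderNames $State

    # Return the stored value so the caller can confirm the change took effect
    (Get-SPOTenant).$property
}

Set-SpecialCharactersSupport -State Allowed -Verbose
```

Run it with -State NoPreference to hand control back to Microsoft's rollout schedule, and with Disallowed if on-premises tools that synchronize or back up libraries still choke on # and % in paths.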

Apr 07
Office 365 – You can now set retention policy on Office 365 Groups

You can now set a retention policy on Office 365 Groups to comply with your retention requirements, as you already can on Exchange mailboxes or SharePoint sites.

NOTE it can take up to 1 day for the policy to be applied

To set a retention policy on Office 365 Groups, log on to the Security and Compliance administration portal, either from the Admin Centers shortcut in the Office 365 Administration portal or using the URL https://protection.office.com


Then go to the Data governance\Retention section and create a new policy (or update an existing one if you prefer); I would recommend having a retention policy per workload, but it depends on your context.


Then follow the policy creation wizard:

  • Give the policy a name (mandatory) and a description (optional)
  • Set the policy settings; you can use a predefined configuration or create a custom one
  • Set the content location; by default all locations (except Skype for Business) are enabled, targeting all mailboxes, all SharePoint or OneDrive sites and all Office 365 Groups. You can also target specific groups, which means you can set different policies depending on how the Office 365 Groups are used (private, public…)
  • Finally turn the preservation lock on or off; the lock prevents the policy from being deleted


From there your Office 365 Groups (existing and new, if you chose to apply the policy to all groups) automatically get the retention policy applied, and you will be able to get reports and/or recover content.

Apr 06
Windows 10 – Windows Assessment and Deployment Kit (ADK) for Windows 10 1703 Creator Update is now available

The Windows ADK for Windows 10 Creator Update (build 1703) is now available for download at https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit

Mar 29
Exchange Online – Copy Sent Items to both principal and delegate

Microsoft is currently deploying an update that copies all items sent as, or on behalf of, a user principal to the principal's Sent Items folder, as has been the case for some time for shared mailboxes.

To manage this feature, use PowerShell to connect to Exchange Online and update MessageCopyForSentAsEnabled and/or MessageCopyForSendOnBehalfEnabled on the principal (delegator) mailbox:

$O365Cred = Get-Credential

$ExcOnlineSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $O365Cred -Authentication Basic -AllowRedirection

Import-PSSession $ExcOnlineSession -AllowClobber -WarningAction SilentlyContinue -ErrorAction Stop

Set-Mailbox <mailbox> -MessageCopyForSentAsEnabled $true -MessageCopyForSendOnBehalfEnabled $true

Set either parameter to $false to turn the corresponding copy off.

A management option for this feature is not (yet?) available in the Office 365 Admin portal, as it is for shared mailboxes.
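Applying the setting at scale, as an added example (not from the post): it enables the copy only on user mailboxes that actually have Send As or Send on Behalf delegates and re-reads the mailboxes to report the stored state. It assumes the Exchange Online session above is already imported; the function name is my own:

```powershell
# Added example, not from the post: turn the Sent Items copy on for every user mailbox
# that has Send As or Send on Behalf delegates, then report the result.
# Assumes the Exchange Online remote session from the post is already imported.
function Enable-DelegateSentItemsCopy {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $targets = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
        $hasSendOnBehalf = $mbx.GrantSendOnBehalfTo.Count -gt 0
        # Send As is a recipient permission, not a mailbox property, so it needs its own query
        $hasSendAs = Get-RecipientPermission -Identity $mbx.Identity -AccessRights SendAs -ErrorAction SilentlyContinue |
            Where-Object { $_.Trustee -ne 'NT AUTHORITY\SELF' }
        if ($hasSendOnBehalf -or $hasSendAs) { $mbx }
    }

    foreach ($mbx in $targets) {
        # A copy in the principal's Sent Items gives the mailbox owner, and anyone later
        # investigating, a record of what was sent in the owner's name.
        if ($PSCmdlet.ShouldProcess($mbx.UserPrincipalName, 'Copy delegate-sent mail to principal Sent Items')) {
            Set-Mailbox -Identity $mbx.Identity -MessageCopyForSentAsEnabled $true -MessageCopyForSendOnBehalfEnabled $true
        }
    }

    # Re-read the mailboxes so the report shows what is stored, not what was requested
    $targets | ForEach-Object { Get-Mailbox -Identity $_.Identity } |
        Select-Object UserPrincipalName, MessageCopyForSentAsEnabled, MessageCopyForSendOnBehalfEnabled
}

Enable-DelegateSentItemsCopy -WhatIf   # review the list of mailboxes first
Enable-DelegateSentItemsCopy           # then apply
```

Get-RecipientPermission is called once per mailbox, so on a large tenant the review pass takes a while; the -WhatIf run is still worth it, because it is the only place the list of affected mailboxes is visible before anything changes.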

Mar 29
Office 365 – You can now recover deleted Office 365 Groups

If an Office 365 Group has been deleted, either by an administrator or by a group owner, you can recover it within a 30-day period.

To recover a deleted Office 365 Group, you need the Azure Active Directory PowerShell v2 Preview (available here https://www.powershellgallery.com/packages/AzureAD/).

Install AAD PowerShell v2 Preview

Open a PowerShell command prompt and run the command below; once the new module is installed, close the PowerShell command prompt and start it again. If you do not restart it, the commands needed to retrieve deleted Office 365 Groups will not be available.

Install-Module -Name AzureAD


NOTE 1 You may get a request to update a component called NuGet; accept it, otherwise AAD PowerShell will not be updated


NOTE 2 You may get a second request because the updated modules about to be installed do not come from a trusted location


Connect to Azure AD

To take advantage of the updated module with new commands, you need to connect to your tenant using the command



Get deleted Office 365 Groups

To search for deleted Office 365 Groups use the command



Recover deleted Office 365 Groups

To recover the deleted group, run the command

Restore-AzureADMSDeletedDirectoryObject -Id <ID returned by the previous command>


You can then check with the PowerShell command Get-AzureADGroup -ObjectId <ID returned by the previous command>, or in the Office 365 Admin portal, that your Office 365 Group has been recovered.
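The whole recovery flow in one function, as an added example (not from the post). It uses the AzureAD module cmdlets Connect-AzureAD and Get-AzureADMSDeletedGroup to find the group by name, which the post does not show, and refuses to restore when several deleted groups share the same name. The group name is a placeholder:

```powershell
# Added example, not from the post: locate a soft-deleted Office 365 Group by display
# name, restore it and verify. 'Project Falcon' is a placeholder name.
Import-Module AzureAD
Connect-AzureAD

function Restore-DeletedO365Group {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$DisplayName)

    $candidates = @(Get-AzureADMSDeletedGroup | Where-Object DisplayName -eq $DisplayName)

    if ($candidates.Count -eq 0) {
        Write-Warning "No deleted group named '$DisplayName' found (the 30-day window may have passed)"
        return $null
    }
    if ($candidates.Count -gt 1) {
        # Several deleted groups can carry the same name: never guess which one to bring back.
        # Let the administrator pick an Id and call Restore-AzureADMSDeletedDirectoryObject directly.
        $candidates | Select-Object Id, DisplayName, Description | Format-Table -AutoSize | Out-String | Write-Warning
        throw "Ambiguous name '$DisplayName': $($candidates.Count) deleted groups match"
    }

    $id = $candidates[0].Id
    if ($PSCmdlet.ShouldProcess($id, "Restore deleted group '$DisplayName'")) {
        Restore-AzureADMSDeletedDirectoryObject -Id $id | Out-Null
        # Verification step from the post: the group is visible again as a normal object
        Get-AzureADGroup -ObjectId $id | Select-Object ObjectId, DisplayName, MailEnabled, SecurityEnabled
    }
}

Restore-DeletedO365Group -DisplayName 'Project Falcon' -WhatIf   # show what would be restored
Restore-DeletedO365Group -DisplayName 'Project Falcon'
```

Restoring brings back the group object; the associated mailbox, SharePoint site and other workloads reconnect afterwards, so run the Get-AzureADGroup check first and give the workloads some time before declaring the content lost.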


Benoit specializes in Microsoft infrastructure (Active Directory, Azure, ForeFront products, Hyper-V, Identity Management, System Center, Windows) and collaboration (BPOS, Exchange, Office 365, SharePoint, Lync/Skype for Business) technologies.

He has been awarded Microsoft Most Valuable Professional (MVP) since 2002, on Windows, then SharePoint and finally Office 365. He was recognized as a Microsoft Community Contributor for his work on the Office 365 community in 2013 and 2014.

He has been involved in the early testing phases of many Microsoft products, from Windows to Office 365, including Exchange, SharePoint, the Office client and Windows Update.

He has participated as a speaker or Ask The Expert (ATE) at many Microsoft or Quest events. He also participated in writing several books on SharePoint (2003 to 2010).

With more than 10 years of professional experience, he has a deep knowledge of the Microsoft market and its competitors.

