Do not forget to enable the Unified Audit Log

Office 365 and all related services have various forms of auditing options, it’s a pain to monitor and configure them all.

A while back, Microsoft unified these auditing logs into the Unified Audit Log. The Unified Audit Log for Office 365 is super easy to configure.

For all my customers I always enable this free feature, it is pretty much the only way you can have a RPO of 0 when you need to undo changes / deletes or restore data, and gives you a very nice and compliant audit log of everything your users and admins do in your environment.

In addition, it allows me to help you automatically reverse nasty CryptoLocker actions like mass file and folder renames and restore previous versions in bulk.

edit: you can also enable the audit log programatically

OneDriveMapper v2.35 released!

Version 2.35 of OneDriveMapper has been released.

Just a few minor changes:

  • Support for MFA authenticator app in Office 365
  • Fixed a minor bug where a username prompt could appear twice
  • Reports maximum file size upload from WebDav regkey
  • Checks for an @ in the login name

Get the new version here

Auditing your Sharepoint Online site collections

As, generally, we want to know what goes on in our environment, I like to enable Auditing wherever I can. Sharepoint is a more and more important resource where we store our data. Auditing can be very useful if files dissapear, auditors need specific information, or worse, cryptolockers rename all your files.

As setting audit logging through the interface is well documented, I wanted to share the Powershell way of doing this, assuming you’ve already installed the Sharepoint Client Components:

[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Client") | Out-Null [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Client.Runtime") | Out-Null

$Context = New-Object Microsoft.SharePoint.Client.ClientContext("INSERT YOUR SITE URL HERE")
$secPassword = ConvertTo-SecureString "YOUR PASSWORD" -AsPlainText -force
$Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials("YOUR LOGIN",$secpassword)
$Context.RequestTimeout = 16384000
$Context.Credentials = $Credentials

#set audit logging for the site collection to ALL
$Context.Site.Audit.AuditFlags = "All"

OnedriveMapper v2.34 released!

Version 2.34 of OneDriveMapper has been released.

  • Now attempts to automatically add the required trusted site entries
  • Attempts to automatically start the WebDav service if not running and user is local admin
  • A number of small checks and automatic corrections for user faulty input / setup
  • from now on all versions will be released as .ps1 instead of .zip

Get the new version here

Quick overview of all unique email domains in use under a certain OU

We wanted an overview of which domains our users were using in a certain country (Netherlands in this case). So, a simple Powershell snippet that counts all unique domains it encounters in the ProxyAddresses field of all users under a certain OU.

Note that if you have set contacts / forwarders, some domains that appear may not actually be accepted domains in your exchange organization.

#Author: Jos Lieben (OGD)
#Date: 13-06-2016
#Script help:
#Purpose: retrieve all unique domains in use under a specific OU and count them
#active directory PS module

ipmo activedirectory

$users = get-aduser -Filter * -Properties * -SearchBase "OU=Netherlands,OU=Countries,DC=lieben,DC=nu" -SearchScope SubTree

$domains = @{}
foreach($user in $users){

$emails = $user.ProxyAddresses
foreach($email in $emails){
$domain = $email.Split("@")[1]
$domains[$domain] += 1


Write-Output $domains

O365AntiCryptoLocker, restores the previous version of your files in Sharepoint Online or Onedrive for Business

Note: O365Undo is also free and can probably help you fix your crytolocker problem more precisely as it is the next version of O365AntiCryptoLocker


At OGD we sometimes have to deal with users that got infected with CryptoLockers and have both automated and controlled systems in place to prevent damage or restore data to any fileshares. An infection on Sharepoint Online or Onedrive has not yet happened, but eventually it of course will and I like to fix things before they break.

As Sharepoint Online and Onedrive for Business natively use versioning on files, you basically have no real risk of losing data to Cryptolockers, your RPO (Restore Point Objective) is 0. However, restoring the previous versions of files is quite a lot of work if done manually, so your RTO (Restore Time Objective) could be weeks or more.

Unless of course, you use Powershell. I’ve written a script that will restore the most current previous version of any file in a given Document Library.

Download: O365AntiCryptoLocker

Example usage for a Onedrive site:

.\O365AntiCryptoLocker.ps1 -siteURL "" -login "mylogin" -password "mypassword" -libraryTitle "Documents"

Or for a Sharepoint Online Site:

.\O365AntiCryptoLocker.ps1 -siteURL "" -login "mylogin" -password "mypassword" -libraryTitle "Documents"

You’ll need the Sharepoint Client Components installed, and you’ll have to have sufficient permissions on the library and its files.


Exporting shared mailbox permissions to a CSV

A demonstration of one way to get shared mailbox permissions exported to a CSV file. We needed both users, groups and users in groups (so, a recursive search). Only Shared mailboxes had to be included, we could identity these by a simple rule:

the first portion of the primary email address does not contain a dot

See line 126 and 127 for this rule if you need a different method.

This export excludes Deny permissions and looks for users in groups up to 2 levels deep. Credits to Piotrek for his Get-ADNestedGroupMember function.

Script source: Continue reading Exporting shared mailbox permissions to a CSV