Category Archives: Office 365

O365Undo updated for O365 Groups

O365Undo is a great script you can use to roll back actions of your user(s) in Office 365. Most likely, actions your user wasn’t aware of but were actually done by a CryptoLocker or by RansomWare.

These nasty virusses can cause havoc on your mapped or synced Sharepoint Online or Onedrive for Business libraries in the form of file level encryption or file name obfuscation.

This new version also protects Office 365 Groups.

Read more or download the script

Using Powershell to check a user’s tenant logon setting in Office 365 (without logging in)

I was interested in being able to see, for any given email, what type of authentication Microsoft requires for that user. This could be Office 365 (Azure AD) native, ADFS, etc.

Powershell can easily help you out:

Add-Type -AssemblyName System.Web
$uidEnc = [System.Web.HttpUtility]::HtmlEncode($uid)
$res = Invoke-WebRequest -Uri -SessionVariable cookies -Method Get -UseBasicParsing
$stsRequest = ($res.InputFields | where {$_.Name -eq "ctx"}).Value
$flowToken = ($res.InputFields | where {$_.Name -eq "flowToken"}).Value
$canary = ($res.InputFields | where {$_.Name -eq "canary"}).Value
$res = Invoke-WebRequest -Uri "$uidEnc&api-version=2.1&stsRequest=$stsRequest&checkForMicrosoftAccount=false" -WebSession $cookies -Method GET -UseBasicParsing

The response will contain a redirect to another authentication provider (ADFS) or Azure AD Native. This is an example JSON response:

{"NameSpaceType":"Managed","Login":"","DomainName":"","FederationBrandName":"Lieben Consultancy","TenantBrandingInfo":null,"cloud_instance_name":""}

If you also wish to include Microsoft accounts, set the checkForMicrosoftAccount parameter in the second request to true

AzureAD Connect SSO
If you’re using AzureAD Connect SSO, you can use the above to check if this is correctly set in Office 365. The JSON response will contain a propert is_dsso_enabled, which will be set to True

Copy local AD contacts to O365

Recently I needed a basic method to copy over contacts from a local AD to O365, and in cases where a read-write contact already exists; update it. The scenario made sense, as we were working with multiple source AD’s where some had contacts of each other’s mail users, causing adsync conflicts. Thus we decided to take contacts out of ADsync scope and just copy them once.

The logic of the attached script is as follows:









Note that the script ONLY imports the displayname, primary and all secondary email addresses, and sets an extra X500 address for the legacy exchangeDN to avoid outlook cache hit misses.

If you need it, here’s a download link:


New-DlpComplianceRule usage / example

I was messing around a little with Office 365 Compliance settings using Powershell, as I’d like to configure a large number of tenants with certain Data Loss Prevention (DLP) rules based on sensitive data in Sharepoint Online, Onedrive for Business and  Exchange Online.

I then noticed that it wasn’t possible to use New-DlpComplianceRule in conjunction with predefined or custom sensitive data types, my code + error:

New-DlpComplianceRule -Name "SocialSecurityRule" -Policy "JosLTest" -ContentContainsSensitiveInformatio
n @{Name="Credit Card Number"; minCount="2"} -BlockAccess $True
The value specified in sensitive information is invalid.
+ CategoryInfo : NotSpecified: (:) [New-DlpComplianceRule], InvalidContentC...mationException
+ FullyQualifiedErrorId : [Server=DB5EUR01WS007,RequestId=4a19a0bd-abea-4e06-9dc1-47fc35be9d63,TimeStamp=16-11-201
6 12:02:24] [FailureCategory=Cmdlet-InvalidContentContainsSensitiveInformationException] D7D004DA,Microsoft.Office
+ PSComputerName :

Fun thing is, this is actually exactly as Technet shows how it should be done.

So I called support, apparently this is a bug. So, for now, if you want to create a DLP compliance policy and rule, follow this example: Continue reading New-DlpComplianceRule usage / example

EMS Case: Running a Powershell Logonscript like OnedriveMapper on AzureAD joined machines through Intune

A second case, comparable to EMS case: distributing Office templates and macro’s to your users on Windows 10 mobile managed Azure AD Joined devices.

In this case I will show you how to package and distribute a Powershell script (OnedriveMapper in this case) through Intune to MDM enrolled Windows 10 devices.

Continue reading EMS Case: Running a Powershell Logonscript like OnedriveMapper on AzureAD joined machines through Intune

Removing and aliases from all groups, users and contacts in your Active Directory

My current customer had a little dabble in Office 365, they set up their Hybrid configuration and added their email alias to all their users and groups. This mostly happens automatically.

They then later decided to go with a new, different Office 365 tenant for production purposes, the old tenant was dismantled and the AADConnect server was deleted.

However, all AD objects still had their alias for the old Office 365 tenant, syncing that to the new tenant would be a bad idea and I cleaned that up just to be sure it wouldn’t cause trouble in the future, here’s how I did that:


O365GroupSync beta release

O365GroupSync is a tool that I am building for a large global NGO, because AADConnect creates Read-Only objects in Office 365.test

Read-Only objects cannot be edited in Office 365, thus users are unable to edit distribution lists in Office 365’s Outlook Web Accress (OWA) even if they are managers of said lists.

O365GroupSync was built to take over the synchronisation and initial seeding of all distribution lists, both ways, to allow users to edit distribution lists while in a hybrid Office 365 Exchange Online scenario, both on premises and in the cloud.

This beta version has been tested, but is not yet running in any production environments.

Get it here

New Azure Active Directory Powershell functions in v1.1.166.0 allow specifying global data location per service

The latest release offers three new commands:

Retrieves all the current allowed data locations of a company from Azure Active Directory.
The Get-MsolCompanyAllowedDataLocation cmdlet can be used to retrieve all
the current allowed data locations of a company from Azure Active
Directory. If a company has not opted in the multinational feature or has
no allowed data locations, then the cmdlet will return an empty list.


Enables the multinational feature for a service type for a company with Azure Active Directory.

The Set-MsolCompanyMultiNationalEnabled cmdlet will attempt to enable the multinational feature for a service type for a company in v1. Note that disabling/opting out from the multinational feature for a service type is not supported in v1. This cmdlet will return an error with the failure reason if the multinational feature for a service type cannot be enabled for a company.

Example: Set-MsolCompanyMultiNationalEnabled -ServiceType MicrosoftCommunicationsOnline -Enable $True


Sets an allowed data location for a service type for a company in Azure Active Directory.

The Set-MsolCompanyAllowedDataLocation cmdlet will attempt to set an allowed data location or update an existing allowed data location for a service type for a company in v1.

Example:  Set-MsolCompanyAllowedDataLocation -ServiceType
MicrosoftCommunicationsOnline -Location EUR