For a customer case/project, we wanted to move only recently synced/modified Sharepoint Online data from Tenant A to the user’s Desktop on the device itself.
The Desktop was synced to Onedrive for Business in Tenant B.
After copying, files from Tenant A should become read-only on the local device, and the link in Explorer to Tenant A’s sharepoint should be removed, including the actual onedrive sync relationship to prevent further ul/dl’s.
When a user leaves the organization, their Onedrive folders/files remain until either the user is permanently deleted or the retention policy covering their data expires.
Many organizations have set up a retention policy in Office 365 to retain data in Onedrive for several years, sometimes even indefinitely.
Few know, that as long as you retain a user’s onedrive, the files and folders that were shared, by default, remain shared and accessible by those they were shared with, including externals.
Azure AD’s sign in logs also only go back 30 days, which makes it highly recommended to stream Azure AD’s sign in logs to a Log Analytics workspace (Azure Monitor). You just need one single P1 license in your tenant to be able to enable this.
My script gets the last sign in data of all guest accounts in your tenant, without any dependencies other than the Az PS module.
If a guest user has never signed in, the creationDate is used to determine inactivity. Otherwise either the last interactive or last non interactive sign in is used (whichever is most recent).
Additionally, the script can also be configured to automatically clean up any guest accounts that have been inactive for a given number of days by using the -removeInactiveGuests switch.
Even in large environments, processing only takes a few minutes at most.
Microsoft started using these properties in april 2020, so accounts active before that will seem like they have never been active.
Scheduling
This script supports running non-interactive as a runbook in Azure Automation if you supply the -nonInteractive switch. Before this will work, you’ll have to enable Managed Identity on your automation account and run a small script to assign graph permissions to the Managed Identity: AuditLog.Read.All and Organization.Read.All
Reports
If you wish, you can also let the script mail you a report in CSV format. Add the Mail.Send graph permissions like you did with device permissions and give the MailFrom and MailTo parameters a value.
Disclaimer
As always this script is provided as-is and should be reviewed and then used at your own risk.
With the introduction of Onedrive Sync Heath in the Office portal, we have a much improved view on sync errors of our users. Errors they may not even be aware of.
However, there is no remediation option, so I am sharing a framework based on previous work in Proactive Remediations that can report on the Onedrive client status and trigger a remediation, which looks like this:
Currently, the only remediation method is to restart the Onedrive client, but the script is easily adjusted for additional remediation actions or conditions the community deems useful.
When Paused or Disabled are detected, there is no remediation as this is not technically an error but something the user manually set. This can be adjusted to your local needs easily.
You can find the Proactive Remediation script on Gitlab: