A Cloud Guy – Page 5 – Azure, M365, AWS and IT in general

Azure AD – Manage stale devices

May 22, 2022July 3, 2021 by Kumaran

A device that has been registered with Azure AD but has not been used to access any cloud apps for a specific timeframe is stale device. In a perfect world, Azure AD registered devices should be unregistered when they aren’t needed anymore..well..duh!

In the environments I manage, most of the times devices are lost, broken, forgotten in trains and taxis or have their OS reinstalled. These numbers grow fairly quickly if a process is not put in place. I had to live and learn this.

Beyond interfering with the device’s general lifecycle, these stale devices can make it hard for identifying the devices associated with the user. Plus it’s ideal to have a clean state of devices to meet various compliance requirements.

Table of Contents

Define a policy

Similar to having policies for on-premise AD objects, it is better to define a policy of Azure AD objects.

Define a timeframe – It is better to pick a timeframe that follows your on-premise AD inactive objects
Categorize to better understand your stale device management
- MDM-controlled devices – Retire devices in Intune or other MDM solutions before disabling or deleting it
- System-managed devices – Don’t delete. These devices are generally devices such as Autopilot. Once deleted, these devices can’t be re-provisioned
- Hybrid Azure AD joined devices
  - Windows 10 – Disable or delete in on-premises AD, and let Azure AD Connect synchronize the changed device status to Azure AD
  - Windows 7/8 – Disable or delete in on-premises AD, Azure AD Connect can’t be used disable or delete these devices in Azure AD. Instead, these devices must be disabled/deleted in Azure AD.
- Azure AD joined devices – Disable or delete in Azure AD
- Azure AD registered devices – Disable or delete in Azure AD

What happens when a device is disabled?

Any authentication where a device is being used to authenticate to Azure AD are denied.

Hybrid Azure AD joined device – Users might be able to use the device to sign-in to their on-premises domain. However, they can’t access Azure AD resources such as Microsoft 365
Azure AD joined device – Users can’t use the device to sign in
Mobile devices – Users can’t access Azure AD resources such as Microsoft 365

How to remove a registration on the client?

Even after a device is disabled or deleted in the Azure portal or by using Windows PowerShell, the local state on the device will say that it’s still registered.

This operation is by design. In this case, the device doesn’t have access to resources in the cloud. Deleting an Azure AD device does not remove registration on the client. It will only prevent access to resources using device as an identity.

To remove Windows 10 device registration – Go to Settings > Accounts > Access Work or School. Select your account and select Disconnect. Device registration is per user profile

For iOS and Android, Open Microsoft Authenticator, Settings > Device Registration and select Unregister device

Detecting stale devices

The ApproximateLastLogonTimestamp or activity timestamp property in Azure AD comes in handy to detect stale devices. If the difference between now and the value of the activity timestamp exceeds the defined timeframe for active devices, a device is considered to be stale. The evaluation of the activity timestamp is triggered by an authentication attempt of a device.

Cleanup stale devices

The Azure AD portal does allow you to remove stale devices but it is better to use PowerShell. Typical steps are as follows,

Connect to Azure AD using Connect-AzureAD cmdlet
Get list of devices using Get-AzureADDevice (Get-AzureADDevice cmdlet excludes system-managed devices by default)
Disable device using Set-AzureADDevice cmdlet (disable by using -AccountEnabled option)
Define and wait for grace period depending on your environment before deleting devices
Remove device using Remove-AzureADDevice cmdlet

The account updating devices in Azure AD will need one of the following roles assigned:

Global Administrator
Cloud Device Administrator
Intune Service Administrator

To get all devices and store the returned data in a CSV file:

Get-AzureADDevice -All:$true | select-object -Property AccountEnabled, DeviceId, DeviceOSType, DeviceOSVersion, DisplayName, DeviceTrustType, ApproximateLastLogonTimestamp | export-csv stale-devicelist.csv -NoTypeInformation

To get all devices that haven’t logged on in 120 days and return data in a CSV file:

$sd = (Get-Date).AddDays(-120)
Get-AzureADDevice -All:$true | Where {$_.ApproximateLastLogonTimeStamp -le $sd} | select-object -Property AccountEnabled, DeviceId, DeviceOSType, DeviceOSVersion, DisplayName, DeviceTrustType, ApproximateLastLogonTimestamp | export-csv devicelist-olderthan-120days.csv -NoTypeInformation

Disable devices that haven’t logged on in the past 120 days:

$sd = (Get-Date).AddDays(-120)
Get-AzureADDevice -All:$true | Where {$_.ApproximateLastLogonTimeStamp -le $sd}
foreach ($Device in $Devices) {
Set-AzureADDevice -ObjectId $Device.ObjectId -AccountEnabled $false
}

Delete disabled devices that have been inactive the past 120 days. Remove-AzureADDevice will delete devices without prompting. There is no way to recover deleted devices.

$sd = (Get-Date).AddDays(-120)
$Devices = Get-AzureADDevice -All:$true | Where {($_.ApproximateLastLogonTimeStamp -le $sd) -and ($_.AccountEnabled -eq $false)}
foreach ($Device in $Devices) {
Remove-AzureADDevice -ObjectId $Device.ObjectId
}

Remember that when configured, BitLocker keys for Windows 10 devices are stored on the device object in Azure AD. If you delete a stale device, you also delete the BitLocker keys that are stored on the device. Confirm that your cleanup policy aligns with the actual lifecycle of your device before deleting a stale device.

Thank you for stopping by.✌

Azure – Integrate Azure AD B2C with ServiceNow

July 17, 2022June 2, 2021 by Kumaran

If you aren’t familiar with Azure AD B2C, it is a customer identity access management (CIAM) solution and is a separate service from Azure Active Directory (Azure AD). It is built on the same technology as Azure AD but for a different purpose. It allows businesses to build customer facing applications, and then allow anyone to sign up into those applications with no restrictions on user account. Azure AD B2C uses standards-based authentication protocols including OpenID Connect, OAuth 2.0, and SAML.

In an earlier post, I detailed steps on how to configure ServiceNow with Azure AD SSO. In this post, I will go through steps on how to integrate Azure AD B2C with ServiceNow.

Below is a diagram show the high level implementation steps on how to do this integration,

OpenID Connect (OIDC) is an identity layer built on top of the OAuth protocol, which provides a modern and intuitive Single Sign-on (SSO) experience. ServiceNow supports OIDC to authenticate users in Azure B2C.

I will not cover the Azure AD B2C tenant creation steps in this post.

Table of Contents

Create new user flow

A user flow lets us determine how users interact with our application when they do things like sign-in, sign-up, edit a profile, or reset a password.

Sign in to the Azure portal
Make sure you’re using the directory that contains your Azure AD B2C tenant. Select the Directories + subscriptions icon in the portal toolbar
On the Portal settings | Directories + subscriptions page, find your Azure AD B2C directory in the Directory name list, and then select Switch
In the Azure portal, search for and select Azure AD B2C
Under Policies, select User flows, and then select New user flow

On the Create a user flow page, select the Sign up and sign in user flow
Under version, select Recommended, and then select Create

Enter a Name for the user flow. For example, su_si-1
For Identity providers, select Email signup
Under User attributes and token claims, choose the claims and attributes to collect and send from the user during sign-up. Select Show more, and then choose attributes and claims. Click OK. Below screenshot shows the attributes I’m collecting but it is up to you. These attributes can be modified in the user flow at any time

Click Create to add the user flow. A prefix of B2C_1_ is automatically prefixed to the name

Create App Registration

Stay logged into the Azure portal
Make sure you are in the B2C directory
In the left navigation menu, under Manage, Click App registrations, and then select New registration
Enter a Name for the application. For example, ServiceNow
Under Supported account types, select Accounts in any identity provider or organizational directory (for authenticating users with user flows)
Under Redirect URI, select Web then enter your ServiceNow instance with /navpage.do in the URL text box
Under Permissions, select the Grant admin consent to openid and offline_access permissions check box
Click Register

Create a client secret

The client secret is also known as an application password. The secret will be used by ServiceNow to exchange an authorization code for an access token

In the left menu, under Manage, select Certificates & secrets
Click New client secret
Enter a description for the client secret in the Description box. For example, SnowSecret
Under Expires, select a duration for which the secret is valid, and then select Add
- Note down the secret’s Value for use in ServiceNow. This value is never displayed again after you leave this page

Information needed to configure ServiceNow instance

Click on the Overview, copy the Application (client) ID
Next Click Endpoints
Copy the value in Azure AD B2C OpenID Connect metadata document
Replace with the User flow name we created earlier e.g. B2C_1_su_si-1. Browse to the URL in a Web browser to confirm you have the right URL
You should have these 3 values,
- Application (client) ID
- Client Secret Value
- OIDC well-known endpoint

Configure ServiceNow Instance

Hopefully, you already have SSO enabled in your ServiceNow instance. If not, please refer to this earlier post of mine

Search for multi-provider sso and click Properties
Enable multiple provider SSO
- You’ll be asked to setup a recovery account

Under Multi-Provider SSO and click Identity Providers
Click New
Click OpenID Connect
In the Import OpenID Connect Well Known Configuration window, provide following information
- Name = Name of the IdP you wish. Example, B2C
- Client ID = Application (client) ID from Azure B2C application
- Client Secret = Client Secret Value we created earlier in the application
- Well Known Configuration URL = URL we constructed earlier with the policy name
Click Import

Make sure the new IdP is marked Active and Show as Login option is checked

Click on the OIDC Entity tab and click to open the OIDC Entity
Click on OAuth Entity Scopes, double-click on OAuth scope and replace openid with the below value
- Use your Application (client) ID from B2C app registration

<Application (client) ID> openid offline_access profile email

This OAuth Scope value is required to generate an access token and without that ServiceNow will error out with a missing parameter. I realized this later on based on my research. I initially left it at openid and searching with the error, lead me to this.

Click Update to save changes
Click on OIDC Provider Configuration
Click on OIDC provider value

Update the User Claim to emails

Click Update
To keep things simple, I’m not enabling the Automatic user provisioning option
- You can choose to enable automatic user provisioning during user login. When automatic user provisioning is enabled, a user record is automatically created in the ServiceNow instance if that user record does not exist.
Back in the Identity provider window, Click Update to save the OIDC Identity Provider values
Navigate to the login page of the instance to verify that IdP appears as a login option

Create a test user in ServiceNow and login with the credentials to test if the IdP configuration works
Optionally you can browse to the login page with the URL in following format,
- To determine the sys_id, open the OIDC Identity provider we created, right-click on the grey bar and click Copy sys_id
- Replace this sys_id in the URL below
- This URL will take you directly to the sign-in page

https://<yourinstance>/login_with_sso.do?glide_sso_id=<sys_id>

Hope this post helped you in setting up your ServiceNow instance with Azure AD B2C.

Thank you for stopping by. ✌

Office 365 – Plus Addressing – Updated

June 8, 2022May 20, 2021 by Kumaran

Table of Contents

What is Plus addressing?

Plus addressing or subaddressing is available in Exchange Online. Plus addressing is using a unique, dynamically created receive-only email addresses for mailboxes.

Basic syntax of an SMTP email address: @. Example, JohnD@domain.com
Plus addressing syntax: +@. Example, JohnD+statements@domain.com

The original email address must be valid one. The +tag value is arbitrary, although regular character restrictions for SMTP email addresses apply.

Here is a scenario, Let’s say the users’ email address is JohnD@domain.com. User can use plus addresses as unique addresses for services that you sign up for, right after the local part (JohnD) and add (string) of choice. So for instance, to receive all bank statement, the user can end up with something like this: JohnD+statements@domain.com

Plus addressing Limitations

When using plus addressing, there are a few things to keep in mind:

Plus addresses aren’t aliases in Exchange Online
- Hence, it can be used only to receive messages and not send them
- It does not resolve to a user’s name in Outlook clients, so it is easily identifiable in the To and CC fields
In a Hybrid environment, plus addressing won’t work for on-premises mailboxes that do not resolve in Exchange Online
Web Developers are aware of plus addresses and some online forms/services won’t accept a plus sign in the email field
Some subscription services require the user use the original email address that they subscribed with
- Can’t unsubscribe with plus email address

Enabling the feature

Enable using the Exchange admin center

Login to the new Exchange admin center (https://admin.exchange.microsoft.com)
In the left navigation menu Settings > Mail flow
Select Turn on plus addressing for your organization, and then select Save

Note: After the plus addressing is turned on by default in April 2022, you will see the option Turn off plus addressing for your organization if you are following the above steps. Which will be unchecked meaning it is turned on. So placing a checkmark will turn off plus addressing. See screenshot below.

Enable using Exchange Online PowerShell

Before proceeding further make sure you are connected to Exchange Online,

$o365cred = Get-Credential
Connect-ExchangeOnline -credential $o365cred

The cmdlet uses below syntax:

Set-OrganizationConfig -AllowPlusAddressInRecipients $true

Disable using Exchange Online PowerShell

This setting will be effective only after plus addressing is turned on by default in all organizations starting in late April 2022. Before that happens, plus addressing can be disabled in the O365 tenant by using the AllowPlusAddressInRecipients parameter I described earlier with the value $false value. This can also be proactively set, you don’t have to wait for it to be turned on by default.

To disable plus addressing in the O365 tenant:

Set-OrganizationConfig -DisablePlusAddressInRecipients $true

Determine settings with PowerShell

To determine plus address related settings in the exchange organization:

Get-OrganizationConfig | Select *PlusAddress* | fl

Hope this helped you in understanding the plus address settings in O365.

Thank you for stopping by. ✌

Azure AD – Create Dynamic Groups

May 22, 2022May 16, 2021 by Kumaran

In Azure AD you can create dynamic groups based on user or device properties. Users or devices can be automatically added or removed based on the group’s definition, so you don’t have to maintain the list of users in this group manually.

Whenever any property of a user or device changes, all dynamic group rules in your Azure AD tenant are reevaluated to determine if the user or device should still remain in the group. If a user or device satisfies a rule on a group, they are added as a member and If they no longer satisfy the rule, they are removed.

Manually adding or removing users from dynamic groups is not allowed.

Table of Contents

Why use Dynamic Groups?

Simply put, dynamic groups have query-based memberships. This helps in maintaining group membership and application access depending on the query defined. For example, A dynamic group can be defined for all Marketing department users based on the value filled in the ‘department’ attribute. The conditions can also be combined. Following the same example above, a dynamic group of all Marketing department users from New York or a dynamic group with a list of users who report to a specific manager and need access to an application.

In a scenario where you are maintaining user access to applications based on the department, location, this comes in handy.

Note: You need Azure AD P1 and above to be able to create dynamic groups.

Dynamic Groups in Azure AD

Azure AD admin center provides a rule builder to create and/or update the dynamic group rules.

In the below steps I’ll create a dynamic group in my tenant with users who are in the Marketing department,

Sign in to the Azure AD admin center portal (https://aad.portal.azure.com/) as global administrator
Select Azure Active Directory –> Click on the Groups tab –> New group
In New Group:
- Select Security as the group type
- Enter ‘Marketing Department Users’ as the name and description for the group
- Change Membership type to Dynamic User
Select Owners and in the Add Owners blade search for any desired owners. Click on the desired owners to add to the selection
Click Select to close the Add Owners blade
Click Add dynamic query in the Dynamic user members

On the Dynamic membership rules blade:
- In the Property field, click on the existing value and select department
- The Operator field as Equals
- Select the Value field and type ‘Marketing Department Users’

Azure AD now provides an option to validate dynamic group rules. On the Validate rules tab, you can validate your dynamic rule against sample group members to confirm the rule is working as expected. This feature is now in public preview.

The rule builder supports the construction of up to 5 expressions. You also need to use the text editor for setting operator precedence, and for writing more complex rules. The rule builder can’t be used to reproduce every rule.

*‘Add Expression’ disabled after 5 expressions defined*

If the rule builder doesn’t support the rule you want to create, the text box can be used. And below are some of the scenarios to use the text box,

Rule with more than 5 expressions
Direct reports rule
- For the rule to work, make sure the Manager property is set correctly for users. If you are syncing from your on-premise AD, make sure the Manager attribute is filled
- When the manager’s direct reports change in the future, the group’s membership is adjusted automatically
- This rule can’t be combined with any other membership rules
Setting operator precedence
- All operators are listed below in order of precedence from highest to lowest. Operators on same line are of equal precedence:
  1. -eq -ne -startsWith -notStartsWith -contains -notContains -match –notMatch -in -notIn
  2. -not
  3. -and
  4. -or
  5. -any -all
Rules with complex expressions
- Property consists of a collection of values; specifically, multi-valued properties
  - assignedPlans
  - proxyAddresses
- Expressions use the -any and -all operators
  - -any (At least one item in the collection matches the condition)
  - -all (All items in the collection match the condition)
- Value of the expression can itself be one or more expressions

Constructing a membership rule

Three parts of a simple rule are Property, Operator and Value

Supported properties

Three types of properties that can be used to construct a rule are Boolean, String and String collection.

The following are the user properties that can be used to create a single expression.

Boolean

Properties	Allowed values	Usage
accountEnabled	true false	user.accountEnabled -eq true
dirSyncEnabled	true false	user.dirSyncEnabled -eq true

String

Properties	Allowed values	Usage
city	Any string value or null	(user.city -eq “value”)
country	Any string value or null	(user.country -eq “value”)
companyName	Any string value or null	(user.companyName -eq “value”)
department	Any string value or null	(user.department -eq “value”)
displayName	Any string value	(user.displayName -eq “value”)
employeeId	Any string value	(user.employeeId -eq “value”) (user.employeeId -ne null)
facsimileTelephoneNumber	Any string value or null	(user.facsimileTelephoneNumber -eq “value”)
givenName	Any string value or null	(user.givenName -eq “value”)
jobTitle	Any string value or null	(user.jobTitle -eq “value”)
mail	Any string value or null (SMTP address of the user)	(user.mail -eq “value”)
mailNickName	Any string value (mail alias of the user)	(user.mailNickName -eq “value”)
mobile	Any string value or null	(user.mobile -eq “value”)
objectId	GUID of the user object	(user.objectId -eq “11111111-eeee-1111-aaaa-111111111111”)
onPremisesSecurityIdentifier	On-premises security identifier (SID) for users who were synchronized from on-premises to the cloud.	(user.onPremisesSecurityIdentifier -eq “S-1-1-11-1111111111-1111111111-1111111111-1111111”)
passwordPolicies	None DisableStrongPassword DisablePasswordExpiration DisablePasswordExpiration, DisableStrongPassword	(user.passwordPolicies -eq “DisableStrongPassword”)
physicalDeliveryOfficeName	Any string value or null	(user.physicalDeliveryOfficeName -eq “value”)
postalCode	Any string value or null	(user.postalCode -eq “value”)
preferredLanguage	ISO 639-1 code	(user.preferredLanguage -eq “en-US”)
sipProxyAddress	Any string value or null	(user.sipProxyAddress -eq “value”)
state	Any string value or null	(user.state -eq “value”)
streetAddress	Any string value or null	(user.streetAddress -eq “value”)
surname	Any string value or null	(user.surname -eq “value”)
telephoneNumber	Any string value or null	(user.telephoneNumber -eq “value”)
usageLocation	Two lettered country/region code	(user.usageLocation -eq “US”)
userPrincipalName	Any string value	(user.userPrincipalName -eq “alias@domain”)
userType	member guest null	(user.userType -eq “Member”)

String Collection

Properties	Allowed values	Usage
otherMails	Any string value	(user.otherMails -contains “alias@domain”)
proxyAddresses	SMTP: alias@domain smtp: alias@domain	(user.proxyAddresses -contains “SMTP: alias@domain”)

Supported expression operators

Operators can be used with or without the hyphen (-) prefix. Contains operator does partial string matches but not item in a collection matches. Following are the supported operators and their syntax for a single expression,

Syntax	Operator
-ne	Not Equals
-eq	Equals
-notStartsWith	Not Starts With
-startsWith	Starts With
-notContains	Not Contains
-contains	Contains
-notMatch	Not Match
-match	Match
-in	In
-notIn	Not In

Supported values

Values used in an expression can consist of several types, including:

Strings
Boolean = true or false
Numbers
Arrays = number array, string array

To specify a null value in a rule, you can use the null value. The -not operator can’t be used as a comparative operator for null.

Common rules in a typical environment

Below, I will go over some of the rules that are typically used in production environments

“Direct reports” rule

This rule supports only the manager’s direct reports. A group consisting of manager’s direct reports and their reports can’t be created.

Use below syntax. Object ID can be found in the user’s(in this case, the user who is the manager) profile in Azure AD.

Direct Reports for "{objectID_of_manager}"

“All users” rule

Include only members of your organization and exclude guest users.

(user.objectId -ne null) -and (user.userType -eq "Member")

Device Rules

A rule to select devices objects can also be created for membership in a group. Both users and devices as group members is not allowed.

Below are the device attributes,

Device attribute	Values	Example(s)
accountEnabled	true false	(device.accountEnabled -eq true)
displayName	any string value	(device.displayName -eq “Bob iPhone”) (device.deviceOSType -eq “iPad”) -or (device.deviceOSType -eq “iPhone”) (device.deviceOSType -contains “AndroidEnterprise”) (device.deviceOSType -eq “AndroidForWork”) (device.deviceOSType -eq “Windows”)
deviceOSVersion	any string value	(device.deviceOSVersion -eq “9.1”) (device.deviceOSVersion -startsWith “10.0.1”)
deviceCategory	a valid device category name	(device.deviceCategory -eq “BYOD”)
deviceManufacturer	any string value	(device.deviceManufacturer -eq “Samsung”)
deviceModel	any string value	(device.deviceModel -eq “iPad Air”)
deviceOwnership	Personal, Company, Unknown	(device.deviceOwnership -eq “Company”)
enrollmentProfileName	Apple Device Enrollment Profile name, Android Enterprise Corporate-owned dedicated device Enrollment Profile name, or Windows Autopilot profile name	(device.enrollmentProfileName -eq “DEP iPhones”)
isRooted	true false	(device.isRooted -eq true)
managementType	MDM (for mobile devices)	(device.managementType -eq “MDM”)
deviceId	a valid Azure AD device ID	(device.deviceId -eq “d4fe7726-5966-431c-b3b8-cddc8fdb717d”)
objectId	a valid Azure AD object ID	(device.objectId -eq “76ad43c9-32c5-45e8-a272-7b58b58f596d”)
devicePhysicalIds	any string value used by Autopilot, such as all Autopilot devices, OrderID, or PurchaseOrderID	(device.devicePhysicalIDs -any _ -contains “[ZTDId]”) (device.devicePhysicalIds -any _ -eq “[OrderID]:179887111881”) (device.devicePhysicalIds -any _ -eq “[PurchaseOrderId]:76222342342”)
systemLabels	any string matching the Intune device property for tagging Modern Workplace devices	(device.systemLabels -contains “M365Managed”)

Update an existing rule

Sign in to the Azure AD admin center portal (https://aad.portal.azure.com/) as global administrator
Select Azure Active Directory –> Click on the Groups tab –> All groups
Select a group to open it
On the profile page for the group, select Dynamic membership rules

After updating the rule, select Save

Dynamic Groups with PowerShell

To create dynamic groups

Use the New-AzureADMSGroup cmdlet,

New-AzureADMSGroup -DisplayName "Sales Department Users" -Description "Sales Department Users" -MailEnabled $false -MailNickname "SalesDepartmentUsers" -SecurityEnabled $true -GroupTypes "DynamicMembership" -MembershipRule "(User.department -eq ""Sales"")" -MembershipRuleProcessingState "On"

To update dynamic groups

Use the Set-AzureADMSGroup cmdlet,

Set-AzureADMSGroup -Id '23c2768b-6cef-4006-a052-d9b288b4d17c' -MembershipRule "(User.department -eq ""Sales"") and (user.city -eq ""Tulsa"")"

PowerShell: Set-AzureADMSGroup

Another interesting part I came across when I was exploring dynamic groups is, I was trying to create a dynamic group of administrators to whom I can assign an Azure AD role. And it turns out, the membership type for role-assignable groups must be Assigned and can’t be an dynamic group. This makes sense as automated population of groups could lead to unwanted access being granted.

Thank you for stopping by. ✌

Teams – Reports with PowerShell – Updated

September 12, 2022May 2, 2021 by Kumaran

It is important to know about the current state of your Teams rollout and this is one of those which can easily get out of control in a blink of an eye. I wanted to understand and determine the current Teams state in a tenant I manage and I had to create reports to present.

The portal does give a few options to export the data but I decided to take a look at the option the Teams PowerShell module offers. I spent some time on creating a script that will output these five reports,

All Teams data with Channel type, Channel count, Channel count with types, Teams member count and owners count
Teams users data with role information
Channel information for each Teams with Channel types
Channel user information with user information and role
Permissions on each Teams

This report can also be scheduled to run if you already use a mechanism to store your credentials securely and pass it on to your PS scripts.

I use the ImportExcel PowerShell module for this script,

Install-Module -Name ImportExcel

Before proceeding further, make sure you have the Teams PowerShell module installed. You’ll need to run this script with Teams Administrator role.

$TeamsCred = Get-Credential
Connect-MicrosoftTeams -credential $TeamsCred

$xlsxPath = ".\Teams-Report_$((Get-Date).ToString("MMddyyyy")).xlsx"

Get-Team | Select GroupId,DisplayName,MailNickName,Archived,Visibility,Description | foreach {
        $ID = $_.GroupId
        $TeamName = $_.DisplayName
        $NickName = $_.MailNickName
        $Archived = $_.Archived
        $visibility = $_.Visibility
        $Description = $_.Description
        $ch = Get-TeamChannel -GroupId $ID
        $ChannelCount = $ch.count
        $TeamUser = Get-TeamUser -GroupId $ID
        $TeamMemberCount = $TeamUser.Count
        $TeamOwnerCount = ($TeamUser | ?{$_.role -eq "owner"}).count
        $stdchannelCount = ($ch | ?{$_.MembershipType -eq "Standard"}).count
        $privchannelCount = ($ch | ?{$_.MembershipType -eq "Private"}).count

        [PSCustomObject]@{
                  'Teams Name'=$TeamName;
                  'Teams MailNickName'=$NickName;
                  'Teams Type'=$Visibility;
                  'Description'=$Description;
                  'Archived?'=$Archived;
                  'Channel Count'=$ChannelCount;
                  'Standard Channel Count'=$stdchannelCount;
                  'Private Channel Count'=$privchannelCount;
                  'Team Members Count'=$TeamMemberCount;
                  'Team Owners Count'=$TeamOwnerCount} | Export-Excel -Path $xlsxPath -WorksheetName "All Teams Report" -TableStyle Medium16 -AutoSize -Append
}

Get-Team | foreach {
    $ID = $_.GroupId;
    $TeamName = $_.DisplayName;
    $NickName = $_.MailNickName;
    Get-TeamUser -GroupId $ID | Select User,Name,Role |
    Foreach {
		[PSCustomObject]@{
			'Teams ID' = $ID;
			'Teams Name' = $TeamName;
			'Teams MailNickName' = $NickName;
                        'User UPN' = $_.User;
			'User DisplayName' = $_.Name;
			'Role' = $_.Role
		}
    }
} | Export-Excel -Path $xlsxPath -WorksheetName "Teams_users" -TableStyle Medium16 -AutoSize

Get-Team | Foreach {
    $ID = $_.GroupId;
    $TeamName = $_.DisplayName;
    $NickName = $_.MailNickName;
    Get-TeamChannel -GroupId $ID | Select Id, DisplayName, MembershipType |
    Foreach {
		[PSCustomObject]@{
			'Teams ID' = $ID;
			'Teams Name' = $TeamName;
			'Teams MailNickName' = $NickName;
			'Channel Name' = $_.DisplayName;
			'Channel Type' = $_.MembershipType
		}
	}
} | Export-Excel -Path $xlsxPath -WorksheetName "Channels" -TableStyle Medium16  -AutoSize

Get-Team | Foreach {
    $ID = $_.GroupId;
    $TeamName = $_.DisplayName;
    $NickName = $_.MailNickName;
    Get-TeamChannel -GroupId $ID | Select DisplayName | 
            Foreach {
            $chName = $_.DisplayName;
                Get-TeamChannelUser -GroupId $ID -DisplayName $chName | Select User,Name,Role |
                    Foreach {
		                [PSCustomObject]@{
			                'Teams Name' = $TeamName;
			                'Channel Name' = $chName;
                                        'User UPN' = $_.User;
                                        'User DisplayName' = $_.Name;
                                        'User Role' = $_.Role
		    }
        }
    }
} | Export-Excel -Path $xlsxPath -WorksheetName "Channel_Users" -TableStyle Medium16  -AutoSize

Get-Team | foreach {
   $nickName = $_.MailNickName
   Get-Team -MailNickName $nickName | Select -Property * |
	Foreach {
		[PSCustomObject]@{
			'Teams ID' = $_.GroupId;
			'Teams Display Name' = $_.DisplayName;
                        'Teams MailNickName' = $nickName;
                        'Giphy Allowed?' = $_.AllowGiphy;
                        'Giphy Content Rating' = $_.GiphyContentRating;
                        'Allow Stickers And Memes' = $_.AllowStickersAndMemes;
                        'Allow Custom Memes' = $_.AllowCustomMemes;
                        'Allow Guest to Create & Update Channels' = $_.AllowGuestCreateUpdateChannels;
                        'Allow Guest to Delete Channels' = $_.AllowGuestDeleteChannels;
                        'Allow Members to Create & Update Channels' = $_.AllowCreateUpdateChannels;
                        'Allow Members to Create Private Channels' = $_.AllowCreatePrivateChannels;
                        'Allow Members to Delete Channels' = $_.AllowDeleteChannels;
                        'Allow Members to Add & Remove Apps'= $_.AllowAddRemoveApps;
                        'Allow Members to Create Update Remove tabs' = $_.AllowCreateUpdateRemoveTabs;
                        'Allow Members to Create Update Remove Connectors' = $_.AllowCreateUpdateRemoveConnectors;
                        'Allow Members to Edit Messages' = $_.AllowUserEditMessages;
                        'Allow Members to Delete Messages' = $_.AllowUserDeleteMessages;
                        'Allow Owner to Delete Messages' = $_.AllowOwnerDeleteMessages;
                        'Allow Team Mentions' = $_.AllowTeamMentions;
                        'Allow Channel Mentions' = $_.AllowChannelMentions;
                        'Show In Teams Search & Suggestions' = $_.ShowInTeamsSearchAndSuggestions
		}
    }
} | Export-Excel -Path $xlsxPath -WorksheetName "Teams_permissions" -TableStyle Medium16 -AutoSize

Hope this script was helpful in determining the current state of your Teams deployment.

Thank you for stopping by. ✌