ProvisionAndGetFiles()
21 | {
22 | var testfiles = new[]
23 | {
24 | new SourceFile
25 | {
26 | Filename = "test.txt",
27 | LastModified = DateTime.Now,
28 | Contents = Encoding.UTF8.GetBytes("Hi, this is a test text-file"),
29 | Title = "Title of file 1"
30 | },
31 | new SourceFile
32 | {
33 | Filename = "test2.txt",
34 | LastModified = DateTime.Now.AddDays(-1),
35 | Contents = Encoding.UTF8.GetBytes("Tesfile2"),
36 | Title = "Second title"
37 | }
38 | };
39 |
40 | _log.Debug("Removing all existing files on test blob...");
41 | _azureBlob.RemoveAllFiles();
42 |
43 | _log.Debug($"Uploading {testfiles.Length} files on test blob...");
44 | foreach (var testfile in testfiles)
45 | _azureBlob.UploadFile(testfile.Filename, testfile.Contents);
46 |
47 | return testfiles;
48 | }
49 |
/// <summary>
/// Asks the blob helper for a URI that carries the Read and List shared-access permissions.
/// </summary>
/// <returns>The <see cref="Uri"/> returned by <c>_azureBlob.GetUri</c>.</returns>
/// <remarks>
/// NOTE(review): the lifetime and scope of the grant are decided inside GetUri, which is not
/// visible here. Confirm the expiry is short and that callers do not log the returned URI.
/// </remarks>
public Uri GetBlobUri()
{
    // Only read-style permissions are requested; no write or delete flag is combined in.
    var requested = SharedAccessBlobPermissions.Read | SharedAccessBlobPermissions.List;

    return _azureBlob.GetUri(requested);
}
54 | }
55 | }
--------------------------------------------------------------------------------
/CustomSolutions/TeamTemplateExport/UpdateMessage.cs:
--------------------------------------------------------------------------------
1 | using System;
2 |
namespace DistributeTemplates
{
    /// <summary>
    /// Plain data holder describing one update event. Every member is a public
    /// auto-property with no validation; reference and nullable members default to null.
    /// </summary>
    /// <remarks>
    /// NOTE(review): if instances are filled from an external message, the string members
    /// are untrusted input. Confirm how they are produced before logging or displaying them.
    /// </remarks>
    public class UpdateMessage
    {
        // --- Event identity and timing ---
        public string Event { get; set; }

        public Guid JobId { get; set; }

        public DateTime? Time { get; set; }

        // --- Identifiers of the objects the event refers to ---
        public string SiteId { get; set; }

        public string WebId { get; set; }

        public string DbId { get; set; }

        public string FarmId { get; set; }

        public string ServerId { get; set; }

        public string CorrelationId { get; set; }

        // --- Error details ---
        public string ErrorCode { get; set; }

        public string ErrorType { get; set; }

        public string Message { get; set; }

        // --- Progress counters; the numeric ones are nullable ---
        public int? FilesCreated { get; set; }

        public int? BytesProcessed { get; set; }

        public string ObjectsProcessed { get; set; }

        public int? TotalErrors { get; set; }

        public int? TotalWarnings { get; set; }

        public string LastSpObjectId { get; set; }

        public string TotalExpectedSpObjects { get; set; }
    }
}
--------------------------------------------------------------------------------
/CustomSolutions/TeamTemplateExport/obj/Debug/DesignTimeResolveAssemblyReferencesInput.cache:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OfficeDev/O365-EDU-Tools/1121bf849b6308c8727b657c78fd331ec4157b6e/CustomSolutions/TeamTemplateExport/obj/Debug/DesignTimeResolveAssemblyReferencesInput.cache
--------------------------------------------------------------------------------
/CustomSolutions/TeamTemplateImport/.gitkeep:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/CustomSolutions/TeamTemplateImport/App.config:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/CustomSolutions/TeamTemplateImport/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
5 | // General Information about an assembly is controlled through the following
6 | // set of attributes. Change these attribute values to modify the information
7 | // associated with an assembly.
8 | [assembly: AssemblyTitle("TeamTemplateDistribution")]
9 | [assembly: AssemblyDescription("")]
10 | [assembly: AssemblyConfiguration("")]
11 | [assembly: AssemblyCompany("")]
12 | [assembly: AssemblyProduct("TeamTemplateDistribution")]
13 | [assembly: AssemblyCopyright("Copyright © 2021")]
14 | [assembly: AssemblyTrademark("")]
15 | [assembly: AssemblyCulture("")]
16 |
17 | // Setting ComVisible to false makes the types in this assembly not visible
18 | // to COM components. If you need to access a type in this assembly from
19 | // COM, set the ComVisible attribute to true on that type.
20 | [assembly: ComVisible(false)]
21 |
22 | // The following GUID is for the ID of the typelib if this project is exposed to COM
23 | [assembly: Guid("ecc1369a-6a0a-46c1-89f4-ead3b9d2ba39")]
24 |
25 | // Version information for an assembly consists of the following four values:
26 | //
27 | // Major Version
28 | // Minor Version
29 | // Build Number
30 | // Revision
31 | //
32 | // You can specify all the values or you can default the Build and Revision Numbers
33 | // by using the '*' as shown below:
34 | // [assembly: AssemblyVersion("1.0.*")]
35 | [assembly: AssemblyVersion("1.0.0.0")]
36 | [assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/CustomSolutions/TeamTemplateImport/SQL Scripts/TeamsTemplates.Database.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OfficeDev/O365-EDU-Tools/1121bf849b6308c8727b657c78fd331ec4157b6e/CustomSolutions/TeamTemplateImport/SQL Scripts/TeamsTemplates.Database.sql
--------------------------------------------------------------------------------
/CustomSolutions/TeamTemplateImport/SQL Scripts/dbo.Courses.Table.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OfficeDev/O365-EDU-Tools/1121bf849b6308c8727b657c78fd331ec4157b6e/CustomSolutions/TeamTemplateImport/SQL Scripts/dbo.Courses.Table.sql
--------------------------------------------------------------------------------
/CustomSolutions/TeamTemplateImport/SQL Scripts/dbo.Logs.Table.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OfficeDev/O365-EDU-Tools/1121bf849b6308c8727b657c78fd331ec4157b6e/CustomSolutions/TeamTemplateImport/SQL Scripts/dbo.Logs.Table.sql
--------------------------------------------------------------------------------
/CustomSolutions/TeamTemplateImport/SQL Scripts/dbo.TemplateChannels.Table.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OfficeDev/O365-EDU-Tools/1121bf849b6308c8727b657c78fd331ec4157b6e/CustomSolutions/TeamTemplateImport/SQL Scripts/dbo.TemplateChannels.Table.sql
--------------------------------------------------------------------------------
/CustomSolutions/TeamTemplateImport/SQL Scripts/dbo.TemplateClassFiles.Table.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OfficeDev/O365-EDU-Tools/1121bf849b6308c8727b657c78fd331ec4157b6e/CustomSolutions/TeamTemplateImport/SQL Scripts/dbo.TemplateClassFiles.Table.sql
--------------------------------------------------------------------------------
/CustomSolutions/TeamTemplateImport/SQL Scripts/dbo.TemplateFiles.Table.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OfficeDev/O365-EDU-Tools/1121bf849b6308c8727b657c78fd331ec4157b6e/CustomSolutions/TeamTemplateImport/SQL Scripts/dbo.TemplateFiles.Table.sql
--------------------------------------------------------------------------------
/CustomSolutions/TeamTemplateImport/SQL Scripts/dbo.Templates.Table.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OfficeDev/O365-EDU-Tools/1121bf849b6308c8727b657c78fd331ec4157b6e/CustomSolutions/TeamTemplateImport/SQL Scripts/dbo.Templates.Table.sql
--------------------------------------------------------------------------------
/CustomSolutions/TeamTemplateImport/TeamTemplateImport.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {ECC1369A-6A0A-46C1-89F4-EAD3B9D2BA39}
8 | Exe
9 | TeamTemplateDistribution
10 | TeamTemplateDistribution
11 | v4.7.2
12 | 512
13 | true
14 | true
15 |
16 |
17 | AnyCPU
18 | true
19 | full
20 | false
21 | bin\Debug\
22 | DEBUG;TRACE
23 | prompt
24 | 4
25 |
26 |
27 | AnyCPU
28 | pdbonly
29 | true
30 | bin\Release\
31 | TRACE
32 | prompt
33 | 4
34 |
35 |
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 |
47 |
48 |
49 |
50 |
51 |
52 |
53 |
54 |
55 | 2.1.1
56 |
57 |
58 | 3.25.0
59 |
60 |
61 | 1.0.0-preview.6
62 |
63 |
64 | 7.0.0
65 |
66 |
67 | 5.2.8
68 |
69 |
70 | 4.3.0
71 |
72 |
73 | 9.3.3
74 |
75 |
76 |
77 |
78 |
79 |
80 |
81 |
82 |
83 |
84 |
85 |
86 |
--------------------------------------------------------------------------------
/CustomSolutions/readme:
--------------------------------------------------------------------------------
1 |
2 | Under Custom Solutions, we enter solutions created for customers that could benefit more Education Organizations.
3 | These solutions are to be used as your own solutions and not as Microsoft services. Source code is available under the umbrella agreement of the O365-EDU-Tools.
4 |
5 | Solution TeamTemplateImport, this is the first part of the total solution for Team Templates.
6 | This part will take your source Team templates, download the files to an Azure Storage Account, and store the structure in SQL Azure.
7 | Please read the readme of the project for more detailed instructions.
8 |
9 | Solution TeamTemplateExport, this is the second part of the total solution for Team Templates.
10 | This part will take the source Team templates that you downloaded into Azure blob storage and SQL and distribute the content into the target teams.
11 | Please read the readme of the project for more detailed instructions.
12 |
--------------------------------------------------------------------------------
/LICENSE.txt:
--------------------------------------------------------------------------------
1 | The MIT License
2 |
3 | Copyright (c) 2017 - Microsoft Corporation
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
6 |
7 | The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
8 |
9 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
--------------------------------------------------------------------------------
/LTI Scripts/IdentifyingClassTeams.md:
--------------------------------------------------------------------------------
1 | # Identify Teams visualized by the Teams Classes LTI
2 | Teams created through the Canvas Teams sync, Blackboard Ultra Teams sync, D2L Course Connector for Class Teams, or connected to an LMS course using the Connect Teams UX have a specific extension property set that other Teams and underlying M365 Groups do not have. These special extension properties can be found on Group entity in Graph.
3 |
4 | ## Find 'Groups' visualized by the Teams LTI
5 | We will be using the [groups](https://docs.microsoft.com/en-us/graph/api/group-list?view=graph-rest-1.0&tabs=http) endpoint. An underlying M365 Group object exists for each Team, and when created by the LMS sync mechanisms the schemaExtension of _microsoft_EducationClassLmsExt_ is populated and the [LTI Context ID](https://www.imsglobal.org/spec/lti/v1p3/#lti-context-variable) that the LMS uses to identify the course or section associated with the team is written in the ltiContextId property of that extension.
6 |
7 | _Microsoft_EducationClassLmsExt_ has several properties, not all of which are used, depending on your LMS:
8 | - ltiContextId (required)
9 | - lmsCourseId
10 | - lmsSectionId
11 | - lmsCourseName
12 | - lmsSectionName
13 | - lmsCourseSubject
14 | - lmsCourseDescription
15 |
16 | To identify groups created via LTI, we will filter looking for groups where ltiContextId is not blank.
17 |
18 | **Graph API Request**:
19 | GET https://graph.microsoft.com/v1.0/groups?$count=true&$filter=microsoft_EducationClassLmsExt/ltiContextId ne null&$select=id,displayname,mail,microsoft_EducationClassLmsExt
20 |
21 | **Graph API Request headers** (_required_): `ConsistencyLevel:eventual` ([more info](https://docs.microsoft.com/en-us/graph/aad-advanced-queries?view=graph-rest-1.0&tabs=http))
22 |
23 | **Graph Permissions Required**: `Directory.Read.All`, `Group.Read.All`
24 |
25 | **User/Application Context**: If using delegated permissions with a particular user context, the query will only return Groups that the user is a member of. If run as a Global Administrator, or with Admin consented context then all Groups meeting the criteria can be viewed.
26 |
27 |
28 | This will return the total count, and a list of all LMS associated groups including _id_, _displayName_, _mail_ (upn), and the _microsoft_EducationClassLmsExt_ extension properties. To see [more properties](https://docs.microsoft.com/en-us/graph/api/resources/group?view=graph-rest-1.0#properties), add them to the select statement in the request.
29 |
30 | More than likely, you will see an `@odata.nextLink` property at the beginning of the response. This means you are not getting a full list, and you will need to [page the data](https://docs.microsoft.com/en-us/graph/paging).
31 |
32 |
--------------------------------------------------------------------------------
/LTI Scripts/IdentifyingOneDriveGroups.md:
--------------------------------------------------------------------------------
1 | Groups created to support the OneDrive LTI have a few specific property values that other Groups do not have.
2 |
3 | ## Find M365 Groups created by the OneDrive LTI
4 | We will be using the [groups](https://docs.microsoft.com/en-us/graph/api/group-list?view=graph-rest-1.0&tabs=http) endpoint.
5 |
6 | To identify groups created via the OneDrive LTI, we will filter looking for groups where the displayName starts with 'Course:' and the description contains the issuerName tag matching the name of the LMS.
7 |
8 | **Graph API Request**:
9 | GET https://graph.microsoft.com/v1.0/groups?$count=true&$filter=startsWith(displayName,'Course:')&$search="description:issuerName: Canvas"&$select=id,displayName,email,description
10 |
11 | In the above API call you must replace **Canvas** with the issuerName of your LMS in the $search expression. Possible values for issuerName are: **Canvas**, **Schoology**, **Blackboard**, and **Generic**. These values are case sensitive.
12 |
13 | **Graph API Request headers** (_required_): `ConsistencyLevel:eventual` ([more info](https://docs.microsoft.com/en-us/graph/aad-advanced-queries?view=graph-rest-1.0&tabs=http))
14 |
15 | **Graph Permissions Required**: `Directory.Read.All`, `Group.Read.All`
16 |
17 | **User/Application Context**: If using delegated permissions with a particular user context, the query will only return Groups that the user is a member of. If run as a Global Administrator, or with Admin consented context then all Groups meeting the criteria can be viewed.
18 |
19 |
20 | This will return the total count, and a list of all OneDrive LTI groups including _id_, _displayName_, _mail_ (upn), and _description_ properties. To return [additional property values](https://docs.microsoft.com/en-us/graph/api/resources/group?view=graph-rest-1.0#properties), add them to the comma delimited $select statement in the request.
21 |
22 | More than likely, you will see an `@odata.nextLink` property at the beginning of the response. This means you are not getting a full list, and you will need to [page the data](https://docs.microsoft.com/en-us/graph/paging).
23 |
24 | ### Powershell script example
25 | A [Powershell script example to log Groups](Get-OneDriveLTI-Groups.ps1) created by the OneDrive LTI is also available.
26 |
27 |
--------------------------------------------------------------------------------
/LTI Scripts/README.md:
--------------------------------------------------------------------------------
1 | # Microsoft LMS Integration Resources
2 |
3 | All official LMS Integration documentation is located at https://docs.microsoft.com/en-us/microsoft-365/lti/
4 | Anything in this repository is considered unofficial and should be used at your own risk.
5 |
6 | ## Graph API Resources
7 | Most guidance in this repository will involve calling the Microsoft Graph API. Graph API is how the Teams Meetings and Teams Classes LTIs work to create or modify meetings and Class Teams. It is usually necessary to use the Graph API to look up this same information.
8 |
9 | It is highly recommended that you familiarize yourself with the Microsoft Graph before reading the guidance in this repository. Please use the below resources:
10 |
11 | - [Microsoft Graph Overview](https://docs.microsoft.com/en-us/graph/overview)
12 | - [Using the Microsoft Graph API](https://docs.microsoft.com/en-us/graph/use-the-api)
13 | - [Explore Microsoft Graph - Microsoft Learn Course](https://docs.microsoft.com/en-us/learn/modules/microsoft-graph/)
14 | - [Graph Explorer - Test/Try Graph APIs](https://developer.microsoft.com/en-us/graph/graph-explorer)
15 |
16 | ## [Identify Class Teams visualized by the Teams Classes LTI](IdentifyingClassTeams.md)
17 | ## [Identify M365 Groups created by the Microsoft OneDrive LTI](IdentifyingOneDriveGroups.md)
18 |
19 |
--------------------------------------------------------------------------------
/O365-EDU-Tools.yml:
--------------------------------------------------------------------------------
1 | page_type: sample
2 | products:
3 | - office-365
4 | languages:
5 | - powershell
6 | extensions:
7 | contentType: tools
8 | createdDate: '10/10/2016 3:12:09 PM'
9 | title: O365-EDU-Tools
10 | description: O365 Education tools and scripts repository
11 |
--------------------------------------------------------------------------------
/OneRosterTools/PostmanCollection/OneRoster-CredentialsTemplate.postman_environment.json:
--------------------------------------------------------------------------------
1 | {
2 | "id": "57276c4f-c7cf-4ae9-a70c-901d8d64b58d",
3 | "name": "SDS-OneRoster--Template",
4 | "values": [
5 | {
6 | "key": "OneRosterHost",
7 | "value": "Input Required",
8 | "enabled": true
9 | },
10 | {
11 | "key": "Oauth2TokenAddress",
12 | "value": "Input Required for OAuth2",
13 | "enabled": true
14 | },
15 | {
16 | "key": "OneRosterConsumerKey",
17 | "value": "Input Required",
18 | "enabled": true
19 | },
20 | {
21 | "key": "OneRosterConsumerSecret",
22 | "value": "Input Required",
23 | "enabled": true
24 | },
25 | {
26 | "key": "SchoolYear",
27 | "value": "Input Required",
28 | "enabled": true
29 | },
30 | {
31 | "key": "DeltaDateTime",
32 | "value": "2020-01-01T01:00:00.000Z",
33 | "enabled": true
34 | },
35 | {
36 | "key": "Scopes",
37 | "value": "Optional if using Scopes",
38 | "enabled": true
39 | },
40 | {
41 | "key": "OAuth2AccessToken",
42 | "value": "Auto Generated",
43 | "enabled": true
44 | },
45 | {
46 | "key": "OAuth2RefreshToken",
47 | "value": "Auto Generated",
48 | "enabled": true
49 | },
50 | {
51 | "key": "school_id",
52 | "value": "Auto Generated",
53 | "enabled": true
54 | },
55 | {
56 | "key": "class_id",
57 | "value": "Auto Generated",
58 | "enabled": true
59 | },
60 | {
61 | "key": "student_id",
62 | "value": "Auto Generated",
63 | "enabled": true
64 | },
65 | {
66 | "key": "teacher_id",
67 | "value": "Auto Generated",
68 | "enabled": true
69 | },
70 | {
71 | "key": "term_id",
72 | "value": "Auto Generated",
73 | "enabled": true
74 | }
75 | ],
76 | "_postman_variable_scope": "environment",
77 | "_postman_exported_at": "2021-01-13T17:06:33.805Z",
78 | "_postman_exported_using": "Postman/7.36.1"
79 | }
--------------------------------------------------------------------------------
/OneRosterTools/PostmanCollection/readme.md:
--------------------------------------------------------------------------------
1 | ## How to use the files in this directory?
2 |
3 | 1. Download and Install Postman tool if you don't already have it (https://www.getpostman.com)
4 | 2. Import the collection JSON file
5 | 3. Import the environment JSON file - This is a template environment for providing the credentials required for connecting to the OneRoster server.
6 | 4. Edit the environment file and provide the required connection values to point to your OneRoster server. Keep the filled-in copy out of source control, because it holds the OneRoster consumer key and secret.
7 | 5. Run the collection against the environment that you have setup in the previous step and ensure that all the tests have passed.
8 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # O365-EDU-Tools
2 | O365 Education tools and scripts repository
3 |
4 |
5 | This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/). For more information, see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.
6 |
--------------------------------------------------------------------------------
/SDS Scripts/Archived/Add-Intune_Licenses.ps1:
--------------------------------------------------------------------------------
1 |
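<#
Script Name:
Add-Intune_Licenses.ps1

Synopsis:
This script is designed to get all users who don't have Intune for Education licenses currently, and adds them. No parameters are needed with this script, and you will see an output displayed on the screen for each user where the add is being attempted and subsequently processed.

Syntax Examples and Options:
.\Add-Intune_Licenses.ps1

Written By:
Bill Sluss

Change Log:
Version 1.0, 05/05/2017 - First Draft

#>

# Get the Intune SKU and keep it as a string.
$sku = (Get-MsolAccountSku | Where-Object { $_.AccountSkuId -match "INTUNE_EDU" }).AccountSkuId

# Stop before touching any account when the tenant has no matching SKU;
# otherwise every Set-MsolUserLicense call below would be made with an empty license.
if (-not $sku) {
    Write-Host -ForegroundColor Red "No INTUNE_EDU SKU was found in this tenant. No licenses were changed."
    return
}
$sku2 = $sku.ToString()

# Get all users that do NOT have the INTUNE_EDU SKU applied.
# -match against a list of SKUs returns the matching entries, so negate the whole
# test: a bare -notmatch would also select users who hold INTUNE_EDU next to any other license.
$Users = Get-MsolUser -All | Where-Object { -not ($_.Licenses.AccountSkuId -match "INTUNE_EDU") }

# Add the Intune license for any users that don't currently have it.
foreach ($User in $Users) {
    $upn = $User.UserPrincipalName
    Write-Host -ForegroundColor Green "Adding the Intune EDU license to $upn"
    Set-MsolUserLicense -UserPrincipalName $upn -AddLicenses $sku2
}

Write-Host -ForegroundColor Green "script complete"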
35 |
--------------------------------------------------------------------------------
/SDS Scripts/Archived/Get-All_Users_With_and_Without_Classroom.ps1:
--------------------------------------------------------------------------------
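<#
Script Name:
Get-All_Users_With_and_Without_Classroom.ps1

Synopsis:
This script is designed to export all users within an O365 tenant, and break them into 2 lists. Users with Classroom and User without Classroom. The result of this script will be 2 CSV files in the C:\temp directory. The first file is called users_with_classroom.csv, and a second file called users_without_classroom.csv. This script requires a powershell connection to Azure AD, before running this script.

Syntax Examples and Options:
.\Get-All_Users_With_and_Without_Classroom.ps1

Written By:
Bill Sluss

Change Log:
Version 1.0, 12/05/2016 - First Draft
#>

# Create the arrays
$HasClassroom = @()
$NoClassroom = @()

# Get all users in the tenant
$Users = Get-MsolUser -All

foreach ($User in $Users) {

    # Set variables for each individual user. The license list is already on the
    # object returned by Get-MsolUser -All, so no second lookup per user is needed.
    $DN = $User.DisplayName
    $sku = $User.Licenses.AccountSkuId

    $row = New-Object PsObject -Property @{
        "Username" = "$($User.DisplayName)";
        "UPN"      = "$($User.UserPrincipalName)";
    }

    # Decide once per user. -like / -notlike against a list of SKUs each return the
    # entries that pass, so two separate tests would put a user who holds Classroom
    # plus any other license into BOTH exports.
    $userHasClassroom = [bool]($sku -like "*CLASSDASH_Preview*")

    if ($userHasClassroom) {
        Write-Host -ForegroundColor Green "$DN has the Classroom license"
        $HasClassroom += $row
    }
    else {
        Write-Host -ForegroundColor Red "$DN does not have the Classroom license"
        $NoClassroom += $row
    }
}

# Export the results. Both files list every user's UPN, so keep C:\temp access restricted.
$HasClassroom | Export-CSV C:\temp\Users_with_classroom.csv -NoTypeInformation
$NoClassroom | Export-CSV C:\temp\Users_without_classroom.csv -NoTypeInformation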
54 |
--------------------------------------------------------------------------------
/SDS Scripts/Archived/Remove-Intune_Licenses.ps1:
--------------------------------------------------------------------------------
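<#
Script Name:
Remove-Intune_Licenses.ps1

Synopsis:
This script is designed to get all users who have Intune for Education licenses currently, and remove them. No parameters are needed with this script, and you will see an output displayed on the screen for each user where the removal is being attempted and subsequently processed.

Syntax Examples and Options:
.\Remove-Intune_Licenses.ps1

Written By:
Bill Sluss

Change Log:
Version 1.0, 05/05/2017 - First Draft

#>

# Get the Intune SKU and keep it as a string.
$sku = (Get-MsolAccountSku | Where-Object { $_.AccountSkuId -match "INTUNE_EDU" }).AccountSkuId

# Stop before touching any account when the tenant has no matching SKU;
# otherwise the removal below would be attempted with an empty license name.
if (-not $sku) {
    Write-Host -ForegroundColor Red "No INTUNE_EDU SKU was found in this tenant. No licenses were changed."
    return
}
$sku2 = $sku.ToString()

# Get all users that have the INTUNE_EDU SKU applied.
$Users = Get-MsolUser -All | Where-Object { $_.Licenses.AccountSkuId -match "INTUNE_EDU" }

# Remove the Intune license from every user that currently has it.
foreach ($User in $Users) {
    $upn = $User.UserPrincipalName
    Write-Host -ForegroundColor Green "Removing the Intune EDU license from $upn"
    Set-MsolUserLicense -UserPrincipalName $upn -RemoveLicenses $sku2
}

Write-Host -ForegroundColor Green "script complete"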
34 |
--------------------------------------------------------------------------------
/SDS Scripts/Archived/Set-Classroom_License_for_All_Users.ps1:
--------------------------------------------------------------------------------
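<#
Script Name:
Set-Classroom_License_for_All_Users.ps1

Synopsis:
This script adds the Class Dashboard Preview license to every user in the tenant. It does not read a CSV file; the user list comes from Get-MsolUser -All. Before the license is added, the usage location of every user is set to US. There are no switches or parameters needed to run this script.

Syntax Examples:
.\Set-Classroom_License_for_All_Users.ps1

Written By:
Bill Sluss

Change Log:
Version 1.0, 12/06/2016 - First Draft

#>

# Look the SKU up once; it does not change from user to user.
$sku = (Get-MsolAccountSku | Where-Object { $_.AccountSkuId -like "*CLASSDASH*" }).AccountSkuId

# Stop before changing any account when the tenant has no matching SKU.
if (-not $sku) {
    Write-Host -ForegroundColor Red "No CLASSDASH SKU was found in this tenant. No users were changed."
    return
}

# Get all users
$Users = Get-MsolUser -All

foreach ($User in $Users) {

    # Set UPN as a variable
    $upn = $User.UserPrincipalName

    # Set usage location.
    # NOTE(review): this overwrites whatever usage location the account already had - confirm that is intended.
    Set-MsolUser -UserPrincipalName $upn -UsageLocation US

    # Write progress to the screen
    Write-Host -ForegroundColor Green "Adding Class Dashboard License to $upn"

    # Add the Classroom license
    Set-MsolUserLicense -UserPrincipalName $upn -AddLicenses $sku -WarningAction:SilentlyContinue
}

Write-Host -ForegroundColor Green "Script is Complete"
Write-Host -ForegroundColor Green "Below is a summary of the licenses applied. The Classroom license is the CLASSDASH_PREVIEW license listed"
Get-MsolAccountSku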
50 |
--------------------------------------------------------------------------------
/SDS Scripts/Archived/Set-Classroom_License_for_Some_Users.ps1:
--------------------------------------------------------------------------------
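<#
Script Name:
Set-Classroom_License_for_Some_Users.ps1

Synopsis:
This script imports a list of users, and adds the Class Dashboard Preview license to each account in the csv. The users.csv must reside in the c:\temp directory, be called Users.csv, and be formatted as shown below. Only one column is needed in the file. The header should be "UserPrincipalName" and each cell beneath it should be populated with the UPN of the users you want to add license for. There are no switches or parameters needed to run this script.

CSV Format:
Userprincipalname
user1@contoso.com
user2@contoso.com
user3@contoso.com

Syntax Examples:
.\Set-Classroom_License_for_Some_Users.ps1

Written By:
Bill Sluss

Change Log:
Version 1.0, 12/06/2016 - First Draft

#>

# Import the list of users
$Users = Import-Csv c:\temp\Users.csv

# Look the SKU up once; it does not change from user to user.
$sku = (Get-MsolAccountSku | Where-Object { $_.AccountSkuId -like "*CLASSDASH*" }).AccountSkuId

# Stop before changing any account when the tenant has no matching SKU.
if (-not $sku) {
    Write-Host -ForegroundColor Red "No CLASSDASH SKU was found in this tenant. No users were changed."
    return
}

foreach ($User in $Users) {

    # Set UPN as a variable
    $upn = $User.UserPrincipalName

    # A blank row or a wrong column header yields an empty UPN; skip it instead of calling the service with it.
    if ([string]::IsNullOrWhiteSpace($upn)) {
        Write-Warning "Skipping a row in c:\temp\Users.csv that has no UserPrincipalName value."
        continue
    }

    # Set usage location.
    # NOTE(review): this overwrites whatever usage location the account already had - confirm that is intended.
    Set-MsolUser -UserPrincipalName $upn -UsageLocation US

    # Write progress to the screen
    Write-Host -ForegroundColor Green "Adding Class Dashboard License to $upn"

    # Add the Classroom license
    Set-MsolUserLicense -UserPrincipalName $upn -AddLicenses $sku -WarningAction:SilentlyContinue
}

Write-Host -ForegroundColor Green "Script is Complete"
Write-Host -ForegroundColor Green "Below is a summary of the licenses applied. The Classroom license is the CLASSDASH_PREVIEW license listed"
Get-MsolAccountSku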
50 |
51 |
--------------------------------------------------------------------------------
/SDS Scripts/Block Azure AD Portal/Block-AzureADPortal_for_everyone_except_a_list_of_admins.ps1:
--------------------------------------------------------------------------------
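# Restricts the application identified by $appId so that only the users listed in
# c:\temp\IntuneforEducationAdmins.csv (column: userprincipalname) keep access.

# Connect to Azure AD and establish a session
$session = Connect-AzureAD

# Set the ADIbizaUX App ID as a variable
$appId = "74658136-14ec-4630-ad9b-26e160ff0fc6"

# Resolve every admin from the CSV BEFORE changing the service principal.
# If the file is missing, empty, or lists only unknown accounts, turning on the
# assignment requirement would leave nobody with access, including the operator.
$admins = Import-Csv c:\temp\IntuneforEducationAdmins.csv
$adminUsers = @()
foreach ($admin in $admins) {
    $upn = $admin.userprincipalname
    if ([string]::IsNullOrWhiteSpace($upn)) {
        continue
    }

    try {
        $adminUsers += Get-AzureADUser -ObjectId $upn -ErrorAction Stop
    }
    catch {
        Write-Warning "Could not resolve '$upn' in Azure AD; this account will not be assigned."
    }
}

if ($adminUsers.Count -eq 0) {
    Write-Warning "No admin account from c:\temp\IntuneforEducationAdmins.csv could be resolved. Nothing was changed."
    return
}

# Ensure the service principal is present in the tenant, and if not add it
$sp = Get-AzureADServicePrincipal -Filter "appId eq '$appId'"
if (-not $sp) {
    $sp = New-AzureADServicePrincipal -AppId $appId
}

# Assign the default app role to each resolved admin first...
foreach ($user in $adminUsers) {
    try {
        New-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -ResourceId $sp.ObjectId -Id ([Guid]::Empty.ToString()) -PrincipalId $user.ObjectId -ErrorAction Stop
    }
    catch {
        # Typically raised when the assignment already exists from an earlier run.
        Write-Warning "Assignment for $($user.UserPrincipalName) was not created: $($_.Exception.Message)"
    }
}

# ...and only then require user assignment, so the admins are never locked out in between.
Set-AzureADServicePrincipal -ObjectId $sp.ObjectId -AppRoleAssignmentRequired $true

Write-host "Script Complete. Azure AD portal is now restricted."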
--------------------------------------------------------------------------------
/SDS Scripts/Block Azure AD Portal/Block-AzureADPortal_for_everyone_except_me.ps1:
--------------------------------------------------------------------------------
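# Restrict the Azure AD portal app so that only the user running this script
# keeps access.

# Connect to Azure AD and establish a session
$session = Connect-AzureAD

# App ID of the ADIbizaUX application (the Azure AD portal, per the final message)
$appId = "74658136-14ec-4630-ad9b-26e160ff0fc6"

# Ensure the service principal is present in the tenant, and if not add it
$sp = Get-AzureADServicePrincipal -Filter "appId eq '$appId'"
if (-not $sp) {
    $sp = New-AzureADServicePrincipal -AppId $appId
}

# Assign the default app role (empty GUID) to the current user FIRST.
# If this step fails, enforcement below is never reached and nobody is locked out.
$me = Get-AzureADUser -ObjectId $session.Account.Id -ErrorAction Stop
try {
    New-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -ResourceId $sp.ObjectId -Id ([Guid]::Empty.ToString()) -PrincipalId $me.ObjectId -ErrorAction Stop
}
catch {
    # Raised, for example, when the assignment already exists from an earlier run
    Write-Warning "Assignment for the current user was not created: $($_.Exception.Message)"
}

# Require an App Role Assignment for the Service Principal
Set-AzureADServicePrincipal -ObjectId $sp.ObjectId -AppRoleAssignmentRequired $true

Write-host "Script Complete. Azure AD Portal is now restricted."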
--------------------------------------------------------------------------------
/SDS Scripts/Block Azure AD Portal/IntuneforEducationAdmins.csv:
--------------------------------------------------------------------------------
1 | userprincipalname
2 | john.smith@cdsync31.onmicrosoft.com
3 | cbeane@classrmtest31.org
4 |
--------------------------------------------------------------------------------
/SDS Scripts/Block PowerShell/Block-MS_Graph_module_for_everyone_except_a_list_of_admins.ps1:
--------------------------------------------------------------------------------
1 | <#
2 | .SYNOPSIS
3 | This script is designed to block use of Microsoft Graph PowerShell for all users except those included in an input csv file.
4 |
5 | .PARAMETER csvFilePath
6 | Location of the csv file with the UPNs of users to be excluded from being blocked from using the Microsoft Graph PowerShell. The header should be userprincipalname. See psadmins.csv in the current folder in the GitHub repo for an example.
7 | #>
8 |
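Param (
    [Parameter(Mandatory=$true)]
    [string] $csvFilePath
)

# Connect to Azure AD and establish a session
$session = Connect-AzureAD

# Set the 'Microsoft Graph PowerShell' Graph App ID as a variable
$appId = "14d82eec-204b-4c2f-b7e8-296a70dab67e"

# Ensure the service principal is present in the tenant, and if not add it
$sp = Get-AzureADServicePrincipal -Filter "appId eq '$appId'"
if (-not $sp) {
    $sp = New-AzureADServicePrincipal -AppId $appId
}

# Resolve every UPN in the CSV before changing anything on the service principal.
$admins = Import-Csv $csvFilePath
$resolvedAdmins = @()
foreach ($admin in $admins) {
    try {
        $resolvedAdmins += Get-AzureADUser -ObjectId $admin.userprincipalname -ErrorAction Stop
    }
    catch {
        Write-Warning "Could not resolve '$($admin.userprincipalname)'; no assignment will be created for it."
    }
}

# An empty or wrong CSV would otherwise leave the app blocked for every user.
if ($resolvedAdmins.Count -eq 0) {
    throw "No user from '$csvFilePath' could be resolved; refusing to require assignment."
}

# Assign the default app role (empty GUID) BEFORE enforcement, so a failure
# here never leaves the tenant with enforcement on and nobody assigned.
foreach ($user in $resolvedAdmins) {
    try {
        New-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -ResourceId $sp.ObjectId -Id ([Guid]::Empty.ToString()) -PrincipalId $user.ObjectId -ErrorAction Stop
    }
    catch {
        # Raised, for example, when the assignment already exists from an earlier run
        Write-Warning "Assignment for '$($user.UserPrincipalName)' was not created: $($_.Exception.Message)"
    }
}

# Require user assignment for the Graph app
Set-AzureADServicePrincipal -ObjectId $sp.ObjectId -AppRoleAssignmentRequired $true

Write-host "Script Complete. PowerShell is now restricted."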
37 |
--------------------------------------------------------------------------------
/SDS Scripts/Block PowerShell/Block-MS_Graph_module_for_everyone_except_me.ps1:
--------------------------------------------------------------------------------
1 | <#
2 | .SYNOPSIS
3 | This script is designed to block use of Microsoft Graph PowerShell for all users except the user who is running the script.
4 | #>
5 |
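# Connect to Azure AD and establish a session
$session = Connect-AzureAD

# Set the 'Microsoft Graph PowerShell' Graph App ID as a variable
$appId = "14d82eec-204b-4c2f-b7e8-296a70dab67e"

# Ensure the service principal is present in the tenant, and if not add it
$sp = Get-AzureADServicePrincipal -Filter "appId eq '$appId'"
if (-not $sp) {
    $sp = New-AzureADServicePrincipal -AppId $appId
}

# Assign the default app role (0-Guid) to the current user FIRST.
# If this step fails, enforcement below is never reached and nobody is locked out.
$me = Get-AzureADUser -ObjectId $session.Account.Id -ErrorAction Stop
try {
    New-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -ResourceId $sp.ObjectId -Id ([Guid]::Empty.ToString()) -PrincipalId $me.ObjectId -ErrorAction Stop
}
catch {
    # Raised, for example, when the assignment already exists from an earlier run
    Write-Warning "Assignment for the current user was not created: $($_.Exception.Message)"
}

# Require user assignment for the Graph app
Set-AzureADServicePrincipal -ObjectId $sp.ObjectId -AppRoleAssignmentRequired $true

Write-host "Script Complete. PowerShell is now restricted."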
26 |
--------------------------------------------------------------------------------
/SDS Scripts/Block PowerShell/Block-PowerShell_for_everyone_except_a_list_of_admins.ps1:
--------------------------------------------------------------------------------
1 | <#
2 | .SYNOPSIS
3 | This script is designed to block use of Azure Active Directory PowerShell for all users except those included in an input csv file.
4 |
5 | .PARAMETER csvFilePath
6 | Location of the csv file with the UPNs of users to be excluded from being blocked from using the Azure Active Directory PowerShell. The header should be userprincipalname. See psadmins.csv in the current folder in the GitHub repo for an example.
7 | #>
8 |
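Param (
    [Parameter(Mandatory=$true)]
    [string] $csvFilePath
)

# Connect to Azure AD and establish a session
$session = Connect-AzureAD

# Set the 'Azure Active Directory PowerShell' Graph App ID as a variable
$appId = "1b730954-1685-4b74-9bfd-dac224a7b894"

# Ensure the service principal is present in the tenant, and if not add it
$sp = Get-AzureADServicePrincipal -Filter "appId eq '$appId'"
if (-not $sp) {
    $sp = New-AzureADServicePrincipal -AppId $appId
}

# Resolve every UPN in the CSV before changing anything on the service principal.
$admins = Import-Csv $csvFilePath
$resolvedAdmins = @()
foreach ($admin in $admins) {
    try {
        $resolvedAdmins += Get-AzureADUser -ObjectId $admin.userprincipalname -ErrorAction Stop
    }
    catch {
        Write-Warning "Could not resolve '$($admin.userprincipalname)'; no assignment will be created for it."
    }
}

# An empty or wrong CSV would otherwise leave the app blocked for every user,
# including the admin running this script.
if ($resolvedAdmins.Count -eq 0) {
    throw "No user from '$csvFilePath' could be resolved; refusing to require assignment."
}

# Assign the default app role (empty GUID) BEFORE enforcement, so a failure
# here never leaves the tenant with enforcement on and nobody assigned.
foreach ($user in $resolvedAdmins) {
    try {
        New-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -ResourceId $sp.ObjectId -Id ([Guid]::Empty.ToString()) -PrincipalId $user.ObjectId -ErrorAction Stop
    }
    catch {
        # Raised, for example, when the assignment already exists from an earlier run
        Write-Warning "Assignment for '$($user.UserPrincipalName)' was not created: $($_.Exception.Message)"
    }
}

# Require user assignment for the Graph app
Set-AzureADServicePrincipal -ObjectId $sp.ObjectId -AppRoleAssignmentRequired $true

Write-host "Script Complete. PowerShell is now restricted."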
37 |
--------------------------------------------------------------------------------
/SDS Scripts/Block PowerShell/Block-PowerShell_for_everyone_except_me.ps1:
--------------------------------------------------------------------------------
1 | <#
2 | .SYNOPSIS
3 | This script is designed to block use of Azure Active Directory PowerShell for all users except the user who is running the script.
4 | #>
5 |
# Sign in interactively; the returned session identifies the signed-in account
$session = Connect-AzureAD

# App ID of the 'Azure Active Directory PowerShell' application
$appId = "1b730954-1685-4b74-9bfd-dac224a7b894"

# Look up the service principal for that app, creating it when the tenant has none
$sp = Get-AzureADServicePrincipal -Filter "appId eq '$appId'"
if ($null -eq $sp) {
    $sp = New-AzureADServicePrincipal -AppId $appId
}

# Give the current user the default app role (all-zero GUID).
# This runs before enforcement so the caller is already assigned when it takes effect.
$me = Get-AzureADUser -ObjectId $session.Account.Id
$assignmentArgs = @{
    ObjectId    = $sp.ObjectId
    ResourceId  = $sp.ObjectId
    Id          = [Guid]::Empty.ToString()
    PrincipalId = $me.ObjectId
}
New-AzureADServiceAppRoleAssignment @assignmentArgs

# From here on, only users with an assignment may use the app
Set-AzureADServicePrincipal -ObjectId $sp.ObjectId -AppRoleAssignmentRequired $true

Write-host "Script Complete. PowerShell is now restricted."
26 |
--------------------------------------------------------------------------------
/SDS Scripts/Block PowerShell/psadmins.csv:
--------------------------------------------------------------------------------
1 | userprincipalname
2 | billsluss@cdsync31.onmicrosoft.com
3 | cbeane@classrmtest31.org
4 |
--------------------------------------------------------------------------------
/SDS Scripts/Connection Scripts/Connect-Azure_AD_V1.ps1:
--------------------------------------------------------------------------------
1 | <#
2 | Script Name:
3 | Connect-Azure_AD_V1.ps1
4 |
5 | Synopsis:
6 | This script is designed to connect your PowerShell client to Azure AD using the V1 MSOnline module. This script requires you have already installed the Azure AD module for PowerShell. If you haven't, run the Install-AAD_Module_and_Sign_in_Assistant.ps1 included in this script repository.
7 |
8 | Syntax Examples:
9 | .\Connect-Azure_AD_V1.ps1
10 |
11 | Written By:
12 | Bill Sluss
13 |
14 | Change Log:
15 | Version 1.0, 09/24/2018 - First Draft
16 | #>
17 |
# Prompt for the admin's credentials, then sign in to Azure AD through the
# MSOnline (V1) module.
# NOTE(review): a PSCredential passed with -Credential cannot complete an MFA
# challenge; for MFA-protected admin accounts, call Connect-MsolService without
# -Credential so the interactive sign-in window is used instead.
Write-Host "Enter your Office 365 Global Admin credentials in the authentication prompt!" -ForegroundColor Green
$Cred = Get-Credential
Connect-MsolService -Credential $Cred
--------------------------------------------------------------------------------
/SDS Scripts/Connection Scripts/Connect-Azure_AD_V1_and_Exchange_Online.ps1:
--------------------------------------------------------------------------------
1 | <#
2 | Script Name:
3 | Connect-Azure_AD_V1_and_Exchange_Online.ps1
4 |
5 | Synopsis:
6 | This script is designed to connect your PowerShell client to Azure AD and Exchange Online. This script requires you have already installed the Azure AD module for PowerShell. If you haven't, run the Install-AAD_Module_and_Sign_in_Assistant.ps1 included in this script repository.
7 |
8 | Syntax Examples:
9 | .\Connect-Azure_AD_V1_and_Exchange_Online.ps1
10 |
11 | Written By:
12 | Bill Sluss
13 |
14 | Change Log:
15 | Version 1.0, 12/09/2016 - First Draft
16 |
17 | #>
18 |
# Prompt once for admin credentials and reuse them for Exchange Online and Azure AD.
# NOTE(review): -Authentication Basic with a PSCredential cannot complete MFA, and
# Microsoft has retired Basic authentication for Exchange Online remote PowerShell.
# Connect-ExchangeOnline (ExchangeOnlineManagement module, already used by
# Get-User_Information_Barrier_Segments.ps1 in this repository) is the
# modern-authentication path.
Write-Host "Enter your Office 365 Global Admin credentials in the authentication prompt!" -ForegroundColor Green
$Cred = Get-Credential

# Open the remote Exchange session and import its cmdlets into this session
$exoSessionArgs = @{
    ConfigurationName = 'Microsoft.Exchange'
    ConnectionUri     = 'https://ps.outlook.com/powershell/'
    Credential        = $Cred
    Authentication    = 'Basic'
    AllowRedirection  = $true
}
$Session = New-PSSession @exoSessionArgs
Import-PSSession -Session $Session -AllowClobber

# Sign in to Azure AD (MSOnline module) with the same credentials
Connect-MsolService -Credential $Cred
25 |
--------------------------------------------------------------------------------
/SDS Scripts/Connection Scripts/Connect-Azure_AD_V2.ps1:
--------------------------------------------------------------------------------
1 | <#
2 | Script Name:
3 | Connect-Azure_AD_V2.ps1
4 |
5 | Synopsis:
6 | This script is designed to connect your PowerShell client to Azure AD using the V2 AzureAD module. This script requires you have already installed the Azure AD module for PowerShell. If you haven't, run the Install-AzureADModule.ps1 included in this script repository.
7 |
8 | Syntax Examples:
9 | .\Connect-Azure_AD_V2.ps1
10 |
11 | Written By:
12 | Bill Sluss
13 |
14 | Change Log:
15 | Version 1.0, 09/24/2018 - First Draft
16 | #>
17 |
# Prompt for the admin's credentials, then sign in with the AzureAD (V2) module.
# NOTE(review): a PSCredential passed with -Credential cannot complete an MFA
# challenge; calling Connect-AzureAD with no -Credential uses the interactive
# sign-in instead.
Write-Host "Enter your Office 365 Global Admin credentials in the authentication prompt!" -ForegroundColor Green
$Cred = Get-Credential
Connect-AzureAD -Credential $Cred
--------------------------------------------------------------------------------
/SDS Scripts/Connection Scripts/Connect-Exchange_Online.ps1:
--------------------------------------------------------------------------------
1 | <#
2 | Script Name:
3 | Connect-Exchange_Online.ps1
4 |
5 | Synopsis:
6 | This script is designed to connect your PowerShell client to Exchange Online.
7 |
8 | Syntax Examples:
9 | .\Connect-Exchange_Online.ps1
10 |
11 | Written By:
12 | Bill Sluss
13 |
14 | Change Log:
15 | Version 1.0, 12/09/2016 - First Draft
16 | #>
17 |
# Prompt for Exchange admin credentials and open a remote Exchange Online session.
# NOTE(review): -Authentication Basic with a PSCredential cannot complete MFA, and
# Microsoft has retired Basic authentication for Exchange Online remote PowerShell.
# Connect-ExchangeOnline (ExchangeOnlineManagement module, already used by
# Get-User_Information_Barrier_Segments.ps1 in this repository) is the
# modern-authentication path.
Write-Host "Enter your Exchange Admin credentials in the authentication prompt!" -ForegroundColor Green
$Cred = Get-Credential

$exoSessionArgs = @{
    ConfigurationName = 'Microsoft.Exchange'
    ConnectionUri     = 'https://ps.outlook.com/powershell/'
    Credential        = $Cred
    Authentication    = 'Basic'
    AllowRedirection  = $true
}
$Session = New-PSSession @exoSessionArgs

# Make the remote Exchange cmdlets available locally
Import-PSSession -Session $Session -AllowClobber
23 |
--------------------------------------------------------------------------------
/SDS Scripts/Connection Scripts/Connect-Microsoft_Teams.ps1:
--------------------------------------------------------------------------------
1 | <#
2 | Script Name:
3 | Connect-MicrosoftTeams.ps1
4 |
5 | Synopsis:
6 | This script is designed to connect your PowerShell client to Microsoft Teams using the MicrosoftTeams module. This script requires you have already installed the MicrosoftTeams module for PowerShell. If you haven't, run the Install-Teams_Module.ps1 included in this script repository.
7 |
8 | Syntax Examples:
9 | .\Connect-Microsoft_Teams.ps1
10 |
11 | Written By:
12 | Bill Sluss
13 |
14 | Change Log:
15 | Version 1.0, 09/24/2018 - First Draft
16 | #>
17 |
# Prompt for the admin's credentials, then sign in to Microsoft Teams.
# NOTE(review): a PSCredential passed with -Credential cannot complete an MFA
# challenge; calling Connect-MicrosoftTeams with no -Credential uses the
# interactive sign-in instead.
Write-Host "Enter your Office 365 Global Admin credentials in the authentication prompt!" -ForegroundColor Green
$Cred = Get-Credential
Connect-MicrosoftTeams -Credential $Cred
--------------------------------------------------------------------------------
/SDS Scripts/Connection Scripts/Install-Azure_AD_V2.ps1:
--------------------------------------------------------------------------------
1 | <#
2 | Script Name:
3 | Install-Azure_AD_V2.ps1
4 |
5 | Synopsis:
6 | This script is designed to install the Azure AD Preview Module for PowerShell.
7 |
8 | Syntax Examples:
9 | .\Install-Azure_AD_V2.ps1
10 |
11 | Written By:
12 | Bill Sluss
13 |
14 | Change Log:
15 | Version 1.0, 09/24/2018 - First Draft
16 | #>
17 |
# Install the AzureADPreview module.
# Install-Module downloads from the registered repositories (the PowerShell
# Gallery by default) and takes the latest version; add -RequiredVersion when a
# reviewed, reproducible version is needed.
Write-Host "Installing the AzureADPreview Module for PowerShell" -ForegroundColor Green
Install-Module -Name 'AzureADPreview'
21 |
--------------------------------------------------------------------------------
/SDS Scripts/Connection Scripts/Install-Teams_Module.txt:
--------------------------------------------------------------------------------
1 | <#
2 | Script Name:
3 | Install-Teams_Module.ps1
4 |
5 | Synopsis:
6 | This script is designed to install the Microsoft Teams Module for PowerShell.
7 |
8 | Syntax Examples:
9 | .\Install-Teams_Module.ps1
10 |
11 | Written By:
12 | Bill Sluss
13 |
14 | Change Log:
15 | Version 1.0, 09/24/2018 - First Draft
16 | #>
17 |
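# Install the MicrosoftTeams module.
# The progress message previously named AzureADPreview although the module
# installed below is MicrosoftTeams; the message now matches the action.
# Install-Module downloads from the registered repositories (the PowerShell
# Gallery by default) and takes the latest version; add -RequiredVersion when a
# reviewed, reproducible version is needed.
Write-Host -Foregroundcolor green "Installing the MicrosoftTeams Module for PowerShell"
Install-Module -Name MicrosoftTeams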
21 |
--------------------------------------------------------------------------------
/SDS Scripts/Consent Scripts/Get-StudentsByLicense.ps1:
--------------------------------------------------------------------------------
1 | <#
2 | Script Name:
3 | Get-StudentsByLicense.ps1
4 |
5 | Synopsis:
6 | This script is designed to export all students and their assigned licenses within an O365 tenant, to identify students from teachers based on the license assignment. The result of this script will be a CSV file exported to the c:\temp directory of the local machine, called students.csv. The output of this file can then be used to run the Set-MinorWithParentalConsent.ps1 script. This script requires the AzureAD powershell module be installed and loaded, before running the script.
7 |
8 | Syntax Examples and Options:
9 | .\Get-StudentsByLicense.ps1
10 |
11 | Written By:
12 | Bill Sluss
13 |
14 | Change Log:
15 | Version 1.0, 05/18/2018 - First Draft
16 | #>
17 |
18 |
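# Export every user holding a "student" license, together with the age/consent
# attributes, to c:\temp\Students.csv.

# Connect to Azure AD (interactive sign-in)
Write-Host "`n"
Write-Host -ForegroundColor Green "Please enter your Global Administrator Username and Password"
Write-Host "`n"
Connect-AzureAD

# Fetch the tenant's SKUs once and keep those whose part number contains "student".
# (The SKU list was previously re-queried for every element of every summary loop.)
$AllSkus = Get-AzureADSubscribedSku
$StudentSkus = @($AllSkus | Where-Object { $_.SkuPartNumber -like "*student*" })
$StudentSkuIDs = @($StudentSkus | Select-Object -ExpandProperty SkuId)

Write-Host -ForegroundColor Green "The Student Skus identified are listed below:"
foreach ($Sku in $StudentSkus) {
    Write-Host -ForegroundColor Green "SkuID $($Sku.SkuId) for License $($Sku.SkuPartNumber)"
}
Write-Host "`n"

# Get all users in AAD that have at least one assigned license
Write-Host -ForegroundColor Green "Getting All Users in Azure Active Directory with an assigned license"
Write-Host "`n"
$AllUsers = Get-AzureADUser -All $true | Where-Object { $_.AssignedLicenses -ne $null }

# Emit one row per (user, student SKU) pair. Collecting the loop output avoids
# re-allocating the array on every append.
$Assignments = @(
    foreach ($User in $AllUsers) {
        # Set the display name before it is used in the progress message
        # (it was previously read one iteration late).
        $DN = $User.DisplayName
        Write-Host "`n"
        Write-Host -ForegroundColor Green "Getting Assigned Licenses for $DN"

        # The user object from the listing above already carries AssignedLicenses
        # (the filter reads it), so no second lookup per user is needed.
        foreach ($License in $User.AssignedLicenses.SkuId) {
            Write-Host "$DN is assigned the SkuID $License"

            if ($StudentSkuIDs -contains $License) {
                [PSCustomObject]@{
                    UserPrincipalName           = $User.UserPrincipalName
                    DisplayName                 = $DN
                    ObjectID                    = $User.ObjectId
                    SkuID                       = $License
                    AgeGroup                    = $User.AgeGroup
                    ConsentProvidedForMinor     = $User.ConsentProvidedForMinor
                    LegalAgeGroupClassification = $User.LegalAgeGroupClassification
                }
            }
        }
    }
)

# Export the rows to CSV.
# NOTE(review): the file holds student identities and minor/consent attributes;
# c:\temp is often readable by other local users, so restrict access to the file
# and delete it once Set-MinorWithParentalConsent.ps1 has been run.
if (-not (Test-Path 'c:\temp')) {
    New-Item -ItemType Directory -Path 'c:\temp' | Out-Null
}
Write-Host "`n"
Write-Host -ForegroundColor Green "Exporting the License Assignments to the c:\temp\Students.csv file"
$Assignments | Export-Csv c:\temp\Students.csv -NoTypeInformation
Write-Host "`n"
Write-Host -ForegroundColor Green "Script is complete"
Write-Host "`n"

Write-Host -ForegroundColor Green "Confirm each SkuID listed in the csv file matches the Student SkuIDs shown below:"
foreach ($Sku in $StudentSkus) {
    Write-Host -ForegroundColor Green "SkuID $($Sku.SkuId) for License $($Sku.SkuPartNumber)"
}
Write-Host "`n"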
102 |
103 |
--------------------------------------------------------------------------------
/SDS Scripts/Consent Scripts/Set-MinorWithParentalConsent.ps1:
--------------------------------------------------------------------------------
1 | <#
2 | Script Name:
3 | Set-MinorWithParentalConsent.ps1
4 |
5 | Synopsis:
6 | This script is designed to import the students listed in the students.csv which was exported from the Get-StudentsByLicense.ps1 script. Once imported, this script will set the AgeGroup and ConsentProvidedForMinor attributes. The net result of setting those two attributes is the attribute of LegalAgeGroupClassification set to MinorWithParentalConsent. This script requires the Azure AD V2 module for powershell be installed and loaded, before running this script.
7 |
8 | Syntax Examples and Options:
9 | .\Set-MinorWithParentalConsent.ps1
10 |
11 | Written By:
12 | Bill Sluss
13 |
14 | Change Log:
15 | Version 1.0, 05/18/2018 - First Draft
16 | #>
17 |
18 |
# Sign in to Azure AD interactively
Write-Host "Please enter your Global Administrator Username and Password" -ForegroundColor Green
Write-Host "`n"
Connect-AzureAD

# Load the student rows produced by Get-StudentsByLicense.ps1.
# NOTE(review): every row in this file is marked as a minor with parental consent
# granted, so the CSV is effectively trusted input — review its contents (and who
# could have edited it in c:\temp) before running.
$Students = Import-Csv -Path "c:\temp\students.csv"

# Set AgeGroup and ConsentProvidedForMinor on each listed account
foreach ($Student in $Students) {
    Write-Host "Setting attributes for $($Student.DisplayName)" -ForegroundColor Green
    Set-AzureADUser -ObjectId $Student.ObjectID -AgeGroup minor -ConsentProvidedForMinor granted
}

Write-Host "`n"
Write-Host "Script Complete" -ForegroundColor Green

Write-Host "`n"
Write-Host "You can rerun the Get-StudentsByLicense.ps1 to confirm the attributes were set correctly." -ForegroundColor Green
41 |
--------------------------------------------------------------------------------
/SDS Scripts/Email Restrictions/New-DDL_for_All_Admins.ps1:
--------------------------------------------------------------------------------
1 | <#
2 | Script Name:
3 | New-DDL_for_All_Admins.ps1
4 |
5 | Synopsis:
6 | This script is designed to create a Dynamic Distribution Group which includes all admins in the org. This DDL may be added to students mailboxes who implement the acceptance permissions, to allow these admins to email each of the respective students. This script assumes the Department attribute for admins contains the string "admin", and uses this attribute to populate and keep the DDL up to date.
7 |
8 | Syntax Examples and Options:
9 | .\New-DDL_for_All_Admins.ps1
10 |
11 | Written By:
12 | Bill Sluss
13 |
14 | Change Log:
15 | Version 1.0, 12/14/2016 - First Draft
16 |
17 | #>
18 |
# Create the All_Admins dynamic distribution group from the Department attribute.
# Membership follows Department, so whoever can edit that attribute on an account
# controls who is treated as an admin sender.
$groupArgs = @{
    Name                  = 'All_Admins'
    IncludedRecipients    = 'AllRecipients'
    ConditionalDepartment = 'Admin'
}
New-DynamicDistributionGroup @groupArgs
20 |
--------------------------------------------------------------------------------
/SDS Scripts/Email Restrictions/New-DDL_for_All_Students.ps1:
--------------------------------------------------------------------------------
1 | <#
2 | Script Name:
3 | New-DDL_for_All_Students.ps1
4 |
5 | Synopsis:
6 | This script is designed to create a Dynamic Distribution Group which includes all students in the org. This DDL may be added to students mailboxes who implement the acceptance permissions, to allow all students to email each other. This script assumes the Department attribute for students contains the string "Student", and uses this attribute to populate and keep the DDL up to date.
7 |
8 | Syntax Examples and Options:
9 | .\New-DDL_for_All_Students.ps1
10 |
11 | Written By:
12 | Bill Sluss
13 |
14 | Change Log:
15 | Version 1.0, 12/14/2016 - First Draft
16 |
17 | #>
18 |
# Create the All_Students dynamic distribution group from the Department attribute
$groupArgs = @{
    Name                  = 'All_Students'
    IncludedRecipients    = 'AllRecipients'
    ConditionalDepartment = 'Student'
}
New-DynamicDistributionGroup @groupArgs
20 |
--------------------------------------------------------------------------------
/SDS Scripts/Email Restrictions/New-DDL_for_All_Teachers.ps1:
--------------------------------------------------------------------------------
1 | <#
2 | Script Name:
3 | New-DDL_for_All_Teachers.ps1
4 |
5 | Synopsis:
6 | This script is designed to create a Dynamic Distribution Group which includes all teachers in the org. This DDL may be added to students mailboxes who implement the acceptance permissions, to allow all students to email each other. This script assumes the Department attribute for teachers contains the string "Teacher", and uses this attribute to populate and keep the DDL up to date.
7 |
8 | Syntax Examples and Options:
9 | .\New-DDL_for_All_Teachers.ps1
10 |
11 | Written By:
12 | Bill Sluss
13 |
14 | Change Log:
15 | Version 1.0, 12/14/2016 - First Draft
16 |
17 | #>
18 |
# Create the All_Teachers dynamic distribution group from the Department attribute
$groupArgs = @{
    Name                  = 'All_Teachers'
    IncludedRecipients    = 'AllRecipients'
    ConditionalDepartment = 'Teacher'
}
New-DynamicDistributionGroup @groupArgs
20 |
--------------------------------------------------------------------------------
/SDS Scripts/Email Restrictions/New-DDL_for_Students_by_Grade.ps1:
--------------------------------------------------------------------------------
1 | <#
2 | Script Name:
3 | New-DDL_for_Students_by_Grade.ps1
4 |
5 | Synopsis:
6 | This script is designed to create a Dynamic Distribution Group for each grade, which includes all students in that grade. These DDL's may be added to students mailboxes who implement the acceptance permissions, to allow a subset of students to email each other. This script assumes the Department attribute for students contains the string associated to their individual grade (students in 1st grade will have a 1, student in second grade will have a 2, etc.), and uses this attribute to populate and keep each of the grade based DDL's up to date.
7 |
8 | Syntax Examples and Options:
9 | .\New-DDL_for_Students_by_Grade.ps1
10 |
11 | Written By:
12 | Bill Sluss
13 |
14 | Change Log:
15 | Version 1.0, 12/14/2016 - First Draft
16 |
17 | #>
18 |
# Create one dynamic distribution group per grade: Grade_1 .. Grade_12, then Grade_K.
# Each group matches recipients whose Department equals the grade value.
$departments = @('1', '2', '3', '4', '5', '6', '7', '8', '9', '10', '11', '12', 'k')

foreach ($department in $departments) {
    # The kindergarten group is named Grade_K while its Department value is lower-case k
    $groupName = "Grade_$($department.ToUpperInvariant())"
    New-DynamicDistributionGroup -Name $groupName -IncludedRecipients AllRecipients -ConditionalDepartment $department
}
32 |
--------------------------------------------------------------------------------
/SDS Scripts/Email Restrictions/New-Transport_Rule_Inbound.ps1:
--------------------------------------------------------------------------------
1 | <#
2 | Script Name:
3 | New-Transport_Rule_Inbound.ps1
4 |
5 | Synopsis:
6 | This script is designed to create an inbound transport rule, to restrict all inbound email for a group of students from any sender outside of the O365 tenant.
7 |
8 | Syntax Examples and Options:
9 | .\New-Transport_Rule_Inbound.ps1
10 |
11 | Written By:
12 | Bill Sluss
13 |
14 | Change Log:
15 | Version 1.0, 12/14/2016 - First Draft
16 |
17 | #>
18 |
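# Reject mail from senders outside the organization when a member of
# All_Students appears in the To or Cc header.
# The condition name was missing its leading dash, so it was parsed as a stray
# positional argument instead of the -AnyOfToCcHeaderMemberOf parameter.
# NOTE(review): this condition inspects only the To/Cc header fields; confirm
# whether a recipient-based condition such as -SentToMemberOf is what the
# restriction is meant to enforce.
New-TransportRule -Name "Inbound Student Restrictions" -Enabled $true -FromScope NotInOrganization -AnyOfToCcHeaderMemberOf All_Students -RejectMessageReasonText "Students are not allowed to receive messages from senders outside of the school district."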
20 |
--------------------------------------------------------------------------------
/SDS Scripts/Email Restrictions/New-Transport_Rule_Outbound.ps1:
--------------------------------------------------------------------------------
1 | <#
2 | Script Name:
3 | New-Transport_Rule_Outbound.ps1
4 |
5 | Synopsis:
6 | This script is designed to create an outbound transport rule, to restrict a set of students ability to send email outside of their respective O365 tenant.
7 |
8 | Syntax Examples and Options:
9 | .\New-Transport_Rule_Outbound.ps1
10 |
11 | Written By:
12 | Bill Sluss
13 |
14 | Change Log:
15 | Version 1.0, 12/14/2016 - First Draft
16 |
17 | #>
18 |
# Reject mail sent by members of All_Students to recipients outside the organization.
# NOTE(review): the rule name is spelled "Outbount"; it is kept as-is here because
# tenants that already ran this script have the rule under that name.
$ruleArgs = @{
    Name                    = "Outbount Student Restrictions"
    Enabled                 = $true
    FromMemberOf            = 'All_Students'
    SentToScope             = 'NotInOrganization'
    RejectMessageReasonText = "Students are not allowed to send messages to recipients outside of the organization."
}
New-TransportRule @ruleArgs
20 |
--------------------------------------------------------------------------------
/SDS Scripts/Get-All_Sections.ps1:
--------------------------------------------------------------------------------
1 | <#
2 | .SYNOPSIS
3 | This script is designed to get all SDS sections, and export the default Azure AD attributes to a CSV file called Get-All_Sections.csv, in the folder given by -outFolder (default .\SDSSectionsExport). No other object types are exported with this script.
4 |
5 | .EXAMPLE
6 | .\Get-All_Sections.ps1
7 |
8 | .NOTES
9 | ========================
10 | Required Prerequisites
11 | ========================
12 |
13 | 1. Install AzureAD Powershell Module with the command 'Install-Module AzureAD' (Recommend Windows PowerShell 5.x Module to be used for Azure AD powershell operations)
14 |
15 | 2. Check that you can connect to your tenant directory from the PowerShell module to make sure everything is set up correctly.
16 |
17 | a. Open a separate PowerShell session
18 |
19 | b. Execute: "Connect-AzureAD to bring up a sign-in UI.
20 |
21 | c. Sign in with any tenant administrator credentials
22 |
23 | d. If you are returned to the PowerShell session without error, you are correctly set up.
24 |
25 | 3. Retry this script. If you still get an error about failing to load the AzureAD module, troubleshoot why "Import-Module AzureAD" isn't working.
26 | #>
27 |
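Param(
    # Folder that receives Get-All_Sections.csv; created when missing
    [string] $outFolder = ".\SDSSectionsExport"
)

try
{
    # -ErrorAction Stop makes a missing module a terminating error, so the
    # catch block below actually runs.
    Import-Module AzureAD -ErrorAction Stop | Out-Null
}
catch
{
    Write-Error "Failed to load AzureAD"
    # $PSCommandPath resolves this script regardless of the current directory
    Get-Help -Name $PSCommandPath -Full | Out-String | Write-Error
    throw
}

Connect-AzureAD | Out-Null

$fileName = "Get-All_Sections.csv"
$csvFilePath = Join-Path $outFolder $fileName

# Create output folder if it does not exist
if (-not (Test-Path $outFolder))
{
    New-Item -ItemType Directory -Path $outFolder -Force | Out-Null
}

# Start from a clean file; a missing file is not an error
Remove-Item -Path $csvFilePath -Force -ErrorAction Ignore

Write-Progress -Activity "Reading AAD" -Status "Fetching SDS section groups"

# SDS section groups are recognised by a mail address starting with "Section_"
$groups = @(
    Get-AzureADGroup -All:$true |
        Where-Object { $_.Mail -like "Section_*" } |
        Select-Object -Property DisplayName, Mail, ObjectId, ProvisioningErrors
)

$grpCtr = 0

# Build one output row per group; collecting the loop output avoids
# re-allocating the array on every append.
$output = @(
    foreach ($group in $groups) {
        $grpCtr++
        Write-Progress -Activity "`nReading SDS section groups properties.." -Status "Progress ->" -PercentComplete ($grpCtr / $groups.Count * 100)

        [PSCustomObject]@{
            DisplayName  = $group.DisplayName
            EmailAddress = $group.Mail
            ObjectID     = $group.ObjectId
            # Provisioning errors are flattened into a single comma-separated column
            Errors       = ($group.ProvisioningErrors -join ",")
        }
    }
)

# Export the output array to CSV
$output | Export-Csv $csvFilePath -NoTypeInformation

Disconnect-AzureAD

Write-host -ForegroundColor Green "Exported data to $csvFilePath. `nScript Complete."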
92 |
--------------------------------------------------------------------------------
/SDS Scripts/Get-User_Information_Barrier_Segments.ps1:
--------------------------------------------------------------------------------
1 | <#
2 | .SYNOPSIS
3 |
4 | Creates a csv with information barriers and organization segments for users in the tenant.
5 |
6 | .DESCRIPTION
7 |
8 | The script will connect to Exchange Online using Connect-IPPSSession and Connect-ExchangeOnline to retrieve information barriers and corresponding organization segments for all users of the tenant.
9 |
10 | .INPUTS
11 |
12 | Folder location for csv output. $outFolder
13 |
14 | .OUTPUTS
15 |
16 | The folder location defined as an input will contain a csv file with all outputs.
17 |
18 | .EXAMPLE
19 |
20 | PS> .\Get-User_Information_Barrier_Segments.ps1
21 |
22 | .NOTES
23 |
24 | The sequence of loading both modules is significant. Load the IPPSSession before ExchangeOnline modules
25 |
26 | ========================
27 | Required Prerequisites
28 | ========================
29 |
30 | 1. Install current PowerShell version.
31 |
32 | 2. Install the Exchange Online Management Module with command 'Install-Module ExchangeOnlineManagement'
33 |
34 | 2. Check that you can connect to your tenant directory from the PowerShell module to make sure everything is set up correctly.
35 |
36 | a. Open a separate PowerShell session
37 |
38 | c. Type "Connect-IPPSSession"; "Connect-ExchangeOnline"
39 |
40 | d. Sign in with any tenant administrator credentials.
41 |
42 | d. If you are returned to the PowerShell session without error, you are correctly set up
43 |
44 | 3. Retry this script. If you still get an error about failing to load the Exchange Online Management module, troubleshoot why 'Install-Module ExchangeOnlineManagement' isn't working.
45 | #>
46 |
# Output location for the report.
# NOTE(review): the CSV holds user display names, UPNs and information-barrier
# segment assignments; confirm that the ACLs on this folder restrict read access.
$outFolder = "C:\temp\"
$csvFilePath = "$outFolder\UserInformationBarrierSegments.csv"

# Rows collected for the CSV export
$outputArray = @()

# Make sure the output folder exists
if (-not (Test-Path $outFolder)) {
    New-Item -ItemType Directory -Force -Path $outFolder
}

# Drop a report left over from an earlier run
if (Test-Path $csvFilePath) {
    Remove-Item $csvFilePath
}

# First session: organization segments come from the IPPS session
Connect-IPPSSession

$orgSegments = Get-OrganizationSegment | Select-Object Name, Guid, ExoSegmentId

Disconnect-ExchangeOnline -Confirm:$false | Out-Null

# Second session: user data comes from Exchange Online
Connect-ExchangeOnline

# Note: Even though Connect-IPPSSession shares the Get-User cmdlet, InformationBarrierSegments is returned when using Connect-ExchangeOnline
$users = Get-User -ResultSize Unlimited -Filter 'InformationBarrierSegments -ne $null' |
    Select-Object DisplayName, UserPrincipalName, InformationBarrierSegments, Guid

$userCtr = 0

foreach ($user in $users) {

    $ibs = $user.InformationBarrierSegments

    # Translate each segment id on the user into the matching segment name
    $segmentNames = @()
    foreach ($segment in $ibs) {
        $segmentNames += ($orgSegments | Where-Object { $_.ExoSegmentId -eq $segment }).Name
    }

    # One report row per user, columns in the order they appear in the CSV
    $userObj = [PSCustomObject][ordered]@{
        DisplayName         = $user.DisplayName
        UPN                 = $user.UserPrincipalName
        ObjectID            = $user.Guid
        InformationBarriers = (Join-String -Separator ", " -InputObject $ibs)
        IBNames             = (Join-String -Separator ", " -InputObject $segmentNames)
    }

    $outputArray += $userObj
    $userCtr++

    Write-Progress -Activity "`nGetting information barrier segments for users" -Status "Progress ->" -PercentComplete ($userCtr/$users.count*100)
}

# Write the collected rows to the CSV file in the local outFolder directory
$outputArray | Export-Csv $csvFilePath -NoTypeInformation

Write-Host -ForegroundColor Green "`n`nDone. Please run and 'Disconnect-ExchangeOnline' and disconnect from both sessions if you are finished`n"
--------------------------------------------------------------------------------
/SDS Scripts/Remove-All_Sections.ps1:
--------------------------------------------------------------------------------
1 | <#
2 | Script Name:
3 | Remove-All_Sections.ps1
4 |
5 | Synopsis:
6 | This script is designed to Remove all Sections created by SDS from an O365 tenant.
7 | This script requires a PowerShell connection to Azure AD using Connect-AzureAd cmdlet.
8 | Help: https://docs.microsoft.com/en-us/powershell/azure/active-directory/install-adv2?view=azureadps-2.0#connect-to-azure-ad
9 |
10 | Syntax Examples and Options:
11 | .\Remove-All_Sections.ps1
12 |
13 | Written By:
14 | Bill Sluss
15 |
16 | Change Log:
17 | Version 1.0, 12/12/2016 - First Draft
18 | Version 1.1, 08/01/2017 - Update to Soft Delete groups (Varun Menasina Chidananda)
19 | #>
20 |
$logFilePath = "./remove-all-sections.log"
$softDeletePrefix = "SoftDeleted_"
Write-Output "Starting script to remove all groups at $([System.DateTime]::UtcNow)" | Out-File $logFilePath -Append

# Select every group whose mail nickname contains "Section_".
# NOTE(review): the pattern has a leading wildcard, so it matches "Section_"
# anywhere in the nickname, not only at the start - confirm that is intended
# before running, since every matched group is renamed and deleted.
$Groups = Get-AzureADGroup -All $true | Where-Object { $_.MailNickName -like "*Section_*" }

foreach ($Section in $Groups) {
    # Rename first (prefix + random three-digit suffix on the nickname), then delete
    $DifferentiatorSuffix = Get-Random -Minimum 100 -Maximum 999
    $NewDisplayName = $softDeletePrefix + $Section.DisplayName
    $NewMailNickName = $softDeletePrefix + $Section.MailNickName + $DifferentiatorSuffix

    # Record old / new names before touching the group so the log can be used to trace it
    $Log = "Soft deleting group $($Section.ObjectID) - [$($Section.MailNickName) / $($NewMailNickName)] - [$($Section.DisplayName) / $NewDisplayName]"
    Write-Output $Log | Out-File $logFilePath -Append
    Write-Host -ForegroundColor green "Removing Group $($Section.DisplayName)"

    # -ErrorAction Stop: a failed rename aborts the script before the delete runs
    Set-AzureADGroup -ObjectId $Section.ObjectID -MailNickName $NewMailNickName -DisplayName $NewDisplayName -ErrorAction Stop
    Remove-AzureADGroup -ObjectId $Section.ObjectID -ErrorAction Stop
}

Write-Output "Finished removing $($Groups.Count) Sections at $([System.DateTime]::UtcNow)" | Out-File $logFilePath -Append
Write-Host -ForegroundColor Green "Script Complete. Log: $logFilePath `n"
44 |
--------------------------------------------------------------------------------
/SDS Scripts/Remove-Expired_Section_Memberships.ps1:
--------------------------------------------------------------------------------
1 | <#
2 | Script Name:
3 | Remove-Expired_Section_Memberships.ps1
4 |
5 | Synopsis:
6 | This script is designed to get all SDS classes that have been marked Expired, and remove their members. All Expired classes and removals are displayed on screen.
7 |
8 | Syntax Examples and Options:
9 | .\Remove-Expired_Section_Memberships.ps1
10 |
11 | Written By:
12 | Bill Sluss
13 |
14 | Change Log:
15 | Version 1.0, 8/08/206 - First Draft
16 | #>
17 |
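Connect-AzureAD

# Expired classes are the groups whose display name starts with "Exp" followed by four digits
$Groups = Get-AzureADGroup -All:$true | Where-Object { $_.DisplayName -match '^Exp[0-9]{4}' }
$Count = $Groups.count
Write-Host -ForegroundColor Green "Found $Count Classes Marked Expired. Starting Cleanup - Remove Members"

foreach ($Group in $Groups) {
    $Obj = $Group.ObjectID
    $DN = $Group.DisplayName
    Write-Host "Removing Members of $DN"

    # -All $true: without it only the first page of members is returned, so larger
    # classes would keep part of their membership after the cleanup.
    $Members = Get-AzureADGroupMember -ObjectId $Obj -All $true

    foreach ($Member in $Members) {
        $MemID = $Member.ObjectID
        $MemName = $Member.DisplayName
        Write-Host -ForegroundColor Green "Removing $MemName from $DN"
        Remove-AzureADGroupMember -MemberId $MemID -ObjectId $Obj
    }
}

Write-Host -ForegroundColor Green "Script Complete"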
39 |
--------------------------------------------------------------------------------
/SDS Scripts/Remove-Expired_Sections.ps1:
--------------------------------------------------------------------------------
1 | <#
2 | Script Name:
3 | Remove-Expired_Sections.ps1
4 |
5 | Synopsis:
6 | This script is designed to get all SDS classes that have been marked Expired, and remove them from AAD. All Expired class removals are displayed on screen.
7 |
8 | Syntax Examples and Options:
9 | .\Remove-Expired_Sections.ps1
10 |
11 | Written By:
12 | Bill Sluss
13 |
14 | Change Log:
15 | Version 1.0, 8/9/2018 - First Draft
16 | #>
17 |
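Connect-AzureAD

# Select only groups whose display name starts with "Exp" followed by four digits
# (the expired-class marker). A bare "Exp*" wildcard would also match unrelated
# groups whose name merely begins with "Exp", and every match is deleted below.
$Groups = Get-AzureADGroup -All:$true | Where-Object { $_.DisplayName -match '^Exp[0-9]{4}' }
$Count = $Groups.count
Write-Host -ForegroundColor Green "Found $Count Classes Marked Expired. Starting Cleanup - Remove Sections"

foreach ($Group in $Groups) {
    $Obj = $Group.ObjectID
    $DN = $Group.DisplayName
    Write-Host -ForegroundColor Green "Removing $DN"
    Remove-AzureADGroup -ObjectId $Obj
}

Write-Host -ForegroundColor Green "Script Complete"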
32 |
--------------------------------------------------------------------------------
/SDS Scripts/Remove-Student_Attributes.ps1:
--------------------------------------------------------------------------------
1 | <#
2 | .Synopsis
3 | This script is designed to get all SDS students, and removes all recently deprecated student attributes. No other object types or attributes are modified with this script.
4 |
5 | .Example
6 | .\Remove-Student_Attributes.ps1
7 | #>
8 |
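#Connect to Azure AD
Connect-AzureAD

# Deprecated student extension attributes, in the order they are cleared
$ExtensionPrefix = "extension_fe2174665583431c953114ff7268b7b3_Education_"
$DeprecatedAttributes = @(
    "Gender",
    "ResidenceCountry",
    "ResidenceZip",
    "ResidenceState",
    "ResidenceCity",
    "ResidenceAddress",
    "MailingCountry",
    "MailingZip",
    "MailingState",
    "MailingCity",
    "MailingAddress",
    "FederalRace",
    "EnglishLanguageLearnersStatus"
)

#Get all users in the tenant
$Users = Get-AzureADUser -All:$true

foreach ($User in $Users) {
    $DN = $User.DisplayName
    $Ext = $User | Select-Object -ExpandProperty ExtensionProperty

    # Only objects tagged as Student are touched
    if ($Ext.extension_fe2174665583431c953114ff7268b7b3_Education_ObjectType -like "Student") {

        #Let the Admin know Student was found for processing
        Write-Host -ForegroundColor green "Removing Sensitive Attributes for $DN"

        # Target the student currently being processed. The earlier version passed one
        # fixed object id for every student, so the attributes on the students found by
        # the loop were never cleared.
        foreach ($Attribute in $DeprecatedAttributes) {
            Remove-AzureADUserExtension -ObjectId $User.ObjectId -ExtensionName ($ExtensionPrefix + $Attribute)
        }
    }
}

Write-Host -ForegroundColor green "Script Complete"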
--------------------------------------------------------------------------------
/SDS Scripts/Remove-Unused_Sections.ps1:
--------------------------------------------------------------------------------
1 | <#
2 |
3 | Script Name:
4 | Remove-Sections.ps1
5 |
6 | Synopsis:
7 | This script is designed to Remove unused Sections created by SDS from an O365 tenant, based on the usage report SDS generates. This script requires a PowerShell connection to Azure AD before executing.
8 | Required PowerShell Module: https://docs.microsoft.com/en-us/powershell/azure/active-directory/install-adv2?view=azureadps-2.0
9 |
10 | Syntax Examples and Options:
11 | .\Remove-Sections.ps1 -SectionUsageReport "C:\SectionUsage.csv"
12 |
13 | Written By:
14 | Mihir Patel
15 |
16 | Change Log:
17 | Version 1.0, 06/19/2017 - First Draft
18 | Version 1.1, 08/01/2017 - Update to Soft Delete groups (Varun Menasina Chidananda)
19 | #>
20 |
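[CmdletBinding()]

Param ([Parameter(Mandatory = $true, ValueFromPipeline = $true)] [string]$SectionUsageReport)

#Connect
Connect-AzureAD

$logFilePath = "./remove-unused-sections.log"
$softDeletePrefix = "SoftDeleted_"
Write-Output "Starting script to remove all groups at $([System.DateTime]::UtcNow)" | Out-File $logFilePath -Append

# Read Section Ids from the CSV file. Only rows reporting no files are candidates,
# and the id must parse as a GUID: the report drives a delete, so a blank or
# malformed GraphId is logged and skipped instead of being sent to Azure AD.
$SectionInfo = Import-Csv $SectionUsageReport
$parsedId = [guid]::Empty
$GroupIds = @()
foreach ($Row in $SectionInfo) {
    if ($Row."Usage.HasFiles" -ne "FALSE") {
        continue
    }

    if ([guid]::TryParse([string]$Row.GraphId, [ref]$parsedId)) {
        $GroupIds += $Row.GraphId
    }
    else {
        $Skipped = "Skipping row with invalid GraphId '$($Row.GraphId)'"
        Write-Output $Skipped | Out-File $logFilePath -Append
        Write-Warning $Skipped
    }
}

foreach ($GroupId in $GroupIds) {
    #Get the O365 Group
    $Group = Get-AzureADGroup -ObjectId $GroupId

    # Rename first (prefix + random three-digit suffix on the nickname), then delete
    $DifferentiatorSuffix = Get-Random -Minimum 100 -Maximum 999
    $NewDisplayName = $softDeletePrefix + $Group.DisplayName
    $NewMailNickName = $softDeletePrefix + $Group.MailNickName + $DifferentiatorSuffix

    # Record old / new names before touching the group
    $Log = "Soft deleting group $($Group.ObjectID) - [$($Group.MailNickName) / $($NewMailNickName)] - [$($Group.DisplayName) / $NewDisplayName]"
    Write-Output $Log | Out-File $logFilePath -Append
    Write-Host -ForegroundColor green "Removing Group $($Group.DisplayName)"

    # -ErrorAction Stop: a failed rename aborts the script before the delete runs
    Set-AzureADGroup -ObjectId $Group.ObjectID -MailNickName $NewMailNickName -DisplayName $NewDisplayName -ErrorAction Stop
    Remove-AzureADGroup -ObjectId $Group.ObjectID -ErrorAction Stop
}

#Script is complete
Write-Output "Finished removing $($GroupIds.Count) Sections at $([System.DateTime]::UtcNow)" | Out-File $logFilePath -Append
Write-Host -ForegroundColor Green "Script Complete. Log: $logFilePath `n"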
57 |
--------------------------------------------------------------------------------
/SDS Scripts/Set-All_Sections_as_Hidden.ps1:
--------------------------------------------------------------------------------
1 | <#
2 | Script Name:
3 | Set-All_Sections_as_Hidden.ps1
4 |
5 | Synopsis:
6 | This script is designed to connect to Azure AD and Exchange Online, get all SDS sections potentially in the GAL, and sets the Hidden From Address Lists parameter to true.
7 |
8 | Syntax Examples and Options:
9 | .\Set-All_Sections_as_Hidden.ps1
10 |
11 | Written By:
12 | Bill Sluss
13 |
14 | Change Log:
15 | Version 1.0, 12/08/2016 - First Draft
16 |
17 | #>
18 |
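#Connect to Azure and Exchange Online
$Cred = Get-Credential

# NOTE(review): this connection uses Basic authentication, which hands the account
# password to the endpoint and cannot satisfy MFA. Another script in this collection
# connects with Connect-ExchangeOnline; consider moving this one to the same method.
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $Cred -Authentication Basic -AllowRedirection

try {
    Import-PSSession $Session
    Connect-MsolService -Credential $Cred

    #Get All Sections potentially in the GAL
    $Sections = Get-UnifiedGroup -ResultSize Unlimited | Where-Object { $_.Name -like "Section_*" }

    foreach ($Section in $Sections) {

        # Address identifies the group in the set command; display name is for progress only
        $Addr = $Section.PrimarySmtpAddress
        $DN = $Section.Displayname

        Write-Host -ForegroundColor green "Setting hidden attribute on group $DN"

        #Set the group as hidden
        Set-UnifiedGroup -Identity $Addr -HiddenFromAddressListsEnabled $true -WarningAction:SilentlyContinue
    }
}
finally {
    # Close the remote session so an authenticated connection is not left open
    # after the script ends or fails part-way.
    if ($Session) {
        Remove-PSSession $Session
    }
}

Write-Host -ForegroundColor green "Script Complete"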
43 |
--------------------------------------------------------------------------------
/SDS Scripts/Set-Email_Addresses_Expired.ps1:
--------------------------------------------------------------------------------
1 | <#
2 |
3 | Script Name:
4 | Set-Email_Addresses_Expired.ps1
5 |
6 | Synopsis:
7 | This script is designed to get all classes in Exchange Online which have been Marked Expired by SDS. Each of these classes will have their primarySMTPAddress updated with the mailnickname attribute, which is appended with "Expmmyy_". Once the update is complete, PowerShell will generate a report in the c:\temp directory which details every expired class, and the currently set displayname and primary email address.
8 |
9 | Syntax Examples and Options:
10 | .\Set-Email_Addresses_Expired.ps1
11 |
12 | Written By:
13 | Bill Sluss
14 |
15 | Change Log:
16 | Version 1.0, 8/6/2018 - First Draft
17 |
18 | #>
19 |
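#Connect to ExO
$Cred = Get-Credential

# NOTE(review): this connection uses Basic authentication, which hands the account
# password to the endpoint and cannot satisfy MFA. Another script in this collection
# connects with Connect-ExchangeOnline; consider moving this one to the same method.
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $Cred -Authentication Basic -AllowRedirection

try {
    Import-PSSession $Session

    #Get all Exp Groups
    $ExpGroups = Get-UnifiedGroup -ResultSize unlimited | Where-Object { $_.alias -like "Exp*" }

    foreach ($Group in $ExpGroups) {

        # Show the group being processed, in case of errors
        $DN = $Group.DisplayName
        Write-Host -ForegroundColor Green "Updating Email Address for $DN"

        # New address = alias + the domain part of the current primary address
        $Alias = $Group.Alias
        $Current = ($Group.primarysmtpaddress).toString()
        $Domain = $Current.Split("@")[1]
        $New = $Alias + "@" + $Domain

        #Update the PrimarySMTPAddress
        Set-UnifiedGroup $Alias -PrimarySMTPAddress $New
    }

    # Report every Exp group with its display name, alias and updated primary address
    Write-Host " "
    Write-Host -ForegroundColor Red "Generating a report to show all Exp Groups and their new PrimarySMTPAddresses"
    $ExpGroups = Get-UnifiedGroup -ResultSize unlimited | Where-Object { $_.alias -like "Exp*" } | Select-Object DisplayName, Alias, PrimarySmtpAddress

    # Create the report folder when it is missing so the export cannot fail after
    # all the address changes have already been applied.
    if (-not (Test-Path c:\temp)) {
        New-Item -ItemType Directory -Force -Path c:\temp | Out-Null
    }
    $ExpGroups | Export-Csv c:\temp\Expired_Groups.csv -NoTypeInformation
}
finally {
    # Close the remote session so an authenticated connection is not left open
    # after the script ends or fails part-way.
    if ($Session) {
        Remove-PSSession $Session
    }
}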
50 |
--------------------------------------------------------------------------------
/SDS Scripts/Set-Expired_Sections_Hidden.ps1:
--------------------------------------------------------------------------------
1 | <#
2 | Script Name:
3 | Set-Expired_Sections_as_Hidden.ps1
4 |
5 | Synopsis:
6 | This script is designed to Set all expired sections as hidden.
7 |
8 | Syntax Examples and Options:
9 | .\Set-Expired_Sections_as_Hidden.ps1
10 |
11 | Written By:
12 | Bill Sluss
13 |
14 | Change Log:
15 | Version 1.0, 8/9/2018 - First Draft
16 | #>
17 |
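#Connect to Azure and Exchange Online
$Cred = Get-Credential

# NOTE(review): this connection uses Basic authentication, which hands the account
# password to the endpoint and cannot satisfy MFA. Another script in this collection
# connects with Connect-ExchangeOnline; consider moving this one to the same method.
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $Cred -Authentication Basic -AllowRedirection

try {
    Import-PSSession $Session

    # Get all expired sections. -ResultSize Unlimited matches the other scripts in this
    # collection; without it the result set is capped and some expired sections
    # would stay visible in the address list.
    $Sections = Get-UnifiedGroup -ResultSize Unlimited | Where-Object { $_.alias -like "Exp*" }

    foreach ($Section in $Sections) {
        $DN = $Section.DisplayName
        $Addr = $Section.PrimarySmtpAddress

        Write-Host -ForegroundColor green "Setting Class Hidden - $DN"

        #Set the group as hidden
        Set-UnifiedGroup -Identity $Addr -HiddenFromAddressListsEnabled $true -WarningAction:SilentlyContinue
    }
}
finally {
    # Close the remote session so an authenticated connection is not left open
    # after the script ends or fails part-way.
    if ($Session) {
        Remove-PSSession $Session
    }
}

Write-Host -ForegroundColor green "Script Complete"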
--------------------------------------------------------------------------------
/SDS Scripts/Set-SDS_Attributes_For_All_Teachers_Security_Group.ps1:
--------------------------------------------------------------------------------
1 | <#
2 | Script Name:
3 | Set-SDS_Attributes_For_All_Teachers_Security_Group.ps1
4 |
5 | .Synopsis
6 | This script is designed to add the AllTeachersSecurityGroup SDS extension attributes to a group not created by SDS.
7 |
8 | .Description
9 | This script will use Graph to check the group then update it with the SDS extension attribute for the 'All Teachers' security group.
10 |
11 | .Example
12 | .\Set-SDS_Attributes_For_All_Teachers_Security_Group.ps1 -groupId
13 |
14 | .Notes
15 | This script is only supposed to be used for a group that contains all teachers.
16 | #>
17 |
Param (
    # Id of the group that should receive the SDS attribute
    [Parameter(Mandatory = $true)]
    [string] $groupId,

    # Graph API version segment used when building request URIs
    [Parameter(Mandatory = $false)]
    [string] $graphVersion = "beta",

    # When set, requests go to the PPE endpoint instead of production
    [Parameter(Mandatory = $false)]
    [switch] $PPE = $false
)

# Base URLs for the two Graph environments this script can target
$GraphEndpointProd = "https://graph.microsoft.com"
$GraphEndpointPPE = "https://graph.microsoft-ppe.com"
29 |
# Emits the prerequisite checklist shown when the Graph module cannot be loaded.
function Get-PrerequisiteHelp {
    $helpText = @"
========================
Required Prerequisites
========================

1. Install Microsoft Graph Powershell Module with the command 'Install-Module Microsoft.Graph'

2. Check that you can connect to your tenant directory from the PowerShell module to make sure everything is set up correctly.

a. Open a separate PowerShell session

b. Execute: "Connect-Graph" to bring up a sign-in UI.

c. Sign in with any tenant administrator credentials.

d. If you are returned to the PowerShell session without error, you are correctly set up.

3. Ensure that you have access to the following permission scopes: Group.ReadWrite.All

4. Retry this script. If you still get an error about failing to load the Microsoft Graph module, troubleshoot why "Import-Module Microsoft.Graph.Authentication" isn't working.

(END)
========================
"@

    Write-Output $helpText
}
57 |
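# Main

# The group id is placed directly into the request path, and the session holds
# Group.ReadWrite.All. Accept only a GUID so the value cannot change which
# resource the requests address; the normalized form is used from here on.
$parsedGroupId = [guid]::Empty
if (-not [guid]::TryParse($groupId, [ref]$parsedGroupId)) {
    throw "groupId must be a GUID."
}
$groupId = $parsedGroupId.ToString()

$graphEndPoint = $GraphEndpointProd

if ($PPE)
{
    $graphEndPoint = $GraphEndpointPPE
}

try
{
    # -ErrorAction Stop turns a failed import into a terminating error so the
    # catch block (and the prerequisite help) runs.
    Import-Module Microsoft.Graph.Authentication -ErrorAction Stop | Out-Null
}
catch
{
    Write-Error "Failed to load Microsoft Graph PowerShell Module."
    Get-PrerequisiteHelp | Out-String | Write-Error
    throw
}

# Connecting to resources
Connect-Graph -scope "Group.ReadWrite.All" | Out-Null

# Read the group with only the fields needed to decide whether it may be updated
$grpSelectClause = "?`$select=id,displayName,extension_fe2174665583431c953114ff7268b7b3_Education_ObjectType"
$grpUri = "$graphEndPoint/$graphVersion/groups/$groupId/$grpSelectClause"

try {
    $graphResponse = Invoke-GraphRequest -Method GET -Uri $grpUri -ContentType "application/json"
    $grp = $graphResponse
}
catch {
    throw "Could not retrieve group."
}

if ( !($grp.extension_fe2174665583431c953114ff7268b7b3_Education_ObjectType) ) { # Filtering out group already with SDS attribute
    $uri = "$graphEndPoint/$graphVersion/groups/" + $groupId
    $requestBody = '{
"extension_fe2174665583431c953114ff7268b7b3_Education_ObjectType": "AllTeachersSecurityGroup"
}'

    # HTTP errors are no longer suppressed: a rejected update stops the script
    # instead of falling through to the "Done" message.
    try {
        $result = Invoke-GraphRequest -Method Patch -Uri $uri -Body $requestBody -ContentType "application/json"
    }
    catch {
        throw "Could not update group: $($_.Exception.Message)"
    }
}
else {
    Write-Host "`nCannot update this group because it already has SDS attributes." -ForegroundColor Yellow
    $grp
}

Write-Output "`n`nDone. Please run 'Disconnect-Graph' if you are finished.`n"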
107 |
--------------------------------------------------------------------------------
/SDS Scripts/Set-Some_Sections_as_Hidden.ps1:
--------------------------------------------------------------------------------
1 | <#
2 | Script Name:
3 | Set-Some_Sections_as_Hidden.ps1
4 |
5 | Synopsis:
6 | This script is designed to import a CSV file that contains sections in the simple format noted below. The CSV should reside in the c:\temp directory, and be called Section.CSV file. Once imported, this script will hide any section from the GAL contained the CSV file.
7 |
8 | CSV Format: Section.csv Example:
9 |
10 | HeaderRow PrimarySmtpAddress
11 | -------------- ------------------
12 | group1@contoso.com
13 | group2@contoso.com
14 | group3@contoso.com
15 |
16 |
17 | Syntax Examples and Options:
18 | .\Set-Some_Sections_as_Hidden.ps1
19 |
20 | Written By:
21 | Bill Sluss
22 |
23 | Change Log:
24 | Version 1.0, 12/06/2016 - First Draft
25 | #>
26 |
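#Connect to Azure and Exchange Online
$Cred = Get-Credential

# NOTE(review): this connection uses Basic authentication, which hands the account
# password to the endpoint and cannot satisfy MFA. Another script in this collection
# connects with Connect-ExchangeOnline; consider moving this one to the same method.
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $Cred -Authentication Basic -AllowRedirection

try {
    Import-PSSession $Session
    Connect-MsolService -Credential $Cred

    # Sections to hide, one PrimarySmtpAddress per CSV row
    $Sections = Import-Csv C:\temp\Section.csv

    foreach ($Section in $Sections) {

        #Tag the variable for use in the set cmd
        $Addr = $Section.PrimarySmtpAddress

        # Look the group up to get its display name for the progress line. The CSV
        # only carries PrimarySmtpAddress, so the name must come from the group object.
        $Group2 = Get-UnifiedGroup -Identity $Addr
        $DN = $Group2.DisplayName

        Write-Host -ForegroundColor green "Setting hidden attribute on group $DN"

        #Set the group as hidden
        Set-UnifiedGroup -Identity $Addr -HiddenFromAddressListsEnabled $true -WarningAction:SilentlyContinue
    }
}
finally {
    # Close the remote session so an authenticated connection is not left open
    # after the script ends or fails part-way.
    if ($Session) {
        Remove-PSSession $Session
    }
}

Write-Host -ForegroundColor green "Script Complete"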
54 |
--------------------------------------------------------------------------------
/SDS Scripts/common.ps1:
--------------------------------------------------------------------------------
1 | <#
2 | Script Name:
3 | common.ps1
4 |
5 | Synopsis:
6 | Contains functions common to SDS Scripts. Must be downloaded into same folder where the scripts are run.
7 |
8 | Written By:
9 | Ayron Johnson
10 |
11 | Change Log:
12 | Version 1.0, 07/26/2021 - First Draft
13 | #>
14 |
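# Loads the Graph authentication module and performs the first sign-in.
# $graphscopes: permission scopes requested on connect.
# Returns the timestamp of the initial connection, as produced by Refresh-Token.
function Initialize($graphscopes) {
    Import-Module Microsoft.Graph.Authentication -MinimumVersion 0.9.1

    # Write-Host shows the consent hint to the operator without adding it to the
    # function's output; the earlier form discarded the message entirely.
    Write-Host "If prompted, please use a tenant admin-account to grant access to $graphscopes privileges"

    $firstToken = Refresh-Token $null $graphscopes
    return $firstToken
}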
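# Reconnects to Graph when there has been no connection yet or the last one is
# more than ten minutes old.
# $lastRefreshed: time of the previous connection, or $null when there was none.
# $graphscopes:   permission scopes requested on connect.
# Returns the time of the most recent connection (unchanged when no reconnect was needed).
function Refresh-Token($lastRefreshed, $graphscopes) {
    $currentDT = Get-Date

    # Elapsed time runs from the last refresh to now. TotalMinutes is the whole
    # duration; .Minutes is only the 0-59 component and, with start and end
    # swapped, was never positive, so the reconnect could not trigger.
    if ($null -eq $lastRefreshed -or (New-TimeSpan -Start $lastRefreshed -End $currentDT).TotalMinutes -gt 10) {
        Connect-Graph -Scopes $graphscopes | Out-Null
        $lastRefreshed = Get-Date
    }
    return $lastRefreshed
}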
29 |
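# Gets data from all pages.
# $initialUri:   first request URI; later pages follow '@odata.nextLink'.
# $refreshToken: time of the last Graph connection, as returned by Refresh-Token.
# $method:       HTTP method for each request.
# $graphscopes:  scopes passed to Refresh-Token.
# $logFilePath:  accepted for signature compatibility; not used here.
# Returns the combined 'value' entries of every page.
function PageAll-GraphRequest($initialUri, $refreshToken, $method, $graphscopes, $logFilePath) {

    $result = @()

    $currentUrl = $initialUri

    while ($null -ne $currentUrl) {
        # Capture the returned timestamp: left uncaptured it is written to the
        # function's output alongside the results, and the refresh time is never
        # carried forward to the next page.
        $refreshToken = Refresh-Token $refreshToken $graphscopes
        $response = Invoke-GraphRequest -Method $method -Uri $currentUrl -ContentType "application/json"
        $result += $response.value
        $currentUrl = $response.'@odata.nextLink'
    }

    # Next link of the last response read (empty once paging has finished)
    $global:nextLink = $response.'@odata.nextLink'
    return $result
}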
46 |
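# Pages through a Graph collection and appends each page to a CSV file.
# $initialUri:       first request URI; later pages follow '@odata.nextLink'.
# $refreshToken:     time of the last Graph connection, as returned by Refresh-Token.
# $method:           HTTP method for each request.
# $graphscopes:      scopes passed to Refresh-Token.
# $logFilePath:      log file that receives the record-count line.
# $filePath:         CSV file to (re)create.
# $objectProperties: properties selected from each record.
# $eduObjectType:    label used in the log line.
function PageAll-GraphRequest-WriteToFile($initialUri, $refreshToken, $method, $graphscopes, $logFilePath, $filePath, $objectProperties, $eduObjectType) {

    # Start from a clean file; pages are appended below
    Remove-ExistingFile $filePath

    $currentUrl = $initialUri
    $recordCount = 0

    while ($null -ne $currentUrl) {
        # Capture the returned timestamp: left uncaptured it is written to the
        # function's output, and the refresh time is never carried forward.
        $refreshToken = Refresh-Token $refreshToken $graphscopes
        $response = Invoke-GraphRequest -Method $method -Uri $currentUrl -ContentType "application/json"

        # Records without an Id are dropped before export
        $response.value |
            Select-Object -Property $objectProperties |
            Where-Object { $_.Id -ne $null } |
            Export-Csv -Path "$filePath" -Append -NoTypeInformation -Encoding utf8

        $currentUrl = $response.'@odata.nextLink'
        $recordCount += $response.value.Count
    }

    # Next link of the last response read (empty once paging has finished)
    $global:nextLink = $response.'@odata.nextLink'
    Write-Output "[$(Get-Date -Format G)] Retrieve $($recordCount) $($eduObjectType)s." | Out-File $logFilePath -Append -Encoding utf8
}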
65 |
# Chooses the URI to request next.
# Reads $skipToken from the caller's scope: when it is ".", the supplied URI is
# returned; otherwise the value of $skipToken is returned in its place.
# $logFilePath is accepted but not used.
function TokenSkipCheck ($uriToCheck, $logFilePath)
{
    if ($skipToken -eq ".") {
        return $uriToCheck
    }

    return $skipToken
}
77 |
# Deletes the file at $filePath when it exists; does nothing otherwise.
function Remove-ExistingFile ($filePath)
{
    if (-not (Test-Path $filePath)) {
        return
    }

    Remove-Item $filePath
}
--------------------------------------------------------------------------------
/SDSDataLakeTroubleshooting/TroubleshootSDSDataLake.pbit:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OfficeDev/O365-EDU-Tools/1121bf849b6308c8727b657c78fd331ec4157b6e/SDSDataLakeTroubleshooting/TroubleshootSDSDataLake.pbit
--------------------------------------------------------------------------------
/SDSProfileManagementDocs/README.md:
--------------------------------------------------------------------------------
1 | # School Data Sync Profile Management Preview : Introduction
2 | This document provides information on setting up automated sync and profile management using the Preview version of School Data Sync APIs.
3 |
4 | [School Data Sync](https://sds.microsoft.com/) helps to automate the process of importing and synchronizing roster data from student information systems around the world with Azure AD and Office 365. To set up the sync, school IT can choose to log in to the SDS portal, create a sync profile, and choose a deployment method – either using a CSV file or a supported SIS API connector. In addition to enabling sync from the SDS portal, you can also set one up using the APIs described in this document.
5 |
6 | Here are some helpful links to get started:
7 |
8 | Getting Started:
9 |
10 | - [Introduction to Automated Sync and Profile Management APIs](./scenarios/SDSProfileAPIIntroduction.md)
11 |
12 | Profile Management Scenarios:
13 | - [Create Profile using CSV Files](./scenarios/create-synchronization-profile.md)
14 | - [Create Profile using an API Connector](./scenarios/create-api-synchronization-profile.md)
15 | - [Update operations on SDS Sync Profiles](./scenarios/update-synchronization-profile.md)
16 | - [Troubleshooting Sync failures](./scenarios/troubleshooting-sync-failures.md)
17 |
18 | Profile Management APIs:
19 | - [CreateProfile](./api/educationsynchronizationprofile_post.md)
20 | - [DeleteProfile](./api/educationsynchronizationprofile_delete.md)
21 | - [GetErrors](./api/educationsynchronizationerrors_get.md)
22 | - [GetStatus](./api/educationsynchronizationprofilestatus_get.md)
23 | - [GetUploadURL](./api/educationsynchronizationprofile_uploadurl.md)
24 | - [GetProfile](./api/educationsynchronizationprofile_get.md)
25 | - [ListProfile](./api/educationsynchronizationprofile_list.md)
26 | - [PauseProfileSync](./api/educationsynchronizationprofile_pause.md)
27 | - [ResetProfile](./api/educationsynchronizationprofile_reset.md)
28 | - [ResumeProfile](./api/educationsynchronizationprofile_resume.md)
29 | - [UpdateProfile](./api/educationsynchronizationprofile_put.md)
30 | - [Start](./api/educationsynchronizationprofile_start.md)
31 |
32 | ## Contribute
33 | Send a pull request out to contribute.
34 |
--------------------------------------------------------------------------------
/SDSProfileManagementDocs/api/educationsynchronizationerrors_get.md:
--------------------------------------------------------------------------------
1 | # Get educationSynchronizationErrors
2 |
3 | Get the errors generated during a sync of a specific school data [synchronization profile](../resources/educationsynchronizationprofile.md) in the tenant.
4 |
5 | ## Permissions
6 | One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](../../../concepts/permissions_reference.md).
7 |
8 | | Permission type | Permissions (from least to most privileged) |
9 | |:-----------|:------|
10 | | Delegated (work or school account) | EduAdministration.Read, EduAdministration.ReadWrite |
11 | |Delegated (personal Microsoft account)|Not supported.|
12 | |Application|Not supported.|
13 |
14 | ## HTTP request
15 |
16 | ```http
17 | GET /synchronizationProfiles/{id}/errors
18 | ```
19 | ## Optional query parameters
20 | This method supports the following [OData Query Parameters](http://developer.microsoft.com/en-us/graph/docs/overview/query_parameters) to help customize the response: $filter, $orderby, $top, $skip, and $count.
21 |
22 | ## Request headers
23 | | Name | Type | Description|
24 | |:-----------|:------|:----------|
25 | | Authorization | string | Bearer {token}. Required. |
26 |
27 | ## Request body
28 | Do not supply a request body for this method.
29 | ## Response
30 | If successful, this method returns a `200 OK` response code and a collection of [synchronization error](../resources/educationsynchronizationerror.md) objects in the response body.
31 |
32 | ## Example
33 | ##### Request
34 | The following is an example of the request.
35 |
39 | ```http
40 | GET https://graph.microsoft.com/beta/education/synchronizationProfiles/{id}/errors
41 | ```
42 |
43 | ##### Response
44 | The following is an example of the response.
45 |
46 | >**Note:** The response object shown here might be shortened for readability. All the properties will be returned from an actual call.
47 |
48 |
53 | ```http
54 | {
55 | "@odata.context": "https://graph.microsoft.com/beta/$metadata#education/synchronizationProfiles('{id}')/errors",
56 | "@odata.count": 14,
57 | "value": [
58 | {
59 | "entryType": "Student",
60 | "errorCode": "UnsynchronizableChange",
61 | "errorMessage": "Student cannot be updated as no matching entry in Active Directory was found for Student. Verify the identity matching criteria for the profile.",
62 | "joiningValue": "richard.2wilson@testschool.edu",
63 | "recordedDateTime": "2017-07-05T00:52:45Z",
64 | "reportableIdentifier": "richard.2wilson"
65 | },
66 | {
67 | "entryType": "Teacher",
68 | "errorCode": "UnsynchronizableChange",
69 | "errorMessage": "Teacher cannot be updated as no matching entry in Active Directory was found for Teacher. Verify the identity matching criteria for the profile.",
70 | "joiningValue": "alberto2.dorsey@testschool.edu",
71 | "recordedDateTime": "2017-07-05T00:52:57Z",
72 | "reportableIdentifier": "alberto2.dorsey"
73 | },
74 | {
75 | "entryType": "Teacher",
76 | "errorCode": "UnsynchronizableChange",
77 | "errorMessage": "Teacher cannot be updated as no matching entry in Active Directory was found for Teacher. Verify the identity matching criteria for the profile.",
78 | "joiningValue": "madeline2.bullock@testschool.edu",
79 | "recordedDateTime": "2017-07-05T00:52:57Z",
80 | "reportableIdentifier": "madeline2.bullock"
81 | }
82 | ]
83 | }
84 | ```
--------------------------------------------------------------------------------
/SDSProfileManagementDocs/api/educationsynchronizationprofile_delete.md:
--------------------------------------------------------------------------------
1 | # Delete an educationSynchronizationProfile
2 |
3 | Delete a school data [synchronization profile](../resources/educationsynchronizationprofile.md) in the tenant based on the identifier.
4 |
5 | ## Permissions
6 | One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](../../../concepts/permissions_reference.md).
7 |
8 | | Permission type | Permissions |
9 | |:-----------|:----------|
10 | | Delegated (work or school account) | EduAdministration.ReadWrite |
11 | |Delegated (personal Microsoft account)|Not supported.|
12 | |Application|Not supported.|
13 |
14 | ## HTTP request
15 |
16 | ```http
17 | DELETE /synchronizationProfiles/{id}
18 | ```
19 |
20 | ## Request headers
21 | | Name | Type | Description|
22 | |:-----------|:------|:----------|
23 | | Authorization | string | Bearer {token}. Required. |
24 |
25 | ## Request body
26 | Do not supply a request body for this method.
27 | ## Response
28 | If successful, this method returns a `202 Accepted` response code and no response body.
29 |
30 | ## Example
31 | ##### Request
32 | Here is an example of the request.
33 |
37 | ```http
38 | DELETE https://graph.microsoft.com/beta/education/synchronizationProfiles/{id}
39 | ```
40 |
41 | ##### Response
42 | Here is an example of the response.
43 |
47 | ```http
48 | HTTP/1.1 202 Accepted
49 | ```
50 |
--------------------------------------------------------------------------------
/SDSProfileManagementDocs/api/educationsynchronizationprofile_pause.md:
--------------------------------------------------------------------------------
1 | # Pause sync on an educationSynchronizationProfile
2 |
3 | Pause the sync of a specific school data [synchronization profile](../resources/educationsynchronizationprofile.md) in the tenant.
4 |
5 | ## Permissions
6 | One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](../../../concepts/permissions_reference.md).
7 |
8 | | Permission type | Permissions |
9 | |:-----------|:----------|
10 | | Delegated (work or school account) | EduAdministration.ReadWrite |
11 | |Delegated (personal Microsoft account)|Not supported.|
12 | |Application|Not supported.|
13 |
14 | ## HTTP request
15 |
16 | ```http
17 | POST /synchronizationProfiles/{id}/pause
18 | ```
19 |
20 | ## Request headers
21 | | Name | Type | Description|
22 | |:-----------|:------|:----------|
23 | | Authorization | string | Bearer {token}. Required. |
24 |
25 | ## Request body
26 | Do not supply a request body for this method.
27 | ## Response
28 | If successful, this method returns a `200 OK` response code.
29 |
30 | ## Example
31 | ##### Request
32 | The following is an example of the request.
33 |
37 | ```http
38 | POST https://graph.microsoft.com/beta/education/synchronizationProfiles/{id}/pause
39 | ```
40 |
41 | ##### Response
42 |
43 | There is no response body.
--------------------------------------------------------------------------------
/SDSProfileManagementDocs/api/educationsynchronizationprofile_reset.md:
--------------------------------------------------------------------------------
1 | # Reset sync on an educationSynchronizationProfile
2 |
3 | Reset the sync of a specific school data [synchronization profile](../resources/educationsynchronizationprofile.md) in the tenant.
4 |
5 | > **Note:** This operation will cause synchronization to restart. Any errors encountered will be deleted. No data will be deleted from Azure Active Directory (Azure AD).
6 |
7 | ## Permissions
8 | One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](../../../concepts/permissions_reference.md).
9 |
10 | | Permission type | Permissions |
11 | |:-----------|:----------|
12 | | Delegated (work or school account) | EduAdministration.ReadWrite |
13 | |Delegated (personal Microsoft account)|Not supported.|
14 | |Application|Not supported.|
15 |
16 | ## HTTP request
17 |
18 | ```http
19 | POST /synchronizationProfiles/{id}/reset
20 | ```
21 |
22 | ## Request headers
23 | | Name | Type | Description|
24 | |:-----------|:------|:----------|
25 | | Authorization | string | Bearer {token}. Required. |
26 |
27 | ## Request body
28 | Do not supply a request body for this method.
29 | ## Response
30 | If successful, this method returns a `200 OK` response code.
31 |
32 | ## Example
33 | ##### Request
34 | The following is an example of the request.
35 |
39 | ```http
40 | POST https://graph.microsoft.com/beta/education/synchronizationProfiles/{id}/reset
41 | ```
42 |
43 | ##### Response
44 |
45 | There is no response body.
--------------------------------------------------------------------------------
/SDSProfileManagementDocs/api/educationsynchronizationprofile_resume.md:
--------------------------------------------------------------------------------
1 | # Resume sync on an educationSynchronizationProfile
2 |
3 | Resume the sync of a specific school data [synchronization profile](../resources/educationsynchronizationprofile.md) in the tenant.
4 |
5 | ## Permissions
6 | One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](../../../concepts/permissions_reference.md).
7 |
8 | | Permission type | Permissions |
9 | |:-----------|:----------|
10 | | Delegated (work or school account) | EduAdministration.ReadWrite |
11 | |Delegated (personal Microsoft account)|Not supported.|
12 | |Application|Not supported.|
13 |
14 | ## HTTP request
15 |
16 | ```http
17 | POST /synchronizationProfiles/{id}/resume
18 | ```
19 |
20 | ## Request headers
21 | | Name | Type | Description|
22 | |:-----------|:------|:----------|
23 | | Authorization | string | Bearer {token}. Required. |
24 |
25 | ## Request body
26 | Do not supply a request body for this method.
27 | ## Response
28 | If successful, this method returns a `200 OK` response code.
29 |
30 | ## Example
31 | ##### Request
32 | The following is an example of the request.
33 |
37 | ```http
38 | POST https://graph.microsoft.com/beta/education/synchronizationProfiles/{id}/resume
39 | ```
40 |
41 | ##### Response
42 |
43 | There is no response body.
--------------------------------------------------------------------------------
/SDSProfileManagementDocs/api/educationsynchronizationprofile_uploadurl.md:
--------------------------------------------------------------------------------
1 | # educationSynchronizationProfile: uploadUrl
2 |
3 | Retrieve a shared access signature (SAS) for uploading source files to Azure blob storage for a specific school data [synchronization profile](../resources/educationsynchronizationprofile.md) in the tenant. The SAS token has a validity of one hour.
4 |
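5 | > **Note:** To access the blob storage with the SAS token, use the [Azure storage SDKs](https://github.com/search?q=org%3AAzure+azure-storage) or [AzCopy](https://docs.microsoft.com/en-us/azure/storage/storage-use-azcopy). The returned SAS URL is a bearer credential: as the `sr=c` and `sp=w` parameters in the example response show, anyone who holds it can write to the container until it expires, so keep it out of logs, tickets, and source control.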
6 |
7 | ## Permissions
8 | One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](../../../concepts/permissions_reference.md).
9 |
10 | | Permission type | Permissions |
11 | |:-----------|:----------|
12 | | Delegated (work or school account) | EduAdministration.ReadWrite |
13 | |Delegated (personal Microsoft account)|Not supported.|
14 | |Application|Not supported.|
15 |
16 | ## HTTP request
17 |
18 | ```http
19 | GET /synchronizationProfiles/{id}/uploadUrl
20 | ```
21 |
22 | ## Request headers
23 | | Name | Type | Description|
24 | |:-----------|:------|:----------|
25 | | Authorization | string | Bearer {token}. Required. |
26 |
27 | ## Request body
28 | Do not supply a request body for this method.
29 | ## Response
30 | If successful, this method returns a `200 OK` response code and a SAS URL for the [educationSynchronizationProfile](../resources/educationsynchronizationprofile.md) in the response body.
31 |
32 | ## Example
33 | ##### Request
34 | The following is an example of the request.
35 |
39 | ```http
40 | GET https://graph.microsoft.com/beta/education/synchronizationProfiles/{id}/uploadUrl
41 | ```
42 |
43 | ##### Response
44 | The following is an example of the response.
45 |
46 | >**Note:** The response object shown here might be shortened for readability. All the properties will be returned from an actual call.
47 |
48 |
52 | ```http
53 | {
54 | "@odata.context": "https://graph.microsoft.com/beta/$metadata#String",
55 | "value": "https://sdsstorage.blob.core.windows.net/86904b1e-c7d0-4ead-b13a-98f11fc400ee?sv=2015-07-08&sr=c&si=SharedAccessPolicy_20170704044441&sig=CH65vxxqXETCkQNH0Lfsu31cUo0s0XcEEo0OE2YiL6Q%3D&se=2017-07-04T08%3A43%3A01Z&sp=w"
56 | }
57 | ```
--------------------------------------------------------------------------------
/SDSProfileManagementDocs/api/educationsynchronizationprofilestatus_get.md:
--------------------------------------------------------------------------------
1 | # Get the status of an educationSynchronizationProfile
2 |
3 | Get the status of a specific school data [synchronization profile](../resources/educationsynchronizationprofile.md) in the tenant. The response will indicate the status of the sync.
4 |
5 | ## Permissions
6 | One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](../../../concepts/permissions_reference.md).
7 |
8 | | Permission type | Permissions (from least to most privileged) |
9 | |:-----------|:----------|
10 | | Delegated (work or school account) | EduAdministration.Read, EduAdministration.ReadWrite |
11 | |Delegated (personal Microsoft account)|Not supported.|
12 | |Application|Not supported.|
13 |
14 | ## HTTP request
15 |
16 | ```http
17 | GET /synchronizationProfiles/{id}/profileStatus
18 | ```
19 |
20 | ## Request headers
21 | | Name | Type | Description|
22 | |:-----------|:------|:----------|
23 | | Authorization | string | Bearer {token}. Required. |
24 |
25 | ## Request body
26 | Do not supply a request body for this method.
27 | ## Response
28 | If successful, this method returns a `200 OK` response code and an [educationsynchronizationprofilestatus](../resources/educationsynchronizationprofilestatus.md) object in the response body.
29 |
30 | ## Example
31 | ##### Request
32 | The following is an example of the request.
33 |
37 | ```http
38 | GET https://graph.microsoft.com/beta/education/synchronizationProfiles/{id}/profileStatus
39 | ```
40 |
41 | ##### Response
42 | The following is an example of the response.
43 |
44 | >**Note:** The response object shown here might be shortened for readability. All the properties will be returned from an actual call.
45 |
46 |
50 | ```http
51 | {
52 | "@odata.context": "https://graph.microsoft.com/beta/$metadata#education/synchronizationProfiles('{id}')/profileStatus/$entity",
53 | "status": "inProgress",
54 | "lastSynchronizationDateTime": "2017-07-04T22:06:37.6472621Z"
55 | }
56 | ```
--------------------------------------------------------------------------------
/SDSProfileManagementDocs/resources/educationSynchronizationConnectionSettings.md:
--------------------------------------------------------------------------------
1 | # educationSynchronizationConnectionSettings resource type
2 |
3 | Represents the provider connection settings. This allows the system to know how to connect to the provider APIs.
4 |
5 | > **Note:** This complex type is abstract. Refer to the specific types of connection settings listed.
6 |
7 | ## Derived types
8 | | Type | Description |
9 | |:-|:-|
10 | | [**educationSynchronizationOAuth1ConnectionSettings**](educationSynchronizationOAuth1ConnectionSettings.md) | Use this type to provide OAuth1 connection settings |
11 | | [**educationSynchronizationOAuth2ClientCredentialsConnectionSettings**](educationSynchronizationOAuth2ClientCredentialsConnectionSettings.md) | Use this type to provide OAuth2 Client Credentials Grant connection settings |
12 |
13 | ## Properties
14 |
15 | | Property | Type | Description |
16 | |:-|:-|:-|
17 | | **clientId** | String | Client id used to connect to the provider |
18 | | **clientSecret** | String | Client secret to authenticate connection to the provider |
--------------------------------------------------------------------------------
/SDSProfileManagementDocs/resources/educationSynchronizationOAuth1ConnectionSettings.md:
--------------------------------------------------------------------------------
1 | # educationSynchronizationOAuth1ConnectionSettings resource
2 |
3 | When OAuth1 is to be used to connect to the data provider, this connection settings type should be used to set up the profile.
4 |
5 | Derived from [educationSynchronizationConnectionSettings](educationSynchronizationConnectionSettings.md)
6 |
7 | ## Properties
8 |
9 | No additional properties are exposed by this type
10 |
11 | ## JSON
12 |
13 | ```json
14 | "connectionSettings": {
15 | "@odata.type": "#microsoft.graph.educationSynchronizationOAuth1ConnectionSettings",
16 | "clientId": "String",
17 | "clientSecret": "String"
18 | }
19 | ```
20 |
--------------------------------------------------------------------------------
/SDSProfileManagementDocs/resources/educationSynchronizationOAuth2ClientCredentialsConnectionSettings.md:
--------------------------------------------------------------------------------
1 | # educationSynchronizationOAuth2ClientCredentialsConnectionSettings resource
2 |
3 | When [OAuth2 Client Credentials Grant](https://tools.ietf.org/html/rfc6749#section-4.4) is to be used to connect to the data provider, this connection settings type should be used to set up the profile.
4 |
5 | Derived from [educationSynchronizationConnectionSettings](educationSynchronizationConnectionSettings.md)
6 |
7 | ## Properties
8 |
9 | | Property | Type | Description |
10 | |:-|:-|:-|
11 | | **tokenUrl** | String | The URL to get access tokens for the data provider |
12 | | **scope** | String | [The scope of the access request](https://tools.ietf.org/html/rfc6749#section-3.3) |
13 |
14 | ## JSON
15 |
16 | ```json
17 | "connectionSettings": {
18 | "@odata.type": "#microsoft.graph.educationSynchronizationOAuth2ClientCredentialsConnectionSettings",
19 | "clientId": "String",
20 | "clientSecret": "String",
21 | "tokenUrl": "String",
22 | "scope": "String"
23 | }
24 | ```
25 |
--------------------------------------------------------------------------------
/SDSProfileManagementDocs/resources/educationcsvdataprovider.md:
--------------------------------------------------------------------------------
1 | # educationCsvDataProvider resource type
2 |
3 | Used to set up the school data synchronization profile when CSV files are the input source.
4 |
5 | Derived from [educationSynchronizationDataProvider](educationsynchronizationdataprovider.md).
6 |
7 | ## Properties
8 |
9 | | Property | Type | Description |
10 | |:-|:-|:-|
11 | | **customizations** | [educationSynchronizationCustomizations](educationsynchronizationcustomizations.md) | Optional customizations to be applied to the synchronization profile.|
12 |
13 | ## JSON representation
14 |
15 |
22 |
23 |
24 | ```json
25 | "dataProvider":{
26 | "@odata.type": "#microsoft.graph.educationCsvDataProvider",
27 | "customizations": { "@odata.type": "microsoft.graph.educationSynchronizationCustomizations" }
28 | }
29 | }
30 | ```
31 |
--------------------------------------------------------------------------------
/SDSProfileManagementDocs/resources/educationfilesynchronizationverificationmessage.md:
--------------------------------------------------------------------------------
1 | # educationFileSynchronizationVerificationMessage resource type
2 |
3 | Represents an error returned to the client in response to a request to [start synchronization](../api/educationsynchronizationprofile_start.md) for CSV-based school data profiles. The resource will contain errors that result from the verification. The source data must be fixed before you restart the request to synchronize with Azure Active Directory (Azure AD).
4 |
5 | ## Properties
6 |
7 | | Property | Type | Description |
8 | |:-|:-|:-|
9 | | **type** | string | Type of the message. Possible values are: `error`, `warning`, `information`. |
10 | | **fileName** | string | Source file that contains the error. |
11 | | **description** | string | Detailed information about the message type. |
12 |
13 | ## JSON representation
14 |
15 |
22 |
23 | ```json
24 | {
25 | "type": "String",
26 | "fileName": "String",
27 | "description": "String"
28 | }
29 | ```
--------------------------------------------------------------------------------
/SDSProfileManagementDocs/resources/educationidentitycreationconfiguration.md:
--------------------------------------------------------------------------------
1 | ## educationIdentityCreationConfiguration resource type
2 |
3 | Defines the settings on creation of school data profile identities. These identities include students and teachers. Based on these settings, the users will be created in the directory.
4 |
5 | > **Note:** If you have directory sync turned on to sync between on-premises Active Directory and Azure Active Directory (Azure AD), use the [educationIdentityMatchingConfiguration](educationidentitymatchingconfiguration.md) resource instead.
6 |
7 | Derived from [identitySyncConfiguration](identitySyncConfiguration.md).
8 |
9 | ## Properties
10 |
11 | | Property | Type | Description |
12 | |:-|:-|:-|
13 | | **userDomains** | [educationIdentityDomain](educationidentitydomain.md) collection | Sets the list of domains to use per user type. |
14 |
15 |
16 | ## JSON representation
17 |
24 |
25 | ```json
26 | "identitySynchronizationConfiguration": {
27 | "@odata.type": "#microsoft.graph.educationIdentityCreationConfiguration",
28 | "userDomains": [
29 | {
30 | "@odata.type": "#microsoft.graph.educationIdentityDomain",
31 | }
32 | ]
33 | }
34 | ```
--------------------------------------------------------------------------------
/SDSProfileManagementDocs/resources/educationidentitydomain.md:
--------------------------------------------------------------------------------
1 | # educationIdentityDomain resource type
2 |
3 | Represents the mapping between an education user type and the domain the user's account belongs to. The domain resource is part of the [identity creation configuration](educationidentitycreationconfiguration.md).
4 |
5 | ## Properties
6 |
7 | | Property | Type | Description |
8 | |:-|:-|:-|
9 | | **appliesTo** | string | The user role type to assign to the license. Possible values are: `student`, `teacher`. |
10 | | **name** | string | Represents the domain for the user account. |
11 |
12 | ## JSON representation
13 |
20 |
21 | ```json
22 | {
23 | "appliesTo": {"@odata.type": "#microsoft.graph.educationUserRole"},
24 | "name": "String"
25 | }
26 | ```
27 |
--------------------------------------------------------------------------------
/SDSProfileManagementDocs/resources/educationidentitymatchingconfiguration.md:
--------------------------------------------------------------------------------
1 | ## educationIdentityMatchingConfiguration resource type
2 |
3 | Defines the settings for matching school data profile identities. These identities include students and teachers. Based on these settings, the users will be updated in the directory.
4 |
5 | > **Note:** No users are created when this resource is selected.
6 |
7 | ## Properties
8 |
9 | | Property | Type | Description |
10 | |:-|:-|:-|
11 | | **matchingOptions** | [educationIdentityMatchingOptions](educationidentitymatchingoptions.md) collection | Mapping between the user account and the options to use to uniquely identify the user to update. |
12 |
13 | ## JSON representation
14 |
21 |
22 | ```json
23 | "identitySynchronizationConfiguration": {
24 | "@odata.type": "#microsoft.graph.educationIdentityMatchingConfiguration",
25 | "matchingOptions": [
26 | {
27 | "appliesTo": {"@odata.type": "#microsoft.graph.educationUserRole"},
28 | "sourcePropertyName": "String",
29 | "targetPropertyName": "String",
30 | "targetDomain": "String"
31 | }
32 | ]
33 | }
34 | ```
35 |
--------------------------------------------------------------------------------
/SDSProfileManagementDocs/resources/educationidentitymatchingoptions.md:
--------------------------------------------------------------------------------
1 | # educationIdentityMatchingOptions resource type
2 |
3 | Provides a mapping between a source property and a target property for matching user accounts. The source property should exist in the source data. The target property should be a valid property in Azure Active Directory (Azure AD).
4 |
5 | ## Properties
6 |
7 | | Property | Type | Description |
8 | |:-|:-|:-|
9 | | **appliesTo** | string | The user role type to assign to the license. Possible values are: `student`, `teacher`. |
10 | | **sourcePropertyName** | string | The name of the source property, which should be a field name in the source data. This property is case-sensitive. |
11 | | **targetPropertyName** | string | The name of the target property, which should be a valid property in Azure AD. This property is case-sensitive. |
12 | | **targetDomain** | string | The domain to suffix with the source property to match on the target. If provided as null, the source property will be used to match with the target property. |
13 |
14 | ## JSON representation
15 |
22 |
23 | ```json
24 | {
25 | "appliesTo": {"@odata.type": "#microsoft.graph.educationUserRole"},
26 | "sourcePropertyName": "String",
27 | "targetPropertyName": "String",
28 | "targetDomain": "String"
29 | }
30 | ```
31 |
--------------------------------------------------------------------------------
/SDSProfileManagementDocs/resources/educationidentitysynchronizationconfiguration.md:
--------------------------------------------------------------------------------
1 | # educationIdentitySynchronizationConfiguration resource type
2 |
3 | Abstract base class for all school data profile identity synchronization configurations. The derived classes define the behavior for synchronizing identities. The following are the derived types.
4 |
5 | ## Derived types
6 | | Type | Description |
7 | |:-|:-|
8 | | [**educationIdentityMatchingConfiguration**](educationidentitymatchingconfiguration.md) | Use this type to match existing user accounts in Azure Active Directory (Azure AD). |
9 | | [**educationIdentityCreationConfiguration**](educationidentitycreationconfiguration.md) | Use this type to create new user accounts in Azure AD. |
10 |
--------------------------------------------------------------------------------
/SDSProfileManagementDocs/resources/educationonerosterapidataprovider.md:
--------------------------------------------------------------------------------
1 | # educationOneRosterApiDataProvider resource
2 |
3 | Used to set up the school data synchronization profile when the [OneRoster API](https://www.imsglobal.org/activity/onerosterlis) is used as the input source.
4 |
5 | Derived from [educationSynchronizationDataProvider](educationsynchronizationdataprovider.md).
6 |
7 | ## Properties
8 |
9 | | Property | Type | Description |
10 | |:-|:-|:-|
11 | | **connectionUrl** | String | The connection URL to the OneRoster instance. |
12 | | **schoolsIds** | String collection | The list of school sourcedIds to sync. |
13 | | **providerName** | String | The OneRoster Service Provider name as defined by the [OneRoster specification](https://www.imsglobal.org/oneroster-v11-final-best-practice-and-implementation-guide#AppA). |
14 | | **connectionSettings** | [educationSynchronizationConnectionSettings](educationSynchronizationConnectionSettings.md) | Connection settings for the OneRoster instance. Should be of type [educationSynchronizationOAuth1ConnectionSettings](educationSynchronizationOAuth1ConnectionSettings.md) or [educationSynchronizationOAuth2ClientCredentialsConnectionSettings](educationSynchronizationOAuth2ClientCredentialsConnectionSettings.md) |
15 | | **customizations** | [educationSynchronizationCustomizations](educationsynchronizationcustomizations.md) | Optional customization to be applied to the synchronization profile.|
16 |
17 | ## JSON representation
18 |
25 |
26 | ```json
27 | "dataProvider": {
28 | "@odata.type": "#microsoft.graph.educationOneRosterApiDataProvider",
29 | "connectionUrl": "String",
30 | "providerName": "String",
31 | "schoolsIds": [
32 | "String"
33 | ],
34 | "connectionSettings": {
35 | "@odata.type": "#microsoft.graph.educationSynchronizationOAuth1ConnectionSettings",
36 | "clientId": "String",
37 | "clientSecret": "String"
39 | },
40 | "customizations": { "@odata.type": "microsoft.graph.educationSynchronizationCustomizations" }
41 | }
42 | ```
43 |
--------------------------------------------------------------------------------
/SDSProfileManagementDocs/resources/educationpowerschooldataprovider.md:
--------------------------------------------------------------------------------
1 | # educationPowerSchoolDataProvider resource
2 |
3 | Used to set up the school data synchronization profile when [PowerSchool](https://www.powerschool.com/solutions/student-information-system-sis/) is used as the input source.
4 |
5 | Derived from [educationSynchronizationDataProvider](educationsynchronizationdataprovider.md).
6 |
7 | ## Properties
8 |
9 | | Property | Type | Description |
10 | |:-|:-|:-|
11 | | **connectionUrl** | String | The connection URL to the PowerSchool instance. |
12 | | **clientId** | String | The client ID used to connect to PowerSchool. |
13 | | **clientSecret** | String | The client secret to authenticate the connection to the PowerSchool instance. |
14 | | **schoolsIds** | String collection | The list of schools to sync. |
15 | | **schoolYear** | String | The school year to sync. |
16 | | **allowTeachersInMultipleSchools** | Boolean | Indicates whether the source has multiple identifiers for a single student or teacher. |
17 | | **customizations** | [educationSynchronizationCustomizations](educationsynchronizationcustomizations.md) | Optional customization to be applied to the synchronization profile.|
18 |
19 | ## JSON representation
20 |
27 |
28 | ```json
29 | "dataProvider": {
30 | "@odata.type": "#microsoft.graph.educationPowerSchoolDataProvider",
31 | "connectionUrl": "String",
32 | "clientId": "String",
33 | "clientSecret": "String",
34 | "schoolsIds": ["String"],
35 | "schoolYear": "String",
36 | "allowTeachersInMultipleSchools": "Boolean",
37 | "customizations": { "@odata.type": "microsoft.graph.educationSynchronizationCustomizations" }
38 | }
39 | ```
40 |
--------------------------------------------------------------------------------
/SDSProfileManagementDocs/resources/educationsynchronizationcustomization.md:
--------------------------------------------------------------------------------
1 | # educationSynchronizationCustomization resource type
2 |
3 | Provides settings for customizing the school data profile synchronization of the resource entities. The customization can be applied to all the entities being synchronized.
4 |
5 | >**Note:** The **synchronizationStartDate** property only applies to the **StudentEnrollment** entity.
6 |
7 | ## Properties
8 |
9 | | Property | Type | Description |
10 | |:-|:-|:-|
11 | | **optionalPropertiesToSync** | collection of string | The collection of property names to sync. If set to null, all properties will be synchronized. |
12 | | **synchronizationStartDate** | DateTime | The date that the synchronization should start. This value should be set to a future date. If set to null, the resource will be synchronized when the profile setup completes. **Note:** This only applies to the **StudentEnrollment** entity. |
13 | |**isSyncDeferred** |Boolean | Indicates whether synchronization of the parent entity is deferred to a later date. |
14 | | **allowDisplayNameUpdate** | Boolean | Indicates whether the display name of the resource can be overwritten by the sync. |
15 |
16 |
17 | ## JSON representation
18 |
25 |
26 | ```json
27 | {
28 | "optionalPropertiesToSync":["String"],
29 | "synchronizationStartDate": "DateTimeOffset",
30 | "isSyncDeferred": "Boolean",
31 | "allowDisplayNameUpdate": "Boolean"
32 | }
33 | ```
34 |
--------------------------------------------------------------------------------
/SDSProfileManagementDocs/resources/educationsynchronizationcustomizations.md:
--------------------------------------------------------------------------------
1 | # educationSynchronizationCustomizations resource type
2 |
3 | Contains the list of entities to sync and their [customizations](educationsynchronizationcustomization.md), if any.
4 |
5 | > **Note:** Customization of properties to sync does not apply to the **studentEnrollment** and **teacherRoster** entities.
6 |
7 | This resource is a member of the following data providers:
8 |
9 | * [educationCsvDataProvider](educationcsvdataprovider.md)
10 | * [educationPowerSchoolDataProvider](educationpowerschooldataprovider.md)
11 |
12 | ## Properties
13 |
14 | | Property | Type | Description |
15 | |:-|:-|:-|
16 | | **school** | [educationSynchronizationCustomization](educationsynchronizationcustomization.md) | Customization for a school entity. |
17 | | **section** | [educationSynchronizationCustomization](educationsynchronizationcustomization.md) | Customization for a section entity. |
18 | | **student** | [educationSynchronizationCustomization](educationsynchronizationcustomization.md) | Customization for a student entity. |
19 | | **teacher** | [educationSynchronizationCustomization](educationsynchronizationcustomization.md) | Customization for a teacher entity. |
20 | | **studentEnrollment** | [educationSynchronizationCustomization](educationsynchronizationcustomization.md) | Customization for student enrollment. |
21 | | **teacherRoster** | [educationSynchronizationCustomization](educationsynchronizationcustomization.md) | Customization for a teacher roster. |
22 |
23 | ## JSON representation
24 |
31 |
32 | ```json
33 | "customizations": {
34 | "school": {"@odata.type": "microsoft.graph.educationSynchronizationCustomization"},
35 | "section": {"@odata.type": "microsoft.graph.educationSynchronizationCustomization"},
36 | "student": {"@odata.type": "microsoft.graph.educationSynchronizationCustomization"},
37 | "teacher": {"@odata.type": "microsoft.graph.educationSynchronizationCustomization"},
38 | "studentEnrollment": {"@odata.type": "microsoft.graph.educationSynchronizationCustomization"},
39 | "teacherRoster": {"@odata.type": "microsoft.graph.educationSynchronizationCustomization"}
40 | }
41 | }
42 | ```
43 |
--------------------------------------------------------------------------------
/SDSProfileManagementDocs/resources/educationsynchronizationdataprovider.md:
--------------------------------------------------------------------------------
1 | # educationSynchronizationDataProvider resource type
2 |
3 | Represents the source SIS schema. This allows the system to know how to map the incoming data to the Azure Active Directory (Azure AD) schema.
4 |
5 | > **Note:** This complex type is abstract. Refer to the specific types of data providers listed.
6 |
7 | ## Derived types
8 | | Type | Description |
9 | |:-|:-|
10 | | [educationcsvdataprovider](educationCsvDataProvider.md) | Used with CSV files as the input source. |
11 | | [educationpowerschooldataprovider](educationPowerSchoolDataProvider.md) | Used with PowerSchool as the input source. |
12 | | [educationonerosterapidataprovider](educationOneRosterApiDataProvider.md) | Used with OneRoster API as the input source. |
13 |
14 | ## Properties
15 |
16 | No properties are exposed by this type.
17 |
--------------------------------------------------------------------------------
/SDSProfileManagementDocs/resources/educationsynchronizationerror.md:
--------------------------------------------------------------------------------
1 | # educationSynchronizationError resource type
2 |
3 | Represents an error during school data profile sync. A unique error will be generated for every entry that fails to synchronize with Azure Active Directory (Azure AD).
4 |
5 | ## Methods
6 |
7 | | Method | Return Type | Description |
8 | |:-|:-|:-|
9 | | [Get synchronization errors](../api/educationsynchronizationerrors_get.md) | **educationSynchronizationError** collection| Returns the list of synchronization errors associated with a profile. |
10 |
11 | ## Properties
12 |
13 | | Property | Type | Description |
14 | |:-|:-|:-|
15 | | **entryType** | string | represents the sync entity (school, section, student, teacher) |
16 | | **errorCode** | string | represents the error code for this error |
17 | | **errorMessage** | string | contains a description of the error |
18 | | **joiningValue** | string | the unique identifier for the entry |
19 | | **recordedDateTime** | DateTimeOffset | the time of occurrence of this error |
20 |
21 | ## JSON representation
22 |
29 |
30 | ```json
31 | {
32 | "entryType": "String",
33 | "errorCode": "String",
34 | "errorMessage": "String",
35 | "joiningValue": "String",
36 | "recordedDateTime": "DateTimeOffset",
37 | "reportableIdentifier": "String"
38 | }
39 | ```
40 |
--------------------------------------------------------------------------------
/SDSProfileManagementDocs/resources/educationsynchronizationlicenseassignment.md:
--------------------------------------------------------------------------------
1 | # educationSynchronizationLicenseAssignment resource type
2 |
3 | Represents the license information to assign to user accounts. The resource will be used to set up license assignments when creating new user accounts.
4 |
5 | ## Properties
6 |
7 | | Property | Type | Description |
8 | |:-|:-|:-|
9 | | **appliesTo** | string | The user role type to assign the license to. Possible values are: `student`, `teacher`. |
10 | | **skuIds** | collection of strings | Represents the SKU identifiers of the licenses to assign. |
11 |
12 | ## JSON representation
13 |
20 |
21 | ```json
22 | {
23 | "appliesTo": {"@odata.type": "#microsoft.graph.educationUserRole"},
24 | "skuIds": ["String"]
25 | }
26 | ```
27 |
--------------------------------------------------------------------------------
/SDSProfileManagementDocs/resources/educationsynchronizationprofilestatus.md:
--------------------------------------------------------------------------------
1 | # educationSynchronizationProfileStatus resource type
2 |
3 | Represents the synchronization status of a school data [synchronization profile](educationsynchronizationprofile.md).
4 |
5 | > **Note:** Updates to the **educationSynchronizationProfileStatus** might be delayed due to the asynchronous nature of background sync processing.
6 |
7 | ## Methods
8 |
9 | | Method | Return Type | Description |
10 | |:-|:-|:-|
11 | | [Get status of a sync](../api/educationsynchronizationprofilestatus_get.md) | **educationSynchronizationProfileStatus** | Return the status of a specific synchronization profile. |
12 |
13 | ## Properties
14 |
15 | | Property | Type | Description |
16 | |:-|:-|:-|
17 | | **status** | string | The status of a sync. Possible values are: `paused`, `inProgress`, `success`, `error`, `quarantined`, `validationError`. |
18 | | **lastSynchronizationDateTime** | DateTimeOffset | Represents the time when most recent changes have been observed in the directory. |
19 |
20 | ## JSON representation
21 |
28 |
29 | ```json
30 | {
31 | "@odata.context": "https://graph.microsoft.com/beta/$metadata#education/synchronizationProfiles('{id}')/profileStatus/$entity",
32 | "status": {"@odata.type":"microsoft.graph.educationSynchronizationStatus"},
33 | "lastSynchronizationDateTime": "DateTimeOffset"
34 | }
35 | ```
--------------------------------------------------------------------------------
/SDSProfileManagementDocs/scenarios/Images/AddGraphAPI.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OfficeDev/O365-EDU-Tools/1121bf849b6308c8727b657c78fd331ec4157b6e/SDSProfileManagementDocs/scenarios/Images/AddGraphAPI.PNG
--------------------------------------------------------------------------------
/SDSProfileManagementDocs/scenarios/Images/AddPermissions.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OfficeDev/O365-EDU-Tools/1121bf849b6308c8727b657c78fd331ec4157b6e/SDSProfileManagementDocs/scenarios/Images/AddPermissions.PNG
--------------------------------------------------------------------------------
/SDSProfileManagementDocs/scenarios/Images/Settings.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OfficeDev/O365-EDU-Tools/1121bf849b6308c8727b657c78fd331ec4157b6e/SDSProfileManagementDocs/scenarios/Images/Settings.PNG
--------------------------------------------------------------------------------
/SDSProfileManagementDocs/scenarios/synchronization-profile-api-introduction.md:
--------------------------------------------------------------------------------
1 | # School Data Sync Profile APIs Preview
2 |
3 | **This document provides information on setting up automated sync and profile management using the Preview version of [School Data Sync Profile Management APIs](../api/synchronizationprofile_post.md)**
4 |
5 | Background: [School Data Sync](https://sds.microsoft.com/) helps to automate the process of importing and synchronizing roster and account data from student information systems around the world with Azure AD and Office 365. A synchronization profile is a representation of a configuration that is used for syncing the data. To set up the sync, school IT can choose to log in to the SDS portal, create a sync profile, and choose a deployment method – either CSV files, one of the supported SIS connectors, or a OneRoster-compliant provider. In addition to enabling sync from the portal, you can also use School Data Sync APIs to manage the sync process. This document describes how SDS Management APIs can be used to fully automate SDS profile and sync management without using the SDS Management portal.
6 |
7 | Explore School Data Sync profile management APIs:
8 | - [Create an SDS Profile for SDS Sync using CSV files](create-synchronization-profile.md)
9 | - [Create an SDS Profile for SDS Sync using OneRoster or a supported SIS API Provider](create-api-synchronization-profile.md)
10 | - [Updating an existing sync profile](update-synchronization-profile.md)
11 | - [Troubleshooting sync failures](troubleshooting-sync-failures.md)
12 |
13 | ## Prerequisites:
14 |
15 | ### Prerequisites for developing the Sync Profile App:
16 | School Data Sync Profile APIs can be integrated with a 3rd party app or a student information system (SIS) solution. To enable this integration, the app must meet
17 | the following prerequisites:
18 |
19 | 1. The Client App is registered with Azure Active Directory.
20 |
21 | To create an app that can be used by multiple EDU tenants, the recommendation is to build a multi-tenant SaaS web application using Azure AD and OpenID Connect. Follow the guidelines and a sample app published [here](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-devhowto-multi-tenant-overview) to register this app with Azure AD.
22 |
23 |
24 |
25 | 2. Request permissions in the app to manage synchronization profiles.
26 |
27 | To enable the app to create and manage synchronization profiles, the app needs to request the permissions mentioned below in Azure AD. The school IT admin will be responsible for granting these permissions.
28 |
29 | - Navigate to the newly registered app in Azure portal, go to app settings and select 'Required Permissions'
30 |
31 | 
32 |
33 | - Select 'Add' and choose 'Graph API'
34 |
35 | 
36 |
37 | - Select one of the following 'delegated' permissions:
38 | - 'Manage education app settings' - For scenarios that require read-write permissions
39 | - 'Read education app settings' - For scenarios that require read-only permissions.
40 |
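41 | Please refer to the API documentation to identify the scopes for the corresponding APIs, and request only the permission the scenario needs: an app that only reads profiles does not need 'Manage education app settings'.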
42 |
43 | 
44 |
45 | 3. The authorization token needed to call the SDS APIs must be acquired in the user context. The resource the token is requested for should be "https://graph.microsoft.com".
46 |
47 | ### Prerequisites for running the App
48 |
49 | Once the app is deployed, School IT can set up automated sync profiles. Here are the prerequisites for running the app.
50 |
51 | 1. Access to EDU Tenant Admin subscription: Ensure the IT admin has access to the Admin account of the EDU subscription. The IT admin needs to log in to the Azure portal (from the Office admin center).
52 |
53 | 2. Grant consent for the permissions requested by the app: Log in and grant the permissions that the app requests to create and manage sync profiles.
54 |
55 | Once you have successfully met the prerequisites for creating an app, you are ready to explore the scenarios supported by the Sync Profile APIs.
56 |
--------------------------------------------------------------------------------
/SECURITY.md:
--------------------------------------------------------------------------------
1 |
2 |
3 | ## Security
4 |
5 | Microsoft takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, which include [Microsoft](https://github.com/microsoft), [Azure](https://github.com/Azure), [DotNet](https://github.com/dotnet), [AspNet](https://github.com/aspnet), [Xamarin](https://github.com/xamarin), and [our GitHub organizations](https://opensource.microsoft.com/).
6 |
7 | If you believe you have found a security vulnerability in any Microsoft-owned repository that meets [Microsoft's definition of a security vulnerability](https://aka.ms/opensource/security/definition), please report it to us as described below.
8 |
9 | ## Reporting Security Issues
10 |
11 | **Please do not report security vulnerabilities through public GitHub issues.**
12 |
13 | Instead, please report them to the Microsoft Security Response Center (MSRC) at [https://msrc.microsoft.com/create-report](https://aka.ms/opensource/security/create-report).
14 |
15 | If you prefer to submit without logging in, send email to [secure@microsoft.com](mailto:secure@microsoft.com). If possible, encrypt your message with our PGP key; please download it from the [Microsoft Security Response Center PGP Key page](https://aka.ms/opensource/security/pgpkey).
16 |
17 | You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Additional information can be found at [microsoft.com/msrc](https://aka.ms/opensource/security/msrc).
18 |
19 | Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue:
20 |
21 | * Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
22 | * Full paths of source file(s) related to the manifestation of the issue
23 | * The location of the affected source code (tag/branch/commit or direct URL)
24 | * Any special configuration required to reproduce the issue
25 | * Step-by-step instructions to reproduce the issue
26 | * Proof-of-concept or exploit code (if possible)
27 | * Impact of the issue, including how an attacker might exploit the issue
28 |
29 | This information will help us triage your report more quickly.
30 |
31 | If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Please visit our [Microsoft Bug Bounty Program](https://aka.ms/opensource/security/bounty) page for more details about our active programs.
32 |
33 | ## Preferred Languages
34 |
35 | We prefer all communications to be in English.
36 |
37 | ## Policy
38 |
39 | Microsoft follows the principle of [Coordinated Vulnerability Disclosure](https://aka.ms/opensource/security/cvd).
40 |
41 |
42 |
--------------------------------------------------------------------------------