Legacy modules ( MSOnline , AzureAD , ExchangeOnlineManagement older versions) are as of 2024–2026. 3. Interesting Active Commands (Live Examples) 3.1 User Reconnaissance – Find "Hidden" Accounts List all users who have never logged in (inactive security risk):
Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All" Get-MgUser -All | Where-Object $_.SignInActivity -eq $null Uncovers service accounts, terminated employees not disabled, or shared mailboxes being used for illicit access. 3.2 License Audit – Who’s Wasting Money? Get-MgUser -All -Property Id,DisplayName,AssignedLicenses | Select-Object DisplayName, @N="Licenses";E=$_.AssignedLicenses.SkuId -join ", " | Where-Object $_.Licenses -ne "" Output: Every user with their assigned product SKUs. Run this weekly to catch ghost licenses. 3.3 Bulk Mailbox Actions (Like Old cmd but Powerful) Add "Legal Hold – Project X" to all members of a distribution group: active office 365 cmd
| Component | Role | |-----------|------| | | Cross-platform shell | | Microsoft Graph PowerShell SDK | Modern API-based commands | | Exchange Online V3 module | Mailbox-specific controls | | SharePoint Online Management Shell | SPO site management | AssignedLicenses | Select-Object DisplayName
The "CMD" of yesterday has evolved into a programmable, powerful interface that gives you complete control over your tenant. Final command to try right now: Connect-MgGraph -Scopes "User.Read.All" Get-MgUser -Top 10 | Format-List DisplayName, UserPrincipalName End of Report E=$_.AssignedLicenses.SkuId -join "
@echo off curl -X GET "https://graph.microsoft.com/v1.0/users" -H "Authorization: Bearer %ACCESS_TOKEN%" You can get %ACCESS_TOKEN% via az account get-access-token (Azure CLI) or Connect-MgGraph then extract token. | GUI | Active CMD | |-----|-------------| | Slow navigation | Instant execution | | Error-prone clicks | Scriptable, repeatable | | Hidden properties visible only via UI | Full object properties exposed | | Manual audit | Scheduled automation |
This mimics top or htop but for your tenant. 5.1 Find All Admin Role Assignments (Who can wreck your tenant) Get-MgRoleManagementDirectoryRoleAssignment | Where-Object $_.RoleDefinitionId -eq "Global Administrator" | Select-Object PrincipalId, RoleDefinitionId 5.2 Detect Mailbox Forwarding (Common data exfiltration) Get-Mailbox -ResultSize Unlimited | Where-Object $_.ForwardingSmtpAddress -ne $null | Select-Object DisplayName, ForwardingSmtpAddress, DeliverToMailboxAndForward Interesting finding: Many attackers set DeliverToMailboxAndForward = $true to keep the user unaware. 6. Automation Script – "Office 365 Daily Health Check" Save as O365-Health.ps1 and run daily via Task Scheduler or cron: