Downloads — PowerShell Scripts
All scripts are ready-to-use PowerShell automation tools that correspond to the steps documented in this guide. Download individual scripts or browse by category.
Prerequisites: PowerShell 5.1 or later. Most scripts require the Microsoft Graph PowerShell SDK or legacy AzureAD / ExchangeOnlineManagement modules. Run Set-ExecutionPolicy RemoteSigned before running any script.
Admin Monthly Report
Generate a comprehensive HTML report covering all key M365 health metrics in a single run.
| Script | Description |
|---|---|
| Get-M365MonthlyReport.ps1 | Main script — generates full HTML report (licenses, MFA, users, guests, CA, mailboxes, admin roles, sign-in failures) |
Setup Intune
The core Intune deployment scripts. Start with Setup-Intune.ps1 to import all baseline policies in one step.
| Script | Description |
|---|---|
| Setup-Intune.ps1 | Main script — imports all Intune baseline policies into the tenant |
| Import-AppConfiguration.ps1 | Import App Configuration profiles |
| Import-AppProtection.ps1 | Import App Protection (MAM) policies |
| Import-Applications.ps1 | Import Applications |
| Import-Compliance.ps1 | Import Compliance policies |
| Import-DeviceConfiguration.ps1 | Import Device Configuration profiles |
| Import-EndpointSecurity.ps1 | Import Endpoint Security policies |
| Install-BYODMobileDeviceProfiles.ps1 | Install BYOD mobile device profiles |
| Set-MDMAuthority.ps1 | Set MDM authority to Intune |
| Set-DeviceEnrollmentRestrictions.ps1 | Configure device enrollment restrictions |
| Get-DeviceEnrollmentRestrictions.ps1 | Export current enrollment restrictions |
Export Scripts (Backup)
Use these to back up existing Intune configurations before making changes.
| Script | Description |
|---|---|
| Export-AppConfiguration.ps1 | Export App Configuration profiles |
| Export-AppProtection.ps1 | Export App Protection (MAM) policies |
| Export-Applications.ps1 | Export Applications |
| Export-Compliance.ps1 | Export Compliance policies |
| Export-DeviceConfiguration.ps1 | Export Device Configuration profiles |
| Export-EndpointSecurity.ps1 | Export Endpoint Security policies |
| Export-ADMX.ps1 | Export ADMX (Administrative Template) profiles |
Azure AD
Scripts for Conditional Access, MFA, and Group management automation.
| Script | Description |
|---|---|
| Install-BaselineCAPolicies.ps1 | Install baseline Conditional Access policies (Block legacy auth + Require MFA) |
| Install-DataProtectionCAPolicies.ps1 | Install data protection Conditional Access policies |
| Install-GuestCAPolicies.ps1 | Install guest-specific Conditional Access policies |
| Install-ITPMBaselineCAPolicies.ps1 | Install ITPM baseline Conditional Access policies |
| Baseline-ConditionalAccessPolicies.ps1 | Baseline CA policy definitions reference |
| Enable-MfaForLicensedUsers.ps1 | Enable per-user MFA for all licensed users |
| Disable-MfaForLicensedUsers.ps1 | Disable per-user MFA (when migrating to Conditional Access) |
| Set-GroupExpirationPolicy.ps1 | Configure Microsoft 365 Groups expiration policy |
| Limit-GroupsCreation.ps1 | Restrict Groups/Teams creation to a specific security group |
| Enable-GroupsCreationForAllUsers.ps1 | Re-enable Groups/Teams creation for all users |
| Enable-SensitivityLabelsForGroups.ps1 | Enable sensitivity labels for Microsoft 365 Groups |
Compliance
Scripts for deploying retention policies and sensitivity labels.
| Script | Description |
|---|---|
| Install-SensitivityLabels.ps1 | Deploy default sensitivity labels to the tenant |
| Install-DataRetentionPolicies.ps1 | Install baseline data retention policies |
| Install-EmailRetentionPolicy.ps1 | Install Exchange Online email retention policy |
| Install-TeamsRetentionPolicies.ps1 | Install Teams retention policies |
| Limit-GroupsCreation.ps1 | Limit Groups creation (compliance variant) |
Exchange Online
Scripts for hardening Exchange Online and configuring email security.
| Script | Description |
|---|---|
| Install-EXOStandardProtection.ps1 | Apply standard Exchange Online Protection baseline |
| Setup-DKIM.ps1 | Enable and configure DKIM signing |
| Setup-OME.ps1 | Configure Office Message Encryption (OME) |
| Advanced-TenantConfig.ps1 | Advanced tenant configuration for Exchange Online |
| Configure-Auditing.ps1 | Enable and configure mailbox auditing |
| Disable-Forwarding.ps1 | Block automatic external email forwarding |
| Disable-SharedMbxSignOn.ps1 | Disable sign-in for shared mailbox accounts |
| Block-ConsumerStorageOWA.ps1 | Block consumer storage (Dropbox, Google Drive) in OWA |
| Block-UnmanagedDownload.ps1 | Block downloads on unmanaged devices via OWA |
| Setup-ArchiveLegalHold.ps1 | Configure archive mailbox and litigation hold |
| Set-DeletedItemsRetention.ps1 | Set deleted items retention period |
Incident Response
Scripts for investigating security incidents, exporting audit logs, and remediating compromised accounts.
These scripts are intended for use by security administrators during active investigations. Use with care in production environments.
| Script | Description |
|---|---|
| Remediate-CompromisedUser.ps1 | Remediate a compromised user account (revoke sessions, reset password) |
| Install-AzureADProtectionAlerts.ps1 | Install Azure AD Identity Protection alert rules |
| Start-AzureADIRCollection.ps1 | Collect Azure AD IR forensic data |
| Start-UnifiedAuditLogIRCollection.ps1 | Collect Unified Audit Log data for IR |
| Export-ActivityByUser.ps1 | Export all activity for a specific user |
| Export-ActivityByIPAddress.ps1 | Export all activity from a specific IP address |
| Export-SignInByUser.ps1 | Export sign-in logs for a specific user |
| Export-SignInByIPAddress.ps1 | Export sign-in logs from a specific IP address |
| Export-PrivilegedUserActions.ps1 | Export admin/privileged user actions from audit log |
| Export-PrivilegedUserSignIn.ps1 | Export sign-in logs for privileged accounts |
Windows 10
Scripts for deploying Intune device configuration and security profiles for Windows 10/11 devices.
| Script | Description |
|---|---|
| Install-WindowsSecurityProfiles.ps1 | Install Windows security baseline profiles |
| Install-Windows10SecurityProfiles.ps1 | Install Windows 10 specific security profiles |
| Install-OneDriveProfile.ps1 | Deploy OneDrive Known Folder Move configuration profile |
| Install-LegacyProfiles.ps1 | Install legacy device configuration profiles |