Downloads — PowerShell Scripts

All scripts are ready-to-use PowerShell automation tools that correspond to the steps documented in this guide. Download individual scripts or browse by category.

Prerequisites: PowerShell 5.1 or later. Most scripts require the Microsoft Graph PowerShell SDK or legacy AzureAD / ExchangeOnlineManagement modules. Run Set-ExecutionPolicy RemoteSigned before running any script.


Table of Contents

  1. Admin Monthly Report
  2. Setup Intune
    1. Export Scripts (Backup)
  3. Azure AD
  4. Compliance
  5. Exchange Online
  6. Incident Response
  7. Windows 10

Admin Monthly Report

Generate a comprehensive HTML report covering all key M365 health metrics in a single run.

Script                                  Description
Get-M365MonthlyReport.ps1               Main script — generates full HTML report (licenses, MFA, users, guests, CA, mailboxes, admin roles, sign-in failures)


Setup Intune

The core Intune deployment scripts. Start with Setup-Intune.ps1 to import all baseline policies in one step.

Script                                  Description
Setup-Intune.ps1                        Main script — imports all Intune baseline policies into the tenant
Import-AppConfiguration.ps1             Import App Configuration profiles
Import-AppProtection.ps1                Import App Protection (MAM) policies
Import-Applications.ps1                 Import Applications
Import-Compliance.ps1                   Import Compliance policies
Import-DeviceConfiguration.ps1          Import Device Configuration profiles
Import-EndpointSecurity.ps1             Import Endpoint Security policies
Install-BYODMobileDeviceProfiles.ps1    Install BYOD mobile device profiles
Set-MDMAuthority.ps1                    Set MDM authority to Intune
Set-DeviceEnrollmentRestrictions.ps1    Configure device enrollment restrictions
Get-DeviceEnrollmentRestrictions.ps1    Export current enrollment restrictions

Export Scripts (Backup)

Use these to back up existing Intune configurations before making changes.

Script                                  Description
Export-AppConfiguration.ps1             Export App Configuration profiles
Export-AppProtection.ps1                Export App Protection (MAM) policies
Export-Applications.ps1                 Export Applications
Export-Compliance.ps1                   Export Compliance policies
Export-DeviceConfiguration.ps1          Export Device Configuration profiles
Export-EndpointSecurity.ps1             Export Endpoint Security policies
Export-ADMX.ps1                         Export ADMX (Administrative Template) profiles

Azure AD

Scripts for Conditional Access, MFA, and Group management automation.

Script                                  Description
Install-BaselineCAPolicies.ps1          Install baseline Conditional Access policies (Block legacy auth + Require MFA)
Install-DataProtectionCAPolicies.ps1    Install data protection Conditional Access policies
Install-GuestCAPolicies.ps1             Install guest-specific Conditional Access policies
Install-ITPMBaselineCAPolicies.ps1      Install ITPM baseline Conditional Access policies
Baseline-ConditionalAccessPolicies.ps1  Baseline CA policy definitions reference
Enable-MfaForLicensedUsers.ps1          Enable per-user MFA for all licensed users
Disable-MfaForLicensedUsers.ps1         Disable per-user MFA (when migrating to Conditional Access)
Set-GroupExpirationPolicy.ps1           Configure Microsoft 365 Groups expiration policy
Limit-GroupsCreation.ps1                Restrict Groups/Teams creation to a specific security group
Enable-GroupsCreationForAllUsers.ps1    Re-enable Groups/Teams creation for all users
Enable-SensitivityLabelsForGroups.ps1   Enable sensitivity labels for Microsoft 365 Groups

Compliance

Scripts for deploying retention policies and sensitivity labels.

Script                                  Description
Install-SensitivityLabels.ps1           Deploy default sensitivity labels to the tenant
Install-DataRetentionPolicies.ps1       Install baseline data retention policies
Install-EmailRetentionPolicy.ps1        Install Exchange Online email retention policy
Install-TeamsRetentionPolicies.ps1      Install Teams retention policies
Limit-GroupsCreation.ps1                Limit Groups creation (compliance variant)

Exchange Online

Scripts for hardening Exchange Online and configuring email security.

Script                                  Description
Install-EXOStandardProtection.ps1       Apply standard Exchange Online Protection baseline
Setup-DKIM.ps1                          Enable and configure DKIM signing
Setup-OME.ps1                           Configure Office Message Encryption (OME)
Advanced-TenantConfig.ps1               Advanced tenant configuration for Exchange Online
Configure-Auditing.ps1                  Enable and configure mailbox auditing
Disable-Forwarding.ps1                  Block automatic external email forwarding
Disable-SharedMbxSignOn.ps1             Disable sign-in for shared mailbox accounts
Block-ConsumerStorageOWA.ps1            Block consumer storage (Dropbox, Google Drive) in OWA
Block-UnmanagedDownload.ps1             Block downloads on unmanaged devices via OWA
Setup-ArchiveLegalHold.ps1              Configure archive mailbox and litigation hold
Set-DeletedItemsRetention.ps1           Set deleted items retention period

Incident Response

Scripts for investigating security incidents, exporting audit logs, and remediating compromised accounts.

These scripts are intended for use by security administrators during active investigations. Use with care in production environments.

Script                                  Description
Remediate-CompromisedUser.ps1           Remediate a compromised user account (revoke sessions, reset password)
Install-AzureADProtectionAlerts.ps1     Install Azure AD Identity Protection alert rules
Start-AzureADIRCollection.ps1           Collect Azure AD IR forensic data
Start-UnifiedAuditLogIRCollection.ps1   Collect Unified Audit Log data for IR
Export-ActivityByUser.ps1               Export all activity for a specific user
Export-ActivityByIPAddress.ps1          Export all activity from a specific IP address
Export-SignInByUser.ps1                 Export sign-in logs for a specific user
Export-SignInByIPAddress.ps1            Export sign-in logs from a specific IP address
Export-PrivilegedUserActions.ps1        Export admin/privileged user actions from audit log
Export-PrivilegedUserSignIn.ps1         Export sign-in logs for privileged accounts

Windows 10

Scripts for deploying Intune device configuration and security profiles for Windows 10/11 devices.

Script                                  Description
Install-WindowsSecurityProfiles.ps1     Install Windows security baseline profiles
Install-Windows10SecurityProfiles.ps1   Install Windows 10 specific security profiles
Install-OneDriveProfile.ps1             Deploy OneDrive Known Folder Move configuration profile
Install-LegacyProfiles.ps1              Install legacy device configuration profiles