Scripting

365Explorer is now available as a PowerShell module designed to make Microsoft 365 security investigations faster, simpler, and far less painful than the usual Entra admin workflow. It runs a local web server and gives you a browser-based interface that feels closer to a security console than a traditional PowerShell script.

At its core, 365Explorer is built around application-based authentication using Microsoft Graph and Exchange Online, giving administrators a level of access that normally takes a lot of manual setup or higher-tier licensing to achieve.

SharePoint storage is one of the most underestimated cost drivers in a Microsoft 365 environment. Microsoft gives every tenant 1TB of base storage plus 1GB per licensed user, but once you start hitting those limits, adding more storage costs money. And the storage you’re paying for is often largely wasted.

Duplicate files get copied across sites instead of linked. Version history grows unbounded — some files have 50+ revisions. Older file versions that no one will ever need keep consuming quota. Without active cleanup, these problems compound silently.

Here are the three cleanup operations I run on every tenant, and the PowerShell behind each one.

SYSVOL replication failures are one of the domain controller problems that keep IT teams up at night. When SYSVOL stops replicating correctly, Group Policy Objects (GPOs) stop updating, logon scripts fall out of sync, and domain controllers begin serving inconsistent policy data.

It’s important to separate this from Active Directory replication issues:

AD replication (NTDS) handles users, groups, password changes, and directory objects

DFSR (Distributed File System Replication) handles SYSVOL contents like GPO files and scripts

If passwords aren’t replicating, that’s an AD replication problem. If GPOs aren’t applying consistently, that’s usually a SYSVOL/DFSR problem.

This guide focuses on the most common DFS Replication failure scenarios and the safest ways to fix them.

A user reports their workstation keeps going to sleep “on its own.” Or someone claims they never left their desk, yet the session clearly disconnected. Answering these questions means digging through the Windows event log and correlating events across Security and System logs into one timeline.

This script pulls seven distinct event IDs from two different logs, merges them chronologically, and outputs a readable sequence of what happened and when.

Windows Update breaks. Everyone knows this. Stuck update loops, error codes that don’t make sense, a client machine that hasn’t successfully installed patches in months. Microsoft’s official KB article for fixing Windows Update is a wall of 30+ manual steps. You have to stop services, rename folders, reset security descriptors, register DLLs, and restart everything in the correct order.

I wrote a script that does all of it in one shot, and I’ve run it on hundreds of machines with consistent results. Here’s how it works and why each step matters.

External sharing is a compliance nightmare. Your 365 tenant has dozens of SharePoint sites, each with document libraries, and files are shared via links or direct invitations. The SharePoint admin center shows you a high-level sharing policy per site, but it won’t tell you which specific files are shared externally or with whom.

I wrote a script that walks every site, every drive, and every file in your tenant using the Microsoft Graph API, then exports a CSV of every externally shared file with who it’s shared with.

Microsoft’s System Center Configuration Manager (SCCM) seems to usually work pretty well for 95-97% of the computers at the environments I’ve worked in. Unfortunately for the remaining few percentage points of computers that SCCM is *not* working pretty well for when SCCM does break it does so spectacularly with style and pizzazz.

This guide will show you how to use PowerShell to remove all traces from the computer so you can perform a clean reinstall!

Microsoft recently added a feature called MDM coexistence into SCCM. Basically this makes SCCM shut off most of it’s functionality when a third party MDM is detected on the machine. You will see errors such as “You don’t have permission to install this software” when coexistence mode is enabled.

This post will outline a way I found to turn SCCM back on (with a caveat).