Category: Exchange Online

How to Disable Office365 Integrated Apps for all Tenants (Powershell)

How to Disable Office365 Integrated Apps for all Tenants (Powershell)

Disable integrated Apps

What is it?

This very simple Powershell script is aimed at MSPs and Microsoft Partners that manage their clients Office365 environments. It will disable the ‘UsersPermissionToUserConsentToAppEnabled’ option within the clients Tenancy so that they are unable to give permission for third party Apps to access their Office365 Accounts.

Why would you want to do this?

It has been suggested that the next large ransomware attack may target cloud environments like Microsoft Office365. One of the ways that this could be accomplished is by end users granting permission for third party apps to access their Office365 accounts. For more information, see the link below.

Spiceworks – Cloud Ransomware

One of the ways of protecting against this is to disable the end users ability to grant permission to the third party apps in the first place. This is what the script does within Office365.

Things to consider:

 The Script is designed for Office365 Admins who manage a reasonable number of Office365 Tenancies. Using the script will mean that the setting doesn’t need to be applied manually per tenant.

– The Script requires you to be an Office365 Administrator with Delegation permissions over your clients environments

– You may want to check with your clients to make sure that they don’t need this feature.

– The script will presume that you have the correct execution policy configured.

– For those of you with fewer clients you can set this via the Office 365 Admin Center > Settings > Services & Add-ins > Integrated Apps (Refer to picture at the top of the page)

– I take no responsibility or liability for any unforeseen effects of the script. It is suggested that you read through any Powershell script before executing it.

The Script:

#Show Prompt to user
[System.Windows.MessageBox]::Show('This Script will Disable the "UsersPermissionToUserConsentToAppEnabled" option for each Tenant linked to your Partner Account. Click OK to continue')
#Connect to Office365 Partner Tenancy
$Cred = Get-Credential
Connect-MsolService -Credential $Cred
#Get list of Tennant ID's
$Tenant = Get-MsolPartnerContract
foreach ($ID in $Tenant) {Set-MsolCompanySettings -TenantId $ID.TenantID -UsersPermissionToUserConsentToAppEnabled $False
Get-MsolCompanyInformation -TenantId $ID.TenantId | Select DisplayName, UsersPermissionToUserConsentToAppEnabled}

Powershell Script Download:

Disable-UsersPermissionToUserConsentToAppEnabled (Partner)

PowerShell Script to connect to Microsoft Online Services (Office365)

PowerShell Script to connect to Microsoft Online Services (Office365)

Below is a simple PowerShell Script to connect to the following Microsoft Online Services:

Office365 Admin Center
Exchange Online
Sharepoint Online
Skype for Business
Security and Compliance Center

The Script has a simple Menu build in so that you can connect to the services that you need. You’re prompted for your Office365 Credentials prior to being put into the menu. Once you’re done connecting to the services, you can quit the menu (via option 6/Q) and use PowerShell as normal.

You can Dowload the script as a ZIP file from here:
Connect to all Microsoft Online Services

The Script will not set your execution policy. It’s presumed that you have the correct execution policy setup already.

Screenshot of the Simple Menu:

Connect to Office365

The Script:

Write-Host "Please Type in your Office365 Global Admin Credentials"
$cred = Get-Credential

function Show-Menu
{
param (
[string]$Title = 'Which Microsoft Online Service would you like to connect to?'
)
cls
Write-Host "================ $Title ================"

Write-Host "1: Type '1' to connect to Exchange Online."
Write-Host "2: Type '2' to connect to the Office365 Admin Center"
Write-Host "3: Type '3' to connect to Sharepoint Online."
Write-Host "4: Type '4' to connect to the Security and Compliance Center."
Write-Host "5: Type '5' to connect to Skype for Business Online"
Write-Host "Q: Press 'Q' to quit, or when you have connected to all required services."
}
do
{
Show-Menu
$input = Read-Host "Please make a selection"
switch ($input)
{
'1' {
cls
$session1 = New-Pssession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Authentication Basic -AllowRedirection -Credential $cred
Import-PSSession $session1
} '2' {
cls
$session2 = Connect-MsolService -Credential $cred
$session2
} '3'
{
cls
$orgName= Read-Host "What is the tennant Name?"
$session3 = Connect-SPOService -Url https://$orgName-admin.sharepoint.com -Credential $cred
$session3
} '4'
{
cls
$session4 = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid/ -Authentication Basic -AllowRedirection -Credential $cred
Import-PSSession $session4
} '5'
{
cls
$session5 = New-CsOnlineSession -Credential $cred
Import-PSSession $session5
} 'q' {
return
}
}
pause
}
until ($input -eq 'q')