How to Disable Office365 Integrated Apps for all Tenants (Powershell)
This very simple PowerShell script is aimed at MSPs and Microsoft Partners that manage their clients’ Office365 environments. It disables the ‘UsersPermissionToUserConsentToAppEnabled’ option within each client’s tenancy so that users are unable to give permission for third party apps to access their Office365 accounts.
It has been suggested that the next large ransomware attack may target cloud environments like Microsoft Office365. One of the ways that this could be accomplished is by end users granting permission for third party apps to access their Office365 accounts. For more information, see the link below.
One way of protecting against this is to disable the end users’ ability to grant permission to third party apps in the first place. This is what the script does within Office365.
– The script is designed for Office365 admins who manage a reasonable number of Office365 tenancies. Using the script means that the setting doesn’t need to be applied manually per tenant.
– The script requires you to be an Office365 Administrator with Delegation permissions over your clients’ environments.
– You may want to check with your clients to make sure that they don’t need this feature.
– The script will presume that you have the correct execution policy configured.
– For those of you with fewer clients you can set this via the Office 365 Admin Center > Settings > Services & Add-ins > Integrated Apps (Refer to picture at the top of the page)
– I take no responsibility or liability for any unforeseen effects of the script. It is suggested that you read through any Powershell script before executing it.
# Load the WPF assembly that provides System.Windows.MessageBox (not loaded by default in the console)
Add-Type -AssemblyName PresentationFramework
# Show prompt to user
[System.Windows.MessageBox]::Show('This Script will Disable the "UsersPermissionToUserConsentToAppEnabled" option for each Tenant linked to your Partner Account. Click OK to continue')
# Connect to Office365 Partner Tenancy
$Cred = Get-Credential
Connect-MsolService -Credential $Cred
# Get list of tenant IDs
$Tenant = Get-MsolPartnerContract
# Disable user consent in each tenant, then show the resulting setting
foreach ($ID in $Tenant) {
    Set-MsolCompanySettings -TenantId $ID.TenantId -UsersPermissionToUserConsentToAppEnabled $False
    Get-MsolCompanyInformation -TenantId $ID.TenantId | Select-Object DisplayName, UsersPermissionToUserConsentToAppEnabled
}
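An audit-first variant of the loop above, as an added example that is not the author's script: it records each tenant's current setting to a CSV (useful when checking with clients first) and only changes tenants when run with -Apply, catching per-tenant errors so one failure does not stop the run. The function name, the -Apply switch and the report path are assumptions for illustration; the Msol cmdlets are the ones already used in the script.

```powershell
# Added example (not the author's script). Function name, -Apply switch and
# CSV path are hypothetical; the Msol cmdlets are the ones used on this page.
function Set-PartnerTenantUserConsent {
    param(
        [switch]$Apply,                                  # without -Apply nothing is changed
        [string]$ReportPath = '.\UserConsentAudit.csv'   # constructed default path
    )

    $report = foreach ($contract in Get-MsolPartnerContract) {
        $row = [ordered]@{
            TenantId    = $contract.TenantId
            DisplayName = $null
            Before      = $null   # value found before any change
            After       = $null   # value read back after the change (if any)
            Error       = $null
        }
        try {
            $info = Get-MsolCompanyInformation -TenantId $contract.TenantId -ErrorAction Stop
            $row.DisplayName = $info.DisplayName
            $row.Before      = $info.UsersPermissionToUserConsentToAppEnabled
            $row.After       = $row.Before

            # Only touch tenants where user consent is still enabled
            if ($Apply -and $row.Before) {
                Set-MsolCompanySettings -TenantId $contract.TenantId `
                    -UsersPermissionToUserConsentToAppEnabled $false -ErrorAction Stop
                # Re-read so the report shows what the tenant holds now
                $row.After = (Get-MsolCompanyInformation -TenantId $contract.TenantId `
                    -ErrorAction Stop).UsersPermissionToUserConsentToAppEnabled
            }
        }
        catch {
            # Keep going: one tenant without delegated access should not stop the run
            $row.Error = $_.Exception.Message
        }
        [pscustomobject]$row
    }

    # The CSV doubles as a record of the previous values for rollback
    $report | Export-Csv -Path $ReportPath -NoTypeInformation
    $report
}

Connect-MsolService -Credential (Get-Credential)
Set-PartnerTenantUserConsent | Format-Table        # audit only
# Set-PartnerTenantUserConsent -Apply | Format-Table  # apply after reviewing the CSV
```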
One Reply to “How to Disable Office365 Integrated Apps for all Tenants (Powershell)”
Nice script! I’m slowly working my way through a GUI->Powershell->Mass configuration across all tenants process for the many, many office365 tweaks that need to be made for tenants and this was a useful tip for the 3rd party access.
I recommend using Out-grid in the script so that you can select as many tenants as you like through a GUI before running the commands (useful if you have tenants that can’t change).
Update the line to be –
$Tenant = (Get-MsolPartnerContract) | out-gridview -passthru