Automating with PowerShell: Deploying External e-mail markers

A while back I’ve blogged about deploying e-mail spoofing warnings. These warns inject a little bit of HTML into e-mails to let people know a e-mail is external or not trusted. For a while now Microsoft has a native option for this. You do need a somewhat recent version of Outlook but the native version works a little better than just injecting HTML.

A lot of bad actors these days understand we’re injecting HTML and have started adding CSS/HTML to their spoofed e-mails to hide this warning. Using Microsoft’s native warnings this cannot happen. These native warnings are actually a part of the client instead of just some injected code.

Deploying it is pretty easy; Microsoft has created a new cmdlet called “Set ExternalInOutlook”. Of course as Microsoft Partners we get to execute this for all of our partners using the Secure Application Model.

I’d really recommend to just set this up for all tenants, as it’s a nice and unobtrusive method of showing these warnings.

All Tenants Script

$ApplicationId = 'AppID'
$ApplicationSecret = 'AppSecret'
$RefreshToken = 'RefreshTokens'
$ENV:ExchangeRefreshToken = 'YourExchangeRefreshToken'
$credential = New-Object System.Management.Automation.PSCredential($ApplicationId, ($ApplicationSecret | ConvertTo-SecureString -AsPlainText -Force))
$graphToken = New-PartnerAccessToken -ApplicationId $ApplicationId -Credential $credential -RefreshToken $refreshToken -Scopes '' -ServicePrincipal
Write-Host "Connecting to the Graph API to get all tenants." -ForegroundColor Green
$Contractheaders = @{ "Authorization" = "Bearer $($graphToken.accesstoken)" }  
$Customers = (Invoke-RestMethod -Uri "`$top=999" -Method GET -Headers $Contractheaders).value
foreach ($Customer in $Customers) {
    try {
        $upn = ""
        $uri = "$($customer.customerid)/oauth2/token"
        $body = "resource=a0c73c16-a7e3-4564-9a95-2bdf47383716&grant_type=refresh_token&refresh_token=$($ENV:ExchangeRefreshToken)"
        $token = (Invoke-RestMethod $uri -Body $body -ContentType "application/x-www-form-urlencoded" -ErrorAction SilentlyContinue -Method post).accesstoken | ConvertTo-SecureString -Force -AsPlainText
        $credential = New-Object System.Management.Automation.PSCredential($upn, $tokenValue)
        $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "$($customer.customerid)&BasicAuthToOAuthConversion=true" -Credential $credential -Authentication Basic -AllowRedirection -ErrorAction Continue
        Import-PSSession $session -ea Silentlycontinue -AllowClobber -CommandName "Set-ExternalInOutlook"
        Set-ExternalInOutlook -Enabled $true
        Get-PSSession | Remove-PSSession

    catch {
write-host "Failed to set for $($customer.customerid)"    }


And that’s it! as always, Happy PowerShelling. 🙂


  1. Adam Jones January 13, 2022 at 10:44 pm

    Is this something that could be automated via CIPP by chance?

    1. Kelvin Tegelaar January 18, 2022 at 3:03 pm

      Using CIPP you can apply this as a standard 🙂

Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.