
Automating with PowerShell: Disabling anonymous reports for Office365

It’s been a while since I’ve blogged! I’ve been super busy with a secret project I am hoping to release soon. This blog is dedicated to a friend of mine.

His question was “Can we disable the anonymous report functionality in M365?” This functionality gives users a pseudo-anonymous ID in the M365 portal when reporting on OneDrive usage, and also when extracting this information via APIs. That can get annoying if you use the reports for monitoring.

To change this setting you can go to the portal and make the change, or you can use Evotec’s scripts here if you administer a single tenant. For multitenant situations, such as those partners deal with, you can use the script below.

In this script, we use our Secure Application Model Exchange token to connect to the old admin portal resource API. We’re using this token because the Exchange Online application ID, and thus the token, is allowed to connect to all sorts of resources: the old admin portal API, but also the Azure AD API. All you have to change is the “Resource” ID in the request. There’s a bunch of available APIs with this, so the trick is to just experiment 🙂

The script

# Secure Application Model credentials
$ApplicationId = 'AppID'
$ApplicationSecret = 'AppSecret'
$RefreshToken = 'RefreshTokens'
$ExchangeRefreshToken = 'YourExchangeRefreshToken'

# Get a Graph token for the partner tenant (New-PartnerAccessToken comes from the PartnerCenter module)
$credential = New-Object System.Management.Automation.PSCredential($ApplicationId, ($ApplicationSecret | ConvertTo-SecureString -AsPlainText -Force))
$graphToken = New-PartnerAccessToken -ApplicationId $ApplicationId -Credential $credential -RefreshToken $RefreshToken -Scopes 'https://graph.microsoft.com/.default' -ServicePrincipal

Write-Host "Connecting to the Graph API to get all tenants." -ForegroundColor Green
$Contractheaders = @{ "Authorization" = "Bearer $($graphToken.accesstoken)" }
$Customers = (Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/contracts?`$top=999" -Method GET -Headers $Contractheaders).value
foreach ($Customer in $Customers) {
    # Exchange the Exchange Online refresh token for an admin portal token in this customer's tenant.
    # The contract object exposes the tenant ID as customerId.
    $uri = "https://login.microsoftonline.com/$($Customer.customerId)/oauth2/token"
    $body = "resource=https://admin.microsoft.com&grant_type=refresh_token&refresh_token=$($ExchangeRefreshToken)"
    $token = Invoke-RestMethod $uri -Body $body -ContentType "application/x-www-form-urlencoded" -ErrorAction SilentlyContinue -Method Post
    # PrivacyEnabled = false turns off the pseudo-anonymous IDs in the usage reports.
    $sspr = Invoke-RestMethod -ContentType "application/json;charset=UTF-8" -Uri 'https://admin.microsoft.com/admin/api/reports/config/SetTenantConfiguration' -Body '{"PrivacyEnabled":false,"PowerBiEnabled":true}' -Method POST -Headers @{
        Authorization            = "Bearer $($token.access_token)"
        "x-ms-client-request-id" = [guid]::NewGuid().ToString()
        "x-ms-client-session-id" = [guid]::NewGuid().ToString()
        'x-ms-correlation-id'    = [guid]::NewGuid().ToString()
        'X-Requested-With'       = 'XMLHttpRequest'
    }
}
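
As an added example (not part of the original post or the author's code), here is the refresh-token exchange wrapped in a helper that takes the resource as a parameter, stops on a failed exchange, and reads the token's `aud` claim to show which API the token was issued for. `Get-JwtClaims` and `Get-ResourceToken` are hypothetical names, the JWT shape of the access token is an assumption, and the sample token at the end is constructed and unsigned.

```powershell
# Added example; Get-JwtClaims and Get-ResourceToken are hypothetical helper names.
function Get-JwtClaims {
    param([Parameter(Mandatory)][string]$Jwt)
    $parts = $Jwt.Split('.')
    if ($parts.Count -lt 2) { throw 'Not a JWT: expected header.payload.signature' }
    # JWT segments are unpadded base64url; convert to standard base64 before decoding.
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        1 { throw 'Invalid base64url length' }
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    # Decoding only; the signature is not verified, so use this for diagnostics, not trust decisions.
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

function Get-ResourceToken {
    param(
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$Resource,
        [Parameter(Mandatory)][string]$RefreshToken
    )
    $uri = "https://login.microsoftonline.com/$TenantId/oauth2/token"
    # A hashtable body is sent form-encoded, so special characters in the refresh token are escaped.
    $body = @{ resource = $Resource; grant_type = 'refresh_token'; refresh_token = $RefreshToken }
    # -ErrorAction Stop: a failed exchange throws instead of continuing with an empty or stale token.
    $token = Invoke-RestMethod -Uri $uri -Method Post -Body $body -ErrorAction Stop
    # Assumption: the access token is a JWT carrying aud, tid and exp claims.
    $claims = Get-JwtClaims -Jwt $token.access_token
    if ("$($claims.aud)".TrimEnd('/') -ne $Resource.TrimEnd('/')) {
        Write-Warning "Token audience '$($claims.aud)' differs from requested resource '$Resource'"
    }
    [pscustomobject]@{
        AccessToken = $token.access_token
        Audience    = $claims.aud
        TenantId    = $claims.tid
        ExpiresUtc  = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp).UtcDateTime
    }
}

# Offline demo with a constructed, unsigned token (not a real credential).
$payload = '{"aud":"https://admin.microsoft.com","tid":"00000000-0000-0000-0000-000000000000","exp":1700000000}'
$segment = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($payload)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
Get-JwtClaims -Jwt "e30.$segment." | Format-List aud, tid, exp
```

Inside the per-customer loop, calling `Get-ResourceToken` with the customer's tenant ID, `'https://admin.microsoft.com'` and `$ExchangeRefreshToken` would stand in for the `$uri`, `$body` and `$token` lines.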

And that’s it! As always, Happy PowerShelling. 🙂

All blogs are posted under AGPL3.0 unless stated otherwise