{ "schemaVersion": "1.0", "item": { "slug": "ms365-tenant-manager", "name": "Ms365 Tenant Manager", "source": "tencent", "type": "skill", "category": "效率提升", "sourceUrl": "https://clawhub.ai/alirezarezvani/ms365-tenant-manager", "canonicalUrl": "https://clawhub.ai/alirezarezvani/ms365-tenant-manager", "targetPlatform": "OpenClaw" }, "install": { "downloadMode": "redirect", "downloadUrl": "/downloads/ms365-tenant-manager", "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=ms365-tenant-manager", "sourcePlatform": "tencent", "targetPlatform": "OpenClaw", "installMethod": "Manual import", "extraction": "Extract archive", "prerequisites": [ "OpenClaw" ], "packageFormat": "ZIP package", "includedAssets": [ "SKILL.md", "expected_output.json", "references/powershell-templates.md", "references/security-policies.md", "references/troubleshooting.md", "sample_input.json" ], "primaryDoc": "SKILL.md", "quickSetup": [ "Download the package from Yavira.", "Extract the archive and review SKILL.md first.", "Import or place the package into your OpenClaw setup." ], "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run." } ] }, "sourceHealth": { "source": "tencent", "status": "healthy", "reason": "direct_download_ok", "recommendedAction": "download", "checkedAt": "2026-04-23T16:43:11.935Z", "expiresAt": "2026-04-30T16:43:11.935Z", "httpStatus": 200, "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard", "contentType": "application/zip", "probeMethod": "head", "details": { "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard", "contentDisposition": "attachment; filename=\"4claw-imageboard-1.0.1.zip\"", "redirectLocation": null, "bodySnippet": null }, "scope": "source", "summary": "Source download looks usable.", "detail": "Yavira can redirect you to the upstream package for this source.", "primaryActionLabel": "Download for OpenClaw", "primaryActionHref": "/downloads/ms365-tenant-manager" }, "validation": { "installChecklist": [ "Use the Yavira download entry.", "Review SKILL.md after the package is downloaded.", "Confirm the extracted package contains the expected setup assets." ], "postInstallChecks": [ "Confirm the extracted package includes the expected docs or setup files.", "Validate the skill or prompts are available in your target agent workspace.", "Capture any manual follow-up steps the agent could not complete." ] }, "downloadPageUrl": "https://openagent3.xyz/downloads/ms365-tenant-manager", "agentPageUrl": "https://openagent3.xyz/skills/ms365-tenant-manager/agent", "manifestUrl": "https://openagent3.xyz/skills/ms365-tenant-manager/agent.json", "briefUrl": "https://openagent3.xyz/skills/ms365-tenant-manager/agent.md" }, "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run." } ] }, "documentation": { "source": "clawhub", "primaryDoc": "SKILL.md", "sections": [ { "title": "Microsoft 365 Tenant Manager", "body": "Expert guidance and automation for Microsoft 365 Global Administrators managing tenant setup, user lifecycle, security policies, and organizational optimization." }, { "title": "Run a Security Audit", "body": "Connect-MgGraph -Scopes \"Directory.Read.All\",\"Policy.Read.All\",\"AuditLog.Read.All\"\nGet-MgSubscribedSku | Select-Object SkuPartNumber, ConsumedUnits, @{N=\"Total\";E={$_.PrepaidUnits.Enabled}}\nGet-MgPolicyAuthorizationPolicy | Select-Object AllowInvitesFrom, DefaultUserRolePermissions" }, { "title": "Bulk Provision Users from CSV", "body": "# CSV columns: DisplayName, UserPrincipalName, Department, LicenseSku\nImport-Csv .\\new_users.csv | ForEach-Object {\n $passwordProfile = @{ Password = (New-Guid).ToString().Substring(0,16) + \"!\"; ForceChangePasswordNextSignIn = $true }\n New-MgUser -DisplayName $_.DisplayName -UserPrincipalName $_.UserPrincipalName `\n -Department $_.Department -AccountEnabled -PasswordProfile $passwordProfile\n}" }, { "title": "Create a Conditional Access Policy (MFA for Admins)", "body": "$adminRoles = (Get-MgDirectoryRole | Where-Object { $_.DisplayName -match \"Admin\" }).Id\n$policy = @{\n DisplayName = \"Require MFA for Admins\"\n State = \"enabledForReportingButNotEnforced\" # Start in report-only mode\n Conditions = @{ Users = @{ IncludeRoles = $adminRoles } }\n GrantControls = @{ Operator = \"OR\"; BuiltInControls = @(\"mfa\") }\n}\nNew-MgIdentityConditionalAccessPolicy -BodyParameter $policy" }, { "title": "Workflow 1: New Tenant Setup", "body": "Step 1: Generate Setup Checklist\n\nConfirm prerequisites before provisioning:\n\nGlobal Admin account created and secured with MFA\nCustom domain purchased and accessible for DNS edits\nLicense SKUs confirmed (E3 vs E5 feature requirements noted)\n\nStep 2: Configure and Verify DNS Records\n\n# After adding the domain in the M365 admin center, verify propagation before proceeding\n$domain = \"company.com\"\nResolve-DnsName -Name \"_msdcs.$domain\" -Type NS -ErrorAction SilentlyContinue\n# Also run from a shell prompt:\n# nslookup -type=MX company.com\n# nslookup -type=TXT company.com # confirm SPF record\n\nWait for DNS propagation (up to 48 h) before bulk user creation.\n\nStep 3: Apply Security Baseline\n\n# Disable legacy authentication (blocks Basic Auth protocols)\n$policy = @{\n DisplayName = \"Block Legacy Authentication\"\n State = \"enabled\"\n Conditions = @{ ClientAppTypes = @(\"exchangeActiveSync\",\"other\") }\n GrantControls = @{ Operator = \"OR\"; BuiltInControls = @(\"block\") }\n}\nNew-MgIdentityConditionalAccessPolicy -BodyParameter $policy\n\n# Enable unified audit log\nSet-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true\n\nStep 4: Provision Users\n\n$licenseSku = (Get-MgSubscribedSku | Where-Object { $_.SkuPartNumber -eq \"ENTERPRISEPACK\" }).SkuId\n\nImport-Csv .\\employees.csv | ForEach-Object {\n try {\n $user = New-MgUser -DisplayName $_.DisplayName -UserPrincipalName $_.UserPrincipalName `\n -AccountEnabled -PasswordProfile @{ Password = (New-Guid).ToString().Substring(0,12)+\"!\"; ForceChangePasswordNextSignIn = $true }\n Set-MgUserLicense -UserId $user.Id -AddLicenses @(@{ SkuId = $licenseSku }) -RemoveLicenses @()\n Write-Host \"Provisioned: $($_.UserPrincipalName)\"\n } catch {\n Write-Warning \"Failed $($_.UserPrincipalName): $_\"\n }\n}\n\nValidation: Spot-check 3–5 accounts in the M365 admin portal; confirm licenses show \"Active.\"" }, { "title": "Workflow 2: Security Hardening", "body": "Step 1: Run Security Audit\n\nConnect-MgGraph -Scopes \"Directory.Read.All\",\"Policy.Read.All\",\"AuditLog.Read.All\",\"Reports.Read.All\"\n\n# Export Conditional Access policy inventory\nGet-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State |\n Export-Csv .\\ca_policies.csv -NoTypeInformation\n\n# Find accounts without MFA registered\n$report = Get-MgReportAuthenticationMethodUserRegistrationDetail\n$report | Where-Object { -not $_.IsMfaRegistered } |\n Select-Object UserPrincipalName, IsMfaRegistered |\n Export-Csv .\\no_mfa_users.csv -NoTypeInformation\n\nWrite-Host \"Audit complete. Review ca_policies.csv and no_mfa_users.csv.\"\n\nStep 2: Create MFA Policy (report-only first)\n\n$policy = @{\n DisplayName = \"Require MFA All Users\"\n State = \"enabledForReportingButNotEnforced\"\n Conditions = @{ Users = @{ IncludeUsers = @(\"All\") } }\n GrantControls = @{ Operator = \"OR\"; BuiltInControls = @(\"mfa\") }\n}\nNew-MgIdentityConditionalAccessPolicy -BodyParameter $policy\n\nValidation: After 48 h, review Sign-in logs in Entra ID; confirm expected users would be challenged, then change State to \"enabled\".\n\nStep 3: Review Secure Score\n\n# Retrieve current Secure Score and top improvement actions\nGet-MgSecuritySecureScore -Top 1 | Select-Object CurrentScore, MaxScore, ActiveUserCount\nGet-MgSecuritySecureScoreControlProfile | Sort-Object -Property ActionType |\n Select-Object Title, ImplementationStatus, MaxScore | Format-Table -AutoSize" }, { "title": "Workflow 3: User Offboarding", "body": "Step 1: Block Sign-in and Revoke Sessions\n\n$upn = \"departing.user@company.com\"\n$user = Get-MgUser -Filter \"userPrincipalName eq '$upn'\"\n\n# Block sign-in immediately\nUpdate-MgUser -UserId $user.Id -AccountEnabled:$false\n\n# Revoke all active tokens\nInvoke-MgInvalidateAllUserRefreshToken -UserId $user.Id\nWrite-Host \"Sign-in blocked and sessions revoked for $upn\"\n\nStep 2: Preview with -WhatIf (license removal)\n\n# Identify assigned licenses\n$licenses = (Get-MgUserLicenseDetail -UserId $user.Id).SkuId\n\n# Dry-run: print what would be removed\n$licenses | ForEach-Object { Write-Host \"[WhatIf] Would remove SKU: $_\" }\n\nStep 3: Execute Offboarding\n\n# Remove licenses\nSet-MgUserLicense -UserId $user.Id -AddLicenses @() -RemoveLicenses $licenses\n\n# Convert mailbox to shared (requires ExchangeOnlineManagement module)\nSet-Mailbox -Identity $upn -Type Shared\n\n# Remove from all groups\nGet-MgUserMemberOf -UserId $user.Id | ForEach-Object {\n try { Remove-MgGroupMemberByRef -GroupId $_.Id -DirectoryObjectId $user.Id } catch {}\n}\nWrite-Host \"Offboarding complete for $upn\"\n\nValidation: Confirm in the M365 admin portal that the account shows \"Blocked,\" has no active licenses, and the mailbox type is \"Shared.\"" }, { "title": "Tenant Setup", "body": "Enable MFA before adding users\nConfigure named locations for Conditional Access\nUse separate admin accounts with PIM\nVerify custom domains (and DNS propagation) before bulk user creation\nApply Microsoft Secure Score recommendations" }, { "title": "Security Operations", "body": "Start Conditional Access policies in report-only mode\nReview Sign-in logs for 48 h before enforcing a new policy\nNever hardcode credentials in scripts — use Azure Key Vault or Get-Credential\nEnable unified audit logging for all operations\nConduct quarterly security reviews and Secure Score check-ins" }, { "title": "PowerShell Automation", "body": "Prefer Microsoft Graph (Microsoft.Graph module) over legacy MSOnline\nInclude try/catch blocks for error handling\nImplement Write-Host/Write-Warning logging for audit trails\nUse -WhatIf or dry-run output before bulk destructive operations\nTest in a non-production tenant first" }, { "title": "Reference Guides", "body": "references/powershell-templates.md\n\nReady-to-use script templates\nConditional Access policy examples\nBulk user provisioning scripts\nSecurity audit scripts\n\nreferences/security-policies.md\n\nConditional Access configuration\nMFA enforcement strategies\nDLP and retention policies\nSecurity baseline settings\n\nreferences/troubleshooting.md\n\nCommon error resolutions\nPowerShell module issues\nPermission troubleshooting\nDNS propagation problems" }, { "title": "Limitations", "body": "ConstraintImpactGlobal Admin requiredFull tenant setup needs highest privilegeAPI rate limitsBulk operations may be throttledLicense dependenciesE3/E5 required for advanced featuresHybrid scenariosOn-premises AD needs additional configurationPowerShell prerequisitesMicrosoft.Graph module required" }, { "title": "Required PowerShell Modules", "body": "Install-Module Microsoft.Graph -Scope CurrentUser\nInstall-Module ExchangeOnlineManagement -Scope CurrentUser\nInstall-Module MicrosoftTeams -Scope CurrentUser" }, { "title": "Required Permissions", "body": "Global Administrator — Full tenant setup\nUser Administrator — User management\nSecurity Administrator — Security policies\nExchange Administrator — Mailbox management" } ], "body": "Microsoft 365 Tenant Manager\n\nExpert guidance and automation for Microsoft 365 Global Administrators managing tenant setup, user lifecycle, security policies, and organizational optimization.\n\nQuick Start\nRun a Security Audit\nConnect-MgGraph -Scopes \"Directory.Read.All\",\"Policy.Read.All\",\"AuditLog.Read.All\"\nGet-MgSubscribedSku | Select-Object SkuPartNumber, ConsumedUnits, @{N=\"Total\";E={$_.PrepaidUnits.Enabled}}\nGet-MgPolicyAuthorizationPolicy | Select-Object AllowInvitesFrom, DefaultUserRolePermissions\n\nBulk Provision Users from CSV\n# CSV columns: DisplayName, UserPrincipalName, Department, LicenseSku\nImport-Csv .\\new_users.csv | ForEach-Object {\n $passwordProfile = @{ Password = (New-Guid).ToString().Substring(0,16) + \"!\"; ForceChangePasswordNextSignIn = $true }\n New-MgUser -DisplayName $_.DisplayName -UserPrincipalName $_.UserPrincipalName `\n -Department $_.Department -AccountEnabled -PasswordProfile $passwordProfile\n}\n\nCreate a Conditional Access Policy (MFA for Admins)\n$adminRoles = (Get-MgDirectoryRole | Where-Object { $_.DisplayName -match \"Admin\" }).Id\n$policy = @{\n DisplayName = \"Require MFA for Admins\"\n State = \"enabledForReportingButNotEnforced\" # Start in report-only mode\n Conditions = @{ Users = @{ IncludeRoles = $adminRoles } }\n GrantControls = @{ Operator = \"OR\"; BuiltInControls = @(\"mfa\") }\n}\nNew-MgIdentityConditionalAccessPolicy -BodyParameter $policy\n\nWorkflows\nWorkflow 1: New Tenant Setup\n\nStep 1: Generate Setup Checklist\n\nConfirm prerequisites before provisioning:\n\nGlobal Admin account created and secured with MFA\nCustom domain purchased and accessible for DNS edits\nLicense SKUs confirmed (E3 vs E5 feature requirements noted)\n\nStep 2: Configure and Verify DNS Records\n\n# After adding the domain in the M365 admin center, verify propagation before proceeding\n$domain = \"company.com\"\nResolve-DnsName -Name \"_msdcs.$domain\" -Type NS -ErrorAction SilentlyContinue\n# Also run from a shell prompt:\n# nslookup -type=MX company.com\n# nslookup -type=TXT company.com # confirm SPF record\n\n\nWait for DNS propagation (up to 48 h) before bulk user creation.\n\nStep 3: Apply Security Baseline\n\n# Disable legacy authentication (blocks Basic Auth protocols)\n$policy = @{\n DisplayName = \"Block Legacy Authentication\"\n State = \"enabled\"\n Conditions = @{ ClientAppTypes = @(\"exchangeActiveSync\",\"other\") }\n GrantControls = @{ Operator = \"OR\"; BuiltInControls = @(\"block\") }\n}\nNew-MgIdentityConditionalAccessPolicy -BodyParameter $policy\n\n# Enable unified audit log\nSet-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true\n\n\nStep 4: Provision Users\n\n$licenseSku = (Get-MgSubscribedSku | Where-Object { $_.SkuPartNumber -eq \"ENTERPRISEPACK\" }).SkuId\n\nImport-Csv .\\employees.csv | ForEach-Object {\n try {\n $user = New-MgUser -DisplayName $_.DisplayName -UserPrincipalName $_.UserPrincipalName `\n -AccountEnabled -PasswordProfile @{ Password = (New-Guid).ToString().Substring(0,12)+\"!\"; ForceChangePasswordNextSignIn = $true }\n Set-MgUserLicense -UserId $user.Id -AddLicenses @(@{ SkuId = $licenseSku }) -RemoveLicenses @()\n Write-Host \"Provisioned: $($_.UserPrincipalName)\"\n } catch {\n Write-Warning \"Failed $($_.UserPrincipalName): $_\"\n }\n}\n\n\nValidation: Spot-check 3–5 accounts in the M365 admin portal; confirm licenses show \"Active.\"\n\nWorkflow 2: Security Hardening\n\nStep 1: Run Security Audit\n\nConnect-MgGraph -Scopes \"Directory.Read.All\",\"Policy.Read.All\",\"AuditLog.Read.All\",\"Reports.Read.All\"\n\n# Export Conditional Access policy inventory\nGet-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State |\n Export-Csv .\\ca_policies.csv -NoTypeInformation\n\n# Find accounts without MFA registered\n$report = Get-MgReportAuthenticationMethodUserRegistrationDetail\n$report | Where-Object { -not $_.IsMfaRegistered } |\n Select-Object UserPrincipalName, IsMfaRegistered |\n Export-Csv .\\no_mfa_users.csv -NoTypeInformation\n\nWrite-Host \"Audit complete. Review ca_policies.csv and no_mfa_users.csv.\"\n\n\nStep 2: Create MFA Policy (report-only first)\n\n$policy = @{\n DisplayName = \"Require MFA All Users\"\n State = \"enabledForReportingButNotEnforced\"\n Conditions = @{ Users = @{ IncludeUsers = @(\"All\") } }\n GrantControls = @{ Operator = \"OR\"; BuiltInControls = @(\"mfa\") }\n}\nNew-MgIdentityConditionalAccessPolicy -BodyParameter $policy\n\n\nValidation: After 48 h, review Sign-in logs in Entra ID; confirm expected users would be challenged, then change State to \"enabled\".\n\nStep 3: Review Secure Score\n\n# Retrieve current Secure Score and top improvement actions\nGet-MgSecuritySecureScore -Top 1 | Select-Object CurrentScore, MaxScore, ActiveUserCount\nGet-MgSecuritySecureScoreControlProfile | Sort-Object -Property ActionType |\n Select-Object Title, ImplementationStatus, MaxScore | Format-Table -AutoSize\n\nWorkflow 3: User Offboarding\n\nStep 1: Block Sign-in and Revoke Sessions\n\n$upn = \"departing.user@company.com\"\n$user = Get-MgUser -Filter \"userPrincipalName eq '$upn'\"\n\n# Block sign-in immediately\nUpdate-MgUser -UserId $user.Id -AccountEnabled:$false\n\n# Revoke all active tokens\nInvoke-MgInvalidateAllUserRefreshToken -UserId $user.Id\nWrite-Host \"Sign-in blocked and sessions revoked for $upn\"\n\n\nStep 2: Preview with -WhatIf (license removal)\n\n# Identify assigned licenses\n$licenses = (Get-MgUserLicenseDetail -UserId $user.Id).SkuId\n\n# Dry-run: print what would be removed\n$licenses | ForEach-Object { Write-Host \"[WhatIf] Would remove SKU: $_\" }\n\n\nStep 3: Execute Offboarding\n\n# Remove licenses\nSet-MgUserLicense -UserId $user.Id -AddLicenses @() -RemoveLicenses $licenses\n\n# Convert mailbox to shared (requires ExchangeOnlineManagement module)\nSet-Mailbox -Identity $upn -Type Shared\n\n# Remove from all groups\nGet-MgUserMemberOf -UserId $user.Id | ForEach-Object {\n try { Remove-MgGroupMemberByRef -GroupId $_.Id -DirectoryObjectId $user.Id } catch {}\n}\nWrite-Host \"Offboarding complete for $upn\"\n\n\nValidation: Confirm in the M365 admin portal that the account shows \"Blocked,\" has no active licenses, and the mailbox type is \"Shared.\"\n\nBest Practices\nTenant Setup\nEnable MFA before adding users\nConfigure named locations for Conditional Access\nUse separate admin accounts with PIM\nVerify custom domains (and DNS propagation) before bulk user creation\nApply Microsoft Secure Score recommendations\nSecurity Operations\nStart Conditional Access policies in report-only mode\nReview Sign-in logs for 48 h before enforcing a new policy\nNever hardcode credentials in scripts — use Azure Key Vault or Get-Credential\nEnable unified audit logging for all operations\nConduct quarterly security reviews and Secure Score check-ins\nPowerShell Automation\nPrefer Microsoft Graph (Microsoft.Graph module) over legacy MSOnline\nInclude try/catch blocks for error handling\nImplement Write-Host/Write-Warning logging for audit trails\nUse -WhatIf or dry-run output before bulk destructive operations\nTest in a non-production tenant first\nReference Guides\n\nreferences/powershell-templates.md\n\nReady-to-use script templates\nConditional Access policy examples\nBulk user provisioning scripts\nSecurity audit scripts\n\nreferences/security-policies.md\n\nConditional Access configuration\nMFA enforcement strategies\nDLP and retention policies\nSecurity baseline settings\n\nreferences/troubleshooting.md\n\nCommon error resolutions\nPowerShell module issues\nPermission troubleshooting\nDNS propagation problems\nLimitations\nConstraint\tImpact\nGlobal Admin required\tFull tenant setup needs highest privilege\nAPI rate limits\tBulk operations may be throttled\nLicense dependencies\tE3/E5 required for advanced features\nHybrid scenarios\tOn-premises AD needs additional configuration\nPowerShell prerequisites\tMicrosoft.Graph module required\nRequired PowerShell Modules\nInstall-Module Microsoft.Graph -Scope CurrentUser\nInstall-Module ExchangeOnlineManagement -Scope CurrentUser\nInstall-Module MicrosoftTeams -Scope CurrentUser\n\nRequired Permissions\nGlobal Administrator — Full tenant setup\nUser Administrator — User management\nSecurity Administrator — Security policies\nExchange Administrator — Mailbox management" }, "trust": { "sourceLabel": "tencent", "provenanceUrl": "https://clawhub.ai/alirezarezvani/ms365-tenant-manager", "publisherUrl": "https://clawhub.ai/alirezarezvani/ms365-tenant-manager", "owner": "alirezarezvani", "version": "2.1.1", "license": null, "verificationStatus": "Indexed source record" }, "links": { "detailUrl": "https://openagent3.xyz/skills/ms365-tenant-manager", "downloadUrl": "https://openagent3.xyz/downloads/ms365-tenant-manager", "agentUrl": "https://openagent3.xyz/skills/ms365-tenant-manager/agent", "manifestUrl": "https://openagent3.xyz/skills/ms365-tenant-manager/agent.json", "briefUrl": "https://openagent3.xyz/skills/ms365-tenant-manager/agent.md" } }