Claude-Skills ms365-tenant-manager

install

source · Clone the upstream repo

git clone https://github.com/borghei/Claude-Skills

Claude Code · Install into ~/.claude/skills/

T=$(mktemp -d) && git clone --depth=1 https://github.com/borghei/Claude-Skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/engineering/ms365-tenant-manager" ~/.claude/skills/borghei-claude-skills-ms365-tenant-manager && rm -rf "$T"

manifest: engineering/ms365-tenant-manager/SKILL.md

source content

Microsoft 365 Tenant Manager

The agent generates production-ready PowerShell scripts for M365 tenant setup, bulk user provisioning, Conditional Access policies, security audits, and license management. It automates user lifecycle operations (onboarding, offboarding), recommends license SKUs by role, and produces 7-category security audit reports via Microsoft Graph.

Quick Start

Generate Security Audit Script

python scripts/powershell_generator.py --action audit --output audit_script.ps1

Create Bulk User Provisioning Script

python scripts/user_management.py --action provision --csv users.csv --license E3

Configure Conditional Access Policy

python scripts/powershell_generator.py --action conditional-access --require-mfa --include-admins

Tools

powershell_generator.py

Generates ready-to-use PowerShell scripts for Microsoft 365 administration.

Usage:

# Generate security audit script
python scripts/powershell_generator.py --action audit

# Generate Conditional Access policy script
python scripts/powershell_generator.py --action conditional-access \
  --policy-name "Require MFA for Admins" \
  --require-mfa \
  --include-users "All"

# Generate bulk license assignment script
python scripts/powershell_generator.py --action license \
  --csv users.csv \
  --sku "ENTERPRISEPACK"

Parameters:

Parameter	Required	Description
`--action`	Yes	Script type: `audit` , `conditional-access` , `license` , `users`
`--policy-name`	No	Name for Conditional Access policy
`--require-mfa`	No	Require MFA in policy
`--include-users`	No	Users to include: `All` or specific UPNs
`--csv`	No	CSV file path for bulk operations
`--sku`	No	License SKU for assignment
`--output`	No	Output file path (default: stdout)

Output: Complete PowerShell scripts with error handling, logging, and best practices.

user_management.py

Automates user lifecycle operations and bulk provisioning.

Usage:

# Provision users from CSV
python scripts/user_management.py --action provision --csv new_users.csv

# Offboard user securely
python scripts/user_management.py --action offboard --user john.doe@company.com

# Generate inactive users report
python scripts/user_management.py --action report-inactive --days 90

Parameters:

Parameter	Required	Description
`--action`	Yes	Operation: `provision` , `offboard` , `report-inactive` , `sync`
`--csv`	No	CSV file for bulk operations
`--user`	No	Single user UPN
`--days`	No	Days for inactivity threshold (default: 90)
`--license`	No	License SKU to assign

tenant_setup.py

Initial tenant configuration and service provisioning automation.

Usage:

# Generate tenant setup checklist
python scripts/tenant_setup.py --action checklist --company "Acme Inc" --users 50

# Generate DNS records configuration
python scripts/tenant_setup.py --action dns --domain acme.com

# Generate security baseline script
python scripts/tenant_setup.py --action security-baseline

Workflows

Workflow 1: New Tenant Setup

Step 1: Generate Setup Checklist

python scripts/tenant_setup.py --action checklist --company "Company Name" --users 100

Step 2: Configure DNS Records

python scripts/tenant_setup.py --action dns --domain company.com

Step 3: Apply Security Baseline

python scripts/powershell_generator.py --action audit > initial_audit.ps1

Step 4: Provision Users

python scripts/user_management.py --action provision --csv employees.csv --license E3

Workflow 2: Security Hardening

Step 1: Run Security Audit

python scripts/powershell_generator.py --action audit --output security_audit.ps1

Step 2: Create MFA Policy

python scripts/powershell_generator.py --action conditional-access \
  --policy-name "Require MFA All Users" \
  --require-mfa \
  --include-users "All"

Step 3: Review Results

Execute generated scripts and review CSV reports in output directory.

Workflow 3: User Offboarding

Step 1: Generate Offboarding Script

python scripts/user_management.py --action offboard --user departing.user@company.com

Step 2: Execute Script with -WhatIf

.\offboard_user.ps1 -WhatIf

Step 3: Execute for Real

.\offboard_user.ps1 -Confirm:$false

Best Practices

Tenant Setup

Enable MFA before adding users
Configure named locations for Conditional Access
Use separate admin accounts with PIM
Verify custom domains before bulk user creation
Apply Microsoft Secure Score recommendations

Security Operations

Start Conditional Access policies in report-only mode
Use
```
-WhatIf
```
parameter before executing scripts
Never hardcode credentials in scripts
Enable audit logging for all operations
Regular quarterly security reviews

PowerShell Automation

Prefer Microsoft Graph over legacy MSOnline modules
Include try/catch blocks for error handling
Implement logging for audit trails
Use Azure Key Vault for credential management
Test in non-production tenant first

Reference Guides

When to Use Each Reference

references/powershell-templates.md

Ready-to-use script templates
Conditional Access policy examples
Bulk user provisioning scripts
Security audit scripts

references/security-policies.md

Conditional Access configuration
MFA enforcement strategies
DLP and retention policies
Security baseline settings

references/troubleshooting.md

Common error resolutions
PowerShell module issues
Permission troubleshooting
DNS propagation problems

Limitations

Constraint	Impact
Global Admin required	Full tenant setup needs highest privilege
API rate limits	Bulk operations may be throttled
License dependencies	E3/E5 required for advanced features
Hybrid scenarios	On-premises AD needs additional configuration
PowerShell prerequisites	Microsoft.Graph module required

Required PowerShell Modules

Install-Module Microsoft.Graph -Scope CurrentUser
Install-Module ExchangeOnlineManagement -Scope CurrentUser
Install-Module MicrosoftTeams -Scope CurrentUser

Required Permissions

Global Administrator - Full tenant setup
User Administrator - User management
Security Administrator - Security policies
Exchange Administrator - Mailbox management

Anti-Patterns

Using admin accounts for daily work -- Global Admin accounts should use PIM (Privileged Identity Management) with JIT activation; use separate accounts for daily tasks
Skipping report-only mode -- deploying Conditional Access policies directly to enforcement blocks legitimate users; always validate in report-only mode first
Hardcoding credentials in scripts -- PowerShell scripts with embedded passwords are security incidents waiting to happen; use Azure Key Vault or environment variables
Using legacy MSOnline module -- MSOnline is deprecated; all new scripts should use Microsoft Graph (
```
Connect-MgGraph
```
)
No break-glass account -- excluding zero accounts from CA policies means a misconfiguration can lock out all admins; maintain at least one excluded emergency access account
Bulk operations without -WhatIf -- running bulk user creation or license assignment without dry-run risks mass misconfiguration; always test with
```
-WhatIf
```
first

Troubleshooting

Problem	Cause	Solution
`Connect-MgGraph` fails with "Insufficient privileges"	App registration missing required API permissions	Grant `Directory.ReadWrite.All` , `User.ReadWrite.All` , and `Policy.ReadWrite.ConditionalAccess` in Azure AD > App Registrations > API Permissions, then admin-consent
Bulk user creation silently skips users	CSV `UserPrincipalName` column missing or domain not verified in tenant	Verify custom domain is added and set as default; ensure CSV header matches exactly `UserPrincipalName`
License assignment returns "No available licenses"	All purchased seats consumed or SKU part number misspelled	Run `Get-MgSubscribedSku -All` to confirm `SkuPartNumber` and check `PrepaidUnits.Enabled - ConsumedUnits > 0`
Conditional Access policy created but not enforcing MFA	Policy state defaults to `enabledForReportingButNotEnforced` (report-only)	After validating sign-in logs, update policy state to `enabled` in Azure AD > Security > Conditional Access
Offboarding script fails at mailbox conversion	Exchange Online Management module not connected or mailbox already shared	Run `Connect-ExchangeOnline` before executing; check mailbox type with `Get-Mailbox -Identity user@domain.com`
DNS records configured but mail not flowing	MX record DNS propagation incomplete or SPF record missing `-all` suffix	Wait up to 48 hours for propagation; validate with `nslookup -type=MX domain.com` and confirm SPF ends with `-all`
Security audit reports empty CSV files	Microsoft Graph scopes not consented or audit log ingestion not enabled	Run `Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true` and re-consent scopes with `Connect-MgGraph -Scopes "AuditLog.Read.All"`

Success Criteria

100% of provisioned users have correct license SKU assigned matching their role and department
Zero orphaned accounts: every disabled user has licenses removed, mailbox converted to shared, and sessions revoked within 24 hours of offboarding
MFA enforcement covers 100% of enabled user accounts, verified by security audit script output showing zero users without MFA
DNS records pass validation for all five service types (MX, SPF, DKIM, autodiscover, device registration) with zero propagation errors
Conditional Access policies achieve report-only validation with less than 1% false-positive block rate before enforcement
License utilization stays above 90% across all SKUs, with unused licenses identified and reclaimed quarterly
Security audit generates complete CSV reports for all 7 audit categories (MFA, admin roles, inactive users, guests, licenses, mailbox delegations, Conditional Access) with zero script errors

Scope & Limitations

What This Skill Covers

Tenant lifecycle management -- initial setup, domain verification, DNS configuration, security baseline, and service provisioning for Exchange Online, SharePoint, Teams, and OneDrive
User lifecycle automation -- bulk provisioning from CSV, license assignment by role/department, group membership recommendations, secure offboarding with mailbox preservation
Security and compliance -- Conditional Access policy generation, MFA enforcement, comprehensive 7-category security audits, and audit log enablement
PowerShell script generation -- production-ready scripts with error handling, logging,
```
-WhatIf
```
support, and Microsoft Graph best practices

What This Skill Does NOT Cover

Hybrid identity (AD Connect) -- on-premises Active Directory synchronization and pass-through authentication require the
```
senior-devops
```
skill and Microsoft AD Connect tooling
Intune device management -- endpoint compliance policies, app deployment, and mobile device management are outside scope; see
```
senior-secops
```
for device security posture
Power Platform administration -- Power Apps, Power Automate, and Power BI tenant-level governance fall under separate platform administration
Third-party SSO and SCIM provisioning -- integration with non-Microsoft identity providers (Okta, Ping, Auth0) requires dedicated identity engineering

Integration Points

Skill	Integration	Data Flow
`senior-secops`	Security audit findings feed into SecOps incident response and threat remediation workflows	Audit CSV reports (MFA status, admin roles, inactive users) → SecOps triage and hardening actions
`senior-devops`	Tenant setup scripts integrate with infrastructure-as-code pipelines for repeatable deployments	Generated PowerShell scripts → CI/CD pipeline execution → tenant configuration state
`senior-architect`	License distribution recommendations and tenant topology inform enterprise architecture decisions	License cost analysis and user count projections → architecture capacity planning
`code-reviewer`	Generated PowerShell scripts can be reviewed for security anti-patterns and credential handling	PowerShell script output → code review for hardcoded secrets, missing error handling
`aws-solution-architect`	Multi-cloud identity federation between Azure AD and AWS IAM for organizations using both platforms	Azure AD tenant configuration → cross-cloud SSO and role mapping
`senior-security`	Conditional Access policies and MFA enforcement align with broader organizational security posture	CA policy configurations and security audit results → security policy compliance validation

Tool Reference

powershell_generator.py

Purpose: Generates production-ready PowerShell scripts for Microsoft 365 administration including security audits, Conditional Access policies, and bulk license assignment.

Module:

PowerShellScriptGenerator

class (import and instantiate, not a CLI tool)

Initialization:

from powershell_generator import PowerShellScriptGenerator

generator = PowerShellScriptGenerator(tenant_domain="company.com")

Methods:

generate_security_audit_script()

Generates a comprehensive 7-category security audit PowerShell script that checks MFA status, admin role assignments, inactive users, guest users, license usage, mailbox delegations, and Conditional Access policies.

Parameter	Required	Type	Description
(none)	--	--	Uses `tenant_domain` from constructor

Example:

generator = PowerShellScriptGenerator("company.com")
script = generator.generate_security_audit_script()
print(script)  # Complete PowerShell script with Connect-MgGraph, 7 audit checks, CSV export

Output: PowerShell script string that produces CSV reports in a timestamped

SecurityAudit_

directory:

MFA_Status.csv

Admin_Roles.csv

Inactive_Users.csv

Guest_Users.csv

License_Usage.csv

Mailbox_Delegations.csv

ConditionalAccess_Policies.csv

generate_conditional_access_policy_script(policy_config)

Generates a PowerShell script to create a Conditional Access policy in report-only mode.

Parameter	Required	Type	Description
`policy_config`	Yes	`Dict[str, Any]`	Policy configuration dictionary
`policy_config["name"]`	No	`str`	Policy display name (default: `"MFA Policy"` )
`policy_config["require_mfa"]`	No	`bool`	Whether to require MFA (default: `True` )
`policy_config["include_users"]`	No	`str`	Users to include (default: `"All"` )
`policy_config["exclude_users"]`	No	`List[str]`	UPNs to exclude (default: `[]` )

Example:

script = generator.generate_conditional_access_policy_script({
    "name": "Require MFA for Admins",
    "require_mfa": True,
    "include_users": "All",
    "exclude_users": ["breakglass@company.com"]
})

Output: PowerShell script string that creates a Conditional Access policy via

New-MgIdentityConditionalAccessPolicy

enabledForReportingButNotEnforced

state.

generate_bulk_license_assignment_script(users_csv_path, license_sku)

Generates a PowerShell script for assigning a license SKU to users listed in a CSV file.

Parameter	Required	Type	Description
`users_csv_path`	Yes	`str`	Path to CSV file (must contain `UserPrincipalName` column)
`license_sku`	Yes	`str`	License SKU part number (e.g., `"ENTERPRISEPACK"` for E3)

Example:

script = generator.generate_bulk_license_assignment_script("users.csv", "ENTERPRISEPACK")

Output: PowerShell script string that imports the CSV, checks for existing licenses, assigns the specified SKU, and exports results to

LicenseAssignment_Results_<timestamp>.csv

with

Status

and

Message

columns.

user_management.py

Purpose: Manages user lifecycle operations including bulk provisioning, secure offboarding, license recommendations, group membership, and data validation.

Module:

UserLifecycleManager

class (import and instantiate, not a CLI tool)

Initialization:

from user_management import UserLifecycleManager

manager = UserLifecycleManager(domain="company.com")

Methods:

generate_user_creation_script(users)

Generates a PowerShell script for bulk user provisioning with license assignment.

Parameter	Required	Type	Description
`users`	Yes	`List[Dict[str, Any]]`	List of user dictionaries
`users[].username`	Yes	`str`	Username (without domain)
`users[].display_name`	Yes	`str`	Full display name
`users[].first_name`	Yes	`str`	Given name
`users[].last_name`	Yes	`str`	Surname
`users[].job_title`	No	`str`	Job title
`users[].department`	No	`str`	Department name
`users[].license_sku`	No	`str`	License SKU (default: `"Microsoft_365_Business_Standard"` )

Example:

script = manager.generate_user_creation_script([
    {"username": "jdoe", "display_name": "Jane Doe", "first_name": "Jane",
     "last_name": "Doe", "job_title": "Engineer", "department": "Engineering",
     "license_sku": "ENTERPRISEPACK"}
])

Output: PowerShell script string that creates users via

New-MgUser

, assigns licenses, and exports results to

UserCreation_Results_<timestamp>.csv

generate_user_offboarding_script(user_email)

Generates a comprehensive 11-step secure offboarding PowerShell script.

Parameter	Required	Type	Description
`user_email`	Yes	`str`	UPN of the user to offboard

Example:

script = manager.generate_user_offboarding_script("john.doe@company.com")

Output: PowerShell script string that disables sign-in, revokes sessions, removes group memberships, removes devices, converts mailbox to shared, sets auto-reply, removes licenses, hides from GAL, and exports an offboarding report CSV.

generate_license_assignment_recommendations(user_role, department)

Returns license recommendation based on role and department matching.

Parameter	Required	Type	Description
`user_role`	Yes	`str`	Job title or role (matched against keywords: CEO, CTO, admin, manager, contractor, etc.)
`department`	Yes	`str`	Department name (matched against: legal, finance, hr, accounting)

Example:

rec = manager.generate_license_assignment_recommendations("Security Analyst", "IT")
# Returns: {"recommended_license": "Microsoft 365 E5", "justification": "...", "features_needed": [...], "monthly_cost": 57.00}

Output: Dictionary with

recommended_license

justification

features_needed

(list), and

monthly_cost

(float).

generate_group_membership_recommendations(user)

Recommends security and distribution groups based on user attributes.

Parameter Required Type Description

user

Yes

Dict[str, Any]

User dictionary with

department

location

job_title

needs_sharepoint_access

needs_project_access

Example:

groups = manager.generate_group_membership_recommendations({
    "department": "Engineering", "location": "NYC", "job_title": "Director of Engineering"
})
# Returns: ["DL-Engineering", "SG-Engineering", "SG-Location-Nyc", "SG-Management"]

Output: List of recommended group name strings using naming conventions

DL-

(distribution list),

SG-

(security group).

validate_user_data(user_data)

Validates user data before provisioning, checking required fields, username format, and email format.

Parameter Required Type Description

user_data

Yes

Dict[str, Any]

Dictionary with

first_name

last_name

username

(required);

email

display_name

license_sku

(optional)

Example:

result = manager.validate_user_data({"first_name": "Jane", "last_name": "Doe", "username": "jdoe"})
# Returns: {"is_valid": True, "errors": [], "warnings": ["Display name not provided, will use: Jane Doe", ...]}

Output: Dictionary with

is_valid

(bool),

errors

(list of strings), and

warnings

(list of strings).

tenant_setup.py

Purpose: Manages initial Microsoft 365 tenant configuration including setup checklists, DNS record generation, PowerShell setup scripts, and license distribution recommendations.

Module:

TenantSetupManager

class (import and instantiate, not a CLI tool)

Initialization:

from tenant_setup import TenantSetupManager

manager = TenantSetupManager(tenant_config={
    "company_name": "Acme Inc",
    "domain_name": "acme.com",
    "user_count": 50,
    "industry": "technology",
    "compliance_requirements": ["GDPR"],  # optional: "GDPR", "HIPAA"
    "licenses": {}
})

Config Key	Required	Type	Description
`company_name`	Yes	`str`	Organization display name
`domain_name`	Yes	`str`	Primary custom domain
`user_count`	Yes	`int`	Total expected user count
`industry`	No	`str`	Industry vertical (default: `"general"` )
`compliance_requirements`	No	`List[str]`	Compliance frameworks: `"GDPR"` , `"HIPAA"`
`licenses`	No	`Dict`	Existing license inventory

Methods:

generate_setup_checklist()

Generates a phased tenant setup checklist (4-5 phases depending on compliance requirements).

Parameter	Required	Type	Description
(none)	--	--	Uses constructor config

Example:

checklist = manager.generate_setup_checklist()
# Returns list of phase dicts, each with "phase", "name", "priority", "tasks"

Output: List of dictionaries. Each phase contains

phase

(int),

name

(str),

priority

(

"critical"

"high"

), and

tasks

(list of dicts with

task

details

estimated_time

). Phases: Initial Configuration, Custom Domain, Security Baseline, Service Configuration, and optionally Compliance Configuration.

generate_dns_records()

Generates all required DNS records for Microsoft 365 services.

Parameter	Required	Type	Description
(none)	--	--	Uses `domain_name` from constructor

Example:

records = manager.generate_dns_records()
# Keys: "mx_records", "txt_records", "cname_records", "srv_records"

Output: Dictionary with four keys, each containing a list of record dictionaries with

type

name

value

ttl

purpose

, and record-type-specific fields (

priority

for MX/SRV,

port

weight

for SRV).

generate_powershell_setup_script()

Generates a complete PowerShell script for initial tenant configuration covering Graph, Exchange Online, SharePoint, and Teams.

Parameter	Required	Type	Description
(none)	--	--	Uses constructor config

Example:

script = manager.generate_powershell_setup_script()
print(script)  # PowerShell script connecting to Graph, Exchange, Teams with 7 setup steps

Output: PowerShell script string that connects to Microsoft Graph, Exchange Online, and Teams; configures organization settings, security defaults, audit logging, Exchange policies, and Teams messaging policies.

get_license_recommendations()

Calculates license distribution recommendations and cost estimates based on user count and compliance requirements.

Parameter Required Type Description

(none)

Uses

user_count

and

compliance_requirements

from constructor

Example:

recs = manager.get_license_recommendations()
# Returns: {"recommendations": {...}, "suggested_distribution": {"E5": 5, "E3": 10, ...},
#           "estimated_monthly_cost": 1234.50, "estimated_annual_cost": 14814.00}

Output: Dictionary with

recommendations

(license tier details),

suggested_distribution

(dict mapping SKU tier to user count),

estimated_monthly_cost

(float), and

estimated_annual_cost

(float). Distribution adjusts automatically when compliance requirements are specified.