PowerShell remains one of the most powerful tools in a Microsoft 365 administrator’s toolkit. While the Admin Center has improved dramatically, nothing beats scripting for repeatable health checks, reporting, and automation.
Here are the scripts and commands our team at Accred Consulting uses and recommends most often.
Prerequisites
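Before running these scripts:
```powershell
# Policy.Read.All is required for section 4; AuditLog.Read.All for signInActivity in section 5
Connect-MgGraph -Scopes "User.Read.All", "Directory.Read.All", "Organization.Read.All", "Policy.Read.All", "AuditLog.Read.All"
Connect-ExchangeOnline
Connect-MicrosoftTeams   # required for the Teams cmdlets in section 6
Connect-MsolService      # legacy MSOnline module; none of the commands on this page call it
```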
Always use least-privilege permissions and consider certificate-based authentication for automation accounts.
1. License Inventory & Usage Report
```powershell
Get-MgSubscribedSku |
    Select-Object SkuPartNumber, ConsumedUnits, @{N="Available";E={$_.PrepaidUnits.Enabled - $_.ConsumedUnits}} |
    Sort-Object SkuPartNumber
```
Extend this to show users with specific licenses or identify unused licenses.
2. Entra ID Connect / Azure AD Connect Sync Health
```powershell
Get-MgOrganization | Select-Object OnPremisesLastSyncDateTime, OnPremisesSyncEnabled
```
Monitor for sync failures and stale objects.
3. Mailbox Statistics & Archive Status
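```powershell
# ArchiveStatus is a mailbox property, not a statistics property, so carry it over from Get-EXOMailbox
Get-EXOMailbox -ResultSize Unlimited -Properties ArchiveStatus | ForEach-Object {
    $mbx = $_
    Get-EXOMailboxStatistics -ExchangeGuid $mbx.ExchangeGuid |
        Select-Object DisplayName, TotalItemSize, ItemCount, @{N="ArchiveStatus";E={$mbx.ArchiveStatus}}
} | Export-Csv "MailboxStats.csv" -NoTypeInformation
```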
Identify large mailboxes, users without archives, and growth trends.
4. Conditional Access Policy Audit
```powershell
Get-MgIdentityConditionalAccessPolicy |
    Select-Object DisplayName, State, CreatedDateTime, ModifiedDateTime |
    Format-Table
```
Review policy count, state (Enabled/Disabled/Report-only), and last modified dates.
5. Stale User & Guest Account Report
```powershell
# Build the UTC cutoff first: "$(Get-Date).AddDays(-90)" inside a string expands only Get-Date
$cutoff = (Get-Date).ToUniversalTime().AddDays(-90).ToString('yyyy-MM-ddTHH:mm:ssZ')
$inactive = Get-MgUser -All -Filter "signInActivity/lastSignInDateTime le $cutoff" -Property DisplayName, UserPrincipalName, signInActivity
$inactive | Select-Object DisplayName, UserPrincipalName, @{N="LastSignIn";E={$_.signInActivity.lastSignInDateTime}}
```
Regularly clean up inactive accounts to reduce risk and license waste.
6. Teams Usage & Governance Snapshot
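```powershell
# Requires Connect-MicrosoftTeams; Get-Team is the MicrosoftTeams module cmdlet that lists teams
Get-Team | Measure-Object
# Users with no Teams calling policy assigned
Get-CsOnlineUser | Where-Object { $null -eq $_.TeamsCallingPolicy } | Measure-Object
```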
Track team sprawl and policy compliance.
7. OneDrive Storage Usage Report
```powershell
Get-EXOMailbox -RecipientTypeDetails UserMailbox |
    Get-EXOMailboxStatistics |
    Where-Object { $_.TotalItemSize -gt 50GB } |
    Select-Object DisplayName, TotalItemSize
```
OneDrive storage is tied to the user’s Exchange mailbox quota in many cases — useful for identifying heavy consumers.
8. Security Defaults & Identity Protection Status
Check if security defaults are enabled and review risky sign-ins via Microsoft Graph or the Security Center.
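One way to evaluate this check together with the Conditional Access audit from section 4, as an added example that is not Accred Consulting's own code. `Get-IdentityBaselineFinding` is a hypothetical helper, the sample objects are constructed, and the Graph cmdlets in the comments assume the `Policy.Read.All` and `IdentityRiskEvent.Read.All` scopes.

```powershell
# Added example. Live input would come from (assumed scopes: Policy.Read.All, IdentityRiskEvent.Read.All):
#   $sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
#   $ca = Get-MgIdentityConditionalAccessPolicy -All
#   $rd = Get-MgRiskDetection -All
function Get-IdentityBaselineFinding {   # hypothetical helper, not a Graph SDK cmdlet
    param(
        [Parameter(Mandatory)] $SecurityDefaults,
        [object[]] $ConditionalAccessPolicies = @(),
        [object[]] $RiskDetections = @(),
        [int] $Days = 7,
        [datetime] $Now = (Get-Date).ToUniversalTime()
    )
    $enforced   = @($ConditionalAccessPolicies | Where-Object State -eq 'enabled')
    $reportOnly = @($ConditionalAccessPolicies | Where-Object State -eq 'enabledForReportingButNotEnforced')
    # Neither baseline is enforcing anything: the gap this check exists to catch
    if (-not $SecurityDefaults.IsEnabled -and $enforced.Count -eq 0) {
        [pscustomobject]@{ Severity = 'high'; Finding = 'Security defaults are disabled and no Conditional Access policy is enabled' }
    }
    # Report-only policies log their result but block nothing
    foreach ($p in $reportOnly) {
        [pscustomobject]@{ Severity = 'info'; Finding = "Report-only policy: $($p.DisplayName)" }
    }
    # Unresolved detections inside the window, counted per risk level
    $cutoff = $Now.AddDays(-$Days)
    $RiskDetections |
        Where-Object { $_.RiskState -eq 'atRisk' -and $_.DetectedDateTime -ge $cutoff } |
        Group-Object RiskLevel |
        ForEach-Object {
            $users = ($_.Group.UserPrincipalName | Sort-Object -Unique) -join ', '
            [pscustomobject]@{ Severity = $_.Name; Finding = "$($_.Count) open risk detection(s): $users" }
        }
}

# Constructed sample objects (not real tenant data) so the function can be exercised offline
$now = (Get-Date).ToUniversalTime()
$sd  = [pscustomobject]@{ IsEnabled = $false }
$ca  = @(
    [pscustomobject]@{ DisplayName = 'Require MFA for admins'; State = 'enabledForReportingButNotEnforced' }
    [pscustomobject]@{ DisplayName = 'Block legacy auth';      State = 'disabled' }
)
$rd  = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'; RiskLevel = 'high'; RiskState = 'atRisk';     DetectedDateTime = $now.AddDays(-2) }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example';   RiskLevel = 'low';  RiskState = 'remediated'; DetectedDateTime = $now.AddDays(-1) }
    [pscustomobject]@{ UserPrincipalName = 'carol@contoso.example'; RiskLevel = 'high'; RiskState = 'atRisk';     DetectedDateTime = $now.AddDays(-30) }
)
Get-IdentityBaselineFinding -SecurityDefaults $sd -ConditionalAccessPolicies $ca -RiskDetections $rd -Now $now | Format-Table -AutoSize
```

With the sample data the function reports the missing enforcement baseline, the report-only policy, and one open high-risk detection; the remediated and 30-day-old detections are filtered out.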
Best Practices for Running These Scripts
- Schedule them using Azure Automation, Power Automate, or a management server with certificate authentication.
- Export to CSV/Excel or push results to a SharePoint list or Teams channel for visibility.
- Version control your scripts in GitHub or Azure DevOps.
- Test in a pilot tenant or with limited scope first.
- Combine multiple checks into a single “Tenant Health Dashboard” script that runs daily/weekly.
Want Custom Scripts or a Full Health Check Dashboard?
Our team builds tailored PowerShell solutions and automated reporting for clients who want ongoing visibility into their Microsoft 365 environment without manual effort every week.
Contact us to discuss a custom monitoring and automation package: accredconsulting.com/contact
Frequently Asked Questions
Do I need to install modules every time? Use `Install-Module` once, then `Import-Module` or rely on the Microsoft Graph PowerShell SDK for modern authentication.
Are these scripts safe to run in production? Yes, when run with read-only permissions. Always test and use `-WhatIf` where available for any write operations.
Can these be turned into automated reports? Absolutely. We help clients build scheduled reports delivered via email or posted to a Teams channel.