M365 Security: Unauthorized Mailbox Forwarding Auditor

A classic BEC tactic involves configuring an inbox rule to forward emails to an external address. This script audits an entire Exchange Online tenant for any mailboxes with active forwarding to external domains.

1. The Workflow

The script performs the following steps:

Connection: Authenticates to Exchange Online via module parameters.
Auditing: Iterates through all user mailboxes checking forwarding properties.
Evaluation: Compares the forwarding destination against the tenant’s accepted domains.
Alerting: Outputs a high-priority warning if external exfiltration is detected.

2. The Implementation

    Connect-ExchangeOnline -ShowBanner:$false

    # Domains the tenant accepts mail for (treated as internal)
    $AcceptedDomains = (Get-AcceptedDomain).DomainName

    foreach ($Mailbox in (Get-Mailbox -ResultSize Unlimited)) {
        if ($Mailbox.ForwardingSmtpAddress) {
            $ForwardDestination = $Mailbox.ForwardingSmtpAddress -replace '^smtp:', ''
            # Compare the exact domain. Joining the domains into a regex would treat "."
            # as a wildcard and match an accepted domain embedded in an external one.
            $ForwardDomain = ($ForwardDestination -split '@')[-1]
            if ($ForwardDomain -notin $AcceptedDomains) {
                Write-Host "⚠️ EXTERNAL FORWARD: $($Mailbox.UserPrincipalName) -> $ForwardDestination" -ForegroundColor Red
            }
        }
    }
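
The script above reads only the mailbox-level ForwardingSmtpAddress property, while the inbox-rule forwarding named in the introduction is stored in per-mailbox rules. As an added example (not the original author's code), the following applies the same accepted-domain check to Get-InboxRule results; the function names and sample values are made up for illustration.

```powershell
# Added example, not the original author's script. Find-ExternalInboxRuleForward
# assumes an active Connect-ExchangeOnline session.

function Get-ExternalRuleTarget {
    # Returns the SMTP addresses in $Recipients whose domain is not accepted.
    param(
        [string[]]$Recipients,       # ForwardTo / ForwardAsAttachmentTo / RedirectTo values
        [string[]]$AcceptedDomains
    )
    foreach ($Recipient in $Recipients) {
        # SMTP targets render as '"Name" [SMTP:user@domain]'. Directory recipients
        # render as '[EX:/o=...]' and need a separate Get-Recipient lookup.
        if ($Recipient -match 'SMTP:(?<addr>[^\]\s]+@(?<domain>[^\]\s]+))') {
            if ($Matches['domain'] -notin $AcceptedDomains) { $Matches['addr'] }
        }
    }
}

function Find-ExternalInboxRuleForward {
    $AcceptedDomains = [string[]](Get-AcceptedDomain).DomainName
    foreach ($Mailbox in (Get-Mailbox -ResultSize Unlimited)) {
        foreach ($Rule in (Get-InboxRule -Mailbox $Mailbox.UserPrincipalName)) {
            # Collect every forwarding-style action on the rule, dropping empty ones
            $Recipients = @($Rule.ForwardTo; $Rule.ForwardAsAttachmentTo; $Rule.RedirectTo) |
                Where-Object { $_ }
            foreach ($Target in (Get-ExternalRuleTarget -Recipients $Recipients -AcceptedDomains $AcceptedDomains)) {
                [pscustomobject]@{
                    Mailbox = $Mailbox.UserPrincipalName
                    Rule    = $Rule.Name
                    Enabled = $Rule.Enabled
                    Target  = $Target
                }
            }
        }
    }
}

# Offline check with constructed sample values (no tenant required)
$SampleRecipients = @(
    '"Backup" [SMTP:archive@contoso.com.example.net]',   # accepted domain as a prefix only
    '"Alice" [SMTP:alice@contoso.com]',                  # internal
    '"Bob" [EX:/o=ExchangeLabs/ou=Exchange Administrative Group/cn=Recipients/cn=bob]'
)
Get-ExternalRuleTarget -Recipients $SampleRecipients -AcceptedDomains @('contoso.com')
```

Disabled rules are reported with Enabled set to False so they can be reviewed rather than silently skipped.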

May 3, 2026 · 1 min · Alfred van Ster

Zero-Touch M365 Offboarding with n8n, Docker, and PowerShell

Overview

In a Managed Service Provider (MSP) environment, manual offboarding is a massive liability. Missing a step when revoking access can lead to data breaches, compliance violations, and wasted licensing costs. This guide outlines an architectural approach to “Zero-Touch” offboarding, leveraging a self-hosted n8n instance running in Docker to trigger a robust PowerShell workflow that interacts directly with the Microsoft Graph API.

The Architecture

Relying on technicians to manually run scripts on their local machines creates bottlenecks. By containerizing the automation engine, we achieve predictable, auditable execution. ...

May 3, 2026 · 2 min · Alfred van Ster