Remediation
M365 Remediation Commands
| Command | Description |
|---|---|
| Revoke-UserSession | Revokes all active sessions for the user. |
| Disable-GraphUser | Disables a user's Entra ID account, blocking all cloud sign-ins. |
| Enable-GraphUser | Re-enables a previously disabled Entra ID user account. |
| Reset-GraphUserPassword | Resets a user's Entra ID password using a randomly generated or custom password. |
| Set-UsageLocation | Sets a user's usage location (ISO 3166 country code), required before assigning M365 licenses. |
| Grant-MailboxFullAccess | Grants the currently logged-in user full access to the target user's mailbox. |
| Remove-MailboxFullAccess | Removes full access permissions to a target user's mailbox. |
| Open-MailboxInOWA | Opens a user's mailbox in Outlook on the Web in a browser. |
On-Premises AD Commands
| Command | Description |
|---|---|
| Find-AdUser | Searches on-premises AD users by display name, UPN, email, SAM account name, or GUID. |
| Show-AdUserInfo | Displays comprehensive on-premises AD user attributes including password metadata and group memberships. |
| Disable-AdUser | Disables one or more AD user accounts and triggers AD replication and Entra ID delta sync. |
| Enable-AdUser | Re-enables one or more disabled AD user accounts and triggers AD replication and Entra ID delta sync. |
| Reset-AdUserPassword | Resets one or more on-premises AD user passwords using a randomly generated or custom password. |
| Push-AdSync | Forces an Active Directory to Entra ID delta sync cycle, automatically discovering the sync server if needed. |
| Find-AdOu | Searches Active Directory Organizational Units by name, CanonicalName, or DistinguishedName. |
| Show-AdOus | Lists all OUs in the domain sorted by CanonicalName with user and computer counts. |
| Find-AllDomainController | Returns the names of all domain controllers in the current AD domain. |
| Get-AdAdminUser | Retrieves all on-premises AD users with AdminCount=1 (accounts that have been members of privileged groups). |
Running On-Premises Commands on Remote Devices
To run the on-premises AD commands from a remote device that does not have the IRT module installed, use Copy-IRTFunction to copy the relevant functions to the clipboard, then paste and execute them in a remote session.
```powershell
# Copy all onprem_ad functions to clipboard (hardcoded default)
Copy-IRTFunction

# Copy onprem_ad functions plus additional folders
Copy-IRTFunction -Path .\sign

# Paste the clipboard contents into a remote PSSession or RDP window
```
Copy-IRTFunction reads every .ps1 file in the onprem_ad/ folder (always included) and any
additional paths supplied via -Path, concatenates them into a single block with file headers, and
sends the result to the clipboard. Use -Recurse to walk subdirectories for extra paths.
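
Before pasting the concatenated block into a remote session, it can be parsed locally to confirm it is intact and to list the functions it would define. The following is an added example, not part of the IRT module: Test-FunctionBundle is a hypothetical helper, and the sample bundle (header format and function bodies) is constructed for illustration.

```powershell
# Added example: Test-FunctionBundle is a hypothetical helper, not an IRT module command.
function Test-FunctionBundle {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Text
    )

    $tokens = $null
    $errors = $null
    # Parse only; nothing in the bundle is executed.
    $ast = [System.Management.Automation.Language.Parser]::ParseInput(
        $Text, [ref]$tokens, [ref]$errors)

    # A truncated or mangled clipboard shows up here as parse errors.
    if ($errors.Count -gt 0) {
        $errors | ForEach-Object {
            Write-Warning ("Line {0}: {1}" -f $_.Extent.StartLineNumber, $_.Message)
        }
        throw "Bundle has $($errors.Count) parse error(s); do not paste it."
    }

    # List every function the bundle would define in the remote session.
    $ast.FindAll({
            param($node)
            $node -is [System.Management.Automation.Language.FunctionDefinitionAst]
        }, $true) |
        ForEach-Object {
            [pscustomobject]@{
                Function = $_.Name
                Line     = $_.Extent.StartLineNumber
            }
        }
}

# Constructed sample standing in for clipboard contents; the header format and
# function bodies are made up for this example.
$sample = @'
# ===== Find-AdUser.ps1 =====
function Find-AdUser { param([string]$Query) "search: $Query" }
# ===== Push-AdSync.ps1 =====
function Push-AdSync { "sync requested" }
'@

Test-FunctionBundle -Text $sample | Format-Table -AutoSize

# Against the real clipboard after running Copy-IRTFunction:
# Test-FunctionBundle -Text (Get-Clipboard -Raw)
```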