Uploading Graph credentials to Azure Key Vault

If you have been following along with the recent articles I have been posting, you’ll know that I have been detailing how to use saved credentials from an Azure AD application to access multiple tenants using the Microsoft Graph. This post showed you how to create an Azure AD application inside multiple tenants and generate those credentials:

Using the Microsoft Graph with multiple tenants

Part of that process involved saving the Azure AD application credentials into locally encrypted XML files. I detailed how the encryption process for these configuration files locks those files to a single user on a single Windows 10 machine. Thus, if those files were copied to another location they couldn’t be used as you see below.

The potential challenge is, what if you want to use those credentials on multiple machines? And, what happens if the original machine on which those credentials reside fails or is inaccessible? What is needed is a process to back up these files to somewhere secure in the cloud. Luckily, I know just the solution – Azure Key Vault.

To make things easy, I have created a free program to upload these credentials into an Azure Key Vault of your choosing. You’ll find the program at:

https://github.com/directorcia/Office365/blob/master/az-keyvault-saveto.exe

Simply download it and put it into the same directory where the XML credential files for the domains live, as shown above.

When you run the program you’ll need to nominate an admin account for the Azure Key Vault destination, and log in to the Azure tenant in which you wish to save the credentials. That tenant will need to have a paid Azure subscription.

Once you have logged into the destination tenant, you’ll be asked to select the subscription you wish to use for the Azure Key Vault. Remember, you need to have a paid Azure subscription to achieve all this.

When you enter the name of the destination Azure Resource Group for the destination Azure Key Vault, you’ll be warned if it already exists and asked whether you are happy to use it. If no matching Azure Resource Group is found, a new one will be created. Azure Resource Groups are just management containers for things like Azure Key Vaults.

You are then asked for the name of the destination Azure Key Vault in that Resource Group. Again, the program will check to see if an Azure Key Vault of that name already exists and ask you whether you wish to use it. A single Azure Key Vault can hold many credentials, so using just one is fine if you choose to.

If the Azure Key Vault doesn’t already exist in that Azure Resource Group, a new one will be created with the name entered.

The destination Azure Key Vault will then be checked to determine whether a set of credentials with the same name already exists there. If so, you’ll be given the option to use these existing entries or abort.

In most cases, the Azure Key Vault will not already contain those credentials, so they can be written into the Azure Key Vault as shown above. At the end of the process, you’ll be given the option to delete the local XML configuration files if you want.

This process will continue through all the local XML configuration files for all the domains as shown above.

When the program has completed, if you go and look in the destination Azure Key Vault, under the Secrets option on the left menu, you should find an entry for each configuration file uploaded, as shown.

Effectively, you have now ‘backed up’ the Azure AD application credentials for all the tenants you have configured to a central secure location in Azure Key Vault.

I’ve also created a program here:

https://github.com/directorcia/Office365/blob/master/az-keyvault-saveto.exe

This program will copy the credentials from Azure Key Vault and save them as local XML credential files. The good thing about this is that you can now ‘restore’ these credentials securely to any Windows 10 machine.

Start by downloading the following file:

https://github.com/directorcia/Office365/blob/master/az-keyvault-saveto.exe

and placing it in a location where you want the Azure AD application credentials to be restored to.

When you run the program you’ll be asked to login to the Azure tenant with the Azure Key Vault containing the credentials you wish to restore as shown above.

You’ll then be prompted to select the subscription inside that tenant in which the Azure Key Vault is located as shown above.

Next, you’ll be prompted for the Azure Resource Group in which the Azure Key Vault lives as shown above.

Finally, you’ll be asked to select the Azure Key Vault inside that Azure Resource Group in which the credentials are stored. Remember, an Azure Resource Group can have many different resources, including multiple Azure Key Vaults if you choose.

The four credentials for each domain will be extracted one at a time and you will be prompted to hit CTRL+V (Paste) to save these in an encrypted format in the local directory. Thus, you’ll need to repeat this CTRL+V (Paste) process four times for each domain. I detailed this process previously if you need to understand it.

When the program is complete, if you look in the current directory, you should now see the familiar XML configuration files, four for each domain, as shown above. A copy of these credentials still remains in Azure Key Vault. You can now run any of the other Graph reporting programs on this machine, as the credential files are now local to that machine.

These two programs now allow you to save the Azure AD application credential list into Azure Key Vault and restore them from there onto as many other Windows 10 workstations as you wish. Credentials are still stored securely locally and in Azure Key Vault.
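The save-and-restore round trip described above, written out as an added PowerShell example. This is not the author’s az-keyvault-saveto.exe; it assumes (the post does not say) that each credential file is a PSCredential written with Export-Clixml and named <domain>.xml, that Connect-AzAccount has already been run against the tenant with the paid subscription, and it uses resource names that are placeholders.

```powershell
# Added example, not the author's az-keyvault-saveto.exe: round-trip locally
# encrypted credential files through Azure Key Vault with the Az PowerShell modules.
# Assumptions (not stated in the post): each file is a PSCredential written with
# Export-Clixml (DPAPI-protected, readable only by the same user on the same
# machine), named <domain>.xml, and Connect-AzAccount -Tenant <id> has already
# been run against the tenant that holds the paid Azure subscription.
#Requires -Modules Az.Accounts, Az.Resources, Az.KeyVault

function Initialize-KeyVaultDestination {
    # Create the Resource Group and Key Vault only if they do not already exist,
    # mirroring the prompts the post describes.
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$VaultName,
        [string]$Location = 'australiaeast'   # assumption; pick your own region
    )
    if (-not (Get-AzResourceGroup -Name $ResourceGroupName -ErrorAction SilentlyContinue)) {
        New-AzResourceGroup -Name $ResourceGroupName -Location $Location | Out-Null
    }
    $vault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroupName -ErrorAction SilentlyContinue
    if (-not $vault) {
        $vault = New-AzKeyVault -Name $VaultName -ResourceGroupName $ResourceGroupName -Location $Location
    }
    return $vault
}

function Get-KeyVaultSecretName {
    # Secret names may only contain letters, digits and hyphens (1-127 chars),
    # so "contoso.com.xml" becomes "contoso-com".
    param([Parameter(Mandatory)][string]$FileName)
    $base = [IO.Path]::GetFileNameWithoutExtension($FileName)
    $name = ($base -replace '[^A-Za-z0-9-]', '-').Trim('-')
    if ($name.Length -lt 1 -or $name.Length -gt 127) {
        throw "Cannot derive a valid Key Vault secret name from '$FileName'."
    }
    return $name
}

function Save-CredentialFilesToKeyVault {
    param(
        [Parameter(Mandatory)][string]$VaultName,
        [string]$Path = (Get-Location).Path,
        [switch]$Force   # overwrite secrets that already exist in the vault
    )
    foreach ($file in Get-ChildItem -Path $Path -Filter '*.xml' -File) {
        $secretName = Get-KeyVaultSecretName -FileName $file.Name
        $existing = Get-AzKeyVaultSecret -VaultName $VaultName -Name $secretName -ErrorAction SilentlyContinue
        if ($existing -and -not $Force) {
            Write-Warning "Secret '$secretName' already exists in $VaultName; skipping (use -Force to overwrite)."
            continue
        }
        # Import-Clixml only succeeds for the user/machine that wrote the file.
        $cred = Import-Clixml -Path $file.FullName
        if ($cred -isnot [pscredential]) {
            Write-Warning "$($file.Name) is not an exported PSCredential; skipping."
            continue
        }
        # The password goes in as the secret value (still a SecureString here); the
        # user name and source file name travel as tags so restore can rebuild the file.
        Set-AzKeyVaultSecret -VaultName $VaultName -Name $secretName -SecretValue $cred.Password `
            -Tag @{ UserName = $cred.UserName; SourceFile = $file.Name } | Out-Null
        Write-Host "Saved $($file.Name) as secret '$secretName'."
    }
}

function Restore-CredentialFilesFromKeyVault {
    param(
        [Parameter(Mandatory)][string]$VaultName,
        [string]$Path = (Get-Location).Path
    )
    # Listing the vault returns metadata (including tags) but not secret values.
    foreach ($item in Get-AzKeyVaultSecret -VaultName $VaultName) {
        if (-not $item.Tags -or -not $item.Tags['SourceFile']) { continue }   # not one of ours
        $secret = Get-AzKeyVaultSecret -VaultName $VaultName -Name $item.Name   # fetches the value
        $cred = New-Object System.Management.Automation.PSCredential($secret.Tags['UserName'], $secret.SecretValue)
        # Export-Clixml re-encrypts the password with this machine's and user's DPAPI key,
        # so the restored file is again tied to this workstation.
        $target = Join-Path -Path $Path -ChildPath $secret.Tags['SourceFile']
        $cred | Export-Clixml -Path $target
        Write-Host "Restored $target"
    }
}

# Usage (after Connect-AzAccount and Set-AzContext -Subscription '<subscription>'):
# Initialize-KeyVaultDestination -ResourceGroupName 'graph-creds-rg' -VaultName 'graph-creds-kv' | Out-Null
# Save-CredentialFilesToKeyVault -VaultName 'graph-creds-kv'
# Restore-CredentialFilesFromKeyVault -VaultName 'graph-creds-kv' -Path 'C:\GraphReports'
```

Because the restore re-runs Export-Clixml on the target workstation, the recreated files are again bound to that user and machine, which is the property the earlier post relied on.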

Adding Microsoft To Do as a recommended app with Windows Information Protection

I’m a big fan of Microsoft To-Do but recently noticed that I was having trouble syncing data from my Windows 10 desktop to my other devices. Everything looked fine on my desktop but the next troubleshooting step I took revealed my problem as you can see below.

A Windows Information Protection (WIP) policy is preventing the use of Microsoft To Do on this device.

Ah ha, I had indeed recently changed my Windows Information Protection (WIP) policy for the desktop. This change had inadvertently stopped Microsoft To Do syncing as well as preventing me from logging in.

To solve the problem you need to add the Microsoft To Do app to the list of Protected apps in the Intune App Protection policy for the device; it isn’t there by default.

Navigate to the Intune App Protection policy in question and view the properties as shown above. On the right hand side, select the Edit link next to Targeted apps as shown.

You should then see the Targeted apps as shown above.

Scroll to the bottom of the list of Protected Apps and select the +Add link at the bottom as shown.

This process is similar to one I documented a while back for Adobe Acrobat:

Adding Acrobat as an allowed app

The difference this time is that Microsoft To Do is a store app.

To identify the app you need to search for the store app on the Microsoft Store as shown above. When you locate the app and view the URL you will see a unique identifier as shown. In this case, for Microsoft To Do, it is 9NBLGGH5R558.

You’ll then need to visit this URL:

https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9NBLGGH5R558/applockerdata

Doing so will spit out the information you need to add the app as a protected app to your policy. To view the result for other store apps just insert the appropriate identifier into the URL instead of the one for Microsoft To Do shown here.

Thus, for Microsoft To Do you’ll need:

"packageIdentityName": "Microsoft.Todos"

"publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"

Back on the Add apps page opened earlier, change the pull down at the top of the page to be Store apps. Then enter the information for Name, Publisher and product name as:

Name = Microsoft To Do

Publisher = CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

Product name = Microsoft.Todos

Select OK at the bottom of the dialog to save the changes. Then select Review+Save to update the policy.

You can either wait for the policy to be pushed down or force a sync from the device sync settings in the user account information for the Windows device. Once the policy has been updated to the machine you’ll be able to open and use Microsoft To Do or any store app you have configured. Doing so fixed my Microsoft To Do issue by allowing me to login to the app again on the desktop and sync information.
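The store-app lookup above, as an added PowerShell example that is not part of the original post: it fetches the applockerdata record for a Store product ID and turns it into the Name / Publisher / Product name triple the Intune dialog asks for, refusing the result if the publisher is not the one you expect. The function names are mine; the endpoint and the two JSON fields are the ones the post shows, and the 12-character product ID format is an assumption.

```powershell
# Added example (not from the original post): pull the AppLocker identity of a
# Microsoft Store app and turn it into the Name / Publisher / Product name triple
# the Intune "Add apps" dialog asks for. The endpoint and the two JSON fields are
# the ones the post shows; the helper names are mine.

function Get-StoreAppLockerData {
    param([Parameter(Mandatory)][string]$ProductId)
    # Assumption: Store product IDs are 12 uppercase alphanumerics (e.g. 9NBLGGH5R558).
    # Reject anything else before it is interpolated into the URL.
    if ($ProductId -notmatch '^[0-9A-Z]{12}$') {
        throw "'$ProductId' does not look like a Microsoft Store product ID."
    }
    $uri = "https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/$ProductId/applockerdata"
    return Invoke-RestMethod -Uri $uri -Method Get
}

function ConvertTo-WipTargetedApp {
    param(
        [Parameter(Mandatory)]$AppLockerData,      # object returned by Get-StoreAppLockerData
        [Parameter(Mandatory)][string]$DisplayName,
        # Only accept Microsoft-signed packages by default; pass another publisher
        # explicitly when you are deliberately allowing a third-party store app.
        [string]$ExpectedPublisher = 'CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US'
    )
    $publisher = $AppLockerData.publisherCertificateName
    $package   = $AppLockerData.packageIdentityName
    if ([string]::IsNullOrWhiteSpace($publisher) -or [string]::IsNullOrWhiteSpace($package)) {
        throw 'applockerdata response is missing packageIdentityName or publisherCertificateName.'
    }
    if ($publisher -ne $ExpectedPublisher) {
        throw "Publisher '$publisher' does not match the expected '$ExpectedPublisher'; check the product ID."
    }
    # Property names mirror the labels in the Intune "Add apps" dialog from the post.
    [pscustomobject]@{
        Name           = $DisplayName
        Publisher      = $publisher
        'Product name' = $package
    }
}

# Offline check with a constructed response that mirrors the two fields the post
# quotes for Microsoft To Do (no network call made).
$sample = '{"packageIdentityName":"Microsoft.Todos","publisherCertificateName":"CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"}' |
    ConvertFrom-Json
ConvertTo-WipTargetedApp -AppLockerData $sample -DisplayName 'Microsoft To Do' | Format-List

# Live lookup for the same app (uncomment when online):
# ConvertTo-WipTargetedApp -AppLockerData (Get-StoreAppLockerData '9NBLGGH5R558') -DisplayName 'Microsoft To Do'
```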

Summary report on multiple tenants with the Microsoft Graph

In recent articles I’ve covered off how to add an Azure AD application to multiple tenants, then set the permissions and finally run a report all quickly and easily using automation. You’ll find all that here:

Reporting on multiple tenants with the Microsoft Graph

With those same Azure AD applications and permissions in place I have now developed a program that will provide you a summary report of emails, Teams, OneDrive for Business and SharePoint usage across multiple tenants, all WITHOUT the need to login to any of them!

You’ll find this program available at my GitHub repo here:

https://github.com/directorcia/Office365/blob/master/graph-summary-get.exe

For it to execute you’ll need to have completed the process I detailed earlier of creating an Azure AD application in every tenant and adding suitable permissions. When that is complete you can simply run the above program. The program will need to be downloaded into the same directory where the tenant configuration files are located and run from there.

When it runs, it will get the configuration files in the current directory and access each tenant in order. It will collect information via the Microsoft Graph and then report on emails, Teams, OneDrive for Business and SharePoint. It will do this for each user in each tenant, again without the need to log in to the tenant.

Thus, you could run this report on a regular schedule and provide details on each of the tenants. Because no login to the tenants is required, you can do this whole process unattended!

There is lots more that can be done in this manner via the Microsoft Graph, so look out for more stuff I’ll be making available in the future.

Need to Know podcast–Episode 237

FAQ podcasts are shorter and more focused on a particular topic. In this episode I’ll talk about the differences between OneDrive for Business and SharePoint.

This episode was recorded using Microsoft Teams and produced with Camtasia 2019.

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-237-odfb-vs-sharepoint/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

CIAOPS Patron Community

Introduction to file collaboration in Microsoft 365, powered by SharePoint

@directorcia

Transcription

Robert Crane 0:00
Welcome along to the Need to Know podcast. My name is Robert Crane and this is episode 237. Now, these episodes are shorter episodes known as FAQs and they are aimed at a deeper dive into some of the technologies in the Microsoft Cloud. Now these episodes are brought to you by my CIAOPS Patron community and again, you’ll find information about that at http://www.ciaopspatron.com. Check it out if you’re interested in learning more and keeping up to date with everything in the Microsoft Cloud. Now what I want to cover today is a very common question I see out there around the differences between OneDrive for Business and SharePoint. Now the first point of order is to note that SharePoint is a technology, a service that OneDrive for Business takes advantage of. So the way to think about it is that SharePoint is the overarching technology that OneDrive for Business runs on and will also designate the common area as team sites. So again, think of SharePoint, the top of the tree, and that’s providing the storage capabilities for files and folders for OneDrive for Business and for team sites. And also for Microsoft Teams as well. So think of, again, SharePoint as the manner in which items, files, are stored in Microsoft 365, which OneDrive takes advantage of, and so do team sites.

Now one of the other differentiators here is to appreciate that OneDrive for Business is designed as personal storage per user. And team sites are designed for shared data. So think about a OneDrive for Business as what is on your desktop, My Documents or a home drive, a traditional home drive you would have had potentially with an on-prem server, and think of team sites as a location for shared files. So this is going to be, you know, the F drive in the old style file server, so therefore a shared location used by multiple people. Now, OneDrive for Business, as I said, is aimed at personal storage. And basically all you get is a single document library, right? So inside SharePoint technology, there are these apps or these locations where you can put information. The location that you put files into in SharePoint technology is called a document library.

And you only get one of those with OneDrive for Business. Whereas with team sites, you can have as many document libraries as you want. So the first differentiation point around these two technologies is that with OneDrive you get one document library; with team sites, you can create as many document libraries as you want to help you separate out and manage your different files in their environment. So when we open our OneDrive for Business, we see one document library, and basically just see a list of files and folders. So think about the fact that we get no width. We don’t get the ability to add additional apps. We can’t add document libraries to OneDrive for Business. We can’t add calendars, contacts, lists, all the other things that are in an intranet, into OneDrive for Business. OneDrive for Business is solely aimed at allowing users to store their file information. Now this is really good to allow users to get information off their My Documents, off their desktop, off their home drive from a server, and put it into an area in the cloud, which is backed up, managed, maintained, controlled and accessible remotely.

Now, the most important thing I think about any SharePoint technology, be it OneDrive for Business or team sites, is the fact that it’s all searchable. So once we put information up into SharePoint technologies, we’re able to take advantage of the fact that all the data will be indexed and can be recovered or can be viewed basically using search. Alright, so OneDrive for Business, one document library, you can’t add more document libraries. And you can’t, for example, add sub areas, you just get one single area with no width and no depth. It’s just a storage location. Now when you start out, in most cases, users will get at least one terabyte of space in their OneDrive for Business to be able to store their own personal files. Okay, so one terabyte per user, generally, is what is provisioned and is aimed at the user’s personal documents. It is not a place for parsers. It’s not a place largely for common documents, right? That is what we use team sites for. Now, the idea here with team sites is that it’s designed for this shared storage concept, designed for users to work on files in a group environment. Right. Now, as I mentioned, in SharePoint, you can add as many apps as you want to broaden what is available in that location. So you can add multiple document libraries. So you may have one location for your policies, your procedures, maybe a templates area, where you can keep building these out. And the advantage of having different document libraries, for example, is you can format them in a different way. And you can also have different permissions. But with team sites, we can also add things like calendars, contacts, lists. We can build it out into a true intranet environment.

So the idea with team sites is that it is for a group of people. And we can add more content in there besides just pure files, and OneDrive for Business is largely designed for pure file storage. Now, when we basically configure our environment with our team sites, we get one terabyte of total storage across all of the team sites, right. So remember that when we create a Microsoft team, we get a team site, a SharePoint team site, into which we can put our documents for our Microsoft team. That and all the other SharePoint team sites, when added together, their total storage cannot exceed, generally, one terabyte. Now, you get that one terabyte starting space which is shared across your Microsoft Teams, the team site environment, and you also then get an additional 10 gigabytes per user added onto that space. You start with one terabyte. And then for every licensed user you have using SharePoint team sites, you will get an additional 10 gig of storage capacity added on to that one terabyte, right? So if you have 10 users, you’re going to get 10 times the 10 gigs, you’re going to get a hundred gigs of additional storage. And that means you’re going to get basically 1.1 gigs worth or, sorry, 1.1 terabytes worth of data out there that you can use to put all your shared documents in. Now, not only can you get the one terabyte starting space with SharePoint team sites, you get the 10 gig per licensed user as well, but you could also buy additional storage. So one of the advantages of SharePoint team sites is the fact that you get the one terabyte, 10 gig per licensed user, then you also can add additional storage on there as a paid option if you so choose. So that makes it a little bit more extensive, a little bit more flexible to achieve what you want. Now, remember that this total space is one terabyte; you can manage that, you can make that automatically allocated, you can control that by the different team site, if you wish.

Now, what are some of the other differences between my SharePoint team sites versus OneDrive for Business? Well, in a SharePoint team site, you get something called check in, check out. So what that means is that when users work on, typically, Office documents inside these technologies, inside SharePoint technologies, then what happens is they are co-authored by default, which means that multiple users can edit them, update them, change them at the same time by default. Now, there are probably times when you want to make sure that only a single author has access to a document. In that case, you can check the document out, the author can update the file, everybody else can view the last version of it. And then when they’re finished, when the author’s finished with that, they check the document in and make it available later on. So, SharePoint team sites give us the ability to do this document management, which we don’t see with OneDrive for Business, because OneDrive for Business, again, is designed for a single user to work with. Now, probably the biggest difference between OneDrive for Business and SharePoint team sites is the fact that you get metadata. So metadata is available in SharePoint team sites. What do we use metadata for? Think of it like tagging files. So the idea is you will put a file into a SharePoint team site document library, and then you would tag it, so instead of creating folders or a very deep structure, you would use the tagging to keep that structure as flat as possible. The advantage of doing that and using metadata is you can now filter, you can now sort, and you can now launch automated processes based on the metadata you have. Now, a file, an item inside a SharePoint team site, can have as many metadata tags effectively as you wish. So you can tag a file by, for example, an author, by location, by whatever you wish, by a customer. And then you can start using that to filter and sort, and we don’t see that metadata capability in OneDrive for Business. Now, the other thing with SharePoint team sites is we can create a hierarchical structure, so we can create something called sub sites inside our SharePoint team sites to allow us to organise our data in a hierarchical structure. Now generally best practice is not to do very deep data structures these days, but it is possible and again, it’s one of the differentiation points between a SharePoint team site and OneDrive for Business, so they get ticked off. SharePoint team sites are much more like a traditional file server with data located in a hierarchical structure, and OneDrive for Business is just a single location with no sub areas that you can put your files and folders in if you want.

So just in summary, again, the idea here is that the storage technology that the Microsoft Cloud typically uses is a storage technology known as SharePoint that’s been with us probably for over 20 years now. Now, that technology allows us to build OneDrive for Business, which is a limited subset of the full features of SharePoint, as well as team sites. So team sites are aimed at grouping together information, files, contacts, calendars, for a group of people, a team of people, whereas OneDrive for Business is purely designed as a storage location for a user’s files, right. So every user generally, by default, will get their own OneDrive for Business, they can put their own files in there, they can then access them in any location, they can share the odd file in and out of that. But if they’re working on a group of files, like your traditional file server, the idea is to put it into SharePoint team sites. Now, there are some differences between the two and what’s available and what’s surfaced, and you get more of the functionality in SharePoint team sites. So you get things like check in, check out, you get the ability to add additional metadata. You can, for example, pin files to the top of a document library list to highlight them. You can also add calendars, contacts, lists, a number of different apps into a SharePoint team site to make it more like an intranet, right? So you want to gather all your information in there. Now importantly, remember that other components of the Microsoft Cloud like Microsoft Teams do use SharePoint team sites. So every time you create a Microsoft team, it will create a SharePoint team site in which you can put your files and folders, and that is surfaced in the Microsoft Teams interface. But you can dig in behind that. And you can go and get access to that full SharePoint team site from that Microsoft team if you want. Alright, so remember that the storage for a group of users is going to be in a SharePoint team site. And the individual data location for users and their files is going to be OneDrive for Business. And both of these are built on SharePoint technology, giving us a lot of these enterprise capabilities, document management, that is available in that. So hopefully that has given you a bit better clarification as to the difference between OneDrive for Business and SharePoint Online. And it sort of boils down to the fact that they’re both storage locations, they’re both built on SharePoint, OneDrive for Business is for individual users whereas SharePoint team sites are for groups of users. And that’s where you’re going to get the best usage and functionality out of that. Now, of course, you can use those services for other things, but they really shine when they are used in the correct way for storing data. So with that, I hope you enjoyed that episode. Thank you very much for listening. You have been listening to the Need to Know podcast from CIAOPS. For training on using technologies like SharePoint Online or Microsoft 365, visit www.ciaopsacademy.com. By purchasing from the selections available, you’ll be directly supporting this podcast. To provide feedback on this episode, visit www.ciaops.com/contact.

ANZAC Day 2020

The world of today is a very different place from what it was just a few months ago. A single event has changed everything to a new reality. This means we can never return to what it used to be like. We have experienced untold community and personal suffering. People have died and, sadly, will continue to die for the foreseeable future. Yet, such times are not totally unprecedented in history. Humanity has experienced even more challenging times and emerged triumphantly.

In these uncertain times we can look back in history for inspiration on how to deal with the challenges and the positives they can provide. On the 25th of April 1915 Australian and New Zealand troops (ANZACs) began their first engagement in what was euphemistically known as ‘the war to end all wars’. It wasn’t, and the senseless waste of life continues in conflicts to this day. However, if you look past the politics, if you look past the military decisions and implementations, you find individuals whose lives were utterly changed the day they stepped ashore in a foreign land to fight for what they, rightly or wrongly, believed.

It wasn’t long before such innocence gave way to the stark realities and horrors of war. A war that would continue for three more years, yet see these ANZAC troops distinguish themselves in places like northern France and Belgium amongst unimaginable human carnage, death and devastation. Even when the horrors of the war ceased in November 1918, many faced the confrontation of the Spanish Flu pandemic that raged for an additional three years, encompassing the globe and taking more lives than the War had.

Few of us today can appreciate the experiences of fighting in a World War and then having to live through a global pandemic. Yet they did. Not all survived unscathed, but those that did rebuilt the world that we enjoy today. Even with the challenges of the day, we are lucky. Never forget that things could always be worse and be thankful for what you have rather than desiring what may no longer be possible. Remember many have given the ultimate sacrifice to provide the life you enjoy.

We pause and reflect on the sacrifices of those who serve. Not just those in the military, past and present, but also first responders, doctors, nurses and others on the front line of the public medical battles we face today. Many of these are demonstrating the resolve, compassion and dedication evidenced by previous generations, including the ANZAC forces.

For many, ANZAC Day today is a new experience. Hopefully, it is something we will never have to experience again in our lifetime. Circumstances dictate that we need to largely remember as individuals rather than in groups. However, that should not diminish the hope that such remembrances provide. It should not diminish the resolution and focus on others that people like the ANZACs demonstrated during their many trials. In the end, they did what they did for their ‘mates’. That should be our inspiration and takeaway from ANZAC Day 2020. Let’s honour our heroes by pulling together as a community and doing so for our ‘mates’. They did what they did for others, so should we.

Lest We Forget 

If you want to learn more about the ANZAC battlefields in northern France, visit my web site – www.anzacsinfrance.com.

Microsoft 365 mailbox reporting issue

If I look at my mailbox I see a total of 64,382 items in the deleted items as shown above.

If I then look at my Online Archive I see 44,024 items in the archived deleted items as shown.

This means I have 64,382 + 44,024 = 108,406 items in total in my deleted items.

If I however run the Exchange Online PowerShell module v2 command as shown above,

get-exomailboxstatistics

it only reports 11,865 items??

If I look at the Mailbox usage statistics in the Microsoft 365 Admin center reports for 7 days I see 11,637 as the deleted item amount.

If I look at the Mailbox statistics in the Microsoft 365 Admin center reports for 30 days I see 11,637 as the deleted item amount. The same number as for 7 days.

Both 90 and 180 day options reveal the same results, Deleted Item Count = 11,637? Why?

Now compare this to Email activity over 7, 30, 90 and 180 days.

The numbers vary based on the period as you see above. This is what I would expect to also see for Mailbox usage numbers.

If you have a look at:

Microsoft 365 Reports in the admin center – Mailbox usage

It says:

Deleted Item Count refers to the total number of deleted items in the mailbox.

but that is only reporting 11,637 items not the expected 64,382. Also, changing the period of those reports doesn’t change the number of Deleted Items. I would have thought that if the figures shown were total items during that period, they would vary as I changed the period. But they don’t. I would expect a small figure for Deleted Item for 7 days and a larger figure for 180 days say. I wouldn’t expect the same figure for 7, 30, 90 and 180 days!

So there must be something I’m missing here with these numbers? Anyone care to enlighten me?
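One check worth running when the numbers disagree like this, as an added PowerShell example rather than anything from the post: pull the mailbox-level statistics and the per-folder counts for both the primary mailbox and the Online Archive in one object, so you can see which folder types the cmdlet’s DeletedItemCount actually lines up with instead of assuming it counts the Deleted Items folder. It assumes Connect-ExchangeOnline has already been run and that the mailbox identity passed in is a placeholder you replace.

```powershell
# Added example, not from the post: put the numbers the post compares side by side
# for one mailbox, using the Exchange Online PowerShell v2 cmdlets the post names.
# Assumes Connect-ExchangeOnline has already been run with a role that can read
# mailbox statistics. $Identity is whatever Get-EXOMailboxStatistics accepts (UPN, alias).
#Requires -Modules ExchangeOnlineManagement

function Get-DeletedItemBreakdown {
    param([Parameter(Mandatory)][string]$Identity)

    # Mailbox-level totals, primary and archive (archive call is empty when none exists).
    $stats        = Get-EXOMailboxStatistics -Identity $Identity
    $archiveStats = Get-EXOMailboxStatistics -Identity $Identity -Archive -ErrorAction SilentlyContinue

    # Folder-level counts for both stores.
    $primaryFolders = @(Get-EXOMailboxFolderStatistics -Identity $Identity)
    $archiveFolders = @(Get-EXOMailboxFolderStatistics -Identity $Identity -Archive -ErrorAction SilentlyContinue)

    # Sum one property over every folder of a given well-known FolderType; 0 when none match.
    function Sum-ByFolderType([object[]]$Folders, [string]$FolderType, [string]$Property) {
        [int](($Folders | Where-Object { $_.FolderType -eq $FolderType } |
                Measure-Object -Property $Property -Sum).Sum)
    }

    # The Deleted Items folder the post counts in the mailbox (including any subfolders
    # a user created under it), and the Recoverable Items folders, which hold items
    # already removed from Deleted Items and are a separate store.
    $recoverable = 'RecoverableItemsDeletions', 'RecoverableItemsVersions', 'RecoverableItemsPurges'
    [pscustomobject]@{
        Identity                     = $Identity
        StatsItemCount               = $stats.ItemCount
        StatsDeletedItemCount        = $stats.DeletedItemCount
        ArchiveStatsDeletedItemCount = if ($archiveStats) { $archiveStats.DeletedItemCount } else { 0 }
        DeletedItemsFolderPrimary    = Sum-ByFolderType $primaryFolders 'DeletedItems' 'ItemsInFolderAndSubfolders'
        DeletedItemsFolderArchive    = Sum-ByFolderType $archiveFolders 'DeletedItems' 'ItemsInFolderAndSubfolders'
        RecoverableItemsPrimary      = ($recoverable | ForEach-Object { Sum-ByFolderType $primaryFolders $_ 'ItemsInFolder' } | Measure-Object -Sum).Sum
        RecoverableItemsArchive      = ($recoverable | ForEach-Object { Sum-ByFolderType $archiveFolders $_ 'ItemsInFolder' } | Measure-Object -Sum).Sum
    }
}

# Example call (placeholder mailbox; replace with one in your tenant):
# Get-DeletedItemBreakdown -Identity 'user@contoso.com' | Format-List
```

Comparing StatsDeletedItemCount against the DeletedItemsFolder and RecoverableItems columns shows directly which measure the statistics cmdlet and the admin center report are using.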

Microsoft Graph tenant management summary

I’ve covered a lot in recent articles around using the Microsoft Graph to manage a tenant. You can find those previous articles here:

Reporting on multiple tenants with the Microsoft Graph

Making PowerShell automation easier with the Microsoft Graph

To bring this all together I have created a summary video which you’ll find here:

https://www.youtube.com/watch?v=P3xhE2ESgE8

In it, you see how to use the code that I created to install Azure AD applications in tenants, provide permissions to these Azure AD applications and then finally run a report routine to extract the desired information.

Hopefully, this summary provides a nice easy way to see this concept in action end to end.