Custom Settings Disclaimer
Please note that any configurations involving custom settings or custom scripting fall outside the scope of our support services. Consequently, the Service Desk team will be unable to assist with issues arising from such custom settings.
Getting started — Pre-authentication & Module Management
There's no need to worry about loading or authenticating any of the supported PowerShell modules as that's already done for you. The following modules are pre-loaded, pre-authenticated and therefore ready to use.
Supported modules:
Microsoft.Graph
Microsoft.Graph.Beta
PnP.PowerShell
ExchangeOnlineManagement
MicrosoftTeams
This means you can use commands like Get-MgUser, Get-Mailbox, Get-PnPSite, etc. without running Connect-MgGraph or similar.
PowerShell Script Overview
Script Template
# Read the current value (replace GET-SOMETHING / PROPERTY with the real cmdlet and property)
$setting = GET-SOMETHING | Select-Object PROPERTY
if ($setting.PROPERTY -eq $inputData.Enabled) {
    $compliance = [Compliance]::Yes
    $message = "Setting is compliant. Value is: $($setting.PROPERTY)"
}
else {
    if ($inputData.ComplianceAction -eq [ComplianceActionType]::Enforce) {
        # Enforce: change the tenant setting to the required value
        SET-SOMETHING -PROPERTY $inputData.Enabled
        $compliance = [Compliance]::Fixed
        $message = "Setting has been fixed. Was: $($setting.PROPERTY), Now: $($inputData.Enabled)"
    }
    elseif ($inputData.ComplianceAction -eq [ComplianceActionType]::Notify) {
        # Notify: report only, make no change
        $compliance = [Compliance]::No
        $message = "Setting is not compliant. Was: $($setting.PROPERTY), Should be: $($inputData.Enabled)"
    }
}
# Report the outcome for this tenant
Add-Result -TargetType "Tenant" -Target $inputData.TenantDomain -Message $message -Compliant $compliance
Script Components Explained
Compliance Enum
Used to represent the compliance state:
- [Compliance]::Yes – Setting is already compliant.
- [Compliance]::No – Setting is not compliant.
- [Compliance]::Fixed – Setting was not compliant but has been remediated.
- [Compliance]::Unknown – Unknown or undetermined compliance.
ComplianceActionType Enum
Tells the script what action to take:
- [ComplianceActionType]::Notify – Only notify about issues, do not change settings.
- [ComplianceActionType]::Enforce – Attempt to fix non-compliance by applying changes.
$inputData Object
This is automatically populated and contains:
- TenantId – The M365 tenant ID.
- TenantDomain – The M365 domain name (e.g., example.onmicrosoft.com).
- ComplianceAction – Enum indicating enforcement or notification.
- TargetIds – Array of target user IDs (automatically populated).
- Your parameters (e.g., $inputData.Enabled) added through the UI.
Add-Result Function
Used to report the result of your compliance check.
Add-Result -TargetType "Tenant" -Target $inputData.TenantDomain -Message $message -Compliant $compliance
Parameters:
- TargetType: E.g., "Tenant", "User", "Mailbox", "Group"
- Target: Name or domain of the object
- Message: Description of compliance outcome
- Compliant: Enum of [Compliance]::Yes, No, Fixed, or Unknown
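A way to dry-run a custom setting script offline before pasting it into the UI, shown as an added example that is not part of the original article or the product's own code. The enums, Add-Result, $inputData and the two Exchange cmdlets are local stand-ins whose shapes are assumed from the descriptions above, and the tenant values are constructed; the script under test also defaults to [Compliance]::Unknown, which the template does not do.

```powershell
# Local stand-ins for what the platform supplies at run time (assumed shapes, not the product's definitions).
enum Compliance { Yes; No; Fixed; Unknown }
enum ComplianceActionType { Notify; Enforce }

$script:Results = @()
function Add-Result {
    param(
        [Parameter(Mandatory)][string]$TargetType, [Parameter(Mandatory)][string]$Target,
        [Parameter(Mandatory)][string]$Message,    [Parameter(Mandatory)][Compliance]$Compliant
    )
    $script:Results += [pscustomobject]@{
        TargetType = $TargetType; Target = $Target; Compliant = $Compliant; Message = $Message
    }
}

# Hypothetical stubs shadowing the real cmdlets so nothing touches a tenant.
$script:SetCalls = 0
function Get-OrganizationConfig { [pscustomobject]@{ OAuth2ClientProfileEnabled = $false } }
function Set-OrganizationConfig { param($OAuth2ClientProfileEnabled) $script:SetCalls++ }

# Script under test: same logic as the template, starting from a safe default.
$check = {
    $compliance = [Compliance]::Unknown
    $message    = 'Compliance could not be determined.'
    $setting    = (Get-OrganizationConfig).OAuth2ClientProfileEnabled
    if ($setting -eq $inputData.Enabled) {
        $compliance = [Compliance]::Yes;   $message = "Compliant. Value is: $setting"
    }
    elseif ($inputData.ComplianceAction -eq [ComplianceActionType]::Enforce) {
        Set-OrganizationConfig -OAuth2ClientProfileEnabled $inputData.Enabled
        $compliance = [Compliance]::Fixed; $message = "Fixed. Was: $setting, Now: $($inputData.Enabled)"
    }
    elseif ($inputData.ComplianceAction -eq [ComplianceActionType]::Notify) {
        $compliance = [Compliance]::No;    $message = "Not compliant. Is: $setting, Should be: $($inputData.Enabled)"
    }
    Add-Result -TargetType 'Tenant' -Target $inputData.TenantDomain -Message $message -Compliant $compliance
}

# Constructed input; run once per action type and confirm only Enforce calls the Set- stub.
foreach ($action in [ComplianceActionType]::Notify, [ComplianceActionType]::Enforce) {
    $inputData = [pscustomobject]@{
        TenantId = '00000000-0000-0000-0000-000000000000'; TenantDomain = 'example.onmicrosoft.com'
        ComplianceAction = $action; TargetIds = @(); Enabled = $true
    }
    $before = $script:SetCalls
    & $check
    "{0,-7} -> {1,-5} (Set- calls: {2})" -f $action, $script:Results[-1].Compliant, ($script:SetCalls - $before)
}
```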
Step-by-Step: Create a New Custom Setting
On 365 Tenant Manager, if you have created an Azure Function App, you will be able to create a custom setting.
To create a new Custom Setting, follow the steps below:
- Navigate to [365 Tenant Manager] > [Setting Library]
- Select the [Custom] tab and click on [Create New]
- Enter a name and a description for the setting
- From the top right corner, select a Microsoft App where the setting will apply from the drop-down menu
- Click on [Add], then enter a Parameter name and description. Select a parameter type and set a default value if required
Note that depending on the selected parameter type, you have different options for the default value:
• Bool: True/False
• Integer: Any positive or negative integral number
• String: Sequence of letters and numbers
• List of strings: List of strings that can contain literals and numbers
• List of integers: List of integers that can contain any positive or negative integral number
⏱ Parameters will be available in your script through the $inputData object.
- Paste your custom PowerShell script
- Click [Validate] to check for errors and click [Versions] to confirm compatibility with supported Microsoft libraries.
- Once done, click [Save]
- To assign the custom setting to a Tenant, you can check the following KB article
Example 1 — Enforce Modern Auth
Microsoft App Context
- Exchange
Parameter
- Name: Enabled
- Type: Bool
- Default Value: True
- Description: "Defines the enablement state of OAuth2ClientProfileEnabled (Modern Authentication) in Exchange Online."
$setting = Get-OrganizationConfig | Select-Object -ExpandProperty OAuth2ClientProfileEnabled
if ($setting -eq $inputData.Enabled) {
    $compliance = [Compliance]::Yes
    $message = "Modern Authentication is enabled as required. Value is: $($setting)"
}
else {
    if ($inputData.ComplianceAction -eq [ComplianceActionType]::Enforce) {
        Set-OrganizationConfig -OAuth2ClientProfileEnabled $inputData.Enabled
        $compliance = [Compliance]::Fixed
        $message = "Modern Authentication enablement was: $($setting), It is now: $($inputData.Enabled)"
    }
    elseif ($inputData.ComplianceAction -eq [ComplianceActionType]::Notify) {
        $compliance = [Compliance]::No
        $message = "Modern Authentication enablement is: $($setting), It should be: $($inputData.Enabled)"
    }
}
Add-Result -TargetType "Tenant" -Target $inputData.TenantDomain -Message $message -Compliant $compliance
Example 2 — Ensure All Users Have UsageLocation Set to "GB"
Microsoft App Context
- Entra
Parameter
- Name: RequiredUsageLocation
- Type: String
- Default Value: GB
- Description: "The country code to enforce as the user's UsageLocation (e.g., GB, US, DE)"
foreach ($userId in $inputData.TargetIds) {
    try {
        $user = Get-MgUser -UserId $userId -Property DisplayName, UsageLocation -ErrorAction Stop
        if ($user.UsageLocation -eq $inputData.RequiredUsageLocation) {
            $compliance = [Compliance]::Yes
            $message = "User '$($user.DisplayName)' is compliant. UsageLocation is: $($user.UsageLocation)"
        }
        else {
            if ($inputData.ComplianceAction -eq [ComplianceActionType]::Enforce) {
                # -ErrorAction Stop sends a failed update to the catch block instead of reporting Fixed
                Update-MgUser -UserId $userId -UsageLocation $inputData.RequiredUsageLocation -ErrorAction Stop
                $compliance = [Compliance]::Fixed
                $message = "User '$($user.DisplayName)' UsageLocation was '$($user.UsageLocation)'. Set to: $($inputData.RequiredUsageLocation)"
            }
            elseif ($inputData.ComplianceAction -eq [ComplianceActionType]::Notify) {
                $compliance = [Compliance]::No
                $message = "User '$($user.DisplayName)' UsageLocation is '$($user.UsageLocation)'. Should be: $($inputData.RequiredUsageLocation)"
            }
        }
        Add-Result -TargetType "User" -Target $user.DisplayName -Message $message -Compliant $compliance
    }
    catch {
        Add-Result -TargetType "User" -Target $userId -Message "Unable to evaluate user with ID '$userId': $($_.Exception.Message)" -Compliant ([Compliance]::Unknown)
    }
}