Click here if you like to subscribe the ChangeLog as an RSS feed.

Delegate365 changelog 9.2-More improvements

Monday, March 8, 2021

Delegate365 v9.2 will be extended with some new features this March. See the latest features here.

  • See the latest features of Delegate365 v9.2 such as extended reports retention dates, new message tracing options, a new license order process, some fixes and more at Delegate365 changelog 9.2-improvements
  • Schema Extensions: Another new feature is described at Introducing user schema extensions in Delegate365. This allows to add custom user data to Azure AD. The custom data can be used with PowerShell for own business processes. See more at how to use Azure AD schema extensions in Graph PowerShell.
  • Invite guests: When inviting guest users to the M365 tenant, the admin has to fill out a form with the Display name and the email address of the external user. The panel was extended with First Name and Last Name.
    The invited user will show up in Delegate365 in the Users list automatically and can be administrated in the same way as internal users. The new fields are stored in the user object, as shown in the Azure Portal.
    By default, the guest user gets an invitation to join the M365 tenant. See a detailed description at Delegate365-Working with guest users

The update will be rolled out in March for all Delegate365 tenants. Also, we are working on the next version Delegate365 v9.3 that will come in spring with some more improvements. Stay tuned!

Working with Azure AD schema extensions in Graph PowerShell

Thursday, March 4, 2021

Schema extensions enable to store extended custom data directly to objects in Azure AD. This article describes how to access data we defined and added in Introducing user schema extensions in Delegate365 with the Microsoft Graph PowerShell module.


To work with Microsoft Graph and PowerShell, we need to install the Microsoft.Graph module as described at Install the Microsoft Graph PowerShell SDK. You can install the module in PowerShell Core or Windows PowerShell using the following command.

Install-Module Microsoft.Graph -Scope CurrentUser

If you already have the module installed, check the version (currently, the latest version is '1.3.1'):

Get-InstalledModule Microsoft.Graph

To update to the latest version, run:

Update-Module Microsoft.Graph -Force

If you want to completely uninstall the Microsoft.Graph module, run Uninstall-Module Microsoft.Graph.

Connect to Graph

Once installed, we can use the Connect-MgGraph to authenticate with a user and device login to access data in the M365 tenant. The scopes define the permissions we need in our script. In this sample, we want to access User data (and eventually) Group data.

Import-Module Microsoft.Graph
# Select-MgProfile -Name "beta"
Connect-MgGraph -TenantId '<tenantname>' `
    -Scopes "User.ReadWrite.All","Group.ReadWrite.All"

Sign-in and copy the device code into the browser page. When you close the browser, Connect should welcome you: Welcome To Microsoft Graph!

We can check the connection with Get-MgContext. The output should look as here.


ClientId              : <someid>
TenantId              : <tenantid>
CertificateThumbprint :
Scopes                : {User.ReadWrite.All, Group.ReadWrite.All…}
AuthType              : Delegated
CertificateName       :
Account               : admin@<tenantname>
AppName               : Microsoft Graph PowerShell
ContextScope          : CurrentUser
Certificate           :

Looks good. Now we are ready to access the schema properties.

Get all existing schema extensions

To see how to work and how to get Schema Extensions, check out the documentation at Get schemaExtension. To get all schema extensions in the tenant with PowerShell, we can use the Get-MgSchemaExtension cmdlet with the -All parameter.

Get-MgSchemaExtension -All

We get a long list. It seems, Microsoft is using schema extension extensively. To see the properties delivered, we analyze the first element:

$SchemaExtensionList[0] | fl

Description          : sample desccription
Id                   : adatumisv_exo2
Owner                : 617720dc-85fc-45d7-a187-cee75eaf239e
Properties           : {p1, p2}
Status               : Available
TargetTypes          : {Message}
Keys                 : {}
Values               : {}
AdditionalProperties : {}
Count                : 0

The relevant properties are, of course, the Id, the Owner, the Properties and the Status. The status can be "InDevelopment", or "Available". When set to "Available", the properties can no longer be extended. In Delegate365, we use the Status "InDevelopment" to be more flexible.

Get specific existing schema extensions

To get only our own schema extensions, we need the App Id that owns the custom schema extension OR the name of the extension. In Delegate365, we can open the Delegate365 settings and get the schema extension name in the Schema Extensions section as here.


The schema extension name always ends with "delegate365userextension". Azure AD creates a random prefix for the name. In this sample, the generated name is "extmersxab8_delegate365userextension".

Unfortunately, the Graph (still) does not have an OData function to search with contains or endswith. Also, the cmdlet Get-MgSchemaExtension has a -Filter option - but that does not work! However, we can get all the schema extensions and filter for our own extension ourselves. So, let´s use our object and filter for our extension - adapt the search as needed.

$myext = Get-MgSchemaExtension -All | ? id -like '*_delegate365userextension'

Id                                   Description              Properties                          TargetTypes Status        Owner
--                                   -----------              ----------                          ----------- ------        -----
extmersxab8_delegate365userextension delegate365userextension {jobtitle, costcenter, favcolor}    {User}      InDevelopment a3f620a2-8418-44b6-9847-aa3db8cd37db
ext7ztddysl_delegate365userextension delegate365userextension {jobtitle}                          {User}      InDevelopment a3f620a2-8418-44b6-9847-aa3db8cd37db
extvndtvtlr_delegate365userextension delegate365userextension {jobtitle}                          {User}      InDevelopment a3f620a2-8418-44b6-9847-aa3db8cd37db

We see that our Delegate365 schema extension "extmersxab8_delegate365userextension" with it´s properties. The command also shows us the "owner". Here the owner is the Delegate365 app with the App Id "a3f620a2-8418-44b6-9847-aa3db8cd37db". Only the owner is allowed to modify the schema extension.

Side story when working with Schema Extensions in Graph: Currently, one application (in our case, the Delegate365 app) can only own up to 5 schema extensions. As of today, the Microsoft Graph API seems to have an issue here: If a new schema extension is created, it internally creates 2 or 3 schema extensions with unique names, but with the same initial properties (as we see the 3 lines above). The multiple extensions are connected: All schema extensions deliver the same data. In Delegate365, we use only the first (and created) schema extension by name. The remaining 2 are unused and cannot be deleted - another (corresponding) bug in the Microsoft Graph API. This leaves (5 - 3 =) only 2 more possible schema extensions for an app. When the next new schema extension is created, it can happen that 2 extensions are created... To make it short: The Graph API has some reproducible issues and the Delegate365 schema extension should not be removed in any case to ensure the properties can be extended in Delegate365 if needed. Therefore, removing an existing user schema extension in Delegate365 is not available. Also, the Delegate365 setup has been renewed to ensure that the Delegate365 app is never deleted and all secrets and certificates are renewed properly, when a new Delegate365 setup is executed. However, user schema extensions in Delegate365 are useful and Delegate365 works around that Graph issue.

Get users with specific data

A typical use case is to get a list of all users with a specific value set in a schema extension. For example, we want to get all users who have the favcolor set to "red", or all users who have the cost center set to "1200" or similar.

Unfortunately, there is currently no ready-to-use cmdlet available for that. So, we need to accomplish this with a Graph REST call, with a query running Invoke-MgGraphRequest (using the authentication from before) as here:

$Url = '$filter=startswith(extmersxab8_delegate365userextension/favcolor, ''red'')&$select=id,displayname&$top=2'

$result = Invoke-MgGraphRequest -Method GET -Uri $Url

The syntax for the property query is <schemaextensionname>/<propertyname> (it took some time to figure this out). The request above shows the syntax. This returns a result with all (well, the first two) users who have the property favcolor starting with "red". Note that Graph only delivers up to 100 items per page. So, we have to take care and process additional data ourselves if needed, see below.

Process the result

First, let´s check the result. This is … clumsy, as we see when we output the $result.value from the operation above.


Name                           Value
----                           -----
id                             <userid>
displayName                    Adele Vance            <someid>/directoryObjects/<userid>/Microsoft.Dire...
id                             <userid>
displayName                    Bianca Pisani            <someid>/directoryObjects/<userid>/Microsoft.Dire...

We get a a hash table, including a hash table for each item (including the selected properties). Really? So, we need to split the data to work with the corresponding users… Also, what if we get more pages of users?

Filter and loop through all users

After we initially loaded the first page, we can follow the data in the odata.nextLink property. See more at Paging Microsoft Graph data in your app. To make it short, here´s the solution for getting all filtered users for the query to continue to work with the user id for additional steps.

# Define the first request:
$Url = '$filter=startswith(extmersxab8_delegate365userextension/favcolor, ''red'')&$select=id,displayname&$top=2'
do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $Url
    # Returns a hash table, including a hash table for each item....!
    # We are only interested in the "id" and displayname property

    $page.value | ForEach-Object { Write-Host $_['id'] $_['displayname'] } 
    # Check if there are following pages
    if ($page.'@odata.nextLink') {
        Write-Host 'Loading next page…'
        $Url = $page.'@odata.nextLink'
    } else {
        Write-Host 'We got everything!'
} while ($true)

When we run this script, we loop through all filtered users with the page size of 2. When no more data is returned, we´re done and end the forever-loop. As output we should get all users with their id and their Displayname:

bef4b76a-289a-43bc-bad4-84ee0c5f1c12 Debra Berger
30ad21be-3f2c-4c39-87c4-fad4784cb22d Adele Vance
Loading next page…
d92c0583-4b8e-4979-abd3-be0fd7c6fa3b Bianca Pisani
We got everything!

We can now continue to work with that data and do something with the users in the ForEach-Object { <do-something> } block. Eventually, we would like to add these users to a group, send emails to these users or do similar actions.


This article demonstrates the current status of working with Azure AD schema extensions with Microsoft.Graph PowerShell. You can download the script shown above in the Delegate365 GitHub Samples here. A sample for running such a script in an Azure Automation Account and synchronizing filtered users to an email enabled security group will be added in this repository shortly. We hope this step-by-step instructions helps to automate user specific processes and to customize tasks based on custom user data.

See also:

Happy managing your M365 tenant with Delegate365 and happy scripting!

Introducing user schema extensions in Delegate365

Thursday, February 25, 2021

The current version of Delegate365 adds a new feature: Schema extensions for users. Schema extensions allow to add custom data to Azure AD objects. In Delegate365, administrators can use the Delegate365 schema extension feature to add custom properties to a user. Find out, how you can use the user schema extension in Delegate365 here.

Possible areas of application are e.g. predefined job titles, cost center, employee type, other emails or managers, or other user specific data where there is no property in Azure AD existing. The Delegate365 user schema extension can be declared and used in Delegate365 and in the Azure AD. There can be multiple properties defined, as a text field, or with predefined values as a selection field.

So, Delegate365 supports a free customizable user defined schema extension. The custom user data can be used outside of Delegate365 as well.

  • Default setting: You can find the schema extension settings in the Administration / Delegate365 settings menu, at the end of the page, in the Schema extensions section. By default, the schema extensions are not activated.
  • Activate and create the schema extension: Turn on the switch "Use schema extensions in Delegate365".
    The switch activates the usage of the user schema extension in the Users menu, as a new function in the right menu, as here.
    In order to be able to use the schema extensions, we have to define the following properties. If you want to deactivate that functionality, set the "Use schema extensions in Delegate365" switch to No.
  • Create the schema extension properties: Then, we can create one or more properties below. In our sample, we first add a new property with the name "jobtitle". Delegate365 offers a text field for free input, or a selection field (a dropdown). We want that the jobtitle shall be picked from a predefined list. So, we set the Is selection to Yes.
    Click the Values icon to the right of the switch. Now, we can add values for the selection in the panel on the right.
    Add multiple values and the desired order (that is used for the output) here. In this sample. we added 5 values for the jobtitle field. Click OK to save the values. When done, we can click Create extension.image
    A toast message shows the successful creation of the new schema extension.
    This process creates the schema extension in Azure AD for all users in the tenant.
  • Schema extension name "extxxxxxxx_delegate365userextension": The schema extension is automatically named with a random extension number by Azure AD, followed by the name "delegate365userextension". In this sample, the generated name is "extmersxab8_delegate365userextension". The name cannot be changed. In Azure AD, the extension stores string values. See the following post how to access it from outside of Delegate365.
  • Update the schema extension: You can add additional properties to the schema extension if needed. In real world, this should be just a handful of properties you really need for all users, such as cost center, employee type, other emails or additional managers or similar. Simple properties for simple data. If you need to store more extensive user information, such as a picture or similar, we recommend to store just a reference as a link to that data in the user object.
    In this sample, we add another property with the name "costcenter". This is a free text field, and Is selection stays to No. The admin shall enter any string value. Now, we can click Update extension to update the schema extension in Azure AD. We shall get a short success-message.
  • Existing property names cannot be changed: Note, that existing properties cannot be renamed or deleted. But, you can add new properties. Here this means, you cannot modify the property name jobtitle to e.g. oldjobtitle. When you update the schema extension , Azure AD will deliver an error as here.
    If you such an error is shown, simply open another menu on the left, and come back to the Delegate365 settings menu. It will show the (unchanged) properties as they exist in the Azure AD. Again, you can a) add more new properties and b) you can modify the selection values anytime if needed!
  • Existing properties cannot be deleted: According to the previous point, properties cannot be removed, once the schema extension has been created or updated. This schema extensions behavior is by design. You would get and error similar as here: SaveSchemaExtension: Code: BadRequest Message: Cannot delete an existing property. So, create the properties wisely.
  • Fill and use the user schema extension: Once defined (and activated), the Delegate365 admins will see the Schema extensions menu in the Users list, as here.
    The schema extensions panel opens on the right side, showing the defined properties. In this sample, we see the jobtitle as a dropdown and the costcenter as a text field.
    The jobtitle selection offers the values we defined before. The predefined order defines the order in the dropdown. Here, Adele Vance, gets the role "HR Manager" assigned.
    So, the data for this user can be selected and entered in the panel. As cost center, we input "1200" as a text value.
    Click Save to save the custom data in the user schema property and to close the panel.
  • Users with custom data: To see, remove or manage the custom property values, select the user and open the Schema extensions menu anytime.
  • Limits and behavior: One application (in our case, the Delegate365 app) can only own up to 5 schema extensions. The Delegate365 user schema extension cannot be deleted to ensure manageability and expandability for additional properties if needed. Therefore, the Delegate365 setup has been renewed to ensure that the Delegate365 app is never deleted and all secrets, certificates and permissions are renewed or prolonged properly, when a new Delegate365 setup is executed.
    The article Working with Azure AD schema extensions in Graph PowerShell demonstrates how to use the Delegate365 schema extensions outside of Delegate365. You can access the schema extension by the name provided here.

The Delegate365 schema extension for users allows enables the management and storage of additional data for user objects. The selector is useful to only allow predefined values for some custom properties. This helps in standardizing certain values within an organization. See the following article how to access that data from outside of Delegate365.

The new feature will be available in Delegate365 v9.2 in March. Happy managing your M365 tenant with Delegate365!

Delegate365 changelog 9.2-improvements

Thursday, October 22, 2020

The next version of Delegate365 is here. Delegate365 v9.2 follows the last update v9.1. This update includes a bunch of helpful features and improvements such as SharePoint sites management, Group OU improvements, report improvements, a new message trace job and more. See a description of the new features here.

  • License bars on the dashboard, for users and quotas: The license information is now visually improved for Portal Administrators. A license bar per license (SKU) shows how many licenses are in use and how many are available in total.
    The same applies to a user's licenses…
    …and license quotas.
    The new display enables a quick view of the licenses.
  • SPO site auto-assign: This new feature allows to automatically assign SharePoint Online sites to an OU by site name in the Administration / sync rules module. Please see the details at Delegate365 changelog 9.2-SPO site auto-assign. and ensure you have configured the SPO access for Delegate365 as described at Delegate365 changelog 9.1-SharePoint Online.
  • Group OUs no longer require domains: When working with Group OU´s (see here), administrators required to have the domain of the users in the Group OU´s assigned to see them. That turned out to be cumbersome. Now, this is no longer required. Administrators now see ALL users of the assigned Group OU´s regardless of the user´s domain. The people picker now shows all users of entitled Group OU´s. Please see Delegate365 changelog 9.2-Group OUs for a sample and more information.
  • Named report files: The Reports module allows to generate reports for the entitled OU´s. The generated report files used be just named with a current number, such as 287.csv and 287.xlsx, etc. With this version, the new file names identify the group and the report purpose, such as "report-AzureAD-directoryroleusers-287.csv" etc.
    The new file names support for later, automatic analysis, for example with Power BI, an article about this will follow. Admins see the new file names in the Delegate365 storage, as here.
  • Reports retention date: When talking about reports, there´s another new feature regarding the retention date of generated reports. Previously reports were only kept for 7 days. There is a new setting in the Administration / Delegate365 settings, in the Report settings.
    Now admins can control the retention date of the report files with a time frame from 7 days up to 365 days before these reports are automatically deleted.
    Amongst other things, this can be helpful for saving weekly or monthly reports for a longer time directly in the Delegate365 storage.
  • Message Tracing two options: Menu Mailboxes / Message trace now comes with two options. In the first section, the date range (up to 7 days) and sender or recipients can be filled in.
    Below, the administrator can now run the query by clicking "Run now" (as before), or run the query as a job by clicking "Run as job". Run now is the default, when not many results are expected. The result is shown below as here.

    The new option Run as job schedules a job as background task to avoid any time-outs if the query is running too long. Use this query if a large result set is expected, or if Run now does not deliver a result.
    The Run as job notifies the user when the report is completed.
  • Date format harmonization: The web now is using the international date format (ISO 8601) for all audiences world-wide. There are not many date fields, so we hope the the harmonization works for everyone. The ISO 8601 format is YYYY-MM-DD (2020-07-12) to ensure accuracy in all situations.
  • PowerShell module update: The Delegate365 PowerShell module has been updated to v1.0.0.9 in the PowerShell Gallery. This version is fully compatible with the previous version and works with Delegate365 v9.2. The Set-Admin command now supports Group OU's. See the ReadMe and the description of Set-DAdministrator command and below.
    To install the Delegate365 module from the PowerShell gallery, run:
    Install-Module -Name Delegate365
    If you have already installed a previous version, we recommend to update your installed version to the latest version. Check your version (see below) and run the update:
    Update-Module -Name Delegate365 -Force
    Check the version:
    Get-Module -ListAvailable -Name Delegate365
    The output could look like here.
  • PowerShell update for Group OU's: The Set-DAdmin command now allows to set the Group OU as well. See the sample here and more at Set-DAdministrator.
    Set-DAdministrator -Identity '' `
    -OrganizationalUnits 'London', 'New York' `
    -GroupOrganizationalUnits 'Kuala Lumpur', 'Paris'
    Overwrites the OU assignment and the Group OU assignments of an administrator. The -GroupOrganizationalUnits parameter can be used starting with version Delegate365 v9.2 only. Pls. note that any OU or GroupOU assignments always overwrite existing assignments for the administrator. An OU can not be assigned as OU AND as GroupOU at the same time (as in the web portal). The administrator has to decide to which role the OU shall be assigned. If the same OU name is used as OU AND as GroupOU, the OU assignment always wins.You can check the result in the output as here.
  • New License order process (internal and external): With this update, the license order process can be changed in the Administration / Delegate365 settings. The default behavior "Internal order with approval (default)" (before this update) remains. License orders must be approved by a license admin in Delegate365, in the Licenses / license orders menu.
    Now there are four options. Internal orders mean that license orders (as before) are fulfilled from the pool of existing (bought) Microsoft 365 licenses, while external orders licenses are bought new (they are added to the licenses in the M365 license pool) and made available via the Microsoft partner. For external orders, atwork must be your CSP partner and the customer ID for the atwork shop system needs to be filled out. Both order processes can take place with or without approval by a license administrator. In addition, licenses for Delegate365 itself can now also be ordered by license administrators if the setting "Allow Delegate365 orders for license administrators" is switched on. This increases licenses for Delegate365 and creates an invoice to the customer address by default. If billing of license orders shall happen to an OU instead of a single billing address, the invoice data must be filled out in the OU management.
    A detailed article will follow shortly. Without changes here, the order behavior is as before.
  • Sync and little things: Some performance improvements in sync were made, now using more delta-queries, and small adjustments, such as labels and descriptions, have been made.
  • Update Oct., 24th, Update user fix: The Microsoft update user API service has been changed, causing update user operations and user license operations to fail in Delegate365. We have fixed this problem and all Delegate365 tenants have been updated to the latest version Delegate365 v9.2. With that update, these operations are now working properly again.

We hope you like the new and improved features of Delegate365. Delegate365 version 9.2 is available by end of October, and existing versions will be upgraded automatically. There is no interaction and no setup required. New versions get the latest Delegate365 version automatically.

Delegate365-Goodbye, Basic Authentication

Wednesday, October 21, 2020

Delegate365 provides a toolbox for easy management of a Microsoft 365 tenant. Management ranges from Exchange Online to Azure AD, SharePoint Online, Reporting and Intune. Delegate365 communicates with the Microsoft 365 services via apps and Modern Authentication, wherever possible. However, a service account had to be used for some Exchange features and the multi-factor authentication management. This will change with the next versions.

Some M365 background information

So far, some Microsoft services such as Exchange Online (EXO) could only be reached with Basic Authentication, while other (new) services such as Microsoft Graph can be used with an app. Basic Authentication relies on sending usernames and passwords with every request increasing risk of attackers capturing users´ credentials. Therefore, Microsoft recommends that you stop using Basic Authentication. Basic Authentication is superseded by Modern Authentication based on OAuth 2.0 that is supported for the new Microsoft 365 services.

Microsoft has announced that it will disable authorization with Basic Authentication for Exchange Online. The only problem for third party tools like Delegate365 is, that Microsoft (still) does not offer an API with modern authentication for EXO administration. They just deliver a new (and faster) Exchange Online PowerShell v2 module - instead of the Remote Exchange PowerShell module - that, at least, supports Modern Authentication with an app and a certificate. So let's take that.

To make it short: Delegate365 takes this into account and will therefore access Exchange Online differently. Basic Authentication will no longer be required in near future.

How Delegate365 communicates with an M365 tenant

When the Delegate365 setup is executed, the setup creates two Delegate365 apps in the Microsoft 365 tenant and automatically removes eventually existing older apps. Delegate365 is using these apps to transfer data to the tenant. Around 90% of all operations are performed through these apps. This also applies to access SharePoint Online. For the rest of the operations, Delegate365 currently requires a service account since Microsoft does not provide an API to access EXO and MFA services with an app. This will change as described below.

Delegate365 versions using a service account

Currently (up to Delegate365 v9.2), Delegate365 is using - next to the apps - a service account for accessing a small number of services. This applies to some operations in Exchange Online and for Multi-Factor Authentication (MFA) operations. The service account can be changed anytime in the Administration / Microsoft 365 account menu. MFA cannot be enabled for this service account, but it can use a password of up to 150 characters or an app password. Customers using MFA, need to make an exceptions for such service accounts for Delegate365 and other background tasks (cron-jobs, etc.) if they are using Conditional Access policies in their tenant.


The service account can then be used by Delegate365 to connect to the Microsoft legacy interfaces.

Note: If Basic Authentication is deactivated in an M365 tenant (see here) or no valid service account is saved, some Exchange functions and MFA will not work in Delegate365. But the rest in Delegate365 still does.

How to use a service account with MFA

As of today, there is a workaround available: Create a service account without MFA, run the Delegate365 setup, activate MFA, enable app passwords, create an app password, and use the app password in Delegate365. See details about the process at the article Delegate365 - Secure and setup your tenant. This workaround will no longer be required with Delegate365 v9.3.

What will change in the Delegate365 setup

To move forward and comply with security policies, Delegate365 v9.3 will no longer require a service account. This means, the setup process for Delegate365 will change as well. The goal is that Basic Authentication can be turned off in the M365 tenant. All operations accessing Exchange Online will be using the latest (currently in preview) EXO v2 module and the Delegate365 app for sending emails. MFA functions are removed (see below).

The new Delegate365 setup tool

With MFA: Administrators can download a Delegate365 setup tool to run the setup task in the next versions. The tool will allow a Global Admin - with MFA enabled - to sign-in interactively and asks for the required Delegate365 parameters on the local computer. The tool then communicates with the Azure AD and creates the apps, and generates a certificate .pbx file and a .json setup configuration file. This information can be uploaded into the new Delegate365 app settings. Then, Delegate365 will use the generated certificate and the app data to access the M365 tenant and all the services.

Without MFA: Alternatively, a Delegate365 service account can be used in the web interface as before, but no MFA must be activated. The setup asks for the service account and for additional parameters (as requested by the new Delegate365 setup tool). As long as no MFA is used, there is no need to use the new setup tool (but it can be used).

The Administrator / Microsoft 365 service account menu will be changed into App settings and allow to upload the generated files or to paste the app data and to modify each setting as well. Existing configuration will be updated and missing entries must be added then. The module will also allow to download the Delegate365 configuration to store the files in a safe place or for documentation. The new setup process and the interface will be described in an extra article when ready.

What will change in the Delegate365: No more MFA functions

This is associated with low costs: Since there is no longer a service account existing, MFA operations will no longer be accessible in Delegate365, as Microsoft does not provide an API for this currently. So, the MFA function in the Users menu will be removed.


Furthermore, the MFA sync rule section will be removed. If this settings was active, after the update to Delegate365 v9.3, this section will no longer be visible and has no effect.


Instead of using these MFA functions, Microsoft recommends to configure Conditional Access, see more here. Just remember, Conditional Access requires an Azure AD Premium P1 license.

The rest of the Delegate365 functionality remains unchanged.

Vote for the MFA API

Microsoft is still in the process to deliver MFA management functionality with the Graph API. We are waiting for that feature. You can support this request at Vote for it! As soon as this API is available, we are happy to reintegrate the MFA functions into Delegate365 again.

Next steps

With this article we would like to give you advance information about the next steps in Delegate365. At the end of October, we will announce the new features of Delegate365 v9.2. The v9.2 update is planned for mid-November. We plan to release Delegate365 v9.3 with the new setup as indicated here in December.

Happy Delegating!

Delegate365-Working with guest users

Friday, June 26, 2020

Delegate365 supports working with guest users. Guest users or external users are users that are invited to the company tenant by email. Once they accept the invitation, they get access to corporate resources. For example, a guest user can be a member of a Microsoft team or collaborate in Planner or in a SharePoint site or similar. See some samples here.

Invite a guest user

In Delegate365, admins can invite a guest user by clicking on the "Invite guest user" icon next to the "+" icon (new user). If you don´t see this icon, ask your Delegate365 Portal Admin to enable that feature in the permission policies.


Fill out the invite guest user form and click the Invite button.


You will find the invited user in the users list instantly as here. You can manage that user in the same way as the other users.


What´s the user´s UPN?

Azure AD stores that user internally with the default domain of the tenant. In this sample, we see that user became

Note: When inviting external users, the default domain of the tenant is used. So, this can be a custom domain as well. The Azure AD portal and the Microsoft 365 admin center show the original username Anyway, internally the extended username is used.

We can change the username to a more friendly name or to a different domain later in Delegate365, see below.

How does the guest user complete the invitation?

The invited user gets an email. Here, the user accepts the invitation to that Microsoft 365 tenant.


Then, the user follows the process and signs-in with a custom password. Also, the user has to accept that the Microsoft 365 tenant can sign him or her in and to read the user´s (Azure AD) profile. Now the guest user has his email address and a password for the organization´s Microsoft 365 tenant. If the organization enforces MFA, the user must follow that process as well to get access.

Note: In Azure AD, the guest user is added as "Microsoft Account" and the status is "Invitation accepted". Other invited users that have not accepted the invitation get the status "Invited user".


In Delegate365, the guest users show up after the sync in the users list as Type "User" and Status "Cloud".


Assign guest users to OU´s

The same happens to users that have been invited outside of Delegate365, e.g. in the Azure AD portal. The Azure AD UPN is ending with Here, users and are shown in the list of OU / Assign.


So, we can assign these users to an OU, in our sample, we assign the two selected users to OU New York at the page bottom.


Manage guest users UPNs

As we see, now there are 3 guest users which we can manipulate in the same way as the internal users we can manage.


Important: A administrator must be assigned to an OU AND to the DOMAIN of the users he or she can manage. In our sample, the current admin has the OU New York assigned AND the domain! See also Troubleshooting Delegate365.

Wait! What if you don´t want to assign the default domain to your admins in Delegate365?

Well, then you can modify the UPN domain of the guest user as follows.

Modify the guest users UPN

In Delegate365, you can change the UPN. The UPN is the internal name of the guest user in your tenant.

Note: You can´t change the guest users UPN in the Azure AD portal, so that´s a feature of Delegate365.

), as in the sample here when we remove the #EXT# and change the domain:


So, now the UPN is <name>


How does the guest user sign-in to Microsoft 365?

Even if you change the guest user´s UPN in your Microsoft 365 tenant, the user continues to use his or her own email address to sign-in. So, the login process is unchanged as we see here. When the guest user signs-in to e.g.…


..after the successful login, the Office portal follows.


Benefits of managing guest users in Delegate365

Guest users can be managed in Delegate365. Notice the domain of the UPN of the guest user, and check if the domain is assigned to the admins in Delegate365. Benefits are:

  • Changing the UPN of guest users in Delegate365 helps to get a friendly UPN.
  • Changing the UPN and the domain allows to delegate guest user management to admins that are now allowed to manage the default domain of the Microsoft 365 tenant. In our sample, admins who are only allowed to manage users with the domain "" (but not the tenant´s default domain, will see that guest user and are able to manage that user.
  • Also, the user can get an Office 365 license from your organization if needed.
  • Guest users that are assigned to the own OU´s (or Guest OU´s) can be added to groups as well.image
  • Note: There´s a change in Delegate365 v9.2: If a admin is assigned to a Group OU, the domain assignments will no longer be used as filter in that case. The people picker (e.g. in group membership assignments) will show ALL users in the Group OU, regardless of the domain. This allows admins to add users to their groups, regardless of the user´s UPN domain. This is only valid for Group OU´s. Users in assigned OU´s still filter for the domain of the current admin.

We have seen, that administration of guest users can be delegated with Delegate365. Portal Admins can control, what users can be managed by whom and what guest users can be managed.

Delegate365 changelog 9.2-SPO site auto-assign

Monday, June 15, 2020

Delegate365 v9.2 brings a new feature for auto-assigning existing SharePoint site to an OU. This follows the same principle as auto-assigning groups. See it here.

Note: To use the SharePoint Online management feature, ensure you have configured the SPO access for Delegate365 as described at Delegate365 changelog 9.1-SharePoint Online.

The following scenario describes how to use the new SPO site auto assign.

A scenario

In this demo tenant, there are some SharePoint Online sites with a prefix in their site name: There are two sites starting with "New York", one site with "Paris" and three sites starting with "Seattle". All site names are separated with an underscore between OU name and the following site name, as here in screenshot of the SharePoint admin center (open it with your tenant-name and a Admin at https://<yourtenant>


In Delegate365 v9.2, there´s a new section SharePoint in the Administration / Sync rules. Here, Admins can define that SPO sites with an OU as prefix are automatically assigned to that OU, as here.


Define the desired separator option and click Save at the page bottom.

As with the other (group) rules, the name must match, and upper / lower case is ignored. So, "new york" = "New York" = "NEW YORK".

The SPO sync

The SPO site sync is currently not part of the Delegate365 sync and runs every 3 hours. If you have just created new sites outside of Delegate365, it can take up to three hours until the new SPO sites show up in Delegate365. As of today, you cannot start the SPO sync job manually, pls. simply wait and check from time to time. Once the SPO sites are showing up, the sites can be assigned manually or automatically.

What we expect

We want to have the new SPO sites automatically assigned to our OU´s. In our sample, we have only two OU´s defined, New York and Seattle.


Check the result after the SPO sync

After the SPO sync is completed, let´s see the result. The SPO sites with the prefix New York and Seattle should have been automatically assigned to the corresponding OU´s.


This worked well and as expected. A change of the site name would - with the settings above - cause that a site will be assigned to another OU. If the site name would be changed and there´s no corresponding OU, the site OU assignment would stay untouched and the site remains in the existing OU.

Since there is no OU with the name Paris, this SPO site has not been automatically assigned. This site Paris_site3 show up in the OU´s / Assign module in the SharePoint section and can be manually assigned to an OU (as before).



If you have a large and growing number of new Teams and SPO sites, this feature reduces the effort to manually assign sites to an OU in Delegate365. If the OU name is used as prefix in the SPO site name, let the SPO site auto assignment to the work. The assignment definition works in the same way as with groups.

Delegate365 changelog 9.2-Group OUs

Friday, June 5, 2020

Delegate365 allows the separation of a single Microsoft 365 tenant with the OU concept. Every admin only sees and manages his own objects. Group OU´s allow administrators to add users from other organizational units to their managed groups without having access to manage those users. Until now, when using Group OUs, the domains had to be added to the administrators. That has now been changed with this version.

Note: Article Delegate365 changelog version 8.0-Group OU's also describes the basic concept of Group OU´s in Delegate365. This article describes the modification that the user´s domain must no longer be assigned to an administrator.

A typical scenario

To demonstrate that, let´s have a look a the following scenario:

  • A M365 tenant has two domains: and
  • User Admin manages OU´s Seattle and New York, and has both domains assigned.
  • User Adele manages OU New York only, and has domain assigned.

So, Adele can manage only her users and groups assigned to New York.

Group OU´s

The goal is that Adele can add or remove users from another OU - from Seattle - to her groups. For this purpose there is the concept of the Group OUs. We can assign Seattle as Group OU to Adele as here.


In the panel, we select Seattle and click Save.


New in this version: Note that Adele has only the assigned.


Test users and their OU´s and domains

The admin sees Seattle and New York. In Seattle, we see two users with two different domains assigned:



Test the Group OU´s

User Adele can manage New York… in her users list, she sees the three users AlexW, BiancaP and NestorW with the domain (but not Ringo or Paul…).


With the assigned Group OU Seattle, she should now be able to add users from Seattle to her groups! So, let´s check it by going to a group…


…and edit the group to add more members like here. The people picker shows corresponding names from all entitled OU´s.


As we see, the Group OU allows Adele to add users from Seattle to her own groups!

The important (new) part here is, that Adele sees ALL users of the assigned Group OU´s regardless of the user´s domain.

It is worth mentioning here - in contrast to above - that Adele only sees users from her assigned OU´s if the user´s domain name is in the list of her assigned domains as before. Adele is able to add only "her" three users she sees in her users list above. If there are users assigned to New York, but with a different domain name ( in our sample), she would not see them in the people picker.

As result, we see that Adele ha successfully added AlexW, Ringo and Paul to her group Project Apple. To identify objects easily, Delegate365 shows the OU of the users in brackets.


When clicking the Save button and confirming the message, these users are added as members to that group.

Visibility rules

As we have seen, Group OU´s allow to see users from other OU´s to be able to add them to your own groups, regardless of the user´s domain. Before, the domain also had to be assigned to the administrators. Now, no domain assignment is required any longer.

We think, this makes sense, because admins shall not be able to manage users with domains they shall not be able to use for their own objects. This sample shows the new behavior available with Delegate365 v9.2 (along with many other new features). Stay tuned!

Delegate365 changelog 9.1-more updates

Monday, March 30, 2020

With the many new functions in the latest version, Delegate365 has received even more updates in version 9.1. See more new features such as the new user sync property StateOrProvince, the notification license names lookups and logs and guest user modifications here.

See an overview of all updates at Delegate365 changelog 9.1-many new features. The following features have been added to Delegate365 v9.1 including all existing versions:

  • New user sync property StateOrProvince: In Administration / Sync rules, in the User section, there is a new property StateOrProvince available. This new property allows that all users with an OU name in that user property can be automatically assigned to the OU, in the same way as with the other user properties.
    Note: In general, it is recommended to use the Sync with security group feature from an organizational perspective if possible. See more at Sync with Security Group.
  • New: Notifications include Licenses names: When licenses are assigned (manually or automatically), license errors can occur. Delegate365 informs about such errors and logs them. For example, if there are no more licenses in the pool or if the quota is exceeded, a warning is created in the Delegate365 notification center. Unfortunately, the Office 365 API only delivers a message with the ID of the SKU, but no licenses name, such as:
    Code: Request_BadRequest Message:
    Subscription with SKU c7df2760-2c81-4ef7-b578-5b5392b571df does not have any available licenses.
    Inner error: AdditionalData: request-id: 07c100b3-9e70-409e-8a38-66b1517573c1
    date: 2020-03-30T07:31:00 ClientRequestId: 07c100b3-9e70-409e-8a38-66b1517573c1
    To make more sense, Delegate365 now completes such messages and adds the Office 365 licenses name, and if used, the Delegate365 friendly license name after the SKU ID.
    Code: Request_BadRequest Message:
    Subscription with SKU c7df2760-2c81-4ef7-b578-5b5392b571df (OFFICE 365 ENTERPRISE E5) (Enterprise E5) does not have any available licenses.
    Inner error: AdditionalData: request-id: 07c100b3-9e70-409e-8a38-66b1517573c1
    date: 2020-03-30T07:31:00 ClientRequestId: 07c100b3-9e70-409e-8a38-66b1517573c1
    In the sample above, the "Office 365 Enterprise E5" license (with the friendly name "Enterprise E5") could not be assigned to user "ChristieC" because there are no licenses left in the Office 365 tenant. The same completion happens for other license-related messages containing an Office 365 license ID. Another example with excluding license assignments, when a license shall be set, but another license is already assigned:
    License assignment failed because service plans afc06cb0-b4f4-4473-8286-d644f70d8faf (Skype for Business Online (Plan 1)),0feaeb32-d00e-4d66-bd5a-43b5b83db82c (Skype for Business Online (Plan 2)) are mutually exclusive, service plans 4a82b400-a79f-41a4-b4e2-e94f5787b113 (Exchange Online Kiosk),efb87545-963c-4e0d-99df-69c6916d9eb0 (Exchange Online (Plan 2)) are mutually exclusive.
    Here, the Skype for Business Online (Plan 1) cannot be assigned if Skype for Business Online (Plan 2) is already assigned to a user or vice versa. To handle thousands of such possible messages in large tenants, the license name completion happens automatically in the background within some minutes. It can take up to five minutes till the completed messages show up in the notification center in the top menu bar as shown here.
    We think this update makes a lot of sense to make such errors more readable for administrators.
  • New notifications log: The notifications that are shown in the Delegate365 notification center are now logged extra to the Delegate365 log storage. Here Delegate365 works on the same principle: The prefix of the tables is named "notification", followed with the year, month and day. Messages are saved daily for the last 7 days (notification20200330), in a monthly log (notification202003), per year (notification2020) and overall (notificationLog). The messages are the same as in the notification center shown above. The Microsoft Storage Explorer helps to access the data directly.
    This allows admins to work with the notification log data in other systems easily. See more at Working with Audit Logs.
  • Guest UPN: New behavior when editing guest users: In Azure AD, guest users are stored with a "special" UPN. "" is stored as "". For such users, Delegate365 now allows to leave the UPN unchanged when setting the first name, last name and the display name. The UPN remains and is not generated automatically from the name fields for guest users. Alternatively, administrators can set a new UPN without #EXT# if desired. "@domain.ext" is controlled by the Domain dropdown below and is added automatically.
    Note: The login for guest users works as before, with their email address they used when registering. The UPN is just the Azure AD "internal" name that can be set to a more user friendly name in Delegate365. This is a feature of Delegate365 only. Changing the UPN to another name is not available in the Office 365 Admin portal or in the Azure portal.
    In this sample, the UPN of that guest is set to (without the ".com#EXT#" text). "@domain.ext" is added automatically.
    Note: Don´t add a "@" in the UPN because that would result in 2 times "@" in the UPN, such as and that would not be valid.
    This Delegate365 feature allows to leave the UPN of guest users unchanged (…#EXT#), or to change the UPN without this format if desired.

This update was carried out automatically in all existing Delegate365 versions 9.1 and is included in all new versions as well. We hope to support many administrators with the new features.

Delegate365 changelog 9.1-Intune

Friday, March 6, 2020

Delegate365 v9.1 provides basic device management of devices for Scope admins with Microsoft Intune. See a description of the new features here.

Setup Intune

Manage devices with Delegate365

When devices are enrolled, they will be visible in Delegate365 in the users module. The Delegate365 sync updates the devices with the users automatically in the background. Any modifications to device settings and operations in Delegate365 are done directly in Azure AD in the same way as all other objects.

  • Devices are assigned to a user and are shown in the Users module. Select a user and click on the Devices menu in the right side.
  • Managed devices: The Managed devices list shows all devices that are registered for that identity. Depending on the status, Delegate365 provides the following functions: Manage owners, Manage users, Wipe device, Retire device, Sync device, Update device, Remote lock, Remove device. The list of devices can also be exported.
  • Manage owners: You can assign multiple owners for a selected device. Search for a user with the people picker and click Set owner.
  • Manage users: The same works for assigning users to a device. Search for a user with the people picker and click Set user.
  • Wipe device: The Wipe action restores a device to its factory default settings. The user data is kept if you choose the Retain enrollment state and user account checkbox. Otherwise, all data, apps, and settings will be removed. Click on Wipe and confirm the action.
  • Retire device: The Retire action removes managed app data (where applicable), settings, and email profiles that were assigned by using Intune. The device is removed from Intune management. This happens the next time the device checks in and receives the remote Retire action. Click on Retire and confirm the action.
  • Sync device: The Sync device action forces the selected device to immediately check in with Intune. When a device checks in, it immediately receives any pending actions or policies that have been assigned to it. Click on Sync and confirm the action.
  • Update device: This feature updates the owner type and the managed device name of the device in Azure AD. This works for all managed devices and has no influence on the device itself. As type, select Company, Personal or Unknown. Modify the device name if needed and click Update.
  • Remote lock: Causes the device lock and to ask for the PIN code or for the unlocking action. The device must run iOS or Android and the user has to unlock the device. Click on Lock and confirm the action.
  • Remove device: To remove a device, click the Remove device menu. The next time the device checks in, any company data on it will be removed.
  • Reports: To see all managed devices from your entitled OU´s admins can generate a report as follows.
    The report includes one line per device. For better readability, here´s the provided data as picture for a sample device.
  • (Update) Unassigned devices: In Administration / Devices, Delegate365 shows a list of device objects that are registered in the organization but not assigned to any user in an OU. In real world, this mostly are old devices that have been registered but no longer are used by tenant users. Admins can select devices, see assigned owners and users. Devices can be deleted here as well.
    In this environment, there are no unassigned devices in the Microsoft 365 tenant.

By managing devices in Delegate365, scope administrators can respond to scenarios to reset company data or the device, for example if users have lost their device or it has been stolen. The managed devices report allows to export devices for users of entitled OU´s. This functionality enables Delegate365 to be used as a simple tool for managing devices.

If you want to see the full changelog, please visit our blog.