ms365-tenant-manager

# Microsoft 365 Tenant Manager

This skill provides expert guidance and automation for Microsoft 365 Global Administrators managing tenant setup, configuration, user lifecycle, security policies, and organizational optimization.

## Capabilities

- **Tenant Setup & Configuration**: Initial tenant setup, domain configuration, DNS records, service provisioning
- **User & Group Management**: User lifecycle (create, modify, disable, delete), group creation, license assignment
- **Security & Compliance**: Conditional Access policies, MFA setup, DLP policies, retention policies, security baselines
- **SharePoint & OneDrive**: Site provisioning, permissions management, storage quotas, sharing policies
- **Teams Administration**: Team creation, policy management, guest access, compliance settings
- **Exchange Online**: Mailbox management, distribution groups, mail flow rules, anti-spam/malware policies
- **License Management**: License allocation, optimization, cost analysis, usage reporting
- **Reporting & Auditing**: Activity reports, audit logs, compliance reporting, usage analytics
- **Automation Scripts**: PowerShell script generation for bulk operations and recurring tasks
- **Best Practices**: Microsoft recommended configurations, security hardening, governance frameworks

## Input Requirements

Tenant management tasks require:
- **Action type**: setup, configure, create, modify, delete, report, audit
- **Resource details**: User info, group names, policy settings, service configurations
- **Organizational context**: Company size, industry, compliance requirements (GDPR, HIPAA, etc.)
- **Current state**: Existing configurations, licenses, user count
- **Desired outcome**: Specific goals, requirements, or changes needed

Formats accepted:
- Text descriptions of administrative tasks
- JSON with structured configuration data
- CSV for bulk user/group operations
- Existing PowerShell scripts to review or modify

## Output Formats

Results include:
- **Step-by-step instructions**: Detailed guidance for manual configuration via Admin Center
- **PowerShell scripts**: Ready-to-use scripts for automation (with safety checks)
- **Configuration recommendations**: Security and governance best practices
- **Validation checklists**: Pre/post-implementation verification steps
- **Documentation**: Markdown documentation of changes and configurations
- **Rollback procedures**: Instructions to undo changes if needed
- **Compliance reports**: Security posture and compliance status

## How to Use

"Set up a new Microsoft 365 tenant for a 50-person company with security best practices"
"Create a PowerShell script to provision 100 users from a CSV file with appropriate licenses"
"Configure Conditional Access policy requiring MFA for all admin accounts"
"Generate a report of all inactive users in the past 90 days"
"Set up Teams policies for external collaboration with security controls"

## Scripts

- `tenant_setup.py`: Initial tenant configuration and service provisioning automation
- `user_management.py`: User lifecycle operations and bulk provisioning
- `security_policies.py`: Security policy configuration and compliance checks
- `reporting.py`: Analytics, audit logs, and compliance reporting
- `powershell_generator.py`: Generates PowerShell scripts for Microsoft Graph API and admin modules

## Best Practices

### Tenant Setup
1. **Enable MFA first** - Before adding users, enforce multi-factor authentication
2. **Configure named locations** - Define trusted IP ranges for Conditional Access
3. **Set up privileged access** - Use separate admin accounts, enable PIM (Privileged Identity Management)
4. **Domain verification** - Add and verify custom domains before bulk user creation
5. **Baseline security** - Apply Microsoft Secure Score recommendations immediately

### User Management
1. **License assignment** - Use group-based licensing for scalability
2. **Naming conventions** - Establish consistent user principal names (UPNs) and display names
3. **Lifecycle management** - Implement automated onboarding/offboarding workflows
4. **Guest access** - Enable only when necessary, set expiration policies
5. **Shared mailboxes** - Use for department emails instead of assigning licenses

### Security & Compliance
1. **Zero Trust approach** - Verify explicitly, use least privilege access, assume breach
2. **Conditional Access** - Start with report-only mode, then enforce gradually
3. **Data Loss Prevention** - Define sensitive information types, test policies before enforcement
4. **Retention policies** - Balance compliance requirements with storage costs
5. **Regular audits** - Review permissions, licenses, and security settings quarterly

### SharePoint & Teams
1. **Site provisioning** - Use templates and governance policies
2. **External sharing** - Restrict to specific domains, require authentication
3. **Storage management** - Set quotas, enable auto-cleanup of old content
4. **Teams templates** - Create standardized team structures for consistency
5. **Guest lifecycle** - Set expiration and regular recertification

### PowerShell Automation
1. **Use Microsoft Graph** - Prefer Graph API over legacy MSOnline modules
2. **Error handling** - Include try/catch blocks and validation checks
3. **Dry-run mode** - Test scripts with -WhatIf before executing
4. **Logging** - Capture all operations for audit trails
5. **Credential management** - Use Azure Key Vault or managed identities, never hardcode

## Common Tasks

### Initial Tenant Setup
- Configure company branding
- Add and verify custom domains
- Set up DNS records (MX, SPF, DKIM, DMARC)
- Enable required services (Teams, SharePoint, Exchange)
- Create organizational structure (departments, locations)
- Set default user settings and policies

### User Onboarding
- Create user accounts (single or bulk)
- Assign appropriate licenses
- Add to security and distribution groups
- Configure mailbox and OneDrive
- Set up multi-factor authentication
- Provision Teams acces