This document summarizes the key security aspects of the PowerShell modules contained in this repository.
| Command/Module | Required Roles |
|---|---|
| SupportTools general commands (e.g., Add-UserToGroup, CleanupGroupMembership) | Microsoft 365 Group Administrator and Graph permissions (Group.ReadWrite.All) |
| Exchange commands (e.g., Set-SharedMailboxAutoReply) | Exchange Online Administrator |
| SharePointTools cleanup/reporting functions | SharePoint Tenant Admin or Site Collection Administrator for the target site |
| ServiceDeskTools ticket functions | Service Desk account with rights to create and update incidents via API |
- Microsoft Graph – user and group management (
Add-UserToGroup,CleanupGroupMembership). - PnP.PowerShell / SharePoint REST – site cleanup, reports and file uploads (
Invoke-ArchiveCleanup,Get-SPToolsLibraryReport, etc.). - Service Desk REST API – create and update tickets (
New-SDTicket,Set-SDTicket). - Exchange Online – mailbox automation (
Set-SharedMailboxAutoReply). - Windows Event Log – local log queries (
Get-FailedLogin).
- Commands call
Write-STLogwhich writes to$env:ST_LOG_PATHor~/SupportToolsLogs/supporttools.log. - Structured events can be recorded via
Write-STRichLogandWrite-STTelemetryEventin~/SupportToolsTelemetry/telemetry.jsonlwhen telemetry is enabled. - Scripts like
Submit-SystemInfoTicketoptionally start a transcript log file for additional auditing. - Actions performed through SharePoint or Exchange are also captured in their respective tenant audit logs when enabled.
- Cleanup functions (
Invoke-ArchiveCleanup,Invoke-FileVersionCleanup) permanently delete data if misconfigured. - Group and mailbox commands modify tenant resources and may expose information if run with excessive privileges.
- API tokens stored in environment variables should be protected to prevent unauthorized access.
- Always review scripts before execution and run test mode (
-Simulateor-ChaosModeswitches where available) in non‑production environments first.
All PowerShell files can be signed with the provided Sign-RepositoryFiles.ps1 script. The script scans the src and scripts folders for .ps1, .psm1, and .psd1 files and applies Set-AuthenticodeSignature to each file. Supply the code-signing certificate using the -CertificatePath parameter or set the ST_SIGN_CERT_PATH environment variable.
$env:ST_SIGN_CERT_PATH = 'C:\certs\internal.pfx'
./scripts/Sign-RepositoryFiles.ps1