Keep Customer Microsoft 365 Documentation Current in Syncro Without Touching It
TL;DR
- A set of PowerShell scripts can auto-document Microsoft 365 licensing, MFA status, Exchange, and Intune into Syncro and keep the documentation tied to each customer record.
- The MFA report accounts for all three ways MFA can be enforced as of April 2021: the legacy MFA portal, Conditional Access policies, and Security Defaults, and flags DUO listed as a custom control.
- The Exchange report surfaces mailbox usage in GB, last login time, mail flow rules, DKIM configuration, and ATP policies in one place.
- Microsoft 365 users are created as Syncro contacts automatically; when a user is removed from 365, a note is added to the existing contact rather than deleting it.
- The scripts use the Secure Application Model for a headless connection into every customer tenant, so documentation runs across all clients without per-tenant logins.
Documentation is the work everyone agrees matters and nobody keeps current. Writing up a customer's Microsoft 365 environment is tedious; keeping that write-up accurate as licenses change, MFA gets reconfigured, and devices come and go is a job that quietly never gets done. The result is documentation that was true the day it was written and misleading every day after. The way out is to stop maintaining it by hand.
These scripts automate and update documents in Syncro that are tied to your customer environments. Together they handle:
- Microsoft License Information => displays all current licensed and unlicensed users, plus what licenses are available versus consumed
- Microsoft MFA Status => displays MFA status, Conditional Access policies, and DUO MFA custom controls
- Microsoft Exchange Information => displays mailbox usage in GB, last login time, mail flow rules, DKIM config, and ATP policies
- Microsoft Intune Information => displays enrolled devices, compliance status, OS version, Autopilot info, encryption, and assigned apps
- Microsoft Contact Creation => creates a contact on the customer record in Syncro for active 365 users
All documentation is listed for the customer, and contacts are automatically added or updated on the customer record.

Every script is published in the Syncro-Documentation repository on GitHub (opens in new tab).

The Microsoft license report
The license report displays all active and consumed licensing, plus every licensed and unlicensed user. It is also available as a standalone license report walkthrough if that is the only piece you want.


The MFA status report
This report shows every user's MFA status. Because Microsoft has evolved MFA registration over time, there are, as of April 2021, three different ways a user could have MFA enforced:
- Legacy MFA portal (where you see Enabled, Enforced, Disabled)
- Conditional Access policies
- Security Defaults
For that reason the report includes two columns showing whether a user has registered through one of these methods. Security Defaults and Conditional Access registration appear in a combined output. The report also lists the names of all Conditional Access policies and an additional field showing whether you have DUO listed as a custom control in any Conditional Access policy.


The Exchange report
The Exchange report shows mailboxes, active consumption in GB in descending order, last login time, mail flow rules, DKIM configuration, and ATP settings and policies.


The Intune report
The Intune report contains a summary of device compliance, devices, and all apps that are in an assigned state.

Microsoft contact creation
Microsoft 365 users are created as contacts for a customer if they do not already exist. If a user is no longer in 365, a note is added to the existing contact to say they are no longer active. At the time, Syncro had no flag for this, so a note was the cleanest way to show a user had been removed.

What you need before you start
You will need tokens and GUIDs from both the Secure Application Model and Syncro. The Secure Application Model is what allows a headless connection into all of your customer environments. The script to set it up comes from Kelvin at CyberDrain: the Create-SecureAppModel script on GitHub (opens in new tab).
In Syncro, create a new API key with permissions to customers and documentation so it can perform the necessary read and write actions. Syncro's documentation on generating an API key (opens in new tab) covers the steps. The only other variable you will be prompted for is your Syncro subdomain, which is simply the prefix of the URL you sign in at.

Frequently asked questions
Why does the MFA report show two registration columns?
Because MFA can be enforced three ways as of April 2021: the legacy MFA portal, Conditional Access policies, and Security Defaults. Security Defaults and Conditional Access registration show up in a combined output, so two columns capture whether a user is covered by one of these methods.
What does the Exchange report include?
Mailboxes with active consumption in GB shown in descending order, last login time, mail flow rules, DKIM configuration, and ATP settings and policies.
How does the script handle a user who left the company?
It does not delete the contact. If a user is no longer in Microsoft 365, the script adds a note to the existing Syncro contact marking them as no longer active, since Syncro had no built-in flag for this at the time.
Documentation proves what exists. It does not prove it is secure.
These scripts capture MFA status and ATP policies as a snapshot. They will not flag the control that quietly reverted last week. CloudCapsule checks 250+ Microsoft 365 controls per tenant in about 60 seconds.
See the features
Written by
Nick Ross
CEO · Microsoft MVP · Founder, T-Minus 365
Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.
Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.
Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.


