Managing users (or better, Office 365 identities!) with PowerShell is something you may find yourself doing more often than expected.
Reasons? Well, for a start, managing multiple objects in batch mode to review and amend changes can be a lot faster, and let’s face it, don’t you already have an open PowerShell console waiting in the tray? 😉
Jokes aside, the number of cmdlets available to handle all these objects is always increasing and definitely helps speed up certain scenarios. In this post I would like to show what are probably the easiest, or rather the most popular, PowerShell commands that an Office 365 admin will use on a daily basis. Before progressing with this part, make sure you also take a quick look at this post on how to connect to Office 365 Services with PowerShell.
The basic commands I would like to cover in this post are the following:
What can these cmdlets actually do? Let’s take a look.
This is probably the most popular command, considering that even without any parameter it already offers useful information at a glance.
Essentially, with Get-MsolUser it is possible to retrieve information about individual users or lists of users, even based on their properties, assuming the value of the UserPrincipalName (UPN from now on) exists. But which properties can we act upon? The list is long (56 columns at the time of writing), and an export to a CSV file makes them easier to consult. A command along these lines would export the requested information, including the user identities.
Among others, columns like City, Country, Department, DisplayName, LastDirSyncTime, LastPasswordChangeTimeStamp, LicenseReconciliationNeeded, Office, PasswordNeverExpires, UsageLocation and UserType are useful field names for deciding which users (identities!) we would like to update or operate on. Knowing which identities have PasswordNeverExpires set to True is certainly interesting, to see whether this still complies with the company domain policies. Knowing the UsageLocation can likewise help determine which plans and services are available from the active Office 365 subscriptions based on the users' current location. An example is provided below. Let’s say we want to target only users located in London for specific operations; the query command will look something like this.
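The PasswordNeverExpires review and the City filter described above, as an added example that is not part of the original post. It works on live `Get-MsolUser -All` output and on rows re-imported from a CSV export; the function name `Get-PasswordNeverExpiresUser`, the `contoso.example` addresses and the sample rows are constructed for illustration.

```powershell
# Added example: list identities with PasswordNeverExpires set, optionally by City.
# Works on live Get-MsolUser objects and on rows re-imported from a CSV export.
# The function name and the sample rows are constructed for illustration.
function Get-PasswordNeverExpiresUser {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$User,
        [string]$City   # optional filter, e.g. 'London'
    )
    process {
        # Export-Csv writes booleans as the text 'True'/'False', and any
        # non-empty string (even 'False') is truthy in PowerShell. Compare
        # the text instead of casting; $null or an empty cell becomes ''.
        if ("$($User.PasswordNeverExpires)" -ne 'True') { return }
        if ($City -and $User.City -ne $City) { return }

        [pscustomobject]@{
            UserPrincipalName           = $User.UserPrincipalName
            DisplayName                 = $User.DisplayName
            City                        = $User.City
            UsageLocation               = $User.UsageLocation
            LastPasswordChangeTimeStamp = $User.LastPasswordChangeTimeStamp
        }
    }
}

# Constructed sample rows in the shape of a Get-MsolUser CSV export.
$sample = @'
UserPrincipalName,DisplayName,City,UsageLocation,PasswordNeverExpires,LastPasswordChangeTimeStamp
michele@contoso.example,Michele,London,GB,False,2016-01-10 09:00:00
svc-backup@contoso.example,Backup Service,London,GB,True,2014-03-02 11:30:00
anna@contoso.example,Anna,Milan,IT,True,2015-07-21 08:15:00
guest1@contoso.example,Guest One,London,GB,,2016-02-01 10:00:00
'@ | ConvertFrom-Csv

$sample | Get-PasswordNeverExpiresUser -City 'London' | Format-Table -AutoSize

# Against the tenant (needs a connected MSOnline session):
# Get-MsolUser -All | Get-PasswordNeverExpiresUser |
#     Export-Csv -Path .\password-never-expires.csv -NoTypeInformation
```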
Not to forget that Get-MsolUser already ships with useful parameters that make the life of an Office 365 admin even easier. A couple of them are worth mentioning for doing a great job:
Once we have determined the Office 365 identities to work with, we can review the parameters available for this cmdlet.
The main use for this cmdlet is to easily update properties of the user objects in Office 365. Although it is tempting to use this command to update licenses, passwords and the UPN as well, it should be used to update simple properties only. For the other requests there are already Set-MsolUserLicense, Set-MsolUserPassword and Set-MsolUserPrincipalName, which do a great job.
So in the example below, let’s say we want to update the PhoneNumber property for the user Michele. The steps look like the following:
We can use the Get-MsolUser command to determine the current value of PhoneNumber.
We can then run the Set-MsolUser cmdlet to update this property as shown below. No wonder I was not receiving calls before! 😉
This command can easily be used in many scenarios and proves very flexible when updating multiple properties, also in batch mode.
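The read, update and re-read steps above, extended to a batch with a preview mode, as an added example that is not part of the original post. `Update-UserPhoneNumber`, the addresses and the phone numbers are constructed for illustration; `Get-MsolUser` and `Set-MsolUser` come from the MSOnline module and are only called when `-WhatIf` is removed.

```powershell
# Added example: batch PhoneNumber update with a preview step.
# Update-UserPhoneNumber and the sample rows are constructed for illustration.
function Update-UserPhoneNumber {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string]$UserPrincipalName,
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string]$PhoneNumber
    )
    process {
        # With -WhatIf, ShouldProcess returns $false: the planned change is
        # printed and the tenant is never contacted.
        if (-not $PSCmdlet.ShouldProcess($UserPrincipalName, "Set PhoneNumber to '$PhoneNumber'")) {
            return
        }
        # Step 1: read the current value.
        $before = (Get-MsolUser -UserPrincipalName $UserPrincipalName).PhoneNumber
        # Step 2: update the simple property.
        Set-MsolUser -UserPrincipalName $UserPrincipalName -PhoneNumber $PhoneNumber -ErrorAction Stop
        # Step 3: read it back so the change can be confirmed and logged.
        $after = (Get-MsolUser -UserPrincipalName $UserPrincipalName).PhoneNumber

        [pscustomobject]@{
            UserPrincipalName = $UserPrincipalName
            Before            = $before
            After             = $after
            Changed           = ($before -ne $after)
        }
    }
}

# Constructed input: one row per identity to update.
$changes = @'
UserPrincipalName,PhoneNumber
michele@contoso.example,+44 20 7946 0000
anna@contoso.example,+39 02 5550 0000
'@ | ConvertFrom-Csv

# Preview only; remove -WhatIf to apply the changes in a connected session.
$changes | Update-UserPhoneNumber -WhatIf
```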
We are now close to the final part of this post. What if I want to remove user identities from Office 365? For example, assume we have a number of users whose license has expired or who have simply left the company. How do we deal with these?
Remove-MsolUser will help us with this operation by performing a hard deletion. And yes, there is a difference between a soft and a hard deletion.
The first one refers to users deleted from the Office 365 Portal using the available commands. In this case the users are not really deleted but “parked” in the Azure Active Directory Recycle Bin for 30 days. Should these users be restored within the 30 days (for example because of renewed licences), the operation is a lot easier and the ObjectID of the user is retained, along with the rest of the associated properties.
The latter refers to a permanent deletion. Essentially, with Remove-MsolUser it is possible to remove not just the users in the Recycle Bin but also other users that should be removed completely, bypassing the Azure Active Directory Recycle Bin. Only a permanent deletion will release the licenses for use by other Office 365 identities. To delete a specific user, the command will look like below:
In case we have a list of already unlicensed users that were deleted through the Office 365 Portal and are sitting in the Recycle Bin, we can issue the following command for a permanent deletion.
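One way to make the recycle bin purge described above selective and reviewable, as an added example that is not part of the original post. `Remove-StaleDeletedUser`, its `-MinDaysDeleted` grace period and the sample objects are constructed for illustration; `Remove-MsolUser -RemoveFromRecycleBin` is the MSOnline call and only runs when `-WhatIf` is removed.

```powershell
# Added example: purge only unlicensed users that have sat in the recycle bin
# past a cut-off, emitting a record of each one. Remove-StaleDeletedUser,
# -MinDaysDeleted and the sample objects are constructed for illustration.
function Remove-StaleDeletedUser {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$User,
        [int]$MinDaysDeleted = 14   # assumed grace period inside the 30 days
    )
    begin { $cutoff = (Get-Date).AddDays(-$MinDaysDeleted) }
    process {
        # Leave licensed users, recent deletions and rows without a deletion
        # time alone: they can still be restored with their original ObjectId.
        if ($User.IsLicensed -or -not $User.SoftDeletionTimestamp) { return }
        if ([datetime]$User.SoftDeletionTimestamp -gt $cutoff) { return }

        $purged = $false
        if ($PSCmdlet.ShouldProcess($User.UserPrincipalName, 'Permanently delete from the recycle bin')) {
            Remove-MsolUser -ObjectId $User.ObjectId -RemoveFromRecycleBin -Force -ErrorAction Stop
            $purged = $true
        }
        # Keep the old ObjectId on record: a recreated user gets a new one.
        [pscustomobject]@{
            UserPrincipalName     = $User.UserPrincipalName
            ObjectId              = $User.ObjectId
            SoftDeletionTimestamp = $User.SoftDeletionTimestamp
            Purged                = $purged
        }
    }
}

# Constructed objects in the shape of Get-MsolUser -ReturnDeletedUsers output.
$now = Get-Date
$deleted = @(
    [pscustomobject]@{ UserPrincipalName = 'left.company@contoso.example'; ObjectId = [guid]::NewGuid()
                       IsLicensed = $false; SoftDeletionTimestamp = $now.AddDays(-25) }
    [pscustomobject]@{ UserPrincipalName = 'deleted.by.mistake@contoso.example'; ObjectId = [guid]::NewGuid()
                       IsLicensed = $false; SoftDeletionTimestamp = $now.AddDays(-2) }
)

# Preview; nothing is deleted with -WhatIf.
$deleted | Remove-StaleDeletedUser -WhatIf | Format-Table -AutoSize

# Against the tenant (needs a connected MSOnline session):
# Get-MsolUser -ReturnDeletedUsers -All | Remove-StaleDeletedUser
```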
Should these users be recreated, they will get a new ObjectID from Azure Active Directory. Other considerations apply, though, when connecting, or I should say “syncing”, the local Active Directory with Office 365 through the Azure Active Directory Connect tool, which will be one of my next topics.
This concludes the first part of this post about managing Office 365 users with PowerShell.