Microsoft 365 PowerShell
PowerShell Modules for Microsoft 365
Install-Module AzureAD
Install-Module MSOnline
Install-Module ExchangeOnlineManagement
Install-Module -Name Microsoft.Online.SharePoint.PowerShell
AzureAD and MSOnline both manage Azure Active Directory.
Connecting to Microsoft 365
To use these modules you have to connect to each service and authenticate.
Connect-AzureAD
Connect-MsolService
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@example.onmicrosoft.com
Update-Module -Name Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url https://example-admin.sharepoint.com
After running each of these commands you will be asked to authenticate, and a sign-in dialog box will pop up.
Enter your credentials and authenticate; then you can use the module.
AzureAD
Get-command -Module AzureAD -Verb Get -Noun *user*
get-command -Module azuread -Verb get -Noun *user*
CommandType Name Version Source
----------- ---- ------- ------
Cmdlet Get-AzureADDeviceRegisteredUser 2.0.2.135 AzureAD
Cmdlet Get-AzureADUser 2.0.2.135 AzureAD
Cmdlet Get-AzureADUserAppRoleAssignment 2.0.2.135 AzureAD
Cmdlet Get-AzureADUserCreatedObject 2.0.2.135 AzureAD
Cmdlet Get-AzureADUserDirectReport 2.0.2.135 AzureAD
Cmdlet Get-AzureADUserExtension 2.0.2.135 AzureAD
Cmdlet Get-AzureADUserLicenseDetail 2.0.2.135 AzureAD
Cmdlet Get-AzureADUserManager 2.0.2.135 AzureAD
Cmdlet Get-AzureADUserMembership 2.0.2.135 AzureAD
Cmdlet Get-AzureADUserOAuth2PermissionGrant 2.0.2.135 AzureAD
Cmdlet Get-AzureADUserOwnedDevice 2.0.2.135 AzureAD
Cmdlet Get-AzureADUserOwnedObject 2.0.2.135 AzureAD
Cmdlet Get-AzureADUserRegisteredDevice 2.0.2.135 AzureAD
Cmdlet Get-AzureADUserThumbnailPhoto 2.0.2.135 AzureAD
Get-Command -Module AzureAD -Verb Get -Noun *Device*
PS C:\Users\Administrator> get-command -Module azuread -Verb get -Noun *device*
CommandType Name Version Source
----------- ---- ------- ------
Cmdlet Get-AzureADDevice 2.0.2.135 AzureAD
Cmdlet Get-AzureADDeviceConfiguration 2.0.2.135 AzureAD
Cmdlet Get-AzureADDeviceRegisteredOwner 2.0.2.135 AzureAD
Cmdlet Get-AzureADDeviceRegisteredUser 2.0.2.135 AzureAD
Cmdlet Get-AzureADUserOwnedDevice 2.0.2.135 AzureAD
Cmdlet Get-AzureADUserRegisteredDevice 2.0.2.135 AzureAD
get-command -Module azuread -Noun *license*
PS C:\Users\Administrator> get-command -Module azuread -Noun *license*
CommandType Name Version Source
----------- ---- ------- ------
Cmdlet Get-AzureADUserLicenseDetail 2.0.2.135 AzureAD
Cmdlet Set-AzureADUserLicense 2.0.2.135 AzureAD
Adding a new user with AzureAD
$PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
$PasswordProfile.Password = "H1sBoyElroy"
New-AzureADUser -DisplayName "New User" -PasswordProfile $PasswordProfile -UserPrincipalName "NewUser@example.onmicrosoft.com" -AccountEnabled $true -MailNickName "Newuser"
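The snippet above gives the account a fixed, literal password and never requires it to be changed. The following variant is an added example, not part of the original page: it generates a random temporary password and sets ForceChangePasswordNextLogin on the same PasswordProfile object. The helper name New-RandomPassword and the 20-character length are assumptions made for illustration.

```powershell
# Added example, not from the original page. Assumes Connect-AzureAD has already been run.
function New-RandomPassword {   # hypothetical helper name
    param([int]$Length = 20)
    # 64 symbols: 256 is a multiple of 64, so ($byte % 64) picks each symbol with equal probability.
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] $Length
    try {
        do {
            $rng.GetBytes($bytes)
            $candidate = -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
            # Redraw until upper case, lower case and a digit are all present.
        } until ($candidate -cmatch '[A-Z]' -and $candidate -cmatch '[a-z]' -and $candidate -match '[0-9]')
    }
    finally { $rng.Dispose() }
    $candidate
}

$PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
$PasswordProfile.Password = New-RandomPassword
$PasswordProfile.ForceChangePasswordNextLogin = $true   # the generated value is temporary only

$newUser = New-AzureADUser -DisplayName "New User" -PasswordProfile $PasswordProfile `
    -UserPrincipalName "NewUser@example.onmicrosoft.com" -AccountEnabled $true -MailNickName "Newuser"

# Show the temporary password once so it can be handed to the user out of band,
# then drop it from the session.
[pscustomobject]@{
    UserPrincipalName = $newUser.UserPrincipalName
    TemporaryPassword = $PasswordProfile.Password
}
$PasswordProfile = $null
```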
Licensing User with AzureAD
set-msoluser -UserPrincipalName "NewUser@example.onmicrosoft.com" -UsageLocation 'au'
Set-MsolUserLicense -UserPrincipalName "NewUser@example.onmicrosoft.com" -AddLicenses "example:SPB"
Get-MsolAccountSku is probably the best way of finding the -AddLicenses value to use above.
Adding Employee ID and other extension attributes
First you need to find out what the extension attributes are:
Get-AzureADUser -ObjectId $adamsId | Select -ExpandProperty ExtensionProperty
Key Value
--- -----
odata.metadata https://graph.windows.net/3c979ef9-2a07-4d44-9da0-d1cceb66b46a/$metadata#directoryObjects/@Element
odata.type Microsoft.DirectoryServices.User
createdDateTime 3/07/2021 2:58:14 AM
employeeId 1
onPremisesDistinguishedName
userIdentities []
The next step is to use the Set-AzureADUserExtension command to change the attribute:
Set-AzureADUserExtension -ObjectId $adamsId -ExtensionName employeeId -ExtensionValue $EmployeeNumber
MSOnline
The MSOnline module does pretty much the same thing as the AzureAD module; only the syntax and default output are different.
There are more commands under AzureAD, more than twice as many. Here is an example of how they compare.
PS C:\Users\Administrator> Get-AzureADUser -ObjectId 8a9ad0ac-180d-43dc-b6ff-20a8febf6ab2
ObjectId DisplayName UserPrincipalName UserType
-------- ----------- ----------------- --------
8a9ad0ac-180d-43dc-b6ff-20a8febf6ab2 Adam Ant aant@pdtadmin.onmicrosoft.com Member
PS C:\Users\Administrator> Get-MsolUser -ObjectId 8a9ad0ac-180d-43dc-b6ff-20a8febf6ab2
UserPrincipalName DisplayName isLicensed
----------------- ----------- ----------
aant@pdtadmin.onmicrosoft.com Adam Ant True
There are no usernames in AzureAD, so you have to rely on object IDs and search strings. I like that you can use the UserPrincipalName in Get-MsolUser.
When you are working with a single user in AzureAD it is a good idea to assign their objectId to a variable.
Get-Command -Module MSOnline -Verb Get
PS C:\Users\Administrator> Get-Command -Module MSOnline -Verb Get
CommandType Name Version Source
----------- ---- ------- ------
Cmdlet Get-MsolAccountSku 1.1.183.57 MSOnline
Cmdlet Get-MsolAdministrativeUnit 1.1.183.57 MSOnline
Cmdlet Get-MsolAdministrativeUnitMember 1.1.183.57 MSOnline
Cmdlet Get-MsolCompanyAllowedDataLocation 1.1.183.57 MSOnline
Cmdlet Get-MsolCompanyInformation 1.1.183.57 MSOnline
Cmdlet Get-MsolContact 1.1.183.57 MSOnline
Cmdlet Get-MsolDevice 1.1.183.57 MSOnline
Cmdlet Get-MsolDeviceRegistrationServicePolicy 1.1.183.57 MSOnline
Cmdlet Get-MsolDirSyncConfiguration 1.1.183.57 MSOnline
Cmdlet Get-MsolDirSyncFeatures 1.1.183.57 MSOnline
Cmdlet Get-MsolDirSyncProvisioningError 1.1.183.57 MSOnline
Cmdlet Get-MsolDomain 1.1.183.57 MSOnline
Cmdlet Get-MsolDomainFederationSettings 1.1.183.57 MSOnline
Cmdlet Get-MsolDomainVerificationDns 1.1.183.57 MSOnline
Cmdlet Get-MsolFederationProperty 1.1.183.57 MSOnline
Cmdlet Get-MsolGroup 1.1.183.57 MSOnline
Cmdlet Get-MsolGroupMember 1.1.183.57 MSOnline
Cmdlet Get-MsolHasObjectsWithDirSyncProvisioningErrors 1.1.183.57 MSOnline
Cmdlet Get-MsolPartnerContract 1.1.183.57 MSOnline
Cmdlet Get-MsolPartnerInformation 1.1.183.57 MSOnline
Cmdlet Get-MsolPasswordPolicy 1.1.183.57 MSOnline
Cmdlet Get-MsolRole 1.1.183.57 MSOnline
Cmdlet Get-MsolRoleMember 1.1.183.57 MSOnline
Cmdlet Get-MsolScopedRoleMember 1.1.183.57 MSOnline
Cmdlet Get-MsolServicePrincipal 1.1.183.57 MSOnline
Cmdlet Get-MsolServicePrincipalCredential 1.1.183.57 MSOnline
Cmdlet Get-MsolSubscription 1.1.183.57 MSOnline
Cmdlet Get-MsolUser 1.1.183.57 MSOnline
Cmdlet Get-MsolUserByStrongAuthentication 1.1.183.57 MSOnline
Cmdlet Get-MsolUserRole 1.1.183.57 MSOnline
Exchange Online
Exchange Online Cheat Sheet
"Don't run this as a script"
Break;
#region Adding and Removing Distribution Group members
Add-DistributionGroupMember -Identity 'DistributionGroup' -Member memberToAdd
Remove-DistributionGroupMember -Identity 'DistributionGroup' -Member memberToRemove
#endregion
#region Add and Remove Permissions
"Adding Calendar Permission"
add-MailboxFolderPermission -Identity SharingUser":\calendar" -User ShareeUser -AccessRights owner
"To view permissions"
Get-MailboxFolderPermission SharingUser:\calendar
"To remove Calendar Permission"
Remove-MailboxFolderPermission -Identity SharingUser":\calendar" -User ShareeUser
"Adding public folder permissions"
Add-PublicFolderClientPermission -Identity "\publicFolderName" -AccessRights owner -User User
"Adding Mailbox permissions"
Add-MailboxPermission SharingUsersMailbox -AccessRights fullaccess,deleteitem -User SharedWithUser -AutoMapping $true
Remove-MailboxPermission SharingUsersMailbox -AccessRights fullaccess,deleteitem -User SharedWithUser
#endregion
#region SendAs and SendOnBehalf
#SendOnBehalf
Set-Mailbox sharingMailbox -GrantSendOnBehalfTo sharedWithUser
#O365 SendAs
Add-RecipientPermission Rob.Smith@example.mail.onmicrosoft.com -Trustee me@example.com -AccessRights sendas
Remove-RecipientPermission Rob.Smith@example.mail.onmicrosoft.com -Trustee me@example.com -AccessRights sendas
#endregion
#region Forwarding
Set-Mailbox -Identity "forwardingMailbox@example.com.au" -ForwardingAddress "ForwardedToMailbox@example.com.au" -DeliverToMailboxAndForward $true
#removing Forwarding
Set-Mailbox -Identity "forwardingUser" -ForwardingAddress $null -DeliverToMailboxAndForward $false
#endregion
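
The mailbox permissions, SendAs, SendOnBehalf and forwarding settings changed by the cheat sheet above are also what gets reviewed when checking a tenant for unexpected delegation or mail redirection. The following is an added example, not part of the original page, that lists all four tenant-wide using only the read-only Get- counterparts of those cmdlets. The CSV file names are assumptions.

```powershell
# Added example, not from the original page. Assumes Connect-ExchangeOnline has already been run.
# Read-only: only Get-* cmdlets are called against the tenant.
$mailboxes = Get-Mailbox -ResultSize Unlimited

# Forwarding set on the mailbox itself (what Set-Mailbox -ForwardingAddress configures).
$forwarding = @($mailboxes |
    Where-Object { $_.ForwardingAddress -or $_.ForwardingSmtpAddress } |
    Select-Object UserPrincipalName, ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward)

# Send on behalf (what Set-Mailbox -GrantSendOnBehalfTo configures).
$sendOnBehalf = @($mailboxes |
    Where-Object { $_.GrantSendOnBehalfTo } |
    Select-Object UserPrincipalName, @{ n = 'Delegates'; e = { $_.GrantSendOnBehalfTo -join '; ' } })

# Explicit FullAccess grants (Add-MailboxPermission), skipping the owner's own entry and inherited ACEs.
$fullAccess = @(foreach ($mbx in $mailboxes) {
    Get-MailboxPermission -Identity $mbx.UserPrincipalName |
        Where-Object { -not $_.IsInherited -and -not $_.Deny -and
                       $_.User -ne 'NT AUTHORITY\SELF' -and
                       $_.AccessRights -match 'FullAccess' } |
        Select-Object Identity, User, @{ n = 'AccessRights'; e = { $_.AccessRights -join ',' } }
})

# SendAs grants (Add-RecipientPermission -AccessRights sendas).
$sendAs = @(Get-RecipientPermission -ResultSize Unlimited |
    Where-Object { $_.Trustee -ne 'NT AUTHORITY\SELF' -and -not $_.IsInherited } |
    Select-Object Identity, Trustee, @{ n = 'AccessRights'; e = { $_.AccessRights -join ',' } })

# One CSV per finding type (file names are assumptions), plus a count on the console.
$report = [ordered]@{
    Forwarding   = $forwarding
    SendOnBehalf = $sendOnBehalf
    FullAccess   = $fullAccess
    SendAs       = $sendAs
}
foreach ($name in $report.Keys) {
    '{0}: {1} entries' -f $name, $report[$name].Count
    $report[$name] | Export-Csv -Path ".\mailbox-audit-$name.csv" -NoTypeInformation
}
```

Comparing the CSVs from one run to the next shows which grants or forwarding addresses are new since the last review.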
