Managing Office 365 in PowerShell
Remote Office
Companies are increasingly opting for cloud services like those offered by Microsoft with Office 365. These services are usually managed via a web interface. However, extensions for PowerShell offer administrators the ability to retrieve data and adjust settings.
To manage Office 365 in PowerShell, you must download and install two extensions. Next, load the normal PowerShell and connect this session with your Office 365 subscription. You first need to download and install the Microsoft Online Services Sign-in Assistant and the Windows Azure Active Directory Module for Windows PowerShell . The downloads can be found online [1]-[3]. Make sure that you download the correct version for your setup – that is, 32-bit or 64-bit . You also need at least version 3.5.1 of the .NET Framework in place on your computer.
Problems that occur during the setup and installation most likely relate to incompatibilities between the Online Services Sign-in Assistant, the Windows Azure Active Directory Module for Windows PowerShell, and your Office 365 subscription. Always install the latest versions of these applications from the sites I just mentioned. You can also complete the setup in your Office 365 portal's Software section [4]. If errors occur, uninstall the individual modules in Windows using appwiz.cpl
and then install the latest versions again. If you still cannot log in to Office 365, you most likely have an issue with the Microsoft Online Services Sign-in Assistant. In this case, either install the current beta version or use the current official version from the site [5]. Also make sure you install the correct language.
You cannot run both versions in parallel on a computer. You must always uninstall the one version (appwiz.cpl
) before you install the successor.
When you launch PowerShell for the first time as an administrator or with a connection to Office 365 or Windows Azure, you also need to allow script execution. To do this, enter the command Set-ExecutionPolicy RemoteSigned
.
Connecting to the Cloud
To import the commandlets (cmdlets) for managing Office 365, enter the Import-Module MSOnline
command in PowerShell. You can use this command and later also the Office 365 cmdlets in PowerShell ISE, of course. To be able to access your Office 365 subscription with the cmdlets, you must first log in to Office 365 and authenticate. The Connect-MsolService
commandlet does this for you. In the login window that appears, enter the address and password of an Office 365 administrator. You will not get any feedback about the successful connection. That commandlet displays an error if the connection fails.
One advantage of using PowerShell ISE is the built-in help. If you enter a commandlet, the program displays the possible commands and options (Figure 1). Most commands for managing Office 365 in the PowerShell contain the Msol
string. If you want to view a list of existing cmdlets for managing Office 365, just type Get-Command *msol*
.
You can save the credentials for Office 365 in a variable. To do this, type $aut **= Get-Credential
, for example. In the dialog that appears, enter the credentials you want to store in the variable. The Connect-MsolService -Credential $aut
command then opens the connection again.
Overview
With PowerShell, you can access important information significantly faster than with the graphical user interface. Get-MsolDomain
shows the domains that you use in your Office 365 subscription. You can also see the status of the domain – that is, whether it is verified by Office 365 and managed.
Get-MsolDomainVerificationDns
queries data for the domain. If everything is OK, you will not see any feedback. If the domain is not connected to your Office 365 subscription, an error message appears. You can also remove domains via PowerShell and specify the default domain. To delete domains, you must first change the default domain. The following example illustrates the changes:
Set-MsolDomain -Name contoso.onmicrosoft.com -IsDefault
Once you have changed the default domain, you can delete unnecessary domains:
Remove-MsolDomain -DomainName contoso.com
You should never delete the default domain, domain.onmicrosoft.com
, which is required in part by internal services. The same applies to mail.domain.onmicrosoft.com
, which is used, for example, by the Exchange Online Protection antivirus software in Office 365. This also applies to Hybrid Deployments with Exchange 2010/2013.
Licenses
To manage Office 365, you first need to store some important information about your subscription, the stored users, and configured settings. The most important point in managing Office 365 is certainly licensing. You can manage the licenses in the web interface in the Licenses section of the Admin user management.
You can delegate the management of licenses in larger environments, for example, to accounts or controlling. However, this is only possible in larger editions of Office 365. Just click on Settings
in the same section and select User management administrator
. There, select the user that you want to manage the licenses. This user can then also use PowerShell to view and manage licenses. With PowerShell, you can, for example, display clear-cut tables, which is not possible in the graphical interface. To display all roles available in your Office 365 subscription and their functions in PowerShell, type Get-MsolRole
.
Remember that the User Management Administrator
user role has advanced rights for user management features, such as password resets. Get-MsolUser
displays information on your users. If you use the | ft
option, as with other cmdlets, you will see a formatted table, whereas | fl
displays a formatted list. You can follow the |ft
or |fl
option with the columns that you want PowerShell to display. For example, to display the licensed user, use Get-MsolUser | ft UserPrincipalName, DisplayName, *lic*
(Figure 2). The -AutoSize
option lets you adjust the table to match the window size.
In PowerShell, you can also retrieve the licensing model and the Office 365 Edition that your company uses. To do this, use the Get-MsolAccountSku
commandlet. The Get-MsolSubscription
commandlet also displays more information about your subscription. Contact information, technical email, and other data can be retrieved using Get-MsolCompanyInformation
. To manage the licenses of a specific user, use:
Get-MsolUser -UserPrincipalName "UPN" | select Licenses, isLicensed | fl
Of course, you can also assign licenses directly:
Set-MsolUserLicense -UserPrincipalName "UPN" -AddLicenses "<licensed name>"
For a detailed list of the options of Set-MsolUserLicense
see the TechNet library [6]. Information on batch changing of licenses is also available [7].