Remote Office
Microsoft offers its Office programs as a service in the cloud. To integrate the Office 365 service into your own infrastructure, PowerShell is a natural choice.
Companies are increasingly opting for cloud services like those offered by Microsoft with Office 365. These services are usually managed via a web interface. However, extensions for PowerShell offer administrators the ability to retrieve data and adjust settings.
To manage Office 365 in PowerShell, you must download and install two extensions, then open a regular PowerShell session and connect it to your Office 365 subscription. The two extensions are the Microsoft Online Services Sign-in Assistant and the Windows Azure Active Directory Module for Windows PowerShell. The downloads can be found online. Make sure that you download the correct version for your setup – that is, 32-bit or 64-bit. You also need at least version 3.5.1 of the .NET Framework in place on your computer.
Problems that occur during the setup and installation most likely relate to incompatibilities between the Online Services Sign-in Assistant, the Windows Azure Active Directory Module for Windows PowerShell, and your Office 365 subscription. Always install the latest versions of these applications from the sites I just mentioned. You can also complete the setup in your Office 365 portal’s Software section. If errors occur, uninstall the individual modules in Windows using appwiz.cpl and then install the latest versions again. If you still cannot log in to Office 365, you most likely have an issue with the Microsoft Online Services Sign-in Assistant. In this case, either install the current beta version or use the current official version from the site. Also make sure you install the correct language.
You cannot run both versions in parallel on a computer. You must always uninstall the existing version (appwiz.cpl) before you install its successor.
When you launch PowerShell for the first time as an administrator or with a connection to Office 365 or Windows Azure, you also need to allow script execution. To do this, enter the command Set-ExecutionPolicy RemoteSigned.
Connecting to the Cloud
To import the commandlets (cmdlets) for managing Office 365, enter the Import-Module MSOnline command in PowerShell. You can use this command and later also the Office 365 cmdlets in PowerShell ISE, of course. To be able to access your Office 365 subscription with the cmdlets, you must first log in to Office 365 and authenticate. The Connect-MsolService commandlet does this for you. In the login window that appears, enter the address and password of an Office 365 administrator. You will not get any feedback about the successful connection. That commandlet displays an error if the connection fails.
One advantage of using PowerShell ISE is the built-in help. If you enter a commandlet, the program displays the possible commands and options (Figure 1). Most commands for managing Office 365 in the PowerShell contain the Msol string. If you want to view a list of existing cmdlets for managing Office 365, just type Get-Command *msol*.
You can save the credentials for Office 365 in a variable. To do this, type $aut = Get-Credential, for example. In the dialog that appears, enter the credentials you want to store in the variable. The Connect-MsolService -Credential $aut command then opens the connection again.
Overview
With PowerShell, you can access important information significantly faster than with the graphical user interface. Get-MsolDomain shows the domains that you use in your Office 365 subscription. You can also see the status of the domain – that is, whether it is verified by Office 365 and managed.
Get-MsolDomainVerificationDns queries data for the domain. If everything is OK, you will not see any feedback. If the domain is not connected to your Office 365 subscription, an error message appears. You can also remove domains via PowerShell and specify the default domain. To delete domains, you must first change the default domain. The following example illustrates the changes:
Set-MsolDomain -Name contoso.onmicrosoft.com -IsDefault
Once you have changed the default domain, you can delete unnecessary domains:
Remove-MsolDomain -DomainName contoso.com
You should never delete the default domain, domain.onmicrosoft.com, which is required in part by internal services. The same applies to mail.domain.onmicrosoft.com, which is used, for example, by the Exchange Online Protection antivirus software in Office 365. This also applies to Hybrid Deployments with Exchange 2010/2013.
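The ordering rules above (switch the default first, never remove the onmicrosoft.com domains) can be checked before Remove-MsolDomain is called. The following is an added example, not code from the original article; the function name Test-DomainRemoval and the sample domain objects are constructed, and the check relies only on the Name and IsDefault properties of the objects Get-MsolDomain returns.

```powershell
# Added example: pre-flight check to run before Remove-MsolDomain.
function Test-DomainRemoval {
    param(
        [Parameter(Mandatory=$true)] [string]$DomainName,
        [Parameter(Mandatory=$true)] [object[]]$Domains   # as returned by Get-MsolDomain
    )
    $target = $Domains | Where-Object { $_.Name -eq $DomainName }
    $reason = $null
    if (-not $target) {
        $reason = 'not part of this subscription'
    } elseif ($target.Name -like '*.onmicrosoft.com') {
        # Covers domain.onmicrosoft.com and the mail routing domain used by EOP/hybrid
        $reason = 'onmicrosoft.com domain, required by internal services'
    } elseif ($target.IsDefault) {
        $reason = 'still the default domain; run Set-MsolDomain -Name <other> -IsDefault first'
    }
    [pscustomobject]@{
        DomainName = $DomainName
        Safe       = ($null -eq $reason)
        Reason     = $reason
    }
}

# Constructed sample data standing in for Get-MsolDomain output
$domains = @(
    [pscustomobject]@{ Name = 'contoso.com';                  Status = 'Verified'; IsDefault = $true  }
    [pscustomobject]@{ Name = 'contoso.onmicrosoft.com';      Status = 'Verified'; IsDefault = $false }
    [pscustomobject]@{ Name = 'contoso.mail.onmicrosoft.com'; Status = 'Verified'; IsDefault = $false }
    [pscustomobject]@{ Name = 'old-brand.example';            Status = 'Verified'; IsDefault = $false }
)

'contoso.com', 'contoso.onmicrosoft.com', 'old-brand.example', 'typo.example' |
    ForEach-Object { Test-DomainRemoval -DomainName $_ -Domains $domains } |
    Format-Table -AutoSize

# Against a live subscription, after Connect-MsolService:
#   $check = Test-DomainRemoval -DomainName 'contoso.com' -Domains (Get-MsolDomain)
#   if ($check.Safe) { Remove-MsolDomain -DomainName $check.DomainName }
```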
Licenses
To manage Office 365, you first need to store some important information about your subscription, the stored users, and configured settings. The most important point in managing Office 365 is certainly licensing. You can manage the licenses in the web interface in the Licenses section of the Admin user management.
You can delegate the management of licenses in larger environments, for example, to accounts or controlling. However, this is only possible in larger editions of Office 365. Just click on Settings in the same section and select User management administrator. There, select the user that you want to manage the licenses. This user can then also use PowerShell to view and manage licenses. With PowerShell, you can, for example, display clear-cut tables, which is not possible in the graphical interface. To display all roles available in your Office 365 subscription and their functions in PowerShell, type Get-MsolRole.
Remember that the User Management Administrator user role has advanced rights for user management features, such as password resets. Get-MsolUser displays information on your users. If you use the | ft option, as with other cmdlets, you will see a formatted table, whereas | fl displays a formatted list. You can follow the | ft or | fl option with the columns that you want PowerShell to display. For example, to display the licensed users, use Get-MsolUser | ft UserPrincipalName, DisplayName, *lic* (Figure 2). The -AutoSize option lets you adjust the table to match the window size.
In PowerShell, you can also retrieve the licensing model and the Office 365 Edition that your company uses. To do this, use the Get-MsolAccountSku commandlet. The Get-MsolSubscription commandlet also displays more information about your subscription. Contact information, technical email, and other data can be retrieved using Get-MsolCompanyInformation. To manage the licenses of a specific user, use:
Get-MsolUser -UserPrincipalName "UPN" | select Licenses, isLicensed | fl
Of course, you can also assign licenses directly:
Set-MsolUserLicense -UserPrincipalName "UPN" -AddLicenses "<license>"
For a detailed list of the options of Set-MsolUserLicense see the TechNet library. Information on batch changing of licenses is also available.
Managing Users
In addition to the cmdlets already mentioned, other commands let you create, manage, and delete users in Office 365. The most important cmdlets in this area include:
- New-MsolUser – Create a new user. For example, to create a new user with a short command, use New-MsolUser -UserPrincipalName "<email address>" -DisplayName "<display name>". The commandlet generates the password and displays it.
- Remove-MsolUser – Delete the user and return the assigned licenses. After that, the user can still sign in for 30 days.
- Restore-MsolUser – The user’s original state is restored. This works up to 30 days after deletion. However, you can permanently delete mailboxes to prevent them from being restored.
- Set-MsolUser – Update a user and change their settings.
- Set-MsolUserPassword – Change the password.
To view all of the user management cmdlets, type Get-Command *msoluser* (Figure 3). The commands available for group administration are shown by typing Get-Command *msolgroup*.
For example, if you want to specify that a user password never expires, use
Set-MsolUser -UserPrincipalName "UPN" -PasswordNeverExpires $True
Without this option, the corresponding user must change their password every 90 days. $False lets you reverse this option. It is also possible to activate complex passwords for a user, which is what the -StrongPasswordRequired option does:
Set-MsolUser -UserPrincipalName "UPN" -StrongPasswordRequired $True
$False disables this function.
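Because both options are set per user, it is worth listing the accounts where either one has been relaxed. The following is an added example, not code from the original article; the function name Get-PasswordPolicyException and the sample accounts are constructed, and the property names are those of the objects Get-MsolUser returns.

```powershell
# Added example: flag accounts whose password options deviate from the
# defaults described above (90-day expiry, complex passwords).
function Get-PasswordPolicyException {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)]
        [object]$User
    )
    process {
        $reasons = @()
        # $True switches off the 90-day password change for this user
        if ($User.PasswordNeverExpires -eq $true)    { $reasons += 'PasswordNeverExpires' }
        # $False switches off the complex-password requirement
        if ($User.StrongPasswordRequired -eq $false) { $reasons += 'StrongPasswordDisabled' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                UserPrincipalName = $User.UserPrincipalName
                IsLicensed        = $User.IsLicensed
                Reasons           = $reasons -join ','
            }
        }
    }
}

# Constructed sample objects standing in for Get-MsolUser output
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'svc-scan@contoso.com'; IsLicensed = $false
                       PasswordNeverExpires = $true;  StrongPasswordRequired = $false }
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.com';    IsLicensed = $true
                       PasswordNeverExpires = $false; StrongPasswordRequired = $true }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.com';      IsLicensed = $true
                       PasswordNeverExpires = $true;  StrongPasswordRequired = $true }
)
$sample | Get-PasswordPolicyException | Format-Table -AutoSize

# Against a live subscription, after Connect-MsolService:
#   Get-MsolUser -All | Get-PasswordPolicyException | Format-Table -AutoSize
# To see who holds each admin role (including the role with password reset rights):
#   Get-MsolRole | ForEach-Object {
#       $role = $_
#       Get-MsolRoleMember -RoleObjectId $role.ObjectId |
#           Select-Object @{ n = 'Role'; e = { $role.Name } }, EmailAddress, DisplayName
#   }
```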
As mentioned earlier, a user resides for 30 days in the Recycle Bin when you delete them and can be restored from the Recycle Bin using Restore-MsolUser. The following command displays deleted mailboxes that can be restored:
Get-MsolUser -ReturnDeletedUsers | fl UserPrincipalName, ObjectID
If you want to delete a user permanently, use their ObjectID:
Remove-MsolUser -ObjectID GUID -RemoveFromRecycleBin -Force
Additionally, you can use the command
Get-MsolUser -ReturnDeletedUsers | Remove-MsolUser -RemoveFromRecycleBin -Force
to erase individual users, as well as remove all users from the Recycle Bin.
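Removal from the Recycle Bin cannot be undone, so a record of what is about to be purged is useful. The following is an added example, not code from the original article; the function name Get-DeletedUserReport, the CSV file names, and the sample objects are constructed, and the report uses the SoftDeletionTimestamp property that Get-MsolUser -ReturnDeletedUsers returns together with the 30-day window stated above.

```powershell
# Added example: report deleted users and the time left to restore them.
function Get-DeletedUserReport {
    param(
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)] [object]$User,
        [datetime]$Now = (Get-Date),
        [int]$RetentionDays = 30        # restore window stated in the article
    )
    process {
        $expires = $User.SoftDeletionTimestamp.AddDays($RetentionDays)
        $left    = [math]::Floor(($expires - $Now).TotalDays)
        [pscustomobject]@{
            UserPrincipalName = $User.UserPrincipalName
            ObjectId          = $User.ObjectId
            DeletedOn         = $User.SoftDeletionTimestamp
            DaysLeft          = [int][math]::Max(0, $left)
        }
    }
}

# Constructed sample objects standing in for Get-MsolUser -ReturnDeletedUsers
$deleted = @(
    [pscustomobject]@{ UserPrincipalName = 'former1@contoso.com'
                       ObjectId = [guid]'11111111-1111-1111-1111-111111111111'
                       SoftDeletionTimestamp = [datetime]'2014-03-01' }
    [pscustomobject]@{ UserPrincipalName = 'former2@contoso.com'
                       ObjectId = [guid]'22222222-2222-2222-2222-222222222222'
                       SoftDeletionTimestamp = [datetime]'2014-03-18' }
)

$report = $deleted | Get-DeletedUserReport -Now ([datetime]'2014-03-20')
$report | Format-Table -AutoSize
$report | Export-Csv -NoTypeInformation -Path .\deleted-users.csv   # keep as a record

# Against a live subscription, after Connect-MsolService:
#   Get-MsolUser -ReturnDeletedUsers | Get-DeletedUserReport |
#       Export-Csv -NoTypeInformation -Path .\deleted-users.csv
# After review, purge only the rows copied into an approved list:
#   Import-Csv .\purge-approved.csv | ForEach-Object {
#       Remove-MsolUser -ObjectId $_.ObjectId -RemoveFromRecycleBin -Force
#   }
```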
Connecting to the Exchange Management Shell
Office 365 accounts and a local Exchange server are used in parallel in many environments. It thus makes sense to make the commands from the Exchange Management Shell available in PowerShell in addition to Office 365 cmdlets. To do this, first store the Office 365 login credentials in a variable:
$cred = Get-Credential
Open a connection to Office 365 and the Exchange Management Shell:
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $cred -Authentication Basic -AllowRedirection
Then, import this data with Import-PSSession $Session.
Exchange Online Protection
Microsoft offers the cloud virus scanner Exchange Online Protection (EOP) for local Exchange installations and for Office 365. This tool is the successor of Forefront Online Protection for Exchange (FOPE). In Office 365, Exchange Online Protection is automatically enabled, which means that incoming and outgoing email is scanned for viruses and spam.
If you also have local Exchange servers, you can send email from your local servers to Office 365, where it is scanned for viruses and then forwarded. This approach also works in both directions with Exchange Server 2013 and with the virus scanner integrated in Exchange 2013.
The following command ensures that Exchange Server 2013 will scan email messages after Exchange Online Protection has scanned them:
Set-MalwareFilteringServer -ForceRescan $true
To check the value, enter:
Get-MalwareFilteringServer | Format-List Name, ForceRescan
This redirection between Exchange and Office 365 is controlled by the MX record in the domain. The wizard for connecting Office 365 with a local Exchange installation adds an additional accepted domain to the Exchange organization for hybrid messaging. This domain is added as a secondary proxy domain. By default, this is the domain.mail.onmicrosoft.com domain. You can view the accepted domain with:
Get-AcceptedDomain | fl DomainName, IsCoexistenceDomain
In the Exchange Management Shell, you can view the settings by typing Get-HybridConfiguration.
Besides managing the Office 365 services in the PowerShell, you can also manage other cloud services from Microsoft, such as Windows Azure. The installation file for managing Windows Azure in PowerShell can be found online. After the install, just import the cmdlets by typing Import-Module Azure. Before you can manage Azure with PowerShell, you must modify your PC so that it connects to Windows Azure.
To begin, enter Get-AzurePublishSettingsFile and then log in to Windows Azure. Download the file, which the wizard then displays. Enter the Import-AzurePublishSettingsFile <publishsettings File> command followed by Get-AzureSubscription.
Microsoft offers the Windows Azure Backup service, which lets you back up data from servers in the cloud. In PowerShell, you can view the available cmdlets for Windows Azure Backup with Get-Command *ob* (Figure 4). Alternatively, you can use the Get-Command -Module MSOnlineBackup command. More information about Azure Backup is available in the “Azure Backup” article in this issue.
Conclusions
Microsoft’s PowerShell provides a powerful shell with many options for managing local servers. In addition to the standard operating systems by Microsoft, all current server applications, such as Exchange, SQL, SharePoint, and Lync, support PowerShell-based administration. If your company additionally uses cloud services like Windows Azure and Office 365, it makes sense to manage them in PowerShell, too. The advantages of this approach are obvious: Administrators can manage local servers and cloud services in the same session. Additionally, many options and features in PowerShell are much faster and easier to handle than in the various web interfaces.
If you have some experience with scripting, you can also compose scripts for comprehensive management of your services. These scripts can perform changes in local and cloud services in parallel. Because Microsoft provides the extensions for PowerShell free of charge, administrators should seriously look into their options. With a little training, you can use PowerShell to manage many services quickly and easily – including ones that run in the cloud.
The Author
Thomas Joos is a freelance IT consultant and has been working in IT for more than 20 years. In addition to his projects, he writes hands-on books and papers on Windows and other Microsoft topics. Online you can meet him on http://thomasjoos.spaces.live.com.