Connect To Azure AD Powershell: A Reviewed Guide
In this post we go through a reviewed guide to the Azure AD PowerShell module (MSOnline) for administering Office 365.
PowerShell (also known as Windows PowerShell) is a command-line environment designed specifically for system administration. PowerShell helps IT professionals and power users control and automate the administration of the Windows operating system and applications such as Office 365.
The most basic part of PowerShell is called a cmdlet (pronounced command-let). Cmdlets let you do things in the Office 365 PowerShell environment such as adding users to your Office 365 organization, managing Office 365 license assignments and finding out which mailboxes are inactive.
Connecting to Azure AD PowerShell gives you a single point of administration for Office 365 through automated and scripted actions, which streamlines your daily work.
Benefits of AAD Powershell Module
- Windows PowerShell Can Reveal “Hidden” Information Not Available in the Admin Center
- Office 365 has Features That You Can Only Configure by Using Windows PowerShell
- Windows PowerShell Excels at Carrying Out Bulk Operations
- Windows PowerShell is Great at Filtering Data
- Windows PowerShell Makes It Easy to Print or Save Data
- Windows PowerShell Lets You Do “Cross-Product” Management
Before you can run any of the cmdlets discussed in this article, you must install the Azure module.
The Azure Module is supported on the following Windows operating systems with the default version of Microsoft .NET Framework and Windows PowerShell: Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2.
The easiest way to install the module is from the PowerShell Gallery. You can install the module with the Install-Module cmdlet:
Install-Module MSOnline
The Connect-MsolService cmdlet attempts to initiate a connection to Azure Active Directory. You must specify a credential, as a PSCredential object, or specify the CurrentCredentials parameter to use the credentials of the current user.
This cmdlet may return a warning or error if the version of the module is out of date.
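The install and connect steps above, put together as an added example (this is not code from the original post). It assumes access to the PowerShell Gallery and an account that is allowed to read directory data; the credential is prompted for rather than stored in the script.

```powershell
# Added example, not code from the original post: install the MSOnline module
# if needed, connect with an explicit PSCredential, and confirm the session.
# Assumes access to the PowerShell Gallery and an account allowed to read
# directory data.

# Install for the current user only when the module is not already present.
if (-not (Get-Module -ListAvailable -Name MSOnline)) {
    Install-Module -Name MSOnline -Scope CurrentUser -Force
}
Import-Module MSOnline

# Prompt for the admin credential rather than embedding a password in a script.
$cred = Get-Credential -Message 'Azure AD administrator (UPN)'

try {
    Connect-MsolService -Credential $cred -ErrorAction Stop
}
catch {
    Write-Error "Connect-MsolService failed: $($_.Exception.Message)"
    return
}

# A cheap read-only call proves the connection and shows which tenant you landed in.
$company = Get-MsolCompanyInformation
Write-Host "Connected to tenant: $($company.DisplayName)"

# The post notes that an outdated module can produce warnings; record the version in use.
Write-Host "MSOnline module version: $((Get-Module -Name MSOnline).Version)"
```

If the administrator account is protected by multi-factor authentication, call Connect-MsolService with no parameters instead, so the module's own interactive sign-in can collect the second factor; a PSCredential alone cannot satisfy it.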
Now we can start managing Azure AD services.
Connect to Azure AD powershell — Get users details
To get a user:
Get-MsolUser -UserPrincipalName "User UPN"
If you're not sure of a user's UPN but know the display name, use SearchString:
Get-MsolUser -SearchString "Test"
SearchString finds a user by UPN, object ID or display name.
To get user information based on a title:
Get-MsolUser -Title "Manager"
To get users based on a department:
Get-MsolUser -Department "IT"
To view a list of users in your organization:
Get-MsolUser
The Get-MsolUser command will show a maximum of 1000 users.
To view all users:
Get-MsolUser -All
Export user details
We have seen how to view user details. What if you want to export the results to a CSV file? It's straightforward: just pipe the output to Export-Csv.
To export the first 1000 users:
Get-MsolUser | Export-Csv "C:\msolusers.csv" -NoTypeInformation
Note: You will get a warning message if your organization has more than 1000 users, because only the first 1000 are returned.
So, add the -All switch to export everyone in your organization.
Note: You can also use -MaxResults if you want to export only a specific number of users, for example 25,000. I would recommend going with -All to avoid any confusion.
Get-MsolUser -MaxResults 25000
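An added example (not from the original post) that wraps the export in a function: it uses -All by default so the 1000-user cap does not silently truncate the file, falls back to -MaxResults when a cap is wanted, fixes the column set, and returns the row count so the caller can check it against the tenant's user total. The output path is a constructed value.

```powershell
# Added example, not code from the original post. $OutFile is a constructed path.
function Export-AllMsolUsers {
    param(
        [string]$OutFile = 'C:\Temp\msolusers.csv',
        [int]$MaxResults = 0    # 0 means use -All; any other value caps the query
    )

    if ($MaxResults -gt 0) {
        $users = Get-MsolUser -MaxResults $MaxResults
    }
    else {
        # -All avoids the 1000-user default limit and its warning.
        $users = Get-MsolUser -All
    }

    $users |
        Select-Object DisplayName, UserPrincipalName, Department, Title,
                      IsLicensed, BlockCredential, LastDirSyncTime |
        Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

    # Return the count so the caller can compare it with the expected user total.
    return ($users | Measure-Object).Count
}

# Usage: export everyone, then only the first 25000.
$total = Export-AllMsolUsers
Write-Host "Exported $total users"
Export-AllMsolUsers -OutFile 'C:\Temp\first25000.csv' -MaxResults 25000
```

The IsLicensed and BlockCredential columns make the same file usable for the licensed/unlicensed reports later in the post and for spotting sign-in-blocked accounts without a second query.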
How to find errors on a user account?
To retrieve errors on a user object:
(Get-MsolUser -UserPrincipalName test@techieberry.com).errors[0].ErrorDetail.objecterrors.errorrecord.ErrorDescription
To retrieve all errors for all users on Azure:
Get-MsolUser -HasErrorsOnly | ft DisplayName,UserPrincipalName,@{Name="Error";Expression={($_.errors[0].ErrorDetail.objecterrors.errorrecord.ErrorDescription)}} -AutoSize -Wrap
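The one-liner above only shows errors[0]; a user can carry several validation errors. The following added example (not from the original post) walks the whole Errors collection using the same Errors, ErrorDetail, ObjectErrors, ErrorRecord path, emits one row per error, and writes the report to a constructed CSV path.

```powershell
# Added example, not code from the original post. $OutFile is a constructed path.
function Get-MsolUserErrorReport {
    param([string]$OutFile = 'C:\Temp\msol-user-errors.csv')

    # -HasErrorsOnly restricts the query to users with validation errors;
    # -All removes the 1000-user cap.
    $rows = Get-MsolUser -All -HasErrorsOnly | ForEach-Object {
        $user = $_
        foreach ($err in $user.Errors) {
            [pscustomobject]@{
                DisplayName       = $user.DisplayName
                UserPrincipalName = $user.UserPrincipalName
                LastDirSyncTime   = $user.LastDirSyncTime
                ErrorDescription  = $err.ErrorDetail.ObjectErrors.ErrorRecord.ErrorDescription
            }
        }
    }

    $rows | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
    return $rows
}

# Usage: show the report on screen; the function also writes it to disk.
Get-MsolUserErrorReport | Format-Table -AutoSize -Wrap
```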
How to change a user UPN?
A User Principal Name (UPN) is made up of two parts, the prefix (user account name) and the suffix (DNS domain name).
For example: user1@techieberry.com
In this case, the prefix is "user1" and the suffix is "techieberry.com".
You can also change a user's UPN in Azure AD by changing their username:
Set-MsolUserPrincipalName -UserPrincipalName "test1@techieberry.com" -NewUserPrincipalName "test2@techieberry.com"
Get Office 365 plan details
To get Office 365 plan (Account SKU) details:
Get-MsolAccountSku
Get group details
To retrieve groups from the Office 365 services:
Get-MsolGroup
To retrieve group members (where $Group holds a group returned by Get-MsolGroup):
Get-MsolGroupMember -GroupObjectId $Group.ObjectId
Get details of Administrative roles
To retrieve a list of administrator roles:
Get-MsolRole
To retrieve all members of a specified role (where $role holds a role returned by Get-MsolRole):
Get-MsolRoleMember -RoleObjectId $role.ObjectId
Remove and restore a user
To remove a user:
Remove-MsolUser -UserPrincipalName "User UPN" -Force
This command removes a user from Azure Active Directory. If the user has any licenses, the cmdlet removes these.
Remove-MsolUser -UserPrincipalName "User UPN" -RemoveFromRecycleBin
This command removes a user from the Azure Active Directory recycle bin. The command prompts you to confirm the operation. This command permanently removes the user. When this operation has been completed, you will not be able to recover the user by using the Restore-MsolUser cmdlet.
Find deleted users:
Get-MsolUser -ReturnDeletedUsers
To find a specific user in the deleted users list:
Get-MsolUser -UserPrincipalName "User UPN" -ReturnDeletedUsers
To restore a user:
Restore-MsolUser -UserPrincipalName "User UPN"
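The remove, find-deleted and restore commands above combined into two checked functions, as an added example (not from the original post). The soft delete is verified against the recycle bin before anything else happens, and the irreversible -RemoveFromRecycleBin step is deliberately left out of the function so it stays an explicit, separate action. The UPN is a placeholder.

```powershell
# Added example, not code from the original post. The UPN values are placeholders.
function Remove-MsolUserToRecycleBin {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    $user = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop
    if ($user.IsLicensed) {
        $skus = $user.Licenses.AccountSkuId -join ', '
        Write-Warning "$UserPrincipalName holds licenses ($skus); Remove-MsolUser will release them."
    }

    # Soft delete: the object moves to the recycle bin, where Azure AD keeps it for 30 days.
    Remove-MsolUser -UserPrincipalName $UserPrincipalName -Force

    # Confirm it is recoverable before doing anything else.
    $deleted = Get-MsolUser -UserPrincipalName $UserPrincipalName -ReturnDeletedUsers -ErrorAction SilentlyContinue
    if (-not $deleted) { throw "$UserPrincipalName was not found in the recycle bin after deletion." }
    return $deleted
}

function Restore-MsolUserFromRecycleBin {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    $deleted = Get-MsolUser -UserPrincipalName $UserPrincipalName -ReturnDeletedUsers -ErrorAction SilentlyContinue
    if (-not $deleted) { throw "$UserPrincipalName is not in the recycle bin; nothing to restore." }

    Restore-MsolUser -UserPrincipalName $UserPrincipalName
    # Return the live object so the caller can see the restored state.
    return Get-MsolUser -UserPrincipalName $UserPrincipalName
}

# Usage with a placeholder UPN.
Remove-MsolUserToRecycleBin -UserPrincipalName 'user@contoso.example' | Select-Object DisplayName, ObjectId
Restore-MsolUserFromRecycleBin -UserPrincipalName 'user@contoso.example' | Select-Object DisplayName, IsLicensed
```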
How to manage groups?
To add a new group to the Azure AD:
New-MsolGroup -DisplayName "Marketing" -Description "Marketing"
To add members (the new members can be either users or other security groups):
Add-MsolGroupMember -GroupObjectId $Group.ObjectId -GroupMemberType "User" -GroupMemberObjectId $User.ObjectId
To remove a member from a group:
Remove-MsolGroupMember -GroupObjectId $Group.ObjectId -GroupMemberType "User" -GroupMemberObjectId $User.ObjectId
To delete a group:
Remove-MsolGroup -ObjectId "Group ObjectId" -Force
To check a group's member count:
(Get-MsolGroupMember -GroupObjectId 7a87e16a-dfa7-4f98-81e4-2cf95ebce03b).count
Export the members of a specific group to a CSV file:
Get-MsolGroupMember -All -GroupObjectId 36c8a37b-1ce6-4973-b062-fe7804bb8b54 | Export-Csv C:\members.csv -NoTypeInformation
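The group commands above as one idempotent procedure, added here as an example (not from the original post): look the group up by display name, create it if it is missing, add a list of users by UPN while skipping unknown users and existing members, then export the membership and return the member count. The group name, UPN list and output path are constructed values.

```powershell
# Added example, not code from the original post. Group name, UPNs and path are constructed.
function Sync-MsolGroupMembership {
    param(
        [string]$GroupName = 'Marketing',
        [string[]]$MemberUpns = @('alice@contoso.example', 'bob@contoso.example'),
        [string]$OutFile = 'C:\Temp\members.csv'
    )

    # SearchString is a prefix match, so filter to the exact display name.
    $group = Get-MsolGroup -SearchString $GroupName | Where-Object { $_.DisplayName -eq $GroupName }
    if (-not $group) {
        $group = New-MsolGroup -DisplayName $GroupName -Description "$GroupName security group"
    }

    # Compare on ObjectId rather than e-mail address: a UPN is not always the mail address.
    $existingIds = @(Get-MsolGroupMember -GroupObjectId $group.ObjectId -All | ForEach-Object { $_.ObjectId })

    foreach ($upn in $MemberUpns) {
        $user = Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue
        if (-not $user) { Write-Warning "Skipping $upn: no such user"; continue }
        if ($existingIds -contains $user.ObjectId) { continue }
        Add-MsolGroupMember -GroupObjectId $group.ObjectId -GroupMemberType User -GroupMemberObjectId $user.ObjectId
    }

    $members = @(Get-MsolGroupMember -GroupObjectId $group.ObjectId -All)
    $members |
        Select-Object DisplayName, EmailAddress, GroupMemberType, ObjectId |
        Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

    return $members.Count
}

# Usage with the constructed defaults.
$count = Sync-MsolGroupMembership
Write-Host "Marketing now has $count members"
```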
How to identify Azure AD Connect status in Office 365?
If you have integrated your on-premises Active Directory Domain Services (AD DS) with Azure Active Directory (Azure AD) by synchronizing your on-premises environment with Microsoft 365, you can also check the status of your synchronization using the following command.
Get-MsolCompanyInformation | fl lastd*
How to check the last dirsync time of a single user?
The following command shows when a user account was last synced to Office 365:
Get-MsolUser -UserPrincipalName "User UPN" | fl lastd*
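The two lastd* checks above turned into a health check, as an added example (not from the original post). It reports whether the tenant-wide LastDirSyncTime is older than a threshold and, optionally, whether a given user is cloud-only or synced. The 3-hour threshold is an assumption (Azure AD Connect's default delta sync interval is 30 minutes); the UPN is a placeholder.

```powershell
# Added example, not code from the original post. $MaxAgeHours is an assumed threshold.
function Test-MsolDirSyncHealth {
    param(
        [int]$MaxAgeHours = 3,
        [string]$UserPrincipalName
    )

    $info = Get-MsolCompanyInformation
    if (-not $info.DirectorySynchronizationEnabled -or -not $info.LastDirSyncTime) {
        return [pscustomobject]@{ Scope = 'Tenant'; Status = 'SyncNotEnabled'; LastSync = $null; AgeHours = $null }
    }

    # LastDirSyncTime is reported in UTC, so compare against UTC now.
    $now = (Get-Date).ToUniversalTime()
    $tenantAge = $now - $info.LastDirSyncTime
    $tenantStatus = 'OK'
    if ($tenantAge.TotalHours -gt $MaxAgeHours) { $tenantStatus = 'Stale' }

    [pscustomobject]@{
        Scope    = 'Tenant'
        Status   = $tenantStatus
        LastSync = $info.LastDirSyncTime
        AgeHours = [math]::Round($tenantAge.TotalHours, 1)
    }

    if ($UserPrincipalName) {
        $user = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop
        # A user's LastDirSyncTime only moves when that object changes on-premises,
        # so an old value is not by itself a failure; no value means cloud-only.
        $userStatus = 'Synced'
        $userAge = $null
        if (-not $user.LastDirSyncTime) {
            $userStatus = 'CloudOnly'
        }
        else {
            $userAge = [math]::Round(($now - $user.LastDirSyncTime).TotalHours, 1)
        }

        [pscustomobject]@{
            Scope    = $UserPrincipalName
            Status   = $userStatus
            LastSync = $user.LastDirSyncTime
            AgeHours = $userAge
        }
    }
}

# Usage: tenant check only, then tenant plus one (placeholder) user.
Test-MsolDirSyncHealth | Format-Table -AutoSize
Test-MsolDirSyncHealth -UserPrincipalName 'user@contoso.example' | Format-Table -AutoSize
```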
Export licensed users
Get-MsolUser | Where-Object { $_.IsLicensed -eq $true } | Select-Object DisplayName, UserPrincipalName, IsLicensed | Export-Csv C:\Users.csv -NoTypeInformation
Export unlicensed users
Get-MsolUser -All -UnlicensedUsersOnly | Export-Csv C:\non-licensed_users.csv -NoTypeInformation
ImmutableId
Directory synchronization uses a unique ID, called the ImmutableId, to match AD and Office 365 accounts. It is based on the AD account's ObjectGUID. If a user's old AD account was replaced by a new AD account, the new account has a different ObjectGUID, so the AD and Office 365 accounts no longer have matching ImmutableIds.
We are going to find the ObjectGUID of the new AD account and use PowerShell to change the ImmutableId on the recovered Office 365 account to match it.
- On a domain controller, or a computer with the Remote Server Administration Tools, open ADSI Edit or ADAC.
- Find and open the properties for the user.
- On the "Attribute Editor" tab, find and copy the distinguishedName.
- Run the following command, replacing the DN with the one from the previous step, in the Exchange on-premises PowerShell:
ldifde -d "CN=Someone,OU=Users,DC=someplace,DC=com" -f c:\user.txt
- Open the text file you created and copy the user's ObjectGUID.
To check the current ImmutableId in Azure AD:
Get-MsolUser -UserPrincipalName "User UPN" | fl im*
To change the ImmutableId:
Set-MsolUser -UserPrincipalName "User UPN" -ImmutableId "GXXXXXXXXXXXXXXXQ=="
Allow a few hours for these changes to be reflected in Office 365; the sync type will then change to "Synced with Active Directory".
Duplicate ImmutableId attributes:
This issue may occur if user objects have duplicate ImmutableId values. To resolve it, find the users that share an ImmutableId and then change it so that they are unique. The following command lists the users carrying a given ImmutableId:
Get-MsolUser -All | Where-Object { $_.ImmutableId -eq "vXXXXXXXXXXXXXXXXXXQ==" }
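An added example (not from the original post) for the ImmutableId section: it computes the ImmutableId that Azure AD Connect derives from an on-premises ObjectGUID (the Base64 encoding of the GUID's 16 bytes, which is also the form ldifde writes for objectGUID), decodes one back for checking, compares a user's current value against the expected one, and generalises the duplicate search above to find every ImmutableId shared by more than one user instead of one known value. The GUID and UPN are constructed placeholders.

```powershell
# Added example, not code from the original post. GUID and UPN values are constructed.

# ImmutableId = Base64(ObjectGUID bytes); this is Azure AD Connect's default source anchor.
function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    return [System.Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

# Reverse the encoding so an ImmutableId read from Azure AD can be compared with AD's ObjectGUID.
function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)][string]$ImmutableId)
    $bytes = [System.Convert]::FromBase64String($ImmutableId)
    return New-Object -TypeName System.Guid -ArgumentList (,$bytes)
}

# Compare what Azure AD holds for a user with the value expected from the on-premises GUID.
function Test-MsolImmutableId {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][guid]$OnPremObjectGuid
    )
    $expected = ConvertTo-ImmutableId -ObjectGuid $OnPremObjectGuid
    $current  = (Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop).ImmutableId
    return [pscustomobject]@{
        UserPrincipalName = $UserPrincipalName
        Current           = $current
        Expected          = $expected
        Matches           = ($current -eq $expected)
    }
}

# Find every ImmutableId that more than one user carries.
function Find-MsolDuplicateImmutableId {
    Get-MsolUser -All |
        Where-Object { $_.ImmutableId } |
        Group-Object -Property ImmutableId |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                ImmutableId = $_.Name
                ObjectGuid  = ConvertFrom-ImmutableId -ImmutableId $_.Name
                Users       = ($_.Group.UserPrincipalName -join ', ')
            }
        }
}

# Usage with a constructed GUID: round-trip check, then a comparison and the duplicate scan.
$guid = [guid]'11111111-2222-3333-4444-555555555555'
$id = ConvertTo-ImmutableId -ObjectGuid $guid
Write-Host "ImmutableId for $guid is $id; round-trip OK: $((ConvertFrom-ImmutableId $id) -eq $guid)"
Test-MsolImmutableId -UserPrincipalName 'user@contoso.example' -OnPremObjectGuid $guid
Find-MsolDuplicateImmutableId | Format-Table -AutoSize -Wrap
```

When Test-MsolImmutableId reports Matches = False, the Expected column is the value to pass to Set-MsolUser -ImmutableId as shown above; running Find-MsolDuplicateImmutableId afterwards confirms the new value is unique.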