Manage users in Office 365 using PowerShell

After you’ve added domains to your Office 365 environment (using PowerShell of course) you might want to add users as well. In this blog post I’ll discuss how to add users, add and change licenses, remove users and change password settings.

Add Users using PowerShell

Use the Get-MsolUser command to get an overview of all users in Azure Active Directory (these were created in an earlier blog post):


And use the Get-MsolAccountSku command to see what license is available:


When creating a new user in Azure Active Directory you can use the New-MsolUser command, combined with the results of the Get-MsolAccountSku command for the license information. You can use the –LicenseAssignment and –UsageLocation options to assign a proper license.

New-MsolUser -UserPrincipalName -FirstName Santa -LastName Klaus -DisplayName 'Santa Klaus' -Password 'Pass2015' -ForceChangePassword:$TRUE -LicenseAssignment "inframan:ENTERPRISEPACK" -UsageLocation NL


The –ForceChangePassword option ensures the user changes his password the first time he logs on, either to the Online Portal or to OWA. The -BlockCredential $true option is optional; it creates a disabled or blocked account in Azure Active Directory.

Of course it is also possible to create multiple users in Azure Active Directory from a CSV file. For example when using the following CSV file:


You can use a PowerShell command similar to this:

$Users = import-csv Bulk_Users.csv
ForEach ($User in $Users) {New-MsolUser -UserPrincipalName $User.UserName -FirstName $User.FirstName -LastName $User.LastName -DisplayName $User.DisplayName -Password 'Pass2015' -ForceChangePassword:$TRUE -LicenseAssignment "inframan:ENTERPRISEPACK" -UsageLocation NL}
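The loop above gives every account the same known initial password. The following variant is an added example, not part of the original post: it leaves out -Password so that Azure AD generates a random password per user, checks that enough licenses are free before creating anything, and records the result per user. It assumes Connect-MsolService has already been run; the output file name New_Users_Passwords.csv is hypothetical.

```powershell
# Added example, not the author's script. Assumes Connect-MsolService has run.
$Sku     = 'inframan:ENTERPRISEPACK'      # license used on this page
$OutFile = '.\New_Users_Passwords.csv'    # hypothetical output file
$Users   = @(Import-Csv -Path .\Bulk_Users.csv)

# Stop before creating anything if the license is missing or short of units.
$SkuInfo = Get-MsolAccountSku | Where-Object { $_.AccountSkuId -eq $Sku }
if (-not $SkuInfo) { throw "License $Sku not found in this tenant." }
$Free = $SkuInfo.ActiveUnits - $SkuInfo.ConsumedUnits
if ($Free -lt $Users.Count) {
    throw "Only $Free free units of $Sku for $($Users.Count) users."
}

$Results = foreach ($User in $Users) {
    try {
        # No -Password: a random password is generated per user and
        # returned in the Password property of the new user object.
        $New = New-MsolUser -UserPrincipalName $User.UserName `
            -FirstName $User.FirstName -LastName $User.LastName `
            -DisplayName $User.DisplayName -ForceChangePassword $true `
            -LicenseAssignment $Sku -UsageLocation NL -ErrorAction Stop
        [pscustomobject]@{
            UserPrincipalName = $New.UserPrincipalName
            TemporaryPassword = $New.Password
            Status            = 'Created'
        }
    }
    catch {
        # Keep going, but record which row failed and why.
        [pscustomobject]@{
            UserPrincipalName = $User.UserName
            TemporaryPassword = $null
            Status            = "Failed: $($_.Exception.Message)"
        }
    }
}

# The file holds cleartext temporary passwords: hand them over, then delete it.
$Results | Export-Csv -Path $OutFile -NoTypeInformation
$Results | Group-Object Status | Select-Object Name, Count
```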


Change licenses using PowerShell

To add, remove or change a license for a specific user you can use the Set-MsolUserLicense command which accepts the –AddLicenses and –RemoveLicenses options. For example, to add a license to a user named you can use a command like this:

Set-MsolUserLicense -UserPrincipalName -AddLicenses "inframan:ENTERPRISEPACK"

Or remove a license from a user:

Set-MsolUserLicense -UserPrincipalName -RemoveLicenses "inframan:ENTERPRISEPACK"

You can also combine the –AddLicenses and –RemoveLicenses options to replace a license, for example:

Set-MsolUserLicense -UserPrincipalName -RemoveLicenses "inframan:ENTERPRISEPACK" -AddLicenses <other license>

It is also possible to use only specific Service Plans in a subscription. For example, you can use the Get-MsolAccountSku command to retrieve the individual service plans:

Get-MsolAccountSku | Where {$_.SkuPartNumber -eq "ENTERPRISEPACK"} | ForEach {$_.ServiceStatus}


If you want to disable Yammer, Rights Management Server, Office Web Apps and SharePoint Enterprise you can use the following commands:

Set-MsolUserLicense -UserPrincipalName -LicenseOptions $Options
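One way to build the $Options object for the four services named above, as an added example that is not taken from the original post. The service plan names are the ones usually listed for ENTERPRISEPACK and are assumptions, so the script checks them against the ServiceStatus output of your own tenant before applying anything; user@example.com is a placeholder UPN.

```powershell
# Added example. Assumes Connect-MsolService has already been run.
$Sku = 'inframan:ENTERPRISEPACK'     # license used on this page
$Upn = 'user@example.com'            # placeholder, replace with a real UPN

# Assumed plan names for Yammer, Rights Management, Office Web Apps
# and SharePoint Enterprise; verified against the tenant below.
$Disable = 'YAMMER_ENTERPRISE', 'RMS_S_ENTERPRISE',
           'SHAREPOINTWAC', 'SHAREPOINTENTERPRISE'

# Plans that really exist in this SKU.
$SkuInfo = Get-MsolAccountSku | Where-Object { $_.AccountSkuId -eq $Sku }
if (-not $SkuInfo) { throw "License $Sku not found in this tenant." }
$Plans = $SkuInfo.ServiceStatus | ForEach-Object { $_.ServicePlan.ServiceName }

# Refuse to continue on a misspelled or missing plan name.
$Unknown = $Disable | Where-Object { $Plans -notcontains $_ }
if ($Unknown) { throw "Not part of ${Sku}: $($Unknown -join ', ')" }

# Build the options object and apply it to the user.
$Options = New-MsolLicenseOptions -AccountSkuId $Sku -DisabledPlans $Disable
Set-MsolUserLicense -UserPrincipalName $Upn -LicenseOptions $Options

# Read the result back: the four plans should now show as Disabled.
(Get-MsolUser -UserPrincipalName $Upn).Licenses |
    Where-Object { $_.AccountSkuId -eq $Sku } |
    ForEach-Object { $_.ServiceStatus } |
    Select-Object @{ Name = 'Plan'; Expression = { $_.ServicePlan.ServiceName } },
                  ProvisioningStatus
```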


When you check this using the Microsoft Online Portal you’ll see that the individual services are no longer available for this user:


Please be careful when removing licenses. When you do, the data stored in the accompanying application will be deleted as well!

Block Users using PowerShell

When a user leaves the organization it is not uncommon to block his user account. You can use the Set-MsolUser command with the –BlockCredential option, like this:

Set-MsolUser -UserPrincipalName -BlockCredential $true

To enable the account again, just change the –BlockCredential option to $false, like this:

Set-MsolUser -UserPrincipalName -BlockCredential $false

Remove Users using PowerShell

Removing users from Azure Active Directory is just a matter of using the Remove-MsolUser command with the –UserPrincipalName option. The –Force option suppresses the confirmation that normally follows a Remove PowerShell command, for example:

Remove-MsolUser -UserPrincipalName -Force

Clearly visible in the following figure is the confirmation message when the –Force option is omitted:


When users are deleted, they are not permanently deleted but they are stored in the Azure Active Directory recycle bin where they stay for another 30 days. Only then they are (automatically) permanently deleted. You can use the –RemoveFromRecycleBin option with the Remove-MsolUser command to remove the user account permanently, without temporarily storing them in the recycle bin.

Please be aware that when you remove a user account the user’s data is also deleted!

Restore Users from Recycle Bin

As explained in the previous section users are stored in the recycle bin when they are deleted using the Remove-MsolUser command. To get a list of all users that are located in the recycle bin you can use the Get-MsolUser command with the –ReturnDeletedUsers option, like this:

Get-MsolUser -ReturnDeletedUsers

As shown in the following figure:


To restore a user from the recycle bin, you can use the Restore-MsolUser command with the –UserPrincipalName, like this:

Restore-MsolUser -UserPrincipalName


Change Passwords and Password Policy using PowerShell

It is not uncommon for an administrator to change a user’s password, and in an Office 365 environment this is not different. To reset a user’s password using PowerShell you can use the Set-MsolUserPassword command with the –UserPrincipalName and –NewPassword options, for example:

Set-MsolUserPassword -UserPrincipalName -NewPassword 'Pass2015' -ForceChangePassword $TRUE

The –ForceChangePassword will make sure the user changes his password after the first logon to Office 365.

By default a user’s password in Azure Active Directory expires every 90 days with a 14 days notification interval. To change the password policy you can use the Set-MsolPasswordPolicy with the –DomainName, -ValidityPeriod and the –NotificationDays options, like this:

Set-MsolPasswordPolicy -ValidityPeriod 60 -NotificationDays 14 -DomainName

The ValidityPeriod determines how long a password can be used, and this can range from 14 days to 730 days (2 years). The NotificationDays is the number of days before the password expires that a user starts getting a notification. This can range from 1 day to 30 days.

To set a user’s password to never expire (which is not a best practice, but can be very useful for Service Account passwords, for example when setting up Directory Synchronization) you can use the Set-MsolUser command, for example:

Set-MsolUser -UserPrincipalName -PasswordNeverExpires $true
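Because a non-expiring password is an exception that should stay limited to service accounts, it helps to review these settings regularly. The following is an added example, not part of the original post: it reports the password policy of every managed domain and lists all accounts that have PasswordNeverExpires set. It assumes Connect-MsolService has already been run.

```powershell
# Added example. Assumes Connect-MsolService has already been run.

# 1. Password policy per verified, managed (non-federated) domain.
#    Assumption: empty values mean the policy was never changed, so the
#    defaults named on this page (90 and 14 days) are reported instead.
$Policies = Get-MsolDomain |
    Where-Object { $_.Status -eq 'Verified' -and $_.Authentication -eq 'Managed' } |
    ForEach-Object {
        $Policy = Get-MsolPasswordPolicy -DomainName $_.Name
        [pscustomobject]@{
            Domain           = $_.Name
            ValidityPeriod   = if ($Policy.ValidityPeriod) { $Policy.ValidityPeriod } else { 90 }
            NotificationDays = if ($Policy.NotificationDays) { $Policy.NotificationDays } else { 14 }
        }
    }

# 2. Accounts whose password never expires, oldest password first.
#    Every entry should be a known service account.
$NeverExpires = Get-MsolUser -All |
    Where-Object { $_.PasswordNeverExpires -eq $true } |
    Select-Object UserPrincipalName, IsLicensed, BlockCredential,
                  LastPasswordChangeTimestamp |
    Sort-Object LastPasswordChangeTimestamp

$Policies     | Format-Table -AutoSize
$NeverExpires | Format-Table -AutoSize
```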

For more information you can check the Manage Azure AD users on TechNet:

4 thoughts on “Manage users in Office 365 using PowerShell”

  1. Hi, and thanks for the post. I’m trying to remove Yammer licences using the example above but it doesn’t seem to have any effect. I notice Yammer is still ticked (but greyed out) in your screenshot (as normal) – are you able to confirm whether it prevented users from logging on to Yammer for you please?


  2. Hi Jaap, first I have read a number of your articles throughout the years and I wanted to thank you for the great information that you provide. My question is with regards to the -blockcredential action and how and when it takes effect as it pertains to Skype for Business Online. I have included the -blockcredential command in my user de-provisioning script when an employee leaves the company. My concern is whether this is enough to block a user who is actively in an SFB online session from sending an IM or joining a meeting. The concern is around when the block credential actually takes place due to the issue of authentication cache. All the best, Joe


    1. Hi Joe, I see what you mean, but to be honest I have no idea. I think you better ask this question at the SfB forum, this forum is also managed by Microsoft support employees and can better answer this question. I’m sorry

