Manage users in Office 365 using PowerShell

After you’ve added domains to your Office 365 environment (using PowerShell of course) you might want to add users as well. In this blog post I’ll discuss how to add users, add and change licenses, remove users and change password settings.

Add Users using PowerShell

Use the Get-MsolUser command to get an overview of all users in Azure Active Directory (these were created in an earlier blog post):

image

And use the Get-MsolAccountSku command to see what license is available:

image

When creating a new user in Azure Active Directory you can use the New-MsolUser command, combined with the results of the Get-MsolAccountSku command for the license information. You can use the -LicenseAssignment and -UsageLocation options to assign a proper license.

New-MsolUser -UserPrincipalName Santa@office365labs.nl -FirstName Santa -LastName Klaus -DisplayName 'Santa Klaus' -Password 'Pass2015' -ForceChangePassword:$TRUE -LicenseAssignment "inframan:ENTERPRISEPACK" -UsageLocation NL

The -ForceChangePassword option ensures the user changes his password the first time he logs on, either to the Online Portal or to OWA. Optional is the -BlockCredential $true option, which creates a disabled or blocked account in Azure Active Directory.

Of course it is also possible to create multiple users in Azure Active Directory from a CSV file. For example when using the following CSV file:

image

You can use a PowerShell command similar to this:

$Users = import-csv Bulk_Users.csv
ForEach ($User in $Users) {New-MsolUser -UserPrincipalName $User.UserName -FirstName $User.FirstName -LastName $User.LastName -DisplayName $User.DisplayName -Password 'Pass2015' -ForceChangePassword:$TRUE -LicenseAssignment "inframan:ENTERPRISEPACK" -UsageLocation NL}
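
The bulk command above gives every new account the same literal password, so all of them share one known credential until first logon. The following added example (not code from the original post) creates the same users with a separate random temporary password each; New-TempPassword and the 16-character length are assumptions of this example, and Connect-MsolService is assumed to have run already.

```powershell
# Added example: one random temporary password per user instead of a shared literal.
function New-TempPassword {
    param([int]$Length = 16)   # length is an assumption of this example
    # Look-alike characters (l, I, O, 0, 1) are left out to ease manual hand-over.
    $sets = 'abcdefghijkmnopqrstuvwxyz', 'ABCDEFGHJKLMNPQRSTUVWXYZ', '23456789'
    $all  = -join $sets
    $rng  = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf  = New-Object byte[] 1
    # Uniform pick from a string: reject bytes that would introduce modulo bias.
    $pick = {
        param([string]$Chars)
        $limit = 256 - (256 % $Chars.Length)
        do { $rng.GetBytes($buf) } while ($buf[0] -ge $limit)
        $Chars[$buf[0] % $Chars.Length]
    }
    do {
        $pw = -join (1..$Length | ForEach-Object { & $pick $all })
        # Retry until lower case, upper case and a digit are all present.
        $missing = $sets | Where-Object { $pw.IndexOfAny($_.ToCharArray()) -lt 0 }
    } while ($missing)
    $rng.Dispose()
    $pw
}

$Users   = Import-Csv Bulk_Users.csv   # same columns as the CSV used above
$Created = foreach ($User in $Users) {
    $Temp = New-TempPassword
    try {
        New-MsolUser -UserPrincipalName $User.UserName -FirstName $User.FirstName `
            -LastName $User.LastName -DisplayName $User.DisplayName `
            -Password $Temp -ForceChangePassword $true `
            -LicenseAssignment 'inframan:ENTERPRISEPACK' -UsageLocation NL `
            -ErrorAction Stop | Out-Null
        # Only record a password for accounts that were actually created.
        [pscustomobject]@{ UserPrincipalName = $User.UserName; TempPassword = $Temp }
    } catch {
        Write-Warning "Skipped $($User.UserName): $($_.Exception.Message)"
    }
}

# Hand each value to its user out of band; avoid saving this list to disk
# or running the script inside a transcript.
$Created | Format-Table -AutoSize
```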

Change licenses using PowerShell

To add, remove or change a license for a specific user you can use the Set-MsolUserLicense command, which accepts the -AddLicenses and -RemoveLicenses options. For example, to add a license to a user named Paul@office365labs.nl you can use a command like this:

Set-MsolUserLicense -UserPrincipalName paul@office365labs.nl -AddLicenses "inframan:ENTERPRISEPACK"

Or remove a license from a user:

Set-MsolUserLicense -UserPrincipalName paul@office365labs.nl -RemoveLicenses "inframan:ENTERPRISEPACK"

You can also combine the -AddLicenses and -RemoveLicenses options to replace a license, for example:

Set-MsolUserLicense -UserPrincipalName paul@office365labs.nl -RemoveLicenses "inframan:ENTERPRISEPACK" -AddLicenses <other license>

It is also possible to use only specific Service Plans in a subscription. For example, you can use the Get-MsolAccountSku command to retrieve the individual service plans:

Get-MsolAccountSku | Where {$_.SkuPartNumber -eq "ENTERPRISEPACK"} | ForEach {$_.ServiceStatus}

If you want to disable Yammer, Rights Management Server, Office Web Apps and SharePoint Enterprise you can use the following commands:

$Options = New-MsolLicenseOptions -AccountSkuId inframan:ENTERPRISEPACK -DisabledPlans YAMMER_ENTERPRISE,RMS_S_ENTERPRISE,SHAREPOINTWAC,SHAREPOINTENTERPRISE
Set-MsolUserLicense -UserPrincipalName john@office365labs.nl -LicenseOptions $Options

When you check this using the Microsoft Online Portal you’ll see that the individual services are no longer available for this user:

image

Please be careful when removing licenses. When you do, the data stored in the accompanying application will be deleted as well!

Block Users using PowerShell

When a user leaves the organization it is not uncommon to block his user account. You can use the Set-MsolUser command with the -BlockCredential option, like this:

Set-MsolUser -UserPrincipalName john@office365labs.nl -BlockCredential $true

To enable the account again, just change the -BlockCredential option to $false, like this:

Set-MsolUser -UserPrincipalName john@office365labs.nl -BlockCredential $false

Remove Users using PowerShell

Removing users from Azure Active Directory is just a matter of using the Remove-MsolUser command with the -UserPrincipalName option. The -Force option suppresses the confirmation that normally follows a Remove PowerShell command, for example:

Remove-MsolUser -UserPrincipalName john@office365labs.nl -Force

Clearly visible in the following figure is the confirmation message when the –Force option is omitted:

image

When users are deleted, they are not permanently deleted but are stored in the Azure Active Directory recycle bin, where they stay for another 30 days. Only then are they (automatically) permanently deleted. You can use the -RemoveFromRecycleBin option with the Remove-MsolUser command to remove the user account permanently, without temporarily storing it in the recycle bin.

Please be aware that when you remove a user account the user’s data is also deleted!

Restore Users from Recycle Bin

As explained in the previous section, users are stored in the recycle bin when they are deleted using the Remove-MsolUser command. To get a list of all users that are located in the recycle bin you can use the Get-MsolUser command with the -ReturnDeletedUsers option, like this:

Get-MsolUser -ReturnDeletedUsers

As shown in the following figure:

image

To restore the user john@office365labs.nl from the recycle bin, you can use the Restore-MsolUser command with the -UserPrincipalName option, like this:

Restore-MsolUser -UserPrincipalName john@office365labs.nl

Change Passwords and Password Policy using PowerShell

It is not uncommon for an administrator to change a user’s password, and in an Office 365 environment this is no different. To reset a user’s password using PowerShell you can use the Set-MsolUserPassword command with the -UserPrincipalName and -NewPassword options, for example:

Set-MsolUserPassword -UserPrincipalName john@office365labs.nl -NewPassword 'Pass2015' -ForceChangePassword $TRUE

The -ForceChangePassword option will make sure the user changes his password after the first logon to Office 365.

By default a user’s password in Azure Active Directory expires every 90 days with a 14-day notification interval. To change the password policy you can use the Set-MsolPasswordPolicy command with the -DomainName, -ValidityPeriod and -NotificationDays options, like this:

Set-MsolPasswordPolicy -ValidityPeriod 60 -NotificationDays 14 -DomainName office365labs.nl

The ValidityPeriod determines how long the password can be used, and this can range from 14 days to 730 days (2 years). The NotificationDays is the number of days before the password expires that a user gets a notification. This can range from 1 day to 30 days.

To set the password to never expire for a user (which is not a best practice, but can be very useful for Service Account passwords, for example when setting up Directory Synchronization) you can use the Set-MsolUser command, for example:

Set-MsolUser -UserPrincipalName SA_DirSync@inframan.nl -PasswordNeverExpires $true
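
Because a non-expiring password is the exception rather than the rule, it helps to review periodically which accounts carry the setting. The following added example (not code from the original post) lists accounts with a non-expiring password that are not on an approved service-account list, and approved ones whose password has not been rotated; the allowlist contents and the 365-day threshold are assumptions of this example.

```powershell
# Added example. Assumes Connect-MsolService has already run.
# The allowlist and the rotation threshold are constructed values.
$Approved   = @('SA_DirSync@inframan.nl')
$RotateDays = 365
$Now        = (Get-Date).ToUniversalTime()

$Findings = Get-MsolUser -All |
    Where-Object { $_.PasswordNeverExpires -eq $true } |
    ForEach-Object {
        # Password age in whole days, or $null when no timestamp is recorded.
        $ageDays = if ($_.LastPasswordChangeTimestamp) {
            [int]($Now - $_.LastPasswordChangeTimestamp).TotalDays
        } else { $null }

        $finding = if ($Approved -notcontains $_.UserPrincipalName) {
            'Non-expiring password on an account that is not an approved service account'
        } elseif ($null -eq $ageDays -or $ageDays -gt $RotateDays) {
            "Approved service account, password age unknown or older than $RotateDays days"
        } else { $null }

        if ($finding) {
            [pscustomobject]@{
                UserPrincipalName = $_.UserPrincipalName
                SignInBlocked     = $_.BlockCredential
                PasswordAgeDays   = $ageDays
                Finding           = $finding
            }
        }
    }

$Findings | Sort-Object Finding, UserPrincipalName | Format-Table -AutoSize
```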

For more information you can check the Manage Azure AD users on TechNet: https://msdn.microsoft.com/en-us/library/azure/dn919674.aspx

4 thoughts on “Manage users in Office 365 using PowerShell”

  1. Hi, and thanks for the post. I’m trying to remove Yammer licences using the example above but it doesn’t seem to have any effect. I notice Yammer is still ticked (but greyed out) in your screenshot (as normal) – are you able to confirm whether it prevented users from logging on to Yammer for you please?

  2. Hi Jaap, first I have read a number of your articles throughout the years and I wanted to thank you for the great information that you provide. My question is with regards to the -BlockCredential action and how and when it takes effect as it pertains to Skype for Business Online. I have included the -BlockCredential command in my user de-provisioning script when an employee leaves the company. My concern is: is this enough to block the user who is actively in a SFB Online session from sending an IM or joining a meeting? The concern is around when the block credential actually takes place due to the issue of authentication cache. All the best, Joe

    1. Hi Joe, I see what you mean, but to be honest I have no idea. I think you had better ask this question at the SfB forum; this forum is also managed by Microsoft support employees, who can better answer this question. I’m sorry.
