Thursday, 14 February 2019

Manage Office 365 Groups using Azure AD Powershell module

Previously, you could manage modern Office 365 Groups (or Unified Groups) through the Exchange Online PowerShell module. The Azure AD PowerShell team has now introduced new AzureADMSGroup cmdlets that expose Microsoft Graph functionality for creating and managing unified groups, including modern O365 groups and dynamic groups, from PowerShell.

Before proceeding, run the command below to connect to the Azure AD PowerShell for Graph module:

Create new Office 365 Group:

In the Exchange module you run the New-UnifiedGroup cmdlet to create an Office 365 Group; here you use the New-AzureADMSGroup cmdlet instead.
New-AzureADMSGroup -DisplayName "Test O365 Group" -MailNickname "TestO365Group" -GroupTypes "Unified" -Description "This is a test group" -MailEnabled $true -SecurityEnabled $true
Note: When you create a group using New-UnifiedGroup, the mailbox is created immediately. When you use New-AzureADMSGroup, the group object is first created in Azure AD and then synchronized with Exchange Online, which creates the group mailbox, so there may be some delay before the mailbox is ready for a group created by New-AzureADMSGroup.

Get a list of all Office 365 Groups:

In the Exchange module you use the Get-UnifiedGroup command to retrieve all unified groups; with Azure AD PowerShell you can achieve the same using the Get-AzureADMSGroup cmdlet.

By default, the Get-AzureADMSGroup cmdlet returns information about all types of groups in Azure Active Directory.
Get-AzureADMSGroup -All:$true
We need to apply a filter to list only Office 365 groups.
Get-AzureADMSGroup -Filter "groupTypes/any(c:c eq 'Unified')" -All:$true

Export report to CSV file:

Get-AzureADMSGroup -Filter "groupTypes/any(c:c eq 'Unified')" -All:$true |
    Select-Object DisplayName, Mail, Visibility |
    Export-CSV "C:\O365Groups.csv" -NoTypeInformation -Encoding UTF8

Find members and owners of an Office 365 Group:

With the Exchange module you can list group members and owners by using the Get-UnifiedGroupLinks cmdlet; here you use the Get-AzureADGroupMember command to find members and the Get-AzureADGroupOwner command to list owners.
Get-AzureADGroupMember -ObjectId (Get-AzureADGroup -SearchString "<GroupName>").ObjectId

List owners for the given group:

Get-AzureADGroupOwner -ObjectId (Get-AzureADGroup -SearchString "<GroupName>").ObjectId

Wednesday, 13 February 2019

Copy Members from Distribution Group to Office 365 Group in PowerShell

In this post, I am going to write a PowerShell script to add users to an Office 365 group by importing members from a distribution list. We can use the Exchange PowerShell cmdlet Get-DistributionGroupMember to get the members of a distribution group and the command Add-UnifiedGroupLinks to add a user as a member of an existing Unified group.

Before proceeding, run the following commands to connect to the Exchange Online PowerShell module.
$365Logon = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "<ExchangeOnlineConnectionUri>" -Credential $365Logon -Authentication Basic -AllowRedirection
Import-PSSession $Session
The PowerShell command below retrieves the members of a given distribution group.
Get-DistributionGroupMember -Identity "YourDG" -ResultSize Unlimited
Use the command below to add users to an existing Office 365 group.
Add-UnifiedGroupLinks -Identity "O365Group" -LinkType Members -Links "<UserEmailAddress>"

Copy members from distribution list to Office 365 group:

#Source - Provide distribution group
$DistGroup = "TestDG"
#Target - Provide office 365 group
$O365Group = "TestO365Group"
#Wrap in @() so .Count is correct even when the group has a single member
$DG_members = @(Get-DistributionGroupMember -Identity $DistGroup -ResultSize Unlimited)
$totalMembers = $DG_members.Count
$i = 1
$DG_members | ForEach-Object {
    Write-Progress -activity "Processing $_" -status "$i out of $totalMembers members added"
    Add-UnifiedGroupLinks -Identity $O365Group -LinkType Members -Links $_.PrimarySmtpAddress
    $i++
}
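
A pre-flight variant of the copy above, as an added example that is not part of the original post: it reports which distribution group members would be added, skips recipients that are not user mailboxes or are already members, and previews the change with -WhatIf. It assumes an imported Exchange Online session; the `$allowedTypes` policy is an assumption chosen for illustration.

```powershell
# Added example (not from the original post). Assumes an Exchange Online session is imported.
$DistGroup = "TestDG"            # source distribution group (name used in the post)
$O365Group = "TestO365Group"     # target Office 365 group (name used in the post)
# Assumption: only user mailboxes are copied automatically. Mail users (including
# guests), mail contacts and nested groups are reported for manual review instead.
$allowedTypes = @('UserMailbox')

$dgMembers = @(Get-DistributionGroupMember -Identity $DistGroup -ResultSize Unlimited)
$existing  = @(Get-UnifiedGroupLinks -Identity $O365Group -LinkType Members -ResultSize Unlimited |
    ForEach-Object { "$($_.PrimarySmtpAddress)".ToLower() })

# Build a plan first so the change can be reviewed before anything is modified.
$plan = foreach ($m in $dgMembers) {
    $smtp = "$($m.PrimarySmtpAddress)".ToLower()
    $type = "$($m.RecipientType)"
    if ($allowedTypes -notcontains $type) {
        $action = 'Skip-RecipientType'
    } elseif ($existing -contains $smtp) {
        $action = 'Skip-AlreadyMember'
    } else {
        $action = 'Add'
    }
    [PSCustomObject]@{ Member = $smtp; RecipientType = $type; Action = $action }
}
$plan | Sort-Object Action, Member | Format-Table -AutoSize

$toAdd = @($plan | Where-Object { $_.Action -eq 'Add' } | ForEach-Object { $_.Member })
if ($toAdd.Count -gt 0) {
    # -WhatIf only previews the change; remove it to apply after reviewing the plan.
    Add-UnifiedGroupLinks -Identity $O365Group -LinkType Members -Links $toAdd -WhatIf
}
```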

Thursday, 7 February 2019

Find Disabled Users in Office 365 Group using Powershell

In this post, I am going to share a PowerShell script to find and list disabled users that are still members of Office 365 Groups. In an Azure AD environment, disabled users are simply users whose sign-in access is blocked. You can retrieve Office 365 group members using the Exchange Online PowerShell command Get-UnifiedGroupLinks and find each member's account status by using the Azure AD PowerShell command Get-AzureADUser, so we need to connect both PowerShell modules before running the script.

First connect to the Exchange Online PowerShell module by running the commands below:
$365Logon = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "<ExchangeOnlineConnectionUri>" -Credential $365Logon -Authentication Basic -AllowRedirection
Import-PSSession $Session
Run the command below to import the AzureAD module:

Find and list disabled users who are still members of a given Office 365 group:

#Replace your group name
$o365Group = "YourO365Group"
#Collects one entry per resolved member
$Result = @()
$groupMembers = Get-UnifiedGroupLinks -Identity $o365Group -LinkType Members -ResultSize Unlimited
$groupMembers | ForEach-Object {
    $memberId = $_.ExternalDirectoryObjectId
    $user = Get-AzureADUser -ObjectId $memberId -ErrorAction SilentlyContinue
    If ($user -ne $Null) {
        If ($user.AccountEnabled -eq $true) {
            $userStatus = "Enabled"
        } Else {
            $userStatus = "Disabled"
        }
        $Result += New-Object PSObject -property @{
            UserName = $user.DisplayName
            UserPrincipalName = $user.UserPrincipalName
            AccountStatus = $userStatus
        }
    } Else {
        #Write-Host "User not found: $($_.DisplayName)"
    }
}
$Result | Where-Object {$_.AccountStatus -eq "Disabled"} | Select-Object UserName,UserPrincipalName

Export result to CSV file:

You can export the disabled members of the given Office 365 Group to a CSV file by running the command below.
$Result | Where-Object {$_.AccountStatus -eq "Disabled"} |
    Select-Object UserName,UserPrincipalName |
    Export-CSV "C:\DisabledO365GroupMembers.csv" -NoTypeInformation -Encoding UTF8

Find enabled users alone in Office 365 Group:

You can run the command below to list only the enabled users that are members of the given O365 group.
$Result | Where-Object {$_.AccountStatus -eq "Enabled"} | Select-Object UserName,UserPrincipalName
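
The single-group check above, generalized to a tenant-wide access review using only the AzureAD cmdlets shown on this page (Get-AzureADMSGroup, Get-AzureADGroupMember, Get-AzureADGroupOwner, Get-AzureADUser). This is an added example, not the original post's script: it reports sign-in-blocked accounts that are still members or owners of any Unified group. It assumes Connect-AzureAD has already been run; the output path is a constructed sample.

```powershell
# Added example (not from the original post). Assumes Connect-AzureAD has been run.
$unifiedGroups = Get-AzureADMSGroup -Filter "groupTypes/any(c:c eq 'Unified')" -All $true
$userCache = @{}   # ObjectId -> user object, so each account is resolved only once

$findings = foreach ($group in $unifiedGroups) {
    # Tag each link so the report distinguishes stale owners from stale members.
    $links = @(Get-AzureADGroupMember -ObjectId $group.Id -All $true |
                   Select-Object ObjectId, ObjectType, @{ n = 'Link'; e = { 'Member' } }) +
             @(Get-AzureADGroupOwner -ObjectId $group.Id -All $true |
                   Select-Object ObjectId, ObjectType, @{ n = 'Link'; e = { 'Owner' } })

    foreach ($link in $links) {
        if ($link.ObjectType -ne 'User') { continue }   # ignore non-user directory objects
        if (-not $userCache.ContainsKey($link.ObjectId)) {
            $userCache[$link.ObjectId] =
                Get-AzureADUser -ObjectId $link.ObjectId -ErrorAction SilentlyContinue
        }
        $user = $userCache[$link.ObjectId]
        # AccountEnabled -eq $false means sign-in is blocked for this account.
        if ($null -ne $user -and $user.AccountEnabled -eq $false) {
            [PSCustomObject]@{
                GroupName         = $group.DisplayName
                GroupVisibility   = $group.Visibility
                Link              = $link.Link
                UserPrincipalName = $user.UserPrincipalName
                UserType          = $user.UserType
            }
        }
    }
}

$findings | Sort-Object GroupName, Link, UserPrincipalName | Format-Table -AutoSize
# Constructed sample path; change it to suit your environment.
$findings | Export-Csv "C:\DisabledUsersInO365Groups.csv" -NoTypeInformation -Encoding UTF8
```

A disabled account listed as an owner deserves attention first, since a group whose only owners are disabled has nobody left to manage its membership.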

How to map Mailbox object with AzureAD user object using Powershell

Recently I wrote a PowerShell script to find disabled users that are associated with a particular set of mailboxes. For this, I first have to get the mailboxes using the Exchange Online PowerShell cmdlet Get-Mailbox, then I need to find the Azure AD object for each required mailbox using the Get-AzureADUser cmdlet. The Get-AzureADUser cmdlet accepts the ID parameter only as a UPN or ObjectId of a user in Azure AD. After exploring the Mailbox object attributes, I didn't find any attribute with the name UserPrincipalName or ObjectId, and the properties Id, Guid and Identity are not suitable here as they hold different values. Finally, I found that the attribute ExternalDirectoryObjectId holds the same value as its equivalent Azure AD object's ObjectId value.

Note: You might have noticed that the properties WindowsEmailAddress and PrimarySmtpAddress have the same value as the UserPrincipalName in Azure AD, but I have not preferred either of these two fields as they may or may not be equivalent to the UPN in all cases.
$mailbox = Get-Mailbox -Identity "Alex Wilber"
$azureADuser = Get-AzureADUser -ObjectId $mailbox.ExternalDirectoryObjectId

How to find AzureAD user object for its equivalent mailbox object in Powershell
You can also find the attribute ExternalDirectoryObjectId with other Exchange powershell cmdlets like Get-Recipient.
$mailbox = Get-Recipient -Identity "Alex Wilber"
$azureADuser = Get-AzureADUser -ObjectId $mailbox.ExternalDirectoryObjectId

Tuesday, 5 February 2019

Find and Export Disabled Office 365 Users using Powershell

In this post, I am going to share PowerShell commands to find the list of disabled or sign-in blocked Azure AD users and export them to a CSV file. We can use the Azure AD PowerShell command Get-AzureADUser to get user details; its output includes the property AccountEnabled, which indicates the user account status.

Before proceeding, install the Azure Active Directory PowerShell for Graph module and run the command below to connect to the Azure AD PowerShell module:
The command below checks whether the given user account is enabled or disabled.
$user = ""
$accountEnabled = (Get-AzureADUser -ObjectId $user).AccountEnabled
If ($accountEnabled) {
    Write-Host "$user : account enabled" -foreground Green
} Else {
    Write-Host "$user : account disabled" -foreground Red
}

Find and List All Disabled Office 365 Users:

Get-AzureADUser -All $True | Where-Object { $_.AccountEnabled -eq $false}

Export Disabled Users to CSV file:

Get-AzureADUser -All $True | Where-Object { $_.AccountEnabled -eq $false} |
    Select-Object UserPrincipalName, DisplayName |
    Export-CSV "C:\DisabledO365Users.csv" -NoTypeInformation -Encoding UTF8

Monday, 21 January 2019

Set Language and TimeZone in Office 365 Mailboxes using Powershell

Mailbox users can easily change their regional settings from Outlook Web App (OWA). But in some scenarios, we may need to change the language and time zone settings for mailboxes in bulk. We can use the Exchange PowerShell cmdlet Set-MailboxRegionalConfiguration to set a mailbox's regional configuration. The same command also works for Exchange on-premises mailboxes.

Before proceeding, run the following commands to connect to the Exchange Online PowerShell module.
$365Logon = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "<ExchangeOnlineConnectionUri>" -Credential $365Logon -Authentication Basic -AllowRedirection
Import-PSSession $Session
Run the command below to set the language “German” and time zone “W. Europe Standard Time”.
Set-MailboxRegionalConfiguration -Identity "" -Language 1031 -TimeZone "W. Europe Standard Time" -DateFormat "dd.MM.yyyy" -TimeFormat "HH:mm"
You can get the required language id from this source: Language Locale ID Values and you can get the time zone name from this source: Time Zone Values.

You can retrieve the existing regional configuration by running the command below.
Get-MailboxRegionalConfiguration -Identity ""
You can also set language and time zone values individually.
Set-MailboxRegionalConfiguration -Identity "" -TimeZone "W. Europe Standard Time"
Set-MailboxRegionalConfiguration -Identity "" -Language 1031 -DateFormat "dd.MM.yyyy" -TimeFormat "HH:mm"
You have to set a date format that is supported by the corresponding language. When you set the language without date and time formats, you will get an error like 'DateFormat "M/d/yyyy" isn't valid for current language setting "de-DE"' if the existing date and time format does not support the new language setting.

Set Regional Configuration for all Mailboxes:

Get-Mailbox -ResultSize Unlimited | Set-MailboxRegionalConfiguration -Language en-US -TimeZone "Pacific Standard Time" -DateFormat "M/d/yyyy" -TimeFormat "h:mm tt"

Set language and time zone for multiple users from CSV:

Use the PowerShell commands below to set regional settings for Office 365 mailbox users in bulk by importing the users from a CSV file. Consider the CSV file MailBoxUsers.csv, which contains a set of mailbox users with the CSV column headers UserPrincipalName, TimeZone, Language, DateFormat and TimeFormat.
Import-Csv 'C:\MailboxUsers.csv' | ForEach-Object {
    $mailbox = $_."UserPrincipalName"
    $language = $_."Language" # Use language code (Ex: de-DE) as input. Don't use language id here.
    $timeZone = $_."TimeZone"
    Set-MailboxRegionalConfiguration -Identity $mailbox -Language $language -TimeZone $timeZone -DateFormat $_."DateFormat" -TimeFormat $_."TimeFormat"
}
You can list the regional configuration of all mailboxes by running the command below.
Get-Mailbox -ResultSize Unlimited | Get-MailboxRegionalConfiguration
You can also export the results to a CSV file by running the command below.
Get-Mailbox -ResultSize Unlimited | Get-MailboxRegionalConfiguration | Export-CSV "C:\Mailbox-Regional-Configs.csv" -NoTypeInformation -Encoding UTF8
Note: Regional settings changed through PowerShell will not be reflected immediately in all services; it may take a few minutes to hours to sync across all services.

Saturday, 19 January 2019

Set up Manager for Office 365 Users

Every organization should have a hierarchy set up for its employees so that day-to-day work runs smoothly. Office 365 is introducing many advanced features (e.g. Office 365 Groups, Flow, Planner, Teams, etc.) to reduce the hurdles in collaboration and communication between employees and their managers. So, setting up a manager for users is important for using advanced features like Flow and Workflow.

In this post, we are going to explain how to update the manager field for Azure AD users in three different ways.

Set Manager via Exchange Online Admin center

You can follow the steps below to set a manager for the required mailbox user through the Exchange Online Admin center.
  • Go to Office 365 Admin center.
  • In the left navigation, expand Admin centers, and then select Exchange.
  • In the Exchange Administration Center (EAC), navigate to recipients > mailboxes.
  • Select the required user to update the manager field and then click on the Edit icon.
  • In the Edit User Mailbox popup, go to the organization tab, where you can set the manager field as shown in the image below.
Add manager from Exchange Admin Center

Set Manager via Azure AD portal

Follow the steps below to configure a manager from the Azure AD Portal.
  • Go to Azure AD Portal.
  • In the left navigation, click Azure Active Directory and click Users.
  • Select the required user (click on the user name hyperlink), click on Edit under the Job info section and then add or remove the manager field as shown in the image below.
Add or Remove manager from office 365 user in Azure AD Portal

Set or Remove Manager using PowerShell

PowerShell is always a good tool for administrators to manage Azure AD objects. We can use the Azure AD PowerShell cmdlet Set-AzureADUserManager to set the manager field and Remove-AzureADUserManager to remove the manager.

Before proceeding, install Azure Active Directory PowerShell for Graph and run the command below to connect to the Azure AD PowerShell module:
You can run the following commands to add a manager after replacing the required user's and manager's UPN or ObjectId.
$User  = ""
$Manager  = ""
$ManagerObj = Get-AzureADUser -ObjectId $Manager
Set-AzureADUserManager -ObjectId $User -RefObjectId $ManagerObj.ObjectId
You can run the following command to remove or clear the manager field.
Remove-AzureADUserManager -ObjectId ""
You can check a user's existing manager value by running the following command.
Get-AzureADUserManager -ObjectId ""
Note: Setting the manager field in one place is not immediately reflected in other places or in Delve; you have to wait a few minutes to hours for a full crawl of Active Directory by the SharePoint User Profiles.

Thursday, 20 December 2018

Office 365 Admin Roles that have permission to manage user licenses

Managing Office 365 user licenses is an occasional or maybe a one-time task, but we can't always use the Global Admin account to administer licenses. In a large environment with thousands of users, we may need to assign a dedicated person to manage user licenses.

Earlier, you needed either the Global administrator or the User management administrator role to update user licenses, but Office 365 has now introduced a new admin role, License administrator.

With any one of the admin roles below, users can add, update and remove a user's license subscription or individual service plans:
  • License administrator
  • User management administrator
  • Global administrator
With any one of the above roles, you can manage licenses in the following three ways: