Get a list of every customer's Office 365 administrators via PowerShell and delegated administration
To increase security in our customers' Office 365 tenants, we're keeping track of all Global Administrators and blocking sign-in for any unnecessary accounts until we've reset their credentials and documented them securely.
The type of user we're most concerned with is the unlicensed Company Administrator (Company Administrator is the name the MSOnline module uses for the Global Administrator role). This is usually the default account that's created when a customer or partner first sets up Office 365. However, the person who set up or purchased Office 365 is often not the person who should hold administrative credentials for the entire company, and an unlicensed admin account that nobody uses day to day is easy to forget about.
I've broken this process down into two scripts (plus a variant of the first that also includes licensed admins):
- The first script checks every Office 365 customer for unlicensed users that are members of the Company Administrator role. Once it's finished, it exports the details to a CSV file.
- The second script reads those unlicensed admins back from the CSV and blocks their sign-in.
Looking for a different type of User Role?
If you'd like a report on users with a different role, just modify the $RoleName variable in the first script. The name must match the role name exactly as Get-MsolRole returns it (run Get-MsolRole to see the current list in your tenant). At the time of writing, these were the roles you could choose from:
- Compliance Administrator
- Exchange Service Administrator
- Partner Tier1 Support
- Company Administrator
- Helpdesk Administrator
- Lync Service Administrator
- Directory Readers
- Directory Writers
- Device Join
- Device Administrators
- Billing Administrator
- Workplace Device Join
- Directory Synchronization Accounts
- Device Users
- Partner Tier2 Support
- Service Support Administrator
- SharePoint Service Administrator
- User Account Administrator
Get a CSV of all Unlicensed Office 365 Admins via PowerShell using Delegated Administration
- You'll need to ensure you have the Azure Active Directory PowerShell Module (MSOnline) installed; follow our quick guide here for instructions. Note that Microsoft has since deprecated the MSOnline module in favour of the Microsoft Graph PowerShell SDK, so these scripts will stop working once it's retired.
- Copy and paste the following script into Visual Studio Code, PowerShell ISE, Notepad etc.
- Save it with an extension of .ps1 and run it using Windows PowerShell
```powershell
cls
Import-Module MSOnline

# This is the username of an Office 365 account with delegated admin permissions.
# (The address below is a placeholder; use your partner tenant admin's UPN.)
$UserName = "[email protected]"
$Cred = Get-Credential -Credential $UserName

# This script is looking for unlicensed Company Administrators (the Global Administrator role).
# You can update the role here to look for another role type; the name must match Get-MsolRole exactly.
$RoleName = "Company Administrator"

Connect-MsolService -Credential $Cred

$Customers = Get-MsolPartnerContract -All
$msolUserResults = @()

# This is the path of the exported CSV. The C:\temp folder is created if it doesn't exist.
# You can change this, though you'll need to update the next script with the new path.
$msolUserCsv = "C:\temp\AdminUserList.csv"
$csvFolder = Split-Path -Parent $msolUserCsv
if (-not (Test-Path $csvFolder)) { New-Item -ItemType Directory -Path $csvFolder | Out-Null }

# Look the role up once. The ObjectId that Get-MsolRole returns for a built-in role is its
# role template ID, which is the same in every tenant, so it can be reused for each customer.
$CompanyAdminRole = Get-MsolRole | Where-Object { $_.Name -eq $RoleName }
if (-not $CompanyAdminRole) { throw "Role '$RoleName' not found. Run Get-MsolRole to list the available roles." }
$RoleID = $CompanyAdminRole.ObjectId

ForEach ($Customer in $Customers) {
    Write-Host "----------------------------------------------------------"
    Write-Host "Getting Unlicensed Admins for $($Customer.Name)"
    Write-Host " "

    $Admins = Get-MsolRoleMember -TenantId $Customer.TenantId -RoleObjectId $RoleID

    foreach ($Admin in $Admins) {
        # Skip members with no email address (e.g. service principals) and skip licensed admins
        if ($null -ne $Admin.EmailAddress -and -not $Admin.IsLicensed) {
            $MsolUserDetails = Get-MsolUser -UserPrincipalName $Admin.EmailAddress -TenantId $Customer.TenantId
            $LicenseStatus = $MsolUserDetails.IsLicensed

            $userProperties = @{
                TenantId        = $Customer.TenantId
                CompanyName     = $Customer.Name
                PrimaryDomain   = $Customer.DefaultDomainName
                DisplayName     = $Admin.DisplayName
                EmailAddress    = $Admin.EmailAddress
                IsLicensed      = $LicenseStatus
                BlockCredential = $MsolUserDetails.BlockCredential
            }

            Write-Host "$($Admin.DisplayName) from $($Customer.Name) is an unlicensed member of $RoleName"
            $msolUserResults += New-Object psobject -Property $userProperties
        }
    }
    Write-Host " "
}

$msolUserResults |
    Select-Object TenantId, CompanyName, PrimaryDomain, DisplayName, EmailAddress, IsLicensed, BlockCredential |
    Export-Csv -NoTypeInformation -Path $msolUserCsv

Write-Host "Export Complete"
```
Get a CSV of all Licensed AND Unlicensed Office 365 Admins via PowerShell using Delegated Administration
The only difference between this script and the last one is that this one gets ALL administrators, licensed or not.
- You'll need to ensure you have the Azure Active Directory PowerShell Module (MSOnline) installed; follow our quick guide here for instructions.
- Copy and paste the following script into Visual Studio Code, PowerShell ISE, Notepad etc.
- Save it with an extension of .ps1 and run it using Windows PowerShell
```powershell
cls
Import-Module MSOnline

# This is the username of an Office 365 account with delegated admin permissions.
# (The address below is a placeholder; use your partner tenant admin's UPN.)
$UserName = "[email protected]"
$Cred = Get-Credential -Credential $UserName

# This script reports every Company Administrator (Global Administrator), licensed or not.
# You can update the role here to look for another role type; the name must match Get-MsolRole exactly.
$RoleName = "Company Administrator"

Connect-MsolService -Credential $Cred

$Customers = Get-MsolPartnerContract -All
$msolUserResults = @()

# This is the path of the exported CSV. The C:\temp folder is created if it doesn't exist.
# You can change this, though you'll need to update the next script with the new path.
$msolUserCsv = "C:\temp\AdminUserList.csv"
$csvFolder = Split-Path -Parent $msolUserCsv
if (-not (Test-Path $csvFolder)) { New-Item -ItemType Directory -Path $csvFolder | Out-Null }

# Look the role up once; the built-in role's ObjectId (its template ID) is the same in every tenant.
$CompanyAdminRole = Get-MsolRole | Where-Object { $_.Name -eq $RoleName }
if (-not $CompanyAdminRole) { throw "Role '$RoleName' not found. Run Get-MsolRole to list the available roles." }
$RoleID = $CompanyAdminRole.ObjectId

ForEach ($Customer in $Customers) {
    Write-Host "----------------------------------------------------------"
    Write-Host "Getting Admins for $($Customer.Name)"
    Write-Host " "

    $Admins = Get-MsolRoleMember -TenantId $Customer.TenantId -RoleObjectId $RoleID

    foreach ($Admin in $Admins) {
        # Skip members with no email address (e.g. service principals), which can't be looked up as users
        if ($null -ne $Admin.EmailAddress) {
            $MsolUserDetails = Get-MsolUser -UserPrincipalName $Admin.EmailAddress -TenantId $Customer.TenantId
            $LicenseStatus = $MsolUserDetails.IsLicensed

            $userProperties = @{
                TenantId        = $Customer.TenantId
                CompanyName     = $Customer.Name
                PrimaryDomain   = $Customer.DefaultDomainName
                DisplayName     = $Admin.DisplayName
                EmailAddress    = $Admin.EmailAddress
                IsLicensed      = $LicenseStatus
                BlockCredential = $MsolUserDetails.BlockCredential
            }

            Write-Host "$($Admin.DisplayName) from $($Customer.Name) is a member of $RoleName (licensed: $LicenseStatus)"
            $msolUserResults += New-Object psobject -Property $userProperties
        }
    }
    Write-Host " "
}

$msolUserResults |
    Select-Object TenantId, CompanyName, PrimaryDomain, DisplayName, EmailAddress, IsLicensed, BlockCredential |
    Export-Csv -NoTypeInformation -Path $msolUserCsv

Write-Host "Export Complete"
```
Block access to the Office 365 Admins in the CSV file
- Make sure you've thoroughly checked the exported CSV file and removed any essential Office 365 admins, including the account you'll run the script as and any account that is a tenant's only remaining Global Administrator.
- Blocking sign-in only stops new sign-ins; sessions that are already signed in can keep working until their tokens expire, so reset the password as well when you get around to reclaiming each account.
- Copy and paste the following script into Visual Studio Code, PowerShell ISE, Notepad etc.
- Save it with an extension of .ps1 and run it using Windows PowerShell
```powershell
cls
Import-Module MSOnline

# This is the username of an Office 365 account with delegated admin permissions.
# (The address below is a placeholder; use your partner tenant admin's UPN.)
$UserName = "[email protected]"
$Cred = Get-Credential -Credential $UserName

# This must be the CSV exported by the first script, after you've reviewed it
$users = Import-Csv "C:\temp\AdminUserList.csv"

Connect-MsolService -Credential $Cred

ForEach ($user in $users) {
    $tenantID = $user.TenantId
    $upn = $user.EmailAddress

    # Never block the account this script is signed in as
    if ($upn -eq $UserName) {
        Write-Output "Skipping $upn (the account running this script)"
        continue
    }

    Write-Output "Blocking sign in for: $upn"
    Set-MsolUser -TenantId $tenantID -UserPrincipalName $upn -BlockCredential $true
}
```
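Reviewing the CSV by hand works for a handful of tenants, but it's easy to lock a customer out by blocking the only account that can still sign in. The script below is an added example, not one of the original post's scripts: it takes the columns of the "licensed AND unlicensed" report, groups the rows per tenant, and produces a blocking plan that never touches the delegated admin account running the script, never blocks licensed admins automatically, and refuses to block an unlicensed admin if no licensed, unblocked admin would remain in that tenant. The Get-AdminBlockPlan function name, the $RunningAs address, and the tenant IDs, domains and people in the embedded CSV are all constructed sample values.

```powershell
# Added example, not one of the original post's scripts.
# Builds a per-tenant blocking plan from the report CSV instead of blocking every row.
# Safety rules:
#   1. never block the delegated admin account that is running the script,
#   2. never block a licensed admin automatically (those need a human decision), and
#   3. never block the last licensed, unblocked Company Administrator in a tenant.
# $RunningAs, the tenant IDs, domains and people below are constructed sample values.

function Get-AdminBlockPlan {
    param(
        # Rows with the report's columns: TenantId, CompanyName, EmailAddress, IsLicensed, BlockCredential
        [Parameter(Mandatory)] [object[]] $Admins,
        # UPN of the delegated admin running the script
        [Parameter(Mandatory)] [string] $RunningAs
    )

    foreach ($tenant in ($Admins | Group-Object -Property TenantId)) {
        $rows = $tenant.Group
        # Export-Csv writes booleans as the strings "True"/"False", so compare as strings.
        # "Usable" admins are the ones that will still be able to sign in after the block.
        $usable = @($rows | Where-Object { $_.IsLicensed -eq 'True' -and $_.BlockCredential -ne 'True' })

        foreach ($row in $rows) {
            if     ($row.EmailAddress -eq $RunningAs) { $action = 'skip: account running this script' }
            elseif ($row.BlockCredential -eq 'True')  { $action = 'skip: already blocked' }
            elseif ($row.IsLicensed -eq 'True')       { $action = 'skip: licensed admin, review by hand' }
            elseif ($usable.Count -eq 0)              { $action = 'skip: no other usable admin in tenant' }
            else                                      { $action = 'block' }

            [pscustomobject]@{
                TenantId     = $row.TenantId
                CompanyName  = $row.CompanyName
                EmailAddress = $row.EmailAddress
                Action       = $action
            }
        }
    }
}

# Constructed sample report with the same columns as the export above. In practice replace with:
#   $rows = Import-Csv "C:\temp\AdminUserList.csv"
$sampleCsv = @'
TenantId,CompanyName,PrimaryDomain,DisplayName,EmailAddress,IsLicensed,BlockCredential
11111111-1111-1111-1111-111111111111,Contoso,contoso.com,Setup Account,setup@contoso.com,False,False
11111111-1111-1111-1111-111111111111,Contoso,contoso.com,Jane Admin,jane@contoso.com,True,False
22222222-2222-2222-2222-222222222222,Fabrikam,fabrikam.com,Old Admin,old@fabrikam.com,False,False
'@
$rows = $sampleCsv | ConvertFrom-Csv

$plan = Get-AdminBlockPlan -Admins $rows -RunningAs 'admin@partner.onmicrosoft.com'
$plan | Format-Table -AutoSize

# Apply the plan. Set $Apply = $true only after reviewing the table above, and
# run Connect-MsolService -Credential (Get-Credential) first.
$Apply = $false
if ($Apply) {
    foreach ($item in ($plan | Where-Object { $_.Action -eq 'block' })) {
        Set-MsolUser -TenantId $item.TenantId -UserPrincipalName $item.EmailAddress -BlockCredential $true
    }
}
```

With the sample rows, the unlicensed setup account at Contoso is marked for blocking because a licensed, unblocked admin remains, while the unlicensed admin at Fabrikam is skipped because blocking it would leave that tenant with no admin who can sign in. The plan is printed before anything is changed, and the Set-MsolUser call sits behind an explicit $Apply switch, so the script can be run as a dry run against the real CSV first.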
How to re-enable Office 365 admins via PowerShell using delegated administration
In our case, we'll be re-enabling these users and resetting their credentials when it comes time to connect to them via Exchange Online. See our guide for an example of how to re-enable these users when required.