Managing users in Office 365 delegated tenants via PowerShell

Managing users in Office 365 delegated tenants via PowerShell

Managing users in your clients Office 365 tenants is quite easy via PowerShell.  You just need to connect using your own account (provided it has delegated permissions), and retrieve the client’s tenant ID.

From there, all the commands are the same as if you were running them on your own tenant, you just add the -tenantid $tenantID parameter to each cmdlet.

For instance the following would get a list of users in your own Office 365 organisation:


While this would get a list of users in the Office 365 tenant that matches that ID:

Get-MsolUser -TenantId $tenantID

Keep in mind that while this works for all of the Azure AD/MSOL cmdlets, it’s not as easy for the Exchange cmdlets.

Our example Office 365 delegated admin scenario

In our case, we’re in the process of updating all the unlicensed admin credentials across all of our delegated tenants. To start with, we ran a script that blocked the credentials of all unnecessary unlicensed admins.

Now, if we need to run a MSOL cmdlet on a tenant organisation, we just use the delegated method. Though if we want to make changes to Exchange Online, we need to unblock an unlicensed admin and reset the password.

How to connect to Office 365 delegated tenants via PowerShell

Make sure you’ve got the Azure Active Directory PowerShell Module installed on your PC.

Run the following command


You’ll need to know the name (or just part of the name) of the business you’re connecting to.

Run the following cmdlet

$Tenant = Get-MsolPartnerContract | Where-Object{$_.Name -match "tenant name"}

If you’re not sure of the name but you do know part of the default domain name, you can try this cmdlet. The default domain name is often the .onmicrosoft.com address.

$Tenant = Get-MsolPartnerContract | Where-Object{$_.DefaultDomainName -match "domain"}

Keep in mind that since we’re using -match, you don’t need to enter the entire business name or entire default domain name. You just need to make sure that it returns one result.

To confirm that you’ve retrieved the single tenant that you’re looking for, just enter the following on it’s own


Select Office 365 Tenant From Delegated Tenants

If you want to make sure it’s the correct tenant, you could enter the following to display all details.

$tenant | fl *

Confirm Correct Office 365 Tenant

To use this for our delegated admin commands, we need to retrieve the tenant ID on it’s own. To get this we run:

$tenantID = $tenant.tenantId

Confirm correct delegated tenant ID

You can run $tenantID on it’s own again to make sure it’s worked.

Easily get a customer’s Office 365 tenant ID with a PowerShell function

To save entering those commands every time you want to retrieve a customer’s tenant ID, you can add it to your PowerShell profile. This function will allow you to easily retrieve the tenant ID by searching for the customer’s name whenever you open PowerShell.

  1. To set it up, go to the start menu and search for ‘PowerShell’
  2. Right click on Windows Powershell and choose ‘Run as administrator’Run PowerShell As Administrator
  3. If you haven’t created your PowerShell profile on this PC yet, run the following cmdlet:
    New-item –type file –force $profile
  4. Then open the PowerShell profile in notepad using
    notepad $profile
  5. Add the following script to the notepad file and save it. I also recommend added the Exchange PowerShell function to the same notepad file as well – see our guide here.
    Function Get-CustomerID {
    	$name = Read-Host "Type part of the organisations name"
    	$Customers = @()
    	$Customers = @(Get-MsolPartnerContract | ? {$_.Name -match $name})
    	if($Customers.Count -gt 1){
    		Write-Host "More than 1 customer found, rerun the function:"
    		Write-Host " "
    		ForEach($Customer in $Customers){
    			Write-Host $Customer.Name
    	if($Customers.count -eq 0){
    		Write-Host "No customers found, rerun the function"
    	if($Customers.Count -eq 1){
    	$global:cid = $Customers.tenantid
    	Write-Host "$($Customers.name) selected. User the -tenantid `$cid parameter to run MSOL commands for this customer."
  6. Once you’ve saved it, restart PowerShell and connect to Azure Active Directory as an Office 365 administrator with delegated admin permissions using the following command:
  7. From now on, you can just run the following:
  8. Enter some text from your customers Office 365 name. If it only returns one result, the script will confirm the customer name and assign their ID to the variable $cid.Using Get-CustomerID To Get Office 365 TenantID Of Delegated Tenants
  9. You can now use this in scripts as follows:
    Get-MsolUser -TenantId $cid


Using the Tenant ID to manage Office 365 delegated tenants

In our example we want to get a list of users in the tenant. We’ll use this to find and unblock the admin user that we’ll use to connect to Exchange Online

To do this, we run the following:

Get-MsolUser -TenantId $tenantID

Get-MsolUser On Delegated Tenant

It will return a list of users. To unblock the admin user, we can run the standard Set-MsolUser Command with the tenantid parameter specified.

Set-MsolUser -TenantId $tenantID -UserPrincipalName [email protected] -BlockCredential $false

To finish up our example, we need to set a new password on this user.

Set-MsolUserPassword -TenantId $tenantID -UserPrincipalName [email protected] -NewPassword Password123 -ForceChangePassword $false

MSOL Commands On Delegated Tenant Users

Now we can use this user to connect to Exchange Online.

Note that it’s also possible to run Exchange Online commands via a delegated admin, though it’s not as straightforward. For most tasks, it’s easier to log in as an admin on the tenant. I’ll add some scripts for this in the next few days and you can make your own minds up 🙂

Was this article helpful?

Related Articles

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *