Managing users in Office 365 delegated tenants via PowerShell
Managing users in your clients' Office 365 tenants is quite easy via PowerShell. You just need to connect using your own account (provided it has delegated admin permissions) and retrieve the client's tenant ID.
From there, all the commands are the same as if you were running them on your own tenant; you just add the -TenantId $tenantID parameter to each cmdlet.
For instance the following would get a list of users in your own Office 365 organisation:
Get-MsolUser
While this would get a list of users in the Office 365 tenant that matches that ID:
Get-MsolUser -TenantId $tenantID
Keep in mind that while this works for all of the Azure AD/MSOL cmdlets, it’s not as easy for the Exchange cmdlets.
Our example Office 365 delegated admin scenario
In our case, we’re in the process of updating all the unlicensed admin credentials across all of our delegated tenants. To start with, we ran a script that blocked the credentials of all unnecessary unlicensed admins.
Now, if we need to run a MSOL cmdlet on a tenant organisation, we just use the delegated method. Though if we want to make changes to Exchange Online, we need to unblock an unlicensed admin and reset the password.
How to connect to Office 365 delegated tenants via PowerShell
Make sure you’ve got the Azure Active Directory PowerShell Module installed on your PC.
Run the following command
Connect-MsolService
You’ll need to know the name (or just part of the name) of the business you’re connecting to.
Run the following cmdlet
$Tenant = Get-MsolPartnerContract | Where-Object{$_.Name -match "tenant name"}
If you’re not sure of the name but you do know part of the default domain name, you can try this cmdlet. The default domain name is often the .onmicrosoft.com address.
$Tenant = Get-MsolPartnerContract | Where-Object{$_.DefaultDomainName -match "domain"}
Keep in mind that since we’re using -match, you don’t need to enter the entire business name or entire default domain name. You just need to make sure that it returns one result.
To confirm that you've retrieved the single tenant that you're looking for, just enter the following on its own:
$tenant
If you want to make sure it’s the correct tenant, you could enter the following to display all details.
$tenant | fl *
To use this for our delegated admin commands, we need to retrieve the tenant ID on its own. To get this we run:
$tenantID = $tenant.tenantId
You can run $tenantID on its own again to make sure it's worked.
Easily get a customer’s Office 365 tenant ID with a PowerShell function
To save entering those commands every time you want to retrieve a customer’s tenant ID, you can add it to your PowerShell profile. This function will allow you to easily retrieve the tenant ID by searching for the customer’s name whenever you open PowerShell.
- To set it up, go to the start menu and search for ‘PowerShell’
- Right-click on Windows PowerShell and choose 'Run as administrator'
- If you haven’t created your PowerShell profile on this PC yet, run the following cmdlet:
New-Item -Type File -Force $profile
- Then open the PowerShell profile in notepad using
notepad $profile
- Add the following script to the notepad file and save it. I also recommend adding the Exchange PowerShell function to the same notepad file as well – see our guide here.
Function Get-CustomerID {
    $name = Read-Host "Type part of the organisation's name"
    # Wrap in @() so .Count works even when zero or one contract is returned
    $Customers = @(Get-MsolPartnerContract | Where-Object { $_.Name -match $name })
    if ($Customers.Count -gt 1) {
        Write-Host "More than 1 customer found, rerun the function:"
        Write-Host " "
        ForEach ($Customer in $Customers) {
            Write-Host $Customer.Name
        }
    }
    if ($Customers.Count -eq 0) {
        Write-Host "No customers found, rerun the function"
    }
    if ($Customers.Count -eq 1) {
        # Store the tenant ID globally so it survives after the function returns
        $global:cid = $Customers[0].TenantId
        Write-Host "$($Customers[0].Name) selected. Use the -TenantId `$cid parameter to run MSOL commands for this customer."
    }
}
- Once you’ve saved it, restart PowerShell and connect to Azure Active Directory as an Office 365 administrator with delegated admin permissions using the following command:
Connect-MsolService
- From now on, you can just run the following:
Get-CustomerID
- Enter some text from your customer's Office 365 name. If it only returns one result, the script will confirm the customer name and assign their tenant ID to the variable $cid.
- You can now use this in scripts as follows:
Get-MsolUser -TenantId $cid
Using the Tenant ID to manage Office 365 delegated tenants
In our example we want to get a list of users in the tenant. We'll use this to find and unblock the admin user that we'll use to connect to Exchange Online.
To do this, we run the following:
Get-MsolUser -TenantId $tenantID
It will return a list of users. To unblock the admin user, we can run the standard Set-MsolUser Command with the tenantid parameter specified.
Set-MsolUser -TenantId $tenantID -UserPrincipalName [email protected] -BlockCredential $false
To finish up our example, we need to set a new password on this user.
Set-MsolUserPassword -TenantId $tenantID -UserPrincipalName [email protected] -NewPassword Password123 -ForceChangePassword $false
Now we can use this user to connect to Exchange Online.
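The scenario above (blocking the credentials of unnecessary unlicensed admins across every delegated tenant, then selectively keeping one usable) can be put into a single function. This is an added example, not the original post's script: it assumes Connect-MsolService has already been run with a delegated admin account, uses the MSOL role name "Company Administrator" for Global Admins, and the -Keep UPN is a constructed placeholder.

```powershell
# Added example: audit the unlicensed Global Admins in every delegated tenant and,
# with -Block, block sign-in for all of them except the UPNs listed in -Keep.
# Assumes Connect-MsolService has already been run with a delegated admin account.
# Supports -WhatIf so the run can be rehearsed before any credential is blocked.
function Invoke-DelegatedAdminAudit {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string[]]$Keep = @(),   # UPNs to leave untouched, e.g. the admin used for Exchange Online
        [switch]$Block           # without this switch the function only reports
    )
    $report = @()
    foreach ($contract in Get-MsolPartnerContract) {
        $tid = $contract.TenantId
        # Resolve the Global Admin role in this tenant ("Company Administrator" in MSOL)
        $role = Get-MsolRole -TenantId $tid | Where-Object { $_.Name -eq 'Company Administrator' }
        $members = Get-MsolRoleMember -TenantId $tid -RoleObjectId $role.ObjectId
        # Only user members (not groups/service principals) that hold no licence
        foreach ($m in $members | Where-Object { $_.RoleMemberType -eq 'User' -and -not $_.IsLicensed }) {
            $user = Get-MsolUser -TenantId $tid -UserPrincipalName $m.EmailAddress
            $action = 'report'
            if ($Block -and ($Keep -notcontains $user.UserPrincipalName) -and -not $user.BlockCredential) {
                if ($PSCmdlet.ShouldProcess("$($user.UserPrincipalName) in $($contract.Name)", 'Block credential')) {
                    Set-MsolUser -TenantId $tid -UserPrincipalName $user.UserPrincipalName -BlockCredential $true
                    $action = 'blocked'
                }
            }
            $report += [pscustomobject]@{
                Tenant     = $contract.Name
                TenantId   = $tid
                Admin      = $user.UserPrincipalName
                WasBlocked = $user.BlockCredential
                Action     = $action
            }
        }
    }
    $report
}

# Constructed usage: rehearse with -WhatIf first, then run without it to apply the blocks
Invoke-DelegatedAdminAudit -Keep 'admin@example-tenant.onmicrosoft.com' -Block -WhatIf
```

The returned objects can be piped to Export-Csv to keep a record of which admins were found and changed in each tenant.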
Note that it’s also possible to run Exchange Online commands via a delegated admin, though it’s not as straightforward. For most tasks, it’s easier to log in as an admin on the tenant. I’ll add some scripts for this in the next few days and you can make your own minds up 🙂