
–A–

applications (Azure), list - see Azure enterprise applications, list

Azure enterprise applications, list

to list all Azure enterprise applications

Get-AzureADServicePrincipal -All $True | Sort-Object DisplayName | ft

Note that if you omit the -All $true parameter, you'll get fewer applications than if you include it.

Azure groups, show

to list all groups

Get-AzureADGroup -All $True | Sort-Object DisplayName | ft

Note that if you omit the -All $true parameter, you'll get fewer groups than if you include it.

for just one user

$UserIdentity = "someUser"

$User = Get-ADUser -Identity $UserIdentity

all the Azure groups to which the user belongs

Get-AzureADUser -SearchString $User.UserPrincipalName | Get-AzureADUserMembership

remove the user from all Azure groups to which he belongs

Get-AzureADUser -SearchString $User.UserPrincipalName | Get-AzureADUserMembership | `
      % {Remove-AzureADGroupMember -ObjectId $_.ObjectId `
      -MemberId (Get-MsolUser -UserPrincipalName $User.UserPrincipalName).ObjectId}

–B–

–C–

Connect to Azure

$User = "someUser@yourDomain.com"
# "topSecret" is a placeholder; a real password hardcoded here ends up in the script file and in console history
$PWord = ConvertTo-SecureString -String "topSecret" -AsPlainText -Force
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User, $PWord
Connect-AzureAD -Credential $cred

create user - see user, create

–D–

delete orphaned synced user attempt, but system won't allow you to delete - see synced user in AAD has no corresponding user in AD and won't let you delete

deleted user (soft deleted), delete permanently - see user, soft deleted - delete permanently - useful in a situation where you're trying to delete a user but the system claims some other, similarly named user is already clogging up the deleted users

deleted users (soft deleted), list - see also deleted mailboxes, list

Get-MsolUser -All -ReturnDeletedUsers | Sort-Object UserPrincipalName | ft UserPrincipalName, DisplayName, ObjectId

deleted user (soft deleted), restore when UserPrincipalName has a domain not accepted by the tenant - see user, restore when UserPrincipalName has a domain not accepted by the tenant

Display name, change

domain controller, nearest

$DC = Get-ADDomainController -Discover

$DCName = $DC.Hostname

write-host $DCName

domain controllers, replicate

Repadmin /replicate $Destination $Source 'dc=domain,dc=com'

domain, find users who belong to a particular domain

Get-MsolUser -All | where {$_.UserPrincipalName -like "*@yourdomain.com"}

domain, find all users - sort by domain

Get-MsolUser | Select-Object @{n="Dom";e={$_.UserPrincipalName.split("@")[1]}}, displayName, userprincipalname | Sort-Object dom, displayName

domain, force removal from tenant

Remove-MsolDomain -DomainName "yourdomain.com" -Force

–E–

email user info

get-msoluser -userprincipalname test@yourdomain.com | fl

enterprise applications (Azure), list - see Azure enterprise applications, list

–F–

–G–

ghost users, track down (duplicates, etc.)

Sometimes the system claims there's interference with users you just can't seem to find anywhere. This is a list of commands to try to find locations of these interferences.

$m="someuser@yourTenant.onmicrosoft.com"

Get-MsolUser -All | where-Object {$_.ProxyAddresses -match "$m"} | fl

Get-MsolUser -All | Where-Object {$_.UserPrincipalName -match "$m"} | fl

Get-MsolContact -All | Where {$_.EmailAddress -match "$m"} | FL

Get-MsolGroup -All | Where-Object {$_.ProxyAddresses -match "$m"} | fl

Get-MsolUser -ReturnDeletedUsers -All | Where-Object {$_.ProxyAddresses -match "$m"} | fl

#Get-Recipient -ResultSize unlimited | Where {$_.EmailAddresses -match "$m"} | FL Name, RecipientType, emailAddresses

Get-Recipient -ResultSize unlimited | Where {$_.EmailAddresses -match "$m"} | FL

Get-Mailbox -SoftDeletedMailbox | Where {$_.EmailAddresses -match "$m"} | FL

Get-Recipient -Filter: "name -like '*cnf*'" | fl

Get-Mailbox -PublicFolder | FL EmailAddresses

groups (Azure), show - see Azure groups, show

guest users, show those recently created (like since yesterday)

Get-MsolUser -All | ? {($_.UserType -eq 'Guest') -and ($_.WhenCreated -ge [DateTime]::Today.AddDays(-1))} | Select-Object UserPrincipalName, DisplayName, WhenCreated

guest users, order by department

Get-MsolUser | ? {($_.UserType -eq 'Guest')} | Select-Object Department, UserPrincipalName, DisplayName, FirstName, LastName | `
    Sort-Object Department, LastName, DisplayName | ft

GUID for a user

Get-Mailbox -identity someuser | select DisplayName, GUID, ExchangeGUID

–H–

–I–

immutable ID

clear (to "unsync") - note: you need the quotes around null below or it won't clear properly

Set-MSOLUser -UserPrincipalName someUser@yourDomain.com -ImmutableID "$null"

find for a user

Get-MsolUser -UserPrincipalName someUser@yourDomain.com | Select-Object UserprincipalName,ImmutableID,LastDirSyncTime

set (if you don't know the value for the $immutableID variable below, probably best to see sync local user to cloud user)

Set-MSOLuser -UserPrincipalName someuser@yourdomain.com -ImmutableID $immutableID

sync local user to cloud user - see sync local user to cloud user

–J–

–K–

–L–

licenses currently available on this tenant

Get-MsolAccountSku

which returns the same thing as those licenses ostensibly used

Get-MsolAccountSku | Where {$_.ConsumedUnits -ge 1}

licenses for a user

short version

Get-MsolUser -UserPrincipalName user@yourdomain.com | Select-Object Licenses

longer version that lists all the doo-dads associated with a license

Get-MsolUser -UserPrincipalName user@yourdomain.com | Select-Object -ExpandProperty Licenses | Select-Object -ExpandProperty ServiceStatus

licenses, how many left?

$license = "$($tenantName):$license"

$Account = Get-MsolAccountSku | Where-Object {$_.AccountSkuId -eq $license}

$Result = $Account.ActiveUnits - $Account.ConsumedUnits

licenses, who has a particular

In this case, Office Premium

Get-MSOLUser -All | where {$_.isLicensed -eq "TRUE" -and $_.Licenses.AccountSKUID -eq "yourtenant:O365_BUSINESS_PREMIUM"} | select displayname,userprincipalname,isLicensed

What if we want to know who with an email ending in a particular domain does not have a particular license?

Get-Mailbox *yourDomain.com -RecipientTypeDetails UserMailbox | Get-MsolUser | ? { $_.isLicensed -eq "TRUE" -and $_.Licenses.AccountSKUID -notcontains "yourTenant:O365_BUSINESS_PREMIUM"}

licenses, who has what on this tenant?

$Sku = @{
    "EMS" = "Enterprise Mobility Suite"
    "EXCHANGEDESKLESS" = "Exch Kiosk" #"Exchange Online Kiosk"
    "EXCHANGESTANDARD" = "O365 Exch Only" #"Office 365 Exchange Online Only"
    "O365_BUSINESS_PREMIUM" = "O365 Prem" #"Office Business Premium"
    "OFFICESUBSCRIPTION" = "O365 Pro+" # "Office 365 ProPlus"
    "POWER_BI_STANDARD" = "Power-BI standard"
    "SHAREPOINTENTERPRISE" = "SP Pl2" #"SharePoint Online (Plan 2)"
    "SHAREPOINTSTANDARD_YAMMER" = "SP Pl1 Ymr" # "SharePoint Online (Plan 1) with Yammer"
    "VISIOCLIENT" = "Visio" #"Visio Pro Online"
}
$logfile = "Office_365_License" + [DateTime]::Now.ToString("yyyy-MM-dd_HH-mm-ss") + ".csv"
$mytemp = [environment]::getfolderpath("mydocuments")
$logfile = $mytemp + "\" + $logfile  # your local "My Documents"
$licenseType = Get-MsolAccountSku | Where {$_.ConsumedUnits -ge 1} # list  all licenses in the tenant
$headerString = "Display Name, Domain, UPN" # Build the Header for the CSV file
$numLicenses = 0
write-host "Getting the licenses and writing the header..."
foreach ($license in $licenseType) # Loop through all license types found in the tenant to add licenseTypes
{
    $headerString = $headerString + "," + $Sku.Item($license.SkuPartNumber)
    $numLicenses++
}
$headerString = $headerString + ",Errors, ImmutableId, BlockCredential" # Add other attributes
Out-File -FilePath $LogFile -InputObject $headerString -Encoding UTF8 -append
write-host "Getting all users in the Office 365 tenant..." # Get a list of all the users in the tenant
$users = Get-MsolUser -all | where { $_.isLicensed -eq "True"}
foreach ($user in $users) # Loop through all users found in the tenant
{
    $lineString = $user.displayname -Replace ",","" # use last name, comma first name as display name so remove the comma
    write-host ("Processing " + $lineString)
    $lineString = $lineString + "," + $user.UserPrincipalName.Split("@")[1]  + "," + $user.userprincipalname  #+ "," + $user.isLicensed
        for($j=0;$j -lt $numLicenses; ++$j) # Loop through all license types found in the tenant
        {
            $userhaslicense = ""
            foreach ($row in $user.licenses) # Loop through all licenses assigned to this user
            {
                if ($row.AccountSkuId.ToString() -eq $licenseType[$j].AccountSkuId) # index the SKU list, not the property, so a tenant with only one SKU still compares whole IDs
                {
                    $userhaslicense = "x"
                }
            }
            $lineString = $lineString + "," + $userhaslicense
        }
    $lineString = $lineString + "," + $user.Errors + "," + $user.ImmutableId + "," + $user.BlockCredential
    Out-File -FilePath $LogFile -InputObject $lineString -Encoding UTF8 -append
}
write-host ("Script Completed. Results available in " + $LogFile)

–M–

–N–

–O–

orphaned synced user, can't delete - see synced user in AAD has no corresponding user in AD and won't let you delete

–P–

password change

Set-MsolUserPassword -UserPrincipalName "someEmail_gmail.com#EXT#@yourTenant.onmicrosoft.com" -NewPassword "topSecret"

in bulk - also forces users to change their password on first login

Import-Csv c:\user-boxes.csv | %{Set-MsolUserPassword -userPrincipalName $_.UserPrincipalName -NewPassword "Welcome" -ForceChangePassword $true}
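
A variant of the bulk reset that gives each user a different temporary password instead of the shared "Welcome". This is an added example, not part of the original cheat sheet; it assumes Connect-MsolService has already run, that the CSV has a UserPrincipalName column, and the output path is a placeholder.

```powershell
# Added example: bulk reset with a unique random temporary password per user.
$csvPath = 'c:\user-boxes.csv'                                # same input file as the command above
$outPath = Join-Path $env:USERPROFILE 'temp-passwords.csv'    # placeholder output location

$results = foreach ($row in Import-Csv $csvPath) {
    $upn = $row.UserPrincipalName
    if ([string]::IsNullOrWhiteSpace($upn)) { continue }      # skip blank rows

    try {
        # With no -NewPassword, Set-MsolUserPassword generates a random password
        # and returns it as a string. -ForceChangePassword makes it single-use.
        $temp = Set-MsolUserPassword -UserPrincipalName $upn `
                    -ForceChangePassword $true -ErrorAction Stop
        [pscustomobject]@{ UserPrincipalName = $upn; TempPassword = $temp; Status = 'reset' }
    }
    catch {
        # Keep going, but record which accounts were not reset and why
        [pscustomobject]@{ UserPrincipalName = $upn; TempPassword = ''
                           Status = "failed: $($_.Exception.Message)" }
    }
}

# The output file holds live credentials until each user signs in and changes
# the password: hand them out over a separate channel, then delete the file.
$results | Export-Csv -Path $outPath -NoTypeInformation -Encoding UTF8
$results | Group-Object Status | Format-Table Count, Name
```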

properties - all properties for a user

Get-MsolUser -UserPrincipalName 'someUser@yourDomain.com' | Select-Object *

–Q–

–R–

recycle bin, remove user from

Remove-MsolUser -UserPrincipalName user@yourdomain.com -RemoveFromRecycleBin

recycle bin, restore user from when the domain is no longer accepted by the tenant

Restore-MsolUser -UserPrincipalName someuser@baddomain.com -AutoReconcileProxyConflicts -NewUserPrincipalName someuser@yourTenant.onmicrosoft.com

replicate domain controllers - see domain controllers, replicate

role, assign

New-ManagementRoleAssignment -Role ApplicationImpersonation -User 'someUser@yourDomain.com'

–S–

session, kill existing

Get-PSSession | Remove-PSSession

This doesn't do diddly squat to get rid of the O365 session. When I run Get-MsolUser, I get results - even after I run the command above and run Get-PSSession by itself (which returns no results).

soft deleted user, delete permanently - see user, soft deleted - delete permanently - useful in a situation where you're trying to delete a user but the system claims some other, similarly named user is already clogging up the deleted users

sync local user to cloud user

$guid = (get-Aduser someuser).ObjectGuid
$immutableID = [System.Convert]::ToBase64String($guid.tobytearray())
Set-MSOLuser -UserPrincipalName someuser@yourdomain.com -ImmutableID $immutableID

This alone, all by itself, doesn't work so good if you have one user synced that you don't care about but whose immutable ID you want to steal to apply to a cloud-only user which actually has useful stuff you care about in it that you want to attach to a local AD user. Let's say you have two similarly-named users:

Get-MSOLuser -SearchString "someUser" | Select-Object UserPrincipalName, ImmutableID

Assume the command returns two results: one synced & one cloud-only. And you want to sync the cloud-only ID with your local ID. So you attempt to set your cloud-only ID's immutable ID to that of your converted local ID's GUID by running:

Set-MSOLuser -UserPrincipalName someUser@yourTenant.onmicrosoft.com -ImmutableID $immutableID

which will return the following error:

Set-MSOLuser : Uniqueness violation. Property: SourceAnchor.
At line:1 char:1
+ Set-MSOLuser -UserPrincipalName someUser@yourTenant.onmicro ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [Set-MsolUser],
MicrosoftOnlineException
+ FullyQualifiedErrorId :
Microsoft.Online.Administration.Automation.UniquenessValidationException,Microsoft.Online.Administration.Automation.SetUser

which makes sense because you already have a synced ID with that same immutableID!

Run the command to show both your users (both the synced one as well as the one in the cloud) and show both the UPN and ObjectID.

Get-MsolUser -ReturnDeletedUsers -SearchString someUser@yourDomain.com | FL UserPrincipalName, ObjectID

At some point, move your synced object in your local AD from an OU that's synced over to an OU that's not synced. Or simply delete it from your local AD. Then sync your local AD to the cloud. This should have the effect of deleting the synced object. But you still can't reassign the old synced object's immutable ID to the cloud-only version until you also delete it from the recycle bin. For some reason, trying to stuff the value of the Object ID into a variable…

$objectID = Get-MsolUser -ReturnDeletedUsers -SearchString someUser@yourDomain.com | Select-Object ObjectID

…and then use the variable to try to delete it doesn't work:

Remove-MsolUser -ObjectId $objectID -RemoveFromRecycleBin -Force

you get an error:

Remove-MsolUser : Cannot bind parameter 'ObjectId'. Cannot convert the "@{ObjectId=3540aa84-5a35-4b2c-bdb9-2671ff28ad9c}" value of type "Selected.Microsoft.Online.Administration.User" to type "System.Guid".
At line:1 char:27
+ Remove-MsolUser -ObjectId $objectID -RemoveFromRecycleBin -Force
+ ~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Remove-MsolUser],
ParameterBindingException
+ FullyQualifiedErrorId :
CannotConvertArgumentNoMessage,Microsoft.Online.Administration.Automation.RemoveUser

Instead, you have to actually paste the value in from the command you ran above:

Remove-MsolUser -ObjectId 3540aa84-5a35-4b2c-bdb9-3782ff28ad9c -RemoveFromRecycleBin -Force

which works better. There's probably some way to simply use the variable rather than cutting and pasting the value into your subsequent command. Maybe this might work:

$objectID = (Get-MsolUser -ReturnDeletedUsers -SearchString someUser@yourDomain.com).ObjectID

I'll try that next time.
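
The whole procedure above as one script. This is an added example, not the page author's own code; the account names are placeholders, and it assumes the ActiveDirectory and MSOnline modules are loaded and Connect-MsolService has already run. It passes the ObjectId property itself to Remove-MsolUser, because Select-Object ObjectID returns a wrapper object (the "@{ObjectId=...}" in the error above) rather than a GUID.

```powershell
# Added example: attach a cloud-only user to a local AD user via ImmutableId.
$samAccountName = 'someuser'                               # placeholder: local AD account
$cloudUpn       = 'someUser@yourTenant.onmicrosoft.com'    # placeholder: cloud-only user to keep

# 1. Convert the AD objectGUID to the base64 form stored as ImmutableId
$guid        = (Get-ADUser -Identity $samAccountName).ObjectGuid
$immutableID = [System.Convert]::ToBase64String($guid.ToByteArray())

# 2. Find every object already holding that ImmutableId, active or soft-deleted.
#    -ceq, not -eq: base64 is case-sensitive and -eq would ignore case.
$active  = @(Get-MsolUser -All |
             Where-Object { $_.ImmutableId -ceq $immutableID })
$deleted = @(Get-MsolUser -All -ReturnDeletedUsers |
             Where-Object { $_.ImmutableId -ceq $immutableID })

# 3. An active holder other than the target means the old synced object has not
#    been removed yet. Stop here rather than hit "Uniqueness violation".
$blockers = @($active | Where-Object { $_.UserPrincipalName -ne $cloudUpn })
if ($blockers.Count -gt 0) {
    $blockers | Format-List UserPrincipalName, ObjectId, LastDirSyncTime
    throw "ImmutableId is still held by an active user. Move that object out of sync scope (or delete it in AD), run a sync, then retry."
}

# 4. Purge soft-deleted holders from the recycle bin. This cannot be undone,
#    so each one is printed first. $old.ObjectId is the GUID value itself,
#    which is what -ObjectId expects.
foreach ($old in $deleted) {
    Write-Host "Purging $($old.UserPrincipalName) [$($old.ObjectId)] from the recycle bin"
    Remove-MsolUser -ObjectId $old.ObjectId -RemoveFromRecycleBin -Force
}

# 5. Stamp the cloud-only user and read the value back to confirm
Set-MsolUser -UserPrincipalName $cloudUpn -ImmutableId $immutableID
Get-MsolUser -UserPrincipalName $cloudUpn |
    Select-Object UserPrincipalName, ImmutableId, LastDirSyncTime
```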

sync problems

Get-MsolDirSyncProvisioningError -ErrorCategory PropertyConflict -PropertyName UserPrincipalName
Get-MsolDirSyncProvisioningError -ErrorCategory PropertyConflict -PropertyName ProxyAddresses
Get-MsolUser -UserPrincipalName user@yourdomain.com | fl DirSyncProvisioningErrors

synced user in AAD has no corresponding user in AD and won't let you delete

Remove-MsolUser -UserPrincipalName someUser@yourTenant.onmicrosoft.com -force

–T–

tenant, which one am I on?

Get-MsolAccountSku

term 'xx' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. (Exchange)

for example:

get-mailbox -ResultSize Unlimited

returns:

get-mailbox : The term 'get-mailbox' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ get-mailbox -ResultSize Unlimited
+ ~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (get-mailbox:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException

need to run:

add-pssnapin *exchange* -erroraction SilentlyContinue

–U–

unlicensed users

Get-MsolUser -All -UnlicensedUsersOnly

unlicensed users, suppress entries from showing up in the Offline Address Book (OAB) or Global Address List (GAL) - see Global Address List (GAL), suppress entries

usage location for all users

this sorts by domain name, display name

Get-MsolUser | Select-Object @{n="Dom";e={$_.UserPrincipalName.split("@")[1]}}, UsageLocation, UserPrincipalName, displayName | Sort-Object dom, displayName | ft dom, displayName, UsageLocation, UserPrincipalName

user, create

New-MsolUser -UserPrincipalName "SomeUser@yourDomain.com" -DisplayName "Some User" -FirstName "Some" -LastName "User"

or

$NewUserParams = @{
    'UserPrincipalName' = $UPN
    'DisplayName' = $DisplayName
    'FirstName' = $FirstName
    'LastName' = $LastName
    'Title' = $Title
    'Department' = $Department
    'Password' = $DefaultPassword
}
New-MsolUser @NewUserParams

user, does he exist?

$User = Get-MsolUser -UserPrincipalName $target -ErrorAction SilentlyContinue -ErrorVariable errorVariable
If ($User -ne $Null)
{
    write-host "$target exists" -Foregroundcolor green
}
Else
{
    write-host "$target does not exist" -Foregroundcolor yellow
}

user info

Get-MsolUser -UserPrincipalName someUser@yourDomain.com | fl

But this doesn't give you many properties. To see all properties:

Get-MsolUser -UserPrincipalName 'someUser@yourDomain.com' | Select-Object *

users, list all sorted by domain - see domain, find all users - sort by domain

user, soft deleted - delete permanently

Sometimes you run into a situation where you're trying to delete a user but the system claims some other, similarly named user is already clogging up the deleted users.

Get-MsolUser -ReturnDeletedUsers -SearchString someuser@yourdomain.com | FL UserPrincipalName, ObjectID

Sometimes you can't return a soft deleted user by name even though you see him right there. In that case, run:

Get-MsolUser -All -ReturnDeletedUsers | ft DisplayName, ObjectId

and grab the appropriate ObjectID so you can delete it that way. Whichever way you get it, once you have it, use the ObjectId to delete:

Remove-MsolUser -ObjectId 8b0b9ca0-a3cf-4444-9b1b-c8dc92e69261 -RemoveFromRecycleBin -Force

Now, finally, you can delete the object you originally intended:

Remove-MsolUser -UserPrincipalName someuser@yourdomain.com -RemoveFromRecycleBin

user soft deleted, restore when UserPrincipalName has a domain not accepted by the tenant

Restore-MsolUser -UserPrincipalName someuser@baddomain.com -AutoReconcileProxyConflicts -NewUserPrincipalName someuser@yourTenant.onmicrosoft.com

user info (email) - Office 365

individual - use either UPN:

Get-MsolUser -userprincipalname test@yourdomain.com | fl

or objectID:

Get-MsolUser -ObjectId 81701046-cb37-439b-90ce-2afd9630af7d | fl

everyone:

Get-MsolUser | Sort-Object DisplayName,UserPrincipalName

userPrincipalName

change:

Set-MsolUserPrincipalName -UserPrincipalName "becky.smith@yourcompany.onmicrosoft.com" -NewUserPrincipalName "becky.smith@yourcompany.com"

–V–

–W–

Where am I? As in: which tenant am I on?

Get-MsolAccountSku

Which tenant am I on? - the closest I can find is the command to list all the licenses that a tenant has available: Get-MsolAccountSku. This will return a list of license SKUs. Embedded in each AccountSkuId will be the tenant name before the ":". Pretty hokey.

–X–

–Y–

–Z–