When performing nearly any action in Office 365, you perform it against some type of object, whether it’s a user, a contact, a group, or a resource mailbox—the list goes on. Depending on the type of environment (managed domains with cloud ID or synchronized from an on-premises directory) and type of workload (Exchange, Skype, Microsoft SharePoint, Azure Active Directory), you might need to manage one or more object types or an object type in different contexts (managing the object properties of an Azure AD user versus the email properties of a mail-enabled user).
The Office 365 Admin Center displays several types of objects, as shown in Figure 11-1.
The objects presented are a composite view, displaying properties from Azure Active Directory as well as Exchange Online and Skype for Business Online.
When you explore the details of a user, for example, this is evident. See Figure 11-2.
As you can see in the screenshot, you can manage Azure Active Directory and Exchange properties (as well as settings for Office ProPlus and Microsoft OneDrive). For example, on a user’s properties sheet, you can view or manage Sign-In Status (Azure Active Directory), Group Memberships (Azure Active Directory or Exchange), Product Licenses (Azure Active Directory), Roles (Azure Active Directory), User Name (Azure Active Directory), Email Address (Exchange), and Aliases (Exchange).
Just as Active Directory is the foundation for on-premises services such as Exchange and Skype for Business, Azure Active Directory plays the analogous foundational role for online services. Before you can manipulate Azure AD objects with Windows PowerShell, you must download and install the necessary components.
Some features require the older version of the cmdlets (Azure Active Directory 1.0 or MSOnline), and some features require Azure Active Directory 2.0. Eventually, all features will be migrated to the newer module, but as of the time of writing, you still need both sets of modules to administer all the object types and settings fully.
After you install these components, launch an elevated Windows PowerShell prompt and run the following command to install the Azure Active Directory 2.0 PowerShell module:
Install-Module AzureADPreview
If this is the first time you’ve used Install-Module or PowerShellGet, you might be prompted to install NuGet or allow it to download from untrusted repositories.
After you’ve installed the necessary components, you can launch a new Windows PowerShell window and connect to Azure Active Directory, as shown in Figure 11-3:
Import-Module MSOnline,AzureADPreview
$Credential = Get-Credential
Connect-MsolService -Credential $Credential
Connect-AzureAD -Credential $Credential
From here, you have several avenues to view, create, manage, or delete objects. This section focuses mainly on cloud ID users. Because many synchronized users’ details are managed on-premises, you won’t be able to run most Set- commands on them. For purposes of this discussion, the MSOnline module cmdlets are referenced because the newer Azure Active Directory and Azure AD Preview modules don’t have all of the capability at this time.
In Azure Active Directory, you can manipulate several object and resource types. Here’s a list of types of common objects you can work with.
As mentioned earlier, there are many ways to interact with objects in Office 365, including the Office 365 admin centers and Windows PowerShell.
Users are the basic security principals in Azure Active Directory. The main cmdlets for managing users are:
As you might expect, New-MsolUser is used for creating security principals, Get-MsolUser returns objects, Set-MsolUser sets properties on the objects, and Remove-MsolUser removes a user object from Azure Active Directory.
In these next two examples, you can see how the process of creating a new user is a relatively simple task in either the Office 365 Admin Center or Windows PowerShell.
To create a user in the Office 365 Admin Center, follow these steps.
If licensing is selected, additional features are enabled, such as an Exchange mailbox or access granted to download the Office ProPlus Click-To-Run media. See Figure 11-5.
To do the equivalent new user creation task in Windows PowerShell, follow these steps.
New-MsolUser -UserPrincipalName [email protected] -FirstName Kim -LastName Akers -DisplayName "Kim Akers" -UsageLocation US -LicenseAssignment cohovineyardandwinery:ENTERPRISEPACK
For more information on license assignment in Office 365, see Chapter 2, “Preparing your environment for the cloud,” as well as https://blogs.technet.microsoft.com/undocumentedfeatures/2016/06/21/office-365-license-assignment/, “Office 365 License Assignment.”
You can use the Get-MsolUser cmdlet to look at the properties of a user. For example, if you want to return the list of properties that appear in the Office 365 Admin Center default view of an active user, you can run these commands when connected to Office 365 by Windows PowerShell.
$FormatEnumerationLimit = -1
$User = Get-MsolUser -UserPrincipalName [email protected]
$GroupsMembers = @()
$RolesMembers = @()

# Walk every group and keep the membership entries that belong to this user,
# tagging each entry with the group's display name.
$Groups = Get-MsolGroup
$Groups | % {
    $data = Get-MsolGroupMember -GroupObjectId $_.ObjectId | ? { $_.ObjectId -eq $User.ObjectId }
    $data | Add-Member -Type NoteProperty -Value $_.DisplayName -Name "Groups"
    $GroupsMembers += $data
}

# Do the same for directory roles, tagging each entry with the role name.
$Roles = Get-MsolRole
$Roles | % {
    $RoleName = $_.Name
    $data = Get-MsolRoleMember -RoleObjectId $_.ObjectId | ? { $_.ObjectId -eq $User.ObjectId }
    $data | Add-Member -Type NoteProperty -Value $RoleName -Name Roles
    $RolesMembers += $data
}

$User | Add-Member -Type NoteProperty -Value $GroupsMembers -Name Groups
$User | Add-Member -Type NoteProperty -Value $RolesMembers -Name Roles

# Present the same fields the admin center shows on the user's properties sheet.
$User | Format-List @{Name="User Name"; Expression={$_.UserPrincipalName}},
    @{Name="Aliases"; Expression={$_.ProxyAddresses}},
    Licenses,
    @{Name="Group Memberships"; Expression={$_.Groups.Groups}},
    @{Name="Sign-in Status"; Expression={If ($_.BlockCredential -eq $false) {"Sign-in Allowed"} Else {"Sign-in Blocked"}}},
    @{Name="Roles"; Expression={$_.Roles.Roles}},
    @{Name="Display Name"; Expression={$_.DisplayName}},
    @{Name="Office Phone"; Expression={$_.PhoneNumber}}
The resulting output in Figure 11-7 shows you the same data that you see in the portal, with the exception of Office Installs (because there currently is no Windows PowerShell cmdlet you can use to return that data).
Just as you can navigate and edit the properties of a user through the admin center, you can also update the properties by using the Set-MsolUser command. For example, you could use the following command to change the Department property for a user.
Set-MsolUser -UserPrincipalName [email protected] -Department "Marketing"
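As noted earlier, Set- commands fail against users whose attributes are synchronized from on-premises. The following added example (not from the book) wraps Set-MsolUser in a check for the synchronization markers a user object carries, so the change is attempted only on cloud IDs; it assumes a connected MSOnline session and uses placeholder UPN and department values.

```powershell
# Update a cloud-managed attribute only when the user is a cloud ID.
# Synchronized users are authoritative on-premises: they carry an ImmutableId
# (the on-premises source anchor) and a LastDirSyncTime, while cloud IDs have neither.
# Assumes Connect-MsolService has already been run.
function Set-CloudUserDepartment {
    param(
        [Parameter(Mandatory)] [string]$UserPrincipalName,
        [Parameter(Mandatory)] [string]$Department
    )

    $user = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop

    if ($user.ImmutableId -or $user.LastDirSyncTime) {
        $msg = '{0} is synchronized from on-premises (last sync {1}); change Department in Active Directory and let Azure AD Connect sync it.'
        Write-Warning ($msg -f $user.UserPrincipalName, $user.LastDirSyncTime)
        return $false
    }

    Set-MsolUser -UserPrincipalName $UserPrincipalName -Department $Department
    return $true
}

# Placeholder values; substitute a real UPN from your tenant.
Set-CloudUserDepartment -UserPrincipalName 'user@tenant.example' -Department 'Marketing'
```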
The Remove-MsolUser cmdlet is the Windows PowerShell counterpart to deleting a user in the admin center. Deleting a user is a two-step process. First, the user is moved to the Recycle Bin. Then, if the user is not recovered within 30 days, an Azure Active Directory cleanup job removes the object. Alternatively, you can run the Remove-MsolUser cmdlet with the RemoveFromRecycleBin parameter to delete the user fully, as shown in Figure 11-8.
Remove-MsolUser -UserPrincipalName [email protected]
Remove-MsolUser -UserPrincipalName [email protected] -RemoveFromRecycleBin
Contacts are objects that you can create to represent mail-enabled external recipients. External recipients can be on-premises mailboxes or distribution lists that aren’t synchronized to Office 365, third-party email systems, or partner organizations—any object that you want to configure to appear in the global address list.
Contacts can be created from the Office 365 Admin Center with the following process.
Contacts, like distribution lists and Office 365 groups, are actually created in Exchange Online and then synchronized back into Azure Active Directory. As such, there is no corresponding new contact cmdlet in either the MSOnline or AzureAD PowerShell modules.
There are many types of groups in Azure AD and Office 365.
You use roles to grant rights to perform certain functions in either the Office 365 Admin Center or other service admin centers. For example, the Global Administrator role grants full administrative access to every object and inside every service admin center in the tenant.
You can manage role memberships from the Office 365 Admin Center by navigating to a user, clicking the Edit button next to Roles, and then selecting a role you want to assign to the user. By selecting Customized Administrator (Figure 11-9), you can select either built-in Office 365 administrator roles or more restrictive roles for individual services or features.
If you want to manage the user’s role membership from Windows PowerShell, you must get a list of roles and role ObjectIds, which you obtain from running Get-MsolRole. See Figure 11-10.
After you find the ObjectId of the role you want to add a member to, you can note it, copy it to the clipboard or Notepad, or save it to a variable.
The next step is to locate the user’s ObjectId. You can find that by running:
Get-MsolUser -UserPrincipalName [email protected] | Select ObjectId
Again, save the value to the clipboard, Notepad, or a variable.
Finally, assign the role to the user and confirm membership. Use this command:
Add-MsolRoleMember -RoleObjectId <role_object_ID> -RoleMemberObjectID <user_object_ID>
In the following example, the object ID for the user Terry Adams is saved to the variable $UserObjectID, and the Object ID of the role to be assigned to the user, SharePoint Service Administrator, is saved as $SharePointRoleObjectID. Review the output in Figure 11-11.
$SharePointRoleObjectId = (Get-MsolRole | ? { $_.Name -eq "SharePoint Service Administrator" }).ObjectId
$UserObjectID = (Get-MsolUser -UserPrincipalName [email protected]).ObjectId
Add-MsolRoleMember -RoleObjectId $SharePointRoleObjectId -RoleMemberObjectId $UserObjectID
Get-MsolRoleMember -RoleObjectId $SharePointRoleObjectId
Roles are built in to the service and cannot be added or removed.
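Because role membership is what grants administrative reach across the tenant, it is worth reviewing regularly. The following added example (not from the book) reports the members of selected privileged roles together with their sign-in and per-user MFA state, using the same Get-MsolRole, Get-MsolRoleMember, and Get-MsolUser cmdlets shown above; it assumes a connected MSOnline session. The role names are the MSOnline names (Company Administrator is the MSOnline name for the Global Administrator role shown in the admin center).

```powershell
# Report members of privileged Azure AD roles with sign-in and MFA state so that
# unexpected or unprotected administrators stand out. Assumes Connect-MsolService
# has been run. Only per-user MFA is visible here; MFA enforced through
# Conditional Access does not appear in StrongAuthenticationRequirements.
function Get-PrivilegedRoleReport {
    param(
        [string[]]$RoleNames = @('Company Administrator',
                                 'Exchange Service Administrator',
                                 'SharePoint Service Administrator')
    )

    foreach ($roleName in $RoleNames) {
        $role = Get-MsolRole -RoleName $roleName
        if (-not $role) { Write-Warning "Role '$roleName' not found"; continue }

        foreach ($member in Get-MsolRoleMember -RoleObjectId $role.ObjectId) {
            # Members can be users or service principals; only users carry MFA state.
            if ($member.RoleMemberType -ne 'User') {
                [pscustomobject]@{ Role = $roleName; Member = $member.DisplayName
                                   Type = $member.RoleMemberType; SignIn = 'n/a'; MFA = 'n/a' }
                continue
            }

            $user = Get-MsolUser -ObjectId $member.ObjectId
            # StrongAuthenticationRequirements is populated only when per-user MFA
            # is Enabled or Enforced; an empty list means no per-user MFA.
            $mfa = if ($user.StrongAuthenticationRequirements.Count -gt 0) {
                       $user.StrongAuthenticationRequirements[0].State
                   } else { 'Disabled' }

            [pscustomobject]@{
                Role   = $roleName
                Member = $user.UserPrincipalName
                Type   = 'User'
                SignIn = if ($user.BlockCredential) { 'Blocked' } else { 'Allowed' }
                MFA    = $mfa
            }
        }
    }
}

# Full report, then the subset that can sign in without per-user MFA.
$report = Get-PrivilegedRoleReport
$report | Format-Table -AutoSize
$report | Where-Object { $_.Type -eq 'User' -and $_.SignIn -eq 'Allowed' -and $_.MFA -eq 'Disabled' } |
    Format-Table -AutoSize
```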
Security and distribution groups (or distribution lists, as they’re sometimes referred to) are group objects that can be used for granting access to resources or delivering messages to multiple users.
Security and distribution groups can be easily managed from the Office 365 Admin Center, as demonstrated in the following example.
Office 365 groups, mail-enabled security groups, and distribution lists are provisioned through Exchange Online, and then the underlying group object is synchronized back to Azure Active Directory through the backward sync process. See Figure 11-12.
If you choose an Office 365 group, a distribution list, or a mail-enabled security group, you can also enable the group to receive messages from Internet users. This sets the RequireSenderAuthenticationEnabled parameter to $false in Exchange Online. For Office 365 groups, you also have options to configure whether the group is public or private, what language the mailbox is in, and whether you want members of the group to receive emails and invites in their mailbox like a traditional distribution or mail-enabled security group. If you want to configure an Office 365 group to receive email from external senders, you have to edit the group after creation.
Because Office 365 groups, distribution lists, and mail-enabled security groups are Exchange objects, the only option for creation from the Azure Active Directory module or MSOnline modules is a standard security group. You can create a security group in Azure AD by following this example.
New-MsolGroup -DisplayName "Coho Marketing Security Group" -Description "Marketing Security Group" -ManagedBy (Get-MsolUser -UserPrincipalName [email protected]).ObjectId
As is mentioned elsewhere in this book, Exchange Online is the messaging service that’s built on Azure Active Directory. You can administer it through both the Office 365 Admin Center (under Admin Centers | Exchange) and Windows PowerShell. To connect to Exchange Online by Windows PowerShell, you only need to import the cmdlets from Exchange Online into your current session. See Figure 11-14.
$Credential = Get-Credential
$ExchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid -Authentication Basic -AllowRedirection -Credential $Credential
# Bring the Exchange Online cmdlets into the current session.
Import-PSSession $ExchangeSession
Exchange Online has several types of objects, many of which overlap the objects that you can create or manipulate with Azure Active Directory and MSOnline. The types of objects in Exchange Online include:
The Site Mailbox feature was deprecated as of March 2017. You can no longer provision new site mailboxes, but existing site mailboxes will continue to function. Office 365 tenants created after March 2017 do not have access to the site mailbox feature. For more information about the transition plan for site mailboxes to Office 365 groups, visit https://support.office.com/en-us/article/Prepare-for-using-site-mailboxes-in-Office-365-6381daa5-3d98-4629-972d-d19e1dc48c1b.
Just as you can manage directory objects through both the admin centers and Azure AD PowerShell, you can also manage Exchange-specific objects both ways.
As discussed previously in this chapter, users are the fundamental principal objects in Azure Active Directory. A mailbox is the primary recipient object type in Office 365 and Exchange Online. The main cmdlets for creating, managing, and deleting mailboxes are:
In these next two examples, you see a new mailbox created in both the Office 365 Admin Center and in Windows PowerShell. The first is from the admin center.
These steps are identical to those to create an Azure Active Directory user from the Office 365 Admin Center earlier, with one minor change—you must select a license that includes a service plan for Exchange Online.
Here are the steps.
Although user mailboxes require a license, shared and resource mailboxes do not. You can create these mailboxes through the Office 365 Admin Center (Groups | Shared Mailboxes | Add A Mailbox for shared mailboxes or Resources | Rooms & Equipment | Add for room and equipment mailboxes), the Exchange Admin Center (Recipients | Resources | + | Room Mailbox or Equipment Mailbox for room and equipment mailboxes or Recipients | Shared | + for shared mailboxes), or Windows PowerShell (using New-Mailbox -Type [room | shared | equipment]) for the appropriate mailbox type.
When creating a room, equipment, or shared mailbox through either one of the admin centers or Windows PowerShell, a disabled Azure Active Directory user account is created as well for the mailbox.
You can also remove a mailbox from either the Office 365 Admin Center or Exchange Admin Center or through a remote Exchange Online session by running the Remove-Mailbox cmdlet.
In Exchange Online (as opposed to Azure Active Directory), if you remove a mailbox, the deletion flows through the backward synchronization process to Azure Active Directory, and the associated user account will be moved to the Recycle Bin.
When this happens, the user account’s UserPrincipalName is renamed ExRemoved-<guid>@tenant.onmicrosoft.com, as shown in Figure 11-16.
You can also create a user mailbox by using Windows PowerShell.
[array]$DisabledPlans = @()

# Find the E3 SKU in the tenant and enumerate its service plans.
$Sku = (Get-MsolAccountSku | ? { $_.AccountSkuId -like "*ENTERPRISEPACK*" }).AccountSkuId
[array]$ServicePlans = (Get-MsolAccountSku | ? { $_.AccountSkuId -eq $Sku }).ServiceStatus

# Keep only the Exchange Online plan enabled; every other plan in the SKU is disabled.
[array]$EnabledPlans = @('EXCHANGE_S_ENTERPRISE')
[regex]$EnabledPlansRegex = '(?i)^(' + (($EnabledPlans | foreach { [regex]::Escape($_) }) -join "|") + ')$'
Foreach ($Plan in $ServicePlans) {
    $item = $Plan.ServicePlan.ServiceName
    If ($item -notmatch $EnabledPlansRegex) { $DisabledPlans += $Plan.ServicePlan.ServiceName }
}

$LicenseOptions = New-MsolLicenseOptions -AccountSkuId $Sku -DisabledPlans $DisabledPlans
New-MsolUser -UserPrincipalName [email protected] -FirstName David -LastName Hamilton -DisplayName "David Hamilton" -UsageLocation US -LicenseAssignment cohovineyardandwinery:ENTERPRISEPACK -LicenseOptions $LicenseOptions
The Get-Mailbox cmdlet returns data about mailboxes in your Exchange Online tenant. You can specify a number of parameters to return different sets of mailboxes.
You can run Set-Mailbox commands against all mailbox types (user and resource) to configure or update various settings, such as mailbox quotas, regional configurations, proxy addresses, and names. In synchronized environments, however, a number of attributes are managed in the on-premises directory. If you attempt to manage attributes that are synchronized from the on-premises environment, you receive an error and guidance to update the attribute in Active Directory.
For more information on customizing Office 365 licensing, see Chapter 5, “Installing Azure AD Connect,” and https://blogs.technet.microsoft.com/undocumentedfeatures/2016/06/21/office-365-license-assignment.
A mail-enabled user (or mailuser) is a user account in Azure Active Directory that has mail properties applied to it so that it shows up in the Exchange global address list.
A mail-enabled user can be created or managed from the Exchange Admin Center or Windows PowerShell.
To create a mail-enabled user in the Exchange Admin Center, follow these steps.
From Windows PowerShell, the creation of a new mail-enabled user is accomplished by running New-MailUser, as shown in Figure 11-24, after you import the remote Exchange Online session.
New-MailUser -FirstName Sanjay -LastName Patel -Alias sanjaypatel -ExternalEmailAddress [email protected] -DisplayName "Sanjay Patel" -Name "Sanjay Patel" -Password (Get-Credential).Password -MicrosoftOnlineServicesID [email protected]
Contacts are mail-enabled objects that show up in the global address list. You can create contacts from the Office 365 Admin Center (mentioned earlier in this chapter), through the Exchange Admin Center, or through Windows PowerShell.
To create contacts through the Office 365 Admin Center, follow these steps.
Creating and managing a contact from a remote Exchange Online PowerShell session requires only a single line of code. See Figure 11-25.
New-MailContact -FirstName David -LastName Pelton -Name DavidPelton -DisplayName "David Pelton" -Alias davidpelton -ExternalEmailAddress [email protected]
Exchange Online has many available types of groups, depending on the needs of the organization. Distribution lists, for example, can be managed from the Office 365 Admin Center, Exchange Admin Center, or Windows PowerShell.
Security and distribution groups can be managed easily from the Office 365 Admin Center, as demonstrated in the following example.
If you choose an Office 365 group, a distribution list, or a mail-enabled security group, you can also enable the group to receive messages from Internet users. This sets the RequireSenderAuthenticationEnabled parameter to $false in Exchange Online. For Office 365 groups, you also have options to configure whether the group is public or private, the mailbox language, and whether you want members of the group to receive email and invites in their mailbox like a traditional distribution or mail-enabled security group. If you want to configure an Office 365 group to receive email from external sources, you have to edit the group after creation.
Manage groups from the Exchange Admin Center by following these steps.
If you select an Office 365 group, a dialog box appears similar to the following, shown in Figure 11-27.
Although the New Group dialog box in the Office 365 Admin Center lets you allow anonymous senders from outside the organization during setup, the Exchange Admin Center does not offer that option when adding an Office 365 group; you must configure it afterward.
If you select a distribution group, a very similar dialog box appears, except that it includes a link for creating a standard distribution group instead, if you would rather do that.
If you select Security Group, the New Security Group dialog box appears, as shown in Figure 11-28.
If you select Dynamic Distribution Group, you see the dialog box shown in Figure 11-29, which enables you to select criteria for creating and evaluating the group.
Because there are a few types of distribution groups in Office 365, there are slightly different cmdlets to configure them all from an Exchange Online PowerShell session.
To create a standard distribution list, use the following command.
New-DistributionGroup -Name Coho-Marketing-DL -DisplayName "Coho Marketing DL" -RequireSenderAuthenticationEnabled $false -PrimarySmtpAddress [email protected] -Alias cohomarketingdl
A room list is a special distribution list that is designed to contain room mailboxes. Room lists help users search for available rooms across the entire group and appear in Room Finder in Microsoft Outlook. Room lists can only be created from Windows PowerShell. Creating a room list is exactly the same as a normal distribution list, except it also includes the RoomList parameter, as shown in Figure 11-30.
New-DistributionGroup -Name Coho-MeetingRooms -DisplayName "Coho MeetingRooms" -RequireSenderAuthenticationEnabled $true -PrimarySmtpAddress [email protected] -Alias cohomeeting -RoomList
A mail-enabled security group is a type of distribution group that can be used to grant permissions to resources. The syntax is again very similar to creating a distribution group, except it uses the Type parameter with a value of Security, as shown in Figure 11-31.
New-DistributionGroup -Name Coho-SalesSecurity -DisplayName "Coho Sales Security Group" -RequireSenderAuthenticationEnabled $true -PrimarySmtpAddress [email protected] -Alias cohosalessecurity -Type Security
All the distribution groups based on the New-DistributionGroup cmdlet can be viewed, modified, or removed using these additional cmdlets.
You can find additional syntax for these cmdlets online at https://technet.microsoft.com/en-us/library/dn641234(v=exchg.160).aspx, “Users and groups cmdlets in Exchange Online.”
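Setting RequireSenderAuthenticationEnabled to $false, as in the distribution list example above, lets any Internet sender reach every member of the group, which matters most for mail-enabled security groups that also grant permissions. The following added example (not from the book) uses the Get-DistributionGroup, Get-DynamicDistributionGroup, Get-UnifiedGroup, and Set-DistributionGroup cmdlets to list the groups in the tenant that accept unauthenticated senders and to re-enable sender authentication on any mail-enabled security group left open; it assumes the remote Exchange Online session shown earlier in the chapter has been imported.

```powershell
# List Exchange Online groups that accept mail from unauthenticated (Internet)
# senders, then close the ones that are also security principals.
# Assumes the Exchange Online remote session has been imported with Import-PSSession.
function Get-ExternallyReachableGroup {
    param([switch]$IncludeUnifiedGroups)

    $groups = @(Get-DistributionGroup -ResultSize Unlimited)
    $groups += Get-DynamicDistributionGroup -ResultSize Unlimited
    if ($IncludeUnifiedGroups) { $groups += Get-UnifiedGroup -ResultSize Unlimited }

    foreach ($g in $groups) {
        # RequireSenderAuthenticationEnabled = $true means only internal senders are accepted.
        if ($g.RequireSenderAuthenticationEnabled) { continue }
        [pscustomobject]@{
            Name        = $g.Name
            Address     = $g.PrimarySmtpAddress
            Type        = $g.RecipientTypeDetails
            # A mail-enabled security group also grants access to resources, so an
            # open one lets an external message reach every holder of those rights.
            IsSecurity  = ($g.RecipientTypeDetails -eq 'MailUniversalSecurityGroup')
            ModeratedBy = ($g.ModeratedBy -join ';')
        }
    }
}

# Report every open group, then require sender authentication on the security groups.
$open = Get-ExternallyReachableGroup -IncludeUnifiedGroups
$open | Format-Table -AutoSize
$open | Where-Object { $_.IsSecurity } | ForEach-Object {
    Set-DistributionGroup -Identity $_.Address -RequireSenderAuthenticationEnabled $true
}
```

Groups that legitimately need to accept external mail (a support alias, for example) are better kept as plain distribution lists with moderation or a transport rule in front of them rather than as security groups.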
Unified groups are new to Office 365 and are created through the New-UnifiedGroup cmdlet. They’re referred to as Office 365 groups in the Office 365 and Exchange admin centers. See Figure 11-32.
New-UnifiedGroup -Name "CohoHR-UnifiedGroup" -DisplayName "Coho HR" -PrimarySmtpAddress [email protected] -Alias cohohr -AccessType Public -SubscriptionEnabled
Unified groups have a unique set of cmdlets available to them.
Additional syntax for these cmdlets is online at https://technet.microsoft.com/en-us/library/dn641234(v=exchg.160).aspx, “Users and groups cmdlets in Exchange Online.”
The membership for dynamic distribution groups is evaluated during delivery. By using Windows PowerShell, you can use filters and attributes to specify which members to include.
New-DynamicDistributionGroup -Name 'Coho Wine Club Administrators' -Alias 'cohowine' -IncludedRecipients 'MailboxUsers' -ConditionalDepartment @('Wine Club')
After a dynamic distribution group is created, you can use the following cmdlets to view, update, or remove the group.
Additional syntax for these cmdlets is online at https://technet.microsoft.com/en-us/library/dn641234(v=exchg.160).aspx, “Users and groups cmdlets in Exchange Online.”
This chapter discussed the various object types in Office 365 and how to manage them. There are many types of objects (users, groups, contacts), and most of them have dozens of properties that are used to define them further. Some properties are only manageable through certain interfaces, so as you gain more experience in managing Office 365, you’ll know which cmdlets or user interface to use by which types of properties you need to modify.