Friday, March 9, 2012

Using remote PS to manage Office365 Identities

Copied from blog: http://philwicklund.com/blog/Pages/Using-remote-PowerShell-to-manage-Office-365-identities.aspx
With remote PowerShell you can connect to Office 365 to perform management tasks that are not available or practical in the web management interface. For example, you can use Remote PowerShell to automate repetitive tasks, extract data for custom reports, customize policies, and connect Exchange Online to existing infrastructure and processes. This is especially useful when you need to perform the same task thousands of times. What would take days through the browser can take minutes with a script. The following is a list of common settings configured with remote PowerShell:
· User management
· License assignment
· Security group management
· Domain management
· Admin role assignments
To use Remote PowerShell, your PC must be running the Windows Management Framework, which contains Windows PowerShell v2 and WinRM 2.0. These components are already installed on computers running Windows 7 or Windows Server 2008 R2. You can manually download these components for computers running other operating systems. You do not need to install any Exchange Server management or migration tools in order to use Remote PowerShell; however, you will need to download and install the Microsoft Online PowerShell Module.
The Microsoft Online PowerShell Module contains Office 365’s core cmdlets, such as cmdlets to manage users, groups, etc. To download the module use the following links:
To get started, open PowerShell on your PC and run the Import-Module MSOnline cmdlet to load the module you just downloaded and installed. Next, you’ll need to connect to Office 365 using a set of credentials. Use the Get-Credential cmdlet to store your credentials in a variable that you can pass to the Connect-MsolService cmdlet. The Connect-MsolService cmdlet passes your credentials to Microsoft Online and sets up the secure connection. Once you’re connected to Microsoft Online, you can start scripting your administrative actions. The figure below shows an example of how to connect to Microsoft Online with PowerShell after you’ve installed the module:
[Figure: 5-14.bmp]
You’ll notice in the figure that the Get-MsolUser cmdlet was executed to fetch all the users in Microsoft Online. From a user management perspective there are many cmdlets you can use. The following scenarios will help you add/remove users, reset passwords, add/remove security groups, enable/disable password expiry, and enable/disable password strength requirements.
Creating a new user
To create a new user, use the New-MsolUser cmdlet. The following is an example of the cmdlet in use:
New-MsolUser -UserPrincipalName john@litwareinc.com -DisplayName "John Doe" -FirstName "John" -LastName "Doe"
Assigning a user a license
When you first create a user, that user doesn’t have a license assigned and therefore cannot access SharePoint Online. To assign the user a license you must use the Set-MsolUserLicense cmdlet. However, first you must get the license key you want to assign them through the Get-MsolAccountSku cmdlet. Notice in the figure below that the Get-MsolAccountSku cmdlet returns all the licenses you have purchased (ActiveUnits) along with how many of those licenses have already been allocated to users (ConsumedUnits).
[Figure: 5-15.bmp]

With this information available you can run the Set-MsolUserLicense cmdlet. Use the AddLicenses parameter to assign a license, and use the RemoveLicenses parameter to remove a license. This can be seen in the example below:
Set-MsolUserLicense -UserPrincipalName user@litwareinc.onmicrosoft.com -AddLicenses "litwareinc:ENTERPRISEPACK" -RemoveLicenses "litwareinc:SHAREPOINTSTANDARD"
Note: You can only assign one license to any given user. If you want to upgrade a user’s license, first remove the one they currently have, and then add the new license you want to give them.
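The connect, create and license steps above combined into one bulk run, as an added example that is not part of the original post. The sample rows are constructed, and the "US" usage location and the use of the -UsageLocation parameter before licensing are assumptions about the tenant.

```powershell
# Added example: bulk-create and license users; requires the MSOnline module.
Import-Module MSOnline
$cred = Get-Credential                 # interactive prompt; no password in the script
Connect-MsolService -Credential $cred

# Constructed sample rows; a real run would use Import-Csv on a file instead.
$newUsers = @(@"
UserPrincipalName,DisplayName,FirstName,LastName
john@litwareinc.com,John Doe,John,Doe
jane@litwareinc.com,Jane Roe,Jane,Roe
"@ | ConvertFrom-Csv)

$skuId         = "litwareinc:ENTERPRISEPACK"   # SKU id from the page's example
$usageLocation = "US"                          # assumption: tenant-specific country code

# Refuse to start if the tenant lacks enough unassigned licenses.
$sku = Get-MsolAccountSku | Where-Object { $_.AccountSkuId -eq $skuId }
if (-not $sku) { throw "SKU $skuId not found in this tenant." }
$free = $sku.ActiveUnits - $sku.ConsumedUnits
if ($free -lt $newUsers.Count) { throw "Need $($newUsers.Count) licenses, only $free free." }

$results = foreach ($u in $newUsers) {
    $upn = $u.UserPrincipalName
    # Do not touch accounts that already exist.
    if (Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue) {
        Write-Warning "$upn already exists; skipped."
        continue
    }
    # New-MsolUser returns the new account together with its temporary password.
    $created = New-MsolUser -UserPrincipalName $upn -DisplayName $u.DisplayName `
        -FirstName $u.FirstName -LastName $u.LastName -UsageLocation $usageLocation
    Set-MsolUserLicense -UserPrincipalName $upn -AddLicenses $skuId
    New-Object PSObject -Property @{ UserPrincipalName = $upn; TempPassword = $created.Password }
}

# Show only the account names; TempPassword stays in $results for out-of-band
# delivery and is kept out of console transcripts.
$results | Select-Object UserPrincipalName
```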
Removing a user
You can remove a user by using the Remove-MsolUser cmdlet, as can be seen below:
Remove-MsolUser -UserPrincipalName john@litwareinc.onmicrosoft.com
Resetting a user’s password
Quite commonly users will forget their passwords and they’ll need an administrator to reset it for them. Resetting passwords with PowerShell is quite easy. Simply use the Set-MsolUserPassword cmdlet. Set the NewPassword property if you want to specify a specific password to assign them. You have the option to use the ForceChangePassword property if you don’t want to require the user to change the password when they first log in. If you don’t use the NewPassword property, the user will be assigned a system-generated password. In either case, the user will receive an email with their password after you run the cmdlet.
Set-MsolUserPassword -UserPrincipalName john@litwareinc.onmicrosoft.com `
    -NewPassword "password" -ForceChangePassword $false
Blocking a user
To block a user from accessing Office 365 or SharePoint Online, without permanently deleting the user, use the Set-MsolUser cmdlet and set the BlockCredential property to true:
Set-MsolUser -UserPrincipalName user@litwareinc.onmicrosoft.com -BlockCredential $true
Disabling password expiration for a user
By default all passwords will expire after 90 days. To disable this for a given user use the Set-MsolUser cmdlet and set the PasswordNeverExpires property to true:
Set-MsolUser -UserPrincipalName user@litwareinc.onmicrosoft.com `
    -PasswordNeverExpires $true
Disabling strong password strength requirements
By default all passwords must meet a certain level of complexity. You can disable these complexity requirements on a case-by-case basis with the Set-MsolUser cmdlet. Simply set the StrongPasswordRequired property to false:
Set-MsolUser -UserPrincipalName user@litwareinc.onmicrosoft.com `
    -StrongPasswordRequired $false
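Because the two settings above are per-user exceptions to the default policy, it helps to be able to list every account that carries one. The following is an added example, not code from the original post; the function name Get-PasswordPolicyException and the sample objects are constructed for illustration.

```powershell
# Added example: flag accounts whose password policy has been relaxed.
function Get-PasswordPolicyException {
    param([Parameter(ValueFromPipeline = $true)] $User)
    process {
        $flags = @()
        # Compare explicitly so that empty (null) values are not reported.
        if ($User.PasswordNeverExpires -eq $true)    { $flags += 'PasswordNeverExpires' }
        if ($User.StrongPasswordRequired -eq $false) { $flags += 'StrongPasswordNotRequired' }
        if ($flags.Count -gt 0) {
            New-Object PSObject -Property @{
                UserPrincipalName = $User.UserPrincipalName
                BlockCredential   = $User.BlockCredential
                Exceptions        = ($flags -join ', ')
            }
        }
    }
}

# Constructed sample objects standing in for Get-MsolUser output.
$sample = @(
    (New-Object PSObject -Property @{ UserPrincipalName = 'john@litwareinc.onmicrosoft.com'
        PasswordNeverExpires = $true;  StrongPasswordRequired = $true;  BlockCredential = $false }),
    (New-Object PSObject -Property @{ UserPrincipalName = 'user@litwareinc.onmicrosoft.com'
        PasswordNeverExpires = $true;  StrongPasswordRequired = $false; BlockCredential = $true }),
    (New-Object PSObject -Property @{ UserPrincipalName = 'jane@litwareinc.onmicrosoft.com'
        PasswordNeverExpires = $null;  StrongPasswordRequired = $true;  BlockCredential = $false })
)

# Reports john (one exception) and user (two exceptions); jane is not listed.
$sample | Get-PasswordPolicyException |
    Select-Object UserPrincipalName, Exceptions, BlockCredential

# Against a live tenant, after Connect-MsolService:
# Get-MsolUser -All | Get-PasswordPolicyException |
#     Export-Csv .\password-policy-exceptions.csv -NoTypeInformation
```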
Adding a new security group
Security groups in Office 365 are helpful for SharePoint Online users because they can be used across multiple site collections. SharePoint Groups can only be used in a single site collection, so if you want to manage authentication across more than one site collection an Office 365 security group can be helpful. To create a new group, simply use the New-MsolGroup cmdlet:

New-MsolGroup -DisplayName "Sales Executives" -Description "All sales staff"

Adding users to a security group
To add a user to a group, you can use the Add-MsolGroupMember cmdlet. The problem however is this cmdlet requires a handle to the group you want to add the user to, and to get a handle to that group you first must use the Get-MsolGroup cmdlet and search on the group’s display name:
$salesGroup = Get-MsolGroup | where-object { $_.DisplayName -eq "Sales Executives"}
Note: You can use the “SearchString” parameter rather than the where-object option to make searching for a group or user easier, however it may return more than one result, which you wouldn’t want.
After you have your group assigned to a variable you’ll also want a handle on the user you want to add to that group, for example:
$user = Get-MsolUser | where-object { $_.DisplayName -eq "Phil" }
After that, you can use the Add-MsolGroupMember cmdlet to add the user to that group, for example:
Add-MsolGroupMember -GroupObjectId $salesGroup.ObjectId -GroupMemberType "User" `
    -GroupMemberObjectId $user.ObjectId
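The lookups above assume that exactly one group and one user match the display name. The following added example, which is not part of the original post, makes that assumption explicit and stops when a name is missing or ambiguous; Resolve-SingleMatch is a hypothetical helper, and a connected Connect-MsolService session is assumed.

```powershell
# Added example; assumes Connect-MsolService has already been run.
function Resolve-SingleMatch {
    param($Candidates, [string]$DisplayName, [string]$Kind)
    # SearchString can return several objects, so keep only exact display-name hits.
    $hits = @($Candidates | Where-Object { $_.DisplayName -eq $DisplayName })
    if ($hits.Count -ne 1) {
        throw "$Kind '$DisplayName' matched $($hits.Count) objects; expected exactly 1."
    }
    $hits[0]
}

$salesGroup = Resolve-SingleMatch (Get-MsolGroup -SearchString "Sales Executives") `
    "Sales Executives" "Group"
$user = Resolve-SingleMatch (Get-MsolUser -SearchString "Phil") "Phil" "User"

# Skip the add if the user is already a member of the group.
$isMember = Get-MsolGroupMember -GroupObjectId $salesGroup.ObjectId -All |
    Where-Object { $_.ObjectId -eq $user.ObjectId }

if ($isMember) {
    Write-Output "$($user.UserPrincipalName) is already in '$($salesGroup.DisplayName)'."
} else {
    Add-MsolGroupMember -GroupObjectId $salesGroup.ObjectId -GroupMemberType "User" `
        -GroupMemberObjectId $user.ObjectId
    Write-Output "Added $($user.UserPrincipalName) to '$($salesGroup.DisplayName)'."
}
```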
Deleting a security group
To delete a security group, simply use the Remove-MsolGroup cmdlet, as can be seen below:
Remove-MsolGroup -objectid $salesGroup.ObjectId
