Copied from Blog : http://philwicklund.com/blog/Pages/Using-remote-PowerShell-to-manage-Office-365-identities.aspx
With remote PowerShell you can
connect to Office 365 to perform management tasks that are not available
or practical in the web management interface. For example, you can use
Remote PowerShell to automate repetitive tasks, extract data for custom
reports, customize policies, and connect Exchange Online to existing
infrastructure and processes. This is especially useful when you need
to perform the same task thousands of times. What would take days
through the browser can take minutes with a script. The following is a
list of common settings configured with remote PowerShell:
· User management
· License assignment
· Security group management
· Domain management
· Admin role assignments
To use Remote PowerShell, your PC
must be running the Windows Management Framework, which contains
Windows PowerShell v2 and WinRM 2.0. These components are already
installed in computers running Windows 7 or Windows Server 2008 R2. You
can manually download these components for computers running other
operating systems. You do not need to install any Exchange Server
management or migration tools in order to use Remote PowerShell, however
you will need to download and install the Microsoft Online PowerShell
Module.
The Microsoft Online PowerShell
Module contains Office 365’s core cmdlets, such as cmdlets to manage
users, groups, etc. To download the module use the following links:
X64: http://bit.ly/l8lS9z
X86: http://bit.ly/jTqbJW
To get started, open PowerShell on your PC and run the Import-Module MSOnline
cmdlet to load the module you just downloaded and installed. Next,
you’ll need to connect to Office 365 using a set of credentials. Use the
Get-Credential cmdlet to store your credentials in a variable you can pass to the Connect-MsolService cmdlet. The Connect-MsolService
cmdlet passes your credentials to Microsoft Online and sets up the
secure connection. Once you’re connected to Microsoft Online, you can
start scripting your administrative actions. The figure below shows an
example of how to connect to Microsoft Online with PowerShell after
you’ve installed the module:
You’ll notice in the figure that the Get-MsolUser
cmdlet was executed to fetch all the users in Microsoft Online. From a
user management perspective there are many cmdlets you can use. The
following scenarios will help you add/remove users, reset passwords,
add/remove security groups, enable/disable password expiry, and
enable/disable password strength requirements.
Creating a new user
To create a new user, use the New-MsolUser cmdlet. The following is an example of the cmdlet in use:
New-MsolUser -UserPrincipalName john@litwareinc.com -DisplayName "John Doe" -FirstName "John" -LastName "Doe"
Assigning a user a license
When you first create a user, that
user doesn’t have a license assigned to them and therefore cannot
access SharePoint Online. To assign the user a license you must use the Set-MsolUserLicense cmdlet. However, first you must get the license key you want to assign them through the Get-MsolAccountSku cmdlet. Notice in the figure below the Get-MsolAccountSku
cmdlet will return all the licenses you have purchased (ActiveUnits)
along with how many of those licenses have been already allocated to
users (ConsumedUnits).
With this information available you can run the Set-MsolUserLicense cmdlet. Use the AddLicenses parameter to assign a license, and use the RemoveLicenses parameter to remove a license. This can be seen in the example below:
Set-MsolUserLicense -UserPrincipalName user@litwareinc.onmicrosoft.com -AddLicenses "litwareinc:ENTERPRISEPACK" -RemoveLicenses "litwareinc:SHAREPOINTSTANDARD"
Note You can only assign one
license to any given user. If you want to upgrade a user’s license,
first remove the one they currently have, and then add the new license
you want to give them.
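The license steps above as one script, including the connection sequence from earlier in the post. This is an added example, not code from the original post; the UPN and SKU values are samples, and the UsageLocation check reflects the module's requirement that a user has a usage location before a license can be assigned.

```powershell
# Added example. $upn and $targetSku are sample values, not a real tenant.
Import-Module MSOnline
$cred = Get-Credential                 # interactive prompt; no password in the script
Connect-MsolService -Credential $cred

$upn       = 'john@litwareinc.onmicrosoft.com'
$targetSku = 'litwareinc:ENTERPRISEPACK'

# Look up the SKU and make sure a seat is actually free before assigning it.
$sku = Get-MsolAccountSku | Where-Object { $_.AccountSkuId -eq $targetSku }
if (-not $sku) { throw "SKU $targetSku is not present in this tenant." }
$free = $sku.ActiveUnits - $sku.ConsumedUnits
if ($free -lt 1) {
    throw "No free seats for $targetSku ($($sku.ConsumedUnits) of $($sku.ActiveUnits) used)."
}

# Fetch the user and fail early if the account cannot take a license yet.
$user = Get-MsolUser -UserPrincipalName $upn -ErrorAction Stop
if (-not $user.UsageLocation) {
    throw "$upn has no UsageLocation set; set one before assigning a license."
}

# Licenses the user holds right now, as SKU id strings.
$current = @($user.Licenses | ForEach-Object { $_.AccountSkuId })

if ($current -contains $targetSku) {
    Write-Output "$upn already holds $targetSku; nothing to do."
}
elseif ($current.Count -gt 0) {
    # Upgrade: remove the old license and add the new one in a single call.
    Set-MsolUserLicense -UserPrincipalName $upn -AddLicenses $targetSku -RemoveLicenses $current
    Write-Output "$upn moved from $($current -join ', ') to $targetSku."
}
else {
    Set-MsolUserLicense -UserPrincipalName $upn -AddLicenses $targetSku
    Write-Output "$upn assigned $targetSku ($($free - 1) seats left)."
}
```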
Removing a user
You can remove a user by using the Remove-MsolUser cmdlet, as can be seen below:
Remove-MsolUser -UserPrincipalName john@litwareinc.onmicrosoft.com
Resetting a user’s password
Quite commonly users will forget their
passwords and they’ll need an administrator to reset it for them.
Resetting passwords with PowerShell is quite easy. Simply use the Set-MsolUserPassword cmdlet. Set the NewPassword property if you want to specify a specific password to assign them. You have the option to use the ForceChangePassword property if you don’t want to require the user to change the password when they first log in. If you don’t use the NewPassword
property, the user will be assigned a system-generated password. In either
case, the user will receive an email with their password after you run
the cmdlet.
Set-MsolUserPassword -UserPrincipalName john@litwareinc.onmicrosoft.com -NewPassword "password" -ForceChangePassword $false
Blocking a user
To block a user from accessing Office 365 or SharePoint Online, without permanently deleting the user, use the Set-MsolUser cmdlet and set the BlockCredential property to true:
Set-MsolUser -UserPrincipalName user@litwareinc.onmicrosoft.com -BlockCredential $true
Disabling password expiration for a user
By default all passwords will expire after 90 days. To disable this for a given user use the Set-MsolUser cmdlet and set the PasswordNeverExpires property to true:
Set-MsolUser -UserPrincipalName user@litwareinc.onmicrosoft.com -PasswordNeverExpires $true
Disabling strong password strength requirements
By default all passwords must meet a
certain level of complexity. You can disable these complexity
requirements on a case by case basis with the Set-MsolUser cmdlet. Simply set the StrongPasswordRequired property to false:
Set-MsolUser -UserPrincipalName user@litwareinc.onmicrosoft.com -StrongPasswordRequired $false
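Because the three settings above are per-user exceptions that are easy to forget, it helps to list the accounts that carry them. The following audit is an added example, not code from the original post; it assumes an existing Connect-MsolService session, and the CSV file name is a sample.

```powershell
# Added example: report accounts that deviate from the default password policy
# or are blocked. Assumes Connect-MsolService has already been run.
$users = Get-MsolUser -All

# Keep only accounts with at least one of the exceptions described above.
# "-eq $true" / "-eq $false" skip accounts where the property is not populated.
$exceptions = $users | Where-Object {
    $_.PasswordNeverExpires   -eq $true  -or
    $_.StrongPasswordRequired -eq $false -or
    $_.BlockCredential        -eq $true
} | Select-Object UserPrincipalName, DisplayName, IsLicensed,
                  PasswordNeverExpires, StrongPasswordRequired, BlockCredential

# Riskiest combination first: a password that never expires AND has no
# complexity requirement.
$weakest = @($exceptions | Where-Object {
    $_.PasswordNeverExpires -eq $true -and $_.StrongPasswordRequired -eq $false
})

# Blocked accounts that still consume a license are cleanup candidates.
$blockedLicensed = @($exceptions | Where-Object {
    $_.BlockCredential -eq $true -and $_.IsLicensed -eq $true
})

Write-Output "Accounts with exceptions:              $(@($exceptions).Count)"
Write-Output "Never expires + no complexity:         $($weakest.Count)"
Write-Output "Blocked but still holding a license:   $($blockedLicensed.Count)"

$exceptions | Sort-Object UserPrincipalName | Format-Table -AutoSize

# Keep a dated record so the next run can be compared against this one.
$exceptions | Export-Csv -Path ".\msol-password-exceptions.csv" -NoTypeInformation
```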
Adding a new security group
Security groups in Office 365 are
helpful for SharePoint Online users because they can be used across
multiple site collections. SharePoint Groups can only be used in a
single site collection, so if you want to manage authentication across
more than one site collection an Office 365 security group can be
helpful. To create a new group, simply use the New-MsolGroup cmdlet:
New-MsolGroup -DisplayName "Sales Executives" -Description "All sales staff"
Adding users to a security group
To add a user to a group, you can use the Add-MsolGroupMember
cmdlet. The problem however is this cmdlet requires a handle to the
group you want to add the user to, and to get a handle to that group you
first must use the Get-MsolGroup cmdlet and search on the group’s display name:
$salesGroup = Get-MsolGroup | where-object { $_.DisplayName -eq "Sales Executives"}
Note You can use the
“SearchString” parameter rather than the where-object option to make
searching for a group or user easier, however it may return more than
one result, which you wouldn’t want.
After you have your group
assigned to a variable you’ll also want a handle on the user you want to
add to that group, for example:
$user = Get-MsolUser | where-object { $_.DisplayName -eq "Phil" }
After that, you can use the Add-MsolGroupMember cmdlet to add the user to that group, for example:
Add-MsolGroupMember -GroupObjectId $salesGroup.ObjectId -GroupMemberType "User" -GroupMemberObjectId $user.ObjectId
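A display-name match can return zero or several objects, in which case $salesGroup.ObjectId or $user.ObjectId is empty or an array and the wrong membership may be granted. The following added example (not code from the original post) refuses to continue unless exactly one group matches, and looks the user up by UPN instead of display name; the UPN is a sample value and a Connect-MsolService session is assumed.

```powershell
# Added example: add a user to a security group only when both lookups
# are unambiguous. Assumes Connect-MsolService has already been run.
$groupName = 'Sales Executives'
$upn       = 'phil@litwareinc.onmicrosoft.com'   # sample value

# Exact display-name match; @() guarantees an array so .Count is reliable
# for zero, one or many results.
$groups = @(Get-MsolGroup -All | Where-Object { $_.DisplayName -eq $groupName })
if ($groups.Count -ne 1) {
    throw "Expected exactly one group named '$groupName', found $($groups.Count)."
}
$group = $groups[0]

# A UPN is unique in the tenant, unlike a display name such as "Phil".
$user = Get-MsolUser -UserPrincipalName $upn -ErrorAction Stop

# Skip the call if the user is already a member, so the script can be re-run.
$members = @(Get-MsolGroupMember -GroupObjectId $group.ObjectId -All)
$already = @($members | Where-Object { $_.ObjectId -eq $user.ObjectId })

if ($already.Count -gt 0) {
    Write-Output "$upn is already a member of '$groupName'."
}
else {
    Add-MsolGroupMember -GroupObjectId $group.ObjectId `
                        -GroupMemberType "User" `
                        -GroupMemberObjectId $user.ObjectId
    Write-Output "Added $upn to '$groupName' ($($group.ObjectId))."
}
```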
Deleting a security group
To delete a security group, simply use the Remove-MsolGroup cmdlet, as can be seen below:
Remove-MsolGroup -objectid $salesGroup.ObjectId