O365

Azure AD – Create Security Groups and Add Members using PowerShell

by

Azure AD security groups can be used to manage member and computer access to shared resources for a group of users. A security group can have users, devices, groups and SPNs as its members. In this post, I’ll go over steps on how to create a Azure AD security group, add users to one group and also bulk import users to one group and multiple groups.

Make sure you are connected to Azure AD,

$credential = Get-Credential
Connect-AzureAD -credential $credential

To create an Azure AD security group:

$GroupName = Read-Host "Enter name for Azure AD group"
New-AzureADGroup -DisplayName $GroupName -MailEnabled $false -SecurityEnabled $true -MailNickName "NotSet"

To create multiple Azure AD security groups:

Note: csv file has name,description as column headers

$groups = import-csv "C:\tmp\AzureAD Groups\groups.csv"

Foreach($group in $groups) {
New-AzureADGroup -DisplayName $group.name -Description $group.description -MailEnabled $false -SecurityEnabled $true -MailNickName "NotSet"
}

To add an user and an owner to an existing group:

$Group = Read-Host "Enter name of Azure AD group"
$User = Read-Host "Enter username of user to be added"
$Owner = Read-Host "Enter username of group owner"

$GroupObj = Get-AzureADGroup -SearchString $Group
$UserObj = Get-AzureADUser -SearchString $User
$OwnerObj = Get-AzureADUser -SearchString $Owner

Add-AzureADGroupMember -ObjectId $GroupObj.ObjectId -RefObjectId $UserObj.ObjectId
Add-AzureADGroupOwner -ObjectId $GroupObj.ObjectId -RefObjectId $OwnerObj.ObjectId

To display members of a security group:

$Group = Read-Host "Enter name of Azure AD group to display members"
$GroupObj = Get-AzureADGroup -SearchString $Group
Get-AzureADGroupMember -ObjectId $GroupObj.ObjectId

To display owners of a security group:

$Group = Read-Host "Enter name of Azure AD group to display owner(s)"
$GroupObj = Get-AzureADGroup -SearchString $Group
Get-AzureADGroupOwner -ObjectId $GroupObj.ObjectId

To bulk add multiple users to a specific group:

Note: csv file has UserPrincipalName as column header

$Group = Read-Host "Enter name of Azure AD group to add users"
$GroupObj = Get-AzureADGroup -SearchString $Group
$Members = Import-csv "C:\tmp\GroupMembers.csv"
Foreach($Member in $Members) {

$User = $Member.UserPrincipalName
Write-Progress -Activity "Adding user.." -Status $User

Try {
$UserObj = Get-AzureADUser -SearchString $User
Add-AzureADGroupMember -ObjectId $GroupObj.ObjectId -RefObjectId $UserObj.ObjectId
}
catch {
Write-Host "Error occured while adding $User" -ForegroundColor Red
}
}

To bulk add multiple users to multiple groups. This below script checks to see if the user is already part of the Azure AD group and returns an error.

Note: csv file has UserPrincipalName,Group as column headers

$list = Import-csv "C:\tmp\UsersGroups.csv"
Foreach($entry in $list) {

$User = $entry.UserPrincipalName
$Group = $entry.Group
$UserObj = Get-AzureADUser -SearchString $User
$GroupObj = Get-AzureADGroup -SearchString $Group
$GroupMembers = (Get-AzureADGroupMember -ObjectId $GroupObj.ObjectId).UserPrincipalName

If ($User -notin $GroupMembers) {
    Add-AzureADGroupMember -ObjectId $GroupObj.ObjectId -RefObjectId $UserObj.ObjectId
    Write-Host "$User added to $Group" -ForegroundColor Green
    }
    else {
    Write-Host "$User already in $Group" -ForegroundColor Red
    }
}

Hope this was helpful for you in exploring Azure AD security groups.

Thank you for stopping by. ✌

Office 365 – Convert User Mailbox to Shared Mailbox

by

Scenarios are plenty when O365 admins are requested to convert a user mailbox to a shared mailbox.

Here is one that comes up often,

  • User/Employee leaves the organization and others in the team need access to the user’s mailbox to keep track of the project they were working on

When we convert a user mailbox to a shared mailbox, the mailbox must have a license assigned and after the conversion is complete, we can remove the license.

One little caveat to the licensing part is, without license assigned to the shared mailbox, its size is limited to 50GB. So, before converting, make sure to check the mailbox’s size and to increase the shared mailbox’s size to 100GB, assign a Exchange Online Plan 2 license.

Note: If you are on Exchange hybrid environment, you’ll have to manage your mailboxes using on-premises Exchange management tools.

To convert a user mailbox to Shared mailbox using PowerShell

Before proceeding further make sure you are connected to Exchange Online,

$o365cred = Get-Credential
Connect-ExchangeOnline -credential $o365cred

To convert to shared mailbox:

$Mbx = Read-Host "Enter user's email address for Shared Mailbox conversion"
Set-Mailbox -Identity $Mbx -Type Shared
Set-Mailbox

The -Type parameter also supports the below values:

  • Equipment
  • Regular
  • Room
  • Workspace (cloud-only)

Determine if it worked

To make sure the mailbox has been successfully converted:

$sMbx = Read-Host "Enter email address"
Get-Mailbox -Identity $sMbx | fl DisplayName,RecipientTypeDetails
Get-Mailbox

To convert a user mailbox to Shared mailbox using EAC

Exchange admin center also allows converting a user’s mailbox to shared mailbox.

  1. Login to Exchange admin center, in the left navigation menu, click recipients
  2. Click Mailboxes
  3. Search for the mailbox and select it
  4. In the right side details window, Click Convert under Convert to Shared Mailbox
  5. Click Yes in the warning window
Convert to Shared Mailbox
successfully converted to shared mailbox

Determine if it worked

  1. Login to Exchange admin center, in the left navigation menu, click recipients
  2. Click shared
  3. Search for the mailbox
Shared tab in recipients

Hope this post helped you out.

Thank you for stopping by.✌

O365 – Determine Licensed users

by

Who are the licensed users in our tenant and what licenses are assigned to them? This question comes up way too often in several scenarios and there are a few methods to determine this. I will go over those in this post. I’ve updated this post with some newer information about exporting from the admin portal when I learned them.

Using PowerShell

There are two versions of the PowerShell module that you can use to connect to Microsoft 365 and administer user accounts, groups, and licenses:

  • Microsoft Azure AD Module for Windows PowerShell, whose cmdlets include Msol in their name
  • Azure AD PowerShell for Graph, whose cmdlets include AzureAD in their name

Please make sure you have the MSOnline Module for PowerShell installed and loaded

The Get-MsolUser is a powerful cmdlet which provides a lot of details and I’m going to use it for determining the user’s license.

To connect to the service,

$credential = Get-Credential -credential "adminuser@tenant.onmicrosoft.com"
Connect-MsolService -credential $credential

To get all (licensed and unlicensed) users,

Get-MsolUser -All
Get-MsolUser output

To list only licensed users,

Get-MsolUser -All | Where {$_.isLicensed -eq $true}

To list unlicensed users,

Get-MsolUser -All -UnlicensedUsersOnly

To export all users to a csv with their user name, license status and license assigned,

Get-MsolUser -All | Where {$_.isLicensed -eq $true} | Select Displayname,userprincipalname,islicensed,{$_.Licenses.AccountSkuId} | Export-csv "C:\tmp\userlist.csv" -NoTypeInformation

The exported csv will look like this,

csv data

Using the O365 admin portal

Microsoft has enabled exporting licensing information from the portal.

  1. Login to O365 admin center
  2. Users –> Active Users
  3. Click Export Users
  4. Click Continue
admin portal licensing information

This is how the csv output looks like,

csv export from admin center

Thank you for stopping by. ✌

Office 365 – Update Primary Email Address in Bulk using PowerShell

by

In this post, I’ll go over steps on how to update users’ primary email address in bulk.

I had to update the custom domain name address for one of the tenants I manage. When the O365 tenant was setup, I didn’t have my domain name ready for various reasons and the users were setup with @{tenantname}.onmicrosoft.com addresses. Once I added the necessary DNS records for O365 and made sure my new domain name is listed as default in the domain tab(Microsoft 365 admin center -> Settings -> Domains) in the list of , I was ready to update the user accounts with the new domain name.

Before proceeding further make sure you are connected to Exchange Online,

$o365cred = Get-Credential
Connect-ExchangeOnline -credential $o365cred

To bulk update accounts from a csv file:

Note: csv file has User,Emailaddress as column headers. Enter the users’ email address with new domain in the csv file. It is strongly recommended to leave the onmicrosoft.com address in the users’ proxy addresses and specifying the new address as PrimarySmtpAddress with SMTP.

$users = Import-Csv C:\tmp\Update-Email\emails.csv
foreach ($user in $users){

$Mailbox= Get-Mailbox -Identity $user.User
$PrimaryEmail=$Mailbox.PrimarySmtpAddress
$SMTP ="SMTP:"+$user.Emailaddress
Set-Mailbox -Identity $user.User -EmailAddresses $SMTP,$PrimaryEmail -WindowsEmailAddress $user.Emailaddress -MicrosoftOnlineServicesID $user.Emailaddress 

}

To bulk update all accounts in the O365 tenant:

Note: This below script will change all accounts in the tenant from whatever your enter for the $oldDomain to the $newDomain. So, proceed with caution and comply with your change management process and steps.

$oldDomain = Read-Host "Enter existing domain name in '@domainname.com' format"
$newDomain = Read-Host "Enter new domain name in '@domainname.com' format"

$mailboxes = (Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox).where{$_.PrimarySmtpAddress -like "*$oldDomain"}
foreach ($mbx in $mailboxes){

$PrimaryEmail = $mbx.PrimarySmtpAddress
$newSMTPAddress = $mbx.PrimarySmtpAddress -split '@'
$newSMTPAddress = $newSMTPAddress[0] + $newDomain
$SMTP ="SMTP:"+$newSMTPAddress
Write-Host "Processing: $mbx.Name --> $newSMTPAddress"
Set-Mailbox -Identity $mbx.Identity -EmailAddresses $SMTP,$PrimaryEmail -WindowsEmailAddress $newSMTPAddress -MicrosoftOnlineServicesID $newSMTPAddress
}

You can also make this change in bulk in the portal as well,

  1. Select all the users whom you wish you update
  2. Click on Change domains
  3. Select the desired domain name from the drop down at the pop-up window
  4. Click Save changes

Thank you for stopping by.✌