Managing Microsoft 365 Using PowerShell

April 24, 2023
6 min read

Managing the powerful productivity and collaboration suite Microsoft 365 can be a daunting task, especially for organizations with thousands of users, licenses for those users, and hundreds of groups used to manage the users.

PowerShell is a command-line tool that can simplify and automate the management of Microsoft 365 and save time and resources. It’s important for Microsoft 365 administrators to have the ability to automate, bulk manage, and configure these users, licenses, and groups. To benefit, you need a thorough understanding of how PowerShell integrates with Microsoft 365 and how you can use PowerShell to manage users, licenses, and groups, and generate reports and PowerShell scripts to perform some of the more common M365 administrative tasks, like adding users in bulk or changing properties of users or groups.

Using PowerShell to accomplish this task involves not only managing access to Microsoft 365, but also the different services available in Microsoft 365 including:

  • SharePoint
  • Exchange
  • Security and Compliance Center
  • Microsoft Teams
  • Skype for Business
  • Delegated Access Permissions (DAP)

In this article, I’ll focus on management of users, licenses, and groups, and review the reporting capabilities available when using PowerShell. 

PowerShell for Microsoft 365 has several cmdlets for managing all aspects of Microsoft 365, including performing the following tasks:

  • Display information that can’t be seen from within the Microsoft 365 admin center
  • Configure features and settings only configurable using PowerShell
  • Perform bulk operations
  • Filter data
  • Print or save data

Note: You need to be a member of the global administrator role in Microsoft 365 to connect and manage Microsoft 365. If managing a specific component, like groups, users, or licenses, you can be a member of that specific admin role without being a member of the global admin role.

PowerShell Modules Used to Manage Microsoft 365

Before you can begin managing Microsoft 365 users, groups, and licenses using PowerShell, you must install one or both of the following PowerShell modules:

  • Azure Active Directory PowerShell for Graph (cmdlets include AzureAD in their name)
  • Microsoft Azure Active Directory Module for Windows PowerShell (cmdlets include Msol in their name)

Note: These two modules can reside on the same computer and, in some scenarios, you need both versions installed.

Microsoft 365 PowerShell module system requirements

  • Operating system (64-bit only)
    • Windows 10, Windows 8.1, Windows 8, or Windows 7 SP1
    • Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 SP1
  • PowerShell
    • Azure AD PowerShell for Graph requires PowerShell 5.1
    • Microsoft Azure AD Module for Windows PowerShell 5.1 up to 6 (7 is not supported)

Let’s get started. To connect to Microsoft 365 with the Azure AD PowerShell for Graph module:

  1. Open Windows PowerShell Command Prompt in Admin mode.
  2. Enter and run Install-Module -Name AzureAD
  3. When you see the message asking about untrusted repository, respond Yes or Yes to All.
  4. Enter and run Import-Module AzureAD.
  5. Connect to AzureAD using Connect-AzureAD.
  6. When prompted, provide credentials to complete the connection process, as shown in Figure 1. 
The PowerShell command screen showing the tenant domain and account type, as well as four user names, their email addresses, and their user types.
Figure 1: Connect to Microsoft 365 using the Azure AD PowerShell for Graph module. View Full Size

If you want to connect to Microsoft 365 with the Azure AD Module for Windows PowerShell:

  1. Locate and download Microsoft Online Services Sign-in Assistant.
  2. Open Windows PowerShell Command Prompt in Admin mode.
  3. Enter and run Install-Module MSOnline.
  4. If prompted for NuGet provider type Y and press Enter.
  5. If prompted to install the module from PSGallery, type Y and press Enter.
  6. Connect to AzureAD using Connect-MsolService.
  7. When prompted, provide credentials to complete the connection process, as shown in Figure 2.
The PowerShell command page showing the status of untrusted repository and whether certain users are licensed or not.
Figure 2: Connect to Microsoft 365 with the Azure AD module for Windows PowerShell. View Full Size

Understanding Microsoft 365 cmdlets

There’s a plethora of Microsoft 365 PowerShell cmdlets, so I’m not going to discuss all of them. I’ll explore the most common cmdlets used to manage users and groups. The general cmdlets for managing these components involve using five primary commands that use a verb-noun pattern with some examples, following this overview.

  • Add-xxx: Adds a user to a M365 component.
  • Get-xxx: Retrieve and display information about a Microsoft 365 component.
  • New-xxx: Create a new Microsoft 365 component.
  • Set-xxx: Modify or change settings on a Microsoft 365 component.
  • Remove-xxx: Delete a Microsoft 365 component.

Common AzureAD Graph cmdlets

Get-AzureADGroup, New-AzureADGroup, Set-AzureADGroup, Remove-AzureADGroup 
Get-AzureADUser, New-AzureADUser, Remove-AzureADUser, Set-AzureADUser
Get-AzureADDevice, New-AzureADDevice, Set-AzureADDevice, Remove-AzureADDevice
Get-AzureADApplication, New-AzureADApplication, Remove-AzureADApplication

Common Microsoft Online cmdlets

Get-MsolUser, New-MsolGroup, Set-MsolGroup, Remove-MsolGroup
Get-MsolUser, New-MsolUser, Remove-MsolUser, Set-MsolUser
Get-MsolGroupMember, Add-MsolGroupMember, Remove-MsolGroupMember
Get-MsolRoleMember, Add-MsolRoleMember, Remove-MsolRoleMember

Obtaining Help on Available Microsoft 365 PowerShell cmdlets

There are way too many M365 PowerShell cmdlets for anyone to remember all of them, but you can get help on all the PowerShell cmdlets by using the following command:

Get-Command -Module MsOnline 

Use the following command to display a list of Microsoft 365 PowerShell cmdlets that begin with a verb, like Add:

Get-Command -Module MsOnline Add -*

Use the following command to display the details of a specific Microsoft 365 PowerShell cmdlet:

              Get-Help New-MsolUser -Detail

Use the following command to see examples of a specific Microsoft 365 PowerShell cmdlet:

              Get-Help New-MsolUser -Examples

Managing M365 Users in Bulk

If you have the need to add users in bulk, you can create a .csv file containing the necessary fields, separated by a comma for each user, and use PowerShell to perform a bulk import. For instance, if you wanted to add several new users, you can create a .csv file called NewUsers.csv using a format similar to this (code line broken in this and other snippets to facilitate publishing):

UserPrincipalName,DisplayName,Department,LicenseAssignment,
UsageLocation

In subsequent lines, provide the values for each new user you want to add:

Brian@Microtechpoint.com,”Brian
Alderman”,”Marketing”,”MicrotechPoint:ENTERPRISEPACK”,”US”

To add the new users, open Windows PowerShell in Administrator mode and execute the following command:

Import-Csv C:\users\Brian\Desktop\NewUsers.csv | ForEach-Object {New -
MsolUser -UserPrincipalName $_.UserPrincipalName -DisplayName 
$_.DisplayName -Department $_.Department -LicenseAssignment 
$_.LicenseAssignment -UsageLocation $_.UsageLocation}

Note: The only three required fields are UserPrincipalName, DisplayName, and UsageLocation. All others are optional, including licensing the new users as you create them. To obtain information about what licenses are available to assign to your users, you can issue the following PowerShell cmdlet:

Get-MsolAccountSku

Using Microsoft 365 PowerShell cmdlets

The PowerShell screen shown in Figure 3 contains the commands used to create and manage a new Microsoft 365 user by using the following steps:

  1. Create a new user called Don using this information:
  • UserPrincipalName Don@Microtechpoint.com
  • DisplayName “Don Alderman” 
  • After retrieving the available licenses, assign Don an EXCHANGESTANDARD license.
  • Set Don’s UsageLocation at “US”.

2. After creating the user, add a Department of Marketing to Don’s account. 

3. After modifying Don’s department, generate a report of all users by using the Get-MsolUser cmdlet.

A PowerShell screen showing Active, Warning, and Consumed units, licensing for new user “Don,” and adds the new user data to the list of email addresses and licensing data.
Figure 3: PowerShell cmdlets are used to add a new user, modify a property of the new user, and generate a report of all your Microsoft 365 tenant users. View Full Size

Figure 3 shows all of the Microsoft 365 users, the new user’s principal name (Don), display name, and that Don has a standard Exchange license. 

There are too many Microsoft 365 PowerShell cmdlets to discuss in this brief article, but you can review and learn about them here: the MSOnline website or on the AzureAD website.

 

Brian Alderman

Brian Alderman

Brian Alderman is a former Microsoft MVP, and has his Master's in Computer Information Systems. Since 1995, he has held several Microsoft certifications that currently include; MCT, MCSE for SharePoint, MCSA for Office 365, MCITP for SQL Server(R), MCSA and MCSE for Windows Server(R), and also his PMP certification. As a Senior Technical Instructor and Consultant, he has 30 years of experience in networking, SQL Server databases, SharePoint technologies, and project management. Brian's publications include Windows 2000 Professional, SQL Server 2000 Administration, SharePoint 2010 Administrator's Companion, and Microsoft SharePoint 2013 Administration Inside Out. He is an active speaker at SharePoint Industry conferences including SharePoint Saturday's, SPLive, DevIntersection, SharePoint Fest, Microsoft Ignite, and several international SharePoint conferences including London, Milan, and Madrid.