Office 365 includes a wide variety of services, such as Exchange Online, SharePoint Online and OneDrive for Business, that foster communication and collaboration between users. To use Office 365 services, however, each user needs their own user account in Office 365 with assigned licenses. You can easily remove licenses from user accounts that are no longer in use and re-assign them to other user accounts.
In this blog post, I’ll cover how to create Office 365 accounts quickly and efficiently, assign the appropriate licenses to them, and how to delete Office 365 accounts when they are no longer needed. I’ll be sharing how to accomplish these tasks in Office 365 using PowerShell. Though the Office 365 admin center is a starting point for most admin tasks and includes links to service-specific admin centers for Azure Active Directory, Exchange Online, SharePoint Online and Skype for Business Online, some advanced tasks can only be performed using PowerShell. Moreover, the syntax of PowerShell commands changes very infrequently, making PowerShell well suited for long-term administrative use.
Connecting to Office 365
The first step in any of these tasks is to open a PowerShell session to Office 365 from your local machine. I’ve created a script to simplify this process; just copy it into a text file and save the file with the extension .PS1. When you’re ready to connect, go to the PowerShell console window and run the script by typing .\scriptname.ps1 (that’s period, backslash, name of file), and enter your Office 365 administrative credentials when prompted.
$URL = "https://ps.outlook.com/powershell"
$Credentials = Get-Credential -Message "Enter your Exchange Online or Office 365 administrator credentials"
$CloudSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $URL -Credential $Credentials -Authentication Basic -AllowRedirection -Name "Office 365/Exchange Online"
Import-PSSession $CloudSession -Prefix "365"
The -Prefix parameter in the last cmdlet of this script is important in hybrid deployments; if you want to run this script in a purely cloud environment, you can remove this parameter. The reason it’s needed in a hybrid environment is that sometimes namespaces for cmdlets collide. For instance, if you were to run the New-Mailbox command when you had both on-premises Exchange Server and Office 365 Exchange Server running, PowerShell would not know whether to create the new user mailbox or shared mailbox locally or in the cloud. To fix this, this script loads the Office 365 namespace of cmdlets with the prefix “365”. Therefore, you should name all Exchange cmdlets that should run in the cloud with the prefix “365”, such as “New-365Mailbox” or “Get-365DistributionGroup”, and leave all Exchange cmdlets that should run on your local deployment as they are by default. This makes it very easy to tell them apart.
Create Office 365 Accounts
Once you have connected to Office 365, you can create accounts either one at a time or in batches.
To provision a single new Office 365 user, use the following script:
New-MsolUser -DisplayName "Employee Name Here" -FirstName FirstName -LastName LastName -UserPrincipalName alias@yourtenant.onmicrosoft.com -UsageLocation US
If your users are outside the United States, replace “US” with the appropriate two-letter ISO country code. This is a required field; you can’t assign licenses (as explained in the next section) until Office 365 knows which country your users will access their services from.
To provision multiple new Office 365 user accounts at the same time, create a CSV file with the following structure:
UserPrincipalName,FirstName,LastName,DisplayName,UsageLocation
For example, here are three entries:
newuser1@yourtenant.onmicrosoft.com,John,Smith,John Smith,US
newuser2@yourtenant.onmicrosoft.com,Greg,Jones,Greg Jones,US
newuser3@yourtenant.onmicrosoft.com,Jacob,Rogers,Jacob Rogers,GB
Then use PowerShell to import the CSV file and pipe the contents to the New-MsolUser command, like this:
Import-Csv -Path "C:\newusers.csv" | foreach {New-MsolUser -DisplayName $_.DisplayName -FirstName $_.FirstName -LastName $_.LastName -UserPrincipalName $_.UserPrincipalName -UsageLocation $_.UsageLocation} | Export-Csv -Path "C:\newuserresults.csv"
The script will create the user accounts and also write a new CSV file that lists the new users along with the passwords that were automatically generated for them, which you can then share with your users.
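The results file produced by the bulk import holds the generated passwords in clear text, and a single malformed row can leave a batch half-created. The following is an added example, not part of the original script: it validates the CSV layout shown above before creating anything, forces a password change at first sign-in, and restricts the results file to the account running it. It assumes the MSOnline module is loaded and Connect-MsolService has already been run; the results path is an assumed location.

```powershell
# Added example: assumes the MSOnline module is loaded and Connect-MsolService
# has already been run in this session.
$InputPath  = 'C:\newusers.csv'
$ResultPath = Join-Path $env:USERPROFILE 'newuserresults.csv'   # assumed location
$Required   = 'UserPrincipalName','FirstName','LastName','DisplayName','UsageLocation'

$Rows = @(Import-Csv -Path $InputPath)

# Validate every row before creating anything, so a malformed file fails as a whole.
$Bad = @($Rows | Where-Object {
    $row = $_
    ($Required | Where-Object { [string]::IsNullOrWhiteSpace($row.$_) }) -or
    ($row.UsageLocation -notmatch '^[A-Za-z]{2}$') -or
    ($row.UserPrincipalName -notmatch '^[^@\s]+@[^@\s]+$')
})
if ($Bad.Count -gt 0) {
    throw "Fix these rows first: $($Bad.UserPrincipalName -join ', ')"
}

$Results = foreach ($row in $Rows) {
    $params = @{
        UserPrincipalName   = $row.UserPrincipalName
        DisplayName         = $row.DisplayName
        FirstName           = $row.FirstName
        LastName            = $row.LastName
        UsageLocation       = $row.UsageLocation.ToUpper()
        ForceChangePassword = $true   # temporary password must be replaced at first sign-in
        ErrorAction         = 'Stop'
    }
    try {
        $user = New-MsolUser @params
        [pscustomobject]@{ UserPrincipalName = $user.UserPrincipalName; Password = $user.Password; Status = 'Created' }
    } catch {
        [pscustomobject]@{ UserPrincipalName = $row.UserPrincipalName; Password = ''; Status = "Failed: $($_.Exception.Message)" }
    }
}

# The results file holds temporary passwords in clear text: create it empty,
# strip inherited permissions, grant only the current account, then write to it.
New-Item -Path $ResultPath -ItemType File -Force | Out-Null
icacls $ResultPath /inheritance:r /grant:r "$($env:USERDOMAIN)\$($env:USERNAME):(M)" | Out-Null
$Results | Export-Csv -Path $ResultPath -NoTypeInformation
```

Delete the results file once the temporary passwords have been handed over.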
Assigning Licenses
It’s not enough to create accounts in Office 365; to be able to do anything, users need licenses to be assigned to their accounts. Different types of licenses “light up” different features of the service. You have 30 days after creating an account to assign a license to it. You can generally mix and match licenses within a family, so some of your users could have E3 plans, for example, while others have E1 and still others have E5.
Use the Get-MsolAccountSku cmdlet to view the licensing plans and available licenses in your organization, and use Get-MsolUser to see the licensing status of all users in your tenant.
To assign licenses, use the Set-MsolUserLicense cmdlet. For example, to assign the Office 365 Enterprise E3 plan (which shows up in PowerShell as “ENTERPRISEPACK”) to a user, use this command:
Set-MsolUserLicense -UserPrincipalName "newuser1@yourtenant.onmicrosoft.com" -AddLicenses "yourorgname:ENTERPRISEPACK"
To assign E3 licenses to all users who currently do not have a license assigned to them, use the following two commands:
$UsersWithoutALicense = Get-MsolUser -All -UnlicensedUsersOnly
$UsersWithoutALicense | foreach {Set-MsolUserLicense -UserPrincipalName $_.UserPrincipalName -AddLicenses "yourorgname:ENTERPRISEPACK"}
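Assigning a plan to every unlicensed account also licenses accounts that are blocked from signing in, and it fails partway through if the pool runs out. The following is an added example, not part of the original post: it checks the free license count with Get-MsolAccountSku first and licenses only accounts that are not blocked and have a usage location. It assumes Connect-MsolService has been run and uses the article's placeholder plan name.

```powershell
# Added example: assumes Connect-MsolService has been run; the plan name is the
# placeholder used in the article.
$SkuId = 'yourorgname:ENTERPRISEPACK'

$Sku = Get-MsolAccountSku | Where-Object { $_.AccountSkuId -eq $SkuId }
if (-not $Sku) { throw "License plan $SkuId not found in this tenant." }
$Free = $Sku.ActiveUnits - $Sku.ConsumedUnits

$Unlicensed = @(Get-MsolUser -All -UnlicensedUsersOnly)

# License only accounts that can sign in and have a usage location set;
# blocked accounts and accounts without a location are reported, not licensed.
$Eligible = @($Unlicensed | Where-Object { (-not $_.BlockCredential) -and $_.UsageLocation })
$Skipped  = @($Unlicensed | Where-Object { $_.BlockCredential -or (-not $_.UsageLocation) })

# Stop before changing anything if the pool cannot cover every eligible account.
if ($Eligible.Count -gt $Free) {
    throw "$($Eligible.Count) users need a license but only $Free are free."
}

$Report = @(
    foreach ($user in $Eligible) {
        try {
            Set-MsolUserLicense -UserPrincipalName $user.UserPrincipalName -AddLicenses $SkuId -ErrorAction Stop
            [pscustomobject]@{ UserPrincipalName = $user.UserPrincipalName; Result = 'Licensed' }
        } catch {
            [pscustomobject]@{ UserPrincipalName = $user.UserPrincipalName; Result = "Failed: $($_.Exception.Message)" }
        }
    }
    foreach ($user in $Skipped) {
        [pscustomobject]@{ UserPrincipalName = $user.UserPrincipalName; Result = 'Skipped (blocked or no UsageLocation)' }
    }
)
$Report | Format-Table -AutoSize
```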
Where to Buy Licenses
You can acquire licenses for your organization in a few ways:
- Directly from Microsoft in the Office 365 web portal. For most organizations, this is the most direct way to purchase services: You simply add a quantity of licenses to your cart and buy them with a credit card, and they’re generally immediately available for use.
- Through a volume licensing agreement. This method can enable you to take advantage of organizational discounts; however, it will take some time before you receive a code for your licenses. Then you can redeem the code on the web portal (at this time, there is no way to use PowerShell to redeem licenses).
- From a reseller. Sometimes it can be more cost-effective to purchase Office 365 through a reseller, who might offer additional services like online backup or enhanced spam filtering bundled with the core Office 365 services. In this case, redemption of licenses varies, but the reseller will walk you through the process.
Blocking Users
If a user is on leave or otherwise temporarily away, you can disable their Office 365 account (in O365 terms, you “block” user accounts) so that no one can use it to sign in. This is a good security precaution if you don’t want to delete a user account but the associated user won’t need it for an extended period of time. One PowerShell command will take care of it:
Set-MsolUser -UserPrincipalName newuser2@yourtenant.onmicrosoft.com -BlockCredential $true
Obviously, to disable the block, use this command:
Set-MsolUser -UserPrincipalName newuser2@yourtenant.onmicrosoft.com -BlockCredential $false
Delete Office 365 User Accounts
When a user leaves your company or no longer needs to use Office 365, you’ll want to delete their user account. PowerShell makes this easy, too:
Remove-MsolUser -UserPrincipalName newuser2@yourtenant.onmicrosoft.com
In addition to removing the user account, this command automatically removes the Office 365 license assignment and puts the deleted license instance back in your general pool where it is available to be reassigned to another account in the future.
See the Exchange Online chapter for a tip about how to preserve access to a departed employee’s mailbox even after you delete their Office 365 account.