I hope you find these useful!
* Update 5/10/13 - added scripts for changing user principal names (UPNs) singly or in bulk in Active Directory.*
* Update 5/6/13 - added scripts for changing mailboxes to shared singly or in bulk.*
* Update 5/1/13 - added script for changing from one SKU to another.*
---------------------------------------------------------------------------------------------------------- |
First Time in Office 365 PowerShell per Machine Set-ExecutionPolicy RemoteSigned |
Close PowerShell Session Remove-PSSession $session |
Full
Microsoft List of Office 365 Commandlets http://onlinehelp.microsoft.com/en-us/office365-enterprises/hh125002.aspx |
Thomas
Ashworth's PowerShell Resources on Technet http://blogs.technet.com/b/thomas_ashworth/ |
Import
Contacts by CSV $csv = Import-Csv “C:\Contacts.csv” foreach($line in $csv) {New-MailContact -Name $line.DisplayName -ExternalEmailAddress $line.EmailAddress -OrganizationalUnit “users” -Alias $line.Alias} |
---------------------------------------------------------------------------------------------------------- |
Connect to Office 365 PowerShell $o365cred=get-credential |
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $o365cred -Authentication Basic -AllowRedirection |
Import-PSSession $session |
Grant Access to One Mailbox After you are connected, you must run the following command to give Alan full access to Bob’s mailbox: Add-MailboxPermission -identity Bob@domain.com -user Alan@domain.com -AccessRights FullAccess -InheritanceType All |
Grant Access to All Mailboxes If you wanted to give Alan full access to all mailboxes in your environment you would run: Get-Mailbox | Add-mailboxpermission -user Alan@domain.com -AccessRights FullAccess |
Set
Send-as Permissions for Users on Groups This grants Alan SendAs permission for Bob's mailbox: Add-RecipientPermission Bob@domain.com Set-Mailbox -Identity mailbox -GrantSendOnBehalfTo user |
For
Example: Add-RecipientPermission "grouptoaccess@domain.com" -AccessRights SendAs -Trustee "usertoaccess@domain.com" |
(Credit How to Grant Full Access to an Office 365Mailbox) |
---------------------------------------------------------------------------------------------------------- |
Assign
Licenses via CSV Import Connect-MsolService Get-MsolAccountSku |
That
will output your sku's. Once you have that you would run a script like
this: Connect-MSOLService -Credential $adminCredential $AccountSkuId = "sku:ENTERPRISEPACK" $UsageLocation = "US" $LicenseOptions = New-MsolLicenseOptions -AccountSkuId $AccountSkuId $Users = Import-Csv c:\Users.csv $Users | ForEach-Object { Set-MsolUser -UserPrincipalName $_.UserPrincipalName -UsageLocation $UsageLocation Set-MsolUserLicense -UserPrincipalName $_.UserPrincipalName -AddLicenses $AccountSkuId -LicenseOptions $LicenseOptions } |
If
you wanted to do this for everyone you would change the line: $users | Import-Csv c:\Users.csv |
to: $users | get-msoluser -resultsize unlimited |
(Credit Can I assign a license to a group of usersby PowerShell?) |
---------------------------------------------------------------------------------------------------------- |
Assign
Licenses Granularly via PowerShell Open Microsoft Online Services Module for Windows PowerShell and connect to the service: Get-MsolAccountSku | Format-Table AccountSkuId, SkuPartNumber |
The
second column in this list is referenced in the next command as
[SkuPartNumber] : $ServicePlans = Get-MsolAccountSku | Where {$_.SkuPartNumber -eq "[SkuPartNumber]"} $ServicePlans.ServiceStatus |
This returns all the service plans |
Secondly
you need to assign the licence to the user(s): Set-MsolUser -UserPrincipalName user@domain.com -UsageLocation GB Set-MsolUserLicense -UserPrincipalName user@domain.com -AddLicenses [tenantname:AccountSkuId] -LicenseOptions $MyO365Sku |
Repeat for any other licences you want to apply for other users or other licence options you want to apply to this user. |
(Credit Granular license assignment from PowerShell) |
---------------------------------------------------------------------------------------------------------- |
Change Licenses from One SKU to Another via PowerShell |
This script will identify all users with one
SKU assigned and replace that SKU with a different one. To
test, change the "$Users = " variable assignment. Be careful - removing licenses rather than replacing them correctly will de-provision user services and delete data.
$AccountSkuRemove = "STANDARDPACK" $AccountSkuId = ":ENTERPRISEPACK" $UsageLocation = "US" $LicenseOptions = New-MsolLicenseOptions -AccountSkuId $AccountSkuId $Users = Get-MsolUser -MaxResults 50000 | Where-Object {$_.licenses[0].AccountSku.SkuPartNumber -eq $AccountSkuRemove -and $_.IsLicensed -eq $True} $Users | ForEach-Object {Set-MsolUser -UserPrincipalName $_.UserPrincipalName -UsageLocation $UsageLocation Set-MsolUserLicense -UserPrincipalName $_.UserPrincipalName -RemoveLicenses $AccountSkuRemove -AddLicenses $AccountSkuId -LicenseOptions $LicenseOptions} |
---------------------------------------------------------------------------------------------------------- |
Convert Mailboxes to Shared Mailboxes - For Single Mailboxes |
1. Start by checking your mailbox to see if it is under the 5 GB shared mailbox limit: |
Get-MailboxStatisics |
2. Change the mailbox type to shared: |
Set-Mailbox -Identity |
3. Add Full Access permissions to the mailbox - gives access to the contents of the mailbox: |
Add-MailboxPermission -Identity |
4. Add Send As permissions to the mailbox - allows a user to send as if they were the mailbox itself: |
Add-RecipientPermission -Identity |
5. Remove the user license from the mailbox |
$MSOLSKU = (Get-MSOLUser -UserPrincipalName Set-MsolUserLicense -UserPrincipalName |
Convert Mailboxes to Shared Mailboxes in Bulk |
1. Ensure that all mailboxes are under the 5 GB limit. |
2. Create an input.csv file in c:\temp with the following format: |
userPrincipalName |
User1@domain.com |
User2@domain.com |
User3@domain.com |
3. Run the following script in PowerShell: |
Import-csv C:\temp\input.csv | foreach { $UPN = $_.userPrincipalName Set-Mailbox $UPN -Type “Shared” -ProhibitSendReceiveQuota 5GB -ProhibitSendQuota 4.75GB -IssueWarningQuota 4.5GB $MSOLSKU = (Get-MSOLUser -UserPrincipalName $UPN).Licenses[0].AccountSkuId Set-MsolUserLicense -UserPrincipalName $UPN -RemoveLicenses $MSOLSKU } |
(Credit Office 365 – Converting mailboxes to shared mailboxes) |
---------------------------------------------------------------------------------------------------------- |
Both of these scripts Alter the UPN Suffix for users. They will both require you to open PowerShell and run the following command first: |
import-module activedirectory |
Change the UPN Suffix for a Single User, Search by SAM Account Name |
Get-ADUser -Filter {SamAccountName -eq
" |
How to use it: replace |
Change the UPN Suffix for All Users in an OU |
Get-ADUser -SearchBase
"ou= |
How to use it: replace Test Before You Run Your Scripts! |
If you wish to test your scripts before running them (you should!) you can replace the final "$CompleteUPN}" with "$CompleteUPN -whatif}" and then run the script. If the script doesn't work you will get no return output. If it does, you'll be presented with something like this for all affected users: |
What if: Performing operation "Set" on Target
"CN= You can also test that you are affecting the correct user accounts by changing the end of the script. Replace everything from the pipe | to the end with the following: | FT -property name,userprincipalname You'll be presented a table with the affected users' full names and UPNs. |
I have an improvement on your first script I use. It connects both the PowerShell command set at the same time. It assume all preliminary configuration is complete including installing the MSOnline module but on my machine I have it run as Connect-MsolAll
ReplyDelete# THIS SCRIPT IS DESIGNED TO LOAD THE MSOLINE MODULE AND START THE EXCHAGE ONLINE
# SESSION. IF NO PARAMETERS ARE SUPPLIED IT WILL AUTOMATICALLY PROMPT FOR CREDENTIALS.
# THE SCRIPT WILL ACCEPT AN EXISTING CREDENTIALS VARIABLE.
Param($Cred = $null)
$Mod = Get-Module ; if ($Mod.Name -Notcontains "MSOnline") {Import-Module MSOnline}
$Cred = Get-Credential
Connect-MsolService -Credential $Cred
if (Get-PSSession -ComputerName *outlook.com -ErrorAction SilentlyContinue) {exit}
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ `
-Credential $Cred -Authentication Basic -AllowRedirection
Import-PSSession $Session
Write-Host "It is a best practice to exit from a session when you will nolonger be using it by entering the command remove-pssession $Session."
Thats great! Thanks for sharing with us. I'll check it out and add it to my tool box.
DeleteVery interesting stuff - do you know if you can also manage contracts, i mean as a partner could i create a contract? I see that you can get information about a contract, not sure if you can create one.
ReplyDeleteThanks
Hi Scott, i just found your blog from Office365 Grid and you are doing a great work. Keep it up man. :D
ReplyDeletespecially with posts like this
I appreciate your comments, guys. I've been pleasantly surprised by the amount of traffic this particular post has generated. Apparently, PowerShell scripts are a point of interest for Office 365 admins. :)
ReplyDeleteHi....I'm trying to import contacts by csv but I get the following: The term '.New-MailContact' is not recognized as the name of a cmdlet...
ReplyDeleteCan you explain why I might be having this problem? Thanks.
is there a way to use the $cred from a secure file ??
ReplyDeleteI'm using:
$credential.Password | ConvertFrom-SecureString | Set-Content c:\Scripts\Admin.enc
$SecurePassAdmin = c:\Scripts\Admin.enc
$PasswordAdmin = Get-Content $SecurePassAdmin | ConvertTo-SecureString
$AdminCredentials = New-Object System.Management.Automation.PsCredential ($AdminUser,$PasswordAdmin)
then build the session with $admincredentials
works from a shell session, but not when calling the script from another (vb ...) script,
Ideas ?
Hi Scott....Excellent article - I do have a quick question for the switching between different SKUs of the same family - I tried that in my environment and it keeps giving me error - Unable to bind UserPrincipalName - I do have multiple domains verified on the company's office 365 tenant - any clue why it's giving me that?!
ReplyDeleteHi, Just wanted to ask you to take a look at my own 365 Powershell script and maybe contribute any updates you feel would be valuable. Hopefully if will be usefull for youself as well. https://github.com/Demarcation/PowerShell-Office-365-Administration-Script/
ReplyDelete