Administering Microsoft Office 365 using Windows PowerShell

Microsoft Office 365 is a software plus services offering from Microsoft, the successor to the existing offering Business Productivity Online Suite. The following services are included in the initial release of Office 365:

  • Exchange Online
  • Lync Online
  • Sharepoint Online
  • Office Professional Plus 2010

One major advantage in Office 365 compared to the previous version is the ability to offer single sign-on, also referred to as identity federation, which makes  the offering more attractive for enterprises. Another feature that makes it attractive for larger environments is the greatly enhanced support for administration using Windows PowerShell. Many of the PowerShell capabilities are built on the remoting capabilities in PowerShell version 2, while some requires installation of a PowerShell snapin or module.

Office 365 PowerShell Management Interface

The Office 365 PowerShell Management Interface offers the ability to administer service-wide features, and is not limited to a specific service like i.e. Exchange Online. The initial features that can be administered using this interface include the following:

  • Account SKUs
  • Company info
  • Contacts
  • Domains
  • Domain Federation
  • Groups
  • Partner Contracts
  • Role-based Access Control
  • Subscriptions
  • Users

This interface is available through a PowerShell Module available from here:

The Microsoft Online Services Sign-In Assistant 7.0 is a prerequisite for installing the Microsoft Online Services Module for Windows PowerShell, and is available from here:

When installed you can launch Windows PowerShell and perform the following steps:

001
002
003
004
Import-Module msonline
$cred = Get-Credential
Connect-MsolService -cred $cred
Get-Command –Module msonline

1) Import the module.

2) Create a credential-object stored in the variable $cred

3) Create a new remote PowerShell connection against the PowerShell endpoint for Office 365

4) List the cmdlets available

 

A shortcut to the module is also available on the Start-menu (you can skip step 1 if launching this shortcut):

image

Here is an overview of the available cmdlets:

image

You can find a complete reference for the cmdlets here.

Exchange Online

Exchange Online is based on Exchange Server 2010, and thus offers great capabilities for administration through PowerShell remoting. The Role-based Access Control introduced in Exchange Server 2010 also makes it possible to define custom RBAC roles to delegate administration.

To connect to the Exchange Online endpoint for PowerShell remoting we can use the following procedure:

001
002
003
$cred = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $Session

1) Create a credential-object stored in the variable $cred

2) Create a new remote PowerShell session against the PowerShell endpoint for Exchange Online

3) Import the cmdlets available in the remote session

 

Before you attempt to connect, make sure that the PowerShell execution policy isn`t set to Restricted which is the default, as this will prevent the remote session from being loaded. A recommended approach is to use RemoteSigned which can be set by running Set-ExecutionPolicy RemoteSigned.

When the above steps are completed the cmdlets for managing Exchange Online is available in a script module:

image

To list the available cmdlets we can use Get-Command –Module tmp*:

image

Due to the fact that there is 290 cmdlets available when authenticating as a Office 365 global administrator the output above is truncated. Based on what RBAC-role the user is a member of, different cmdlets will be available.

A reference to the available cmdlets for administering Exchange Online is available here.

 

Microsoft Online Services Identity Federation Management

The Microsoft Online Services Identity Federation Management tool that was available in the Office 365 beta is now deprecated. The functionality of the tool is now integrated into the Microsoft Online Services Module for Windows PowerShell, which is used to configure Active Directory Federation Services 2.0 when deploying identity federation On-Premises. Instructions on how to manage federated domains is available here.

 

Microsoft Online Services Directory Synchronization tool

The Microsoft Online Services Directory Synchronization tool is used synchronize the On-Premises Active Directory environment with an Office 365 tenant. Instructions for setting up directory synchronization and installing the directory synchronization tool is available here.

Two Windows PowerShell snapins is installed as part of the Directory Synchronization tool:

  • Coexistence-Configuration
  • Coexistence-Install

There is no shortcuts to the snapins either on the Start-menu or the desktop. They can either be launched by using Add-PSSnapin or by launching the PowerShell Console-files in C:Program FilesMicrosoft Online Directory Sync:

image

The available cmdlets:

image

By default the Directory Syncronization Tool performs a delta sync every 3 hours. To perform a sync more often, or as part of a provisioning script, the Start-OnlineCoexistenceSync cmdlet can be invoked (no parameters needed).

The cmdlets available in the Coexistence-Install snapin is primarily needed when using a remote SQL Server database. By default a local SQL Express instance is used as the database, which scales up to approximately 50 000 objects. When the number of contacts, users and groups in the On-Premises Active Directory environment exceeds this limit, it`s recommended to configure the Directory Synchronization Tool to use a full version of SQL Server.

Conclusion

With the new offerings in Office 365 the ability to automate administration using Windows PowerShell is greatly enhanced compared to the previous version. The use of PowerShell remoting makes it a dynamic feature, as Microsoft can add more cmdlets without the need for administrators to download updated administration tools.

To my knowledge there will be no cmdlets available for administering Lync Online and Sharepoint Online when Office 365 is released for general availability, however, this may be a added in the future. This blog-post will be updated when more information on administering Office 365 using Windows PowerShell becomes available.

 

Update 22.05.2010: The blog-post is now updated to reflect the availability of the Microsoft Online Services Module for Windows PowerShell.

Administering Active Directory Rights Management Services using Windows PowerShell

Starting with Windows Server 2008 R2, Active Directory Rights Management Services (AD RMS) can be installed and administered using Windows PowerShell.
The PowerShell support in AD RMS is divided into two PowerShell modules:

  • ADRMS – Deployment module
  • ADRMSAdmin – Administration module

On a Windows Server 2008 R2 server with the AD RMS server role installed we can see the modules using Get-Module –ListAvailable:

image

 

The AD RMS configuration is exposed through a PowerShell Provider, which we can see using Get-PSProvider after the RMS-modules are imported:

image

Before we can use any of the cmdlets exposed through the AD RMS modules we need to create a PSDrive using the AD RMS PowerShell Providers. In the following example we`re creating a new PSDrive for the AD RMS Administration module, where we specify the PSProvider to use as well as the URL to the AD RMS cluster:

image

When a PSDrive is set up we can navigate to the PSDrive using cd (alias for Set-Location), and access the different configuration properties. The available containers we can see are similar to what is available in the Graphical User Interface for managing AD RMS:

image

As an example we can we and edit the SuperUser configuration:

image

 

Next we can have a look at the available cmdlets in the AD RMS Administration module by using Get-Command –Module ADRMSAdmin:

image

Note that 5 new cmdlets was added to the AD RMS Administration module in Windows Server 2008 R2 SP1, due to added functionality to support Microsoft Federation Gateway.

Let`s try the Get-RmsSystemHealth cmdlet:

image

Notice that the –Path parameter is required, and needs to be pointed at the PSDrive we created earlier.

The same concepts as we`ve looked at for the AD RMS Administration module is the same for the AD RMS Deployment module:

image

We need to create a PSDrive where the AD RMS Cluster configuration are set before we can use the three cmdlets available for installing, uninstalling or updating the AD RMS deployment.

 

For further reference, the AD RMS PowerShell support are well documented on Microsoft TechNet:

Using Windows PowerShell to Deploy AD RMS

AD RMS Deployment Cmdlets

Using Windows PowerShell to Administer AD RMS

AD RMS Administration Cmdlets

Active Directory Rights Management Services on Windows Server TechCenter

Generate random passwords for Active Directory users v2

A litte while ago I posted a script to generate random passwords for each user in a specified OU in an Active Directory environment.

Now I`ve just posted another version of this script on PoshCode.

This script are intended for another scenario:
Power users with delegated permissions to reset password for specified Organizational Units. The power users get this script available as a published application in Remote Desktop Services.