Tag Archives: Office 365

Office 365 – Creating Custom SKUs

If you are working with Office 365, one of the things you may need to do is provision an account with a subset of the Office 365 plans. For example, I have an E3 plan but I don’t want Skype for business or Exchange email, just Office 365 Pro Plus. (Why you would buy E3 when there is a ProPlus SKU, I don’t know but I’ve had to do this twice this month).

Making a custom plan is pretty straightforward.

First you need to get the account SKUs.

Get-MsolAccountSKu | fl

From there you will see all your SKUs. Use this to get its components:

$ServicePlans = Get-MsolAccountSku | Where {$_.SkuPartNumber -eq "{SkuPartNumber}"}

List the components using $ServicePlans.

Finally make your custom SKU by running:

$MyO365SKU = New-MsolLicenseOptions -AccountSkuId company:EnterprisePack -DisabledPlans Exchange_S_Enterprise,FLOW_O365_P2,POWERAPPS_O365_P2,TEAMS1,PROJECTWORKMANAGEMENT,INTUNE_O365,YAMMER_ENTERPRISE,RMS_S_ENTERPRISE,MCOSTANDARD,SHAREPOINTWAC,SHAREPOINTENTERPRISE,SWAY,Deskless

Replace company:EnterprisePack with your own SKU and you are off to the races. Final command is to assign it.

Set-MsolUserLicense -UserPrincipalName $upn -AddLicenses company:EnterprisePack -LicenseOptions $MyO365SKU

A great walk through can be found at http://exitcodezero.wordpress.com/2013/03/14/how-to-assign-selective-office-365-license-options/comment-page-1/
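
An added example (not from the original post): instead of typing the disabled-plan list by hand, derive it from the SKU, so that any plan added to the SKU later is disabled as well. It assumes an existing Connect-MsolService session, the placeholder SKU company:EnterprisePack from above, and that OFFICESUBSCRIPTION is the Office 365 ProPlus plan name in your tenant; $upn holds a constructed sample user.

```powershell
# Added example; assumes Connect-MsolService has already been run.
$AccountSkuId = "company:EnterprisePack"   # placeholder from the post; use your own SKU
$KeepPlans    = @("OFFICESUBSCRIPTION")    # assumption: ProPlus plan name; confirm in the list printed below
$upn          = "student1@contoso.com"     # constructed sample user

$sku = Get-MsolAccountSku | Where-Object { $_.AccountSkuId -eq $AccountSkuId }
if (-not $sku) { throw "SKU $AccountSkuId not found in this tenant." }

# Every service plan contained in the SKU.
$allPlans = @($sku.ServiceStatus | ForEach-Object { $_.ServicePlan.ServiceName })
$allPlans | Sort-Object

# Fail closed if a plan we intend to keep is misspelled or missing.
$missing = @($KeepPlans | Where-Object { $allPlans -notcontains $_ })
if ($missing.Count -gt 0) { throw "Plan(s) not in ${AccountSkuId}: $($missing -join ', ')" }

# Disable everything that is not explicitly kept.
$disabled = @($allPlans | Where-Object { $KeepPlans -notcontains $_ })
$options  = New-MsolLicenseOptions -AccountSkuId $AccountSkuId -DisabledPlans $disabled

Set-MsolUserLicense -UserPrincipalName $upn -AddLicenses $AccountSkuId -LicenseOptions $options

# Verify which plans the user actually ended up with.
(Get-MsolUser -UserPrincipalName $upn).Licenses |
    ForEach-Object { $_.ServiceStatus } |
    Select-Object @{n='Plan';e={$_.ServicePlan.ServiceName}}, ProvisioningStatus
```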


Provisioning Users in Office 365 Who are Not Provisioned

One of the things to do when setting up Office 365 is to provision new accounts with licenses. There is a quick and easy way in Office 365 to get a list of these users and then provision them. Log in to your Office 365 account via PowerShell and run:

Get-MsolUser -DomainName "contoso.com" -UnlicensedUsersOnly -All | Select UserPrincipalName | Export-Csv -Path "c:\temp\filename.csv"

Once you have a file full of your unlicensed users, you can assign each of them an Office 365 license. Using the same filename we created above, we can run the following command, which loops over each user in the file and sets the license.

Import-Csv -Path "c:\temp\filename.csv" | %{Set-MsolUserLicense -UserPrincipalName $_.UserPrincipalName -AddLicenses "contoso:ENTERPRISEPACK"}

How did I get the license to use? Easy, just run Get-MsolAccountSku and it will list off your licenses. For a full page of information, check the TechNet blog for more of these. I am also sure there is a way you can use a variable to pass the values on without creating a file, but I do like having the file for a sanity check if something goes wrong.

http://blogs.technet.com/b/treycarlee/archive/2013/11/01/list-of-powershell-licensing-sku-s-for-office-365.aspx
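
An added example (not from the original post) of the variable-based approach mentioned above: the unlicensed users are held in memory, and the file that is kept records the outcome per user rather than the input list. It assumes an existing Connect-MsolService session; the usage location "CA" and the log path are assumptions, and the domain and SKU are the sample values from the post.

```powershell
# Added example; assumes Connect-MsolService has already been run.
$Domain        = "contoso.com"              # sample domain used in the post
$AccountSkuId  = "contoso:ENTERPRISEPACK"   # sample SKU used in the post
$UsageLocation = "CA"                       # assumption: two-letter country code for your users
$LogPath       = "c:\temp\licensed-" + (Get-Date -Format yyyy-MM-dd) + ".csv"   # assumed path

$users = @(Get-MsolUser -DomainName $Domain -UnlicensedUsersOnly -All)

$results = foreach ($u in $users) {
    $status = "Licensed"; $detail = ""
    try {
        # A usage location must be set before a license can be assigned.
        if (-not $u.UsageLocation) {
            Set-MsolUser -UserPrincipalName $u.UserPrincipalName -UsageLocation $UsageLocation -ErrorAction Stop
        }
        Set-MsolUserLicense -UserPrincipalName $u.UserPrincipalName -AddLicenses $AccountSkuId -ErrorAction Stop
    }
    catch {
        # Record the failure and carry on with the next user.
        $status = "Failed"; $detail = $_.Exception.Message
    }
    New-Object PSObject -Property @{
        UserPrincipalName = $u.UserPrincipalName
        Status            = $status
        Detail            = $detail
    }
}

if ($results) {
    # The per-user outcome is the audit trail for this run.
    $results | Select-Object UserPrincipalName, Status, Detail |
        Export-Csv -Path $LogPath -NoTypeInformation
    $results | Group-Object Status | Select-Object Name, Count
}
```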

Using PowerShell to Set Properties on a List of Groups

In a previous post on Using PowerShell to Get a List of Groups from Active Directory, I showed you how to get a list of groups and export it to a CSV file. Now that we’ve done that, I’ll show you how to use that data to feed another set of commands where you can edit the groups. If you work with Address Book Segregation or new Address Lists in Office 365, you’ll need to do this at some point so that the data populates.

Let's take the file we created in PowerShell in that last post and import it into the routine here.

Import-csv $filename | %{Set-ADGroup -Identity $_.SamAccountName -Replace @{extensionAttribute1="YourTextHere"} }

What we are doing is importing the CSV file and then, for each line in the file (the % {} handles that), running the Set-ADGroup cmdlet with the SamAccountName column as our identity and replacing extensionAttribute1 with the string "YourTextHere". You can change anything you want on the group: name, description, etc.

Note that I am using $filename for the filename value. You can also use a string, say “.\filename.csv” as that works fine as well. I often use $filename as I am usually doing this in a routine which runs daily and I am changing the filename based on date. In a future post I’ll share with you my user provisioning PowerShell script for Office 365 which licenses up the users.

Saving an Office 365 PowerShell Export with the Current Date in Filename

Working with PowerShell for my Office 365 projects, I have created a couple of scripts to provision users and to run through and assign users specific address books.

One of the things I do is dump all my new users to a CSV file. However, I want a file created each time it's run showing me which users were created.

First thing is to make a variable with the current date in the format you would like.

$CurrentDate = Get-Date -format dd.MMM.yyyy

Next I create the filename in a variable using the combination of the filename I want and the date variable.  (The code is all one line, but might not display that way here.)

$filename1 = "c:\Export\Users\Provision-Student" + $CurrentDate + ".csv"

Finally I then call the file by piping a command to export-csv.

Get-MsolUser -All -DomainName "contoso.com" | Select UserPrincipalName | Export-Csv -Path $filename1

I schedule this to run once daily and every day I have a file of all my users in the contoso.com domain.

In another post I’ll show you how to clean up these files so you aren’t overrun with them.

Generating a CSV file from Office 365

Sometimes you need to run a command against multiple users. Maybe like me, you have 40,000 to run against. Entering each user name manually sucks, and using the GUI would be unusable.

To generate a CSV file that lists all users in a particular domain in Office 365:



Get-MsolUser -DomainName "contoso.com" -All | Select UserPrincipalName |Export-Csv -path "C:\Exports\MyNewCSVFile.csv"

Which in turn generates a file with a list of the UPNs in Office365.

From there I can then run a command which sets something against each user in my Office 365 tenant.

Import-Csv -Path "C:\Exports\MyNewCSVFile.csv"  |%{Set-MsolUser -userPrincipalName $_.UserPrincipalName -"Rest of the commands you want here"}

Pretty simple and straightforward. If you want to add, say, a date to the filename, add this to the script.

$CurrentDate = Get-Date -format dd.MMM.yyyy
$filename = "C:\exports\yourfile" + $CurrentDate + ".csv"

This will allow you to create a variable $filename which will contain your file name and a date added to it.

Now for the path variable you can put $filename rather than the full c:\xxxx information. It also allows you to use it in a script that can be automated, and you will have files left behind to look at for checks.

Scripting Office 365 Tasks with PowerShell – Auto Logon

I’ve been spending most of my summer in what I like to affectionately call “Email Hell”. We moved 80,000 student mailboxes from Live@Edu to Office 365. We implemented Active Directory Synchronization and implemented a non-standard ADFS deployment to provide better service to BYOD laptops than you would get with a standard ADFS deployment. I’ll post about this in its own post. It’s a deep solution and will probably be two posts.

One of my tasks is to automate the creation of new users in Office 365. We use Forefront Identity Manager to provision new AD accounts from our student information system. Once they are in AD and are an active user, DirSync is configured to pick up these new accounts and create Office 365 accounts. Works slick, but you then have to license up the account before it can be used. This you do not want to have to do manually, especially when you add several thousand students at school start-up. You also don’t want to have to remember every day to go in and check for new students. We needed a script and it had to be hands off. Let’s look at what we need to do so the script can log on without end user intervention. I gathered this information from various blogs and TechNet articles. I’ll add links to those sites as I come across them.

Normally one would run this set of commands to start working in Office 365:

$cred = Get-Credential 
Connect-MsolService -Credential $cred
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $session

If it was the first time logging in, you would have to run:

Set-ExecutionPolicy RemoteSigned

The first thing we need to do is to store the password.

Read-Host -Prompt "Enter password to be encrypted in mypassword.txt " -AsSecureString | ConvertFrom-SecureString | Out-File C:\passwd\O365Passwd.txt

This will create an encrypted file containing the password you just entered for your Office 365 account. Give this account only the minimum rights it needs to do what you need to do; do not give it full admin rights. Next, as part of the PowerShell script, add these lines to the top:

$mypass = cat C:\passwd\O365Passwd.txt | ConvertTo-SecureString
$mycreds = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "PowershellAcct@yourdomain.onmicrosoft.com",$mypass
Import-Module MSOnline
Connect-MsolService -Credential $mycreds
$O365Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Authentication Basic -AllowRedirection -Credential $mycreds
Import-PSSession $O365Session

Below this, add whatever code you want. Typically you will want to set usage location, set licenses and timezone and language.

We also turn off ActiveSync and Mobile OWA by default so we can enforce our MDM policy.

This gets you on the road to automating your Office 365 scripts.
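
An added example (not from the original post) for the stored-password step above. ConvertFrom-SecureString without a -Key protects the data with Windows DPAPI, so the file can only be decrypted by the same user on the same machine; the sketch creates it as that user, restricts the folder ACL, and checks that it decrypts. The paths are the ones used in the post, and the choice of which accounts get access is an assumption.

```powershell
# Added example; run once, logged on as the account that will run the scheduled task.
$SecretDir  = "C:\passwd"                                  # folder used in the post
$SecretFile = Join-Path $SecretDir "O365Passwd.txt"
$Owner      = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

if (-not (Test-Path $SecretDir)) { New-Item -ItemType Directory -Path $SecretDir | Out-Null }

# Stop inheriting permissions from C:\ and grant access only to this account,
# SYSTEM and Administrators (assumed set; adjust to your environment).
$acl = Get-Acl $SecretDir
$acl.SetAccessRuleProtection($true, $false)
foreach ($id in @($Owner, "NT AUTHORITY\SYSTEM", "BUILTIN\Administrators")) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $id, "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow"
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $SecretDir -AclObject $acl

# No -Key is given, so DPAPI ties the file to this user on this machine.
Read-Host -Prompt "Password for the Office 365 service account" -AsSecureString |
    ConvertFrom-SecureString | Out-File $SecretFile

# Round-trip check: find out now, not in the unattended run, if it cannot be decrypted.
$check = Get-Content $SecretFile | ConvertTo-SecureString
if ($check.Length -eq 0) { throw "Stored password is empty." }

# Show who can read the file.
(Get-Acl $SecretFile).Access | Select-Object IdentityReference, FileSystemRights, IsInherited
```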

Publishing ADFS – Comparing ADFS Proxy vs TMG

If you have deployed Office 365 or are planning to and are looking to publish your ADFS to external users, for example, workers from a remote location like Starbucks or for mobile devices then you have a couple of choices.

You can choose to deploy an ADFS proxy. This is pretty simple and is really just a role service of ADFS.

Instructions on how to setup ADFS can be found on Kelsey Epp’s blog.

The one drawback of using ADFS Proxy is that you can’t log on to Office 365 if the Active Directory (AD) account is expired or has been marked “User Must Change Password on Next Logon”. If you have a lot of users who are using a web browser or mobile devices and they don’t come into the office much, this could be a problem.

The alternative is to use Microsoft Forefront Threat Management Gateway 2010. The drawback here is the product is being slated for retirement and it has a cost. But with it you can have users directed to a page where they can reset the password if it is expired.  The link to set up TMG for ADFS.

Following these instructions for TMG 2010 I did run into an issue where I was getting error 8004789A. The issue was I had to uncheck Link Translation. I found this on Risual Blogs.

I am hoping over the next little bit that we will see Microsoft give us something that will allow us to change passwords remotely like TMG but make it free like ADFS Proxy.


Office 365 Beta Public Release

If you have been itching to try Microsoft’s new web based mail offering, itch no more. The beta is now open to the public.

In a nutshell, it’s Exchange server, SharePoint server, Lync server and Office web apps all rolled into one. Microsoft does the hosting for you so you don’t need to worry about it. According to their site, subscriptions start at about $7.00 per month but for the time of the beta, it’s all free. I created my account, my email is todd -at- rock.onmicrosoft.com

I am going to test it out for a while, redirecting email to this one and I’ll see how it works out.