Managing Microsoft 365 through PowerShell
What's PowerShell?
The best way to explain PowerShell is directly from Microsoft:
PowerShell is a cross-platform task automation solution made up of a command-line shell, a scripting language, and a configuration management framework. PowerShell runs on Windows, Linux, and macOS.
To put it another way, PowerShell is a command line and a scripting language combined. It's a powerful tool that can be used to automate actions on your computer as well as actions in Microsoft 365. But it doesn't manage Microsoft 365 out of the box: you first have to extend it, which is done by installing modules.
Why PowerShell?
From PowerShell, you can make changes in bulk. For example, you can connect to Microsoft 365 using PowerShell, get a list of unlicensed users and license them all. All from a single script. You can also export data. Need a list of all the users or all the mailboxes? It's no problem with PowerShell. Get the data and export it to CSV. Or maybe you need to give a lot of users access to a SharePoint site. That's no problem with PowerShell.
How do you access PowerShell?
PowerShell is automatically installed on all the latest versions of Windows. To access PowerShell on your computer, click in the search box, then type PowerShell. Finally, click PowerShell in the Start menu.
How to connect to Microsoft 365 using PowerShell
One time setup
The following instructions need to be performed once per user on the machine.
1. If you're not running Windows 10, install Microsoft Online Services Sign-in Assistant.
2. Run Windows PowerShell as an administrator by searching for PowerShell in the start menu. Right-click Windows PowerShell then click Run as administrator.
3. When prompted click Yes.
4. Run the following command: Set-PSRepository -Name "PSGallery" -InstallationPolicy Trusted
5. If prompted with the following click Y then press Enter.
NuGet provider is required to continue
PowerShellGet requires NuGet provider version '2.8.5.201' or newer to interact with NuGet-based repositories. The NuGet provider must be available in 'C:\Program Files\PackageManagement\ProviderAssemblies' or 'C:\Users\BasicUser\AppData\Local\PackageManagement\ProviderAssemblies'. You can also install the NuGet provider by running 'Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force'. Do you want PowerShellGet to install and import the NuGet provider now?
6. Run the following command: Install-Module MSOnline
7. Run the following command: Install-Module -Name AzureAD
8. Run the following command: Install-Module -Name ExchangeOnlineManagement
9. Run the following command: Install-Module -Name Microsoft.Online.SharePoint.PowerShell
10. Run the following command: Install-Module -Name MicrosoftTeams -Force -AllowClobber
11. Run the following command: Set-ExecutionPolicy RemoteSigned
12. When prompted with the following type Y then press Enter.
Execution Policy Change
The execution policy helps protect you from scripts that you do not trust. Changing the execution policy might expose you to the security risks described in the about_Execution_Policies help topic at https:/go.microsoft.com/fwlink/?LinkID=135170. Do you want to change the execution policy?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "N"):
That's it. Your computer is set up to connect to Microsoft 365 using PowerShell. Now we need to connect to Microsoft 365 using PowerShell.
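The setup above marks PSGallery as trusted and relaxes the execution policy, so it is worth reviewing the result. The following is an added example, not part of the original article: it reports the repository trust setting, the execution policy at each scope, and whether each installed module's manifest carries a valid Authenticode signature. The module list is taken from steps 6 to 10, and the script assumes the manifest is named after the module.

```powershell
# Added example: review what the one-time setup changed on this machine.
$modules = 'MSOnline', 'AzureAD', 'ExchangeOnlineManagement',
           'Microsoft.Online.SharePoint.PowerShell', 'MicrosoftTeams'

# 'Trusted' means Install-Module no longer asks before installing from PSGallery.
Get-PSRepository | Select-Object Name, InstallationPolicy, SourceLocation

# Execution policy per scope, listed in precedence order.
Get-ExecutionPolicy -List

$report = foreach ($name in $modules) {
    $installed = Get-InstalledModule -Name $name -ErrorAction SilentlyContinue
    if (-not $installed) {
        [pscustomobject]@{ Module = $name; Version = $null; Repository = $null
                           Signature = 'NotInstalled'; Signer = $null }
        continue
    }

    # Assumption: the module manifest is <ModuleName>.psd1 in the install folder.
    $manifest = Get-ChildItem -Path $installed.InstalledLocation -Filter "$name.psd1" |
        Select-Object -First 1
    $sig = if ($manifest) { Get-AuthenticodeSignature -FilePath $manifest.FullName }

    [pscustomobject]@{
        Module     = $name
        Version    = $installed.Version
        Repository = $installed.Repository
        Signature  = if ($sig) { $sig.Status } else { 'ManifestNotFound' }
        Signer     = $sig.SignerCertificate.Subject
    }
}

$report | Format-Table -AutoSize

# Anything listed here deserves a closer look before it is imported.
$report | Where-Object { "$($_.Signature)" -ne 'Valid' }
```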
Connect to Microsoft 365 using PowerShell
You may have noticed that we installed modules for MSOnline, Azure AD, Exchange Online, SharePoint, and Microsoft Teams. Just like the Microsoft 365 admin centers, PowerShell is separated into different modules. Depending on the task you want to perform you'll need to connect using the correct module/command. The first connection we'll make is to Office 365. The MSOnline module is used to manage users, groups, licenses, and the tenant as a whole. It's directly related to the Microsoft 365 admin center from the last lesson.
The following commands will need to be run every time you want to connect to Microsoft 365 using PowerShell.
1. Run the following command: Connect-MsolService
2. When prompted enter your username then click Next.
3. Then enter your password and click Sign in.
4. If prompted for MFA, enter your MFA information then finish the connection.
How to learn more
That's all it takes to connect to Microsoft 365 using PowerShell, but the question is what now? How do you get a list of the users? Or the groups? Well, you can view all of the commands available to you via the command Get-Command -Module MSOnline. You can get help on each of the commands by running Get-Help <the-command>.
For example, there's a command available called Get-MsolUser. To see the help for it you can run Get-Help Get-MsolUser.
To see an example of running the commands you can run Get-Help <the-command> -Examples.
If you need further help simply Google it.
Connect to Exchange Online using PowerShell
So now you've connected to Office 365, but you can't manage email from the Microsoft 365 PowerShell. To manage the email you need to connect to Exchange Online.
1. From PowerShell run the following command: Connect-ExchangeOnline
2. Enter your username and password like you did when connecting to Microsoft 365.
That's it. You're now connected to Exchange Online using PowerShell. Just like Microsoft 365, you can run Get-Command -Module ExchangeOnlineManagement to get the primary commands but there are a lot more not listed. You can view all the commands by going to Exchange Online Commands.
Running a command
So here's an example command: Set-Mailbox. You can use the Set-Mailbox command to edit the settings of existing mailboxes. Hypothetically, let's say someone deleted emails in User1's mailbox, and you check the audit logs but they are empty. What do you do? You enable auditing for User1's mailbox. How? You run Set-Mailbox -Identity "User1" -AuditEnabled $true. Simply replace User1 with the user you want to enable auditing for and you're good to go.
Here's another example: let's say yesterday you created retention labels so users can flag emails with a label to retain them permanently, but a user needs to use the new label today. What do you do? Run Get-Mailbox -ResultSize unlimited -RecipientTypeDetails UserMailbox | %{ Start-ManagedFolderAssistant $_.UserPrincipalName }.
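Rather than finding out after an incident that a mailbox was not audited, you can review the audit settings for every mailbox up front. This is an added example, not from the original article: it generalizes the single-user Set-Mailbox command above to all user mailboxes, and it assumes you are already connected with Connect-ExchangeOnline. The -WhatIf switch makes the change a dry run.

```powershell
# Added example: audit-readiness review for all user mailboxes.
# Requires an existing Connect-ExchangeOnline session.

# Organization-wide switch. AuditDisabled = False means mailbox auditing
# is turned on by default for the organization.
Get-OrganizationConfig | Select-Object Name, AuditDisabled

# Per-mailbox view of the property that Set-Mailbox -AuditEnabled changes.
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox
$mailboxes |
    Select-Object UserPrincipalName, AuditEnabled, AuditLogAgeLimit |
    Sort-Object AuditEnabled, UserPrincipalName |
    Format-Table -AutoSize

# Mailboxes where the per-mailbox flag is off.
$notAudited = $mailboxes | Where-Object { -not $_.AuditEnabled }
"{0} of {1} user mailboxes have AuditEnabled set to False" -f `
    @($notAudited).Count, @($mailboxes).Count

# Dry run: shows what would change. Remove -WhatIf to apply.
foreach ($mbx in $notAudited) {
    Set-Mailbox -Identity $mbx.UserPrincipalName -AuditEnabled $true -WhatIf
}

# Accounts whose mailbox actions are excluded from audit logging.
# Every entry here should have a documented reason.
Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
    Where-Object { $_.AuditBypassEnabled } |
    Select-Object Name, AuditBypassEnabled
```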
Connect to Azure AD using PowerShell
Excellent, now we are connecting to Microsoft 365 and Exchange Online. But what about Azure AD? It's just as easy.
1. From PowerShell run the following command: Connect-AzureAD
2. Enter your username and password like you did when connecting to Microsoft 365.
That's it. You're now connected to Azure AD using PowerShell. You can run Get-Command -Module AzureAD to get the commands for Azure AD.
Connect to Security & Compliance center using PowerShell
1. From PowerShell run the following command: Connect-IPPSSession
2. Enter your username and password like you did when connecting to Microsoft 365.
That's it. You're now connected to Security & Compliance using PowerShell. You can view the commands by going to Security & Compliance Center PowerShell commands.
Here's a more complex example of using PowerShell. From the Security & Compliance admin center, you can download an XML of the rules, update the XML, then upload the XML to modify the rules.
1. Run Connect-IPPSSession to connect to Security & Compliance PowerShell.
2. Export the XML file of the current rules using the following:
$ruleCollections = Get-DlpSensitiveInformationTypeRulePackage
Set-Content -path C:\custompath\exportedRules.xml -Encoding Byte -Value $ruleCollections.SerializedClassificationRuleCollection
3. Modify the exported XML.
4. Upload your new rules
New-DlpSensitiveInformationTypeRulePackage -FileData (Get-Content -Path "C:\custompath\exportedRules.xml" -Encoding Byte)
To confirm, type Y, and then press Enter.
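A hand-edited rule file is easy to break, so a check between steps 3 and 4 is useful. This is an added example, not from the original article: it keeps an untouched copy of the export, confirms the edited file is still well-formed XML, and lists the Entity elements it contains. The backup file name is hypothetical, and the Entity element with its id and recommendedConfidence attributes is assumed from the standard rule package layout.

```powershell
# Added example: sanity-check the edited rule package before uploading it.
$exported = 'C:\custompath\exportedRules.xml'            # path used in step 2
$backup   = 'C:\custompath\exportedRules.original.xml'   # hypothetical backup name

# Run this once right after step 2, before editing, so the backup is pristine.
if (-not (Test-Path -Path $backup)) {
    Copy-Item -Path $exported -Destination $backup
}

# 1. The file must still parse as XML. Load() honours the file's own encoding.
$doc = New-Object System.Xml.XmlDocument
try {
    $doc.Load($exported)
}
catch {
    throw "exportedRules.xml is not well-formed XML: $($_.Exception.Message)"
}

# 2. Confirm the file actually differs from the original export.
$newHash = (Get-FileHash -Path $exported -Algorithm SHA256).Hash
$oldHash = (Get-FileHash -Path $backup   -Algorithm SHA256).Hash
if ($newHash -eq $oldHash) {
    Write-Warning 'The file is identical to the original export; nothing was modified.'
}

# 3. List the sensitive information type entities (assumed element name: Entity).
#    local-name() avoids depending on the XML namespace prefix.
$entities = foreach ($node in $doc.SelectNodes("//*[local-name()='Entity']")) {
    [pscustomobject]@{
        Id                    = $node.GetAttribute('id')
        RecommendedConfidence = $node.GetAttribute('recommendedConfidence')
    }
}
$entities | Format-Table -AutoSize

# 4. Duplicate ids usually mean a copy-and-paste edit that was not finished.
$entities | Group-Object Id | Where-Object { $_.Count -gt 1 } |
    Select-Object Name, Count
```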
Connect to SharePoint Online using PowerShell
Connecting to SharePoint Online using PowerShell takes a couple of extra steps. It isn't difficult, you just need to grab another piece of information.
1. Go to https://admin.microsoft.com/Adminportal/Home?source=applauncher#/alladmincenters and login to your Office 365 tenant using the global admin credentials.
2. Click SharePoint in the list.
3. Copy the SharePoint URL. Everything before the _layouts.
4. Run the following command Connect-SPOService -Url <The URL you copied> replacing the <The URL you copied> with the URL you copied in step 3.
5. Login with your admin credentials.
That's it. You're now connected to SharePoint Online using PowerShell. To view the commands, run Get-Command -Module Microsoft.Online.SharePoint.PowerShell.
Let's take another example command. Let's say you're tasked with securing your SharePoint environment. You need to stop users from downloading, printing, and syncing files from SharePoint Online using unmanaged devices. What's a managed device? A managed device is a device that is hybrid Azure AD joined or compliant in Intune. In short, a user has logged in to your SharePoint environment using their device. How do you do it? You run Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess. Let's break down the command. The Set-SPOTenant portion is the command. It's run to set properties on the SharePoint Online organization. The -ConditionalAccessPolicy AllowLimitedAccess portion sets the unmanaged-device policy to limited, web-only access, which is what blocks downloading, printing, and syncing.
Connect to Microsoft Teams using PowerShell
Excellent, now we are connecting to Microsoft 365, Exchange Online, Azure AD, SharePoint Online, and Security & Compliance center. But what about Microsoft Teams? It's just as easy.
1. From PowerShell run the following command: Connect-MicrosoftTeams
2. Enter your username and password like you did when connecting to Microsoft 365.
That's it. You're now connected to Microsoft Teams using PowerShell. You can run Get-Command -Module MicrosoftTeams to get the commands for Microsoft Teams.
To Disconnect from Microsoft 365 using PowerShell
To disconnect from Microsoft 365 PowerShell, simply close the PowerShell window. Closing the window disconnects all the PowerShell connections.
To disconnect from Exchange Online or Security and Compliance PowerShell run the following command: Disconnect-ExchangeOnline
To disconnect from Azure AD PowerShell run the following command: Disconnect-AzureAD
To disconnect from SharePoint Online PowerShell run the following command: Disconnect-SPOService
To disconnect from Microsoft Teams PowerShell run the following command: Disconnect-MicrosoftTeams