As our business continues to focus on providing white-labeled Tier 3 IT support services, RMM as a service, and co-managed IT services, this post highlights tips for using PowerShell to create Office 365 users and add them to groups. Several of our clients have high employee turnover, which means we create Office 365 users often. We will detail how to find all the data needed to build the proper script for each client (yes, it takes a different script for each client, because each client has different group names).
Research
You need two pieces of information: the license SKU the organization assigns to new users, and the identities of the groups or shared mailboxes the new user needs access to.
To find the license SKUs in use, run these commands (they need the MSOnline module; note that Microsoft has deprecated both the MSOnline and AzureAD modules in favor of Microsoft Graph PowerShell, so confirm they still connect in your tenant before relying on them):
Connect-MsolService
Get-MsolAccountSku
The AccountSkuId column (for example companytenantID:SPB) is the value the script below needs. Compare ActiveUnits with ConsumedUnits to confirm a license is actually free before you provision a user.
To list all the Microsoft 365 groups in the organization, run these commands:
Connect-ExchangeOnline
Get-UnifiedGroup | Format-Table Alias
Note that the script below does not add the user to Microsoft 365 groups at all: it grants FullAccess to shared mailboxes with Add-MailboxPermission, so the identities you actually need are the shared mailbox addresses, not group aliases.
Variables
$displayName = Full user name, usually first name and last name
$userPrincipleName = UserPrincipalName (sign-in name) of the new user, normally their primary email address
$adminuser = UserPrincipalName of the admin account for the Office 365 tenant
$adminpass = Password of that admin account
$licenseType = Office 365 license SKU (AccountSkuId) found in the research above
You also need one variable for each group or shared mailbox the user will be added to (found in the research above). For this example I will be using:
$CompanyShared = Company Shared Contacts
$CompanyTimeOff = Company Time Off Calendar
$BillingPayroll = Billing & Payroll Group Email
Script Snippet
###Loads the System.Web assembly so [System.Web.Security.Membership]::GeneratePassword is available below (Windows PowerShell 5.1 only; System.Web is not part of .NET Core, so this fails on PowerShell 7)
Add-Type -AssemblyName System.Web
$displayName = "UserFirst UserLast"
$userPrincipleName = "User@Company.com"
$adminuser = "admin@Company.com"
###A plaintext admin password in a script is a standing credential leak (it ends up in source control, RMM script libraries and backups); Get-Credential or a secrets vault is the safer source
$adminpass = '@dm1nP4ssw0rd'
$CompanyShared = "yes"
$CompanyTimeOff = "yes"
$BillingPayroll = "no"
###converts admin credentials to useable format for connections to Office 365
$adminpassword = ConvertTo-SecureString -string $adminpass -AsPlainText -Force
$admincred = new-object -typename System.Management.Automation.PSCredential -argumentlist $adminuser, $adminpassword
Connect-AzureAD -Credential $admincred
Connect-MsolService -Credential $admincred
$mailNickname = $userPrincipleName.Split("@")[0]
###To find User License Types use Get-MsolAccountSku
$licenseType = "companytenantID:SPB"
###Generates a random password length (Get-Random -Maximum is exclusive, so +1 keeps the upper bound reachable)
$minPassLength = 8 ## characters (the Azure AD minimum; 14 or more is a better floor for an initial password)
$maxPassLength = 15 ## characters
$passlength = Get-Random -Minimum $minPassLength -Maximum ($maxPassLength + 1)
###Generates a random number of non-alphanumeric characters in the password
$minNonAlphaChars = 1 ## characters
$maxNonAlphaChars = 5 ## characters
$nonAlphaChars = Get-Random -Minimum $minNonAlphaChars -Maximum ($maxNonAlphaChars + 1)
###Creates the password, makes it usable by Azure AD, sets it up to not require a password change, and creates the account
###GeneratePassword only guarantees the count of non-alphanumeric characters, not that upper case, lower case and digits all appear, so a generated value can occasionally fail the complexity check
$password = [System.Web.Security.Membership]::GeneratePassword($passlength, $nonAlphaChars)
$PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
$PasswordProfile.Password = "$password"
$PasswordProfile.ForceChangePasswordNextLogin = $false
###Echoes the initial password to the console, where it also lands in transcripts and RMM job logs; hand it to the user through a secure channel instead
Write-Host "Password is set to $password for $displayName"
$user = New-AzureADUSer -DisplayName $displayName -PasswordProfile $PasswordProfile -UserPrincipalName $userPrincipleName -mailNickname $mailNickname -AccountEnabled $true
###Waits 5 minutes for the new object to replicate so MSOnline and Exchange Online can see it; a polling loop on Get-MsolUser is faster and more reliable than a fixed delay
Start-Sleep -Seconds 300
###Sets additional account parameters: usage location (required before a license can be assigned), the license, and password-never-expires
Get-MsolUser -UserPrincipalName $userPrincipleName | Set-MsolUser -UsageLocation US
Get-MsolUser -UserPrincipalName $userPrincipleName | Set-MsolUserLicense -AddLicenses $licenseType
###PasswordNeverExpires exempts this account from the tenant expiry policy; combined with ForceChangePasswordNextLogin = $false above, the password printed by this script stays valid until the user decides to change it
Get-MsolUser -UserPrincipalName $userPrincipleName | Set-MsolUser -PasswordNeverExpires $True
###Grants the new user FullAccess to the selected shared mailboxes (these are shared mailboxes, not groups); Add-MailboxPermission needs an Exchange Online session, which the script has not opened yet
Connect-ExchangeOnline -Credential $admincred
if ($CompanyShared -eq "yes")
{ Add-MailboxPermission -Identity companyshared@premieror.com -User $userPrincipleName -AccessRights FullAccess -InheritanceType All }
if ($CompanyTimeOff -eq "yes")
{ Add-MailboxPermission -Identity companytimeoff@premieror.com -User $userPrincipleName -AccessRights FullAccess -InheritanceType All }
if ($BillingPayroll -eq "yes")
{ Add-MailboxPermission -Identity billing_payroll@premieror.com -User $userPrincipleName -AccessRights FullAccess -InheritanceType All }
This script requires that the admin account used to set up the user have multifactor authentication turned off (I know, not secure), so use a really long, complex password. Both Connect-ExchangeOnline and Connect-AzureAD support certificate-based app-only authentication (-CertificateThumbprint with -AppId/-Organization and -ApplicationId/-TenantId respectively), which avoids keeping an MFA-exempt password around at all; Connect-MsolService does not, which is one more reason to move off MSOnline. The script creates a random password for the new user and writes it to the output. The script takes several minutes to run because it waits for the account to finish setup before adding the additional parameters and granting the mailbox permissions.
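The following is an added example, not code from the original post, showing one way to harden the script above while keeping the same MSOnline, AzureAD and ExchangeOnlineManagement cmdlets: the admin password is prompted for instead of embedded, the initial user password comes from a cryptographic RNG with every complexity class guaranteed (and works on PowerShell 7, where System.Web is unavailable), the fixed 300-second sleep is replaced by polling, license availability is checked before assignment, the user is forced to change the password at first login, and the password is returned as a PSCredential for a secure handoff rather than echoed to the console. The SKU, addresses and shared mailbox names are placeholders; the admin account still needs to be able to sign in with -Credential (that is, MFA-exempt) because that is how the modules on this page authenticate.

```powershell
# Added example (not from the original post): hardened rewrite of the provisioning flow.
# Tenant-specific values below are assumptions for illustration only.
#Requires -Modules MSOnline, AzureAD, ExchangeOnlineManagement

function New-StrongPassword {
    # Builds a password from a cryptographic RNG and guarantees at least one character from
    # each class, so it always satisfies Azure AD complexity (3 of 4 classes) on the first try.
    param([int]$Length = 16)
    if ($Length -lt 12) { throw "Refusing to generate a password shorter than 12 characters." }
    # Ambiguous characters (0/O, 1/l/I) are left out so the value survives being read aloud.
    $classes = @('abcdefghijkmnopqrstuvwxyz', 'ABCDEFGHJKLMNPQRSTUVWXYZ', '23456789', '!@#$%^&*-_=+?')
    $all = -join $classes
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 4
    function Get-RandomIndex([int]$Max) {
        # Modulo bias is negligible here: 2^32 draws against a set of well under 100 symbols.
        $rng.GetBytes($buf)
        [int]([BitConverter]::ToUInt32($buf, 0) % $Max)
    }
    $chars = New-Object System.Collections.Generic.List[char]
    foreach ($set in $classes) { $chars.Add($set[(Get-RandomIndex $set.Length)]) }
    while ($chars.Count -lt $Length) { $chars.Add($all[(Get-RandomIndex $all.Length)]) }
    # Fisher-Yates shuffle so the guaranteed characters do not always lead the password.
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = Get-RandomIndex ($i + 1)
        $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
    }
    $rng.Dispose()
    -join $chars
}

function Wait-Until {
    # Polls $Condition until it returns something truthy or the timeout elapses.
    param([scriptblock]$Condition, [int]$TimeoutSeconds = 300, [int]$IntervalSeconds = 10)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $result = & $Condition
        if ($result) { return $result }
        Start-Sleep -Seconds $IntervalSeconds
    } while ((Get-Date) -lt $deadline)
    throw "Timed out after $TimeoutSeconds seconds waiting for: $Condition"
}

function Assert-LicenseAvailable {
    # Fails early if the SKU has no free units, instead of creating an unlicensed user.
    param([string]$AccountSkuId)
    $sku = Get-MsolAccountSku | Where-Object AccountSkuId -eq $AccountSkuId
    if (-not $sku) { throw "SKU $AccountSkuId not found in this tenant" }
    $free = $sku.ActiveUnits - $sku.ConsumedUnits
    if ($free -le 0) { throw "No free units on $AccountSkuId (active $($sku.ActiveUnits), consumed $($sku.ConsumedUnits))" }
    $free
}

# --- Inputs (assumed values) ---
$displayName       = 'UserFirst UserLast'
$userPrincipalName = 'user@company.com'
$licenseType       = 'companytenantID:SPB'                                        # from Get-MsolAccountSku
$sharedMailboxes   = @('companyshared@company.com', 'companytimeoff@company.com')  # shared mailbox addresses, not group aliases

# Prompt for the admin credential instead of embedding a password in the script.
$admincred = Get-Credential -Message 'Office 365 admin account'
Connect-AzureAD -Credential $admincred | Out-Null
Connect-MsolService -Credential $admincred
Connect-ExchangeOnline -Credential $admincred -ShowBanner:$false

Assert-LicenseAvailable -AccountSkuId $licenseType | Out-Null

$initialPassword = New-StrongPassword -Length 16
$passwordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
$passwordProfile.Password = $initialPassword
$passwordProfile.ForceChangePasswordNextLogin = $true   # the initial password is a bootstrap secret, not the user's real one

$mailNickname = $userPrincipalName.Split('@')[0]
New-AzureADUser -DisplayName $displayName -UserPrincipalName $userPrincipalName -MailNickName $mailNickname `
    -PasswordProfile $passwordProfile -AccountEnabled $true | Out-Null

# Poll for replication instead of sleeping a fixed 5 minutes; usage location must precede licensing.
Wait-Until -Condition { Get-MsolUser -UserPrincipalName $userPrincipalName -ErrorAction SilentlyContinue } | Out-Null
Set-MsolUser -UserPrincipalName $userPrincipalName -UsageLocation US
Set-MsolUserLicense -UserPrincipalName $userPrincipalName -AddLicenses $licenseType

# The mailbox is provisioned asynchronously after licensing; wait for it before granting access.
Wait-Until -Condition { Get-Mailbox -Identity $userPrincipalName -ErrorAction SilentlyContinue } | Out-Null
foreach ($mbx in $sharedMailboxes) {
    Add-MailboxPermission -Identity $mbx -User $userPrincipalName -AccessRights FullAccess -InheritanceType All | Out-Null
}
Disconnect-ExchangeOnline -Confirm:$false

# Return the bootstrap credential as an object for a secure handoff (password manager, ticket
# attachment with restricted access) instead of printing it into the console transcript.
[pscredential]::new($userPrincipalName, (ConvertTo-SecureString $initialPassword -AsPlainText -Force))
```

Tenant password expiry is deliberately left at policy here rather than set to never expire; with ForceChangePasswordNextLogin the value this script produces is only ever used once, so its exposure window is the time between provisioning and the user's first sign-in.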
If your company is an MSP or wants to become one and automation just seems out of reach, contact us to run your RMM for you.