Not many Office 365 administrators know that the Get-MsolUser PowerShell cmdlet plays an important role when managing Office 365 Windows Azure Active Directory, or WAAD for short. Get-MsolUser can be very handy in daily operational tasks related to Office 365 WAAD.
But before you can use the Get-MsolUser cmdlet or any of the other Office 365 PowerShell cmdlets, you'll need to install the Microsoft Online Sign-In Assistant for IT Professional and Windows Azure Active Directory Module for Windows PowerShell on a computer running Windows 7 or later.
Note: In October 2015, Microsoft developers released a new version of Azure Active Directory Module that supports Office 365 user accounts that are multi-factor enabled (MFA).
The old version of Azure Active Directory Module does not support MFA-enabled accounts. You can download the MFA version of Azure PowerShell from the Microsoft connect site at http://connect.microsoft.com/site1164/Downloads/DownloadDetails.aspx?DownloadID=59185.
In this case, we're using the Office 365 Business Premium with a free trial for 30 days. We've added a domain named ExampleIT.com and this is the domain we will be using for Office 365 services such as email, SharePoint, Lync and for allowing users to download Office applications such as Word, Excel and PowerPoint on desktops or mobile devices.
After installing the MSOnline Sign-In Assistant and Azure PowerShell Module on a computer, go to start > search > type "Windows Azure Active Directory Module," right click on the shortcut and then click "Run As Administrator" to open Azure PowerShell window in an elevated mode. Next, you'll need to use "Connect-MSolservice" to connect to Office 365 Tenant, which in turn, enables you explore WAAD users using the Get - MSOlUser cmdlet.
By default, when you run the GetMsolUser PowerShell cmdlet, you are given the User Principal Name, Display Name and whether the user is licensed or not as shown in the screenshot below:
As you can see in the output above, when running Get-MSOlUser, it lists all the users that have been created in Office 365 with their UserPrincipalName, DisplayName and the license status. The license status indicates whether a user is subscribed to an Office 365 service or not.
This is the basic output you see when you run Get-MsolUser cmdlet with no parameters. However, there is a lot more that you can do with Get-MsolUser cmdlet.
For example, you can use it to search for users as well as identify when a particular user was created, when a particular user changed their password the last time, licenses associated with a user, password policies that apply to a user, whether a user is synchronized from On-Premises Active Directory or not, and much more. Here is a list of Get-MsolUser PowerShell commands that you might find useful in your daily operational needs:
Getting Creation Date and Time for Office 365 Users
In cases where you need to get a list of users with their creation time, run the following PowerShell command:
Get-MsolUser | Select-Object UserPrincipalName, WhenCreated | FT -AutoSize
The "WhenCreated" property displays the user creation time as shown in the output window below:
The above command displays the result in the PowerShell window. If you wish to export the list to a CSV file, use this command:
Get-MsolUser -ALL | Select-Object UserPrincipalName, WhenCreated | Export-CSV AllUsersWithWhenCreated.CSV -NoTypeInformation
A CSV file with the filename "AllUsersWithWhenCreated.CSV" will be generated in the local folder.
Tip: The Export-CSV PowerShell cmdlet is supported for all Windows PowerShell cmdlets.
Searching for Users
Although you can search for users in the Office 365 Admin Center, using the Get-MsolUser cmdlet provides you the opportunity to store the output in a CSV file. For example, to retrieve a list of users that contain "Rick" in the display name, run the following command:
Get-MsolUser -SerachString "Rick" | Select-Object UserPrincipalName, IsLicensed | Export-CSV UsersWithRick.CSV -NoTypeInformation
List Users that are Enabled/Disabled
You can also use the Get-MsolUser cmdlet to retrieve a list of users that are enabled or disabled by adding the "-EnabledFilter" parameter. The "-EnabledFilter" parameter supports two values: EnabledOnly and DisabledOnly as shown in these commands:
Get-MsolUser -EnabledFilter EnabledOnly -ALL | Export-CSV EnabledOffice365Users.CSV -NoTypeInformation
Get-MsolUser -EnabledFilter DisabledOnly -ALL | Export-CSV DisabledOffice365Users.CSV -NoTypeInformation
The first command retrieves the users that are enabled while the second command retrieves a list of users that are currently disabled.
Getting Synchronized Users
Office 365 allows you to implement a "Synchronized Identity" scenario in which users from an on-premises Active Directory are synced by using DirSync, AADSync or AADConnect tools and populated to Office 365 WAAD, which, in turn, eliminates the need for creating users in Office 365 separately. Every user must be synchronized in order to retrieve updated information from the on-premises Active Directory.
It is important to note that Azure PowerShell cmdlets do not provide a switch you can use to list the users that are synchronized from On-Premises Active Directory. This is where the power of Get-MSOlUser cmdlet comes.
Every user that is synchronized from On-Premises Active Directory is assigned some value to a user attribute called "ImmutableID." The "ImmutableID" attribute holds that data if the user is synchronized from On-Premises Active Directory. To query synchronized users and store output in a CSV file, run the PowerShell command below:
Get-MSOlUser -All | Where ImmutableID -ne $Null
The above command instructs Get-MSOlUser to query all users that do not have a value assigned to the ImmutableID attribute.
Getting Last Synchronization Time for Users
Every user that is synchronized from an on-premises Active Directory will have a synchronization timestamp. If you need to know the last synchronization time for a single user or multiple users, run these commands.
To get last synchronization time for a single user:
Get-MSOlUser -UserPrincipalName "Rick@ExampleIT.Com" | Select-Object UserPrincipalName, LastDirSyncTime
And to run this command for all the users and store output in a CSV file, use this command:
Get-MSOlUser -ALL | Select-Object UserPrincipalName, LastDirSyncTime
There's other valuable Office 365 user information you can retrieve using the Get-MsolUser PowerShell cmdlet, but you first need to know if there are properties available for the Office 365 user that holds the required information.
What you can do is get a list of user properties associated with Office 365 users by running the "Get-MSOlUser | Get-Member" command. Once you know the user properties that might hold the required user information, use the following Get-MSOlUser syntax to retrieve the user information:
Get-MSOlUser -UserPrincipalName "UserName@ExampleIT.Com" | Select-Object Property1, Property2, Property3 and so on
Getting Information for All Office 365 Users
You might have noticed the use of the -MaxResults or -ALL parameters in some of the PowerShell commands explained above. By default, the Get-MsolUser cmdlet can retrieve only 500 users in a command.
If there are more than 500 users in an Office 365 WAAD, you must use either the -ALL or -MaxResults parameters. The -MaxResults <value> parameter instructs the Get-MsolUser cmdlet to return up to the value specified in the -MaxResults parameter, whereas the -ALL parameter allows you to get results for all Office 365 users. Do not forget to use these parameters based on your command requirements.
Microsoft Office 365 provides PowerShell cmdlets that can dramatically reduce the time it takes to perform tasks via the Office 365 Admin Center. Since most of the tasks in an Office 365 cloud environment are associated with a user, the use of Get-MsolUser PowerShell cmdlet provides greater flexibility in terms of managing Office 365 WAAD instances.
Nirmal Sharma is a MCSEx3, MCITP and Microsoft MVP in Directory Services. He specializes in directory services, Microsoft Azure, Failover clusters, Hyper-V, System Center and Exchange Servers, and has been involved with Microsoft technologies since 1994. In his spare time, he likes to help others and share some of his knowledge by writing tips and articles on various sites and contributing to Health Packs for ADHealthProf.ITDynamicPacks.Net solutions. Nirmal can be reached at firstname.lastname@example.org.