
Microsoft Exchange User Administration PowerShell Guide

Feb 10

12 min read


This guide provides a comprehensive overview of using PowerShell to manage Microsoft Exchange Online users. It covers connecting to Exchange Online PowerShell, common cmdlets for user administration, different modules and their functionalities, and cmdlets for various user management tasks.

Connecting to Exchange Online PowerShell

Before you can manage Exchange Online users with PowerShell, you need to connect to Exchange Online PowerShell. There are several ways to connect, depending on your environment and security requirements. This section outlines the process of connecting to Exchange Online PowerShell and installing the necessary modules for managing both Exchange Online and SharePoint Online users.

Installing the SharePoint Online Management Shell

If you need to manage SharePoint Online users in addition to Exchange Online users, you'll need to install the SharePoint Online Management Shell. This shell provides a set of cmdlets specifically designed for managing SharePoint Online [1]. You can download the SharePoint Online Management Shell from the Microsoft Download Center.

Using the Exchange Online PowerShell Module

The recommended way to connect to Exchange Online PowerShell is to use the Exchange Online PowerShell V2 module. This module uses modern authentication and works with or without multi-factor authentication (MFA) [2].

To install the module, open an elevated PowerShell window and run the following command:


PowerShell



Install-Module -Name ExchangeOnlineManagement

Once the module is installed, you can connect to Exchange Online PowerShell by running the following command:


PowerShell



Connect-ExchangeOnline -UserPrincipalName <UPN> [-ExchangeEnvironmentName <Value>] [-ShowBanner:$false] [-DelegatedOrganization <String>]

Replace <UPN> with your user principal name (e.g., user@domain.com). You can also specify optional parameters to connect to different Exchange environments or to suppress the banner [3].

Other Connection Methods

While the Exchange Online PowerShell module is the preferred method, there are other ways to connect:

  • Basic authentication: This method involves providing your username and password directly in the PowerShell command. It is less secure and not recommended for accounts that use MFA. However, it may be necessary in certain environments where modern authentication is not available. To connect using basic authentication, you can use the following command [3]:


PowerShell



$secpasswd = ConvertTo-SecureString '<Password>' -AsPlainText -Force
$o365cred = New-Object System.Management.Automation.PSCredential ("admin@contoso.onmicrosoft.com", $secpasswd)
Connect-ExchangeOnline -Credential $o365cred

It's crucial to be aware of the security implications of using basic authentication. Modern authentication is always the preferred method due to its enhanced security features [3].

  • Device login: This method is useful for interactive scripting scenarios on computers that don't have web browsers. It involves running a command that generates a unique code and a URL. You then open the URL in a web browser on any device and enter the code to authenticate [3]. To connect using device login, run the following command:


PowerShell



Connect-ExchangeOnline -Device

This will prompt you with a device code and a URL to authenticate your session.

  • Azure managed identities: This method is useful for unattended scripts and applications that need to connect to Exchange Online PowerShell. It allows applications to authenticate without needing to manage credentials directly [3]. To connect using a system-assigned managed identity, you can use the following command:


PowerShell



Connect-ExchangeOnline -ManagedIdentity -Organization "cohovinyard.onmicrosoft.com"

For detailed instructions on each connection method, refer to the Microsoft documentation [3].

Common Cmdlets for User Administration

Once connected to Exchange Online PowerShell, you can use various cmdlets to manage users. Here are some of the most common cmdlets and their use cases:

Different Mailbox Types

Before diving into specific cmdlets, it's important to understand the different types of mailboxes available in Exchange Online. These include [4]:

  • User mailboxes: These are the standard mailboxes assigned to individual users for their email and personal storage.

  • Shared mailboxes: These mailboxes are not assigned to a specific user and can be accessed by multiple users for collaborative purposes.

  • Resource mailboxes: These include room mailboxes and equipment mailboxes, used for scheduling resources like meeting rooms and equipment.

Understanding these mailbox types is fundamental for effective user management in Exchange Online.

Retrieving User Information

  • Get-Mailbox: Retrieves information about a specific mailbox. You can use this cmdlet to view mailbox properties, such as storage quotas, email addresses, and mailbox features [5].

PowerShell

Get-Mailbox -Identity "user@domain.com"

  • Get-User: Retrieves information about a specific user in Exchange Online. This cmdlet provides details about the user's account properties, such as display name, title, and department [5].

PowerShell

Get-User -Identity "user@domain.com"

  • Get-MsolUser: This cmdlet retrieves information about user accounts in Azure Active Directory, including their assigned licenses and other properties. You can use this to gather comprehensive user data for reporting or automation purposes [6].

PowerShell

Get-MsolUser -UserPrincipalName "user@domain.com"

Creating a New User

  • New-Mailbox: Creates a new mailbox for a user. This cmdlet allows you to create a mailbox with various parameters, such as the user's alias, display name, and initial password [5].

PowerShell

# In Exchange Online, -Name is required and the sign-in address is passed with -MicrosoftOnlineServicesID
New-Mailbox -Name "New User" -MicrosoftOnlineServicesID "new.user@domain.com" -Alias "newuser" -DisplayName "New User" -Password (ConvertTo-SecureString -String "Password123!" -AsPlainText -Force)

When creating a new user, remember that the grace period to assign a license to the account is 30 days [7].

  • New-MsolUser: This cmdlet creates a new user account in Azure Active Directory. You can specify various user attributes, such as display name, user principal name, and usage location [6].

PowerShell

New-MsolUser -UserPrincipalName "new.user@domain.com" -DisplayName "New User" -FirstName "New" -LastName "User" -UsageLocation "US"

You can also use CSV files to create multiple user accounts efficiently. This is particularly useful for automating user creation for a large number of users [6].
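
The following added example (not from the original guide or from Microsoft) creates mailboxes from CSV data without a hard-coded shared password: each account gets its own random temporary password and must change it at first sign-in. The helper names New-TemporaryPassword and New-MailboxFromCsv, the CSV column names and the sample rows are assumptions, and an active Connect-ExchangeOnline session is assumed.

```powershell
# Added example, not from the original guide. New-TemporaryPassword and
# New-MailboxFromCsv are hypothetical helper names and the CSV columns are an
# assumed layout. Requires an active Connect-ExchangeOnline session.

function New-TemporaryPassword {
    param([ValidateRange(12, 128)][int]$Length = 20)

    # Look-alike characters (l, I, O, 0, 1) are left out to avoid transcription errors.
    $classes = 'abcdefghijkmnopqrstuvwxyz', 'ABCDEFGHJKLMNPQRSTUVWXYZ', '23456789', '!#%*+-=?@'
    $rng     = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes   = New-Object byte[] 4
    # Random index below $Max from the OS CSPRNG (modulo bias is negligible at this size).
    $next = {
        param([int]$Max)
        $rng.GetBytes($bytes)
        [int]([System.BitConverter]::ToUInt32($bytes, 0) % $Max)
    }
    try {
        # One character from every class first, so complexity rules are always met.
        $chars = New-Object 'System.Collections.Generic.List[char]'
        foreach ($set in $classes) { $chars.Add($set[(& $next $set.Length)]) }
        $all = -join $classes
        while ($chars.Count -lt $Length) { $chars.Add($all[(& $next $all.Length)]) }

        # Fisher-Yates shuffle so the guaranteed characters are not in fixed positions.
        for ($i = $chars.Count - 1; $i -gt 0; $i--) {
            $j = & $next ($i + 1)
            $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
        }
        -join $chars
    }
    finally { $rng.Dispose() }
}

function New-MailboxFromCsv {
    param(
        [Parameter(Mandatory = $true)][object[]]$Rows,
        [switch]$Commit   # without -Commit, New-Mailbox runs with -WhatIf only
    )
    foreach ($row in $Rows) {
        $plain  = New-TemporaryPassword
        $params = @{
            Name                      = $row.DisplayName
            DisplayName               = $row.DisplayName
            Alias                     = $row.Alias
            MicrosoftOnlineServicesID = $row.UserPrincipalName
            Password                  = ConvertTo-SecureString -String $plain -AsPlainText -Force
            ResetPasswordOnNextLogon  = $true   # user must change the password at first sign-in
        }
        if (-not $Commit) { New-Mailbox @params -WhatIf; continue }

        New-Mailbox @params -ErrorAction Stop | Out-Null
        # Return the password to the caller for out-of-band delivery; do not log it.
        [pscustomobject]@{ UserPrincipalName = $row.UserPrincipalName; TemporaryPassword = $plain }
    }
}

# Constructed sample rows; in practice use Import-Csv on a file with the same columns.
$rows = @'
UserPrincipalName,Alias,DisplayName
new.user@domain.com,newuser,New User
second.user@domain.com,seconduser,Second User
'@ | ConvertFrom-Csv

New-MailboxFromCsv -Rows $rows             # preview only
# New-MailboxFromCsv -Rows $rows -Commit   # create the mailboxes
```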

Modifying User Properties

  • Set-Mailbox: Modifies mailbox properties, such as quotas, forwarding, and litigation hold. This cmdlet allows you to make changes to existing mailboxes, such as increasing storage quotas, setting up email forwarding, or enabling litigation hold for legal purposes [5].

PowerShell

Set-Mailbox -Identity "user@domain.com" -IssueWarningQuota 4.5GB -ProhibitSendQuota 5GB -ProhibitSendReceiveQuota 6GB

  • Set-User: Modifies user attributes, such as display name, title, and department. This cmdlet allows you to update user information in Exchange Online, such as changing a user's display name or job title [8].

PowerShell

Set-User -Identity "user@domain.com" -DisplayName "John Doe" -Title "Manager"

  • Set-MsolUser: This cmdlet allows you to modify user account properties in Azure Active Directory. You can use it to update user attributes, such as password settings, contact information, and group memberships [9].

PowerShell

Set-MsolUser -UserPrincipalName "user@domain.com" -PasswordNeverExpires $true

Deleting a User

  • Remove-Mailbox: Removes a mailbox. This cmdlet deletes a user's mailbox from Exchange Online. It's important to use the -Confirm:$false parameter with this cmdlet to avoid accidental deletions [10].

PowerShell

Remove-Mailbox -Identity "user@domain.com" -Confirm:$false

When you remove a mailbox, it is soft-deleted and can be recovered within a certain period. You can use the Undo-SoftDeletedMailbox cmdlet to restore a soft-deleted mailbox [11].

  • Remove-MailUser: Removes a mail user. This cmdlet deletes a mail user object from Exchange Online. Mail users are typically used for external email contacts who do not have a mailbox within your organization [10].

PowerShell

Remove-MailUser -Identity "user@domain.com" -Confirm:$false

  • Remove-MsolUser: This cmdlet deletes a user account from Azure Active Directory. When you delete a user account, their associated mailbox is also deleted [12].

PowerShell

Remove-MsolUser -UserPrincipalName "user@domain.com" -Force
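
The following added example (not from the original guide or from Microsoft) wraps mailbox removal in the checks a script should make before deleting anything: it resolves the identity to exactly one mailbox, previews the change with -WhatIf, and confirms afterwards that the mailbox is in the soft-deleted state. Remove-MailboxSafely and its -Commit switch are hypothetical names, the litigation-hold refusal is an example policy, and an active Connect-ExchangeOnline session is assumed.

```powershell
# Added example, not from the original guide. Remove-MailboxSafely is a
# hypothetical helper name, not a built-in cmdlet. Requires an active
# Connect-ExchangeOnline session.
function Remove-MailboxSafely {
    param(
        [Parameter(Mandatory = $true)][string]$Identity,
        [switch]$Commit   # without -Commit the function only previews the removal
    )

    # Resolve the identity first so a typo or ambiguous name cannot hit the wrong mailbox.
    $found = @(Get-Mailbox -Identity $Identity -ErrorAction Stop)
    if ($found.Count -ne 1) {
        throw "Expected exactly one mailbox for '$Identity', found $($found.Count)."
    }
    $mbx  = $found[0]
    $guid = $mbx.ExchangeGuid.ToString()

    # Example policy (an assumption, adapt to your own process):
    # a script never removes a mailbox that is on litigation hold.
    if ($mbx.LitigationHoldEnabled) {
        throw "'$($mbx.PrimarySmtpAddress)' is on litigation hold; handle it through your legal process."
    }

    if (-not $Commit) {
        # -WhatIf reports what would be removed without changing anything.
        Remove-Mailbox -Identity $guid -WhatIf
        return [pscustomobject]@{
            Mailbox     = "$($mbx.PrimarySmtpAddress)"
            Action      = 'Preview'
            SoftDeleted = $false
        }
    }

    # -Confirm:$false suppresses the interactive prompt, so the checks above
    # are the only safeguard at this point.
    Remove-Mailbox -Identity $guid -Confirm:$false -ErrorAction Stop

    # Verify that the mailbox is now listed as soft-deleted and therefore recoverable.
    $soft = Get-Mailbox -SoftDeletedMailbox -Identity $guid -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Mailbox     = "$($mbx.PrimarySmtpAddress)"
        Action      = 'Removed'
        SoftDeleted = [bool]$soft
    }
}

Remove-MailboxSafely -Identity "user@domain.com"             # preview only
# Remove-MailboxSafely -Identity "user@domain.com" -Commit   # remove and verify
```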

Managing User Groups

  • Add-DistributionGroupMember: Adds a member to a distribution group. This cmdlet allows you to add users to existing distribution groups, making it easier to send emails to a group of people [13].

PowerShell

Add-DistributionGroupMember -Identity "GroupName" -Member "user@domain.com"

  • Get-DistributionGroupMember: Retrieves the members of a distribution group. You can use this cmdlet to view the list of members in a distribution group [13].

PowerShell

Get-DistributionGroupMember -Identity "GroupName"

  • New-DistributionGroup: Creates a new distribution group. This cmdlet allows you to create a new distribution group with a specified name and alias [13].

PowerShell

New-DistributionGroup -Name "GroupName" -Alias "GroupAlias"

  • Set-OrganizationConfig: This cmdlet allows you to configure organization-wide settings for Microsoft 365 groups, such as the default group access type (public or private) [14].

PowerShell

Set-OrganizationConfig -DefaultGroupAccessType Public

Managing User Access and Permissions

This section consolidates information about managing user licenses and roles, as they are closely related to user access control in Exchange Online.

Managing User Licenses

You can use PowerShell to manage user licenses in Exchange Online. This includes assigning licenses to new users, removing licenses from departing users, and updating licenses as needed [15].

Some common cmdlets for managing user licenses include:

  • Set-MsolUserLicense: Assigns or removes licenses from users. This cmdlet allows you to add or remove licenses from user accounts, controlling their access to different Microsoft 365 services [15].

PowerShell

Set-MsolUserLicense -UserPrincipalName "user@domain.com" -AddLicenses "license-name"

  • Get-MsolUser: Retrieves information about users, including their assigned licenses. You can use this cmdlet to view the licenses assigned to a specific user or to generate a report of all licensed users in your organization [16].

PowerShell

Get-MsolUser -UserPrincipalName "user@domain.com"

  • Get-MsolAccountSku: Retrieves information about available licenses in your organization. This cmdlet provides a list of all the licenses that you have purchased for your Microsoft 365 tenant [16].

PowerShell

Get-MsolAccountSku

Managing User Roles

Exchange Online uses role-based access control (RBAC) to manage permissions. You can use PowerShell to assign and manage user roles, which determine what actions users can perform in Exchange Online [17]. When assigning roles, it's essential to adhere to the principle of least privilege, granting users only the permissions they need to perform their jobs. This helps to improve the security of your Exchange Online environment [18].

Some common cmdlets for managing user roles include:

  • New-RoleGroup: Creates a new role group. This cmdlet allows you to create custom role groups with specific sets of permissions [17].

PowerShell

# The built-in role name contains a space: "Mail Recipients"
New-RoleGroup -Name "RoleGroupName" -Roles "Mail Recipients"

You can further refine permissions by using custom recipient write scopes. These scopes allow you to limit the users or groups that members of a role group can manage [19].

  • Add-RoleGroupMember: Adds a member to a role group. This cmdlet allows you to add users or groups to a role group, granting them the permissions associated with that role group [19].

PowerShell

Add-RoleGroupMember -Identity "RoleGroupName" -Member "user@domain.com"

  • Get-ManagementRole: Retrieves information about available roles. This cmdlet provides a list of all the management roles that you can assign to role groups [20].

PowerShell

Get-ManagementRole

  • Get-ManagementRoleAssignment: This cmdlet retrieves information about role assignments, showing which users and groups have been assigned specific roles [21].

PowerShell

Get-ManagementRoleAssignment -Role "Mail Recipients"

  • Get-ManagementRoleEntry: This cmdlet allows you to find the specific permissions required to run a cmdlet or parameter. This can be helpful for troubleshooting permission issues or for understanding the permissions required for specific tasks [22].

PowerShell

# Role entries are addressed as <role>\<cmdlet>; "*\Set-Mailbox" lists every role that contains Set-Mailbox
Get-ManagementRoleEntry -Identity "*\Set-Mailbox"

  • Get-RoleGroupMember: This cmdlet allows you to find the members of a role group. This can be useful for auditing role group membership and ensuring that only authorized users have access to specific permissions [22].

PowerShell

Get-RoleGroupMember "Organization Management"
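
The following added example (not from the original guide or from Microsoft) turns the least-privilege advice above into a repeatable audit: it lists every role group member, flags members of privileged groups who are not on an approved list, flags nested groups that need expanding, and reports roles assigned directly to users outside any role group. Get-RoleGroupAudit, the -ApprovedAdmins list and the sample name "Alice Admin" are assumptions, and an active Connect-ExchangeOnline session is assumed.

```powershell
# Added example, not from the original guide. Get-RoleGroupAudit and its
# parameters are hypothetical. Requires an active Connect-ExchangeOnline session.
function Get-RoleGroupAudit {
    param(
        # Role groups whose membership should be tightly controlled.
        [string[]]$PrivilegedGroups = @('Organization Management'),
        # Display names of the accounts that are allowed in those groups.
        [string[]]$ApprovedAdmins = @()
    )

    foreach ($group in Get-RoleGroup -ResultSize Unlimited) {
        $isPrivileged = $PrivilegedGroups -contains $group.Name
        $members = @(Get-RoleGroupMember -Identity $group.Name -ResultSize Unlimited)

        foreach ($member in $members) {
            # A group inside a role group hides the real membership until it is expanded.
            $isNestedGroup = "$($member.RecipientType)" -like '*Group*'

            $finding = 'OK'
            if ($isNestedGroup) { $finding = 'NestedGroup' }
            if ($isPrivileged -and $ApprovedAdmins -notcontains $member.Name) {
                $finding = 'UnapprovedPrivilegedMember'
            }

            [pscustomobject]@{
                Source    = 'RoleGroup'
                RoleGroup = $group.Name
                Assignee  = $member.Name
                Type      = "$($member.RecipientType)"
                Roles     = @($group.Roles).Count
                Finding   = $finding
            }
        }
    }

    # Roles assigned straight to a user bypass role groups and are easy to overlook.
    foreach ($assignment in Get-ManagementRoleAssignment -RoleAssigneeType User) {
        [pscustomobject]@{
            Source    = 'DirectAssignment'
            RoleGroup = $null
            Assignee  = $assignment.RoleAssigneeName
            Type      = 'User'
            Roles     = "$($assignment.Role)"
            Finding   = 'DirectRoleAssignment'
        }
    }
}

# "Alice Admin" is a constructed sample name.
Get-RoleGroupAudit -ApprovedAdmins 'Alice Admin' |
    Where-Object Finding -ne 'OK' |
    Sort-Object Finding, RoleGroup |
    Format-Table -AutoSize
```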

Managing User Permissions

  • Add-MailboxPermission: Grants permissions to a mailbox, such as Full Access or Send As. This cmdlet allows you to grant specific permissions to other users to access a mailbox. You must have a licensed user mailbox to manage permissions [23].

PowerShell

Add-MailboxPermission -Identity "user@domain.com" -User "delegate@domain.com" -AccessRights FullAccess -InheritanceType All

  • Remove-MailboxPermission: Removes permissions from a mailbox. This cmdlet allows you to revoke permissions that were previously granted to other users [23].

PowerShell

Remove-MailboxPermission -Identity "user@domain.com" -User "delegate@domain.com" -AccessRights FullAccess -InheritanceType All

  • Set-MailboxFolderPermission: This cmdlet allows you to manage folder-level permissions for mailboxes. This provides granular control over mailbox access, allowing you to specify which users have access to specific folders within a mailbox [24].

PowerShell

Set-MailboxFolderPermission -Identity "user@domain.com:\Inbox" -User "delegate@domain.com" -AccessRights Editor

Exchange Online PowerShell Modules and Functionalities

The Exchange Online PowerShell module provides a rich set of cmdlets for managing various aspects of Exchange Online. Here's a table summarizing the modules, their functionalities, and relevant cmdlets:





| Module | Functionalities | Relevant Cmdlets |
| --- | --- | --- |
| ExchangeOnlineManagement | Mailbox management; Mail flow management; Security and compliance; Recipient management; Organization management | Get-Mailbox, Set-Mailbox, New-Mailbox, Remove-Mailbox; New-MailFlowRule, Set-TransportConfig; Get-AntiSpamPolicy, Set-MalwareFilterPolicy; Get-MailUser, New-DistributionGroup; Get-OrganizationConfig, Set-OrganizationConfig |
| AzureAD | User and group management; License management | Get-MsolUser, Set-MsolUser, New-MsolUser, Remove-MsolUser; Set-MsolUserLicense, Get-MsolAccountSku |
| MSOnline | User and group management; License management | Get-MsolUser, Set-MsolUser, New-MsolUser, Remove-MsolUser; Set-MsolUserLicense, Get-MsolAccountSku |

The Exchange Online PowerShell module also includes several specialized cmdlets for specific tasks, such as:

  • Get-EXOMailbox: This cmdlet is optimized for retrieving mailbox information in bulk. It provides significant performance improvements when dealing with a large number of mailboxes [2].

  • Get-EXORecipient: This cmdlet is optimized for retrieving recipient information in bulk, including users, groups, and contacts. It offers similar performance benefits to Get-EXOMailbox [2].

  • Get-MigrationUser: Retrieves information about migration batches. This is useful for monitoring the progress of mailbox migrations to Exchange Online [25].

  • Set-MailboxAutoReplyConfiguration: Configures automatic replies for mailboxes. This allows you to set up out-of-office messages for users [25].

  • Get-MobileDeviceStatistics: This cmdlet retrieves statistics about mobile devices that are connected to Exchange Online. This information can be useful for monitoring mobile device usage and security [2].

Managing User Settings and Preferences

You can use PowerShell to manage various user settings and preferences in Exchange Online. This includes mailbox settings, email forwarding, message delivery restrictions, and more [26].

Some common cmdlets for managing user settings include:

  • Set-Mailbox: Modifies mailbox settings, such as quotas, forwarding, and litigation hold. This cmdlet provides a versatile way to manage various mailbox settings [26].

PowerShell

Set-Mailbox -Identity "user@domain.com" -ForwardingAddress "forward@domain.com"

You can also use this cmdlet to enable single item recovery for mailboxes. Single item recovery allows you to recover individual items that have been deleted from a mailbox, even after they have been purged from the Deleted Items folder [4].

PowerShell

Set-Mailbox -Identity "user@domain.com" -SingleItemRecoveryEnabled $true

For legal and compliance reasons, you can enable litigation hold for mailboxes using the LitigationHoldEnabled parameter. This preserves all mailbox content, even if the user attempts to delete it [4].

PowerShell

Set-Mailbox -Identity "user@domain.com" -LitigationHoldEnabled $true

  • Set-CASMailbox: Modifies client access server settings, such as ActiveSync and OWA policies. This cmdlet allows you to control user access to Exchange Online through different client applications [4].

PowerShell

Set-CASMailbox -Identity "user@domain.com" -ActiveSyncEnabled $false

  • Set-User: Modifies user attributes, such as display name, title, and department. This cmdlet provides a way to update user information in Exchange Online [8].

PowerShell

Set-User -Identity "user@domain.com" -DisplayName "John Doe"

  • Set-UserPhoto: This cmdlet allows you to manage user photos in Exchange Online. You can use it to upload, update, or remove user photos [2].

PowerShell

# ReadAllBytes is a static method of System.IO.File
Set-UserPhoto "user@domain.com" -PictureData ([System.IO.File]::ReadAllBytes("C:\path\to\photo.jpg"))
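
Mail forwarding (Set-Mailbox above) and FullAccess delegation (Add-MailboxPermission in the permissions section) both give someone other than the owner access to mailbox content, so they are worth reviewing together. The following added example (not from the original guide or from Microsoft) reports both; Get-MailboxExposureReport and its -InternalDomains parameter are hypothetical names, and an active Connect-ExchangeOnline session is assumed.

```powershell
# Added example, not from the original guide. Get-MailboxExposureReport is a
# hypothetical helper name. Requires an active Connect-ExchangeOnline session.
function Get-MailboxExposureReport {
    param(
        # Domains treated as internal; defaults to the tenant's accepted domains.
        [string[]]$InternalDomains = @(Get-AcceptedDomain | ForEach-Object { "$($_.DomainName)" })
    )

    foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
        $owner = "$($mbx.PrimarySmtpAddress)"

        # 1. Forwarding to an arbitrary SMTP address (stored as "smtp:user@example.com").
        if ($mbx.ForwardingSmtpAddress) {
            $target = "$($mbx.ForwardingSmtpAddress)" -replace '^smtp:', ''
            $domain = ($target -split '@')[-1]
            [pscustomobject]@{
                Mailbox   = $owner
                Finding   = if ($InternalDomains -contains $domain) { 'ForwardingInternal' } else { 'ForwardingExternal' }
                Detail    = $target
                KeepsCopy = [bool]$mbx.DeliverToMailboxAndForward
            }
        }

        # 2. Forwarding to a directory recipient (set with -ForwardingAddress).
        #    The recipient can be a mail contact, so review where it delivers.
        if ($mbx.ForwardingAddress) {
            [pscustomobject]@{
                Mailbox   = $owner
                Finding   = 'ForwardingToRecipient'
                Detail    = "$($mbx.ForwardingAddress)"
                KeepsCopy = [bool]$mbx.DeliverToMailboxAndForward
            }
        }

        # 3. Explicit FullAccess grants, ignoring inherited entries, deny entries
        #    and the owner's own SELF entry.
        Get-MailboxPermission -Identity $mbx.ExchangeGuid.ToString() |
            Where-Object {
                "$($_.AccessRights)" -match 'FullAccess' -and
                -not $_.IsInherited -and
                -not $_.Deny -and
                "$($_.User)" -ne 'NT AUTHORITY\SELF'
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Mailbox   = $owner
                    Finding   = 'FullAccessDelegate'
                    Detail    = "$($_.User)"
                    KeepsCopy = $null
                }
            }
    }
}

# External forwarding first, then the rest of the findings.
Get-MailboxExposureReport |
    Sort-Object @{ Expression = { $_.Finding -ne 'ForwardingExternal' } }, Mailbox |
    Format-Table -AutoSize
```

The function queries permissions once per mailbox, so in a large tenant run it against a filtered set of mailboxes or schedule it outside working hours.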

Troubleshooting Common Issues

When working with Exchange Online PowerShell, you may encounter various issues, such as connectivity problems, authentication errors, and permission issues. Here are some tips for troubleshooting common problems:

  • Connectivity problems: Ensure that you have a stable internet connection and that your firewall is not blocking access to Exchange Online PowerShell endpoints.

  • Authentication errors: Verify that you are using the correct credentials and that your account has the necessary permissions to connect to Exchange Online PowerShell. If you are using MFA, ensure that you have configured your authentication method correctly.

  • Permission issues: If you are unable to perform certain actions, check that your account has the required permissions. You can use the Get-ManagementRoleEntry cmdlet to determine the specific permissions needed for a cmdlet or parameter.

If you encounter persistent issues, refer to the official Microsoft documentation or seek assistance from the Exchange Online community forums.

Conclusion

PowerShell is an indispensable tool for managing Microsoft Exchange Online users. By understanding the various cmdlets, modules, and functionalities available, you can automate tasks, improve efficiency, and gain greater control over your Exchange Online environment. This guide provides a solid foundation for your Exchange Online PowerShell journey. For more in-depth information and advanced scenarios, explore the official Microsoft documentation, community forums, and online resources. Remember to always prioritize security best practices, such as using modern authentication and adhering to the principle of least privilege when managing user access and permissions.

Works cited

1. 10 Most Useful PowerShell Commands for Office 365 - ManageEngine, accessed on February 10, 2025, https://www.manageengine.com/microsoft-365-management-reporting/powershell/10-most-useful-powershell-commands-for-office-365.html

2. About the Exchange Online PowerShell V3 module | Microsoft Learn, accessed on February 10, 2025, https://learn.microsoft.com/en-us/powershell/exchange/exchange-online-powershell-v2?view=exchange-ps

3. Connect to Exchange Online PowerShell - Microsoft Learn, accessed on February 10, 2025, https://learn.microsoft.com/en-us/powershell/exchange/connect-to-exchange-online-powershell?view=exchange-ps

4. PowerShell Cmdlets to Manage Exchange Online Mailboxes - Microsoft 365 Scripts, accessed on February 10, 2025, https://m365scripts.com/exchange-online/top-powershell-cmdlets-to-manage-exchange-online-mailboxes/

5. Exchange Online Admin PowerShell - Medium, accessed on February 10, 2025, https://medium.com/@m365alikoc/exchange-online-admin-powershell-393c92da4282

6. Create Microsoft 365 user accounts with PowerShell, accessed on February 10, 2025, https://learn.microsoft.com/en-us/microsoft-365/enterprise/create-user-accounts-with-microsoft-365-powershell?view=o365-worldwide

7. Connecting Office 365 Exchange Online with PowerShell: A Step-by-Step Guide - NAKIVO, accessed on February 10, 2025, https://www.nakivo.com/blog/how-to-connect-office-365-exchange-online-powershell/

8. Set-User (ExchangePowerShell) - Microsoft Learn, accessed on February 10, 2025, https://learn.microsoft.com/en-us/powershell/module/exchange/set-user?view=exchange-ps

9. Manage users in Office 365 using PowerShell - Office365Concepts, accessed on February 10, 2025, https://office365concepts.com/manage-users-in-office-365-using-powershell/

10. Remove-MailUser (ExchangePowerShell) - Microsoft Learn, accessed on February 10, 2025, https://learn.microsoft.com/en-us/powershell/module/exchange/remove-mailuser?view=exchange-ps

11. Remove Exchange Online Mailboxes Using PowerShell - Microsoft 365 Scripts, accessed on February 10, 2025, https://m365scripts.com/exchange-online/remove-exchange-online-mailboxes-using-powershell-in-microsoft365/

12. Delete Microsoft 365 user accounts with PowerShell, accessed on February 10, 2025, https://learn.microsoft.com/en-us/microsoft-365/enterprise/delete-and-restore-user-accounts-with-microsoft-365-powershell?view=o365-worldwide

13. Manage Distribution Groups with PowerShell - Office365Concepts, accessed on February 10, 2025, https://office365concepts.com/manage-distribution-groups-with-powershell/

14. Manage Microsoft 365 Groups with PowerShell, accessed on February 10, 2025, https://learn.microsoft.com/en-us/microsoft-365/enterprise/manage-microsoft-365-groups-with-powershell?view=o365-worldwide

15. How to Use Set-MsolUserLicense in Powershell - Meeting Room 365, accessed on February 10, 2025, https://www.meetingroom365.com/blog/set-msoluserlicense-powershell/

16. Manage Office 365 licenses with PowerShell - Office365Concepts, accessed on February 10, 2025, https://office365concepts.com/manage-office-365-licenses-with-powershell/

17. Create and Manage Role Groups in Exchange Online - Office 365 Reports, accessed on February 10, 2025, https://o365reports.com/2024/10/01/create-and-manage-role-groups-in-exchange-online/

18. Permissions in Exchange Online | Microsoft Learn, accessed on February 10, 2025, https://learn.microsoft.com/en-us/exchange/permissions-exo/permissions-exo

19. Manage role groups in Exchange Online - Microsoft Learn, accessed on February 10, 2025, https://learn.microsoft.com/en-us/exchange/permissions-exo/role-groups

20. Get-ManagementRole (ExchangePowerShell) | Microsoft Learn, accessed on February 10, 2025, https://learn.microsoft.com/en-us/powershell/module/exchange/get-managementrole?view=exchange-ps

21. Get-ManagementRoleAssignment (ExchangePowerShell) | Microsoft Learn, accessed on February 10, 2025, https://learn.microsoft.com/en-us/powershell/module/exchange/get-managementroleassignment?view=exchange-ps

22. office-docs-powershell/exchange/docs-conceptual/find-exchange-cmdlet-permissions.md at main - GitHub, accessed on February 10, 2025, https://github.com/MicrosoftDocs/office-docs-powershell/blob/main/exchange/docs-conceptual/find-exchange-cmdlet-permissions.md

23. Manage permissions for recipients in Exchange Online - Microsoft Learn, accessed on February 10, 2025, https://learn.microsoft.com/en-us/exchange/recipients-in-exchange-online/manage-permissions-for-recipients

24. Mailbox and Folder Permissions in Exchange Online (Microsoft 365) - PowerShell Forums, accessed on February 10, 2025, https://forums.powershell.org/t/mailbox-and-folder-permissions-in-exchange-online-microsoft-365/23844

25. Top 10 PowerShell Tasks in Exchange Online - Altaro, accessed on February 10, 2025, https://www.altaro.com/hyper-v/10-tasks-online-powershell/

26. Manage user mailboxes in Exchange Online - Microsoft Learn, accessed on February 10, 2025, https://learn.microsoft.com/en-us/exchange/recipients-in-exchange-online/manage-user-mailboxes/manage-user-mailboxes

