Managing Microsoft 365 through PowerShell

What's PowerShell?

The best way to explain PowerShell is directly from Microsoft:

PowerShell is a cross-platform task automation solution made up of a command-line shell, a scripting language, and a configuration management framework. PowerShell runs on Windows, Linux, and macOS.

To put it another way, PowerShell is a command line and a scripting language combined. It's a powerful tool that can be used to automate actions on your computer as well as actions in Microsoft 365. But it doesn't manage Microsoft 365 out of the box. You first have to extend it, which is done by installing modules.

Why PowerShell?

From PowerShell, you can make changes in bulk. For example, you can connect to Microsoft 365 using PowerShell, get a list of unlicensed users and license them all. All from a single script. You can also export data. Need a list of all the users or all the mailboxes? It's no problem with PowerShell. Get the data and export it to CSV. Or maybe you need to give a lot of users access to a SharePoint site. That's no problem with PowerShell.

How do you access PowerShell?

PowerShell is automatically installed on all the latest versions of Windows. To access PowerShell on your computer, click in the search box, then type PowerShell. Finally, click PowerShell in the start menu.

How to connect to Microsoft 365 using PowerShell

One time setup

The following instructions need to be performed once per user on the machine.

1. If you're not running Windows 10, install Microsoft Online Services Sign-in Assistant

2. Run Windows PowerShell as an administrator by searching for PowerShell in the start menu. Right-click Windows PowerShell, then click Run as administrator.

3. When prompted, click Yes.

4. Run the following command: Set-PSRepository -Name "PSGallery" -InstallationPolicy Trusted

5. If prompted with the following, type Y then press Enter.

NuGet provider is required to continue
PowerShellGet requires NuGet provider version '2.8.5.201' or newer to interact with NuGet-based repositories. The NuGet provider must be available in 'C:\Program Files\PackageManagement\ProviderAssemblies' or 'C:\Users\BasicUser\AppData\Local\PackageManagement\ProviderAssemblies'. You can also install the NuGet provider by running 'Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force'. Do you want PowerShellGet to install and import the NuGet provider now?

6. Run the following command: Install-Module MSOnline

7. Run the following command: Install-Module -Name AzureAD

8. Run the following command: Install-Module -Name ExchangeOnlineManagement

9. Run the following command: Install-Module -Name Microsoft.Online.SharePoint.PowerShell

10. Run the following command: Install-Module -Name MicrosoftTeams -Force -AllowClobber

11. Run the following command: Set-ExecutionPolicy RemoteSigned

12. When prompted with the following, type Y then press Enter.

Execution Policy Change

The execution policy helps protect you from scripts that you do not trust. Changing the execution policy might expose you to the security risks described in the about_Execution_Policies help topic at https:/go.microsoft.com/fwlink/?LinkID=135170. Do you want to change the execution policy?

[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "N"):

That's it. Your computer is set up to connect to Microsoft 365 using PowerShell. Now we need to connect to Microsoft 365 using PowerShell.
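To confirm what the one-time setup left behind, the following read-only check (an added example, not part of the original article; the function name Get-M365SetupState is hypothetical) reports the PSGallery trust setting from step 4, the execution policy at every scope from step 11, and which of the five modules are installed.

```powershell
# Added example: read-only check of the state left by the one-time setup.
# Get-M365SetupState is a hypothetical helper name, not a built-in cmdlet.
$modules = 'MSOnline', 'AzureAD', 'ExchangeOnlineManagement',
           'Microsoft.Online.SharePoint.PowerShell', 'MicrosoftTeams'

function Get-M365SetupState {
    param([Parameter(Mandatory)][string[]]$ModuleName)

    # Step 4 marks PSGallery as Trusted, so Install-Module stops asking for
    # confirmation before installing anything from that repository.
    $repo = Get-PSRepository -Name 'PSGallery' -ErrorAction SilentlyContinue

    # Steps 6-10: what was actually installed, which version, and from where.
    $installed = foreach ($name in $ModuleName) {
        $m = Get-InstalledModule -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Module     = $name
            Installed  = [bool]$m
            Version    = if ($m) { $m.Version } else { $null }
            Repository = if ($m) { $m.Repository } else { $null }
        }
    }

    [pscustomobject]@{
        PSGalleryPolicy = if ($repo) { $repo.InstallationPolicy } else { 'not registered' }
        # Step 11: the effective policy, plus the per-scope values. A Group Policy
        # scope (MachinePolicy/UserPolicy) overrides what Set-ExecutionPolicy wrote.
        EffectivePolicy = Get-ExecutionPolicy
        PolicyByScope   = Get-ExecutionPolicy -List
        Modules         = $installed
        MissingModules  = @($installed | Where-Object { -not $_.Installed } |
                              ForEach-Object Module)
    }
}

$state = Get-M365SetupState -ModuleName $modules
$state.Modules       | Format-Table -AutoSize
$state.PolicyByScope | Format-Table -AutoSize
"PSGallery installation policy: $($state.PSGalleryPolicy)"
"Effective execution policy:    $($state.EffectivePolicy)"
if ($state.MissingModules) { "Missing modules: $($state.MissingModules -join ', ')" }
```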

Connect to Microsoft 365 using PowerShell

You may have noticed that we installed modules for MSOnline, Azure AD, Exchange Online, SharePoint, and Microsoft Teams. Just like the Microsoft 365 admin centers, PowerShell is separated into different modules. Depending on the task you want to perform, you'll need to connect using the correct module/command. The first connection we'll make is to Office 365. The MSOnline module is used to manage users, groups, licenses, and the tenant as a whole. It's directly related to the Microsoft 365 admin center from the last lesson.

The following commands will need to be run every time you want to connect to Microsoft 365 using PowerShell.

1. Run the following command: Connect-MsolService

2. When prompted, enter your username then click Next.

3. Then enter your password and click Sign in.

4. If prompted for MFA, enter your MFA information then finish the connection.

How to learn more

That's all it takes to connect to Microsoft 365 using PowerShell, but the question is: what now? How do you get a list of the users? Or the groups? Well, you can view all of the commands available to you via the command Get-Command -Module MSOnline. From there you can get help on each of the commands by running "Get-Help <the-command>".

For example, there's a command available called "Get-MsolUser". To see the help for it you can run Get-Help Get-MsolUser.

To see an example of running the commands you can run "Get-Help <the-command> -Examples"

If you need further help, simply Google it.

Connect to Exchange Online using PowerShell

So now you've connected to Office 365, but you can't manage email from the Microsoft 365 PowerShell. To manage email you need to connect to Exchange Online.

1. From PowerShell run the following command: Connect-ExchangeOnline

2. Enter your username and password like you did when connecting to Microsoft 365.

That's it. You're now connected to Exchange Online using PowerShell. Just like Microsoft 365, you can run Get-Command -Module ExchangeOnlineManagement to get the primary commands, but there are a lot more not listed. You can view all the commands by going to Exchange Online Commands.

Running a command

So here's an example command: Set-Mailbox. You can use the Set-Mailbox command to edit the settings of existing mailboxes. Hypothetically, let's say someone deleted emails in User1's mailbox and you check the audit logs but they are empty. What do you do? You enable auditing for User1's mailbox. How? You run Set-Mailbox -Identity "User1" -AuditEnabled $true. Simply replace User1 with the user you want to enable auditing for and you're good to go.

Here's another example: let's say yesterday you created retention labels so users can flag emails with a label to retain the emails permanently, but a user needs to use the new label today. What do you do? Run Get-Mailbox -ResultSize unlimited -RecipientTypeDetails UserMailbox | %{ Start-ManagedFolderAssistant $_.UserPrincipalName }.
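Extending the single-mailbox auditing example to the whole tenant, this added example (not from the original article; the function names and the CSV path are assumptions) shows the org-wide auditing switch, exports every user mailbox whose AuditEnabled flag is off to CSV, and changes them only when -Apply is passed. It assumes an active Connect-ExchangeOnline session.

```powershell
# Added example; assumes Connect-ExchangeOnline has already been run.
# Function names and the CSV path are hypothetical.

function Get-MailboxAuditGap {
    # User mailboxes whose per-mailbox AuditEnabled flag is off.
    Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
        Where-Object { -not $_.AuditEnabled } |
        Select-Object UserPrincipalName, DisplayName, AuditEnabled, AuditLogAgeLimit
}

function Enable-MailboxAuditGap {
    param(
        [Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Mailbox,
        [switch]$Apply   # without -Apply every change is only previewed via -WhatIf
    )
    foreach ($mbx in $Mailbox) {
        Set-Mailbox -Identity $mbx.UserPrincipalName -AuditEnabled $true -WhatIf:(-not $Apply)
    }
}

# Org-wide switch: AuditDisabled = False means mailbox auditing is on by default.
Get-OrganizationConfig | Select-Object AuditDisabled

# Keep a record of what was found before anything is changed.
$gap = @(Get-MailboxAuditGap)
$gap | Export-Csv -Path .\mailbox-audit-gap.csv -NoTypeInformation
"{0} mailbox(es) with AuditEnabled = False" -f $gap.Count

Enable-MailboxAuditGap -Mailbox $gap            # preview only
# Enable-MailboxAuditGap -Mailbox $gap -Apply   # make the change
# @(Get-MailboxAuditGap).Count                  # re-check; expect 0 after -Apply
```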

Connect to Azure AD using PowerShell

Awesome, now we are connecting to Microsoft 365 and Exchange Online. But what about Azure AD? It's just as easy.

1. From PowerShell run the following command: Connect-AzureAD

2. Enter your username and password like you did when connecting to Microsoft 365.

That's it. You're now connected to Azure AD using PowerShell. You can run Get-Command -Module AzureAD to get the commands for Azure AD.

Connect to Security & Compliance center using PowerShell

1. From PowerShell run the following command: Connect-IPPSSession

2. Enter your username and password like you did when connecting to Microsoft 365.

That's it. You're now connected to Security & Compliance using PowerShell. You can view the commands by going to Security & Compliance Center PowerShell commands.

Here's a more complex example of using PowerShell. From the Security & Compliance admin center, you can download an XML of the rules, update the XML, then upload the XML to modify the rules.

1. Run Connect-IPPSSession to connect to the Security & Compliance PowerShell.

2. Export the XML file of the current rules using the following:

$ruleCollections = Get-DlpSensitiveInformationTypeRulePackage

Set-Content -path C:\custompath\exportedRules.xml -Encoding Byte -Value $ruleCollections.SerializedClassificationRuleCollection

3. Modify the exported XML.

4. Upload your new rules:

New-DlpSensitiveInformationTypeRulePackage -FileData (Get-Content -Path "C:\custompath\exportedRules.xml" -Encoding Byte)

To confirm, type Y, and then press Enter.
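Between the export and the upload, it helps to keep an untouched copy of the export and to check that the edited file still parses. The following is an added example, not from the original article: the path follows the article, while the function names and the ".orig" backup name are assumptions. It reads the file with .NET calls rather than -Encoding Byte, which only Windows PowerShell accepts.

```powershell
# Added example, not from the original article. The path follows the article;
# the function names and the ".orig" backup name are assumptions.
$rulePath = 'C:\custompath\exportedRules.xml'

function Backup-RulePack {
    # Run right after step 2: keep an untouched copy to diff against and roll back to.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath "$Path.orig")) {
        Copy-Item -LiteralPath $Path -Destination "$Path.orig"
    }
    (Get-FileHash -LiteralPath "$Path.orig" -Algorithm SHA256).Hash
}

function Test-RulePackXml {
    # Parse the edited file with DTDs rejected, so a broken edit is caught locally.
    param([Parameter(Mandatory)][string]$Path)
    $settings = New-Object System.Xml.XmlReaderSettings
    $settings.DtdProcessing = [System.Xml.DtdProcessing]::Prohibit
    $stream = [System.IO.File]::OpenRead((Resolve-Path -LiteralPath $Path).ProviderPath)
    $reader = [System.Xml.XmlReader]::Create($stream, $settings)
    try {
        $doc = New-Object System.Xml.XmlDocument
        $doc.Load($reader)
        [pscustomobject]@{ WellFormed = $true; Root = $doc.DocumentElement.LocalName; Error = $null }
    }
    catch {
        [pscustomobject]@{ WellFormed = $false; Root = $null; Error = $_.Exception.Message }
    }
    finally { $reader.Dispose(); $stream.Dispose() }
}

function Publish-RulePack {
    # Step 4, gated: upload only a file that parses and differs from the export.
    param([Parameter(Mandatory)][string]$Path)
    $check   = Test-RulePackXml -Path $Path
    $newHash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if (-not $check.WellFormed) {
        Write-Warning "Not uploading, XML does not parse: $($check.Error)"
    } elseif ($newHash -eq (Backup-RulePack -Path $Path)) {
        Write-Warning 'Not uploading, file is identical to the exported copy.'
    } else {
        New-DlpSensitiveInformationTypeRulePackage -FileData ([System.IO.File]::ReadAllBytes($Path))
    }
}

Backup-RulePack -Path $rulePath    # after step 2, before editing
Publish-RulePack -Path $rulePath   # after step 3; warns while the file is unchanged
```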

Connect to SharePoint Online using PowerShell

Connecting to SharePoint Online using PowerShell takes a couple of extra steps. It isn't difficult; you just need to grab another piece of information.

1. Go to https://admin.microsoft.com/Adminportal/Home?source=applauncher#/alladmincenters and log in to your Office 365 tenant using the global admin credentials.

2. Click SharePoint in the list.

3. Copy the SharePoint URL: everything before the _layouts.

4. Run the following command: Connect-SPOService -Url <The URL you copied>, replacing <The URL you copied> with the URL you copied in step 3.

5. Log in with your admin credentials.

That's it. You're now connected to SharePoint Online using PowerShell. To view the commands run Get-Command -Module Microsoft.Online.SharePoint.PowerShell.

Let's take another example command. Let's say you're tasked with securing your SharePoint environment. You need to stop users from downloading, printing, and syncing files from SharePoint Online using unmanaged devices. What's a managed device? A managed device is a device that is hybrid Azure AD joined or compliant in Intune. An unmanaged device, in short, is what you get when a user has logged in to your SharePoint environment using their personal device. How do you do it? You run Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess. Let's break down the command. The Set-SPOTenant portion is the command. It's run to set properties on the SharePoint Online organization.

Connect to Microsoft Teams using PowerShell

Awesome, now we are connecting to Microsoft 365, Exchange Online, Azure AD, SharePoint Online, and Security & Compliance center. But what about Microsoft Teams? It's just as easy.

1. From PowerShell run the following command: Connect-MicrosoftTeams

2. Enter your username and password like you did when connecting to Microsoft 365.

That's it. You're now connected to Microsoft Teams using PowerShell. You can run Get-Command -Module MicrosoftTeams to get the commands for Microsoft Teams.

To Disconnect from Microsoft 365 using PowerShell

To disconnect from Microsoft 365 PowerShell, simply close the PowerShell window. As a matter of fact, you can simply close the window to disconnect from all the PowerShell connections.

To disconnect from Exchange Online or Security and Compliance PowerShell run the following command: Disconnect-ExchangeOnline

To disconnect from Azure AD PowerShell run the following command: Disconnect-AzureAD

To disconnect from SharePoint Online PowerShell run the following command: Disconnect-SPOService

To disconnect from Microsoft Teams PowerShell run the following command: Disconnect-MicrosoftTeams