This post is for students who attend the M20347 or other Office 365 courses and anyone else who is interested.

General / Misc stuff:

Myth busting office 365 ebook.  Download Here

Find out what’s coming to Office 365 soon (Roadmap):


To test your records are correct remember to use: 

Limitations of the platform:

Legal Sector: 

Important note in regards to IP Based Filtering:

“Microsoft Office 365 relies on third-party content caching engines to achieve good performance and response times. The types of content cached with these third parties are non-SSL resources, such as the images downloaded to draw the Outlook Web App user interface. As stated above, it’s possible and supported to use IP-based filtering for the SSL content downloaded from Office 365 and for the Office 365 end-points that make in-bound calls to an on-premises environment. However, it isn’t possible or supported to use IP-based filtering for the non-SSL resources hosted on third-party content caching engines. To express filtering rules that allow those non-SSL resources to be downloaded to clients on your intranet, you need to use hostname-based filtering (as opposed to IP-based filtering). This is because the IPs used by the third-party content caching engines change frequently in a manner which makes it impractical to track each individual IP change. Allow the following hostnames for these non-SSL resources:”

For more reading and understanding here is the technet blog URL 

What is Delve?

What are Microsoft Teams?

Which Blogs should you use?:



Service Descriptions:

Check out the Service Comparisons too:

Office 365 Service Comparison Spreadsheet



Setting up PowerShell:

Install required software

These steps are required once on your computer, not every time you connect. However, you’ll likely need to install newer versions of the software periodically.

  1. Install the 64-bit version of the Microsoft Online Services Sign-in Assistant: Microsoft Online Services Sign-in Assistant for IT Professionals RTW.

  2. Install the 64-bit version of the Windows Azure Active Directory Module for Windows PowerShell: Windows Azure Active Directory Module for Windows PowerShell (64-bit version).

Awesome site for command:

Useful Commands:

Capture administrative credential for future connections.

$credential = get-credential

Imports the installed Azure Active Directory module.

Import-Module MSOnline

Establishes Online Services connection to Azure Active Directory.

Connect-MsolService -Credential $credential

Imports the installed Skype for Business Online services module.

Import-Module LyncOnlineConnector

Create a Skype for Business Powershell session using defined credential.

$lyncSession = New-CsOnlineSession -Credential $credential

Imports Skype for Business session commands into your local Windows PowerShell session.

Import-PSSession $lyncSession

Imports SharePoint Online session commands into your local Windows PowerShell session.

Import-Module Microsoft.Online.Sharepoint.PowerShell

This connects you to your SharePoint Online services. Substitute the ‘tennantid’ in the URL with the name of your SharePoint Online tenant.

Connect-SPOService -Url <SharePoint Online admin URL> -Credential $credential

Creates an Exchange Online session using defined credential.

$ExchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "<Exchange Online PowerShell URI>" -Credential $credential -Authentication "Basic" -AllowRedirection

This imports the Office 365 session into your active Shell.

Import-PSSession $ExchangeSession

Adding and Managing Users in PowerShell:

Use the Get-MsolUser command to get an overview of all users in Azure Active Directory:


And use the Get-MsolAccountSku command to see what license is available:


When creating a new user in Azure Active Directory you can use the New-MsolUser command, combined with the results of the Get-MsolAccountSku command for the license information. You can use the –LicenseAssignment and –UsageLocation options to assign a proper license.

New-MsolUser -UserPrincipalName <UserPrincipalName> -FirstName Bob -LastName Builder -DisplayName 'Bob Builder' -Password 'Pa$$w0rd' -ForceChangePassword:$TRUE -LicenseAssignment "gk365london:ENTERPRISEPACK" -UsageLocation GB


The –ForceChangePassword option ensures the user changes his password the first time he logs on, either to the Online Portal or to OWA. Optional is the -BlockCredential $true option, which creates a disabled or blocked account in Azure Active Directory.

It is also possible to create multiple users in Azure Active Directory from a CSV file. For example when using the following CSV file:


You can use a PowerShell command similar to this:

$Users = import-csv e:\users.csv

ForEach ($User in $Users) {New-MsolUser -UserPrincipalName $User.UserName -FirstName $User.FirstName -LastName $User.LastName -DisplayName $User.DisplayName -Password 'Pa$$w0rd' -ForceChangePassword:$TRUE -LicenseAssignment "gk365london:ENTERPRISEPACK" -UsageLocation GB}
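The bulk import above gives every new account the same initial password. As an added example (not part of the original post), the function below validates each CSV row, skips accounts that already exist, and omits -Password so that New-MsolUser assigns each user a different generated temporary password. The function name, the -DryRun switch and the sample rows are constructed for illustration, and a prior Connect-MsolService is assumed.

```powershell
# Added example, not from the original post. Requires a prior Connect-MsolService.
function New-MsolUsersFromCsv {
    param(
        [Parameter(Mandatory)] [object[]] $Rows,          # output of Import-Csv / ConvertFrom-Csv
        [Parameter(Mandatory)] [string]   $AccountSkuId,  # e.g. "gk365london:ENTERPRISEPACK"
        [string] $UsageLocation = 'GB',
        [switch] $DryRun                                  # report only, create nothing
    )
    $required = 'UserName', 'FirstName', 'LastName', 'DisplayName'
    foreach ($row in $Rows) {
        # Reject rows with a missing or empty column instead of creating a half-filled account.
        $missing = $required | Where-Object { [string]::IsNullOrWhiteSpace($row.$_) }
        if ($missing) {
            Write-Warning "Skipping row, empty field(s): $($missing -join ', ')"
            continue
        }
        # Leave accounts that already exist untouched.
        if (Get-MsolUser -UserPrincipalName $row.UserName -ErrorAction SilentlyContinue) {
            Write-Warning "Skipping $($row.UserName): account already exists"
            continue
        }
        if ($DryRun) { Write-Output "Would create $($row.UserName)"; continue }

        # No Password entry: the service generates a random password for each user.
        $params = @{
            UserPrincipalName   = $row.UserName
            FirstName           = $row.FirstName
            LastName            = $row.LastName
            DisplayName         = $row.DisplayName
            ForceChangePassword = $true
            LicenseAssignment   = $AccountSkuId
            UsageLocation       = $UsageLocation
        }
        $new = New-MsolUser @params
        # Return the generated password so it can be handed over per user.
        [pscustomobject]@{ UserPrincipalName = $new.UserPrincipalName; TempPassword = $new.Password }
    }
}

# Constructed sample input; the UPNs are placeholders and the second row is deliberately incomplete.
$rows = @'
UserName,FirstName,LastName,DisplayName
bob@example.com,Bob,Builder,Bob Builder
,Wendy,Builder,Wendy Builder
'@ | ConvertFrom-Csv

New-MsolUsersFromCsv -Rows $rows -AccountSkuId 'gk365london:ENTERPRISEPACK' -DryRun
```

Drop -DryRun to create the accounts; the returned objects contain the temporary passwords, so handle that output as a secret rather than writing it to a shared log.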


Change licenses using PowerShell

To add, remove or change a license for a specific user you can use the Set-MsolUserLicense command which accepts the –AddLicenses and –RemoveLicenses options. For example, to add a license to a user you can use a command like this:

Set-MsolUserLicense -UserPrincipalName <UserPrincipalName> -AddLicenses "gk365london:ENTERPRISEPACK"

Or remove a license from a user:

Set-MsolUserLicense -UserPrincipalName <UserPrincipalName> -RemoveLicenses "gk365london:ENTERPRISEPACK"

You can also combine the –AddLicenses and –RemoveLicenses options to replace a license, for example:

Set-MsolUserLicense -UserPrincipalName <UserPrincipalName> -RemoveLicenses "gk365london:ENTERPRISEPACK" -AddLicenses <other license>

It is also possible to use only specific Service Plans in a subscription. For example, you can use the Get-MsolAccountSku command to retrieve the individual service plans:

Get-MsolAccountSku | Where {$_.SkuPartNumber -eq "ENTERPRISEPACK"} | ForEach {$_.ServiceStatus}


If you want to disable Yammer, Rights Management Server, Office Web Apps and SharePoint Enterprise you can use the following commands:


Set-MsolUserLicense -UserPrincipalName <UserPrincipalName> -LicenseOptions $Options

Be careful with removing licenses. When you do, the data stored in the accompanying application will be deleted as well!
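The Set-MsolUserLicense command above uses $Options, which the post does not define. As an added example (not from the original post), the function below builds it with New-MsolLicenseOptions after checking the plan names against the tenant's SKU. The function name is hypothetical, and the four service-plan names are assumed to correspond to Yammer, Rights Management, Office Web Apps and SharePoint Enterprise, so confirm them against the ServiceStatus output shown earlier.

```powershell
# Added example, not from the original post. Requires a prior Connect-MsolService.
function New-RestrictedLicenseOptions {
    param(
        [Parameter(Mandatory)] [string]   $AccountSkuId,
        [Parameter(Mandatory)] [string[]] $DisabledPlans
    )
    $sku = Get-MsolAccountSku | Where-Object { $_.AccountSkuId -eq $AccountSkuId }
    if (-not $sku) { throw "SKU $AccountSkuId not found in this tenant" }

    # A misspelled plan name would otherwise only surface as an error at assignment time.
    $available = $sku.ServiceStatus | ForEach-Object { $_.ServicePlan.ServiceName }
    $unknown   = $DisabledPlans | Where-Object { $_ -notin $available }
    if ($unknown) { throw "Not part of ${AccountSkuId}: $($unknown -join ', ')" }

    New-MsolLicenseOptions -AccountSkuId $AccountSkuId -DisabledPlans $DisabledPlans
}

# Assumed plan names; verify them in your own tenant before use.
$plans   = 'YAMMER_ENTERPRISE', 'RMS_S_ENTERPRISE', 'SHAREPOINTWAC', 'SHAREPOINTENTERPRISE'
$Options = New-RestrictedLicenseOptions -AccountSkuId 'gk365london:ENTERPRISEPACK' -DisabledPlans $plans

# Placeholder UPN: replace before running.
Set-MsolUserLicense -UserPrincipalName '<UserPrincipalName>' -LicenseOptions $Options
```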

Block Users using PowerShell

When a user leaves the organization it is not uncommon to block his user account. You can use the Set-MsolUser command with the –BlockCredential option, like this:

Set-MsolUser -UserPrincipalName <UserPrincipalName> -BlockCredential $true

To enable the account again, just change the –BlockCredential option to $false, like this:

Set-MsolUser -UserPrincipalName <UserPrincipalName> -BlockCredential $false

Remove Users using PowerShell

Removing users from Azure Active Directory is just a matter of using the Remove-MsolUser command with the –UserPrincipalName option. The –Force option suppresses the confirmation that normally follows a Remove PowerShell command, for example:

Remove-MsolUser -UserPrincipalName <UserPrincipalName> -Force

Clearly visible in the following figure is the confirmation message when the –Force option is omitted:


When users are deleted, they are not permanently deleted but they are stored in the Azure Active Directory recycle bin where they stay for another 30 days. Only then they are (automatically) permanently deleted. You can use the –RemoveFromRecycleBin option with the Remove-MsolUser command to remove the user account permanently, without temporarily storing them in the recycle bin.

Please be aware that when you remove a user account the user’s data is also deleted!

  • Disabling an account does not necessarily remove access to the mailbox immediately
  • Deleting an account will mark the mailbox for deletion unless other action is taken!

Restore Users from Recycle Bin

As explained above users are stored in the recycle bin when they are deleted using the Remove-MsolUser command. To get a list of all users that are located in the recycle bin you can use the Get-MsolUser command with the –ReturnDeletedUsers option, like this:

Get-MsolUser -ReturnDeletedUsers

As shown in the following figure:


To restore a user from the recycle bin, you can use the Restore-MsolUser command with the –UserPrincipalName option, like this:

Restore-MsolUser -UserPrincipalName <UserPrincipalName>


Managing Passwords and Password Policy using PowerShell

It is not uncommon for an administrator to change a user’s password, and in an Office 365 environment this is not different. To reset a user’s password using PowerShell you can use the Set-MsolUserPassword command with the –UserPrincipalName and –NewPassword options, for example:

Set-MsolUserPassword -UserPrincipalName <UserPrincipalName> -NewPassword 'Pa$$w0rd' -ForceChangePassword $TRUE

The –ForceChangePassword will make sure the user changes his password after the first logon to Office 365.

By default a user’s password in Azure Active Directory expires every 90 days with a 14 days notification interval. To change the password policy you can use the Set-MsolPasswordPolicy with the –DomainName, -ValidityPeriod and the –NotificationDays options, like this:

Set-MsolPasswordPolicy -ValidityPeriod 60 -NotificationDays 14 -DomainName <Domain Name>

The ValidityPeriod determines the time the password can be used and this can range from 14 days to 730 days (2 years). The NotificationDays is the number of days a user gets a notification before the password expires. This can range from 1 day to 30 days.

To set a user's password to never expire (which is not a best practice, but can be very useful for Service Account passwords, for example when setting up Directory Synchronization) you can use the Set-MsolUser command, for example:

Set-MsolUser -UserPrincipalName <UserPrincipalName> -PasswordNeverExpires $true

For more information you can check the Manage Azure AD users on TechNet:

Set password to never expire for an Office 365 user:

Set-MsolUser -UserPrincipalName <UserPrincipalName> -PasswordNeverExpires $True

Disable the password never expires option for an Office 365 user:

Set-MsolUser -UserPrincipalName <UserPrincipalName> -PasswordNeverExpires $False

Set password to never expire for ALL Office 365 users (Bulk Mode):

Get-MsolUser -All | Set-MsolUser -PasswordNeverExpires $True

Display password settings for all Office 365 users:

Get-MsolUser -All | Select UserPrincipalName,PasswordNeverExpires

Display information about the Office 365 password policy:

Get-MsolPasswordPolicy -DomainName <Domain Name>

Managing Administrative Roles using PowerShell

Office 365 admin center role name | Windows PowerShell role name | Role tasks
Global administrator | Company administrator | Perform all administrative tasks
Billing administrator | Billing administrator | Make purchases, manage subscriptions, manage support tickets, and monitor service health
Password administrator | Helpdesk administrator | Change and reset passwords, manage service requests, and monitor service health
Service administrator | Service support administrator | Manage service requests and monitor service health
User management administrator | User account administrator | Create and delete users and groups, reset passwords, manage service requests, and monitor service health

To assign a role in PowerShell use the following command:

Add-MsolRoleMember -RoleMemberEmailAddress <UPN Address> -RoleName <FromListAbove>

To view who is a member of a role:

$role = Get-MsolRole -RoleName "Company Administrator"
Get-MsolRoleMember -RoleObjectId $role.ObjectId

The role is looked up by name because the ObjectID for “Company Administrator” is unique to every Office 365 tenant.
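An added example, not from the original post: it extends the single-role lookup above to every role returned by Get-MsolRole and reports, for each user member, the PasswordNeverExpires and BlockCredential settings covered in the password and blocking sections, so that admin accounts with a non-expiring password stand out. It assumes a connected Connect-MsolService session; the function name Get-MsolAdminRoleAudit is made up for this example.

```powershell
# Added example, not from the original post. Requires a prior Connect-MsolService.
function Get-MsolAdminRoleAudit {
    foreach ($role in Get-MsolRole) {
        foreach ($member in Get-MsolRoleMember -RoleObjectId $role.ObjectId -All) {
            # Role members can also be service principals; only users carry password settings.
            if ($member.RoleMemberType -ne 'User') { continue }

            $user = Get-MsolUser -ObjectId $member.ObjectId
            [pscustomobject]@{
                Role                 = $role.Name
                UserPrincipalName    = $user.UserPrincipalName
                PasswordNeverExpires = $user.PasswordNeverExpires
                BlockCredential      = $user.BlockCredential
                LastPasswordChange   = $user.LastPasswordChangeTimestamp
            }
        }
    }
}

$audit = Get-MsolAdminRoleAudit

# Full picture: who holds which role.
$audit | Sort-Object Role, UserPrincipalName | Format-Table -AutoSize

# Follow-up list: admins whose password never expires, or blocked accounts still holding a role.
$audit | Where-Object { $_.PasswordNeverExpires -or $_.BlockCredential } |
    Select-Object Role, UserPrincipalName, PasswordNeverExpires, BlockCredential
```

Running this after any bulk PasswordNeverExpires change shows which privileged accounts were swept up in it.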

Outline of Commands:





The Convert-MsolFederatedUser cmdlet is used to update a user in a domain that was recently converted from single sign-on (also known as identity federation) to standard authentication type. A new password must be provided for the user.


The Get-MsolUser cmdlet can be used to retrieve an individual user, or list of users. An individual user will be retrieved if the ObjectId or UserPrincipalName parameter is used.


The New-MsolUser cmdlet is used to create a new user in Windows Azure AD. In order to give the user access to services, they must also be assigned a license (using the LicenseAssignment parameter).


The Remove-MsolUser cmdlet is used to remove a user from Windows Azure AD. This cmdlet will delete the user, their licenses, and any other associated data.


The Restore-MsolUser cmdlet restores a user that is in the Deleted users view to their original state. Users will remain in the Deleted users view for 30 days.


The Set-MsolUser cmdlet is used to update a user object. Note that this cmdlet should be used for basic properties only. The licenses, password, and User Principal Name for a user can be updated through Set-MsolUserLicense, Set-MsolUserPassword and Set-MsolUserPrincipalName cmdlets respectively.


The Set-MsolUserPassword cmdlet is used to change the password of a user. This cmdlet can only be used for users with standard identities.


The Set-MsolUserPrincipalName cmdlet is used to change the User Principal Name (UPN) of a user. This cmdlet can be used to move a user between a federated and standard domain, which will result in their authentication type changing to that of the target domain.


The Redo-MsolProvisionUser cmdlet can be used to retry the provisioning of a user object in Windows Azure Active Directory when a previous attempt to create the user object resulted in a validation error.





The Add-MsolGroupMember cmdlet is used to add members to a security group. The new members can be either users or other security groups.


The Get-MsolGroup cmdlet is used to retrieve groups from Windows Azure AD. This cmdlet can be used to return a single group (if ObjectId is passed in), or to search within all groups.


The Get-MsolGroupMember cmdlet is used to retrieve members of the specified group. The members can be either users or groups.


The New-MsolGroup cmdlet is used to add a new security group to Windows Azure AD.


The Remove-MsolGroup cmdlet is used to delete a group from Windows Azure AD.


The Remove-MsolGroupMember cmdlet is used to remove a member from a security group. This member can be either a user or a group.


The Set-MsolGroup cmdlet is used to update the properties of a security group.


The Add-MsolRoleMember cmdlet is used to add a member to a role. Currently, only users can be added to a role (adding a security group is not supported).


The Get-MsolRole cmdlet can be used to retrieve a list of administrator roles.


The Get-MsolUserRole cmdlet is used to retrieve all of the administrator roles that the specified user belongs to. This cmdlet will also return roles that the user is a member of through security group membership.


The Get-MsolRoleMember cmdlet is used to retrieve all members of the specified role.


The Remove-MsolRoleMember cmdlet is used to remove a user from an administrator role.


The Redo-MsolProvisionGroup cmdlet can be used to retry the provisioning of a group object in Windows Azure Active Directory when a previous attempt to create the group object resulted in a validation



Free Product key for Exchange Hybrid:

Office 365 Data Import Service

IMAP / Staged / Cutover / Hybrid?  Which one should I choose?

Hybrid & Migration Links:

Cross Premise Mailbox Permissions (Send As / On Behalf Of) 

Office 365 Groups

Misc Stuff:


Skype for Business:



PSTN Conferencing:


Using Powershell to manage SharePoint Online:

Important changes to the Storage for SharePoint:


OneDrive for Business:


Managing access & other settings:

What to do when a user leaves the organisation:


DirSync / AD Connect / ADFS:

AD Connect Articles:

Force replication with Azure Active Directory Connect (AAD Connect) (old Dirsync Start-OnlineCoe

Force AD Connect Synchronization – v1.1.105.0 onwards

Azure AD Connect Health Monitoring and Insights – Step by Step

Enabling and Disabling the AAD Connect Automatic Update / Upgrade Feature

ADFS Articles:

Deploy ADFS in Azure rather than on prem:

To change the UPN for ALL users in an OU or Domain:

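Import-Module ActiveDirectory
# Select every user in the OU whose UPN still uses the old suffix
Get-ADUser -Filter {UserPrincipalName -like "*@corp.msft"} -SearchBase "OU=Test,DC=ad,DC=corp,DC=msft" |
ForEach-Object {
    # Swap the old suffix for the new one (replace the placeholder before running)
    $UPN = $_.UserPrincipalName.Replace("corp.msft","<new UPN suffix>")
    Set-ADUser $_ -UserPrincipalName $UPN
}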

Workflow on what to do when a user leaves the organisation:

Office 365 Pro Plus / Client:

Office 365 Configuration XML Editor (MUST USE!)

Office 365 ProPlus and the Office Deployment Tool

Getting started guide for deploying Office 365 ProPlus

Deploying Office 365 – Essential Info for every admin (note a couple of things are out of date, you do not need to use VL for Office on an RDS Server any longer!):

Standard Info for deploying Office 365 Pro Plus:

Channels and Name Changes:

  • New: Current Channel = Old: Current Branch
  • New: First Release for Current Channel = Old: First Release for Current Branch
  • New: Deferred Channel = Old: Current Branch for Business
  • New: First Release for Deferred Channel = Old: First Release for Current Branch for Business

A collection of useful PowerShell scripts to make deploying Office 2016 and Office 365 ProPlus easier: 

Deploy via Group Policy:

Deploy Via Intune:

Installing Office365 ProPlus on a RDS Server (Terminal Server) using Shared Computer Activation

Deploy via SCCM: