- Mastering Office 365 Administration
- Thomas Carpe Nikkia Carter Alara Rogers
- 869 words
- 2021-06-25 22:09:21
Using PowerShell to add users
Adding users with PowerShell is a fairly straightforward process that uses the New-MsolUser command. However, there are a lot of parameters to keep track of.
Here are the basics that you'll likely use every time you create a new account:
- -DisplayName: Display name; might appear differently than first and last name.
- -FirstName: User's given name.
- -LastName: User's family name/surname.
- -UserPrincipalName: The user's login name such as user@tenantname.onmicrosoft.com.
- -UsageLocation: Two-digit country code, such as US or UK—important because it is required for certain services such as Exchange Online and Skype for Business.
- -LicenseAssignment: An array of valid SKU part numbers (license codes) that will be assigned to the user, for example @("tenant_id:AAD_BASIC", "tenant_id:ENTERPRISEPACK", "tenant_id:PROJECTESSENTIALS", "tenant_id:EMS", "tenant_id:DYN365_ENTERPRISE_PLAN1"); you can get a list of valid strings using the Get-MsolSubscription command—just remember to prefix them with the tenant name and a colon.
- -Password: An optional password, temporary or permanent depending on other options that you specify; if you do not specify -Password, a random one will be generated for the user.
Here's a very simple example:
PS C:\WINDOWS\system32> New-MsolUser -FirstName John -LastName Deer -DisplayName "John Deer (Contractor)" -UserPrincipalName jdeer@liquidhgdev.onmicrosoft.com -UsageLocation "US" -LicenseAssignment "liquidhgdev:ENTERPRISEPACK" -Verbose
Password UserPrincipalName DisplayName isLicensed
-------- ----------------- ----------- ----------
Zot42*** jdeer@liquidhgdev.onmicrosoft.com John Deer (Contractor) True
Note that in the preceding example, the generated password is returned in the command's output. (We've redacted the output for security reasons, but it is normally perfectly readable.) This is very important, since we did not specify a password. It will be the only time the user password is provided. Unlike the Office 365 admin portal, you will need to use this to notify the user manually—or through whatever scripting method you may devise.
If you want to keep accurate records for organizational structure and contact information, the following parameters, which are mostly self-explanatory, will also be useful:
- -Office: Office location
- -Department: Department within the company the user works within
- -Title: User's job title
- -MobilePhone: User's mobile phone number
- -PhoneNumber: Business or home phone number—whichever makes more sense in your organization
- -Fax: Fax number (for those who are still using these)
- -StreetAddress: User's street address
- -City: Locality (city, town, village, and so on)
- -State: State or province
- -PostalCode: Zip or postal code
- -Country: Address country code
The following parameters will help you when creating accounts that have unusual security requirements:
- -BlockCredential: If true, the user can't log in; we couldn't think of a good use case for this other than perhaps having a new hire and not wanting to activate the account on the day you create it.
- -ForceChangePassword: If true, the provided password is temporary, and the user must change it when they next log in.
- -PasswordNeverExpires: If true, password expiration will not be enforced. We highly recommend that you do not do this for ordinary users; it should only be used for service accounts and other such situations where changing passwords might break system functionality.
- -StrongPasswordRequired: If true, the password must be 8-16 characters, must not contain the username, and must contain at least one lowercase letter, uppercase letter, and nonalphanumeric character; additionally, it must not contain any spaces, tabs, or line breaks.
- -AlternateEmailAddresses: An external email address (not on any configured domain in Office 365) that can be used for account recovery; this is required for users who will be given administrative roles in Office 365.
- -AlternateMobilePhones: A mobile phone that can be used for account verification; this is required for users who will be given administrative roles in Office 365.
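The password handling and security parameters described above, as an added example (not code from the book): the returned object is captured in a variable so the generated password never reaches the console or a transcript, and the one-time password is written to a DPAPI-protected file for hand-off. It assumes Connect-MsolService has already been run; the sample row, the alternate address and the output folder are constructed, and Get-MsolAccountSku is used here to check the SKU before assignment.

```powershell
# Added example; assumes Connect-MsolService has already been run.
# Constructed sample input. The UPN and SKU reuse the values from the example above.
$rows = @'
FirstName,LastName,Upn,AltEmail
John,Deer,jdeer@liquidhgdev.onmicrosoft.com,john.deer@example.com
'@ | ConvertFrom-Csv

$sku    = 'liquidhgdev:ENTERPRISEPACK'
$outDir = Join-Path $env:USERPROFILE 'new-user-secrets'   # hypothetical location
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Stop before creating anything if the SKU is unknown or has too few free seats.
$skuInfo = Get-MsolAccountSku | Where-Object AccountSkuId -eq $sku
if (-not $skuInfo) { throw "SKU $sku not found in this tenant" }
if (($skuInfo.ActiveUnits - $skuInfo.ConsumedUnits) -lt @($rows).Count) {
    throw "Not enough free $sku licenses"
}

foreach ($r in $rows) {
    if (Get-MsolUser -UserPrincipalName $r.Upn -ErrorAction SilentlyContinue) {
        Write-Warning "$($r.Upn) already exists, skipping"
        continue
    }

    # Assigning to $u keeps the Password column out of the console output.
    $u = New-MsolUser -FirstName $r.FirstName -LastName $r.LastName `
        -DisplayName "$($r.FirstName) $($r.LastName)" `
        -UserPrincipalName $r.Upn -UsageLocation 'US' `
        -LicenseAssignment $sku `
        -ForceChangePassword $true -StrongPasswordRequired $true `
        -AlternateEmailAddresses $r.AltEmail -ErrorAction Stop

    # Without -Key, ConvertFrom-SecureString uses DPAPI: only this Windows
    # account on this machine can decrypt the file.
    ConvertTo-SecureString -String $u.Password -AsPlainText -Force |
        ConvertFrom-SecureString |
        Set-Content -Path (Join-Path $outDir "$($r.Upn).txt")

    # Report the result without the password.
    $u | Select-Object UserPrincipalName, DisplayName, IsLicensed
}
```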
In multinational organizations, the following parameters can be helpful in designating geographic or language preferences that are different than the default for the tenant:
- -PreferredDataLocation: In late 2017, Microsoft introduced Multi-Geo, a paid service that allows a single tenant to be spread across different geographic areas worldwide; while details are sparse, you may specify regions such as NAM for North America, EUR for Europe, AUS for Australia, Asia-Pacific, Canada, India, Japan, South Korea, the United Kingdom, and France. Note that additional tenant configuration is required for this setting to work as intended.
- -PreferredLanguage: Though PowerShell documents do not specify, this parameter accepts a language/culture code such as en-US (American English), en-UK (English in the UK), es-ES (Spanish as spoken in Spain), or fr-CA (French Canadian).
And finally, here are a few advanced options:
- -LicenseOptions: When you need to assign only individual parts of a license, you can use this array of objects to do so; note that generating a collection of license options is significantly more complex than merely passing a collection of SKU part numbers
- -ImmutableId: For those using AD Connect, this is the immutable ID of the user's federated identity in the AD; it should not be specified for In Cloud accounts
- -TenantId: Used by Microsoft partners when managing multiple customer tenants
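One way to build the -LicenseOptions value mentioned above, as an added example (not code from the book): New-MsolLicenseOptions takes a list of plans to disable, so the script derives that list from the plans the tenant reports for the SKU and a short allow list. It assumes Connect-MsolService has already been run; the user, and the choice of EXCHANGE_S_ENTERPRISE as the only enabled plan, are assumptions to adjust for your tenant.

```powershell
# Added example; assumes Connect-MsolService has already been run.
$sku   = 'liquidhgdev:ENTERPRISEPACK'             # SKU from the example above
$upn   = 'mailonly@liquidhgdev.onmicrosoft.com'   # constructed sample user
$allow = @('EXCHANGE_S_ENTERPRISE')               # plan to leave enabled (assumed)

$skuInfo = Get-MsolAccountSku | Where-Object AccountSkuId -eq $sku
if (-not $skuInfo) { throw "SKU $sku not found in this tenant" }

# Every service plan bundled in the SKU, as the tenant reports it.
$plans = @($skuInfo.ServiceStatus.ServicePlan.ServiceName)

# Fail closed on a typo: an unknown name in $allow would otherwise be ignored
# silently and leave that service disabled.
$unknown = @($allow | Where-Object { $_ -notin $plans })
if ($unknown) { throw "Not part of ${sku}: $($unknown -join ', ')" }

# -DisabledPlans is a deny list, so disable everything that is not allowed.
$disabled = @($plans | Where-Object { $_ -notin $allow })
$opts = New-MsolLicenseOptions -AccountSkuId $sku -DisabledPlans $disabled

# Capture the result so the generated password is not echoed to the console.
$u = New-MsolUser -DisplayName 'Mail Only' -UserPrincipalName $upn `
    -UsageLocation 'US' -LicenseAssignment $sku -LicenseOptions $opts `
    -ErrorAction Stop

# Confirm what was actually provisioned for the new account.
(Get-MsolUser -UserPrincipalName $upn).Licenses.ServiceStatus |
    Select-Object @{ n = 'Plan'; e = { $_.ServicePlan.ServiceName } }, ProvisioningStatus
```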
That's about all there is to creating new users in Office 365. A quick search online will provide plenty of examples that will let you create users based on data in a CSV file and many other useful scripts.
- Use PowerShell to create bulk users for Office 365: https://blogs.technet.microsoft.com/heyscriptingguy/2014/08/04/use-powershell-to-create-bulk-users-for-office-365/
- Culture and language codes: https://msdn.microsoft.com/en-us/library/ee825488(v=cs.20).aspx
- Multi-Geo: https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Introducing-Multi-Geo-in-Office-365/ba-p/107016