How to Connect to Office 365 PowerShell: Azure AD Modules

Office 365 PowerShell is a powerful tool that lets you manage your Office 365 settings straight from the command line.

After connecting Office 365 PowerShell to your Office 365 organization, you can use the PowerShell command-line interface to automate common tasks for Office 365 and to run scripts and batch processes across your Office environment.

In this guide, we’ll show you how to install the required software for connecting Office 365 PowerShell to your Office 365 install. We’ll also show you how to connect Office 365 services to PowerShell, including Office 365 tenant, Exchange Online, SharePoint Online, and Skype for Business Online.

Once you’ve mastered the basics of using Office 365 PowerShell, you can also use it to unlock hidden Office 365 settings. We can show you how to do that in our free Office 365 PowerShell course.

Reasons to Connect PowerShell to Office 365

The standard way of managing Office 365 and all its applications is by using a web browser to connect to the Office 365 Admin Center or the Exchange Admin Center. Both of these systems have an intuitive GUI that lets you complete most admin tasks easily.

However, there are some cases where the GUI provided by the Office 365 Admin center is not efficient. For example, if you need to perform the same action across hundreds of user accounts, doing this through the GUI will take an extremely long time.

The solution is to use a command-line interface, which will allow you to apply bulk actions to user accounts, change settings automatically, and use wildcards and scripts to automate repetitive tasks.

Most experienced Office 365 administrators are accustomed to using PowerShell to manage local Exchange Servers. However, the standard install of PowerShell cannot be used with cloud implementations such as Azure and Office 365. To use PowerShell in this environment, you’ll have to install special PowerShell modules that allow you to connect to Office 365.

There are several specific advantages to doing this. Here are just a few:

  • The ability to automate commands through the command line makes you more productive, especially if you are using Office 365 File Sharing and File Sharing Remediation Software.
  • You can use PowerShell to apply security updates to user accounts in one command, rather than relying on users to install these manually. This is a critical component of using Microsoft Teams safely.
  • Also, some third-party integrations, including with Varonis, require the use of the command line to interact with the Office 365 API.
  • Finally, some Office 365 settings can only be set with PowerShell, as we show in our course on the subject.

Though Office 365 is not the only secure file sharing option, it is the most familiar and the one most relied upon by today’s typical small online businesses. For small business owners, mastering the PowerShell command-line interface is critical, because obtaining expertise in administering Office 365 remotely will allow you to continue to manage this easily as your team grows.

What Do You Need Before You Begin?

In order to connect PowerShell to Office 365, you will need to be running one of the following versions of Windows:

  • Windows 10, Windows 8.1, Windows 8, or Windows 7 Service Pack 1 (SP1)
  • Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 SP1

You should also note that:

  • You must use PowerShell version 5.1 or later. For Windows 8.1, Windows 8, Windows 7 Service Pack 1 (SP1), Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2 SP1, download and install the Windows Management Framework 5.1.
  • Use a 64-bit version of Windows. Support for the 32-bit version of the Microsoft Azure Active Directory Module for Windows PowerShell was discontinued in October of 2014.

Finally, the process we will describe below is intended for users who have an Office 365 admin role. If you don’t have that, the commands below will not work until you elevate your privileges.

For more information on the roles within Office 365, and the level of access you need to connect Office 365 to PowerShell, check the Microsoft page on Office 365 admin roles.

Azure AD for Graph vs. Azure Active Directory for Windows

Before we begin, you should also be aware that there are two different versions of the PowerShell module that you can use to connect to Office 365:

  • Azure Active Directory PowerShell for Graph (cmdlets include AzureAD in their name)
  • Microsoft Azure Active Directory Module for Windows PowerShell (cmdlets include MSol in their name)

Up until the date of writing this article (February 2020), the Azure Active Directory PowerShell for Graph module has not completely replaced the functions of the Microsoft Azure Active Directory Module for Windows PowerShell module. The cmdlets in the second module will offer you extra functionality in terms of administering users, groups, and licenses across your 365 platform, but the former module is under more active development.

There are differences between Windows and Azure AD that will affect your choice of which to use primarily. Most admins prefer to use Azure AD because most common tasks are easy to perform in this module (check out our article on Azure Active Directory best practices and tutorials to see this). But in practice, the incompatibility of the two platforms means that you will probably need to use both modules. You can safely install both on the same computer, though, and this is exactly what we will do below.

Connect PowerShell with the Azure Active Directory PowerShell for Graph Module

First, let’s show you how to connect PowerShell with the Azure Active Directory PowerShell for Graph module. In order to do that, you’ll have to install some software, and then configure it to work with your Office 365 setup.

1. Install Required Software

You will only need to install this software once, and on the computer you will use to manage your Office 365 environment.

  • Open a Windows PowerShell command prompt with elevated privileges. You can do this by right-clicking on the PowerShell application in your application menu, and then clicking “run as administrator”.
  • At the command prompt, run this command:
Install-Module -Name AzureAD
  • At this point, you will likely see a prompt about installing a module from an untrusted repository. Type “Y”, hit enter, and the module will install.

2. Connect To Azure AD for your Office 365 Subscription

You will now need to connect to Azure AD using the authentication details for your Office 365 subscription. Whether you connect the old-fashioned way with a name and strong password or add multi-factor authentication to the mix, the process is the same. However, you will need to run a different command depending on the type of Office 365 subscription you have:

| Office 365 cloud | Command |
|---|---|
| Office 365 Worldwide (+GCC) | Connect-AzureAD |
| Office 365 operated by 21 Vianet | Connect-AzureAD -AzureEnvironmentName AzureChinaCloud |
| Office 365 Germany | Connect-AzureAD -AzureEnvironmentName AzureGermanyCloud |
| Office 365 U.S. Government DoD and Office 365 U.S. Government GCC High | Connect-AzureAD -AzureEnvironmentName AzureUSGovernment |

Once you run these commands, you will be presented with a “sign into your account” dialog box. Enter your username and password, and PowerShell will be connected.

If you are using multi-factor authentication, you will be presented with instructions on how to enter these details in additional dialog boxes.

That’s it. You can now use the cmdlets for the Azure Active Directory PowerShell for Graph module to manage Office 365.

Connect with the Microsoft Azure Active Directory Module for Windows PowerShell

Most administrators will need both the Azure AD module and the Windows PowerShell module in order to access all the tools they need for managing Office 365. It’s, therefore, a good idea to install the Azure AD module for Windows PowerShell alongside the module we’ve installed above.

Commands in the Microsoft Azure Active Directory Module for Windows PowerShell have Msol in their cmdlet name, so you can distinguish them from Azure Active Directory PowerShell for Graph cmdlets.

You should note, at this point, that PowerShell Core does not support the Microsoft Azure Active Directory Module for Windows PowerShell module and cmdlets with Msol in their name. To continue using these cmdlets, you must run them from Windows PowerShell.

The process for installing the Microsoft Azure Active Directory Module for Windows PowerShell module is as follows:

1. Install the required software

As above, you will only need to install this software once. It is worth checking for updates on a regular basis, however, to keep your install secure.

Here’s the process for installing the Microsoft Azure Active Directory Module for Windows PowerShell module:

  1. Install the 64-bit version of the Microsoft Online Services Sign-in Assistant: Microsoft Online Services Sign-in Assistant for IT Professionals RTW.
  2. Next, install the Microsoft Azure Active Directory Module for Windows PowerShell. You can do this as follows:
    • Open an elevated Windows PowerShell command prompt by right-clicking the PowerShell icon in your applications menu and then clicking “run Windows PowerShell as an administrator”.
    • Run this command: Install-Module MSOnline
    • If prompted to install the NuGet provider, type Y and press ENTER.
    • If prompted to install the module from PSGallery, type Y and press ENTER.

2. Connect to Azure AD for your Office 365 subscription

You will now need to connect to Azure AD for your Office 365 subscription. Which command you need to run will depend on the type of subscription you have. Here are the relevant commands:

| Office 365 cloud | Command |
|---|---|
| Office 365 Worldwide (+GCC) | Connect-MsolService |
| Office 365 operated by 21 Vianet | Connect-MsolService -AzureEnvironment AzureChinaCloud |
| Office 365 Germany | Connect-MsolService -AzureEnvironment AzureGermanyCloud |
| Office 365 U.S. Government DoD and Office 365 U.S. Government GCC High | Connect-MsolService -AzureEnvironment USGovernment |

Once you run these commands, you will be presented with a “sign into your account” dialog box. Enter your username and password, and PowerShell will be connected.

If you are using multi-factor authentication, you will be presented with instructions on how to enter these details in additional dialog boxes.

That’s it. You can now use the cmdlets for the Microsoft Azure Active Directory Module for Windows PowerShell to manage Office 365.

Verify Your Connection

After connecting PowerShell to your Office 365 install, you should test that it works.

If you didn’t encounter any errors during the process above, it’s likely that you connected successfully. To double-check, though, you can run a command.

For example, you can use the Microsoft Azure Active Directory Module for Windows PowerShell module to run the following command:

Get-MsolUser

If it returns an error, you should check the following:

Troubleshooting

  • The most frequent problem is an incorrect password. Look again at Step 2 above, and try to connect again. Pay careful attention to the user name and password you enter.
  • The Microsoft Azure Active Directory Module for Windows PowerShell requires that the Microsoft .NET Framework 3.5.x feature is enabled on your computer. If you check your .NET install, you will probably find that you have a newer version installed, likely 4 or 4.5.x.

The issue may be that backward compatibility with older .NET frameworks might be disabled. You can enable this, but the commands to do so vary by the version of Windows you are running. Check the Microsoft documentation for the relevant version here:

To check which version of the module is installed, run the following command:

(Get-Item C:\Windows\System32\WindowsPowerShell\v1.0\Modules\MSOnline\Microsoft.Online.Administration.Automation.PSModule.dll).VersionInfo.FileVersion

If the version number returned is lower than 1.0.8070.2, uninstall the Microsoft Azure Active Directory Module for Windows PowerShell and install the latest version from the link in Step 1.
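The requirements from "What Do You Need Before You Begin?" and the version check above can be run as one script before you try to connect. This is an added example, not part of the original article; the function name Test-O365ModulePrereq is hypothetical, and the DLL path and minimum version are the ones quoted above.

```powershell
# Added example (not from the original article); the function name is hypothetical.
function Test-O365ModulePrereq {
    [CmdletBinding()]
    param(
        # DLL path taken from the troubleshooting step above
        [string]$MsolDll = 'C:\Windows\System32\WindowsPowerShell\v1.0\Modules\MSOnline\Microsoft.Online.Administration.Automation.PSModule.dll',
        # Minimum file version named in the article
        [version]$MinMsolVersion = '1.0.8070.2'
    )

    $checks = [ordered]@{}

    # PowerShell 5.1 or later is required
    $v = $PSVersionTable.PSVersion
    $checks['PowerShell 5.1 or later'] = ($v.Major -gt 5) -or ($v.Major -eq 5 -and $v.Minor -ge 1)

    # The 32-bit module has been unsupported since October 2014
    $checks['64-bit process'] = [Environment]::Is64BitProcess

    # Msol cmdlets need Windows PowerShell, which reports the 'Desktop' edition
    $checks['Windows PowerShell (not Core)'] = $PSVersionTable.PSEdition -eq 'Desktop'

    # Both modules can be installed side by side
    foreach ($name in 'AzureAD', 'MSOnline') {
        $checks["Module $name installed"] = [bool](Get-Module -ListAvailable -Name $name)
    }

    # Only compare the DLL version when the file exists at the article's path
    if (Test-Path -LiteralPath $MsolDll) {
        $info  = (Get-Item -LiteralPath $MsolDll).VersionInfo
        $found = [version]::new($info.FileMajorPart, $info.FileMinorPart,
                                $info.FileBuildPart, $info.FilePrivatePart)
        $checks["MSOnline DLL $found at least $MinMsolVersion"] = $found -ge $MinMsolVersion
    }

    # One row per check, so failures are easy to filter
    foreach ($entry in $checks.GetEnumerator()) {
        [pscustomobject]@{ Check = $entry.Key; Passed = $entry.Value }
    }
}

Test-O365ModulePrereq | Format-Table -AutoSize
```

Any row with Passed set to False points back to the matching requirement or troubleshooting step in this guide.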

Security Considerations

Once you’ve connected PowerShell to your Office 365 setup, you should put in place some extra security measures. File sharing systems are notorious for having security vulnerabilities, but there are still secure file sharing options.

Ideally, your Office 365 install will be integrated into a cyber threat intelligence system like Varonis, which will scan the connections that are made over your network and highlight anomalous activity. For most businesses, Office 365 cloud servers contain huge amounts of sensitive data, and you need to ensure that it is protected, especially given that companies are prime targets of cybercrime.

One key component of the best security practices for PowerShell is to use an App Password for Office 365. This is a strong password that you can use for an app that doesn’t support multi-factor authentication (which we will describe below).

Setting up an App Password is quite easy:

  1. Log in to the Office 365 portal and go to https://portal.office.com/account/#security
  2. Find and click on Additional Security Verification
  3. Click Create and manage app passwords (this is towards the bottom of the page)
  4. Create a new App Password for PowerShell

Now that you’ve set up an App Password, you can connect to Office 365 with PowerShell by using the following commands:

# Store your credentials - Enter your username and the app password

$Cred = Get-Credential

# Connect to Msol

Connect-MsolService -Credential $Cred

# Connect to AzureAd

Connect-AzureAD -Credential $Cred

# Connect to Exchange Online

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $Cred -Authentication Basic -AllowRedirection

Import-PSSession $Session -DisableNameChecking

As you can see, you only need to log in once, and then use the same credential object for every connection. This will make your PowerShell session much more secure, and add another level of security to your Office 365 install.

Multi-Factor Authentication in Office 365

If you want to go one step further in improving your cloud security, you can use multi-factor authentication (MFA) for connecting PowerShell to your Office 365 account.

Multi-factor authentication is a more secure way of authenticating for Office 365 (and many other systems). It makes use of a second device or account – typically a smartphone or email account – to ensure that users are who they say they are when they are logging in.

Setting Up MFA For PowerShell and Office 365

You can set up MFA to access Office 365 services using an additional verification method in the form of an SMS code, phone call or mobile app code. In Office 365, MFA comes with four verification methods:

  • Phone call
  • SMS text message
  • Mobile app verification code
  • Mobile app notification

In Office 365, a user has three possible statuses when it comes to MFA:

  • Disabled, which is the default state for new users.
  • Enabled, which indicates that an administrator has enrolled a user with MFA, but the user hasn’t completed the registration process.
  • Enforced. This means that the user has completed the registration.

Enabled users are automatically switched to “Enforced” when they complete the registration process for Azure MFA, so you shouldn’t manually change the user state to Enforced.

You can use PowerShell to set up users for MFA, and for managing their status.

For example, you can use the following commands to show the MFA status of each user on your system:

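# MFA details for every user (-All lifts the default cap of 500 results)
Get-MsolUser -All | Select-Object UserPrincipalName,StrongAuthenticationMethods,StrongAuthenticationRequirements

# Only users that have an MFA requirement set
Get-MsolUser -All | Where-Object {$_.StrongAuthenticationRequirements -like "*"} | Select-Object UserPrincipalName,StrongAuthenticationMethods,StrongAuthenticationRequirements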

This will return a list of users with their MFA details.
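The raw properties are hard to scan across many accounts, so the status check above can be flattened into one row per user with the Disabled, Enabled or Enforced state spelled out. This is an added example, not part of the original article: Get-MfaState is a hypothetical name, the sample accounts are constructed, and it assumes the State, MethodType and IsDefault properties that the MSOnline module exposes on these objects.

```powershell
# Added example (not from the original article); Get-MfaState is a hypothetical name.
function Get-MfaState {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$User
    )
    process {
        # Filter out $null so an unset property counts as "no requirement"
        $req     = @($User.StrongAuthenticationRequirements | Where-Object { $_ })
        $methods = @($User.StrongAuthenticationMethods      | Where-Object { $_ })

        # No requirement entry means the default state: Disabled
        $state = if ($req.Count -gt 0 -and $req[0].State) { [string]$req[0].State } else { 'Disabled' }

        [pscustomobject]@{
            UserPrincipalName = $User.UserPrincipalName
            MfaState          = $state
            DefaultMethod     = ($methods | Where-Object IsDefault | Select-Object -First 1).MethodType
            RegisteredMethods = ($methods.MethodType -join ', ')
        }
    }
}

# Constructed sample objects shaped like Get-MsolUser output, so this runs offline
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'
        StrongAuthenticationRequirements = @()
        StrongAuthenticationMethods      = @() }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example'
        StrongAuthenticationRequirements = @([pscustomobject]@{ RelyingParty = '*'; State = 'Enabled' })
        StrongAuthenticationMethods      = @() }
    [pscustomobject]@{ UserPrincipalName = 'carol@contoso.example'
        StrongAuthenticationRequirements = @([pscustomobject]@{ RelyingParty = '*'; State = 'Enforced' })
        StrongAuthenticationMethods      = @(
            [pscustomobject]@{ MethodType = 'PhoneAppNotification'; IsDefault = $true }
            [pscustomobject]@{ MethodType = 'OneWaySMS'; IsDefault = $false }) }
)

$report = $sample | Get-MfaState
$report | Format-Table -AutoSize

# Count of accounts in each state
$report | Group-Object MfaState | Select-Object Name, Count

# Against a live tenant (after Connect-MsolService):
#   Get-MsolUser -All | Get-MfaState | Where-Object MfaState -eq 'Disabled'
```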

In order to set up MFA on your system, you can use the following code:

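# Create the StrongAuthenticationRequirement object
$mf = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$mf.RelyingParty = "*"
# "Enabled" enrolls the user; the state becomes "Enforced" once they register
$mf.State = "Enabled"
$mfa = @($mf)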

You can then enable MFA just for individual users:

Set-MsolUser -UserPrincipalName eshlomo@elishlomo.us -StrongAuthenticationRequirements $mfa

Or set all users to use MFA as default:

Get-MsolUser -All | Set-MsolUser -StrongAuthenticationRequirements $mfa

The Office GUI will then guide users through the steps of registering and using MFA for their accounts. Office 365 also provides users with Single Sign-On between applications, and that means that after a user signs into an Office application, that account is available in Excel, PowerPoint, and other applications.

Using MFA will make user connections to Office 365 much more secure, and you can manage their access via PowerShell.

After Connecting to Office 365

PowerShell is a powerful tool with a variety of uses — learn more about its capabilities through the resources below:

Free Office 365 PowerShell Course

  • Eligible for 1 (ISC)² CPE credit
  • 1.5 hours of course videos
  • Course Slides
  • Demo Scripts shown in the course

Using PowerShell also allows you to access some Office 365 features and settings that are hidden to GUI users. You’ll learn about securing SharePoint Online External Collaboration, creating truly private Office 365 Groups, configuring guest Policies for Office 365 Groups and earn a CPE credit along the way. Unlock the free course here.

A Final Word

Connecting PowerShell to Office 365 brings many benefits, whether you are working in a small startup or a huge enterprise. It allows administrators to automate many common tasks and gives you the power of scripting to manage user accounts, access, and licenses.

Setting up PowerShell and Office 365 as we’ve shown above can therefore greatly improve your productivity, and save you huge amounts of time when it comes to managing user accounts. Just ensure that you also take the time to put in place extra security measures to keep your sensitive data safe.

Jeff Petters

Jeff has been working on computers since his Dad brought home an IBM PC 8086 with dual disk drives. Researching and writing about data security is his dream job.

 
