Category Archives: Office 365

Jean-Marie AGBO 11:26 pm on 15 February 2021  

How to import PST to Office 365 – Exchange Online mailbox

1/ Make sure you have the required permissions

Before importing a pst to an exchange mailbox, make sure your are assigned the role Mailbox Import Export, it’s a pre requisite for using the below process.

2/ Prepare your pst import mapping file

Supposing the pst file you want to import is located in a network share named : \\myPC\ImportPST

Your mapping file should contains the below data

Name : pst file name

Mailbox : the destination mailbox email address

IsArchive : FALSE – because the mailbox we are importing is not an archive mailbox

TargetRootFolder : “/” – we want to import the data to the root folder of the destination folder. If you want to import data to a folder named “myImport” for example, use this synctax : /myImport

In this example, here is how my mapping csv file looks like. I saved it on my computer as import.csv

You are almost ready to import your PST data to an Office 365 mailbox.

3/ Start the import job

Connect to the Security and compliance center (https://protection.office.com), then under Information governance, select Import > New import job

Name your import job with 2-64 lowercase letters, numbers or hyphens, must start with a letter, no spaces

In the next page, select Upload your data > Next

On the import data page, click on Show network upload SAS URL and copy it to clipboard.

Click on the link Download Azure AzCopy and install it.

The default location of AzCopy will be C:\Program Files (x86)\Microsoft SDKs\Azure\AzCopy\

You are now ready to begin the data import. Open a PowerShell and run the below command to copy your pst file using AzCopy to a temporary Azure Storage from which you will copy the data to destination mailbox.

cd "C:\Program Files (x86)\Microsoft SDKs\Azure\AzCopy\"

Then run the below commandline replacing the value with your own data

.\AzCopy.exe /Source:"\\myPC\ImportPST" /Dest:"<Copy here the previous SAS URL>" /V:"\\myPC\Logs\AzCopy1.log" /Y

Back to the Import data page, check the two checkboxes “I am done uploading my files” and “I have access to the mapping file” and go on the next page clicking on the next botton.

Now click on “Select mapping file” and choose the the mapping csv we previously built. Validate the file and Save the job to begin file analysis.

A job analyse will start. Once it’s done you will be able to import the PST data to the destination mailbox.

Click on the link “Ready to import to Office 365”, on the next page click on “Import to Office 365” button and start the import job.

Select the Next button, and start the data importation on the next page. Once you are done, you will

4/ Check if the import job was successful

You are done with the copy, now, let’s check in the destination mailbox if the data has been well copied. In outlook, you will see a folder named <source email address>, it’s the email address of the mailbox from which you have exported the pst file.

If you had chosen to import the pst file into a folder named /importPST, you would have seen in Outlook, under that folder another folder named <source email address>

Another way to check your pst import result is use a powershell command :

Get-MailboxFolderStatistics <destination mailbox> | Out-GridView

Et voilà 🙂

How to export Office 365 mailbox to a pst ?

Jean-Marie AGBO 1:37 am on 29 November 2020
Tags: ,   

How to export office 365/Exchange online mailbox to PST.

Hello, in this post we are going to see how to export an Office 365 (Exchange online) mailbox content to a PST file. This process can also be used to search for SharePoint, OneDrive, Teams sites, Office 365 group… content. Now that we have set the scene, we can get started.

In the Security and compliance center (https://protection.office.com), under “Search” click on “Content Search”

In the content search portal, start a New search

Check “Specific location” and select modify to specify the location/mailbox you want to export the content from.

On the next tab, click on “choose users, groups or teams” and specify the mailbox for which you want to export the content to PST.

Select the checkbox and click on Choose, selct Done and on the next tab click on Save to validate your choice.

Save and run to start the content search process.

Give a name to your content search process and click save to start the search.

Once the content search of the mailbox you specified is done, in the menu select Export results.

In the next tab, select the export options according to your need and click on “Export”

The export process has now started, you can see the status in the Exports tab by clicking on the name you gave to your export.

Once the export status is completed, you now can start downloading the result.

Clique on “Copy to clipboard” to copy the “Export secret” and click on “Download the result”. On the next page, enter the Export secret and specify the location where to save the pst file.

Start the downloading process – sorry, my OS is in french version 🙂 . At the end of the downloading, retrieve the pst file in the location you previously specified.

How to import pst to Office 365 ?

Jean-Marie AGBO 1:53 pm on 30 October 2019  

How to grant read-only permission on a MailBox

In this post I will show you how to grant user Perry Brill read-only permission on the mailbox of Joe Dan using PowerShell.

The first thing to do is to find all the folders present in Serge Boss mailbox then grant read only permission on those folders to John Doe.

Let’s go with the fistr step :

To find the folders in the mailbox, use the below commandline 

Get-MailboxFolderStatistics -Identity <mailbox identity> | Select-Object Identity

To grant access to a particular folder, use this commandline

Add-MailboxFolderPermission -Identity <Folder Identity> -User <User who needs access> -AccessRights <Type of Access>

To grant read-only access to all the folders, you must apply the previous command to all the folder. The easiest way is to use a loop. I propose you a function to reach that goal.

function Add-PermissionOnAllMailboxFolders {
    param (
        [Parameter(Mandatory = $true)]
        $Identity,

        [Parameter(Mandatory = $true)]
        $User,

        [Parameter(Mandatory = $true)]
        [validateSet("Author","Reviewer","Contributor")] #Find complete list of permission on https://docs.microsoft.com/en-us/powershell/module/exchange/add-mailboxfolderpermission?view=exchange-ps
        $AccessRights
    )

    $ExcludeFolders = ":\Top of Information Store",":\Recoverable Items",":\Audits",":\Calendar Logging",":\Deletions",":\DiscoveryHolds",":\Purges",":\SubstrateHolds",":\Versions",":\Sync Issues",":\Yammer Root"
    $alias = (Get-Mailbox -Identity $Identity).alias
    
    Add-MailboxFolderPermission "$($alias):\" -User $User -AccessRights $AccessRights

    (Get-MailboxFolderStatistics -Identity $alias).Identity | Foreach-object {
        $folder = $_.replace("$alias\","$($alias):\")
        if ($folder.replace("$alias","") -notin $ExcludeFolders) {
            Add-MailboxFolderPermission $folder -User $User -AccessRights $AccessRights
        }
    }

}

Run the script to load the function and then use the commands below to grant the permissions according to your need

To grant read-only permission

#Reviewer : FolderVisible, ReadItems
Add-PermissionOnAllMailboxFolders -Identity "Joe Dan" -User "Perry Brill" -AccessRights Reviewer

To grant the other type of permission

#Author : CreateItems, DeleteOwnedItems, EditOwnedItems, FolderVisible, ReadItems
Add-PermissionOnAllMailboxFolders -Identity "Joe Dan" -User "Perry Brill" -AccessRights Author

#Contributor : CreateItems, FolderVisible
Add-PermissionOnAllMailboxFolders -Identity "Joe Dan" -User "Perry Brill" -AccessRights Contributor

Now you can add the mailbox to the user Outlook and access it content

The mailbox now appears in your outlook.

Jean-Marie AGBO 5:14 am on 22 August 2019  

Directly assigned or Inherited Office 365 Licenses ?

Hello, today I am sharing with you an interesting Office 365 script that I hope will help you. This script will tell you how licenses are assigned to a set of user in your Office 365 tenant : Direct or Inherited ?

My script consists of 2 parts, the first determines License Plans assigned to a user account, the second one dertermines the Licenses paths (Direct or Inherited).

function Get-LicensePlan {

    param (

        [Parameter(Mandatory=$true)]
        [String]$SkuId,
        [Parameter(mandatory=$true)]
        [String]$TenantName

    )

    Switch($SkuId){

                      "$($TenantName):AAD_PREMIUM" {return "AAD Premium P1"}
                   "$($TenantName):AX7_USER_TRIAL" {return "D_AX7.0 TRIAL"}
          "$($TenantName):DYN365_ENTERPRISE_P1_IW" {return "D365 ETR P1"}
              "$($TenantName):DYN365_RETAIL_TRIAL" {return "D365 CRM TRIAL"}
                              "$($TenantName):EMS" {return "EMS_E3"}
                       "$($TenantName):EMSPREMIUM" {return "EMS_E5"}
                     "$($TenantName):DESKLESSPACK" {return "F1"}
                     "$($TenantName):STANDARDPACK" {return "E1"}
                   "$($TenantName):ENTERPRISEPACK" {return "E3"}
                "$($TenantName):ENTERPRISEPREMIUM" {return "E5"}
                        "$($TenantName):FLOW_FREE" {return "FLOW FREE"}
                      "$($TenantName):INTUNE_A_VL" {return "INTUNE"}
                       "$($TenantName):MCOMEETADV" {return "SFB PSTN Conf"}
        "$($TenantName):MICROSOFT_BUSINESS_CENTER" {return "MBC"}
                     "$($TenantName):POWER_BI_PRO" {return "PBI PRO"}
                "$($TenantName):POWER_BI_STANDARD" {return "PBI STD"}
        "$($TenantName):POWERAPPS_INDIVIDUAL_USER" {return "PAPPS IND User"}
                  "$($TenantName):POWERAPPS_VIRAL" {return "PAPPS and LOGIC FLOW"}
                   "$($TenantName):PROJECTPREMIUM" {return "PJ Online"}
                           "$($TenantName):STREAM" {return "STREAM"}
                "$($TenantName):VISIOONLINE_PLAN1" {return "VISIO P1"}
              "$($TenantName):WACONEDRIVESTANDARD" {return "OD P1"}
                      "$($TenantName):WIN_DEF_ATP" {return "WDF ATP"}
                                           default {return $SkuId.Replace("$($TenantName):","")}
    }

}

With the function Get-LicensePlan, we know what licenses are assigned to a user based on the SkuId. The following second function Get-LAPATH (Get-LicenseAssingmentPaths) will tell us if the licenses are Direct assigned or Inherited from a group.

 

function Get-LAPATH{

    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)]
        [string]$UPN
    )

    Begin{
        Get-Date
        Write-Host "## Data processing stated at $(Get-date)" -ForegroundColor Yellow
        Write-Host ""
        $TenantName = ((Get-MsolAccountSku).AccountSkuId[0] -split(':'))[0]
    }

    Process{
        
        Write-Host ""
        Write-Host "Working on $UPN" -ForegroundColor Green
        $User = Get-MsolUser -UserPrincipalName $UPN

        #Getting assignment paths
        $LicensesTab = $null
        $LicensePlan = $null
        $LicTabCount = 0
        $LicensesTab = $User.Licenses | Select-Object AccountSkuId, GroupsAssigningLicense

        if($LicensesTab){

            Write-Host "License Enabled : True" -ForegroundColor Yellow

            $i = 0 #(Measure-Object -InputObject $LicensesTab).Count
            $LicTabCount = $LicensesTab.AccountSkuId.Count

            Do{

                #Getting License Plan
                $LicensePlan = Get-LicensePlan -SkuId $LicensesTab[$i].AccountSkuId -TenantName $TenantName

                #Getting License Paths
                [System.Collections.ArrayList]$LicensePath = @()

                if($LicensesTab[$i].GroupsAssigningLicense){

                    foreach ($Guid in $LicensesTab[$i].GroupsAssigningLicense.guid){

                        if($Guid -eq $User.ObjectId.Guid){
                            $LicensePath.Add("Direct") | Out-Null
                        }
                        else{
                            $LicensePath.Add((Get-MsolGroup -ObjectId $Guid).DisplayName) | Out-Null
                        }

                    }
                }
                else{
                    $LicensePath.Add("Direct") | Out-Null
                }

                Write-Host "$LicensePlan : $([String]::Join(",",$LicensePath.ToArray()))" -ForegroundColor Yellow
                $i++

            }
            While ($i -ne $LicTabCount)
        }
        else {
            Write-Host "License Enabled : false" -ForegroundColor Red
        }
    }

    End{
        Write-Host ""
        Write-Host "## Data Processing ended on $(Get-Date)" -ForegroundColor Yellow
    }

}

Now that everything is set, let’s talk about how to use this script to achieve your goal. Of course, for running this script, you need to have Microsoft Online Services PowerShell installed on your computer (PowerShell Module For Office 365) and a read access permissions on your Office 365 Admin portal to see users configuration,  ideally User Management Role.

  • To see Office 365 license assginment paths for one user
"<UserPrincipalName>" | Get-LAPATH

Get-LAPATH_multiples_One

The user james.bond@acidalien.fr has 3 licenses plans assigned:

  1. FLOW FREE inherited from the license group GRP-FLOW-FREE
  2. FLOW FREE directly assigned
  3. DEVELOPERPACK directly assigned
  • To see Office 365 license assignment paths for several users 

From a Powershell table

"<User1 upn>" ,"<User2 upn>","..." | Get-LAPATH

Get-LAPATH_multiples_2

From a file containing the list of UserPrincipalName :

Get-LAPATH_multiples_File

Get-Content -Path <File path.txt> | Get-LAPATH

Get-LAPATH_multiples

Et voilà 🙂

Jean-Marie AGBO 11:01 am on 10 May 2019
Tags: ,   

Exchange Online Powershell module installation error – Application cannot be started. Contact the application vendor

This morning when trying to install the PowerShell Module for Exchange Online from the ECP,

Install Exchange Online PowerShell

I came accross this error message

Exchange Online - Cannot Start Application

Even though this is not a very serious issue, it may cause you lose your time.

So to avoid this error message, use INTERNET EXPLORER to connect to the ECP and then the INSTALLATION WILL BE POSSIBLE.

Thank you.

Jean-Marie AGBO 10:21 pm on 31 January 2019
Tags: ,   

Check if an email address or a UserPrincipalName is already used by an account in your Office 365 tenant

Did you ever need to find in your Office 365 tenant :

  • What object is using a specific email address or UserPrincipalName ?
  • What object is preventing an Active Directory account from syncing because of duplicated email address or UserPrincipalName ?
  • Where are them located in your tenant : in Users, in Contacts or in Deleted users ?

If yes, this article may help you achieve your goal. Find below how to process. To install the Microsoft Online Service Module for Powershell, please follow the instruction in the paragraph Connect with the Microsoft Azure Active Directory Module for Windows PowerShell of this link :

https://docs.microsoft.com/en-us/office365/enterprise/powershell/connect-to-office-365-powershell

When you are ready, open a Powershell console and Sign in to your Office 365 tenant with an Admin Account using this command line

Connect-MsolService

Run the below Powershell fonction :

function Get-ConflictingAttributes {

  [Cmdletbinding()]
  param (
    [Parameter(mandatory=$true)]
    [String]$SearchValue
  )

  $SearchTable = @{}
  Write-Host "Searching began :" $(Get-Date) -ForegroundColor Green

  #Searching in all ProxyAddresses
  Write-Host "Searching User and Guest accounts" $(Get-Date) -ForegroundColor Yellow
  $User = Get-MsolUser -All | Where-Object {($_.UserPrincipalName -match $SearchValue) -or ($_.ProxyAddresses -match $SearchValue)}

  #Searching in all deleted users
  Write-Host "Searching Deleted accounts" $(Get-Date) -ForegroundColor Yellow
  $Del = Get-MsolUser -All -ReturnDeletedUsers | Where-Object {($_.UserPrincipalName -match $SearchValue) -or ($_.ProxyAddresses -match $SearchValue)}

  #Searching in contacts
  Write-Host "Searching Contacts" $(Get-Date) -ForegroundColor Yellow
  $Contact = Get-MsolContact -All | Where-Object {$_.EmailAddress -match $SearchValue}

  Write-Host "Searching ended :" $(Get-Date) -ForegroundColor Green

  if ($User){
    $SearchTable.Add($User.UserType,$User) | Out-Null
  }

  if ($Del){
    $SearchTable.Add($Del.UserType,$Del) | Out-Null
  }

  if ($Contact){
    $SearchTable.Add("Contact",$Contact) | Out-Null
  }

  return $SearchTable

}

Now, suppose that you want to know which account in your Office 365 tenant is using the email address john.doe@koafric.com, it’ simple, run this command line in the Powershell console you previously opened :

$Result = Get-ConflictingAttributes -SearchValue "john.doe@koafric.com"

To see the result :

Get-ConflictingAttributes

We can see that the object using the value “john.doe@koafric.com” is a contact and this value is set on his EmailAddress.

Jean-Marie AGBO 12:02 pm on 28 December 2018
Tags: , OneDrive, SharePoint Online   

Change OneDrive For Business locale

Hello, here I am back with another script to share with you. Recently a client asked me how to change locale of OneDrive in bulk for his Office 365 users. The thing is that his Office 365 tenant has been created with french as default language, whereas there are many englishspeaking people in the company.

All Excel files created in OneDrive online show formula in French. Really embarrassing for some users.

Excel issue0.png

Of course you can change this default language through OneDrive online site settings > Regional settings

Change OD4B locale3

But the big deal is how to manage it for more than twenty thousand users ? This is where you can leverage on the power of PowerShell. Here is a script to help you achieve this goal.

<#
.SYNOPSIS
    This script allows you to change regional settings in Office 365 OneDrive For Business.
.DESCRIPTION
    This script allows you to change regional settings in Office 365 OneDrive For Business.
.PARAMETER UpnPath
    Full path to upns TXT or CSV file (without header), one UserPrincipalName (upn) per line.
.PARAMETER creds
    Specify Admintrator UserPrincipalName
.PARAMETER SiteURL
    Specify SharePoint Admin site url : "https://<yourtenant>-admin.sharepoint.com/", replace <tenant> with your tenant name
.PARAMETER ODUrl
    Specify OneDrive For Business url : "https://<yourtenant>-my.sharepoint.com/Personal/, replace <tenant> with your tenant name
.PARAMETER LocaleID
    Specify the Locale ID. The locale ID for US english (en-us) is 1033
.EXAMPLE
    Set-OD4BLocale -UpnPath "C:\upns.txt" -creds "admin@mytenant.onmicrosoft.com" -SiteURL "https://mytenant-admin.sharepoint.com/" -ODUrl "https://mytenant-my.sharepoint.com/Personal/" -LocaleID 1033
.NOTES
    Version :          1.0
    Auteur :           Jean-Marie AGBO
    Date de création : 04/12/2018
    Version 1.0 :  Développement initial        
#>

Function Set-OD4BLocale{
  [CmdletBinding()]
  Param(                        
        [parameter(Mandatory=$true)]
        [String]$UpnPath,                                                           

        [parameter(Mandatory=$true)]
        [PSCredential]$creds,                                              

        [parameter(Mandatory=$true)]
        [string]$SiteURL,            

        [parameter(Mandatory=$true)]
        [string]$ODUrl, 

        [parameter(Mandatory=$false)]
        [string]$LocaleID = "1033"    
  )

  #Connect msol service
  Connect-SPOService -Url $SiteURL -Credential $creds

  #Add references to SharePoint client assemblies and authenticate to Office 365 site - required for CSOM
  Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
  Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"
  Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.UserProfiles.dll"
     
  #Import upn file
  $Upns = Get-Content -Path $UpnPath

  foreach ($upn in $Upns){      
    #Building user ODrive Full Url
    Write-Host "Building ODrive Full Url for $upn" -ForegroundColor Yellow
    $ODriveFullUrl = $ODUrl +  $Upn.Replace("@","_").replace('.','_') 
    
    #Adding Admin access to user OneDrive
    Write-Host "Adding Admin access to $upn OneDrive" -ForegroundColor Yellow
    Set-SPOUser -Site $ODriveFullUrl -LoginName $creds.UserName -IsSiteCollectionAdmin $true | Out-Null 
     
    #Bind to OD4B Site and change locale
    Write-Host "Changing Locale for $upn" -ForegroundColor Yellow 
    $spocreds = [Microsoft.SharePoint.Client.SharePointOnlineCredentials]::new($Creds.UserName,$creds.Password)
    $Context = New-Object Microsoft.SharePoint.Client.ClientContext($ODriveFullUrl)
    $Context.Credentials = $spocreds
    $Context.ExecuteQuery()
    $Context.Web.RegionalSettings.LocaleId = $Locale                  
    $Context.Web.Update()
    $Context.ExecuteQuery()
     
    #Removing Admin access from User OneDrive
    Write-Host "Removing Admin access from $upn OneDrive" -ForegroundColor Green
    Set-SPOUser -Site $ODriveFullUrl -LoginName $creds.UserName -IsSiteCollectionAdmin $false | Out-Null 
  }
}

How to run the script ?

Set-OD4BLocale -UpnPath "C:\upns.txt" -creds "admin@mytenant.onmicrosoft.com" -SiteURL "https://mytenant-admin.sharepoint.com/" -ODUrl "https://mytenant-my.sharepoint.com/Personal/" -LocaleID 1033

The upns.txt file must contain the UserPrincipalName of users you want to change the locale.

fname1@mytenant.com
fname2@mytenant.com
fname3@mytenant.com
fname4@mytenant.com

You can get help on the script. Run it and use the below PowerShell command line :

Get-Help Set-OD4BLocale -Full

After changing the default language:

Change OD4B locale2

Now, you can check your change by creating an excel file in OneDrive Online and note that the formula are in english.

Excel-issue-e1546263940174.png

Et voilà 🙂 !

 

Jean-Marie AGBO 12:36 pm on 13 September 2018
Tags: ,   

Manage Office 365 Roles membership

Hello, I’am sharing with you how to  manage Roles in Office 365 using PowerShell. It can be helpful for Office 365 administrators. The topics covered in this post are :

  • List all administrative roles of your Office 365 tenant
  • Find a user administrative role
  • List a role members
  • Add members to a role
  • Remove members from a role
  • Export Role member in a csv file

Ready, let’s go now…

First of all, connect to your Office 365 tenant

PS C:\> Connect-MsolService

If you don’t have PowerShell Module for Office 365 installed, follow this link.

List all administrative roles of your Office 365 tenant

PS C:\> Get-MsolRole

ObjectId                               Name                             Description                                                                                                         
--------                               ----                             -----------                                                                                                         
729827e3-9c14-49f7-bb1b-9608f156bbb8   Helpdesk Administrator           Can reset passwords for non-administrators and Helpdesk Administrators.                                             
f023fd81-a637-4b56-95fd-791ac0226033   Service Support Administrator    Can read service health information and manage support tickets.                                                     
b0f54661-2d74-4c50-afa3-1ec803f12efe   Billing Administrator            Can perform common billing related tasks like updating payment information.                                         
4ba39ca4-527c-499a-b93d-d9b492c50246   Partner Tier1 Support            Do not use - not intended for general use.                                                                          
e00e864a-17c5-4a4b-9c06-f5b95a8d5bd8   Partner Tier2 Support            Do not use - not intended for general use.                                                                          
88d8e3e3-8f55-4a1e-953a-9b9898b8876b   Directory Readers                Can read basic directory information. For granting access to applications, not intended for users.                  
29232cdf-9323-42fd-ade2-1d097af3e4de   Exchange Service Administrator   Can manage all aspects of the Exchange product.                                                                     
75941009-915a-4869-abe7-691bff18279e   Lync Service Administrator       Can manage all aspects of the Skype for Business product.                                                           
fe930be7-5e62-47db-91af-98c3a49a38b1   User Account Administrator       Can manage all aspects of users and groups, including resetting passwords for limited admins.                       
9360feb5-f418-4baa-8175-e2a00bac4301   Directory Writers                Can read and write basic directory information. For granting access to applications, not intended for users.        
62e90394-69f5-4237-9190-012177145e10   Company Administrator            Can manage all aspects of Azure AD and Microsoft services that use Azure AD identities.                             
f28a1f50-f6e7-4571-818b-6a12f2af6b6c   SharePoint Service Administrator Can manage all aspects of the SharePoint service.                                                                   
d405c6df-0af8-4e3b-95e4-4d06e542189e   Device Users                     Device Users                                                                                                        
9f06204d-73c1-4d4c-880a-6edb90606fd8   Device Administrators            Device Administrators                                                                                               
9c094953-4995-41c8-84c8-3ebb9b32c93f   Device Join                      Device Join                                                                                                         
c34f683f-4d5a-4403-affd-6615e00e3a7f   Workplace Device Join            Workplace Device Join                                                                                               
17315797-102d-40b4-93e0-432062caca18   Compliance Administrator         Can read and manage compliance configuration and reports in Azure AD and Office 365.                                
d29b2b05-8046-44ba-8758-1e26182fcf32   Directory Synchronization Acc... Only used by Azure AD Connect service.                                                                              
2b499bcd-da44-4968-8aec-78e1674fa64d   Device Managers                  Deprecated - Do Not Use.                                                                                            
9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3   Application Administrator        Can create and manage all aspects of app registrations and enterprise apps.                                         
cf1c38e5-3621-4004-a7cb-879624dced7c   Application Developer            Can create application registrations independent of the 'Users can register applications' setting.                  
5d6b6bb7-de71-4623-b4af-96380a352509   Security Reader                  Can read security information and reports in Azure AD and Office 365.                                               
194ae4cb-b126-40b2-bd5b-6091b380977d   Security Administrator           Security Administrator allows ability to read and manage security configuration and reports.                        
e8611ab8-c189-46e8-94e1-60213ab1f814   Privileged Role Administrator    Can manage role assignments in Azure AD, and all aspects of Privileged Identity Management.                         
3a2c62db-5318-420d-8d74-23affee5d9d5   Intune Service Administrator     Can manage all aspects of the Intune product.                                                                       
158c047a-c907-4556-b7ef-446551a6b5f7   Cloud Application Administrator  Can create and manage all aspects of app registrations and enterprise apps except App Proxy.                        
5c4f9dcd-47dc-4cf7-8c9a-9e4207cbfc91   Customer LockBox Access Approver Can approve Microsoft support requests to access customer organizational data.                                      
44367163-eba1-44c3-98af-f5787879f96a   CRM Service Administrator        Can manage all aspects of the Dynamics 365 product.                                                                 
a9ea8996-122f-4c74-9520-8edcd192826c   Power BI Service Administrator   Can manage all aspects of the Power BI product.                                                                     
95e79109-95c0-4d8e-aee3-d01accf2d47b   Guest Inviter                    Can invite guest users independent of the 'members can invite guests' setting.                                      
b1be1c3e-b65d-4f19-8427-f6fa0d97feb9   Conditional Access Administrator Can manage conditional access capabilities.                                                                         
4a5d8f65-41da-4de4-8968-e035b65339cf   Reports Reader                   Can read sign-in and audit reports.                                                                                 
790c1fb9-7f7d-4f88-86a1-ef1f95c05c1b   Message Center Reader            Can read messages and updates for their organization in Office 365 Message Center only.                             
7495fdc4-34c4-4d15-a289-98788ce399fd   Information Protection Admini... Can manage all aspects of the Azure Information Protection product.                                                 
4d6ac14f-3453-41d0-bef9-a3e0c569773a   License Administrator            Can manage product licenses on users and groups.                                                                    
7698a772-787b-4ac8-901f-60d6b08affd2   Cloud Device Administrator       Full access to manage devices in Azure AD.                                                                          
10dae51f-b6af-4016-8d66-8c2a99b929b3   Guest User                       Default role for guest users. Can read a limited set of directory information.

Find a user administrative role

PS C:\> Get-MsolUserRole -UserPrincipalName user1@mydomain.com

ObjectId                               Name                             Description                                                                                                         
--------                               ----                             -----------                                                                                                         
62e90394-69f5-4237-9190-012177145e10   Company Administrator            Can manage all aspects of Azure AD and Microsoft services that use Azure AD identities.

List a role members

Get the role objectId

PS C:\> $role = Get-MsolRole -RoleName "User account Administrator"
PS C:\> $role.ObjectId 
Guid                                
----                                
fe930be7-5e62-47db-91af-98c3a49a38b1

Get role members

PS C:\> Get-MsolRoleMember -RoleObjectId $role.ObjectId

RoleMemberType EmailAddress                   DisplayName                        isLicensed
-------------- ------------                   -----------                        ----------
User           user2@mydomain.com             user2                      	 True      
User           user3@mydomain.com             user3                    		 True      
User           user4@mydomain.com             user4                    		 False

Add member to a role

PS C:\> Add-MsolRoleMember -RoleObjectId $role.ObjectId -RoleMemberEmailAddress user5@mydomain.com

Remove member from a Role

PS C:\> Remove-MsolRoleMember -RoleObjectId $role.ObjectId -RoleMemberEmailAddress user3@mydomain.com

Check member removal

PS C:\> Get-MsolRoleMember -RoleObjectId $role.ObjectId

RoleMemberType EmailAddress                   DisplayName                        isLicensed
-------------- ------------                   -----------                        ----------
User           user2@mydomain.com             user2                      	 True      
User           user4@mydomain.com             user4                    		 False      
User           user5@mydomain.com             user5                   		 False

To export Role member in a csv file, use the below command

PS C:\> Get-MsolRoleMember -RoleObjectId $role.ObjectId | Export-Csv -Path C:\MyRoleMembers.csv -Encoding UTF8 -Delimiter ";"

Voilà 🙂

Jean-Marie AGBO 5:21 pm on 22 August 2018  

Permanently remove a guest user in Office 365

To permanently delete a guest user in your Office 365, follow the steps below.

(1) Check that the account is still active

If your guest user email address is : user1@domain.com then his UserPrincipalName is user1_domain.com#EXT#@tenant.onmicrosoft.com

To check that the guest is still active, use the command lines below

$A = user1_domain.com#EXT#@tenant.onmicrosoft.com
Get-MsolUser -UserPrincipalName $A

GuestExist

(2) How to delete guest user 

Remove-MsolUser -UserPrincipalName $A

RemoveGuest1

(3) Check that guest user account is present in recycle bin

Get-MsolUser -All -ReturnDeletedUsers | ? {$_.userPrincipalName -eq $A}

GuestAlreadyInRecycleBin

(4) How to permanently remove the guest account

Remove-MsolUser -UserPrincipalName $A -RemoveFromRecycleBin

RemoveGuestFromRecycleBin

Voilà 🙂