Scenario: you are a Microsoft Cloud Partner and you want to run PowerShell commands on behalf of your Office 365 customers where you are the Delegated Admin for their account.
The first step is to make sure you have the PowerShell cmdlets installed for Microsoft Online Services:
- Microsoft Online Services Module for Windows PowerShell (32-bit version)
- Microsoft Online Services Module for Windows PowerShell (64-bit version)
Once installed, when you type “PowerShell” in your Windows 7 search box, you’ll find this new entry for Microsoft Online Services Module for Windows PowerShell:
Use that one to get to a PowerShell prompt.
Set the Tenant ID GUID
The key to doing PowerShell admin on behalf of your linked clients is to retrieve the TenantID GUID.
So say you want to set one of your customer’s accounts so that the password doesn’t expire. Here are the 4 commands to run to do that:
PS C:\> Connect-MsolService
After typing the Connect-MsolService command you get the prompt to log in. Log in with your own Microsoft Office 365 Hosted online services partner account username/password. (You do NOT need to log in with your customer’s account if you are a delegated admin):
Note: if after typing Connect-MsolService you see this: The term ‘Connect-MsolService’ is not recognized as the name of a cmdlet, function, script file
then you are NOT in the correct PowerShell window. Go back and run the “Microsoft Online Services Module for Windows PowerShell” from your start menu… see the top of these instructions.
$tenID=(get-msolpartnercontract -domain MyCustomer.com).tenantId.guid
This command creates a variable $tenID and sets it to the GUID for your customer.
The command: (get-msolpartnercontract -domain MyCustomer.com).tenantId.guid is what retrieves that ID.
Note that this step will only work if you’ve already sent the Delegated Administration e-mail to your customer and they’ve already added you as the partner admin. You can test that quickly by clicking the Partners tab in your Microsoft Online Services Portal (https://portal.microsoftonline.com) when signed in with your Partner Office 365 Login.
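From that point on, you can run any Microsoft Online Services PowerShell command by passing the -tenantID $tenID parameter. (Type the dash as a plain hyphen; PowerShell will not bind the parameter if a typographic dash is pasted in.)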
So in this example, I wanted to set the password of one of the accounts to never expire, so I ran this command:
Set-MsolUser -UserPrincipalName SomeUser@MyCustomer.com -PasswordNeverExpires $true -tenantID $tenID
Notice that the syntax is the same as the regular command only with the tenantID part added.
To verify that the setting was changed successfully I can run this command:
Get-MSolUser -UserPrincipalName SomeUser@MyCustomer.com -tenantID $tenID | select PasswordNeverExpires | format-list
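The four commands above, wrapped into functions, as an added example that is not part of the original post. It stops if no partner contract comes back for the domain, reads the setting back after changing it, and lists every account in the customer tenant that already has a non-expiring password so the exceptions can be reviewed. The function names are made up for this example; MyCustomer.com and SomeUser are the post's placeholders, and Connect-MsolService is assumed to have been run already.

```powershell
# Added example, not the original author's code. Assumes the MSOnline module is
# loaded and Connect-MsolService has been run with the partner account.
# Function names are hypothetical; MyCustomer.com is a placeholder domain.

function Get-DelegatedTenantId {
    param([Parameter(Mandatory = $true)][string]$Domain)

    # Same lookup as in the post (-domain is an abbreviation of -DomainName).
    $contract = Get-MsolPartnerContract -DomainName $Domain
    if (-not $contract) {
        # Nothing returned: delegated administration is not in place for this
        # domain, so stop here instead of continuing with an empty tenant ID.
        throw "No partner contract found for '$Domain'."
    }
    return $contract.TenantId.Guid
}

function Set-DelegatedPasswordNeverExpires {
    param(
        [Parameter(Mandatory = $true)][string]$Domain,
        [Parameter(Mandatory = $true)][string]$UserPrincipalName,
        [bool]$NeverExpires = $true
    )
    $tenID = Get-DelegatedTenantId -Domain $Domain
    Set-MsolUser -UserPrincipalName $UserPrincipalName -PasswordNeverExpires $NeverExpires -TenantId $tenID

    # Read the value back from the customer tenant and fail loudly on a mismatch.
    $user = Get-MsolUser -UserPrincipalName $UserPrincipalName -TenantId $tenID
    if ($user.PasswordNeverExpires -ne $NeverExpires) {
        throw "PasswordNeverExpires on $UserPrincipalName is '$($user.PasswordNeverExpires)', expected '$NeverExpires'."
    }
    $user | Select-Object UserPrincipalName, PasswordNeverExpires
}

function Get-DelegatedNonExpiringAccounts {
    param([Parameter(Mandatory = $true)][string]$Domain)
    $tenID = Get-DelegatedTenantId -Domain $Domain

    # Every account in the customer tenant whose password never expires.
    Get-MsolUser -All -TenantId $tenID |
        Where-Object { $_.PasswordNeverExpires -eq $true } |
        Select-Object UserPrincipalName, PasswordNeverExpires, LastPasswordChangeTimestamp
}

Set-DelegatedPasswordNeverExpires -Domain 'MyCustomer.com' -UserPrincipalName 'SomeUser@MyCustomer.com'
Get-DelegatedNonExpiringAccounts -Domain 'MyCustomer.com'
```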
Hopefully you find this information useful. If it helped you, leave a comment!
I’m guessing you have to change the “mydomain.com” to the user’s domain?
Yes, the “MyCustomer.com” part is what you’d replace with either the customer’s company.onmicrosoft.com domain or if they’ve linked their real domain then whatever their internet-visible domain name is (i.e. BlueLinkERP.com)
Thank you. The Office 365 forums did not provide me with this very easy to follow instruction.
Seems like it does not work with the New-Mailbox command.
Do you have any hint for me?
A positional parameter cannot be found that accepts argument ‘-tenantID’.
+ CategoryInfo : InvalidArgument: (:) [New-Mailbox], ParameterBindingException
+ FullyQualifiedErrorId : PositionalParameterNotFound,New-Mailbox
The reason the New-Mailbox command doesn’t work is because Microsoft has not yet extended the Exchange PowerShell commands to be Microsoft Online Services aware. So the -tenantID parameter is not yet supported.
In fact, you don’t even need to use the Microsoft Online Services Powershell extensions to run the Exchange related commands. I’ve submitted that feedback to Microsoft already. They say they’re considering changing this in a future release.
So we again need a licensed administrator account with the customers to do things like creating shared mailboxes. I hoped customers could save on this license….
Thanks for your quick reply.
Yes, it is annoying. What I end up doing is using the delegated admin rights, connect, create a mailbox with my company name as a global administrator, DO NOT assign any licenses to it at all. Log into the account to set the password, then, run the Exchange PowerShell commands using that account, then either delete the account, or leave it around for future use if the customer’s OK with that. (Since it doesn’t consume a license, usually they don’t object, however I tend to delete it anyway because if you’re listed as a global admin, you’ll also get every month’s billing summary from Microsoft which to me is just annoying.)
Looking forward to support for the -tenantID parameters being added to the Exchange command set.
Oops, I got lost in the first part of your solution. Can you explain that in a bit more detail?
“using the delegated admin rights, connect, create a mailbox with my company name as a global administrator,”
If you are a Microsoft Online Services Cloud Partner, then on the partner portal you’ll have the ability to offer delegated admin. Click the option to administer on behalf of your customer’s domain.
I’ll update my post to include screen captures of this shortly.
Here’s the link to the new posting:
This is clear, otherwise I would not deal with -tenantID if we were not delegates.
But the thing I did not get is:
“connect, create a mailbox with my company name as a global administrator,”
Connect where and how? Portal or PS?
Create mailbox with my company name? Do you mean a new (temp) user?
I’ve updated this new posting to include explicit screen captures showing how to create the account:
You could create the account from the PowerShell commands, but it’s just easier to do through the Portal in my opinion.