Deep Dive Into Office 365 PowerShell Cmdlets (Part 7)

by Nirmal Sharma [Published on 11 Jan. 2017 / Last Updated on 11 Jan. 2017]

As explained in part 6 of this article series, Office 365 provides various user roles which you can use to manage different aspects of an Office 365 Tenant. For example, members of the Company Administrator role can manage almost every aspect of an Office 365 Tenant. Similarly, the User Management Administrator role is designed to manage users in an Office 365 Tenant. Members of the User Management Administrator role can manage user accounts, reset passwords, monitor Office 365 service health, and manage user groups and service requests. You may not want to put your business at risk by adding unnecessary people to these Office 365 user roles. We explained that by using the Get-MsolUser PowerShell cmdlet with Get-MsolUserRole you can get a list of users that are added to each admin role.


In part 7 of this article series, we are going to give an overview of the different types of operations performed by the Office 365 PowerShell cmdlets and then learn how to collect group information from an Office 365 Tenant. We will also explain the Set-MsolUser cmdlet, which you can use to change properties of Office 365 users.


Office 365 PowerShell Cmdlet Operations

By using the Office 365 PowerShell cmdlets, you can perform four types of operations as explained below:

  • Collect: A “collect” operation allows you to collect information from the target systems such as collecting Office 365 users, domains, and service information from an Office 365 Tenant.

  • Create: A “create” operation allows you to create an item or object in an Office 365 Tenant such as creating an Office 365 user or group.

  • Remove: A “remove” operation helps you remove an object such as removing an Office 365 user or group.

  • Modify: The “Modify” operation, as the name suggests, can be used to modify the object properties such as modifying an Office 365 user to use a different department.

You might have noticed that Microsoft PowerShell developers follow a consistent naming convention for most of the PowerShell cmdlets that have been designed so far. For create operations, most of the PowerShell cmdlets start with the word “New” or “Add”. PowerShell cmdlets that can be used to modify an object start with the word “Edit” or “Set”, and PowerShell cmdlets that perform a remove operation might have the word “Remove” in their name.

You can get a list of PowerShell cmdlets available in the “Windows Azure Active Directory Module for Windows PowerShell” by executing the Get-Command command. For example, to get a list of PowerShell cmdlets that can be used to perform a “create” operation, you can execute the commands below:

  • Get-Command New-MSol* | Select-Object Name

  • Get-Command Add-MSol* | Select-Object Name

The above commands return a list of all the PowerShell cmdlets that support performing a “create” operation as shown in the screenshots below:


Figure 1.0 – Getting List of PowerShell Cmdlets that start with “New” word


Figure 1.1 – Getting List of PowerShell Cmdlets that start with “Add” word

Similarly, to get the Office 365 PowerShell cmdlets that support modify and remove operations, execute the commands below:

  • Get-Command Remove-MSol* | Select-Object Name

  • Get-Command Set-MSol* | Select-Object Name

So far, we have been performing “collect” operations by using the “Get-MsolUser” PowerShell cmdlet to collect Office 365 users and user properties, and by using the Get-MsolUserRole cmdlet with Get-MsolUser to retrieve the users assigned to Office 365 admin roles. PowerShell cmdlets that start with the word “Get” can be used to collect information from an Office 365 Tenant. For example, Get-MsolAccountSku, Get-MsolUser, Get-MsolGroup, Get-MsolDomain and Get-MsolSubscription are used to collect the required information from an Office 365 Tenant.


Using Office 365 Get-MsolGroup PowerShell Cmdlet

In Office 365, you can manage five types of groups: Office 365 groups, distribution lists, shared mailboxes, security groups and mail-enabled security groups. There are two important PowerShell cmdlets that you can use to collect group information from an Office 365 Tenant: Get-MsolGroup and Get-MsolGroupMember. The Get-MsolGroup cmdlet gives you the list of group names, group types and group descriptions. The Get-MsolGroupMember cmdlet can be used to retrieve the members of groups. Let’s see some examples using the Get-MsolGroup and Get-MsolGroupMember cmdlets.

To get a list of groups created in an Office 365 Tenant, execute the command below:

  • Get-MsolGroup -All

To get only a list of groups of a specific type:

  • Get-MsolGroup -GroupType DistributionList

The “GroupType” parameter supports one of three values: DistributionList, MailEnabledSecurity and Security, as shown in the screenshot below:


Figure 1.2 – “GroupType” Parameter with Get-MsolGroup PowerShell Cmdlet

Apart from the “-GroupType” parameter, the Get-MsolGroup cmdlet also supports the “-SearchString” and “-UserPrincipalName” parameters. You can use the “-SearchString” parameter to show only groups whose display name or email address starts with the search string. When the “-UserPrincipalName” parameter is used with the Get-MsolGroup cmdlet, the command returns the list of groups that the specified user belongs to. However, the “-UserPrincipalName” parameter can only be used for users that belong to a Partner group.


Get a list of Groups that have synced from On-Premises

Similar to users, Active Directory groups can also be synced from On-Premises Active Directory to Office 365 WAAD. If you want to get a list of groups that have been synced from On-Premises, you can check the “LastDirSyncTime” property of the group as shown in the commands below:

  • $AllGroups = Get-MsolGroup -All

  • $AllGroups | Where-Object {$_.LastDirSyncTime -ne $null}

To get only the groups that have been created in the Office 365 Tenant, use the commands below:

  • $AllGroups = Get-MsolGroup -All

  • $AllGroups | Where-Object {$_.LastDirSyncTime -eq $null}

Note the use of the “-ne” and “-eq” operators in the two commands. A group that has not been synced from On-Premises will have LastDirSyncTime set to $NULL, and this is what the last command above queries for. The comparison is made against $null rather than an empty string because $null is not equal to “” in PowerShell.
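
The two filters above, combined into one pass that labels every group by origin; this is an added example, not code from the original article. The sample objects are constructed and carry only the Get-MsolGroup properties used here, and Get-GroupOriginReport is a hypothetical helper name.

```powershell
# Constructed sample objects that mimic the Get-MsolGroup properties used below.
# Against a live tenant, replace $SampleGroups with: Get-MsolGroup -All
$SampleGroups = @(
    [pscustomobject]@{ DisplayName = 'HR-Staff';     GroupType = 'Security';            LastDirSyncTime = [datetime]'2017-01-10T08:15:00' }
    [pscustomobject]@{ DisplayName = 'Finance-DL';   GroupType = 'DistributionList';    LastDirSyncTime = [datetime]'2017-01-10T08:15:00' }
    [pscustomobject]@{ DisplayName = 'Cloud-Admins'; GroupType = 'Security';            LastDirSyncTime = $null }
    [pscustomobject]@{ DisplayName = 'Project-Mail'; GroupType = 'MailEnabledSecurity'; LastDirSyncTime = $null }
)

function Get-GroupOriginReport {
    # Hypothetical helper (not an MSOnline cmdlet): tags each group as
    # synced from On-Premises or created directly in the tenant.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Group
    )
    process {
        # A never-synced group has LastDirSyncTime = $null. Putting $null on the
        # left keeps this a scalar test even if the property held a collection.
        $synced = $null -ne $Group.LastDirSyncTime
        [pscustomobject]@{
            DisplayName     = $Group.DisplayName
            GroupType       = $Group.GroupType
            Origin          = if ($synced) { 'OnPremises' } else { 'CloudOnly' }
            LastDirSyncTime = $Group.LastDirSyncTime
        }
    }
}

$report = $SampleGroups | Get-GroupOriginReport

# Per-group view; 'CloudOnly' sorts before 'OnPremises', so groups that exist
# only in the tenant are listed first for review.
$report | Sort-Object Origin, GroupType, DisplayName | Format-Table -AutoSize

# Summary: number of groups per origin and group type.
$report | Group-Object Origin, GroupType |
    Sort-Object Name |
    Format-Table Count, Name -AutoSize
```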


In this part, we explained four operations that are performed by Office 365 PowerShell cmdlets and how to retrieve a list of PowerShell cmdlets that perform a specific type of operation. We also explained the use of Get-MsolGroup PowerShell cmdlet to retrieve the list of Office 365 groups.

In the next part, we will explain the use of Get-MsolGroup PowerShell cmdlet with Get-MsolGroupMember to retrieve membership of Office 365 groups and other group data. We will also provide a simple script that you can use to get a summary on Office 365 groups.






The Author — Nirmal Sharma


Nirmal Sharma is a MCSEx3, MCITP and was awarded the Microsoft MVP award in Directory Services and Windows Networking. He specializes in Microsoft Azure, Office 365, Directory Services, Failover Clusters, Hyper-V, PowerShell Scripting and System Center products. Nirmal has been involved with Microsoft Technologies since 1994. In his spare time, he likes to help others and share some of his knowledge by writing tips and articles on various sites and contributing to PowerShell-based Dynamic Packs for www.ITDynamicPacks.Net solutions.