Deep Dive Into Office 365 PowerShell Cmdlets (Part 9)

Published on 1 March 2017 / Last Updated on 1 March 2017

This is Part 9 of our “Deep Dive into Office 365 PowerShell Cmdlets” article series.

In Part 8 of this article series, we provided two PowerShell scripts. The first script, “Reporting Office 365 Groups Summary”, can be used to collect a Group summary from an Office 365 Tenant, and the second can be used to report on Groups that do not have a description text set. So far we have explained how to interact with WAAD (Windows Azure Active Directory) by using the PowerShell Modules for Windows Azure Active Directory. We explained the use of PowerShell cmdlets such as Get-MsolUser, Get-MsolGroup, Get-MsolGroupMember and other cmdlets that we think are appropriate and can save a lot of time when interacting with WAAD.

As you may know, Office 365 can be implemented in three identity models: Cloud Identity, Synchronized Identity and Federated Identity. In the Cloud Identity model, accounts such as users and groups are managed by the WAAD integrated with the Office 365 Tenant. In other words, any user or group accounts that you. In the Synchronized Identity model, accounts such as users and groups are synced from On-Premises Active Directory, but management of users and groups is done at On-Premises Active Directory. In the Federated Identity model, users and groups are synced from On-Premises Active Directory and users' passwords are also synced to allow users to use the same password to access On-Premises and Cloud resources.

If you have implemented either the Synchronized or the Federated Identity model, you may want to ensure that each of your objects syncs properly, and this is where Part 9 of this article series comes in handy. In Part 9, we will continue to provide some more examples of the Get-MsolGroup PowerShell cmdlet, but this time we will explain how you can use Get-MsolGroup to report on Groups that are synced from Active Directory running On-Premises and on the health status of each Group.


Reporting Office 365 Groups Synced from On-Premises and Health Status

Not many Office 365 Administrators know that Office 365 provides a quick way to check the health status of groups that sync from On-Premises Active Directory. Although the Get-MsolGroup PowerShell cmdlet implements many other properties that you might find useful, the properties that you can use to report on the health status of Groups that sync from Active Directory On-Premises are “ValidationStatus”, “DirSyncProvisioningErrors”, and “LastDirSyncTime”.

  • ValidationStatus and DirSyncProvisioningErrors Properties: The “ValidationStatus” property stores the health status of a Group, and the “DirSyncProvisioningErrors” property stores a value that indicates whether any errors occurred when syncing the group.
  • LastDirSyncTime Property: When a Group syncs from On-Premises Active Directory successfully, the last synchronization date and time are stored in the “LastDirSyncTime” property. We use the “LastDirSyncTime” property to report on the last synchronization date and time of each Group. If a Group has any synchronization errors, look at the LastDirSyncTime value to find out when the Group was last synchronized successfully.


If you need to retrieve a list of Office 365 groups synced from On-Premises Active Directory and their health status, you can use the PowerShell script below. The script traverses each Office 365 group and checks whether the group was synced from On-Premises. If it finds that a Group is synced from On-Premises Active Directory, it checks both the ValidationStatus and DirSyncProvisioningErrors properties and looks for the “Healthy” value. If the script doesn’t find the “Healthy” value in the “ValidationStatus” property, it reports the Group name and its current status in the CSV file.

### Script Starts here ###


# Report file; any previous copy is removed before a new header is written.
$Result = "C:\Temp\Office365GroupsStatus.CSV"
IF (Test-Path $Result)
{
    Remove-Item $Result
}
$STR = "Group Name, Last Synced, ValidationStatus, DirSyncProvisioningErrors"
Add-Content $Result $STR
$FinalStatus = "Ok"
$Error.Clear()
# Only groups synced from On-Premises have LastDirSyncTime set.
# -MaxResults 200 limits the query to 200 groups.
$AllGroups = Get-MsolGroup -MaxResults 200 | Where-Object {$null -ne $_.LastDirSyncTime}
IF ($Error.Count -eq 0)
{
    ForEach ($EachGroup in $AllGroups)
    {
        $ValProp = $EachGroup.ValidationStatus
        $DisProp = $EachGroup.DirSyncProvisioningErrors
        # $null is placed on the left so the comparison returns a single true/false value.
        IF ($ValProp -eq "Healthy" -and $null -eq $DisProp)
        {
            # Healthy group with no sync errors: nothing to report.
        }
        else
        {
            $STRNew = $EachGroup.DisplayName+","+$EachGroup.LastDirSyncTime+","+$EachGroup.ValidationStatus+","+$EachGroup.DirSyncProvisioningErrors
            Add-Content $Result $STRNew
            $FinalStatus = "NOTOK"
        }
    }
    IF ($FinalStatus -eq "Ok")
    {
        Write-Host "All Office 365 Groups are healthy. No Sync errors were reported."
    }
    else
    {
        Write-Host "Some Office 365 Groups are NOT healthy. Please check result in $Result file"
        Write-Host "Results saved in $Result"
    }
}
else
{
    Write-Host "Some Errors occurred running Get-MsolGroup command"
}


### Script Ends here ###

Once the above script has been executed for all Groups in an Office 365 Tenant, a report is generated in the C:\Temp\Office365GroupsStatus.CSV file, as shown in Figure 1 below.

[Figure 1]

As you can see in the output above, the script reported errors for two Groups that sync from On-Premises Active Directory: “Group4” and “Group5”. The ValidationStatus property of each group holds the validation status that the script explained above collects.
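The same report logic as an added example (not the author's script): it takes group objects from the pipeline so it runs offline on constructed data, flattens DirSyncProvisioningErrors into readable text, and writes with Export-Csv so a display name containing a comma does not shift the columns. The function name Get-UnhealthySyncedGroup, the sample groups and the error property names are assumptions made for illustration.

```powershell
# Added example: works on any group objects that expose the four properties used below.
function Get-UnhealthySyncedGroup {
    param([Parameter(Mandatory, ValueFromPipeline)][object]$Group)
    process {
        # Groups that were never synced have no LastDirSyncTime; skip them.
        if ($null -eq $Group.LastDirSyncTime) { return }

        # @() lets $null, one error or many errors be handled the same way.
        $syncErrors = @($Group.DirSyncProvisioningErrors | Where-Object { $null -ne $_ })
        if ($Group.ValidationStatus -eq 'Healthy' -and $syncErrors.Count -eq 0) { return }

        # Flatten each error object to "Name=Value" pairs instead of its type name.
        $errorText = foreach ($e in $syncErrors) {
            ($e.PSObject.Properties | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
        }
        [pscustomobject]@{
            GroupName                 = $Group.DisplayName
            LastSynced                = $Group.LastDirSyncTime
            ValidationStatus          = $Group.ValidationStatus
            DirSyncProvisioningErrors = $errorText -join ' | '
        }
    }
}

# Constructed sample input; against a tenant, pipe the Get-MsolGroup output in instead.
$sample = @(
    [pscustomobject]@{ DisplayName = 'Group1'; LastDirSyncTime = [datetime]'2017-02-28 10:00'
                       ValidationStatus = 'Healthy'; DirSyncProvisioningErrors = $null }
    [pscustomobject]@{ DisplayName = 'Sales, EMEA'; LastDirSyncTime = [datetime]'2017-02-20 08:30'
                       ValidationStatus = 'Error'
                       # Hypothetical error object; property names are constructed.
                       DirSyncProvisioningErrors = @(
                           [pscustomobject]@{ Category = 'PropertyConflict'; Property = 'ProxyAddresses' }) }
    [pscustomobject]@{ DisplayName = 'Cloud Only'; LastDirSyncTime = $null
                       ValidationStatus = 'Healthy'; DirSyncProvisioningErrors = $null }
)

$csv    = Join-Path ([IO.Path]::GetTempPath()) 'Office365GroupsStatus.csv'
$report = @($sample | Get-UnhealthySyncedGroup)
# Export-Csv quotes every field, so 'Sales, EMEA' stays in one column.
$report | Export-Csv -Path $csv -NoTypeInformation
Write-Host "$($report.Count) unhealthy synced group(s) written to $csv"
```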


Summary

In this part, we explained how you can use the Get-MsolGroup PowerShell cmdlet to report on the health status of Groups that sync from On-Premises Active Directory. As we explained, the script primarily uses the “ValidationStatus” property to check for the “Healthy” value for each Group and then reports the health status of the group in the CSV file. The script also collects the last time a group was synced successfully, and any errors that occurred during synchronization are returned in the DirSyncProvisioningErrors column. In the next part of this article series, we will explain some more examples of using the Get-MsolGroup PowerShell cmdlet.


The Author — Nirmal Sharma

Nirmal Sharma is an MCSEx3 and MCITP, and was awarded the Microsoft MVP award in Directory Services and Windows Networking. He specializes in Microsoft Azure, Office 365, Directory Services, Failover Clusters, Hyper-V, PowerShell Scripting and System Center products. Nirmal has been involved with Microsoft Technologies since 1994. In his spare time, he likes to help others and share some of his knowledge by writing tips and articles on various sites and contributing to PowerShell-based Dynamic Packs for www.ITDynamicPacks.Net solutions.