
The

Office 365 PowerShell Reference


Manual for IT Super Hero’s
By
Ian John Waters

COPYRIGHT @ 2016
ALL RIGHTS RESERVED

No part of this publication may be reproduced, distributed or transmitted in any form or by any means, including but not
limited to photocopying, recording, or other electronic or mechanical methods, without proper written permission of the
publisher except in the case of brief quotations embodied in critical reviews and certain other noncommercial uses
permitted by copyright law.
This publication contains materials designed to assist readers in learning to use PowerShell. While the author has made
every attempt to verify that the information provided is correct and up to date, the author assumes no responsibility for
any error, inaccuracy or omission.

Contents
Introduction
Required Tools
Connecting to Office 365
Subscriptions
List Subscriptions
Purchase Subscription
Remove Subscription
Billing Notifications
List Users Who Receive Billing Invoices
Update Alternative Address
Get Company Information
Change technical contact
Licenses
List Licensed Users
Get Licenses Assigned to a User
Add Licenses
Remove Licenses
Switch Licenses
User Management
User Attributes
List Users
Add Users
Add Users in Bulk
Block Users
Remove Users
Remove One User from The Recycle Bin
Remove All the Users from the Cloud
Remove All the Users from the Recycle Bin
Password Management
Get Password Policy
Set Password Policy
Set Password
Get Password
Get Users Password Policy
Set Password to not Expire
Roles
List roles
List Role Members
Add Role Member
Remove Role Member
Exchange Management
List users, groups and contacts E-Mail addresses and Alias
Add E-Mail Address
Add only an Alias
Remove E-Mail Address
List Mailboxes
List Mailboxes with a forward
Archive Mailboxes
Enable Archive
List Size of Mailboxes
Resources
Room Mailboxes
Equipment Resources
Mailbox Permissions
Get Permissions
Grant Full Access to Mailbox
Send As Permission
Shared Mailboxes
List Shared Mailboxes
Add Shared Mailbox
Set Permissions
Remove Shared Mailbox
Convert Mailbox to Shared Mailbox
Convert Shared Mailbox to Full Mailbox
Get shared mailbox permissions
Group Management
List Groups
Add Group
Accept External Senders
Add Email to Group
Remove Group
List Group Members
Add User to Group
Remove User from Group
Contact Management
List Contacts
Add Contact
Remove Contact
Update Contact
Public Folders
List Public Folder Mailboxes
Create Public Folder Mailbox
Remove Public Folder Mailbox
List Public Folders
Add Public Folder
Remove Public Folder
Public Folder Permissions

Introduction
Hi I’m Ian Waters, technical director for Southern IT Networks Ltd. I’ve been using
Office 365 since its launch and myself along with my colleagues have been creating and
managing accounts for our clients ever since. Over the years we have done it all (well
almost!) and I’ve learned a lot from my mistakes. One of them is wasting time looking for
solutions to problems or answers to questions and this was one of the reasons I wanted to
put this reference manual together. I wanted to create something you and I can pick up
when we need it and quickly get the PowerShell commands needed and see the results of
running them. If you want to be the go to guy or gal for PowerShell, then keep this manual
handy. Spend some time flicking through these pages for ideas and pick up a few tips and
tricks along the way.
Let this book be your starting point into Office 365 administration using PowerShell.
If you love PowerShell, then have some fun and register to try my next book

Grab the details here:


http://www.slashadmin.co.uk/GetIt/old-school-games-programming-using-powershell/
Required Tools
In order to manage your Office 365 account, you will need to download and install
a few tools. You can manage your account from any Windows PC; you don’t need to
install them on a server, so you can manage accounts directly from your PC or laptop.
Download and install each of the following tools:
Microsoft Online Services Sign-in Assistant
http://www.microsoft.com/en-us/download/details.aspx?id=41950
Azure Active Directory Module
http://go.microsoft.com/fwlink/p/?linkid=236297
SharePoint Online Module
https://www.microsoft.com/en-us/download/details.aspx?id=35588
Skype for Business Online Module
http://www.microsoft.com/en-us/download/details.aspx?id=39366







Once everything is installed open up Windows PowerShell from the start menu and run it
as administrator.

The PowerShell window opens up and we’re in business!


Connecting to Office 365
When you start out you only need three commands to connect to the 365 portal. The first
will prompt you for the login details of a global administrator and save them into the
$credential variable, the second will import the basic 365 PowerShell commands and the
third will connect you up using the saved login credentials.
$credential = Get-Credential
Import-Module MSOnline
Connect-MsolService -Credential $credential


If you want to manage Skype for Business Online, you will need to import the Lync
Online module and import the session.

Import-Module LyncOnlineConnector
$session = New-CsOnlineSession -Credential $credential
Import-PSSession $session


If you want to manage SharePoint you will need to run the following:

Import-Module Microsoft.Online.Sharepoint.PowerShell
Connect-SPOService -url https://office365laba-admin.sharepoint.com -Credential $credential


And finally if you want to manage Exchange online you will need to run the following to
create and import an Exchange session.

$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://outlook.office365.com/powershell-liveid/" -Credential $credential -Authentication "Basic" -AllowRedirection
Import-PSSession $session







Once you have all of the modules loaded you can list all of the available commands by
running Get-Command. It’s a good idea to browse over the available commands and
familiarize yourself with them. There have been plenty of times where I’ve seen a
command that looks interesting and then I go on to use it in a script.

Subscriptions
Subscriptions in Office 365 define the features and services available and how many
licenses you have available to issue to user accounts. Each subscription has its own
Account SKU ID such as ENTERPRISEPREMIUM for E3 subscriptions.
When you reference a subscription ID in PowerShell you will need to prefix it with your
365 tenant name. This is the part before your onmicrosoft.com address you chose when
creating your account. Our test lab was created as office365laba.onmicrosoft.com so
office365laba is our tenant name.
List Subscriptions
To return a list of available subscriptions and the number of licenses in your tenant run the
following command:
Get-MsolAccountSku

If you want to return a more detailed list, you can add | FL to the command which will
show all attributes associated with a returned object in a formatted list (FL).
Get-MsolAccountSku | FL

Purchase Subscription
Purchasing subscriptions via PowerShell is currently not possible.

Remove Subscription
Removing subscriptions via PowerShell is currently not possible.



Billing Notifications
List Users Who Receive Billing Invoices
Retrieving a list of users who receive billing notifications is a two-step process. First we
have to return the role object with the name “Company Administrator” then return the
members of that role by passing in the role’s object ID.
$role = Get-MsolRole -RoleName "Company Administrator"
Get-MsolRoleMember -RoleObjectId $role.ObjectId

Update Alternative Address


Company administrators require alternative email addresses just in case they get locked
out of their account and need to reset their passwords.
Get-MsolUser -UserPrincipalName ian.waters@office365lab.co.uk | Set-MsolUser -AlternateEmailAddresses ian.waters@outlook.com
Get Company Information
Using this single command, you can retrieve the name of the tenant, address and contact
details. You can also see information showing if AD Connect is being used to synchronize
the user accounts with an on premises Active Directory. You can also see if password
Synchronization has been enabled or not.
Get-MsolCompanyInformation


Change technical contact
If you need to update the contact email address to change who receives notifications about
the tenant run the following command:
Set-MsolCompanyContactInformation -TechnicalNotificationEmails "ian.waters@office365lab.co.uk"



Licenses
List Licensed Users
A very common requirement is to list all users who are licensed; this list can then be used
to see if there are any user accounts that no longer require one. We can use the
Get-MsolUser cmdlet to retrieve users and use a search query to find all users where the
IsLicensed attribute is equal to true.
Get-MsolUser -All | where {$_.IsLicensed -eq $true }

Get Licenses Assigned to a User


Using the previous command, we can see if a user is licensed but how do we find out
exactly what license they have assigned? We can use the Get-MsolUser cmdlet to return
the AccountSkuId.
Here we can see the account ian.waters@office365lab.co.uk has been assigned
‘ENTERPRISEPACK’ which we can see from the table means this user is assigned an E5
license.
(Get-MsolUser -UserPrincipalName ian.waters@office365lab.co.uk).Licenses

If you have just assigned a license to a user, it can take a few minutes to provision all of
the services available for use. Each license contains a set of features such as Sway, Office,
SharePoint etc. To see the status of each service as it activates we can return the
ServiceStatus object. You will notice the Licenses object is an array which holds a list of
assigned licenses. In Office 365 users can be assigned multiple licenses and each license
will have its own set of features so we can return the ServiceStatus of each license. Here
we are returning the first license assigned to the user account. If the user has a second
license assigned use .Licenses[1].ServiceStatus to view the results.
(Get-MsolUser -UserPrincipalName ian.waters@office365lab.co.uk).Licenses[0].ServiceStatus
If you want to return a list of all users and their assigned licenses use Get-MsolUser and
return a formatted list including only the Display names and Licenses.
Get-MsolUser | Format-List DisplayName,Licenses

Add Licenses
You can add a license to a user using the Set-MsolUserLicense cmdlet. All we need to do
is specify the User Principal Name (UPN) AKA user logon name and the SKU ID of the
license we wish to assign. Just remember that the SKU ID needs to be in the form of
<Tenant Name>:<Account SKU ID>.
Here we assign Tom an E5 license.
Set-MsolUserLicense -UserPrincipalName Tom.owers@office365lab.co.uk -AddLicenses Office365LabA:ENTERPRISEPREMIUM

Remove Licenses
Removing licenses is just as easy as adding one; the only difference is we specify the
-RemoveLicenses switch.
Be careful when removing licenses because data will be stored for 30 days before it’s
deleted from the system which includes items such as emails, contacts, calendars and
OneDrive documents.
Set-MsolUserLicense -UserPrincipalName tom.owers@office365lab.co.uk -RemoveLicenses Office365LabA:ENTERPRISEPREMIUM
Switch Licenses
Switching licenses involves adding a new license and removing the old one in one
command. If you find this command fails, it could be due to the fact that some licenses
can’t be used together. You may have to run two separate commands, the first to remove the
old license and the second to add the new one.
Set-MsolUserLicense -UserPrincipalName ian.waters@office365lab.co.uk -AddLicenses Office365LabA:ENTERPRISEPREMIUM -RemoveLicenses Office365LabA:ENTERPRISEPACK
User Management
User Attributes
Each user contains a number of attributes defining their settings and personal information
such as phone number, department name and the date they last changed their password. You
can export some great information into a CSV file and produce some reports in Excel
really easily. Maybe as part of a security audit you could export a list of all users who have
their password set to never expire?
To return all available attributes of a user account you can run the Get-MsolUser cmdlet,
specify the UPN of the user account and pipe the output as a formatted list.
Get-MsolUser -UserPrincipalName ian.waters@office365lab.co.uk | FL


List Users
The easiest way to return a list of all users is to run the Get-MsolUser cmdlet. By
default, it will return only the UPN, Display name and the isLicensed attributes.
Get-MsolUser
Add Users
Adding users is done using the New-MsolUser cmdlet and due to the number of attributes
you can set, these commands can become very long. Here we will use the bare minimum to
set up a user and assign the user a license in one command. Here we specify the
DisplayName, FirstName, LastName, UserPrincipalName, UsageLocation and
LicenseAssignment.
New-MsolUser -DisplayName "Nic Horrocks" -FirstName Nic -LastName Horrocks -UserPrincipalName nic.horrocks@office365lab.co.uk -UsageLocation GB -LicenseAssignment Office365LabA:ENTERPRISEPREMIUM

Add Users in Bulk


One of the easiest ways to import users in bulk when not using AD Connect to
synchronize an on-premises Active Directory is to use a CSV file. Create a new text file
and copy in the following text and save the file as users.csv. Use these entries as an
example and modify them to match your own requirements.
DisplayName,FirstName,LastName,UserPrincipalName,UsageLocation,AccountSkuId
Ian Waters,Ian,Waters,ian.waters@office365lab.co.uk,GB,Office365LabA:ENTERPRISEPREMIUM
Michael Freeman,Michael,Freeman,michael.freeman@office365lab.co.uk,GB,Office365LabA:ENTERPRISEPREMIUM
Andy Waters,Andy,Waters,andy.waters@office365lab.co.uk,GB,Office365LabA:ENTERPRISEPREMIUM
Nic Horrocks,Nic,Horrocks,nic.horrocks@office365lab.co.uk,GB,Office365LabA:ENTERPRISEPACK
Tom Owers,Tom,Owers,tom.owers@office365lab.co.uk,GB,Office365LabA:ENTERPRISEPACK
Fay Williams,Fay,Williams,fay.williams@office365lab.co.uk,GB,Office365LabA:ENTERPRISEPACK

You can also use Excel to build your user list as shown below, just remember to save it as
a Comma Separated Value (CSV) file.

Import-Csv -Path "C:\Users.csv" | ForEach {New-MsolUser -DisplayName $_.DisplayName -FirstName $_.FirstName -LastName $_.LastName -UserPrincipalName $_.UserPrincipalName -UsageLocation $_.UsageLocation -LicenseAssignment $_.AccountSkuId} | Export-Csv -Path "C:\Results.csv"
After a few seconds the script will save the results in the CSV file which will include the
password for each user.
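A pre-flight check for the bulk import above, as an added example that is not part of the original manual: it validates the CSV against the tenant before any account is created, then exports only the UPN and generated password. It assumes Connect-MsolService has been run and that the file uses the column names shown above; the row numbering and messages are this example's own.

```powershell
# Added example, not from the original manual.
# Assumes Connect-MsolService has been run and C:\Users.csv uses the columns shown above.
$csvPath  = 'C:\Users.csv'
$required = 'DisplayName','FirstName','LastName','UserPrincipalName','UsageLocation','AccountSkuId'

$rows = @(Import-Csv -Path $csvPath)
if ($rows.Count -eq 0) { throw "$csvPath contains no data rows." }

# Column names must match exactly what the import command reads ($_.LastName etc.).
$columns = $rows[0].PSObject.Properties.Name
$missing = @($required | Where-Object { $columns -notcontains $_ })
if ($missing.Count -gt 0) { throw "Missing column(s): $($missing -join ', ')" }

# Free license units per SKU, read from the tenant itself.
$freeUnits = @{}
Get-MsolAccountSku | ForEach-Object { $freeUnits[$_.AccountSkuId] = $_.ActiveUnits - $_.ConsumedUnits }

$seen     = @{}
$problems = @()
$n        = 0
foreach ($row in $rows) {
    $n++
    foreach ($name in $required) {
        if ([string]::IsNullOrWhiteSpace($row.$name)) { $problems += "Row ${n}: $name is empty" }
    }

    $upn = "$($row.UserPrincipalName)".Trim()
    if ($upn) {
        if ($upn -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') { $problems += "Row ${n}: '$upn' is not a valid UPN" }
        if ($seen.ContainsKey($upn)) { $problems += "Row ${n}: '$upn' duplicates row $($seen[$upn])" }
        else { $seen[$upn] = $n }
        # An existing account with this UPN would make New-MsolUser fail part-way through the file.
        if (Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue) {
            $problems += "Row ${n}: '$upn' already exists in the tenant"
        }
    }

    # UsageLocation is a two-letter country code such as GB.
    $location = "$($row.UsageLocation)".Trim()
    if ($location -and $location -notmatch '^[A-Za-z]{2}$') {
        $problems += "Row ${n}: UsageLocation '$location' is not a two-letter code"
    }

    # Each row consumes one unit of its SKU; stop before the tenant runs out.
    $sku = "$($row.AccountSkuId)".Trim()
    if ($sku) {
        if (-not $freeUnits.ContainsKey($sku)) { $problems += "Row ${n}: SKU '$sku' is not in this tenant" }
        elseif ($freeUnits[$sku] -lt 1)        { $problems += "Row ${n}: no free licenses left for '$sku'" }
        else                                   { $freeUnits[$sku]-- }
    }
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "Import aborted: $($problems.Count) problem(s) found, no users were created."
}

# Validation passed: create the users and keep only what has to be handed over.
$rows | ForEach-Object {
    $params = @{
        DisplayName       = $_.DisplayName
        FirstName         = $_.FirstName
        LastName          = $_.LastName
        UserPrincipalName = $_.UserPrincipalName
        UsageLocation     = $_.UsageLocation
        LicenseAssignment = $_.AccountSkuId
    }
    New-MsolUser @params
} | Select-Object UserPrincipalName, Password |
    Export-Csv -Path 'C:\Results.csv' -NoTypeInformation
```

C:\Results.csv still holds every initial password in clear text, so move it somewhere access-controlled and delete it once the passwords have been handed out.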
Block Users
Sometimes you may be asked to stop a user from logging in but retain their data. This may
happen if someone has been called into a HR meeting where they may not return. If
everything works out fine you can unblock their account and keep their data and password
intact. The alternative is to change their password but why bother the user with having to
call support to have their password changed when we can just block them.
Set-MsolUser -UserPrincipalName tom.owers@office365lab.co.uk -blockcredential $true

Remove Users
Removing user accounts is an easy process but you must remember that once a user
account has been deleted you have 30 days to restore the account and data. After 30 days
the account and all user data will be permanently deleted.
Remove-MsolUser -UserPrincipalName fay.williams@office365lab.co.uk

Remove One User from The Recycle Bin


If you want to be extra tidy you can remove items from the recycle bin. Normally a
deleted user account will automatically be cleared after 30 days but you can manually
clear the account from the recycle bin. Just be aware that doing this will permanently
delete all data associated with the account instantly. Here we remove a specific account by
using their UPN.
Remove-MsolUser -UserPrincipalName andy.waters@office365lab.co.uk -RemoveFromRecycleBin

Remove All the Users from the Cloud


If you’ve been experimenting with an Office 365 trial account, you may want to clear all
user accounts in one go ready to move from a trial to a production account. We can easily
do this by piping two commands together, the first returns all user accounts which then get
piped into the Remove-MsolUser cmdlet which removes the account.
Get-MsolUser | Remove-MsolUser -Force

In the screen shot below you will see an error message letting us know that we can’t
remove the account that we are logged in with.

Remove All the Users from the Recycle Bin


If you’ve deleted an account by mistake or someone in the company needs to access their
mailbox (We’ve all been there!) you can remove the user from the recycle bin and recover
all of their data so long as it’s within the 30-day retention period. Here we use the
Get-MsolUser cmdlet specifying the ReturnDeletedUsers switch, then we pipe the results into
the Remove-MsolUser command explicitly specifying we want to clear the users from the
recycle bin using the RemoveFromRecycleBin switch.
Get-MsolUser -ReturnDeletedUsers | Remove-MsolUser -RemoveFromRecycleBin -Force
Password Management
Get Password Policy
We can set password policies at the domain level so when using the
Get-MsolPasswordPolicy cmdlet we have to specify a domain we want to see the settings for.
Here we run the command specifying our lab domain office365lab.co.uk.
Get-MsolPasswordPolicy -DomainName office365lab.co.uk

Password policies are pretty basic. We can specify the number of days before the
password expires that users will start to be reminded to change their password
(NotificationDays). The second setting is ValidityPeriod, which specifies how many days can
pass before the password needs changing. Here we see the ValidityPeriod is set to 730
days which is 2 years!
Move on and set those values to something more secure quickly by setting your own
values for the policy!
Set Password Policy
Your organization will have their own password policy but if not choose some values which
balance security and user inconvenience. In our test lab we are using password complexity
so our passwords are at least 10 characters long, using upper and lower case letters,
numbers and special characters so we have chosen to set our ValidityPeriod to 180 days.
Set-MsolPasswordPolicy -DomainName office365lab.co.uk -NotificationDays 10 -ValidityPeriod 180

Set Password
We can set user passwords using the Set-MsolUserPassword cmdlet, specifying the user’s
UPN and password along with the NewPassword and ForceChangePassword switches. If you
want to set the user’s password and have them change it when they first log on use $true
with the ForceChangePassword switch. If you want to set it yourself use $false.
Set-MsolUserPassword -UserPrincipalName ian.waters@office365lab.co.uk -NewPassword 'T0ffeeAppl@s19#' -ForceChangePassword $false
Get Password
Get Users Password Policy
At the user level we can set passwords to never expire if required. If you need to check a
specific user, you can run the Get-Msoluser cmdlet and use Select to return only the
PasswordNeverExpires attribute.
Get-MsolUser -UserPrincipalName ian.waters@office365lab.co.uk | Select PasswordNeverExpires

Because this is a potential security issue you may want to return a list of all accounts to
review which accounts have their password set to never expire. Use Get-MsolUser and
pipe the results into a formatted table (ft) specifying the DisplayName and
PasswordNeverExpires attributes of the user objects.
Get-MsolUser | ft DisplayName, PasswordNeverExpires
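The security audit suggested above and under User Attributes, as an added example that is not part of the original manual: it uses the same MSOnline cmdlets to report every account with PasswordNeverExpires set, flags the ones holding an admin role and shows how old each password is. It assumes Connect-MsolService has been run; the output path is a placeholder.

```powershell
# Added example, not from the original manual.
# Assumes Connect-MsolService has already been run (see "Connecting to Office 365").
$outFile = 'C:\PasswordAudit.csv'   # placeholder path

# Map each member's ObjectId to the names of the roles it holds.
$rolesByMember = @{}
foreach ($role in Get-MsolRole) {
    foreach ($member in Get-MsolRoleMember -RoleObjectId $role.ObjectId) {
        $key = $member.ObjectId.ToString()
        if (-not $rolesByMember.ContainsKey($key)) { $rolesByMember[$key] = @() }
        $rolesByMember[$key] += $role.Name
    }
}

$nowUtc = (Get-Date).ToUniversalTime()

# -All matters in an audit: without it Get-MsolUser returns only the first 500 users.
$report = Get-MsolUser -All |
    Where-Object { $_.PasswordNeverExpires -eq $true } |
    ForEach-Object {
        $roles = @($rolesByMember[$_.ObjectId.ToString()])
        $age   = $null
        if ($_.LastPasswordChangeTimestamp) {
            $age = [int]($nowUtc - $_.LastPasswordChangeTimestamp).TotalDays
        }
        [pscustomobject]@{
            DisplayName       = $_.DisplayName
            UserPrincipalName = $_.UserPrincipalName
            IsAdmin           = ($roles.Count -gt 0)
            Roles             = ($roles -join '; ')
            PasswordAgeDays   = $age
            SignInBlocked     = $_.BlockCredential
            IsLicensed        = $_.IsLicensed
        }
    }

# Admin accounts first, then the oldest passwords.
$report = $report | Sort-Object @{ Expression = 'IsAdmin'; Descending = $true },
                                @{ Expression = 'PasswordAgeDays'; Descending = $true }

$report | Format-Table DisplayName, IsAdmin, PasswordAgeDays, SignInBlocked -AutoSize
$report | Export-Csv -Path $outFile -NoTypeInformation
```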

Set Password to not Expire


There may be some cases where you are asked to break company policies and set an
account to never expire. In smaller organizations this usually comes from executives but
try and resist for their own good. If you need to then we use the Get-MsolUser cmdlet and
pipe the user into the Set-MsolUser cmdlet to set the user attribute to $True but you
can always change it back by running the command again specifying $False.
Get-MsolUser -UserPrincipalName ian.waters@office365lab.co.uk | Set-MsolUser -PasswordNeverExpires $True

If you really, really have to you can set all user passwords to never expire as follows:
Get-MsolUser | Set-MsolUser -PasswordNeverExpires $True
Roles
Office 365 comes with a set of user roles which allow specific users or devices to perform
extra functions. Any users who have the Company Administrator role assigned can do
anything they wish in the Office 365 account, both good and bad so be careful which roles
you assign to users.
List roles
You can return a list of all roles using the Get-MsolRole cmdlet. In the screen shot below
the description is cut off due to the size of the PowerShell window. Make your window
full screen and run the command again to see the description if needed.
Get-MsolRole

List Role Members


Viewing the members of a role requires us to run two separate commands, the first will
load the role object into a variable and the second will return the members of the role
using the ObjectId attribute. It’s a shame we can’t pipe these commands and run a single
command.
$role = Get-MsolRole -RoleName "Company Administrator"
Get-MsolRoleMember -RoleObjectId $role.ObjectId

Add Role Member


You can use the Add-MsolRoleMember cmdlet to assign a user or device a specified role.
Here we add Michael to the Company Administrator role. Beware of adding users to
groups where they are granted more rights than they really need. Consider using
“Helpdesk Administrator” if you need a user to assist with user administration within
Office 365.
Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberEmailAddress michael.freeman@office365lab.co.uk

Remove Role Member


Remove-MsolRoleMember -RoleName "Company Administrator" -RoleMemberType User -RoleMemberEmailAddress michael.freeman@office365lab.co.uk



Exchange Management
I spend most of my time administering the Exchange side of Office 365 so it pays to spend
some time experimenting with the commands. The more proficient you are using them the
easier your job becomes especially when you need to do something a little more than the
web portal is capable of.
List users, groups and contacts E-Mail addresses and Alias
If you need to generate a list of all email recipients whether they be users, groups, or
contacts you can use the Get-recipient cmdlet. This command by default will only return
the name and RecipientType attributes. We can return the list of Email Addresses by
piping the objects into the Select statement and choose to return the Displayname,
RecipientType and EmailAddresses attributes. Although not shown here the command will
also return the types ‘MailContact’ which are email contacts and
‘MailUniversalDistributionGroup’ which are email distribution groups.
Get-Recipient | Select DisplayName, RecipientType, EmailAddresses

Sometimes it’s easier to export the results to a csv file due to the number of email
addresses users and groups can have assigned. Once exported you can manipulate or
search the information using Excel.
Get-Recipient | Select DisplayName, RecipientType, EmailAddresses | Export-Csv EmailAddresses.csv

If you are only interested in the primary email address, then use Select to return the
DisplayName and PrimarySmtpAddress attributes.
Get-Mailbox |Select-Object DisplayName,PrimarySmtpAddress

Add E-Mail Address
Here we get into the most commonly requested actions when administering Office 365:
adding and updating email addresses. Here we can add a new email address and set it as
the primary address using the Set-Mailbox command. The previous primary address will
then become an alias of the account.
Set-Mailbox ian.waters@office365lab.co.uk -EmailAddresses ian@office365lab.co.uk

Before we run the command in the lab let’s take a look at the users account in the web
portal. We can see the primary address is ian.waters@office365lab.co.uk and there are no
alias addresses.

Let’s run the command.

Here you can see the changes occurred as expected. The previous primary address is now
showing as an alias. A small point to highlight but it’s worth knowing.
Now let’s say you want to update the primary address and add a number of alias addresses
using one command. Simply run the Set-Mailbox command as before specifying the
primary address but now use commas to tack on additional alias addresses. Here we set
ian@office365lab.co.uk as the primary address but at the same time we add info@ and
sales@ addresses to the account.
Set-Mailbox ian.waters@office365lab.co.uk -EmailAddresses ian@office365lab.co.uk,info@office365lab.co.uk,sales@office365lab.co.uk

Add only an Alias


If you only want to add a new alias to an account things get a little trickier because we
have to use an expression to specify we only want to add an address into the
EmailAddresses array. An array is a list of objects which in this case is a list of email
addresses.
Set-Mailbox -Identity ian.waters@office365lab.co.uk -EmailAddresses @{Add='accounts@office365lab.co.uk'}
Again looking at the web portal we can see the new address has been added as an alias.

Remove E-Mail Address


To remove a selected address, we use the Set-Mailbox cmdlet and use an expression to
remove the address from the EmailAddresses array.
Set-Mailbox ian.waters@office365lab.co.uk -EmailAddresses @{Remove="info@office365lab.co.uk"}

If you are going to start writing PowerShell scripts, you can return the individual entries of
the array by running a command like this:
(Get-Mailbox ian.waters@office365lab.co.uk).EmailAddresses[0]

The output will return the email address at location 0. You can run the command again,
replacing 0 with 1, to return the second email address and so on.
List Mailboxes
If you want to return a quick list of mailboxes use the Get-Mailbox cmdlet which by
default will return the Name, Alias, ServerName and ProhibitSendQuota attributes. If you
want to return the mailbox for a specific user account, use the following command:
Get-Mailbox ian.waters@office365lab.co.uk

If you want to view all of the attributes available to mailboxes run the command again by
piping the output into a formatted list (FL).
Get-mailbox ian.waters@office365lab.co.uk | FL




Get-Mailbox
List Mailboxes with a forward
If you need to list all mailboxes which are being forwarded to another email address, we
can use Get-Mailbox with a search query. This is another useful command to run during a
security audit to find users which are forwarding all of their email to a personal email
account. Below we are returning all mailboxes where the forwarding addresses are not set
to null. In other words, we are returning all mailboxes where the forwarding options have
an address set. In the example below we can see my account ian.waters is forwarding all
email to the contact “Ian Waters (SlashAdmin)”.
Get-Mailbox | Where {($_.ForwardingSMTPAddress -ne $null) -or ($_.ForwardingAddress -ne $null)} | Select Name, ForwardingSMTPAddress, ForwardingAddress, DeliverToMailboxAndForward
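The forwarding audit above, taken one step further as an added example that is not part of the original manual: it resolves each forwarding target and marks it Internal or External by comparing its domain with the tenant's accepted domains. It assumes the Exchange Online session is imported; Get-AcceptedDomain is an Exchange Online cmdlet not used elsewhere in this manual, and the helper function names and output path are this example's own.

```powershell
# Added example, not from the original manual.
# Assumes the Exchange Online session from "Connecting to Office 365" is imported.
$outFile = 'C:\ForwardingAudit.csv'   # placeholder path

# Domains the tenant receives mail for; any other target domain counts as external.
$internalDomains = @(Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString().ToLowerInvariant() })

function Get-SmtpDomain {
    param([string]$Address)
    # Addresses are stored with an "smtp:" prefix; drop it, then take the part after "@".
    $clean = ($Address -replace '^smtp:', '').Trim()
    if ($clean -match '@([^@\s]+)$') { return $Matches[1].ToLowerInvariant() }
    return $null
}

function New-ForwardRow {
    param($Mailbox, [string]$Setting, [string]$Target)
    $domain = Get-SmtpDomain $Target
    if (-not $domain)                           { $scope = 'Unresolved' }
    elseif ($internalDomains -contains $domain) { $scope = 'Internal' }
    else                                        { $scope = 'External' }
    [pscustomobject]@{
        Mailbox        = $Mailbox.PrimarySmtpAddress
        Setting        = $Setting
        Target         = $Target
        Scope          = $scope
        KeepsLocalCopy = $Mailbox.DeliverToMailboxAndForward
    }
}

# -ResultSize Unlimited so mailboxes beyond the default result limit are not skipped.
$report = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    if ($mbx.ForwardingSmtpAddress) {
        New-ForwardRow $mbx 'ForwardingSmtpAddress' ([string]$mbx.ForwardingSmtpAddress)
    }
    if ($mbx.ForwardingAddress) {
        # ForwardingAddress names a recipient object (often a mail contact), so look
        # it up to see which address the mail is really delivered to.
        $name      = [string]$mbx.ForwardingAddress
        $recipient = Get-Recipient -Identity $name -ErrorAction SilentlyContinue |
                     Select-Object -First 1
        $target = $name
        if ($recipient) {
            if ($recipient.ExternalEmailAddress) { $target = [string]$recipient.ExternalEmailAddress }
            else                                 { $target = [string]$recipient.PrimarySmtpAddress }
        }
        New-ForwardRow $mbx 'ForwardingAddress' $target
    }
}

# Sorting on Scope puts External rows first, then Internal, then Unresolved.
$report = $report | Sort-Object Scope, Mailbox
$report | Format-Table Mailbox, Setting, Target, Scope, KeepsLocalCopy -AutoSize
$report | Export-Csv -Path $outFile -NoTypeInformation
```

Rows where KeepsLocalCopy is False deserve the first look, since the mailbox owner never sees the mail that is forwarded.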

Archive Mailboxes
Archives offer a way of storing emails as an Archive folder within the user’s mailbox. The
main advantage of using archiving is that any email inside the archive folder doesn’t
get cached into the Outlook OST file. The archive folder is included as part of the user’s
50 GB mailbox limit but if enabled with a subscription which includes Exchange Online
Plan 2 the archive folder has an unlimited size.
To retrieve a list of mailboxes with archiving enabled use the Get-Mailbox cmdlet with the
-Archive switch.
Get-Mailbox -Archive

Enable Archive
To enable archiving for a single user, use the Enable-Mailbox cmdlet.
Enable-Mailbox ian.waters@office365lab.co.uk -Archive
List Size of Mailboxes
Generating a list of mailboxes along with their size is one of the most commonly run
tasks. Generate a report for maintenance purposes so you can spot potential issues before
they occur or verify if a user is suffering from performance issues due to an overloaded
mailbox. You can safely ignore any warning messages that appear due to mailboxes not
being used.
Here we pipe the output of Get-mailbox into Get-MailboxStatistics and output a formatted
table showing DisplayName and TotalItemSize attributes of the mailbox objects.
Get-Mailbox | Get-MailboxStatistics | FT DisplayName, TotalItemSize
Resources
Resources are one of those great features that you don’t see used very often yet nearly
everyone would benefit from. Resources are anything that can be used by users at any
time which may include meeting rooms, projectors, training equipment basically anything
users may want to book out to use for a short period of time. Let’s first take a look at
creating room mailboxes.

Room Mailboxes
Room mailboxes are used to coordinate their use among users. Imagine that you have a
meeting room and you always have issues where two or more people want to use it at the
same time. We create a room resource so that users can book a meeting and check if
the room is available at that time. If it is they can book out the room for the required
amount of time and if it’s already booked they can see that and choose a different time for
their meeting.
Create a new room mailbox
In this example let’s create a room mailbox called ‘Meeting Room 1’, set its location as
‘Ground Floor’, set the telephone number for the room and set its capacity to 10 people.
New-MailBox -Name "Meeting Room 1" -Alias "GFMeetingRoom" -Office "Ground Floor" -ResourceCapacity 10 -Phone 01323287828 -Room

In the Exchange admin center we can now see our room under Recipients then resources.


Set rooms to automatically accept bookings
When you create a new resource it’s a good idea to enable it to automatically accept
meeting invitations especially if you want to fully automate the booking process.
Set-CalendarProcessing "Meeting Room 1" -AutomateProcessing AutoAccept
If you want to disable the AutoAccept feature set AutomateProcessing to ‘None’, or set it to
‘AutoUpdate’ for the default settings.
List all rooms
To return a list of all room mailboxes we use the Get-Mailbox cmdlet using a filter to only
return mailboxes whose RecipientTypeDetails attribute equals RoomMailBox. There are
several recipient types including UserMailbox, SharedMailbox and EquipmentMailbox.
Get-Mailbox -Filter '(RecipientTypeDetails -eq "RoomMailBox")' | Select Name,Alias,Office


Equipment Resources
Create an equipment resource
We can use equipment resources to allow users to book shared equipment out for use for a
short period of time. Equipment is usually assigned to the user’s personal calendar entry
and the system will only allow the equipment to be used by one person at a time.
Let’s create a resource for the office projector so users can book this equipment out as
needed.
New-Mailbox -Name "Projector 1" -Alias "Projector1" -Equipment

List all equipment


To return a list of all equipment resources we use the Get-Mailbox cmdlet using a filter to
only return all mailboxes whose RecipientTypeDetails attribute equals
EquipmentMailBox. There are several recipient types including UserMailbox,
SharedMailbox and EquipmentMailbox.
Get-Mailbox -Filter '(RecipientTypeDetails -eq "EquipmentMailBox")' | Select Name,Alias
Mailbox Permissions
We can grant users access to other users’ mailboxes. This is a very common administrative
task so it pays to be familiar with the MailboxPermission set of cmdlets. When we set
permissions using these cmdlets we use the AccessRights switch and set one or more
of the following rights.
FullAccess
DeleteItem
ReadPermission
ChangePermission
ChangeOwner
SendAs


Get Permissions
To view the security permissions for a single user, use the Get-mailboxPermission cmdlet.
The output will show a list of all accounts with permissions associated with that user. In
this example we can see that both Michael and Ian have FullAccess rights to Fay’s
mailbox. You will notice that we use the Select function here to return the Deny attribute.
This is because a user or group can be assigned FullAccess rights to a mailbox but still be
denied access if the Deny attribute is set. Remember a Deny will always override an allow.
Get-MailboxPermission fay.williams@office365lab.co.uk | Select User, AccessRights, Deny

Grant Full Access to Mailbox


Quite often you will be asked to grant a user full access to another user’s mailbox, but
remember to always verify this action with a manager before doing so to ensure they
really are allowed to have it. In this example let’s grant Michael full access to Ian’s
mailbox using the Add-MailboxPermission cmdlet.
Add-MailboxPermission -Identity "ian.waters@office365lab.co.uk" -User "michael.freeman@office365lab.co.uk" -AccessRights FullAccess -InheritanceType All
Send As Permission
Send As permissions are commonly used with Info@, Accounts@ or Sales@ addresses
where several users need to send emails out as if they were being sent from the same
account. In our example let’s give Michael SendAs rights to Ian’s mailbox so he can send
or reply to emails as him when he’s away on a business trip. To add the SendAs access
right we have to use the Add-RecipientPermission cmdlet.
Add-RecipientPermission "ian.waters@office365lab.co.uk" -AccessRights SendAs -Trustee michael.freeman@office365lab.co.uk
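
The Get Permissions, Full Access and Send As sections above, combined into a review of who holds delegated rights on which mailbox and whether a Deny is in effect. This is an added example, not code from the book: Get-DelegationFinding is a hypothetical helper, the sample entries are constructed, and the property names assume the output shape of Get-MailboxPermission and Get-RecipientPermission.

```powershell
# Added example, not from the book. Get-DelegationFinding is a hypothetical helper.
# Input objects carry Identity, User (or Trustee), AccessRights, IsInherited and
# Deny (or AccessControlType), the assumed shape of the permission cmdlets' output.
function Get-DelegationFinding {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Entry,
        # Rights to report; adjust to local policy.
        [string[]]$ReviewRights = @('FullAccess', 'SendAs', 'ChangePermission', 'ChangeOwner')
    )
    process {
        $who = if ($Entry.PSObject.Properties['Trustee']) { $Entry.Trustee } else { $Entry.User }
        # Skip the mailbox owner's own entry and inherited system entries.
        if ("$who" -like 'NT AUTHORITY\*' -or $Entry.IsInherited) { return }
        # AccessRights may arrive as a list or as one comma-separated string.
        $rights = ($Entry.AccessRights -join ',') -split '\s*,\s*'
        $hits = @($rights | Where-Object { $ReviewRights -contains $_ })
        if ($hits.Count -eq 0) { return }
        # A Deny overrides an allow, so report the effect next to the right.
        $deny = [bool]$Entry.Deny -or "$($Entry.AccessControlType)" -eq 'Deny'
        [pscustomobject]@{
            Mailbox = "$($Entry.Identity)"
            Grantee = "$who"
            Rights  = $hits -join ','
            Effect  = if ($deny) { 'Deny' } else { 'Allow' }
        }
    }
}

# Constructed sample entries (not real tenant output), using the book's lab names.
$sample = @(
    [pscustomobject]@{ Identity = 'Fay Williams'; User = 'NT AUTHORITY\SELF'; AccessRights = @('FullAccess', 'ReadPermission'); IsInherited = $false; Deny = $false }
    [pscustomobject]@{ Identity = 'Fay Williams'; User = 'michael.freeman@office365lab.co.uk'; AccessRights = @('FullAccess'); IsInherited = $false; Deny = $false }
    [pscustomobject]@{ Identity = 'Fay Williams'; User = 'ian.waters@office365lab.co.uk'; AccessRights = @('FullAccess'); IsInherited = $false; Deny = $true }
    [pscustomobject]@{ Identity = 'Ian Waters'; Trustee = 'michael.freeman@office365lab.co.uk'; AccessRights = @('SendAs'); IsInherited = $false; AccessControlType = 'Allow' }
)
$sample | Get-DelegationFinding | Sort-Object Mailbox, Grantee | Format-Table -AutoSize

# Against a live session the function takes the cmdlet output directly:
#   Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission   | Get-DelegationFinding
#   Get-Mailbox -ResultSize Unlimited | Get-RecipientPermission | Get-DelegationFinding
```

Running the report on a schedule and comparing it with the previous run shows new FullAccess or SendAs grants that were never signed off by a manager.
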
Shared Mailboxes
Shared mailboxes are just like normal mailboxes except they are free! You can have as
many shared mailboxes as you like without having to purchase any licenses. The only
restriction is that they can only be accessed from a licensed user account. Shared mailboxes
are a great way to handle Accounts or Sales mailboxes because all of the emails sent to
those addresses are kept in one place and they can be accessed by multiple users.
List Shared Mailboxes
To return a list of all shared mailboxes we use the Get-Mailbox cmdlet but specify the
RecipientTypeDetails attribute to equal the SharedMailbox type.
Get-Mailbox -RecipientTypeDetails SharedMailbox

Here we can see two shared mailboxes, Accounts and Sales.

Add Shared Mailbox


Let’s create a new shared mailbox called Info which is assigned the info@ email address
using the New-Mailbox cmdlet.
New-Mailbox -Name "Info" -DisplayName "Info" -Alias "info" -PrimarySmtpAddress "info@office365lab.co.uk" -Shared

We can see the shared mailbox in the 365 admin center under Users then Shared
Mailboxes.


Set Permissions
See ‘Mailbox Permissions’
Remove Shared Mailbox
To remove a shared mailbox, we need to use the Remove-MsolUser cmdlet specifying the
UPN of the account. Let’s remove the Info mailbox we created earlier.
Remove-MsolUser -UserPrincipalName info@office365lab.co.uk

You will be prompted to confirm the operation by pressing Y for Yes.

Below we see the shared mailbox has disappeared from the Office 365 admin center.


Convert Mailbox to Shared Mailbox
If you need to convert a normal user mailbox, which needs a license assigned to it, into
a shared mailbox, you can use the Set-Mailbox cmdlet and change its type to Shared.
In our example let’s convert a user called Project into a shared mailbox. Here we can see
the user account listed in the admin center under Users, Active Users.

We run the Set-Mailbox cmdlet to convert the user to a shared mailbox.

Set-Mailbox projects@office365lab.co.uk -Type Shared


Now we can see the account has moved into the Shared Mailboxes section of the admin
center.


Convert Shared Mailbox to Full Mailbox
To convert a shared mailbox into a normal mailbox we use the Set-Mailbox cmdlet and
set its type to Regular. You must ensure a license is assigned to the account after doing
this, otherwise the mailbox will be deleted after 30 days.
Set-Mailbox project@office365lab.co.uk -Type Regular

Get shared mailbox permissions


Just like normal user mailboxes we can get and set access rights. Let’s generate a list of all
permissions associated with the Accounts shared mailbox using the
Get-MailboxPermission cmdlet.
Get-MailboxPermission Accounts | Select User, AccessRights, Deny
Group Management
Groups are used to distribute emails to multiple users. They have the drawback that
every user in the group will receive a copy of the email, but they are an easy way to
communicate with a specific group of people within your organization.
List Groups
A basic list of groups can be returned by calling the Get-DistributionGroup cmdlet, which
will return the name, display name, type and primary email address.
Get-DistributionGroup


Add Group
To create a group, use the New-DistributionGroup cmdlet specifying the name, display
name, alias and primary SMTP address. Let’s create a new group called Contact US using
the email address contactus@office365lab.co.uk

New-DistributionGroup -Name "Contact Us" -DisplayName "Contact US" -Alias "ContactUS" -PrimarySmtpAddress contactus@office365lab.co.uk

Accept External Senders


By default, distribution groups are created to only accept emails from internal users.
To allow emails to be received from external addresses we must disable
sender authentication using the Set-DistributionGroup cmdlet. Let’s disable sender
authentication on the Contact Us distribution group.
Set-DistributionGroup contactus@office365lab.co.uk -RequireSenderAuthenticationEnabled $False

Add Email to Group


If you want to add or update the email addresses associated with a group use the
Set-DistributionGroup cmdlet and update the EmailAddresses array by specifying the SMTP
addresses. The primary address is always the first email address in the list. Additional
addresses are added by adding a comma and entering the email address required. In this
example let’s set the primary address to contactus@office365lab.co.uk and add a second
address contact@office365lab.co.uk.
Set-DistributionGroup "Contact US" -EmailAddresses SMTP:contactus@office365lab.co.uk,contact@office365lab.co.uk

Remove Group
To remove a distribution group, use the Remove-DistributionGroup cmdlet specifying the
name of the group. This command will require you to confirm the removal by pressing Y
for Yes.
Remove-DistributionGroup "Contact US"

List Group Members


All groups need members to be useful, and all members of a group will receive a copy of
emails sent to it. Use the Get-DistributionGroupMember cmdlet specifying the name of
the group to return a list of members. Here we list the members for the Contact US group
and you will see the output returns the name of the object and its type. In this case there
are three user mailboxes in the group, but groups can also be members of other groups,
which is why the RecipientType attribute is returned by default to help identify the members.
Get-DistributionGroupMember "Contact US"
Add User to Group
Add users to a group by using the Add-DistributionGroupMember cmdlet. In this example
we add Ian to the Contact US distribution group. Here we have to use the
BypassSecurityGroupManagerCheck switch because it’s likely the account you are using to
administer Office 365 is not a manager of the group you are adding members to. If the
account you’re using to run the PowerShell command is a manager of the group then this
switch isn’t needed.
Add-DistributionGroupMember "Contact US" -Member ian.waters@office365lab.co.uk -BypassSecurityGroupManagerCheck

Remove User from Group


To remove a user from a group run the Remove-DistributionGroupMember cmdlet
specifying the name of the group and the UPN of the user to remove. Running this
command will prompt you to confirm the action by pressing Y for Yes.
Remove-DistributionGroupMember "Contact US" -Member fay.williams@office365lab.co.uk




Contact Management
Contacts are used to add external contacts to the global address list, groups or use with
forwarding rules.
List Contacts
To return a basic list of contacts use the Get-MailContact cmdlet.
Get-MailContact

When dealing with contacts we are usually interested in the external email address
assigned to them. To view the address of a contact, use the cmdlet and specify the identity
of the contact you are interested in by name. In the example below we return the attributes
of the “Ian Waters (SlashAdmin)” contact as a formatted list. Here we can see the
ExternalEmailAddress attribute which holds the external email address.
Get-MailContact -Identity "Ian Waters (SlashAdmin)" | FL

If you only want to see the ExternalEmailAddress attribute, then we can pipe the output
into Select as shown here:
Get-MailContact -Identity "Ian Waters (SlashAdmin)" | Select ExternalEmailAddress
Add Contact
To create a new Contact, use the New-MailContact cmdlet specifying the name, email
address and Alias.

New-MailContact -Name "Richard Tub (TubBlog)" -ExternalEmailAddress richard@tubblog.co.uk -Alias "RichardTub"

Remove Contact
To remove a contact, use the Remove-MailContact cmdlet and specify the name of the
contact. Running this command will require you to confirm the removal by pressing Y for
Yes.
Remove-MailContact -Identity "Ian Waters (SlashAdmin)"

Update Contact
If you need to update the external address of a contact due to a change of address or a
misspelling, use the Set-MailContact cmdlet.
Set-MailContact -Identity "Ian Waters (SlashAdmin)" -ExternalEmailAddress ian.waters@slashadmin.co.uk



Public Folders
Public folders are not enabled by default but offer an alternative way of sharing access to
emails in a structured way with several users. If your organization uses several public
email addresses that are managed by multiple users, then public folders offer a great
solution where shared mailboxes are not flexible enough for your purposes. Public folder
mailboxes are available in any subscription that includes Exchange Online Plan 1 or 2 so
are not accessible from Kiosk licenses. There is a maximum limit of 50 mailboxes which
combined must not exceed 2.5TB in size, that’s a lot of email!

List Public Folder Mailboxes
To list all available public folder mailboxes we use the Get-mailbox cmdlet using the
PublicFolder switch.
Get-Mailbox -PublicFolder

Create Public Folder Mailbox


For us to use public folders we first need to create a public folder mailbox to store all of
the folders and emails. We can use the New-Mailbox cmdlet to create a new mailbox. In
our example here we create a new public folder mailbox called PublicFolderMailbox.

New-Mailbox -PublicFolder -Name PublicFolderMailbox

Remove Public Folder Mailbox


We can remove public folder mailboxes using the Remove-Mailbox cmdlet. This
command requires you to confirm the removal by pressing Y for Yes. Remember the
mailbox and its contacts will be permanently deleted after 30 days, so ensure it’s safe to
remove it before doing so.
Remove-Mailbox -PublicFolder -Identity "PublicFolderMailbox"

List Public Folders


To list all available public folders, we use the Get-PublicFolder cmdlet with the Recurse
switch. Running the cmdlet on its own will only return the root folder IPM_SUBTREE.
Get-PublicFolder -Recurse

In this example we can see all of the public folder names and their path relative to the root.
In this case we can see Accounts is under the root designated by the backslash. Invoices to
Pay is stored under the Accounts folder, and On Hold is stored under \Accounts\Invoices
to Pay.

Add Public Folder


To create a new public folder in the root location we can simply run the New-PublicFolder
cmdlet and specify a name for the folder. Here we create a new Public folder called
Marketing in the root of the public folder mailbox.
New-PublicFolder -Name Marketing

To fully understand how the parent path works let’s create three other public folders:
Accounts, Sales and CustomerServices.

New-PublicFolder -Name Accounts
New-PublicFolder -Name Sales
New-PublicFolder -Name CustomerServices

Now let’s say the accounts team need to add some sub folders to the Accounts public
folder, how do we do that? Accounts ask us to create the following folders.
\Accounts\Invoices to Pay
\Accounts\Invoices to Pay\On Hold
New-PublicFolder -Name "Invoices to Pay" -Path "\Accounts"

New-PublicFolder -Name "On Hold" -Path "\Accounts\Invoices to Pay"

Remove Public Folder


To remove a public folder, use the Remove-PublicFolder cmdlet specifying the path and
using the Recurse switch to delete all of its subfolders. We must confirm the removal by
pressing Y for Yes. In this example we want to remove the Accounts public folder and all
of its subfolders.
Remove-PublicFolder -Identity "\Accounts" -Recurse

Public Folder Permissions


By default, when new public folders are created users will only be able to see the folders
but will not be able to do anything else. When we assign permissions we need to
understand the different roles that users can have because these roles contain a subset of
all of the possible permissions available. For example, a Reviewer can see folders and
read items and a contributor can see folders and create new items. When we assign
permissions to users we assign them one of these roles which defines their level of access.

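| Permission | None | Reviewer | Contributor | Non Editing Author | Author | Editor | Publishing Editor | Publishing Author | Owner |
|---|---|---|---|---|---|---|---|---|---|
| Folder Visible | ● | ● | ● | ● | ● | ● | ● | ● | ● |
| Create Items | | | ● | ● | ● | ● | ● | ● | ● |
| Read Items | | ● | | ● | ● | ● | ● | ● | ● |
| Create Subfolders | | | | | | | ● | ● | ● |
| Folder Owner | | | | | | | | | ● |
| Folder Contact | | | | | | | | | ● |
| Edit Owned Items | | | | | ● | ● | ● | ● | ● |
| Edit All Items | | | | | | ● | ● | | ● |
| Delete Owned Items | | | | | ● | ● | ● | ● | ● |
| Delete All Items | | | | | | ● | ● | | ● |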


Add Permissions to a Public Folder
To assign permissions to a public folder we use the Add-PublicFolderClientPermission
cmdlet specifying the Public folder path, the user we want to grant the permissions to and
the level of access they require.
In this example let’s assign Ian Waters PublishingEditor access rights to the Accounts
public folder. Note that the permissions will only apply to this folder; they won’t
automatically filter down to sub folders.
Add-PublicFolderClientPermission -Identity "\Accounts" -User "Ian Waters" -AccessRights PublishingEditor

Add Permissions to a public folder and all sub folders


If you need to add permissions for a user to a public folder and all sub folders, we need to
use the Get-PublicFolder cmdlet with the Recurse switch to return the public folder and all
sub folders, then pipe those objects into the Add-PublicFolderClientPermission cmdlet to
apply the required permissions to every folder. In this example let’s apply PublishingEditor
permissions to Fay for the Accounts folder and all of its sub folders.

Get-PublicFolder "\Accounts" -Recurse | Add-PublicFolderClientPermission -User "Fay Williams" -AccessRights PublishingEditor

Show Permissions
To return a list of all users and their access rights use the
Get-PublicFolderClientPermission cmdlet and specify the path to the folder.
Get-PublicFolderClientPermission "\Accounts"

If you need to view all access rights for all public folders pipe the output of
Get-PublicFolder into the Get-PublicFolderClientPermission cmdlet.
Get-PublicFolder -Recurse | Get-PublicFolderClientPermission
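
Because a grant on a folder does not filter down to its sub folders, the permission listing is worth checking for two things: who holds a role that can change other people's items or the folder tree, and which sub folders a user's grant never reached. This is an added example, not code from the book: Get-PublicFolderGrantReport is a hypothetical helper, the sample entries are constructed, and the role mapping is taken from the role table above.

```powershell
# Added example, not from the book. Role-to-right mapping follows the role table
# on this page, limited to rights that affect other users' items or the folder tree.
$RoleRights = @{
    Editor           = @('EditAllItems', 'DeleteAllItems')
    PublishingAuthor = @('CreateSubfolders')
    PublishingEditor = @('CreateSubfolders', 'EditAllItems', 'DeleteAllItems')
    Owner            = @('CreateSubfolders', 'EditAllItems', 'DeleteAllItems', 'FolderOwner')
}

# Hypothetical helper. Entries need Identity (folder path), User and AccessRights,
# the assumed shape of Get-PublicFolderClientPermission output.
function Get-PublicFolderGrantReport {
    param([Parameter(Mandatory)][object[]]$Permission)
    # Index which users have an entry on each folder path.
    $byFolder = @{}
    foreach ($p in $Permission) {
        $key = "$($p.Identity)"
        if (-not $byFolder.ContainsKey($key)) { $byFolder[$key] = @{} }
        $byFolder[$key]["$($p.User)"] = $true
    }
    foreach ($p in $Permission) {
        $path = "$($p.Identity)"
        $user = "$($p.User)"
        $role = $p.AccessRights -join ','
        # Expand the role name(s) into the high-impact rights they include.
        $high = @($role -split '\s*,\s*' | ForEach-Object { $RoleRights[$_] } |
                  Where-Object { $_ } | Select-Object -Unique)
        # Sub folders with no entry for this user: the grant did not reach them.
        $missing = @($byFolder.Keys | Where-Object {
            $_ -like "$path\*" -and -not $byFolder[$_].ContainsKey($user) } | Sort-Object)
        if ($high.Count -or $missing.Count) {
            [pscustomobject]@{
                Folder = $path; User = $user; Role = $role
                HighImpact = $high -join ','; NotOnSubfolders = $missing -join '; '
            }
        }
    }
}

# Constructed sample entries (not real tenant output), using the book's folder names.
$sample = @(
    [pscustomobject]@{ Identity = '\Accounts'; User = 'Ian Waters'; AccessRights = @('PublishingEditor') }
    [pscustomobject]@{ Identity = '\Accounts'; User = 'Fay Williams'; AccessRights = @('PublishingEditor') }
    [pscustomobject]@{ Identity = '\Accounts\Invoices to Pay'; User = 'Fay Williams'; AccessRights = @('PublishingEditor') }
    [pscustomobject]@{ Identity = '\Accounts\Invoices to Pay\On Hold'; User = 'Fay Williams'; AccessRights = @('Reviewer') }
)
Get-PublicFolderGrantReport -Permission $sample | Format-List

# Live: Get-PublicFolderGrantReport -Permission (Get-PublicFolder -Recurse | Get-PublicFolderClientPermission)
```

With the sample data, Ian Waters is reported on \Accounts with both sub folders listed under NotOnSubfolders, while Fay Williams's Reviewer entry on On Hold is not reported because that role carries none of the mapped rights.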
















I hope you find this Office 365 PowerShell reference manual useful on your quest to
becoming a proficient Office 365 PowerShell administrator!
Remember to succeed as an IT administrator you have to keep on learning, try out new
ideas, practice as often as you can and try to have fun in the process.
This book is just a stepping stone, so use the knowledge you’ve gained here and move on
to write scripts and automate as many tasks as possible. Automation makes your work
easier and leaves less room for error.
If you want to support other IT admins like you and you want to keep up with my
experiences with Life in IT then follow me at www.slashadmin.co.uk and subscribe to the
blog.

If you want to have some fun with PowerShell, then register to be the first to read my next
book. Learn how to write old school games using nothing more than PowerShell! We even
learn how to write multiplayer network games that you can play in the office.

http://www.slashadmin.co.uk/GetIt/old-school-games-programming-using-powershell


Many thanks for the support
I couldn’t do it without you!
