SOLVED

Delegated Admin tenants and adding a list of the same users across multiple tenants PowerShell

Brass Contributor

Hello 

 

To the point: 

 

We are managing clients tenants through Partner Centre - However, there is limited controls. i.e. Cannot properly manage SharePoint, Convert users mailboxes to Shared Mailboxes, manage Teams etc. Therefor the only way around this that I can tell is to create all our service desk users as users in each client tenant. Then assign the appropriate admin roles they require 

Through PowerShell, we can create users using Delegated Access, creating a CSV listing: 

 

 

UserPrincipalName,FirstName,LastName,DisplayName,Password,TenantId,UsageLocation,LicenseAssignment

 


Then in PowerShell - we can get a list of all our clients "Tenant ID's" then substitute them into the CSV

And we require to add each users UPN to match the clients active domain name. i.e. contoso.onmicrosoft.com



We then can run the following for a single client tenant and it will create the users 

 

Import-Csv .\FILENAME.CSV | foreach {New-MsolUser -UserPrincipalName $_.UserPrincipalName -DisplayName $_.DisplayName -FirstName $_.FirstName -LastName $_.LastName -Password $_.Password -UsageLocation $_.UsageLocation -LicenseAssignment $_.LicenseAssignment -ForceChangePassword:$true -PasswordNeverExpires:$true -TenantId $_.TenantId}

 

 

When a user leaves, we simple run a removal script to remove the service desk user from the client's Microsoft tenant. 

 

The Problem

We have almost 90 clients we are managing from our service desk, we want to be able to have 1 list of our users and run the script to loop through each tenant ID and create the users.

 

We seem to have this almost down, however the UPN bit is what is catching us. 

 

When creating a New-MsolUser when you get to the -UserPrincipleName we not sure how to automate and append each clients "@contoso.onmicrosoft.com" address to each user in our user list. 

 

-- Currently we have it like this: (may still not be right but just trying to fudge the idea together to perhaps find a way of doing it: 

 

 

$cred = Get-Credential
Import-Module MsOnline
Connect-MsolService -Credential $cred

Get-MsolPartnerContract -All | ForEach {
    Import-Csv -Path <Input CSV File Path and Name> | foreach -TenantId $_.TenantId.Guid {New-MsolUser -DisplayName $_.DisplayName -FirstName $_.FirstName -LastName $_.LastName -UserPrincipalName $_.UserPrincipalName -UsageLocation $_.UsageLocation -LicenseAssignment $_.AccountSkuId -Password $_.Password -ForceChangePassword:$true -PasswordNeverExpires:$true}
}

 

any ideas or clues would be great, we've referenced this so far:  https://docs.microsoft.com/en-us/office365/enterprise/powershell/manage-office-365-tenants-with-wind...

 

 

3 Replies

It's been a long time since I had a partner account, but you should be able to get the domain name from the output of Get-MsolPartnerContract, or just call Get-MsolDomain for each tenant? Then append to the UPN.

Thanks, @Vasil Michev 

 

I thought this too but I get all the clients domains, if I filter by -Match ".onmicrosoft.com" I get mostly 2 returns. 

 

contoso.mail.onmicrosoft.com and contoso.onmicrosoft.com  

 

 

best response confirmed by Adam Weldon-Ming (Brass Contributor)
Solution

Worked it out :D 

 

 

Get-MsolPartnerContract -All | ForEach {
    $tenantprefix = [string]$_.DefaultDomainName
    $TenantId = [string]$_.TenantId.Guid

    Import-Csv .\users1.csv | foreach {
        $newUPN = $_.UserPrincipalName + "@" + $tenantprefix
        $newUPN = [string]$newUPN
        New-MsolUser -DisplayName $_.DisplayName -UserPrincipalName $newUPN -Password $_.Password -ForceChangePassword:$true -PasswordNeverExpires:$true -TenantId $TenantId 
    }
}

 

 

1 best response

Accepted Solutions
best response confirmed by Adam Weldon-Ming (Brass Contributor)
Solution

Worked it out :D 

 

 

Get-MsolPartnerContract -All | ForEach {
    $tenantprefix = [string]$_.DefaultDomainName
    $TenantId = [string]$_.TenantId.Guid

    Import-Csv .\users1.csv | foreach {
        $newUPN = $_.UserPrincipalName + "@" + $tenantprefix
        $newUPN = [string]$newUPN
        New-MsolUser -DisplayName $_.DisplayName -UserPrincipalName $newUPN -Password $_.Password -ForceChangePassword:$true -PasswordNeverExpires:$true -TenantId $TenantId 
    }
}

 

 

View solution in original post