Export (0) Print
Expand All
Expand Minimize

Set-MsolCompanySettings

Published: March 22, 2013

Updated: December 18, 2014

Applies To: Azure, Office 365, Windows Intune

noteNote
  • This topic provides online help content for cloud services, such as Windows Intune and Office 365, which rely on Microsoft Azure Active Directory for identity and directory services.

  • The Microsoft Azure Active Directory Module for Windows PowerShell cmdlets were previously known as the Microsoft Online Services Module for Windows PowerShell cmdlets.

The Set-MsolCompanySettings cmdlet is used to set company-level configuration settings.

Set-MsolCompanySettings [-SelfServePasswordResetEnabled <Boolean>] [-UsersPermissionToCreateGroupsEnabled <Boolean>] [-AllowAdHocSubscriptions <Boolean>] [-AllowEmailVerifiedUsers <Boolean>] [-DefaultUsageLocation] [-UsersPermissionToCreateLOBAppsEnabled <Boolean>] [-UsersPermissionToReadOtherUsersEnabled <Boolean>] [-UsersPermissionToUserConsentToAppEnabled <Boolean>] [-TenantId <Guid>] [<CommonParameters>]

    -SelfServePasswordResetEnabled <Boolean>
        Indicates whether to allow the use of the self-service password reset 
        feature.  This setting is applied company-wide.
        
        Required?                    false
        Position?                    named
        Default value                
        Accept pipeline input?       false
        Accept wildcard characters?  false
        
    - UsersPermissionToCreateGroupsEnabled <Boolean>
        Indicates whether to allow users to create groups. 
        This setting is applied company-wide. Set to False to disable users’ ability to create groups. 
        
        Required?                    false
        Position?                    named
        Default value                true
        Accept pipeline input?       false
        Accept wildcard characters?  false
        
    - AllowAdHocSubscriptions <Boolean>
        Indicates whether to allow users to sign up for email-based subscriptions as individuals, such as signing up RMS for individuals. 
        This setting is applied company-wide. Set to False to block users from signing up for email-based subscription as individuals. 
        
        Required?                    false
        Position?                    named
        Default value                true
        Accept pipeline input?       false
        Accept wildcard characters?  false
        
    - AllowEmailVerifiedUsers <Boolean>
        Indicates whether users can join a tenant by email validation. The user must have an email address in a domain that matches one of the verified domains in the tenant. 
        This setting is applied company-wide. Set to False to block users from joining the tenant by email validation. 
        
        Required?                    false
        Position?                    named
        Default value                
        Accept pipeline input?       false
        Accept wildcard characters?  false
        
    - DefaultUsageLocation <Boolean>
        Indicates the value that will be applied to the User.UsageLocation attribute if none is present when assigning licenses to Microsoft products. If the default value is null, then the location value for the tenant is used. 
        
        Required?                    false
        Position?                    named
        Default value                true
        Accept pipeline input?       false
        Accept wildcard characters?  false
        
    - UsersPermissionToCreateLOBAppsEnabled <Boolean>
        Indicates whether to allow users to create new applications. 
        This setting is applied company-wide. Set to False to disable users’ ability to create new applications for their organization.
        
        Required?                    false
        Position?                    named
        Default value                true
        Accept pipeline input?       false
        Accept wildcard characters?  false
        
    - UsersPermissionToReadOtherUsersEnabled <Boolean>
        Indicates whether to allow users to view the profile info of other users in their company. 
        This setting is applied company-wide. Set to False to disable users’ ability to use the Azure AD module for Windows PowerShell to access user information for their organization. 
        
        Required?                    false
        Position?                    named
        Default value                true
        Accept pipeline input?       false
        Accept wildcard characters?  false
        
    - UsersPermissionToUserConsentToAppEnabled <Boolean>
        Indicates whether to allow users to consent to apps that require access to their cloud user data, such as directory user profile or Office 365 mail and OneDrive for business. 
        This setting is applied company-wide. Set to False to disable users’ ability to grant consent to applications.
        
        Required?                    false
        Position?                    named
        Default value                true
        Accept pipeline input?       false
        Accept wildcard characters?  false
        
    -TenantId <Guid>
        The unique ID of the tenant to perform the operation on. If this is 
        not provided, then the value will default to the tenant of the current 
        user. This parameter is only applicable to partner users.
        
        Required?                    false
        Position?                    named
        Default value                
        Accept pipeline input?       true (ByPropertyName)
        Accept wildcard characters?  false
        
    <CommonParameters>
        This cmdlet supports the common parameters: Verbose, Debug,
        ErrorAction, ErrorVariable, WarningAction, WarningVariable,
        OutBuffer and OutVariable. For more information, type,
        "get-help about_commonparameters".

The following command enables the self-serve password reset feature for all users in the company.

Set-MsolCompanySettings -SelfServePasswordResetEnabled $true

The following command disables the ability of users to consent to apps.

Set-MsolCompanySettings - UsersPermissionToUserConsentToAppEnabled $false

The following command disables the ability of users to see the profile info of other users in the company. Users can see only their own profile info.

Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $false

The following command disables the ability of users to create new applications or consent to applications. Users can create groups.

Set-MsolCompanySettings -UsersPermissionToCreateLOBAppsEnabled $false
-UsersPermissionToUserConsentToAppEnabled $false -UsersPermissionToReadOtherUsersEnabled $false -UsersPermissionToCreateGroupsEnabled $true


The following command allows users to join a tenant by email validation and sign up for email-based subscriptions as an individual. For example, a user with the email address Dan@Contoso.com responds to an offer to sign up for Office 365 Education as an individual. Dan does not yet have an account in Azure AD directory for Contoso.com. In that case, the following command allows Dan to sign up for Office 365 Education as an individual and have an account provisioned in the Contoso.com directory.

Set-MsolCompanySettings -AllowEmailVerifiedUsers $true -AllowAdHocSubscriptions $true

The following command allows users to sign up for email-based subscriptions, but only if the user accounts already exist in Azure AD. For example, a user with the email address Dan@Contoso.com responds to an offer to sign up for RMS for individuals. Dan has an account in the Azure AD directory for Contoso.com that was either created by the Azure AD global administrator or it was synchronized with Azure AD from an on-premises directory. In that case, the following command allows Dan to sign up for RMS for individuals by responding to an email-based subscription offer.

Set-MsolCompanySettings -AllowEmailVerifiedUsers $false -AllowAdHocSubscriptions $true

The following command prevents users from signing up for email-based subscriptions for individuals.

Set-MsolCompanySettings -AllowAdHocSubscriptions $false

The following command prevents users from joining the directory by email-based validation.

Set-MsolCompanySettings -AllowEmailVerifiedUsers $false

See Also

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft