Export (0) Print
Expand All

Manage Remote PowerShell Access in Exchange Online

Exchange Online
 

Applies to: Exchange Online

Topic Last Modified: 2013-02-18

Remote PowerShell enables you to manage your Exchange Online organization from the command line. By default, all accounts you create in Exchange Online are allowed to use the remote Shell to access your Exchange Online organization. You can enable or disable a user’s ability to connect to your Exchange Online organization using remote Shell. Note that remote Shell access to your organization doesn't give users extra administrative powers. A user's capabilities are still defined by role based access control (RBAC) and the roles assigned to them.

tipTip:
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection

To enable or disable remote Shell for a user, use the following syntax.

Set-User <UserIdentity> -RemotePowerShellEnabled <$true | $false>

This example enables remote Shell for the user david@contoso.com.

Set-User david@contoso.com -RemotePowerShellEnabled $true

This example disables remote Shell for the user david@contoso.com.

Set-User david@contoso.com -RemotePowerShellEnabled $false

To prevent remote Shell access for a specific group of existing users, you have the following options:

  • Filter users based on an existing attribute   This method assumes that the target user accounts all share a unique filterable attribute. For example, the Title, Department, or one of the CustomAttribute1-15 attributes are the same for and unique to all the affected users. Some attributes, such as Title, Department, address information, and telephone number, are visible only when you use the Get-User cmdlet. Other attributes, such as CustomAttribute1-15, are visible only when you use the Get-Mailbox cmdlet.
  • Use a list of specific users   After you generate the list of specific users, you can use that list to disable remote Shell access.

To disable remote Shell access for users based on an existing attribute, use the following syntax.

<Get-Mailbox | Get-User> -ResultSize unlimited -Filter <Filter> | Set-User -RemotePowerShellEnabled $false

This example removes remote Shell access for all users whose Title attribute contains the value "Sales Associate".

Get-User -ResultSize unlimited -Filter {(RecipientType -eq 'UserMailbox') -and (Title -like '*Sales Associate*')} | Set-User -RemotePowerShellEnabled $false

To disable remote Shell access for a list of specific users, use the following syntax.

Get-Content <text file> | Set-User -RemotePowerShellEnabled $false

This example uses the text file C:\My Documents\NoPowerShell.txt to identify the users by their email addresses. The text file must contain one email address on each line as follows:

akol@contoso.com
tjohnston@contoso.com
kakers@contoso.com

After you populate the text file with the user accounts you want to update, run the following command.

Get-Content "C:\My Documents\NoPowerShell.txt" | Set-User -RemotePowerShellEnabled $false

To view the remote Shell access status for a specific user, use the following syntax.

Get-User <UserIdentity> | Format-List RemotePowerShellEnabled

This example displays the remote Shell access status of a user named Sarah Jones.

Get-User "Sarah Jones" | Format-List RemotePowerShellEnabled

To display the remote Shell access status for all users, run the following command.

Get-User -ResultSize unlimited | Format-Table Name,DisplayName,RemotePowerShellEnabled

To display only those users who don't have access to remote Shell, run the following command:

Get-User -ResultSize unlimited -Filter {RemotePowerShellEnabled -eq $false}

To display only those users who have access to remote Shell, run the following command:

Get-User -ResultSize unlimited -Filter {RemotePowerShellEnabled -eq $true}
 
Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft