Enable or disable access to Exchange Online PowerShell

 

Applies to: Exchange Online

Topic Last Modified: 2016-06-15

Exchange Online PowerShell enables you to manage your Exchange Online organization from the command line. By default, all accounts you create in Exchange Online are allowed to use Exchange Online PowerShell. Administrators can use Exchange Online PowerShell to enable or disable a user’s ability to connect to Exchange Online PowerShell. Note that access to Exchange Online PowerShell doesn't give users extra administrative powers in your organization. A user's capabilities in Exchange Online PowerShell are still defined by role based access control (RBAC) and the roles that are assigned to them.

  • Estimated time to complete each procedure: less than 5 minutes

  • Office 365 global admins have access to Exchange Online PowerShell, and can use the procedures in this topic to configure Exchange Online PowerShell access for other users. For more information about permissions in Exchange Online, see Feature permissions in Exchange Online.

  • You can only use PowerShell to perform this procedure. To learn how to use Windows PowerShell to connect to Exchange Online, see Connect to Exchange Online PowerShell.

  • For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard shortcuts in the Exchange admin center.

tipTip:
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection.

To enable or disable access to Exchange Online PowerShell for a user, use the following syntax:

Set-User <UserIdentity> -RemotePowerShellEnabled <$true | $false>

This example disables access to Exchange Online PowerShell for the user david@contoso.com.

Set-User david@contoso.com -RemotePowerShellEnabled $false

This example enables access to Exchange Online PowerShell for the user david@contoso.com.

Set-User david@contoso.com -RemotePowerShellEnabled $true

To prevent access to Exchange Online PowerShell for a specific group of existing users, you have the following options:

  • Filter users based on an existing attribute   This method assumes that the target user accounts all share a unique filterable attribute. For example, the Title, Department, or one of the CustomAttribute1-15 attributes are the same for and unique to all the affected users. Some attributes, such as Title, Department, address information, and telephone number, are visible only when you use the Get-User cmdlet. Other attributes, such as CustomAttribute1-15, are visible only when you use the Get-Mailbox cmdlet.

  • Use a list of specific users   After you generate the list of specific users, you can use that list to disable their access to Exchange Online PowerShell.

To disable access to Exchange Online PowerShell for users based on an existing attribute, use the following syntax:

<Get-Mailbox | Get-User> -ResultSize unlimited -Filter <Filter> | Set-User -RemotePowerShellEnabled $false

This example removes access to Exchange Online PowerShell for all users whose Title attribute contains the value "Sales Associate".

Get-User -ResultSize unlimited -Filter {(RecipientType -eq 'UserMailbox') -and (Title -like '*Sales Associate*')} | Set-User -RemotePowerShellEnabled $false

To disable access to Exchange Online PowerShell for a list of specific users, use the following syntax:

Get-Content <text file> | Set-User -RemotePowerShellEnabled $false

This example uses the text file C:\My Documents\NoPowerShell.txt to identify the users by their email addresses. The text file must contain one email address on each line as follows:

akol@contoso.com
tjohnston@contoso.com
kakers@contoso.com

After you populate the text file with the user accounts you want to update, run the following command:

Get-Content "C:\My Documents\NoPowerShell.txt" | Set-User -RemotePowerShellEnabled $false

To view the Exchange Online PowerShell access status for a specific user, use the following syntax:

Get-User <UserIdentity> | Format-List RemotePowerShellEnabled

This example displays the Exchange Online PowerShell access status of the user named Sarah Jones.

Get-User "Sarah Jones" | Format-List RemotePowerShellEnabled

To display the Exchange Online PowerShell access status for all users, run the following command.

Get-User -ResultSize unlimited | Format-Table Name,DisplayName,RemotePowerShellEnabled

To display only those users who don't have access to Exchange Online PowerShell, run the following command:

Get-User -ResultSize unlimited -Filter {RemotePowerShellEnabled -eq $false}

To display only those users who have access to Exchange Online PowerShell, run the following command:

Get-User -ResultSize unlimited -Filter {RemotePowerShellEnabled -eq $true}
 
Show: