Manage Office 365 tenants with Windows PowerShell for Delegated Access Permissions (DAP) partners


Topic Last Modified: 2016-05-04

Summary: Use Windows PowerShell for Office 365 to manage your customer tenancies.

Windows PowerShell allows Syndication and Cloud Solution Provider (CSP) partners to easily administer and report on customer tenancy settings that are not available in the Office 365 admin center. Note that Administer on Behalf Of (AOBO) permissions are required for the partner administrator account to connect to its customer tenancies.

Delegated Access Permission (DAP) partners are Syndication and Cloud Solution Provider (CSP) partners. They are frequently network or telecom providers to other companies, and they bundle Office 365 subscriptions into their service offerings to their customers. When they sell an Office 365 subscription, they are automatically granted Administer On Behalf Of (AOBO) permissions to the customer tenancies so they can administer and report on the customer tenancies.

The procedures in this topic require you to connect to Windows PowerShell for Office 365. For instructions, see Connect to Office 365 PowerShell.

You also need your partner tenant administrator credentials.

If you have more than 500 tenants, scope the cmdlet syntax with either the -All or the -MaxResults parameter. This also applies to other cmdlets that can return a large amount of output, such as Get-MsolUser.

To list all customer tenant IDs that you have access to, run this command.

Get-MsolPartnerContract -All | Select-Object TenantId

This will display a listing of all your customer tenants by TenantId.

To get the TenantId for a specific customer tenant by domain name, run this command. Replace <> with the actual domain name of the customer tenant that you want.

Get-MsolPartnerContract -DomainName <> | Select-Object TenantId

To get all domains for any one customer tenant, run this command. Replace <customer TenantId value> with the actual value.

Get-MsolDomain -TenantId <customer TenantId value>

If you have registered additional domains, this will return all domains associated with the customer TenantId.

The previous Windows PowerShell for Office 365 commands showed you how to retrieve either tenant IDs or domains but not both at the same time, and with no clear mapping between them all. This command generates a listing of all your customer tenant IDs and their domains.

$Tenants = Get-MsolPartnerContract -All; $Tenants | foreach {$TenantId = $_.TenantId; Get-MsolDomain -TenantId $TenantId | fl @{Label="TenantId";Expression={$TenantId}},Name}

To display the UserPrincipalName, the DisplayName, and the isLicensed status for all users for a particular tenant, run this command. Replace <customer TenantId value> with the actual value.

Get-MsolUser -TenantID <customer TenantId value>

If you want to see all the properties of a particular user, run this command. Replace <customer TenantId value> and <user principal name value> with the actual values.

Get-MsolUser -TenantId <customer TenantId value> -UserPrincipalName <user principal name value>

The bulk creation, configuration, and licensing of Office 365 users is particularly efficient when you use Windows PowerShell for Office 365. In this two-step process, you first create entries for all the users you want to add in a comma-separated value (CSV) file and then import that file by using Windows PowerShell for Office 365.

Create a CSV file by using this format:

  • UserPrincipalName,FirstName,LastName,DisplayName,Password,TenantId,UsageLocation,LicenseAssignment


  • UsageLocation: The value for this is the two-letter ISO country/region code of the user. The country/region codes can be looked up at the ISO Online Browsing Platform. For example, the code for the United States is US, and the code for Brazil is BR.

  • LicenseAssignment: The value for this uses this format: syndication-account:<PROVISIONING_ID>. For example, if you are assigning customer tenant users O365_Business_Premium licenses, the LicenseAssignment value looks like this: syndication-account:O365_Business_Premium. You will find the PROVISIONING_IDs in the Syndication Partner Portal that you have access to as a Syndication or CSP partner.

After you have created your CSV file, run this command to create user accounts with non-expiring passwords that the user must change at first sign-in, and to assign the license you specify. Be sure to substitute the correct CSV file name.

Import-Csv .\FILENAME.CSV | foreach {New-MsolUser -UserPrincipalName $_.UserPrincipalName -DisplayName $_.DisplayName -FirstName $_.FirstName -LastName $_.LastName -Password $_.Password -UsageLocation $_.UsageLocation -LicenseAssignment $_.LicenseAssignment -ForceChangePassword:$true -PasswordNeverExpires:$true -TenantId $_.TenantId}
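
Because the import command writes to whichever customer tenant each row names, it helps to check the CSV before running it. The following is an added example, not part of the original topic: Test-BulkUserRow is a hypothetical helper name, the checks are assumptions derived from the column descriptions above, and the sample rows are constructed.

```powershell
# Added example: validate bulk-user CSV rows before New-MsolUser sees them.
# Test-BulkUserRow is a hypothetical helper name, not an MSOnline cmdlet.
function Test-BulkUserRow {
    param([Parameter(Mandatory)] [psobject[]] $Rows)
    $required = 'UserPrincipalName','FirstName','LastName','DisplayName',
                'Password','TenantId','UsageLocation','LicenseAssignment'
    $seen = @{}   # "TenantId|UPN" -> first line where it appeared
    $line = 1     # line 1 of the file is the header row
    foreach ($row in $Rows) {
        $line++
        $problems = @()
        foreach ($col in $required) {
            if ([string]::IsNullOrWhiteSpace($row.$col)) { $problems += "missing $col" }
        }
        $guid = [guid]::Empty
        if ($row.TenantId -and -not [guid]::TryParse($row.TenantId, [ref]$guid)) {
            $problems += 'TenantId is not a GUID'
        }
        if ($row.UsageLocation -and $row.UsageLocation -notmatch '^[a-z]{2}$') {
            $problems += 'UsageLocation is not a two-letter code'
        }
        if ($row.LicenseAssignment -and $row.LicenseAssignment -notmatch '^syndication-account:\S+$') {
            $problems += 'LicenseAssignment is not syndication-account:<PROVISIONING_ID>'
        }
        if ($row.UserPrincipalName) {
            if ($row.UserPrincipalName -notmatch '^[^@\s]+@[^@\s]+$') { $problems += 'UserPrincipalName is not user@domain' }
            $key = "$($row.TenantId)|$($row.UserPrincipalName)".ToLowerInvariant()
            if ($seen.ContainsKey($key)) { $problems += "duplicate of line $($seen[$key])" } else { $seen[$key] = $line }
        }
        [pscustomobject]@{ Line = $line; UserPrincipalName = $row.UserPrincipalName
                           Valid = ($problems.Count -eq 0); Problems = ($problems -join '; ') }
    }
}

# Constructed sample data: the tenant GUID, names, domains and passwords are made up.
$sample = @'
UserPrincipalName,FirstName,LastName,DisplayName,Password,TenantId,UsageLocation,LicenseAssignment
ana@contoso.example,Ana,Silva,Ana Silva,Placeholder-Pw-1,11111111-2222-3333-4444-555555555555,BR,syndication-account:O365_Business_Premium
bob@contoso.example,Bob,Lee,Bob Lee,Placeholder-Pw-2,not-a-guid,usa,O365_Business_Premium
ana@contoso.example,Ana,Silva,Ana Silva,,11111111-2222-3333-4444-555555555555,US,syndication-account:O365_Business_Premium
'@ | ConvertFrom-Csv

$report = Test-BulkUserRow -Rows $sample
$report | Format-Table -AutoSize -Wrap
```

Rows reported with Valid = False should be corrected before the file is piped to New-MsolUser. The CSV holds initial passwords in clear text, so remove it once the import has succeeded.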