Manage Microsoft 365 tenants with Windows PowerShell for Delegated Access Permissions (DAP) partners

This article applies to both Microsoft 365 Enterprise and Office 365 Enterprise.

Windows PowerShell allows Syndication and Cloud Solution Provider (CSP) partners to easily administer and report on customer tenancy settings that aren't available in the Microsoft 365 admin center. Administer on Behalf Of (AOBO) permissions are required for the partner administrator account to connect to its customer tenancies.

Delegated Access Permission (DAP) partners are Syndication and Cloud Solution Provider (CSP) partners. They're frequently network or telecom providers to other companies. They bundle Microsoft 365 subscriptions into their service offerings to their customers. When they sell a Microsoft 365 subscription, they're automatically granted Administer On Behalf Of (AOBO) permissions to the customer tenancies so they can administer and report on the customer tenancies.

What do you need to know before you begin?

The procedures in this topic require you to connect to Microsoft 365 with PowerShell. For instructions, see Connect to Microsoft 365 with PowerShell.

Note

Azure AD and MSOnline PowerShell modules are deprecated as of March 30, 2024. To learn more, read the deprecation update. After this date, support for these modules is limited to migration assistance to Microsoft Graph PowerShell SDK and security fixes. The deprecated modules will continue to function through March 30, 2025.

We recommend migrating to Microsoft Graph PowerShell to interact with Microsoft Entra ID (formerly Azure AD). For common migration questions, refer to the Migration FAQ. Note: Versions 1.0.x of MSOnline may experience disruption after June 30, 2024.

You also need your partner tenant administrator credentials.

What do you want to do?

List all tenant IDs

Note

If you have more than 500 tenants, scope the cmdlet syntax with either the -All or the -MaxResults parameter. This also applies to other cmdlets that can return a large amount of output, such as Get-MsolUser.

To list all customer tenant IDs that you have access to, run this command.

Get-MsolPartnerContract -All | Select-Object TenantId

This displays a listing of all your customer tenants by TenantId.

Note

PowerShell Core does not support the Microsoft Azure Active Directory module for Windows PowerShell or cmdlets with Msol in their name. To continue using these cmdlets, you must run them from Windows PowerShell.

Get a tenant ID by using the domain name

To get the TenantId for a specific customer tenant by domain name, run this command. Replace <domainname.onmicrosoft.com> with the actual domain name of the customer tenant that you want.

Get-MsolPartnerContract -DomainName <domainname.onmicrosoft.com> | Select-Object TenantId

List all domains for a tenant

To get all domains for any one customer tenant, run this command. Replace <customer TenantId value> with the actual value.

Get-MsolDomain -TenantId <customer TenantId value>

If you have registered additional domains, this returns all domains associated with the customer TenantId.

Get a mapping of all tenants and registered domains

The previous PowerShell for Microsoft 365 commands showed you how to retrieve either tenant IDs or domains but not both at the same time, and with no clear mapping between them all. This command generates a listing of all your customer tenant IDs and their domains.

Get-MsolPartnerContract -All | ForEach-Object {$TenantId = $_.TenantId; Get-MsolDomain -TenantId $TenantId | Format-List @{Label="TenantId";Expression={$TenantId}},Name}

Get all users for a tenant

This displays the UserPrincipalName, the DisplayName, and the isLicensed status for all users for a particular tenant. Replace <customer TenantId value> with the actual value.

Get-MsolUser -TenantID <customer TenantId value>

Get all details about a user

If you want to see all the properties of a particular user, run this command. Replace <customer TenantId value> and <user principal name value> with the actual values.

Get-MsolUser -TenantId <customer TenantId value> -UserPrincipalName <user principal name value>

Add users, set options, and assign licenses

Bulk creation, configuration, and licensing of Microsoft 365 users is particularly efficient with PowerShell for Microsoft 365. In this two-step process, you first create entries for all the users you want to add in a comma-separated value (CSV) file and then import that file by using PowerShell for Microsoft 365.

Create a CSV file

Create a CSV file by using this format:

UserPrincipalName,FirstName,LastName,DisplayName,Password,TenantId,UsageLocation,LicenseAssignment

where:

  • UsageLocation: The value for this is the two-letter ISO country/region code of the user. The country/region codes can be looked up at the ISO Online Browsing Platform. For example, the code for the United States is US, and the code for Brazil is BR.

  • LicenseAssignment: The value for this uses this format: syndication-account:<PROVISIONING_ID>. For example, if you're assigning customer tenant users O365_Business_Premium licenses, the LicenseAssignment value looks like this: syndication-account:O365_Business_Premium. You'll find the PROVISIONING_IDs in the Syndication Partner Portal that you have access to as a Syndication or CSP partner.

Import the CSV file and create the users

After you have created your CSV file, run this command to create user accounts with non-expiring passwords that the user must change at first sign-in, and to assign the license you specify. Be sure to substitute the correct CSV file name.

Import-Csv .\FILENAME.CSV | foreach {New-MsolUser -UserPrincipalName $_.UserPrincipalName -DisplayName $_.DisplayName -FirstName $_.FirstName -LastName $_.LastName -Password $_.Password -UsageLocation $_.UsageLocation -LicenseAssignment $_.LicenseAssignment -ForceChangePassword:$true -PasswordNeverExpires:$true -TenantId $_.TenantId}
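A pre-import check for the CSV format described above, as an added example that is not part of the original article. Test-PartnerUserCsv is a hypothetical helper name, and the sample rows, tenant ID, and domain are constructed placeholders; the checks make no calls to Microsoft 365, so a malformed row is caught before New-MsolUser creates an account in the wrong tenant or without a license.

```powershell
# Added example: validates the user CSV before it is piped to New-MsolUser.
# Test-PartnerUserCsv is a hypothetical helper; the sample rows are constructed.
$RequiredColumns = 'UserPrincipalName','FirstName','LastName','DisplayName',
                   'Password','TenantId','UsageLocation','LicenseAssignment'

function Test-PartnerUserCsv {
    param([object[]]$Rows)
    if (-not $Rows) { return 'CSV contains no rows' }

    # Every column from the documented header must be present.
    $present = $Rows[0].PSObject.Properties.Name
    $missing = $RequiredColumns | Where-Object { $_ -notin $present }
    if ($missing) { return "Missing columns: $($missing -join ', ')" }

    $problems = @()
    $line = 1   # the header is line 1 of the file
    foreach ($r in $Rows) {
        $line++
        $guid = [guid]::Empty
        if ($r.UserPrincipalName -notmatch '^[^@\s]+@[^@\s]+$') {
            $problems += "line ${line}: UserPrincipalName is not in user@domain form"
        }
        if (-not [guid]::TryParse($r.TenantId, [ref]$guid)) {
            $problems += "line ${line}: TenantId is not a GUID"
        }
        if ($r.UsageLocation -cnotmatch '^[A-Z]{2}$') {
            $problems += "line ${line}: UsageLocation must be a two-letter code such as US"
        }
        if ($r.LicenseAssignment -notmatch '^syndication-account:\S+$') {
            $problems += "line ${line}: LicenseAssignment must be syndication-account:<PROVISIONING_ID>"
        }
        # The file holds initial passwords in clear text: report absence only, never the value.
        if ([string]::IsNullOrWhiteSpace($r.Password)) {
            $problems += "line ${line}: Password is empty"
        }
    }
    $problems
}

# Constructed sample data (placeholder tenant ID, domain, and password).
$sample = @'
UserPrincipalName,FirstName,LastName,DisplayName,Password,TenantId,UsageLocation,LicenseAssignment
ana@contoso.onmicrosoft.com,Ana,Silva,Ana Silva,<initial-password>,00000000-0000-0000-0000-000000000000,BR,syndication-account:O365_Business_Premium
bob@contoso.onmicrosoft.com,Bob,Lee,Bob Lee,,not-a-guid,usa,O365_Business_Premium
'@ | ConvertFrom-Csv

Test-PartnerUserCsv -Rows $sample
```

To check the real file, run Test-PartnerUserCsv -Rows (Import-Csv .\FILENAME.CSV) and proceed with the import only when it returns nothing.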

See also

Help for partners