Skip to content

Month: July 2020

[Powershell] Create Microsoft 365 admin account on all managed tenants

I received a question from a customer asking me for a way to create MFA-enabled administrator accounts on all Microsoft 365 tenants managed through the Partner portal, without having to manually go to each tenant and creating them. To solve this, I threw together a quick script that imports a .CSV file containing the DisplayName, UserPrincipalName and Password and then goes through every managed tenant to create the accounts and enables MFA on the newly created accounts.

As an extra bonus, I’ve also provided a script that could be used to remove the accounts on all managed tenants.

Enjoy!

Account Creation

<#
.Description
	This script is used for creating (multiple) Microsoft 365 tenant administrator accounts for all tenants managed by your MSP.
	Current Version: 1.1
	
	Version History:
   ---------------- 
   v1.0: First release.
   v1.1: Fixed a bug that caused trouble when adding roles.
   
	By: Stefan van Bruggen, Open ICT
		[email protected]

#>




# Connect to Microsoft 365 using your partner account credentials.

Connect-MsolService

# Get managed tenant IDs and prefixes.

Get-MsolPartnerContract -All | ForEach {
    $TenantPrefix = [string]$_.DefaultDomainName
    $TenantId = [string]$_.TenantId.Guid
      
		# Define administrator roles to be granted to the user.
      
		$Roles = "Authentication Administrator","Azure Information Protection Administrator","Company Administrator","Conditional Access Administrator","Directory Readers","Directory Synchronization Accounts","Directory Writers","Exchange Service Administrator","Helpdesk Administrator","Hybrid Identity Administrator","Intune Service Administrator","Kaizala Administrator","License Administrator","Message Center Privacy Reader","Message Center Reader","Partner Tier1 Support","Partner Tier2 Support","Password Administrator","Privileged Authentication Administrator","Privileged Role Administrator","Reports Reader","Service Support Administrator","SharePoint Service Administrator","Teams Communications Administrator","Teams Communications Support Engineer","Teams Communications Support Specialist","Teams Service Administrator","User Account Administrator"
    
		# Import users from .csv and create new user account, the .csv should have the following fields: DisplayName,UserPrincipalName,Password
      
		Import-Csv .\users.csv | ForEach {
        $newUPN = $_.UserPrincipalName + "@" + $TenantPrefix
        $newUPN = [string]$newUPN
        New-MsolUser -DisplayName $_.DisplayName -UserPrincipalName $newUPN -Password $_.Password -ForceChangePassword:$true -PasswordNeverExpires:$true -TenantId $TenantId 
        
        # Add newly created user account to previously defined administrator roles

        ForEach($role in $roles){
            Add-MsolRoleMember -TenantId $TenantId -RoleName $role -RoleMemberEmailAddress $newUPN
      }
    
    }  
      
      # Set required variables for MFA.
      
      $st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
      $st.RelyingParty = "*"
      $st.State = "Enabled"
      $sta = @($st)
      
      # Enable MFA.
      
      Set-MsolUser -TenantId $TenantId -UserPrincipalName $newUPN -StrongAuthenticationRequirements $sta
}

Account Removal

<#
.Description
	This script is used for removing (multiple) Microsoft 365 tenant administrator accounts for all tenants managed by your MSP.
	Current Version: 1.0
   
	By: Stefan van Bruggen, Open ICT
		[email protected]

#>


# Connect to Microsoft 365 using your partner account credentials.

Connect-MsolService

# Get managed tenant IDs and prefixes.

Get-MsolPartnerContract -All | ForEach {
    $TenantPrefix = [string]$_.DefaultDomainName
    $TenantId = [string]$_.TenantId.Guid
	
# Import list of users that need to be removed from .csv and remove the accounts, the .csv should have the following fields: UserPrincipalName
	
	Import-Csv .\delete-users.csv | ForEach {
        $UPN = $_.UserPrincipalName + "@" + $TenantPrefix
        $UPN = [string]$UPN
        Remove-MsolUser -UserPrincipalName $UPN -TenantId $TenantId -Force
    }
	
}
Stefan van Bruggen - 2019