Though most Office365 operations can be performed via the Office365 Admin Console, some operations (such as moving federated users to a non-federated domain) can only be performed through Microsoft PowerShell commands. Some cmdlets can be essential when troubleshooting various issues in your Okta-Office365 integration. PowerShell also provides some cmdlets that are useful for information-gathering purposes, such as quickly determining what licenses you have in place.
Here is a brief list of Office365 cmdlets that we find particularly useful. If you haven't yet used the Office365 PowerShell module, you will likely need to install some components first. Refer to the Connect to Office 365 PowerShell guide to get started.
Note: Use these commands at your own risk. Before performing any of the commands below, we highly recommend reading Microsoft's documentation to gain a better understanding of their use and capabilities.
When run with no parameters, this command will simply list all O365 users and display their UserPrincipalName, Display Name and whether they have any assigned Office365 licenses.
Set-MsolUser -UserPrincipalName email@example.com -ImmutableId ImmutableID - changes the immutableID to a specified value. This can be used to replace the Office365 immutableID with the value indicated in the user's Okta profile.
Remove-MsolUser -UserPrincipalName firstname.lastname@example.org - deletes a user. This is useful when the Office365 Admin Console will not allow you to delete a federated (or formerly federated) user. Note that this command places the user into the recycle bin.
Set-MsolUserPrincipalName -UserPrincipalName email@example.com -NewUserPrincipalName firstname.lastname@example.org - renames a user. This allows you to change a federated user from your _____.com domain to Microsoft's default _____.onmicrosoft.com domain.
Convert-MsolDomainToStandard -DomainName <string> -PasswordFile <string> -SkipUserConversion <Boolean> [-Confirm] [-WhatIf] [<CommonParameters>] - converts a federated domain to a standard domain (i.e., contoso.com to contoso.onmicrosoft.com). It also generates a file that contains each user's newly generated password, which is required to log into Office365.
Get-OrganizationConfig | ft name, *OAuth* - indicates whether your Office365 has OAuth (also known as "Modern Authentication") enabled. If it returns a result of False, you can enable OAuth by running this command: Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
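The following is an added example, not part of the original article or Okta's own tooling: a read-only check to run before the Set-MsolUser -ImmutableId change described above, which compares each user's current Office365 immutableID with the expected value and saves the old values before anything is changed. It assumes Connect-MsolService has already been run; the user names, ID values, report path and $Apply switch are constructed for illustration.

```powershell
# Added example. Assumes an authenticated MSOnline session (Connect-MsolService).
# Constructed sample input: in practice, export these two columns from Okta.
$expected = @'
UserPrincipalName,ImmutableId
alice@example.com,CONSTRUCTED-ID-0001
bob@example.com,CONSTRUCTED-ID-0002
'@ | ConvertFrom-Csv

$Apply = $false   # hypothetical switch: leave $false to audit only

$report = foreach ($row in $expected) {
    $user = Get-MsolUser -UserPrincipalName $row.UserPrincipalName -ErrorAction SilentlyContinue

    # immutableID values are compared case-sensitively (-ceq): two IDs that
    # differ only in letter case are different anchors.
    if (-not $user) {
        $status = 'NotFound'
    } elseif ([string]::IsNullOrEmpty($user.ImmutableId)) {
        $status = 'Empty'
    } elseif ($user.ImmutableId -ceq $row.ImmutableId) {
        $status = 'Match'
    } else {
        $status = 'Mismatch'
    }

    [pscustomobject]@{
        UserPrincipalName = $row.UserPrincipalName
        Current           = $user.ImmutableId
        Expected          = $row.ImmutableId
        Status            = $status
    }
}

# Keep a record of the previous values so a change can be reversed later.
$report | Export-Csv -Path .\immutableid-audit.csv -NoTypeInformation
$report | Format-Table -AutoSize

# Write the expected value only for users that exist and do not already match.
if ($Apply) {
    $report | Where-Object { $_.Status -in 'Mismatch', 'Empty' } | ForEach-Object {
        Set-MsolUser -UserPrincipalName $_.UserPrincipalName -ImmutableId $_.Expected
    }
}
```

Review the table and the saved CSV first, then set $Apply to $true and rerun only if the mismatches are the ones you expected.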