Useful PowerShell Commands for Managing Your Okta-Office365 Integration
Published: Sep 6, 2017   -   Updated: Jun 22, 2018

Though most Office365 operations can be performed via the Office365 Admin Console, some operations (such as moving federated users to a non-federated domain) can only be performed through Microsoft PowerShell commands. Some cmdlets can be essential when troubleshooting issues in your Okta-Office365 integration. PowerShell also provides cmdlets that are useful for information gathering, such as quickly determining what licenses you have in place.

Here is a brief list of Office365 cmdlets that we find particularly useful. If you haven't yet used the Office365 PowerShell Module, you will likely need to install some components first. Refer to the Connect to Office 365 PowerShell guide to get started.

Note: Use these commands at your own risk. Before running any of the commands below, we highly recommend reading Microsoft's documentation to gain a better understanding of their use and capabilities.


Get-MsolUser - when run with no parameters, this command lists all O365 users and displays their UserPrincipalName, Display Name and whether they have any assigned Office365 licenses.

Get-MsolUser -UnlicensedUsersOnly - displays all users who currently do not have an Office365 license assigned. This can be useful for account cleanup or license management.
Get-MsolUser -UserPrincipalName <UPN> | FL Immut* - useful when troubleshooting syncing issues between an Okta user and its corresponding Office365 user, as it helps confirm that the Office365 user's immutable ID matches the Okta user's value. If the values do not match, run the Set-MsolUser command discussed below.
Get-MsolUser -ReturnDeletedUsers | Remove-MsolUser -RemoveFromRecycleBin -Force - permanently removes all deleted users from the Office365 recycle bin. This is very useful when you are attempting to provision a new Office365 user but the UPN is in use by a user account in the recycle bin.


Set-MsolUser -UserPrincipalName <UPN> -ImmutableId <ImmutableID> - changes the immutableID to a specified value. This can be used to replace the Office365 immutableID with the value indicated in the user's Okta profile.
Set-MsolUser -UserPrincipalName <UPN> -StsRefreshTokensValidFrom ("current date") - clears cached ActiveSync tokens. Enter the current date in MM/DD/YYYY format.
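
One way to run the immutable ID comparison described above across many users and record the current values before anything is changed. This is an added example, not part of the original article; the CSV file names and column names are hypothetical, and it assumes the MSOnline module is installed and Connect-MsolService has already been run.

```powershell
# Added example: report ImmutableID mismatches first, change values only with -Apply.
# Requires the MSOnline module and an existing Connect-MsolService session.
# Assumption: the CSV is a hypothetical export with the columns below
# (constructed sample rows, not real users or values):
#   UserPrincipalName,OktaImmutableId
#   alice@example.com,CONSTRUCTED-VALUE-1
#   bob@example.com,CONSTRUCTED-VALUE-2
param(
    [string]$CsvPath = '.\okta-immutable-ids.csv',
    [switch]$Apply   # without -Apply the script only reports
)

$report = foreach ($row in Import-Csv -Path $CsvPath) {
    # Any lookup error (unknown user, expired session) yields $null
    # for this row instead of stopping the whole run.
    $user = try {
        Get-MsolUser -UserPrincipalName $row.UserPrincipalName -ErrorAction Stop
    } catch { $null }

    $status = if (-not $user) {
        'LookupFailed'
    } elseif ($user.ImmutableId -ceq $row.OktaImmutableId) {
        'Match'      # -ceq: the two values must be identical, including case
    } else {
        'Mismatch'
    }

    [pscustomobject]@{
        UserPrincipalName = $row.UserPrincipalName
        Office365Value    = $user.ImmutableId
        OktaValue         = $row.OktaImmutableId
        Status            = $status
    }
}

# Keep a record of the Office365 values as they were before any change.
$report | Export-Csv -Path '.\immutableid-report.csv' -NoTypeInformation
$report | Format-Table -AutoSize

if ($Apply) {
    foreach ($item in $report | Where-Object { $_.Status -eq 'Mismatch' }) {
        Write-Host "Updating ImmutableID for $($item.UserPrincipalName)"
        Set-MsolUser -UserPrincipalName $item.UserPrincipalName -ImmutableId $item.OktaValue
    }
}
```

Run it without -Apply first and review the Mismatch and LookupFailed rows; the exported report preserves the previous Office365 values if a change needs to be reverted.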


Remove-MsolUser -UserPrincipalName <UPN> - deletes a user. This is useful when the Office365 Admin Console will not allow you to delete a federated (or formerly federated) user. Note that this command places the user into the recycle bin.


Get-MsolDomain - when run with no parameters, this command lists all domains in your Office365 tenant and indicates which ones are federated.


Get-MsolAccountSku - when run with no parameters, this command displays each of the Office365 licenses that are available ("ActiveUnits") and in use ("ConsumedUnits").


Set-MsolUserPrincipalName -UserPrincipalName <current UPN> -NewUserPrincipalName <new UPN> - renames a user. This allows you to change a federated user from your domain to Microsoft's default domain.


Convert-MsolDomainToStandard -DomainName <string> -PasswordFile <string> -SkipUserConversion <Boolean> [-Confirm] [-WhatIf] [<CommonParameters>]  - converts a federated domain to a standard domain (ie to Also generates a file that contains each user's newly-generated password required to log into Office365.


This is an Exchange Online Powershell Module cmdlet, which can be accessed by following these directions.

Get-OrganizationConfig | ft name, *OAuth* - indicates whether your Office365 tenant has OAuth (also known as "Modern Authentication") enabled. If it returns a result of False, you can enable OAuth by running this command: Set-OrganizationConfig -OAuth2ClientProfileEnabled $true