This article provides some useful PowerShell commands for managing an Office 365 integration. 

• Microsoft Office 365 (O365 / M365)

• PowerShell

Before performing any of these commands, reading Microsoft's documentation can provide a better understanding of their use and capabilities.

Get-MsolUser

When ran with no parameters, this command will simply list all Office 365 users and display their UserPrincipalName, Display Name and whether they have any assigned Office 365 licenses.

• Get-MsolUser -UnlicensedUsersOnly - displays all users who currently do not have an Office 365 license assigned. This can be useful for account cleanup or license management

• Get-MsolUser -UserPrincipalName <user@domain.com> | FL Immut* - useful when troubleshooting syncing issues between an Okta user and its corresponding Office 365 user, as it can help to ensure that the Office 365 user's immutable ID matches the Okta user's value. If the values do not match, perform the set-MsolUser command as discussed below.

• Get-MsolUser -ReturnDeletedUsers | Remove-MsolUser –RemoveFromRecycleBin –Force - this will remove all deleted users from the Office365 recycle bin. This is very useful when attempting to provision a new Office 365 user, but the UPN is in use by a user account in the recycle bin.

Update-MgUser

• Update-MgUser -UserId <user@domain.com> -OnPremisesImmutableId ImmutableId updates the immutableID to a specified value. This can be used to replace the Office365 immutableID with the value indicated in the user's Okta profile

Set-MsolUser

• set-MsolUser -userprincipalname <user@domain.com> -immutableID <ImmutableID> - changes the immutableID to a specified value. This can be used to replace the Office365 immutableID with the value indicated in the user's Okta profile

• Set-MsolUser -UserPrincipalName <user@domain.com> -StsRefreshTokensValidFrom ("current date") - clears cached ActiveSync tokens. Enter the current date in MM/DD/YYYY format.

Remove-MsolUser

• Remove-MsolUser -UserPrincipalName <user@domain.com> - deletes a user.  This is useful when the Office365 Admin Console will not allow the deletion of a federated (or formerly federated) user. Note that this command places the user into the recycle bin

Get-MsolDomain

When run with no parameters, this command will list all domains in the Office 365 tenant and will indicate which ones are federated 

Get-MsolAccountSku

When run with no parameters, this command will display each of the Office 365 licenses that are available ("ActiveUnits") and in use ("ConsumedUnits")

Set-MsolUserPrincipalName

• Set-MsolUserPrincipalName -UserPrincipalName <user@domain.com> -NewUserPrincipalName <user@domain.onmicrosoft.com> - renames a user. This will change a federated user from the _____.com domain to Microsoft's default _____.onmicrosoft.com domain.

Convert-MsolDomainToStandard

• Convert-MsolDomainToStandard -DomainName <string> -PasswordFile <string> -SkipUserConversion <Boolean> [-Confirm] [-WhatIf] [<CommonParameters>]  - converts a federated domain to a standard domain (for example, contoso.com to contoso.onmicrosoft.com). Also generates a file that contains each user's newly-generated password required to log into Office 365.

Get-OrganizationConfig

This is an Exchange Online PowerShell Module cmdlet, which can be accessed by following
these directions.

• Get-OrganizationConfig | ft name, *OAuth* - indicates whether Office 365 has OAuth (also known as "Modern Authentication") enabled. If it returns a result of False, its possible to enable OAuth by running this command: Set-OrganizationConfig -OAuth2ClientProfileEnabled $true.