Windows Azure Active Directory (Windows Azure AD, often abbreviated WAAD) is Microsoft's cloud identity and access management service. It lets you manage user and group accounts, domains, and authentication for your applications. WAAD is closely integrated with Microsoft Online Services and provides the core directory and identity management capabilities for most of Microsoft's cloud services, such as Azure, Microsoft Office 365, Microsoft Dynamics CRM Online, and Windows Intune. When you subscribe to Windows Azure, a default WAAD directory is created for you.
Two ways to Manage WAAD
There are two ways to manage Microsoft Azure Active Directory: the web portals or PowerShell. If you are subscribed to one or more Microsoft cloud services, you can use portals such as Azure Management, Office 365 Admin Center, and Windows Intune to manage your directory data. Most tasks, such as creating and managing user and group accounts, managing cloud services and subscriptions, and setting up on-premises integration with your Active Directory, can be performed either through these administrative web portals or through PowerShell. Like any other Azure resource, Azure AD can be managed with PowerShell, but it uses its own module, the “Microsoft Azure Active Directory Module for Windows PowerShell”.
It is important to understand that these portals and PowerShell cmdlets all read and write to a single shared instance of WAAD that is actually associated with your organization’s directory. These portals and PowerShell act as a front end to modify your directory data. Whether you use web portals or PowerShell cmdlets, you are going to work with your default organization’s active directory. In this article, we are going to learn how to manage WAAD using Microsoft Azure Active Directory Module for Windows PowerShell.
You cannot manage WAAD using Azure PowerShell modules. Azure PowerShell modules help you manage other Azure resources such as web sites, cloud services, virtual machines, etc.
Requirements for managing WAAD using PowerShell
You can use the Microsoft Azure Active Directory Module for Windows PowerShell to accomplish many Azure AD tenant-wide administrative tasks such as user management, domain management, configuring single sign-on, user licensing, and creating reports. The Microsoft Azure Active Directory Module was previously known as the Microsoft Online Services Module for Windows PowerShell. Before you can manage Azure AD using PowerShell, you need to make sure the following requirements are met:
- A computer running Windows 7, Windows 8, Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2.
- The default version of the .NET Framework and Windows PowerShell that ships with that operating system.
- The Microsoft Online Services Sign-In Assistant (MOS SIA), a client component that lets common applications such as Microsoft Outlook and Lync authenticate to Microsoft Online Services. The module depends on it for sign-in.
Installing Azure Active Directory Modules for Windows PowerShell
Once the above requirements are met, download and install the Microsoft Azure Active Directory Module for Windows PowerShell. Two downloads used to be available, depending on your operating system architecture: 32-bit and 64-bit. Since Microsoft has discontinued the 32-bit version of the Microsoft Azure Active Directory Module, you will need to download the 64-bit version.
After installing the Azure AD Module, launch the “Microsoft Azure Active Directory Module for Windows PowerShell” shortcut to open a PowerShell window that has the cmdlets needed to connect to and manage Azure AD resources. You can find the shortcut by searching for “Azure PowerShell” on the Start Screen, as shown in the screenshot below:
The required PowerShell modules for Azure AD might not be imported successfully in some cases. If that is the case, use “Import-Module MSOnline” in the PowerShell window session.
Connecting to Microsoft Online Account
Before you can start managing Azure AD resources, you must connect to your online account. Once you are connected to Azure AD Online service, you can perform several common operations. For example, you can create a new user, check the status of the user and licenses, etc.
You can execute the below PowerShell commands to connect to the online account:
- $MyOnlineCred = Get-Credential
- Connect-MsolService -Credential $MyOnlineCred -WarningAction SilentlyContinue
The first command stores your online credentials in the $MyOnlineCred variable and the next command connects to Microsoft Online Services using the Connect-MsolService PowerShell cmdlet. The Connect-MsolService PowerShell cmdlet is designed to connect to your Microsoft online account.
How Many PowerShell cmdlets are available?
There are about 130 PowerShell cmdlets available for managing Azure AD resources, including users, groups and membership, service principals, Azure domains, single sign-on, subscriptions and licenses, and organization information and services.
In case you need to see the list of all PowerShell cmdlets available with Azure Active Directory Module, execute “Get-Help msol | more” command in the PowerShell window as shown in the screenshot below:
If you need to know all PowerShell cmdlets available to manage Azure AD user accounts, run “Get-Help User | more” command in the PowerShell window session. You will be presented with a list of user-based cmdlets as shown in the below screenshot:
Using Azure Active Directory PowerShell cmdlets
If you need to create a user quickly, you can do so by executing the New-MsolUser PowerShell cmdlet as shown in the below command:
- New-MsolUser -UserPrincipalName [email protected] -DisplayName "Nirmal Sharma" -FirstName "Nirmal" -LastName "Sharma" -UsageLocation "US" -LicenseAssignment "TechGenix:BPOS_Standard"
The above command creates a user and assigns it a license from the TechGenix tenant. Similarly, you can put this task in a PowerShell script to create multiple user accounts and assign each the required license.
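The bulk version of that task, as an added example that is not part of the original article: it reads user records from a CSV (a constructed sample is embedded inline), checks license headroom once with Get-MsolAccountSku, skips accounts that already exist, and records the generated initial password for a controlled handover. It assumes an existing Connect-MsolService session; the example.com addresses and the TechGenix:BPOS_Standard SKU are placeholder values.

```powershell
# Constructed sample input, embedded so the script runs as-is; in practice use
# $newUsers = Import-Csv -Path .\newusers.csv
$newUsers = @"
UserPrincipalName,DisplayName,FirstName,LastName,UsageLocation
alice.jones@example.com,Alice Jones,Alice,Jones,US
bob.kumar@example.com,Bob Kumar,Bob,Kumar,US
"@ | ConvertFrom-Csv

$skuId = "TechGenix:BPOS_Standard"   # AccountSkuId as reported by Get-MsolAccountSku

# Check license headroom once instead of letting each New-MsolUser fail on its own
$sku = Get-MsolAccountSku | Where-Object { $_.AccountSkuId -eq $skuId }
if (-not $sku) { throw "License SKU $skuId is not present in this tenant" }
$available = $sku.ActiveUnits - $sku.ConsumedUnits

$results = foreach ($u in $newUsers) {
    # Idempotency: an existing account is reported, never overwritten or re-licensed
    if (Get-MsolUser -UserPrincipalName $u.UserPrincipalName -ErrorAction SilentlyContinue) {
        Write-Warning "Skipping $($u.UserPrincipalName): account already exists"
        continue
    }
    $params = @{
        UserPrincipalName   = $u.UserPrincipalName
        DisplayName         = $u.DisplayName
        FirstName           = $u.FirstName
        LastName            = $u.LastName
        UsageLocation       = $u.UsageLocation   # required before a license can be assigned
        ForceChangePassword = $true              # the generated password is single-use
    }
    if ($available -gt 0) {
        $params.LicenseAssignment = $skuId
        $available--
    } else {
        Write-Warning "No $skuId licenses left; creating $($u.UserPrincipalName) unlicensed"
    }
    # With no -Password, New-MsolUser generates one and returns it in the Password property
    $created = New-MsolUser @params
    [pscustomobject]@{
        UserPrincipalName = $created.UserPrincipalName
        Licensed          = $params.ContainsKey("LicenseAssignment")
        InitialPassword   = $created.Password
    }
}

# Initial passwords go to a file only the onboarding team can read, not to a shared log
$results | Export-Csv -Path .\created-users.csv -NoTypeInformation
```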
If you need to perform tenant and domain management tasks, such as verifying tenant and domain status, checking whether SSO is enabled, confirming ownership of a domain, or checking password synchronization status, you can use the tenant and domain management cmdlets. For example, you can create a new domain with the New-MsolDomain cmdlet, and verify the status and ownership of a domain with Get-MsolDomain, as shown in the examples below:
To list all domains for the company, including both verified and unverified domains, execute:
- Get-MsolDomain
To list only the verified domains for the company, execute:
- Get-MsolDomain -Status Verified
To check and confirm the ownership of the domain, use Confirm-MsolDomain cmdlet:
- Confirm-MsolDomain -DomainName TechGenix.com
Domain verification is done by checking DNS records, so those records must be set up first. If you are not sure which DNS records need to be set up, run the Get-MsolDomainVerificationDns cmdlet.
Another common operation is to check whether WAAD directory synchronization is in use. The Get-MsolUser cmdlet supports the -Synchronized parameter, which you can use to check whether users have been synchronized from on-premises Active Directory. For example, to list all synchronized users, execute the below command:
- Get-MsolUser -All -Synchronized
If no users are returned, directory synchronization is not in use.
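The domain verification and synchronization checks above, combined into one tenant report as an added example that is not part of the original article. For each unverified domain it shows the TXT record that Get-MsolDomainVerificationDns expects to find before Confirm-MsolDomain can succeed, then attempts confirmation, and finally compares the tenant's DirectorySynchronizationEnabled flag with the count of actually synchronized users. It assumes an existing Connect-MsolService session.

```powershell
# Domain inventory: status, authentication type (Managed vs Federated/SSO) and, for
# unverified domains, the TXT record the DNS zone owner must publish
$report = foreach ($d in Get-MsolDomain) {
    $record = $null
    if ($d.Status -ne "Verified") {
        $record = Get-MsolDomainVerificationDns -DomainName $d.Name -Mode DnsTxtRecord
    }
    [pscustomobject]@{
        Domain         = $d.Name
        Status         = $d.Status
        Authentication = $d.Authentication
        RequiredTxt    = if ($record) { "$($record.Label) TXT $($record.Text)" } else { "" }
    }
}
$report | Format-Table -AutoSize

# Confirmation fails until the TXT record has propagated, so treat failure as "not yet"
foreach ($d in Get-MsolDomain -Status Unverified) {
    try {
        Confirm-MsolDomain -DomainName $d.Name -ErrorAction Stop
        Write-Host "Verified ownership of $($d.Name)"
    } catch {
        Write-Warning "$($d.Name) not verified yet: $($_.Exception.Message)"
    }
}

# Directory synchronization: the company-level flag and the evidence behind it.
# A flag set to True with zero synchronized users usually means sync was enabled
# but never ran; check LastDirSyncTime before trusting the configuration.
$company = Get-MsolCompanyInformation
$synced  = @(Get-MsolUser -All -Synchronized)
[pscustomobject]@{
    DirSyncEnabled  = $company.DirectorySynchronizationEnabled
    LastDirSyncTime = $company.LastDirSyncTime
    SyncedUsers     = $synced.Count
    CloudOnlyUsers  = @(Get-MsolUser -All | Where-Object { -not $_.LastDirSyncTime }).Count
}
```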
Each PowerShell cmdlet offers various parameters; which ones you use depends on what you want to accomplish. Apart from managing domains and users, you can use other cmdlets for tasks related to single sign-on, such as adding a new single sign-on domain to WAAD, and for managing subscriptions, accounts, and licenses.
While the portals are user-friendly, PowerShell gives you the power to configure and manage resources in a repeatable way. The information in this article can be useful if you manage your organization's Microsoft Online Services components. Azure AD PowerShell cmdlets can help you automate repetitive tasks and increase productivity.