Friday, 31 May 2013

Get total number of Office 365 users using PowerShell

Here is a quick PowerShell command to get a total number of Office 365 users:

$allUsers = Get-MsolUser -All
@($allUsers).Count   # total number of users returned

Friday, 24 May 2013

How to correctly apply Directory Synchronization (DirSync) filters plus some useful observations

When applying Connector Filters to the Source AD Management Agent in the Directory Synchronization tool (DirSync) for Office 365, it looks as if you can put several conditions in one filter. In practice, however, that didn't work for me.

Here is the attempt on putting multiple conditions in one filter to apply on the user object, which didn't work:

When you apply new filters, the incremental sync normally doesn't pick up the changes. In order to force the new filters, you need to run a "Full Import Full Sync" on the source AD.

Here are the same conditions, but each created as a separate filter. This is the working configuration:

Once this was done, a Full Import Full Sync on the source AD was able to pick up the changes which can be viewed under Filtered Connectors. In my case you can see there are 89 Filtered Deletions which are basically the result of user filters applied.

Now a Full Confirming Import on the "TargetWebService" Management Agent would delete those 89 users from Office 365.

Two more observations:
1. Condition values are not case sensitive. So if you want to filter out user accounts which start with svc, you don't need to worry about case.

2. There seems to be a delay before the deleted users actually disappear from the Office 365 portal. So if you add new filters and confirm that the filters are applied in DirSync, you may not see the changes on the Office 365 portal immediately.

Monday, 20 May 2013

80041034a error code when a federated user tries to sign in to the Office 365 portal - "Your organization could not sign you in to this service" error

When a federated user tries to sign in to Microsoft Office 365 from a sign-in webpage whose URL starts with, authentication for that user is unsuccessful. The user receives the following error message: "Your organization could not sign you in to this service"

I tried the following resolutions suggested in the KB article, which did not resolve the issue in my case:
  • Resolution 1: Disable Local Security Authority (LSA) credential caching on the AD FS server
  • Resolution 2: Update the relying party trust with Windows Azure AD

This issue was resolved by converting the federated domain to standard (managed), and then converting it back to federated.

I am not sure if it was relevant to this issue (as some threads suggested), but when I initially converted my domain to federated, I had the -SupportMultipleDomain switch on. I am assuming that it is not relevant, because I still used the switch when I converted the managed domain to federated the second time.

Thursday, 9 May 2013

Use PowerShell to assign specific service plan licenses to Office 365 users

You can use PowerShell to create users in Office 365 and assign licenses to them.
In order to do it you will first need to see what your Account SKU IDs are by running the following command:


This will give you a list of your available SKUs in the following format:

mydomain:SKU (Example: mydomain:ENTERPRISEPACK)

Now you can use the retrieved "AccountSkuID" to assign licenses to users. Below is an example of creating a new user and assigning the E3 (ENTERPRISEPACK) license:

New-MsolUser -UserPrincipalName "" -DisplayName "Amin Test1" -FirstName "Amin" -LastName "Test1" -UsageLocation "GB" -LicenseAssignment "mydomain:ENTERPRISEPACK"

You may want to assign specific licenses within a SKU rather than assigning the whole E3 license. In that case you need to create your own license assignment option. To do that we first need to see what the service plan IDs are for each individual service within the E3 SKU. 

Run the following commands to get a list of service plan IDs:

$s = Get-MsolAccountSku | Where {$_.SkuPartNumber -eq "ENTERPRISEPACK"}
$s.ServiceStatus

As you can see, the following are the individual service plans in the E3 pack:
  • RMS_S_ENTERPRISE (Windows Azure Active Directory Rights - this is new in Wave 15)
  • OFFICESUBSCRIPTION (Office Professional Plus)
  • MCOSTANDARD (Lync Online)
  • SHAREPOINTWAC (Office Web Apps)
  • SHAREPOINTENTERPRISE (SharePoint Online)
  • EXCHANGE_S_ENTERPRISE (Exchange Online)

Now we create our own custom plan to assign an individual service plan license to a user. In this example we are assigning the SharePoint Online license:


As you can see we still set the AccountSkuId to "mydomain:ENTERPRISEPACK", however using the DisabledPlans switch we are disabling all the other service plans, leaving SharePoint Online only.
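
As an added example (not the original post's own command), one way to build such a license option is to derive the disabled plans from the SKU's service list, so that only the plans you name stay enabled. The SKU "mydomain:ENTERPRISEPACK" and the variable name $MyLicenseAssignmentOption come from the post; the helper name New-SinglePlanLicenseOption is hypothetical, and an existing Connect-MsolService session is assumed.

```powershell
# Added example: requires the MSOnline module and an existing Connect-MsolService session.
# New-SinglePlanLicenseOption is a hypothetical helper name, not part of MSOnline.
function New-SinglePlanLicenseOption {
    param(
        [Parameter(Mandatory = $true)][string]   $AccountSkuId,  # e.g. "mydomain:ENTERPRISEPACK"
        [Parameter(Mandatory = $true)][string[]] $KeepPlans      # service plans to leave enabled
    )

    # Look up the SKU and fail early if the tenant does not own it.
    $sku = Get-MsolAccountSku | Where-Object { $_.AccountSkuId -eq $AccountSkuId }
    if (-not $sku) {
        throw "SKU '$AccountSkuId' was not found in this tenant."
    }

    # Every service plan name inside the SKU (RMS_S_ENTERPRISE, MCOSTANDARD, ...).
    $allPlans = @($sku.ServiceStatus | ForEach-Object { $_.ServicePlan.ServiceName })

    # Refuse to continue if a plan we were asked to keep is not part of the SKU;
    # otherwise a typo would silently disable every service.
    $unknown = @($KeepPlans | Where-Object { $allPlans -notcontains $_ })
    if ($unknown.Count -gt 0) {
        throw "Not part of ${AccountSkuId}: $($unknown -join ', ')"
    }

    # Disable everything that is not explicitly kept.
    $disabled = @($allPlans | Where-Object { $KeepPlans -notcontains $_ })

    if ($disabled.Count -eq 0) {
        # Nothing to disable: return an option with the full SKU enabled.
        return New-MsolLicenseOptions -AccountSkuId $AccountSkuId
    }
    New-MsolLicenseOptions -AccountSkuId $AccountSkuId -DisabledPlans $disabled
}

# Leave only SharePoint Online enabled within E3.
$MyLicenseAssignmentOption = New-SinglePlanLicenseOption `
    -AccountSkuId "mydomain:ENTERPRISEPACK" `
    -KeepPlans    "SHAREPOINTENTERPRISE"

# Show what will be switched off before assigning it to a user.
$MyLicenseAssignmentOption.DisabledServicePlans
```

Because the disabled list is computed from the tenant's current SKU contents, a service plan that Microsoft later adds to the SKU is disabled by default instead of being granted unnoticed.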

Now that we have created our own license assignment option, we can re-run the New-MsolUser command and add our own license option to it:

New-MsolUser -UserPrincipalName "" -DisplayName "Amin Test1" -FirstName "Amin" -LastName "Test1" -UsageLocation "GB" -LicenseAssignment "mydomain:ENTERPRISEPACK" -LicenseOptions $MyLicenseAssignmentOption

On the portal we can check the license assignment status of the new user that we just created and we can see only SharePoint Online license is assigned to the user: