Manage Microsoft 365 tenants with Windows PowerShell for Delegated Access Permissions (DAP) partners

This article applies to both Microsoft 365 Enterprise and Office 365 Enterprise.

Windows PowerShell allows Syndication and Cloud Solution Provider (CSP) partners to easily administer and report on customer tenancy settings that are not available in the Microsoft 365 admin center. Note that Administer on Behalf Of (AOBO) permissions are required for the partner administrator account to connect to its customer tenancies.

Delegated Access Permission (DAP) partners are Syndication and Cloud Solution Providers (CSP) Partners. They are frequently network or telecom providers to other companies. They bundle Microsoft 365 subscriptions into their service offerings to their customers. When they sell a Microsoft 365 subscription, they are automatically granted Administer On Behalf Of (AOBO) permissions to the customer tenancies so they can administer and report on the customer tenancies.

What do you need to know before you begin?

The procedures in this topic require you to connect to Connect to Microsoft 365 with PowerShell.

You also need your partner tenant administrator credentials.

What do you want to do?

List all tenant IDs

Note

If you have more than 500 tenants, scope the cmdlet syntax with either -All or -MaxResultsParameter. This applies to other cmdlets that can give a large output, such as Get-MsolUser.

To list all customer tenant Ids that you have access to, run this command.

Get-MsolPartnerContract -All | Select-Object TenantId

This will display a listing of all your customer tenants by TenantId.

Note

PowerShell Core does not support the Microsoft Azure Active Directory Module for Windows PowerShell module and cmdlets with Msol in their name. To continue using these cmdlets, you must run them from Windows PowerShell.

Get a tenant ID by using the domain name

To get the TenantId for a specific customer tenant by domain name, run this command. Replace <domainname.onmicrosoft.com> with the actual domain name of the customer tenant that you want.

Get-MsolPartnerContract -DomainName <domainname.onmicrosoft.com> | Select-Object TenantId

List all domains for a tenant

To get all domains for any one customer tenant, run this command. Replace <customer TenantId value> with the actual value.

Get-MsolDomain -TenantId <customer TenantId value>

If you have registered additional domains, this will return all domains associated with the customer TenantId.

Get a mapping of all tenants and registered domains

The previous PowerShell for Microsoft 365 commands showed you how to retrieve either tenant IDs or domains but not both at the same time, and with no clear mapping between them all. This command generates a listing of all your customer tenant IDs and their domains.

$Tenants = Get-MsolPartnerContract -All; $Tenants | foreach {$Domains = $_.TenantId; Get-MsolDomain -TenantId $Domains | fl @{Label="TenantId";Expression={$Domains}},name}

Get all users for a tenant

This will display the UserPrincipalName, the DisplayName, and the isLicensed status for all users for a particular tenant. Replace <customer TenantId value> with the actual value.

Get-MsolUser -TenantID <customer TenantId value>

Get all details about a user

If you want to see all the properties of a particular user, run this command. Replace <customer TenantId value> and <user principal name value> with the actual values.

Get-MsolUser -TenantId <customer TenantId value> -UserPrincipalName <user principal name value>

Add users, set options, and assign licenses

The bulk creation, configuration, and licensing of Microsoft 365 users is particularly efficient by using PowerShell for Microsoft 365. In this two-step process, you first create entries for all the users you want to add in a comma-separated value (CSV) file and then import that file by using PowerShell for Microsoft 365.

Create a CSV file

Create a CSV file by using this format:

UserPrincipalName,FirstName,LastName,DisplayName,Password,TenantId,UsageLocation,LicenseAssignment

where:

  • UsageLocation: The value for this is the two-letter ISO country/region code of the user. The country/region codes can be looked up at theISO Online Browsing Platform. For example, the code for the United States is US, and the code for Brazil is BR.

  • LicenseAssignment: The value for this uses this format: syndication-account:<PROVISIONING_ID>. For example, if you are assigning customer tenant users O365_Business_Premium licenses, the LicenseAssignment value looks like this: syndication-account:O365_Business_Premium. You will find the PROVISIONING_IDs in the Syndication Partner Portal that you have access to as a Syndication or CSP partner.

Import the CSV file and create the users

After you have your CSV file created, run this command to create user accounts with non-expiring passwords that the user must change at first sign-in and that assigns the license you specify. Be sure to substitute the correct CSV file name.

Import-Csv .\FILENAME.CSV | foreach {New-MsolUser -UserPrincipalName $_.UserPrincipalName -DisplayName $_.DisplayName -FirstName $_.FirstName -LastName $_.LastName -Password $_.Password -UsageLocation $_.UsageLocation -LicenseAssignment $_.LicenseAssignment -ForceChangePassword:$true -PasswordNeverExpires:$true -TenantId $_.TenantId}

See also

Help for partners