I recently posted about how we can use Delegated Access Permissions via a partner relationship to connect to an Exchange Online organization through PowerShell. This is a fantastic piece of functionality for MSPs and CSPs to manage multiple tenancies securely without having to manage a set of admin identities for all of their customers.
To expand on the previous post, I thought I would put together each of the PowerShell modules that support delegated admin permissions in one place and also highlight any that I feel are missing.
In this post I will go through the connection methods (where available) using DAP for each of the below modules:
- ExchangeOnline
- MSOnline
- Azure AD
- MicrosoftTeams
- Skype for Business
- SharePoint Online
- Security & Compliance Center
Exchange Online Module (v2)
I’ve gone through this one recently in another post so full information is available there. In short, we can connect to Exchange Online PowerShell using the Exchange Online (v2) PowerShell Module by specifying the tenant domain in our connection command.
First, install the module as normal:
Install-Module ExchangeOnlineManagement
Once installed, restart PowerShell and connect using the customer tenancy domain:
Connect-ExchangeOnline -DelegatedOrganization <customerdomain.onmicrosoft.com>
MS Online Module
The MS Online Module works a little differently in that we don’t connect directly to our customer tenancy, we specify the tenancy in our commands.
We install the module with:
Install-Module MSOnline
Then we connect to our own service as normal:
Connect-MsolService
Once we are connected, we need to locate the Tenant ID of our target organization. If we don’t have it to hand we can find it using the tenant domain in the below command:
Get-MsolPartnerContract -DomainName <customerdomain.onmicrosoft.com> | Select-Object TenantID
Once we have the TenantID output (which will be a GUID), we can run commands against the tenant as below, using the -TenantID flag:
Get-MsolUser -All -TenantId <TenantID>
Azure AD Module
To connect to Azure AD, we need the Tenant ID from above to use in our connection. We can install the AzureADPreview Module:
Install-Module AzureADPreview
We then connect using our Tenant ID with the below command:
Connect-AzureAD -TenantId <TenantID>
Microsoft Teams Module
For Microsoft Teams we use the Tenant ID again. Install with:
Install-Module MicrosoftTeams
And then we connect with the Tenant ID as below:
Connect-MicrosoftTeams -TenantId <TenantID>
Skype for Business Module
The Skype for Business Module is interesting in that a lot of organizations have moved off Skype to use Microsoft Teams. The Skype module is still required to manage certain aspects of Teams though. The connection to the module is equally strange. Once we have connected to Teams as above, we then need to create our connection to Skype using the below commands to create the session and then import it:
$session = New-CsOnlineSession
Import-PSSession $session
This will connect our existing Teams session to the Skype for Business module!
SharePoint Online Module
Unfortunately the SharePoint Online Module does not support DAP at the moment. I will update this post when/if it becomes available.
Security & Compliance Center Module
The Security and Compliance Center Module is installed as part of the Exchange Online (v2) module and allows connection to services such as DLP and Information Protection.
To connect to the Security & Compliance Center we can install the Exchange Online (v2) module as above and use the -DelegatedOrganization flag to specify our customer domain:
Connect-IPPSSession -DelegatedOrganization <CustomerDomain>
And that’s it, that’s pretty much all the modules I use on a daily basis, I will update this post as/when more updates or modules are available.
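The steps above can be combined into one helper that resolves the Tenant ID from the partner contract, connects each DAP-capable module, and confirms the Azure AD session landed in the intended customer tenant before any command is run. This is an added example, not code from the original post; the function name Connect-CustomerTenant and the sample domain are hypothetical, and it assumes the modules from the sections above are already installed.

```powershell
# Added example (not from the original post). Connect-CustomerTenant is a
# hypothetical helper name. Assumes MSOnline, AzureADPreview, MicrosoftTeams
# and the Exchange Online (v2) module are installed.
function Connect-CustomerTenant {
    [CmdletBinding()]
    param(
        # Customer tenant domain, e.g. customerdomain.onmicrosoft.com
        [Parameter(Mandatory)]
        [string]$CustomerDomain
    )

    # MSOnline signs in to our own (partner) tenant; the customer is
    # selected per command with -TenantId afterwards.
    Connect-MsolService -ErrorAction Stop

    # Resolve the customer's Tenant ID (a GUID) from the partner contract.
    $contract = Get-MsolPartnerContract -DomainName $CustomerDomain -ErrorAction Stop
    if (-not $contract) {
        throw "No partner contract found for '$CustomerDomain'; DAP cannot be used."
    }
    $tenantId = $contract.TenantId

    # Modules that take the Tenant ID on connect.
    Connect-AzureAD -TenantId $tenantId -ErrorAction Stop | Out-Null
    Connect-MicrosoftTeams -TenantId $tenantId -ErrorAction Stop | Out-Null

    # Modules that take the customer domain on connect.
    Connect-ExchangeOnline -DelegatedOrganization $CustomerDomain -ShowBanner:$false -ErrorAction Stop
    Connect-IPPSSession -DelegatedOrganization $CustomerDomain -ErrorAction Stop

    # Guard against working in the wrong tenant: the Azure AD session must
    # report the same Tenant ID that the partner contract returned.
    $detail = Get-AzureADTenantDetail
    if ($detail.ObjectId -ne $tenantId.ToString()) {
        throw "Azure AD session is in tenant $($detail.ObjectId), expected $tenantId."
    }

    # Return the Tenant ID for use with MSOnline's -TenantId parameter.
    return $tenantId
}

# Usage (constructed sample domain):
# $tid = Connect-CustomerTenant -CustomerDomain 'customerdomain.onmicrosoft.com'
# Get-MsolUser -All -TenantId $tid
```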
Have we figured out delegated admin unattended authentication yet? This is something I’ve been looking for the last 2 years and gave up a while ago since it didn’t seem like it was available last year.