Manage Microsoft Intune users via PowerShell

This week my blog post will contain some PowerShell again! After almost a month, finally some PowerShell on my blog again. Even though Microsoft Intune has no PowerShell support yet, there are parts that can already be managed via PowerShell. In my blog series about how to integrate Microsoft Intune and ConfigMgr with single sign-on I already showed some related PowerShell cmdlets for adding and verifying a domain name and for enabling Active Directory synchronization.

In this post I will show how to manage the Microsoft Intune users. As in most scenarios the users and groups will be synchronized from the on-premises Active Directory, I won’t show how to create users and groups. Instead I will show how to get information about the users, how to license the users and how to work with role memberships for users.


Before I can start showing some PowerShell cmdlets for managing the users, it’s required to connect to the Microsoft Online Services and to get the licensing information.


The first prerequisite is that I have a Microsoft Intune subscription and that I’m connected to the Microsoft Online Services via PowerShell. To connect to the Microsoft Online Services I can use the Connect-MsolService cmdlet, as shown below, and provide the Microsoft Intune subscription information in the dialog box that will show directly after.

$cred = Get-Credential   # prompts for the subscription credentials
Connect-MsolService -Credential $cred


The second prerequisite is that I have my license information available. The reason for this is simple: a part of managing users is assigning licenses, and the only way to assign licenses is by knowing what’s available. To get an overview of my licenses I can use the Get-MsolAccountSku cmdlet as shown below.

Get-MsolAccountSku

Manage users

During this blog post, I’m assuming that the users are synchronized from the on-premises Active Directory, via Microsoft Azure Active Directory Sync Services, to the Azure Active Directory. When this is not the case the users can be created via the New-MsolUser cmdlet, groups can be created via the New-MsolGroup cmdlet and users can be added to a group via the Add-MsolGroupMember cmdlet.


The first thing I would like to do is to check my users to see if they’re licensed and, if required, to get more details about a user. To get the basic information about the user, I can use the Get-MsolUser cmdlet as shown below. If more details about the user are required, pipe the output through Format-List.

Get-MsolUser -UserPrincipalName "<UserPrincipalName>"



I can now see that this user is not licensed. There are two methods to provide this user with a license. The first method is via the Microsoft Intune Account Portal and the second method is via PowerShell. Of course I will do this via PowerShell. To add a license to this user I need the AccountSkuId and with that information I can use the Set-MsolUserLicense cmdlet as shown below.

Set-MsolUserLicense -UserPrincipalName "<UserPrincipalName>" `
    -AddLicenses "myintunecloud:INTUNE_A"

When I now run the Get-MsolUser cmdlet again, the isLicensed value will be set to True. Also, running the Get-MsolAccountSku cmdlet again would show that the ConsumedUnits value is set to 25. To remove the license again, I can simply use the Set-MsolUserLicense cmdlet again and replace the AddLicenses parameter with the RemoveLicenses parameter.
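The following is an added example, not code from the original post. It extends the single-user assignment above to all unlicensed users and checks the two conditions that make Set-MsolUserLicense fail: no free units left in the SKU and no UsageLocation set on the user. It assumes an active Connect-MsolService session; the function name Add-IntuneLicense is hypothetical and the default SKU is the one used in this post.

```powershell
# Added example: bulk-license unlicensed users with pre-checks.
# Assumes Connect-MsolService has already been run in this session.
function Add-IntuneLicense {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # AccountSkuId as returned by Get-MsolAccountSku (value from this post)
        [string]$AccountSkuId = 'myintunecloud:INTUNE_A'
    )

    $sku = Get-MsolAccountSku | Where-Object { $_.AccountSkuId -eq $AccountSkuId }
    if (-not $sku) { throw "SKU '$AccountSkuId' not found in this subscription." }

    # Units still available = purchased (ActiveUnits) minus assigned (ConsumedUnits)
    $free = $sku.ActiveUnits - $sku.ConsumedUnits

    foreach ($user in Get-MsolUser -All -UnlicensedUsersOnly) {
        $upn = $user.UserPrincipalName
        if ($free -le 0) {
            Write-Warning "No free units left in $AccountSkuId; stopping at $upn."
            break
        }
        # A license can only be assigned to a user that has a usage location set
        if ([string]::IsNullOrEmpty($user.UsageLocation)) {
            Write-Warning "Skipping $upn (no UsageLocation set)."
            continue
        }
        if ($PSCmdlet.ShouldProcess($upn, "Add license $AccountSkuId")) {
            Set-MsolUserLicense -UserPrincipalName $upn -AddLicenses $AccountSkuId
            $free--
        }
    }
}

# Preview the changes first, then run without -WhatIf to apply them
Add-IntuneLicense -WhatIf
```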


Another thing I would like to do is assign roles to my users. Roles are used to provide a user with specific administrative permissions within the Microsoft Intune subscription. One thing to keep in mind when working with the different roles is that the role names used within PowerShell are slightly different from how they are displayed in the Microsoft Intune Account Portal. The following table shows the minor differences between the role names.

MsolRole                        Account Portal
User Account Administrator      User management administrator
Service Support Administrator   Service Support Administrator
Helpdesk Administrator          Password Administrator
Company Administrator           Global Administrator
Billing Administrator           Billing Administrator

Now I want to add this user to the Password Administrator role. To add the user to this role I can use the Add-MsolRoleMember cmdlet as shown below.

Add-MsolRoleMember -RoleName "Helpdesk Administrator" `
    -RoleMemberEmailAddress "<user email address>"

After this I would like to verify if the user is indeed a member of the Password Administrator role. To check the members of a role I can use the Get-MsolRoleMember cmdlet as shown below. One thing to keep in mind here is that this specific cmdlet requires the ObjectId of a role as an input parameter.

Get-MsolRoleMember -RoleObjectId `
    (Get-MsolRole -RoleName "Helpdesk Administrator").ObjectId


To remove a user from a role, I can do the same as with adding a user to a role. The only difference would be that the Remove-MsolRoleMember cmdlet needs to be used. The parameters are the same.
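The following is an added example, not code from the original post. It generalizes the single-role membership check above to every role, using the name mapping from the table in this post, which gives a repeatable review of who holds administrative permissions. It assumes an active Connect-MsolService session; the function name Get-AdminRoleReport is hypothetical.

```powershell
# Added example: report the members of every administrative role.
# Assumes Connect-MsolService has already been run in this session.
function Get-AdminRoleReport {
    # MsolRole name -> name shown in the Account Portal (table from this post)
    $portalName = @{
        'User Account Administrator'    = 'User management administrator'
        'Service Support Administrator' = 'Service Support Administrator'
        'Helpdesk Administrator'        = 'Password Administrator'
        'Company Administrator'         = 'Global Administrator'
        'Billing Administrator'         = 'Billing Administrator'
    }

    foreach ($role in Get-MsolRole) {
        foreach ($member in Get-MsolRoleMember -RoleObjectId $role.ObjectId) {
            [pscustomobject]@{
                MsolRole     = $role.Name
                PortalName   = $portalName[$role.Name]   # empty for roles not in the table
                DisplayName  = $member.DisplayName
                EmailAddress = $member.EmailAddress
                MemberType   = $member.RoleMemberType    # user, group or service principal
            }
        }
    }
}

$report = Get-AdminRoleReport
$report | Sort-Object MsolRole, DisplayName | Format-Table -AutoSize

# Roles with the broadest permissions deserve the closest look
$report | Where-Object { $_.MsolRole -eq 'Company Administrator' } |
    Select-Object DisplayName, EmailAddress
```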

Further reading

A while ago my colleague Ronny de Jong did a blog post about a closer look at the user provisioning of Microsoft Intune. This is a very good read that describes the flow of the user provisioning when using Microsoft Intune integrated with ConfigMgr. That post also shows how users are licensed in that scenario.


11 thoughts on “Manage Microsoft Intune users via PowerShell”

  1. Hi Peter,

    I would recommend adding to the prerequisites. The user will first need the Microsoft Online Services Sign-In Assistant for IT Professionals, and they will need to install the Azure Active Directory Module for Windows PowerShell. It might be easier to follow if you add those steps 🙂

  2. Hi Peter – nice article and I will be using some of this to prepare our enrolment of users for a deployment we’re doing. Do you know if there’s any work been done on migrating users/devices out of Airwatch and into Intune?


  3. Hi Phil,

    I’m not aware of anything specific in regards to migrating from AirWatch to Microsoft Intune. Right now I can’t say much more than that the users will have to re-enroll their device…


  4. Hi Peter, do you know a Workaround for Conditional Access to work with the Outlook app and an Exchange On-Premise in Hybrid Intune? Thanks

  5. Hi Peter, thanks for your quick response. Perhaps my idea was PowerShell – check if the device which wants ActiveSync is enrolled. But I guess this is not possible, otherwise Conditional Access would be supported, right? Or drop some reports via PowerShell and find not enrolled devices. Thanks

  6. Hi,

    I tested the cmdlet for the role assignment “Helpdesk Administrator”, but it configures the role in Azure AD and not in the Intune console. Is there a command that permits adding a service administration console account?

