Using Delegated Access Permissions in PowerShell to Manage all Microsoft 365 Services

I recently posted about how we can use Delegated Access Permissions via a partner relationship to connect to an Exchange Online organization through PowerShell. This is a fantastic piece of functionality for MSPs and CSPs to manage multiple tenancies securely without having to manage a set of admin identities for all of their customers.

To expand on the previous post, I thought I would put together each of the PowerShell modules that support delegated admin permissions in one place and also highlight any that I feel are missing.

In this post I will go through the connection methods (where available) using DAP for each of the below modules:

  • ExchangeOnline
  • MSOnline
  • Azure AD
  • MicrosoftTeams
  • Skype for Business
  • SharePoint Online
  • Security & Compliance Center

Exchange Online Module (v2)

I’ve gone through this one recently in another post so full information is available there. In short, we can connect to Exchange Online PowerShell using the Exchange Online (v2) PowerShell Module by specifying the tenant domain in our connection command.

First, install the module as normal:

Install-Module ExchangeOnlineManagement

Once installed, restart PowerShell and connect using the customer tenancy domain:

Connect-ExchangeOnline -DelegatedOrganization <customerdomain.onmicrosoft.com>
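
A delegated session stays open until it is closed, so any later command in the same window still runs against that customer. The sketch below is an added example, not code from the original post: it wraps the connection in a hypothetical helper, Invoke-CustomerExoCheck, that confirms the session landed in the intended tenant, runs one read-only check and always disconnects. The helper name, the sample domain and the restriction to onmicrosoft.com domains are assumptions.

```powershell
# Added example: scoped delegated Exchange Online session for one customer.
# Invoke-CustomerExoCheck is a hypothetical helper name, not part of any module.
function Invoke-CustomerExoCheck {
    param(
        [Parameter(Mandatory)]
        # Assumption: customers are addressed by their initial onmicrosoft.com domain.
        [ValidatePattern('^[a-z0-9-]+\.onmicrosoft\.com$')]
        [string]$CustomerDomain
    )

    Connect-ExchangeOnline -DelegatedOrganization $CustomerDomain -ShowBanner:$false
    try {
        # Confirm the session is in the intended tenant before trusting any output.
        $accepted = Get-AcceptedDomain | ForEach-Object { [string]$_.DomainName }
        if ($accepted -notcontains $CustomerDomain) {
            throw "Connected tenant does not list $CustomerDomain as an accepted domain."
        }

        # Read-only check: is Modern Authentication enabled for the organization?
        $org = Get-OrganizationConfig
        [pscustomobject]@{
            Tenant            = $CustomerDomain
            ModernAuthEnabled = $org.OAuth2ClientProfileEnabled
        }
    }
    finally {
        # Always drop the delegated session so later commands cannot reach this tenant by mistake.
        Disconnect-ExchangeOnline -Confirm:$false
    }
}

# 'contoso.onmicrosoft.com' is a constructed sample domain.
Invoke-CustomerExoCheck -CustomerDomain 'contoso.onmicrosoft.com'
```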

MS Online Module

The MS Online Module works a little differently in that we don’t connect directly to our customer tenancy; instead, we specify the tenancy in our commands.

We install the module with:

Install-Module MSOnline

Then we connect to our own service as normal:

Connect-MsolService

Once we are connected, we need to locate the Tenant ID of our target organization. If we don’t have it to hand we can find it using the tenant domain in the below command:

Get-MsolPartnerContract -DomainName <customerdomain.onmicrosoft.com> | Select-Object TenantID

Once we have the TenantID output (which will be a GUID), we can run commands against the tenant as below, using the -TenantID flag:

Get-MsolUser -All -TenantId <TenantID>
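
Because every MSOnline command takes the tenant as a parameter, one partner session can sweep all customers. The following is an added example, not code from the original post: it assumes Connect-MsolService has already been run with partner credentials and lists the members of the Company Administrator (Global Administrator) role in each delegated tenant, recording tenants that could not be queried instead of silently skipping them. The output file name is a constructed placeholder.

```powershell
# Added example: audit Global Administrator membership across all delegated tenants.
# Assumes Connect-MsolService has already been run in this session.
$report = foreach ($contract in Get-MsolPartnerContract -All) {
    $tenantId = $contract.TenantId
    try {
        # "Company Administrator" is the MSOnline name for the Global Administrator role.
        $role = Get-MsolRole -RoleName 'Company Administrator' -TenantId $tenantId -ErrorAction Stop
        $members = Get-MsolRoleMember -RoleObjectId $role.ObjectId -TenantId $tenantId -All -ErrorAction Stop

        foreach ($member in $members) {
            [pscustomobject]@{
                Customer   = $contract.DefaultDomainName
                TenantId   = $tenantId
                Admin      = $member.EmailAddress
                MemberType = $member.RoleMemberType
                Error      = $null
            }
        }
    }
    catch {
        # Keep failed tenants in the report so a gap in coverage is visible.
        [pscustomobject]@{
            Customer   = $contract.DefaultDomainName
            TenantId   = $tenantId
            Admin      = $null
            MemberType = $null
            Error      = $_.Exception.Message
        }
    }
}

# Admin count per customer, highest first, for a quick review of over-privileged tenants.
$report | Where-Object Admin | Group-Object Customer |
    Sort-Object Count -Descending | Select-Object Name, Count

# 'dap-admin-audit.csv' is a constructed placeholder file name.
$report | Export-Csv -Path 'dap-admin-audit.csv' -NoTypeInformation
```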

Azure AD Module

To connect to Azure AD, we need the Tenant ID from above to use in our connection. We can install the AzureADPreview Module:

Install-Module AzureADPreview

We then connect using our Tenant ID with the below command:

Connect-AzureAD -TenantId <TenantID>

Microsoft Teams Module

For Microsoft Teams we use the Tenant ID again. Install with:

Install-Module MicrosoftTeams

And then we connect with the Tenant ID as below:

Connect-MicrosoftTeams -TenantId <TenantID>

Skype for Business Module

The Skype for Business Module is interesting in that a lot of organizations have moved off Skype to use Microsoft Teams. The Skype module is still required to manage certain aspects of Teams though. The connection to the module is equally strange. Once we have connected to Teams as above, we then need to create our connection to Skype using the below commands to create the session and then import it:

$session = New-CsOnlineSession
Import-PSSession $session

This will connect our existing Teams session to the Skype for Business module!

SharePoint Online Module

Unfortunately the SharePoint Online Module does not support DAP at the moment. I will update this post when/if it becomes available.

Security & Compliance Center Module

The Security and Compliance Center Module is installed as part of the Exchange Online (v2) module and allows connection to services such as DLP and Information Protection.

To connect to the Security & Compliance Center we can install the Exchange Online (v2) module as above and use the -DelegatedOrganization flag to specify our customer domain:

Connect-IPPSSession -DelegatedOrganization <CustomerDomain>

And that’s it. That’s pretty much all the modules I use on a daily basis. I will update this post as/when more updates or modules are available.

Managing Office 365 Integrated Apps From The Admin Center

For all the cool features of Office 365 and the Office suite, there are always use cases for third party integrations. These apps provide an extension to the Office platform and add some specific functionality that might not be something that Microsoft can, or wants to, deliver to the entire platform.

These apps are hosted on the AppSource catalog where they can be searched and deployed to users by an admin. Now, this functionality has been given a new home directly on the Admin Center in the Settings section.

Deploy An Integrated App

In this section we will deploy the Outlook “Report Message” add-on from Microsoft. I tend to deploy this for almost all modern Office 365 builds as it allows users to directly report spam and phishing attempts to Microsoft, helping to improve the overall message filtering backend while also cutting down on support tickets by giving the power directly to end users.

To deploy our first app, click the “Get apps” option to open the AppSource menu.

From here we can search for the app we want and get ready to deploy by clicking “Get it now”.

Now we can configure our deployment scope. For the Report Message Add-On, I’ll deploy to all users by selecting “Entire organization”.

Finally, we verify the permissions we will be giving the app and deploy it when we are happy.

Now with the app deployed, we can return to modify it any time from the integrated apps section.

Office 365 End Of Support For Office 2013 Is Near

As announced last year by Microsoft, Office 365 support for Office 2013 is ending very soon. From October 12th 2020, the Office 2013 suite will no longer be directly supported for use with Office 365.

What does this mean?

Essentially, the end of support for Office 2013 does not mean that Office 2013 will stop working from that date. It means that Office 2013 will not be a consideration when Microsoft are developing and upgrading the Office 365 platform. If Office 2013 doesn’t work with a particular feature, the only resolution will be to upgrade to Office 2016/19 or Microsoft 365 Apps for Business (formerly Pro Plus).

What can I do to get ready?

Luckily, for business customers there are many ways to upgrade. The below are all viable options that can suit many configurations:

  • Apps package available directly to users via the Office Portal
  • Endpoint Manager (SCCM) Microsoft 365 Apps deployment
  • Endpoint Manager (Intune) Microsoft 365 Apps deployment
  • Third party configuration management tool deployment
  • GPO deployment of Office

All of this can be made better using the Microsoft 365 Apps Admin Center, which lets you create custom packages of Microsoft 365 Apps complete with update policy. It also lets you use cloud policy to control how the Office apps work and to configure some GPO-style settings on all apps linked to an account in your tenant.

What about my Macros and Plugins?

When preparing to update Office across the business, a key consideration in large organizations is Macros and Plugins which interact with Office. Knowing how they will perform and assessing compatibility is key to a successful deployment and remediation of any potential compatibility problems. While a pilot upgrade is still very much recommended as part of any upgrade, Microsoft have also made available the Readiness Toolkit for Microsoft 365 Apps.

The Readiness Toolkit will help to assess and highlight potential issues with VBA Macros and Plugins. It’s very common for the compatibility problem to not be as widespread as you might first think so this is a fantastic tool to assess the environment and call out remediation that needs to take place before migrating. Given that a lot of these tools have become part of integral business processes, assessing and preventing issues is always better than fixing post rollout.

Upgrade Now!

With the tools available to administrators, it’s never been easier to plan and perform this type of upgrade, minimizing risk as much as possible. If you are still using Office 2013 in your business, while it won’t just stop working in the coming weeks, you need to upgrade before you experience problems.

By the way, if you’re still using Office 2010, then this is even more of a priority as Office 2010 is fully out of support and not capable of providing a secure authentication experience through Modern Authentication – putting your users and data at risk!

Happy Upgrading!