Step by Step Directions for Techs

Category Archives: Office 365

How to Add Azure Active Directory User to Local Admins

I keep running into this so I thought I would put it up here.

If you have a customer without on-premises Active Directory who uses Office 365, you can leverage Azure AD with Windows 10. It is a bit cumbersome for some things, like adding users to the admin group. Here is a workaround:

  1. Log in as the AzureAD / Office 365 user you want to be a local admin. This introduces that user’s GUID to the system.
  2. Log out and log in as a local admin user.
  3. Open a command prompt as Administrator and use this command, replacing the username:
    net localgroup administrators AzureAD\JohnSmith /add

Regarding the user name: it isn’t the name they log in with. It is the display name run together with the spaces removed. For example, if they are listed as “Bill Jones” in the directory and they log in as “bill_jones”, it would be “BillJones”. If they are listed in the directory as “William Jones” (again, the display name) but log in as “bill_jones”, it would be “WilliamJones”.
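As an added example (not from the original post), here is the same procedure scripted in PowerShell: it builds the run-together name from the directory display name, adds it with the net localgroup command the post uses, and then reads the group back to confirm the account is actually a member. The function names are mine; “William Jones” is the post’s sample display name.

```powershell
# Added example (not from the original post): add an AzureAD user to the local
# Administrators group by its run-together display name and verify the result.
function ConvertTo-AzureAdLocalName {
    param([Parameter(Mandatory)][string]$DisplayName)
    # "William Jones" -> "AzureAD\WilliamJones" (spaces removed, as the post describes)
    return 'AzureAD\' + ($DisplayName -replace '\s', '')
}

function Get-AzureAdLocalAdmins {
    # Member names are printed one per line by net localgroup; keep only AzureAD\ entries.
    # Useful on its own as an audit of which cloud accounts hold local admin rights.
    (& net localgroup administrators) | Where-Object { $_ -match '^AzureAD\\' }
}

function Add-AzureAdLocalAdmin {
    param([Parameter(Mandatory)][string]$DisplayName)
    $member = ConvertTo-AzureAdLocalName -DisplayName $DisplayName

    # net localgroup is what the post uses; it resolves AzureAD\ names once the user
    # has signed in at least once (step 1 of the post).
    $output = & net localgroup administrators $member /add 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "Failed to add $member (has the user signed in on this machine yet?): $output"
    }

    # Do not trust the add alone: read the group back and check the name is present
    $admins = Get-AzureAdLocalAdmins
    if ($admins -notcontains $member) {
        throw "$member was not found in Administrators after the add"
    }
    Write-Output "Added $member. AzureAD accounts now in Administrators:"
    $admins
}

# Run from an elevated prompt while logged in as a local admin (steps 2 and 3 of the post)
Add-AzureAdLocalAdmin -DisplayName 'William Jones'
```

Get-AzureAdLocalAdmins is worth running by itself on machines you manage this way, since the run-together naming makes it easy to lose track of which cloud accounts have been granted local admin.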


Set Office365 Password To Not Expire

I know there have to be thousands of these articles, but I can never find the information when I need it. So here it is:

Get-MsolUser -UserPrincipalName user@yourdomain.com | Select PasswordNeverExpires

(replace user@yourdomain.com with the account’s user principal name)



You need a couple of things (from

These steps are required once on your computer, not every time you connect. However, you’ll likely need to install newer versions of the software periodically.

1. Install the 64-bit version of the Microsoft Online Services Sign-in Assistant: Microsoft Online Services Sign-in Assistant for IT Professionals RTW.

2. Install the 64-bit version of the Windows Azure Active Directory Module for Windows PowerShell: Windows Azure Active Directory Module for Windows PowerShell (64-bit version).

DirSync Setup Tips for Office 365

For as simple as the software seems to be, there are some things to watch out for:

  1. Disable password expiration for the DirSync service account.  If you don’t do this, the service will stop working in 90 days until you reset the password on the portal and reconfigure DirSync.
    • Import-Module msonline
    • $cred = Get-Credential
      This will prompt you for credentials for an admin account.  You can use the DirSync account.
    • Connect-MsolService -cred $cred
    • Set-MsolUser -UserPrincipalName user@yourdomain.com -PasswordNeverExpires $true
      Replace user@yourdomain.com with the DirSync service account’s user principal name.
  2. DirSync does not automatically assign licenses to the accounts it copies.
  3. Initiating a Full Sync in DirSync does NOT initiate a full password sync. 
    • Open “C:\Program Files\Windows Azure Active Directory Sync\DirSyncConfigShell.psc1”
    • Run “Set-FullPasswordSync”
  4. If you want to do a quick sync for accounts, don’t do it from miisclient.  Do it from PowerShell. 
    • Open “C:\Program Files\Windows Azure Active Directory Sync\DirSyncConfigShell.psc1”
    • Run “Start-OnlineCoexistenceSync”
  5. DirSync only allows for 15,000 accounts to be sync’d unless you call Microsoft first.  This includes containers, groups, and users.  If you hit this limit, you can filter what goes up to Azure.
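The following is an added example (not from either post) that serves both the “Set Office365 Password To Not Expire” post above and tip 1 of this list: it connects with the MSOnline module, reads the current PasswordNeverExpires flag, sets it, reads it back to confirm, and then lists every account in the tenant whose password never expires, so the DirSync service account stays the deliberate exception rather than one of many. The UPN is a placeholder and the function names are mine.

```powershell
# Added example (not from the original posts): set PasswordNeverExpires for one account,
# confirm it took, and list all non-expiring accounts in the tenant.
Import-Module MSOnline

function Set-PasswordNeverExpires {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [bool]$NeverExpires = $true
    )
    $before = (Get-MsolUser -UserPrincipalName $UserPrincipalName).PasswordNeverExpires
    Set-MsolUser -UserPrincipalName $UserPrincipalName -PasswordNeverExpires $NeverExpires

    # Read it back rather than trusting the Set call: Set-MsolUser prints nothing on success
    $after = (Get-MsolUser -UserPrincipalName $UserPrincipalName).PasswordNeverExpires
    if ($after -ne $NeverExpires) {
        throw "PasswordNeverExpires for $UserPrincipalName is still $after"
    }
    [pscustomobject]@{ UserPrincipalName = $UserPrincipalName; Before = $before; After = $after }
}

function Get-NonExpiringAccounts {
    # Every account whose password never expires. Ideally this is only the DirSync
    # service account; anything else here should have a known reason.
    Get-MsolUser -All | Where-Object { $_.PasswordNeverExpires } |
        Select-Object UserPrincipalName, LastPasswordChangeTimestamp
}

# Prompts for an admin account, as tip 1 does; the DirSync account itself works here
Connect-MsolService -Credential (Get-Credential)

# Placeholder UPN: replace with the DirSync service account
Set-PasswordNeverExpires -UserPrincipalName 'dirsync@yourtenant.onmicrosoft.com'
Get-NonExpiringAccounts
```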


How to automatically assign licenses in Office 365

Well, you can’t.  Have a great day!

Aside from this being super helpful, I have a workaround for you based on this post from Microsoft (it has a few minor errors) – 

This file (rename it to ZIP) has the Powershell files: O365LicenseScripts

This assumes that you have the MS Online Services Sign-In Assistant (you already have this if DirSync is installed) and Microsoft Online Services Module for PowerShell (found here

How to get it working:

  • Unzip the files to C:\O365LicenseScripts (or where you keep your scripts).  You can also recreate the scripts from the MSFT post, but there are a few issues with spaces, file names, and it doesn’t set a location for the users before assigning the license.
  • Open Powershell
  • CD to C:\O365LicenseScripts
  • Run .\SetupScript.ps1
    • [Office 365 directory sync account – using the address]
    • [Password for account]
    • Y
    • Y
    • extensionAttribute14
      This is the attribute in AD you are using to identify which users get licenses
    • Office365
      Value that the users will have if in AD they are supposed to have the license
    • extensionAttribute15
      The attribute in AD that has the license name, like OFFICESUBSCRIPTION for Office.
  • This will create several scripts from the TMP files and some text files.

If you run Get-LicensingInputFromAD.ps1, you will see what the system thinks the users should be and their corresponding licenses.

If you run AssignLicense.ps1, it will assign the licenses based on what the Get-LicensingInputFromAD.ps1 script output was (stored in the queuedLicense folder created during setup).

If you want to schedule it, you can use the Schedule.ps1 script. I won’t go too far into the weeds, but the command is “powershell.exe” (without the quotes) and the argument is “-file C:\O365LicenseScripts\Schedule.ps1” (without the quotes).

There is one difference in my scripts. You will find two lines that are commented out in case you don’t want to set the license type in Active Directory. I often find that most customers only use one license type, so I put in an attribute to say which accounts get the license and then hard-set the license in the script (set it in the TMP file; otherwise the setup script will delete your work!).
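As an added example (not the scripts from the ZIP, and not Microsoft’s post), here is the same idea in one self-contained PowerShell script: it reads the flag attribute and optional license attribute from Active Directory, falls back to a hard-coded SKU when the attribute is empty (the “one license type” case above), sets UsageLocation before licensing (the step the Microsoft post skips), and checks that the SKU exists and has free units before assigning it. The attribute names and the “Office365” value follow the setup prompts above; the SKU part number, usage location and function names are assumptions to adjust for your tenant.

```powershell
# Added example (not the post's scripts): assign Office 365 licenses to AD users flagged
# by an attribute, setting UsageLocation first and checking SKU availability.
Import-Module ActiveDirectory
Import-Module MSOnline

$FlagAttribute  = 'extensionAttribute14'   # users with this set to $FlagValue get a license
$FlagValue      = 'Office365'
$SkuAttribute   = 'extensionAttribute15'   # optional per-user SKU part number, e.g. OFFICESUBSCRIPTION
$DefaultSkuPart = 'ENTERPRISEPACK'         # assumption: used when $SkuAttribute is empty
$UsageLocation  = 'US'                     # assumption: ISO country code required before licensing

Connect-MsolService -Credential (Get-Credential)
# AccountSkuId looks like "tenantname:ENTERPRISEPACK"; take the tenant prefix from any SKU
$tenant = (Get-MsolAccountSku | Select-Object -First 1).AccountSkuId.Split(':')[0]

function Get-LicensingInputFromAD {
    # One row per flagged AD user: UPN plus the AccountSkuId they should have
    Get-ADUser -Filter "$FlagAttribute -eq '$FlagValue'" -Properties $FlagAttribute, $SkuAttribute |
        ForEach-Object {
            $part = if ($_.$SkuAttribute) { $_.$SkuAttribute } else { $DefaultSkuPart }
            [pscustomobject]@{
                UserPrincipalName = $_.UserPrincipalName
                AccountSkuId      = "${tenant}:$part"
            }
        }
}

function Grant-MsolLicenseFromAD {
    param([Parameter(ValueFromPipeline)]$Entry)
    process {
        $sku = Get-MsolAccountSku | Where-Object { $_.AccountSkuId -eq $Entry.AccountSkuId }
        if (-not $sku) {
            Write-Warning "Unknown SKU $($Entry.AccountSkuId) for $($Entry.UserPrincipalName)"; return
        }
        if ($sku.ConsumedUnits -ge $sku.ActiveUnits) {
            Write-Warning "No free units of $($sku.AccountSkuId); skipping $($Entry.UserPrincipalName)"; return
        }
        $user = Get-MsolUser -UserPrincipalName $Entry.UserPrincipalName -ErrorAction SilentlyContinue
        if (-not $user) {
            Write-Warning "$($Entry.UserPrincipalName) is not in Office 365 yet (DirSync pending?)"; return
        }
        if ($user.Licenses.AccountSkuId -contains $Entry.AccountSkuId) { return }   # already licensed

        # UsageLocation must be set or Set-MsolUserLicense fails; this is the missing step
        if (-not $user.UsageLocation) {
            Set-MsolUser -UserPrincipalName $user.UserPrincipalName -UsageLocation $UsageLocation
        }
        Set-MsolUserLicense -UserPrincipalName $user.UserPrincipalName -AddLicenses $Entry.AccountSkuId
        Write-Output "Assigned $($Entry.AccountSkuId) to $($user.UserPrincipalName)"
    }
}

# Preview first (what the post's Get-LicensingInputFromAD.ps1 shows), then assign
Get-LicensingInputFromAD | Format-Table -AutoSize
Get-LicensingInputFromAD | Grant-MsolLicenseFromAD
```

Running Get-LicensingInputFromAD on its own before the assignment step is the equivalent of the post’s preview script, and the SKU-unit check keeps a mistyped attribute value from burning through the remaining licenses.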

Good luck!

Limit what DirSync… um… syncs

Who really wants to see all those pesky accounts and groups up in Office 365?  Not me (and probably not you if you are reading this).  I want to see accounts that I need to give licenses to.

Disclaimer – you can really mess up Office 365.  Be careful!

  1. In Windows Explorer, navigate to “C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell7”.
  2. Double click miisclient.exe to open this window
  3. Click on “Management Agents” on the toolbar.
  4. This is where the magic happens.  Right click the “Active Directory” agent and choose Properties.
  5. Select “Configure Connector Filter”.
  6. Select “user” by scrolling down in the right pane to view the filters for this object.
  7. Add your filters!

But wait!

These filters are for things you don’t want.  As you can see in the image above, I am filtering for users that DO NOT contain “365” in the ExtensionAttribute15 (you can edit that in Active Directory).  By using this, I will only get users that have it.  Consider it a “negative filter”.

Now, before you work on this too long, let me give you some hints:

  1. You can’t filter users based on their group membership.  It has to be an attribute that is in their user account (think about what you can see in Active Directory).
  2. You cannot see attributes that you put in by extending the schema, so you can’t filter on those either.
  3. If you don’t want to sync other objects, like groups, don’t uncheck the object types or delete the joins or anything else like that.  It breaks the sync with Office 365.  Instead filter all the objects out by choosing something that you know every object has.  In this situation, I didn’t want to replicate the groups to O365, so I filtered for every group object that had a GUID:
  4. If you really mess something up, delete the Azure agent and the AD agent and re-run the DirSync configuration.  It will recreate the agents in their vanilla form.  If you messed up Office 365, this may or may not fix it.
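Because the connector filter is negative and a wrong attribute value can silently exclude every user, it helps to preview what the filter will do from Active Directory before touching miisclient. The following is an added example (not from the original post): it applies the same “does not contain 365 in extensionAttribute15” logic to your AD users and reports how many would sync and how many would be filtered out. The attribute and marker follow the post; the search base default and function name are mine.

```powershell
# Added example (not from the original post): preview which AD users a negative
# connector filter on extensionAttribute15 would keep and which it would exclude.
Import-Module ActiveDirectory

function Get-DirSyncFilterPreview {
    param(
        [string]$Attribute  = 'extensionAttribute15',
        [string]$Marker     = '365',
        [string]$SearchBase = (Get-ADDomain).DistinguishedName   # assumption: whole domain
    )
    $users = Get-ADUser -Filter * -SearchBase $SearchBase -Properties $Attribute

    # The miisclient filter is negative: objects that MATCH the filter are NOT synced.
    # "Does not contain 365" therefore excludes empty attributes as well as non-matching ones.
    $excluded = $users | Where-Object { -not $_.$Attribute -or $_.$Attribute -notlike "*$Marker*" }
    $synced   = $users | Where-Object { $_.$Attribute -like "*$Marker*" }

    [pscustomobject]@{
        TotalUsers     = $users.Count
        WillSync       = $synced.Count
        WillBeFiltered = $excluded.Count
        SyncedUpns     = $synced.UserPrincipalName
    }
}

$preview = Get-DirSyncFilterPreview
$preview | Format-List

if ($preview.WillSync -eq 0) {
    Write-Warning "This filter would exclude every user; check the attribute value before applying it."
}
```

The counts also give you a running figure against the 15,000-object limit from the DirSync tips, at least for the user objects in scope.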

That should get you going.  Good luck!

Force DirSync to perform an immediate directory synchronization

If you need DirSync to initiate a directory synchronization immediately, you can perform the following procedure:

  1. Open Powershell
  2. Navigate to the Windows Azure Active Directory Sync directory
    1. cd "C:\Program Files\Windows Azure Active Directory Sync\"
  3. Launch the config shell 
    1. .\DirSyncConfigShell.psc1
  4. A new window will open.  Type “Start-OnlineCoexistenceSync” (without the quotes)
    (if that command gets too long, don’t forget that pressing the TAB key will complete your commands in PowerShell!)

That’s it.  I know it isn’t very impressive.  Where is the status?  How do you know if it worked?  I will show you that too!

  1. In Windows Explorer, navigate to “C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell”
  2. Double click on miisclient.exe to open this window:

This gives you the status of all of your jobs that have run, including the current one that was initiated from the script!
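For anyone who would rather not open miisclient every time, here is an added example (not from this post or the DirSync tips post) that covers tips 3 and 4 of the DirSync list as well as the procedure above: it runs Start-OnlineCoexistenceSync from script, optionally after Set-FullPasswordSync, and then reads the run history that the miisclient window displays. It assumes the Coexistence-Configuration snap-in that DirSyncConfigShell.psc1 loads and the MIIS_RunHistory WMI class under root\MicrosoftIdentityIntegrationServer; the RunStatus string it waits on, the timeout and the function names are my assumptions.

```powershell
# Added example (not from the original posts): start a DirSync run from script and
# read back the run history instead of checking it in miisclient.
Add-PSSnapin Coexistence-Configuration   # assumption: the snap-in DirSyncConfigShell.psc1 loads

function Get-DirSyncRunHistory {
    param([int]$Last = 5)
    # Assumption: MIIS_RunHistory exposes MaName, RunProfile, RunStatus, RunStartTime, RunEndTime
    Get-WmiObject -Namespace 'root\MicrosoftIdentityIntegrationServer' -Class MIIS_RunHistory |
        Sort-Object RunStartTime -Descending |
        Select-Object -First $Last MaName, RunProfile, RunStatus, RunStartTime, RunEndTime
}

function Start-DirSync {
    param(
        [switch]$FullPasswordSync,   # tip 3: a full directory sync does not resync passwords
        [int]$TimeoutMinutes = 30
    )
    if ($FullPasswordSync) { Set-FullPasswordSync }
    Start-OnlineCoexistenceSync      # tip 4 and the procedure above

    # Poll the run history until nothing is in progress or we give up
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds 30
        $running = Get-DirSyncRunHistory | Where-Object { $_.RunStatus -eq 'in-progress' }
    } while ($running -and (Get-Date) -lt $deadline)

    if ($running) {
        Write-Warning "Sync still running after $TimeoutMinutes minutes; check miisclient"
    }
    # Anything other than 'success' here is what you would otherwise hunt for in the UI
    Get-DirSyncRunHistory
}

Start-DirSync -FullPasswordSync
```

Calling Get-DirSyncRunHistory by itself is the scripted equivalent of opening miisclient to look at the job list.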