Get-MsolUser is one of the prominent cmdlets in the MSOnline V1 PowerShell module for Azure Active Directory. This cmdlet lets you view the properties of one or several Microsoft 365 accounts, similar to how the Get-ADUser cmdlet returns on-premises Active Directory user attributes.
In this article, we’ll show you how to get Microsoft 365 user account details using the Get-MsolUser cmdlet and some examples of manipulating the cmdlet and its output.
Installing the MSOnline PowerShell Module
Before you can use the Get-MsolUser command, you must install its parent module. The MSOnline PowerShell module can be installed from the PowerShell Gallery through the Install-Module cmdlet.
Microsoft has stopped developing this module, and the most recent version, 1.1.183.66, was released on November 15, 2021. The MSOnline module is designed to work with Windows PowerShell (2.0 – 5.1), not PowerShell Core. Nevertheless, it is still functional and valuable in most use-case scenarios.
First, check whether you have installed the MSOnline module on your computer. To do so, run the following command in Windows PowerShell.
Get-Module -Name MSOnline -ListAvailable
If the module is installed, the result will be similar to the screenshot below.
If the module is not installed, there will be no output, and you can install it using this command.
## Install for the current user profile
Install-Module -Name MSOnline -Scope CurrentUser
## Install for all users (requires elevation)
Install-Module -Name MSOnline -Scope AllUsers
Connecting to Azure AD
The MSOnline module includes a cmdlet called Connect-MsolService that lets you connect and authenticate to Azure AD.
There are two ways to connect to Azure AD using the Connect-MsolService command, depending on whether your account is MFA-enabled.
For non-MFA accounts, you can store your credentials in a variable first and then pass it to the -Credential parameter.
$credential = Get-Credential
Connect-MsolService -Credential $credential
You cannot use the previous method for an MFA-enabled account because the authentication process would present an MFA challenge that you would have to complete. Instead, you can run the Connect-MsolService independently and log in interactively.
Get-MsolUser: Get All or Specific Users
Without parameters, the Get-MsolUser command will return up to 500 users.
Get-MsolUser
To increase the results, specify the maximum to the -MaxResults parameter. For example, this command returns up to 3000 users.
Get-MsolUser -MaxResults 3000
Note. There’s no documented maximum value for the -MaxResults parameter.
To return all users with no additional filtering, specify the -All:$true parameter instead.
Get-MsolUser -All:$true
To view one user’s attributes, you can specify the user’s identity using the -UserPrincipalName or -ObjectId parameters.
Get-MsolUser -UserPrincipalName MeganB@lazyexchangeadmin.cyou
Get-MsolUser -ObjectID a6a80171-478a-465d-8dfd-d55928a2ce2d
The default result view shows only the UserPrincipalName, DisplayName, and isLicensed attributes. You can view all properties by piping the result to the Format-List cmdlet.
Get-MsolUser -UserPrincipalName MeganB@lazyexchangeadmin.cyou | Format-List *
You can also select which attributes to return by piping the results to the Select-Object cmdlet.
Get-MsolUser -UserPrincipalName MeganB@lazyexchangeadmin.cyou | Select-Object UserPrincipalName, DisplayName, Title, State
Get-MsolUser: Filter Results by User Attributes
The Get-MsolUser cmdlet does not support server-side filtering, unlike its successor, the Get-AzureADUser cmdlet, which is part of the Azure AD V2 module. We can filter the results locally with the Where-Object cmdlet. Let’s look at some examples.
Get Licensed or Unlicensed Users
This example retrieves all licensed users by filtering the isLicensed property.
Get-MsolUser -All:$true | Where-Object {$_.isLicensed}
In contrast, the following example returns only unlicensed users, excluding guests.
Get-MsolUser -All:$true | Where-Object {!$_.isLicensed -and $_.UserType -eq 'Member'} | Select-Object UserPrincipalName, IsLicensed, UserType
Alternatively, the -UnlicensedUsersOnly switch lets you achieve the same result more efficiently, as you don’t need to filter the results locally.
Get-MsolUser -All:$true -UnlicensedUsersOnly | Select-Object UserPrincipalName, IsLicensed, UserType
Get Users by Location
An Azure AD user object has location-specific attributes, such as City, State, Country, PostalCode, and Office. Knowing these attributes exist, you can use them to filter the Get-MsolUser result.
To get all users in the United States:
Get-MsolUser -All:$true | Where-Object {$_.Country -eq 'United States'} | Select-Object UserPrincipalName,Country
Or you may need to know which user accounts were provisioned without a country.
Get-MsolUser -All:$true | Where-Object {!$_.Country -and $_.UserType -eq 'Member'} | Select-Object UserPrincipalName, Country
How about if you want to know which City most of your users are from and who those users are?
# Get all users
$allUsers = Get-MsolUser -All:$true
# Group by City, sorted by count.
$allUsers | Group-Object City | Sort-Object Count -Descending
This result shows, in descending order, the number of users per city. You can see that most users don’t have a value in their City attribute.
The city with the most users in this example is Tulsa. Let’s run the command to show all users from Tulsa.
$allUsers | Where-Object {$_.City -eq 'Tulsa'} | Select-Object UserPrincipalName, City, State
Get-MsolUser: Built-in Filter Switches
The Get-MsolUser cmdlet has several switches meant for filtering results. You can specify these switches depending on your intended query.
Switch/Parameter | Effect |
---|---|
-ReturnDeletedUsers | Return only the users in the Azure AD recycle bin. |
-HasErrorsOnly | Return only the users with validation errors. |
-LicenseReconciliationNeededOnly | Return only the users that require license reconciliation. |
-City | Filter the result by City |
-State | Filter the result by State |
-Country | Filter the result by Country |
-Department | Filter the result by Department |
-DomainName | Filter the result by the Domain name. The domain name must be verified by the tenant. |
-EnabledFilter <All \| EnabledOnly | |
Get-MsolUser: Get Users with Old Password
While there’s no unanimous consensus on whether passwords should expire, it’s still good practice to know whether users have not been changing their passwords or if their password age is reaching the threshold. The Get-MsolUser cmdlet can do that!
This script retrieves all enabled users and keeps those whose passwords are more than 90 days old.
Get-MsolUser -All:$true -EnabledFilter EnabledOnly | Where-Object { $_.LastPasswordChangeTimestamp -lt (Get-Date).AddDays(-90) } | Select-Object UserPrincipalName, LastPasswordChangeTimestamp, @{n = 'PasswordAgeInDays'; e = { $((New-TimeSpan -Start $_.LastPasswordChangeTimestamp).Days) }}
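The following is an added example, not code from the original article. It wraps the same 90-day check in a function that also reports PasswordNeverExpires and separates out accounts whose LastPasswordChangeTimestamp is empty; the function name, status labels and sample accounts are assumptions made for illustration.

```powershell
# Added example: password-age audit over objects shaped like Get-MsolUser output.
function Get-PasswordAgeReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$User,
        [int]$MaxAgeDays = 90    # threshold used in the article; adjust to your policy
    )
    begin { $now = Get-Date }
    process {
        $changed = $User.LastPasswordChangeTimestamp
        if ($null -eq $changed) {
            # "$null -lt <date>" is $true in PowerShell, so a plain -lt filter would
            # match this account even though no age can be computed for it.
            $age    = $null
            $status = 'NoTimestamp'
        }
        else {
            $age    = [int][math]::Floor(($now - $changed).TotalDays)
            $status = if ($changed -lt $now.AddDays(-$MaxAgeDays)) { 'Stale' } else { 'OK' }
        }
        [pscustomobject]@{
            UserPrincipalName    = $User.UserPrincipalName
            PasswordAgeInDays    = $age
            PasswordNeverExpires = $User.PasswordNeverExpires
            Status               = $status
        }
    }
}

# Constructed sample objects (not real accounts) so the function runs without a tenant.
$sampleUsers = @(
    [pscustomobject]@{ UserPrincipalName = 'recent@contoso.example'; LastPasswordChangeTimestamp = (Get-Date).AddDays(-10); PasswordNeverExpires = $false }
    [pscustomobject]@{ UserPrincipalName = 'stale@contoso.example'; LastPasswordChangeTimestamp = (Get-Date).AddDays(-400); PasswordNeverExpires = $true }
    [pscustomobject]@{ UserPrincipalName = 'blank@contoso.example'; LastPasswordChangeTimestamp = $null; PasswordNeverExpires = $null }
)

# Show only the accounts that need attention, oldest first.
$sampleUsers | Get-PasswordAgeReport |
    Where-Object { $_.Status -ne 'OK' } |
    Sort-Object PasswordAgeInDays -Descending

# Against a tenant, after Connect-MsolService:
# Get-MsolUser -All:$true -EnabledFilter EnabledOnly | Get-PasswordAgeReport
```

A row with Status 'Stale' and PasswordNeverExpires set to True is the combination to review first, since no expiry policy will ever force that password to change.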
Get-MsolUser: Generate an Office 365 User License Report
One tenet of Microsoft 365 user administration is license management. Administrators can benefit from knowing what licenses are assigned to users in a convenient list. Luckily, the Get-MsolUser cmdlet result includes the LicenseAssignmentDetails with the licenses assigned to the user.
To be clear, we are referring to the license, not the included service plans. The table below shows the license name (Office 365 F3), its part number (DESKLESSPACK), and the service plans included.
License | Included Service Plan |
---|---|
Office 365 F3 (DESKLESSPACK) | Common Data Service – O365 F1, Common Data Service For Teams_F1, Exchange Online Kiosk, Microsoft Azure Rights Management Service, Microsoft Bookings, Microsoft Forms (Plan F1), Microsoft Kaizala Pro Plan 1, Microsoft Planner, Microsoft Search, Microsoft Staffhub, Microsoft Stream For Office 365 F3, Microsoft Teams, Mobile Device Management For Office 365, Office For The Web, Office Mobile Apps For Office 365, Power Apps For Office 365 F3, Power Automate For Office 365 F3, Power Virtual Agents For Office 365 F1, Project For Office (Plan F), Sharepoint Kiosk, Skype For Business Online (Plan 1), Sway, Vivaengage_Core, Whiteboard, Yammer Enterprise |
So, what we want to know is the user’s assigned licenses, not the service plans. Moreover, the report should include the license name (Office 365 F3), not its part number (DESKLESSPACK).
To achieve that, let’s first install the script that retrieves the friendly license names from Microsoft’s “Product names and service plan identifiers for licensing” documentation.
Install-Script -Name Get-m365ProductIDTable
Next, copy this script and save it to your computer as Get-MsolUserLicenseDetails.ps1.
# Get all licensed users.
$licensedUsers = Get-MsolUser -All:$true | Where-Object { $_.isLicensed -and $_.UserType -eq 'Member' }
# Retrieve all license friendly names from the official Microsoft documentation.
$licenseFriendlyNames = Get-m365ProductIDTable -TitleCase | Select-Object SkuName, SkuPartNumber
# Initialize a generic list as a placeholder for the report.
$licenseReport = New-Object 'System.Collections.Generic.List[System.Object]'
# Process each user
foreach ($user in $licensedUsers) {
    # Aggregate the user's license assignment details.
    $license = @(
        foreach ($licenseItem in $user.LicenseAssignmentDetails) {
            if ($licenseItem.AccountSku.SkuPartNumber -in $licenseFriendlyNames.SkuPartNumber) {
                # If the license part number (eg. DESKLESSPACK) exists in the $licenseFriendlyNames, return the friendly name.
                ($licenseFriendlyNames | Where-Object { $_.SkuPartNumber -eq $licenseItem.AccountSku.SkuPartNumber }).SkuName
            }
            else {
                # If not, return the license part number.
                $licenseItem.AccountSku.SkuPartNumber
            }
        }
    )
    # Add the user's license information to the collection
    $licenseReport.Add(
        $(
            New-Object psobject -Property $(
                [ordered]@{
                    UserPrincipalName = $user.UserPrincipalName
                    License           = $license -join ", "
                }
            )
        )
    )
}
# Return the license report
$licenseReport
Once you saved it, open Windows PowerShell, change the working directory to where you saved the script, and run it.
.\Get-MsolUserLicenseDetails.ps1
As you can see below, this script outputs two properties: the user’s UserPrincipalName and a comma-separated list of License names.
You can also pipe the result to Export-Csv to export the report to a CSV file.
.\Get-MsolUserLicenseDetails.ps1 | Export-Csv -Path .\UserLicenseReport.csv -NoTypeInformation
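For audits it is often easier to work with one row per user and license, keyed by the SKU GUID, than with a joined string. The block below is an added example, not part of the original article; it assumes the user objects expose a Licenses collection with AccountSkuId and that the SKU table comes from the MSOnline Get-MsolAccountSku cmdlet (AccountSkuId, SkuPartNumber, SkuId). The function name and sample values are constructed for illustration.

```powershell
# Added example: flatten user licenses to one row per assignment, with SKU GUID.
function Expand-UserLicense {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$User,
        [Parameter(Mandatory)]
        [object[]]$Sku    # output of Get-MsolAccountSku, or objects shaped like it
    )
    begin {
        # Index the tenant SKUs by AccountSkuId (e.g. 'contoso:DESKLESSPACK').
        $skuIndex = @{}
        foreach ($s in $Sku) { $skuIndex[$s.AccountSkuId] = $s }
    }
    process {
        foreach ($license in $User.Licenses) {
            $match = $skuIndex[$license.AccountSkuId]
            [pscustomobject]@{
                UserPrincipalName = $User.UserPrincipalName
                AccountSkuId      = $license.AccountSkuId
                # Left empty when the SKU is not in the supplied table.
                SkuPartNumber     = if ($match) { $match.SkuPartNumber } else { $null }
                SkuId             = if ($match) { $match.SkuId } else { $null }
            }
        }
    }
}

# Constructed sample data (placeholder GUID, not a real SKU identifier).
$sampleSkus = @(
    [pscustomobject]@{ AccountSkuId = 'contoso:DESKLESSPACK'; SkuPartNumber = 'DESKLESSPACK'; SkuId = [guid]'00000000-0000-0000-0000-000000000001' }
)
$sampleUsers = @(
    [pscustomobject]@{ UserPrincipalName = 'user1@contoso.example'; Licenses = @(
            [pscustomobject]@{ AccountSkuId = 'contoso:DESKLESSPACK' }
            [pscustomobject]@{ AccountSkuId = 'contoso:UNKNOWN_SKU' }) }
)
$sampleUsers | Expand-UserLicense -Sku $sampleSkus

# Against a tenant, after Connect-MsolService:
# $skus = Get-MsolAccountSku
# Get-MsolUser -All:$true | Where-Object { $_.isLicensed } |
#     Expand-UserLicense -Sku $skus | Export-Csv .\UserLicenseBySku.csv -NoTypeInformation
```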
Conclusion
In conclusion, the Get-MsolUser cmdlet is a powerful tool within the MSOnline PowerShell module for Azure Active Directory that allows administrators to retrieve and analyze user account details in Microsoft 365 environments. Although the module’s development has been discontinued, it remains functional and valuable for various use cases.
By installing the necessary module and connecting to Azure AD, administrators can access a wealth of user attributes, enabling them to tailor their queries and reports according to their specific needs. The cmdlet’s flexibility is demonstrated through its ability to retrieve all users and specific users or apply various filters to sort and group users by attributes such as location, license status, and password age.
The script examples in this article showcase the cmdlet’s versatility in generating reports, such as identifying users with old passwords, listing licensed users, and even creating detailed license reports that consolidate information for efficient management.
In a Microsoft 365 environment, where user management and license allocation are crucial aspects of administration, the Get-MsolUser cmdlet proves to be an indispensable asset, streamlining the process of retrieving, analyzing, and reporting user account details. Despite its limitations, the cmdlet remains a valuable tool in the arsenal of administrators seeking to manage their Microsoft 365 user base efficiently.
1 comment
Hi,
is it possible to somehow display user principal and SKUid/GUID/license like one table?
I would like to connect user and part number via SKUid/GUID for reporting.
Regards,
IM