azure-active-directorymicrosoft-office-365powershell
Is it possible to find out from on-premise AD whether user is synchronized with AzureAD (Office 365) or not? And whether when the sync for that user happened?
I am aware you can see that on Office 365 but I would like to try and find it internally.
Get-AdUser -Properties * -Filter *
You definitely want to use a for-each loop to enumerate each user and apply the license. The loop needs to call up the .UserPrincipalName from each object returned in your Get-ADUser query, as Office365 needs to work with that value when setting licenses:
Get-ADUser | %{ Set-MSOLUserLicense -UserPrincipalName $_.UserPrincipalName }
I have created my own answer here to explain a common case that I think you're describing in your question: You don't want to blanket apply the same license options to everyone.
A TechNet Blog on this matter is immensely helpful. You may not want to give your Finance team access to SharePoint Online/OneDrive for Business for data leakage reasons, or you may have a call center who you don't want to enable for Lync/Skype for Business.
To get information on your tenant, start at the top:
Get-MSOLAccountSku
This will return the license packs you have in your tenant. Some common SKUs are ENTERPRISEPACK and DESKLESSPACK. These will be listed by yourorg:LICENSEPACK under AccountSkuId.
It is important to note that each of these License packs can have features disabled from them when you apply via PowerShell (similarly, you can choose to check/uncheck option boxes in the Admin Center).
To create this subset of license options, create a new variable and leverage the New-MSOLLicenseOptions cmdlet:
$LicOpt = New-MsolLicenseOptions -AccountSkuId "yourorg:ENTERPRISEPACK" -DisabledPlans OFFICESUBSCRIPTION,MCOSTANDARD,SHAREPOINTWAC,SHAREPOINTENTERPRISE,RMS_S_ENTERPRISE
(The above options would correspond to the screenshot above, I'm sure you could guess that I totally pulled it from a provisioning script.)
Finally, we can tie this back to your Set-MsolUserLicense in your ForEach loop:
$LicOpt = New-MsolLicenseOptions -AccountSkuId "yourorg:ENTERPRISEPACK" -DisabledPlans OFFICESUBSCRIPTION,MCOSTANDARD,SHAREPOINTWAC,SHAREPOINTENTERPRISE,RMS_S_ENTERPRISE
Get-ADUser | %{ Set-MsolUserLicense -UserPrincipalName $_.UserPrincipalName -AddLicenses "yourorg:ENTERPRISEPACK" -LicenseOptions $LicOpt }
As always, your tenant may vary. I hope I've given enough info for you to discover the options available and apply appropriately!
I've the same problem in my domain. Someone manually create the o365 mailbox for users who already have an on-premise mailbox
I've found this way to fix it:
Remove-MsolUser -UserPrincipalName youruser@youroffice365domain.com -ForceRemove-MsolUser -UserPrincipalName youruser@youroffice365domain.com -RemoveFromRecycleBin -ForceI think is more simple and straightforward. You can also re-migrate your mailbox on-prem (offboarding) if you need it.
Best Answer
I think the closest way to get what you want is the Azure Powershell module. You could use that scripted and locally to check if the user is online. The properties in the local active directory that Azure writes to is limited to group membership and password hashes. I don't believe the information you are looking for is stored on premise.