[Tool] Create and Configure Active Directory and Office 365 Users at Once.
One of the first things IT administrators look to automate is the new user creation process. I was recently going through the process of creating a new hire's Active Directory login, Office 365 mailbox, and Office 365 user account, and I wondered how I could make the process easier and quicker.
My focus was geared towards Managed Service Providers (MSPs), Human Resource (HR) departments and general Help Desk technicians. For MSPs I wanted to create a tool they could easily use across all of their clients: they often don't spend the time to automate new user creation because they have hundreds, if not thousands, of clients to tend to, and each client is unique, so you can't just copy the same automation script from one client to another. This would also be a huge asset for Help Desk technicians, because they are more often than not the ones creating new users, and it would speed up the entire process of making new hires' AD logins as well as their Office 365 accounts. Lastly, I wanted to make a tool so easy to use that it can be given to an HR department, so they can create new users and Office 365 mailboxes without ever having to contact the IT department at all.
I also wanted to be able to have the option of creating just an Active Directory user, just an Office 365 user, or both.
When making a new user in Active Directory Users and Computers you can enter the following information:
- First name
- Initials
- Last name
- Full name
- User logon name
If you want to enter items like E-Mail, password, group permissions, login scripts, home drive, etc. you would have to complete the new user wizard, find and then edit your user in Active Directory, and then fill in the necessary information. But what if we could enter all that information during the user creation process? We could add the user to groups, give them profile information, address, company info, enable multi-factor authentication and more, all without having to leave the new user wizard.
User Interface
New Active Directory User
In the picture you can see the new Active Directory user creation wizard which lets you configure the following:
- First Name
- Initials
- Last Name
- Display Name
- Description
- Office
- Password (confirm your password and even generate a random password)
- Telephone Number
- Web Page
- UserPrincipalName
- Specify an OU to place the new user in
- Password settings (change password at next logon, disabled, never expires, etc.)
- Address (street, PO box, city, state, zip)
- Add your user to certain security groups
- Job Title
- Department
- Company
- Profile Path
- Logon Script
- Home Folder (drive letter and location)
- ProxyAddresses
Right off the bat, you can configure many more options for your new users than you could by creating them in Active Directory Users and Computers.
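Everything the wizard above collects maps onto parameters of a single New-ADUser call, so the account is either created fully configured or not at all. The following is an added example, not code from the post or from the Master User Creator project; contoso.com, the fs01 file server, the Staff OU and the GG-* group names are constructed placeholders.

```powershell
# Added example (not the tool's own code): create one AD user with the wizard's
# attributes in a single pass, then add group memberships and read the result back.
# contoso.com, fs01, OU=Staff and the GG-* groups are constructed placeholders.
Import-Module ActiveDirectory

# Read the password straight into a SecureString so no clear-text copy is kept around.
$password = Read-Host -Prompt 'Initial password' -AsSecureString

$newUser = @{
    Name                  = 'Jane Q. Doe'
    GivenName             = 'Jane'
    Initials              = 'Q'
    Surname               = 'Doe'
    DisplayName           = 'Jane Q. Doe'
    Description           = 'Accounting analyst'
    Office                = 'Chicago'
    OfficePhone           = '+1 555 0100'
    HomePage              = 'https://intranet.contoso.com/jdoe'
    SamAccountName        = 'jdoe'
    UserPrincipalName     = 'jdoe@contoso.com'
    EmailAddress          = 'jdoe@contoso.com'
    Path                  = 'OU=Staff,DC=contoso,DC=com'   # target OU; omit Path to use the domain default
    StreetAddress         = '1 Example Way'
    POBox                 = '100'
    City                  = 'Chicago'
    State                 = 'IL'
    PostalCode            = '60601'
    Title                 = 'Analyst'
    Department            = 'Accounting'
    Company               = 'Contoso'
    ProfilePath           = '\\fs01\profiles$\jdoe'
    ScriptPath            = 'logon.bat'                    # relative to the NETLOGON share
    HomeDrive             = 'H:'
    HomeDirectory         = '\\fs01\home$\jdoe'
    AccountPassword       = $password
    ChangePasswordAtLogon = $true    # cannot be combined with PasswordNeverExpires = $true
    PasswordNeverExpires  = $false
    Enabled               = $true
    # proxyAddresses has no dedicated parameter; the upper-case SMTP: entry is the primary address
    OtherAttributes       = @{ proxyAddresses = @('SMTP:jdoe@contoso.com', 'smtp:jane.doe@contoso.com') }
}

# -PassThru returns the new object so the group step needs no second lookup
$created = New-ADUser @newUser -PassThru

foreach ($groupName in @('GG-Accounting', 'GG-VPN-Users')) {
    # Resolve by name first so a mistyped group is reported here instead of failing mid-loop
    $group = Get-ADGroup -Filter "Name -eq '$groupName'"
    if (-not $group) { Write-Warning "Group '$groupName' not found; skipping"; continue }
    Add-ADGroupMember -Identity $group -Members $created
}

# Read back what was actually written, including the multi-valued attribute
Get-ADUser -Identity $created -Properties proxyAddresses, memberOf |
    Select-Object SamAccountName, DistinguishedName, proxyAddresses, memberOf
```

Because every attribute travels in the one New-ADUser call, a rejected value (a bad OU path, a malformed proxy address) fails the whole creation rather than leaving a half-configured account behind that someone then has to find and finish by hand.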
New Office 365 User
Pictured is the new Office 365 user creation wizard, which sits one tab over from the Active Directory user wizard. One of the included features is copying the attributes you entered for your Active Directory user into the Office 365 user wizard, which is useful if you don't have ADSync set up and create users manually. If ADSync is set up and found locally on the system, the manual user creation portion is disabled and the checkbox to run a DirSync upon user creation is enabled, so a DirSync runs right after the Active Directory user is created.
The Office 365 new user wizard will let you configure the following:
- First Name
- Last Name
- Display Name
- License
- Password (confirm your password and even generate a random password)
- UserPrincipalName
- Country Code
- Multi-Factor Authentication
- Alias E-Mail Addresses
- Password Settings (change password at next logon, never expires, disabled)
- Address (street, city, state, zip code)
- Mail Groups (add your user to distribution groups, office 365 groups and mail-enabled security groups)
- Security Groups (add your user to security groups)
- Shared Mailboxes (grant your user Full Access, Send-As or Send on Behalf permissions on Shared Mailboxes, configure AutoMapping)
- Hide from Global Address List
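The Office 365 side of the wizard is a sequence of MSOnline and Exchange Online calls. Here is an added example, not code from the post or from the Master User Creator project, that walks the list above: license lookup with friendly names, user creation, MFA, groups, shared-mailbox rights, an alias and hiding from the GAL. It assumes Connect-MsolService and an Exchange Online session are already established; contoso.com and every mailbox, group and SKU name are constructed placeholders.

```powershell
# Added example (not the tool's own code). Assumes Connect-MsolService and an
# Exchange Online session are already connected. All names are constructed placeholders.
$upn = 'jdoe@contoso.com'
$password = Read-Host -Prompt 'Initial password' -AsSecureString

# 1. License: turn AccountSkuId (tenant:PARTNUMBER) into a friendly name and check availability
$friendlyNames = @{ ENTERPRISEPACK = 'Office 365 E3'; STANDARDPACK = 'Office 365 E1' }
$skus = Get-MsolAccountSku | ForEach-Object {
    $part = $_.AccountSkuId.Split(':')[1]
    [pscustomobject]@{
        AccountSkuId = $_.AccountSkuId
        Name         = if ($friendlyNames.ContainsKey($part)) { $friendlyNames[$part] } else { $part }
        Free         = $_.ActiveUnits - $_.ConsumedUnits
    }
}
$sku = $skus | Where-Object { $_.Name -eq 'Office 365 E3' } | Select-Object -First 1
if (-not $sku -or $sku.Free -lt 1) { throw 'No free Office 365 E3 license in this tenant' }

# 2. Create the user. UsageLocation (country code) must be set before a license can be assigned.
#    New-MsolUser only accepts a clear-text password, so convert at the call site and discard it.
$plain = (New-Object System.Net.NetworkCredential('', $password)).Password
$user = New-MsolUser -UserPrincipalName $upn -DisplayName 'Jane Q. Doe' -FirstName 'Jane' -LastName 'Doe' `
    -UsageLocation 'US' -LicenseAssignment $sku.AccountSkuId -Password $plain `
    -ForceChangePassword $true -PasswordNeverExpires $false `
    -StreetAddress '1 Example Way' -City 'Chicago' -State 'IL' -PostalCode '60601'
Remove-Variable plain

# 3. MFA: state 'Enabled' means the user is asked to register at first sign-in
$mfa = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$mfa.RelyingParty = '*'
$mfa.State = 'Enabled'
Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @($mfa)

# 4. Security group (MSOnline) and mail groups (Exchange Online)
$secGroup = Get-MsolGroup -SearchString 'SG-Finance-Apps' | Select-Object -First 1
Add-MsolGroupMember -GroupObjectId $secGroup.ObjectId -GroupMemberType User -GroupMemberObjectId $user.ObjectId
Add-DistributionGroupMember -Identity 'all-accounting' -Member $upn              # DL or mail-enabled security group
Add-UnifiedGroupLinks -Identity 'Accounting Team' -LinkType Members -Links $upn  # Office 365 group

# 5. The mailbox is provisioned asynchronously after licensing; wait for it before touching it
$deadline = (Get-Date).AddMinutes(10)
while (-not (Get-Mailbox -Identity $upn -ErrorAction SilentlyContinue)) {
    if ((Get-Date) -gt $deadline) { throw "Mailbox for $upn not provisioned within 10 minutes" }
    Start-Sleep -Seconds 30
}

# 6. Shared mailbox rights: Full Access (with AutoMapping), Send As, Send on Behalf
Add-MailboxPermission   -Identity 'ap@contoso.com' -User $upn -AccessRights FullAccess -AutoMapping $true
Add-RecipientPermission -Identity 'ap@contoso.com' -Trustee $upn -AccessRights SendAs -Confirm:$false
Set-Mailbox -Identity 'ar@contoso.com' -GrantSendOnBehalfTo @{ Add = $upn }

# 7. Alias address and hide from the Global Address List
Set-Mailbox -Identity $upn -EmailAddresses @{ Add = 'smtp:jane.doe@contoso.com' } -HiddenFromAddressListsEnabled $true
```

Step 5 is the part that trips up one-shot scripts: mailbox cmdlets fail with "not found" for a minute or more after licensing, so the wait loop (with a hard deadline) is what lets the shared-mailbox and alias steps run in the same pass as the user creation.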
Features
Full Logging
The console log will display everything it’s working on every step of the way. It will also display the PowerShell cmdlets, warnings and error messages.
Passwords
When creating your new user (AD or O365) you can either generate a random password or enter one manually. PowerShell checks both strings and will not let you create the user if the two passwords do not match. This ensures the password is entered correctly the first time.
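Two things matter in this step: the generated password should come from a cryptographic random source rather than Get-Random, and the confirmation check should compare the two entries case-sensitively before anything is created. The block below is an added example, not code from the post or from the Master User Creator project; the character sets, the 16-character default and the "three of four classes" policy are assumptions chosen for illustration.

```powershell
# Added example (not the tool's own code): random password from the platform CSPRNG,
# a policy check, and a case-sensitive confirmation before the SecureString is used.
function New-RandomPassword {
    param([int]$Length = 16)
    # Ambiguous glyphs (l, 1, I, O, 0) are left out so the value can be read back reliably
    $lower = 'abcdefghijkmnopqrstuvwxyz'; $upper = 'ABCDEFGHJKLMNPQRSTUVWXYZ'
    $digit = '23456789';                  $symbol = '!@#$%^&*-_=+?'
    $all   = $lower + $upper + $digit + $symbol
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] 4
    $rand  = {
        param([int]$n)   # unbiased integer in [0, n) by rejection sampling
        $limit = [uint32]::MaxValue - ([uint32]::MaxValue % $n)
        do { $rng.GetBytes($bytes); $v = [BitConverter]::ToUInt32($bytes, 0) } while ($v -ge $limit)
        [int]($v % $n)
    }
    # One character from each class guarantees the policy below is met; the rest is free
    $chars = @($lower[(& $rand $lower.Length)], $upper[(& $rand $upper.Length)],
               $digit[(& $rand $digit.Length)], $symbol[(& $rand $symbol.Length)])
    while ($chars.Count -lt $Length) { $chars += $all[(& $rand $all.Length)] }
    # Fisher-Yates shuffle so the mandatory classes do not always sit at the front
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = & $rand ($i + 1)
        $chars[$i], $chars[$j] = $chars[$j], $chars[$i]
    }
    $rng.Dispose()
    -join $chars
}

function Test-PasswordPolicy {
    param([string]$Password, [int]$MinLength = 12)
    # Mirrors a typical AD complexity rule: minimum length plus three of four character classes.
    # -cmatch is required; plain -match is case-insensitive and would count [a-z] for capitals.
    $classes = @('[a-z]', '[A-Z]', '[0-9]', '[^a-zA-Z0-9]' | Where-Object { $Password -cmatch $_ })
    ($Password.Length -ge $MinLength) -and ($classes.Count -ge 3)
}

function Test-PasswordMatch {
    param([securestring]$First, [securestring]$Second)
    # Decode only transiently for the comparison; NetworkCredential does the SecureString decode
    $a = (New-Object System.Net.NetworkCredential('', $First)).Password
    $b = (New-Object System.Net.NetworkCredential('', $Second)).Password
    $a -ceq $b   # case-sensitive, unlike the default -eq
}

# Either path ends with a SecureString ready for New-ADUser -AccountPassword
$generated = New-RandomPassword -Length 16
if (-not (Test-PasswordPolicy $generated)) { throw 'Generated password failed policy' }
$accountPassword = ConvertTo-SecureString $generated -AsPlainText -Force

$entered   = Read-Host -Prompt 'Password' -AsSecureString
$confirmed = Read-Host -Prompt 'Confirm password' -AsSecureString
if (-not (Test-PasswordMatch $entered $confirmed)) { throw 'Passwords do not match; user not created' }
```

The rejection-sampling loop in $rand is what keeps the character distribution uniform; a bare `$v % $n` would slightly favour the first few characters of each set whenever 2^32 is not a multiple of the set length.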
Organizational Unit
When you create your Active Directory user you can specify which OU they should reside in using the drop-down. If nothing is selected, they are placed in whichever container your domain uses by default for new user objects.
Active Directory Groups
You can check which groups you want your user to be a member of. This allows you to configure things such as permissions during the new user creation process instead of after.
Office 365 Friendly License Name and Assignment
When creating an Office 365 user you can assign them a license right away. AccountSKUs are converted to friendly names to make picking out a license easier.
Multi-Factor Authentication
If you set Multi-Factor Authentication to True then MFA will be turned on when the user signs in for the first time. They will be prompted to set up MFA (they can enter their cell phone number to receive the MFA token via text) upon their first logon.
Mail Groups
You can add your user to Distribution Groups, Mail-Enabled Security Groups or even Office 365 Groups in the Mail Groups tab.
Security Groups
To add your user to regular Security Groups in Office 365 just check the security group and they will automatically be a member.
Shared Mailboxes
In the Shared Mailboxes tab you can grant your user Full Access, Send-As, or Send on Behalf permissions on shared mailboxes. If you select Full Access you can also configure AutoMapping (whether the mailbox automatically appears in the user's Outlook).
Dynamic Pre-Reqs
Certain fields are required before your user can be created. These fields are marked with an asterisk and shown in red. Once a field contains valid data it turns black and the asterisk is removed. The “Create User” button stays disabled until every prerequisite is met, so the user is created without issues.
ADSync
If you have ADConnect/ADSync configured for your Office 365 tenant you can run it locally or against a remote server. ADSync will disable the manual user creation for Office 365 to allow you to automatically run an ADSync once your Active Directory User has been created.
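What the "run an ADSync" checkbox has to do is trigger a delta sync cycle, either on the local machine or on the Azure AD Connect server. This is an added example, not code from the post or from the Master User Creator project; it assumes the ADSync module is on PSModulePath where Azure AD Connect is installed, that WinRM is enabled on the remote server, and that the signed-in account may run sync cycles there. The server name aadc01 is a constructed placeholder.

```powershell
# Added example (not the tool's own code): run a delta sync locally if the ADSync
# module is present, otherwise on the named Azure AD Connect server over WinRM.
# 'aadc01' is a constructed placeholder.
function Start-DeltaSync {
    param([string]$ComputerName)
    $body = {
        Import-Module ADSync -ErrorAction Stop
        # Starting a cycle while one is already running is simply rejected, so wait first
        $deadline = (Get-Date).AddMinutes(5)
        while ((Get-ADSyncScheduler).SyncCycleInProgress) {
            if ((Get-Date) -gt $deadline) { throw 'A sync cycle is still running after 5 minutes' }
            Start-Sleep -Seconds 10
        }
        Start-ADSyncSyncCycle -PolicyType Delta
    }
    if (-not $ComputerName -and (Get-Module -ListAvailable -Name ADSync)) {
        & $body                                                    # local Azure AD Connect install
    } elseif ($ComputerName) {
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $body   # remote server via WinRM
    } else {
        throw 'ADSync module not found locally and no -ComputerName given'
    }
}

Start-DeltaSync                      # local
Start-DeltaSync -ComputerName 'aadc01'   # remote
```

A delta cycle only exports objects changed since the last run, so it is the right choice immediately after creating one user; a full cycle (-PolicyType Initial) re-reads everything and is much slower on a large directory.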
Copy Attributes
When you go to create an Office 365 user, you have the option of copying the attributes you just entered for your Active Directory user. This is extremely beneficial in environments that do not have ADSync set up. Instead of entering everything twice, you can just click a button and everything will copy over.
Account Lockout
You can specify the exact date and time at which an account should be disabled. The application also does the date math to tell you how long until that account expires.
Prerequisites
- PowerShell v3 or higher with the execution policy set to RemoteSigned or Unrestricted
- MSOnline module (if configuring O365 users)
- Active Directory module (if configuring AD users; it can run on a domain-joined machine with the RSAT tools installed as well as on a domain controller)
Source and Download
The program and script are all open sourced and hosted on GitHub. If you would like to just download the .exe file you can find it here.
https://github.com/bwya77/Master-User-Creator
My name is Bradley Wyatt; I am a 5x Microsoft Most Valuable Professional (MVP) in Microsoft Azure and Microsoft 365. I have given talks at many different conferences, user groups, and companies throughout the United States, ranging from PowerShell to DevOps Security best practices, and I am the 2022 North American Outstanding Contribution to the Microsoft Community winner.
58 thoughts on “[Tool] Create and Configure Active Directory and Office 365 Users at Once.”
I was curious about one of the prerequisites that appears to be missing.
Scenario: Company is using Exchange Online for email and is currently using Azure AD Connect to synchronize their users with Azure Active Directory. I don’t see where you mention the requirement for an on-premises Exchange server(s) in order to be supported in the creation and management of remote mailboxes.
Microsoft is very clear that using the attribute editor (ADSI Edit) tab is not supported for the creation and management of users. https://docs.microsoft.com/en-us/exchange/decommission-on-premises-exchange
I really like the concept of a partially automated option as Microsoft Identity Management is focused on full automation.
The hardest part about creating this tool is the fact that environments can be configured in probably 5-10 different ways which means things need to be done a certain way per setup and getting that all in one simple tool is not an easy task.
MSFT recommends keeping Exchange Management tools or configure the sync via essentials to assist with configuring your AD-Synced objects. If you are AD-Synced the option to manually create an O365 user will be disabled. I went the route of modifying AD Attributes in one area I believe (proxyaddresses) simply because I did not have Exchange cmdlets to work with. You are correct that there are multiple ways to accomplish the same task, luckily everything is open-sourced so admins can configure it to fit their needs.
Brad this is better than the weak POSH script I had written. Thank you for sharing. -Derek
This looks incredible and I will definitely give this a try once I’m back in the office. Thanks a ton for all the work that went into this.
I haven’t had a chance to try it yet but I don’t see it mentioned in the article: is there a way to change a user’s primary group in AD or just add them to groups? That’s something I have to do fairly often with some special class of users and would be something I would kill for. My PoSh attempts at automating those users have failed miserably.
Yes this is possible and a great idea I will add it to the GitHub requests
Edit: I added this
v1.0.4
ADDED:
– Set AD Users Primary Group
– Primary Group combobox items will be Domain Users + selected AD Groups
– Primary Groups by default will be Domain Users
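For readers who want to see what "set AD user's primary group" involves: the primary group is not a normal membership link but the group's RID stored in the user's primaryGroupID attribute, and the directory will only accept a group the user is already a direct member of. The block below is an added example, not code from the post or from the Master User Creator project; 'jdoe' and 'GG-Accounting' are constructed placeholders.

```powershell
# Added example (not the tool's own code): make an existing group a user's primary group.
# 'jdoe' and 'GG-Accounting' are constructed placeholders.
Import-Module ActiveDirectory

function Set-UserPrimaryGroup {
    param([string]$User, [string]$Group)
    $adUser  = Get-ADUser  -Identity $User  -Properties primaryGroupID, memberOf
    # primaryGroupToken is a constructed attribute that holds the group's RID
    $adGroup = Get-ADGroup -Identity $Group -Properties primaryGroupToken

    if ($adUser.memberOf -notcontains $adGroup.DistinguishedName) {
        # AD rejects a primaryGroupID for a group the user is not yet a member of
        Add-ADGroupMember -Identity $adGroup -Members $adUser
    }
    Set-ADUser -Identity $adUser -Replace @{ primaryGroupID = $adGroup.primaryGroupToken }

    # Read back and confirm the RID actually changed
    $after = Get-ADUser -Identity $adUser -Properties primaryGroupID
    if ($after.primaryGroupID -ne $adGroup.primaryGroupToken) { throw 'primaryGroupID was not updated' }
    $after.primaryGroupID
}

Set-UserPrimaryGroup -User 'jdoe' -Group 'GG-Accounting'
```

The default primary group for a new user is Domain Users (RID 513), which matches the changelog entry above; the function returns the new RID so a caller can log or assert on it.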
Weird error. I have the Exchange Online PS Module installed and am trying to create a user with MFA enabled. When I attempt to connect to O365 I get an error stating “Exchange Online MFA Module was not found…”. Upon looking in the logs it appears that it is trying to run the command “Get-ChildItem $Env:LOCALAPPDATA\Apps\2.0\*\CreateExoPSSession.ps1 -Recurse | Select-Object -ExpandProperty Target -First 1” which is producing the following error when I run that command manually:
“Select-Object : Property “Target” cannot be found.”
v1.0.5 should fix this! It’s looking for the module by doing the following:
$((Get-ChildItem -Path $($env:LOCALAPPDATA+"\Apps\2.0\") -Filter Microsoft.Exchange.Management.ExoPowershellModule.dll -Recurse ).FullName|?{$_ -notmatch "_none_"}|select -First 1)
Brad this is awesome, thank you. I haven’t used it yet, but I’ll give it a go for the next onboarding.
Quick suggestion, if at all possible- I have many many groups in my environment. Would it be possible to implement a “Copy User” function for that? (On the AD side).
I have a quick script that I use to do this, without actually making a copy of the AD object.
Get-ADUser -identity $UserWithGroups -Properties memberof | Select-Object -ExpandProperty memberof | Add-ADGroupMember -Members $UserNeedsGroups
Hi, someone requested this feature (create user from template) on GitHub so I am looking to implement it 🙂
I get this WARN error and from the looks of it the account gets created, but the only issue I see is it won’t add the groups and/or the email in the proxyAddresses. Any tips?
I will open a GitHub issue to investigate
Or maybe an option for department with fixed settings, e.g. address, groups etc., saved in an external file.
I am on an AAD joined PC, and I open PowerShell as admin and install-module msonline, then connect-msolservice OK.
How do I then run this tool and import my session? I try and open it and it doesn’t even see my AAD domain. Is there a way to trigger a connection/manually specify FQDN etc.?
“WARN: No Active Directory Forest was found”
You need RSAT tools installed on your PC so it has access to Active Directory
Hi Brad,
Would it be possible to add the extensionAttribute fields to this? We use several of them to generate our o365 email accounts and to control licensing. For our needs it’s 1, 3 and 10
Also, Templates with pre-populated addresses for different office locations would be very helpful.
Thanks!
Chris
I’m a consultant and am constantly working in different environments, doing migrations, etc. It would be nice if this tools supported the following items.
– Ability to connect to a different forest/domain than the one the computer is connected to where the tool is run from.
– Ability to enter a password when creating an account. The randomly generated password is nice however it isn’t long enough for some of the banks I work with.
– Ability to create a “new user” PDF that contains all the user’s information. This should be customizable so client specific information can be added (portal URLs, min/max password requirements, etc.).
– Ability to create multiple accounts by importing a list (CSV?) that contains all the required fields. This should also have a preview section to show what is going to be created based on the imported file.
– In the Settings tab, under the Active Directory and Office 365 sections, it would be nice if there was an option to set and test credentials & connectivity.
It would be nice if there was a “check for updates” option.
Nice stuff, I’m working on the opposite: disabling users in AD and Office 365 when they are set on vacation or fired in the HR app. It works as a scheduled task.
But your code is way more mature 🙂
Hi Brad,
Firstly, awesome work on this! Thanks
We have AD Sync enabled and currently we need to create the user in AD, sync to Azure and then configure in Azure. What I’d like to be able to do is do all the config through the tool. Is that possible?
I’ve tried using your tool to allow me to do this all in one interface but can’t work out how to do it. If I don’t run the sync I end up having to populate the 365 user with the same groups as the AD user, which doesn’t seem correct.
Kind Regards,
Greg
What are you configuring for your users in Azure when the user is synced with on-prem AD?
I believe you can remedy the problem of adding the user to groups by modifying the line from
#Add-ADGroupMember -Identity $Group -Members $User
to
Add-ADGroupMember -Identity (Get-ADGroup -Filter { (Name -eq $Group) } | Select -expandProperty SamAccountName) -Members $User
Hi, I found a bug with the tab “Active Directory User”, “Attributes” option. When I click the “Create User” button, the background PowerShell Set-ADUser command uses the default CN=Users,DC=contoso,DC=dom and not the customized Organizational Unit in the “Account” tab. That generates a PowerShell error and the attribute is not defined. To bypass this problem, I leave the “Organizational Unit” box at the default and manually move the user to the correct OU, but it’s not practical… Thank you.
Thanks I will fix this
This tool is freakin brilliant! Had no issue creating an AD User and running AD Sync on this tool from my workstation.
1 request I’d like to make is the addition of the “targetAddress” attribute. We needed to use this as we began migrating on-prem to O365 since we had on-prem mailbox accounts syncing to O365 with AD Connect.
Thank you Brad for this tool. works really well.
To help my first line guys, did you manage to get the “Copy User” function as suggested by Dom in August? Thanks
No sorry, haven’t had time. Got married! I believe it’s a GitHub request you can follow.
Grats on the marriage! Enjoy 🙂
Hi,
Thanks for sharing such a great tool. There really aren’t many options out there.
I’ve recently used Zhire which has served us well, however they have recently tripled the cost making it unreachable for some.
One of the features, however, that makes Zhire so good is the ability to save templates. We use templates as we have many regions across the world, making the user creation process very quick, only having to enter dynamic information such as username, job title etc. Was wondering if you’re working on that type of system?
Thanks again.
Yes, I plan on making that once I get some free time. Won’t be too hard, it will be a flag set and then ask for the template file. Can also store in reg.
Please add an option to clone users.
already working on it
Sorry but do you know when you would be releasing that feature?
hopefully in the next week or so. Here is what I have so far as well
ADDED:
– Copy attributes from a current Active Directory user
– If trying to copy AD attributes from a current AD User and AD module is not found it will error and close that form
– Friendly warning if no AD Users were returned
– Configurable Title Case for Active Directory attributes
– Configurable Title Case for Office 365 attributes
– Added Options menu to configure application specific options
– Registry string shown to users where options are stored
– Added dictionary based passwords
– Password options for pronounceable password or random character password
– Added option to reset form after user creation
– Reset form changed to PS Function
– Ability to live filter and unfilter AD groups!
– Ability to live filter and unfilter O365 Mail groups!
– Ability to live filter and unfilter O365 Security groups!
– Added employeeType attribute for new AD Users
CHANGED:
– If trying to create an Active Directory user and ActiveDirectory module is not present it will stop and error as well as uncheck create an AD user checkbox
– Changed how it will try and find ADSync module, improving performance
– Moved load events to show events to improve application performance
– Changelog textbox is read only
Awesome. I might not have been clear earlier. Could you please add the ability to clone Office 365-only users? Copy licenses, AD groups, address info, title of a current user and just enter the name, with the ability to edit everything else.
You can follow the progress of your request here: https://github.com/bwya77/Master-User-Creator/issues/23
Thank You Brad!
hi Brad,
Really looking forward to version 2.0
Copy current AD member is the biggest thing that is missing now. When will you release it?
thanks for your great work regardless!
BatInDaCave
This week, hopefully tomorrow
Hi Brad,
I believe you made it from PowerShell Studio, I was wondering if there is any chance you can share your original code in .psf format? I checked but none of the code files on Github is the actual code. (or am I missing something)
I would like to start to make a similar tool for my own environment, but I am only at the entry level of Powershell as well as Powershell Studio. After days of playing around with the software, there are still many areas I cannot figure it out.
Thanks in advance!
It’s a PowerShell Studio project (multi form) so it’s a psproj file.
Just stumbled across your post/github while looking for powershell scripts to modify/ways to make my life easier, and this looks like awesome project!
Thanks for sharing it out and being so responsive! I look forward to trying it out!
Hi Brad,
Do you have a new date as to when you would be releasing 2.0? Really looking forward to it.
Hi Navin, tomorrow morning, I am in central time
Hi Brad,
This is an awesome tool, really looking forward to version 2.0.
Any hints on a timeline for release?
I’d like to not pay for another year on the product I currently use, they keep putting their prices up and it’s getting a bit ridiculous.
Thanks for investing your time into this so we can all save some of ours.
Hi Tom, I will be publishing it tomorrow morning (central)
Hi Brad,
Congrats on getting married last year and amazing work on this tool.
I am hitting a problem though – when I hit Connect To Office 365 I am able to authenticate successfully (either with or without MFA) but then I get an error;
[11:57:11] – LOG: Checking MFA Status
[11:57:11] – LOG: Gathering credentials to connect to Office 365
[11:57:11] – CMD: Get-Credential -Message “Please enter your Office 365 credentials to connect to Exchange Online and MSOnline”
[11:57:27] – LOG: Done
[11:57:27] – LOG: Connecting to Office 365
[11:57:27] – CMD: Connect-MsolService -Credential $credential
[11:57:31] – LOG: Done
[11:57:31] – LOG: Connecting to Exchange Online
[11:57:31] – CMD: Import-PSSession $exchangeSession -AllowClobber
[11:57:43] – LOG: Done
[11:57:43] – LOG: Checking to see if we are connected to Office 365
[11:57:43] – CMD: (Get-MsolDomain -ErrorAction SilentlyContinue) -ne $null
[11:57:44] – WARN: Not connected to Office 365!
Any ideas?
I’m checking for connection by doing a domain lookup. Do you have a verified domain in your tenant? Also make sure you have the MSOnline PSModule.
Hi Brad,
Just found your tool last night and I’m playing around with it today. One thing I didn’t see in the comments or if I did, my apologies for the duplicate request/question.
When creating a new user and then syncing them to 365, I would still need to enable the remote mailbox so my hybrid will be able to manage that user.
Do you see any updates where you can add that command to the tool?
Enable remote mailbox
Enable-RemoteMailbox -Identity [email protected] -RemoteRoutingAddress [email protected]
Thank you sir!
JJ
Someone on Reddit has as similar set and request. I made a GitHub feature request and will be implementing it
I figured I wasn’t the only one. 🙂
Thank you sir!
Wow, I sure hope this progresses to become a solid competitor to Z-Hire and Z-Term. We’ve been using those Zohno products for many years, but their cost suddenly more than tripled and the product stops working each year when the license expires. So they have their customers over a barrel, like a drug dealer– they know you need it. Worse for us, when they tripled the price, they also eliminated all discounts for 501(c)(3) non-profits, which is a double-whammy. I’m desperately looking for a replacement that won’t bleed our humble budget dry. Being able to create users according to departmental templates (group memberships, OU, etc.) would be huge, and so would a termination utility that strips away group memberships, disables the account, hides from Exchange address book, and moves their network profile folder to another location for archiving.
Looking forward to watching this utility grow.
Master User Creation Tool 2.0.1
Hey Bradley, thought I’d let you know the troubles I am having with your tool, some of them are:
Shared Mailboxes are not showing and I’m not sure if this is something to do with my 2FA setup on my account?
Manager Field is not present, didn’t someone request this as a feature?
How do I connect to the domain if I’m running your tool locally?
Thanks
If shared mailboxes are not showing you may not be connected to O365; make sure you press the “Connect to O365” button. I will work on managers. By connect to the domain do you mean pull AD info from a DC? I will have to add an option to specify a DC to run this against.
I connected successfully to O365 it was just that the shared mailboxes didn’t appear, not sure if it’s something to do with my 2FA?
Adding an option to specify which DC to run against will be sick!
Thanks
Forgot to add
Display Name has a two space character instead of one?
Can you change the e-mail format or have a button to change the e-mail format to [email protected]
Add the managers field to AD 😉
Brad, Wow! This is just awesome. I see there’s Master User Creator.exe . I am looking for underlying the source code and can’t seem to find it. Is it not available or am I looking in the wrong place?
It’s all in my GitHub, but since it was made with PowerShell Studio you won’t be able to modify the form without it.