[Tool] Create and Configure Active Directory and Office 365 Users at Once.

One of the first things IT administrators look to automate is the new user creation process. I was recently going through the process of creating a new hire’s Active Directory login, Office 365 mailbox, and Office 365 user account, and I wondered how I could make the process easier and quicker.

My focus was geared towards Managed Service Providers (MSPs), Human Resources (HR) departments and general Help Desk technicians. For MSPs, I wanted to create a tool they could easily use across all of their clients. They may not spend the time to automate new user creation because they have hundreds, if not thousands, of clients to tend to, and each client is unique, so you can’t just copy the same automation script from one client to another. The tool would also be a huge asset for Help Desk technicians, because they are more often than not the ones creating new users; it would speed up the entire process of making a new hire’s AD login as well as their Office 365 account. Lastly, I wanted to make a tool so easy to use that it can be given to an HR department, so they can create new users and Office 365 mailboxes without ever having to contact the IT department.

I also wanted to be able to have the option of creating just an Active Directory user, just an Office 365 user, or both.

When making a new user in Active Directory Users and Computers you can enter the following information:

  • First name
  • Initials
  • Last name
  • Full name
  • User logon name
Active Directory Users and Computers new User wizard

If you want to enter items like e-mail, password, group memberships, login scripts, home drive, etc., you have to complete the new user wizard, find your user in Active Directory, and then edit it to fill in the necessary information. But what if we could enter all that information during the user creation process? We could add the user to groups, give them profile information, address, company info, enable multi-factor authentication and more, all without having to leave the new user wizard.

 


User Interface

New Active Directory User


In the picture you can see the new Active Directory user creation wizard which lets you configure the following:

  • First Name
  • Initials
  • Last Name
  • Display Name
  • Description
  • Office
  • Password (confirm your password and even generate a random password)
  • Telephone Number
  • E-Mail
  • Web Page
  • UserPrincipalName
  • Specify an OU to place the new user in
  • Password settings (change password, disabled, never expires, etc)
  • Address (street, PO box, city, state, zip)
  • Add your user to certain security groups
  • Job Title
  • Department
  • Company
  • Profile Path
  • Logon Script
  • Home Folder (drive letter and location)
  • ProxyAddresses

Right off the bat, you can configure many more options for your new users than if you created them in Active Directory Users and Computers.

New Office 365 User


Pictured is the new Office 365 user creation wizard, which is one tab over from the Active Directory User wizard. One of the features included is copying the attributes you entered for your Active Directory user to the Office 365 User wizard. This is beneficial if you don’t have ADSync set up and you create users manually. If ADSync is set up and found locally on the system, the manual user creation portion will be disabled and the checkbox to run a DirSync upon user creation will be enabled, which will run a DirSync right after the Active Directory user gets created.

The Office 365 new user wizard will let you configure the following:

  • First Name
  • Last Name
  • Display Name
  • License
  • Password (confirm your password and even generate a random password)
  • UserPrincipalName
  • Country Code
  • Multi-Factor Authentication
  • E-Mail
  • Alias E-Mail Addresses
  • Password Settings (change password at next logon, never expires, disabled)
  • Address (street, city, state, zip code)
  • Mail Groups (add your user to distribution groups, office 365 groups and mail-enabled security groups)
  • Security Groups (add your user to security groups)
  • Shared Mailboxes (grant your user Full Access, Send-As or Send on Behalf permissions on Shared Mailboxes, configure AutoMapping)
  • Hide from Global Address List

Features

 

Full Logging

The console log will display everything it’s working on every step of the way. It will also display the PowerShell cmdlets, warnings and error messages.

Passwords

When creating your new user (AD or O365) you can either generate a random password or enter one manually. PowerShell checks both strings and will not let you create your user if the two passwords do not match. This ensures that it is entered correctly the first time.
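
The generate-and-confirm behaviour described above can be sketched as follows. This is an added example, not the tool's own code: `New-RandomPassword` and `Test-PasswordMatch` are hypothetical names, and the character set and default length are assumptions.

```powershell
# Added example, not the tool's code. Function names, character set and
# default length are assumptions chosen for illustration.
function New-RandomPassword {
    param([ValidateRange(12, 128)][int]$Length = 20)

    # One string per character class; look-alikes (O/0, I/l/1) are left out.
    $classes = @(
        'ABCDEFGHJKLMNPQRSTUVWXYZ',
        'abcdefghijkmnpqrstuvwxyz',
        '23456789',
        '!#$%&*+-=?@_'
    )
    $all = -join $classes
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        # Uniform index in [0, $Max) by rejection sampling, so no modulo bias.
        $pick = {
            param([int]$Max)
            $limit = 256 - (256 % $Max)
            $b = New-Object byte[] 1
            do { $rng.GetBytes($b) } while ($b[0] -ge $limit)
            return $b[0] % $Max
        }
        # First four positions guarantee one character from each class.
        $chars = New-Object char[] $Length
        for ($i = 0; $i -lt $Length; $i++) {
            $set = if ($i -lt $classes.Count) { $classes[$i] } else { $all }
            $chars[$i] = $set[(& $pick $set.Length)]
        }
        # Fisher-Yates shuffle so the guaranteed characters are not always first.
        for ($i = $Length - 1; $i -gt 0; $i--) {
            $j = & $pick ($i + 1)
            $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
        }
        return -join $chars
    }
    finally { $rng.Dispose() }
}

function Test-PasswordMatch {
    param([string]$Password, [string]$Confirm)
    # -ceq is case-sensitive; -eq would treat 'Summer2024!' and 'summer2024!' as equal.
    return (-not [string]::IsNullOrEmpty($Password)) -and ($Password -ceq $Confirm)
}

$plain = New-RandomPassword -Length 24
if (Test-PasswordMatch -Password $plain -Confirm $plain) {
    # New-ADUser -AccountPassword takes a SecureString, not plain text.
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
}
```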

Organizational Unit

When you create your Active Directory User you can specify which OU you want them to reside in by using the drop-down. If nothing is selected it will place them in whichever OU you configured new User objects to be placed in.

Active Directory Groups

You can check which groups you want your user to be a member of. This allows you to configure things such as permissions during the new user creation process instead of after.

Office 365 Friendly License Name and Assignment

When creating an Office 365 user you can assign them a license right away. AccountSKUs are converted to friendly names to make picking out a license easier.

Multi-Factor Authentication

If you set Multi-Factor Authentication to True then MFA will be turned on when the user signs in for the first time. They will be prompted to set up MFA (they can enter their cell phone number to receive the MFA token via text) upon their first logon.

Mail Groups

You can add your user to Distribution Groups, Mail-Enabled Security Groups or even Office 365 Groups in the Mail Groups tab.

Security Groups

To add your user to regular Security Groups in Office 365 just check the security group and they will automatically be a member.

Shared Mailboxes

In the Shared Mailboxes tab, you can grant your user Full Access, Send-As, or Send on Behalf of permissions on Shared Mailboxes. If you select Full Access you can also configure AutoMapping (whether the mailbox will automatically appear in the user’s Outlook).

Dynamic Pre-Reqs

Certain fields are required prior to creating your user. These fields will have an asterisk and be in red. Once they have enough valid data the field will change to black and the asterisk will be removed. The “Create User” button will remain disabled until you have met all the pre-reqs to ensure your user is created without issues.

ADSync

If you have ADConnect/ADSync configured for your Office 365 tenant you can run it locally or against a remote server. ADSync will disable the manual user creation for Office 365 to allow you to automatically run an ADSync once your Active Directory User has been created.

Copy Attributes

When you go to create an Office 365 user, you have the option of copying the attributes you just entered for your Active Directory user. This is extremely beneficial in environments that do not have ADSync set up. Instead of entering everything twice, you can just click a button and everything will copy over.

Account Lockout

You can specify the exact time and date you want an account to be disabled. The application will also do DateMath to let you know how long until that account expires.


Prerequisites

  1. PowerShell v3 or higher with the execution policy set to RemoteSigned or Unrestricted
  2. MSOnline module (if configuring O365 users)
  3. Active Directory module (if configuring AD users; it can run on a domain-joined machine with RSAT tools installed as well as on domain controllers)

Source and Download

The program and script are all open sourced and hosted on GitHub. If you would like to just download the .exe file you can find it here.

 

My name is Bradley Wyatt; I am currently a Technology Specialist at Porcaro Stolarek Mete Partners which is headquartered in Chicago, Illinois. At PSM we provide solutions which are custom designed around the specific needs of each client.

26 thoughts on “[Tool] Create and Configure Active Directory and Office 365 Users at Once.”

  1. I was curious about one of the prerequisites that appears to be missing.

    Scenario: Company is using Exchange Online for email and is currently using Azure AD Connect to synchronize their users with Azure Active Directory. I don’t see where you mention the requirement for an on-premises Exchange server(s) in order to be supported in the creation and management of remote mailboxes.

    Microsoft is very clear that using the attribute editor (ADSI Edit) tab is not supported for the creation and management of users. https://docs.microsoft.com/en-us/exchange/decommission-on-premises-exchange

    I really like the concept of a partially automated option as Microsoft Identity Management is focused on full automation.

    The hardest part about creating this tool is the fact that environments can be configured in probably 5-10 different ways which means things need to be done a certain way per setup and getting that all in one simple tool is not an easy task.

    1. MSFT recommends keeping Exchange Management tools or configure the sync via essentials to assist with configuring your AD-Synced objects. If you are AD-Synced the option to manually create an O365 user will be disabled. I went the route of modifying AD Attributes in one area I believe (proxyaddresses) simply because I did not have Exchange cmdlets to work with. You are correct that there are multiple ways to accomplish the same task, luckily everything is open-sourced so admins can configure it to fit their needs.

  2. This looks incredible and I will definitely give this a try once I’m back in the office. Thanks a ton for all the work that went into this.

    I haven’t had a chance to try it yet but I don’t see it mentioned in the article: is there a way to change a user’s primary group in AD or just add them to groups? That’s something I have to do fairly often with some special class of users and would be something I would kill for. My PoSh attempts at automating those users have failed miserably.

    1. Yes, this is possible and a great idea. I will add it to the GitHub requests.

      Edit: I added this

      v1.0.4
      ADDED:
      – Set AD Users Primary Group
      – Primary Group combobox items will be Domain Users + selected AD Groups
      – Primary Groups by default will be Domain Users

  3. Weird error. I have the Exchange Online PS Module installed and am trying to create a user with MFA enabled. When I attempt to connect to O365 I get an error stating “Exchange Online MFA Module was not found…”. Upon looking in the logs it appears that it is trying to run the command “Get-ChildItem $Env:LOCALAPPDATA\Apps\2.0\*\CreateExoPSSession.ps1 -Recurse | Select-Object -ExpandProperty Target -First 1” which is producing the following error when I run that command manually:

    “Select-Object : Property “Target” cannot be found.”

    1. v1.0.5 should fix this! It’s looking for the module by doing the following:

      $((Get-ChildItem -Path $($env:LOCALAPPDATA+"\Apps\2.0\") -Filter Microsoft.Exchange.Management.ExoPowershellModule.dll -Recurse ).FullName|?{$_ -notmatch "_none_"}|select -First 1)

  4. Brad this is awesome, thank you. I haven’t used it yet, but I’ll give it a go for the next onboarding.

    Quick suggestion, if at all possible: I have many, many groups in my environment. Would it be possible to implement a “Copy User” function for that? (On the AD side.)

    I have a quick script that I use to do this, without actually making a copy of the AD object.
    Get-ADUser -identity $UserWithGroups -Properties memberof | Select-Object -ExpandProperty memberof | Add-ADGroupMember -Members $UserNeedsGroups

    1. Hi, someone requested this feature (create user from template) on GitHub so I am looking to implement it 🙂

  5. I get this WARN error, and from the looks of it the account gets created, but the only issue I see is it won’t add the groups and/or the email in the proxyaddress. Any tips?

  6. I am on an AAD joined PC, and I open PowerShell as admin and install-module msonline, then connect-msolservice OK.
    How do I then run this tool and import my session? I try to open it and it doesn’t even see my AAD domain. Is there a way to trigger a connection/manually specify FQDN etc.?
    “WARN: No Active Directory Forest was found”

  7. Hi Brad,

    Would it be possible to add the extensionAttribute fields to this? We use several of them to generate our o365 email accounts and to control licensing. For our needs it’s 1, 3 and 10

    Also, Templates with pre-populated addresses for different office locations would be very helpful.

    Thanks!
    Chris

  8. I’m a consultant and am constantly working in different environments, doing migrations, etc. It would be nice if this tool supported the following items.

    – Ability to connect to a different forest/domain than the one the computer is connected to where the tool is run from.

    – Ability to enter a password when creating an account. The randomly generated password is nice however it isn’t long enough for some of the banks I work with.

    – Ability to create a “new user” PDF that contains all the user’s information. This should be customizable so client specific information can be added (portal URLs, min/max password requirements, etc.).

    – Ability to create multiple accounts by importing a list (CSV?) that contains all the required fields. This should also have a preview section to show what is going to be created based on the imported file.

    – In the Settings tab, under the Active Directory and Office 365 sections, it would be nice if there was an option to set and test credentials & connectivity.

  9. Nice stuff, I’m working on the opposite: disabling users in AD and Office 365 when they are set on vacation or fired in the HR app. It works as a scheduled task.

    But your code is way more mature 🙂

  10. Hi Brad,

    Firstly, awesome work on this! Thanks

    We have AD Sync enabled and currently we need to create the user in AD, sync to Azure and then configure in Azure. What I’d like to be able to do is do all the config through the tool. Is that possible?

    I’ve tried using your tool to allow me to do this all in one interface but can’t work out how to do it. If I don’t run the sync I end up having to populate the 365 user with the same groups as the AD user, which doesn’t seem correct.

    Kind Regards,
    Greg

  11. I believe you can remedy the problem of adding the user to groups by modifying the line from

    #Add-ADGroupMember -Identity $Group -Members $User

    to
    Add-ADGroupMember -Identity (Get-ADGroup -Filter { (Name -eq $Group) } | Select -expandProperty SamAccountName) -Members $User

  12. Hi, I found a bug with the “Active Directory User” tab, “Attributes” option. When I click the “Create User” button, the background PowerShell Set-ADUser command uses the default CN=Users,DC=contoso,DC=dom and not the customized Organizational Unit in the “Account” tab. That generates a PowerShell error and the attribute is not defined. To bypass this problem, I leave the “Organizational Unit” box at its default and manually move the user to the correct OU, but it’s not practical… Thank you.

  13. This tool is freakin brilliant! Had no issue creating an AD User and running AD Sync on this tool from my workstation.

    1 request I’d like to make is the addition of the “targetAddress” attribute. We needed to use this as we began migrating on-prem to O365 since we had on-prem mailbox accounts syncing to O365 with AD Connect.

  14. Thank you Brad for this tool. works really well.
    To help my first line guys, did you manage to get the “Copy User” function as suggested by Dom in August? Thanks
