Did you ever want to know what’s behind the properties which are displayed for a user account in the Azure AD admin portal? Here we go: This blog post describes how to get or set this information by PowerShell scripting. It is the first part of a series of blog posts about how to script all the things that you see in the Azure AD Portal – this time we concentrate on user profile elements.
Let’s just start with a view of a normal example user account – you see this if you go to the user list in the Azure AD admin portal as an Azure AD user administrator and open one of the users there in the list. If you want to know more about a specific property, just click on it:
AccountEnabled
This is a boolean property that indicates whether an account has been blocked administratively. The usual term for this in the different admin portals is “Block sign-in”. If you set this property to FALSE, the user cannot log on to any Azure AD / O365 application, service, or portal, nor to any application which is SSO federated to the Azure AD account (like Salesforce, ServiceNow, SuccessFactors, etc.). If you sync your account from a local Active Directory with AADC, then the account disabled/enabled status from the classic AD (in the userAccountControl attribute) will be synced to the AccountEnabled property.
This is how you check if an Azure AD user is enabled, or disable/enable a user account by a script. We use here the example user account of the initial screenshot:
Get-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004 | Select AccountEnabled
(Get-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004).AccountEnabled
Set-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004 -AccountEnabled $false
By the way, if you have a security incident emergency situation and you want to immediately block the activities of a certain account, it is not enough to block the account sign-ins! In this case, you also want to invalidate the current sessions, and for that you need Revoke-AzureADUserAllRefreshToken:
Revoke-AzureADUserAllRefreshToken -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004
Important Note: In case you use the MSOnline (MSOL) API, there is no ‘AccountEnabled’ property, you have to use ‘BlockCredential’ instead. Obviously, this property has the opposite behavior: AccountEnabled=$false means BlockCredential=$true.
Get-MSOLUser -UserPrincipalName "aa@up-in-the.cloud" | Select BlockCredential
(Get-MSOLUser -UserPrincipalName "aa@up-in-the.cloud").BlockCredential
Set-MSOLUser -UserPrincipalName "aa@up-in-the.cloud" -BlockCredential $true
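The two steps of the incident case above (block sign-in, then revoke refresh tokens) combined into one function that also reads the account back to confirm the result. This is an added example, not code from the original post; it assumes an existing Connect-AzureAD session and uses the post's example UPN.

```powershell
# Added example: block a user's sign-in and invalidate existing sessions in one step,
# then verify the result. Assumes Connect-AzureAD has already been run.
function Block-AzureADUserAndRevokeSessions {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName
    )

    # Escape single quotes so the OData filter cannot be broken by an odd UPN.
    $upn  = $UserPrincipalName -replace "'", "''"
    $user = Get-AzureADUser -Filter "UserPrincipalName eq '$upn'"
    if (-not $user) {
        throw "No Azure AD user found for '$UserPrincipalName'."
    }

    # Step 1: block interactive sign-in (same as 'Block sign-in' in the portal).
    Set-AzureADUser -ObjectId $user.ObjectId -AccountEnabled $false

    # Step 2: invalidate all refresh tokens so existing sessions cannot silently renew.
    Revoke-AzureADUserAllRefreshToken -ObjectId $user.ObjectId

    # Step 3: read back and report. RefreshTokensValidFromDateTime is moved to 'now'
    # by the revocation; tokens issued before that timestamp are no longer accepted.
    $after = Get-AzureADUser -ObjectId $user.ObjectId
    [pscustomobject]@{
        UserPrincipalName              = $after.UserPrincipalName
        ObjectId                       = $after.ObjectId
        AccountEnabled                 = $after.AccountEnabled
        RefreshTokensValidFromDateTime = $after.RefreshTokensValidFromDateTime
        Blocked                        = (-not $after.AccountEnabled)
    }
}

Block-AzureADUserAndRevokeSessions -UserPrincipalName "aa@up-in-the.cloud"
```

Access tokens that were already issued stay valid until they expire, so the returned RefreshTokensValidFromDateTime tells you from when on no new tokens can be obtained.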
AgeGroup
The AgeGroup property is an optional property. Basically, AgeGroup specifies whether the user is an adult or a minor. You only need it in situations where you use age gating – that means Azure AD administrators want to ensure that account use is properly handled based on the age-related regulations for the user’s country or region. Often this is the case when you develop your own applications and want to use the Azure B2C framework. Together with the property ConsentProvidedForMinor, the system calculates automatically the value of LegalAgeGroupClassification, which you can use in age gating decisions.
The default setting for the AgeGroup property is to be empty. If it’s not empty, only following values are allowed:
Minor | The user is considered to be a minor. |
Adult | The user should be treated as an adult. |
NotAdult | The user is from a country that has statutory regulations (United States, United Kingdom, European Union, or South Korea) and the user’s age is more than the upper limit of the kid age (as per country) and less than the lower limit of the adult age (as stipulated based on country or region). So basically, teenagers are considered as NotAdult in regulated countries. |
Undefined | No AgeGroup is specified. Basically the same as an empty value. |
This is how you can get and set the AgeGroup property by a script. We use here the example user account of the initial screenshot:
Get-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004 | Select AgeGroup
(Get-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004).AgeGroup
Set-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004 -AgeGroup "Adult"
If you want to remove the AgeGroup property or set its value to ’empty’, you have to do this:
Set-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004 -AgeGroup $null
Important Note: In case you use the MSOnline (MSOL) API, there is no property related to age gating available. So if you want to use AgeGroup, ConsentProvidedForMinor, and LegalAgeGroupClassification, then you have to stay with the AzureAD API!
City
This is an optional property for address information. Azure AD allows a maximum length of 128 characters here.
This is how you can get and set the City property by a script. We use here the example user account of the initial screenshot:
Get-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004 | Select City
(Get-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004).City
Set-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004 -City "Auckland"
In case you use the MSOnline (MSOL) API, you can also access the City property:
Get-MSOLUser -UserPrincipalName "aa@up-in-the.cloud" | Select City
(Get-MSOLUser -UserPrincipalName "aa@up-in-the.cloud").City
Set-MSOLUser -UserPrincipalName "aa@up-in-the.cloud" -City "Auckland"
CompanyName
This is an optional property for organizational information. Azure AD allows a maximum length of 64 characters here.
This is how you can get and set the CompanyName property by a script. We use here the example user account of the initial screenshot:
Get-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004 | Select CompanyName
(Get-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004).CompanyName
Set-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004 -CompanyName "CerroTorre Software"
Important Note: In case you use the MSOnline (MSOL) API, there is no CompanyName property available. So if you want to use CompanyName, then you have to stay with the AzureAD API!
ConsentProvidedForMinor
The ConsentProvidedForMinor property is an optional property. When the user is a minor and requires parental consent to use an AzureAD account, the ConsentProvidedForMinor property can indicate whether this consent has been obtained or not. You only need it in situations where you use age gating – that means Azure AD administrators want to ensure that account use is properly handled based on the age-related regulations for the user’s country or region. Often this is the case when you develop your own applications and want to use the Azure B2C framework. Together with the property AgeGroup, the system calculates automatically the value of LegalAgeGroupClassification, which can be used in age gating decisions.
The default setting for the ConsentProvidedForMinor property is to be empty. If it’s not empty, only following values are allowed:
Granted | Consent has been obtained for the user to have an account. |
Denied | Consent has not been obtained for the user to have an account. |
NotRequired | The user is from a location that does not require consent. |
This is how you can get and set the ConsentProvidedForMinor property by a script. We use here the example user account of the initial screenshot:
Get-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004 | Select ConsentProvidedForMinor
(Get-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004).ConsentProvidedForMinor
Set-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004 -ConsentProvidedForMinor "Granted"
If you want to remove the ConsentProvidedForMinor property or set its value to ’empty’, you have to do this:
Set-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004 -ConsentProvidedForMinor $null
Important Note: In case you use the MSOnline (MSOL) API, there is no property related to age gating available. So if you want to use AgeGroup, ConsentProvidedForMinor, and LegalAgeGroupClassification, then you have to stay with the AzureAD API!
Country
This is an optional property for setting the country or region of an account. Azure AD allows a maximum length of 64 characters here. You are not bound to any fixed conventions, you could set this for example to “Germany” as well as “DE” or “EMEA”.
This is how you can get and set the Country property by a script. We use here the example user account of the initial screenshot:
Get-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004 | Select Country
(Get-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004).Country
Set-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004 -Country "New Zealand"
In case you use the MSOnline (MSOL) API, you can also access the Country property:
Get-MSOLUser -UserPrincipalName "aa@up-in-the.cloud" | Select Country
(Get-MSOLUser -UserPrincipalName "aa@up-in-the.cloud").Country
Set-MSOLUser -UserPrincipalName "aa@up-in-the.cloud" -Country "New Zealand"
Department
This is an optional property for organizational information. Azure AD allows a maximum length of 64 characters here.
This is how you can get and set the Department property by a script. We use here the example user account of the initial screenshot:
Get-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004 | Select Department
(Get-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004).Department
Set-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004 -Department "CR/IR"
In case you use the MSOnline (MSOL) API, you can also access the Department property:
Get-MSOLUser -UserPrincipalName "aa@up-in-the.cloud" | Select Department
(Get-MSOLUser -UserPrincipalName "aa@up-in-the.cloud").Department
Set-MSOLUser -UserPrincipalName "aa@up-in-the.cloud" -Department "CR/IR"
DisplayName
The DisplayName property is not just used in the global address list in Exchange Online mail clients. Actually, the DisplayName is the name that is used to identify the user account in any portal, report, list, or other Azure AD and O365 outputs. But because it is allowed to assign two identical DisplayNames in a tenant, we have to fall back on other properties if we want to uniquely identify a user account (ObjectID or UserPrincipalName).
This is how you can get and set the DisplayName property by a script. We use here the example user account of the initial screenshot:
Get-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004 | Select DisplayName
(Get-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004).DisplayName
Set-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004 -DisplayName "Alice Allison"
In case you use the MSOnline (MSOL) API, you can also access the DisplayName property:
Get-MSOLUser -UserPrincipalName "aa@up-in-the.cloud" | Select DisplayName
(Get-MSOLUser -UserPrincipalName "aa@up-in-the.cloud").DisplayName
Set-MSOLUser -UserPrincipalName "aa@up-in-the.cloud" -DisplayName "Alice Allison"
EmployeeID
You can use the employeeId property to store an employee ID or other kind of organizational information about an account. Please note that it is intentional that the property name ’employeeId’ starts with a lower-case letter here and has a capital letter in the middle of the name (so-called ‘camel case’).
The reason: The employeeId is an extension attribute – it was not part of the initial default property set and was added later to the extension property set of Azure AD user accounts. So it must be treated a bit differently than a ‘normal’ property – above all you have to remember that the names of these extension properties are case sensitive in the PowerShell cmdlets.
This is how you can get and set the employeeId property by a script. We use here the example user account of the initial screenshot:
Get-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004 | Select -ExpandProperty ExtensionProperty
(Get-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004).ExtensionProperty.employeeId
Set-AzureADUserExtension -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004 -ExtensionName "employeeId" -ExtensionValue "505140"
Important Note: In case you use the MSOnline (MSOL) API, there is no employeeId property available. So if you want to use employeeId, then you have to stay with the AzureAD API!
GivenName
The GivenName property can be filled by a string with a maximum length of 64 characters. In the Azure AD admin portal (and in the older MSOL API), the property is referred to as ‘First Name’.
This is how you can get and set the GivenName property by a script. We use here the example user account of the initial screenshot:
Get-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004 | Select GivenName
(Get-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004).GivenName
Set-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004 -GivenName "Alice"
Important Note: In case you use the MSOnline (MSOL) API, you can also access this property, but it is called ‘FirstName‘ instead of ‘GivenName‘:
Get-MSOLUser -UserPrincipalName "aa@up-in-the.cloud" | Select FirstName
(Get-MSOLUser -UserPrincipalName "aa@up-in-the.cloud").FirstName
Set-MSOLUser -UserPrincipalName "aa@up-in-the.cloud" -FirstName "Alice"
JobTitle
This property can be a string with a maximum length of 128 characters.
This is how you can get and set the JobTitle property by a script. We use here the example user account of the initial screenshot:
Get-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004 | Select JobTitle
(Get-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004).JobTitle
Set-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004 -JobTitle "Senior Manager SecOps"
Important Note: In case you use the MSOnline (MSOL) API, you can also access this property, but it is called ‘Title‘ instead of ‘JobTitle‘:
Get-MSOLUser -UserPrincipalName "aa@up-in-the.cloud" | Select Title
(Get-MSOLUser -UserPrincipalName "aa@up-in-the.cloud").Title
Set-MSOLUser -UserPrincipalName "aa@up-in-the.cloud" -Title "Senior Manager SecOps"
LegalAgeGroupClassification
The LegalAgeGroupClassification property is a read-only property. It is automatically calculated based on the two optional properties AgeGroup and ConsentProvidedForMinor. You only need it in situations where you use age gating – that means Azure AD administrators want to ensure that account use is properly handled based on the age-related regulations for the user’s country or region. Often this is the case when you develop your own applications and want to use the Azure B2C framework. So if the ‘AgeGroup’ is set and ‘ConsentProvidedForMinor’ indicates whether the parental consent has been obtained, then you can use the LegalAgeGroupClassification to block invalid minor access to the system.
If AgeGroup or ConsentProvidedForMinor is empty, the value of LegalAgeGroupClassification is empty ($null) or ‘Undefined’. The other possible values:
Adult | The user considered an adult based on the age-related regulations of their country or region. |
MinorNoParentalConsentRequired | The user is a minor but is from a country or region that has no age-related regulations. |
MinorWithoutParentalConsent | The user is considered to be a minor which is to be blocked by age gating. |
MinorWithParentalConsent | The user is considered a minor based on the age-related regulations of their country or region and the administrator of the account has obtained appropriate consent from a parent or guardian. |
NotAdult | The user is from a country or region that has additional age-related regulations (such as the United States, United Kingdom, European Union or South Korea), and the user’s age is between a minor and an adult age (as stipulated based on country or region). Generally, this means that teenagers are considered as ‘NotAdult’ in regulated countries. |
Undefined | One of the basic values is set (‘AgeGroup’) and the other (‘ConsentProvidedForMinor’) is empty. The fact that the value is not empty indicates that both basic values were set before, but one or both of them have since been removed again. |
This is how you can get the read-only LegalAgeGroupClassification property by a script. We use here the example user account of the initial screenshot:
Get-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004 | Select LegalAgeGroupClassification
(Get-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004).LegalAgeGroupClassification
Important Note: In case you use the MSOnline (MSOL) API, there is no property related to age gating available. So if you want to use AgeGroup, ConsentProvidedForMinor, and LegalAgeGroupClassification, then you have to stay with the AzureAD API!
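A tenant-wide audit of the three age-gating properties described in the AgeGroup, ConsentProvidedForMinor and LegalAgeGroupClassification sections, mapping each calculated classification to the action an administrator would take. This is an added example, not code from the original post; it assumes an existing Connect-AzureAD session with permission to read all users.

```powershell
# Added example: report every user with age-gating data and flag the stale
# 'Undefined' classification that results when AgeGroup or consent was removed.
function Get-AzureADAgeGatingReport {
    param(
        # Also list users without any age-gating data (noise in most tenants).
        [switch] $IncludeUnclassified
    )

    Get-AzureADUser -All $true | ForEach-Object {
        $ageGroup = $_.AgeGroup
        $consent  = $_.ConsentProvidedForMinor
        $legal    = [string] $_.LegalAgeGroupClassification   # $null becomes ''

        $hasData = -not [string]::IsNullOrEmpty($ageGroup) -or
                   -not [string]::IsNullOrEmpty($consent)
        if (-not $hasData -and -not $IncludeUnclassified) { return }

        # Translate the read-only classification into a finding.
        $finding = switch ($legal) {
            'MinorWithoutParentalConsent'    { 'BLOCK: minor without parental consent' }
            'MinorWithParentalConsent'       { 'OK: minor with parental consent' }
            'MinorNoParentalConsentRequired' { 'OK: minor, no age regulation' }
            'NotAdult'                       { 'REVIEW: teenager in regulated region' }
            'Adult'                          { 'OK: adult' }
            'Undefined'                      { 'FIX: AgeGroup or ConsentProvidedForMinor removed' }
            default                          { 'INFO: no age-gating data' }
        }

        [pscustomobject]@{
            UserPrincipalName           = $_.UserPrincipalName
            AgeGroup                    = $ageGroup
            ConsentProvidedForMinor     = $consent
            LegalAgeGroupClassification = $legal
            Finding                     = $finding
        }
    }
}

Get-AzureADAgeGatingReport | Sort-Object Finding | Format-Table -AutoSize
```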
Mail
The Mail property is a read-only property if you use the AzureAD or MSOL APIs in PowerShell. The value is the primary recipient address in cases where the user is mailbox-enabled or at least mail-enabled in Exchange Online. So the value is the same as you see it in the value array of ‘ProxyAddresses’ as the primary address (ProxyAddresses is not visible in the Azure AD portal GUI). If you want to set the mail address property, there are basically only two options:
- You use the Exchange Online PowerShell Module. The way is to set the ‘EmailAddresses‘ array and there specifically the primary recipient address (with the capital letter ‘SMTP:’ prefix). The Exchange Online EmailAddresses then becomes the ProxyAddresses value you see in the Azure AD PowerShell cmdlets, and the primary address becomes the value of the Mail property.
- If the User is AADC-synced from a local Active Directory, then you can set the attribute ‘mail’ there (it is not read-only in the local AD) – it will be synced to the Mail property in Azure AD.
If both options are out of the question and you just want to store an email address of the user somewhere, you could use the property OtherMails, which is not read-only. Please also note that the UserPrincipalName values look like mail addresses as well, but in fact they are the UPN login names; the values may be identical to the Mail property in most cases, but not in all.
This is how you can get (not set!) the Mail property by a script. We use here the example user account of the initial screenshot:
Get-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004 | Select Mail
(Get-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004).Mail
Important Note: In case you use the MSOnline (MSOL) API, there is no Mail property available. However, you can read out the ProxyAddresses property there, which is available also under MSOL, and there look for the primary SMTP address (with the capital letter prefix ‘SMTP:….’):
(Get-MSOLUser -UserPrincipalName "aa@up-in-the.cloud").ProxyAddresses
((Get-MSOLUser -UserPrincipalName "aa@up-in-the.cloud").ProxyAddresses | ? {$_.StartsWith("SMTP")}).SubString(5)
Manager
Every Azure AD account can have a Manager, which is a link to another account of the same tenant. But the Manager is not a standard property that you can get or set with the normal Get-AzureADUser/Set-AzureADUser PowerShell cmdlets. Rather, you have to use the additional cmdlets like Get-AzureADUserManager and Set-AzureADUserManager. Please note that the result of reading the Manager is directly the specific account object.
This is how you can get and set the Manager property by a script. We use here the example user account of the initial screenshot:
Get-AzureADUserManager -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004
(Get-AzureADUserManager -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004).DisplayName
$managerID = (Get-AzureADUser -SearchString "Bob Bobman").ObjectID
Set-AzureADUserManager -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004 -RefObjectId $managerID
Important Note: In case you use the MSOnline (MSOL) API, there is no Manager property available. So if you want to use the Manager property, then you have to stay with the AzureAD API!
Mobile
The primary cellular telephone number for the user. This property can be a string with a maximum length of 64 characters.
This is how you can get and set the Mobile property by a script. We use here the example user account of the initial screenshot:
Get-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004 | Select Mobile
(Get-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004).Mobile
Set-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004 -Mobile "+49 177232323"
Important Note: In case you use the MSOnline (MSOL) API, you can also access this property, but it is called ‘MobilePhone‘ instead of ‘Mobile‘:
Get-MSOLUser -UserPrincipalName "aa@up-in-the.cloud" | Select MobilePhone
(Get-MSOLUser -UserPrincipalName "aa@up-in-the.cloud").MobilePhone
Set-MSOLUser -UserPrincipalName "aa@up-in-the.cloud" -MobilePhone "+49 177232323"
ObjectId
The ObjectId is by far the most important property of an Azure AD/O365 account. It is the identifier that is globally unique across all tenants. In most Azure AD PowerShell cmdlets you can use the ObjectId to identify the accounts (as you can see in most of the example scripts in this blog post). The ObjectId is a 128-bit GUID and it is mostly shown in the usual GUID notation, for example like this one:
33bb18ff-75e0-4bef-a158-0bbbae3c9004
When a user account is created, the system assigns a new ObjectId to the account. The ObjectId is read-only and does not change during the entire life of the object. This enables unambiguous identification, even if the display name or UPN of the account changes.
Although the ObjectId is comparable to the ObjectGUID attribute you may know from on-premises Active Directory environments, there is no technical connection between these two properties in an AADC-synced hybrid environment. The ObjectId of an Azure AD account is never the ObjectGUID of the synced local AD account. Rather, this relationship is stored in the Azure AD property ImmutableID. There is a longer blog post about the matching of AADC-synced accounts with the ImmutableID.
This is how you can get (not set!) the ObjectId property by a script. We use here the example user account of the initial screenshot:
Get-AzureADUser -Filter "UserPrincipalName eq 'aa@up-in-the.cloud'"
(Get-AzureADUser -Filter "UserPrincipalName eq 'aa@up-in-the.cloud'").ObjectId
In case you use the MSOnline (MSOL) API, you can also read the ObjectId property (also read-only):
Get-MSOLUser -UserPrincipalName "aa@up-in-the.cloud" | Select ObjectId
(Get-MSOLUser -UserPrincipalName "aa@up-in-the.cloud").ObjectId
OtherMails
The OtherMails property is an optional, writable multi-value property in which you can store one or more additional email addresses of the user – for example when the read-only Mail property cannot be set for the account.
This is how you can get and set the OtherMails property by a script. We use here the example user account of the initial screenshot. Please note that if you use the Select cmdlet to get the property, you should use the -ExpandProperty parameter, because we deal with a multi-value attribute here.
Get-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004 | Select OtherMails
Get-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004 | Select -ExpandProperty OtherMails
(Get-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004).OtherMails
This also has implications when you want to set the value. With a single value, you can do the usual stuff. But when you have several mail addresses to set, then build the array in front and then set it:
Set-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004 -OtherMails "alice.allison@cerrotorre.de"
$others = @("aa201068@gmail.com", "lupftschlumpf@gmx.de", "alica.a@gmail.com")
Set-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004 -OtherMails $others
Important Note: In case you use the MSOnline (MSOL) API, you can also access this property, but it is called ‘AlternateEmailAddresses‘ instead of ‘OtherMails‘. But there is a bug when you want to write the AlternateEmailAddresses with an array – it only accepts single values if you want to write this property with the MSOL API. So you cannot fill this with multiple values here! Fun fact: If you want to remove it, you have to use an empty array!
Get-MSOLUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004 | Select AlternateEmailAddresses
Get-MSOLUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004 | Select -ExpandProperty AlternateEmailAddresses
(Get-MSOLUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004).AlternateEmailAddresses
Set-MSOLUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004 -AlternateEmailAddresses "alice.allison@cerrotorre.de"
Set-MSOLUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004 -AlternateEmailAddresses @()
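Because Set-AzureADUser -OtherMails replaces the whole array, adding one more address requires reading the current values first and writing back the merged list. The following helper does that; it is an added example, not code from the original post, assumes an existing Connect-AzureAD session, and the addresses passed to it are constructed values.

```powershell
# Added example: append addresses to OtherMails without dropping existing entries.
function Add-AzureADUserOtherMail {
    param(
        [Parameter(Mandatory)] [string]   $ObjectId,
        [Parameter(Mandatory)] [string[]] $Address
    )

    $user = Get-AzureADUser -ObjectId $ObjectId
    # OtherMails comes back as a .NET List<string>; copy it into a PowerShell array.
    [string[]] $current = @($user.OtherMails)

    # Merge without duplicates. -contains compares strings case-insensitively,
    # which is what we want for mail addresses.
    $merged = @($current)
    foreach ($a in $Address) {
        if (-not ($merged -contains $a)) { $merged += $a }
    }

    if ($merged.Count -eq $current.Count) {
        Write-Verbose "No change for $($user.UserPrincipalName): all addresses already present."
        return ,$current
    }

    Set-AzureADUser -ObjectId $ObjectId -OtherMails $merged

    # Return what is actually stored so the caller can verify the write.
    return ,(Get-AzureADUser -ObjectId $ObjectId).OtherMails
}

Add-AzureADUserOtherMail -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004 `
    -Address "alice.allison@cerrotorre.de", "aa201068@gmail.com" -Verbose
```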
PhysicalDeliveryOfficeName
This is an optional property for setting the office location in the user’s place of business. Azure AD allows a maximum length of 64 characters here.
This is how you can get and set the PhysicalDeliveryOfficeName property by a script. We use here the example user account of the initial screenshot:
Get-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004 | Select PhysicalDeliveryOfficeName
(Get-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004).PhysicalDeliveryOfficeName
Set-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004 -PhysicalDeliveryOfficeName "B28 - EG 23"
Important Note: In case you use the MSOnline (MSOL) API, you can also access this property, but it is called ‘Office‘ instead of ‘PhysicalDeliveryOfficeName‘:
Get-MSOLUser -UserPrincipalName "aa@up-in-the.cloud" | Select Office
(Get-MSOLUser -UserPrincipalName "aa@up-in-the.cloud").Office
Set-MSOLUser -UserPrincipalName "aa@up-in-the.cloud" -Office "B28 - EG 23"
PostalCode
This is an optional property for setting a postal address information for the user, for example the ZIP code. Azure AD allows a maximum length of 40 characters here.
This is how you can get and set the PostalCode property by a script. We use here the example user account of the initial screenshot:
Get-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004 | Select PostalCode
(Get-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004).PostalCode
Set-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004 -PostalCode "80809"
In case you use the MSOnline (MSOL) API, you can also access the PostalCode property:
Get-MSOLUser -UserPrincipalName "aa@up-in-the.cloud" | Select PostalCode
(Get-MSOLUser -UserPrincipalName "aa@up-in-the.cloud").PostalCode
Set-MSOLUser -UserPrincipalName "aa@up-in-the.cloud" -PostalCode "80809"
ProxyAddresses
The ProxyAddresses property is a read-only property if you use the AzureAD or MSOL APIs in PowerShell. The value contains an array with the recipient addresses of the user’s mailbox. So for a user which is not mail-enabled, the ProxyAddresses array is empty.
Each address entry in the ProxyAddresses property has a prefix that indicates the type of address, mostly “smtp:” for normal RFC 822 email addresses. The primary address which is used as the sender address in outgoing mails has a capital letter prefix “SMTP:”. If you want to set the ProxyAddresses property, there are basically only two options:
- You use the Exchange Online PowerShell Module. The way is to set the ‘EmailAddresses‘ array and there specifically the primary recipient address (with the capital letter ‘SMTP:’ prefix). The Exchange Online EmailAddresses becomes then the ProxyAddresses value you see in the Azure AD PowerShell, and the primary address becomes the value of the Mail property.
- If the User is AADC-synced from a local Active Directory, then you can set the attribute ‘proxyAddresses’ there (it is not read-only in the local AD) – it will be synced to the ProxyAddresses property in Azure AD.
If both options are out of the question and you just want to store an email address of the user somewhere, you could use the property OtherMails, which is not read-only. Please also note that the UserPrincipalName values look like mail addresses as well, but in fact they are the UPN login names; the values may be identical to the Mail property in most cases, but not in all.
This is how you can get (not set!) the ProxyAddresses property by a script. We use here the example user account of the initial screenshot:
Get-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004 | Select ProxyAddresses
Get-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004 | Select -ExpandProperty ProxyAddresses
(Get-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004).ProxyAddresses
In case you use the MSOnline (MSOL) API, you can also access the ProxyAddresses property (also read-only):
Get-MSOLUser -UserPrincipalName "aa@up-in-the.cloud" | Select ProxyAddresses
Get-MSOLUser -UserPrincipalName "aa@up-in-the.cloud" | Select -ExpandProperty ProxyAddresses
(Get-MSOLUser -UserPrincipalName "aa@up-in-the.cloud").ProxyAddresses
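Putting the Mail and ProxyAddresses sections together: a parser that splits a ProxyAddresses array into the primary ‘SMTP:’ address and its ‘smtp:’ aliases (the prefix comparison must be case-sensitive), plus a check that Mail, primary SMTP address and UPN agree for a given account. This is an added example, not code from the original post; the sample array is constructed, and the live check assumes an existing Connect-AzureAD session.

```powershell
# Added example: parse ProxyAddresses and compare Mail, primary SMTP and UPN.
function Get-ProxyAddressSummary {
    param([string[]] $ProxyAddresses)

    # -cmatch is case-sensitive: 'SMTP:' marks the primary, 'smtp:' an alias.
    $primary = @($ProxyAddresses | Where-Object { $_ -cmatch '^SMTP:' } |
                ForEach-Object { $_.Substring(5) })
    $aliases = @($ProxyAddresses | Where-Object { $_ -cmatch '^smtp:' } |
                ForEach-Object { $_.Substring(5) })
    # -notmatch is case-insensitive, so this catches everything that is not SMTP
    # at all (x500:, SIP:, ...).
    $other   = @($ProxyAddresses | Where-Object { $_ -notmatch '^smtp:' })

    # Exactly one primary address is the healthy state; 0 or >1 is a data problem.
    $primaryValue = if ($primary.Count -eq 1) { $primary[0] } else { $null }

    [pscustomobject]@{
        Primary        = $primaryValue
        PrimaryCount   = $primary.Count
        Aliases        = $aliases
        OtherAddresses = $other
    }
}

function Test-AzureADMailIdentity {
    param([Parameter(Mandatory)] [string] $ObjectId)

    $u = Get-AzureADUser -ObjectId $ObjectId
    $p = Get-ProxyAddressSummary -ProxyAddresses $u.ProxyAddresses
    [pscustomobject]@{
        UserPrincipalName  = $u.UserPrincipalName
        Mail               = $u.Mail
        PrimarySmtp        = $p.Primary
        MailEnabled        = ($u.ProxyAddresses.Count -gt 0)
        MailMatchesPrimary = ($u.Mail -eq $p.Primary)            # string -eq is case-insensitive
        UpnMatchesMail     = ($u.UserPrincipalName -eq $u.Mail)  # false in the 'UPN is not the mail' case
        Aliases            = ($p.Aliases -join '; ')
    }
}

# Offline check of the parser with a constructed sample array:
$sample = 'smtp:alice@cerrotorre.de',
          'SMTP:alice.allison@up-in-the.cloud',
          'SIP:alice.allison@up-in-the.cloud'
Get-ProxyAddressSummary -ProxyAddresses $sample

# Live check against the example account of the post:
Test-AzureADMailIdentity -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004
```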
State
This is an optional property for setting the state or province for the user. Azure AD allows a maximum length of 128 characters here.
This is how you can get and set the State property by a script. We use here the example user account of the initial screenshot:
Get-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004 | Select State
(Get-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004).State
Set-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004 -State "New South Wales"
In case you use the MSOnline (MSOL) API, you can also access the State property:
Get-MSOLUser -UserPrincipalName "aa@up-in-the.cloud" | Select State
(Get-MSOLUser -UserPrincipalName "aa@up-in-the.cloud").State
Set-MSOLUser -UserPrincipalName "aa@up-in-the.cloud" -State "New South Wales"
StreetAddress
This is an optional property for setting the street address of the user’s place of business. Azure AD allows a maximum length of 1024 characters here (longer than most of the other string properties).
This is how you can get and set the StreetAddress property by a script. We use here the example user account of the initial screenshot:
Get-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004 | Select StreetAddress
(Get-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004).StreetAddress
Set-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004 -StreetAddress "Tamaki Dr. 215"
In case you use the MSOnline (MSOL) API, you can also access the StreetAddress property:
Get-MSOLUser -UserPrincipalName "aa@up-in-the.cloud" | Select StreetAddress
(Get-MSOLUser -UserPrincipalName "aa@up-in-the.cloud").StreetAddress
Set-MSOLUser -UserPrincipalName "aa@up-in-the.cloud" -StreetAddress "Tamaki Dr. 215"
Surname
The Surname property can be filled by a string with a maximum length of 64 characters. In the Azure AD admin portal (and in the older MSOL API), the property is referred to as ‘Last Name’.
This is how you can get and set the Surname property by a script. We use here the example user account of the initial screenshot:
Get-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004 | Select Surname
(Get-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004).Surname
Set-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004 -Surname "Allison"
Important Note: In case you use the MSOnline (MSOL) API, you can also access this property, but it is called ‘LastName‘ instead of ‘Surname‘:
Get-MSOLUser -UserPrincipalName "aa@up-in-the.cloud" | Select LastName
(Get-MSOLUser -UserPrincipalName "aa@up-in-the.cloud").LastName
Set-MSOLUser -UserPrincipalName "aa@up-in-the.cloud" -LastName "Allison"
TelephoneNumber
The primary telephone number for the user. This property can be a string with a maximum length of 64 characters. The Azure AD admin portal GUI shows this property as “Office Phone”.
This is how you can get and set the TelephoneNumber property by a script. We use here the example user account of the initial screenshot:
Get-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004 | Select TelephoneNumber
(Get-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004).TelephoneNumber
Set-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004 -TelephoneNumber "+49 8955555555"
Important Note: In case you use the MSOnline (MSOL) API, you can also access this property, but it is called ‘PhoneNumber‘ instead of ‘TelephoneNumber‘:
Get-MSOLUser -UserPrincipalName "aa@up-in-the.cloud" | Select PhoneNumber
(Get-MSOLUser -UserPrincipalName "aa@up-in-the.cloud").PhoneNumber
Set-MSOLUser -UserPrincipalName "aa@up-in-the.cloud" -PhoneNumber "+49 8955555555"
ThumbNailPhoto
The ThumbNailPhoto of a user account is an optional property that can be used to store a small picture of the person. This picture is shown in several places in Office 365 applications, like Outlook or Teams, whenever you receive a mail from that person or when you are in the same chat.
The complicated thing is that this ThumbNailPhoto property cannot be accessed like the other normal properties, it is NOT returned as an object member with a normal ‘Get-AzureADUser’ cmdlet. Instead, you have to use the ‘Get-AzureADUserThumbnailPhoto‘ cmdlet. If only the account is specified without any other parameter, you just get info whether there is a thumbnail photo or not, together with some meta data:
Get-AzureADUserThumbnailPhoto -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004
Only if you use the parameter -View, you get a preview of the image. Or you use -FilePath and -FileName, then you can save the picture as a file somewhere to disk. Please note that FilePath should actually be a subdirectory without a filename, and -FileName should be specified without an extension. The extension (.png, .jpeg etc) will be set automatically according to the picture content in the account property.
Get-AzureADUserThumbnailPhoto -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004 -FilePath c:\temp -FileName alice
Get-AzureADUserThumbnailPhoto -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004 -View $true
If you want to set a picture, you can write the ThumbnailPhoto property with the cmdlet Set-AzureADUserThumbnailPhoto:
Set-AzureADUserThumbnailPhoto -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004 -FilePath c:\temp\alice.png
# Error
Set-AzureADUserThumbnailPhoto -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004 -FilePath c:\temp\alice.allison.jpg
The optimal picture pixel size is 96×96 – any bigger pictures will be cropped to that size. You should use JPG or PNG files, and they must be smaller than 100 kb – otherwise you will get an error when you try to upload the picture:
Important Note: In case you use the MSOnline (MSOL) API, there is no property or cmdlet related to thumbnail photo available. So if you want to access the ThumbnailPhoto property, then you have to stay with the AzureAD API!
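As an added example (not code from the original post), the following function checks a picture against the limits described above (JPG or PNG, smaller than 100 KB, 96x96 pixels) and exports the user's current photo before replacing it, so the change can be reverted. It assumes an active Connect-AzureAD session; the backup directory and picture path are placeholders.

```powershell
function Set-ThumbnailPhotoChecked {
    param(
        [Parameter(Mandatory)][string]$ObjectId,
        [Parameter(Mandatory)][string]$PicturePath,
        [string]$BackupDir = 'C:\temp\thumbnail-backup'   # placeholder path
    )
    $file = Get-Item -LiteralPath $PicturePath -ErrorAction Stop

    # Only JPG or PNG, and smaller than 100 KB, otherwise the upload fails.
    if ($file.Extension -notin '.jpg', '.jpeg', '.png') {
        throw "Unsupported picture type '$($file.Extension)'; use JPG or PNG."
    }
    if ($file.Length -ge 100KB) {
        throw "Picture is $([math]::Round($file.Length / 1KB)) KB; it must be smaller than 100 KB."
    }

    # Anything larger than 96x96 pixels is cropped to that size, so warn about it.
    Add-Type -AssemblyName System.Drawing
    $img = [System.Drawing.Image]::FromFile($file.FullName)
    if ($img.Width -gt 96 -or $img.Height -gt 96) {
        Write-Warning "Picture is $($img.Width)x$($img.Height) px and will be cropped to 96x96."
    }
    $img.Dispose()

    # Export the current photo first so the change can be reverted.
    # -FileName is given without extension; the cmdlet appends .png/.jpeg itself.
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    try {
        Get-AzureADUserThumbnailPhoto -ObjectId $ObjectId -FilePath $BackupDir -FileName $ObjectId -ErrorAction Stop
        Write-Host "Previous photo exported to $BackupDir"
    } catch {
        Write-Warning "No previous photo exported: $($_.Exception.Message)"
    }

    Set-AzureADUserThumbnailPhoto -ObjectId $ObjectId -FilePath $file.FullName
    Write-Host "Thumbnail photo for $ObjectId replaced with $($file.Name)"
}

# Example call with the post's demo account and a placeholder picture file:
Set-ThumbnailPhotoChecked -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004 -PicturePath 'C:\temp\alice.png'
```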
UsageLocation
The UsageLocation property contains a 2-letter ISO country code like ‘US’ or ‘DE’. This attribute is the one needed while assigning a license to a user in Office 365. Some features in Office 365 are not allowed in certain countries and Microsoft determines this with the help of the UsageLocation property. When you assign a license to a user and specify the usage location of Office 365 services, Microsoft applies usage restrictions to those particular users based on their usage location.
This is how you can get and set the UsageLocation property by a script. We use here the example user account of the initial screenshot:
Get-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004 | Select UsageLocation
(Get-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004).UsageLocation
Set-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004 -UsageLocation "US"
In case you use the MSOnline (MSOL) API, you can also access the UsageLocation property:
Get-MSOLUser -UserPrincipalName "aa@up-in-the.cloud" | Select UsageLocation
(Get-MSOLUser -UserPrincipalName "aa@up-in-the.cloud").UsageLocation
Set-MSOLUser -UserPrincipalName "aa@up-in-the.cloud" -UsageLocation "US"
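Since a license cannot be assigned without a UsageLocation, here is an added example (not code from the original post) that sets the property only where it is missing and then assigns a license. It assumes an active Connect-AzureAD session; the SKU part number is a placeholder and must match one of your tenant's subscriptions.

```powershell
function Set-UsageLocationAndLicense {
    param(
        [Parameter(Mandatory)][string]$ObjectId,
        [Parameter(Mandatory)][ValidatePattern('^[A-Z]{2}$')][string]$UsageLocation,
        [Parameter(Mandatory)][string]$SkuPartNumber   # e.g. 'ENTERPRISEPACK' (placeholder)
    )
    $user = Get-AzureADUser -ObjectId $ObjectId

    if ([string]::IsNullOrEmpty($user.UsageLocation)) {
        Set-AzureADUser -ObjectId $ObjectId -UsageLocation $UsageLocation
        Write-Host "UsageLocation for $($user.UserPrincipalName) set to $UsageLocation"
    } elseif ($user.UsageLocation -ne $UsageLocation) {
        # An existing value is kept: changing it alters which services the user
        # may use, so that should be an explicit decision, not a side effect.
        Write-Warning "$($user.UserPrincipalName) already has UsageLocation '$($user.UsageLocation)'; leaving it unchanged"
    }

    # Resolve the SKU id of the tenant's subscription by its part number.
    $sku = Get-AzureADSubscribedSku | Where-Object { $_.SkuPartNumber -eq $SkuPartNumber }
    if (-not $sku) { throw "No subscribed SKU named '$SkuPartNumber' in this tenant" }

    if ($user.AssignedLicenses.SkuId -contains $sku.SkuId) {
        Write-Host "License already assigned; nothing to do"
        return
    }

    # Build the AssignedLicenses object expected by Set-AzureADUserLicense.
    $license = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
    $license.SkuId = $sku.SkuId
    $licenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
    $licenses.AddLicenses = $license
    Set-AzureADUserLicense -ObjectId $ObjectId -AssignedLicenses $licenses
    Write-Host "$SkuPartNumber assigned to $($user.UserPrincipalName)"
}

# Example call with the post's demo account:
Set-UsageLocationAndLicense -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004 -UsageLocation 'US' -SkuPartNumber 'ENTERPRISEPACK'
```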
UserPrincipalName
This is the login name for the user account. It is an Internet-style user name based on the Internet e-mail standard RFC 822, often referred to as UPN. The UserPrincipalName has to be unique amongst all security principals in the Azure AD tenant.
Note that the UserPrincipalName looks like an email address (e.g. “someone@example.com”), but technically this property has nothing to do with the user’s mailbox. As the technical login name, it could even be completely different from the e-mail recipient address. In most cases, though, users will have the same UPN as their e-mail address – it’s not enforced, but recommended by Microsoft. You won’t find this as an official statement easily, but it is there:
This is how you can get and set the UserPrincipalName property by a script (with the example user account of the initial screenshot):
Get-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004 | Select UserPrincipalName
(Get-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004).UserPrincipalName
Set-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004 -UserPrincipalName "alice.allison@up-in-the.cloud"
In case you use the MSOnline (MSOL) API, you can also access the UserPrincipalName property. However, you have to use a special cmdlet: ‘Set-MSOLUserPrincipalName‘. You cannot change the UPN with the usual ‘Set-MSOLUser‘.
Get-MSOLUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004 | Select UserPrincipalName
(Get-MSOLUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004).UserPrincipalName
Set-MSOLUserPrincipalName -UserPrincipalName "aa@up-in-the.cloud" -NewUserPrincipalName "alice.allison@up-in-the.cloud"
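Because the UPN has to be unique in the tenant and its suffix must be one of the tenant's verified domains, a rename is worth guarding. The following function is an added example (not code from the original post) that runs those checks before calling Set-AzureADUser; it assumes an active Connect-AzureAD session, and the new UPN is a placeholder.

```powershell
function Rename-UserPrincipalNameChecked {
    param(
        [Parameter(Mandatory)][string]$ObjectId,
        [Parameter(Mandatory)][string]$NewUserPrincipalName
    )
    # RFC 822 style name: exactly one '@', non-empty local part and a dotted domain.
    if ($NewUserPrincipalName -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
        throw "'$NewUserPrincipalName' is not a valid user@domain name"
    }
    $suffix = $NewUserPrincipalName.Split('@')[1]

    # Only a verified domain of the tenant can be used as UPN suffix.
    $domain = Get-AzureADDomain | Where-Object { $_.Name -eq $suffix -and $_.IsVerified }
    if (-not $domain) { throw "Domain '$suffix' is not a verified domain in this tenant" }

    # Uniqueness: another principal may already use the name (quote it for the OData filter).
    $escaped = $NewUserPrincipalName.Replace("'", "''")
    $clash = Get-AzureADUser -Filter "userPrincipalName eq '$escaped'"
    if ($clash -and $clash.ObjectId -ne $ObjectId) {
        throw "UPN '$NewUserPrincipalName' is already used by $($clash.DisplayName) ($($clash.ObjectId))"
    }

    $user = Get-AzureADUser -ObjectId $ObjectId
    if ($user.UserPrincipalName -eq $NewUserPrincipalName) {
        Write-Host "UPN already set; nothing to do"
        return
    }
    Set-AzureADUser -ObjectId $ObjectId -UserPrincipalName $NewUserPrincipalName
    # The mailbox address is a separate property and is not touched by this change.
    Write-Host "UPN changed: $($user.UserPrincipalName) -> $NewUserPrincipalName (Mail stays $($user.Mail))"
}

# Example call with the post's demo account:
Rename-UserPrincipalNameChecked -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004 -NewUserPrincipalName 'alice.allison@up-in-the.cloud'
```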
UserType
This is the account type – either ‘Member‘ or ‘Guest‘. The normal standard user accounts in your tenant are called members, whereas guests are the external B2B-accounts that you create by sending them an invitation to your tenant. So it is basically decided when creating the account whether it is a guest or a member. If you’re interested in listing all the guests in your tenant, check this blog post out: How to filter like the O365 portal: Guest Users.
This is how you can get the UserType property by a script. We use here the example user account of the initial screenshot:
Get-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004 | Select UserType
(Get-AzureADUser -ObjectId 33bb18ff-75e0-4bef-a158-0bbbae3c9004).UserType
In case you use the MSOnline (MSOL) API, you can also access the UserType property:
Get-MSOLUser -UserPrincipalName "aa@up-in-the.cloud" | Select UserType
(Get-MSOLUser -UserPrincipalName "aa@up-in-the.cloud").UserType
4 thoughts on “Scripting the Azure AD Portal: User Properties”
I’m looking for a property that reveals the FQDN of the source (on-prem AD domain). Any ideas?
Try this: onPremisesDistinguishedName … it contains the entire LDAP path of the on-prem ADobject, but this LDAP path also contains the Domain Name… look here for details: https://scripting.up-in-the.cloud/property-handling/where-do-you-come-from-the-onpremisesdistinguishedname-property.html
I would like to import a .csv with two columns, UserPrincipalName and EmployeeID, to bulk update the EmployeeID field in AzureAD.
Can you please help me write the script to import the .csv and update the EmployeeID field. My current script reads as such but gets an error that: Set-AzureADUserExtension : Cannot bind argument to parameter ‘ObjectId’ because it is null.
$csvdata = Get-Content "c:\path\to\csvfile.csv" | ConvertFrom-Csv -Delimiter ","
Foreach ($item in $csvdata) {
    Set-AzureADUserExtension -ObjectId $user.UPN -ExtensionName "EmployeeID" -ExtensionValue $item.EmployeeID
}
First: You could try to use “Import-CSV” instead of “Get-Content….. | ConvertFrom-CSV….”
Second: Could you post the first text line in your CSV file? You refer to a “$user.UPN” but it seems to be empty….
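As an added example (not code from the post or from the commenters), here is the bulk update from the question written with Import-Csv, a lookup of each user by UPN, and a skip instead of a crash for rows whose account cannot be resolved. The CSV columns UserPrincipalName and EmployeeID and the extension name "EmployeeID" are taken from the comment as-is; the CSV path is a placeholder, and an active Connect-AzureAD session is assumed.

```powershell
function Update-EmployeeIdFromCsv {
    param([Parameter(Mandatory)][string]$CsvPath)

    # Import-Csv reads the header line into property names directly.
    $rows = Import-Csv -LiteralPath $CsvPath
    foreach ($row in $rows) {
        $upn = $row.UserPrincipalName
        if ([string]::IsNullOrWhiteSpace($upn)) {
            Write-Warning "Row without UserPrincipalName skipped: $($row | ConvertTo-Json -Compress)"
            continue
        }

        # Resolve the account by UPN; quote the value for the OData filter.
        $escaped = $upn.Replace("'", "''")
        $user = Get-AzureADUser -Filter "userPrincipalName eq '$escaped'"
        if (-not $user) {
            Write-Warning "User '$upn' not found; skipped"
            continue
        }

        # Same cmdlet call as in the comment, but with a resolved ObjectId.
        Set-AzureADUserExtension -ObjectId $user.ObjectId -ExtensionName 'EmployeeID' -ExtensionValue $row.EmployeeID
        Write-Host "EmployeeID for $upn set to $($row.EmployeeID)"
    }
}

Update-EmployeeIdFromCsv -CsvPath 'C:\path\to\csvfile.csv'
```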