Skip to content

Managing Microsoft 365

Registering a tenant

Microsoft 365 tenants are stored as directory objects on Adaxes Configuration Server (AD LDS). To register a tenant, first, you need to bind to the container where Microsoft 365 tenants are stored using the following alias: “CloudServicesO365”. The container implements the IAdmO365Container interface that can be used to register Microsoft 365 tenants.

To register a tenant, call the RegisterTenant method of the interface. The first parameter of the method specifies the ID of a Microsoft 365 account that will be used to perform operations within the new tenant. The ID consists of a Microsoft 365 user name and your Microsoft 365 domain name, for example, johndoe@example.onmicrosoft.com or johndoe@example.com. The account must be assigned either to the Global Administrator or both the User Administrator and Exchange Administrator roles in Microsoft 365. The second parameter specifies the account password.

The return value of the method is an instance of the IAdmO365Tenant interface. You can use properties and methods of the interface to modify settings of the new tenant.

The following code sample registers a Microsoft 365 tenant.

[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

$adminUserName = "someone@example.onmicrosoft.com"
$adminPassword = "secret"

$admNS = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$admService = $admNS.GetServiceDirectly("localhost")

# Bind to the Microsoft 365 container
$containerPath = $admService.Backend.GetConfigurationContainerPath(
    "CloudServicesO365")
$container = $admService.OpenObject($containerPath.ToString(),
    $NULL, $NULL, 0)

# Register Tenant
$tenant = $container.RegisterTenant($adminUserName, $adminPassword)
using System;
using Softerra.Adaxes.Adsi;
using Softerra.Adaxes.Interop.Adsi.CloudServices.Office365;
using Softerra.Adaxes.Interop.Adsi.PersistentObjects;
class Program
{
    static void Main(string[] args)
    {
        const String adminUserName = "someone@example.onmicrosoft.com";
        const String adminPassword = "secret";

        AdmNamespace adsNS = new AdmNamespace();
        IAdmService admService = adsNS.GetServiceDirectly("localhost");

        // Bind to the Microsoft 365 container
        String containerPath = admService.Backend.GetConfigurationContainerPath(
            "CloudServicesO365");
        IAdmO365Container container = (IAdmO365Container)admService.OpenObject(
            containerPath, null, null, 0);

        // Register Tenant
        IAdmO365Tenant tenant = (IAdmO365Tenant)container.RegisterTenant(
            adminUserName, adminPassword);
    }
}

Modifying tenants

To modify a tenant, you need to bind to the directory object that represents the tenant at the Adaxes Configuration Server (AD LDS). To do this, first, you need to bind to the container where Microsoft 365 tenants are stored. The container supports the IADsContainer interface. You can use the interface to bind a particular tenant by name. To do so, call the GetObject method.

The first parameter of the method specifies the type of the directory object you want to bind to. The type of objects that represent Microsoft 365 tenants is “adm-O365Tenant”. As the second parameter, specify the tenant name preceded by the “CN=” prefix. For example, if you want to bind to a tenant called “My Tenant”, specify the following string as the second parameter: “CN=My Tenant”.

Each tenant object supports the IAdmO365Tenant interface that can be used to modify the tenant settings. To save the changes you make via the IAdmO365Tenant interface, call IADs::SetInfo.

The following code sample enables the Synchronize passwords option for a tenant.

[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

$tenantName = "My Tenant"

# Connect to Adaxes service
$admNS = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$admService = $admNS.GetServiceDirectly("localhost")

# Bind to the Microsoft 365 container
$containerPath = $admService.Backend.GetConfigurationContainerPath("CloudServicesO365")
$container = $admService.OpenObject($containerPath, $NULL, $NULL, 0)

# Bind to the Microsoft 365 tenant
$tenant = $container.GetObject("adm-O365Tenant", "CN=$tenantName")

# Synchronize passwords
$tenant.SynchronizePasswords = $True

# Save changes
$tenant.SetInfo()
using Softerra.Adaxes.Adsi;
using Softerra.Adaxes.Interop.Adsi;
using Softerra.Adaxes.Interop.Adsi.CloudServices.Office365;
using Softerra.Adaxes.Interop.Adsi.PersistentObjects;

class Program
{
    static void Main(string[] args)
    {
        const string tenantName = "My Tenant";

        // Connect to Adaxes service
        AdmNamespace adsNS = new AdmNamespace();
        IAdmService admService = adsNS.GetServiceDirectly("localhost");

        // Bind to the Microsoft 365 container
        string configurationContainerPath = admService.Backend.GetConfigurationContainerPath(
            "CloudServicesO365");
        IADsContainer configurationContainer = (IADsContainer)admService.OpenObject(
            configurationContainerPath, null, null, 0);

        // Bind to the Microsoft 365 tenant
        IAdmO365Tenant tenant = (IAdmO365Tenant)configurationContainer.GetObject(
            "adm-O365Tenant", "CN=" + tenantName);

        // Synchronize passwords
        tenant.SynchronizePasswords = true;

        // Save changes
        IAdmTop tenant2 = (IAdmTop)tenant;
        tenant2.SetInfo();
    }
}

Defining the associated Active Directory scope

The Active Directory scope of a tenant defines which part of your AD is associated with it. The AD scope can include whole domains, members of groups and Business Units, objects located in specific Organizational Units, etc.

To modify the AD scope of a tenant, you need to use the IAdmO365Tenant interface. The AssociatedScopeItems property of the interface represents a collection of activity scope items that comprise the tenant scope. The property exposes the IAdmCollection interface, and each item in the collection supports the IAdmActivityScopeItem interface.

For more information on how to manage activity scope items, see Defining the scope of activity.

The following code sample includes a whole Active Directory domain in the Active Directory scope of a tenant.

[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

$tenantName = "My Tenant"
$domainName = "example.com"

# Connect to Adaxes service
$admNS = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$admService = $admNS.GetServiceDirectly("localhost")

# Bind to the Microsoft 365 container
$containerPath = $admService.Backend.GetConfigurationContainerPath("CloudServicesO365")
$container = $admService.OpenObject($containerPath, $NULL, $NULL, 0)

# Bind to the Microsoft 365 tenant
$tenant = $container.GetObject("adm-O365Tenant", "CN=$tenantName")

# Bind to the domain object
$domainObj = $admService.OpenObject("Adaxes://$domainName", $NULL, $NULL, 0)

# Add the domain to the AD scope of the tenant
$scopeItem = $tenant.AssociatedScopeItems.Create()
$scopeItem.BaseObject = $domainObj
$scopeItem.Type = "ADM_SCOPEBASEOBJECTTYPE_CONTAINER"
$scopeItem.Inheritance = "ADS_SCOPE_SUBTREE"
$scopeItem.Exclude = $False
$scopeItem.SetInfo()
$tenant.AssociatedScopeItems.Add($scopeItem)
using Softerra.Adaxes.Adsi;
using Softerra.Adaxes.Interop.Adsi;
using Softerra.Adaxes.Interop.Adsi.CloudServices.Office365;
using Softerra.Adaxes.Interop.Adsi.PersistentObjects;

class Program
{
    static void Main(string[] args)
    {
        const string tenantName = "My Tenant";
        const string domainName = "example.com";

        // Connect to Adaxes service
        AdmNamespace adsNS = new AdmNamespace();
        IAdmService admService = adsNS.GetServiceDirectly("localhost");

        // Bind to the Microsoft 365 container
        string containerPath = admService.Backend.GetConfigurationContainerPath(
            "CloudServicesO365");
        IADsContainer container = (IADsContainer)admService.OpenObject(
            containerPath, null, null, 0);

        // Bind to the Microsoft 365 tenant
        IAdmO365Tenant tenant = (IAdmO365Tenant)container.GetObject(
            "adm-O365Tenant", "CN=" + tenantName);

        // Bind to the domain object
        IAdmTop domainObj = (IAdmTop)admService.OpenObject("Adaxes://" + domainName,
            null, null, 0);

        // Add the domain to the AD scope of the tenant
        IAdmActivityScopeItem scopeItem =
            (IAdmActivityScopeItem)tenant.AssociatedScopeItems.Create();
        scopeItem.BaseObject = domainObj;
        scopeItem.Type =
            ADM_SCOPEBASEOBJECTTYPE_ENUM.ADM_SCOPEBASEOBJECTTYPE_CONTAINER;
        scopeItem.Inheritance = ADS_SCOPEENUM.ADS_SCOPE_SUBTREE;
        scopeItem.Exclude = false;
        scopeItem.SetInfo();
        tenant.AssociatedScopeItems.Add(scopeItem);
    }
}

Retrieving Microsoft 365 properties of users

To retrieve properties of a Microsoft 365 account of a user, you need to bind to the user object in Active Directory. Then, use the IAdmO365Account interface supported by user objects. To retrieve Microsoft 365 properties of the user, call the GetOffice365Properties method of the interface.

Note

Calling the GetOffice365Properties method is expensive with regard to performance, as it fetches all information related to a user from Microsoft 365.

The following code sample outputs the status of the Sign In Blocked option for a user.

[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

$admNS = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$admService = $admNS.GetServiceDirectly("localhost")

# Bind to user
$userDN = "CN=John Smith,CN=Users,DC=example,DC=com"
$user = $admService.OpenObject("Adaxes://$userDN", $NULL, $NULL, 0)

# Retrieve properties of the Microsoft 365 account
$m365Props = $user.GetOffice365Properties()

Write-Host "Sign in blocked:" $m365Props.SignInBlocked
using System;
using Softerra.Adaxes.Interop.Adsi;
using Softerra.Adaxes.Adsi;
using Softerra.Adaxes.Interop.Adsi.CloudServices.Office365;
using Softerra.Adaxes.Interop.Adsi.PersistentObjects;
class Program
{
    static void Main(string[] args)
    {
        AdmNamespace adsNS = new AdmNamespace();
        IAdmService admService = adsNS.GetServiceDirectly("localhost");

        // Bind to user
        IAdmO365Account user = (IAdmO365Account)admService.OpenObject(
            "Adaxes://CN=John Smith,CN=Users,DC=example,DC=com", null, null, 0);


         // Retrieve properties of the Microsoft 365 account
        IAdmO365AccountProperties m365Props = user.GetOffice365Properties();

        bool signInBlocked = m365Props.SignInBlocked;
        Console.WriteLine("Sign in blocked: " + signInBlocked.ToString());
   }
}

Modifying Microsoft 365 properties of users

To perform operations on a Microsoft 365 account, first, you need to bind to the user object in Active Directory. All user objects support the IAdmO365Account interface. To modify Microsoft 365 properties of the user, call the SetOffice365Properties method of the interface.

As the parameter of the SetOffice365Properties method, you need to pass an instance of the IAdmO365AccountProperties interface that describes the modifications you want to make. To create a new instance of the interface, you can use the AdmO365AccountProperties class. Alternatively, you can call IAdmO365Account::GetOffice365Properties to retrieve the current Microsoft 365 properties of the user.

Calling SetOffice365Properties does not commit changes to Microsoft 365. To commit the changes, call IADs::SetInfo.

Activating Microsoft 365 accounts

To activate a Microsoft 365 account, you need to specify a location where the user will consume Microsoft 365 services. To specify a location, use the Location property of the IAdmO365AccountProperties interface. The value of the property must be represented by a two-letter country code as defined in ISO 3166-1 (e.g. US or DE).

The following code sample activates a Microsoft 365 account for a user and sets location in Microsoft 365 to United States.

[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

$admNS = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$admService = $admNS.GetServiceDirectly("localhost")

# Bind to user
$userDN = "CN=John Smith,CN=Users,DC=example,DC=com"
$user = $admService.OpenObject("Adaxes://$userDN", $NULL, $NULL, 0)

# Create a new instance of the AdmO365AccountProperties class
$m365Props = New-Object `
      "Softerra.Adaxes.Adsi.CloudServices.Office365.AdmO365AccountProperties"

# Set location to United States
$m365Props.Location = "US"
$user.SetOffice365Properties($m365Props)

# Save changes
$user.SetInfo()
using Softerra.Adaxes.Adsi;
using Softerra.Adaxes.Interop.Adsi;
using Softerra.Adaxes.Adsi.CloudServices.Office365;
using Softerra.Adaxes.Interop.Adsi.PersistentObjects;
using Softerra.Adaxes.Interop.Adsi.CloudServices.Office365;
class Program
{
    static void Main(string[] args)
    {
        AdmNamespace adsNS = new AdmNamespace();
        IAdmService admService = adsNS.GetServiceDirectly("localhost");

        // Bind to user
        IAdmO365Account  user = (IAdmO365Account)admService.OpenObject(
            "Adaxes://CN=John Smith,CN=Users,DC=example,DC=com", null, null, 0);

        // Create an instance of the AdmO365AccountProperties class
        AdmO365AccountProperties m365Props =
            new AdmO365AccountProperties();

        // Set location to United States
        m365Props.Location = "US";
        user.SetOffice365Properties(m365Props);

        // Save changes
        IAdmTop user2 = (IAdmTop)user;
        user2.SetInfo();
   }
}

Note

If the Synchronize passwords option is enabled for the Microsoft 365 tenant associated with the user, you can also set a password for the new Microsoft 365 account. For this purpose, use the InitialPassword property of the interface.

Assigning and revoking licenses

Prior to assigning or revoking licenses from users, you need to retrieve the current Microsoft 365 properties of the user account. To do this, call the GetOffice365Properties method of the IAdmO365Account interface. The return value of the method is an instance of the IAdmO365AccountProperties interface that represents Microsoft 365 properties of the user. Use the Licenses property of the interface to assign and revoke licenses from the user.

The Licenses property gets an array of IAdmO365License interfaces. Each item in the array represents a Microsoft 365 license. To assign a license to a user, set the Assigned property of the interface to TRUE. If you want to revoke a license, set the property to FALSE.

The following code sample assigns all licenses available for a user.

[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

$admNS = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$admService = $admNS.GetServiceDirectly("localhost")

# Bind to user
$userDN = "CN=John Smith,CN=Users,DC=example,DC=com"
$user = $admService.OpenObject("Adaxes://$userDN", $NULL, $NULL, 0)

# Read Microsoft 365 properties
$m365Props = $user.GetOffice365Properties()

# Assign all licenses
foreach ($license in $m365Props.Licenses)
{
    $license.Assigned = $True
}
$user.SetOffice365Properties($m365Props)

# Save changes
$user.SetInfo()
using Softerra.Adaxes.Adsi;
using Softerra.Adaxes.Interop.Adsi;
using Softerra.Adaxes.Interop.Adsi.CloudServices.Office365;
using Softerra.Adaxes.Interop.Adsi.PersistentObjects;
class Program
{
    static void Main(string[] args)
    {
        AdmNamespace adsNS = new AdmNamespace();
        IAdmService admService = adsNS.GetServiceDirectly("localhost");

        // Bind to user
        IAdmO365Account user = (IAdmO365Account)admService.OpenObject(
            "Adaxes://CN=John Smith,CN=Users,DC=example,DC=com", null, null, 0);

        // Read Microsoft 365 properties
        IAdmO365AccountProperties m365Props =
            user.GetOffice365Properties();

        // Assign all licenses
        foreach (IAdmO365License license in m365Props.Licenses)
        {
            license.Assigned = true;
        }
        user.SetOffice365Properties(m365Props);

        // Save changes
        IAdmTop user2 = (IAdmTop)user;
        user2.SetInfo();
   }
}

Note

A license will be assigned or revoked only if the AssignedModificationEnabled property of the IAdmO365License interface is set to TRUE. When you modify the value of the Assigned property, the AssignedModificationEnabled property is set to TRUE automatically.

Tip

To revoke all Microsoft 365 licenses from a user, set the RevokeAllLicenses property of the IAdmO365AccountProperties interface to TRUE.

Examples
[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

$admNS = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$admService = $admNS.GetServiceDirectly("localhost")

# Bind to user
$userDN = "CN=John Smith,CN=Users,DC=example,DC=com"
$user = $admService.OpenObject("Adaxes://$userDN", $NULL, $NULL, 0)

# Create a new instance of the AdmO365AccountProperties class
$m365Props = New-Object `
    "Softerra.Adaxes.Adsi.CloudServices.Office365.AdmO365AccountProperties"

# Revoke all licenses
$m365Props.RevokeAllLicenses = $True
$user.SetOffice365Properties($m365Props)

# Save changes
$user.SetInfo()
using Softerra.Adaxes.Interop.Adsi;
using Softerra.Adaxes.Adsi;
using Softerra.Adaxes.Interop.Adsi.CloudServices.Office365;
using Softerra.Adaxes.Interop.Adsi.PersistentObjects;
class Program
{
    static void Main(string[] args)
    {
        AdmNamespace adsNS = new AdmNamespace();
        IAdmService admService = adsNS.GetServiceDirectly("localhost");

        // Bind to user
        IAdmO365Account user = (IAdmO365Account)admService.OpenObject(
            "Adaxes://CN=John Smith,CN=Users,DC=example,DC=com", null, null, 0);

        // Create an instance of the AdmO365AccountProperties class
        AdmO365AccountProperties m365Props =
            new AdmO365AccountProperties();

        // Revoke all licenses
        m365Props.RevokeAllLicenses = true;
        user.SetOffice365Properties(m365Props);

        // Save changes
        IAdmTop user2 = (IAdmTop)user;
        user2.SetInfo();
    }
}

To assign or revoke a specific license, you need to identify which of the IAdmO365License interfaces available in the Licenses property represents the license you need. To do so, you can use the Sku property of the IAdmO365License interface. The property gets the IAdmO365SkuInfo interface that can be used to retrieve information about a license plan associated with the license. For example, using the SkuPartNumber property of the interface, you can get the name of the license plan in Microsoft 365.

After identifying the necessary IAdmO365License interface, modify the value of the Assigned property of the interface to assign or revoke the license.

The following code sample revokes a license for a specific license plan.

[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

$planName = "ENTERPRISEPACK" # Microsoft 365 Enterprise E3

$admNS = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$admService = $admNS.GetServiceDirectly("localhost")

# Bind to user
$userDN = "CN=John Smith,CN=Users,DC=example,DC=com"
$user = $admService.OpenObject("Adaxes://$userDN", $NULL, $NULL, 0)

# Read Microsoft 365 properties
$m365Props = $user.GetOffice365Properties()

# Revoke the license
foreach ($license in $m365Props.Licenses)
{
    if ($license.Sku.SkuPartNumber -eq $planName)
    {
        $license.Assigned = $False
        break
    }
}
$user.SetOffice365Properties($m365Props)

# Save changes
$user.SetInfo()
using System;
using Softerra.Adaxes.Adsi;
using Softerra.Adaxes.Interop.Adsi;
using Softerra.Adaxes.Interop.Adsi.CloudServices.Office365;
using Softerra.Adaxes.Interop.Adsi.PersistentObjects;
class Program
{
    static void Main(string[] args)
    {
        const string planName = "ENTERPRISEPACK"; // Microsoft 365 Enterprise E3

        AdmNamespace adsNS = new AdmNamespace();
        IAdmService admService = adsNS.GetServiceDirectly("localhost");

        // Bind to user
        IAdmO365Account user = (IAdmO365Account)admService.OpenObject(
            "Adaxes://CN=John Smith,CN=Users,DC=example,DC=com", null, null, 0);

        // Read Microsoft 365 properties
        IAdmO365AccountProperties m365Props =
            user.GetOffice365Properties();

        // Revoke the license
        foreach (IAdmO365License license in m365Props.Licenses)
        {
            if (StringComparer.OrdinalIgnoreCase.Equals(
                license.Sku.SkuPartNumber, planName))
            {
                license.Assigned = false;
                break;
            }
        }
        user.SetOffice365Properties(m365Props);

        // Save changes
        IAdmTop user2 = (IAdmTop)user;
        user2.SetInfo();
    }
}

Deactivating Microsoft 365 accounts

To deactivate a Microsoft 365 account of a user and block user access to Microsoft 365 services, you need to set the SignInBlocked property of the IAdmO365AccountProperties interface to TRUE.

The following code sample deactivates a Microsoft 365 account for a user.

[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

$admNS = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$admService = $admNS.GetServiceDirectly("localhost")

# Bind to user
$userDN = "CN=John Smith,CN=Users,DC=example,DC=com"
$user = $admService.OpenObject("Adaxes://$userDN", $NULL, $NULL, 0)

# Create a new instance of the AdmO365AccountProperties class
$m365Props = New-Object `
      "Softerra.Adaxes.Adsi.CloudServices.Office365.AdmO365AccountProperties"

# Block Access to Microsoft 365 services
$m365Props.SignInBlocked = $True
$user.SetOffice365Properties($m365Props)

# Save changes
$user.SetInfo()
using Softerra.Adaxes.Interop.Adsi;
using Softerra.Adaxes.Adsi;
using Softerra.Adaxes.Interop.Adsi.CloudServices.Office365;
using Softerra.Adaxes.Interop.Adsi.PersistentObjects;
class Program
{
    static void Main(string[] args)
    {
        AdmNamespace adsNS = new AdmNamespace();
        IAdmService admService = adsNS.GetServiceDirectly("localhost");

        // Bind to user
        IAdmO365Account user = (IAdmO365Account)admService.OpenObject(
            "Adaxes://CN=John Smith,CN=Users,DC=example,DC=com", null, null, 0);

        // Create an instance of the AdmO365AccountProperties class
        AdmO365AccountProperties m365Props =
            new AdmO365AccountProperties();

        // Block Access to Microsoft 365 services
        $m365Props.SignInBlocked = true;
        user.SetOffice365Properties(m365Props);

        // Save changes
        IAdmTop user2 = (IAdmTop)user;
        user2.SetInfo();
   }
}

Tip

Apart from Microsoft 365 user account management, you can also manage Exchange Online mailboxes. For more information, see Performing Exchange tasks

See also