I received a question from a customer asking me for a way to create MFA-enabled administrator accounts on all Microsoft 365 tenants managed through the Partner portal, without having to manually go to each tenant and create them. To solve this, I threw together a quick script that imports a .CSV file containing the DisplayName, UserPrincipalName and Password and then goes through every managed tenant to create the accounts and enable MFA on the newly created accounts.
As an extra bonus, I’ve also provided a script that could be used to remove the accounts on all managed tenants.
Enjoy!
Account Creation
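<#
.Description
This script is used for creating (multiple) Microsoft 365 tenant administrator accounts for all tenants managed by your MSP.
Current Version: 1.1
Version History:
----------------
v1.0: First release.
v1.1: Fixed a bug that caused trouble when adding roles.
By: Stefan van Bruggen
.Notes
Input: .\users.csv with the columns DisplayName,UserPrincipalName,Password.
UserPrincipalName is the local part only; each tenant's default domain is appended.
The CSV holds the initial passwords in clear text: keep it access-restricted and remove it once the run has finished.
The MSOnline (Msol*) module is deprecated by Microsoft in favour of Microsoft Graph PowerShell; this script still targets MSOnline as written.
#>
# Connect to Microsoft 365 using your partner account credentials.
Connect-MsolService

# Administrator roles granted to every new account. The list is the same for every
# tenant, so it is defined once outside the tenant loop.
# NOTE(review): "Company Administrator" (Global Administrator) already covers what the
# other roles grant; the extra assignments add no capability but widen the footprint
# that shows up in audit logs. Trim this list to what the account actually needs.
$Roles = "Authentication Administrator","Azure Information Protection Administrator","Company Administrator","Conditional Access Administrator","Directory Readers","Directory Synchronization Accounts","Directory Writers","Exchange Service Administrator","Helpdesk Administrator","Hybrid Identity Administrator","Intune Service Administrator","Kaizala Administrator","License Administrator","Message Center Privacy Reader","Message Center Reader","Partner Tier1 Support","Partner Tier2 Support","Password Administrator","Privileged Authentication Administrator","Privileged Role Administrator","Reports Reader","Service Support Administrator","SharePoint Service Administrator","Teams Communications Administrator","Teams Communications Support Engineer","Teams Communications Support Specialist","Teams Service Administrator","User Account Administrator"

# Strong-authentication requirement that turns MFA on (State "Enabled" for all relying
# parties). It is loop-invariant, so it is built once and reused for every user.
$st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$st.RelyingParty = "*"
$st.State = "Enabled"
$sta = @($st)

# Read the user list once; the same rows are created in every managed tenant.
$Users = @(Import-Csv .\users.csv)

# Get managed tenant IDs and prefixes.
Get-MsolPartnerContract -All | ForEach-Object {
    $TenantPrefix = [string]$_.DefaultDomainName
    $TenantId = [string]$_.TenantId.Guid

    ForEach ($user in $Users) {
        # The CSV carries the local part only; append this tenant's default domain.
        $newUPN = [string]($user.UserPrincipalName + "@" + $TenantPrefix)

        # New-MsolUser emits the new user object on success; on failure it writes an
        # error and emits nothing. Roles and MFA are only applied to accounts that exist,
        # so a failed creation does not leave stray role assignments behind.
        $created = New-MsolUser -DisplayName $user.DisplayName -UserPrincipalName $newUPN -Password $user.Password -ForceChangePassword:$true -PasswordNeverExpires:$true -TenantId $TenantId
        if (-not $created) {
            Write-Warning "Account $newUPN was not created in tenant $TenantId; skipping role assignment and MFA."
            continue
        }

        # Add newly created user account to previously defined administrator roles.
        ForEach ($role in $Roles) {
            Add-MsolRoleMember -TenantId $TenantId -RoleName $role -RoleMemberEmailAddress $newUPN
        }

        # Enable MFA for this user. This call deliberately lives inside the per-user loop:
        # placed after the loop, $newUPN only holds the last CSV row, so every other
        # account would have been created as an administrator without MFA.
        Set-MsolUser -TenantId $TenantId -UserPrincipalName $newUPN -StrongAuthenticationRequirements $sta
    }
}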
Account Removal
<#
.Description
This script is used for removing (multiple) Microsoft 365 tenant administrator accounts for all tenants managed by your MSP.
Current Version: 1.0
By: Stefan van Bruggen, Open ICT
s.vanbruggen@open-ict.nl
#>
# Connect to Microsoft 365 using your partner account credentials.
Connect-MsolService

# Walk every managed tenant and remove the listed accounts from each one.
foreach ($contract in (Get-MsolPartnerContract -All)) {
    $domain = [string]$contract.DefaultDomainName
    $tenant = [string]$contract.TenantId.Guid

    # Input: .\delete-users.csv with a single column, UserPrincipalName, holding the local
    # part only; this tenant's default domain is appended before removal.
    foreach ($row in (Import-Csv .\delete-users.csv)) {
        $upn = [string]("{0}@{1}" -f $row.UserPrincipalName, $domain)

        # -Force suppresses the confirmation prompt, so the removal runs unattended.
        # NOTE(review): without -RemoveFromRecycleBin this is presumably a soft delete
        # (recoverable from the recycle bin for a limited time) — confirm for your tenant.
        Remove-MsolUser -UserPrincipalName $upn -TenantId $tenant -Force
    }
}