Connect to all Azure & Office 365 services in one PowerShell window

We've all been there, when running some commandlets from Exchange online suddenly you need to switch to Sharepoint, AzureAD or Skype Online.

With this handy script you can connect to all services at once.
I personally always use the Exchange Online PowerShell module for this, as it will be updated when starting it so you always have the latest commandlets for Exchange Online.

There are some requirements that have to be met before hand:

• .Net 4.5
• Windows Management Framework 3.0 or 4.0
• 64-bit version of Windows OS

Installed modules:

• Azure Active Directory V2 module
• SharePoint Online module
• Skype for Business Online module

Execution policy needs to be at least "Remote Signed"

In the past I have created a script that installs all these requirements at once:

https://vanbrenk.blogspot.com/2018/03/install-office365-requirements-with.html

I try to keep this updated, so if anything fails leave me a comment.

Then you can run the lines below and connect to all the services in one PowerShell window.
Mind you, this is all for MFA enabled accounts.

# Azure Active Directory            
Connect-MsolService            
# SharePoint Online            
Connect-SPOService -Url https://domain-admin.sharepoint.com            
# Skype for Business Online            
Import-Module SkypeOnlineConnector            
$sfboSession = New-CsOnlineSession -UserName "username@domain.com" -OverrideAdminDomain domain.onmicrosoft.com            
Import-PSSession $sfboSession            
# Exchange Online            
Connect-Exopssession -UserPrincipalName username@domain.com            
# Microsoft Teams            
Connect-MicrosoftTeams            
# AzureAD            
Connect-AzureAD            
# Intune            
Connect-MSGraph

Get-CsWebTicket : Failed to logon with given credentials. Make sure correct user name and password provided.

When trying to login to Skype Online through PowerShell or the Skype for Business control panel you receive the following error:
The WinRM client cannot process the request. Basic authentication is currently disabled in the client configuration. Change the client configuration and try the request again.

Or this one:

Get-CsWebTicket : Failed to logon with given credentials. Make sure correct user name and password provided.

Then the search begins, and brought me to this:

View the current winrm settings to check whether "basic authentication" has been disabled or not.

winrm get winrm/config/client/auth

Auth

    Basic = true [Source="GPO"]

    Digest = true [Source="GPO"]

    Kerberos = true

    Negotiate = true

    Certificate = true

    CredSSP = false

For me it was set with a GPO.

Trying to set it with this:

winrm set config/client/auth/ @{basic="true"}

Update:

Set-Item WSMan:\localhost\Client\Auth\Basic -Value 'True'

Error: Invalid use of command line. Type "winrm -?" for help.

That didn't go as planned.

The tried to set it in the registry with this:

Open regedit as admin and go to:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client

Simply change the DWORD from 0 to 1 and then restart the PowerShell console

Well that's nice but no solution.

Then searched for the other error, the one with the Get-CSWebTicket error.

Which led me to this:

Since Skype for Business Control Panel don’t support two-step verification we will need to to set up an “app password” for our Office 365 admin account that has MFA enabled.

Oh, really...and yes I just enabled the force MFA option policy in Azure: "Baseline policy: Require MFA for admins (Preview)".

Created an app password an pasted it in my SkypeOnline PowerShell module and voila I was in once again.

Source

Move multiple users from Skype on-premises to Skype Online - Bulk Move-CSUser

There isn't much to be found about this.
I needed to move a list of users from our on-premises Skype for Business 2015 servers to Skype Online.
I know how to do this one user at a time.

$cred = Get-Credential username@tenanant.com            
Move-CsUser -Identity UPN -Credential $cred -Target sipfed.online.lync.com -Confirm:$false

Thats nice and all, but I had a list of 15 users.

I came across this post from Brett Janzen:

https://brettjanzen.wordpress.com

He deserves a shit load of traffic to his site for this strike of genius :-)

He created a script to move users from on-premises to Online, to check if they are enabled if the move went well or not and notify you of this by email.

His version can be found here, I made some adjustments because my environment reacted a bit differently.

# Edit this script at lines: 4, 13, (possibly at 17), 23, 32, 46, 51 and 58 to 61            
            
#This 1 liner creates the hash file that we will need in the next script. Needs to be run only the first time, or if password changes            
Read-Host -Prompt "Enter your tenant password" -AsSecureString | ConvertFrom-SecureString | Out-File "cred.txt"            
             
#-------------------------            
#Script starts here:            
#-------------------------            
            
#Time Stamp used for file naming            
$DTStamp = get-date -f "dd-MM-yyyy HH-mm"            
#This uses a hash value of the password for the service user. This will allow us to run the script with out being asked            
$AdminName = "username@tenant.onmicrosoft.com"            
$Pass = Get-Content "cred.txt" | ConvertTo-SecureString            
$credential= new-object -typename System.Management.Automation.PSCredential -argumentlist $AdminName, $Pass            
#Initialize session            
$session = New-CsOnlineSession -Credential $credential #-OverrideAdminDomain "domain.com"            
Import-PSSession $session -AllowClobber            
Set-ExecutionPolicy Unrestricted -force            
#The Beginning of the inspection of users that will be moved            
#Does the userlist file exist?            
If ((test-path "userlist.txt") -eq $False) {            
Send-MailMessage -from "Skype@domain.com" -to "admin@domain.com"-subject "Skype Migrations: No File" -body "Looks like we dont have a file to work with" -smtpServer smtp.domain.com            
}else{            
#check to see if the users are enabled. This will output new file for working with.            
ForEach ($UserToBeMigrated in (Get-Content userlist.txt)) {            
get-csuser $UserToBeMigrated | Where-object {$_.Enabled -eq $False} | Select-object -expandProperty sipaddress | Out-File NotEnabledUsers.txt -append            
get-csuser $UserToBeMigrated | Where-object {$_.Enabled -eq $True} | Select-object -expandProperty sipaddress | Out-File EnabledUsers.txt -append            
}            
#Start of moving users to the cloud with enabledusers.txt            
ForEach ($UserToBeMigrated in (Get-Content EnabledUsers.txt)) {            
Move-CsUser $UserToBeMigrated -Target sipfed.online.lync.com -Credential $credential -Confirm:$False #-verbose #-HostedMigrationOverrideUrl "https://youradmindomainname.online.lync.com/HostedMigration/hostedmigrationservice.svc" -ProxyPool "proxypool.domain.com"             
}            
# Lets give it a pause for any replication delays            
Start-Sleep 60            
#Lets verify the users where migrated            
ForEach ($UserToBeMigrated in (Get-Content EnabledUsers.txt)) {            
Get-CsUser $UserToBeMigrated | where-object {$_.hostingprovider -ne "sipfed.online.lync.com"} |Select-object -ExpandProperty Sipaddress | out-file LeftOvers.txt -Append            
}            
#If there were users that didnt move it will show up in the left overs file            
If ((Get-Content "LeftOvers.txt") -eq $Null) {            
ForEach ($UserToBeMigrated in (Get-Content EnabledUsers.txt)) {            
get-csuser $UserToBeMigrated | select-object SipAddress, HostingProvider | Out-file completedList.txt -append            
}            
#If it passes lets send an email to the admin with some txt files to look through if he or she wants to            
Send-MailMessage -from "Skype@domain.com" -to "admin@domain.com" -subject "Move Complete" -body "Passed on first try. Logs attached" -Attachment "CompletedList.txt","NotEnabledUsers.txt" -smtpServer smtp.domain.com            
#Cleanup!            
rename-item -path completedList.txt -newName "CompletedList- $DTStamp.txt"            
} else {            
#If there is failure email and let the admin know            
Send-MailMessage -from "Skype@domain.com" -to "admin@domain.com" -subject "Move Had Errors" -body "Looks like there was a failure. Logs attached" -attachment "LeftOvers.txt" -smtpServer smtp-lb.domain.com            
#Here we could add another try to see if we can move the users again. This is a work in progress            
}            
}            
#Close them sessions            
get-pssession | remove-pssession            
#Clean Up            
rename-item -path "D:\Scripts\Move-CSUser to Skype Online\leftovers.txt" -newName "_LeftOvers- $DTStamp.txt"            
rename-item -path "D:\Scripts\Move-CSUser to Skype Online\userlist.txt" -newName "_UserList- $DTStamp.txt"            
rename-item -path "D:\Scripts\Move-CSUser to Skype Online\NotEnabledUsers.txt" -newName "_NotEnabledUsers- $DTStamp.txt"            
rename-item -path "D:\Scripts\Move-CSUser to Skype Online\EnabledUsers.txt" -newName "_EnabledUsers- $DTStamp.txt"

Enable MFA for Exchange Online and Outlook, Skype Online and the Skype client

For the Office 365 services, the default state of modern authentication is:

• Exchange Online - off by default
• Skype Online - off by default 
• SharePoint Online - on by default

This means you have to enable it for Exchange Online and Skype Online after enabling MFA for your users.

Here how:

For Exchange Online:

Connect to Exchange Online PowerShell as shown here.
Do one of these steps:

1. Run this command to enable modern authentication in Exchange Online:
   

   Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

2. Run this command to disable modern authentication in Exchange Online:
   

   Set-OrganizationConfig -OAuth2ClientProfileEnabled $false

3. To verify that the change was successful, run this command:
   

   Get-OrganizationConfig | Format-Table -Auto Name,OAuth*

For Skype Online:

Connect to Skype for Business Online using remote PowerShell: https://aka.ms/SkypePowerShell
Run the following command:

1. Run this command to enable modern authentication in Skype Online:
   

   Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed

2. Verify that the change was successful by running the following:
   

   get-CsOAuthConfiguration | select ClientAdalAuthOverride

The output for both will look like this:

Get-OrganizationConfig | Select OAuth2ClientProfileEnabled

OAuth2ClientProfileEnabled
--------------------------
                     False

Set-OrganizationConfig -OAuth2ClientProfileEnabled $True


Get-OrganizationConfig | Select OAuth2ClientProfileEnabled

OAuth2ClientProfileEnabled
--------------------------
                      True

Get-CsOAuthConfiguration | Select ClientAdalAuthOverride

ClientAdalAuthOverride
----------------------
Disallowed

Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed
Get-CsOAuthConfiguration | Select ClientAdalAuthOverride

ClientAdalAuthOverride
----------------------
Allowed

Remote PowerShell login Office365, SkypeForBusiness Online, SharePoint Online, Exchange Online, Security and how to disconnect

Remote PowerShell login Office 365 all modules

Requisites login into Office 365 Skype for Business Online are:

· Running OS must be 64bit

· Microsoft .NET Framework 4.5.x

· PowerShell Version 3.0 or higher
(if you need to install Version 3.0+, download and install Windows Management Framework 4.0: https://www.microsoft.com/en-us/download/details.aspx?id=40855)

You need to install the modules that are required for Office 365, SharePoint Online, and Skype for Business Online:
Microsoft Online Service Sign-in Assistant for IT Professionals RTW
Windows Azure Active Directory Module for Windows PowerShell (64-bit version)

Download the Windows PowerShell module for Skype for Business Online
https://www.microsoft.com/en-us/download/details.aspx?id=39366
After installation copy the SkypeOnline and the LyncOnline module folders found in:

C:\Program Files\Common Files\Skype for Business Online\Modules

to:

C:\Windows\System32\WindowsPowerShell\v1.0\Modules

This is because when running Import-Module SkypeOnline the modules can not be found.

By copying them to the default module directory for PowerShell they can be found and load right up.

MicrosoftOnlineLogin

Set-ExecutionPolicy RemoteSigned

$credential = Get-Credential
Connect-MsolService -Credential $credential

SkypeForBusiness

Import-Module SkypeOnlineConnector
$SfBoSession = New-CsOnlineSession -Credential $credential
Import-PSSession $SfBoSession

SharePoint

Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking
Connect-SPOService -Url https://domainhost-admin.sharepoint.com -credential $credential

Exchange

$exchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://outlook.office365.com/powershell-liveid/" -Credential $credential -Authentication "Basic" -AllowRedirection
Import-PSSession $exchangeSession -DisableNameChecking

Security

$ccSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid/ -Credential $credential -Authentication Basic -AllowRedirection
Import-PSSession $ccSession -Prefix cc

Logout

Remove-PSSession $sfboSession
Remove-PSSession $exchangeSession
Remove-PSSession $ccSession
Disconnect-SPOService

There is no disconnect or remove session option for MSOL, just close the PowerShell window.

Skype Online New-CsOnlineSession - Create a shortcut for your Online Sessions

The way to connect to Skype Online according to Microsoft:

Import-Module SkypeOnlineConnector            
            
$cred = Get-Credential            
            
$CSSession = New-CsOnlineSession -Credential $cred            
            
Import-PSSession $CSSession -AllowClobber

While this works, it can be done faster:

Create a RemoteSkypeOnlineSession.ps1 file and paste the above in it and save it preferably in OneDrive.

Then on your desktop create new shortcut and point the source to the saved file in OneDrive.

Adjust the "Target" with this:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noexit -command ". 'C:\Users\YourUsername\OneDrive\PowerShell\RemotePSSession\RemoteSkypeOnlineSession.ps1'"

When the Shortcut has been edited shift right click it and select "Run as a Administrator".

Enter your credentials and the PowerShell console will load the Exchange command-lets.

When you're finished with the session don't forget to exit the session, otherwise all the Powershell session will be used and there will be none left when you try to start another session.

There are 3 sessions per Admin account, and a total of 9 sessions per tenant.

Get-Psssession | fl id,session            
            
Remove-Psssession - id id-number  

Or use:        
            
Remove-psssession -name Sessionname

Skype Online authenticating proxy - 407 Proxy Authentication Required

When trying to sign in to Skype Online from the Skype for Business (2015) Control panel sitting behind an authenticating proxy you may receive the following:

You need to setup your proxy to allow the nececsary sites to be accessed without authentication.
Going through your proxy log you can see what sites are connected to.
These are the once that where accessed at my site. 

*.online.lync.com
*.microsoftonline.com

*.microsoftonline-p.net
*.microsoftonline-p.com
*.windows.net
*.office365.com
signup.microsoft.com

Yours could be different, there are quite a lot of sites and ip addresses linked with Skype Online, Office365 and Exchange Online as you can see here:

Office-365-URLs-and-IP-address-ranges

After allowing all these sites through your proxy you should be able to login to Skype Online with your tenant ID.