-localization_priority: Normal

- - seo-marvel-apr2020

- - has-azure-ad-ps-ref

-description: In this article, learn how to use PowerShell for Microsoft 365 to manage your customer tenancies.

-# Manage Microsoft 365 tenants with Windows PowerShell for Delegated Access Permissions (DAP) partners

-*This article applies to both Microsoft 365 Enterprise and Office 365 Enterprise.*

-Windows PowerShell allows Syndication and Cloud Solution Provider (CSP) partners to easily administer and report on customer tenancy settings that aren't available in the Microsoft 365 admin center. Administer on Behalf Of (AOBO) permissions are required for the partner administrator account to connect to its customer tenancies.

-Delegated Access Permission (DAP) partners are Syndication and Cloud Solution Providers (CSP) Partners. They're frequently network or telecom providers to other companies. They bundle Microsoft 365 subscriptions into their service offerings to their customers. When they sell a Microsoft 365 subscription, they're automatically granted Administer On Behalf Of (AOBO) permissions to the customer tenancies so they can administer and report on the customer tenancies.

-## What do you need to know before you begin?

-The procedures in this topic require you to connect to [Connect to Microsoft 365 with PowerShell](connect-to-microsoft-365-powershell.md).

-You also need your partner tenant administrator credentials.

-## What do you want to do?

-### List all tenant IDs

-> [!NOTE]

-> If you have more than 500 tenants, scope the cmdlet syntax with either _-All_ or _-MaxResultsParameter_. This applies to other cmdlets that can give a large output, such as **Get-MsolUser**.

-To list all customer tenant Ids that you have access to, run this command.

-```powershell

-Get-MsolPartnerContract -All | Select-Object TenantId

-```

-This displays a listing of all your customer tenants by **TenantId**.

->[!Note]

->PowerShell Core does not support the Microsoft Azure Active Directory module for Windows PowerShell module and cmdlets with **Msol** in their name. To continue using these cmdlets, you must run them from Windows PowerShell.

->

-### Get a tenant ID by using the domain name

-To get the **TenantId** for a specific customer tenant by domain name, run this command. Replace _<domainname.onmicrosoft.com>_ with the actual domain name of the customer tenant that you want.

-```powershell

-Get-MsolPartnerContract -DomainName <domainname.onmicrosoft.com> | Select-Object TenantId

-```

-### List all domains for a tenant

-To get all domains for any one customer tenant, run this command. Replace _\<customer TenantId value>_ with the actual value.

-```powershell

-Get-MsolDomain -TenantId <customer TenantId value>

-```

-If you have registered additional domains, this returns all domains associated with the customer **TenantId**.

-### Get a mapping of all tenants and registered domains

-The previous PowerShell for Microsoft 365 commands showed you how to retrieve either tenant IDs or domains but not both at the same time, and with no clear mapping between them all. This command generates a listing of all your customer tenant IDs and their domains.

-```powershell

-$Tenants = Get-MsolPartnerContract -All; $Tenants | foreach {$Domains = $_.TenantId; Get-MsolDomain -TenantId $Domains | fl @{Label="TenantId";Expression={$Domains}},name}

-```

-### Get all users for a tenant

-This displays the **UserPrincipalName**, the **DisplayName**, and the **isLicensed** status for all users for a particular tenant. Replace _\<customer TenantId value>_ with the actual value.

-```powershell

-Get-MsolUser -TenantID <customer TenantId value>

-```

-### Get all details about a user

-If you want to see all the properties of a particular user, run this command. Replace _\<customer TenantId value>_ and _\<user principal name value>_ with the actual values.

-```powershell

-Get-MsolUser -TenantId <customer TenantId value> -UserPrincipalName <user principal name value>

-```

-### Add users, set options, and assign licenses

-The bulk creation, configuration, and licensing of Microsoft 365 users is particularly efficient by using PowerShell for Microsoft 365. In this two-step process, you first create entries for all the users you want to add in a comma-separated value (CSV) file and then import that file by using PowerShell for Microsoft 365.

-#### Create a CSV file

-Create a CSV file by using this format:

-`UserPrincipalName,FirstName,LastName,DisplayName,Password,TenantId,UsageLocation,LicenseAssignment`

-where:

-#### Import the CSV file and create the users

-After you have your CSV file created, run this command to create user accounts with non-expiring passwords that the user must change at first sign-in and that assigns the license you specify. Be sure to substitute the correct CSV file name.

-```powershell

-Import-Csv .\FILENAME.CSV | foreach {New-MsolUser -UserPrincipalName $_.UserPrincipalName -DisplayName $_.DisplayName -FirstName $_.FirstName -LastName $_.LastName -Password $_.Password -UsageLocation $_.UsageLocation -LicenseAssignment $_.LicenseAssignment -ForceChangePassword:$true -PasswordNeverExpires:$true -TenantId $_.TenantId}

-```

-## See also

-[Help for partners](https://go.microsoft.com/fwlink/p/?LinkId=533477)

-

-1. **[Identify your scenarios](#step-1-identify-your-scenarios)**: Which scenarios do you want to implement for your frontline workers? After you have determined which scenarios you want, use the table below to identify the required apps and services for each scenario that you want to implement.

-1. **[Configure device enrollment](#step-4-configure-device-enrollment)**: Set up shared and personal devices to work with Microsoft 365 and Microsoft Teams and to allow your frontline workers to communicate more securely within your organization.

-| [Schedule your team with Shifts](shifts-for-teams-landing-page.md) | [Microsoft Teams](#set-up-microsoft-teams) |

-Some services are only included with F3 licenses, such as email and the Power Platform. Check out [Understand frontline worker user types and licensing](flw-licensing-options.md) to determine the type of licenses you'll need for your users.

-Now that you have Microsoft 365 set up, you can start to add users, organize them into groups, and assign licenses. Before you provision frontline users, you should create new administrator accounts or review and update your existing [administrator accounts in Microsoft Entra ID](/azure/active-directory/roles/permissions-reference). [Learn more about what Microsoft Entra admin roles you might need for Microsoft 365](/microsoft-365/admin/add-users/about-admin-roles).

- - [Learn how to configure PingFederate with Microsoft Entra Connect](/azure/active-directory/hybrid/how-to-connect-install-custom#configuring-federation-with-pingfederate).

- - **Cloud-based HR systems:** Learn how to connect [SAP SuccessFactors](/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-tutorial) and [Workday](/azure/active-directory/saas-apps/workday-inbound-tutorial#planning-your-deployment) to Microsoft Entra ID.

-|User is terminated in the cloud HR app |The user account is disabled in Microsoft Entra ID, and, if applicable, Active Directory. <br>The user canΓÇÖt sign into cloud or on-premises applications and resources assigned to them. |

-Configuring groups in Azure AD allows you to create and manage policies and license assignments at scale.

-The table below includes recommendations for applying groups in frontline implementations. For more information on group types, membership types, and assignment, see the [Microsoft Entra documentation for groups and membership](/azure/active-directory/fundamentals/concept-learn-about-groups?context=%2Fazure%2Factive-directory%2Fenterprise-users%2Fcontext%2Fugr-context) and [managing groups](/azure/active-directory/fundamentals/how-to-manage-groups). For more information on security group limits and other Microsoft Entra service limits, see [Microsoft Entra service limits and restrictions](/azure/active-directory/enterprise-users/directory-service-limits-restrictions).

-|Use [My Staff](/azure/active-directory/roles/my-staff-configure) to delegate permissions to frontline managers to view employee profiles, change phone numbers, and reset passwords. |[Administrative Unit](/azure/active-directory/roles/administrative-units) |

-[Learn more about group-based licensing](/azure/active-directory/fundamentals/active-directory-licensing-whatis-azure-portal) and [assigning licenses to groups](/azure/active-directory/enterprise-users/licensing-groups-assign).

-You may need to [unassign licenses](../admin/manage/assign-licenses-to-users.md) if you're changing some users from E to F licenses. [Learn more about how to switch specific users from E to F licenses](switch-from-enterprise-to-frontline.md#switch-users-to-a-microsoft-365-f-plan).

-## Step 4: Configure device enrollment

-Registering devices in Microsoft Entra ID creates a unique identity that can be used to secure and manage devices. [Learn more about Microsoft Entra device identity](/azure/active-directory/devices/).

-### Shared device enrollment with Intune

-**Android:** Automatically enroll Android devices into shared device mode with [Microsoft Intune](/mem/intune/enrollment/android-kiosk-enroll). [Learn more about enrolling shared devices in Intune](https://techcommunity.microsoft.com/t5/intune-customer-success/enroll-android-enterprise-dedicated-devices-into-azure-ad-shared/ba-p/1820093).

-**iOS:** Not currently available.

-### BYOD device enrollment with Intune

-Use Microsoft Intune to keep your frontline workers' devices secure and protected. Learn more about how to enroll different types of BYOD devices in Intune:

-### Configuring devices for shared device mode with third-party mobile device management

-Zero-touch provisioning of shared device mode isnΓÇÖt currently supported by third-party mobile device management(MDM) solutions. However, you can [manually configure shared device mode](/azure/active-directory/develop/tutorial-v2-shared-device-mode#set-up-an-android-device-in-shared-mode) for Android and iOS devices managed in third-party MDM solutions.

-> [!NOTE]

-> While these steps register the device in Microsoft Entra ID, they don't connect Microsoft Entra ID to the MDM solution. Conditional access won't be available for these devices.

-[Learn more about configuration with VMware Workspace ONE](https://docs.vmware.com/en/VMware-Workspace-ONE-Access/21.08/ws1_access_connector_install/GUID-271C47F6-856C-40F0-97AB-A8AD95025F9C.html) and [SOTI](https://www.soti.net/mc/help/v15.0/en/console/configurations/advancedconfigurations/shareddevice/shareddevice.html).

-If you choose to manually configure devices in shared device mode, youΓÇÖll need to take more steps to re-enroll Android devices in shared device mode when third-party MDM support is available by uninstalling and reinstalling Authenticator from the device.

-To set up shared and personal devices to work with Microsoft 365 and Microsoft Teams and to allow your frontline workers to communicate more securely within your organization, see [Overview of device management for frontline workers](flw-devices.md).

-Follow the guidance in [Deploy Teams at scale for frontline workers](deploy-teams-at-scale.md).

-After provisioning users, enrolling your devices, and configuring your applications, youΓÇÖre now ready to create policies to secure your organizationΓÇÖs infrastructure resources.

-Once youΓÇÖre done setting up security policies, itΓÇÖs important for you to use a test user (non-admin) account to verify the policies work as expected, and to ensure that the end-user experience is right for your frontline workforceΓÇÖs needs. Some capabilities like multi-factor authentication and app protection policies can add additional steps to device enrollment or sign-on flows, which may not be acceptable for some frontline scenarios.

-The table below shows Teams applications commonly utilized in frontline solutions. Shifts, Approvals, and Walkie Talkie are present in the Teams mobile client out of the box. You can control which applications are available to all users in the Teams admin center.

-| [Virtual Appointments with Microsoft Teams](virtual-appointments.md) | &nbsp; | &#x2705; | &nbsp; | &nbsp; | &#x2705; | &nbsp;| &nbsp; |

-| [Schedule your team with Shifts](shifts-for-teams-landing-page.md) | &nbsp; | &nbsp; | &#x2705; | &nbsp; | &#x2705; | &#x2705; | &#x2705; |

-[Learn more about Microsoft Teams apps](/microsoftteams/deploy-apps-microsoft-teams-landing-page#core-apps).

-localization_priority: medium

-localization_priority: Normal

-localization_priority: medium

-localization_priority: Normal

-localization_priority: Normal

-localization_priority: Normal