{"id":4576,"date":"2017-01-06T12:30:12","date_gmt":"2017-01-06T17:30:12","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/azuregov\/?p=4576"},"modified":"2017-01-06T12:30:12","modified_gmt":"2017-01-06T17:30:12","slug":"managing-azure-government-directories-with-powershell","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/azuregov\/managing-azure-government-directories-with-powershell\/","title":{"rendered":"How to manage Azure Government directories with Powershell"},"content":{"rendered":"

When utilizing a new directory for your Azure Government environment, one gap commonly encountered is assigning an alternate email address to each user. This attribute is only mandatory for accounts given a Service Administrator role, thus many accounts, including Co-Administrators, do not have the attribute set.\u00a0Enabling features such as Self-Service Password Reset requires the alternate email address\u00a0to be assigned as well. The Azure Active Directory V2 PowerShell module<\/a> can be used to solve this issue. If you have used this PowerShell module for Azure Public, it is very similar with the exception of connecting your account as you need to specify the Environment Name.<\/p>\n\n\n\n
Connect-AzureAD -AzureEnvironmentName AzureUSGovernment<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

In order to set the alternate email address, you need to identify the account\u2019s Object ID. The easiest way to achieve this is running a search against the directory for the alias using the following command:<\/span><\/p>\n\n\n\n
Get-AzureADUser<\/span> <\/span>-SearchString \u201caccountName\u201d<\/span><\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

With the Object Id identified, now the alternate email can be set on the account.<\/p>\n\n\n\n
Set-AzureADUser<\/span> <\/span>-objectid<\/span> <\/span>\u201cobjectID\u201d <\/span>-OtherMails<\/span> @(<\/span>\u2018accountName@contoso.com\u2019<\/span>)<\/span><\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Many organizations use the same account name on their directory for Azure Government and their enterprise directory. If your organization follows this convention, adding an alternate email can be done for every user with a simple script that utilizes the commands above and some string manipulation.<\/p>\n

To run this script, you will need to update the $govTenant and $enterpriseTenant variables with the appropriate details. The script gets a list of 5000 user accounts and iterates through each account. It checks if there is an alternate email set. If there is no alternate email, it adds one assuming that the alias on the Azure Government tenant is valid on the enterprise tenant.<\/p>\n\n\n\n
Connect-AzureAD<\/span> <\/span>-AzureEnvironmentName<\/span> <\/span>AzureUSGovernment <\/span><\/span><\/p>\n

\u00a0<\/span><\/span><\/p>\n

$users = Get-AzureADUser -Top 5000<\/span><\/p>\n

\u00a0<\/span><\/p>\n

$govTenant = ‘@AzureGovTenant.onmicrosoft.com’<\/span><\/p>\n

$enterpriseTenant = ‘@Contoso.com’<\/span><\/p>\n

\u00a0<\/span><\/p>\n

foreach($user in $users)<\/span><\/p>\n

{<\/span><\/p>\n

\u00a0\u00a0\u00a0 $upn = $user.UserPrincipalName<\/span><\/p>\n

\u00a0<\/span><\/p>\n

\u00a0\u00a0\u00a0 if($user.OtherMails.Count -eq 0)<\/span><\/p>\n

\u00a0\u00a0\u00a0 {<\/span><\/p>\n

\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 $corpEmail =\u00a0 $upn.Replace($govTenant, $enterpriseTenant)<\/span><\/p>\n

\u00a0<\/span><\/p>\n

\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Set-AzureADUser -objectid $user.ObjectID -OtherMails @( $corpEmail )<\/span><\/p>\n

\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Write-Output “update\u00a0 $upn”<\/span><\/p>\n

\u00a0\u00a0\u00a0 }<\/span><\/p>\n

\u00a0\u00a0\u00a0 else<\/span><\/p>\n

\u00a0\u00a0\u00a0 {<\/span><\/p>\n

\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Write-Output “no update $upn”<\/span><\/p>\n

\u00a0\u00a0\u00a0 }<\/span><\/p>\n

}<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

References:<\/strong><\/p>\n

Managing and connecting to your subscription in Azure Government<\/a><\/p>\n

Azure Active Directory V2 PowerShell module<\/a><\/p>\n

We welcome your comments and suggestions to help us continually\u00a0improve your Azure Government experience. To stay up to date on all things Azure Government, be sure to subscribe to our RSS feed<\/span><\/a> and to receive emails, click \u201cSubscribe by Email!\u201d on the Azure Government Blog<\/span><\/a>. To experience the power of Azure Government for your organization, sign up for an Azure Government Trial<\/span><\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"

When utilizing a new directory for your Azure Government environment, one gap commonly encountered is assigning an alternate email address to each user. This attribute is only mandatory for accounts given a Service Administrator role, thus many accounts, including Co-Administrators, do not have the attribute set.\u00a0Enabling features such as Self-Service Password Reset requires the alternate […]<\/p>\n","protected":false},"author":1777,"featured_media":4685,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1,21,25],"tags":[75,76,95,252,462],"class_list":["post-4576","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-azuregov","category-onboarding","category-portalpreview","tag-azure","tag-azure-active-directory","tag-azure-government","tag-directory","tag-powershell"],"acf":[],"blog_post_summary":"

When utilizing a new directory for your Azure Government environment, one gap commonly encountered is assigning an alternate email address to each user. This attribute is only mandatory for accounts given a Service Administrator role, thus many accounts, including Co-Administrators, do not have the attribute set.\u00a0Enabling features such as Self-Service Password Reset requires the alternate […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/posts\/4576","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/users\/1777"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/comments?post=4576"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/posts\/4576\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/media?parent=4576"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/categories?post=4576"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/tags?post=4576"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}