Get-MsolUser SearchString Filtering

Get-MsolUser SearchString

To search for users in Azure AD with the Get-MsolUser cmdlet, you basically have two options:

  • Extract all users and search the result set
  • Use the SearchString parameter to limit the result set server-side (in the cloud)

If you were to perform on-premises AD searches, I would always recommend using an LDAP filter to limit the result set and improve performance.

But with the Get-MsolUser SearchString approach, I’m not too sure:

The Get-MsolUser SearchString command is very limited in functionality.

From testing, it seems that Get-MsolUser -SearchString performs a ‘search string + wildcard’ search in the DisplayName, FirstName, and LastName attributes.

The documentation from Microsoft is very vague (not to say outright wrong) on this.

Let’s look at the following example:

PS C:\> Get-MsolUser -UserPrincipalName lene.hau@azure.skrubbeltrang.com | fl FirstName,LastName,DisplayName

FirstName   : Lene
LastName    : Hau
DisplayName : Awesome Scientist

The following are some different queries using the SearchString parameter to illustrate my point:

PS C:\> Get-MsolUser -SearchString Len

UserPrincipalName                DisplayName       isLicensed
-----------------                -----------       ----------
lene.hau@azure.skrubbeltrang.com Awesome Scientist True

PS C:\> Get-MsolUser -SearchString ene
PS C:\> Get-MsolUser -SearchString Hau

UserPrincipalName                DisplayName       isLicensed
-----------------                -----------       ----------
lene.hau@azure.skrubbeltrang.com Awesome Scientist True

PS C:\> Get-MsolUser -SearchString Awe

UserPrincipalName                DisplayName       isLicensed
-----------------                -----------       ----------
lene.hau@azure.skrubbeltrang.com Awesome Scientist True

PS C:\> Get-MsolUser -SearchString Scien
PS C:\>

There may be other attributes being searched that I haven’t identified.

But more or less you can think like this:

(FirstName StartsWith [string]) OR (LastName StartsWith [string]) OR (DisplayName StartsWith [string])

This way of searching may be useful to quickly identify if a given user exists in Azure AD.

But as part of a greater search scheme it’s pretty much useless.

The best alternative (alas slow-performing in large enterprise environments) is to fetch everything and search it locally:

Get-MsolUser -All | ? {$_.Country -eq 'Denmark' -and $_.DisplayName -Like '*Scientist*'}

As seen above, you can search any attribute and look inside string attributes:

PS C:\> Get-MsolUser | ? {$_.Country -eq 'Denmark' -and $_.DisplayName -Like '*Scientist*'}

UserPrincipalName                DisplayName       isLicensed
-----------------                -----------       ----------
lene.hau@azure.skrubbeltrang.com Awesome Scientist True

… just to illustrate two things that can’t be done with the SearchString parameter.

I’m sure the uselessness of the SearchString parameter takes a lot of heat away from the Microsoft cloud infrastructure.

Searches are better off being done locally after retrieving the lot… 😕
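
The prefix rule inferred above, set beside a local substring filter, as an added example that is not from the original post or from Microsoft. The helper name Select-BySearchStringModel, the second user, and case-insensitive matching are assumptions; the user objects are constructed so the script runs without a tenant connection.

```powershell
# Constructed sample data: the first object mirrors the user shown in the post,
# the second is invented to show substring-but-not-prefix cases.
$users = @(
    [pscustomobject]@{
        UserPrincipalName = 'lene.hau@azure.skrubbeltrang.com'
        FirstName = 'Lene'; LastName = 'Hau'
        DisplayName = 'Awesome Scientist'; Country = 'Denmark'
    }
    [pscustomobject]@{
        UserPrincipalName = 'helene.schau@example.com'   # constructed
        FirstName = 'Helene'; LastName = 'Schau'
        DisplayName = 'Lab Technician'; Country = 'Denmark'
    }
)

function Select-BySearchStringModel {
    # Hypothetical helper: models the rule inferred in the post
    # (prefix match on FirstName, LastName or DisplayName).
    # Case-insensitive comparison is an assumption, not tested in the post.
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [Parameter(Mandatory)] [string] $SearchString
    )
    process {
        foreach ($attr in 'FirstName', 'LastName', 'DisplayName') {
            $value = [string]$User.$attr
            if ($value.StartsWith($SearchString, [System.StringComparison]::OrdinalIgnoreCase)) {
                $User    # emit the user once, on the first matching attribute
                break
            }
        }
    }
}

# Run the five queries from the post through both approaches.
foreach ($q in 'Len', 'ene', 'Hau', 'Awe', 'Scien') {
    $prefixHits = @($users | Select-BySearchStringModel -SearchString $q)
    $localHits  = @($users | Where-Object {
        $_.FirstName -like "*$q*" -or $_.LastName -like "*$q*" -or $_.DisplayName -like "*$q*"
    })
    [pscustomobject]@{
        Query      = $q
        PrefixRule = $prefixHits.UserPrincipalName -join ', '
        Substring  = $localHits.UserPrincipalName -join ', '
    }
}
```

An empty PrefixRule column next to a populated Substring column marks a query where a SearchString-style lookup would miss an account that a local filter finds.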

How to Quickly Search and Edit Hybrid Office 365 Users

One way to make your admin life a lot easier is by using Easy365Manager.

Easy365Manager is a snap-in for AD Users & Computers that exposes the Office 365 mailbox and license configuration.

You can easily search out any user account in AD Users & Computers and fix your Office 365 settings (yes, you don’t even need to open any web consoles or use PowerShell).

Consider how easily you can delegate calendar access directly from user properties in AD Users & Computers:

(without Easy365Manager, calendar delegation requires some nasty PowerShell’ing, with one command to add permissions, another command to modify permissions, and a third command to get the folder name of the mailbox calendar 😖)

You can download and install Easy365Manager in a couple of minutes, and you will immediately start saving time by using the intuitive graphical user interface: