To search out users in Azure AD with the Get-MsolUser command, you have basically two options:
- Extract all users and search the result set
- Use the SearchString parameter to limit the result set server(cloud)-side
If you were to perform on-premises AD searches, I would always recommend using an LDAP filter to limit the result set and improve performance.
But with the Get-MsolUser SearchString approach, I’m not too sure:
The Get-MsolUser SearchString command is very limited in functionality.
From testing, it seems that Get-MsolUser -SearchString performs a ‘search string + wildcard’ search in the DisplayName, FirstName, and LastName attributes.
The documentation from Microsoft is very vague (if not to say outright wrong) on this.
Let’s look at the following example:
PS C:\> Get-MsolUser -UserPrincipalName lene.hau@azure.skrubbeltrang.com | fl FirstName,LastName,DisplayName

FirstName   : Lene
LastName    : Hau
DisplayName : Awesome Scientist
The following are some different queries using the SearchString parameter to illustrate my point:
PS C:\> Get-MsolUser -SearchString Len

UserPrincipalName                DisplayName       isLicensed
-----------------                -----------       ----------
lene.hau@azure.skrubbeltrang.com Awesome Scientist True

PS C:\> Get-MsolUser -SearchString ene
PS C:\> Get-MsolUser -SearchString Hau

UserPrincipalName                DisplayName       isLicensed
-----------------                -----------       ----------
lene.hau@azure.skrubbeltrang.com Awesome Scientist True

PS C:\> Get-MsolUser -SearchString Awe

UserPrincipalName                DisplayName       isLicensed
-----------------                -----------       ----------
lene.hau@azure.skrubbeltrang.com Awesome Scientist True

PS C:\> Get-MsolUser -SearchString Scien
PS C:\>
There may be other attributes being searched that I haven’t identified.
But more or less you can think like this:
(FirstName StartsWith [string]) OR (LastName StartsWith [string]) OR (DisplayName StartsWith [string])
This way of searching may be useful to quickly identify if a given user exists in Azure AD.
But as part of a greater search scheme it’s pretty much useless.
The best alternative (alas slow-performing in large enterprise environments) is to fetch everything and search it locally:
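# -All is needed to fetch everything: without it, Get-MsolUser returns at most 500 users by default
Get-MsolUser -All | ? {$_.Country -eq 'Denmark' -and $_.DisplayName -Like '*Scientist*'}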
As seen above, you can search any attribute and look inside string attributes:
PS C:\> Get-MsolUser | ? {$_.Country -eq 'Denmark' -and $_.DisplayName -Like '*Scientist*'}

UserPrincipalName                DisplayName       isLicensed
-----------------                -----------       ----------
lene.hau@azure.skrubbeltrang.com Awesome Scientist True
… just to illustrate two things that can’t be done with the SearchString parameter.
I’m sure the uselessness of the SearchString parameter takes a lot of heat away from the Microsoft cloud infrastructure.
Searches are better off being done locally after retrieving the lot… 😕
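The difference between the two approaches can be reproduced offline. The following is an added example, not code from the original post: it models the SearchString behaviour observed in the tests above (a prefix match on FirstName, LastName and DisplayName) and compares it with a local substring search. The helper names Test-SearchStringMatch and Find-UserLocal and the second sample user are assumptions made for illustration, and the model reflects the observed results, not a documented Microsoft implementation.

```powershell
# Constructed sample objects standing in for Get-MsolUser output.
# The first row uses the values shown in the post; the second is invented.
$users = @(
    [pscustomobject]@{ UserPrincipalName = 'lene.hau@azure.skrubbeltrang.com'
                       FirstName = 'Lene'; LastName = 'Hau'
                       DisplayName = 'Awesome Scientist'; Country = 'Denmark' }
    [pscustomobject]@{ UserPrincipalName = 'helene.berg@example.com'
                       FirstName = 'Helene'; LastName = 'Berg'
                       DisplayName = 'Helene Berg'; Country = 'Denmark' }
)

# Hypothetical helper: the observed -SearchString semantics, i.e.
# FirstName, LastName or DisplayName starts with the search string.
function Test-SearchStringMatch {
    param([Parameter(Mandatory)] $User,
          [Parameter(Mandatory)] [string] $SearchString)
    $pattern = [System.Management.Automation.WildcardPattern]::Escape($SearchString) + '*'
    foreach ($attr in 'FirstName', 'LastName', 'DisplayName') {
        if ($User.$attr -like $pattern) { return $true }
    }
    return $false
}

# Hypothetical helper: local substring search over any chosen attributes.
function Find-UserLocal {
    param([Parameter(Mandatory)] [object[]] $Users,
          [Parameter(Mandatory)] [string] $Contains,
          [string[]] $Attribute = @('FirstName', 'LastName', 'DisplayName'))
    $pattern = '*' + [System.Management.Automation.WildcardPattern]::Escape($Contains) + '*'
    $Users | Where-Object {
        $u = $_
        @($Attribute | Where-Object { $u.$_ -like $pattern }).Count -gt 0
    }
}

# The same search terms as in the post, run through both approaches.
$rows = foreach ($term in 'Len', 'ene', 'Hau', 'Awe', 'Scien') {
    $prefix = @($users | Where-Object { Test-SearchStringMatch -User $_ -SearchString $term })
    $local  = @(Find-UserLocal -Users $users -Contains $term)
    [pscustomobject]@{
        Term          = $term
        PrefixModel   = $prefix.UserPrincipalName -join ', '
        LocalContains = $local.UserPrincipalName -join ', '
    }
}
$rows | Format-Table -AutoSize
```

An empty PrefixModel column next to a populated LocalContains column marks a term for which a SearchString lookup would report no user even though a matching account exists, which matters when the search is used to confirm that an account is absent. Against a tenant, replace $users with the output of Get-MsolUser -All.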
How to Quickly Search and Edit Hybrid Office 365 Users
One way to make your admin life a lot easier is by using Easy365Manager.
Easy365Manager is a snap-in for AD Users & Computers that exposes the Office 365 mailbox and license configuration.
You can easily search out any user account in AD Users & Computers and fix your Office 365 settings (yes, you don’t even need to open any web consoles or use PowerShell).
Consider how easily you can delegate calendar access directly from user properties in AD Users & Computers:
(without Easy365Manager, calendar delegation requires some nasty PowerShell’ing, with one command to add permissions, another command to modify permissions, and a third command to get the folder name of the mailbox calendar 😖)
You can download and install Easy365Manager in a couple of minutes, and you will immediately start saving time by using the intuitive graphical user interface: