I ran into an issue yesterday with the roles in Security and Compliance center. It wouldn’t give me my entire directory so I could add someone to a role. The interface would only give me 50 random accounts to choose from. When the web app or GUI in Office 365 is broken, and it often is, I’ve found that there usually is a PowerShell solution to the problem. It’s important to note that PowerShell in Office 365 is not one PowerShell, but many. Every application has its own PowerShell and accessing them all is different too, but that’s a story for another blog.
I want to give you a simple script in this blog, a solution to my problem. The two things you will get out of this are the ability to connect to the Security and Compliance center PowerShell module and the knowledge that you can add users to roles here.
Here’s a little trick: I like to store encrypted credentials in a file somewhere. It makes accessing and running scripts, especially automated ones, quicker. Here is a script that will help you achieve that. Full disclosure: make sure your accounts are purpose-built accounts, and that you do this in a secure place. You will be displaying passwords on screen, but I find this one-time act better than storing them directly within scripts. You can take out the write-host line if you don’t want the password to be displayed on the screen.
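#Get Password and Store in a file encrypted
$password = read-host -prompt "Enter your Password"
#Echoes the password to the console; remove this line to avoid displaying it
write-host "$password is password"
$secure = ConvertTo-SecureString $password -force -asPlainText
#Without -Key, the output is encrypted with Windows DPAPI for the current user on this machine
$bytes = ConvertFrom-SecureString $secure
$bytes | out-file C:\PS\dontlookhere.txt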
If I crack open the file you will notice the password is hashed and encrypted…this only shows about a quarter of it
Connect to PowerShell
#Connect to Office 365 Security and Compliance Center PS
#Get and store username and passwords to use in the get-credentials command
#Placeholder account name; replace with the purpose-built account
$username = "email@example.com"
$encrypted = get-content c:\ps\dontlookhere.txt | ConvertTo-SecureString
#Store your username and password into the $credential variable
$credential = New-object -typename System.Management.Automation.PSCredential -argumentlist ($username,$encrypted)
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid/ -Credential $Credential -Authentication Basic -AllowRedirection
#Import the remote cmdlets (such as Add-RoleGroupMember) into the local session
Import-PSSession $Session
You’ll notice that the connection URI points to the Compliance and Protection portion of Exchange. Since you are importing this session, there’s no need to install any modules in PowerShell.
Now to add users to those roles. If you open the Permissions section of the Security and Compliance center, you can view all of the available pre-created roles.
In PowerShell, the role names are joined into one word. Now we are just adding the user to the roles.
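A variant of the credential-file steps above that never echoes the password and limits who can read the file, as an added example (not the blog author's script). The function names and the account name are assumptions; the file path is the one used above.

```powershell
# Added example. Function names and the account name are assumptions.
$CredFile = 'C:\PS\dontlookhere.txt'

function Save-EncryptedPassword {
    param([Parameter(Mandatory)][string]$Path)

    # -AsSecureString masks the input, so the plain text never lands
    # in a string variable or on the console.
    $secure = Read-Host -Prompt 'Enter your Password' -AsSecureString

    # Without -Key, ConvertFrom-SecureString uses Windows DPAPI: only the
    # same user on the same machine can decrypt the result.
    $secure | ConvertFrom-SecureString | Set-Content -Path $Path -Encoding ASCII

    # Disable inheritance, discard the inherited rules, and add an
    # explicit rule for the current user.
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $acl  = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-StoredCredential {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][string]$Path
    )
    try {
        # Fails if the file is missing or was written by another user or machine.
        $secure = Get-Content -Path $Path -ErrorAction Stop |
            ConvertTo-SecureString -ErrorAction Stop
    }
    catch {
        throw "Cannot read or decrypt $Path as $env:USERNAME on $env:COMPUTERNAME. " +
              "Re-create the file under this account. $($_.Exception.Message)"
    }
    New-Object System.Management.Automation.PSCredential($UserName, $secure)
}

# Usage: run the save step once, then load in each script run.
Save-EncryptedPassword -Path $CredFile
$credential = Get-StoredCredential -UserName 'admin@example.com' -Path $CredFile   # placeholder account
```

Because the file is bound to the user and machine that created it, a scheduled task must create the file while running as its own service account.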
#Add User to role in security and compliance center
$User = "email@example.com"
Add-RoleGroupMember -Identity "SecurityAdministrator" -Member $user
Add-RoleGroupMember -Identity "ComplianceAdministrator" -Member $user
Add-RoleGroupMember -Identity "OrganizationManagement" -Member $user
This is a simple script to help you get around a Microsoft GUI bug…there seem to be so many these days that I don’t even report them, but it also accentuates the importance of getting comfortable with PowerShell. Happy Shelling!