Control Users' Access to Windows Remote Management

By default, all new user accounts are allowed to use Windows Remote Management (WinRM) to access the Outlook Live organization with Windows PowerShell. However, you can prevent new and existing users from using Windows PowerShell to access your Outlook Live organization.

Here's how:

Before you begin

To learn how to install and configure Windows PowerShell and connect to Outlook Live, see Use Windows PowerShell.

Prevent access for a new user

Run the following command after you have connected to the Outlook Live server-side session:

New-Mailbox -Name <Name> -WindowsLiveID <Windows Live ID> -Password (ConvertTo-SecureString -String '<Password>' -AsPlainText -Force) -RemotePowerShellEnabled $false

For example, to prevent access for a new user named "Kim Akers" with the Windows Live ID kakers@contoso.edu and the password Pa$$word1, run the following command:

New-Mailbox -Name "Kim Akers" -WindowsLiveID kakers@contoso.edu -Password (ConvertTo-SecureString -String 'Pa$$word1' -AsPlainText -Force) -RemotePowerShellEnabled $false
Prevent access for an existing user

Run the following command after you have connected to the Outlook Live server-side session:

Set-User <Identity> -RemotePowerShellEnabled $false

For example, to prevent access for the user laura@contoso.edu, run the following command:

Set-User laura@contoso.edu -RemotePowerShellEnabled $false
Prevent access for many existing users

There are two ways to prevent access for a specific group of existing users:

  • Filter the users based on an existing attribute   This method assumes that the target user accounts all share a unique filterable attribute. For example, the Title, Department, or one of the CustomAttribute1-15 attributes are the same for and unique to all the affected users.
  • Use a list of specific accounts   After you generate the list of specific accounts, you can use that list to assign a mailbox plan.
Filter the users based on an existing attribute

Run the following command after you have connected to the Outlook Live server-side session:

Get-User -Filter <Filter> | Set-User -RemotePowerShellEnabled $false

For example, let's assume you want to prevent access for students in the primary grades and you've stored students' grade level in the Title attribute. To prevent access for all mailboxes where the Title property contains "Primary", run the following command:

Get-User -Filter {(RecipientType -eq 'UserMailbox') -and (Title -like '*primary*')} | Set-User -RemotePowerShellEnabled $false
Use a list of specific accounts

Run the following command after you have connected to the Outlook Live server-side session:

Get-Content <text file> | Set-User -RemotePowerShellEnabled $false

For example, the following procedure uses the text file C:\My Documents\NoPowerShell.txt to identify the users by their Windows Live IDs. The text file must contain one Windows Live ID on each line like this:

akol@contoso.com
tjohnston@contoso.com
kakers@contoso.com

After you populate the text file with the user accounts you want to update, run the following command:

Get-Content "C:\My Documents\NoPowerShell.txt" | Set-User -RemotePowerShellEnabled $false
Grant access

To grant access to existing users who have been denied access in the past, simply use the value $true with the RemotePowerShellEnabled parameter as described in the previous examples.

To grant access to new users you create using Windows PowerShell, you don't have to use the RemotePowerShellEnabled parameter at all, because all new users are granted access automatically.

Find out who has access already

As mentioned earlier, all new users that you create are automatically granted access for your Outlook live organization, but what if your Outlook Live organization was upgraded from a previous version of Outlook Live when users weren't granted access by default? Here's how it works:

If an existing user was explicitly granted or denied access before your Outlook Live organization was upgraded, their access status before the upgrade is preserved. All other existing users are automatically granted access as part of the upgrade to the current version of Outlook Live.

To find out who has access and view all users' access status, you can use Windows PowerShell.

View the access status for a specific user

Run the following command after you have connected to the Outlook Live server-side session:

Get-User <Identity> | Format-List RemotePowerShellEnabled

For example, to determine the access status of a user named "Tamara Johnston", run the following command:

Get-User "Tamara Johnston" | Format-List RemotePowerShellEnabled
View the access status for all users

Run the following command:

Get-User -ResultSize unlimited | Format-Table Name,DisplayName,RemotePowerShellEnabled

To display only those users who don't have access, run the following command:

Get-Mailbox -ResultSize unlimited -Filter {RemotePowerShellEnabled -eq $false}

To display only those users who have access, run the following command:

Get-Mailbox -ResultSize unlimited -Filter {RemotePowerShellEnabled -eq $true}
Page view tracker