By default, all new user accounts are allowed to use Windows Remote Management (WinRM) to access the Outlook Live organization with Windows PowerShell. However, you can prevent new and existing users from using Windows PowerShell to access your Outlook Live organization.
Here's how:
To learn how to install and configure Windows PowerShell and connect to Outlook Live, see Use Windows PowerShell.
Prevent access for a new user
Run the following command after you have connected to the Outlook Live server-side session:
New-Mailbox -Name <Name> -WindowsLiveID <Windows Live ID> -Password (ConvertTo-SecureString -String '<Password>' -AsPlainText -Force) -RemotePowerShellEnabled $false
For example, to prevent access for a new user named "Kim Akers" with the Windows Live ID kakers@contoso.edu and the password Pa$$word1, run the following command:
New-Mailbox -Name "Kim Akers" -WindowsLiveID kakers@contoso.edu -Password (ConvertTo-SecureString -String 'Pa$$word1' -AsPlainText -Force) -RemotePowerShellEnabled $false
Prevent access for an existing user
Run the following command after you have connected to the Outlook Live server-side session:
Set-User <Identity> -RemotePowerShellEnabled $false
For example, to prevent access for the user laura@contoso.edu, run the following command:
Set-User laura@contoso.edu -RemotePowerShellEnabled $false
Prevent access for many existing users
There are two ways to prevent access for a specific group of existing users:
-
Filter the users based on an existing attribute This method assumes that the target user accounts all share a unique filterable attribute. For example, the Title, Department, or one of the CustomAttribute1-15 attributes are the same for and unique to all the affected users.
-
Use a list of specific accounts After you generate the list of specific accounts, you can use that list to assign a mailbox plan.
Filter the users based on an existing attribute
Run the following command after you have connected to the Outlook Live server-side session:
Get-User -Filter <Filter> | Set-User -RemotePowerShellEnabled $false
For example, let's assume you want to prevent access for students in the primary grades and you've stored students' grade level in the Title attribute. To prevent access for all mailboxes where the Title property contains "Primary", run the following command:
Get-User -Filter {(RecipientType -eq 'UserMailbox') -and (Title -like '*primary*')} | Set-User -RemotePowerShellEnabled $false
Use a list of specific accounts
Run the following command after you have connected to the Outlook Live server-side session:
Get-Content <text file> | Set-User -RemotePowerShellEnabled $false
For example, the following procedure uses the text file C:\My Documents\NoPowerShell.txt to identify the users by their Windows Live IDs. The text file must contain one Windows Live ID on each line like this:
akol@contoso.com
tjohnston@contoso.com
kakers@contoso.com
After you populate the text file with the user accounts you want to update, run the following command:
Get-Content "C:\My Documents\NoPowerShell.txt" | Set-User -RemotePowerShellEnabled $false
To grant access to existing users who have been denied access in the past, simply use the value $true with the RemotePowerShellEnabled parameter as described in the previous examples.
To grant access to new users you create using Windows PowerShell, you don't have to use the RemotePowerShellEnabled parameter at all, because all new users are granted access automatically.
Find out who has access already
As mentioned earlier, all new users that you create are automatically granted access for your Outlook live organization, but what if your Outlook Live organization was upgraded from a previous version of Outlook Live when users weren't granted access by default? Here's how it works:
If an existing user was explicitly granted or denied access before your Outlook Live organization was upgraded, their access status before the upgrade is preserved. All other existing users are automatically granted access as part of the upgrade to the current version of Outlook Live.
To find out who has access and view all users' access status, you can use Windows PowerShell.
View the access status for a specific user
Run the following command after you have connected to the Outlook Live server-side session:
Get-User <Identity> | Format-List RemotePowerShellEnabled
For example, to determine the access status of a user named "Tamara Johnston", run the following command:
Get-User "Tamara Johnston" | Format-List RemotePowerShellEnabled
View the access status for all users
Run the following command:
Get-User -ResultSize unlimited | Format-Table Name,DisplayName,RemotePowerShellEnabled
To display only those users who don't have access, run the following command:
Get-Mailbox -ResultSize unlimited -Filter {RemotePowerShellEnabled -eq $false}
To display only those users who have access, run the following command:
Get-Mailbox -ResultSize unlimited -Filter {RemotePowerShellEnabled -eq $true}