Office 365 User & Group Provisioning


Office 365 customers can be managed by their hosting partners using the CSP model.

This allows for hosting partner personnel to administrate the subscription without needing any direct connection with the customer itself.

SMBBlueprint simplifies the initial provisioning of O365 users and (private) Office groups for a CSP tenant by providing a Powershell-based deployment workflow.

Starting the deployment

The cmdlet New-SMBOfficeDeployment can be used to initiate the deployment.

The deployment needs to be started with a certain set of parameters that specify both the connection info towards the target tenant (PowerShell-parameters), as well as a CSV file that contains the user and group payload to be provisioned.

Note: For the full explanation of the parameters, refer to the PowerShell documentation of the Office deployment cmdlet.


The deployment needs a valid CSV file with the following information:

Jan,Van Meirvenne,Consultant,Jan.VanMeirvenne,ICT,Inovativ,32478707741,BE,TestGroup1,ADALLOM_O365|POWER_BI_STANDARD
Jin,Van Meirvenne,Consultant,Jin.VanMeirvenne,ICT,Inovativ,32478707741,BE,TestGroup10,ADALLOM_O365|POWER_BI_STANDARD
Jon,Van Meirvenne,Consultant,Jon.VanMeirvenne,ICT,Inovativ,32478707741,BE,TestGroup10,ADALLOM_O365|POWER_BI_STANDARD

Mail Domain

Before this solution is used, a validated custom domain needs to be present in the tenant's configuration. By default, the tenant domain that is marked as default will be used as primary mail suffix. A specific domain can be chosen by providing the '-MailDomain ' parameter (in the GUI, an option to control this is available as well).

Note: While using the standard <TenantName> suffix is not blocked, the user won't be able to send/receive mails.

Default Password

A parameter 'DefaultPassword' can be passed. This sets the initial logon for ALL users in the CSV to a specific password. If the parameter is omitted, a random password is generated.

Preflight check

Before starting the provisioning, a few conditions are checked: The CSP credential must be valid The entered Tenant ID or Domain must be present in the CSP partner's directory * Note: Do not confuse the tenant-domain with the tenant's own domains. The tenant domain is the value that is shown in the CSP portal, and not the tenant's admin portal! * The licenses specified in the CSV-file must not be more that the ones available in the subscription

CSP Admin account

Not all resources can be reliably deployed by the CSP model currently. This consists of: Onedrive For Business Office 365 groups

To work around this limitation, the deployment will use the CSP credential to create an admin user within the tenant itself, and proceed to use this last one to configure the restricted resources. The password for this user is randomly generated and renewed everytime the SMbBlueprint solution is ran. This means that the CSP admin user can not be used for login without manually resetting the password. The password is not stored in any outputs.


When all checks are passed OK, the CSV information is used to commence the actual provisioning.

This happens in the following order: 1) Create the users in the tenant's Azure AD, set the password and license information If a user already exists, no action is performed 2) Connect to the Exchange interface of O365 and create the groups. Assign ownership based on the CSV-information. If a group already exists, no action is performed 3) Populate the standard memberships for the created groups 4) Bulk provision all created users' OneDrive using the Sharepoint Online Management shell


When the provisioning completes, an object is returned containing the following information: Type (the deployment-type. This will be 'Office' for deployments started with this function) Duration (the duration of the deployment) Status (Provides status-information for the deployment) * Configuration (contains several outputs of the deployment) * ProvisionedUsers (a list of all provisioned users including login-information) * ProvisionedGroups (a list of all provisioned office groups) Completed (equals 'TRUE' if the deployment is done) Error (if an exception occured during the deployment, it will be stored here) Log (the full location of the logfile for the deployment)