Can I use PowerShell with Multi-Factor Authentication (MFA)?
No. The account used for administration cannot have MFA enabled. Obviously, this does not apply to other (admin or standard) users when they consume the service or the Admin Center.
Can I use PowerShell while I am not Tenant/Global Admin (aka MSOL…)?
Yes. Thanks to the admin roles, the MS Online cmdlets can be used against a restricted set of functions derived from the role's scope of responsibilities. Detailed role definition: Assigning admin roles in Office 365.
Note: At the time of writing, the MS Online documentation is still not up to date and often incorrectly states that global admin privilege is required for most actions…
Can I administer multiple tenants from the same account?
Yes (but…). While the concept of an "uber" admin does exist in the form of the Delegated Administrator, it is intended for Partners to administer customers' tenants. To enable it, the tenant must be linked to an approved Partner. Refer to this procedure for the details.
Then, the approved partner must connect to the service using his/her account and retrieve the customer tenant's unique identifier:
$TenantGUID = (Get-MsolPartnerContract -DomainName contoso.com).TenantId.Guid
In the command above, contoso.com is the DNS domain linked to the customer's tenant. As stated above, the cmdlet Get-MsolPartnerContract is only available to approved partners.
For every action, the tenant's unique identifier must be provided by means of the -TenantId parameter:
Get-MsolUser -TenantID $TenantGUID
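The two answers above (scoped admin roles and delegated administration) combine into a useful audit: listing who holds privileged roles in each customer tenant. The script below is an added example, not part of the original post; it assumes the MSOnline module is installed, that the session is already connected with Connect-MsolService using an approved partner account, and that the role names in $RoleNames are the ones you want to review.

```powershell
# Added example: review privileged role membership across all delegated tenants.
# Assumption: Connect-MsolService has already been run with a partner account.
Import-Module MSOnline

# Roles to review (adjust as needed). "Company Administrator" is the MSOnline
# role name for Tenant/Global Admin.
$RoleNames = @('Company Administrator', 'User Account Administrator')

$report = foreach ($contract in Get-MsolPartnerContract -All) {
    $tenantId = $contract.TenantId
    foreach ($roleName in $RoleNames) {
        try {
            # Every call against a customer tenant carries -TenantId.
            $role = Get-MsolRole -RoleName $roleName -TenantId $tenantId -ErrorAction Stop
            if (-not $role) { continue }
            $members = Get-MsolRoleMember -RoleObjectId $role.ObjectId `
                -TenantId $tenantId -All -ErrorAction Stop
        }
        catch {
            # Keep going if one tenant refuses the call (e.g. delegation removed).
            Write-Warning "$($contract.DefaultDomainName) / ${roleName}: $($_.Exception.Message)"
            continue
        }
        foreach ($member in $members) {
            [pscustomobject]@{
                Tenant     = $contract.DefaultDomainName
                TenantId   = $tenantId
                Role       = $roleName
                Member     = $member.DisplayName
                Email      = $member.EmailAddress
                MemberType = $member.RoleMemberType
            }
        }
    }
}

# One row per (tenant, role, member); unexpected entries deserve a closer look.
$report | Sort-Object Tenant, Role, Member | Format-Table -AutoSize
```

Pipe $report to Export-Csv instead of Format-Table to keep a dated snapshot and compare role membership between runs.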
Do I need to be Tenant/Global Admin to interact with SharePoint Online site content or Exchange Online mailbox items?
It depends. While setting up users, permissions, sites and so on does require higher privileges, interacting with SharePoint or Exchange content can be achieved with standard user permissions using the CSOM (SharePoint) or EWS (Exchange). I will cover this topic in more depth in a coming post.