Create SharePoint service accounts with PowerShell

There are a few of these scripts around to create SharePoint service accounts with PowerShell but I decided to create a new one as SharePoint 2019 is coming with a bit more functionality and error handling.
A good blog about the different service accounts needed can be found at
The general recommendation in this blog is to use different service accounts for each environment which can be easily done with this script.

Using the script

The script needs the activedirectory module to function correctly.
Please install the Active Directory management tools to be able to use this module.
I recommend running this script on the domain controller or a management server with sufficient permissions.

PowerShell Gallery

The script has been uploaded to the PowerShell Gallery.
Start PowerShell as an administrator on a server/computer and run the following command:

Install-Script -Name Add-ServiceAccounts


Press Y if you want to add the default imported scripts location to the PATH environment variable.


Press Y to install and import the NuGet provider now as this is a “clean” server installation.


Press Y to install the scripts from the PSGallery and the script will be saved on the default location C:\Program Files\WindowsPowerShell\Scripts.
I always recommend first reading through the .ps1 file if you haven’t already read it at the PowerShell Gallery page.

You can now run the following command to create the service accounts:

Add-ServiceAccounts -OU "OU=Service Accounts,OU=SPFire,DC=sharepointfire,DC=com" -UPNSuffix "" -Prefix "SA_SP2019" -LogPath "C:\Install"


The service accounts have been created in the specified location


You can also verify the log file and add the passwords to your password database.


Copy / Paste

The other option is to just copy and paste the below code in PowerShell as administrator.
Please note that the below script may not be the latest version as the PowerShell Gallery script will always be more updated!
You can add additional users easier this way by simply updating the $Accounts variable with more users.

<#PSScriptInfo .VERSION 2.3 .GUID a8d133a6-dc3b-4dbf-a6f5-1ea8abcbb7bd .AUTHOR Maarten Peeters - SharePointFire - .COMPANYNAME SharePointFire .COPYRIGHT .TAGS SharePoint, Active Directory, Service Accounts .LICENSEURI .PROJECTURI .ICONURI .EXTERNALMODULEDEPENDENCIES ActiveDirectory .RELEASENOTES Version 1.0: Original published version. Version 2.0: Removed function Version 2.1: Changed Admin to Install Version 2.2: Fixed A positional parameter cannot be found that accepts argument Version 2.3: Fixed A positional parameter cannot be found that accepts argument #> 

<# .SYNOPSIS Simple Function to create needed SharePoint service accounts .DESCRIPTION Simple Function to create needed SharePoint service accounts. Each service account will receive an unique password. .PARAMETER OU Enter the full path to the OU where to add the service accounts. For example: OU=Service Accounts,OU=SPFire,DC=sharepointfire,DC=com .PARAMETER UPNSuffix Enter the UPNSuffix to be used during creation For example: .PARAMETER Prefix Specify the prefix to be used for the service accounts. For example: SA_SP2019 which will create service accounts like SA_SP2019Farm and SA_SP2019Install .PARAMETER LogPath Enter the full path to store a .csv file (; delimited) of the created service accounts with their unique password For example: C:\Install .EXAMPLE Add-ServiceAccounts.ps1 -OU "OU=Service Accounts,OU=SPFire,DC=sharepointfire,DC=com" -UPNSuffix "" -Prefix "SA_SP2019" -LogPath "C:\Install" .NOTES Version: 2.3 Author: Maarten Peeters Creation Date: 29-07-2018 Purpose/Change: Fast creation of Service Accounts #>

    [string] $OU,
    [string] $UPNSuffix,
    [string] $Prefix,
    [string] $LogPath

#Array of accounts to be created. Add names if needed as for example Visio Unattented userID
$Accounts = "Install", "Farm", "Services", "Pool", "MySitePool", "Crawl", "Sync", "C2WTS", "SU", "SR"

    #Verify if Active Directory Module is available
    if (Get-Module -ListAvailable -Name activedirectory) {
        #Import Active Directory Module
        import-module activedirectory -ErrorAction SilentlyContinue

        #Verify if the OU exists
        if(get-adorganizationalunit -Filter { DistinguishedName -eq $OU }) {

            #Test if logpath exists
            If(Test-Path $LogPath) { 
                #Loop through all accounts and create them
                foreach($Account in $Accounts){
                    $Password = ([char[]]([char]33..[char]95) + ([char[]]([char]97..[char]126)) + 0..16 | Sort-Object {Get-Random})[0..15] -join ''
                    New-ADUser -Name "$($Prefix)$($Account)" -SamAccountName "$($Prefix)$($Account)" -DisplayName "$($Prefix)$($Account)" -UserPrincipalName "$($Prefix)$($Account)@$($UPNSuffix)" -Path $OU -Enabled $true -ChangePasswordAtLogon $false -PasswordNeverExpires $true -AccountPassword (ConvertTo-SecureString $Password -AsPlainText -force) -PassThru | out-null
                    $Log += "$($Prefix)$($Account);$($Password) `n"
                $Log | out-file -FilePath "$($LogPath)\SharePointAccounts$((get-date).tostring('sshhMMddyyyy')).csv"
                Write-Host "Accounts created and log located on $($LogPath)" -foregroundcolor green
            } Else { 
                Write-Host "The path $($LogPath) could not be found. Please enter a correct path to store the passwords" -foregroundcolor yellow
        }  else  {
            Write-Host "The OU $($OU) could not be found. Please enter a correct OU to store the accounts" -foregroundcolor yellow
    } else {
        Write-Host "Active Directory module not loaded. Please install Active Directory Management Tools" -foregroundcolor yellow
    write-host "Error occurred: $($_.Exception.Message)" -foregroundcolor red


You will need to enter the parameters used for this script.


And these accounts will also be created correctly


With their unique passwords


SharePoint Online site provisioning using Microsoft Flow, Azure Functions and Azure Storage Queue

A while back I created a provider hosted app using CSOM in C# for creating project sites but this required the users to have sufficient permissions to create a site. Using Microsoft Flow, Azure Function, Azure Storage Queue, PowerShell and SharePoint Online I created a proof of concept with the latest techniques and using the AppId/AppSecret so the user doesn’t need additional permissions. This solution isn’t free as it needs an Azure Subscription but the costs are minimal. Please find references to Microsoft in the summary at the end.

This article describes the following scenario:

  1. The user creates an item in a SharePoint list.
  2. Microsoft Flow will be triggered on item creation.
  3. Microsoft Flow will add a message on the Azure Storage Queue.
  4. The Azure Function will monitor the Azure Storage Queue and create the subsite based on the values entered in the SharePoint list using PowerShell.

This article has the following chapters:

  • Create SharePoint List
  • Get and register AppId and AppSecret in SharePoint Online
  • Create Azure Storage Queue
  • Create Azure Function
  • Create PowerShell Script
  • Test Azure Storage Queue
  • Create Microsoft Flow

Create SharePoint List

First we are going to create a list in SharePoint which we are going to use for our site metadata.

Add an App

Custom List


Add the below columns:

  • SiteURL –> Single line of Text
  • SiteTemplate –> Choice
  • SiteLanguage –> Choice


The list has been created which we are going to use for our site provisioning.

Get AppId and AppSecret in SharePoint Online

It is possible to use a username and password for the Azure Function but it is also possible to use an AppId and AppSecret for impersonation.
In this scenario we are going to use an AppId and AppSecret.

Go to the site collection where you want to register the app by appending the url with “_layouts/15/appregnew.aspx”

Fill in the above information and click on create


Save the Client Id and Secret as we are going to need it for our Azure Function.
Next append /_layouts/appinv.aspx to the url

With the below Permission Request XML we allow the app access to the site collection. You can specify different levels which are explained at .

<AppPermissionRequests AllowAppOnlyPolicy=”true”>

<AppPermissionRequest Scope=”http://sharepoint/content/sitecollection” Right=”FullControl” />


and click on Create

Trust It

Create Azure Storage Queue

We are going to setup the Azure Storage Queue which will handle all our messages which have been sent using Microsoft Flow.
Please note that this can also be achieved without the Azure Storage Queue as you can directly sent the message to the Azure Function using an Azure HttpTrigger function.

First go to your Azure Dashboard

Storage accounts



Open the newly created storage account

Click on Queues

+ Queue


The Azure Storage Queue has now been created which we use within our Microsoft Flow and Azure Function.

Create Azure Function

The next thing we will build is the Azure Function. The Azure Function will be created based on PowerShell and the SharePointPnPPowerShellOnline module.
We are going to start from the Azure Dashboard.

Go to the App Services


Function App


We are going to use the existing resource group and storage which we created during the Azure Storage Account. Click on Create

Open the newly created Azure Function

New function

Enable Experimental Language Support and navigate to Queue trigger

Click on PowerShell

Enter the queue name we created earlier. And click on New

Select the Azure Storage Account

Create and navigate back to the Platform features

Go to Platform features

Open Advanced tools (Kudu)

Click on Debug Console and then on PowerShell

Navigate to Site –> wwwroot –> QueueTriggerPowerShell

Create a new folder called “modules”

We are going to upload the PowerShell DLL’s which we are going to use here as it is not possible to import-modules from within the Azure Function. You can drag and drop the files to this folder.
The files we need are by default installed in the following location: C:\Program Files\WindowsPowerShell\Modules\SharePointPnPPowerShellOnline

Copy the contents from this folder to the Azure Function.
If you are missing this folder; Install this using PowerShell on the workstation with the command: Install-Module SharePointPnPPowerShellOnline


Also copy the items from the following locations:

  • C:\Windows\assembly\GAC_MSIL\Microsoft.IdentityModel
  • C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.IdentityModel.Extensions

Go back to the function

Go to the application settings

Select 64-bit and scroll down

Add the AppId and AppSecret with the key to the application settings as we can reference to these settings from the Azure Function.
Save the modification and in the next chapter we will create the PowerShell script.

Create PowerShell Script

Go to the QueueTriggerPowerShell in the Azure Function


Add the below PowerShell code

$requestBody = Get-Content $triggerInput -Raw | ConvertFrom-Json

$ParentSiteUrl = ""

$WebTemplate = $requestBody.WebTemplate

$SiteTitle = $requestBody.SiteTitle

$SiteDescription = "Site with PowerShell"

$SiteURL = $requestBody.SiteURL

$SiteLanguage = $requestBody.SiteLanguage

$AppId = $env:AppId

$AppSecret = $env:AppSecret

connect-PnPOnline -AppId $AppId -AppSecret $AppSecret -url $ParentSiteUrl

New-PnPWeb -Title $SiteTitle -url $SiteURL -Locale $SiteLanguage -Template $WebTemplate -Description $SiteDescription

Write-Output "PowerShell script processed queue message '$requestBody'"

Click on test in the right corner

Enter the below Request body

“WebTemplate”: “STS#0”,
“SiteTitle”: “TestCreation1”,
“SiteURL”: “TestCreation1”,
“SiteLanguage”: 1033

and click on Save and run

You can verify the log for success and navigate to the created site

We now know that the PowerShell code is successful.

Test Azure Storage Queue

Go to the Azure Storage Queue to test if adding a message is being successfully processed by the Azure Function.

Add message

OK and you can verify if the Azure function picked up the message if you still have the log open

Or go to the newly created site

We confirmed the Azure Storage Queue with the Azure Function is working correctly.

Create Microsoft Flow

We can now create a Microsoft Flow that will add an message in the Azure Storage Queue which will be picked up by our Azure Function.
Go to

Create from blank

When an item is created

And add a new step

Put a message on a queue

Add a new connection if you already had one like me

The Connection Name can be anything where the Storage Account Name and Shared Storage Key can be found in Azure



Save the flow and create a new item in the previous created SharePoint List


Save and first verify the Microsoft Flow

Next verify the Azure Function Log if still open

And last verify if the site has been created


The site has been created successfully.


We have now created a working site provisioning solution based on a SharePoint list.
This solution uses multiple techniques such as Microsoft Flow, Azure Storage Queues, Azure Functions and SharePoint Online.
This is just an example of working with these techniques but you can for example do more after the site creation such as adding extra permissions and set default columns.
It is possible to do more with Microsoft Flow as for example send an email after creation or update the status during the creation

You can find more information at regarding for example an app ID and app secret with administrative rights on your tenant, Microsoft Flow and an Azure function. Costs for an Azure Function are mentioned in and queue costs at

Information about the SharePoint PnP PowerShell CmdLets can be found at and

Please let me know your use case for Azure Functions and if there are any questions.

PowerShell Office 365 Inventory tool

I’ve thought of creating a different tool after creating the PowerShell Office 365 tool a couple of days ago to improve my PowerShell coding and to make my work and that of my colleagues a little bit easier. The PowerShell Office 365 inventory tool lists a lot of information you would like to see when troubleshooting or getting information from a tenant you never connected to.

You can follow and download the PowerShell Office 365 Inventory Tool at GitHub:

This PowerShell Office 365 Inventory tool will retrieve the following information:

  • Azure Active Directory Users
  • Azure Active Directory Deleted Users
  • Azure Active Directory External Users
  • Azure Active Directory Contacts
  • Azure Active Directory Groups
  • Azure Active Directory Licenses
  • Azure Active DIrectory Domains
  • Exchange Mailboxes
  • Exchange Archives
  • Exchange Groups
  • SharePoint Sites
  • SharePoint Webs

Please note that you will need a few pre-requisites before fully able to run this tool:

Please let me know which information you would like to see added to this tool and I’ll add this is as soon as possible.


[How to] PowerShell Office 365 Inventory Tool


Run ‘Start-Office365Inventory.ps1’. You will automatically be asked to run as administrator if you ran this as a normal user.


First Connect to Office 365 by clicking on the credential logo, by pressing f4 or via the menu

Fill in your credentials and press OK


You are connecting successfully when the icons are green.

There are 2 possible actions now:

  • Navigate to a tab and run only this action
  • Press the run all button to run all available actions


Only the Azure Active Directory Licenses have been returned. You can verify which actions have been run on the home tab.


Now click on the run all actions button. You can see the progress on the Home tab.

Please note that you will need site collections permissions for the SharePoint Webs option as this uses CSOM to connect to the different webs.

You will receive the following message but it will continue looking for more webs


After all actions everything should be green


Run the action individually if you encounter an error as the exception will be shown in the below message center.

You can create a .CSV or .HTML file based on the items visible at any time in the view by clicking on the button next to the CSV Report.
The report will be saved to the report folder located in the script root.

The .CSV report will look like:

The .HTML report will look like:

It is also possible to create a .HTML file for all the available tabs in a nice format. Please note that this is still a work in progress but it will lists everything at the moment.


Error log
Some error information is displayed on the background PowerShell window as other information is only readable using the errorlog.
Please send me this information and the message in the below message box if you encounter an error.