Azure Active Directory PowerShell for Graph is a PowerShell module used to manage Azure Active Directory. Thanks to this module you can:
- Retrieve data from the directory,
- Create new objects,
- Update existing objects,
- Remove objects,
- and configure the directory.
The Azure AD PowerShell for Graph module has two versions:
- a Public preview version
- a General Availability version. (https://www.powershellgallery.com/packages/AzureAD)
It’s not recommended to use the Public Preview version for production scenarios but you use it to test the PowerShell module.
Let’s see how to install the Preview Module. Open a PowerShell console as administrator:
PS C:\WINDOWS\system32> Install-Module -Name AzureADPreview Untrusted repository You are installing the modules from an untrusted repository. If you trust this repository, change its InstallationPolicy value by running the Set-PSRepository cmdlet. Are you sure you want to install the modules from 'PSGallery'? [Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "N"): Y PS C:\WINDOWS\system32>
If you want to install the Public Module:
PS > Install-Module AzureAD
You must first connect the Connect-AzureAD cmdlet to connect to your Azure Active Directory:
PS C:\WINDOWS\system32> Connect-AzureAD -TenantId xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx Account Environment TenantId TenantDomain AccountType ------- ----------- -------- ------------ ----------- yyyyyyyyyy@yyyyyy.yyy AzureCloud xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx yourdomain.onmicrosoft.com User
Use the Get-Command cmdlet to retrieve all the AzureAD cmdlets:
PS C:\WINDOWS\system32> get-command -Module *AzureAD* CommandType Name Version Source ----------- ---- ------- ------ Cmdlet Add-AzureADAdministrativeUnitMember 2.0.1.2 AzureADPreview Cmdlet Add-AzureADApplicationOwner 2.0.1.2 AzureADPreview Cmdlet Add-AzureADApplicationPolicy 2.0.1.2 AzureADPreview Cmdlet Add-AzureADDeviceRegisteredOwner 2.0.1.2 AzureADPreview Cmdlet Add-AzureADDeviceRegisteredUser 2.0.1.2 AzureADPreview Cmdlet Add-AzureADDirectoryRoleMember 2.0.1.2 AzureADPreview Cmdlet Add-AzureADGroupMember 2.0.1.2 AzureADPreview Cmdlet Add-AzureADGroupOwner 2.0.1.2 AzureADPreview [...]
Now I can easily retrieve information about my Azure AD Domain:
PS C:\WINDOWS\system32> Get-AzureADDomain | fl * AuthenticationType : Managed AvailabilityStatus : ForceDeleteState : IsAdminManaged : True IsDefault : True IsInitial : True IsRoot : True IsVerified : True Name : yourdomain.onmicrosoft.com State : SupportedServices : {Email, OfficeCommunicationsOnline}
I can create a new Azure AD User account using the following command:
PS C:\WINDOWS\system32> $PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile PS C:\WINDOWS\system32> $PasswordProfile.Password = "YOUR_PWD" PS C:\WINDOWS\system32> New-AzureADUser -AccountEnabled $True -DisplayName "Nico Prigent" -PasswordProfile $PasswordProfile -Ma ilNickName "NicoP" -UserPrincipalName "Nico@yourdomain.onmicrosoft.com" ObjectId DisplayName UserPrincipalName UserType -------- ----------- ----------------- -------- xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx Nico Prigent Nico@yourdomain.onmicrosoft.com Member
Let’s check if the user exists:
PS C:\WINDOWS\system32> Get-AzureADUser | ? {$_.DisplayName -eq "Nico Prigent"} | fl * ExtensionProperty : {[odata.type, Microsoft.DirectoryServices.User], [ageGroup, ], [consentProvidedForMinor, ], [employeeId, ]...} DeletionTimestamp : ObjectId : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx ObjectType : User AccountEnabled : True AssignedLicenses : {} AssignedPlans : {} City : CompanyName : Country : CreationType : Department : DirSyncEnabled : DisplayName : Nico Prigent FacsimileTelephoneNumber : GivenName : IsCompromised : ImmutableId : JobTitle : LastDirSyncTime : Mail : MailNickName : NicoP Mobile : OnPremisesSecurityIdentifier : OtherMails : {} PasswordPolicies : PasswordProfile : class PasswordProfile { Password: ForceChangePasswordNextLogin: True EnforceChangePasswordPolicy: False } PhysicalDeliveryOfficeName : PostalCode : PreferredLanguage : ProvisionedPlans : {} ProvisioningErrors : {} ProxyAddresses : {} RefreshTokensValidFromDateTime : 03/24/2018 11:07:29 ShowInAddressList : SignInNames : {} SipProxyAddress : State : StreetAddress : Surname : TelephoneNumber : UsageLocation : UserPrincipalName : Nico@yourdomain.onmicrosoft.com UserType : Member
Great, the user exists, so I can now update information using the following commands:
# Retrieve user information PS C:\WINDOWS\system32> $user = Get-AzureADUser -ObjectId xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx # Let's check the content of the variable PS C:\WINDOWS\system32> $user ObjectId DisplayName UserPrincipalName UserType -------- ----------- ----------------- -------- xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx Nico Prigent Nico@yourdomain.onmicrosoft.com Member # Update the display name PS C:\WINDOWS\system32> $user.DisplayName = 'Hello Azure AD' # Check if the value is updated PS C:\WINDOWS\system32> $user ObjectId DisplayName UserPrincipalName UserType -------- ----------- ----------------- -------- xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx Hello Azure AD Nico@yourdomain.onmicrosoft.com Member # Now you can update information in Azure AD PS C:\WINDOWS\system32> Set-AzureADUser -ObjectId xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx -Displayname $user.Displayname # Let's confirm if the display name is updated PS C:\WINDOWS\system32> Get-AzureADUser | ? {$_.ObjectId -eq "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"} ObjectId DisplayName UserPrincipalName UserType -------- ----------- ----------------- -------- xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx Hello Azure AD Nico@yourdomain.onmicrosoft.com Member
That’s all. Azure AD PowerShell is very useful to manage your Azure AD Users.
Thanks for reading! You can follow me on Twitter @PrigentNico