
The Best Connect To Azure AD Powershell Reviewed (2023)

In this post, we review how to use Azure AD PowerShell to administer Microsoft 365.

PowerShell (also known as Windows PowerShell) is a command-line environment that’s designed specifically for system administration. PowerShell helps IT professionals and power users control and automate the administration of the Windows operating system and applications, such as Microsoft 365.

The most basic part of PowerShell is called a cmdlet (pronounced command-let). Cmdlets let you do things in the Microsoft 365 PowerShell environment such as adding users to your Microsoft 365 organization, managing Microsoft 365 license assignments and finding out which mailboxes are inactive.

Connecting to Azure AD with PowerShell lets you manage Microsoft 365 from a single point of administration, using automated and scripted actions that streamline your daily work.

Benefits of the AAD PowerShell Module

  • Windows PowerShell Can Reveal “Hidden” Information Not Available in the Admin Center
  • Microsoft 365 has Features That You Can Only Configure by Using Windows PowerShell
  • Windows PowerShell Excels at Carrying Out Bulk Operations
  • Windows PowerShell is Great at Filtering Data
  • Windows PowerShell Makes It Easy to Print or Save Data
  • Windows PowerShell Lets You Do “Cross-Product” Management

Before you can run any of the cmdlets discussed in this article, you must install the Azure module.

The Azure Module is supported on the following Windows operating systems with the default version of Microsoft .NET Framework and Windows PowerShell: Windows 8.1, Windows 8, Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2.

The easiest way to install the module is from the PowerShell Gallery. You can install the module with the Install-Module cmdlet:

Install-Module MSOnline

The Connect-MsolService cmdlet attempts to initiate a connection to Azure Active Directory. You must specify a credential, as a PSCredential object, or specify the CurrentCredentials parameter to use the credentials of the current user.

This cmdlet may return a warning or error if the version of the module is out of date.
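The install, version check and connection steps above, as an added example that is not from the original post. It prompts for the credential with Get-Credential so no password is stored in the script, and verifies the session by reading tenant information.

```powershell
# Added example (not from the original post): install the MSOnline module if it is
# missing, report its version, connect with an interactively supplied credential and
# confirm the connection works.
if (-not (Get-Module -ListAvailable -Name MSOnline)) {
    Install-Module -Name MSOnline -Scope CurrentUser
}
Import-Module MSOnline
$version = (Get-Module -Name MSOnline).Version
Write-Host "MSOnline module version: $version"

# Prompt for the credential instead of hard-coding it. For accounts protected by
# MFA, call Connect-MsolService with no -Credential to get the interactive sign-in.
$cred = Get-Credential -Message 'Enter an Azure AD administrator account'
Connect-MsolService -Credential $cred

# A failed or expired connection throws here, so this doubles as a session check.
$company = Get-MsolCompanyInformation
Write-Host "Connected to tenant: $($company.DisplayName)"
```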


Now we can start managing Azure AD.

Connect to Azure AD PowerShell – Get user details

To get a user:

Get-MsolUser -UserPrincipalName "User UPN"

If you are not sure of a user's UPN but know the display name, use the SearchString parameter.

Get-MsolUser -SearchString "Test"

SearchString matches the start of the UPN or the display name, so a partial value is enough to find the user.

To get users by job title:

Get-MsolUser -Title "Manager"

To get users by department:

Get-MsolUser -Department "IT"

To view a list of users in your organization:

Get-MsolUser

Without further parameters, Get-MsolUser returns a maximum of 1000 users.

To view all users:

Get-MsolUser -All

Export user details

We have seen how to view user details. To export the results into a CSV file instead, pipe them to Export-Csv.

To export 1000 users:

Get-MsolUser | Export-Csv “C:\msolusers.csv” -NoTypeInformation

Note: You will get a warning message if your organization has more than 1000 users, because the command above stops at the first 1000.

So, add the -All parameter to export everyone in your organization.

Note: You may also use the -MaxResults parameter if you want to export only a specific number of users, for example 25,000. I would recommend going with -All to avoid any confusion.

Get-MsolUser -MaxResults 25000
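The full-tenant export described above, as an added example that is not from the original post. It wraps the -All export in a function, selects a few properties that are useful for an account review, and returns the count so a script can check that nothing was truncated. The output path is an assumption.

```powershell
# Added example (not from the original post): export every user, not only the
# first 1000, with a small set of properties useful for an account review.
function Export-AllMsolUsers {
    param(
        [Parameter(Mandatory)] [string] $Path   # assumed output path
    )
    # -All removes the 1000-result cap; without it the cmdlet stops at 1000 users
    # and only prints a warning.
    $users = Get-MsolUser -All |
        Select-Object DisplayName, UserPrincipalName, IsLicensed, BlockCredential,
                      LastPasswordChangeTimestamp, LastDirSyncTime, WhenCreated

    $users | Export-Csv -Path $Path -NoTypeInformation -Encoding UTF8
    Write-Host ("Exported {0} users to {1}" -f $users.Count, $Path)
    return $users.Count
}

$exported = Export-AllMsolUsers -Path 'C:\msolusers-all.csv'
# Sanity check against the tenant's own count of licensed and unlicensed users
if ($exported -lt (Get-MsolUser -All | Measure-Object).Count) {
    Write-Warning 'Export appears incomplete; re-run and check for errors.'
}
```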

How to find errors on a user account?

To retrieve errors on a user object:

(Get-MsolUser -UserPrincipalName "User UPN").Errors[0].ErrorDetail.ObjectErrors.ErrorRecord.ErrorDescription

To retrieve all errors for all users on Azure:

Get-MsolUser -HasErrorsOnly | Format-Table DisplayName, UserPrincipalName, @{Name="Error"; Expression={ $_.Errors[0].ErrorDetail.ObjectErrors.ErrorRecord.ErrorDescription }} -AutoSize -Wrap

How to change a user UPN?

A User Principal Name (UPN) is made up of two parts, the prefix (user account name) and the suffix (DNS domain name).

For example:

In this case, the prefix is "user1" and the suffix is "".

You can also change a user's UPN in Azure AD by changing their username.

Set-MsolUserPrincipalName -UserPrincipalName "" -NewUserPrincipalName ""

Get Microsoft 365 plan details

To get Microsoft 365 plan (Account SKU) details, including how many licenses are purchased and consumed:

Get-MsolAccountSku
Get group details

To retrieve groups from the Microsoft 365 services:

Get-MsolGroup

To retrieve group members, where $Group holds a group returned by Get-MsolGroup:

Get-MsolGroupMember -GroupObjectId $Group.ObjectId

Get details of Administrative roles

To retrieve a list of administrator roles:

Get-MsolRole

To retrieve all members of a role, where $role holds a role returned by Get-MsolRole:

Get-MsolRoleMember -RoleObjectId $role.ObjectId
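The two role cmdlets above combined into a privileged-access inventory, as an added example that is not from the original post. It walks every role, collects the members as objects, and highlights the Global Administrator role (named "Company Administrator" in MSOnline). The CSV path is an assumption.

```powershell
# Added example (not from the original post): enumerate every directory role and its
# members so privileged access can be reviewed and exported.
function Get-MsolRoleInventory {
    foreach ($role in Get-MsolRole) {
        # -All avoids the default result cap on large roles
        $members = Get-MsolRoleMember -RoleObjectId $role.ObjectId -All
        foreach ($m in $members) {
            [pscustomobject]@{
                Role         = $role.Name
                DisplayName  = $m.DisplayName
                EmailAddress = $m.EmailAddress
                MemberType   = $m.RoleMemberType   # User or ServicePrincipal
                IsLicensed   = $m.IsLicensed
            }
        }
    }
}

$inventory = Get-MsolRoleInventory

# Roles ranked by member count; large privileged roles are the first to scrutinise
$inventory | Group-Object Role | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize

# Global Administrators specifically ("Company Administrator" is the MSOnline role name)
$inventory | Where-Object Role -eq 'Company Administrator' |
    Format-Table DisplayName, EmailAddress, MemberType -AutoSize

$inventory | Export-Csv 'C:\role-inventory.csv' -NoTypeInformation   # assumed path
```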

Remove and restore a user

To remove a user:

Remove-MsolUser -UserPrincipalName "User UPN" -Force

This command removes a user from Azure Active Directory. If the user has any licenses, the cmdlet removes these.

Remove-MsolUser -UserPrincipalName "User UPN" -RemoveFromRecycleBin

This command removes a user from the Azure Active Directory recycle bin. The command prompts you to confirm the operation. This command permanently removes the user. When this operation has been completed, you will not be able to recover the user by using the Restore-MsolUser cmdlet.

Find deleted users:

Get-MsolUser -ReturnDeletedUsers

To find a specific user from deleted users list:

Get-MsolUser -UserPrincipalName "User UPN" -ReturnDeletedUsers

To restore a user:

Restore-MsolUser -UserPrincipalName "User UPN"

How to manage groups?

To add a new group to the Azure AD:

New-MsolGroup -DisplayName "Marketing" -Description "Marketing"

To add members (the new members can be either users or other security groups), where $Group and $User hold objects returned by Get-MsolGroup and Get-MsolUser:

Add-MsolGroupMember -GroupObjectId $Group.ObjectId -GroupMemberType "User" -GroupMemberObjectId $User.ObjectId

To remove a member from a group:

Remove-MsolGroupMember -GroupObjectId $Group.ObjectId -GroupMemberType "User" -GroupMemberObjectId $User.ObjectId

To delete a group:

Remove-MsolGroup -ObjectId "Group ObjectId" -Force

To check a group's member count:

(Get-MsolGroupMember -All -GroupObjectId 7a87e16a-dfa7-4f98-81e4-2cf95ebce03b).Count

Export members of a specific group into a csv file:

Get-MsolGroupMember -All -GroupObjectId 36c8a37b-1ce6-4973-b062-fe7804bb8b54 | Export-Csv C:\members.csv -NoTypeInformation
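A membership review built from the group cmdlets above, as an added example that is not from the original post. It exports the members of every group in one CSV and reports the groups that contain nested groups, which is where effective membership is easy to lose track of. The output path is an assumption.

```powershell
# Added example (not from the original post): export the membership of every group
# and flag groups that contain other groups as members.
function Get-MsolGroupMembership {
    foreach ($group in Get-MsolGroup -All) {
        $members = Get-MsolGroupMember -All -GroupObjectId $group.ObjectId
        foreach ($m in $members) {
            [pscustomobject]@{
                Group        = $group.DisplayName
                GroupId      = $group.ObjectId
                GroupType    = $group.GroupType
                MemberName   = $m.DisplayName
                MemberEmail  = $m.EmailAddress
                MemberType   = $m.GroupMemberType   # User or Group
            }
        }
    }
}

$membership = Get-MsolGroupMembership
$membership | Export-Csv 'C:\group-membership.csv' -NoTypeInformation   # assumed path

# Nested groups: review these so that indirect members are not overlooked
$membership | Where-Object MemberType -eq 'Group' |
    Select-Object Group, MemberName | Sort-Object Group | Format-Table -AutoSize
```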

How to identify Azure AD Connect status in Microsoft 365?

If you have integrated your on-premises Active Directory Domain Services (ADDS) with Azure Active Directory (Azure AD) by synchronizing your on-premises environment with Microsoft 365, you can also check the status of your synchronization using the following command.

Get-MsolCompanyInformation | Format-List LastD*

How to check the last dirsync time of a single user?

The following command shows when a user account was last synchronized to Microsoft 365.

Get-MsolUser -UserPrincipalName "User UPN" | Format-List LastD*
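The tenant and per-user sync checks above turned into a health check, as an added example that is not from the original post. It warns when the tenant's last sync is older than a threshold and reports whether a given account is mastered on-premises. The 3-hour threshold and the sample UPN are assumptions; the property names are those returned by Get-MsolCompanyInformation and Get-MsolUser.

```powershell
# Added example (not from the original post): tenant-level sync health plus the
# sync state of one account.
function Test-MsolDirSyncHealth {
    param([int] $MaxAgeHours = 3)   # assumed threshold
    $info = Get-MsolCompanyInformation
    if (-not $info.DirectorySynchronizationEnabled) {
        Write-Warning 'Directory synchronization is not enabled for this tenant.'
        return $null
    }
    # LastDirSyncTime is a UTC timestamp, so compare against UTC now
    $age = (Get-Date).ToUniversalTime() - $info.LastDirSyncTime
    if ($age.TotalHours -gt $MaxAgeHours) {
        Write-Warning ("Last directory sync was {0:N1} hours ago; check Azure AD Connect." -f $age.TotalHours)
    }
    [pscustomobject]@{
        SyncEnabled          = $info.DirectorySynchronizationEnabled
        LastDirSyncTime      = $info.LastDirSyncTime
        HoursSinceLastSync   = [math]::Round($age.TotalHours, 1)
        PasswordSyncEnabled  = $info.PasswordSynchronizationEnabled
        LastPasswordSyncTime = $info.LastPasswordSyncTime
    }
}

function Get-MsolUserSyncState {
    param([Parameter(Mandatory)][string] $UserPrincipalName)
    $u = Get-MsolUser -UserPrincipalName $UserPrincipalName
    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        # Only accounts mastered in on-premises AD carry an ImmutableId
        SyncedFromOnPrem  = [bool]$u.ImmutableId
        LastDirSyncTime   = $u.LastDirSyncTime
        ImmutableId       = $u.ImmutableId
    }
}

Test-MsolDirSyncHealth | Format-List
Get-MsolUserSyncState -UserPrincipalName 'user@example.com' | Format-List   # assumed UPN
```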

Export licensed users

Get-MsolUser -All | Where-Object { $_.IsLicensed -eq $true } | Select-Object DisplayName, UserPrincipalName, IsLicensed | Export-Csv C:\Users.csv -NoTypeInformation

Export unlicensed users

Get-MsolUser -All -UnlicensedUsersOnly | Export-Csv C:\non-licensed_users.csv -NoTypeInformation


Directory synchronization uses a unique ID, called the "ImmutableID", to match the AD and Microsoft 365 accounts. It is based on the AD account's ObjectGUID. If a user's old AD account was replaced by a new one, the new account has a different ObjectGUID, so the AD and Microsoft 365 accounts no longer have a matching "ImmutableID".

We are going to find the ObjectGUID of the new AD account and use PowerShell to change the "ImmutableID" on the Microsoft 365 account so that it matches the new AD account's ObjectGUID.

  • On a domain controller, or a computer with the Remote Server Administration Tools, open ADSI Edit or the Active Directory Administrative Center.
  • Find and open the properties of the user.
  • On the "Attribute Editor" tab, find and copy the distinguishedName.
  • Run the following command in the Exchange on-premises PowerShell, replacing the DN with the one copied in the previous step.

ldifde -d "CN=Someone,OU=Users,DC=someplace,DC=com" -f c:\user.txt

  • Open the text file you created and copy the user's ObjectGUID.

Checking the current ImmutableId in Azure AD:

Get-MsolUser -UserPrincipalName "User UPN" | Format-List ImmutableId

To change the ImmutableId:

Set-MsolUser -UserPrincipalName "User UPN" -ImmutableId "GXXXXXXXXXXXXXXXQ=="

Allow a few hours for the change to be reflected in Microsoft 365; the sync type will then change to "Synced with Active Directory".

Duplicate ImmutableId attributes:

This issue may occur if user objects have duplicate ImmutableId values. To resolve it, find the users that share an ImmutableId and change it so that each one is unique. The following command lists every user carrying a given ImmutableId (replace the sample value with the duplicated one).

Get-MsolUser -All | Where-Object { $_.ImmutableId -eq "vXXXXXXXXXXXXXXXXXXQ==" }
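The ObjectGUID-to-ImmutableId procedure and the duplicate check above, as an added example that is not from the original post. It converts between the GUID and the base64 ImmutableId in both directions, finds every ImmutableId shared by more than one user (rather than checking one known value), and refuses to set an ImmutableId that another account already carries. The sample GUID and UPN are constructed placeholders.

```powershell
# Added example (not from the original post): GUID <-> ImmutableId conversion,
# duplicate detection, and a guarded set.
function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][guid] $ObjectGuid)
    # ImmutableId is the base64 form of the GUID's 16 bytes, the same encoding
    # ldifde uses for objectGUID in its export file.
    [System.Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)][string] $ImmutableId)
    [guid]::new([System.Convert]::FromBase64String($ImmutableId))
}

function Find-MsolDuplicateImmutableId {
    Get-MsolUser -All | Where-Object { $_.ImmutableId } |
        Group-Object ImmutableId | Where-Object Count -gt 1 |
        ForEach-Object {
            [pscustomobject]@{
                ImmutableId = $_.Name
                ObjectGuid  = ConvertFrom-ImmutableId $_.Name
                Users       = ($_.Group.UserPrincipalName -join '; ')
            }
        }
}

function Set-MsolImmutableIdFromGuid {
    param([Parameter(Mandatory)][string] $UserPrincipalName,
          [Parameter(Mandatory)][guid]   $ObjectGuid)
    $id = ConvertTo-ImmutableId $ObjectGuid
    # Refuse to create the duplicate-ImmutableId condition described above
    $clash = Get-MsolUser -All | Where-Object {
        $_.ImmutableId -eq $id -and $_.UserPrincipalName -ne $UserPrincipalName }
    if ($clash) { throw "ImmutableId $id is already used by $($clash.UserPrincipalName -join ', ')" }
    Set-MsolUser -UserPrincipalName $UserPrincipalName -ImmutableId $id
    return $id
}

# Constructed sample GUID standing in for the objectGUID copied from the ldifde output
$newGuid = [guid]'11111111-2222-3333-4444-555555555555'
$immutableId = ConvertTo-ImmutableId $newGuid
"{0} -> {1} -> {2}" -f $newGuid, $immutableId, (ConvertFrom-ImmutableId $immutableId)

Find-MsolDuplicateImmutableId | Format-Table -AutoSize

# Writes to the tenant; run with the real UPN once the duplicate check is clean
# Set-MsolImmutableIdFromGuid -UserPrincipalName 'user@example.com' -ObjectGuid $newGuid
```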


I hope this article has given you some guidance on connecting to Azure AD with PowerShell.

Now I’d like to hear from you:

Which strategy from today’s post are you going to try first? Or maybe you have a question about something that I covered.

Either way, let me know by leaving a comment below right now.
