
The Best Connect To Azure AD Powershell Reviewed (2023)

In this post, we are going to see the reviewed guide on Azure AD PowerShell to administer Microsoft 365.

PowerShell (also known as Windows PowerShell) is a command-line environment that’s designed specifically for system administration. PowerShell helps IT professionals and power users control and automate the administration of the Windows operating system and applications, such as Microsoft 365.

The most basic part of PowerShell is called a cmdlet (pronounced command-let). Cmdlets allow you to do things in the Microsoft 365 PowerShell environment like add users to your Microsoft 365 organization, manage Microsoft 365 license assignments, and know which mailboxes are inactive.

Connect to Azure AD PowerShell allows you to manage Microsoft 365 from a single point of administration using automated and scripted actions, which streamlines your daily work.

Benefits of the AAD PowerShell Module

  • Windows PowerShell can reveal “hidden” information that is not available in the admin center.
  • Microsoft 365 has features that you can only configure by using Windows PowerShell.
  • Windows PowerShell excels at carrying out bulk operations.
  • Windows PowerShell is great at filtering data.
  • Windows PowerShell makes it easy to print or save data.
  • Windows PowerShell lets you do cross product management.

Before you can run any of the cmdlets discussed in this article, you must install the Azure module.

The gallery uses the PowerShellGet module. The PowerShellGet module requires PowerShell 3.0 or newer and requires one of the following operating systems:

  • Windows 10
  • Windows 8.1 Pro
  • Windows 8.1 Enterprise
  • Windows 7 SP1
  • Windows Server 2016 TP5
  • Windows Server 2012 R2
  • Windows Server 2008 R2 SP1

PowerShellGet also requires .NET Framework 4.5 or above. You can install .NET Framework 4.5 or above from here.

The easiest way to install the module is through the PowerShell Gallery. You can install the module with the Install-Module cmdlet: Install-Module MSOnline.

The Connect-MsolService cmdlet attempts to initiate a connection to Azure Active Directory. You must specify a credential as a PSCredential object or specify the CurrentCredentials parameter to use the credentials of the current user.

This cmdlet may return a warning or error if the version of the module is out of date.
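The steps above (install from the gallery, then connect) put together as one script. This is an added example, not code from the original post; it assumes nothing beyond the MSOnline module being available from the PowerShell Gallery, and it checks which tenant the session is bound to before any administrative cmdlet is run.

```powershell
# Added example (not from the original post): install, import and connect the
# MSOnline module, then confirm the tenant the session is bound to.

# Install once from the PowerShell Gallery (needs PowerShellGet, see above).
if (-not (Get-Module -ListAvailable -Name MSOnline)) {
    Install-Module -Name MSOnline -Scope CurrentUser
}
Import-Module MSOnline

# Without -Credential, Connect-MsolService opens an interactive sign-in, which
# also works for admin accounts that are protected by multi-factor authentication.
# A PSCredential object only works for accounts that can sign in with a password alone.
Connect-MsolService

# Verify the session is bound to the tenant you intended to administer before
# running anything that changes users, groups or roles.
$company = Get-MsolCompanyInformation
"Connected to tenant: {0} (directory sync enabled: {1})" -f `
    $company.DisplayName, $company.DirectorySynchronizationEnabled
```

If the displayed tenant name is not the one you expected, disconnect by closing the session rather than continuing with the remaining cmdlets.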


Now, we can start managing Azure services.

Connect to Azure AD PowerShell – get user details

To get a user:

Get-MsolUser -UserPrincipalName "User UPN"

If you are not sure of a user's UPN but know the display name, use the SearchString parameter.

Get-MsolUser -SearchString "Test"

The SearchString parameter finds a user by UPN, object ID, or display name.

To get user information based on a title:

Get-MsolUser -Title “Manager”

To get a user based on a department:

Get-MsolUser -Department “IT”

To view a list of users in your organization:

Get-MsolUser

By default, Get-MsolUser returns a maximum of 1000 users.

To view all users:

Get-MsolUser -All

Export user details

We have seen how to view user details. What if you want to export the results to a CSV file? It's straightforward: just pipe the output to Export-Csv.

To export users:

Get-MsolUser | Export-Csv "C:\msolusers.csv" -NoTypeInformation

Note: You will get a warning message if your organization has more than 1000 users, because only the first 1000 are returned.

So, add -All to export everyone in your organization.

Note: You may also use -MaxResults if you want to export only a specific number of users. For larger sets, for example 25,000 users, I would recommend going with -All to avoid any confusion.

Get-MsolUser -MaxResults 25000

How do I find errors on user accounts?

To retrieve errors on a user object:

(Get-MsolUser -UserPrincipalName test@techieberry.com).errors[0].ErrorDetail.objecterrors.errorrecord.ErrorDescription

To retrieve all errors for all users on Azure:

Get-MsolUser -HasErrorsOnly | ft DisplayName,UserPrincipalName,@{Name="Error";Expression={($_.errors[0].ErrorDetail.objecterrors.errorrecord.ErrorDescription)}} -AutoSize -Wrap

How do I change a user’s UPN?

A user principal name (UPN) is made up of two parts, the prefix (user account name) and the suffix (DNS domain name).

For example: user1@techieberry.com

In this case, the prefix is “user1” and the suffix is “techieberry.com.”

You can also change a user’s UPN in Azure AD by changing their username.

Set-MsolUserPrincipalName -UserPrincipalName "test1@techieberry.com" -NewUserPrincipalName "test2@techieberry.com"

Get Microsoft 365 plan details

To get Microsoft 365 plan (Account SKU) details:

Get-MsolAccountsku

Get group details

To retrieve groups from the Microsoft 365 services:

Get-MsolGroup

To retrieve group members (where $Group holds a group object returned by Get-MsolGroup):

Get-MsolGroupMember -GroupObjectId $Group.ObjectId

Get details on administrative roles

To retrieve a list of administrator roles:

Get-MsolRole

To retrieve all members of a specified role (where $role holds a role object returned by Get-MsolRole):

Get-MsolRoleMember -RoleObjectId $role.ObjectId
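The two cmdlets above are most useful together: walk every role, collect its members, and export the result so privileged assignments can be reviewed against what you expect. This is an added example, not code from the original post. It assumes an existing Connect-MsolService session, and the output path C:\role-members.csv is a placeholder.

```powershell
# Added example (not from the original post): list every member of every
# directory role, export the list, and call out the most privileged role.
# Assumes Connect-MsolService has already been run.

$report = foreach ($role in Get-MsolRole) {
    foreach ($member in Get-MsolRoleMember -RoleObjectId $role.ObjectId) {
        [PSCustomObject]@{
            Role         = $role.Name
            DisplayName  = $member.DisplayName
            EmailAddress = $member.EmailAddress
            MemberType   = $member.RoleMemberType   # User, Group or ServicePrincipal
            IsLicensed   = $member.IsLicensed
        }
    }
}

# Review on screen, then keep a dated copy for comparison with the next run.
$report | Sort-Object Role, DisplayName | Format-Table -AutoSize
$report | Export-Csv -Path "C:\role-members.csv" -NoTypeInformation   # placeholder path

# "Company Administrator" is the MSOnline name for the Global Administrator role;
# this is the list that should be shortest and that changes least often.
$report | Where-Object Role -eq 'Company Administrator' |
    Select-Object DisplayName, EmailAddress, MemberType
```

Comparing two exports with Compare-Object is a quick way to spot role members that were added since the last review.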

Remove and restore a user

To remove a user:

Remove-MsolUser -UserPrincipalName "User UPN" -Force

This command removes a user from Azure Active Directory. If the user has any licenses, the cmdlet removes them.

Remove-MsolUser -UserPrincipalName "User UPN" -RemoveFromRecycleBin

This command removes a user from the Azure Active Directory recycle bin. The command prompts you to confirm the operation. This command permanently removes the user. When this operation has been completed, you will not be able to recover the user by using the Restore-MsolUser cmdlet.

To find deleted users:

Get-MsolUser -ReturnDeletedUsers

To find a specific user from the deleted users list:

Get-MsolUser -UserPrincipalName "User UPN" -ReturnDeletedUsers

To restore a user:

Restore-MsolUser -UserPrincipalName "User UPN"

How do I manage groups?

To add a new group to Azure AD:

New-MsolGroup -DisplayName "Marketing" -Description "Marketing"

To add members (the new members can be either users or other security groups; $Group and $User hold objects returned by Get-MsolGroup and Get-MsolUser):

Add-MsolGroupMember -GroupObjectId $Group.ObjectId -GroupMemberType "User" -GroupMemberObjectId $User.ObjectId

To remove a member from a group:

Remove-MsolGroupMember -GroupObjectId $Group.ObjectId -GroupMemberType "User" -GroupMemberObjectId $User.ObjectId

To delete a group:

Remove-MsolGroup -ObjectId "Group ObjectId" -Force

To check a group’s member count:

(Get-MsolGroupMember -GroupObjectId 7a87e16a-dfa7-4f98-81e4-2cf95ebce03b).count

Export members of a specific group into a CSV file:

Get-MsolGroupMember -All -GroupObjectId 36c8a37b-1ce6-4973-b062-fe7804bb8b54 | Export-Csv C:\members.csv -NoTypeInformation
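The group cmdlets above all take ObjectIds, so in practice you resolve the group and the user first and then verify the change. This is an added example, not code from the original post; the group name and UPN are constructed sample values and it assumes an existing Connect-MsolService session.

```powershell
# Added example (not from the original post): resolve a group and a user to
# their ObjectIds, add the user to the group, and confirm the membership.
# "Marketing" and the UPN are constructed sample values.

$group = Get-MsolGroup -SearchString "Marketing" | Select-Object -First 1
$user  = Get-MsolUser -UserPrincipalName "user1@techieberry.com"

if (-not $group -or -not $user) {
    throw "Group or user not found; nothing changed."
}

$before = (Get-MsolGroupMember -GroupObjectId $group.ObjectId -All).Count

Add-MsolGroupMember -GroupObjectId $group.ObjectId `
                    -GroupMemberType User `
                    -GroupMemberObjectId $user.ObjectId

$after = (Get-MsolGroupMember -GroupObjectId $group.ObjectId -All).Count
"Members of '{0}': {1} -> {2}" -f $group.DisplayName, $before, $after

# Confirm the specific user is now listed rather than trusting the count alone.
Get-MsolGroupMember -GroupObjectId $group.ObjectId -All |
    Where-Object ObjectId -eq $user.ObjectId |
    Select-Object DisplayName, EmailAddress
```

Using -All on the member count matters for large groups, since the page size limit applies to Get-MsolGroupMember as it does to Get-MsolUser.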

How do I identify Azure AD Connect status in Microsoft 365?

If you have integrated your on-premises Active Directory Domain Services (ADDS) with Azure Active Directory (Azure AD) by synchronizing your on-premises environment with Microsoft 365, you can also check the status of your synchronization using the following command:

Get-MsolCompanyInformation | fl lastd*

How do I check the last sync time of a single user?

The following command shows when a user account was last synced to Microsoft 365.

Get-MsolUser -UserPrincipalName "User UPN" | fl lastd*

Export licensed users

Get-MsolUser -All | Where-Object { $_.IsLicensed -eq $true } | Select-Object DisplayName, UserPrincipalName, IsLicensed | Export-Csv C:\Users.csv -NoTypeInformation

Export unlicensed users

Get-MsolUser -All -UnlicensedUsersOnly | Export-Csv C:\non-licensed_users.csv -NoTypeInformation

ImmutableId

Directory synchronization uses a unique ID to match the AD and Microsoft 365 accounts; this is called the "ImmutableId". It is based on the AD account's ObjectGUID. If a user's old AD account was replaced by a new AD account, the new account has a different ObjectGUID, so the AD and Microsoft 365 accounts no longer have a matching ImmutableId.

We are going to find the ObjectGUID of the new AD account and use PowerShell to change the ImmutableId on the recovered Microsoft 365 account to match the new AD account's ObjectGUID.

  • On a domain controller or a computer with the remote server admin tools, open ADSI or ADAC.
  • Find and open the properties for the user.
  • On the “Attribute Editor” tab, find and copy distinguishedName.
  • Run the following command, replacing the DN with the one from the previous step, and execute it in Exchange on-premises PowerShell.

ldifde -d "CN=Someone,OU=Users,DC=someplace,DC=com" -f c:\user.txt

  • Open the text file you created and copy the user’s ObjectGUID.

Checking the current immutable ID in Azure:

Get-MsolUser -UserPrincipalName "User UPN" | fl im*

To change the ImmutableId:

Set-MsolUser -UserPrincipalName "User UPN" -ImmutableId "GXXXXXXXXXXXXXXXQ=="

Allow for a few hours for these changes to reflect in Microsoft 365 and the sync type will change to “Synced with Active Directory.”

Duplicate ImmutableId attributes:

This issue may occur if user objects have duplicate ImmutableId values. To resolve it, find the users who share an ImmutableId and change it so that each value is unique. To find them, use the following command (replace the value with the ImmutableId in question).

Get-MsolUser -All | Where-Object {$_.ImmutableId -eq "vXXXXXXXXXXXXXXXXXXQ=="}
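The command above checks one known value at a time. The script below, an added example that is not part of the original post, does two things the section describes: it converts an on-premises ObjectGUID into the Base64 form that Azure AD stores in ImmutableId (the same value ldifde exports), and it scans all users for ImmutableId values that are shared by more than one account. The GUID used for the round trip is a constructed sample value; the duplicate scan assumes an existing Connect-MsolService session.

```powershell
# Added example (not from the original post).
# ImmutableId is the Base64 encoding of the ObjectGUID's 16 raw bytes, which
# is why a GUID copied from ldifde output already looks like "...Q==".

function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)][string]$ImmutableId)
    [guid]::new([Convert]::FromBase64String($ImmutableId))
}

# Constructed sample GUID: round-trip it to show both representations.
$sampleGuid = [guid]'12345678-9abc-def0-1234-56789abcdef0'
$immutable  = ConvertTo-ImmutableId -ObjectGuid $sampleGuid
"{0} -> {1} -> {2}" -f $sampleGuid, $immutable, (ConvertFrom-ImmutableId -ImmutableId $immutable)

# Duplicate scan: every synced user must carry a unique ImmutableId.
# Cloud-only accounts have an empty ImmutableId and are skipped.
$duplicates = Get-MsolUser -All |
    Where-Object { $_.ImmutableId } |
    Group-Object -Property ImmutableId |
    Where-Object Count -gt 1 |
    ForEach-Object {
        [PSCustomObject]@{
            ImmutableId = $_.Name
            Count       = $_.Count
            Users       = ($_.Group.UserPrincipalName -join '; ')
        }
    }

if ($duplicates) {
    $duplicates | Format-Table -AutoSize -Wrap
} else {
    "No duplicate ImmutableId values found."
}
```

Once the duplicates are listed, set the correct ImmutableId on each affected account with the Set-MsolUser command shown above, using the ObjectGUID of the AD account that should own it.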


I hope this article provided you with some guidance on connecting to Azure AD PowerShell.

Now I’d like to hear from you:

Which strategy from today’s post are you going to try first? Or maybe you have a question about something that I covered.

Either way, let me know by leaving a comment below right now.
