These scripts manage identities and access policies in Azure Active Directory (now Entra ID). Microsoft has consolidated management under the Microsoft.Graph PowerShell SDK, though the legacy AzureAD module is still widely used in existing environments.
The AzureAD and MSOnline PowerShell modules are deprecated and Microsoft has ended support for them; they receive no fixes and will eventually stop working against the service. Migrate your scripts to the Microsoft.Graph module to ensure continued compatibility and access to the latest features.
Required modules
# Install the Microsoft Graph PowerShell SDK
Install-Module -Name Microsoft.Graph -Force
# Or install only the modules you need
Install-Module -Name Microsoft.Graph.Users -Force
Install-Module -Name Microsoft.Graph.Groups -Force
Install-Module -Name Microsoft.Graph.Identity.SignIns -Force
Connecting with Microsoft.Graph
Connect with required permission scopes
Connect-MgGraph -Scopes "User.Read.All", "Group.ReadWrite.All", "Directory.Read.All"
You will be prompted to sign in and consent to the requested scopes. Delegated permissions act as your signed-in identity, so the effective permissions are the intersection of the granted scopes and your directory role: requesting User.ReadWrite.All does not let a non-admin modify other users. Request only the scopes the task needs.
Verify the connection
Run Get-MgContext and review the Scopes and Account fields to confirm you are connected with the right identity and permissions.
Run your commands
# List all users
Get-MgUser -All | Select-Object DisplayName, UserPrincipalName, AccountEnabled
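The connect-and-verify steps above as one function. This is an added example, not code from the original page: it wraps Connect-MgGraph, then inspects Get-MgContext and aborts if the session does not actually hold every requested scope (consent can be partial, or a cached session can be reused). It assumes Microsoft.Graph.Authentication is installed; the function name and its parameters are this example's own.

```powershell
# Added example: connect to Microsoft Graph with the scopes a task needs and fail
# fast if the resulting session does not hold them. Assumes Microsoft.Graph.Authentication.
function Connect-MgGraphChecked {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]] $RequiredScopes,

        # Optional: pin the tenant so a cached token for another directory is not reused
        [string] $TenantId
    )

    $connectParams = @{ Scopes = $RequiredScopes }
    if ($TenantId) { $connectParams.TenantId = $TenantId }

    Connect-MgGraph @connectParams -NoWelcome | Out-Null

    $ctx = Get-MgContext
    if (-not $ctx) { throw 'Connect-MgGraph did not establish a session.' }

    # Granted scopes can be a subset of what was requested. -notcontains is
    # case-insensitive, which matches how Graph treats scope names.
    $granted = @($ctx.Scopes)
    $missing = @($RequiredScopes | Where-Object { $granted -notcontains $_ })
    if ($missing.Count -gt 0) {
        Disconnect-MgGraph | Out-Null
        throw "Session is missing required scopes: $($missing -join ', '). Re-run and consent to them."
    }

    # Return the facts an operator should eyeball before running anything destructive
    [pscustomobject]@{
        Account  = $ctx.Account
        TenantId = $ctx.TenantId
        AuthType = $ctx.AuthType   # Delegated or AppOnly
        Scopes   = $granted
    }
}

# Usage: a reporting run needs read-only scopes, nothing more
Connect-MgGraphChecked -RequiredScopes 'User.Read.All', 'Group.Read.All' | Format-List
```

Keep read and write scopes in separate runs where you can: a script that only reports should never be connected with ReadWrite scopes, so a bug in it cannot change the directory.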
User management (Microsoft.Graph)
# Get all users
Get-MgUser -All | Select-Object DisplayName, UserPrincipalName, AccountEnabled
# Get a specific user
Get-MgUser -UserId user@yourdomain.com
# Get users with a filter
Get-MgUser -Filter "Department eq 'IT'" -All
# Disable a user account
# AccountEnabled is a switch parameter on Update-MgUser, so pass $false with the colon form
Update-MgUser -UserId user@yourdomain.com -AccountEnabled:$false
# Enable a user account
Update-MgUser -UserId user@yourdomain.com -AccountEnabled:$true
# Force password reset at next sign-in
Update-MgUser -UserId user@yourdomain.com -PasswordProfile @{
ForceChangePasswordNextSignIn = $true
}
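Disabling an account does not invalidate the refresh tokens and sessions it already holds, so a disable-user script should revoke them as well. The following is an added example, not code from the original page, combining the commands above into an offboarding step with a dry-run option. It assumes Microsoft.Graph.Users and Microsoft.Graph.Users.Actions are installed and that the session holds User.ReadWrite.All (and User.RevokeSessions.All for the revoke call); the function name and the UPN are this example's own.

```powershell
# Added example: disable an account, revoke its existing sessions, and confirm the
# result by re-reading the object. Assumes Microsoft.Graph.Users and
# Microsoft.Graph.Users.Actions; User.ReadWrite.All and User.RevokeSessions.All scopes.
function Disable-UserAndRevokeSessions {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string] $UserPrincipalName
    )
    process {
        $user = Get-MgUser -UserId $UserPrincipalName `
            -Property Id, DisplayName, UserPrincipalName, AccountEnabled -ErrorAction Stop

        if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, 'Disable account and revoke sign-in sessions')) {
            # AccountEnabled is a switch on Update-MgUser; the colon form passes $false
            Update-MgUser -UserId $user.Id -AccountEnabled:$false -ErrorAction Stop

            # Invalidates refresh tokens and browser sessions. Access tokens that were
            # already issued stay valid until they expire (typically around an hour).
            Revoke-MgUserSignInSession -UserId $user.Id -ErrorAction Stop | Out-Null
        }

        # Re-read rather than trusting that the request took effect
        $after = Get-MgUser -UserId $user.Id -Property AccountEnabled

        [pscustomobject]@{
            UserPrincipalName = $user.UserPrincipalName
            DisplayName       = $user.DisplayName
            WasEnabled        = $user.AccountEnabled
            IsEnabled         = $after.AccountEnabled
        }
    }
}

# Usage: preview with -WhatIf first, then run without it
'user@yourdomain.com' | Disable-UserAndRevokeSessions -WhatIf
```

Because the function accepts pipeline input, a list of UPNs from a CSV or an HR feed can be processed in one pass, and the returned objects give you an audit record of the before and after state.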
Group management (Microsoft.Graph)
# List all groups
Get-MgGroup -All | Select-Object DisplayName, GroupTypes, MailEnabled
# Get members of a group (assumes every member is a user; nested groups,
# devices or service principals in the membership make Get-MgUser fail for that object)
Get-MgGroupMember -GroupId <GroupId> |
ForEach-Object { Get-MgUser -UserId $_.Id } |
Select-Object DisplayName, UserPrincipalName
# Add a user to a group
New-MgGroupMember -GroupId <GroupId> -DirectoryObjectId <UserId>
# Remove a user from a group
Remove-MgGroupMemberByRef -GroupId <GroupId> -DirectoryObjectId <UserId>
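Group membership in Entra ID is not limited to users, and privileged groups often pick up nested groups that hide who really has access. The following is an added example, not code from the original page: it reports direct or transitive members with their object type instead of assuming every member is a user. It assumes Microsoft.Graph.Groups is installed and the session holds GroupMember.Read.All and Directory.Read.All; the function name is this example's own and <GroupId> remains a placeholder.

```powershell
# Added example: list group members with their object type, optionally including
# members inherited through nested groups. Assumes Microsoft.Graph.Groups;
# GroupMember.Read.All and Directory.Read.All scopes.
function Get-GroupMemberReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string] $GroupId,

        # Follow nested groups so the report shows effective membership
        [switch] $Transitive
    )

    $members = if ($Transitive) {
        Get-MgGroupTransitiveMember -GroupId $GroupId -All
    } else {
        Get-MgGroupMember -GroupId $GroupId -All
    }

    foreach ($m in $members) {
        # Members come back as generic directory objects; the concrete type and
        # its properties live in AdditionalProperties.
        $props = $m.AdditionalProperties
        $type  = $props['@odata.type'] -replace '^#microsoft\.graph\.', ''

        $identifier = switch ($type) {
            'user'             { $props['userPrincipalName'] }
            'servicePrincipal' { $props['appId'] }
            'device'           { $props['deviceId'] }
            default            { $null }
        }

        [pscustomobject]@{
            Id             = $m.Id
            Type           = $type            # user, group, servicePrincipal, device
            DisplayName    = $props['displayName']
            Identifier     = $identifier
            AccountEnabled = $props['accountEnabled']
        }
    }
}

# Usage: replace the placeholder with the group's object ID
$groupId = '<GroupId>'
Get-GroupMemberReport -GroupId $groupId -Transitive |
    Sort-Object Type, DisplayName |
    Format-Table -AutoSize
```

Run it with -Transitive against your administrative groups and compare the result with the direct membership: any row of Type group is a nesting point worth reviewing, and disabled users that are still members are stale entries to clean up.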
AzureAD module (legacy)
The AzureAD module is deprecated. Use these commands only for maintaining existing scripts until they are migrated. New scripts should use Microsoft.Graph.
# Install the legacy AzureAD module
Install-Module -Name AzureAD -Force
Connecting with AzureAD (legacy)
# Connect interactively
Connect-AzureAD
# Connect as a specific user
Connect-AzureAD -AccountId admin@yourdomain.com
User management (AzureAD legacy)
# Get all users
Get-AzureADUser -All $true |
Select-Object DisplayName, UserPrincipalName, AccountEnabled
# Get a specific user
Get-AzureADUser -ObjectId user@yourdomain.com
# Disable a user account
Set-AzureADUser -ObjectId user@yourdomain.com -AccountEnabled $false
# Get group members
Get-AzureADGroupMember -ObjectId <GroupObjectId> |
Select-Object DisplayName, UserPrincipalName
Conditional Access policies
Conditional Access policies define the conditions under which users are granted or blocked access to resources. The scripts in AzureAD/ConditionalAccess/ automate reporting and management of these policies.
Reading Conditional Access policies with Microsoft.Graph requires the Policy.Read.All scope; request Policy.ReadWrite.ConditionalAccess only for scripts that create or modify policies, so that reporting runs cannot change enforcement by accident.
# Connect with Conditional Access permissions
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"
# List all Conditional Access policies
Get-MgIdentityConditionalAccessPolicy |
Select-Object DisplayName, State, Id
# Get details of a specific policy
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId <PolicyId> |
Format-List
# Get only enabled policies
Get-MgIdentityConditionalAccessPolicy -Filter "state eq 'enabled'" |
Select-Object DisplayName, State
# Export all CA policies to JSON for backup/documentation
$policies = Get-MgIdentityConditionalAccessPolicy -All
$policies | ConvertTo-Json -Depth 10 |
Out-File -FilePath "C:\Reports\ConditionalAccessPolicies.json"
Changes to Conditional Access policies can lock users out of your tenant, including administrators. Always maintain a break-glass account that is excluded from all CA policies, and test policy changes in report-only mode (state enabledForReportingButNotEnforced) before enabling enforcement.
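The break-glass exclusion described above can be checked mechanically. The following is an added example, not code from the original page: it resolves the break-glass account to its object ID, then walks every policy and flags enforced ones where that ID is missing from the user exclusions. It assumes Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Users are installed and the session holds Policy.Read.All and User.Read.All; the function name and the UPN are this example's own. It only checks direct user exclusions, not exclusions made through a group.

```powershell
# Added example: verify that break-glass accounts are excluded from every
# Conditional Access policy. Assumes Microsoft.Graph.Identity.SignIns and
# Microsoft.Graph.Users; Policy.Read.All and User.Read.All scopes.
function Test-BreakGlassExclusion {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]] $BreakGlassUpn
    )

    # Policies store excluded users by object ID, so resolve the UPNs first
    $breakGlassIds = @(foreach ($upn in $BreakGlassUpn) {
        (Get-MgUser -UserId $upn -Property Id -ErrorAction Stop).Id
    })

    foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
        $excluded = @($p.Conditions.Users.ExcludeUsers)
        $missing  = @($breakGlassIds | Where-Object { $excluded -notcontains $_ })

        [pscustomobject]@{
            DisplayName       = $p.DisplayName
            # enabled, disabled, or enabledForReportingButNotEnforced (report-only)
            State             = $p.State
            Enforced          = ($p.State -eq 'enabled')
            # Enforced policies that target every user are the ones that lock admins out
            TargetsAllUsers   = (@($p.Conditions.Users.IncludeUsers) -contains 'All')
            BreakGlassCovered = ($missing.Count -eq 0)
            MissingExclusions = $missing.Count
            Id                = $p.Id
        }
    }
}

# Usage: anything that is Enforced but not BreakGlassCovered needs attention
Test-BreakGlassExclusion -BreakGlassUpn 'breakglass@yourdomain.com' |
    Where-Object { $_.Enforced -and -not $_.BreakGlassCovered } |
    Format-Table DisplayName, State, TargetsAllUsers, MissingExclusions
```

Run this as part of any pipeline that changes policies, before and after the change, and treat a non-empty result as a failed deployment. Pair it with the JSON export above so the policy state that passed the check is kept alongside the report.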