Tuesday, July 2, 2024

How to Use the Microsoft Entra PowerShell Module — LazyAdmin


PowerShell modules like AzureAD and Msol are being deprecated in favor of the new Microsoft Graph module. The Microsoft Graph module is great but can be a bit overwhelming. To make the migration from the AzureAD module a bit easier, Microsoft has now released the Microsoft Entra PowerShell module.

The Microsoft Entra PowerShell module is built upon the Microsoft Graph PowerShell SDK but offers backward compatibility with the deprecated AzureAD module.

In this article, we will look at how to install and use the new Entra PowerShell module.

Install Microsoft Entra PowerShell Module

To use the new Microsoft Entra PowerShell module, we need to install it. Just like with the other Microsoft Graph modules, the normal, stable version points to v1.0 of Microsoft Graph, which is recommended for use in production environments.

We can also install the beta version, which points to the Microsoft Graph beta resources. Both modules can be installed independently:

# Install the stable version
Install-Module -Name Microsoft.Graph.Entra -Repository PSGallery -Scope CurrentUser -AllowPrerelease -Force

# Install the beta version
Install-Module -Name Microsoft.Graph.Entra.Beta -Repository PSGallery -Scope CurrentUser -AllowPrerelease -Force

You can install the modules in both PowerShell version 5.1+ and PowerShell 7+. The latter is of course the recommended one to use.

Connecting to Microsoft Entra

Before we can use the Microsoft Entra module, we first need to connect to Microsoft Entra. Connecting is done in a similar way as with the Microsoft Graph module:

Connect-Entra -Scopes 'User.Read.All'

Finding the correct scopes can sometimes be a bit challenging. You can read some tips on finding the correct scope in this article, or use the Graph Permissions Explorer.

To view all the available cmdlets of the new module, you can use the following PowerShell command:

Get-Command -Module Microsoft.Graph.Entra

Migrating from AzureAD module

The Microsoft Entra PowerShell module was developed to make it easier to migrate from the old AzureAD module to Microsoft Graph. To help you migrate your existing scripts as seamlessly as possible, you can enable the compatibility mode.

The compatibility mode needs to be re-enabled for each PowerShell session (or at the beginning of your script), but the advantage is that you can keep using the AzureAD module cmdlets until you have the time to rewrite your scripts.

To enable it, use the following cmdlet in your script or session:

Enable-EntraAzureADAlias

Keep in mind though that the output objects may return slightly different results, so make sure you test your scripts!
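To know which scripts need that testing, you can inventory the AzureAD cmdlets they call. The following is an added example, not code from the original article: it parses a script with the PowerShell AST and, when compatibility mode is active in the session, resolves each AzureAD name through Get-Alias. The function name Get-AzureADCmdletUsage and the sample script are hypothetical, and the alias lookup assumes the compatibility mode registers ordinary PowerShell aliases.

```powershell
# Constructed sample standing in for a legacy AzureAD automation script.
$legacyScript = @'
Connect-AzureAD
$u = Get-AzureADUser -ObjectId "adelev@lazydev.onmicrosoft.com"
Get-AzureADUserMembership -ObjectId $u.ObjectId | Select-Object DisplayName
Get-Date
'@

# Hypothetical helper: lists every AzureAD cmdlet invocation in a script text.
function Get-AzureADCmdletUsage {
    param([Parameter(Mandatory)][string]$ScriptText)

    $tokens = $null
    $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput(
        $ScriptText, [ref]$tokens, [ref]$errors)

    # Walk the whole tree, including nested script blocks and pipelines.
    $commands = $ast.FindAll({
        param($node)
        $node -is [System.Management.Automation.Language.CommandAst]
    }, $true)

    foreach ($cmd in $commands) {
        $name = $cmd.GetCommandName()
        if ($name -and $name -match '-AzureAD') {
            # Assumption: compatibility mode exposes the old names as aliases,
            # so Get-Alias only finds them after Enable-EntraAzureADAlias ran.
            $alias = Get-Alias -Name $name -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Line   = $cmd.Extent.StartLineNumber
                Cmdlet = $name
                MapsTo = if ($alias) { $alias.ResolvedCommandName } else { '(no alias in this session)' }
            }
        }
    }
}

Get-AzureADCmdletUsage -ScriptText $legacyScript |
    Sort-Object Line |
    Format-Table -AutoSize
```

Cmdlets reported without an alias are the ones to rewrite or test first, since compatibility mode will not cover them in that session.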

Using the Entra Module

The Microsoft Entra PowerShell module comes with a lot of cmdlets that we can use. Most will overlap with their Microsoft Graph PowerShell module counterparts, but we will take a look at some cmdlets to give you an idea of how to use the new module.

A good place to start is managing your Entra users. The new module allows you to retrieve information about your users, create or update users, and even remove them. Where we see the difference with the Microsoft Graph module is, for example, in how we can retrieve additional information about the user.

Get and Find users with Get-EntraUser

The Get-EntraUser cmdlet allows you to find and extract user information from Microsoft Entra. There are a couple of parameters that we can use to find or filter the users:

  • ObjectId – Return a specific user based on UPN or ObjectID
  • Filter – Retrieve multiple objects based on an OData v3 query
  • SearchString – Get all users that match the searchString
  • Top – Return n number of results
  • All – Return all results (by default the first 100 items are returned)

Note

Good to know is that the cmdlet returns only the first 100 results by default. So make sure that you use the -All parameter to get all results when needed.

So the first step is to connect to Microsoft Entra with the correct scope. We are only going to retrieve user data, so we can use the User.Read.All scope.

Connect-Entra -Scopes 'User.Read.All'

To test if the cmdlet is working, you can simply get all users from Microsoft Entra with the following cmdlet:

Get-EntraUser -All

To get a single user we can use the ObjectId of the user. This can either be the UserPrincipalName of the user or the actual object ID of the user:

# Get the user by the UserPrincipalName
Get-EntraUser -ObjectId adelev@lazydev.onmicrosoft.com

# Get the user by the actual id:
Get-EntraUser -ObjectId 7a3b301d-0462-41b6-8468-19a3837b8ad1

Using Filters and Search

Just like with the Get-MgUser cmdlet, we can filter or search the user results. The filter is based on the OData v3 query, but not all operators are supported. We can only use the following operators to filter the users:

Operator     Description          Example
eq           Equals to            jobtitle eq 'Advertising Assistant'
and          And                  jobtitle eq 'Recruiter' and jobtitle eq 'hr'
or           Or                   jobtitle eq 'Recruiter' or jobtitle eq 'hr'
startswith   String starts with   startswith(jobtitle,'recr')

Get-EntraUser Filters

It is important that you wrap the filter query in double quotes and the string that you want to filter on in single quotes. Only when you filter on a boolean do you not need to put quotes around the true or false statement.

So let's take a look at a couple of examples using the -Filter parameter. To find a user by the display name we can specify the complete name of the user or use the startsWith operator. Keep in mind that we can't use wildcards or the -like operator here.

# Find the user based on the full name
Get-EntraUser -Filter "DisplayName eq 'Adele Vance'"

# Find the user by the first part of the name
Get-EntraUser -Filter "startsWith(DisplayName, 'A')"

# Find users based on their job title
Get-EntraUser -Filter "jobtitle eq 'Advertising Assistant'"

To get, for example, only the enabled user accounts with the Get-EntraUser cmdlet, we can use the following command:

Get-EntraUser -Filter 'accountEnabled eq true' -All
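When the value in a filter comes from input rather than a hard-coded string (a CSV export, a help desk form), the quoting rule above needs one more step: a single quote inside the value has to be doubled, otherwise the value ends the string literal early and the rest is read as filter syntax. The following is an added example, not code from the original article; the function names ConvertTo-ODataStringLiteral and New-EntraUserFilter and the sample values are hypothetical.

```powershell
# Hypothetical helper: turns any string into a safe OData string literal.
function ConvertTo-ODataStringLiteral {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)
    # OData escapes a single quote inside a string literal by doubling it.
    "'" + $Value.Replace("'", "''") + "'"
}

# Hypothetical helper: builds a filter from the operators listed above.
function New-EntraUserFilter {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('displayName', 'jobTitle', 'userPrincipalName')]
        [string]$Property,

        [Parameter(Mandatory)]
        [ValidateSet('eq', 'startswith')]
        [string]$Operator,

        [Parameter(Mandatory)][string]$Value,

        [switch]$EnabledOnly
    )

    $literal = ConvertTo-ODataStringLiteral -Value $Value
    $clause = if ($Operator -eq 'startswith') {
        "startswith($Property,$literal)"
    } else {
        "$Property eq $literal"
    }

    # Booleans are written without quotes, as described above.
    if ($EnabledOnly) { $clause = "$clause and accountEnabled eq true" }
    $clause
}

# Constructed sample values: a name with an apostrophe, and a value that
# contains filter syntax and must stay inside the string literal.
$samples = @(
    "Miles O'Brien",
    "x' or accountEnabled eq true or displayName eq 'y"
)

foreach ($value in $samples) {
    $filter = New-EntraUserFilter -Property displayName -Operator eq -Value $value -EnabledOnly
    Write-Output $filter
    # With a connected session: Get-EntraUser -Filter $filter -All
}
```

The ValidateSet on the property and operator keeps input out of the parts of the filter that are not string literals.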

To view more methods for searching or finding users, you can check out the Get-MgUser cmdlet article.

Viewing All Properties

The Microsoft Entra PowerShell module does a better job of returning the properties of objects, compared to the normal Microsoft Graph module. With the Get-MgUser cmdlet, you will need to specify exactly which properties you want to see.

But if you look through the results, you still see that a lot of them contain the value Microsoft.Graph.PowerShell.Models followed by a resource name. These models (or resources) are relationships of the resource type that you are viewing.

These relationships should allow us to easily view the related data of the resource. If we take the user, for example, we might want to know who their manager is.

With the Get-MgUser cmdlet, we needed to expand the property, but with the new Entra module, we can often use a specific cmdlet for it. So to view the manager, we can use the Get-EntraUserManager cmdlet.

Now here we can see that the module is still in preview, because the cmdlet requires an ObjectId, just like Get-EntraUser, but it doesn't accept a userprincipalname. In this case, we will need to use the actual object ID of the user:

# Get the user
$user = Get-EntraUser -ObjectId adelev@lazydev.onmicrosoft.com

# Get the manager of the user
Get-EntraUserManager -ObjectId $user.id

# We can of course also pipe this in PowerShell
Get-EntraUser -ObjectId adelev@lazydev.onmicrosoft.com | Get-EntraUserManager

Getting User's Group Membership

Another good example of the strength of the new module is when we want to retrieve the group membership of a user. With the Graph module, we can use the Get-MgUserMemberOf cmdlet, and dig into the additional properties to retrieve the group name:

Get-MgUserMemberOf -UserId adelev@lazydev.onmicrosoft.com | Select @{Name="Group"; Expression = {$_.AdditionalProperties.displayName}}

With the new Entra module, however, we can just use the Get-EntraUserMembership cmdlet, and simply select the display name of the groups:

Get-EntraUserMembership -ObjectId adelev@lazydev.onmicrosoft.com | Select DisplayName

Creating Users

The new module can also be used to create a new user. For this, we need to connect to Entra with the User.ReadWrite.All scope.

Connect-Entra -Scopes 'User.ReadWrite.All'

To create a user we will need to create a password profile with a temporary password for the new user. Make sure that you also set ForceChangePasswordNextLogin to true, so the user is forced to change the password.

$PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
$PasswordProfile.Password = '<Strong-Password>'
$PasswordProfile.ForceChangePasswordNextLogin = $true # Force password change at next login

With the password profile set, we can create a new user. In the example below, we are only setting the required properties. But you can also add other user properties, like job title, department, phone numbers, etc.

$userParams = @{
    DisplayName = "New Entra User"
    PasswordProfile = $PasswordProfile
    UserPrincipalName = "newentrauser@lazydev.onmicrosoft.com"
    AccountEnabled = $true
    MailNickName = "NewEntraUser"
}

New-EntraUser @userParams
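Instead of typing a fixed temporary password into the script, where it ends up in source control and gets reused for every new account, you can generate one per user. The following is an added example, not code from the original article; the function name New-TemporaryPassword, the character set and the default length are assumptions. It uses the operating system's cryptographic random number generator and works in both PowerShell 5.1 and 7.

```powershell
# Hypothetical helper: returns a random temporary password.
function New-TemporaryPassword {
    param([ValidateRange(12, 128)][int]$Length = 20)

    # Assumed character set: look-alikes (0/O, 1/l/I) are left out so the
    # password can be read out over the phone.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%+-=?@'.ToCharArray()
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    # Bytes at or above this bound are discarded to avoid modulo bias.
    $limit = 256 - (256 % $alphabet.Length)
    $buffer = New-Object byte[] 1

    try {
        do {
            $chars = New-Object System.Text.StringBuilder
            while ($chars.Length -lt $Length) {
                $rng.GetBytes($buffer)
                if ($buffer[0] -lt $limit) {
                    [void]$chars.Append($alphabet[$buffer[0] % $alphabet.Length])
                }
            }
            $candidate = $chars.ToString()
            # Retry until upper case, lower case, digit and symbol are present.
        } until ($candidate -cmatch '[A-Z]' -and $candidate -cmatch '[a-z]' -and
                 $candidate -match '\d' -and $candidate -match '[^A-Za-z0-9]')
    }
    finally {
        $rng.Dispose()
    }

    $candidate
}

# Requires the Entra module to be loaded, as in the steps above.
$tempPassword = New-TemporaryPassword -Length 20
$PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
$PasswordProfile.Password = $tempPassword
$PasswordProfile.ForceChangePasswordNextLogin = $true
```

Hand $tempPassword to the user over a separate channel and avoid writing it to transcripts or log files.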

To change user attributes, you can use the Set-EntraUser cmdlet.

Get or Assign User's Licenses

When it comes to Microsoft 365 license management, I prefer to use group-based licensing as much as possible. But sometimes, you just quickly want to check which license a user currently has, or assign a specific license to the user.

To view which licenses a user currently has, we can use the Get-EntraUserLicenseDetail cmdlet. This cmdlet needs the ObjectId (which can be the userprincipalname) of the user and will show which licenses the user currently has assigned:

Get-EntraUserLicenseDetail -ObjectId lazyadmin@lazydev.onmicrosoft.com

Assigning a license does require a few more steps. We will need to create an AssignedLicense and an AssignedLicenses object to add the SkuId of the license to the user.

# Create the license object, based on the SkuPartNumber
$License = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
$License.SkuId = (Get-EntraSubscribedSku | Where SkuPartNumber -eq 'FLOW_FREE').SkuId

# Create the AssignedLicenses object, which will hold the new license
$Licenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
$Licenses.AddLicenses = $License

# Assign the license to the user
Set-EntraUserLicense -ObjectId adelev@lazydev.onmicrosoft.com -AssignedLicenses $Licenses

Wrapping Up

The new Microsoft Entra PowerShell module is a welcome addition to the Microsoft Graph PowerShell modules. Although it has some overlap with the normal Graph module, it does make it easier to work with the Entra data.

If you are still using the Azure AD module, then make sure you try the new module out with its compatibility mode.

There is a lot more to explore in the new module, but I hope that this article gave you a good idea of its capabilities and the differences with the existing module. If you have any questions, just let me know in the comments below.
