Microsoft Graph PowerShell: Effortless User Management in Microsoft 365
As the user base in a Microsoft 365 tenant continues to grow, the need for streamlined management processes becomes increasingly vital. To tackle this challenge, Microsoft 365 admins employ a combination of tools, including the Microsoft 365 admin center, Azure AD PowerShell, Graph PowerShell, and more. While the admin centers provide fundamental operations to manage Microsoft 365 users, PowerShell empowers M365 admins to execute bulk operations with minimal time investment.
In this informative blog, we will delve into the management of M365 users using Microsoft Graph PowerShell. Without further delay, let’s get started.
You might be curious about our preference for the Graph PowerShell SDK over other modules like Azure AD. Here’s why: The Graph PowerShell SDK serves as a robust interface for Microsoft Graph APIs, making the complete API suite accessible within PowerShell. This SDK provides a rich set of cmdlets that empower Microsoft 365 administrators to efficiently manage and automate bulk operations within Entra ID, formerly known as Azure AD.
Another important factor to consider is Microsoft’s deprecation of fundamental PowerShell modules such as MSOnline and Azure AD. To stay ahead and align with Microsoft’s future direction, adopting the Graph PowerShell module is the wiser choice.
Discover the following major Graph PowerShell operations that help to manage Microsoft 365 users efficiently.
- Create a new user
- Create bulk users in Office 365
- Get a list of all users in Microsoft 365
- Update user properties
- Add a user to a group
- Add bulk users to a group
- Remove users from a group
- Remove multiple users from a group
- Assign managers for Microsoft 365 users
- Assign licenses to users
- Remove licenses from user accounts
- Delete a user from Microsoft 365
Before you begin working with these Microsoft Graph cmdlets, ensure that you have connected to the Microsoft Graph PowerShell module with the following scopes.
- Directory.ReadWrite.All
- Group.ReadWrite.All
- GroupMember.ReadWrite.All
- User.ReadWrite.All
To create a new user in the Microsoft Graph PowerShell module, you can use the ‘New-MgUser’ cmdlet.
$Password = @{Password = "<Password>"}
New-MgUser -DisplayName "<DisplayName>" -AccountEnabled -UserPrincipalName "<User’sUPN>" -PasswordProfile $Password -MailNickname "<MailNickName>"
The above cmdlet creates a new user while making sure the user is required to change their password when they first sign in.
To avoid forcing the user to change the password during their first sign-in, use the command below.
$Password = @{
    Password = "<Password>"
    ForceChangePasswordNextSignIn = $false
}
New-MgUser -DisplayName "<DisplayName>" -AccountEnabled -UserPrincipalName "<User’sUPN>" -PasswordProfile $Password -MailNickname "<MailNickName>"
After creating users, you can manage passwords using PowerShell to enable actions such as password changes, forcing users to reset passwords, configuring password expiration, and more.
To bulk-create users using the Microsoft Graph PowerShell module, first create a CSV file with the headers DisplayName, UPN, MailNickName, and Password.
After creating the CSV file, create a PowerShell script that runs the ‘New-MgUser’ cmdlet for each user, as shown below.
Import-Csv <FileLocation> | Foreach {
    $Password = @{Password = $_.Password}
    New-MgUser -DisplayName $_.DisplayName -AccountEnabled -UserPrincipalName $_.UPN -PasswordProfile $Password -MailNickname $_.MailNickName
}
Note: To efficiently set up multiple users with similar settings, utilize user templates in M365. This feature allows you to quickly apply consistent configurations, simplifying onboarding for groups with shared requirements like job roles, office location, or license needs.
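A hardened variant of the bulk-creation loop above, added here as an example and not part of the original post: it generates a random temporary password per user instead of reading one from the CSV, and sets ForceChangePasswordNextSignIn explicitly. The function names New-TemporaryPassword and New-BulkMgUser are hypothetical, and the CSV is assumed to carry only the DisplayName, UPN, and MailNickName headers.

```powershell
# Added example (not from the original post). Assumes an existing session:
#   Connect-MgGraph -Scopes 'User.ReadWrite.All'
# and a CSV with headers DisplayName, UPN, MailNickName (no Password column).

function New-TemporaryPassword {   # hypothetical helper name
    param([int]$Length = 20)
    # 64-character alphabet, so (byte % 64) has no modulo bias.
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        do {
            $bytes = New-Object byte[] $Length
            $rng.GetBytes($bytes)
            $candidate = -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
            # Retry until upper case, lower case and a digit are all present.
        } until ($candidate -cmatch '[A-Z]' -and $candidate -cmatch '[a-z]' -and $candidate -match '\d')
        $candidate
    }
    finally { $rng.Dispose() }
}

function New-BulkMgUser {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$CsvPath)

    foreach ($row in Import-Csv -Path $CsvPath) {
        if (-not ($row.DisplayName -and $row.UPN -and $row.MailNickName)) {
            Write-Warning "Skipping incomplete row (UPN: '$($row.UPN)')"
            continue
        }
        $temp = New-TemporaryPassword
        $passwordProfile = @{
            Password                      = $temp
            ForceChangePasswordNextSignIn = $true   # explicit, not left to the default
        }
        if (-not $PSCmdlet.ShouldProcess($row.UPN, 'Create user')) { continue }
        try {
            $user = New-MgUser -DisplayName $row.DisplayName -AccountEnabled `
                -UserPrincipalName $row.UPN -MailNickname $row.MailNickName `
                -PasswordProfile $passwordProfile -ErrorAction Stop
            # Returned to the caller only; hand over out of band, do not log or save.
            [pscustomobject]@{ UPN = $row.UPN; Id = $user.Id; TemporaryPassword = $temp }
        }
        catch {
            Write-Warning "Failed to create $($row.UPN): $($_.Exception.Message)"
        }
    }
}
```

Run it with -WhatIf first to see which accounts would be created without touching the tenant.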
As an M365 admin, you can retrieve all the users in your tenant using the ‘Get-MgUser’ cmdlet.
Get-MgUser -All
You can also identify inactive M365 users based on their successful sign-ins. This helps pinpoint stale accounts, allowing you to remove licenses and reduce costs.
Microsoft 365 admins can update the properties of a user using the ‘Update-MgUser’ cmdlet as demonstrated below.
Update-MgUser -UserId <UserID> -UsageLocation 'US' -CompanyName 'Contoso' -City 'Denmark'
The above example only changes a few of the properties. The cmdlet supports more attributes, such as AgeGroup, Birthday, DisplayName, EmployeeID, OfficeLocation, PostalCode, PreferredLanguage, and Department.
When updating a user’s department after a transition, it’s not merely about adjusting the property details. As the department changes, so should the access. Instead of managing it manually, use lifecycle workflows to manage M365 user department changes automatically. Also, if you wish to update an M365 user’s profile photo, you need to use the ‘Set-MgUserPhotoContent’ cmdlet.
To add a user to an Azure AD group, you must know the object ID of the group. To get the object ID of the existing group, execute the following cmdlet.
Get-MgGroup -All
To add users to a new group, first create a group with Microsoft Graph PowerShell based on your requirements. After that, note the object ID of the group.
Execute the below cmdlet to add new users to a Microsoft group.
New-MgGroupMember -GroupId <GroupObjectID> -DirectoryObjectId <UserID>
To bulk add users to a group in Microsoft 365 using PowerShell, create a CSV file that lists each user’s ID under a UserID column header, and then execute the following cmdlet.
Import-Csv <FileLocation> | Foreach {New-MgGroupMember -GroupId <GroupObjectID> -DirectoryObjectId $_.UserID}
The below Microsoft Graph cmdlet helps the admin to remove a user from a group in Microsoft 365.
Remove-MgGroupMemberByRef -GroupId <GroupObjectID> -DirectoryObjectId <UserID>
Note: Admins can’t remove a user from groups with dynamic memberships.
To remove multiple users from an Azure AD group, first create a CSV file with a list of user IDs. Then execute the ‘Remove-MgGroupMemberByRef’ cmdlet in a ‘Foreach’ loop.
Import-Csv <FileLocation> | Foreach {Remove-MgGroupMemberByRef -GroupId <GroupObjectID> -DirectoryObjectId $_.UserID}
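The bulk add and bulk remove loops above change access for every row without checking anything first. The following added example (not part of the original post) wraps both in one function that refuses dynamic-membership groups, validates each ID, and skips rows that are already in the desired state. The function name Update-GroupMembersFromCsv is hypothetical, and the CSV is assumed to have a UserID header.

```powershell
# Added example (not from the original post). Assumes a Connect-MgGraph session
# with the group scopes listed earlier and a CSV whose header is UserID.
function Update-GroupMembersFromCsv {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$GroupId,
        [Parameter(Mandatory)][string]$CsvPath,
        [ValidateSet('Add', 'Remove')][string]$Action = 'Add'
    )
    $group = Get-MgGroup -GroupId $GroupId -Property Id, DisplayName, GroupTypes -ErrorAction Stop
    # Dynamic groups are rule-driven; direct member changes are rejected.
    if ($group.GroupTypes -contains 'DynamicMembership') {
        throw "Group '$($group.DisplayName)' uses dynamic membership."
    }
    # One read of current membership makes the run idempotent.
    $current = @(Get-MgGroupMember -GroupId $GroupId -All | ForEach-Object Id)

    foreach ($row in Import-Csv -Path $CsvPath) {
        $id = "$($row.UserID)".Trim()
        $parsed = [guid]::Empty
        if (-not [guid]::TryParse($id, [ref]$parsed)) {
            Write-Warning "Skipping '$id': not an object ID"
            continue
        }
        $isMember = $current -contains $id
        if (($Action -eq 'Add') -eq $isMember) {
            # Already in the desired state.
            [pscustomobject]@{ UserID = $id; Action = $Action; Result = 'NoChange' }
            continue
        }
        if (-not $PSCmdlet.ShouldProcess("$id in $($group.DisplayName)", $Action)) { continue }
        try {
            if ($Action -eq 'Add') {
                New-MgGroupMember -GroupId $GroupId -DirectoryObjectId $id -ErrorAction Stop
            }
            else {
                # Cmdlet and parameters as used in the article.
                Remove-MgGroupMemberByRef -GroupId $GroupId -DirectoryObjectId $id -ErrorAction Stop
            }
            [pscustomobject]@{ UserID = $id; Action = $Action; Result = 'Done' }
        }
        catch {
            [pscustomobject]@{ UserID = $id; Action = $Action; Result = "Failed: $($_.Exception.Message)" }
        }
    }
}
```

The per-row result objects can be piped to Export-Csv to keep a record of who was granted or lost membership in each run.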
To update or assign a manager for users in Microsoft 365, administrators can use the cmdlet ‘Set-MgUserManagerByRef’.
$Manager = @{ "@odata.id"="https://Graph.microsoft.com/v1.0/users/<Manager’sObjectIDOrUPN>" }
Set-MgUserManagerByRef -UserId '<UserIDOrUPN>' -BodyParameter $Manager
Before assigning licenses to users, it is essential to know the ‘SkuId’ of the specific license to be assigned. To know the ‘SkuId’ of the license, execute the cmdlet below.
Get-MgSubscribedSku -All
Thereafter, to assign licenses to Microsoft 365 users, you can use the ‘Set-MgUserLicense’ cmdlet as demonstrated below.
Set-MgUserLicense -UserId <UserIDOrUPN> -AddLicenses @{SkuId= <SKUID>} -RemoveLicenses @()
You can also use the Set-MgUserLicense cmdlet to assign licenses to users in bulk. Additionally, you can use the Microsoft365DSC tool to assign licenses to users in bulk.
Note: In order to assign a license to a Microsoft 365 user, you must have previously designated a usage location for them.
To remove licenses from Microsoft 365 users, use the same ‘Set-MgUserLicense’ cmdlet as described below.
Set-MgUserLicense -UserId <UserIDOrUPN> -AddLicenses @() -RemoveLicenses @(<SKUID>)
Furthermore, you can refer to the manage Microsoft 365 licenses script to list, bulk assign, and bulk remove M365 licenses.
Finally, to remove a Microsoft 365 user using PowerShell, you can utilize the ‘Remove-MgUser’ cmdlet.
Remove-MgUser -UserId <UserIDOrUPN> -confirm
Executing this cmdlet asks for a confirmation to delete the user. To delete users without any confirmation, you can remove the parameter ‘Confirm’.
Soft-deleted users can be conveniently restored using the Entra ID portal or Microsoft Graph PowerShell. To restore a deleted user in Microsoft 365 using Graph PowerShell, execute the Restore-MgDirectoryDeletedItem cmdlet.
To remove a former employee, simply deleting the user is not recommended as it leads to the risk of losing critical data associated with the account. To do this safely, admins can automate Microsoft 365 user offboarding with PowerShell. Upon successful offboarding, administrators must ensure that departing employees no longer have access to company resources. In order to do that, you can make use of this convenient script to track Microsoft 365 offboarded user activities.
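As an added example (not part of the original post), the containment step that precedes deletion can be scripted: record what the account could reach, block sign-in, and revoke existing sessions, while leaving the account and its data in place. The function name Protect-DepartingUser is hypothetical, and a Connect-MgGraph session with the scopes listed earlier is assumed.

```powershell
# Added example (not from the original post). Assumes a Connect-MgGraph session
# with the scopes listed earlier; Protect-DepartingUser is a hypothetical name.
function Protect-DepartingUser {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$UserId)   # object ID or UPN

    $user = Get-MgUser -UserId $UserId -ErrorAction Stop `
        -Property Id, UserPrincipalName, AccountEnabled

    # Snapshot access before touching anything, for audit and later cleanup.
    $groupIds = @(Get-MgUserMemberOf -UserId $user.Id -All | ForEach-Object Id)
    $skuIds   = @(Get-MgUserLicenseDetail -UserId $user.Id | ForEach-Object SkuId)

    if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, 'Block sign-in and revoke sessions')) {
        # 1. Block new sign-ins.
        Update-MgUser -UserId $user.Id -AccountEnabled:$false -ErrorAction Stop
        # 2. Invalidate refresh tokens so existing sessions must re-authenticate.
        Revoke-MgUserSignInSession -UserId $user.Id -ErrorAction Stop | Out-Null
    }

    # Read back the state instead of assuming the update applied.
    $after = Get-MgUser -UserId $user.Id -Property Id, AccountEnabled

    [pscustomobject]@{
        UserPrincipalName = $user.UserPrincipalName
        Id                = $user.Id
        SignInBlocked     = ($after.AccountEnabled -eq $false)
        MemberOfIds       = $groupIds
        LicenseSkuIds     = $skuIds
        ProcessedAtUtc    = (Get-Date).ToUniversalTime().ToString('o')
    }
}
```

The returned object is the input for the later steps: removing the recorded group memberships and licenses, and finally Remove-MgUser once the data has been retained.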
Ready to elevate your Microsoft 365 management game to new heights? Our journey through Microsoft 365 user management has been informative, but it’s time to step up your admin skills. AdminDroid, the all-in-one reporting and auditing solution, is here to transform your experience.
AdminDroid Microsoft 365 user reporting provides a wide spectrum of insight into your organization’s users. The user reporting categorizes various user-related reports, making it easy to identify and analyze every user’s detail with just a single click. The user reports covered by AdminDroid consist of:
- Microsoft 365 sign-in disabled/enabled users
- Microsoft user creations/deletions
- Users’ group memberships
- Azure AD synced users
- Microsoft 365 users with errors
- Microsoft 365 external users
- External users’ group memberships
- M365 users without managers
AdminDroid Microsoft 365 user auditing is the watchful guardian that helps Microsoft 365 administrators stay ahead of evolving user dynamics. With the user auditing feature, admins can strengthen security by maintaining a vigilant watch over any alterations in user profiles, passwords, and administrative roles.
Moreover, the user dashboard gallery serves as the central hub, offering administrators a holistic view of critical user information at a glance. It furnishes admins with essential metrics, including the sign-in denied users, administrative users, users without managers, and those with weak passwords. These metrics provide valuable insights that empower informed decision-making.
Why choose AdminDroid for Microsoft 365 reporting?
AdminDroid stands out and is preferred for a multitude of reasons:
- AdminDroid Azure AD management tool provides lifetime free access to 130+ reports.
- Rich in reports and customization with advanced AI graphics.
- Includes reports for all M365 services like Teams, SharePoint, Exchange, and more.
- Offers an impressive collection of 1800+ reports and 30+ dashboards.
- Experience the premium edition free for 15 days.
- Effortless Microsoft alerting, compliance auditing, and delegation to reporting!
Curious? Download AdminDroid today and effortlessly monitor your Microsoft 365 environment!
We hope that this blog has provided you with efficient operations from bulk user creation to deletion through Graph PowerShell. Embrace this powerful tool to ensure your organization remains agile and future-ready in the ever-evolving digital landscape. Feel free to leave your thoughts in the comments section.