Introduction
This cheatsheet provides quick reference commands and examples for automating common Azure Active Directory (Azure AD) tasks using PowerShell. Leverage these scripts to streamline your Identity and Access Management operations.
Core Modules
Ensure you have the necessary PowerShell modules installed. The most common are:
- AzureAD (or AzureADPreview): For managing Azure AD objects directly.
- Microsoft.Graph: The modern, recommended module for interacting with Microsoft Graph API, which covers Azure AD.
```powershell
# Install AzureAD module (if not already installed)
Install-Module -Name AzureAD -Force
# Install Microsoft.Graph module (recommended)
Install-Module Microsoft.Graph -Scope CurrentUser -Force
```
Connecting to Azure AD
Establish a connection to your Azure AD tenant. With Microsoft.Graph, request only the scopes the task at hand needs:
```powershell
# Connect using AzureAD module
Connect-AzureAD
# Connect using Microsoft.Graph module (interactive login); trim the scope list to what your script actually calls
Connect-MgGraph -Scopes "User.Read.All", "Group.ReadWrite.All", "Directory.ReadWrite.All"
```
User Management
| Task | AzureAD Command | Microsoft.Graph Command |
|---|---|---|
| Get All Users | Get-AzureADUser -All $true | Get-MgUser -All |
| Get User by UPN | Get-AzureADUser -ObjectId "user@domain.com" | Get-MgUser -UserId "user@domain.com" |
| Create User | $pp = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile; $pp.Password = "YourStrongPassword123!"; New-AzureADUser -DisplayName "John Doe" -PasswordProfile $pp -AccountEnabled $true -MailNickname "johndoe" -UserPrincipalName "johndoe@yourtenant.onmicrosoft.com" -GivenName "John" -Surname "Doe" | New-MgUser -DisplayName "John Doe" -UserPrincipalName "johndoe@yourtenant.onmicrosoft.com" -MailNickname "johndoe" -PasswordProfile @{ Password = "YourStrongPassword123!" } -AccountEnabled:$true -GivenName "John" -Surname "Doe" |
| Update User | Set-AzureADUser -ObjectId "user@domain.com" -Department "IT" | Update-MgUser -UserId "user@domain.com" -Department "IT" |
| Disable User | Set-AzureADUser -ObjectId "user@domain.com" -AccountEnabled $false | Update-MgUser -UserId "user@domain.com" -AccountEnabled:$false |
| Enable User | Set-AzureADUser -ObjectId "user@domain.com" -AccountEnabled $true | Update-MgUser -UserId "user@domain.com" -AccountEnabled:$true |
| Delete User | Remove-AzureADUser -ObjectId "user@domain.com" | Remove-MgUser -UserId "user@domain.com" |

Note: the Microsoft.Graph cmdlets expose boolean properties such as AccountEnabled as switch parameters, so use the -AccountEnabled:$false form; a user created with New-MgUser also requires -MailNickname.
Group Management
| Task | AzureAD Command | Microsoft.Graph Command |
|---|---|---|
| Get All Groups | Get-AzureADGroup -All $true | Get-MgGroup -All |
| Get Group by Display Name | Get-AzureADGroup -Filter "DisplayName eq 'My Project Team'" | Get-MgGroup -Filter "displayName eq 'My Project Team'" |
| Create Group (Security) | New-AzureADGroup -DisplayName "New Security Group" -MailEnabled $false -MailNickname "newsecgroup" -SecurityEnabled $true | New-MgGroup -DisplayName "New Security Group" -MailNickname "newsecgroup" -MailEnabled:$false -SecurityEnabled:$true |
| Add Member to Group | Add-AzureADGroupMember -ObjectId "group-object-id" -RefObjectId "user-object-id" | New-MgGroupMember -GroupId "group-object-id" -DirectoryObjectId "user-object-id" |
| Remove Member from Group | Remove-AzureADGroupMember -ObjectId "group-object-id" -MemberId "user-object-id" | Remove-MgGroupMemberByRef -GroupId "group-object-id" -DirectoryObjectId "user-object-id" |
Application Management
| Task | AzureAD Command | Microsoft.Graph Command |
|---|---|---|
| List Applications | Get-AzureADApplication -All $true | Get-MgApplication -All |
| Get Application by Display Name | Get-AzureADApplication -Filter "DisplayName eq 'My Custom App'" | Get-MgApplication -Filter "displayName eq 'My Custom App'" |
| Create Application | Creating applications is more complex and is often better handled via the Graph API SDKs or the Azure Portal/ARM. Basic creation: New-AzureADApplication -DisplayName "New PowerShell App" -IdentifierUris "https://mytenant.com/NewPowerShellApp" | Use the Microsoft Graph PowerShell SDK or REST API for robust application creation. Simplified example: $params = @{ displayName = "New PowerShell App (Graph)" }; New-MgApplication -BodyParameter $params |
Licensing
| Task | AzureAD Command | Microsoft.Graph Command |
|---|---|---|
| Get Assigned Licenses for User | (Get-AzureADUser -ObjectId "user@domain.com").AssignedLicenses | (Get-MgUserLicenseDetail -UserId "user@domain.com").SkuPartNumber |
| Assign License to User | Requires the SKU ID and, optionally, the service plan IDs to disable. Complex. See AzureAD documentation. | Set-MgUserLicense -UserId "user@domain.com" -AddLicenses @{ SkuId = "your-sku-id" } -RemoveLicenses @() |

Example: assigning a license with Microsoft.Graph. Set-MgUserLicense takes the SKU GUID (SkuId), not the SkuPartNumber that Get-MgUserLicenseDetail displays, so resolve it with Get-MgSubscribedSku first:
```powershell
# Resolve the SKU GUID from its part number (e.g. "DEVELOPERPACK_E5")
$skuPartNumber = "DEVELOPERPACK_E5"
$sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq $skuPartNumber
if (-not $sku) { throw "SKU '$skuPartNumber' not found in this tenant" }

# Each entry is a hashtable; -RemoveLicenses must be supplied even when empty.
# The target user must already have a UsageLocation set, or the assignment fails.
$addLicenses    = @(@{ SkuId = $sku.SkuId })
$removeLicenses = @()
Set-MgUserLicense -UserId "user@domain.com" -AddLicenses $addLicenses -RemoveLicenses $removeLicenses
```
Other Useful Commands
- Get Tenant Information: Get-AzureADTenantDetail (AzureAD) / Get-MgOrganization (Microsoft.Graph)
- Get All Service Principals: Get-AzureADServicePrincipal -All $true (AzureAD) / Get-MgServicePrincipal -All (Microsoft.Graph)
- Get Audit Logs: Requires Azure AD Premium and specific modules/APIs.
Tips and Best Practices
- Always test scripts in a non-production environment first.
- Use the Microsoft.Graph module for new development as AzureAD is being deprecated.
- Grant appropriate permissions (scopes) when connecting with Microsoft.Graph.
- Handle errors gracefully using try-catch blocks.
- Use -All $true with AzureAD commands to ensure all results are retrieved.
- For complex operations, consider creating Azure Functions or other automation tools.
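As an added example that ties these tips together (it is not part of the original cheatsheet), the function below bulk-disables a constructed list of offboarded users with the Microsoft.Graph cmdlets from the User Management table: a least-privilege connection scope, per-user try/catch so one failure does not abort the batch, and -WhatIf support for a dry run. The function name, the result shape and the sample UPNs are assumptions.

```powershell
# Added example: bulk-disable users from a constructed UPN list, with
# per-user try/catch and -WhatIf. Function name and UPNs are assumptions.
function Disable-OffboardedUsers {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string[]]$UserPrincipalName
    )

    # Least-privilege scope: disabling an account needs no more than this.
    Connect-MgGraph -Scopes "User.ReadWrite.All" | Out-Null

    $results = foreach ($upn in $UserPrincipalName) {
        try {
            # Resolve first so a mistyped UPN fails loudly instead of silently doing nothing.
            $user = Get-MgUser -UserId $upn -Property Id,UserPrincipalName,AccountEnabled -ErrorAction Stop
            if (-not $user.AccountEnabled) {
                [pscustomobject]@{ UPN = $upn; Status = "AlreadyDisabled" }
                continue
            }
            if ($PSCmdlet.ShouldProcess($upn, "Disable account")) {
                # AccountEnabled is a switch on Update-MgUser, hence the colon form
                Update-MgUser -UserId $user.Id -AccountEnabled:$false -ErrorAction Stop
                [pscustomobject]@{ UPN = $upn; Status = "Disabled" }
            } else {
                [pscustomobject]@{ UPN = $upn; Status = "Skipped (WhatIf)" }
            }
        }
        catch {
            # Record the failure and keep processing the rest of the batch.
            [pscustomobject]@{ UPN = $upn; Status = "Failed: $($_.Exception.Message)" }
        }
    }
    return $results
}

# Constructed sample input (placeholder UPNs in the page's example tenant).
$offboarded = @(
    "jane.doe@yourtenant.onmicrosoft.com",
    "john.doe@yourtenant.onmicrosoft.com"
)

# Dry run first, then the real run; review the status table between the two.
Disable-OffboardedUsers -UserPrincipalName $offboarded -WhatIf
Disable-OffboardedUsers -UserPrincipalName $offboarded | Format-Table -AutoSize
```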