AzureAD

Important

Azure AD PowerShell is planned for deprecation. For more details on the deprecation plans, see the deprecation update. You can start trying Microsoft Graph PowerShell to interact with Azure AD as you would in Azure AD PowerShell. In addition, Microsoft Graph PowerShell allows you access to all Microsoft Graph APIs and is available on PowerShell 7. For answers to frequent migration queries, see the migration FAQ.

The Azure Active Directory PowerShell for Graph module can be downloaded and installed from the PowerShell Gallery. The gallery uses the PowerShellGet module. The PowerShellGet module requires PowerShell 3.0 or newer and requires one of the following operating systems:

  • Windows 10
  • Windows 8.1 Pro
  • Windows 8.1 Enterprise
  • Windows 7 SP1
  • Windows Server 2016 TP5
  • Windows Server 2012 R2
  • Windows Server 2008 R2 SP1

PowerShellGet also requires .NET Framework 4.5 or above. You can install .NET Framework 4.5 or above from here.

For more detailed info on installation of the AzureAD cmdlets please see: Azure Active Directory PowerShell for Graph.

These are the cmdlets in the Azure Active Directory PowerShell for Graph module.

Administrative Units

Add-AzureADMSAdministrativeUnitMember

Adds an administrative unit member.

Add-AzureADMSScopedRoleMembership

Adds a scoped role membership to an administrative unit.

Get-AzureADMSAdministrativeUnit

Gets an administrative unit.

Get-AzureADMSAdministrativeUnitMember

Gets a member of an administrative unit.

Get-AzureADMSScopedRoleMembership

Gets a scoped role membership from an administrative unit.

New-AzureADMSAdministrativeUnit

Creates an administrative unit.

Remove-AzureADMSAdministrativeUnit

Removes an administrative unit.

Remove-AzureADMSAdministrativeUnitMember

Removes an administrative unit member.

Remove-AzureADMSScopedRoleMembership

Removes a scoped role membership.

Application Proxy Application Management

Get-AzureADApplicationProxyApplication

The Get-AzureADApplicationProxyApplication cmdlet retrieves an application configured for Application Proxy in Azure Active Directory.

Get-AzureADApplicationProxyApplicationConnectorGroup

The Get-AzureADApplicationProxyApplicationConnectorGroup cmdlet retrieves the connector group assigned for a specific application.

New-AzureADApplicationProxyApplication

The New-AzureADApplicationProxyApplication cmdlet creates a new application configured for Application Proxy in Azure Active Directory.

Remove-AzureADApplicationProxyApplication

Deletes an Application Proxy application.

Remove-AzureADApplicationProxyApplicationConnectorGroup

The Remove-AzureADApplicationProxyApplicationConnectorGroup cmdlet sets the connector group assigned for the specified application to 'Default' and removes the current assignment.

Set-AzureADApplicationProxyApplication

The Set-AzureADApplicationProxyApplication allows you to modify and set configurations for an application in Azure Active Directory configured to use ApplicationProxy.

Set-AzureADApplicationProxyApplicationCustomDomainCertificate

The Set-AzureADApplicationProxyApplicationCustomDomainCertificate cmdlet assigns a certificate to an application configured for Application Proxy in Azure Active Directory (AD). This will upload the certificate and allow the application to use Custom Domains.

Set-AzureADApplicationProxyApplicationSingleSignOn

The Set-AzureADApplicationProxyApplicationSingleSignOn cmdlet allows you to set and modify single sign-on (SSO) settings for an application configured for Application Proxy in Azure Active Directory.

Application Proxy Connector Management

Get-AzureADApplicationProxyConnector

The Get-AzureADApplicationProxyApplicationConnector cmdlet a list of all connectors, or if specified, details of a specific connector.

Get-AzureADApplicationProxyConnectorGroup

The Get-AzureADApplicationProxyConnectorGroup cmdlet retrieves a list of all connector groups, or if specified, details of a specific connector group.

Get-AzureADApplicationProxyConnectorGroupMembers

The Get-AzureADApplicationProxyConnectorGroupMembers gets all the Application Proxy connectors associated with the given connector group.

Get-AzureADApplicationProxyConnectorMemberOf

The Get-AzureADApplicationProxyConnectorMemberOf command gets the ConnectorGroup that the specified Connector is a member of.

New-AzureADApplicationProxyConnectorGroup

The New-AzureADApplicationProxyConnectorGroup cmdlet creates a new Application Proxy Connector group.

Remove-AzureADApplicationProxyConnectorGroup

The Remove-AzureADApplicationProxyConnectorGroup cmdlet deletes an Application Proxy Connector group.

Set-AzureADApplicationProxyApplicationConnectorGroup

The Set-AzureADApplicationProxyApplicationConnectorGroup cmdlet assigns the given connector group to a specified application.

Set-AzureADApplicationProxyConnector

The Set-AzureADApplicationProxyConnector cmdlet allows reassignment of the connector to another connector group.

Set-AzureADApplicationProxyConnectorGroup

The Set-AzureADApplicationProxyConnectorGroup cmdlet allows you to change the name of a given Application Proxy connector group.

Applications

Add-AzureADApplicationOwner

Adds an owner to an application.

Get-AzureADApplication

Gets an application.

Get-AzureADApplicationExtensionProperty

Gets application extension properties.

Get-AzureADApplicationKeyCredential

Gets the key credentials for an application.

Get-AzureADApplicationLogo

Retrieve the logo of an application

Get-AzureADApplicationOwner

Gets the owner of an application.

Get-AzureADApplicationPasswordCredential

Gets the password credential for an application.

Get-AzureADApplicationServiceEndpoint

Retrieve the service endpoint of an application

Get-AzureADDeletedApplication

Retrieves the list of previously deleted applications

New-AzureADApplication

Creates an application.

New-AzureADApplicationExtensionProperty

Creates an application extension property.

New-AzureADApplicationKeyCredential

Creates a key credential for an application.

New-AzureADApplicationPasswordCredential

Creates a password credential for an application.

Remove-AzureADApplication

Delete an application by objectId.

Remove-AzureADApplicationExtensionProperty

Removes an application extension property.

Remove-AzureADApplicationKeyCredential

Removes a key credential from an application.

Remove-AzureADApplicationOwner

Removes an owner from an application.

Remove-AzureADApplicationPasswordCredential

Removes a password credential from an application.

Set-AzureADApplication

Updates an application.

Set-AzureADApplicationLogo

Sets the logo for an Application

AzureAD

Add-AzureADMSApplicationOwner

Adds an owner for an application object.

Add-AzureADMSServicePrincipalDelegatedPermissionClassification

Add a classification for a delegated permission.

Get-AzureADApplicationProxyConnectorGroupMember

{{ Fill in the Synopsis }}

Get-AzureADCurrentSessionInfo

This cmdlet will return the current session state

Get-AzureADMSApplication

Retrieves the list of applications within the organization.

Get-AzureADMSApplicationExtensionProperty

Retrieves the list of extension properties on an application object.

Get-AzureADMSApplicationOwner

Retrieves the list of owners for an application object.

Get-AzureADMSConditionalAccessPolicy

Gets an Azure Active Directory conditional access policy.

Get-AzureADMSDeletedDirectoryObject

This cmdlet is used to retrieve a soft deleted directory object from the directory

Get-AzureADMSDeletedGroup

This cmdlet is used to retrieve the soft deleted groups in a directory.

Get-AzureADMSIdentityProvider

This cmdlet is used to retrieve the configured identity providers in the directory.

Get-AzureADMSNamedLocationPolicy

Gets an Azure Active Directory named location policy.

Get-AzureADMSPermissionGrantConditionSet

Get an Azure Active Directory permission grant condition set by id.

Get-AzureADMSPermissionGrantPolicy

Gets a permission grant policy.

Get-AzureADMSServicePrincipalDelegatedPermissionClassification

Retreive the delegated permission classification objects on a service principal.

Get-CrossCloudVerificationCode

Gets the verification code used to validate the ownership of the domain in another connected cloud. Important: Only applies to a verified domain.

New-AzureADMSApplication

Creates (registers) a new application object.

New-AzureADMSApplicationExtensionProperty

Creates an extension property on an application object.

New-AzureADMSApplicationKey

Adds a new key to an application.

New-AzureADMSApplicationPassword

Adds a strong password to an application.

New-AzureADMSConditionalAccessPolicy

Creates a new conditional access policy in Azure Active Directory.

New-AzureADMSIdentityProvider

This cmdlet is used to configure a new identity provider in the directory.

New-AzureADMSNamedLocationPolicy

Creates a new named location policy in Azure Active Directory.

New-AzureADMSPermissionGrantConditionSet

Create a new Azure Active Directory permission grant condition set in a given policy.

New-AzureADMSPermissionGrantPolicy

Creates a permission grant policy.

Remove-AzureADDeletedApplication

{{ Fill in the Synopsis }}

Remove-AzureADMSApplication

Deletes an application object.

Remove-AzureADMSApplicationExtensionProperty

Deletes an extension property from an application object.

Remove-AzureADMSApplicationKey

Removes a key from an application.

Remove-AzureADMSApplicationOwner

Removes an owner from an application object.

Remove-AzureADMSApplicationPassword

Remove a password from an application.

Remove-AzureADMSApplicationVerifiedPublisher

Removes the verified publisher from an application.

Remove-AzureADMSConditionalAccessPolicy

Deletes a conditional access policy in Azure Active Directory by Id.

Remove-AzureADMSDeletedDirectoryObject

This cmdlet is used to permanently delete a previously deleted directory object

Remove-AzureADMSIdentityProvider

This cmdlet is used to delete an identity provider in the directory.

Remove-AzureADMSNamedLocationPolicy

Deletes an Azure Active Directory named location policy by PolicyId.

Remove-AzureADMSPermissionGrantConditionSet

Delete an Azure Active Directory permission grant condition set by id

Remove-AzureADMSPermissionGrantPolicy

Removes a permission grant policy.

Remove-AzureADMSServicePrincipalDelegatedPermissionClassification

Remove delegated permission classification.

Restore-AzureADMSDeletedDirectoryObject

This cmdlet is used to restore a previously deleted object.

Set-AzureADMSAdministrativeUnit

Updates an administrative unit.

Set-AzureADMSApplication

Updates the properties of an application object.

Set-AzureADMSApplicationLogo

Sets the logo for an application object.

Set-AzureADMSApplicationVerifiedPublisher

Sets the verified publisher of an application to a verified Microsoft Partner Network (MPN) identifier.

Set-AzureADMSConditionalAccessPolicy

Updates a conditional access policy in Azure Active Directory by Id.

Set-AzureADMSIdentityProvider

This cmdlet is used to update the properties of an existing identity provider configured in the directory.

Set-AzureADMSNamedLocationPolicy

Updates a named location policy in Azure Active Directory by PolicyId.

Set-AzureADMSPermissionGrantConditionSet

Update an existing Azure Active Directory permission grant condition set.

Set-AzureADMSPermissionGrantPolicy

Updates a permission grant policy.

Certificate Authorities

Get-AzureADTrustedCertificateAuthority

Gets the trusted certificate authority.

New-AzureADTrustedCertificateAuthority

Creates a trusted certificate authority.

Remove-AzureADTrustedCertificateAuthority

Removes a trusted certificate authority.

Set-AzureADTrustedCertificateAuthority

Updates a trusted certificate authority.

Connect to your directory

Connect-AzureAD

Connects with an authenticated account to use Active Directory cmdlet requests.

Disconnect-AzureAD

Disconnects the current session from an Azure Active Directory tenant.

Contacts

Get-AzureADContact

Gets a contact from Azure Active Directory.

Get-AzureADContactDirectReport

Get the direct reports for a contact.

Get-AzureADContactManager

Gets the manager of a contact.

Get-AzureADContactMembership

Get a contact membership.

Get-AzureADContactThumbnailPhoto

Retrieves the thumbnail photo of a contact

Remove-AzureADContact

Removes a contact.

Remove-AzureADContactManager

Removes a contact's manager.

Select-AzureADGroupIdsContactIsMemberOf

Get groups in which a contact is a member.

Contracts

Get-AzureADContract

Gets a contract.

Deleted Objects

Restore-AzureADDeletedApplication

Restores a previously deleted application

Devices

Add-AzureADDeviceRegisteredOwner

Adds a registered owner for a device.

Add-AzureADDeviceRegisteredUser

Adds a registered user for a device.

Get-AzureADDevice

Gets a device from Active Directory.

Get-AzureADDeviceConfiguration

This cmdlet retrieves the device configuration object

Get-AzureADDeviceRegisteredOwner

Gets the registered owner of a device.

Get-AzureADDeviceRegisteredUser

Gets a registered user.

New-AzureADDevice

Creates a device.

Remove-AzureADDevice

Deletes a device.

Remove-AzureADDeviceRegisteredOwner

Removes the registered owner of a device.

Remove-AzureADDeviceRegisteredUser

Removes a registered user from a device.

Set-AzureADDevice

Updates a device.

Directory

Get-AzureADSubscribedSku

Gets subscribed SKUs to Microsoft services.

Get-AzureADTenantDetail

Gets the details of a tenant.

Set-AzureADTenantDetail

Set contact details for a tenant

Directory Objects

Get-AzureADObjectByObjectId

Retrieves the object(s) specified by the objectIds parameter

Directory Roles

Add-AzureADDirectoryRoleMember

Adds a member to a directory role.

Enable-AzureADDirectoryRole

Activates an existing directory role in Azure Active Directory.

Get-AzureADDirectoryRole

Gets a directory role.

Get-AzureADDirectoryRoleMember

Gets members of a directory role.

Get-AzureADDirectoryRoleTemplate

Gets directory role templates.

Get-AzureADMSRoleAssignment

Gets information about role assignments in Azure AD.

Get-AzureADMSRoleDefinition

Gets information about role definitions in Azure AD.

New-AzureADMSRoleAssignment

Creates an Azure AD role assignment.

New-AzureADMSRoleDefinition

Creates an Azure AD role definition.

Remove-AzureADDirectoryRoleMember

Removes a member of a directory role.

Remove-AzureADMSRoleAssignment

Removes an Azure AD role assignment.

Remove-AzureADMSRoleDefinition

Removes an Azure AD role definition.

Set-AzureADMSRoleDefinition

Update an existing Azure AD role definition.

Domains

Confirm-AzureADDomain

Validate the ownership of a domain.

Get-AzureADDomain

Gets a domain.

Get-AzureADDomainNameReference

This cmdlet retrieves the objects that are referenced by a given domain name

Get-AzureADDomainServiceConfigurationRecord

Gets the domain's service configuration records from the serviceConfigurationRecords navigation property.

Get-AzureADDomainVerificationDnsRecord

Retrieve the domain verification DNS record for a domain

New-AzureADDomain

Creates a domain.

Remove-AzureADDomain

Removes a domain.

Set-AzureADDomain

Updates a domain.

Extension Properties

Get-AzureADExtensionProperty

Gets extension properties registered with Azure AD.

Groups

Add-AzureADGroupMember

Adds a member to a group.

Add-AzureADGroupOwner

Adds an owner to a group.

Add-AzureADMSLifecyclePolicyGroup

Adds a group to a lifecycle policy

Get-AzureADGroup

Gets a group (via Microsoft Graph).

Get-AzureADGroupAppRoleAssignment

Gets a group application role assignment.

Get-AzureADGroupMember

Gets a member of a group.

Get-AzureADGroupOwner

Gets an owner of a group.

Get-AzureADMSGroup

Gets information about groups in the Microsoft Entra ID (via MS Graph).

Get-AzureADMSGroupLifecyclePolicy

Retrieves the properties and relationships of a groupLifecyclePolicies object in Azure Active Directory. If you specify no parameters, this cmdlet gets all groupLifecyclePolicies.

Get-AzureADMSLifecyclePolicyGroup

Retrieves the lifecycle policy object to which a group belongs.

New-AzureADGroup

Creates a group.

New-AzureADGroupAppRoleAssignment

Assign a group of users to an application role.

New-AzureADMSGroup

Creates an Azure AD group.

New-AzureADMSGroupLifecyclePolicy

Creates a new groupLifecyclePolicy

Remove-AzureADGroup

Removes a group.

Remove-AzureADGroupAppRoleAssignment

Delete a group application role assignment.

Remove-AzureADGroupMember

Removes a member from a group.

Remove-AzureADGroupOwner

Removes an owner from a group.

Remove-AzureADMSGroup

Removes an Azure AD group.

Remove-AzureADMSGroupLifecyclePolicy

Deletes a groupLifecyclePolicies object

Remove-AzureADMSLifecyclePolicyGroup

Removes a group from a lifecycle policy

Reset-AzureADMSLifeCycleGroup

Renews a group by updating the RenewedDateTime property on a group to the current DateTime.

Select-AzureADGroupIdsGroupIsMemberOf

Gets group IDs that a group is a member of.

Set-AzureADGroup

Updates a specific group in Azure Active Directory

Set-AzureADMSGroup

Sets the properties for an existing Azure AD group.

Set-AzureADMSGroupLifecyclePolicy

Updates a specific group Lifecycle Policy in Azure Active Directory

OAuth2

Get-AzureADOAuth2PermissionGrant

Gets OAuth2PermissionGrant entities.

Remove-AzureADOAuth2PermissionGrant

Removes an oAuth2PermissionGrant.

Policies

Get-AzureADMSAuthorizationPolicy

Gets an authorization policy, which represents a policy that can control Azure Active Directory authorization settings.

Set-AzureADMSAuthorizationPolicy

Updates an authorization policy, which represents a policy that can control Azure Active Directory authorization settings.

Service Principals

Add-AzureADServicePrincipalOwner

Adds an owner to a service principal.

Get-AzureADServiceAppRoleAssignedTo

Gets app role assignments for this app or service, granted to users, groups and other service principals.

Get-AzureADServiceAppRoleAssignment

Gets a service principal application role assignment.

Get-AzureADServicePrincipal

Gets a service principal.

Get-AzureADServicePrincipalCreatedObject

Get objects created by a service principal.

Get-AzureADServicePrincipalKeyCredential

Get key credentials for a service principal.

Get-AzureADServicePrincipalMembership

Get a service principal membership.

Get-AzureADServicePrincipalOAuth2PermissionGrant

Gets an oAuth2PermissionGrant object.

Get-AzureADServicePrincipalOwnedObject

Gets an object owned by a service principal.

Get-AzureADServicePrincipalOwner

Get the owner of a service principal.

Get-AzureADServicePrincipalPasswordCredential

Get credentials for a service principal.

New-AzureADServiceAppRoleAssignment

Assigns an app role to a user, a group, or another service principal.

New-AzureADServicePrincipal

Creates a service principal.

New-AzureADServicePrincipalKeyCredential

Create a new key credential for a service principal

New-AzureADServicePrincipalPasswordCredential

Creates a password credential for a service principal.

Remove-AzureADServiceAppRoleAssignment

Removes a service principal application role assignment.

Remove-AzureADServicePrincipal

Removes a service principal.

Remove-AzureADServicePrincipalKeyCredential

Removes a key credential from a service principal.

Remove-AzureADServicePrincipalOwner

Removes an owner from a service principal.

Remove-AzureADServicePrincipalPasswordCredential

Removes a password credential from a service principal.

Select-AzureADGroupIdsServicePrincipalIsMemberOf

Selects the groups in which a service principal is a member.

Set-AzureADServicePrincipal

Updates a service principal.

Users

Get-AzureADUser

Gets a user.

Get-AzureADUserAppRoleAssignment

Get a user application role assignment.

Get-AzureADUserCreatedObject

Get objects created by the user.

Get-AzureADUserDirectReport

Get the user's direct reports.

Get-AzureADUserExtension

Gets a user extension.

Get-AzureADUserLicenseDetail

Retrieves license details for a user

Get-AzureADUserManager

Gets the manager of a user.

Get-AzureADUserMembership

Get user memberships.

Get-AzureADUserOAuth2PermissionGrant

Gets an oAuth2PermissionGrant object.

Get-AzureADUserOwnedDevice

Get registered devices owned by a user.

Get-AzureADUserOwnedObject

Get objects owned by a user.

Get-AzureADUserRegisteredDevice

Get devices registered by a user.

Get-AzureADUserThumbnailPhoto

Retrieve the thumbnail photo of a user

New-AzureADMSInvitation

This cmdlet is used to invite a new external user to your directory.

New-AzureADUser

Creates an Azure AD user.

New-AzureADUserAppRoleAssignment

Assigns a user to an application role.

Remove-AzureADUser

Removes a user.

Remove-AzureADUserAppRoleAssignment

Removes a user application role assignment.

Remove-AzureADUserExtension

Removes a user extension.

Remove-AzureADUserManager

Removes a user's manager.

Revoke-AzureADSignedInUserAllRefreshToken

Invalidates the refresh tokens issued to applications for the current user.

Revoke-AzureADUserAllRefreshToken

Invalidates the refresh tokens issued to applications for a user.

Select-AzureADGroupIdsUserIsMemberOf

Selects the groups that a user is a member of.

Set-AzureADUser

Updates a user.

Set-AzureADUserExtension

Sets a user extension.

Set-AzureADUserLicense

Adds or removes licenses for a Microsoft online service to the list of assigned licenses for a user.

Note

The Set-AzureADUserLicense cmdlet is deprecated. Learn how to assign licenses with Microsoft Graph PowerShell. For more info, see the Assign License Microsoft Graph API.

Set-AzureADUserManager

Updates a user's manager.

Set-AzureADUserPassword

Sets the password of a user.

Set-AzureADUserThumbnailPhoto

Set the thumbnail photo for a user

Update-AzureADSignedInUserPassword

Updates the password for the signed-in user.