Azure AD PowerShell

Azure Active Directory PowerShell cmdlets for cloud identity management. Microsoft has deprecated the AzureAD module in favour of the Microsoft Graph PowerShell SDK; the cmdlets below document the classic module, which many tenants still script against.

Module Setup & Connection

Install-Module -Name AzureAD

Install Azure AD PowerShell module

Import-Module AzureAD

Import Azure AD module

Connect-AzureAD

Connect to Azure AD

Connect-AzureAD -TenantId <tenant_id>

Connect to specific tenant

Connect-AzureAD -Credential $cred

Connect with stored credentials

Disconnect-AzureAD

Disconnect from Azure AD

Get-AzureADTenantDetail

Get tenant information

Get-Command -Module AzureAD

List all Azure AD cmdlets

User Management

Get-AzureADUser -All $true

Get all users (without -All $true only the first page of 100 results is returned)

Get-AzureADUser -ObjectId user@domain.com

Get specific user

Get-AzureADUser -Filter "startswith(DisplayName,'John')"

Search users by display name

New-AzureADUser -DisplayName "John Doe" -UserPrincipalName john@domain.com -PasswordProfile $pass -AccountEnabled $true

Create new user

Set-AzureADUser -ObjectId user@domain.com -DisplayName "New Name"

Update user properties

Set-AzureADUserPassword -ObjectId user@domain.com -Password $pass

Reset user password

Set-AzureADUser -ObjectId user@domain.com -AccountEnabled $false

Disable user account

Set-AzureADUser -ObjectId user@domain.com -AccountEnabled $true

Enable user account

Remove-AzureADUser -ObjectId user@domain.com

Delete user (soft delete)

Get-AzureADUserExtension -ObjectId user@domain.com

Get user extension attributes

Group Management

Get-AzureADGroup -All $true

Get all groups (-All $true avoids the default 100-result page)

Get-AzureADGroup -ObjectId <guid>

Get specific group

Get-AzureADGroup -Filter "startswith(DisplayName,'IT')"

Search groups by name

New-AzureADGroup -DisplayName "Team Group" -MailEnabled $false -SecurityEnabled $true -MailNickName "team"

Create security group

New-AzureADGroup -DisplayName "M365 Group" -MailEnabled $true -SecurityEnabled $false -MailNickName "m365group" -GroupTypes "Unified"

Create Microsoft 365 group

Set-AzureADGroup -ObjectId <guid> -DisplayName "New Name"

Update group properties

Remove-AzureADGroup -ObjectId <guid>

Delete group

Get-AzureADGroupMember -ObjectId <guid>

Get group members

Add-AzureADGroupMember -ObjectId <group_guid> -RefObjectId <user_guid>

Add member to group

Remove-AzureADGroupMember -ObjectId <group_guid> -MemberId <user_guid>

Remove member from group

Get-AzureADUserMembership -ObjectId user@domain.com

Get user group memberships

Application Registration

Get-AzureADApplication -All $true

List all applications

Get-AzureADApplication -ObjectId <guid>

Get specific application

New-AzureADApplication -DisplayName "My App"

Create new application

Set-AzureADApplication -ObjectId <guid> -DisplayName "New Name"

Update application

Remove-AzureADApplication -ObjectId <guid>

Delete application

New-AzureADApplicationPasswordCredential -ObjectId <guid>

Create app secret

Get-AzureADApplicationPasswordCredential -ObjectId <guid>

List app secrets

Remove-AzureADApplicationPasswordCredential -ObjectId <guid> -KeyId <key_guid>

Remove app secret
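Client secrets are the credentials most often left behind on forgotten app registrations. The following is an added example, not part of the original cheat sheet: it walks every application, pulls its password credentials and reports secrets that are already expired or whose lifetime exceeds an assumed policy window. It assumes an active Connect-AzureAD session with directory read rights; the 365-day limit is an assumption, not a Microsoft default.

```powershell
# Added example: report expired and long-lived application secrets.
# Assumes an active Connect-AzureAD session. The lifetime limit is an
# assumed local policy value, adjust it to your own standard.
$maxLifetimeDays = 365
$now = (Get-Date).ToUniversalTime()

$findings = Get-AzureADApplication -All $true | ForEach-Object {
    $app = $_
    # One application can carry several secrets; check each KeyId separately
    Get-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId | ForEach-Object {
        $lifetimeDays = ($_.EndDate - $_.StartDate).TotalDays
        $status = if ($_.EndDate -lt $now) { 'Expired' }
                  elseif ($lifetimeDays -gt $maxLifetimeDays) { 'LongLived' }
                  else { 'OK' }
        [pscustomobject]@{
            Application  = $app.DisplayName
            AppId        = $app.AppId
            KeyId        = $_.KeyId
            StartDate    = $_.StartDate
            EndDate      = $_.EndDate
            LifetimeDays = [math]::Round($lifetimeDays)
            Status       = $status
        }
    }
}

# Only the secrets that need attention; expired ones are candidates for
# Remove-AzureADApplicationPasswordCredential -ObjectId <app_guid> -KeyId <key_guid>
$findings | Where-Object { $_.Status -ne 'OK' } |
    Sort-Object EndDate |
    Format-Table Application, KeyId, EndDate, LifetimeDays, Status -AutoSize
```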

Service Principal Management

Get-AzureADServicePrincipal -All $true

List all service principals

Get-AzureADServicePrincipal -ObjectId <guid>

Get specific service principal

New-AzureADServicePrincipal -AppId <app_id>

Create service principal

Remove-AzureADServicePrincipal -ObjectId <guid>

Delete service principal

New-AzureADServicePrincipalPasswordCredential -ObjectId <guid>

Create service principal secret

Get-AzureADServicePrincipalOAuth2PermissionGrant -ObjectId <guid>

Get OAuth2 permission grants

Directory Roles & Permissions

Get-AzureADDirectoryRole

List all directory roles

Get-AzureADDirectoryRole -Filter "DisplayName eq 'Global Administrator'"

Get specific role

Get-AzureADDirectoryRoleMember -ObjectId <role_guid>

Get role members

Add-AzureADDirectoryRoleMember -ObjectId <role_guid> -RefObjectId <user_guid>

Add user to role

Remove-AzureADDirectoryRoleMember -ObjectId <role_guid> -MemberId <user_guid>

Remove user from role

Get-AzureADUserMembership -ObjectId user@domain.com | Where-Object {$_.ObjectType -eq "Role"}

Get user role memberships
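Reviewing who holds a privileged directory role is a routine access-review task. The following is an added example, not part of the original cheat sheet: it resolves a role by display name, lists its members and flags the member types that usually need a second look (guests, external accounts, disabled accounts and service principals). It assumes an active Connect-AzureAD session and that the role has been activated in the tenant; the output file name is arbitrary.

```powershell
# Added example: membership review for one privileged directory role.
# Assumes an active Connect-AzureAD session. Role name and CSV path are
# assumed inputs.
$roleName = 'Global Administrator'

# Directory roles only appear once activated; an unused role returns nothing
$role = Get-AzureADDirectoryRole -Filter "DisplayName eq '$roleName'"
if (-not $role) {
    throw "Role '$roleName' is not activated in this tenant"
}

$report = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId | ForEach-Object {
    $m = $_
    $flags = @()
    # Service principals holding admin roles are easy to overlook in reviews
    if ($m.ObjectType -eq 'ServicePrincipal') { $flags += 'ServicePrincipal' }
    # Guest and external users should rarely hold tenant-wide admin roles
    if ($m.UserType -eq 'Guest')               { $flags += 'Guest' }
    if ($m.UserPrincipalName -like '*#EXT#*')   { $flags += 'External' }
    # Disabled accounts keep the assignment until someone removes it
    if ($m.AccountEnabled -eq $false)           { $flags += 'Disabled' }

    [pscustomobject]@{
        DisplayName = $m.DisplayName
        Identity    = if ($m.UserPrincipalName) { $m.UserPrincipalName } else { $m.AppId }
        ObjectType  = $m.ObjectType
        Flags       = ($flags -join ',')
    }
}

$report | Sort-Object ObjectType, DisplayName | Format-Table -AutoSize
$report | Export-Csv -Path 'role-members.csv' -NoTypeInformation
```

Flagged entries are candidates for review and, where confirmed, removal with Remove-AzureADDirectoryRoleMember as shown in the section above.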

Device Management

Get-AzureADDevice -All $true

List all devices

Get-AzureADDevice -ObjectId <guid>

Get specific device

Get-AzureADDevice -Filter "startswith(DisplayName,'DESKTOP')"

Search devices by name

Set-AzureADDevice -ObjectId <guid> -AccountEnabled $false

Disable device

Set-AzureADDevice -ObjectId <guid> -AccountEnabled $true

Enable device

Remove-AzureADDevice -ObjectId <guid>

Delete device

Get-AzureADUserRegisteredDevice -ObjectId user@domain.com

Get user registered devices

Get-AzureADUserOwnedDevice -ObjectId user@domain.com

Get user owned devices

Domain Management

Get-AzureADDomain

List all domains

Get-AzureADDomain -Name domain.com

Get specific domain

New-AzureADDomain -Name newdomain.com

Add new domain

Remove-AzureADDomain -Name domain.com

Remove domain

Get-AzureADDomainVerificationDnsRecord -Name domain.com

Get DNS verification records

Confirm-AzureADDomain -Name domain.com

Verify domain ownership

Set-AzureADDomain -Name domain.com -IsDefault $true

Set default domain

Conditional Access Policies

Get-AzureADMSConditionalAccessPolicy

List all conditional access policies

Get-AzureADMSConditionalAccessPolicy -PolicyId <guid>

Get specific policy

New-AzureADMSConditionalAccessPolicy -DisplayName "Policy Name"

Create conditional access policy

Set-AzureADMSConditionalAccessPolicy -PolicyId <guid> -State Enabled

Enable policy

Set-AzureADMSConditionalAccessPolicy -PolicyId <guid> -State Disabled

Disable policy

Remove-AzureADMSConditionalAccessPolicy -PolicyId <guid>

Delete policy

License Management

Get-AzureADSubscribedSku

List all available licenses

Get-AzureADUser -ObjectId user@domain.com | Select-Object -ExpandProperty AssignedLicenses

Get user licenses

Set-AzureADUserLicense -ObjectId user@domain.com -AssignedLicenses $licenses

Assign license to user

Get-AzureADUser -All $true | Where-Object {-not $_.AssignedLicenses}

Find unlicensed users (a client-side filter; the classic module's -Filter does not accept an assignedLicenses count expression, and "$count" inside double quotes would be expanded as a PowerShell variable)

Guest User Management

New-AzureADMSInvitation -InvitedUserEmailAddress guest@external.com -InviteRedirectUrl "https://portal.azure.com"

Invite guest user

Get-AzureADUser -All $true -Filter "userType eq 'Guest'"

List all guest users

Remove-AzureADUser -ObjectId guest@external.com

Remove guest user

Administrative Units

Get-AzureADAdministrativeUnit

List all administrative units

Get-AzureADAdministrativeUnit -ObjectId <guid>

Get specific administrative unit

New-AzureADAdministrativeUnit -DisplayName "Unit Name"

Create administrative unit

Remove-AzureADAdministrativeUnit -ObjectId <guid>

Delete administrative unit

Add-AzureADAdministrativeUnitMember -ObjectId <unit_guid> -RefObjectId <user_guid>

Add member to unit

Get-AzureADAdministrativeUnitMember -ObjectId <guid>

List unit members

OAuth2 Permissions & Consent

Get-AzureADOAuth2PermissionGrant -All $true

List OAuth2 permission grants

Get-AzureADServicePrincipalOAuth2PermissionGrant -ObjectId <sp_guid>

Get service principal grants

Remove-AzureADOAuth2PermissionGrant -ObjectId <grant_guid>

Remove permission grant

New-AzureADServiceAppRoleAssignment -ObjectId <sp_guid> -PrincipalId <user_guid> -ResourceId <resource_guid> -Id <role_guid>

Assign app role
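Permission grants are stored as object IDs and space-separated scope strings, which makes the raw output hard to review. The following is an added example, not part of the original cheat sheet: it resolves client and resource service principals to display names and surfaces tenant-wide (admin-consented, ConsentType AllPrincipals) grants that include scopes from a watchlist. It assumes an active Connect-AzureAD session; the scope watchlist is an assumed example list.

```powershell
# Added example: readable review of tenant-wide OAuth2 permission grants.
# Assumes an active Connect-AzureAD session. The watchlist below is an
# assumed set of high-impact delegated scopes.
$watchScopes = @('Mail.Read', 'Mail.ReadWrite', 'Files.ReadWrite.All',
                 'Directory.ReadWrite.All', 'User.ReadWrite.All')

# Cache service principal lookups; many grants share the same client/resource
$spNames = @{}
function Resolve-SpName([string]$ObjectId) {
    if (-not $spNames.ContainsKey($ObjectId)) {
        try   { $spNames[$ObjectId] = (Get-AzureADServicePrincipal -ObjectId $ObjectId).DisplayName }
        catch { $spNames[$ObjectId] = "<unresolved $ObjectId>" }
    }
    $spNames[$ObjectId]
}

$grants = Get-AzureADOAuth2PermissionGrant -All $true | ForEach-Object {
    # Scope is one string such as "User.Read Mail.Read offline_access"
    $scopes = ($_.Scope -split ' ') | Where-Object { $_ }
    [pscustomobject]@{
        GrantId     = $_.ObjectId
        Client      = Resolve-SpName $_.ClientId
        Resource    = Resolve-SpName $_.ResourceId
        ConsentType = $_.ConsentType          # AllPrincipals = admin consent for everyone
        Scopes      = ($scopes -join ',')
        Watched     = (($scopes | Where-Object { $watchScopes -contains $_ }) -join ',')
    }
}

# Tenant-wide grants carrying a watched scope deserve a named owner and a reason
$grants | Where-Object { $_.ConsentType -eq 'AllPrincipals' -and $_.Watched } |
    Sort-Object Client |
    Format-Table Client, Resource, Watched, GrantId -AutoSize
```

A grant that nobody can justify is removed with Remove-AzureADOAuth2PermissionGrant -ObjectId <grant_guid>, using the GrantId column.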

Directory Settings

Get-AzureADDirectorySetting

Get directory settings

Get-AzureADDirectorySettingTemplate

Get directory setting templates

New-AzureADDirectorySetting -DirectorySetting $setting

Create directory setting

Set-AzureADDirectorySetting -Id <guid> -DirectorySetting $setting

Update directory setting

Remove-AzureADDirectorySetting -Id <guid>

Delete directory setting

Deleted Objects

Get-AzureADDeletedApplication

List deleted applications

Restore-AzureADDeletedApplication -ObjectId <guid>

Restore deleted application

Remove-AzureADDeletedApplication -ObjectId <guid>

Permanently delete application

Get-AzureADMSDeletedGroup

List deleted groups

Restore-AzureADMSDeletedDirectoryObject -Id <guid>

Restore deleted group

Session Connection Procedure

# Step 1: Verify module installation

Get-Module -ListAvailable AzureAD

# Step 2: Install module if missing

Install-Module -Name AzureAD -Force -AllowClobber

# Step 3: Import module

Import-Module AzureAD

# Step 4: Connect to Azure AD

Connect-AzureAD

# Step 5: Verify connection

Get-AzureADTenantDetail

# Alternative: Connect with credentials

$cred = Get-Credential; Connect-AzureAD -Credential $cred

# Alternative: Connect to specific tenant

Connect-AzureAD -TenantId <tenant_id>

Session Disconnection Procedure

# Step 1: Verify active session

Get-AzureADTenantDetail

# Step 2: Disconnect from Azure AD

Disconnect-AzureAD

# Step 3: Verify disconnection

Get-AzureADTenantDetail   # should now fail with a "connect first" error

# Step 4: Remove module (optional)

Remove-Module AzureAD

# Note: Clear cached credentials

Clear-AzureProfile   # only if the older AzureRM profile module is in use

Reporting & Auditing

Get-AzureADAuditDirectoryLogs -Filter "activityDateTime gt 2024-01-01T00:00:00Z"

Get audit directory logs (cmdlet ships in the AzureADPreview module; the timestamp must be a full ISO 8601 value)

Get-AzureADAuditSignInLogs -Filter "createdDateTime gt 2024-01-01T00:00:00Z"

Get sign-in logs (AzureADPreview module; same timestamp format)

Get-AzureADUser -All $true | Measure-Object

Count total users (-All $true is required, otherwise only the first 100 are counted)

Get-AzureADGroup -All $true | Measure-Object

Count total groups

Get-AzureADDevice -All $true | Measure-Object

Count total devices

Get-AzureADUser -All $true | Where-Object {$_.AccountEnabled -eq $false}

Find disabled users

Get-AzureADUser -All $true | Export-Csv users.csv -NoTypeInformation

Export users to CSV

Bulk Operations

Import-Csv users.csv | ForEach-Object {New-AzureADUser -DisplayName $_.Name -UserPrincipalName $_.UPN -PasswordProfile $pass -AccountEnabled $true}

Bulk create users from CSV

Get-AzureADUser -All $true | ForEach-Object {Set-AzureADUser -ObjectId $_.ObjectId -UsageLocation "US"}

Bulk set usage location

Import-Csv members.csv | ForEach-Object {Add-AzureADGroupMember -ObjectId $groupId -RefObjectId (Get-AzureADUser -ObjectId $_.UPN).ObjectId}

Bulk add group members

Get-AzureADUser -All $true -Filter "Department eq 'IT'" | Export-Csv it-users.csv -NoTypeInformation

Export filtered users