AzureAD Module (original) (raw)
Important
Azure AD and MSOnline PowerShell modules are deprecated as of March 30, 2024. To learn more, read the deprecation update). After this date, support for these modules are limited to migration assistance to Microsoft Graph PowerShell SDK and security fixes. The deprecated modules will continue to function through March, 30 2025.
We recommend migrating to Microsoft Graph PowerShell to interact with Microsoft Entra ID (formerly Azure AD). For common migration questions, refer to the Migration FAQ. Note: Versions 1.0.x of MSOnline may experience disruption after June 30, 2024.
The Azure Active Directory PowerShell for Graph module can be downloaded and installed from the PowerShell Gallery. The gallery uses the PowerShellGet module. The PowerShellGet module requires PowerShell 3.0 or newer and requires one of the following operating systems:
- Windows 10
- Windows 8.1 Pro
- Windows 8.1 Enterprise
- Windows 7 SP1
- Windows Server 2016 TP5
- Windows Server 2012 R2
- Windows Server 2008 R2 SP1
PowerShellGet also requires .NET Framework 4.5 or above. You can install .NET Framework 4.5 or above from here.
For more detailed info on installation of the AzureAD cmdlets please see: Azure Active Directory PowerShell for Graph.
These are the cmdlets in the Azure Active Directory PowerShell for Graph module.
Administrative Units
| Cmdlet | Description |
|---|---|
| Add-AzureADMSAdministrativeUnitMember | Adds an administrative unit member. |
| Add-AzureADMSScopedRoleMembership | Adds a scoped role membership to an administrative unit. |
| Get-AzureADMSAdministrativeUnit | Gets an administrative unit. |
| Get-AzureADMSAdministrativeUnitMember | Gets a member of an administrative unit. |
| Get-AzureADMSScopedRoleMembership | Gets a scoped role membership from an administrative unit. |
| New-AzureADMSAdministrativeUnit | Creates an administrative unit. |
| Remove-AzureADMSAdministrativeUnit | Removes an administrative unit. |
| Remove-AzureADMSAdministrativeUnitMember | Removes an administrative unit member. |
| Remove-AzureADMSScopedRoleMembership | Removes a scoped role membership. |
Application Proxy Application Management
| Cmdlet | Description |
|---|---|
| Get-AzureADApplicationProxyApplication | The Get-AzureADApplicationProxyApplication cmdlet retrieves an application configured for Application Proxy in Azure Active Directory. |
| Get-AzureADApplicationProxyApplicationConnectorGroup | The Get-AzureADApplicationProxyApplicationConnectorGroup cmdlet retrieves the connector group assigned for a specific application. |
| New-AzureADApplicationProxyApplication | The New-AzureADApplicationProxyApplication cmdlet creates a new application configured for Application Proxy in Azure Active Directory. |
| Remove-AzureADApplicationProxyApplication | Deletes an Application Proxy application. |
| Remove-AzureADApplicationProxyApplicationConnectorGroup | The Remove-AzureADApplicationProxyApplicationConnectorGroup cmdlet sets the connector group assigned for the specified application to 'Default' and removes the current assignment. |
| Set-AzureADApplicationProxyApplication | The Set-AzureADApplicationProxyApplication allows you to modify and set configurations for an application in Azure Active Directory configured to use ApplicationProxy. |
| Set-AzureADApplicationProxyApplicationCustomDomainCertificate | The Set-AzureADApplicationProxyApplicationCustomDomainCertificate cmdlet assigns a certificate to an application configured for Application Proxy in Azure Active Directory (AD). This will upload the certificate and allow the application to use Custom Domains. |
| Set-AzureADApplicationProxyApplicationSingleSignOn | The Set-AzureADApplicationProxyApplicationSingleSignOn cmdlet allows you to set and modify single sign-on (SSO) settings for an application configured for Application Proxy in Azure Active Directory. |
Application Proxy Connector Management
| Cmdlet | Description |
|---|---|
| Get-AzureADApplicationProxyConnector | The Get-AzureADApplicationProxyApplicationConnector cmdlet a list of all connectors, or if specified, details of a specific connector. |
| Get-AzureADApplicationProxyConnectorGroup | The Get-AzureADApplicationProxyConnectorGroup cmdlet retrieves a list of all connector groups, or if specified, details of a specific connector group. |
| Get-AzureADApplicationProxyConnectorGroupMembers | The Get-AzureADApplicationProxyConnectorGroupMembers gets all the Application Proxy connectors associated with the given connector group. |
| Get-AzureADApplicationProxyConnectorMemberOf | The Get-AzureADApplicationProxyConnectorMemberOf command gets the ConnectorGroup that the specified Connector is a member of. |
| New-AzureADApplicationProxyConnectorGroup | The New-AzureADApplicationProxyConnectorGroup cmdlet creates a new Application Proxy Connector group. |
| Remove-AzureADApplicationProxyConnectorGroup | The Remove-AzureADApplicationProxyConnectorGroup cmdlet deletes an Application Proxy Connector group. |
| Set-AzureADApplicationProxyApplicationConnectorGroup | The Set-AzureADApplicationProxyApplicationConnectorGroup cmdlet assigns the given connector group to a specified application. |
| Set-AzureADApplicationProxyConnector | The Set-AzureADApplicationProxyConnector cmdlet allows reassignment of the connector to another connector group. |
| Set-AzureADApplicationProxyConnectorGroup | The Set-AzureADApplicationProxyConnectorGroup cmdlet allows you to change the name of a given Application Proxy connector group. |
Applications
| Cmdlet | Description |
|---|---|
| Add-AzureADApplicationOwner | Adds an owner to an application. |
| Get-AzureADApplication | Gets an application. |
| Get-AzureADApplicationExtensionProperty | Gets application extension properties. |
| Get-AzureADApplicationKeyCredential | Gets the key credentials for an application. |
| Get-AzureADApplicationLogo | Retrieve the logo of an application |
| Get-AzureADApplicationOwner | Gets the owner of an application. |
| Get-AzureADApplicationPasswordCredential | Gets the password credential for an application. |
| Get-AzureADApplicationServiceEndpoint | Retrieve the service endpoint of an application |
| Get-AzureADDeletedApplication | Retrieves the list of previously deleted applications |
| New-AzureADApplication | Creates an application. |
| New-AzureADApplicationExtensionProperty | Creates an application extension property. |
| New-AzureADApplicationKeyCredential | Creates a key credential for an application. |
| New-AzureADApplicationPasswordCredential | Creates a password credential for an application. |
| Remove-AzureADApplication | Delete an application by objectId. |
| Remove-AzureADApplicationExtensionProperty | Removes an application extension property. |
| Remove-AzureADApplicationKeyCredential | Removes a key credential from an application. |
| Remove-AzureADApplicationOwner | Removes an owner from an application. |
| Remove-AzureADApplicationPasswordCredential | Removes a password credential from an application. |
| Set-AzureADApplication | Updates an application. |
| Set-AzureADApplicationLogo | Sets the logo for an Application |
| Cmdlet | Description |
|---|---|
| Get-AzureADTrustedCertificateAuthority | Gets the trusted certificate authority. |
| New-AzureADTrustedCertificateAuthority | Creates a trusted certificate authority. |
| Remove-AzureADTrustedCertificateAuthority | Removes a trusted certificate authority. |
| Set-AzureADTrustedCertificateAuthority | Updates a trusted certificate authority. |
Connect to your directory
| Cmdlet | Description |
|---|---|
| Connect-AzureAD | Connects with an authenticated account to use Active Directory cmdlet requests. |
| Disconnect-AzureAD | Disconnects the current session from an Azure Active Directory tenant. |
| Cmdlet | Description |
|---|---|
| Get-AzureADContact | Gets a contact from Azure Active Directory. |
| Get-AzureADContactDirectReport | Get the direct reports for a contact. |
| Get-AzureADContactManager | Gets the manager of a contact. |
| Get-AzureADContactMembership | Get a contact membership. |
| Get-AzureADContactThumbnailPhoto | Retrieves the thumbnail photo of a contact |
| Remove-AzureADContact | Removes a contact. |
| Remove-AzureADContactManager | Removes a contact's manager. |
| Select-AzureADGroupIdsContactIsMemberOf | Get groups in which a contact is a member. |
Contracts
| Cmdlet | Description |
|---|---|
| Get-AzureADContract | Gets a contract. |
Deleted Objects
| Cmdlet | Description |
|---|---|
| Restore-AzureADDeletedApplication | Restores a previously deleted application |
Devices
| Cmdlet | Description |
|---|---|
| Add-AzureADDeviceRegisteredOwner | Adds a registered owner for a device. |
| Add-AzureADDeviceRegisteredUser | Adds a registered user for a device. |
| Get-AzureADDevice | Gets a device from Active Directory. |
| Get-AzureADDeviceConfiguration | This cmdlet retrieves the device configuration object |
| Get-AzureADDeviceRegisteredOwner | Gets the registered owner of a device. |
| Get-AzureADDeviceRegisteredUser | Gets a registered user. |
| New-AzureADDevice | Creates a device. |
| Remove-AzureADDevice | Deletes a device. |
| Remove-AzureADDeviceRegisteredOwner | Removes the registered owner of a device. |
| Remove-AzureADDeviceRegisteredUser | Removes a registered user from a device. |
| Set-AzureADDevice | Updates a device. |
Directory
| Cmdlet | Description |
|---|---|
| Get-AzureADSubscribedSku | Gets subscribed SKUs to Microsoft services. |
| Get-AzureADTenantDetail | Gets the details of a tenant. |
| Set-AzureADTenantDetail | Set contact details for a tenant |
Directory Objects
| Cmdlet | Description |
|---|---|
| Get-AzureADObjectByObjectId | Retrieves the object(s) specified by the objectIds parameter |
Directory Roles
| Cmdlet | Description |
|---|---|
| Add-AzureADDirectoryRoleMember | Adds a member to a directory role. |
| Enable-AzureADDirectoryRole | Activates an existing directory role in Azure Active Directory. |
| Get-AzureADDirectoryRole | Gets a directory role. |
| Get-AzureADDirectoryRoleMember | Gets members of a directory role. |
| Get-AzureADDirectoryRoleTemplate | Gets directory role templates. |
| Get-AzureADMSRoleAssignment | Gets information about role assignments in Azure AD. |
| Get-AzureADMSRoleDefinition | Gets information about role definitions in Azure AD. |
| New-AzureADMSRoleAssignment | Creates an Azure AD role assignment. |
| New-AzureADMSRoleDefinition | Creates an Azure AD role definition. |
| Remove-AzureADDirectoryRoleMember | Removes a member of a directory role. |
| Remove-AzureADMSRoleAssignment | Removes an Azure AD role assignment. |
| Remove-AzureADMSRoleDefinition | Removes an Azure AD role definition. |
| Set-AzureADMSRoleDefinition | Update an existing Azure AD role definition. |
Domains
| Cmdlet | Description |
|---|---|
| Confirm-AzureADDomain | Validate the ownership of a domain. |
| Get-AzureADDomain | Gets a domain. |
| Get-AzureADDomainNameReference | This cmdlet retrieves the objects that are referenced by a given domain name |
| Get-AzureADDomainServiceConfigurationRecord | Gets the domain's service configuration records from the serviceConfigurationRecords navigation property. |
| Get-AzureADDomainVerificationDnsRecord | Retrieve the domain verification DNS record for a domain |
| New-AzureADDomain | Creates a domain. |
| Remove-AzureADDomain | Removes a domain. |
| Set-AzureADDomain | Updates a domain. |
Extension Properties
| Cmdlet | Description |
|---|---|
| Get-AzureADExtensionProperty | Gets extension properties registered with Azure AD. |
Groups
| Cmdlet | Description |
|---|---|
| Add-AzureADGroupMember | Adds a member to a group. |
| Add-AzureADGroupOwner | Adds an owner to a group. |
| Add-AzureADMSLifecyclePolicyGroup | Adds a group to a lifecycle policy |
| Get-AzureADGroup | Gets a group (via Microsoft Graph). |
| Get-AzureADGroupAppRoleAssignment | Gets a group application role assignment. |
| Get-AzureADGroupMember | Gets a member of a group. |
| Get-AzureADGroupOwner | Gets an owner of a group. |
| Get-AzureADMSGroup | Gets information about groups in the Microsoft Entra ID (via MS Graph). |
| Get-AzureADMSGroupLifecyclePolicy | Retrieves the properties and relationships of a groupLifecyclePolicies object in Azure Active Directory. If you specify no parameters, this cmdlet gets all groupLifecyclePolicies. |
| Get-AzureADMSLifecyclePolicyGroup | Retrieves the lifecycle policy object to which a group belongs. |
| New-AzureADGroup | Creates a group. |
| New-AzureADGroupAppRoleAssignment | Assign a group of users to an application role. |
| New-AzureADMSGroup | Creates an Azure AD group. |
| New-AzureADMSGroupLifecyclePolicy | Creates a new groupLifecyclePolicy |
| Remove-AzureADGroup | Removes a group. |
| Remove-AzureADGroupAppRoleAssignment | Delete a group application role assignment. |
| Remove-AzureADGroupMember | Removes a member from a group. |
| Remove-AzureADGroupOwner | Removes an owner from a group. |
| Remove-AzureADMSGroup | Removes an Azure AD group. |
| Remove-AzureADMSGroupLifecyclePolicy | Deletes a groupLifecyclePolicies object |
| Remove-AzureADMSLifecyclePolicyGroup | Removes a group from a lifecycle policy |
| Reset-AzureADMSLifeCycleGroup | Renews a group by updating the RenewedDateTime property on a group to the current DateTime. |
| Select-AzureADGroupIdsGroupIsMemberOf | Gets group IDs that a group is a member of. |
| Set-AzureADGroup | Updates a specific group in Azure Active Directory |
| Set-AzureADMSGroup | Sets the properties for an existing Azure AD group. |
| Set-AzureADMSGroupLifecyclePolicy | Updates a specific group Lifecycle Policy in Azure Active Directory |
OAuth2
| Cmdlet | Description |
|---|---|
| Get-AzureADOAuth2PermissionGrant | Gets OAuth2PermissionGrant entities. |
| Remove-AzureADOAuth2PermissionGrant | Removes an oAuth2PermissionGrant. |
Policies
| Cmdlet | Description |
|---|---|
| Get-AzureADMSAuthorizationPolicy | Gets an authorization policy, which represents a policy that can control Azure Active Directory authorization settings. |
| Set-AzureADMSAuthorizationPolicy | Updates an authorization policy, which represents a policy that can control Azure Active Directory authorization settings. |
Service Principals
| Cmdlet | Description |
|---|---|
| Add-AzureADServicePrincipalOwner | Adds an owner to a service principal. |
| Get-AzureADServiceAppRoleAssignedTo | Gets app role assignments for this app or service, granted to users, groups and other service principals. |
| Get-AzureADServiceAppRoleAssignment | Gets a service principal application role assignment. |
| Get-AzureADServicePrincipal | Gets a service principal. |
| Get-AzureADServicePrincipalCreatedObject | Get objects created by a service principal. |
| Get-AzureADServicePrincipalKeyCredential | Get key credentials for a service principal. |
| Get-AzureADServicePrincipalMembership | Get a service principal membership. |
| Get-AzureADServicePrincipalOAuth2PermissionGrant | Gets an oAuth2PermissionGrant object. |
| Get-AzureADServicePrincipalOwnedObject | Gets an object owned by a service principal. |
| Get-AzureADServicePrincipalOwner | Get the owner of a service principal. |
| Get-AzureADServicePrincipalPasswordCredential | Get credentials for a service principal. |
| New-AzureADServiceAppRoleAssignment | Assigns an app role to a user, a group, or another service principal. |
| New-AzureADServicePrincipal | Creates a service principal. |
| New-AzureADServicePrincipalKeyCredential | Create a new key credential for a service principal |
| New-AzureADServicePrincipalPasswordCredential | Creates a password credential for a service principal. |
| Remove-AzureADServiceAppRoleAssignment | Removes a service principal application role assignment. |
| Remove-AzureADServicePrincipal | Removes a service principal. |
| Remove-AzureADServicePrincipalKeyCredential | Removes a key credential from a service principal. |
| Remove-AzureADServicePrincipalOwner | Removes an owner from a service principal. |
| Remove-AzureADServicePrincipalPasswordCredential | Removes a password credential from a service principal. |
| Select-AzureADGroupIdsServicePrincipalIsMemberOf | Selects the groups in which a service principal is a member. |
| Set-AzureADServicePrincipal | Updates a service principal. |
Users
| Cmdlet | Description |
|---|---|
| Get-AzureADUser | Gets a user. |
| Get-AzureADUserAppRoleAssignment | Get a user application role assignment. |
| Get-AzureADUserCreatedObject | Get objects created by the user. |
| Get-AzureADUserDirectReport | Get the user's direct reports. |
| Get-AzureADUserExtension | Gets a user extension. |
| Get-AzureADUserLicenseDetail | Retrieves license details for a user |
| Get-AzureADUserManager | Gets the manager of a user. |
| Get-AzureADUserMembership | Get user memberships. |
| Get-AzureADUserOAuth2PermissionGrant | Gets an oAuth2PermissionGrant object. |
| Get-AzureADUserOwnedDevice | Get registered devices owned by a user. |
| Get-AzureADUserOwnedObject | Get objects owned by a user. |
| Get-AzureADUserRegisteredDevice | Get devices registered by a user. |
| Get-AzureADUserThumbnailPhoto | Retrieve the thumbnail photo of a user |
| New-AzureADMSInvitation | This cmdlet is used to invite a new external user to your directory. |
| New-AzureADUser | Creates an Azure AD user. |
| New-AzureADUserAppRoleAssignment | Assigns a user to an application role. |
| Remove-AzureADUser | Removes a user. |
| Remove-AzureADUserAppRoleAssignment | Removes a user application role assignment. |
| Remove-AzureADUserExtension | Removes a user extension. |
| Remove-AzureADUserManager | Removes a user's manager. |
| Revoke-AzureADSignedInUserAllRefreshToken | Invalidates the refresh tokens issued to applications for the current user. |
| Revoke-AzureADUserAllRefreshToken | Invalidates the refresh tokens issued to applications for a user. |
| Select-AzureADGroupIdsUserIsMemberOf | Selects the groups that a user is a member of. |
| Set-AzureADUser | Updates a user. |
| Set-AzureADUserExtension | Sets a user extension. |
| Set-AzureADUserLicense | Adds or removes licenses for a Microsoft online service to the list of assigned licenses for a user. Note The Set-AzureADUserLicense cmdlet is deprecated. Learn how to assign licenses with Microsoft Graph PowerShell. For more info, see the Assign License Microsoft Graph API. |
| Set-AzureADUserManager | Updates a user's manager. |
| Set-AzureADUserPassword | Sets the password of a user. |
| Set-AzureADUserThumbnailPhoto | Set the thumbnail photo for a user |
| Update-AzureADSignedInUserPassword | Updates the password for the signed-in user. |
AzureAD
| Cmdlet | Description |
|---|---|
| Add-AzureADMSApplicationOwner | Adds an owner for an application object. |
| Add-AzureADMSServicePrincipalDelegatedPermissionClassification | Add a classification for a delegated permission. |
| Get-AzureADApplicationProxyConnectorGroupMember | {{ Fill in the Synopsis }} |
| Get-AzureADCurrentSessionInfo | This cmdlet will return the current session state |
| Get-AzureADMSApplication | Retrieves the list of applications within the organization. |
| Get-AzureADMSApplicationExtensionProperty | Retrieves the list of extension properties on an application object. |
| Get-AzureADMSApplicationOwner | Retrieves the list of owners for an application object. |
| Get-AzureADMSConditionalAccessPolicy | Gets an Azure Active Directory conditional access policy. |
| Get-AzureADMSDeletedDirectoryObject | This cmdlet is used to retrieve a soft deleted directory object from the directory |
| Get-AzureADMSDeletedGroup | This cmdlet is used to retrieve the soft deleted groups in a directory. |
| Get-AzureADMSIdentityProvider | This cmdlet is used to retrieve the configured identity providers in the directory. |
| Get-AzureADMSNamedLocationPolicy | Gets an Azure Active Directory named location policy. |
| Get-AzureADMSPermissionGrantConditionSet | Get an Azure Active Directory permission grant condition set by id. |
| Get-AzureADMSPermissionGrantPolicy | Gets a permission grant policy. |
| Get-AzureADMSServicePrincipalDelegatedPermissionClassification | Retreive the delegated permission classification objects on a service principal. |
| Get-CrossCloudVerificationCode | Gets the verification code used to validate the ownership of the domain in another connected cloud. Important: Only applies to a verified domain. |
| New-AzureADMSApplication | Creates (registers) a new application object. |
| New-AzureADMSApplicationExtensionProperty | Creates an extension property on an application object. |
| New-AzureADMSApplicationKey | Adds a new key to an application. |
| New-AzureADMSApplicationPassword | Adds a strong password to an application. |
| New-AzureADMSConditionalAccessPolicy | Creates a new conditional access policy in Azure Active Directory. |
| New-AzureADMSIdentityProvider | This cmdlet is used to configure a new identity provider in the directory. |
| New-AzureADMSNamedLocationPolicy | Creates a new named location policy in Azure Active Directory. |
| New-AzureADMSPermissionGrantConditionSet | Create a new Azure Active Directory permission grant condition set in a given policy. |
| New-AzureADMSPermissionGrantPolicy | Creates a permission grant policy. |
| Remove-AzureADDeletedApplication | {{ Fill in the Synopsis }} |
| Remove-AzureADMSApplication | Deletes an application object. |
| Remove-AzureADMSApplicationExtensionProperty | Deletes an extension property from an application object. |
| Remove-AzureADMSApplicationKey | Removes a key from an application. |
| Remove-AzureADMSApplicationOwner | Removes an owner from an application object. |
| Remove-AzureADMSApplicationPassword | Remove a password from an application. |
| Remove-AzureADMSApplicationVerifiedPublisher | Removes the verified publisher from an application. |
| Remove-AzureADMSConditionalAccessPolicy | Deletes a conditional access policy in Azure Active Directory by Id. |
| Remove-AzureADMSDeletedDirectoryObject | This cmdlet is used to permanently delete a previously deleted directory object |
| Remove-AzureADMSIdentityProvider | This cmdlet is used to delete an identity provider in the directory. |
| Remove-AzureADMSNamedLocationPolicy | Deletes an Azure Active Directory named location policy by PolicyId. |
| Remove-AzureADMSPermissionGrantConditionSet | Delete an Azure Active Directory permission grant condition set by id |
| Remove-AzureADMSPermissionGrantPolicy | Removes a permission grant policy. |
| Remove-AzureADMSServicePrincipalDelegatedPermissionClassification | Remove delegated permission classification. |
| Restore-AzureADMSDeletedDirectoryObject | This cmdlet is used to restore a previously deleted object. |
| Set-AzureADMSAdministrativeUnit | Updates an administrative unit. |
| Set-AzureADMSApplication | Updates the properties of an application object. |
| Set-AzureADMSApplicationLogo | Sets the logo for an application object. |
| Set-AzureADMSApplicationVerifiedPublisher | Sets the verified publisher of an application to a verified Microsoft Partner Network (MPN) identifier. |
| Set-AzureADMSConditionalAccessPolicy | Updates a conditional access policy in Azure Active Directory by Id. |
| Set-AzureADMSIdentityProvider | This cmdlet is used to update the properties of an existing identity provider configured in the directory. |
| Set-AzureADMSNamedLocationPolicy | Updates a named location policy in Azure Active Directory by PolicyId. |
| Set-AzureADMSPermissionGrantConditionSet | Update an existing Azure Active Directory permission grant condition set. |
| Set-AzureADMSPermissionGrantPolicy | Updates a permission grant policy. |