How do I install and connect to Microsoft Graph PowerShell?

Install with: Install-Module Microsoft.Graph -Scope CurrentUser. Connect with: Connect-MgGraph -Scopes User.Read.All,Group.Read.All. You will need to consent to permissions. Use Disconnect-MgGraph when done.

What scopes do I need for common operations?

User management: User.ReadWrite.All. Group management: Group.ReadWrite.All. MFA reports: Reports.Read.All, UserAuthenticationMethod.Read.All. License management: Organization.Read.All, User.ReadWrite.All. Directory roles: RoleManagement.Read.Directory.

How do I export all users with their MFA status?

Use Get-MgUser with the AuthenticationMethods API. First get users with Get-MgUser -All, then for each user query Get-MgUserAuthenticationMethod. This identifies users without MFA configured for security compliance reporting.

Home/Tools/Developer/Azure AD PowerShell Generator (Microsoft Graph)

Azure AD PowerShell Generator (Microsoft Graph)

Generate Microsoft Graph PowerShell commands for Azure AD user management, group operations, MFA status reports, license management, and Entra ID administration.

100% Private - Runs Entirely in Your Browser

No data is sent to any server. All processing happens locally on your device.

Loading Azure AD PowerShell Generator (Microsoft Graph)...

Loading interactive tool...

JavaScript Required

This interactive tool requires JavaScript to function. Please enable JavaScript in your browser to use the full features.

The tool description and documentation above provide information about this tool's capabilities. For the best experience, please enable JavaScript and refresh the page.

DevOps & Development Experts

From CI/CD pipelines to custom applications, our team builds secure solutions that scale.

Learn About DevOps Consulting Explore Software Development

What Is Azure AD PowerShell

Azure Active Directory (now Microsoft Entra ID) PowerShell modules enable administrators to manage identity, access, and directory services programmatically. Instead of clicking through the Azure portal for each user, group, or policy change, PowerShell commands allow bulk operations, automation, and scripted management of cloud identities at enterprise scale.

Two primary modules exist: the older MSOnline (MSOL) module and the newer Microsoft Graph PowerShell SDK. Microsoft is deprecating MSOL in favor of the Graph SDK, making it essential for administrators to understand both modules during the transition period.

Module Comparison

Feature	MSOnline (MSOL)	AzureAD Module	Microsoft Graph PowerShell
Status	Deprecated (March 2024)	Deprecated	Current / Recommended
Authentication	Basic + MFA	Basic + MFA	Modern auth, certificate, managed identity
Scope	Azure AD only	Azure AD only	All Microsoft 365 services
Command prefix	Msol-	AzureAD-	Mg-
Install	Install-Module MSOnline	Install-Module AzureAD	Install-Module Microsoft.Graph

Common Use Cases

Bulk user management: Create, modify, disable, or delete hundreds of user accounts using CSV imports and PowerShell loops
License assignment automation: Assign and remove Microsoft 365 licenses based on group membership, department, or custom attributes
Security policy enforcement: Configure Conditional Access policies, MFA settings, and password policies programmatically
Audit and compliance reporting: Extract sign-in logs, MFA registration status, guest user inventories, and privilege reports for auditors
Onboarding/offboarding automation: Script the complete onboarding (create account, assign licenses, add to groups, send welcome email) and offboarding (disable, remove licenses, transfer mailbox) workflows

Best Practices

Migrate to Microsoft Graph PowerShell — MSOL and AzureAD modules are deprecated. Start migrating scripts to use the Microsoft.Graph SDK now to avoid breaking changes.
Use certificate-based authentication for automation — Service principals with certificates are more secure than stored credentials for unattended scripts. Never hardcode passwords in scripts.
Apply least-privilege permissions — When connecting to Microsoft Graph, request only the scopes your script needs. Avoid using broad permissions like Directory.ReadWrite.All when Directory.Read.All suffices.
Test in a non-production tenant — Use an Azure AD development tenant for testing scripts before running them against production. Bulk operations cannot easily be undone.
Log all administrative actions — Pipe script output to log files and enable Azure AD audit logs. Administrative changes should be traceable for compliance and incident investigation.

Frequently Asked Questions

Common questions about the Azure AD PowerShell Generator (Microsoft Graph)

The AzureAD and MSOnline modules are deprecated and will be retired. Microsoft Graph PowerShell is the recommended replacement with ongoing support, new features, and better security. It provides access to the full Microsoft 365 ecosystem through a unified API.