Now that we’ve covered the basics in my previous post, Step-By-Step: Intro to Managing Azure AD via PowerShell, we’ll take a look at the commands available to further manage you Azure AD deployment. Some of the commands currently used for on-premises Active Directory Management will also work for Azure Active Directory or differ very little. For example, in an on-premises AD deployment, New-ADUser is used to add user, in Azure AD it becomes New-MsolUser. The following are a list of commands available to manage Azure AD in PowerShell.
More information about a command can view using,
Get-Help New-MsolUser –Detailed
Technical Information about thecommand can view using,
Get-Help New-MsolUser –Full
Online information about the command can view using,
Get-Help New-MsolUser –Online
We also can view some example for the command using,
Get-Help New-MsolUser –Example
We can simply create new user using,
New-MsolUser -UserPrincipalName "firstname.lastname@example.org" -DisplayName "Jeff Mak" -FirstName "Jeff" -LastName "Mak" -PasswordNeverExpires $true
In order to create a user, you need to connect to Azure AD with a user who has “Global Admin” role.
In above command UserPrincipalName specify the UPN and user password s set not to expire.
It is obvious sometime we need to change password of an existing account.
Set-MsolUserPassword -UserPrincipalName "email@example.com" -NewPassword "pa$$word"
The above command will reset the password for the firstname.lastname@example.org in to new password.
Instead of specifying password, following command will generate random password and force user to reset it on next login.
Set-MsolUserPassword -UserPrincipalName "email@example.com" -ForceChangePassword $true
Azure Active Directory does have predefined administrative roles with different capabilities. This allows administrators to assign permissions to users to do only certain tasks.
More details about these administrative roles and their capabilities can found on https://docs.microsoft.com/en-us/azure/active-directory/active-directory-assign-admin-roles
We can list down these administrative roles using
According to requirements, we can add users to these administrative roles.
Add-MsolRoleMember -RoleName "User Account Administrator" -RoleMemberObjectId "e74c79ec-250f-4a47-80dd-78022455e383"
Above command will add user with object id e74c79ec-250f-4a47-80dd-78022455e383 to the role.
In order to view existing members of different administrator roles, we can use command similar to below.
$RoleMembers = Get-MsolRole -RoleName "User Account Administrator"
Get-MsolRoleMember -RoleObjectId $RoleMembers.ObjectId
This will list down the users with User Account Administrator role assigned.
Apart from the roles, AD also have security groups.
New-MsolGroup -DisplayName "HelpDesk" -Description "Help Desk Users"
Above command creates a group called HelpDesk
A group contains members. We can add members to group using commands similar to below.
Add-MsolGroupMember -GroupObjectId a53cc08c-6ffa-4bd6-8b03-807740e100f1 -GroupMemberType User -GroupMemberObjectId e74c79ec-250f-4a47-80dd-78022455e383
This will add user with object id e74c79ec-250f-4a47-80dd-78022455e383 to group with object id a53cc08c-6ffa-4bd6-8b03-807740e100f1.
We can list down the users of the group using
Get-MsolGroupMember -GroupObjectId a53cc08c-6ffa-4bd6-8b03-807740e100f1
We can view all the groups and their group ids using
In order to remove member from the security group we can use Remove-MsoLGroupMember cmdlet.
Remove-MsoLGroupMember -GroupObjectId a53cc08c-6ffa-4bd6-8b03-807740e100f1 -GroupMemberType User -GroupmemberObjectId e74c79ec-250f-4a47-80dd-78022455e383
In order to remove a user from administrator role we can use Remove-MsolRoleMember cmdlet.
Remove-MsolRoleMember -RoleName "User Account Administrator" -RoleMemberType User -RoleMemberObjectId "e74c79ec-250f-4a47-80dd-78022455e383"
Above command will remove user with object id e74c79ec-250f-4a47-80dd-78022455e383 from the group User Account Administrator