PowerShell Basics: Azure AD Management Commands

Now that we’ve covered the basics in my previous post, Step-By-Step: Intro to Managing Azure AD via PowerShell, we’ll take a look at the commands available to further manage you Azure AD deployment. Some of the commands currently used for on-premises Active Directory Management will also work for Azure Active Directory or differ very little. For example, in an on-premises AD deployment, New-ADUser is used to add user, in Azure AD it becomes New-​Msol​User. The following are a list of commands available to manage Azure AD in PowerShell.


More information about a command can view using,

Get-Help New-​Msol​User –Detailed


Technical Information about thecommand can view using,

Get-Help New-​Msol​User –Full


Online information about the command can view using,

Get-Help New-Msol​User –Online


We also can view some example for the command using,

Get-Help New-Msol​User –Example




We can simply create new user using,

New-MsolUser -UserPrincipalName "jeffm@therebeladmin.com" -DisplayName "Jeff Mak" -FirstName "Jeff" -LastName "Mak" -PasswordNeverExpires $true




In order to create a user, you need to connect to Azure AD with a user who has “Global Admin” role.

In above command UserPrincipalName specify the UPN and user password s set not to expire.

It is obvious sometime we need to change password of an existing account.


Set-MsolUserPassword -UserPrincipalName "jeffm@therebeladmin.com" -NewPassword "pa$$word"

The above command will reset the password for the jeffm@therebeladmin.com in to new password.


Instead of specifying password, following command will generate random password and force user to reset it on next login.

Set-MsolUserPassword -UserPrincipalName "jeffm@therebeladmin.com" -ForceChangePassword $true



Azure Active Directory does have predefined administrative roles with different capabilities. This allows administrators to assign permissions to users to do only certain tasks.

More details about these administrative roles and their capabilities can found on https://docs.microsoft.com/en-us/azure/active-directory/active-directory-assign-admin-roles

We can list down these administrative roles using




According to requirements, we can add users to these administrative roles.

Add-MsolRoleMember -RoleName "User Account Administrator" -RoleMemberObjectId "e74c79ec-250f-4a47-80dd-78022455e383"


Above command will add user with object id e74c79ec-250f-4a47-80dd-78022455e383 to the role.

In order to view existing members of different administrator roles, we can use command similar to below.

$RoleMembers = Get-MsolRole -RoleName "User Account Administrator"

Get-MsolRoleMember -RoleObjectId $RoleMembers.ObjectId


This will list down the users with User Account Administrator role assigned.



Apart from the roles, AD also have security groups.

New-MsolGroup -DisplayName "HelpDesk" -Description "Help Desk Users"

Above command creates a group called HelpDesk




A group contains members. We can add members to group using commands similar to below.

Add-MsolGroupMember -GroupObjectId a53cc08c-6ffa-4bd6-8b03-807740e100f1 -GroupMemberType User -GroupMemberObjectId e74c79ec-250f-4a47-80dd-78022455e383


This will add user with object id e74c79ec-250f-4a47-80dd-78022455e383 to group with object id a53cc08c-6ffa-4bd6-8b03-807740e100f1.

We can list down the users of the group using

Get-MsolGroupMember -GroupObjectId a53cc08c-6ffa-4bd6-8b03-807740e100f1




We can view all the groups and their group ids using




In order to remove member from the security group we can use Remove-MsoLGroupMember cmdlet.

Remove-MsoLGroupMember -GroupObjectId a53cc08c-6ffa-4bd6-8b03-807740e100f1 -GroupMemberType User -GroupmemberObjectId e74c79ec-250f-4a47-80dd-78022455e383


In order to remove a user from administrator role we can use Remove-MsolRoleMember cmdlet.

Remove-MsolRoleMember -RoleName "User Account Administrator" -RoleMemberType User -RoleMemberObjectId "e74c79ec-250f-4a47-80dd-78022455e383"


Above command will remove user with object id e74c79ec-250f-4a47-80dd-78022455e383 from the group User Account Administrator

Comments (0)

Skip to main content