Free Microsoft Graph PowerShell SDK command builder for Entra ID (Azure AD). Generate copy-ready scripts for users, groups, MFA reports, licensing, roles, sign-in logs, and devices - each with the minimal Connect-MgGraph scopes. Legacy AzureAD equivalents included.
Azure Active Directory (now Microsoft Entra ID) PowerShell modules enable administrators to manage identity, access, and directory services programmatically. Instead of clicking through the Azure portal for each user, group, or policy change, PowerShell commands allow bulk operations, automation, and scripted management of cloud identities at enterprise scale.
Two primary modules exist: the older MSOnline (MSOL) module and the newer Microsoft Graph PowerShell SDK. Microsoft is deprecating MSOL in favor of the Graph SDK, making it essential for administrators to understand both modules during the transition period.
| Feature | MSOnline (MSOL) | AzureAD Module | Microsoft Graph PowerShell |
|---|---|---|---|
| Status | Deprecated (March 2024) | Deprecated | Current / Recommended |
| Authentication | Basic + MFA | Basic + MFA | Modern auth, certificate, managed identity |
| Scope | Azure AD only | Azure AD only | All Microsoft 365 services |
| Command prefix | Msol- | AzureAD- | Mg- |
| Install | Install-Module MSOnline | Install-Module AzureAD | Install-Module Microsoft.Graph |
The AzureAD and MSOnline modules were deprecated and retired by Microsoft on March 30, 2025. The Microsoft Graph PowerShell SDK is the supported replacement, built on the Microsoft Graph API, and receives all new features and security fixes. This builder generates Graph commands by default and only shows the old AzureAD/MSOnline equivalents as a secondary reference where they still function.
Install the SDK for your account with Install-Module Microsoft.Graph -Scope CurrentUser -Force (no admin rights needed). Then connect with Connect-MgGraph -Scopes "User.Read.All" (or whichever scopes your task needs). On a headless server use -UseDeviceCode, and for unattended automation use app-only auth with -ClientId and -CertificateThumbprint. Run Disconnect-MgGraph when finished.
Scopes are the delegated permissions you grant to a Connect-MgGraph session. Requesting the minimum needed (for example User.Read.All for a read instead of Directory.ReadWrite.All) follows least-privilege and reduces risk if the session is compromised. This tool sets the smallest scope set for each task automatically and shows it above the generated script, along with the Entra role required to run it.
Use Get-MgUserAuthenticationMethod -UserId user@contoso.com to list the authentication methods registered for a user. The builder's "List users without MFA registered" task loops every user and flags anyone whose only method is the password, and the "Per-user MFA method report" task builds a full export. Both need the UserAuthenticationMethod.Read.All scope.
A usage location must be set first: Update-MgUser -UserId user@contoso.com -UsageLocation "US". Then resolve the SKU ID from its part number with Get-MgSubscribedSku and call Set-MgUserLicense -UserId user@contoso.com -AddLicenses @{ SkuId = $skuId } -RemoveLicenses @(). To remove, pass the SKU ID in -RemoveLicenses instead. The License Administrator role is required.
The SignInActivity property (used by the last sign-in and inactive-user reports) requires an Entra ID P1 or P2 license and the AuditLog.Read.All scope. Without both, the field returns null for every user. Connect with Connect-MgGraph -Scopes "AuditLog.Read.All","User.Read.All" and confirm the tenant has the right licensing.
Block sign-in with Update-MgUser -UserId user@contoso.com -AccountEnabled:$false, then immediately revoke active tokens with Revoke-MgUserSignInSession -UserId user@contoso.com so existing sessions are signed out. The builder's "Disable an account" task generates both steps. Deleting a user (Remove-MgUser) is a soft delete; the account stays restorable for 30 days.
Yes. Reporting, licensing, group, MFA, and device tasks expose an optional CSV export path field. When you fill it in, the generated script pipes the results to Export-Csv -Path "C:\Reports\report.csv" -NoTypeInformation -Encoding UTF8 instead of formatting to the console, so you can open the output in Excel or hand it to compliance.