
Microsoft Graph PowerShell Command Builder (Azure AD / Entra ID)

Build complete, runnable Microsoft Graph PowerShell SDK scripts for Entra ID (Azure AD): connect with minimal scopes, manage users and groups, report on MFA registration, assign licenses, handle directory roles, pull sign-in and audit logs, and clean up stale devices. Every script includes the module install check, Connect-MgGraph with the least-privilege scopes for that task, and Disconnect-MgGraph.


What Is Azure AD PowerShell

Azure Active Directory (now Microsoft Entra ID) PowerShell modules enable administrators to manage identity, access, and directory services programmatically. Instead of clicking through the Azure portal for each user, group, or policy change, PowerShell commands allow bulk operations, automation, and scripted management of cloud identities at enterprise scale.

Two generations of modules exist: the legacy MSOnline (MSOL) and AzureAD modules, and the newer Microsoft Graph PowerShell SDK. Microsoft is deprecating the legacy modules in favor of the Graph SDK, so administrators need to understand both during the transition period.

Module Comparison

Feature        | MSOnline (MSOL)          | AzureAD Module          | Microsoft Graph PowerShell
Status         | Deprecated (March 2024)  | Deprecated              | Current / Recommended
Authentication | Basic + MFA              | Basic + MFA             | Modern auth, certificate, managed identity
Scope          | Azure AD only            | Azure AD only           | All Microsoft 365 services
Command prefix | Msol-                    | AzureAD-                | Mg-
Install        | Install-Module MSOnline  | Install-Module AzureAD  | Install-Module Microsoft.Graph

Common Use Cases

  • Bulk user management: Create, modify, disable, or delete hundreds of user accounts using CSV imports and PowerShell loops
  • License assignment automation: Assign and remove Microsoft 365 licenses based on group membership, department, or custom attributes
  • Security policy enforcement: Configure Conditional Access policies, MFA settings, and password policies programmatically
  • Audit and compliance reporting: Extract sign-in logs, MFA registration status, guest user inventories, and privilege reports for auditors
  • Onboarding/offboarding automation: Script the complete onboarding (create account, assign licenses, add to groups, send welcome email) and offboarding (disable, remove licenses, transfer mailbox) workflows

Best Practices

  1. Migrate to Microsoft Graph PowerShell — MSOL and AzureAD modules are deprecated. Start migrating scripts to use the Microsoft.Graph SDK now to avoid breaking changes.
  2. Use certificate-based authentication for automation — Service principals with certificates are more secure than stored credentials for unattended scripts. Never hardcode passwords in scripts.
  3. Apply least-privilege permissions — When connecting to Microsoft Graph, request only the scopes your script needs. Avoid using broad permissions like Directory.ReadWrite.All when Directory.Read.All suffices.
  4. Test in a non-production tenant — Use an Azure AD development tenant for testing scripts before running them against production. Bulk operations cannot easily be undone.
  5. Log all administrative actions — Pipe script output to log files and enable Azure AD audit logs. Administrative changes should be traceable for compliance and incident investigation.

Frequently Asked Questions

Common questions about the Microsoft Graph PowerShell Command Builder (Azure AD / Entra ID)

The AzureAD and MSOnline modules were deprecated and retired by Microsoft on March 30, 2025. The Microsoft Graph PowerShell SDK is the supported replacement, built on the Microsoft Graph API, and receives all new features and security fixes. This builder generates Graph commands by default and only shows the old AzureAD/MSOnline equivalents as a secondary reference where they still function.

Install the SDK for your account with Install-Module Microsoft.Graph -Scope CurrentUser -Force (no admin rights needed). Then connect with Connect-MgGraph -Scopes "User.Read.All" (or whichever scopes your task needs). On a headless server use -UseDeviceCode, and for unattended automation use app-only auth with -ClientId and -CertificateThumbprint. Run Disconnect-MgGraph when finished.

Scopes are the delegated permissions you grant to a Connect-MgGraph session. Requesting the minimum needed (for example User.Read.All for a read instead of Directory.ReadWrite.All) follows least-privilege and reduces risk if the session is compromised. This tool sets the smallest scope set for each task automatically and shows it above the generated script, along with the Entra role required to run it.

Use Get-MgUserAuthenticationMethod -UserId <user@domain> to list the authentication methods registered for a user. The builder's "List users without MFA registered" task loops over every user and flags anyone whose only method is the password, and the "Per-user MFA method report" task builds a full export. Both need the UserAuthenticationMethod.Read.All scope.
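The "users without MFA registered" task written out end to end, as an added example rather than the builder's generated output. It assumes the Microsoft.Graph module can be installed for the current user, that the caller can consent to the two read scopes, and an output path of its own choosing; each method's concrete type is read from its @odata.type so that a password-only user is flagged.

```powershell
# Added example: report enabled users whose only registered authentication
# method is a password. The output path below is an assumed default.
param(
    [string]$OutputPath = "C:\Reports\users-without-mfa.csv"
)

# Install check, per the builder's convention (no admin rights needed for CurrentUser).
if (-not (Get-Module -ListAvailable -Name Microsoft.Graph.Users)) {
    Install-Module Microsoft.Graph -Scope CurrentUser -Force
}

# Least-privilege delegated scopes for this task: read users and read their auth methods.
Connect-MgGraph -Scopes "User.Read.All","UserAuthenticationMethod.Read.All" -NoWelcome

try {
    $users = Get-MgUser -All -Filter "accountEnabled eq true" -Property Id,UserPrincipalName

    $report = foreach ($u in $users) {
        # Each method object exposes its concrete type in AdditionalProperties['@odata.type'],
        # e.g. "#microsoft.graph.passwordAuthenticationMethod"; strip the prefix for readability.
        $types = Get-MgUserAuthenticationMethod -UserId $u.Id |
            ForEach-Object { $_.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', '' }

        # Anything other than the password method counts as a registered MFA/passwordless method.
        $strong = @($types | Where-Object { $_ -ne 'passwordAuthenticationMethod' })

        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            MfaRegistered     = ($strong.Count -gt 0)
            Methods           = ($types -join ';')
        }
    }

    # Only password-only accounts go to the CSV; open it in Excel or hand it to compliance.
    $report | Where-Object { -not $_.MfaRegistered } |
        Export-Csv -Path $OutputPath -NoTypeInformation -Encoding UTF8

    Write-Host ("{0} of {1} enabled users have no MFA method registered" -f
        @($report | Where-Object { -not $_.MfaRegistered }).Count, @($report).Count)
}
finally {
    # Always tear the session down, even if a Graph call threw.
    Disconnect-MgGraph | Out-Null
}
```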

A usage location must be set first: Update-MgUser -UserId <user@domain> -UsageLocation "US". Then resolve the SKU ID from its part number with Get-MgSubscribedSku and call Set-MgUserLicense -UserId <user@domain> -AddLicenses @{ SkuId = $skuId } -RemoveLicenses @(). To remove a license, pass the SKU ID in -RemoveLicenses instead. The License Administrator role is required.
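The license-assignment steps above combined into one script, as an added example that is not the builder's own output. It assumes a SKU part number passed by the caller (the default "ENTERPRISEPACK" is the part number Microsoft uses for Office 365 E3; substitute your own) and adds the checks a practitioner wants before touching a license: the SKU exists, a seat is free, the usage location is set, and the user does not already hold the license.

```powershell
# Added example: assign a license by SKU part number with pre-flight checks.
# $Upn and $SkuPartNumber are assumed inputs; nothing here comes from the builder.
param(
    [Parameter(Mandatory)][string]$Upn,
    [string]$SkuPartNumber = "ENTERPRISEPACK",
    [string]$UsageLocation = "US"
)

# Minimal scopes: write the user (usage location + license) and read tenant SKUs.
Connect-MgGraph -Scopes "User.ReadWrite.All","Organization.Read.All" -NoWelcome

try {
    # Resolve the human-readable part number to the GUID Set-MgUserLicense expects.
    $sku = Get-MgSubscribedSku -All | Where-Object SkuPartNumber -eq $SkuPartNumber
    if (-not $sku) { throw "SKU '$SkuPartNumber' is not present in this tenant." }

    # Refuse rather than let Graph fail later when the pool is exhausted.
    $free = $sku.PrepaidUnits.Enabled - $sku.ConsumedUnits
    if ($free -lt 1) {
        throw "No free seats for $SkuPartNumber ($($sku.ConsumedUnits)/$($sku.PrepaidUnits.Enabled) in use)."
    }

    $user = Get-MgUser -UserId $Upn -Property Id,UserPrincipalName,UsageLocation,AssignedLicenses

    # Graph rejects a license assignment for a user with no usage location.
    if (-not $user.UsageLocation) {
        Update-MgUser -UserId $user.Id -UsageLocation $UsageLocation
    }

    # Idempotent: re-running the script for the same user is a no-op.
    if ($user.AssignedLicenses.SkuId -contains $sku.SkuId) {
        Write-Host "$($user.UserPrincipalName) already holds $SkuPartNumber"
        return
    }

    Set-MgUserLicense -UserId $user.Id `
        -AddLicenses @(@{ SkuId = $sku.SkuId }) `
        -RemoveLicenses @() | Out-Null

    Write-Host "Assigned $SkuPartNumber to $($user.UserPrincipalName)"
}
finally {
    Disconnect-MgGraph | Out-Null
}
```

To remove the same license, swap the two arrays: pass @($sku.SkuId) to -RemoveLicenses and @() to -AddLicenses.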

The SignInActivity property (used by the last sign-in and inactive-user reports) requires an Entra ID P1 or P2 license and the AuditLog.Read.All scope. Without both, the field returns null for every user. Connect with Connect-MgGraph -Scopes "AuditLog.Read.All","User.Read.All" and confirm the tenant has the right licensing.

Block sign-in with Update-MgUser -UserId <user@domain> -AccountEnabled:$false, then immediately revoke active tokens with Revoke-MgUserSignInSession -UserId <user@domain> so existing sessions are signed out. The builder's "Disable an account" task generates both steps. Deleting a user (Remove-MgUser) is a soft delete; the account stays restorable for 30 days.

Yes. Reporting, licensing, group, MFA, and device tasks expose an optional CSV export path field. When you fill it in, the generated script pipes the results to Export-Csv -Path "C:\Reports\report.csv" -NoTypeInformation -Encoding UTF8 instead of formatting to the console, so you can open the output in Excel or hand it to compliance.
