For Active Directory (AD) administrators, using native AD tools for recurring tasks can be time-consuming. PowerShell is a scripting language built into Windows that can tackle this issue by automating repetitive tasks. While Azure AD PowerShell has been a reliable tool for managing Azure AD, there is now a need to shift towards Microsoft Graph PowerShell. This article provides a brief introduction to AD automation with PowerShell.
What is Microsoft Graph PowerShell?
Microsoft Graph PowerShell is a scripting module built on top of standard PowerShell that interacts with the Microsoft Graph API. Microsoft Graph is the central hub for managing Microsoft services, including Azure AD. Microsoft Graph PowerShell is a bridge between the familiar PowerShell environment and the capabilities of Microsoft Graph.
Why should one use Microsoft Graph PowerShell?
- Automate repetitive tasks: PowerShell lets you script routine tasks. With a single execution, you can, say, create a new user account, add it to the relevant groups, and set up its mailbox.
- Handle bulk operations: Microsoft Graph PowerShell lets you manage large numbers of objects. You can create or disable multiple user accounts, update group memberships for a department, or reset passwords for a group in a single script.
- Gain more control: Fine-grained control is easier with PowerShell. You can control password expiration policies, configure conditional access with specific criteria, and assign specific application permissions.
- Integrate with automation tools: PowerShell scripts can integrate with automation tools like System Center Orchestrator or Azure Automation. This helps build complex workflows that interact with Azure AD and other IT systems.
Why are we shifting from Azure AD PowerShell to Microsoft Graph PowerShell?
The key reason for the shift is that Azure AD PowerShell was deprecated on March 30, 2024. This means that the Azure AD PowerShell modules will no longer receive new features or bug fixes. Microsoft is moving towards Microsoft Graph as the central platform for interacting with its services. Microsoft Graph PowerShell is built on this API, so it stays aligned with Microsoft's future development direction. If you are already an Azure AD PowerShell user, you can transition to Microsoft Graph PowerShell using this migration guide.
Using Microsoft Graph PowerShell for Azure AD automation
To begin automating tasks with PowerShell, you need to have the Microsoft Graph PowerShell SDK. Here’s how to install the Microsoft Graph PowerShell SDK:
Prerequisites:
- Windows PowerShell 5.1 or later: You can verify the version by running $PSVersionTable.PSVersion in a PowerShell window. If you need to upgrade, download and install the latest version from the Microsoft website.
- .NET Framework 4.7.2 or later: Download and install the appropriate version from the official website if needed.
- Updated PowerShellGet: PowerShellGet is the module that installs and manages other PowerShell modules. Update it to the latest version by running Install-Module PowerShellGet in a PowerShell window with administrator privileges.
Installation steps:
- Open a PowerShell window.
- Run the installation command. The SDK comes in two modules, Microsoft.Graph (the v1.0 API) and Microsoft.Graph.Beta; both can be installed side by side in the same PowerShell installation.
To install the v1 version, run the following command:
Install-Module Microsoft.Graph -Scope CurrentUser
To install the beta version, run the following command:
Install-Module Microsoft.Graph.Beta -Scope CurrentUser
- Verify the installation by running this command:
Get-InstalledModule Microsoft.Graph
Once you’ve installed the Microsoft Graph PowerShell SDK, you can use it to automate various tasks in Azure AD using commands known as cmdlets. Here’s a breakdown of the general process:
1. Use the Connect-MgGraph cmdlet to establish a connection with Microsoft Graph. When connecting, you request the permission scopes your script needs to read data or perform actions within Azure AD; the signed-in user or an administrator must consent to them.
For example:
Connect-MgGraph -Scopes "User.ReadWrite.All"
This command connects to Microsoft Graph and requests permission to read and write all user data within Azure AD. Replace "User.ReadWrite.All" with the narrowest permission scopes that cover your automation needs; a script that only reports on users, for example, needs User.Read.All rather than User.ReadWrite.All.
2. Utilize cmdlets as per your automation needs. Here are some examples of tasks you can automate with cmdlets:
User provisioning
- To create new users: New-MgUser
- To update user details: Update-MgUser
- To disable users: Update-MgUser -AccountEnabled:$false (there is no Disable-MgUser cmdlet; the account is disabled by updating its accountEnabled property)
- To delete users: Remove-MgUser
Group management
- To create security groups: New-MgGroup
- To add or remove group members: New-MgGroupMember, Remove-MgGroupMemberByRef
- To assign application roles to groups: New-MgGroupAppRoleAssignment
Application permissions
- To assign applications to users: New-MgUserAppRoleAssignment
- To grant application roles (permissions) to applications: New-MgServicePrincipalAppRoleAssignment
The comprehensive list of cmdlets can be found here.
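As an added example (not code from the original article), the following script ties the two steps above together: it connects with only the scopes it needs, checks that those scopes were actually granted, and then bulk-disables a list of leavers, revokes their sessions, and parks them in a holding group. The holding group name and the CSV rows are constructed for illustration.

```powershell
# Added example, not part of the original article. Bulk offboarding with the
# Microsoft Graph PowerShell SDK. Group name and CSV rows below are assumptions.

# Request only the scopes this script needs (least privilege).
Connect-MgGraph -Scopes "User.ReadWrite.All", "Group.Read.All", "GroupMember.ReadWrite.All" -NoWelcome

# Confirm the scopes that were actually consented to before changing anything.
$granted = (Get-MgContext).Scopes
foreach ($needed in "User.ReadWrite.All", "GroupMember.ReadWrite.All") {
    if ($granted -notcontains $needed) { throw "Missing scope: $needed" }
}

# Constructed sample input; in practice this would come from Import-Csv.
$leavers = @"
UserPrincipalName,Reason
alice@contoso.example,Contract ended
bob@contoso.example,Left company
"@ | ConvertFrom-Csv

# Assumed group that holds disabled accounts until they are deleted.
$holdingGroup = Get-MgGroup -Filter "displayName eq 'Offboarded-Pending-Deletion'" -Top 1
if (-not $holdingGroup) { throw "Holding group not found" }

foreach ($row in $leavers) {
    $user = Get-MgUser -Filter "userPrincipalName eq '$($row.UserPrincipalName)'" `
                       -Property Id, UserPrincipalName, AccountEnabled | Select-Object -First 1
    if (-not $user) { Write-Warning "Not found: $($row.UserPrincipalName)"; continue }

    # Disable sign-in. There is no Disable-MgUser; accountEnabled is set via Update-MgUser.
    Update-MgUser -UserId $user.Id -AccountEnabled:$false

    # Invalidate refresh tokens so existing sessions cannot keep working.
    Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

    # Park the account in the holding group for later cleanup.
    New-MgGroupMember -GroupId $holdingGroup.Id -DirectoryObjectId $user.Id

    # Emit an audit record for each change.
    [pscustomobject]@{ Time = Get-Date; User = $user.UserPrincipalName; Action = 'Disabled'; Reason = $row.Reason }
}

Disconnect-MgGraph
```

Run it first against a test tenant or with a single row in the CSV; each Update-MgUser call takes effect immediately and the audit objects it emits can be piped to Export-Csv for the change record.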
Going beyond PowerShell for automation
While PowerShell offers a solution for AD management that goes beyond basic point-and-click configuration, the scripts become increasingly complex as you need to get more done. PowerShell's flexibility comes with a learning cost: you need to understand the various cmdlets and their parameters to achieve the desired outcome.
There are other AD and identity governance solutions, such as ADManager Plus, that remove the need for advanced scripting. The choice of AD automation tool ultimately depends on the user's needs and technical expertise.