
How to use Get-MgUser in PowerShell

March 24, 2024

The Get-MgUser cmdlet in Microsoft Graph PowerShell retrieves all user details in Microsoft Entra ID. You can get all the Microsoft 365 users or specific users from your organization. While you can get all the users in the Microsoft Entra admin center or Microsoft 365 admin center, you can always do more and be precise with PowerShell. In this article, you will learn how to use Get-MgUser cmdlet in PowerShell.

Before you start

It’s important that you install and connect to Microsoft Graph PowerShell before you proceed further. Otherwise, the Get-MgUser cmdlet will not work.

Install Microsoft Graph PowerShell

Run PowerShell as administrator and install the Microsoft Graph PowerShell module.

Install-Module Microsoft.Graph -Force
Install-Module Microsoft.Graph.Beta -AllowClobber -Force

Important: Always install both the Microsoft Graph PowerShell and the Microsoft Graph Beta PowerShell modules. Some cmdlets and properties are not yet available in the release (v1.0) module, and commands that depend on them will not work without the beta module. Update both modules to the latest version before you run a cmdlet or script to prevent errors and incorrect results.

Connect to Microsoft Graph PowerShell

You need to connect to Microsoft Graph PowerShell with the correct permissions (scopes). If you don’t, the Get-MgUser cmdlet cannot retrieve the user results. User.Read.All covers the user objects; AuditLog.Read.All is additionally required for the SignInActivity property used later in this article.

Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All"

Do you want to connect without user interaction because you want a script to run automatically? Set it up with Certificate Based Authentication or a Client Secret. Read more in the article Connect to Microsoft Graph PowerShell.
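Before running the remaining commands it is worth confirming that the session actually holds the scopes they need; a consent that granted a narrower set fails later with 403 errors or silently empty properties. The following is an added example, not code from the original article: it connects only when no session exists and compares the granted scopes against the two scopes the article uses. The -NoWelcome switch assumes Microsoft Graph PowerShell SDK v2.

```powershell
# Added example (not from the original article): connect only if no session exists
# and verify that the granted scopes cover what the later Get-MgUser calls need.
# AuditLog.Read.All is only required for the SignInActivity property.
$requiredScopes = @('User.Read.All', 'AuditLog.Read.All')

$context = Get-MgContext
if (-not $context) {
    # -NoWelcome (SDK v2) suppresses the banner; omit it on older SDK versions.
    Connect-MgGraph -Scopes $requiredScopes -NoWelcome
    $context = Get-MgContext
}

# Compare what was actually granted with what we need. Scopes can be missing when
# an admin consented to a narrower set than the one requested.
$missing = $requiredScopes | Where-Object { $_ -notin $context.Scopes }

if ($missing) {
    Write-Warning ("Missing Graph scopes: {0}. Reconnect with -Scopes to request them." -f ($missing -join ', '))
}
else {
    # With app-only (certificate or client secret) authentication, Account is empty.
    Write-Host ("Connected to tenant {0} as '{1}' with the required scopes." -f $context.TenantId, $context.Account)
}
```

Run this at the top of any script that uses Get-MgUser; it makes a permission problem visible before the script reports an incomplete result as if it were complete.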

Get user information

Let’s first start with the basics, and that’s to get the user information.

Get single user information

To get the user information, use the -UserId parameter and append the user’s object ID.

Get-MgUser -UserId "944d57a0-0d24-4d55-ac5b-e9b741be9031"

You can also use the UserPrincipalName to get the user information.

Get-MgUser -UserId "amanda.morgan@exoip.com"

Add the Format-List cmdlet to get a list of properties.

Get-MgUser -UserId "amanda.morgan@exoip.com" | Format-List

Get all users information

Run the Get-MgUser cmdlet, including the -All parameter, to retrieve all the users.

Note: Always use the -All parameter to get all the results. Otherwise, only 100 items will appear.

Get-MgUser -All

To count all the users, we will add the Measure-Object cmdlet to the command.

Get-MgUser -All | Measure-Object | Select-Object -ExpandProperty Count

Get user account status

To get the user account status, we must add the -Property parameter and include the AccountEnabled property. Otherwise, Get-MgUser does not request that property, and the AccountEnabled value shows empty.

Get single user account status

Get the account status of a single user.

Get-MgUser -UserId "amanda.morgan@exoip.com" -Property Id, DisplayName, UserPrincipalName, AccountEnabled | Select-Object Id, DisplayName, UserPrincipalName, AccountEnabled

Get all users account status

Get all the user account statuses.

Get-MgUser -All -Property Id, DisplayName, UserPrincipalName, AccountEnabled | Select-Object Id, DisplayName, UserPrincipalName, AccountEnabled

You can always add the -Filter parameter and only retrieve the enabled accounts.

Get-MgUser -All -Filter "accountEnabled eq true" -Property Id, DisplayName, UserPrincipalName, AccountEnabled | Select-Object Id, DisplayName, UserPrincipalName, AccountEnabled

Or filter only the disabled user accounts.

Get-MgUser -All -Filter "accountEnabled ne true" -ConsistencyLevel eventual -CountVariable CountVar -Property Id, DisplayName, UserPrincipalName, AccountEnabled | Select-Object Id, DisplayName, UserPrincipalName, AccountEnabled

To know which properties you can add to the -Property parameter of the Get-MgUser cmdlet, see the properties table of the user resource type in the Microsoft Graph documentation.

Get all cloud users

If you have a hybrid environment, users are synced from on-premises AD to Microsoft Entra ID. The on-premises AD is your domain authority, and you should create the users there. However, there might be users in the organization who were created directly in the cloud.

Get all cloud users including guests

Let’s filter only on the cloud users. This includes the guest accounts.

Note: Use the -Filter parameter with the ne operator. This request isn’t supported by default because the ne operator is only supported in advanced queries. Therefore, you must add the ConsistencyLevel header set to eventual and the $count query parameter, which Get-MgUser sends when you supply the -CountVariable parameter (the variable name, CountVar here, is yours to choose).

Get-MgUser -All -Filter "OnPremisesSyncEnabled ne true" -ConsistencyLevel eventual -CountVariable CountVar

Get all cloud users excluding guests

Now, let’s filter only the cloud users without the guest accounts.

Get-MgUser -All -Filter "OnPremisesSyncEnabled ne true and UserType eq 'Member'" -ConsistencyLevel eventual -CountVariable CountVar

Get licensed users

Not all the users are licensed. There are users in the tenant with and without a license. To know exactly which user accounts have a license assigned and which don’t, we can filter specifically on that.

Get all licensed users

Filter only on the licensed users.

Get-MgUser -All -Filter "assignedLicenses/`$count ne 0 and userType eq 'Member'" -ConsistencyLevel eventual -CountVariable Records

Get all unlicensed users

Filter only on the unlicensed users.

Get-MgUser -All -Filter "assignedLicenses/`$count eq 0 and userType eq 'Member'" -ConsistencyLevel eventual -CountVariable Records

Get all licensed and blocked users

You can block users from signing in (AccountEnabled set to false), and they still have a license. Let’s get all the blocked users with a license.

Get-MgUser -All -Filter "assignedLicenses/`$count ne 0 and accountEnabled eq false" -ConsistencyLevel eventual -CountVariable Records
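A blocked account that still holds a license is both a cost and a sign that offboarding is incomplete, so the raw list of GUIDs is more useful when each SkuId is resolved to its product name and the result is exported for follow-up. The following is an added example, not code from the original article: it reuses the filter above and joins the assigned SkuIds against the tenant’s subscribed SKUs. It assumes Get-MgSubscribedSku is allowed by the session (Organization.Read.All or Directory.Read.All); the export path is an example value.

```powershell
# Added example (not from the original article): report disabled accounts that
# still hold a license, with SkuId resolved to the readable SkuPartNumber.
# Requires User.Read.All for the users and Organization.Read.All (or
# Directory.Read.All) for Get-MgSubscribedSku.

# Build a lookup of SkuId (GUID) -> SkuPartNumber (e.g. ENTERPRISEPACK) for this tenant.
$skuNames = @{}
Get-MgSubscribedSku | ForEach-Object { $skuNames[[string]$_.SkuId] = $_.SkuPartNumber }

# Same filter as the article; $count inside double quotes needs the backtick escape.
$report = Get-MgUser -All -ConsistencyLevel eventual -CountVariable Records `
    -Filter "assignedLicenses/`$count ne 0 and accountEnabled eq false" `
    -Property Id, DisplayName, UserPrincipalName, AccountEnabled, AssignedLicenses |
    ForEach-Object {
        $user = $_
        # Translate each assigned SkuId to a name; an unknown id falls back to the GUID.
        $licenses = foreach ($license in $user.AssignedLicenses) {
            $id = [string]$license.SkuId
            if ($skuNames.ContainsKey($id)) { $skuNames[$id] } else { $id }
        }
        [pscustomobject]@{
            DisplayName       = $user.DisplayName
            UserPrincipalName = $user.UserPrincipalName
            AccountEnabled    = $user.AccountEnabled
            LicenseCount      = $user.AssignedLicenses.Count
            Licenses          = ($licenses -join '; ')
        }
    }

$report | Sort-Object DisplayName | Format-Table -AutoSize

# Example path: adjust to your environment.
$report | Export-Csv -Path "C:\Temp\LicensedDisabledUsers.csv" -NoTypeInformation -Encoding UTF8
```

The SkuId values are converted to strings on both sides of the lookup so the hashtable match does not depend on how the SDK types the property.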

Get on-premises synced users

Get only the on-premises users that are synced to the cloud and sort them on the display name.

Get-MgUser -All -Filter "OnPremisesSyncEnabled eq true" | Sort-Object DisplayName

Get manager of user

Not all users have managers, but some of them do. We want to know the manager of a single user or of all the users.

Get manager of a single user

Let’s check who the manager is of a single user.

If you run the command below to retrieve the manager of a single user, you will not see the manager.

Get-MgUser -UserId "amanda.morgan@exoip.com" | Select-Object DisplayName, Manager

You will see that it shows the value Microsoft.Graph.PowerShell.Models.MicrosoftGraphDirectoryObject.

DisplayName   Manager
-----------   -------
Amanda Morgan Microsoft.Graph.PowerShell.Models.MicrosoftGraphDirectoryObject

That’s because you need to add the -ExpandProperty parameter.

Get-MgUser -UserId "amanda.morgan@exoip.com" -ExpandProperty Manager | Select-Object @{Name = 'Manager'; Expression = { $_.Manager.AdditionalProperties.mail } }

Another way is to store the Manager property in a variable and then show it.

$user = Get-MgUser -UserId "amanda.morgan@exoip.com" -ExpandProperty Manager
$user.Manager.AdditionalProperties.mail

Get manager of all users

To know which manager is assigned to which user, we can get a list of all the users and their manager.

Get-MgUser -All -ExpandProperty Manager | Select-Object UserPrincipalName, @{Name = 'Manager'; Expression = { $_.Manager.AdditionalProperties.mail } }

Get users whose display name starts with a value

Add the startsWith operator to the -Filter parameter to retrieve all the users whose display name starts with a given value.

Get-MgUser -All -Filter "startsWith(DisplayName,'Amanda')"

You can also add a letter instead of a word.

Get-MgUser -All -Filter "startsWith(DisplayName,'A')"

Get users whose mail address ends with a domain

Add the endsWith operator to retrieve all the users whose mail address ends with a specific domain, and sort them by display name.

Get-MgUser -All -Filter "endsWith(mail,'exoip.com')" -Sort "displayName" -ConsistencyLevel eventual -CountVariable CountVar

Retrieve the users whose mail address ends with either of two domains.

Get-MgUser -All -Filter "endsWith(mail,'exoip.com') or endsWith(mail,'tajran.com')" -Sort "displayName" -ConsistencyLevel eventual -CountVariable CountVar

Get users sign-in activity

It’s good to check the last time a user signed in successfully, so we can understand whether the account is still being used.

Get single user sign-in activity

Check the sign-in activity of a single user.

Get-MgUser -UserId "944d57a0-0d24-4d55-ac5b-e9b741be9031" -Property SignInActivity | Select-Object -ExpandProperty SignInActivity

If you use the UserPrincipalName for the -UserId parameter in this command, you will get an error. That’s because retrieving the SignInActivity property only supports the object ID (GUID) as the key, not the UserPrincipalName.

Get-MgUser_Get: Get By Key only supports UserId and the key has to be a valid Guid

Status: 400 (BadRequest)
ErrorCode: 400

What you can do instead is retrieve the UserId with the second Get-MgUser cmdlet and add it to the first Get-MgUser cmdlet.

Get-MgUser -UserId (Get-MgUser -UserId "amanda.morgan@exoip.com").Id -Property SignInActivity | Select-Object -ExpandProperty SignInActivity | Format-List

The result appears.

LastNonInteractiveSignInDateTime  : 20/01/2024 05:23:30
LastNonInteractiveSignInRequestId : 27e83e67-4c1c-4f74-babb-a55791680900
LastSignInDateTime                : 19/01/2024 11:31:20
LastSignInRequestId               : 6f659c53-cf13-4b7d-9fe5-93c6f9a52100
AdditionalProperties              : {}

There is also the Get-MgBetaUser cmdlet. Let’s look into that.

Note: Microsoft adds new properties in the beta version, and they will test them out before they appear in the release version.

Run the same command as above, but this time use the Get-MgBetaUser cmdlet instead of Get-MgUser.

Get-MgBetaUser -UserId "944d57a0-0d24-4d55-ac5b-e9b741be9031" -Property SignInActivity | Select-Object -ExpandProperty SignInActivity | Format-List

The result will show a new property, which is the LastSuccessfulSignInDateTime property.

LastNonInteractiveSignInDateTime  : 20/01/2024 05:23:30
LastNonInteractiveSignInRequestId : 27e83e67-4c1c-4f74-babb-a55791680900
LastSignInDateTime                : 19/01/2024 11:31:20
LastSignInRequestId               : 6f659c53-cf13-4b7d-9fe5-93c6f9a52100
LastSuccessfulSignInDateTime      : 20/01/2024 05:23:30
LastSuccessfulSignInRequestId     : 27e83e67-4c1c-4f74-babb-a55791680900
AdditionalProperties              : {}

Get all users sign-in activity

Get all users’ last successful sign-in date and time and send the output to an interactive table in a separate window with the Out-GridView cmdlet.

Get-MgBetaUser -All -Property Id, UserPrincipalName, DisplayName, SignInActivity | Select-Object Id, UserPrincipalName, DisplayName, @{Name = 'LastSuccessfulSignInDateTime'; Expression = { $_.SignInActivity.LastSuccessfulSignInDateTime } } | Out-GridView -Title "Last successful sign-in date"
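The grid view is fine for browsing, but an access review usually needs a concrete list of enabled accounts that have not signed in for a defined period, including accounts that have never signed in at all (their LastSuccessfulSignInDateTime is empty). The following is an added example, not code from the original article: it builds that list from the beta SignInActivity property shown above and treats an empty value as "never" instead of skipping it. The 90-day threshold is an example value, and the session is assumed to hold User.Read.All and AuditLog.Read.All.

```powershell
# Added example (not from the original article): report enabled member accounts
# that have not signed in successfully within a threshold, or never signed in.
# Requires User.Read.All and AuditLog.Read.All. Threshold is an example value.
$staleAfterDays = 90
$now    = (Get-Date).ToUniversalTime()
$cutoff = $now.AddDays(-$staleAfterDays)

# Request only enabled accounts and only the properties the report needs.
# userType is checked client-side to keep the server filter simple.
$users = Get-MgBetaUser -All -Filter "accountEnabled eq true" `
    -Property Id, DisplayName, UserPrincipalName, UserType, CreatedDateTime, SignInActivity

$stale = foreach ($user in $users) {
    if ($user.UserType -ne 'Member') { continue }

    # An account created inside the window cannot be stale yet; skip it so that
    # brand-new users do not show up as "never signed in".
    if ($user.CreatedDateTime -and $user.CreatedDateTime -gt $cutoff) { continue }

    $lastSuccess = $user.SignInActivity.LastSuccessfulSignInDateTime
    # Empty means the tenant has no successful sign-in recorded for this account.
    $neverSignedIn = -not $lastSuccess

    if ($neverSignedIn -or $lastSuccess -lt $cutoff) {
        [pscustomobject]@{
            DisplayName          = $user.DisplayName
            UserPrincipalName    = $user.UserPrincipalName
            CreatedDateTime      = $user.CreatedDateTime
            LastSuccessfulSignIn = if ($neverSignedIn) { 'never' } else { $lastSuccess }
            DaysSinceSignIn      = if ($neverSignedIn) { $null } else { [int]($now - $lastSuccess).TotalDays }
        }
    }
}

"{0} of {1} enabled member accounts have no successful sign-in in the last {2} days." -f `
    @($stale).Count, @($users | Where-Object UserType -eq 'Member').Count, $staleAfterDays

$stale | Sort-Object DaysSinceSignIn -Descending | Format-Table -AutoSize
```

Treating the empty value as "never" matters: a plain date comparison in PowerShell evaluates `$null -lt $cutoff` as false and would quietly drop exactly the accounts an access review most wants to see.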

Get users with company name

You can have different company names in the organization. It’s good to know which user belongs to which company or to filter on a specific company to narrow down the results.

Get company name of a single user

Get the company name of a single user.

Get-MgUser -UserId "amanda.morgan@exoip.com" -Property DisplayName, UserPrincipalName, CompanyName | Select-Object DisplayName, UserPrincipalName, CompanyName

Get company name of all users

Get all user accounts, including the company name.

Get-MgUser -All -Property DisplayName, UserPrincipalName, CompanyName | Select-Object DisplayName, UserPrincipalName, CompanyName

Add the -Filter parameter and the startsWith operator to retrieve all the users whose company name starts with a specific value.

Get-MgUser -All -Property DisplayName, UserPrincipalName, CompanyName -ConsistencyLevel eventual -CountVariable userCount -Filter "startsWith(CompanyName, 'Exo')" | Select-Object DisplayName, UserPrincipalName, CompanyName

You can also use the -Search parameter to search on the company name. The -Search parameter requires the ConsistencyLevel header set to eventual.

Get-MgUser -All -Search "CompanyName:Exoip" -ConsistencyLevel eventual

Get users with company name and account enabled

Add the -Search parameter to find the company name and the -Filter parameter to retrieve only enabled accounts.

Get-MgUser -All -Filter "accountEnabled eq true" -Search "CompanyName:Exoip" -ConsistencyLevel eventual
