Get-MgUser: Get and Export Azure AD users properties with Graph Modules

Hello everyone,

Recently Microsoft started adding/changing ways to extract user information from Azure AD (The Microsoft plan is to replace the AzureAD PS Module). One of the new ways (Not so new) is through the Microsoft Graph, which can be used through the Graph API or through the Graph Modules. In this article I will demonstrate how to install the graph module and also how to perform some queries using the existing cmdlets in one of the Microsoft Graph Modules.

To begin with, there are several Graph modules currently available (43 at the moment) and all of them can be installed at once, however MS recommends that you only install what you are going to use.

You can list all available modules using the following command:

Find-Module Microsoft.Graph*

Install the Graph Module

Use the following command: Install-Module Microsoft.Graph

Or you can use the -scope option to install only in the context of your Windows user (Usually used in cases of device sharing).

Use the following command: Install-Module Microsoft.Graph -Scope CurrentUser

PS. The above command installs every single Graph Modules available at the moment.

Now that you have the module installed, you need to connect/import it.

Just like in the Graph API you can choose which profile you want to use, through PS it is also possible through the commands below:

To use the BETA profile: Select-MgProfile -Name “beta”

To use the production one: Select-MgProfile -Name “v1.0”

If you don’t specify the profile, it connects to the production profile by default.

Next, we want to connect to Graph with the scopes that we need:

Connect-MgGraph -Scopes “User.Read.All”,”Group.ReadWrite.All”

The scope here is important so that at the time of invoking the command you can receive the prompt to grant permission to access the Graph API through the PS. You can read more about this here.

You can now use the Graph API. When you are working with Graph in PowerShell you can add additional scopes to your session by simply using the Connect-MgGraph command again with the new permissions.

Now we can try a few commands:

#GET ALL

Get-MgUser –All

#GET EMPLOYEE TYPE

Get-MgUser -all -Property “employeeType,DisplayName,UserPrincipalName” | select EmployeeType,DisplayName,UserPrincipalName

#GET MANAGER

Get-MgUser -ExpandProperty Manager  | select @{Name = ‘Manager’; Expression = {$_.Manager.AdditionalProperties.displayName}}, UserPrincipalName

#FILTER

Get-MgUser -Filter “DisplayName eq ‘Test IT'”

Get-MgUser -Filter “startsWith(DisplayName, ‘J

Get-MgUser –Filter ‘AccountEnabled eq True’ –All

Changing EmployeeType in bulk mode

I’ll show you how to change the EmployeeType in Bulk Mode, and as an example I’ve created the following CSV (Comma Separated Value) file. The important thing is that in the command you use the variables exactly as in the header of each column of the CSV file.

Once the file is filled in, I’ve saved it to the path C:\Scripts\ and then the little script will look like this:

Import-Csv “C:\Scripts\EmployeeType.csv” | ForEach-Object{
$UserPrincipalName = $_.UserPrincipalName
$EmployeeType = $_.EmployeeType
Update-MgUser -UserId $UserPrincipalName -EmployeeType $EmployeeType
}

Get manager in bulk mode

You can use the same concept as the previous CSV file or even use the same file, in this case you will only use the UserPrincipalName column as a variable.

Import-CSV “C:\Scripts\EmployeeType.csv” | Foreach-Object { (Get-MgUserManager -UserId $_.UserPrincipalName).additionalProperties[‘displayName’] }
Get-MgUser -ExpandProperty Manager  | select @{Name = ‘Manager’; Expression = {$_.Manager.AdditionalProperties.displayName}}, UserPrincipalName

With these commands and concepts you can extract much more information if necessary, as long as you use the same principles as the previous commands.

I’ll stay here, until next time.

Joao Paulo Costa