How to use Get-MgUser in PowerShell
The Get-MgUser cmdlet in Microsoft Graph PowerShell retrieves all user details in Microsoft Entra ID. You can get all the Microsoft 365 users or specific users from your organization. While you can get all the users in the Microsoft Entra admin center or Microsoft 365 admin center, you can always do more and be precise with PowerShell. In this article, you will learn how to use Get-MgUser cmdlet in PowerShell.
Table of contents
- Before you start
- Get user information
- Get user account status
- Get all cloud users
- Get licensed users
- Get on-premises synced users
- Get manager of user
- Get users that Start with a display name
- Get users that End with a mail address
- Get users that End with a user principal name
- Get users sign-in activity
- Get users with company name
- Get-MgUser PowerShell script examples
- Conclusion
Before you start
It’s important that you install and connect to Microsoft Graph PowerShell before you proceed further. Otherwise, the Get-MgUser cmdlet will not work.
Install Microsoft Graph PowerShell
Run PowerShell as administrator and install the Microsoft Graph PowerShell modules.
Install-Module Microsoft.Graph -Force
Install-Module Microsoft.Graph.Beta -AllowClobber -Force
Important: Always install the Microsoft Graph PowerShell and Microsoft Graph Beta PowerShell modules. That’s because some cmdlets are not yet available in the final version, and they will not work. Update both modules to the latest version before you run a cmdlet or script to prevent errors and incorrect results.
Connect to Microsoft Graph PowerShell
You need to connect to Microsoft Graph PowerShell with the correct permissions. If you don’t, you cannot retrieve the user results with the Get-MgUser cmdlet.
Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All"
Do you want to connect without user interaction because you want a script to run automatically? Set it up with Certificate Based Authentication or a Client Secret. Read more in the article Connect to Microsoft Graph PowerShell.
Get user information
Let’s first start with the basics, and that’s to get the user information.
Get single user information
To get the user information, use the -UserId parameter and append the user ID.
Get-MgUser -UserId "944d57a0-0d24-4d55-ac5b-e9b741be9031"
You can also use the UserPrincipalName to get the user information.
Get-MgUser -UserId "amanda.morgan@exoip.com"
Add the Format-List cmdlet to get a list of properties.
Get-MgUser -UserId "amanda.morgan@exoip.com" | Format-List
Get all users information
Run the Get-MgUser cmdlet, including the -All parameter, to retrieve all the users.
Note: Always use the -All parameter to get all the results. Otherwise, only 100 items will appear.
Get-MgUser -All
To count all the users, we will add the Measure-Object cmdlet to the command.
Get-MgUser -All | Measure-Object | Select-Object -ExpandProperty Count
Get user account status
To get the user account status, we must add the -Property parameter, including the AccountEnabled property. Otherwise, the AccountEnabled value shows empty.
Get single user account status
Get the account status of a single user.
Get-MgUser -UserId "amanda.morgan@exoip.com" -Property Id, DisplayName, UserPrincipalName, AccountEnabled | Select-Object Id, DisplayName, UserPrincipalName, AccountEnabled
Get all users account status
Get all the user account statuses.
Get-MgUser -All -Property Id, DisplayName, UserPrincipalName, AccountEnabled | Select-Object Id, DisplayName, UserPrincipalName, AccountEnabled
You can always add the -Filter parameter and only retrieve the enabled accounts.
Get-MgUser -All -Filter "accountEnabled eq true" -Property Id, DisplayName, UserPrincipalName, AccountEnabled | Select-Object Id, DisplayName, UserPrincipalName, AccountEnabled
Or filter only the disabled user accounts.
Get-MgUser -All -Filter "accountEnabled ne true" -ConsistencyLevel eventual -CountVariable CountVar -Property Id, DisplayName, UserPrincipalName, AccountEnabled | Select-Object Id, DisplayName, UserPrincipalName, AccountEnabled
To know which properties you can pass to the -Property parameter of the Get-MgUser cmdlet, refer to the properties table of the user resource type in the Microsoft Graph documentation.
Get all cloud users
If you have a Hybrid environment, users are synced from on-premises AD to Microsoft Entra ID. The on-premises AD is your domain authority, and you should create the users there. However, there might be users in the organization who are directly created in the cloud.
Get all cloud users including guests
Let’s filter only on the cloud users. This includes the guest accounts.
Note: Use the -Filter parameter with the ne operator. This request isn’t supported by default because the ne operator is only supported in advanced queries. Therefore, you must add the -ConsistencyLevel parameter set to eventual and the -CountVariable parameter (which sends the $count query parameter).
Get-MgUser -All -Filter "OnPremisesSyncEnabled ne true" -ConsistencyLevel eventual -CountVariable CountVar
Get all cloud users excluding guests
Now, let’s filter only the cloud users without the guest accounts.
Get-MgUser -All -Filter "OnPremisesSyncEnabled ne true and UserType eq 'Member'" -ConsistencyLevel eventual -CountVariable CountVar
Get all cloud guest users
Filter only on guest users in the cloud.
Get-MgUser -All -Filter "OnPremisesSyncEnabled ne true and UserType eq 'Guest'" -ConsistencyLevel eventual -CountVariable CountVar
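The three cloud-user filters above, combined into one review script as an added example (not code from the original article): it lists every account created directly in the cloud, summarizes them by user type, and exports the enabled cloud-only member accounts, which are the exceptions in a hybrid tenant. It assumes Connect-MgGraph was already run with User.Read.All; the CSV path is an example value.

```powershell
# Added example (not from the original article): in a hybrid tenant, list every account
# that was created directly in the cloud rather than synced from on-premises AD, so
# unexpected cloud-only member accounts can be reviewed.
# Assumes Connect-MgGraph was already run with User.Read.All; $CsvPath is an example value.
$CsvPath = "C:\Temp\CloudOnlyUsers.csv"

# OnPremisesSyncEnabled is true for synced users and null (or false) otherwise, which is
# why the filter uses 'ne true'. 'ne' is an advanced query operator, so
# -ConsistencyLevel eventual and -CountVariable are required.
$cloudUsers = Get-MgUser -All -Filter "OnPremisesSyncEnabled ne true" `
    -ConsistencyLevel eventual -CountVariable CountVar `
    -Property Id, DisplayName, UserPrincipalName, UserType, AccountEnabled, CreatedDateTime, AssignedLicenses, OnPremisesSyncEnabled

$report = $cloudUsers | ForEach-Object {
    [PSCustomObject]@{
        DisplayName       = $_.DisplayName
        UserPrincipalName = $_.UserPrincipalName
        UserType          = $_.UserType
        AccountEnabled    = $_.AccountEnabled
        Licensed          = ($_.AssignedLicenses.Count -gt 0)
        CreatedDateTime   = $_.CreatedDateTime
    }
}

# Summary per account type: guests are expected to be cloud-only, members usually are not
$report | Group-Object UserType | Select-Object @{N = 'UserType'; E = { $_.Name } }, Count

# Enabled cloud-only member accounts deserve the first look; newest accounts first
$report | Where-Object { $_.UserType -eq 'Member' -and $_.AccountEnabled } |
    Sort-Object CreatedDateTime -Descending |
    Export-Csv -Path $CsvPath -NoTypeInformation -Encoding UTF8

Write-Host "$CountVar cloud-only accounts found; enabled member accounts exported to $CsvPath"
```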
Get licensed users
Not all the users are licensed. There are users in the tenant with and without a license. To know exactly which user accounts have a license assigned and which don’t, we can filter specifically on that.
Get all licensed users
Filter only on the licensed users.
Get-MgUser -All -Filter "assignedLicenses/`$count ne 0 and userType eq 'Member'" -ConsistencyLevel eventual -CountVariable Records
Get all unlicensed users
Filter only on the unlicensed users.
Get-MgUser -All -Filter "assignedLicenses/`$count eq 0 and userType eq 'Member'" -ConsistencyLevel eventual -CountVariable Records
Get all licensed and blocked users
You can block users, and they still have a license. Let’s get all the blocked users with a license.
Get-MgUser -All -Filter "assignedLicenses/`$count ne 0 and accountEnabled eq false" -ConsistencyLevel eventual -CountVariable Records
Get on-premises synced users
Get only the on-premises users that are synced to the cloud and sort them on the display name.
Get-MgUser -All -Filter "OnPremisesSyncEnabled eq true" | Sort-Object DisplayName
Get manager of user
Not all users have managers, but some of them do. We want to know the manager of a single user or of all the users.
Get manager of a single user
Let’s check who the manager is of a single user.
If you run the below cmdlet to retrieve the manager of a single user, you will not see the manager.
Get-MgUser -UserId "amanda.morgan@exoip.com" | Select-Object DisplayName, Manager
You will see that it shows the value Microsoft.Graph.PowerShell.Models.MicrosoftGraphDirectoryObject.
DisplayName Manager
----------- -------
Amanda Morgan Microsoft.Graph.PowerShell.Models.MicrosoftGraphDirectoryObject
That’s because you need to add the -ExpandProperty parameter.
Get-MgUser -UserId "amanda.morgan@exoip.com" -ExpandProperty Manager | Select-Object @{Name = 'Manager'; Expression = { $_.Manager.AdditionalProperties.mail } }
Another way is to store the Manager property in a variable and then show it.
$user = Get-MgUser -UserId "amanda.morgan@exoip.com" -ExpandProperty Manager
$user.Manager.AdditionalProperties.mail
Get manager of all users
To know which manager is assigned to which user, we can get a list of all the users and their manager.
Get-MgUser -All -ExpandProperty Manager | Select-Object UserPrincipalName, @{Name = 'Manager'; Expression = { $_.Manager.AdditionalProperties.mail } }
Get users that Start with a display name
We can add the startsWith operator and retrieve all the results that start with a display name.
Get-MgUser -All -Filter "startsWith(DisplayName,'Amanda')"
You can also add a letter instead of a word.
Get-MgUser -All -Filter "startsWith(DisplayName,'A')"
Get users that End with a mail address
Add the endsWith operator and retrieve all the users that end with a specific mail address and sort it on display name.
Get-MgUser -All -Filter "endsWith(mail,'exoip.com')" -Sort "displayName" -ConsistencyLevel eventual -CountVariable CountVar
Search for users whose mail address ends with either of two domains.
Get-MgUser -All -Filter "endsWith(mail,'exoip.com') or endsWith(mail,'tajran.com')" -Sort "displayName" -ConsistencyLevel eventual -CountVariable CountVar
Get users that End with a user principal name
Add the endsWith operator and retrieve all the users that end with a specific UserPrincipalName and sort it on display name.
Get-MgUser -All -Filter "endsWith(userprincipalname,'exoip.com')" -Sort "displayName" -ConsistencyLevel eventual -CountVariable CountVar
Get users sign-in activity
It’s good to filter on the last time a user signed in successfully, so we can understand whether the account is still being used.
Get single user sign-in activity
Check the sign-in activity of a single user.
Get-MgUser -UserId "944d57a0-0d24-4d55-ac5b-e9b741be9031" -Property SignInActivity | Select-Object -ExpandProperty SignInActivity
If you use the UserPrincipalName for the -UserId parameter, you will get an error. That’s because, when you request the SignInActivity property, the user can only be looked up by the object ID (GUID).
Get-MgUser_Get: Get By Key only supports UserId and the key has to be a valid Guid
Status: 400 (BadRequest)
ErrorCode: 400
What you can do instead is retrieve the UserId with the second Get-MgUser cmdlet and add it to the first Get-MgUser cmdlet.
Get-MgUser -UserId (Get-MgUser -UserId "amanda.morgan@exoip.com").Id -Property SignInActivity | Select-Object -ExpandProperty SignInActivity | fl
The result appears.
LastNonInteractiveSignInDateTime : 20/01/2024 05:23:30
LastNonInteractiveSignInRequestId : 27e83e67-4c1c-4f74-babb-a55791680900
LastSignInDateTime : 19/01/2024 11:31:20
LastSignInRequestId : 6f659c53-cf13-4b7d-9fe5-93c6f9a52100
AdditionalProperties : {}
There is also the Get-MgBetaUser cmdlet. Let’s look into that.
Note: Microsoft adds new properties in the beta version, and they will test them out before they appear in the release version.
Run the same command as above. But this time, add Beta in the Get-MgUser cmdlet.
Get-MgBetaUser -UserId "944d57a0-0d24-4d55-ac5b-e9b741be9031" -Property SignInActivity | Select-Object -ExpandProperty SignInActivity | fl
The result will show a new property, which is the LastSuccessfulSignInDateTime property.
LastNonInteractiveSignInDateTime : 20/01/2024 05:23:30
LastNonInteractiveSignInRequestId : 27e83e67-4c1c-4f74-babb-a55791680900
LastSignInDateTime : 19/01/2024 11:31:20
LastSignInRequestId : 6f659c53-cf13-4b7d-9fe5-93c6f9a52100
LastSuccessfulSignInDateTime : 20/01/2024 05:23:30
LastSuccessfulSignInRequestId : 27e83e67-4c1c-4f74-babb-a55791680900
AdditionalProperties : {}
Get all users sign-in activity
Get all users’ last successful sign-in date and time and send the output to an interactive table in a separate window with the Out-GridView cmdlet.
Get-MgBetaUser -All -Property Id, UserPrincipalName, DisplayName, SignInActivity | Select-Object Id, UserPrincipalName, DisplayName, @{Name = 'LastSuccessfulSignInDateTime'; Expression = { $_.SignInActivity.LastSuccessfulSignInDateTime } } | Out-GridView -Title "Last successful sign-in date"
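The sign-in activity lookup above turned into an inactive-account report, as an added example (not code from the original article): it flags member accounts that never signed in or whose last successful sign-in is older than a cutoff, together with their enabled and license state, so stale accounts that are still enabled can be reviewed first. It assumes Connect-MgGraph was already run with User.Read.All and AuditLog.Read.All as shown earlier; $DaysInactive and the CSV path are example values.

```powershell
# Added example (not from the original article): report member accounts with no
# successful sign-in within $DaysInactive days (or ever), with enabled and license state.
# Assumes Connect-MgGraph was run with User.Read.All and AuditLog.Read.All.
# $DaysInactive and $CsvPath are example values.
$DaysInactive = 90
$CsvPath = "C:\Temp\InactiveUsers.csv"
$NowUtc = (Get-Date).ToUniversalTime()
$Cutoff = $NowUtc.AddDays(-$DaysInactive)

# SignInActivity is only returned when requested with -Property, and only the beta cmdlet
# returns LastSuccessfulSignInDateTime. The age check is done client-side so that it can
# be combined freely with the userType filter.
$users = Get-MgBetaUser -All -PageSize 999 `
    -Filter "userType eq 'Member'" -ConsistencyLevel eventual -CountVariable CountVar `
    -Property Id, DisplayName, UserPrincipalName, AccountEnabled, AssignedLicenses, CreatedDateTime, SignInActivity

$report = foreach ($u in $users) {
    $last = $u.SignInActivity.LastSuccessfulSignInDateTime
    # Fall back to the interactive sign-in timestamp if the successful one is not populated
    if ($null -eq $last) { $last = $u.SignInActivity.LastSignInDateTime }

    # Stale means never signed in, or last sign-in before the cutoff (timestamps are UTC)
    $stale = ($null -eq $last) -or ($last -lt $Cutoff)
    if (-not $stale) { continue }

    $days = if ($null -eq $last) { 'Never' } else { [int]($NowUtc - $last).TotalDays }
    [PSCustomObject]@{
        DisplayName       = $u.DisplayName
        UserPrincipalName = $u.UserPrincipalName
        AccountEnabled    = $u.AccountEnabled
        Licensed          = ($u.AssignedLicenses.Count -gt 0)
        CreatedDateTime   = $u.CreatedDateTime
        LastSuccessfulSignIn = $last
        DaysSinceSignIn   = $days
    }
}

# Enabled accounts that still hold a license but are stale sort to the top of the file
$report | Sort-Object AccountEnabled, Licensed -Descending |
    Export-Csv -Path $CsvPath -NoTypeInformation -Encoding UTF8

$report | Group-Object AccountEnabled | Select-Object @{N = 'AccountEnabled'; E = { $_.Name } }, Count
Write-Host "$($report.Count) of $CountVar member accounts have no successful sign-in in the last $DaysInactive days. Report: $CsvPath"
```

Accounts created after the cutoff but never used also appear in the report, since the check is on the last sign-in rather than the creation date.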
Get users with company name
You can have different company names in the organization. It’s good to know which user belongs to which company or to filter on a specific company to narrow down the results.
Get company name of a single user
Get the company name of a single user.
Get-MgUser -UserId "amanda.morgan@exoip.com" -Property DisplayName, UserPrincipalName, CompanyName | Select-Object DisplayName, UserPrincipalName, CompanyName
Get company name of all users
Get all user accounts, including the company name.
Get-MgUser -All -Property DisplayName, UserPrincipalName, CompanyName | Select-Object DisplayName, UserPrincipalName, CompanyName
Add the -Filter parameter and the startsWith operator to retrieve all the results that start with a specific company name.
Get-MgUser -All -Property DisplayName, UserPrincipalName, CompanyName -ConsistencyLevel eventual -Count userCount -Filter "startsWith(CompanyName, 'Exo')" | Select-Object DisplayName, UserPrincipalName, CompanyName
You can use the -Search parameter to search on the company and get the results.
Get-MgUser -All -Search "CompanyName:Exoip" -ConsistencyLevel eventual
Get users with company name and account enabled
Add the -Search parameter to find the company name and the -Filter parameter to retrieve only enabled accounts.
Get-MgUser -All -Filter "accountEnabled eq true" -Search "CompanyName:Exoip" -ConsistencyLevel eventual
Get-MgUser PowerShell script examples
An excellent way to understand how to add the Get-MgUser cmdlet in PowerShell scripts is by going through the PowerShell script examples:
- Create Microsoft Entra ID Users from CSV with PowerShell
- Export Azure AD users to CSV with PowerShell
- Block sign-in from shared mailboxes
- Force sign-out users in Microsoft 365 with PowerShell
- How to remove permissions from applications in Microsoft Entra
- Export Microsoft 365 disabled users report
- Export Microsoft 365 inactive users report
Conclusion
You learned how to use Get-MgUser in PowerShell. The Get-MgUser cmdlet is an excellent cmdlet to retrieve the users from Microsoft Entra ID and Microsoft 365. Use specific parameters or combine them to filter the search results according to how you want the results to appear.
Did you enjoy this article? You may also like How to export Conditional Access policies. Don’t forget to follow us and share this article.