Use PowerShell Core and the AZ module to manage Azure Active Directory Users and Groups

5 minute read

August 2019

Overview

I have been mainly using PowerShell Core for my daily work for a while now and have been using it a lot recently to interact with Azure and Azure Active Directory (AAD) so will go through some details of getting connected to the Azure tenant and some commands to manage users and groups in AAD.

After using Azure for a few years now, getting started with cloud services and the classic deployment model (the old Windows Azure Service Management API - now deprecated) and migrating over to the Azure Resource Manager API, I use PowerShell as much as possible to interact with it and automate work. I’ve moved away from the AzureRM PowerShell cmdlets to now use the cross platform AZ cmdlets (a lot less typing and not too bad to migrate old scripts over).

This guide has been written running PowerShell Core on Ubuntu linux, but as long as you are running PowerShell Core on any of the supported platforms, you’ll be able to follow along.

Install PowerShell core

Install PowerShell Core for your platform following the guides linked in the link. For ubuntu 18.04 I installed with the method of adding the Microsoft repository to apt-get. Ubuntu 18.04 install instructions.

Although this guide is showing it running on Ubuntu 18.04, the AZ cmdlets will be the same running PowerShell Core on Mac, Windows and even PowerShell Desktop edition running on Windows.

Details of the system used in this post:

PowerShell Core running on Ubuntu 18.04

Install AZ module

First we need to install the AZ module and this can be done using PowerShell. The Find-Module cmdlet searches the PowerShell gallery (providing you have not changed the default provider) and the Install-Module cmdlet installs it for the current user (you will need to sudo if on linux to install the module for all users).

Find-Module az

Install-Module -Name az -Scope CurrentUser

installing the az module

Now we can see the module is installed and as mentioned earlier, it can be used both on PowerShell Core and the desktop edition.

Get-Module -Name az -ListAvailable

module details

Connecting

Note: You will need to sign in with a user who has permissions to manage users and groups in AAD (The User Administrator role would be good for least privilege access)

Now we have to sign in via a web browser for a token to be issued for your PowerShell session.

Connect-AzAccount

connecting to azure

Once you have signed in with the correct credentials, you will see the message below and can close the browser tab.

successful authentication

Context

If you only manage one Azure tenant, then this will be the one you signed into set as your AzContext. You can select to manage another tenant by using the Select-AzContext cmdlet (you will have to re-authenticate if you have not done so or your session has expired).

You can view the current context details by running the following cmdlet:

Get-AzContext

Getting Users: Get-AzADUser

The Get-AzADUser command with no parameters specified will return all users, my test AAD only has a small number of users but you can use the -First parameter to limit the number of users returned.

(Get-AzADUser | Measure-Object).Count
Get-AzADUser -First 2

output of get-azaduser cmdlet

Searching

You can search by knowing the full display name, UserPrincipalName (UPN) or get all users that start with a certain letter or word.

Get-AzADUser -DisplayName demo1

Get-AzADUser -StartsWith demo

search results

New User: New-AzADUser

Creating a new user is straight forward, I use the Get-Credential cmdlet to store a PSCredential object in the ‘creds’ variable then pass the username and password properties to the New-AzADUser cmdlet (I find this way easiest when running interactively. I would do it differently in a script as part of automation, this post covers ways on how to achieve this as well as good detail on credentials).

The MailNickname is required and cannot contain the ‘@’ sign (at time of this post you can not view this attribute with the az cmdlets). This is the mail alias and used if you are using Exchange online.

$creds = Get-Credential

New-AzADUser -DisplayName $creds.UserName -UserPrincipalName '[email protected]' -MailNickname $creds.UserName -Password $creds.Password -ForceChangePasswordNextLogin:$false

create a new user

Update User: Update-AzADUser

We can update the display name and password of users using the Update-AzADUser. Only use this on users that were created in AAD, use on premises AD if you are syncing users up there.

# save password in var
 $newpw = Get-Credential

# update displayname and password for user
 Get-AzADUser -UserPrincipalName demo@matthewdavis111.com | Update-AzADUser -DisplayName demooooo -Password $newpw.Password

update user

Delete User: Remove-AzADUser

Does what it says on the tin, use with caution, or if you’re a monster that knows what they are doing and the consequences, use with the force parameter.

Get-AzADUser -DisplayName demo2 | Remove-AzADUser

update user

New Group: New-AzADGroup

Similar to the New-AzADUser, the New-AzADGroup cmdlet is simple to use with a few properties to pass values to and again you need the MailNickName attribute.

New-AzADGroup -DisplayName a-demo-group -MailNickname a-demo-group -Description 'Group to hold demo users'

create a new group

Adding and removing Group Members

Adding and removing users from groups works as you would expect, you can add multiple members in the MemberUserPrincipalName parameters as shown below. One thing to note is that the Add-AzADGroupMember cmdlet will error if the group already contains a specified user and at present, will not add any of the users.

# Add a single user to a group
Add-AzADGroupMember -TargetGroupDisplayName 'a-demo-group' -MemberUserPrincipalName '[email protected]'

Get-AzADGroupMember -GroupDisplayName 'a-demo-group'

# Remove the user
Remove-AzADGroupMember -GroupDisplayName 'a-demo-group' -MemberUserPrincipalName '[email protected]'

# Add multiple users to a group
$userList = Get-AzADUser -StartsWith 'demo'
Add-AzADGroupMember -TargetGroupDisplayName 'a-demo-group' -MemberUserPrincipalName $userList.UserPrincipalName
Get-AzADGroupMember -GroupDisplayName 'a-demo-group'

add multiple users to a group

# Remove all users from a group
$RemoveUserList =  Get-AzADGroupMember -GroupDisplayName 'a-demo-group'
Remove-AzADGroupMember -GroupDisplayName 'a-demo-group' -MemberUserPrincipalName $RemoveUserList.UserPrincipalName
Get-AzADGroupMember -GroupDisplayName 'a-demo-group'

remove multiple members from a group

Delete the group: Remove-AzADGroup

Finally, we can tidy up by deleting the group (PassThru is a required parameter).

Remove-AzADGroup -DisplayName 'a-demo-group' -PassThru -Force

Summary

Using the AZ module in PowerShell core is a handy way to do some basic AAD user and group management and can easily enough be incorporated into automation. Despite being old and classed as ‘V1’ for interacting with AAD, the MS Online (MSOL) module gives access to lots more properties and I do need to use it from time to time, including in my previous post on how to check and alert if Azure Active Directory Sync has not been able to sync for a couple of hours.

The AZ module has become my daily driver and allows management via linux, mac or Windows. As I’m using my Ubuntu laptop more at home, it is great to be able to interact with Azure this way.

Share on

Twitter Facebook LinkedIn