• Aug 6, 2025

Entra ID PowerShell Quick Reference

  • trainer

Setup & Connection

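# Install the Microsoft Graph PowerShell SDK for the current user (no admin rights needed).
# In automation, pin the module with -RequiredVersion so an unreviewed module update cannot
# silently change what these commands do.
Install-Module Microsoft.Graph -Scope CurrentUser

# Sign in with delegated permissions. Request only the scopes the session actually needs:
# the ReadWrite scopes below are required for the management sections of this reference, while
# lookups and reports work with User.Read.All / Group.Read.All / Directory.Read.All. The consent
# given here is recorded in the tenant, so a broad grant outlives the session that asked for it.
Connect-MgGraph -Scopes "User.ReadWrite.All", "Group.ReadWrite.All", "Directory.Read.All"

# Show the signed-in account, tenant and the scopes that were actually granted (can be fewer
# than requested if an admin has not consented to all of them).
Get-MgContext

# Close the session when finished so the cached token on this host is not reused later.
Disconnect-MgGraph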

User Information Commands

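# Get one user. -UserId accepts either the userPrincipalName or the object ID.
Get-MgUser -UserId "john.doe@company.com"

# Search users by display-name prefix (server-side filter)
Get-MgUser -Filter "startsWith(displayName,'John')"

# Return only the properties you need
Get-MgUser -UserId "john.doe@company.com" | Select-Object DisplayName, UserPrincipalName, AccountEnabled

# Check if user account is enabled ($true) or blocked from signing in ($false)
Get-MgUser -UserId "john.doe@company.com" | Select-Object AccountEnabled

# Get user's manager (expanded navigation property; read it from the .Manager member of the result)
Get-MgUser -UserId "john.doe@company.com" -ExpandProperty Manager

# Get user's last sign-in date. LastSignInDateTime is not a top-level user property, so selecting it
# directly returns an empty column; it lives under SignInActivity, which has to be requested explicitly
# with -Property. Reading sign-in activity needs the AuditLog.Read.All scope (not in the Setup list
# above) and an Entra ID P1/P2 licence. The non-interactive timestamp covers token refreshes by apps,
# which is what usually shows activity on an account whose owner has not signed in interactively.
Get-MgUser -UserId "john.doe@company.com" -Property SignInActivity |
    Select-Object -ExpandProperty SignInActivity |
    Select-Object LastSignInDateTime, LastNonInteractiveSignInDateTime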

User Account Management

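# Create new user. The initial password is generated from a CSPRNG rather than written into the
# script: a literal password survives in shell history, transcripts and source control. Hand the
# value to the user out-of-band and do not print or log it. ForceChangePasswordNextSignIn makes
# it a one-time credential.
$alphabet = '23456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz!@#$%&*'
$rnd = [byte[]]::new(20); [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($rnd)
$tempPassword = -join ($rnd | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
New-MgUser -DisplayName "Jane Smith" -UserPrincipalName "jane.smith@company.com" -MailNickname "jane.smith" -AccountEnabled:$true -PasswordProfile @{Password=$tempPassword; ForceChangePasswordNextSignIn=$true} -UsageLocation "US"

# Enable user account
Update-MgUser -UserId "john.doe@company.com" -AccountEnabled:$true

# Disable user account. This stops new sign-ins and token refreshes; access tokens that were
# already issued stay valid until they expire, so for a compromise also revoke sessions
# (see "Emergency Commands").
Update-MgUser -UserId "john.doe@company.com" -AccountEnabled:$false

# Update user's job title
Update-MgUser -UserId "john.doe@company.com" -JobTitle "Senior Developer"

# Update user's department
Update-MgUser -UserId "john.doe@company.com" -Department "IT"

# Update user's phone number
Update-MgUser -UserId "john.doe@company.com" -MobilePhone "+1-555-0123"

# Delete user account (soft delete). The object is kept in the deleted-items container for 30 days
# and can be restored in that window; after that it is purged. Supports -WhatIf.
Remove-MgUser -UserId "john.doe@company.com"

# Restore deleted user. Takes the object ID (GUID), not the UPN; find it with
# Get-MgDirectoryDeletedItemAsUser while the object is still in the deleted-items container.
Restore-MgDirectoryDeletedItem -DirectoryObjectId "user-object-id"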

Password Management

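# Generate the new password from a CSPRNG instead of hard-coding it. A literal password in a
# script survives in shell history, transcripts and source control. Deliver the value
# out-of-band and do not print or log it.
$alphabet = '23456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz!@#$%&*'
$rnd = [byte[]]::new(20); [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($rnd)
$tempPassword = -join ($rnd | ForEach-Object { $alphabet[$_ % $alphabet.Length] })

# Reset user password (force change on next login) - the normal case
Update-MgUser -UserId "john.doe@company.com" -PasswordProfile @{Password=$tempPassword; ForceChangePasswordNextSignIn=$true}

# Reset password without forcing change. Use only where an interactive change is impossible
# (shared or service accounts): the operator then knows a standing credential, which should be
# recorded as an exception and rotated.
Update-MgUser -UserId "john.doe@company.com" -PasswordProfile @{Password=$tempPassword; ForceChangePasswordNextSignIn=$false}

# Force user to change password on next login, without changing the current password
Update-MgUser -UserId "john.doe@company.com" -PasswordProfile @{ForceChangePasswordNextSignIn=$true}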

MFA Management

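# List every registered authentication method (authenticator app, phone, FIDO2 key, email, ...).
# Reading or changing methods needs the UserAuthenticationMethod.Read.All / ReadWrite.All scope,
# which is not in the Setup list above. Review this list before removing anything: an intruder who
# had access may have registered a method of their own.
Get-MgUserAuthenticationMethod -UserId "john.doe@company.com"

# Get phone authentication methods only (the Id of each one is what Remove-... needs below)
Get-MgUserAuthenticationPhoneMethod -UserId "john.doe@company.com"

# Remove one phone authentication method. This is not a full MFA reset: every other method type stays
# registered and has to be removed with its own Remove-MgUserAuthentication*Method cmdlet.
Remove-MgUserAuthenticationPhoneMethod -UserId "john.doe@company.com" -PhoneAuthenticationMethodId "method-id"

# Sign out user from all sessions by revoking refresh tokens. Access tokens that were already
# issued stay valid until they expire (up to their configured lifetime), so pair this with
# disabling the account when responding to a compromise.
Invoke-MgInvalidateUserRefreshToken -UserId "user-object-id"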

Group Information

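# Get group by exact display name. displayName is not unique, so this can return several groups;
# use the Id of the right one for the management commands.
Get-MgGroup -Filter "displayName eq 'IT Department'"

# Search groups by name (partial match)
Get-MgGroup -Filter "startsWith(displayName,'Sales')"

# Get all objects the user is a direct member of. The result also contains directory roles and
# administrative units, not only groups; the type is in AdditionalProperties.'@odata.type'.
Get-MgUserMemberOf -UserId "john.doe@company.com" -All

# Get direct members of a specific group. -All is required: without it only the first page
# (100 members) comes back. Use Get-MgGroupTransitiveMember for nested membership.
Get-MgGroupMember -GroupId "group-object-id" -All

# Check if user is a direct member of a specific group. -All matters here too: without it a member
# beyond the first page is silently reported as absent.
Get-MgGroupMember -GroupId "group-object-id" -All | Where-Object {$_.Id -eq "user-object-id"}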

Group Management

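# Create security group (no mailbox; used for access assignment). Splatting keeps the parameters
# readable and reviewable.
$securityGroup = @{
    DisplayName     = "IT Support"
    Description     = "IT Support Team"
    MailEnabled     = $false
    SecurityEnabled = $true
    MailNickname    = "ITSupport"
}
New-MgGroup @securityGroup

# Create Microsoft 365 group (mail-enabled, "Unified" group type)
$m365Group = @{
    DisplayName     = "Marketing Team"
    Description     = "Marketing Department"
    MailEnabled     = $true
    SecurityEnabled = $false
    MailNickname    = "marketing"
    GroupTypes      = @("Unified")
}
New-MgGroup @m365Group

# Add user to group (both values are object IDs)
New-MgGroupMember -GroupId "group-object-id" -DirectoryObjectId "user-object-id"

# Remove user from group. Fails for dynamic groups: membership is driven by the rule, not by this call.
Remove-MgGroupMemberByRef -GroupId "group-object-id" -DirectoryObjectId "user-object-id"

# Delete group. Only Microsoft 365 groups go to the deleted-items container and can be restored;
# a security group is removed immediately, and any access it granted goes with it. Supports -WhatIf.
Remove-MgGroup -GroupId "group-object-id"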

License Management

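# Get all license plans the tenant has purchased
Get-MgSubscribedSku

# Get available licenses count (purchased minus assigned)
Get-MgSubscribedSku | Select-Object SkuPartNumber, @{Name="Available";Expression={$_.PrepaidUnits.Enabled - $_.ConsumedUnits}}

# Get user's assigned licenses
Get-MgUserLicenseDetail -UserId "john.doe@company.com"

# Assign license to user (Office 365 E3 example). Look the SkuId up by part number rather than
# pasting a GUID; the user must have UsageLocation set or the assignment is rejected.
$sku = Get-MgSubscribedSku -All | Where-Object SkuPartNumber -eq "ENTERPRISEPACK"
Set-MgUserLicense -UserId "john.doe@company.com" -AddLicenses @{SkuId=$sku.SkuId} -RemoveLicenses @()

# Remove license from user
Set-MgUserLicense -UserId "john.doe@company.com" -AddLicenses @() -RemoveLicenses @($sku.SkuId)

# Get users without licenses. The $count operator is an "advanced query": it needs both
# -ConsistencyLevel eventual and the count request, which the SDK exposes as -CountVariable.
# The backtick keeps PowerShell from expanding $count inside the double-quoted filter.
Get-MgUser -Filter "assignedLicenses/`$count eq 0" -ConsistencyLevel eventual -CountVariable unlicensedCount -All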

Bulk Operations

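# Get all users in specific department (-All pages through every result instead of the first 100)
Get-MgUser -Filter "department eq 'IT'" -All

# Get all disabled users
Get-MgUser -Filter "accountEnabled eq false" -All

# Get users created in last 30 days. Build the boundary as a full UTC timestamp: Graph compares
# createdDateTime in UTC, and a bare local date is both ambiguous and liable to be rejected.
$since = (Get-Date).ToUniversalTime().AddDays(-30).ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-MgUser -Filter "createdDateTime ge $since" -All

# Get users who never signed in. lastSignInDateTime is not a top-level property, so the original
# filter does not match anything; request SignInActivity and test it client-side. Needs the
# AuditLog.Read.All scope and an Entra ID P1/P2 licence. Accounts in this list that are enabled are
# worth reviewing: they are unused credentials with no activity baseline.
Get-MgUser -All -Property Id, DisplayName, UserPrincipalName, AccountEnabled, SignInActivity |
    Where-Object { -not $_.SignInActivity.LastSignInDateTime } |
    Select-Object DisplayName, UserPrincipalName, AccountEnabled

# Export all users to CSV. The file is a directory listing (personal data) - write it to a
# protected location, not a shared or world-readable path, and delete it when no longer needed.
Get-MgUser -All | Select-Object DisplayName, UserPrincipalName, AccountEnabled, Department | Export-Csv -Path "C:\Users.csv" -NoTypeInformation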

Reporting Commands

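# Count total users (pages through the whole directory; slow on large tenants)
(Get-MgUser -All).Count

# Count enabled users
(Get-MgUser -Filter "accountEnabled eq true" -All).Count

# Count users by department (users with no department land in a group whose Name is empty)
Get-MgUser -All | Group-Object Department | Select-Object Name, Count

# Get license usage summary
Get-MgSubscribedSku | Select-Object SkuPartNumber, ConsumedUnits, @{Name="Total";Expression={$_.PrepaidUnits.Enabled}}

# Get group membership count. -All on the inner call is required: without it any group with more than
# 100 members is reported as exactly 100. This makes one request per group (plus paging); on large
# tenants expect it to take a while and be throttled.
Get-MgGroup -All | Select-Object DisplayName, @{Name="MemberCount";Expression={(Get-MgGroupMember -GroupId $_.Id -All).Count}}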

Troubleshooting Commands

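# Check if user exists. -ErrorAction Stop is what makes the "not found" error terminating; without
# it the cmdlet writes a non-terminating error, the catch block never runs, and the script prints
# "User exists" for a missing account. The catch also swallows auth and throttling errors, so
# inspect $_.Exception.Message when the answer matters.
try { Get-MgUser -UserId "john.doe@company.com" -ErrorAction Stop; "User exists" } catch { "User not found" }

# Get deleted users (recycle bin). Get-MgDirectoryDeletedItem with an ID fetches one item; the
# typed list cmdlet below returns every deleted user still inside the 30-day restore window.
Get-MgDirectoryDeletedItemAsUser -All

# Test Graph connection and see which scopes this session was actually granted
Get-MgContext | Select-Object TenantId, Scopes

# Get organization info
Get-MgOrganization | Select-Object DisplayName, Id

# Check user's sign-in activity (requires premium license and the AuditLog.Read.All scope,
# which is not in the Setup list above). Look at the status, IP address and location of each
# entry, not only the timestamp.
Get-MgAuditLogSignIn -Filter "userPrincipalName eq 'john.doe@company.com'" -Top 5

# Get user's risk state (requires Identity Protection and the IdentityRiskyUser.Read.All scope)
Get-MgIdentityProtectionRiskyUser -Filter "userPrincipalName eq 'john.doe@company.com'"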

Emergency Commands

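# Containment sequence for a suspected compromised account. Order matters: block sign-in first so
# no new tokens are issued, then revoke existing sessions, then reset the credential and review
# MFA methods. Note who ran each step and when, for the incident timeline.

# 1. Immediately disable compromised account
Update-MgUser -UserId "compromised@company.com" -AccountEnabled:$false

# 2. Sign out user from all devices by revoking refresh tokens. Access tokens already issued stay
#    valid until they expire, which is why step 1 comes first.
Invoke-MgInvalidateUserRefreshToken -UserId (Get-MgUser -UserId "compromised@company.com").Id

# 3. Reset password and force change. Generate it from a CSPRNG: a fixed "emergency" password is
#    guessable by anyone who has seen this script and ends up in history and transcripts.
$alphabet = '23456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz!@#$%&*'
$rnd = [byte[]]::new(20); [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($rnd)
$tempPassword = -join ($rnd | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
Update-MgUser -UserId "compromised@company.com" -PasswordProfile @{Password=$tempPassword; ForceChangePasswordNextSignIn=$true}

# 4. Review registered MFA methods and remove any the user does not recognise (see "MFA Management");
#    an intruder commonly registers their own method to keep access after a password reset.
Get-MgUserAuthenticationMethod -UserId "compromised@company.com"

# 5. Remove user from all groups (emergency). Get-MgUserMemberOf also returns directory roles and
#    administrative units, which are not groups and make Remove-MgGroupMemberByRef fail, so keep only
#    group objects. Save the list first so access can be restored after the investigation. Dynamic
#    groups re-add the user by rule; those have to be handled by disabling the account (step 1).
$userId = (Get-MgUser -UserId "compromised@company.com").Id
$groups = Get-MgUserMemberOf -UserId $userId -All |
    Where-Object { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.group' }
$groups | Select-Object Id, @{Name="DisplayName";Expression={$_.AdditionalProperties.displayName}} |
    Export-Csv -Path ".\compromised-user-groups.csv" -NoTypeInformation
$groups | ForEach-Object { Remove-MgGroupMemberByRef -GroupId $_.Id -DirectoryObjectId $userId }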

Useful Filters and Properties

# Fragments to combine with the commands above; the -Filter and Select-Object lines are not
# complete commands on their own.

# Common user properties to select. LastSignInDateTime only has a value when SignInActivity was
# requested with -Property (see "User Information Commands"); on a plain Get-MgUser it is empty.
Select-Object DisplayName, UserPrincipalName, AccountEnabled, Department, JobTitle, LastSignInDateTime, CreatedDateTime

# Common group properties to select
Select-Object DisplayName, Description, GroupTypes, SecurityEnabled, MailEnabled

# Date filters (last 30 days). NOTE(review): this builds a bare local date; Graph compares
# createdDateTime in UTC and expects an ISO 8601 timestamp - confirm the short form is accepted
# by your tenant before relying on it in scripts.
-Filter "createdDateTime ge $(((Get-Date).AddDays(-30)).ToString('yyyy-MM-dd'))"

# Multiple conditions filter (server-side AND)
-Filter "department eq 'IT' and accountEnabled eq true"

# Starts with filter
-Filter "startsWith(displayName,'John')"

# Contains filter: 'contains' is not supported in -Filter for users, so use -Search instead.
# -Search is an advanced query and requires -ConsistencyLevel eventual.
Get-MgUser -Search "displayName:John" -ConsistencyLevel eventual

Quick Tips

  • Always use -UserId parameter with email or object ID

  • Use -Filter for server-side filtering (faster than Where-Object)

  • Add -All parameter to get all results (default is first 100)

  • Use Select-Object to limit returned properties for better performance

  • Object IDs are required for most management operations

  • Use try/catch blocks for error handling in scripts

  • Test commands with -WhatIf parameter when available
