Microsoft 365 PowerShell Commands
Microsoft 365 and Microsoft Entra ID (formerly Azure AD) can be managed entirely from PowerShell. This document lists the cmdlets that are most useful for domain federation and Single Sign-On.
The Microsoft.Entra module, which these cmdlets require (it pulls in the Microsoft Graph PowerShell SDK that provides the Mg* cmdlets used below), is installed when the UserLock SSO assistant is launched for the first time.
Connect to Microsoft 365 services
The signed-in administrator must be able to grant the delegated permissions listed in the Scopes parameter below (Directory.AccessAsUser.All is a delegated-only scope: the session acts with the administrator's own directory rights, so use a dedicated admin account, not a shared one).
Connect-MgGraph -Scopes "Domain.ReadWrite.All","User.ReadWrite.All","Directory.ReadWrite.All","Directory.AccessAsUser.All"
Domain Management
Display domain settings
Get-MgDomain -DomainId domain.com
Display domain federation settings
Get-MgDomainFederationConfiguration -DomainId domain.com
Federate a domain with UserLock SSO
- Get the signing certificate data and store it in a PowerShell variable:
$response = Invoke-RestMethod -Uri "https://<userlockssourl>/api/infos/certificate" -Method GET
$certData = $response.currentCertificate.rawCertificate
- Run the following command (a single cmdlet, split across lines with backtick continuations):
New-MgDomainFederationConfiguration -DomainId domain.com -IssuerUri https://<userlockssourl>/domain.com `
    -PassiveSignInUri https://<userlockssourl>/saml/sso -SignOutUri https://<userlockssourl>/connect/endsession `
    -SigningCertificate $certData -FederatedIdpMfaBehavior 'acceptIfMfaDoneByFederatedIdp' `
    -IsSignedAuthenticationRequestRequired -PreferredAuthenticationProtocol saml
Note that -FederatedIdpMfaBehavior 'acceptIfMfaDoneByFederatedIdp' makes Microsoft Entra ID trust the MFA claim asserted by UserLock SSO, so a Conditional Access policy requiring MFA is satisfied by the MFA performed at the federated IdP. -IsSignedAuthenticationRequestRequired makes Entra ID sign its SAML authentication requests, which the IdP can then verify.
Cancel federation
Update-MgDomain -DomainId domain.com -AuthenticationType Managed
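The following script is an added example (not code from the UserLock documentation or product) that ties the federation and cancellation steps above together: it fetches the signing certificate, inspects it before trusting it, creates the federation configuration, reads it back from Microsoft Entra ID to verify that the domain is now federated with the same certificate, and shows the rollback command. The host name and domain are placeholders; the /api/infos/certificate endpoint and the currentCertificate.rawCertificate field are taken from the page and are assumed to return the certificate as base64-encoded DER, which is the form SigningCertificate expects.

```powershell
# Added example, not part of the UserLock documentation.
# Assumptions: $SsoHost and $DomainId are placeholders; rawCertificate is base64 DER.
param(
    [string]$SsoHost  = 'sso.example.com',   # assumption: UserLock SSO host name
    [string]$DomainId = 'domain.com'         # verified Entra ID domain to federate
)

# Domain.ReadWrite.All is sufficient for the federation cmdlets used here.
Connect-MgGraph -Scopes 'Domain.ReadWrite.All'

# 1. Fetch the IdP signing certificate over HTTPS and inspect it before trusting it.
$response = Invoke-RestMethod -Uri "https://$SsoHost/api/infos/certificate" -Method GET
$certData = $response.currentCertificate.rawCertificate
$idpCert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
    [Convert]::FromBase64String($certData))
Write-Host "IdP signing certificate: $($idpCert.Subject), thumbprint $($idpCert.Thumbprint), expires $($idpCert.NotAfter)"
if ($idpCert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning 'Signing certificate expires within 30 days; plan the rotation now.'
}

# 2. Create the federation configuration with the same parameters the page uses.
$params = @{
    DomainId                              = $DomainId
    IssuerUri                             = "https://$SsoHost/$DomainId"
    PassiveSignInUri                      = "https://$SsoHost/saml/sso"
    SignOutUri                            = "https://$SsoHost/connect/endsession"
    SigningCertificate                    = $certData
    FederatedIdpMfaBehavior               = 'acceptIfMfaDoneByFederatedIdp'
    IsSignedAuthenticationRequestRequired = $true
    PreferredAuthenticationProtocol       = 'saml'
}
New-MgDomainFederationConfiguration @params | Out-Null

# 3. Read the configuration back and verify what Entra ID actually stored:
#    the domain must be Federated and the stored certificate must match the one fetched.
$domainInfo = Get-MgDomain -DomainId $DomainId
$fed        = Get-MgDomainFederationConfiguration -DomainId $DomainId
$storedCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
    [Convert]::FromBase64String($fed.SigningCertificate))
if ($domainInfo.AuthenticationType -ne 'Federated' -or
    $storedCert.Thumbprint -ne $idpCert.Thumbprint -or
    $fed.IssuerUri -ne "https://$SsoHost/$DomainId") {
    throw "Federation verification failed for $DomainId"
}
Write-Host "$DomainId is federated with $($fed.IssuerUri) (certificate $($storedCert.Thumbprint))"

# Rollback: return the domain to managed authentication (same command as 'Cancel federation').
# Update-MgDomain -DomainId $DomainId -AuthenticationType Managed
```

Comparing thumbprints after the read-back catches a truncated or mis-encoded certificate value, which would otherwise only surface as failed sign-ins once the domain is federated. Keep the rollback command at hand before testing: while the domain is federated, every sign-in for that domain depends on UserLock SSO being reachable.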
Users Management
Display user information
Get-MgUser -UserId user@domain.com -Property Mail,DisplayName,GivenName,Surname,UserPrincipalName,OnPremisesImmutableId | Select-Object Mail, DisplayName, GivenName, Surname, UserPrincipalName, OnPremisesImmutableId
Synchronize a user
Important note on Microsoft Entra Connect service management
By default, the Microsoft Entra Connect application handles synchronization automatically. Perform the steps below only if manual intervention is required.
Prerequisite
Before proceeding, temporarily stop the Microsoft Entra Connect synchronization service:
- Launch the Microsoft Entra Connect application (in most cases, this automatically pauses the synchronization scheduler).
- Verify the service status: make sure no synchronization cycle is running before performing the manual operations below.
Create the user in the default domain (xxx.onmicrosoft.com)
$immutableId = [convert]::ToBase64String((Get-ADUser -Identity <samAccountName> | Select-Object -ExpandProperty ObjectGUID).ToByteArray())
$PasswordProfile = @{
Password = 'MySuperStrongPassword'
ForceChangePasswordNextSignIn = $false
}
New-MgUser -UserPrincipalName newuser@office365domain.onmicrosoft.com -DisplayName '<Firstname> <Lastname>' -OnPremisesImmutableId $immutableId -PasswordProfile $PasswordProfile -AccountEnabled -MailNickname <Nickname>
Move the user to the federated domain:
Update-MgUser -UserId newuser@office365domain.onmicrosoft.com -UserPrincipalName newuser@domain.com
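The following script is an added example (not code from the UserLock documentation or product) that performs the whole manual procedure above in one run: it pauses the Microsoft Entra Connect scheduler and waits for any running cycle, computes the immutable ID from the on-premises objectGUID exactly as the page does, creates the cloud user with a random password instead of a hard-coded one, moves it to the federated domain, verifies the result, and always re-enables the scheduler. It assumes the ActiveDirectory and ADSync modules are available on the machine it runs on (the ADSync module is installed with Microsoft Entra Connect), that Entra Connect uses objectGUID, or mS-DS-ConsistencyGuid seeded from it, as the source anchor, and the account name and domain values are placeholders.

```powershell
# Added example, not part of the UserLock documentation.
# Assumptions: runs on the Entra Connect server with the ActiveDirectory RSAT module;
# $SamAccountName, $TenantDomain and $FederatedDomain are placeholders.
param(
    [string]$SamAccountName  = 'jdoe',                              # assumption
    [string]$TenantDomain    = 'office365domain.onmicrosoft.com',   # default tenant domain
    [string]$FederatedDomain = 'domain.com'                         # federated domain
)

Import-Module ActiveDirectory
Import-Module ADSync
Connect-MgGraph -Scopes 'User.ReadWrite.All'

# 1. Pause the Entra Connect scheduler and wait until no cycle is in progress,
#    so the manual object creation cannot race a scheduled export.
Set-ADSyncScheduler -SyncCycleEnabled $false
while ((Get-ADSyncScheduler).SyncCycleInProgress) { Start-Sleep -Seconds 10 }

try {
    # 2. Source anchor: base64 of the AD objectGUID, as the page computes it.
    $adUser = Get-ADUser -Identity $SamAccountName -Properties DisplayName, GivenName, Surname
    $immutableId = [Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())

    # 3. Random cloud password. The user authenticates through UserLock SSO, so this
    #    password is never typed, but it must still not be a shared or guessable value.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $passwordProfile = @{
        Password                      = [Convert]::ToBase64String($bytes) + 'aZ1!'  # guarantees all character classes
        ForceChangePasswordNextSignIn = $false
    }

    # 4. Create the user in the default domain, then move it to the federated domain.
    $newUser = New-MgUser -UserPrincipalName "$SamAccountName@$TenantDomain" `
        -DisplayName $adUser.DisplayName -GivenName $adUser.GivenName -Surname $adUser.Surname `
        -OnPremisesImmutableId $immutableId -PasswordProfile $passwordProfile `
        -AccountEnabled -MailNickname $SamAccountName
    Update-MgUser -UserId $newUser.Id -UserPrincipalName "$SamAccountName@$FederatedDomain"

    # 5. Verify: UPN is in the federated domain and the anchor matches the AD objectGUID,
    #    otherwise Entra Connect will not match this cloud object to the on-premises user.
    $check = Get-MgUser -UserId $newUser.Id -Property UserPrincipalName, OnPremisesImmutableId
    if ($check.UserPrincipalName -ne "$SamAccountName@$FederatedDomain" -or
        $check.OnPremisesImmutableId -ne $immutableId) {
        throw "Verification failed for $SamAccountName"
    }
    Write-Host "Created $($check.UserPrincipalName) with OnPremisesImmutableId $($check.OnPremisesImmutableId)"
}
finally {
    # 6. Always resume the scheduler, even on failure, so the tenant does not silently stop syncing.
    Set-ADSyncScheduler -SyncCycleEnabled $true
}
```

The try/finally is the important part: a script that throws after pausing the scheduler leaves the tenant out of sync until someone notices, which is a quieter failure than the one it was meant to avoid. After the next synchronization cycle, the cloud object should show as synced from on-premises and the immutable ID should still equal the value computed here.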
Unlock an account (Microsoft Entra Domain Services only)
Unlocking an account is not possible using Microsoft Entra Domain Services.