UserLock Documentation

Microsoft 365 PowerShell Commands

Microsoft 365 and Microsoft Entra ID (formerly Azure AD) can be managed entirely from PowerShell. This document collects several useful cmdlets for domain federation and Single Sign-On.

The Microsoft.Entra module, which these cmdlets require, is installed when the UserLock SSO assistant is launched for the first time.

Connect to Microsoft 365 services

The administrator must hold the permissions listed in the Scopes parameter below.

Connect-MgGraph -Scopes "Domain.ReadWrite.All User.ReadWrite.All Directory.ReadWrite.All Directory.AccessAsUser.All"

Domain Management

Display domain settings

Get-MgDomain -DomainId domain.com

Display domain federation settings

Get-MgDomainFederationConfiguration -DomainId domain.com

Federate a domain with UserLock SSO

  1. Get the signing certificate data and store it in a PowerShell variable:
     $response = Invoke-RestMethod -Uri "https://<userlockssourl>/api/infos/certificate" -Method GET
     $certData = $response.currentCertificate.rawCertificate
  2. Run the following command (the trailing backticks are PowerShell line continuations):
     New-MgDomainFederationConfiguration -DomainId domain.com -IssuerUri https://<userlockssourl>/domain.com `
         -PassiveSignInUri https://<userlockssourl>/saml/sso -SignOutUri https://<userlockssourl>/connect/endsession `
         -SigningCertificate $certData -FederatedIdpMfaBehavior 'acceptIfMfaDoneByFederatedIdp' `
         -IsSignedAuthenticationRequestRequired -PreferredAuthenticationProtocol saml
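The two steps above, as an added example script that is not part of the UserLock documentation: it refuses to overwrite an existing federation, inspects the fetched signing certificate (thumbprint and expiry) before using it, and reads the configuration back to confirm Entra ID stored the same certificate. $ssoHost and $domain are placeholders, and rawCertificate is assumed to be base64 DER, as the -SigningCertificate parameter expects.

```powershell
# Added example, not from the UserLock documentation. $ssoHost and $domain are placeholders.
param(
    [string]$ssoHost = "sso.example.com",   # placeholder UserLock SSO host name
    [string]$domain  = "domain.com"         # placeholder federated domain
)

Connect-MgGraph -Scopes "Domain.ReadWrite.All Directory.AccessAsUser.All"

# 1. Never replace an existing federation silently: a changed issuer or certificate
#    would redirect every sign-in for the domain to a different identity provider.
$d = Get-MgDomain -DomainId $domain
if ($d.AuthenticationType -eq 'Federated') {
    $existing = Get-MgDomainFederationConfiguration -DomainId $domain
    throw "$domain is already federated with issuer $($existing.IssuerUri). Run Update-MgDomain -AuthenticationType Managed first if you intend to replace it."
}

# 2. Fetch the signing certificate over HTTPS only and inspect it before trusting it.
$response = Invoke-RestMethod -Uri "https://$ssoHost/api/infos/certificate" -Method GET
$certData = $response.currentCertificate.rawCertificate     # assumed base64 DER
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($certData))
Write-Host "Signing certificate: $($cert.Subject), thumbprint $($cert.Thumbprint), expires $($cert.NotAfter)"
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    throw "Signing certificate expires within 30 days; rotate it in UserLock before federating."
}

# 3. Federate with the same parameters as the documented command.
New-MgDomainFederationConfiguration -DomainId $domain -IssuerUri "https://$ssoHost/$domain" `
    -PassiveSignInUri "https://$ssoHost/saml/sso" -SignOutUri "https://$ssoHost/connect/endsession" `
    -SigningCertificate $certData -FederatedIdpMfaBehavior 'acceptIfMfaDoneByFederatedIdp' `
    -IsSignedAuthenticationRequestRequired -PreferredAuthenticationProtocol saml

# 4. Read the configuration back and confirm the stored certificate is the one we fetched.
$stored = Get-MgDomainFederationConfiguration -DomainId $domain
$storedCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($stored.SigningCertificate))
if ($storedCert.Thumbprint -ne $cert.Thumbprint) {
    throw "Stored thumbprint $($storedCert.Thumbprint) does not match fetched thumbprint $($cert.Thumbprint)."
}
Write-Host "Federation of $domain verified: issuer $($stored.IssuerUri), thumbprint $($storedCert.Thumbprint)"
```

Keep the printed thumbprint with your change records; comparing it against Get-MgDomainFederationConfiguration output later is a quick way to detect an unexpected change to the federation trust.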

Cancel federation

Update-MgDomain -DomainId domain.com -AuthenticationType Managed

Users Management

Display user information

Get-MgUser -UserId user@domain.com -Property "Mail, DisplayName, GivenName, Surname, UserPrincipalName, OnPremisesImmutableId" | select Mail, DisplayName, GivenName, Surname, UserPrincipalName, OnPremisesImmutableId

Synchronize a user

Important Note on Microsoft Entra Connect Service Management

By default, the Microsoft Entra Connect application automatically handles synchronization operations. The steps below should only be performed if you require manual intervention.

Prerequisite

Before proceeding, you must temporarily stop the Microsoft Entra Connect synchronization service:

  1. Launch the Microsoft Entra Connect application
    (In most cases, this action automatically pauses synchronization processes)
  2. Verify service status
    Ensure no active synchronization cycles are running before proceeding with manual operations

Create the user in the default domain (xxx.onmicrosoft.com)

$immutableId = [convert]::ToBase64String((Get-ADUser -Identity <samAccountName> | Select-Object -ExpandProperty ObjectGUID).ToByteArray())
$PasswordProfile = @{
Password = 'MySuperStrongPassword'
ForceChangePasswordNextSignIn = $false
}
New-MgUser -UserPrincipalName newuser@office365domain.onmicrosoft.com -DisplayName '<Firstname> <Lastname>' -OnPremisesImmutableId $immutableId -PasswordProfile $PasswordProfile -AccountEnabled -MailNickname <Nickname>

Move the user to the federated domain:

Update-MgUser -UserId newuser@office365domain.onmicrosoft.com -UserPrincipalName newuser@domain.com

Unlock an account (Microsoft Entra Domain Services only)

Unlocking an account is not possible using Microsoft Entra Domain Services.