The Microsoft Graph PowerShell SDK
Av Emil Björk · Microsoft-ekosystemskonsult, Göteborg
Microsoft Graph PowerShell is the modern way to script Microsoft 365 administration. Here's the basics.
For years, Microsoft 365 administrators had separate PowerShell modules for each service: AzureAD, MSOnline, ExchangeOnlineManagement, MicrosoftTeams, Microsoft.Online.SharePoint.PowerShell, PnP.PowerShell. Some still exist, but the strategic direction is the unified Microsoft Graph PowerShell SDK — a single set of cmdlets that talk to the Graph API.
Why Graph PowerShell
- Single module covers most of what the older per-service modules did.
- Cross-platform — runs on Windows PowerShell, PowerShell 7 on Mac and Linux.
- Modern authentication — supports interactive sign-in, certificate-based auth, managed identity, and client credentials without extra plumbing.
- Aligns with the Graph API — what you can do in the cmdlets matches what you can do via REST.
- Active investment — older modules (
AzureAD,MSOnline) are deprecated or in maintenance.
Getting started
Install-Module Microsoft.Graph -Scope CurrentUser
Connect-MgGraph -Scopes "User.Read.All","Group.Read.All"
Get-MgUser -Top 10
Get-MgGroup -Filter "displayName eq 'Marketing'"
Disconnect-MgGraph
Sign-in uses your normal Microsoft 365 admin account with MFA. The first time you sign in for a given scope, the SDK prompts for consent.
Cmdlet shape
Cmdlets follow a <Verb>-Mg<Noun> pattern:
Get-MgUser,New-MgUser,Update-MgUser,Remove-MgUser.Get-MgGroup,Add-MgGroupMember,Remove-MgGroupMember.Get-MgUserMessage,Send-MgUserMail.Get-MgDeviceManagementManagedDevice(Intune).
Sub-modules let you install only what you need: Microsoft.Graph.Users, Microsoft.Graph.Groups, Microsoft.Graph.Mail, Microsoft.Graph.Identity.SignIns — useful for keeping the install footprint small.
Service-specific modules that still matter
A few modules remain non-Graph for now:
- ExchangeOnlineManagement — still the right module for Exchange-specific work (mail flow rules, mailbox settings, retention).
- MicrosoftTeams — Teams-specific configuration that hasn't fully landed in Graph yet.
- PnP.PowerShell — community/Microsoft-supported, great for SharePoint deep work.
Graph PowerShell handles the broad cases; reach for the others for service-specific deep configuration.
Production patterns
- Use certificate-based authentication for unattended scripts. App registration in Entra ID + certificate + appropriate Graph permissions.
- Use managed identities when the script runs on Azure compute (VM, Function, Logic App).
- Audit script identities — service principals with Graph permissions show up in your enterprise apps list. Review them like any other app.
- Avoid running scripts as a Global Admin user — that's a Conditional Access mess waiting to happen.
The transition from old modules to Graph PowerShell is well underway. New automation should start there; existing scripts should be migrated over time as their owners touch them.