Browse all topics

The Microsoft Graph PowerShell SDK

Av Emil Björk · Microsoft-ekosystemskonsult, Göteborg

Microsoft Graph PowerShell is the modern way to script Microsoft 365 administration. Here's the basics.

For years, Microsoft 365 administrators had separate PowerShell modules for each service: AzureAD, MSOnline, ExchangeOnlineManagement, MicrosoftTeams, Microsoft.Online.SharePoint.PowerShell, PnP.PowerShell. Some still exist, but the strategic direction is the unified Microsoft Graph PowerShell SDK — a single set of cmdlets that talk to the Graph API.

Why Graph PowerShell

  • Single module covers most of what the older per-service modules did.
  • Cross-platform — runs on Windows PowerShell, PowerShell 7 on Mac and Linux.
  • Modern authentication — supports interactive sign-in, certificate-based auth, managed identity, and client credentials without extra plumbing.
  • Aligns with the Graph API — what you can do in the cmdlets matches what you can do via REST.
  • Active investment — older modules (AzureAD, MSOnline) are deprecated or in maintenance.

Getting started

Install-Module Microsoft.Graph -Scope CurrentUser
Connect-MgGraph -Scopes "User.Read.All","Group.Read.All"
Get-MgUser -Top 10
Get-MgGroup -Filter "displayName eq 'Marketing'"
Disconnect-MgGraph

Sign-in uses your normal Microsoft 365 admin account with MFA. The first time you sign in for a given scope, the SDK prompts for consent.

Cmdlet shape

Cmdlets follow a <Verb>-Mg<Noun> pattern:

  • Get-MgUser, New-MgUser, Update-MgUser, Remove-MgUser.
  • Get-MgGroup, Add-MgGroupMember, Remove-MgGroupMember.
  • Get-MgUserMessage, Send-MgUserMail.
  • Get-MgDeviceManagementManagedDevice (Intune).

Sub-modules let you install only what you need: Microsoft.Graph.Users, Microsoft.Graph.Groups, Microsoft.Graph.Mail, Microsoft.Graph.Identity.SignIns — useful for keeping the install footprint small.

Service-specific modules that still matter

A few modules remain non-Graph for now:

  • ExchangeOnlineManagement — still the right module for Exchange-specific work (mail flow rules, mailbox settings, retention).
  • MicrosoftTeamsTeams-specific configuration that hasn't fully landed in Graph yet.
  • PnP.PowerShell — community/Microsoft-supported, great for SharePoint deep work.

Graph PowerShell handles the broad cases; reach for the others for service-specific deep configuration.

Production patterns

  • Use certificate-based authentication for unattended scripts. App registration in Entra ID + certificate + appropriate Graph permissions.
  • Use managed identities when the script runs on Azure compute (VM, Function, Logic App).
  • Audit script identities — service principals with Graph permissions show up in your enterprise apps list. Review them like any other app.
  • Avoid running scripts as a Global Admin user — that's a Conditional Access mess waiting to happen.

The transition from old modules to Graph PowerShell is well underway. New automation should start there; existing scripts should be migrated over time as their owners touch them.