The Microsoft Graph PowerShell SDK
Microsoft Graph PowerShell is the modern way to script Microsoft 365 administration. Here are the basics.
For years, Microsoft 365 administrators had separate PowerShell modules for each service: AzureAD, MSOnline, ExchangeOnlineManagement, MicrosoftTeams, Microsoft.Online.SharePoint.PowerShell, PnP.PowerShell. Some still exist, but the strategic direction is the unified Microsoft Graph PowerShell SDK — a single set of cmdlets that talk to the Graph API.
Why Graph PowerShell
- Single module covers most of what the older per-service modules did.
- Cross-platform — runs on Windows PowerShell and on PowerShell 7 on Mac and Linux.
- Modern authentication — supports interactive sign-in, certificate-based auth, managed identity, and client credentials without extra plumbing.
- Aligns with the Graph API — what you can do in the cmdlets matches what you can do via REST.
- Active investment — older modules (AzureAD, MSOnline) are deprecated or in maintenance.
Getting started
Install-Module Microsoft.Graph -Scope CurrentUser
Connect-MgGraph -Scopes "User.Read.All","Group.Read.All"
Get-MgUser -Top 10
Get-MgGroup -Filter "displayName eq 'Marketing'"
Disconnect-MgGraph
Sign-in uses your normal Microsoft 365 admin account with MFA. The first time you sign in for a given scope, the SDK prompts for consent.
Cmdlet shape
Cmdlets follow a <Verb>-Mg<Noun> pattern:
- Get-MgUser, New-MgUser, Update-MgUser, Remove-MgUser.
- Get-MgGroup, Add-MgGroupMember, Remove-MgGroupMember.
- Get-MgUserMessage, Send-MgUserMail.
- Get-MgDeviceManagementManagedDevice (Intune).
Sub-modules let you install only what you need: Microsoft.Graph.Users, Microsoft.Graph.Groups, Microsoft.Graph.Mail, Microsoft.Graph.Identity.SignIns — useful for keeping the install footprint small.
Service-specific modules that still matter
A few modules remain non-Graph for now:
- ExchangeOnlineManagement — still the right module for Exchange-specific work (mail flow rules, mailbox settings, retention).
- MicrosoftTeams — Teams-specific configuration that hasn't fully landed in Graph yet.
- PnP.PowerShell — community/Microsoft-supported, great for SharePoint deep work.
Graph PowerShell handles the broad cases; reach for the others for service-specific deep configuration.
Production patterns
- Use certificate-based authentication for unattended scripts. This needs an app registration in Entra ID, a certificate, and the appropriate Graph permissions.
- Use managed identities when the script runs on Azure compute (VM, Function, Logic App).
- Audit script identities — service principals with Graph permissions show up in your enterprise apps list. Review them like any other app.
- Avoid running scripts as a Global Admin user — that's a Conditional Access mess waiting to happen.
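The "audit script identities" pattern above, as an added example (not code from this article or from Microsoft): it lists each service principal that holds application permissions on Microsoft Graph and flags those on a watchlist. The watchlist contents, the function names and the sample data are assumptions for illustration; the live path uses Get-MgServicePrincipal and Get-MgServicePrincipalAppRoleAssignedTo from the Microsoft.Graph.Applications sub-module.

```powershell
# Added example; not the article's or Microsoft's code. Watchlist below is an assumption.
$HighRisk = 'Directory.ReadWrite.All', 'RoleManagement.ReadWrite.Directory',
            'AppRoleAssignment.ReadWrite.All', 'Application.ReadWrite.All'

function Get-GraphAppPermissionReport {
    param(
        [Parameter(Mandatory)] [object[]] $AppRoles,    # AppRoles of the Microsoft Graph service principal
        [Parameter(Mandatory)] [object[]] $Assignments  # its appRoleAssignedTo entries
    )
    # Map each app role GUID to its permission name (for example User.Read.All).
    $roleName = @{}
    foreach ($r in $AppRoles) { $roleName["$($r.Id)"] = $r.Value }

    # One row per script identity, with the application permissions it holds on Graph.
    $Assignments | Group-Object PrincipalId | ForEach-Object {
        $perms = @($_.Group | ForEach-Object {
            $n = $roleName["$($_.AppRoleId)"]
            if ($n) { $n } else { "unknown:$($_.AppRoleId)" }
        } | Sort-Object -Unique)
        [pscustomobject]@{
            Identity    = $_.Group[0].PrincipalDisplayName
            PrincipalId = $_.Name
            Permissions = $perms -join ', '
            HighRisk    = [bool]($perms | Where-Object { $_ -in $HighRisk })
        }
    } | Sort-Object HighRisk -Descending
}

function Get-LiveGraphAppPermissionReport {
    # Needs a session with Application.Read.All, e.g. for an unattended run:
    # Connect-MgGraph -ClientId <app-id> -TenantId <tenant-id> -CertificateThumbprint <thumbprint>
    $graph = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
    $assigned = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graph.Id -All
    Get-GraphAppPermissionReport -AppRoles $graph.AppRoles -Assignments $assigned
}

# Constructed sample input (made-up GUIDs and names) so the report logic runs offline.
$roles = @(
    [pscustomobject]@{ Id = 'aaaaaaaa-0000-0000-0000-000000000001'; Value = 'User.Read.All' }
    [pscustomobject]@{ Id = 'aaaaaaaa-0000-0000-0000-000000000002'; Value = 'Directory.ReadWrite.All' }
)
$sample = @(
    [pscustomobject]@{ PrincipalId = 'p1'; PrincipalDisplayName = 'hr-sync-script'; AppRoleId = $roles[0].Id }
    [pscustomobject]@{ PrincipalId = 'p2'; PrincipalDisplayName = 'legacy-provisioning'; AppRoleId = $roles[0].Id }
    [pscustomobject]@{ PrincipalId = 'p2'; PrincipalDisplayName = 'legacy-provisioning'; AppRoleId = $roles[1].Id }
)
Get-GraphAppPermissionReport -AppRoles $roles -Assignments $sample | Format-Table -AutoSize
```

Against a tenant, call Get-LiveGraphAppPermissionReport after connecting; rows with HighRisk set to True are the identities to review first.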
The transition from old modules to Graph PowerShell is well underway. New automation should start there; existing scripts should be migrated over time as their owners touch them.