Automate with PowerShell: Bulk User Operations
Use Microsoft Graph PowerShell and Microsoft Entra PowerShell for bulk user creation, licence assignment, attribute updates, and operational automation.
Why PowerShell matters at Expert level
Clicking through 200 user accounts in the admin center is not administration. It’s suffering.
At the Expert level, you’re expected to know PowerShell — not because the exam is a coding test, but because real M365 admins automate repetitive tasks. Microsoft Graph PowerShell and Microsoft Entra PowerShell are the two toolsets you need to know. They handle everything from bulk user creation to licence audits to reporting.
The exam won’t ask you to write complex scripts from memory, but it WILL ask: “Which cmdlet does Dev use to…” or “What approach is most efficient for…”
The two PowerShell toolsets
| Feature | Microsoft Graph PowerShell | Microsoft Entra PowerShell |
|---|---|---|
| Module name | Microsoft.Graph | Microsoft.Entra |
| Scope | All Microsoft Graph resources (users, groups, mail, files, devices, etc.) | Microsoft Entra ID focused (users, groups, apps, roles, policies) |
| Replaces | Azure AD PowerShell, MSOnline | Simplifies Graph PowerShell for identity tasks |
| Authentication | Connect-MgGraph | Connect-Entra |
| User creation cmdlet | New-MgUser | New-EntraUser |
| Best for | Broad M365 management and automation | Identity-focused operations |
| Exam relevance | Primary module for bulk operations | Know it exists and when to prefer it |
Exam tip: Deprecated modules
The exam may reference older module names. Key deprecations:
- MSOnline (
Connect-MsolService,Set-MsolUser) — deprecated, replaced by Graph PowerShell - Azure AD PowerShell (
Connect-AzureAD,New-AzureADUser) — deprecated, replaced by Graph/Entra PowerShell
If the exam asks about the “recommended” or “current” approach, always choose Microsoft Graph PowerShell or Microsoft Entra PowerShell. Never select MSOnline or AzureAD cmdlets unless the question specifically asks about legacy compatibility.
Common bulk operations
Connecting and authenticating
Before any operations, connect to Microsoft Graph:
Connect-MgGraph -Scopes "User.ReadWrite.All","Group.ReadWrite.All"This triggers an interactive sign-in and requests the specified permissions. For automated scripts, use a service principal with certificate authentication.
Bulk user creation from CSV
Dev’s typical workflow for onboarding a new client’s 200 users:
- Prepare the CSV — columns: DisplayName, UserPrincipalName, Password, UsageLocation, Department
- Import and create:
Import-Csv users.csv | ForEach-Object {
New-MgUser -DisplayName $_.DisplayName `
-UserPrincipalName $_.UserPrincipalName `
-PasswordProfile @{ Password = $_.Password; ForceChangePasswordNextSignIn = $true } `
-UsageLocation $_.UsageLocation `
-Department $_.Department `
-AccountEnabled:$true
}- Assign licences — using group-based licensing (Module 5) or:
Set-MgUserLicense -UserId "user@domain.com" `
-AddLicenses @(@{SkuId = "your-sku-id"}) `
-RemoveLicenses @()Bulk attribute updates
Update department for 50 users who moved to the new “Digital Innovation” team:
Get-MgUser -Filter "department eq 'IT'" -All |
Where-Object { $_.JobTitle -like '*innovation*' } |
ForEach-Object {
Update-MgUser -UserId $_.Id -Department "Digital Innovation"
}Licence audit report
Generate a report of all licensed users and their assigned plans:
Get-MgUser -All -Property DisplayName,UserPrincipalName,AssignedLicenses |
Where-Object { $_.AssignedLicenses.Count -gt 0 } |
Select-Object DisplayName, UserPrincipalName,
@{N='Licences';E={($_.AssignedLicenses | ForEach-Object { $_.SkuId }) -join ','}} |
Export-Csv "licence-report.csv" -NoTypeInformationDeep dive: Application vs delegated permissions
For automated scripts (scheduled tasks, CI/CD pipelines), use application permissions with a service principal instead of interactive sign-in:
- Register an app in Entra > App registrations
- Grant application permissions (e.g., User.ReadWrite.All)
- Get admin consent — application permissions require admin consent
- Connect with certificate:
Connect-MgGraph -ClientId "app-id" -TenantId "tenant-id" -CertificateThumbprint "thumbprint"The exam may ask: “Dev needs to run a nightly script that updates user attributes without interactive sign-in. What authentication method should he use?” Answer: Application permissions with a certificate-based service principal.
Microsoft Entra PowerShell for identity tasks
The newer Microsoft Entra PowerShell module simplifies common identity operations:
| Operation | Graph PowerShell | Entra PowerShell |
|---|---|---|
| Create user | New-MgUser | New-EntraUser |
| Get user | Get-MgUser | Get-EntraUser |
| Update user | Update-MgUser | Set-EntraUser |
| Get group | Get-MgGroup | Get-EntraGroup |
| Add group member | New-MgGroupMember | Add-EntraGroupMember |
The Entra module uses familiar verb-noun patterns that align more closely with traditional PowerShell conventions, making it easier for admins already comfortable with PowerShell.
Key concepts to remember
Knowledge check
Dev needs to run a nightly automated script that disables user accounts for employees flagged by HR as terminated. The script runs from a server with no interactive sign-in. Which authentication method should Dev use?
Priya needs to generate a report showing all users who have an M365 E5 licence but haven't signed in for 90 days. Which approach is most efficient?
🎬 Video coming soon
Next up: Roles, Role Groups and Workload Permissions — because not every admin should have Global Admin powers.