Get-EntraBetaUser

Gets a user.

Syntax

Get-EntraBetaUser
   [-Filter <String>]
   [-All]
   [-Top <Int32>]
   [-Property <String[]>]
   [<CommonParameters>]
Get-EntraBetaUser
   [-SearchString <String>]
   [-All]
   [-Property <String[]>]
   [<CommonParameters>]
Get-EntraBetaUser
   -UserId <String>
   [-All]
   [-Property <String[]>]
   [<CommonParameters>]

Description

The Get-EntraBetaUser cmdlet gets a user from Microsoft Entra ID.

Examples

Example 1: Get top three users

Connect-Entra -Scopes 'User.Read.All'
Get-EntraBetaUser -Top 3

DisplayName      Id                                   Mail                  UserPrincipalName
-----------      --                                   ----                  -----------------
Angel Brown      cccccccc-2222-3333-4444-dddddddddddd [email protected]    [email protected]
Avery Smith      dddddddd-3333-4444-5555-eeeeeeeeeeee [email protected]    [email protected]
Sawyer Miller    eeeeeeee-4444-5555-6666-ffffffffffff [email protected]   [email protected]

This example demonstrates how to get the top three users from Microsoft Entra ID. You can use -Limit as an alias for -Top.

Example 2: Get a user by ID

Connect-Entra -Scopes 'User.Read.All'
Get-EntraBetaUser -UserId '[email protected]'

DisplayName   Id                                   Mail           UserPrincipalName
-----------   --                                   ----           -----------------
Sawyer Miller bbbbbbbb-1111-2222-3333-cccccccccccc [email protected] [email protected]

This command gets the specified user.

  • -UserId Specifies the ID as a user principal name (UPN) or UserId.

Example 3: Search among retrieved users

Connect-Entra -Scopes 'User.Read.All'
Get-EntraBetaUser -SearchString 'New'

DisplayName        Id                                   Mail UserPrincipalName
-----------        --                                   ---- -----------------
New User88         bbbbbbbb-1111-2222-3333-cccccccccccc      [email protected]
New User           cccccccc-2222-3333-4444-dddddddddddd      [email protected]

This cmdlet gets all users that match the value of SearchString against the first characters in DisplayName or UserPrincipalName.

Example 4: Retrieve user's password policy

Connect-Entra -Scopes 'User.Read.All'
Get-EntraBetaUser -UserId '[email protected]' `
              -Property UserPrincipalName, PasswordPolicies | 
    Select-Object UserPrincipalName, 
                  @{
                      Name = "PasswordNeverExpires"
                      Expression = { $_.PasswordPolicies -contains "DisablePasswordExpiration" }
                  }

userPrincipalName            PasswordNeverExpires
-----------------            --------------------
[email protected]                 True

This example shows how to get a user's password policy. To update it, run Get-EntraBetaUser -UserId [email protected] | Set-EntraBetaUser -PasswordPolicies DisablePasswordExpiration.

Example 5: Per-user MFA report

Connect-Entra -Scopes 'User.Read.All', 'UserAuthenticationMethod.Read.All'
$users = Get-EntraBetaUser -All -Select Id, UserPrincipalName, DisplayName 
Write-Output "Amount of requests within `"fetchAll`": $($users.Count)" 
$usersReport = [System.Collections.ArrayList]::new()
$users | ForEach-Object { 

    $userProperties = @{
        Id                = $_.Id
        DisplayName       = $_.DisplayName
        UserPrincipalName = $_.UserPrincipalName
        PerUserMFAState   = (Get-EntraBetaUserAuthenticationRequirement -UserId $_.Id).PerUserMFAState
    }
    
    [void]$usersReport.Add([PSCustomObject]$userProperties)
} 

$usersReport | Format-Table -AutoSize

UserPrincipalName       DisplayName       PerUserMFAState Id                                    
-----------------       -----------       --------------- --                                    
[email protected]      Angel Brown       enforced        cccccccc-2222-3333-4444-dddddddddddd  
[email protected]      Avery Smith       disabled        dddddddd-3333-4444-5555-eeeeeeeeeeee  
[email protected]     Sawyer Miller     enforced        eeeeeeee-4444-5555-6666-ffffffffffff  
[email protected]   Christie Cline    enabled         bbbbbbbb-1111-2222-3333-cccccccccccc  
[email protected]      Patti Fernandez   disabled        aaaaaaaa-bbbb-cccc-1111-222222222222

This example shows a report of per-user MFA state.

Note: Microsoft recommends using Conditional Access policies and security defaults to manage multi-factor authentication (MFA) instead of relying on legacy per-user MFA.

Example 6: Get a user by userPrincipalName

Connect-Entra -Scopes 'User.Read.All'
Get-EntraBetaUser -Filter "userPrincipalName eq '[email protected]'"

DisplayName   Id                                   Mail UserPrincipalName
-----------   --                                   ---- -----------------
Sawyer Miller cccccccc-2222-3333-4444-dddddddddddd      [email protected]

This command gets the specified user.

Example 7: Get a user by MailNickname

Connect-Entra -Scopes 'User.Read.All'
Get-EntraBetaUser -Filter "startsWith(MailNickname,'Ada')"

DisplayName Id                                   Mail           UserPrincipalName
----------- --                                   ----           -----------------
Mark Adams  bbbbbbbb-1111-2222-3333-cccccccccccc [email protected] [email protected]

In this example, we retrieve all users whose MailNickname starts with Ada.

Example 8: Get SignInActivity of a User

Connect-Entra -Scopes 'User.Read.All','AuditLog.Read.All'
Get-EntraBetaUser -UserId '[email protected]' -Property 'SignInActivity' | Select-Object -Property Id, DisplayName, UserPrincipalName -ExpandProperty 'SignInActivity'

lastNonInteractiveSignInRequestId : bbbbbbbb-1111-2222-3333-aaaaaaaaaaaa
lastSignInRequestId               : cccccccc-2222-3333-4444-dddddddddddd
lastSuccessfulSignInDateTime      : 9/9/2024 1:12:13 PM
lastNonInteractiveSignInDateTime  : 9/9/2024 1:12:13 PM
lastSuccessfulSignInRequestId     : bbbbbbbb-1111-2222-3333-aaaaaaaaaaaa
lastSignInDateTime                : 9/7/2024 9:15:41 AM
id                                : aaaaaaaa-bbbb-cccc-1111-222222222222
displayName                       : Sawyer Miller
userPrincipalName                 : [email protected]

This example demonstrates how to retrieve the SignInActivity of a specific user by selecting a property.
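The same SignInActivity property can drive a stale-account review. The following is an added example, not part of the cmdlet documentation: the function name Find-StaleUser, the 90-day default and the sample objects are assumptions made for illustration.

```powershell
# Added example, not from the Microsoft Entra PowerShell documentation.
# Find-StaleUser and the 90-day default are illustrative assumptions.
function Find-StaleUser {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [int] $InactiveDays = 90,
        [datetime] $Now = (Get-Date).ToUniversalTime()
    )
    process {
        $activity = $User.SignInActivity
        # Take the most recent of the interactive and non-interactive sign-ins.
        # Both are null for an account that has never signed in.
        $last = @($activity.LastSignInDateTime, $activity.LastNonInteractiveSignInDateTime) |
            Where-Object { $_ } | ForEach-Object { [datetime]$_ } |
            Sort-Object -Descending | Select-Object -First 1
        $idle = if ($last) { [int][math]::Floor(($Now - $last).TotalDays) } else { $null }
        if (-not $last -or $idle -ge $InactiveDays) {
            [PSCustomObject]@{
                UserPrincipalName = $User.UserPrincipalName
                LastActivity      = $last
                DaysInactive      = $idle
                Reason            = if ($last) { 'Inactive' } else { 'NeverSignedIn' }
            }
        }
    }
}

# Constructed sample objects shaped like the output in Example 8.
$sample = @(
    [PSCustomObject]@{ UserPrincipalName = 'active@contoso.example'
        SignInActivity = [PSCustomObject]@{ LastSignInDateTime = [datetime]'2024-06-01'
            LastNonInteractiveSignInDateTime = [datetime]'2024-11-20' } }
    [PSCustomObject]@{ UserPrincipalName = 'idle@contoso.example'
        SignInActivity = [PSCustomObject]@{ LastSignInDateTime = [datetime]'2024-05-01'
            LastNonInteractiveSignInDateTime = $null } }
    [PSCustomObject]@{ UserPrincipalName = 'never@contoso.example'; SignInActivity = $null }
)
$sample | Find-StaleUser -Now ([datetime]'2024-12-01') | Format-Table -AutoSize

# Against a tenant, with the scopes used in Example 8:
# Get-EntraBetaUser -Filter "accountEnabled eq true" -All `
#     -Property Id, UserPrincipalName, SignInActivity | Find-StaleUser
```

The first sample account is not reported because its non-interactive sign-in is recent, even though its last interactive sign-in is older than the threshold.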

Example 9: List users with disabled accounts

Connect-Entra -Scopes 'User.Read.All'
Get-EntraBetaUser -Filter "accountEnabled eq false" | Select-Object DisplayName, Id, Mail, UserPrincipalName

DisplayName        Id                                   Mail UserPrincipalName
-----------        --                                   ---- -----------------
New User           cccccccc-2222-3333-4444-dddddddddddd      [email protected]

This example demonstrates how to retrieve all users with disabled accounts.

Example 10: List users based in a specific country

Connect-Entra -Scopes 'User.Read.All'
$usersInCanada = Get-EntraBetaUser -Filter "Country eq 'Canada'"
$usersInCanada | Select-Object Id, DisplayName, UserPrincipalName, OfficeLocation, Country | Format-Table -AutoSize

Id                                   DisplayName   UserPrincipalName         OfficeLocation   Country
--                                   -----------   -----------------         --------------   -------
cccccccc-2222-3333-4444-dddddddddddd  New User     [email protected]        23/2102          Canada

This example demonstrates how to retrieve all users based in Canada.

Example 11: List user count per department

Connect-Entra -Scopes 'User.Read.All'
$departmentCounts = Get-EntraBetaUser -All | Group-Object -Property Department | Select-Object Name, @{Name="MemberCount"; Expression={$_.Count}}
$departmentCounts | Format-Table Name, MemberCount -AutoSize

Name                 MemberCount
----                 -----------
                               7
Engineering                    2
Executive Management           1
Finance                        1
HR                             1

This example demonstrates how to retrieve user count in each department.

Example 12: List disabled users with active licenses

Connect-Entra -Scopes 'User.Read.All'
$disabledUsersWithLicenses = Get-EntraBetaUser -Filter "accountEnabled eq false" -All | Where-Object {
    $null -ne $_.AssignedLicenses -and $_.AssignedLicenses.Count -gt 0
}
$disabledUsersWithLicenses | Select-Object Id, DisplayName, UserPrincipalName, AccountEnabled | Format-Table -AutoSize

Id                                   DisplayName  UserPrincipalName           AccountEnabled
--                                   -----------  -----------------           --------------
cccccccc-2222-3333-4444-dddddddddddd  New User     [email protected]          False

This example demonstrates how to retrieve disabled users with active licenses.

Example 13: Retrieve guest users with active licenses

Connect-Entra -Scopes 'User.Read.All'
$guestUsers = Get-EntraBetaUser -Filter "userType eq 'Guest'" -All
$guestUsersWithLicenses = foreach ($guest in $guestUsers) {
    if ($guest.AssignedLicenses.Count -gt 0) {
        [PSCustomObject]@{
            Id                = $guest.Id
            DisplayName       = $guest.DisplayName
            UserPrincipalName = $guest.UserPrincipalName
            AssignedLicenses  = ($guest.AssignedLicenses | ForEach-Object { $_.SkuId }) -join ", "
        }
    }
}
$guestUsersWithLicenses | Format-Table Id, DisplayName, UserPrincipalName, AssignedLicenses -AutoSize

Id                                   DisplayName   UserPrincipalName                  AssignedLicenses
--                                   -----------   -----------------                  ----------------
cccccccc-2222-3333-4444-dddddddddddd Sawyer Miller sawyerm_gmail.com#EXT#@contoso.com c42b9cae-ea4f-4ab7-9717-81576235ccac

This example demonstrates how to retrieve guest users with active licenses.

Example 14: List users with a specific license

Connect-Entra -Scopes 'User.Read.All'
$skuId = (Get-EntraBetaSubscribedSku | Where-Object { $_.SkuPartNumber -eq 'POWERAPPS_DEV' }).SkuId
Get-EntraBetaUser -Filter "assignedLicenses/any(l:l/skuId eq $skuId)" -Select id, displayName, userPrincipalName, userType, accountEnabled, assignedLicenses |
Select-Object id, displayName, userPrincipalName, userType, accountEnabled | Format-Table -AutoSize

id                                   displayName     userPrincipalName        userType accountEnabled
--                                   -----------     -----------------        -------- --------------
cccccccc-2222-3333-4444-dddddddddddd Angel Brown     [email protected]       Member   True
dddddddd-3333-4444-5555-eeeeeeeeeeee Avery Smith     [email protected]       Member   True

This example demonstrates how to retrieve users with a specific license.

Example 15: Retrieve users without managers

Connect-Entra -Scopes 'User.Read.All'
$allUsers = Get-EntraBetaUser -All
$usersWithoutManagers = foreach ($user in $allUsers) {
    $manager = Get-EntraBetaUserManager -ObjectId $user.Id -ErrorAction SilentlyContinue
    if (-not $manager) {
        [PSCustomObject]@{
            Id                = $user.Id
            DisplayName       = $user.DisplayName
            UserPrincipalName = $user.UserPrincipalName
        }
    }
}
$usersWithoutManagers | Format-Table Id, DisplayName, UserPrincipalName -AutoSize

Id                                   DisplayName     UserPrincipalName
--                                   -----------     -----------------
cccccccc-2222-3333-4444-dddddddddddd  New User       [email protected]
bbbbbbbb-1111-2222-3333-cccccccccccc  Sawyer Miller  [email protected]

This example demonstrates how to retrieve users without managers.

Example 16: List all guest users

Connect-Entra -Scopes 'User.Read.All'
$guestUsers = Get-EntraBetaUser -Filter "userType eq 'Guest'" -All
$guestUsers | Select-Object DisplayName, UserPrincipalName, Id, createdDateTime, creationType, accountEnabled, UserState | Format-Table -AutoSize

DisplayName     UserPrincipalName                                 Id                                   CreatedDateTime       CreationType   AccountEnabled  UserState
-----------     -----------------                                 --                                   ---------------       ------------   --------------  ---------
Sawyer Miller   sawyerm_gmail.com#EXT#@contoso.com                bbbbbbbb-1111-2222-3333-cccccccccccc 9/13/2024 6:37:33 PM  Invitation     True            Accepted

This example demonstrates how to list all guest users.

Example 17: List five recently created users

Connect-Entra -Scopes 'User.Read.All'
Get-EntraBetaUser -All | Sort-Object -Property createdDateTime -Descending | Select-Object -First 5

DisplayName       Id                                   Mail                  UserPrincipalName     
-----------       --                                   ----                  -----------------     
Angel Brown       cccccccc-2222-3333-4444-dddddddddddd  [email protected]    [email protected]     
Avery Smith       dddddddd-3333-4444-5555-eeeeeeeeeeee  [email protected]    [email protected]     
Sawyer Miller     eeeeeeee-4444-5555-6666-ffffffffffff  [email protected]   [email protected]    
Christie Cline    bbbbbbbb-1111-2222-3333-cccccccccccc  [email protected] [email protected]  
Patti Fernandez   aaaaaaaa-bbbb-cccc-1111-222222222222  [email protected]    [email protected]

This example shows how to retrieve the recently created users.

Example 18: List of users with Global Administrator role

Connect-Entra -Scopes 'User.Read.All', 'RoleManagement.Read.Directory'
$roleId = Get-EntraBetaDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq 'Global Administrator' } | Select-Object -ExpandProperty Id
$globalAdmins = Get-EntraBetaDirectoryRoleAssignment -Filter "roleDefinitionId eq '$roleId'" | ForEach-Object {
    Get-EntraBetaUser -UserId $_.PrincipalId
}
$globalAdmins | Select-Object Id, DisplayName, UserPrincipalName, CreatedDateTime, AccountEnabled | Format-Table -AutoSize

id                                   displayName   userPrincipalName        createdDateTime          accountEnabled
--                                   -----------   -----------------        ---------------          --------------
cccccccc-2222-3333-4444-dddddddddddd Angel Brown   [email protected]       3/7/2024 12:34:59 AM     True
dddddddd-3333-4444-5555-eeeeeeeeeeee Avery Smith   [email protected]       10/1/2024 9:47:06 AM     True

This example shows how to list all users with a specific role, such as Global Administrator. As a best practice, Microsoft recommends assigning the Global Administrator role to fewer than five people. See best practices.

Example 19: List all Users with revoked sessions in the last 30 Days

Connect-Entra -Scopes 'User.Read.All'
$pastDate = (Get-Date).AddDays(-30).ToUniversalTime()
Get-EntraBetaUser -All | Where-Object { $_.signInSessionsValidFromDateTime -ge $pastDate } |
Select-Object DisplayName, UserPrincipalName, signInSessionsValidFromDateTime

displayName     userPrincipalName      signInSessionsValidFromDateTime
-----------     -----------------      -------------------------------
Angel Brown     [email protected]     03/03/2025 16:13:47
Avery Smith     [email protected]     03/03/2025 16:05:02

This example shows how to list all users with revoked sessions in the last 30 days.

Parameters

-All

List all pages.

Type: System.Management.Automation.SwitchParameter
Position: Named
Default value: False
Required: False
Accept pipeline input: False
Accept wildcard characters: False

-Filter

Specifies an OData v4.0 filter statement. This parameter controls which objects are returned. Details on querying with OData can be found here.

Type: System.String
Position: Named
Default value: None
Required: False
Accept pipeline input: True
Accept wildcard characters: False
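
When a -Filter value comes from a variable, as $skuId does in Example 14, it has to be rendered as a valid OData literal; a single quote inside a string value would otherwise end the literal early and change the expression. The following is an added example, not part of the module: ConvertTo-ODataLiteral is a hypothetical helper, and the UPN and SKU id are constructed placeholder values.

```powershell
# Added example, not part of the Microsoft Entra PowerShell module.
# ConvertTo-ODataLiteral is a hypothetical helper name.
function ConvertTo-ODataLiteral {
    param($Value)
    # Booleans are written lowercase and unquoted (accountEnabled eq false).
    if ($Value -is [bool]) { return $Value.ToString().ToLowerInvariant() }
    # Pass a [guid] only for Guid-typed properties such as skuId in Example 14,
    # which are written unquoted.
    if ($Value -is [guid]) { return $Value.ToString() }
    # Strings are wrapped in single quotes, with any embedded quote doubled.
    return "'" + ([string]$Value).Replace("'", "''") + "'"
}

# Constructed inputs: a UPN containing an apostrophe and a placeholder SKU id.
$upn   = "o'brien@contoso.example"
$skuId = [guid]'00000000-0000-0000-0000-000000000000'

$filters = @(
    "userPrincipalName eq $(ConvertTo-ODataLiteral $upn)"
    "accountEnabled eq $(ConvertTo-ODataLiteral $false)"
    "assignedLicenses/any(l:l/skuId eq $(ConvertTo-ODataLiteral $skuId))"
)
$filters

# Each string can then be passed to the cmdlet, for example:
# Get-EntraBetaUser -Filter $filters[0]
```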

-Property

Specifies properties to be returned.

Type: System.String[]
Aliases: Select
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False

-SearchString

Specifies a search string.

Type: System.String
Position: Named
Default value: None
Required: False
Accept pipeline input: True
Accept wildcard characters: False

-Top

Specifies the maximum number of records to return.

Type: System.Int32
Aliases: Limit
Position: Named
Default value: None
Required: False
Accept pipeline input: True
Accept wildcard characters: False

-UserId

Specifies the ID (as a User Principal Name (UPN) or UserId) of a user in Microsoft Entra ID.

Type: System.String
Aliases: ObjectId, UPN, Identity, UserPrincipalName
Position: Named
Default value: None
Required: True
Accept pipeline input: True
Accept wildcard characters: False