The Microsoft Identity Tools PowerShell module provides various tools for performing enhanced Identity administration activities. It is intended to address more complex business scenarios that can't be met solely with the use of MS Graph PowerShell SDK module.
A collection of cmdlets that use the MS Graph SDK PowerShell module to simplify common tasks for administrators of Azure AD tenants.
The module can be found and installed from the PowerShell gallery at PowerShell Gallery: MSIdentity Tools or can be downloaded from the releases page on this repo.
View the latest list of cmdlets on the cmdlet summary page.
| Command | Synopsys |
|---|---|
| Add-MsIdServicePrincipal | Create service principal for existing application registration |
| Confirm-MsIdJwtTokenSignature | Validate the digital signature for JSON Web Token. |
| ConvertFrom-MsIdAadcAadConnectorSpaceDn | Convert Azure AD connector space object Distinguished Name (DN) in AAD Connect |
| ConvertFrom-MsIdAadcSourceAnchor | Convert Azure AD Connect metaverse object sourceAnchor or Azure AD ImmutableId to sourceGuid. |
| ConvertFrom-MsIdJwtToken | Convert Msft Identity token structure to PowerShell object. |
| ConvertFrom-MsIdSamlMessage | Convert SAML Message structure to PowerShell object. |
| ConvertFrom-MsIdUniqueTokenIdentifier | Convert Azure AD Unique Token Identifier to Request Id. |
| Expand-MsIdJwtTokenPayload | Extract Json Web Token (JWT) payload from JWS structure to PowerShell object. |
| Export-MsIdAppConsentGrantReport | Lists and categorizes privilege for delegated permissions (OAuth2PermissionGrants) and application permissions (AppRoleAssignments). |
| Find-MsIdUnprotectedUsersWithAdminRoles | Find Users with Admin Roles that are not registered for MFA |
| Get-MsIdAdfsSamlToken | Initiates a SAML logon request to and AD FS server to generate log activity and returns the user token. |
| Get-MsIdAdfsSampleApp | Returns the list of availabe sample AD FS relyng party trust applications available in this module. These applications do NOT use real endpoints and are meant to be used as test applications. |
| Get-MsIdAdfsWsFedToken | Initiates a Ws-Fed logon request to and AD FS server to generate log activity and returns the user token. |
| Get-MsIdAdfsWsTrustToken | Initiates a Ws-Trust logon request to and AD FS server to generate log activity and returns the user token. |
| Get-MsIdApplicationIdByAppId | Lookup Application Registration by AppId |
| Get-MsIdAuthorityUri | Build Microsoft Identity Provider Authority URI |
| Get-MsIdAzureIpRange | Get list of IP ranges for Azure |
| Get-MsIdCrossTenantAccessActivity | Gets cross tenant user sign-in activity |
| Get-MsIdGroupWithExpiration | Return groups with an expiration date via lifecycle policy. |
| Get-MsIdGroupWritebackConfiguration | Gets the group writeback configuration for the group ID |
| Get-MsIdHasMicrosoftAccount | Returns true if the user's mail is a Microsoft Account |
| Get-MsIdInactiveSignInUser | Retrieve Users who have not had interactive sign ins since XX days ago |
| Get-MsIdIsViralUser | Returns true if the user's mail domain is a viral (unmanaged) Azure AD tenant. |
| Get-MsIdMsftIdentityAssociation | Parse Microsoft Identity Association Configuration for a Public Domain (such as published apps) |
| Get-MsIdO365Endpoints | Get list of URLs and IP ranges for O365 |
| Get-MsIdOpenIdProviderConfiguration | Parse OpenId Provider Configuration and Keys |
| Get-MsIdProvisioningLogStatistics | Get Statistics for Set of Azure AD Provisioning Logs |
| Get-MsIdSamlFederationMetadata | Parse Federation Metadata |
| Get-MsIdServicePrincipalIdByAppId | Lookup Service Principal by AppId |
| Get-MsIdSigningKeyThumbprint | Get signing keys used by Azure AD. |
| Get-MsIdUnmanagedExternalUser | Returns a list of all the external users in the tenant that are unmanaged (viral users). |
| Get-MsIdUnredeemedInvitedUser | Retrieve Users who have not had interactive sign ins since XX days ago |
| Import-MsIdAdfsSampleApp | Imports a list availabe sample AD FS relyng party trust applications available in this module, the list is created by the Get-MsIdAdfsSampleApps cmdlet. These applications do NOT use real endpoints and are meant to be used as test applications. |
| Import-MsIdAdfsSamplePolicy | Imports the 'MsId Block Off Corp and VPN' sample AD FS access control policy. This policy is meant to be used as test policy. |
| Invoke-MsIdAzureAdSamlRequest | Invoke Saml Request on Azure AD. |
| New-MsIdClientSecret | Generate Random Client Secret for application registration or service principal in Azure AD. |
| New-MsIdSamlRequest | Create New Saml Request. |
| New-MsIdTemporaryUserPassword | Generate Random password for user in Azure AD. |
| New-MsIdWsTrustRequest | Create a WS-Trust request. |
| Reset-MsIdExternalUser | Resets the redemption state of an external user. |
| Resolve-MsIdAzureIpAddress | Lookup Azure IP address for Azure Cloud, Region, and Service Tag. |
| Resolve-MsIdTenant | Resolve TenantId or DomainName to an Azure AD Tenant |
| Revoke-MsIdServicePrincipalConsent | Revoke Existing Consent to an Azure AD Service Principal. |
| Set-MsIdServicePrincipalVisibleInMyApps | Toggles whether application service principals are visible when launching myapplications.microsoft.com (MyApps) |
| Set-MsIdWindowsTlsSettings | Set TLS settings on Windows OS to use more secure TLS protocols. |
| Show-MsIdJwtToken | Show Json Web Token (JWT) decoded in Web Browser using diagnostic web app. |
| Show-MsIdSamlToken | Show Saml Security Token decoded in Web Browser using diagnostic web app. |
| Split-MsIdEntitlementManagementConnectedOrganization | Split elements of a connectedOrganization |
| Test-MsIdAzureAdDeviceRegConnectivity | Test connectivity on Windows OS for Azure AD Device Registration |
| Test-MsIdCBATrustStoreConfiguration | Test & report for common mis-configuration issues with the Entra ID Certificate Trust Store |
| Update-MsIdApplicationSigningKeyThumbprint | Update a Service Princpal's preferredTokenSigningKeyThumbprint to the specified certificate thumbprint |
| Update-MsIdGroupWritebackConfiguration | Update an Azure AD cloud group settings to writeback as an AD on-premises group |
For issues, questions, and feature requests please review the guidance on the Support page for this project for filing issues.
This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.
When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.
This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.
This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft's Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party's policies.