Get-EntraUser

Gets a user.

Syntax

GetQuery (Default)

Get-EntraUser

 [-Filter <String>]
 [-All]
 [-Top <Int32>]
 [-PageSize <Int32>]
 [-Property <String[]>]
 [<CommonParameters>]

GetByValue

Get-EntraUser

 [-SearchString <String>]
 [-All]
 [-Property <String[]>]
 [<CommonParameters>]

GetById

Get-EntraUser

 -UserId <String>
 [-All]
 [-Property <String[]>]
 [<CommonParameters>]

GetFiltered

Get-EntraUser

 [-All]
 [-Top <Int32>]
 [-PageSize <Int32>]
 [-EnabledFilter <String>]
 [-HasErrorsOnly]
 [-LicenseReconciliationNeededOnly]
 [-Synchronized]
 [-UnlicensedUsersOnly]
 [-Property <String[]>]
 [<CommonParameters>]

Description

The Get-EntraUser cmdlet gets a user from Microsoft Entra ID.

Examples

Example 1: Get top three users

Connect-Entra -Scopes 'User.Read.All'
Get-EntraUser -Top 3
DisplayName Id Mail UserPrincipalName
----------- -- ---- -----------------
Angel Brown cccccccc-2222-3333-4444-dddddddddddd AngelB@contoso.com AngelB@contoso.com
Avery Smith dddddddd-3333-4444-5555-eeeeeeeeeeee AveryS@contoso.com AveryS@contoso.com
Sawyer Miller eeeeeeee-4444-5555-6666-ffffffffffff SawyerM@contoso.com SawyerM@contoso.com

This example demonstrates how to get the top three users from Microsoft Entra ID. You can use -Limit as an alias for -Top.

Example 2: Get a user by ID

Connect-Entra -Scopes 'User.Read.All'
Get-EntraUser -UserId 'SawyerM@contoso.com'
DisplayName Id Mail UserPrincipalName
----------- -- ---- -----------------
Sawyer Miller bbbbbbbb-1111-2222-3333-cccccccccccc sawyerm@tenant.com sawyerm@tenant.com

This command gets the specified user.

  • -UserId Specifies the ID as a user principal name (UPN) or UserId.

Example 3: Search among retrieved users

Connect-Entra -Scopes 'User.Read.All'
Get-EntraUser -SearchString 'New'
DisplayName Id Mail UserPrincipalName
----------- -- ---- -----------------
New User88 bbbbbbbb-1111-2222-3333-cccccccccccc demo99@tenant.com
New User cccccccc-2222-3333-4444-dddddddddddd NewUser@tenant.com

This cmdlet gets all users that match the value of SearchString against the first characters in DisplayName or UserPrincipalName.

Example 4: Retrieve user's password policy

Connect-Entra -Scopes 'User.Read.All'
Get-EntraUser -UserId 'SawyerM@contoso.com' `
 -Property UserPrincipalName, PasswordPolicies |
 Select-Object UserPrincipalName,
 @{
 Name = "PasswordNeverExpires"
 Expression = { $_.PasswordPolicies -contains "DisablePasswordExpiration" }
 }
userPrincipalName PasswordNeverExpires
----------------- --------------------
SawyerM@contoso.com True

This example shows how to get a user's password policy. To update it, run Get-EntraUser -UserId SawyerM@contoso.com | Set-EntraUser -PasswordPolicies DisablePasswordExpiration.

Example 5: Per-user MFA report

Connect-Entra -Scopes 'User.Read.All', 'UserAuthenticationMethod.Read.All'
$users = Get-EntraUser -All -Select Id, UserPrincipalName, DisplayName
Write-Output "Amount of requests within `"fetchAll`": $($users.Count)"
$usersReport = [System.Collections.ArrayList]::new()
$users | ForEach-Object {

 $userProperties = @{
 Id = $_.Id
 DisplayName = $_.DisplayName
 UserPrincipalName = $_.UserPrincipalName
 PerUserMFAState = (Get-EntraBetaUserAuthenticationRequirement -UserId $_.Id).PerUserMFAState
 }

 [void]$usersReport.Add([PSCustomObject]$userProperties)
}

$usersReport | Format-Table -AutoSize
UserPrincipalName DisplayName PerUserMFAState Id
----------------- ----------- --------------- --
AngelB@contoso.com Angel Brown enforced cccccccc-2222-3333-4444-dddddddddddd
AveryS@contoso.com Avery Smith disabled dddddddd-3333-4444-5555-eeeeeeeeeeee
SawyerM@contoso.com Sawyer Miller enforced eeeeeeee-4444-5555-6666-ffffffffffff
ChristieC@contoso.com Christie Cline enabled bbbbbbbb-1111-2222-3333-cccccccccccc
PattiF@contoso.com Patti Fernandez disabled aaaaaaaa-bbbb-cccc-1111-222222222222

This example shows a report of per-user MFA state.

Note: Microsoft recommends using Conditional Access policies and security defaults to manage multi-factor authentication (MFA) instead of relying on legacy per-user MFA.

Example 6: Get a user by userPrincipalName

Connect-Entra -Scopes 'User.Read.All'
Get-EntraUser -Filter "userPrincipalName eq 'SawyerM@contoso.com'"
DisplayName Id Mail UserPrincipalName
----------- -- ---- -----------------
Sawyer Miller cccccccc-2222-3333-4444-dddddddddddd SawyerM@contoso.com

This command gets the specified user.

Example 7: Get a user by MailNickname

Connect-Entra -Scopes 'User.Read.All'
Get-EntraUser -Filter "startsWith(MailNickname,'Ada')"
DisplayName Id Mail UserPrincipalName
----------- -- ---- -----------------
Mark Adams bbbbbbbb-1111-2222-3333-cccccccccccc Adams@contoso.com Adams@contoso.com

In this example, we retrieve all users whose MailNickname starts with Ada.

Example 8: Get SignInActivity of a User

Connect-Entra -Scopes 'User.Read.All','AuditLog.Read.All'
Get-EntraUser -UserId 'SawyerM@contoso.com' -Property 'SignInActivity' | Select-Object -Property Id, DisplayName, UserPrincipalName -ExpandProperty 'SignInActivity'
lastNonInteractiveSignInRequestId : bbbbbbbb-1111-2222-3333-aaaaaaaaaaaa
lastSignInRequestId : cccccccc-2222-3333-4444-dddddddddddd
lastSuccessfulSignInDateTime : 9/9/2024 1:12:13 PM
lastNonInteractiveSignInDateTime : 9/9/2024 1:12:13 PM
lastSuccessfulSignInRequestId : bbbbbbbb-1111-2222-3333-aaaaaaaaaaaa
lastSignInDateTime : 9/7/2024 9:15:41 AM
id : aaaaaaaa-bbbb-cccc-1111-222222222222
displayName : Sawyer Miller
userPrincipalName : SawyerM@contoso.com

This example demonstrates how to retrieve the SignInActivity of a specific user by selecting a property.

Example 9: List users with disabled accounts

Connect-Entra -Scopes 'User.Read.All'
Get-EntraUser -Filter "accountEnabled eq false" -All | Select-Object DisplayName, Id, Mail, UserPrincipalName
DisplayName Id Mail UserPrincipalName
----------- -- ---- -----------------
New User cccccccc-2222-3333-4444-dddddddddddd NewUser@tenant.com

This example demonstrates how to retrieve all users with disabled accounts.

Example 10: List users based in a specific country

Connect-Entra -Scopes 'User.Read.All'
$usersInCanada = Get-EntraUser -Filter "Country eq 'Canada'" -All
$usersInCanada | Select-Object Id, DisplayName, UserPrincipalName, OfficeLocation, Country | Format-Table -AutoSize
Id DisplayName UserPrincipalName OfficeLocation Country
-- ----------- ----------------- -------------- -------
cccccccc-2222-3333-4444-dddddddddddd New User NewUser@tenant.com 23/2102 Canada

This example demonstrates how to retrieve all users based in Canada.

Example 11: List user count per department

Connect-Entra -Scopes 'User.Read.All'
$departmentCounts = Get-EntraUser -All | Group-Object -Property Department | Select-Object Name, @{Name="MemberCount"; Expression={$_.Count}}
$departmentCounts | Format-Table Name, MemberCount -AutoSize
Name MemberCount
---- -----------
 7
Engineering 2
Executive Management 1
Finance 1
HR 1

This example demonstrates how to retrieve the user count in each department. Users with no Department value are grouped under an empty name, which is the first row of the output above.

Example 12: List disabled users with active licenses

Connect-Entra -Scopes 'User.Read.All'
$disabledUsersWithLicenses = Get-EntraUser -Filter "accountEnabled eq false" -All | Where-Object {
 $_.AssignedLicenses -ne $null -and $_.AssignedLicenses.Count -gt 0
}
$disabledUsersWithLicenses | Select-Object Id, DisplayName, UserPrincipalName, AccountEnabled | Format-Table -AutoSize
Id DisplayName UserPrincipalName AccountEnabled
-- ----------- ----------------- --------------
cccccccc-2222-3333-4444-dddddddddddd New User NewUser@tenant.com False

This example demonstrates how to retrieve disabled users with active licenses.

Example 13: Retrieve guest users with active licenses

Connect-Entra -Scopes 'User.Read.All'
$guestUsers = Get-EntraUser -Filter "userType eq 'Guest'" -All
$guestUsersWithLicenses = foreach ($guest in $guestUsers) {
 if ($guest.AssignedLicenses.Count -gt 0) {
 [PSCustomObject]@{
 Id = $guest.Id
 DisplayName = $guest.DisplayName
 UserPrincipalName = $guest.UserPrincipalName
 AssignedLicenses = ($guest.AssignedLicenses | ForEach-Object { $_.SkuId }) -join ", "
 }
 }
}
$guestUsersWithLicenses | Format-Table Id, DisplayName, UserPrincipalName, AssignedLicenses -AutoSize
Id DisplayName UserPrincipalName AssignedLicenses
-- ----------- ----------------- ----------------
cccccccc-2222-3333-4444-dddddddddddd Sawyer Miller sawyerm_gmail.com#EXT#@contoso.com c42b9cae-ea4f-4ab7-9717-81576235ccac

This example demonstrates how to retrieve guest users with active licenses.

Example 14: List users with a specific license

Connect-Entra -Scopes 'User.Read.All'
$skuId = (Get-EntraSubscribedSku | Where-Object { $_.SkuPartNumber -eq 'POWERAPPS_DEV' }).SkuId
Get-EntraUser -Filter "assignedLicenses/any(l:l/skuId eq $skuId)" -Select id, displayName, userPrincipalName, userType, accountEnabled, assignedLicenses |
Select-Object id, displayName, userPrincipalName, userType, accountEnabled | Format-Table -AutoSize
id displayName userPrincipalName userType accountEnabled
-- ----------- ----------------- -------- --------------
cccccccc-2222-3333-4444-dddddddddddd Angel Brown AngelB@contoso.com Member True
dddddddd-3333-4444-5555-eeeeeeeeeeee Avery Smith AveryS@contoso.com Member True

This example demonstrates how to retrieve users with a specific license.

Example 15: Retrieve users without managers

Connect-Entra -Scopes 'User.Read.All'
$allUsers = Get-EntraUser -All
$usersWithoutManagers = foreach ($user in $allUsers) {
 $manager = Get-EntraUserManager -ObjectId $user.Id -ErrorAction SilentlyContinue
 if (-not $manager) {
 [PSCustomObject]@{
 Id = $user.Id
 DisplayName = $user.DisplayName
 UserPrincipalName = $user.UserPrincipalName
 }
 }
}
$usersWithoutManagers | Format-Table Id, DisplayName, UserPrincipalName -AutoSize
Id DisplayName UserPrincipalName
-- ----------- -----------------
cccccccc-2222-3333-4444-dddddddddddd New User NewUser@tenant.com
bbbbbbbb-1111-2222-3333-cccccccccccc Sawyer Miller SawyerM@contoso.com

This example demonstrates how to retrieve users without managers.

Example 16: List all guest users

Connect-Entra -Scopes 'User.Read.All'
$guestUsers = Get-EntraUser -Filter "userType eq 'Guest'" -All
$guestUsers | Select-Object DisplayName, UserPrincipalName, Id, createdDateTime, creationType, accountEnabled, UserState | Format-Table -AutoSize
DisplayName UserPrincipalName Id CreatedDateTime CreationType AccountEnabled UserState
----------- ----------------- -- --------------- ------------ -------------- ---------
Sawyer Miller sawyerm_gmail.com#EXT#@contoso.com bbbbbbbb-1111-2222-3333-cccccccccccc 9/13/2024 6:37:33 PM Invitation True Accepted

This example demonstrates how to list all guest users.

Example 17: List five recently created users

Get-EntraUser -All | Sort-Object -Property createdDateTime -Descending | Select-Object -First 5
DisplayName Id Mail UserPrincipalName
----------- -- ---- -----------------
Angel Brown cccccccc-2222-3333-4444-dddddddddddd AngelB@contoso.com AngelB@contoso.com
Avery Smith dddddddd-3333-4444-5555-eeeeeeeeeeee AveryS@contoso.com AveryS@contoso.com
Sawyer Miller eeeeeeee-4444-5555-6666-ffffffffffff SawyerM@contoso.com SawyerM@contoso.com
Christie Cline bbbbbbbb-1111-2222-3333-cccccccccccc ChristieC@contoso.com ChristieC@contoso.com
Patti Fernandez aaaaaaaa-bbbb-cccc-1111-222222222222 PattiF@contoso.com PattiF@contoso.com

This example shows how to retrieve the recently created users.

Example 18: List of users with Global Administrator role

Connect-Entra -Scopes 'User.Read.All', 'RoleManagement.Read.Directory'
$roleId = Get-EntraDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq 'Global Administrator' } | Select-Object -ExpandProperty Id
$globalAdmins = Get-EntraDirectoryRoleAssignment -Filter "roleDefinitionId eq '$roleId'" | ForEach-Object {
 Get-EntraUser -UserId $_.PrincipalId
}
$globalAdmins | Select-Object Id, DisplayName, UserPrincipalName, CreatedDateTime, AccountEnabled | Format-Table -AutoSize
id displayName userPrincipalName createdDateTime accountEnabled
-- ----------- ----------------- --------------- --------------
cccccccc-2222-3333-4444-dddddddddddd Angel Brown AngelB@contoso.com 3/7/2024 12:34:59 AM True
dddddddd-3333-4444-5555-eeeeeeeeeeee Avery Smith AveryS@contoso.com 10/1/2024 9:47:06 AM True

This example shows how to list all users with a specific role, such as Global Administrator. As a best practice, Microsoft recommends assigning the Global Administrator role to fewer than five people.

Example 19: List all users with revoked sessions in the last 30 days

Connect-Entra -Scopes 'User.Read.All'
$pastDate = (Get-Date).AddDays(-30).ToUniversalTime()
Get-EntraUser -All | Where-Object { $_.signInSessionsValidFromDateTime -ge $pastDate } |
Select-Object DisplayName, UserPrincipalName, signInSessionsValidFromDateTime
displayName userPrincipalName signInSessionsValidFromDateTime
----------- ----------------- -------------------------------
Angel Brown AngelB@contoso.com 03/03/2025 16:13:47
Avery Smith AveryS@contoso.com 03/03/2025 16:05:02

This example shows how to list all users whose sessions were revoked in the last 30 days, that is, users whose signInSessionsValidFromDateTime falls within that window.

Parameters

-All

List all pages.

Parameter properties

Type: System.Management.Automation.SwitchParameter
Default value: False
Supports wildcards: False
DontShow: False

-EnabledFilter

Filters users based on the state of their accounts. Valid values are EnabledOnly and DisabledOnly. When specified, the cmdlet adds an accountEnabled constraint to any existing -Filter expression.

Parameter properties

Type: System.String
Default value: None
Supports wildcards: False
DontShow: False
Aliases: None

-Filter

Specifies an OData v4.0 filter statement. This parameter controls which objects are returned. For details on OData query syntax, see the Microsoft Graph documentation on query parameters.

Parameter properties

Type: System.String
Default value: None
Supports wildcards: False
DontShow: False

-HasErrorsOnly

Returns only users that have one or more service provisioning or validation errors (surfaced via the serviceProvisioningErrors collection). Use this switch to quickly identify identities requiring administrative remediation.

Parameter properties

Type: System.Management.Automation.SwitchParameter
Default value: False
Supports wildcards: False
DontShow: False
Aliases: None

-LicenseReconciliationNeededOnly

Returns only users whose service provisioning errors include license-related issues indicating that license reconciliation is needed (for example, insufficient licenses, dependency violations, mutually exclusive plans). Internally the cmdlet matches common license error patterns to narrow the result set.

Parameter properties

Type: System.Management.Automation.SwitchParameter
Default value: False
Supports wildcards: False
DontShow: False
Aliases: None

-PageSize

When -PageSize is specified, the command may make multiple network calls to retrieve data in chunks (pages), continuing until it reaches the limit defined by either -Top or -All, depending on which is used.

Parameter properties

Type: System.Int32
Default value: None
Supports wildcards: False
DontShow: False

-Property

Specifies properties to be returned.

Parameter properties

Type: System.String[]
Default value: None
Supports wildcards: False
DontShow: False
Aliases: Select

-SearchString

Specifies a search string.

Parameter properties

Type: System.String
Default value: None
Supports wildcards: False
DontShow: False

-Synchronized

Returns only users synchronized from on-premises Active Directory (those with onPremisesSyncEnabled eq true). This is useful for distinguishing cloud-only identities from hybrid managed identities.

Parameter properties

Type: System.Management.Automation.SwitchParameter
Default value: False
Supports wildcards: False
DontShow: False
Aliases: None

-Top

Specifies the maximum number of records to return.

Parameter properties

Type: System.Int32
Default value: None
Supports wildcards: False
DontShow: False
Aliases: Limit

-UnlicensedUsersOnly

Returns only users who have no assigned licenses (assignedLicenses count equals 0). This helps identify users that may not yet have the required service access.

Parameter properties

Type: System.Management.Automation.SwitchParameter
Default value: False
Supports wildcards: False
DontShow: False
Aliases: None
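The GetFiltered switches described under -EnabledFilter, -HasErrorsOnly, -LicenseReconciliationNeededOnly and -UnlicensedUsersOnly each answer one hygiene question; the following added example (not part of this reference) runs them together and merges the results into one per-user findings table, so an account that is disabled and still licensed, or has errors and no license, shows up once with every finding listed. The Add-Finding helper and the finding tags are assumptions of this example.

```powershell
# Added example, not from the Get-EntraUser reference: one identity hygiene sweep
# built from the GetFiltered parameter set. Requires User.Read.All.
Connect-Entra -Scopes 'User.Read.All'

# Findings keyed by user object Id so that a user reported by several switches
# is merged into a single row instead of being listed once per switch.
$findings = @{}

function Add-Finding {
    # Hypothetical helper: records $Tag against every user in $Users.
    param([object[]]$Users, [string]$Tag)
    foreach ($u in $Users) {
        if (-not $findings.ContainsKey($u.Id)) {
            $findings[$u.Id] = [PSCustomObject]@{
                UserPrincipalName = $u.UserPrincipalName
                DisplayName       = $u.DisplayName
                Findings          = [System.Collections.Generic.List[string]]::new()
            }
        }
        $findings[$u.Id].Findings.Add($Tag)
    }
}

# Disabled accounts: should carry no licenses or standing access.
Add-Finding -Users (Get-EntraUser -EnabledFilter DisabledOnly -All) -Tag 'Disabled'
# Provisioning or validation errors (serviceProvisioningErrors is non-empty).
Add-Finding -Users (Get-EntraUser -HasErrorsOnly -All) -Tag 'ProvisioningError'
# License errors that need reconciliation (insufficient, dependency, exclusive plans).
Add-Finding -Users (Get-EntraUser -LicenseReconciliationNeededOnly -All) -Tag 'LicenseReconciliation'
# No assigned licenses at all: often accounts that never finished onboarding.
Add-Finding -Users (Get-EntraUser -UnlicensedUsersOnly -All) -Tag 'Unlicensed'

# One row per user, findings joined so the combinations are visible at a glance.
$findings.Values |
    Select-Object UserPrincipalName, DisplayName,
        @{ Name = 'Findings'; Expression = { $_.Findings -join ', ' } } |
    Sort-Object UserPrincipalName |
    Format-Table -AutoSize
```

Rows tagged both Disabled and LicenseReconciliation (or Disabled without Unlicensed) are the ones to review first, since a disabled account should not be consuming or blocking licenses.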

-UserId

Specifies the ID (as a User Principal Name (UPN) or UserId) of a user in Microsoft Entra ID.

Parameter properties

Type: System.String
Default value: None
Supports wildcards: False
DontShow: False
Aliases: ObjectId, UPN, Identity, UserPrincipalName

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
