Updating Azure AD user attributes with PowerShell can be a daunting task, but it's a crucial step in managing your organization's identity and access.
You'll need to have the Azure AD PowerShell module installed on your machine to get started.
First, connect to your Azure AD tenant using the Connect-AzureAD cmdlet. This will authenticate you and allow you to run PowerShell commands against your Azure AD.
Make sure to use the correct Azure AD module version, as described in the article section "Azure AD PowerShell Module Requirements".
User Attributes
User attributes are an essential part of Azure AD user profiles. The user principal name (UPN) is a required property when creating a user, and it should map to the user's email name in the format alias@domain.
The UPN must be a valid Internet-style login name, following the Internet standard RFC 822. It's also worth noting that while the UPN can contain accent characters, they can cause access issues to first-party applications for the user.
There are several attributes that can be updated for a user, including the company name, which can be useful for describing the company that an external user comes from. The company name has a maximum length of 64 characters. Other attributes, such as additional email addresses, can also be updated. These additional email addresses can be a list of strings, such as ['[email protected]', '[email protected]'].
Here are some key attributes that can be updated for a user:
Update User
You can update a user's information in Microsoft Graph using the Update-MgUser cmdlet. This cmdlet allows you to modify various attributes of a user.
To update a user, you'll need to specify the user's Object ID. For example, you can use the PowerShell script in Example 2 to assign custom security attributes to a user, but you'll need to swap out the Object ID with the specific Object ID of the user in your organization.
The Update-MgUser cmdlet supports various attributes, including -AccountEnabled, which can be set to true to enable the account, and -CompanyName, which can be used to describe the company associated with the user.
Here are some supported attributes for the Update-MgUser cmdlet:
Note that the -UserPrincipalName attribute is required when creating a user and must be in the format alias@domain, where domain must be present in the tenant's collection of verified domains.
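The update described above, as an added example that is not part of the original article. It assumes the Microsoft.Graph.Users module, consent to the User.ReadWrite.All delegated scope, and a placeholder Object ID; it reads the user back before and after the change so the write is reviewable.

```powershell
# Added example (not from the original article): update CompanyName and disable sign-in
# for one user, verifying the target before and after the change.
# Assumes Microsoft.Graph.Users is installed and the caller can consent to
# User.ReadWrite.All. The Object ID and company name below are placeholders.
Import-Module Microsoft.Graph.Users

# Least privilege: request only the scope Update-MgUser needs, not Directory.ReadWrite.All.
Connect-MgGraph -Scopes 'User.ReadWrite.All' -NoWelcome

$userId = '00000000-0000-0000-0000-000000000000'   # placeholder Object ID

# Read the current values first so the change is reviewable and reversible.
$before = Get-MgUser -UserId $userId -ErrorAction Stop `
    -Property Id,UserPrincipalName,CompanyName,AccountEnabled
Write-Host "Before: $($before.UserPrincipalName) company='$($before.CompanyName)' enabled=$($before.AccountEnabled)"

# CompanyName is capped at 64 characters; fail early instead of letting Graph reject the call.
$newCompany = 'Contoso Partner Services'   # placeholder value
if ($newCompany.Length -gt 64) { throw 'CompanyName exceeds the 64-character limit' }

# -AccountEnabled is a switch parameter; the :$false form blocks sign-in without deleting the object.
Update-MgUser -UserId $userId -CompanyName $newCompany -AccountEnabled:$false

# Update-MgUser returns nothing on success, so re-read and confirm the write landed.
$after = Get-MgUser -UserId $userId -Property CompanyName,AccountEnabled
if ($after.CompanyName -ne $newCompany -or $after.AccountEnabled) {
    throw 'Update did not apply as expected'
}
Write-Host "After:  company='$($after.CompanyName)' enabled=$($after.AccountEnabled)"
```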
User State Change
User State Change tracks changes to the externalUserState property of an invited (guest) user.
The ExternalUserStateChangeDateTime attribute records the timestamp of the latest change to the externalUserState property. This is useful for auditing, because it shows when an invitation was sent or redeemed, so that changes are properly recorded.
The attribute supports the filter operators eq, ne, NOT, and in, which allows precise filtering and searching of user state changes.
Mail Nickname
The Mail Nickname is the mail alias for the user (the part of the address before the @).
This property must be specified when a user is created; it is a required field.
The maximum length for a Mail Nickname is 64 characters, so keep it concise and clear.
You can filter on Mail Nickname using the operators eq, ne, NOT, ge, le, in, and startsWith. This comes in handy when you need to search or sort users by their Mail Nicknames.
Mail and ID
The mail alias for a user is specified using the MailNickname property, which must be provided when creating a user. It has a maximum length of 64 characters and supports the filters listed above.
You can also update a user by their user principal name (UPN), an Internet-style login name based on the Internet standard RFC 822. The general format is alias@domain, where domain must be present in the tenant's collection of verified domains.
Here's a summary of the properties related to mail and ID:
The UPN is required when a user is created and supports the filter operators eq, ne, NOT, ge, le, in, startsWith, and endsWith.
External User State
The External User State describes the invitation status of external (guest) users in your tenant. For invited users who were added using the invitation API, it can be one of two values: PendingAcceptance or Accepted.
The state is exposed as the ExternalUserState property, which shows the invited user's invitation status.
You can filter the External User State using the operators eq, ne, NOT, and in. This is useful when you need to identify specific users, for example guests who have never redeemed their invitation.
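A review script that uses the ExternalUserState and ExternalUserStateChangeDateTime filters from the two sections above, added here as an example and not taken from the original article. It assumes the Microsoft.Graph.Users module, the User.Read.All scope, and a 30-day review threshold chosen for illustration.

```powershell
# Added example (not from the original article): list invited guests whose invitation is
# still PendingAcceptance and flag those that have sat unredeemed longer than a threshold.
# Assumes Microsoft.Graph.Users and the User.Read.All delegated scope.
Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes 'User.Read.All' -NoWelcome

$staleAfterDays = 30   # assumed review threshold for unredeemed invitations
$now    = (Get-Date).ToUniversalTime()
$cutoff = $now.AddDays(-$staleAfterDays)

# Server-side filter on externalUserState (eq is a supported operator). -ConsistencyLevel eventual
# with -CountVariable opts in to advanced query support; -All follows paging.
$pending = Get-MgUser -All `
    -Filter "userType eq 'Guest' and externalUserState eq 'PendingAcceptance'" `
    -Property Id,UserPrincipalName,Mail,ExternalUserState,ExternalUserStateChangeDateTime,CreatedDateTime `
    -ConsistencyLevel eventual -CountVariable pendingCount

Write-Host "$pendingCount guest invitation(s) still pending acceptance"

# externalUserStateChangeDateTime is the last state change, i.e. when the invite was sent
# (or re-sent). Invitations older than the cutoff are candidates for removal rather than
# being left open indefinitely.
$stale = foreach ($u in $pending) {
    $changed = $u.ExternalUserStateChangeDateTime
    if ($null -eq $changed) { $changed = $u.CreatedDateTime }   # fall back if the timestamp is absent
    if ($changed -lt $cutoff) {
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            InvitedAddress    = $u.Mail
            PendingSince      = $changed
            DaysPending       = [int]($now - $changed).TotalDays
        }
    }
}

$stale | Sort-Object DaysPending -Descending | Format-Table -AutoSize
```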
On Premises Immutable ID
The On Premises Immutable ID is a crucial property for associating an on-premises Active Directory user account to their Azure AD user object.
This property must be specified when creating a new user account in the Graph if you are using a federated domain for the user's userPrincipalName (UPN) property.
The $ and _ characters cannot be used when specifying this property.
It's worth noting that this property is returned only when explicitly requested with $select; it is not included in the default property set.
You can filter this property using various operators, including eq, ne, NOT, ge, le, and in.
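One way to populate this property for a cloud user from its on-premises account (a so-called hard match), added here as an example that is not part of the original article. It assumes the ActiveDirectory and Microsoft.Graph.Users modules, the User.ReadWrite.All scope, and placeholder account names; the value is derived from the on-premises objectGUID as Azure AD Connect does.

```powershell
# Added example (not from the original article): derive OnPremisesImmutableId from the
# on-premises AD account's objectGUID and write it to the matching cloud user.
# Assumes ActiveDirectory and Microsoft.Graph.Users modules; names below are placeholders.
Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Users

$samAccountName = 'jdoe'               # placeholder on-prem account
$upn            = 'jdoe@contoso.com'   # placeholder cloud UPN in a federated domain

# Azure AD Connect uses the base64 encoding of objectGUID's 16 raw bytes as the immutable ID.
function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    return [System.Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

# The directory rejects '$' and '_' in this property. Base64 never contains them, but a
# 16-byte GUID always encodes to 22 base64 characters plus '==', so check that shape too
# in case a value was hand-typed or pasted from elsewhere.
function Test-ImmutableId {
    param([Parameter(Mandatory)][string]$Value)
    return ($Value -notmatch '[\$_]') -and ($Value -match '^[A-Za-z0-9+/]{22}==$')
}

$adUser      = Get-ADUser -Identity $samAccountName   # ObjectGUID is returned by default
$immutableId = ConvertTo-ImmutableId -ObjectGuid $adUser.ObjectGUID
if (-not (Test-ImmutableId $immutableId)) { throw "Invalid immutable ID '$immutableId'" }

Connect-MgGraph -Scopes 'User.ReadWrite.All' -NoWelcome

# Refuse to overwrite a different existing anchor: a wrong match silently re-links identities.
# The property only comes back when requested with -Property ($select).
$cloudUser = Get-MgUser -UserId $upn -Property Id,UserPrincipalName,OnPremisesImmutableId
if ($cloudUser.OnPremisesImmutableId -and $cloudUser.OnPremisesImmutableId -ne $immutableId) {
    throw "User $upn is already anchored to '$($cloudUser.OnPremisesImmutableId)'; not overwriting"
}

Update-MgUser -UserId $cloudUser.Id -OnPremisesImmutableId $immutableId
Write-Host "Set OnPremisesImmutableId for $upn to $immutableId"
```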
Other Mail
You can add extra email addresses to a user's profile in Microsoft Graph, which is useful for things like sending notifications or sharing information. This is done through the "OtherMail" property.
The "OtherMail" property is a list of additional email addresses, and it can contain accent characters. However, using accent characters can cause issues with access to first-party applications for the user.
You can filter the "OtherMail" property using various operators, such as "eq", "NOT", "ge", "le", "in", and "startsWith". This can be useful for searching or sorting through the list of email addresses.
Here are some details about the "OtherMail" property:
UPN or ObjectId
When you need to update a user's information, you'll often come across the terms UPN and ObjectId. The user principal name or object ID of the user to be updated is what the cmdlet uses to locate the target.
The UPN or ObjectId identifies one specific user, ensuring that the correct object is updated.
Both values are unique within the tenant (the ObjectId is a GUID that never changes, while the UPN can be renamed), so either one resolves to exactly one user object.