One-off user creation is fine. Scale, consistency, and future-proofing is better. That’s where Microsoft Graph comes in. In this post, we’ll create Microsoft Entra ID users using PowerShell and Microsoft Graph—with clean, scalable scripting.
Microsoft Graph was introduced in 2015 to unite dozens of fragmented Microsoft APIs—Azure AD, Exchange, SharePoint, Teams—into a single, modern endpoint. It’s now the backbone of identity and data access across Microsoft 365 and Azure services. AzureAD and MSOnline are being phased out in favor of Graph, making it the go-to tool for cloud-native management and automation.
Let’s automate Entra ID user creation using PowerShell and Microsoft Graph—with smart defaults, error handling, and dynamic group assignment. Creating users through the Azure Portal works… until it doesn’t. Once you’re dealing with onboarding, consistency, or dynamic environments, it’s time to automate.
Before we start scripting, make sure you have:
- PowerShell 7+
- Microsoft Graph PowerShell SDK
- Admin permissions to Microsoft Entra ID
Install-Module Microsoft.Graph -Scope CurrentUser
Authenticate:
Connect-MgGraph -Scopes "User.ReadWrite.All", "Group.ReadWrite.All", "Directory.Read.All"
Here’s a reusable PowerShell function that creates a user and adds them to a security group.
function New-SmartUser {
param(
[Parameter(Mandatory)] [string]$DisplayName,
[Parameter(Mandatory)] [string]$UserPrincipalName,
[Parameter(Mandatory)] [string]$Password,
[Parameter(Mandatory)] [string]$Department,
[Parameter()] [string]$GroupName = "Default Users"
)
# Create the user
$user = New-MgUser -AccountEnabled:$true `
-DisplayName $DisplayName `
-MailNickname ($UserPrincipalName.Split("@")[0]) `
-PasswordProfile @{ ForceChangePasswordNextSignIn = $true; Password = $Password } `
-UserPrincipalName $UserPrincipalName `
-Department $Department `
-UsageLocation "US"
Write-Host "User '$($user.DisplayName)' created successfully."
# Find or create the group
$group = Get-MgGroup -Filter "displayName eq '$GroupName'" -ErrorAction SilentlyContinue
if (-not $group) {
$group = New-MgGroup -DisplayName $GroupName `
-MailEnabled:$false -MailNickname:$GroupName.Replace(" ", "") `
-SecurityEnabled:$true -GroupTypes @()
Write-Host "Group '$GroupName' created."
}
# Add user to group
New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id
Write-Host "User added to group '$GroupName'."
}
New-SmartUser -DisplayName "Beast" `
-UserPrincipalName "[email protected]" `
-Password "l1n3arFus1on" `
-Department "R&D" `
-GroupName "Research & Development"
C:\Users\logphile> New-SmartUser -DisplayName "Beast" `
>> -UserPrincipalName "[email protected]" `
>> -Password "P@ssword123!" `
>> -Department "R&D" `
>> -GroupName "Research & Development"
User 'Beast' created successfully.
Group 'Research & Development' created.
User added to group 'Research & Development'.
Log into Entra ID > Users and confirm the user shows up with correct info.
Then check Groups to confirm group creation and membership.
Manual user creation introduces:
- Typos in emails or departments
- Missed group assignments
- No audit trail
- Automated creation ensures:
- Consistency
- Scalability
- Auditability
Plus, you’re scripting against Microsoft Graph—the modern way to manage Microsoft 365.
- Make password generation secure (use New-Guid, or integrate with a vault)
- Add license assignment via New-MgUserLicense
- Export logs or send Teams alerts on creation
- Bundle into a CI pipeline using GitHub Actions or Azure DevOps
Still using the Azure Portal or legacy PowerShell modules like AzureAD or MSOnline? Reasons to change:
| Feature | Portal | Old PowerShell (AzureAD) |
Graph + PowerShell |
|---|---|---|---|
| Automation-ready | ✖️ | ✅ | ✅✅ |
| Modern, supported | ✖️ | ⚠️ Deprecated | ✅✅ |
| Full attribute support | ✖️ | ✖️ | ✅✅ |
| API-level consistency | ✖️ | ✖️ | ✅✅ |
| Fine-grained permissions | ✖️ | ✖️ | ✅✅ |
| Auditable/source-controllable | ✖️ | ✅ | ✅✅ |
| Scalable across tenants | ✖️ | ✅ | ✅✅ |