If you manage Microsoft 365 users, chances are you’ve come across the Get-MgUser cmdlet. This powerful Microsoft Graph PowerShell command helps you fetch detailed information about users in your Microsoft 365 tenant — from their names and departments to licenses, sign-in activities, and more.
In this guide, we’ll walk through what Get-MgUser does, why it’s useful, and how to use it effectively, then show real-world examples and two scripts (bulk password reset and account disable) that can make your admin life easier.
The Get-MgUser cmdlet is part of the Microsoft Graph PowerShell module, which allows administrators to interact with Microsoft 365 services using Graph API endpoints.
Simply put, it retrieves information about one or more users from your Microsoft 365 tenant. You can use it to:
The older Get-MsolUser and Get-AzureADUser cmdlets are being deprecated. Microsoft now recommends using Microsoft Graph PowerShell, where Get-MgUser serves as the new standard for retrieving user information.
Here’s why it’s worth using:
Here’s the basic syntax of the Get-MgUser cmdlet:
```powershell
Get-MgUser [-UserId <String>] [-ConsistencyLevel <String>]
```
| Parameter | Description |
|---|---|
| -UserId | Specifies the user to retrieve, using either the User ID (GUID) or UPN (email address). |
| -ConsistencyLevel | Used for advanced queries (like $count) requiring eventual consistency. |
You can also add parameters like -All, -Top, and -Filter to refine your search.
```powershell
Get-MgUser -All
```
Retrieves all users in the Microsoft 365 tenant.
```powershell
Get-MgUser -UserId "ab05dabd-d9fb-4e2e-b9e9-fb290157a12b"
```
Fetches details of a single user using their unique User ID.
```powershell
Get-MgUser -UserId "samadmin@7xh7fj.onmicrosoft.com"
```
Retrieves user details based on their User Principal Name (UPN).
```powershell
Get-MgUser -Filter "Department eq 'Sales'"
```
Returns only users who belong to the Sales department.
```powershell
Get-MgUser -All -Filter "assignedLicenses/`$count ne 0 and userType eq 'Member'" -ConsistencyLevel eventual -CountVariable Records
```
Lists all licensed users (Members only) in your organization. The backtick before $count stops PowerShell from expanding it as a variable inside the double-quoted filter string.
```powershell
Get-MgUser -All -Filter "assignedLicenses/`$count eq 0 and userType eq 'Member'" -ConsistencyLevel eventual -CountVariable Records
```
Retrieves all users without any assigned licenses.
```powershell
Get-MgUser -Top 10
```
Displays only the first 10 users.
Let’s now explore two powerful real-world automation scripts where Get-MgUser makes your daily administrative tasks much easier.
Scenario:
As an administrator, you may need to reset passwords for all users periodically — for example, after a security breach or compliance audit.
Script:
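```powershell
# Connect to Microsoft Graph
Connect-MgGraph -Scopes "User.ReadWrite.All"

# Load System.Web for GeneratePassword (Windows PowerShell 5.1; not available in PowerShell 7)
Add-Type -AssemblyName System.Web

# Fetch all users in the tenant (this includes guests and the account running the script)
$Users = Get-MgUser -All

# Loop through each user and reset password
foreach ($User in $Users) {
    # 12 characters, at least 2 of them non-alphanumeric
    $NewPassword = [System.Web.Security.Membership]::GeneratePassword(12, 2)
    $Params = @{
        PasswordProfile = @{
            ForceChangePasswordNextSignIn = $true
            Password = $NewPassword
        }
    }
    # Update user password
    Update-MgUser -UserId $User.Id -BodyParameter $Params
    # Note: this writes the plaintext password to the console and to any active transcript
    Write-Host "Password reset for: $($User.DisplayName) | New Password: $NewPassword"
}
```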
💡 Tip: Store the new passwords securely if you need to share them with users later.
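GeneratePassword lives in System.Web, which PowerShell 7 cannot load. The following is an added example, not code from the original article: a password generator built on the cryptographic RNG that runs on both Windows PowerShell 5.1 and PowerShell 7. The function name New-RandomPassword and the character sets are assumptions of this example.

```powershell
# Added example, not code from the original article. Function name is hypothetical.
function New-RandomPassword {
    param([ValidateRange(8, 128)][int]$Length = 16)

    # Look-alike characters (l, I, O, 0, 1) are left out to ease manual entry
    $sets = 'abcdefghijkmnopqrstuvwxyz', 'ABCDEFGHJKLMNPQRSTUVWXYZ', '23456789', '!@#$%^&*-_=+'
    $all  = -join $sets
    $rng  = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf  = [byte[]]::new(1)

    # Uniform integer in [0, n) for n <= 256; rejection sampling avoids modulo bias
    $next = {
        param([int]$n)
        $limit = 256 - (256 % $n)
        do { $rng.GetBytes($buf) } while ($buf[0] -ge $limit)
        $buf[0] % $n
    }

    # One character from every class, then fill up from the combined alphabet
    $chars = @(foreach ($s in $sets) { $s[(& $next $s.Length)] })
    while ($chars.Count -lt $Length) { $chars += $all[(& $next $all.Length)] }

    # Fisher-Yates shuffle so the guaranteed classes are not always at the front
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = & $next ($i + 1)
        $chars[$i], $chars[$j] = $chars[$j], $chars[$i]
    }
    $rng.Dispose()
    -join $chars
}

# Replacement for the GeneratePassword line when building the request body
$Params = @{
    PasswordProfile = @{
        ForceChangePasswordNextSignIn = $true
        Password = New-RandomPassword -Length 16
    }
}
```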
Inactive users can be a security risk. This script disables accounts that haven’t signed in for 90 days.
Script:
```powershell
# Connect to Microsoft Graph (reading SignInActivity requires AuditLog.Read.All)
Connect-MgGraph -Scopes "User.ReadWrite.All", "AuditLog.Read.All"

# Get all users with their SignInActivity property.
# Id must be requested explicitly, because -Property limits the fields that are returned.
$Users = Get-MgUser -All -Property "Id,DisplayName,UserPrincipalName,AccountEnabled,SignInActivity"

# Set threshold date (90 days ago)
$ThresholdDate = (Get-Date).AddDays(-90)

foreach ($User in $Users) {
    $LastSignIn = $User.SignInActivity.LastSignInDateTime
    # Accounts with no recorded sign-in are skipped
    if ($LastSignIn -and ([datetime]$LastSignIn -lt $ThresholdDate)) {
        $Params = @{
            AccountEnabled = $false
        }
        Update-MgUser -UserId $User.Id -BodyParameter $Params
        Write-Host "Disabled account: $($User.DisplayName) | Last Sign-In: $LastSignIn"
    }
}
```
Optional: Modify $ThresholdDate to a different number of days as needed.
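The same clean-up as a function that supports a -WhatIf dry run, skips accounts that must never be disabled, and counts non-interactive sign-ins as activity. This is an added example, not code from the original article; the function name, the report columns and the excluded UPN are placeholders, and it assumes Connect-MgGraph was already called with the User.ReadWrite.All and AuditLog.Read.All scopes.

```powershell
# Added example, not code from the original article. Function name is hypothetical.
function Disable-InactiveMgUser {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [int]$InactiveDays = 90,
        # Accounts that must never be touched (emergency access, sync accounts, ...)
        [string[]]$ExcludeUpn = @()
    )

    $threshold = (Get-Date).AddDays(-$InactiveDays)
    $users = Get-MgUser -All -Property "Id,UserPrincipalName,UserType,AccountEnabled,SignInActivity"

    foreach ($user in $users) {
        # Skip guests, accounts that are already disabled, and excluded accounts
        if ($user.UserType -ne 'Member' -or -not $user.AccountEnabled) { continue }
        if ($ExcludeUpn -contains $user.UserPrincipalName) { continue }

        # Most recent of the interactive and non-interactive sign-in times
        $lastSeen = @($user.SignInActivity.LastSignInDateTime,
                      $user.SignInActivity.LastNonInteractiveSignInDateTime) |
            Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1

        $action = 'Kept'
        if (-not $lastSeen) {
            # No sign-in on record (new account or no data): flag for manual review
            $action = 'Review'
        }
        elseif ($lastSeen -lt $threshold) {
            if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, 'Disable account')) {
                Update-MgUser -UserId $user.Id -BodyParameter @{ AccountEnabled = $false } -Confirm:$false
                $action = 'Disabled'
            }
            else { $action = 'WouldDisable' }   # -WhatIf, or the prompt was declined
        }

        [pscustomobject]@{
            UserPrincipalName = $user.UserPrincipalName
            LastSeen          = $lastSeen
            Action            = $action
        }
    }
}

# Dry run first: nothing is changed, the report shows what would happen.
# The UPN is a placeholder for your own emergency-access account.
Disable-InactiveMgUser -ExcludeUpn 'breakglass@contoso.example' -WhatIf |
    Where-Object Action -ne 'Kept' |
    Export-Csv -Path .\inactive-report.csv -NoTypeInformation
```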
The Get-MgUser cmdlet is one of the most essential tools for Microsoft 365 administrators. Whether you’re fetching user data, filtering licensed accounts, or integrating it into automation scripts, it provides unmatched flexibility and depth.
By combining Get-MgUser with other Graph cmdlets like Update-MgUser, you can automate powerful workflows such as bulk password resets and account management — saving time and enhancing security.
🚀 Pro Tip: Always test scripts on a few users before running them tenant-wide, and use -WhatIf when available to preview the impact.