What's new in Microsoft Entra PowerShell

What's new in docs

November 2025

New articles

• Install Microsoft Entra PowerShell offline - Learn how to install the Microsoft Entra PowerShell module in offline environments by using nupkg files and a local repository.
• Manage administrative units - Learn how to manage administrative units for granular delegation of permissions in Microsoft Entra ID.
• Manage Microsoft MCP Server for Enterprise permissions - Learn how to grant and revoke delegated permissions for MCP clients to access enterprise resources through Microsoft MCP Server.

June 2025

New articles

• Generate a password expiration report using Microsoft Entra PowerShell - Learn how to generate and export a report of users with expired or soon-to-expire passwords.
• Manage per-user MFA settings in Microsoft Entra ID - Learn how to configure and manage multi-factor authentication settings for individual users.
• View and export apps with expiring secrets and certificates - Learn how to identify and export a list of applications with secrets or certificates that are about to expire.
• View and export delegated permissions for users and service principals - Learn how to identify and export delegated permissions assigned to users and service principals.

Updated articles

• Manage guest accounts using Microsoft Entra PowerShell - Add examples for managing guest sponsors.

April 2025

New articles

• Offboard users - Learn how to offboard users by invalidating sessions, resetting passwords, and removing device ownership.

Updated articles

• Manage guest users - Refined code snippets to improve readability and ensure alignment with best practices.
• Manage users - Refined code snippets to improve readability and ensure alignment with best practices.
• Manage user licenses using Microsoft Entra PowerShell - Improved metadata and keywords for better search engine visibility.

Latest (recommended) version

• Version 1.2.0 - January 2026

  • Features:

    • Migrated the Agent ID cmdlet set from Microsoft Identity Tools PowerShell module into Microsoft Entra Powershell, delivering a production-ready implementation for managing Agent identity blueprints and Agent identities in Microsoft Entra ID.

  • New Commands:

    • Add-EntraBetaClientSecretToAgentIdentityBlueprint: Adds a 90-day client secret to a blueprint with retry logic.
    • Add-EntraBetaInheritablePermissionsToAgentIdentityBlueprint: Configures Microsoft Graph permissions and consent flows.
    • Add-EntraBetaPermissionsToInheritToAgentIdentityBlueprintPrincipal: Opens admin consent page in browser for Agent Identity Blueprint Principal to inherit permissions.
    • Add-EntraBetaPermissionToCreateAgentUsersToAgentIdentityBlueprintPrincipal: Grants permission to create Agent Users to the Agent Identity Blueprint Principal.
    • Add-EntraBetaRedirectURIToAgentIdentityBlueprint: Adds web redirect URIs for authentication callbacks.
    • Add-EntraBetaScopeToAgentIdentityBlueprint: Adds OAuth2 permission scopes to a blueprint.
    • Get-EntraBetaAgentIdentity: Gets an Agent Identity by its ID.
    • Get-EntraBetaAgentIdentityToken: Acquires tokens for multiple authentication modes (app-only, OBO, user).
    • Invoke-EntraBetaAgentIdInteractive: Launches an interactive wizard for Agent ID setup.
    • New-EntraBetaAgentIdentityBlueprint: Creates a new Agent Identity Blueprint with sponsors and owners.
    • New-EntraBetaAgentIdentityBlueprintPrincipal: Creates a service principal for the Agent Identity Blueprint.
    • New-EntraBetaAgentIDForAgentIdentityBlueprint: Creates agent identities under a blueprint using stored credentials.
    • New-EntraBetaAgentIDUserForAgentId: Creates agent users with auto-generated UPN and mailNickname.

  • Bug Fixes:

    • Enabled support for the -PreAuthorizedApplications parameter in the Set-EntraBetaApplication cmdlet, enabling users to configure pre-authorized applications for an Entra application.
    • Updated the InvitedUser and InvitedUserMessageInfo parameter types. New-EntraBetaInvitation commands now use interfaces from Microsoft.Graph.Beta.PowerShell.Models, while New-EntraInvitation commands use interfaces from Microsoft.Graph.PowerShell.Models.

Module version history

Version 1.1.0 - December 2025

• Features:

  • Removed version pinning of Microsoft Graph PowerShell modules from version 2.25.0 to allow users to use the latest version of the module without any version restriction.
  • Added sample scripts on how to apply batch operations in Graph API calls for performance improvement on operations involving a lot of API calls.

• New Parameters:

  • Get-EntraDevice & Get-EntraBetaDevice:
    • Added -LogonTimeBefore parameter to filter devices with last sign-in before a specified date.
    • Added -Stale parameter to filter devices that haven't signed in for 2 months or more.
    • Added -NonCompliant parameter to filter devices that are not compliant with organizational policies.
    • Added -IsManaged parameter to filter devices based on whether they are managed by a Mobile Device Management (MDM) solution.
    • Added -JoinType parameter to filter devices by join type: MicrosoftEntraJoined, MicrosoftEntraHybridJoined, or MicrosoftEntraRegistered.
  • Get-EntraServicePrincipal & Get-EntraBetaServicePrincipal:
    • Added -AssignmentRequired parameter to filter by whether user assignment is required to access the application. When set to $true, returns only service principals where user assignment is required. When set to $false, returns only service principals where user assignment is not required.
    • Added -ApplicationType parameter to filter by application type such as: AppProxyApps, EnterpriseApps, ManagedIdentity and MicrosoftApps.

• Bug Fixes:

  • Fixed an issue where Microsoft.Entra.Beta.Applications module was experiencing a parsing issue in PowerShell 5.1.

Version 1.0.13 - November 2025

• New Commands:

  • Grant-EntraBetaMcpServerPermission: Grants delegated permissions to Model Context Protocol (MCP) clients for accessing the Microsoft MCP Server for Enterprise.
  • Revoke-EntraBetaMcpServerPermission: Revokes delegated permissions from a specified client for Microsoft MCP Server for Enterprise in Microsoft Entra ID.

• New Parameters:

  • Get-EntraContact & Get-EntraBetaContact:
    • Added -HasErrorsOnly parameter to return only contacts with service provisioning errors.
  • Get-EntraGroup & Get-EntraBetaGroup:
    • Added -HasErrorsOnly parameter to return only groups that have service provisioning errors.
    • Added -HasLicenseErrorsOnly parameter to return only groups that have members with license errors.
  • Get-EntraUser & Get-EntraBetaUser:
    • Added -EnabledFilter parameter which filters users based on the state of their accounts. Valid values are EnabledOnly and DisabledOnly.
    • Added -HasErrorsOnly parameter which returns only users that have one or more service provisioning or validation errors (surfaced via the serviceProvisioningErrors collection).
    • Added -LicenseReconciliationNeededOnly parameter which returns only users whose service provisioning errors include license-related issues indicating that license reconciliation is needed (for example, insufficient licenses, dependency violations, mutually exclusive plans).
    • Added -Synchronized parameter which returns only users synchronized from on-premises Active Directory (those with onPremisesSyncEnabled eq true). This is useful for distinguishing cloud-only identities from hybrid managed identities.
    • Added -UnlicensedUsersOnly parameter which returns only users who have no assigned licenses.

• Bug Fixes:

  • Fixed Get-EntraUser issue where handling of guest UPNs was corrected to properly escape/quote special characters so that user@external#EXT#@tenant.onmicrosoft.com no longer triggers "unterminated string literal" errors.
  • Set-EntraUserManager -ManagerId parameter type corrected from Guid to String, enabling UPN (and not just objectId) for the manager reference.

Version 1.0.12 - September 2025

• Bug Fixes:

  • Moved Get-EntraUnsupportedCommand to the root modules - Microsoft.Entra and Microsoft.Entra.Beta - and removed it from sub-modules to align with its usage in Enable-EntraAzureADAlias. PR #1543
  • Enabled Enable-EntraAzureADAlias cmdlet in the beta module. PR #1542

• Cmdlet Enhancements:

  • Added the -AppendSelected parameter to high usage cmdlets in applications, users, and groups sub-modules. PR #1518
  • Implemented authentication checks across all cmdlets to indicate the correct permissions in case of a failed connection using Connect-Entra.
  • Updated the -Features parameter under Set-EntraDirSyncFeature command to allow processing of multiple features at once. PR #1527
  • Extended the Get-EntraUser command to include -PageSize parameter. PR #1526