PowerShell

暗香疏影 (author)

Microsoft 365 Azure AD/Entra ID notes

Installation and connection

Microsoft Learn - Connect to Microsoft 365

# Check that the AzureAD module is loaded (Get-Module -ListAvailable AzureAD shows whether it is installed; Install-Module AzureAD if it is not)
Get-Module AzureAD

# Connect to Azure AD
Connect-AzureAD

# Sign out
Disconnect-AzureAD

Usage

# List users (without -All $true only the first 100 users are returned)
Get-AzureADUser

# See which properties a user object exposes
Get-AzureADUser | Get-Member -MemberType Property

# Select specific properties
Get-AzureADUser | Select-Object DisplayName,UserPrincipalName,Mail,OtherMails

Bulk-replace the primary email address (UPN)

# Bulk-replace the primary email address, skipping users whose domain is already correct.
# -All $true is needed: without it Get-AzureADUser returns only the first 100 users.

Get-AzureADUser -All $true | ForEach-Object {
    $user = $_
    if ($user.UserPrincipalName.EndsWith("@aaa.com")) {
        Write-Host "Skipping user $($user.UserPrincipalName) as primary email is already aaa.com"
    } else {
        $newUPN = ($user.UserPrincipalName.Split("@")[0]) + "@aaa.com"
        # keep the old UPN as an alias address
        $newOtherMails = @($user.UserPrincipalName)
        Set-AzureADUser -ObjectId $user.ObjectId -UserPrincipalName $newUPN -OtherMails $newOtherMails
        Write-Host "Updated user $($user.UserPrincipalName) with new UPN: $newUPN"
    }
}

# If the alias email was accidentally changed to the custom-domain address as well, it can be put back like this
Get-AzureADUser -All $true | ForEach-Object {
    $user = $_
    $newOtherMails = @($user.UserPrincipalName.Replace("@aaa.com", "@xxx.onmicrosoft.com"))
    Set-AzureADUser -ObjectId $user.ObjectId -OtherMails $newOtherMails
    Write-Host "Updated user $($user.UserPrincipalName) with new OtherMails: $($newOtherMails -join ', ')"
}
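As an added example (not code from the original post), here is a dry-run-capable version of the same UPN change. It assumes Connect-AzureAD has already been run, reuses the post's placeholder domain aaa.com, and the function name Set-TenantUserUpnSuffix is my own. Beyond the post's loop it checks that the target domain is verified in the tenant, skips guest accounts, refuses to overwrite an existing UPN, supports -WhatIf through ShouldProcess, and writes an audit CSV of every change.

```powershell
# Added example, not from the original post. Assumes Connect-AzureAD has already been run.
# Set-TenantUserUpnSuffix is an assumed (made-up) function name; 'aaa.com' is the post's placeholder domain.
function Set-TenantUserUpnSuffix {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string] $NewDomain,                       # e.g. 'aaa.com'
        [string[]] $ExcludeUpn = @(),                                     # admin / break-glass accounts to leave alone
        [string] $LogPath = (Join-Path $env:TEMP "upn-change-$(Get-Date -Format yyyyMMdd-HHmmss).csv")
    )

    # Set-AzureADUser rejects any UPN whose domain is not verified in the tenant, so check once up front.
    $domain = Get-AzureADDomain -Name $NewDomain -ErrorAction SilentlyContinue
    if (-not $domain -or -not $domain.IsVerified) {
        throw "Domain '$NewDomain' is not a verified domain in this tenant."
    }

    # -All $true: without it Get-AzureADUser returns only the first 100 users.
    # Guests (UserType 'Guest') carry #EXT# UPNs and are deliberately skipped.
    $users = Get-AzureADUser -All $true |
        Where-Object { $_.UserType -eq 'Member' -and $_.UserPrincipalName -notin $ExcludeUpn }

    $results = foreach ($user in $users) {
        $oldUpn = $user.UserPrincipalName
        $localPart, $oldDomain = $oldUpn.Split('@', 2)

        if ($oldDomain -ieq $NewDomain) {
            [pscustomobject]@{ ObjectId = $user.ObjectId; OldUpn = $oldUpn; NewUpn = $oldUpn; Action = 'Skipped' }
            continue
        }
        $newUpn = "$localPart@$NewDomain"

        # Collision check: the new UPN must not already belong to another account.
        # The -Filter value is OData; single quotes inside the UPN are escaped by doubling them.
        $escaped = $newUpn.Replace("'", "''")
        if (Get-AzureADUser -Filter "userPrincipalName eq '$escaped'") {
            [pscustomobject]@{ ObjectId = $user.ObjectId; OldUpn = $oldUpn; NewUpn = $newUpn; Action = 'Conflict' }
            continue
        }

        # ShouldProcess gives the function genuine -WhatIf / -Confirm support.
        if ($PSCmdlet.ShouldProcess($oldUpn, "Change UPN to $newUpn")) {
            Set-AzureADUser -ObjectId $user.ObjectId -UserPrincipalName $newUpn -OtherMails @($oldUpn)
            $action = 'Updated'
        } else {
            $action = 'WhatIf'
        }
        [pscustomobject]@{ ObjectId = $user.ObjectId; OldUpn = $oldUpn; NewUpn = $newUpn; Action = $action }
    }

    # Keep an audit trail (old and new UPN per account) so the change can be reviewed or reversed.
    $results | Export-Csv -Path $LogPath -NoTypeInformation
    $results
}

# Dry run first, then apply (-Confirm:$false suppresses the per-user prompt):
# Set-TenantUserUpnSuffix -NewDomain 'aaa.com' -ExcludeUpn 'admin@aaa.com' -WhatIf
# Set-TenantUserUpnSuffix -NewDomain 'aaa.com' -ExcludeUpn 'admin@aaa.com' -Confirm:$false
```

Because ConfirmImpact is High, calling the function without -WhatIf prompts once per user; that is intentional for a change that touches every sign-in name in the tenant, and -Confirm:$false turns it off once the dry run looks right.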

Bulk change user passwords (Azure AD version)

AAD: change password
AD: change password
Method 1:

# This version uses Write-Host, so -WhatIf (which does not actually exist on this cmdlet) can be used to test
# whether it runs as expected: the Set-AzureADUserPassword call fails with a parameter error and changes nothing,
# while the Write-Host line still shows which user would have been touched.

Get-AzureADUser -All $true | ForEach-Object {
    $user = $_
    if ($user.UserPrincipalName.Equals("aaa@aaa.com") -or $user.UserPrincipalName.Equals("bbb@aaa.com")){
        Write-Host "Skipping user $($user.UserPrincipalName) as we don't want to change admin password"
    } else {
        $newPassword = "otpU1294"
        $securePassword = ConvertTo-SecureString -AsPlainText $newPassword -Force
        Set-AzureADUserPassword -ObjectId $user.ObjectId -Password $securePassword -WhatIf
        # interpolating a SecureString prints the type name, not the password text
        Write-Host "Updated user $($user.UserPrincipalName) with new password: $securePassword"
    }
}

Method 2:

# First, exclude the administrators
$excludeUsers = @("aaa@aaa.com", "bbb@aaa.com")

# Then run the following (-All $true so that more than the first 100 users are processed)
$users = Get-AzureADUser -All $true | Where-Object {$_.UserPrincipalName -notin $excludeUsers}

foreach ($user in $users) {
    $newPassword = "otpU1294"
    $securePassword = ConvertTo-SecureString -AsPlainText $newPassword -Force
    Set-AzureADUserPassword -ObjectId $user.ObjectId -Password $securePassword
}


# Reset a single user's password (you need their ObjectId first)
Set-AzureADUserPassword -ObjectId c365b02b-f9b6-4642-a9e2-ec83cece4b02 -Password (ConvertTo-SecureString -AsPlainText "otpU1294" -Force)
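Both methods above give every account the same hard-coded password, which means one leaked value unlocks every mailbox until users change it. As an added example (not code from the original post), the version below resets the same set of accounts but issues a distinct random password per user, forces a change at next sign-in, and writes the one-time passwords to an ACL-restricted file instead of the console. It assumes Connect-AzureAD has already been run; the function names Reset-TenantUserPasswords and New-RandomPassword are my own, and $ExcludeUpn plays the role of the post's $excludeUsers list.

```powershell
# Added example, not from the original post. Assumes Connect-AzureAD has already been run.
# Reset-TenantUserPasswords and New-RandomPassword are assumed (made-up) names.
function New-RandomPassword {
    param([int] $Length = 16)
    # Four character classes (ambiguous glyphs such as 0/O and 1/l/I left out);
    # the OS CSPRNG is used instead of Get-Random.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!@#$%^&*'
    $n = $alphabet.Length
    $limit = 256 - (256 % $n)        # rejection threshold: avoids modulo bias
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = [byte[]]::new(1)
    do {
        $chars = [char[]]::new($Length)
        for ($i = 0; $i -lt $Length; ) {
            $rng.GetBytes($buf)
            if ($buf[0] -lt $limit) { $chars[$i] = $alphabet[$buf[0] % $n]; $i++ }
        }
        $pw = -join $chars
        # Azure AD requires at least three of the four classes; re-draw if a draw misses that.
        $classes = [int]($pw -cmatch '[A-Z]') + [int]($pw -cmatch '[a-z]') +
                   [int]($pw -cmatch '[0-9]') + [int]($pw -cmatch '[^A-Za-z0-9]')
    } while ($classes -lt 3)
    $rng.Dispose()
    $pw
}

function Reset-TenantUserPasswords {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string] $OutPath,     # where the one-time passwords are written
        [string[]] $ExcludeUpn = @(),                 # admins / break-glass accounts never touched by bulk resets
        [int] $Length = 16
    )

    # -All $true: without it only the first 100 users are returned. Guests are skipped.
    $users = Get-AzureADUser -All $true |
        Where-Object { $_.UserType -eq 'Member' -and $_.UserPrincipalName -notin $ExcludeUpn }

    $issued = foreach ($user in $users) {
        if (-not $PSCmdlet.ShouldProcess($user.UserPrincipalName, 'Reset password')) { continue }
        $plain  = New-RandomPassword -Length $Length
        $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
        # One password per user, and the user must replace it at first sign-in.
        Set-AzureADUserPassword -ObjectId $user.ObjectId -Password $secure -ForceChangePasswordNextLogin $true
        [pscustomobject]@{ UserPrincipalName = $user.UserPrincipalName; TemporaryPassword = $plain }
    }

    if ($issued) {
        # Temporary passwords go to a file only the current Windows user can read; hand them out
        # through a separate channel and delete the file afterwards. Nothing is echoed to the console.
        $issued | Export-Csv -Path $OutPath -NoTypeInformation
        icacls $OutPath /inheritance:r /grant:r "${env:USERNAME}:F" | Out-Null
    }
    @($issued).Count
}

# Reset-TenantUserPasswords -OutPath 'C:\Temp\temp-passwords.csv' -ExcludeUpn 'aaa@aaa.com','bbb@aaa.com' -WhatIf
# Reset-TenantUserPasswords -OutPath 'C:\Temp\temp-passwords.csv' -ExcludeUpn 'aaa@aaa.com','bbb@aaa.com' -Confirm:$false
```

With -WhatIf no password is generated at all, so the dry run leaves no secret material behind; the real run returns only the number of accounts reset.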

Bulk-replace names by ObjectId

# Read CSV File
$csvPath = "C:\Users\AADTest\Downloads\exportUsers.csv"
$csvData = Import-Csv -Path $csvPath

# Loop Through and Update Users
foreach ($entry in $csvData) {
    # Get-AzureADUser throws for an unknown ObjectId; SilentlyContinue turns that into $null so the else branch runs
    $user = Get-AzureADUser -ObjectId $entry.ObjectId -ErrorAction SilentlyContinue

    if ($null -ne $user) {
        # Set-AzureADUser returns nothing, so report the values from the CSV row rather than its (empty) output
        Set-AzureADUser -ObjectId $user.ObjectId -GivenName $entry.givenName -Surname $entry.surname

        Write-Host "Updated user $($user.UserPrincipalName) with new first name $($entry.givenName) and last name $($entry.surname)."
    } else {
        Write-Host "User with ObjectID $($entry.ObjectId) not found."
    }
}

Bulk-replace email addresses by name

$csvPath = "C:\Users\AADTest\Downloads\exportUsers.csv"
$csvData = Import-Csv -Path $csvPath
foreach ($row in $csvData) {
    $objectId = $row.ObjectId

    $user = Get-AzureADUser -ObjectId $objectId -ErrorAction SilentlyContinue
    if ($user) {
        # build firstname.lastname@aaa.com from the directory's GivenName and Surname
        $newUPN = $user.GivenName + "." + $user.Surname + "@aaa.com"
        $newDisplayName = $user.GivenName + " " + $user.Surname
        # keep the tenant default domain as the alias address
        $newOtherMails = @($newUPN.Replace("@aaa.com", "@xxx.onmicrosoft.com"))
        Set-AzureADUser -ObjectId $user.ObjectId -UserPrincipalName $newUPN -DisplayName $newDisplayName -OtherMails $newOtherMails
        Write-Host "User with ObjectID $objectId updated to $newUPN, $newDisplayName and $($newOtherMails -join ', ')"
    } else {
        Write-Host "User with ObjectID $objectId not found."
    }
}
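The two CSV-driven loops above (names by ObjectId, and email addresses by name) trust whatever is in the spreadsheet: a missing column silently blanks an attribute, a malformed ObjectId produces an error mid-run, and a duplicated row makes two updates fight over one account. As an added example (not code from the original post), this check validates the file before either loop runs. Test-UserImportCsv is my own name; the column layout (ObjectId, givenName, surname) is the one the post's scripts read.

```powershell
# Added example, not from the original post. Test-UserImportCsv is an assumed (made-up) name;
# the CSV layout (ObjectId, givenName, surname) is the one the post's scripts read.
function Test-UserImportCsv {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $RequiredColumns = @('ObjectId', 'givenName', 'surname')
    )
    $rows = Import-Csv -Path $Path
    $problems = [System.Collections.Generic.List[string]]::new()

    # 1. Every required column must exist. Import-Csv yields $null for a missing column, and passing
    #    $null to Set-AzureADUser -GivenName/-Surname would wipe the attribute on every account.
    $first = $rows | Select-Object -First 1
    $have = if ($first) { $first.PSObject.Properties.Name } else { @() }
    foreach ($col in $RequiredColumns) {
        if ($col -notin $have) { $problems.Add("missing column '$col'") }
    }

    $seen = @{}
    $line = 1                       # header is line 1
    foreach ($row in $rows) {
        $line++
        # 2. ObjectId must be a GUID; anything else is a typo or a stray cell, not a directory object.
        $guid = [guid]::Empty
        if (-not [guid]::TryParse([string]$row.ObjectId, [ref] $guid)) {
            $problems.Add("line ${line}: ObjectId '$($row.ObjectId)' is not a GUID")
        } elseif ($seen.ContainsKey($guid)) {
            # 3. A duplicated ObjectId means two rows would update the same account in turn.
            $problems.Add("line ${line}: duplicate ObjectId $guid (first seen on line $($seen[$guid]))")
        } else {
            $seen[$guid] = $line
        }
        # 4. Names must be present and (conservatively) limited to characters valid in a UPN local part,
        #    because the post builds the UPN as givenName.surname@domain.
        foreach ($col in 'givenName', 'surname') {
            $v = [string]$row.$col
            if ([string]::IsNullOrWhiteSpace($v)) {
                $problems.Add("line ${line}: empty $col")
            } elseif ($v -notmatch '^[A-Za-z0-9._-]+$') {
                $problems.Add("line ${line}: $col '$v' contains characters not allowed in a UPN")
            }
        }
    }

    [pscustomobject]@{
        Rows     = @($rows).Count
        Valid    = ($problems.Count -eq 0)
        Problems = $problems.ToArray()
    }
}

# $check = Test-UserImportCsv -Path 'C:\Users\AADTest\Downloads\exportUsers.csv'
# if (-not $check.Valid) { $check.Problems; throw 'Fix the CSV before running the update loop.' }
```

Run it once, fix every reported line, and only then start the update loop; the loop itself never needs to handle half-valid input.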

AD usage

Export AD users to Excel (CSV)

# Export selected attributes of every AD user to a CSV file
Get-ADUser -Filter * | Select-Object DistinguishedName, Name,GivenName,Surname, UserPrincipalName, employeeID | Export-Csv -Path C:\Users\Administrator\Documents\users.csv -NoTypeInformation

# List all AD user attributes
Get-ADUser -Filter * -Properties * | Get-Member -MemberType Property | Select-Object Name

# List AD users
Get-ADUser -Filter * | Select-Object DistinguishedName, Name,GivenName,Surname, UserPrincipalName, employeeID

AD DisplayName best practices

Small company (500-1000 people):
First Name + Last Name + Group/BU/Department
e.g. Eleanor Harrison [Vendor], Emily Johnson [Staff] ...

Multi-region company (1000+ people):
Preferred English Name + Last Name + First Name Initial + Site + Department, or
Last Name + , + Preferred English Name + First Name Initial + Site + Department
e.g. Li, Elaine X.Y. (HZ/HR)
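A convention only helps if accounts actually follow it, since the display name is what people see in email and Teams when they decide whether to trust a message. As an added example (not code from the original post), this audit lists AD accounts whose DisplayName deviates from the small-company form "First Name Last Name [Group]", taking the bracket tag from the Department attribute (my assumption; any attribute can be substituted). It changes nothing; Get-DisplayNameDrift is my own name.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module.
# Get-DisplayNameDrift is an assumed (made-up) name; using Department as the bracket tag is an assumption.
function Get-DisplayNameDrift {
    param(
        [string] $SearchBase,                   # optional OU to limit the query
        [string] $TagAttribute = 'Department'
    )
    $params = @{
        Filter     = 'Enabled -eq $true'
        Properties = 'GivenName', 'Surname', 'DisplayName', $TagAttribute
    }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    Get-ADUser @params | ForEach-Object {
        $tag = $_.$TagAttribute
        # Expected form: "First Last [Group]"; accounts without a group tag get plain "First Last".
        $expected = if ($tag) { "$($_.GivenName) $($_.Surname) [$tag]" } else { "$($_.GivenName) $($_.Surname)" }
        # Case-sensitive compare: "eleanor harrison [vendor]" is drift too.
        if ($_.DisplayName -cne $expected) {
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                Current        = $_.DisplayName
                Expected       = $expected
            }
        }
    }
}

# Get-DisplayNameDrift -SearchBase 'OU=Staff,DC=corp,DC=example' |
#     Export-Csv -Path .\displayname-drift.csv -NoTypeInformation
```

Review the CSV before correcting anything: a deviation is sometimes a deliberate exception (shared mailboxes, service accounts) rather than a mistake.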

Search file contents within a folder

Sometimes we want to search the contents of the files in a folder so as to find the right file directly. On Linux this is easy with grep; how do we do it on Windows?

Find the containing folder directly:

Get-ChildItem -Recurse -File -Path 'D:\abc\defg' |
    Select-String -Pattern 'Search This Content' -CaseSensitive:$false -List |
    Split-Path -Parent |
    Sort-Object -Unique
  • Title: PowerShell
  • Author: 暗香疏影
  • Created: 2015-10-01 00:00:00
  • Updated: 2023-08-20 00:00:00
  • Link: https://blog.pptcar.com/2015/10/01/Wiki-Guide/2015-10-01-powershell/
  • License: This article is licensed under CC BY-NC-SA 4.0.