Manage SSO for Microsoft using PowerShell

This guide explains how to configure or remove Microsoft SSO using PowerShell commands, and how to synchronize users between Entra ID and your local Active Directory. It provides an alternative to the graphical UserLock SSO Assistant, ideal for automated or scripted deployments.

Published October 17, 2025

Note

If this is your first time configuring SSO for Microsoft, consult Standard configuration for Microsoft first.

Overview

Administrators can manually federate or defederate Entra ID domains using the Microsoft Entra PowerShell modules.
They can also manage users to create or synchronize Entra ID accounts with their local Active Directory.

This approach is ideal for automation, remote configurations, or troubleshooting situations where the graphical interface is unavailable.

Note

PowerShell operations directly modify Entra ID federation settings.
Always verify all values before applying them.

Prerequisites

  • ✅️ PowerShell 5.1 or later.

  • ✅️ The Microsoft.Graph PowerShell module installed.

  • ✅️ Global Admin credentials in your Entra ID tenant.

  • ✅️ Connectivity to Entra ID endpoints.

  • ✅️ A verified domain in Entra ID.

Connect to the Graph API

Before running any command, you will always need to connect to Microsoft Graph with the required permissions.

  1. Open a PowerShell terminal.

  2. Connect to Microsoft Graph:

    ```powershell
    Connect-MgGraph -Scopes "Domain.ReadWrite.All User.ReadWrite.All Directory.ReadWrite.All Directory.AccessAsUser.All"
    ```

  3. When prompted, sign in with your Entra ID Global Administrator account.

  4. If you manage multiple tenants, retrieve and verify the current context:

    ```powershell
    $context = Get-MgContext; $context
    ```

  5. Connect specifically to this tenant:

    ```powershell
    Connect-MgGraph -NoWelcome -TenantId $context.TenantId -Scopes "Domain.ReadWrite.All User.ReadWrite.All Directory.ReadWrite.All Directory.AccessAsUser.All"
    ```

Domain Management

  1. Connect to the Graph API.

  2. Check the authentication method of your domain:

    ```powershell
    Get-MgDomain -DomainId yourdomain.com
    ```

  3. If the domain is federated, review its federation configuration:

    ```powershell
    Get-MgDomainFederationConfiguration -DomainId yourdomain.com
    ```

Federate a domain with UserLock SSO

  1. Connect to the Graph API.

  2. Retrieve the UserLock SSO signing certificate and save it in a PowerShell variable:

    ```powershell
    $response = Invoke-RestMethod -Uri "https://<userlock_sso>/api/infos/certificate" -Method GET
    $certData = $response.currentCertificate.rawCertificate
    ```

  3. Federate your domain with UserLock SSO:

    ```powershell
    New-MgDomainFederationConfiguration `
      -DomainId yourdomain.com `
      -IssuerUri "https://<userlock_sso>/.domain.com" `
      -PassiveSignInUri "https://<userlock_sso>/saml/sso" `
      -SignOutUri "https://<userlock_sso>/connect/endsession" `
      -SigningCertificate $certData `
      -FederatedIdpMfaBehavior "acceptIfMfaDoneByFederatedIdp" `
      -IsSignedAuthenticationRequestRequired `
      -PreferredAuthenticationProtocol saml
    ```
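Because these commands rewrite the tenant's federation settings, it is worth verifying the result rather than reading long base64 strings by eye. The following script is an added example (not part of the UserLock documentation): it fetches the certificate currently published by the UserLock SSO server, reads the domain's federation configuration back from Entra ID, and compares thumbprints, expiry, endpoint and protocol. It assumes Connect-MgGraph has already run, that `rawCertificate` is the base64 DER form the procedure above passes to `-SigningCertificate`, and that the two placeholders are replaced.

```powershell
# Added verification script (hypothetical, not UserLock's own code).
# Replace the placeholders before running; assumes Connect-MgGraph has run.
$domain  = 'yourdomain.com'
$ssoHost = '<userlock_sso>'

# Certificate currently published by UserLock SSO (same endpoint as the procedure)
$response = Invoke-RestMethod -Uri "https://$ssoHost/api/infos/certificate" -Method GET
$certData = $response.currentCertificate.rawCertificate   # assumed base64 DER
$ssoCert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
    [Convert]::FromBase64String($certData))

# Current state of the domain in Entra ID
$mgDomain = Get-MgDomain -DomainId $domain
if ($mgDomain.AuthenticationType -ne 'Federated') {
    Write-Warning "$domain is '$($mgDomain.AuthenticationType)', not Federated."
    return
}

$fed     = Get-MgDomainFederationConfiguration -DomainId $domain
$fedCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
    [Convert]::FromBase64String($fed.SigningCertificate))

# Compare thumbprints and endpoints instead of eyeballing base64 blobs
$checks = [ordered]@{
    'Signing cert thumbprint matches UserLock' = ($fedCert.Thumbprint -eq $ssoCert.Thumbprint)
    'Signing cert not expired'                 = ($fedCert.NotAfter -gt (Get-Date))
    'PassiveSignInUri points at UserLock'      = ($fed.PassiveSignInUri -like "https://$ssoHost/*")
    'SignOutUri points at UserLock'            = ($fed.SignOutUri -like "https://$ssoHost/*")
    'Preferred protocol is SAML'               = ($fed.PreferredAuthenticationProtocol -eq 'saml')
    'Signed AuthnRequest required'             = ($fed.IsSignedAuthenticationRequestRequired -eq $true)
}

# Print one OK/FAIL line per check
foreach ($check in $checks.GetEnumerator()) {
    $status = if ($check.Value) { 'OK  ' } else { 'FAIL' }
    "$status $($check.Key)"
}
```

Any FAIL line means the configuration in Entra ID no longer matches what UserLock SSO publishes (for example after a certificate rotation) and the federation step should be re-run.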

Canceling domain federation

To revert your domain to managed authentication, execute the following command:

```powershell
Update-MgDomain -DomainId yourdomain.com -AuthenticationType Managed
```

Manage users

First, connect to the Graph API.

Display user information

```powershell
Get-MgUser -UserId user@domain.com -Property "Mail, DisplayName, GivenName, Surname, UserPrincipalName, OnPremisesImmutableId" |
    Select-Object Mail, DisplayName, GivenName, Surname, UserPrincipalName, OnPremisesImmutableId
```

Synchronize a new user

Note

This method is only meant to be used if you encounter issues with the UserLock SSO Assistant and Microsoft Entra solutions.

  1. Create the user in the tenant's default domain (xxx.onmicrosoft.com), replacing the placeholder values in this script:

    ```powershell
    # ImmutableId = base64 of the on-premises AD ObjectGUID
    $immutableId = [Convert]::ToBase64String((Get-ADUser -Identity <samAccountName> | Select-Object -ExpandProperty ObjectGUID).ToByteArray())
    # Hashtable entries on one line must be separated by ';'
    $PasswordProfile = @{ Password = 'MySuperStrongPassword'; ForceChangePasswordNextSignIn = $false }
    New-MgUser -UserPrincipalName newuser@office365domain.onmicrosoft.com -DisplayName '<Firstname> <Lastname>' -OnPremisesImmutableId $immutableId -PasswordProfile $PasswordProfile -AccountEnabled -MailNickname <Nickname>
    ```

  2. Move the user to the federated domain:

    ```powershell
    Update-MgUser -UserId newuser@office365domain.onmicrosoft.com -UserPrincipalName newuser@domain.com
    ```

Synchronize an existing user

  1. Move the user to the default domain:

    ```powershell
    Update-MgUser -UserId newuser@domain.com -UserPrincipalName newuser@office365domain.onmicrosoft.com
    ```

  2. Add the ImmutableId value:

    ```powershell
    # ImmutableId = base64 of the on-premises AD ObjectGUID
    $immutableId = [Convert]::ToBase64String((Get-ADUser -Identity <samAccountName> | Select-Object -ExpandProperty ObjectGUID).ToByteArray())
    Update-MgUser -UserId newuser@office365domain.onmicrosoft.com -OnPremisesImmutableId $immutableId
    ```

  3. Move the user back to the federated domain:

    ```powershell
    Update-MgUser -UserId newuser@office365domain.onmicrosoft.com -UserPrincipalName newuser@domain.com
    ```
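Both synchronization procedures above link an Entra ID account to its on-premises AD object through the ImmutableId. The function below is an added example (not part of the UserLock documentation) that checks whether that link is in place for a given user by recomputing the value from the AD ObjectGUID and comparing it with what Entra ID holds. It assumes Connect-MgGraph has run, the ActiveDirectory module is available, and the function name and placeholders are the author's own choices.

```powershell
# Added check (hypothetical helper, not UserLock's own code).
# Assumes Connect-MgGraph has run and the ActiveDirectory module is loaded.
function Test-UserLockImmutableId {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,    # on-premises AD account
        [Parameter(Mandatory)] [string] $UserPrincipalName  # Entra ID UPN to check
    )

    # Same derivation the procedure uses: base64 of the AD ObjectGUID bytes
    $adUser   = Get-ADUser -Identity $SamAccountName
    $expected = [Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())

    # Value currently stored in Entra ID for this account
    $mgUser = Get-MgUser -UserId $UserPrincipalName -Property 'UserPrincipalName', 'OnPremisesImmutableId'
    $actual = $mgUser.OnPremisesImmutableId

    # Empty: never linked. Mismatch: linked to a different AD object.
    if (-not $actual) {
        $state = 'NotLinked'
    } elseif ($actual -eq $expected) {
        $state = 'InSync'
    } else {
        $state = 'Mismatch'
    }

    [pscustomobject]@{
        SamAccountName      = $SamAccountName
        UserPrincipalName   = $mgUser.UserPrincipalName
        ExpectedImmutableId = $expected
        ActualImmutableId   = $actual
        State               = $state
    }
}

# Usage with the placeholders from the procedure above
Test-UserLockImmutableId -SamAccountName '<samAccountName>' -UserPrincipalName 'newuser@domain.com'
```

Run it after step 3 of either procedure; a result other than `InSync` means the ImmutableId step should be repeated for that account.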