@bseib
Created May 7, 2025 18:47
PowerShell function to create accounts in MS365 that have a custom (federated) domain
##
## This PowerShell function will create a federated user in Microsoft's directory, allowing
## you to create new users having your custom domain.
##
## First, I had already set up federated user ids, with SAML Auth setup on the Google Workspace
## side, and setting some things on the Microsoft Entra ID side. There is a Microsoft how-to
## document on setting this up, if you search for it.
##
## The problem was that in the MS Admin portal (https://admin.microsoft.com/Adminportal/Home?#/users)
## I could add new users, but I could not see our custom domain in the drop down list when specifying
## their new id. So this function does it directly from the PowerShell command line.
##
## Note: I had to use PowerShell v7.x. Version 5 would not work for various reasons.
##
## Prerequisites: the Microsoft.Graph module, and an existing Connect-MgGraph session
## with the User.ReadWrite.All scope (see the usage notes below).
##
function New-FederatedUser {
    param (
        [Parameter(Mandatory)]
        [string]$DisplayName,
        [Parameter(Mandatory)]
        [string]$MailNickname,
        [Parameter(Mandatory)]
        [string]$Domain
    )

    $upn = "$MailNickname@$Domain"

    # Generate a strong random password from a CSPRNG.
    # Mapping each byte onto the 84-character alphabet with a modulus is slightly
    # non-uniform, but at 64 characters the result is far beyond brute force, and
    # the password is never used for sign-in anyway (see below).
    function New-RandomPassword {
        param ([int]$Length = 64)
        $allowed = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_=+[]{}<>?'
        $bytes = New-Object byte[] $Length
        [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
        -join ($bytes | ForEach-Object { $allowed[ $_ % $allowed.Length ] })
    }
    $password = New-RandomPassword

    # Build identity object: a 'federated' sign-in identity issued by the custom domain.
    $identity = [Microsoft.Graph.PowerShell.Models.MicrosoftGraphObjectIdentity]::new()
    $identity.SignInType = "federated"
    $identity.Issuer = $Domain
    $identity.IssuerAssignedId = $MailNickname

    # Build password profile
    # The user will never use this password, since they will log in with the federated id (i.e. w/ Google).
    # So construct and assign a large random password, and don't make the user change it (to something weaker).
    $passwordProfile = [Microsoft.Graph.PowerShell.Models.MicrosoftGraphPasswordProfile]::new()
    $passwordProfile.Password = $password
    $passwordProfile.ForceChangePasswordNextSignIn = $false

    # Build user object
    $user = [Microsoft.Graph.PowerShell.Models.MicrosoftGraphUser]::new()
    $user.AccountEnabled = $true
    $user.DisplayName = $DisplayName
    $user.MailNickname = $MailNickname
    $user.UserPrincipalName = $upn
    $user.Identities = @($identity)
    $user.PasswordProfile = $passwordProfile
    $user.OnPremisesImmutableId = $upn # Required for federated users

    # Create the user via Microsoft Graph
    try {
        $created = New-MgUser -BodyParameter $user
        Write-Host "Created user: $($created.UserPrincipalName)" -ForegroundColor Green
    }
    catch {
        Write-Error "Failed to create user ${upn}: $($_.Exception.Message)"
    }
}
bseib commented May 7, 2025

Here's how to use it. Install the Microsoft Graph module:

Install-Module Microsoft.Graph -Scope CurrentUser -Force

Then log in from the command line client into the MS Portal (pops up a login window):

Connect-MgGraph -Scopes "User.ReadWrite.All", "Directory.AccessAsUser.All"

And when you log in, be sure to use an account that has Administrative privs.

Then you need to copy paste the function into your shell, or load it from a file.

Here is how you would use it to create a new user:

New-FederatedUser -DisplayName "Test E. User" -MailNickname "testuser" -Domain "yourdomain.com"

This will create a user with an id of testuser@yourdomain.com and display name of Test E. User.
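The checks below are an added example, not part of bseib's gist, that wrap the procedure above: confirm the custom domain is actually federated before calling New-FederatedUser, read the new user back to verify the federated identity and immutable id were stored, and list which users on the domain carry a federated identity. The function names Test-FederatedDomain, Confirm-FederatedUser and Get-FederatedUserReport are this example's own; Get-MgDomain, Get-MgUser and their parameters are real Microsoft.Graph cmdlets. It assumes an existing Connect-MgGraph session; reading domains needs the Domain.Read.All scope (the Directory.AccessAsUser.All scope used above also covers it for an admin).

```powershell
# Added example (not from the gist). Requires a Connect-MgGraph session.

function Test-FederatedDomain {
    param ([Parameter(Mandatory)][string]$Domain)
    # A 'federated' identity only works for sign-in when the domain itself has
    # been converted to federated authentication in Entra ID.
    try {
        $d = Get-MgDomain -DomainId $Domain -ErrorAction Stop
    }
    catch {
        Write-Error "Domain $Domain is not in this tenant: $($_.Exception.Message)"
        return $false
    }
    if (-not $d.IsVerified) {
        Write-Warning "Domain $Domain is not verified."
        return $false
    }
    if ($d.AuthenticationType -ne 'Federated') {
        Write-Warning "Domain $Domain uses $($d.AuthenticationType) authentication, not Federated."
        return $false
    }
    return $true
}

function Confirm-FederatedUser {
    param ([Parameter(Mandatory)][string]$Upn)
    # Read back exactly the properties New-FederatedUser set. Sign-in through the
    # identity provider depends on the federated identity and immutable id being present.
    $u = Get-MgUser -UserId $Upn `
        -Property UserPrincipalName,Identities,OnPremisesImmutableId,AccountEnabled `
        -ErrorAction Stop
    $fed = $u.Identities | Where-Object { $_.SignInType -eq 'federated' }
    [pscustomobject]@{
        UserPrincipalName     = $u.UserPrincipalName
        AccountEnabled        = $u.AccountEnabled
        HasFederatedIdentity  = [bool]$fed
        FederatedIssuer       = $fed.Issuer
        ImmutableIdMatchesUpn = ($u.OnPremisesImmutableId -eq $u.UserPrincipalName)
    }
}

function Get-FederatedUserReport {
    param ([Parameter(Mandatory)][string]$Domain)
    # Admin audit view: every user on the domain and whether it has a federated identity.
    # endsWith() is an advanced query, so Graph requires ConsistencyLevel=eventual and $count.
    Get-MgUser -Filter "endsWith(userPrincipalName,'@$Domain')" `
        -ConsistencyLevel eventual -CountVariable total `
        -Property UserPrincipalName,Identities,AccountEnabled -All |
        ForEach-Object {
            [pscustomobject]@{
                UserPrincipalName = $_.UserPrincipalName
                AccountEnabled    = $_.AccountEnabled
                Federated         = [bool]($_.Identities | Where-Object SignInType -eq 'federated')
            }
        }
}

# Usage (after Connect-MgGraph and after loading New-FederatedUser from the gist):
# if (Test-FederatedDomain -Domain 'yourdomain.com') {
#     New-FederatedUser -DisplayName 'Test E. User' -MailNickname 'testuser' -Domain 'yourdomain.com'
#     Confirm-FederatedUser -Upn 'testuser@yourdomain.com'
# }
# Get-FederatedUserReport -Domain 'yourdomain.com' | Format-Table
```

Running Test-FederatedDomain first avoids creating a user whose federated identity can never be used; Confirm-FederatedUser catches the case where New-MgUser succeeded but the Identities or OnPremisesImmutableId fields were dropped, which is the first thing to check when a Google sign-in for a new user fails.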
