Home
PowerShell
Get-MgUserOwnedObject

How to get Microsoft Entra ID user-owned objects using Get-MgUserOwnedObject

Getting Microsoft Entra ID user-owned objects

An admin needs to see the directory objects owned by a user in Microsoft Entra ID to monitor and manage access to critical resources, ensuring that users do not retain ownership of sensitive groups, applications, or service principals after role changes. This helps prevent security risks, such as unauthorized privilege escalation or orphaned objects that could impact compliance and governance.

Get Microsoft Entra ID user-owned objects using Microsoft Graph PowerShell

Prerequisites

Before using the Get-MgUserOwnedObject cmdlet, ensure the following:

The Microsoft Graph PowerShell module is installed. If not, install it using this script:
Install-Module Microsoft.Graph -Scope CurrentUser
Connect to Microsoft Graph PowerShell with the required permissions (least privileged) to fetch Microsoft Entra ID user-owned objects.
Connect-MgGraph -Scopes "User.Read.All"

Using the Get-MgUserOwnedObject command to get Microsoft Entra ID user-owned objects

The Get-MgUserOwnedObject cmdlet can be used in Microsoft Graph PowerShell to fetch Microsoft Entra ID user-owned objects. Here's the syntax:


                                    Get-MgUserOwnedObject 

                                    -UserId <String> 

                                    [-ExpandProperty <String[]>] 

                                    [-Property <String[]>] 

                                    [-Filter <String>] 

                                    [-Search <String>] 

                                    [-Skip <Int32>] 

                                    [-Sort <String[]>] 

                                    [-Top <Int32>] 

                                    [-ConsistencyLevel <String>] 

                                    [-ResponseHeadersVariable <String>] 

                                    [-Headers <IDictionary>] 

                                    [-PageSize <Int32>] 

                                    [-All] 

                                    [-CountVariable <String>] 

                                    [-ProgressAction <ActionPreference>] 

                                    [<CommonParameters>]

An example use case using the Get-MgUserOwnedObject cmdlet

Example 1: List the objects owned by a particular user


                                    Get-MgUserOwnedObject -UserId <"user_id"> $userId

In this command, replace user_id with the user's ID for whom you would like to list the user-owned objects.

Supported parameters

The following table contains some parameters that can be used along with the Get-MgUserOwnedObject command to fetch Microsoft Entra ID user-owned objects efficiently.

Parameters	Description
-All	This parameter retrieves all user-owned objects without default pagination limits.
-Filter	This parameter filters user-owned objects based on attributes and values.
-UserId	This parameter retrieves user-owned objects based on their unique identifiers, such as user principal name or object ID.
-Property	This parameter retrieves specific attributes of user-owned objects.
-ConsistencyLevel	This enables advanced query capabilities for improved performance.

Limitations of using Graph PowerShell scripts to get Microsoft Entra ID user-owned objects

Graph PowerShell requires IT admins to upgrade from Azure AD PowerShell and have familiarity with PowerShell scripting.
The Microsoft Graph API imposes throttling limits, which may affect performance when fetching user-owned objects in bulk.
The scripts may require extra effort to format and export data for reporting purposes.
It demands technical expertise to troubleshoot errors.
The lack of an intuitive interface makes the overall experience less user-friendly, particularly for those new to scripting.

Highlights of using ADManager Plus

Bid adieu to complicated PowerShell scripts with ADManager Plus. ManageEngine ADManager Plus is a identity governance and administration tool with powerful Microsoft 365 management and reporting capabilities that can help you perform complicated, administrative tasks from a single, user-friendly console.

ADManager Plus comes with an intuitive interface that streamlines the report generation process.
It offers comprehensive, customizable reports with options to schedule and automate report generation.
It supports on-the-fly management actions to manage users instantly.
It is optimized for large-scale environments and does not require any scripts for bulk operations.
Delegate tasks to technicians without elevating their native privileges.
Keep a watchful eye on your IT environment with more than 200 prepackaged reports.
It allows reports to be exported in various formats, such as CSV or HTML, in a few clicks.

Say goodbye to PowerShell hassles and manage Entra ID with ease using ADManager Plus.

Try it now for free

Fetch Microsoft Entra ID user-owned objects using ADManager Plus
Get Microsoft Entra ID user-owned objects using Microsoft Graph PowerShell
Limitations of using Graph PowerShell scripts to get Microsoft Entra ID user-owned objects
Highlights of using ADManager Plus to get Microsoft Entra ID user-owned objects

Related features:

Related Powershell Guides: