In the past, I used LDIFDE or CSVDE to export Active Directory information. For Entra ID, there’s EntraExporter from Merill Fernando 🙂 In this blog post, I will show you how it works.
What is EntraExporter?
“The Entra Exporter is a PowerShell module that allows you to export your Entra and Azure AD B2C configuration settings to local .json files.
This module can be run as a nightly scheduled task or a DevOps component (Azure DevOps, GitHub, Jenkins) and the exported files can be version controlled in Git or SharePoint.
This will provide tenant administrators with a historical view of all the settings in the tenant including the change history over the years.”
Source: https://github.com/microsoft/entraexporter?tab=readme-ov-file#entra-exporter
How does it work?
Installation
You can install the module using:
Install-Module EntraExporter
Or, if you have PSResourceGet available, you can use:
Install-PSResource EntraExporter
After installation, you will have the Cmdlets available:
Cmdlets and Parameters
Connect-EntraExporter
This Cmdlet allows you to connect to Microsoft Graph with all the necessary Scopes. Alternatively, you can connect to Microsoft Graph and Azure yourself by using:
Connect-AzAccount
Connect-MgGraph -Scopes 'Directory.Read.All',
'Policy.Read.All',
'IdentityProvider.Read.All',
'Organization.Read.All',
'User.Read.All',
'EntitlementManagement.Read.All',
'UserAuthenticationMethod.Read.All',
'IdentityUserFlow.Read.All',
'APIConnectors.Read.All',
'AccessReview.Read.All',
'Agreement.Read.All',
'Policy.Read.PermissionGrant',
'RoleEligibilitySchedule.Read.Directory',
'PrivilegedEligibilitySchedule.Read.AzureADGroup',
'Application.Read.All',
'OnPremDirectorySynchronization.Read.All',
'Teamwork.Read.All',
'TeamworkAppSettings.ReadWrite.All',
'SharepointTenantSettings.Read.All',
'Reports.Read.All',
'RoleManagement.Read.All',
'AuditLog.Read.All'
The Connect-EntraExporter has a set of Parameters that you can use. The -Type Parameter allows you to export a specific type, such as Applications, Domains, Teams, etc.
NAME
Connect-EntraExporter
SYNOPSIS
Authenticate against Graph Api and/or Azure using delegated permissions (as user).
SYNTAX
Connect-EntraExporter [-TenantId <String>] [-Environment <String>] [-Type {AccessPolicies | AccessReviews | AdministrativeUnits | All | Applications | AppProxy | B2B | B2C | CloudPCRoles | ConditionalAcce
ss | Config | Devices | Directory | DirectoryRoles | Domains | EntitlementManagement | EntitlementManagementRoles | ExchangeRoles | Governance | Groups | IAM | Identity | IntuneRoles | Organization | PIM
| PIMDirectoryRoles | PIMGroups | PIMResources | Policies | Reports | RoleManagement | Roles | ServicePrincipals | Sharepoint | SKUs | Teams | Users | UsersRegisteredByFeatureReport}] [-ExportSchema <Obje
ct>] [<CommonParameters>]
Connect-EntraExporter [-TenantId <String>] [-Environment <String>] -All [-ExportSchema <Object>] [<CommonParameters>]
DESCRIPTION
Authenticate against Graph Api and/or Azure using delegated permissions (as user).
To authenticate using a certificate or client secret, use Connect-MgGraph or Connect-AzAccount directly.
PARAMETERS
-TenantId <String>
Required? false
Position? named
Default value common
Accept pipeline input? false
Aliases
Accept wildcard characters? false
-Environment <String>
Required? false
Position? named
Default value Global
Accept pipeline input? false
Aliases
Accept wildcard characters? false
-Type
Required? false
Position? named
Default value Config
Accept pipeline input? false
Aliases
Accept wildcard characters? false
-All [<SwitchParameter>]
Perform a full export of all available configuration item types.
Required? true
Position? named
Default value False
Accept pipeline input? false
Aliases
Accept wildcard characters? false
-ExportSchema <Object>
Specifies the schema to use for the export. If not specified, the default schema will be used.
Required? false
Position? named
Default value
Accept pipeline input? false
Aliases
Accept wildcard characters? false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information, see
about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
INPUTS
OUTPUTS
-------------------------- EXAMPLE 1 --------------------------
PS C:\>Connect-EntraExporter
Connect to home tenant of authenticated user.
-------------------------- EXAMPLE 2 --------------------------
PS C:\>Connect-EntraExporter -TenantId 3043-343434-343434 -Type Users, Groups, Devices
Connect to a specific Tenant. Correct delegated Graph scopes will be automatically requested based on the types specified.
Note: It will prompt for permissions, if needed, which you can consent to as an admin, leaving the “Consent on behalf of your organisation” checkbox deselected: (Screenshot below is when using the -All Parameter, it depends on the selected Types, of course)
Export-Entra
Using this Cmdlet, you can export the Types that you specify, like Applications, Users, etc., to a folder on your system. In the screenshot below, I started an export of all types to C:\Temp\EntraExport. (You will need to be connected to Microsoft Graph, use Connect-EntraExporter and Connect-AzAccount (Or Connect-MgGraph/Connect-AzAccount first))
When done (This may take a while depending on your environment size, of course), you will have a folder that will look like the screenshot below, containing JSON files for each item you exported.
Example of one of the JSON files (From my powershellisfun.com domain):
The Export-Entra Cmdlet has a set of Parameters. You can use the -Type Parameter here, too, to specify a specific thing that you want exported:
NAME
Export-Entra
SYNOPSIS
Exports Entra's configuration and settings for a tenant.
SYNTAX
Export-Entra [-Path] <String> [-Type {AccessPolicies | AccessReviews | AdministrativeUnits | All | Applications | AppProxy | B2B | B2C | CloudPCRoles | ConditionalAccess | Config | Devices | Directory | D
irectoryRoles | Domains | EntitlementManagement | EntitlementManagementRoles | ExchangeRoles | Governance | Groups | IAM | Identity | IntuneRoles | Organization | PIM | PIMDirectoryRoles | PIMGroups | PIM
Resources | Policies | Reports | RoleManagement | Roles | ServicePrincipals | Sharepoint | SKUs | Teams | Users | UsersRegisteredByFeatureReport}] [-CloudUsersAndGroupsOnly] [-ExportSchema <Object>] [<Com
monParameters>]
Export-Entra [-Path] <String> [-All] [-CloudUsersAndGroupsOnly] [-ExportSchema <Object>] [<CommonParameters>]
DESCRIPTION
This cmdlet reads the configuration information from the target Entra tenant and produces the output files in a target directory.
PARAMETERS
-Path <String>
Specifies the directory path where the output files will be generated.
Required? true
Position? 1
Default value
Accept pipeline input? true (ByValue)
Aliases
Accept wildcard characters? false
-Type
Specifies the type of objects to export.
Default to Config which exports the key configuration settings of the tenant.
The available types are:
'AccessPolicies','AccessReviews','AdministrativeUnits','All','Applications','AppProxy','B2B','B2C','CloudPCRoles','ConditionalAccess','Config','Devices','Directory','DirectoryRoles','Domains',
'EntitlementManagement','EntitlementManagementRoles','ExchangeRoles','Governance','Groups','IAM','Identity','IntuneRoles','Organization','PIM','PIMDirectoryRoles','PIMGroups','PIMResources','Policies',
'Reports','RoleManagement','Roles','ServicePrincipals','Sharepoint','SKUs','Teams','Users','UsersRegisteredByFeatureReport'.
To see what each type exports, check src\Get-EEDefaultSchema.ps1 and check the
Required? false
Position? named
Default value Config
Accept pipeline input? false
Aliases
Accept wildcard characters? false
-All [<SwitchParameter>]
If specified performs a full export of all objects and configuration in the tenant.
Required? false
Position? named
Default value False
Accept pipeline input? false
Aliases
Accept wildcard characters? false
-CloudUsersAndGroupsOnly [<SwitchParameter>]
Excludes synched on-premises users and groups from the export. Only cloud-managed users and groups will be included.
Required? false
Position? named
Default value False
Accept pipeline input? false
Aliases
Accept wildcard characters? false
-ExportSchema <Object>
Specifies the schema to use for the export. If not specified, the default schema will be used.
Required? false
Position? named
Default value
Accept pipeline input? false
Aliases
Accept wildcard characters? false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information, see
about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
INPUTS
OUTPUTS
-------------------------- EXAMPLE 1 --------------------------
PS > Export-Entra -Path 'C:\EntraBackup\'
Runs a default export and includes the key tenant configuration settings. Does not include large data collections such as users, static groups, applications, service principals, etc.
-------------------------- EXAMPLE 2 --------------------------
PS > Export-Entra -Path 'C:\EntraBackup\' -All
Runs a full export of all objects and configuration settings.
-------------------------- EXAMPLE 3 --------------------------
PS > Export-Entra -Path 'C:\EntraBackup\' -All -CloudUsersAndGroupsOnly
Runs a full export but excludes on-prem synced users and groups.
-------------------------- EXAMPLE 4 --------------------------
PS > Export-Entra -Path 'C:\EntraBackup\' -Type ConditionalAccess, AppProxy
Runs an export that includes just the Conditional Access and Application Proxy settings.
-------------------------- EXAMPLE 5 --------------------------
PS > $exportTypes = @('Users', 'Groups', 'Devices', 'B2C')
# authenticate using user credentials
Connect-EntraExporter -Type $exportTypes
# export data
Export-Entra -Path 'C:\EntraBackup\' -Type $exportTypes
Authenticate interactively (user auth) and run an export of selected settings.
-------------------------- EXAMPLE 6 --------------------------
PS > $exportTypes = @('Users', 'Groups', 'Devices', 'B2C')
$requiredGraphScopes = Get-EERequiredScopes -Type $exportTypes -PermissionType Application
# determine if we need to authenticate to Graph
if ($requiredGraphScopes) {
"Following application type scopes are required: $($requiredGraphScopes -join ', ') !"
# authenticate using managed identity
Connect-MgGraph -Identity
}
# determine if we need to authenticate to Az
if (Get-EEAzAuthRequirement -Type $exportTypes) {
# authenticate using managed identity
Connect-AzAccount -Identity
}
# export data
Export-Entra -Path 'C:\EntraBackup\' -Type $exportTypes
Authenticate using managed identity and run an export of selected settings.
Get-EEAzAuthRequirement
This Cmdlet will tell you whether you need to be connected to Azure using Azure Authentication. They return true or false depending on the Type you specify. For example:
It shows you that you don’t need an Azure Connection for exporting Users (False), for example, but you do need it for a complete PIM export (True). The Parameters are: (You will probably not use -All because that always is True, of course 😉 )
NAME
Get-EEAzAuthRequirement
SYNOPSIS
Determines if Az authentication is required based on the requested export types and schema.
SYNTAX
Get-EEAzAuthRequirement -Type {AccessPolicies | AccessReviews | AdministrativeUnits | All | Applications | AppProxy | B2B | B2C | CloudPCRoles | ConditionalAccess | Config | Devices | Directory | Director
yRoles | Domains | EntitlementManagement | EntitlementManagementRoles | ExchangeRoles | Governance | Groups | IAM | Identity | IntuneRoles | Organization | PIM | PIMDirectoryRoles | PIMGroups | PIMResourc
es | Policies | Reports | RoleManagement | Roles | ServicePrincipals | Sharepoint | SKUs | Teams | Users | UsersRegisteredByFeatureReport} [-ExportSchema <Object>] [<CommonParameters>]
Get-EEAzAuthRequirement -All [-ExportSchema <Object>] [<CommonParameters>]
DESCRIPTION
PARAMETERS
-Type
Required? true
Position? named
Default value Config
Accept pipeline input? false
Aliases
Accept wildcard characters? false
-All [<SwitchParameter>]
Perform a full export of all available configuration item types.
Required? true
Position? named
Default value False
Accept pipeline input? false
Aliases
Accept wildcard characters? false
-ExportSchema <Object>
Specifies the schema to use for the export. If not specified, the default schema will be used.
Required? false
Position? named
Default value
Accept pipeline input? false
Aliases
Accept wildcard characters? false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information, see
about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
Get-EERequiredScopes
Using the Cmdlet, you can show the required Scopes for authentication to Entra ID. For example:
These are the Permissions you need for “Application” or “Delegated”. Parameters are, the most important one is the Type Parameter, again, as follows:
NAME
Get-EERequiredScopes
SYNOPSIS
Gets the required scopes for schema
SYNTAX
Get-EERequiredScopes [-PermissionType] <String> [[-Type] {AccessPolicies | AccessReviews | AdministrativeUnits | All | Applications | AppProxy | B2B | B2C | CloudPCRoles | ConditionalAccess | Config | Dev
ices | Directory | DirectoryRoles | Domains | EntitlementManagement | EntitlementManagementRoles | ExchangeRoles | Governance | Groups | IAM | Identity | IntuneRoles | Organization | PIM | PIMDirectoryRol
es | PIMGroups | PIMResources | Policies | Reports | RoleManagement | Roles | ServicePrincipals | Sharepoint | SKUs | Teams | Users | UsersRegisteredByFeatureReport}] [[-ExportSchema] <Object>] [<CommonPa
rameters>]
DESCRIPTION
Gets the require scopes for schema
PARAMETERS
-PermissionType <String>
Required? true
Position? 1
Default value
Accept pipeline input? false
Aliases
Accept wildcard characters? false
-Type
Required? false
Position? 2
Default value
Accept pipeline input? false
Aliases
Accept wildcard characters? false
-ExportSchema <Object>
Required? false
Position? 3
Default value
Accept pipeline input? false
Aliases
Accept wildcard characters? false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information, see
about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
INPUTS
OUTPUTS
-------------------------- EXAMPLE 1 --------------------------
PS > Get-EERequiredScopes
Use cases
You can use it to export and investigate the data from a specific tenant, but you can also use it in an Azure DevOps Pipeline to automatically export it for future reference/archive purposes. (More on that here https://github.com/microsoft/entraexporter?tab=readme-ov-file#integrate-to-azure-devops-pipeline, step-by-step guide can be found here: https://doitpsway.com/how-to-easily-backup-your-azure-environment-using-entraexporter-and-azure-devops-pipeline (Created by Ondrej Sebela)
Fix for errors for long JSON file paths
If you run into errors because you’re exporting it on Windows and to a deep folder structure, you can use this to fix that:
New-ItemProperty `
-Path "HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem" `
-Name "LongPathsEnabled" `
-Value 1 `
-PropertyType DWORD `
-Force
Credit: @shaunluttin via https://bigfont.ca/enable-long-paths-in-windows-with-powershell/ and https://docs.microsoft.com/en-us/windows/win32/fileio/maximum-file-path-limitation?tabs=powershell.
Limitations
There are a few limitations that you need to be aware of:
- This module exports all settings that are available through the Microsoft Graph API. Entra settings and objects that are not yet available in the Graph API are not included.
- Use PowerShell 7+ to create a consistent output. While PowerShell 5.1 can be used, the output generated is not optimal.
Wrapping up
And that’s how you can export configuration from Entra ID using the PowerShell Module from Merill Fernando. Have a lovely weekend!
It’s my test environment, but I understand what you’re saying and adjusted the screenshot and picture! Thanks 🙂