
Entra or Microsoft Graph PowerShell

Since June 2024, a new option has become available for transitioning legacy PowerShell scripts away from the deprecated AzureAD module. Below are examples and thoughts on which option might suit your path to solving this challenge. The 'Entra PowerShell' module, currently in Public Preview, shows great potential to soon be ready for production environments.

Explanation

Microsoft Entra PowerShell (preview) is a command-line tool that allows administrators to manage and automate Microsoft Entra product family resources programmatically.

The module offers human-readable parameters, inline documentation, and core PowerShell fundamentals like pipelining. The module builds upon and is part of the Microsoft Graph PowerShell SDK.


Starting off with a quick overview of the available modules:

Module               | Description                                          | Deprecated
---------------------|------------------------------------------------------|------------------------------------------------
AzureAD              | Azure Active Directory PowerShell for Graph (LEGACY) | Yes (EOS[1]: March 2024, EOL[2]: March 2025)
AzureADPreview       | Azure AD Preview PowerShell                          | Yes (EOS[1]: March 2024, EOL[2]: March 2025)
Microsoft.Graph      | Microsoft Graph PowerShell (CLASSIC)                 | No
Microsoft.Graph.Entra| Entra PowerShell (NEW)                               | No
MSOnline             | MSOnline PowerShell (MSOL, LEGACY)                   | Yes (EOS[1]: March 2024, EOL[2]: March 2025)

To get started with 'Entra PowerShell' you have to prepare with the following steps:

# --- Preparation
# Install-Module PowerShellGet -Force or Update-Module PowerShellGet -Force
## Install-Module -Name Microsoft.Graph.Entra -AllowPrerelease -Scope AllUsers
## Update-Module -Name Microsoft.Graph.Entra -AllowPrerelease -Scope AllUsers
Install-Module Microsoft.Graph.Entra -AllowPrerelease -Repository PSGallery -Force
# 0.12.0-preview (current version) 
Connect-Entra
# Get-Command -Module Microsoft.Graph.Entra
# Get-Help Get-EntraUser -Full

Solution 1 - Rewrite (Complex)

In preparation for March 2024 the only option was rewriting your scripts and working out how to transition each action with the "Cmdlet map[3]" from AzureAD to MgGraph. This could sometimes mean understanding what is even supported, in which steps you can achieve the same result, up to writing JSON snippets. In my opinion, this can require some DevOps skills. Here is an example in which we try to transition a simple "Contains" search string:

# --- Before
Connect-AzureAD
Get-AzureADUser -SearchString "New"
# It searches inside of the string

# --- After
Connect-MgGraph
Get-MgUser -Filter "DisplayName eq 'New'"
# This only displays an exact match
Get-MgUser -ConsistencyLevel eventual -Count userCount -Filter "startsWith(DisplayName, 'New')" -Top 1
# This only displays users whose display name starts with the search string
Get-MgUser -All | Where-Object {$_.DisplayName -like "*New*"}
# This should fulfill the above search, but needs quite some performance in some environments (paging).
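As an added example (not code from the original post), here is a helper that reproduces the "Contains" search from the block above on Microsoft Graph PowerShell while paying the paging cost only when a true substring match is needed. It assumes the Microsoft.Graph.Users module is installed and that Connect-MgGraph has already run with the User.Read.All scope; the function name is my own.

```powershell
# Added example (not from the original post): a helper that reproduces the
# AzureAD "contains" style search on Microsoft Graph PowerShell without
# pulling the whole directory through Where-Object unless that is really
# required. Assumes the Microsoft.Graph.Users module is installed and that
# Connect-MgGraph -Scopes 'User.Read.All' has already run.
function Find-MgUserByDisplayNamePart {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Term,
        # Force a true substring match (slower: pages through all users)
        [switch]$Substring,
        [int]$PageSize = 500
    )

    # Only request the properties the caller needs: smaller responses and
    # fewer bytes per page while paging.
    $props = 'Id', 'DisplayName', 'UserPrincipalName'

    if (-not $Substring) {
        # Service-side: $search tokenises displayName and matches token
        # prefixes ("New" finds "New User" and "Newman", but not "Renewal").
        # It needs the advanced-query header, hence -ConsistencyLevel eventual.
        # A double quote inside the term would terminate the search clause,
        # so it is stripped before the term is embedded in the query.
        $safeTerm = $Term -replace '"', ''
        return Get-MgUser -ConsistencyLevel eventual `
            -Search "`"displayName:$safeTerm`"" `
            -Property $props -PageSize $PageSize -All
    }

    # Substring match: Graph does not offer a contains() filter on displayName,
    # so page through the directory with the narrow property set and filter
    # locally. WildcardPattern.Escape keeps characters like * or ? in the
    # term from being interpreted as wildcards by -like.
    $pattern = '*' + [System.Management.Automation.WildcardPattern]::Escape($Term) + '*'
    Get-MgUser -All -PageSize $PageSize -Property $props |
        Where-Object { $_.DisplayName -like $pattern }
}

# Usage (after Connect-MgGraph -Scopes 'User.Read.All'):
# Find-MgUserByDisplayNamePart -Term 'New'              # token-prefix match, filtered by the service
# Find-MgUserByDisplayNamePart -Term 'New' -Substring   # exact "contains" semantics, full paging
```

The default path keeps the filtering on the service side, which is the cheap option in large tenants; the -Substring path is the same Where-Object approach as in the block above, but with -Property and -PageSize set so that paging moves as little data as possible.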

Solution 2 - Renew or enable Aliasing (Simple)

With the new 'Entra PowerShell' module you can either update your script to the newest Entra cmdlets, which should offer mostly the same functions, or try out the aliasing option, in which the existing AzureAD cmdlets are overloaded and run on the new Entra PowerShell in the background. This could reduce your effort to updating the start section of the existing script and verifying the end result.

# --- 2.1 Renew
# Connect-MgGraph -Scopes 'User.Read.All'
Get-AzureADUser -SearchString "New" # Before
Get-EntraUser -SearchString 'New' # After


# --- 2.2 Aliasing 
#Import-Module -Name Microsoft.Graph.Entra
Connect-Entra # Replaces Connect-AzureAD for Authentication
Enable-EntraAzureADAlias # Enable Aliasing

Get-AzureADUser -Top 1 # Use the same cmdlets as before
Get-AzureADUser -SearchString "New"
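Before relying on the aliasing option for a whole script, it helps to know which AzureAD cmdlets the script calls and whether each of them resolves once aliasing is enabled. The following is an added example (not part of the original post) that parses a legacy script without running it and reports that coverage. It assumes Microsoft.Graph.Entra is installed and Connect-Entra has already been called; whether Get-Command reports the aliased names as aliases or functions is not stated on the page, so the function just prints what it finds.

```powershell
# Added example (not part of the original post): before relying on aliasing,
# parse a legacy script without running it, list every AzureAD cmdlet it
# calls and report which of them resolve once Enable-EntraAzureADAlias has
# run. Assumes Microsoft.Graph.Entra is installed and Connect-Entra has
# already been called.
function Test-EntraAliasCoverage {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$ScriptPath)

    # Static analysis via the PowerShell AST: nothing in the script executes.
    $tokens = $null; $parseErrors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseFile($ScriptPath, [ref]$tokens, [ref]$parseErrors)
    if ($parseErrors) { throw "Script does not parse: $($parseErrors[0].Message)" }

    $legacyCmdlets = $ast.FindAll({ $args[0] -is [System.Management.Automation.Language.CommandAst] }, $true) |
        ForEach-Object { $_.GetCommandName() } |
        Where-Object { $_ -match '^[A-Za-z]+-AzureAD' } |
        Sort-Object -Unique

    Enable-EntraAzureADAlias

    foreach ($name in $legacyCmdlets) {
        $cmd = Get-Command -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Cmdlet     = $name
            # If the name still resolves into the legacy AzureAD module (for
            # example because it is still imported in the session), the script
            # would silently keep using the deprecated code path.
            Covered    = ($null -ne $cmd) -and ($cmd.ModuleName -ne 'AzureAD')
            ResolvesTo = if ($cmd) { "$($cmd.CommandType) in $($cmd.ModuleName)" } else { 'not available' }
        }
    }
}

# Usage:
# Test-EntraAliasCoverage -ScriptPath .\Offboard-User.ps1 | Format-Table
```

Run it in a fresh session where the old AzureAD module is not imported, so that "Covered" reflects the Entra aliases and not the deprecated module; any row reported as "not available" is a cmdlet that still needs the rewrite from Solution 1.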

Permission for Role vs Permission for Action

Whichever transition option you choose, you will need some effort to rethink which permissions you need to run the script successfully. With the new attribute "ContextScope", you can no longer directly use your user's role permissions; you have to request them in a new manner. This is useful if you later transition to app-only authentication instead of the current delegated access, but it requires some additional understanding.

# In MgGraph you can easily find them
(Find-MgGraphCommand -Command 'Get-MgUser').Permissions
Connect-MgGraph -Scopes 'User.Read.All'

# In Entra the same is not possible, you have to guess a bit
# Find-EntraCommand --> not yet available
Connect-Entra -Scopes 'User.Read.All'
# Connect-Entra -Scopes 'User.Read.All', 'Group.ReadWrite.All'
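The block above shows Find-MgGraphCommand for a single cmdlet. As an added example (not part of the original post), the following derives the delegated scopes for every Mg* cmdlet a script calls and then checks, after connecting, that the token really carries them, instead of connecting with a broad scope list "just in case". It assumes Microsoft.Graph.Authentication (Find-MgGraphCommand, Connect-MgGraph, Get-MgContext) is installed; the IsLeastPrivilege flag on the permission entries exists only in newer SDK versions, so it is used when present and otherwise the first listed permission is taken and must be reviewed by hand. The function names are my own.

```powershell
# Added example (not part of the original post): derive the delegated scopes
# a script actually needs from the Mg* cmdlets it calls. Assumes
# Microsoft.Graph.Authentication is installed; the IsLeastPrivilege property
# on the permission entries is only present in newer SDK versions (assumption
# checked at runtime).
function Get-ScriptGraphScopes {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$ScriptPath)

    # Static analysis via the AST; the script itself is not executed.
    $tokens = $null; $parseErrors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseFile($ScriptPath, [ref]$tokens, [ref]$parseErrors)
    $mgCmdlets = $ast.FindAll({ $args[0] -is [System.Management.Automation.Language.CommandAst] }, $true) |
        ForEach-Object { $_.GetCommandName() } |
        Where-Object { $_ -match '^[A-Za-z]+-Mg' } |
        Sort-Object -Unique

    $scopes = foreach ($name in $mgCmdlets) {
        # Find-MgGraphCommand returns one record per API path/method the cmdlet
        # can call; each record lists the permissions that authorise it.
        $perms = (Find-MgGraphCommand -Command $name -ErrorAction SilentlyContinue).Permissions
        if (-not $perms) { Write-Warning "No permission data for $name"; continue }
        $least = $perms | Where-Object { $_.PSObject.Properties['IsLeastPrivilege'] -and $_.IsLeastPrivilege }
        if ($least) { $least.Name }
        else {
            # Older SDKs do not flag the least-privileged entry: take the first
            # one and review it manually before shipping the script.
            ($perms | Select-Object -First 1).Name
        }
    }
    $scopes | Sort-Object -Unique
}

function Connect-MgGraphForScript {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$ScriptPath)

    $required = Get-ScriptGraphScopes -ScriptPath $ScriptPath
    Connect-MgGraph -Scopes $required -NoWelcome

    # Consent can be partial, or a cached token may carry a different set of
    # scopes; compare granted with required before the script does any work.
    $granted = (Get-MgContext).Scopes
    $missing = $required | Where-Object { $_ -notin $granted }
    if ($missing) { throw "Missing scopes: $($missing -join ', ')" }
    $required
}

# Usage:
# Connect-MgGraphForScript -ScriptPath .\Report-Guests.ps1
```

The post notes that Entra PowerShell has no Find-EntraCommand yet. Since the Entra module builds on the Graph PowerShell SDK, my working assumption is that the scope list found for the corresponding Mg* cmdlet is also what Connect-Entra -Scopes needs; verify that against (Get-MgContext).Scopes the same way rather than taking it on faith.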

Summary

I personally really like having this option and would like to see the further development around it. I hope to soon see documentation like MgGraph has and a full feature set, which is nearly reached with the current compatibility (significantly over 98%). Wish you all a good day and success in the first experiments!

PS: Please also consider changing your authentication method to app-only authentication[4], which is not part of this article.


References:

  1. End of support (EOS): cmdlet is still available, critical security patches
  2. End of life (EOL): cmdlet not available anymore, service is offline, no patches
  3. Cmdlet map: Find Azure AD PowerShell and MSOnline cmdlets in Microsoft Graph PowerShell
  4. Use app-only authentication