Azure AD and MSOL PowerShell Modules Get Extension
Reflecting customer unease at the prospect of an imminent deprecation of the Azure AD Graph API on June 30, 2022, Microsoft has pushed the date out to the end of 2022. Amusingly, because change management inside Microsoft 365 has been an issue for years, Microsoft said, “We’ve heard from our customers that managing these changes is becoming increasingly difficult so, starting today, we are simplifying change management for Azure AD.” It’s nice that the Azure AD team now appreciate the problem.
To be fair to Microsoft, they first announced their intention to end support for the Azure AD Graph API in June 2020. Unfortunately, other pressures (like the number of changes across Microsoft 365) inevitably meant that people didn’t pay much attention. Perhaps it was because few understood that the Azure AD Graph API is the technical underpinning for the Azure AD and Microsoft Online Services (MSOL) PowerShell modules.
The Graph SDK is the Way Forward
Further guidance came in June 2021, when Microsoft confirmed that the Microsoft Graph PowerShell SDK is the way forward. The Azure AD and MSOL modules would not be taken forward to support PowerShell 7 and new identity APIs would only be available through the Microsoft Graph PowerShell SDK. At that point, it became clear that any organization which uses the Azure AD and MSOL modules to automate tenant management had work to do to migrate away from the old modules.
The extra time available to upgrade scripts will come as a relief. However, the August 26, 2022 date still applies for the termination of support for license management cmdlets in both modules. Microsoft is moving to a new license management platform and the old cmdlets won’t work against that platform.
The order of priority for script upgrades is clear. Identify and update any script which accesses Azure AD license information (here’s an example of a conversion) by August 26, 2022, and prepare a list of the other scripts which use the Azure AD and MSOL modules for upgrade later this year.
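One way to build that priority list, as an added example that is not from the original article: the function below parses each script with the PowerShell language parser and reports every call to an Azure AD or MSOL cmdlet with its line number. The function name Get-LegacyCmdletUsage, the Msol/AzureAD noun-prefix match, and the "License or Sku in the name" heuristic for the August 26 bucket are assumptions of this example, and the two sample scripts are constructed.

```powershell
# Added example: inventory scripts that still call Azure AD / MSOL cmdlets.
# Assumptions: legacy cmdlets are recognised by noun prefix (Msol, AzureAD);
# license-related ones are recognised by "License" or "Sku" in the name.
function Get-LegacyCmdletUsage {
    param([Parameter(Mandatory)][string]$Path)
    foreach ($file in Get-ChildItem -Path $Path -Recurse -Include *.ps1, *.psm1 -File) {
        $tokens = $null; $errors = $null
        $ast = [System.Management.Automation.Language.Parser]::ParseFile(
            $file.FullName, [ref]$tokens, [ref]$errors)
        # Walk the syntax tree so comments and string literals are not counted.
        $commands = $ast.FindAll(
            { $args[0] -is [System.Management.Automation.Language.CommandAst] }, $true)
        foreach ($cmd in $commands) {
            $name = $cmd.GetCommandName()   # $null when the command name is dynamic
            if ($name -notmatch '^[A-Za-z]+-(Msol|AzureAD)') { continue }
            [pscustomobject]@{
                Script   = $file.Name
                Line     = $cmd.Extent.StartLineNumber
                Cmdlet   = $name
                Priority = if ($name -match 'License|Sku') { 'By August 26, 2022' }
                           else { 'Later in 2022' }
            }
        }
    }
}

# Constructed sample scripts (not from the article), written to a temp folder.
$dir = Join-Path ([System.IO.Path]::GetTempPath()) 'legacy-scan-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
Set-Content -Path (Join-Path $dir 'Assign-Licenses.ps1') -Value @'
Connect-MsolService
# Set-MsolUserLicense in a comment is ignored by the parser-based scan
Get-MsolUser -All | Set-MsolUserLicense -AddLicenses "contoso:ENTERPRISEPACK"
'@
Set-Content -Path (Join-Path $dir 'Report-Groups.ps1') -Value @'
Connect-AzureAD
Get-AzureADGroup -All $true | Select-Object DisplayName
'@

Get-LegacyCmdletUsage -Path $dir | Sort-Object Script, Line | Format-Table -AutoSize
```

Parsing does not load or run the scanned scripts, so the scan works on a workstation that has neither module installed.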
More Tools Promised
Microsoft says that they will provide information on tools to help with the migration towards the middle of this year. My experience of converting scripts is that it’s an intensely manual process. The cmdlets are different, the parameters and switches are different, and the Microsoft Graph PowerShell SDK documentation is obscure, convoluted, and unhelpful. Perhaps the Azure AD team has a magic wand that will make these issues go away, but I can’t see how in the available time.
Other issues which might be considered over and above a simple cmdlet-for-cmdlet conversion include using the SDK with certificate-based authentication. It’s a bad idea to use the SDK interactively due to the potential for permission accumulation by the service principal used by the SDK. Using certificate-based authentication is preferable, including if you use the Microsoft Graph PowerShell SDK with Azure Automation to execute long-running jobs.
Prepare for Transition
It’s nice for Microsoft to extend the useful lifetime of the Azure AD and MSOL modules but it doesn’t take away the need for organizations to pay attention and prepare for the eventual transition away from these modules. Eventually, Microsoft will cease support. At that point, cmdlets might or might not continue working, or they might return unpredictable results. It’s time to embrace the Graph!