Saturday, November 26, 2022

✅Migrate Your Script from AzureAD or MSOnline to Graph API

Nobody can deny the great help of the AzureAD and MSOL PowerShell modules and how these two made cloud administration easy. But the end for these two modules is near, and the direction is the Graph API.

Let's start now and learn the migration steps from the old modules to Graph API.

If you're new to using Graph, consider checking out the "Connecting and Using Microsoft Graph API Using PowerShell" post. It's a great starting point for learning how to use this tool.


Read Your Old Script And Get It Ready

Get your old script, then locate and understand the functionality of each AzureAD and MSOnline cmdlet. Let's assume that our script contains some cmdlets such as

  • Import-AzureAD
  • Connect-AzureAD
  • Get-AzureADUser
  • Get-MsolAccountSku

So, how to start?!

Importing and connecting to Graph API

The module importing process is still similar to importing the AzureAD and MSOnline modules, that is, by using the Import-Module cmdlet

Import-Module Microsoft.Graph

Connecting to Graph API with Connect-MgGraph is essential in the script execution. But it's not only using the cmdlet and you are done. Instead, you need to know the connection scope to include. This can be done by using the -Scopes parameter.

The scope is a declaration of which permission the script will use. The scope structure is Resource.Operation.Constraint.

For example, to read all user data, use User.Read.All, and to write to all users' data, use User.ReadWrite.All. But how to find these permissions?

Graph Explorer is a great way to start. Let's get the required scope to read the user's profile.

  • Open your favorite browser, Edge, Chrome… whatever
  • Navigate to Microsoft Graph Explorer
  • Click the Resource tab
  • Scroll down and find User
  • Expand it and select [GET] User or [POST] User
  • Click on Modify Permission

Select the most relevant permission you need in the connection scope. Each permission includes a description of what it can do.

You can also click on the Code snippets for a PowerShell example with the required cmdlet to run.


Make sure to evaluate all of your script and get the required scope for any cmdlet that will use Graph API.

Authentication and Authorization: PowerShell and Graph API

When connecting to Graph API, there are two parts to consider: authentication and authorization. Starting with authentication, two methods are supported:

  • Delegate Authentication: The person who executes the script must authenticate by typing a valid organization username and password. Usually, this type of authentication opens a browser window for the user to authenticate.
  • Application Authentication: won't request the user to type any username or password and won't open any browser windows. It's perfect for background processes and automation.
    The Azure admin should have previously registered an app in Azure Directory.
    Write down the Client Key, Tenant ID, and client credentials, as these values are needed to connect.

For authorization, if delegate authentication is used, the user must consent and accept the list of permissions after the user is connected. This will appear directly after the user login.


But if application authorization is used, there won't be any message for the user to consent and accept. The registered application is acting on behalf of the users.

The Azure admin should assign the registered application the required permissions and consent to them.

Which one to use?! Whatever you want; just make sure to always follow least privilege. Don't assign read-write when only read permissions are needed.

Read more about authentication and authorization and how to find the required scope at Connecting and Using Microsoft Graph API Using PowerShell

Make sure that the Graph cmdlet you use in your script supports the authentication method used. Some cmdlets won't work if application authentication is used, such as New-MgChatMessage. Such information can only be found on the Microsoft Documentation website.
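
The connection and least-privilege advice above, as an added example (not code from the original post): it connects with only the scope the script needs, then checks what the session actually holds, because a delegated session can also carry scopes that were consented to on earlier connections. The baseline sign-in scope list, the Get-ExcessScope helper name and the placeholder IDs are assumptions.

```powershell
# Added example: connect with the narrowest scope, then audit the session.
Import-Module Microsoft.Graph.Authentication

# Scopes this script needs (assumption: it only reads user profiles).
$RequiredScopes = @('User.Read.All')

# Sign-in scopes commonly present in a delegated session
# (assumption; adjust this list to what your tenant issues).
$BaselineScopes = @('openid', 'profile', 'email', 'offline_access', 'User.Read')

# Hypothetical helper: return granted scopes that are not on the allow list.
function Get-ExcessScope {
    param(
        [string[]]$Granted,
        [string[]]$Allowed
    )
    $Granted | Where-Object { $_ -notin $Allowed } | Sort-Object -Unique
}

# Delegated (interactive) sign-in with the required scope only.
Connect-MgGraph -Scopes $RequiredScopes

# Application sign-in alternative; all three values are placeholders:
# Connect-MgGraph -ClientId '<app-client-id>' -TenantId '<tenant-id>' `
#     -CertificateThumbprint '<certificate-thumbprint>'

$Context = Get-MgContext
$Missing = $RequiredScopes | Where-Object { $_ -notin $Context.Scopes }
$Excess  = Get-ExcessScope -Granted $Context.Scopes `
                           -Allowed ($RequiredScopes + $BaselineScopes)

"AuthType: $($Context.AuthType)  Account: $($Context.Account)"

if ($Missing) {
    # The script would fail later with an authorization error; stop early.
    throw "Missing required scope(s): $($Missing -join ', ')"
}
if ($Excess) {
    # Anything listed here is privilege the script does not need.
    Write-Warning "Session holds more than the script needs: $($Excess -join ', ')"
}
```

A warning here usually means broader permissions were consented to earlier for the same app; use a dedicated app registration for the script or have the extra consent removed.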

Reading the Graph API Documentation To Find The Replacement Cmdlets

Microsoft has made a nice map that shows each cmdlet with its replacement cmdlet from the Graph API side, and sometimes you will find yourself returning to Microsoft Documentation for the Graph cmdlet help. For example, Get-AzureADUser was replaced by Get-MgUser.


Check out Find Azure AD and MSOnline cmdlets in Microsoft Graph PowerShell to see the full map. Each cmdlet is linked to its explanation page along with examples.

Finding the Replacement Cmdlets in Microsoft Graph using the Get-Command cmdlet

What about guessing the cmdlet by using the Get-Command cmdlet? Let's try it. Open PowerShell and type the following.

PS C:\> Get-Command Get*User* | where {$_.Source -like "Microsoft.Graph*"} | Select-Object Name

Output trimmed

This can be a good start to see any cmdlet that can help in doing a similar job to Get-AzureADUser.

Using Get-Help is another way of knowing what the cmdlet can do, the supported parameters, and each parameter's value type. You can use Get-Help Get-MgUser -Full for full help. Keep your help files up to date by running Update-Help.

There is a cmdlet named Get-MgUser. This looks similar to Get-AzureADUser. So let's take a closer look. Run the following line to see the supported parameters.

PS C:\> (Get-Command Get-MgUser).Parameters

Key                        Value
---                        -----
UserId                     System.Management.Automation.ParameterMetadata
InputObject                System.Management.Automation.ParameterMetadata
ExpandProperty             System.Management.Automation.ParameterMetadata
Property                   System.Management.Automation.ParameterMetadata
Filter                     System.Management.Automation.ParameterMetadata
Search                     System.Management.Automation.ParameterMetadata
Skip                       System.Management.Automation.ParameterMetadata
Sort                       System.Management.Automation.ParameterMetadata
Top                        System.Management.Automation.ParameterMetadata
ConsistencyLevel           System.Management.Automation.ParameterMetadata
Break                      System.Management.Automation.ParameterMetadata
HttpPipelineAppend         System.Management.Automation.ParameterMetadata
HttpPipelinePrepend        System.Management.Automation.ParameterMetadata
Proxy                      System.Management.Automation.ParameterMetadata
ProxyCredential            System.Management.Automation.ParameterMetadata
ProxyUseDefaultCredentials System.Management.Automation.ParameterMetadata
PageSize                   System.Management.Automation.ParameterMetadata
All                        System.Management.Automation.ParameterMetadata
CountVariable              System.Management.Automation.ParameterMetadata
Verbose                    System.Management.Automation.ParameterMetadata
Debug                      System.Management.Automation.ParameterMetadata
ErrorAction                System.Management.Automation.ParameterMetadata

There are similar parameters to Get-AzureADUser. Take a look at the table below.

Get-MgUser         Get-AzureADUser
----------         ---------------
UserId             ObjectId
Filter             Filter
All                All
Property           SearchString
ExpandProperty     Top

Why not also check the value type the parameter UserId accepts? This helps us know what kind of input we should provide to the parameter, whether it's a string, array, hashtable… etc.

(Get-Command Get-MgUser).Parameters.UserID

The UserID in Get-MgUser is a string, so we're good for now and can proceed with the next step.


We can use the UserID parameter with the Get-MgUser cmdlet and pass the user UPN to get user information. But wait, remember to find the required scope.

Using Find-MgGraphCommand To Find The Required Permission Scope

Use the Find-MgGraphCommand cmdlet to get a list of all the possible permissions to execute the Get-MgUser cmdlet. Read the list to find the most accurate permission that fits your requirement. In this case, it's User.Read.All.

PS C:\> (Find-MgGraphCommand -Command Get-MgUser -ApiVersion v1.0).Permissions | Select-Object Name,Description

Name                                         Description
----                                         -----------
DeviceManagementApps.Read.All                Read Microsoft Intune apps
DeviceManagementApps.ReadWrite.All           Read and write Microsoft Intune apps
DeviceManagementManagedDevices.Read.All      Read devices Microsoft Intune devices
DeviceManagementManagedDevices.ReadWrite.All Read and write Microsoft Intune devices
DeviceManagementServiceConfig.Read.All       Read Microsoft Intune configuration
Directory.Read.All                           Read directory data
Directory.ReadWrite.All                      Read and write directory data
User.Read.All                                Read all users' full profiles
User.ReadBasic.All                           Read all users' basic profiles
User.ReadWrite.All                           Read and write all users' full profiles

Some permissions might not be needed to execute the cmdlet, such as DeviceManagementApps.Read.All, which is part of the Intune apps. All that you need is the most relevant one for your use.

Keep Microsoft Documentation in your bookmarks, as you will need to open it to discover other parameters.

Practice is the key; you'll remember all these things by trying.

Let's try it all. For now, we found that the scope is User.Read.All

$Scope = @('User.Read.All')
Connect-MgGraph -Scopes $Scope

Try the Get-MgUser cmdlet with the UserID UPN, and let's see

PS C:\> Get-MgUser -UserId [email protected]

Id                                   DisplayName         Mail                  UserPrincipalName     UserType
--                                   -----------         ----                  -----------------     --------
616ed1f3-3210-3210-9acd-9acdd9acd92a User Test One       [email protected]      [email protected]

Try the -All parameter

PS C:\> Get-MgUser -All

Id                                   DisplayName         Mail                  UserPrincipalName     UserType
--                                   -----------         ----                  -----------------     --------
616ed1f3-3210-3210-9acd-9acdd9acd92a User Test One       [email protected]      [email protected]
c74d2588-4173-4173-aa1a-7c74d257704a User Test Two       [email protected]      [email protected]

All working fine, yes. This is cool and straight to the point.

Things Are Not Always Straight To The Point

Let's see how to replace Set-MsolUserLicense with a cmdlet from the Microsoft Graph API module.

Start by finding the cmdlet that might relate to Set-MsolUserLicense, for example, something with Set*UserLicense*, and find the available parameters

# Find the cmdlet
PS C:\> Get-Command Set*UserLicense* | where {$_.Source -like "Microsoft.Graph*"} | Select-Object Name


# Find the supported parameters
PS C:\> (Get-Command Set-MgUserLicense).Parameters

Key                        Value
---                        -----
UserId                     System.Management.Automation.ParameterMetadata
InputObject                System.Management.Automation.ParameterMetadata
BodyParameter              System.Management.Automation.ParameterMetadata
AddLicenses                System.Management.Automation.ParameterMetadata
AdditionalProperties       System.Management.Automation.ParameterMetadata
RemoveLicenses             System.Management.Automation.ParameterMetadata
Break                      System.Management.Automation.ParameterMetadata
HttpPipelineAppend         System.Management.Automation.ParameterMetadata
HttpPipelinePrepend        System.Management.Automation.ParameterMetadata
Proxy                      System.Management.Automation.ParameterMetadata

Get the required permission to run the cmdlet.

PS C:\> (Find-MgGraphCommand -Command Set-MgUserLicense -ApiVersion v1.0).Permissions | select Name, Description

Name                    Description
----                    -----------
Directory.ReadWrite.All Read and write directory data
User.ReadWrite.All      Read and write all users' full profiles

Comparing the two cmdlets looks good.

Set-MsolUserLicense     Set-MgUserLicense
-------------------     -----------------
ObjectId                UserID
AddLicenses             AddLicenses
RemoveLicenses          RemoveLicenses

There are other parameters, but here I'm showing the common ones only.

Things seem to be correct, so the code should work as expected if the line is written like the following. Yes?!

Set-MgUserLicense -UserId '[email protected]' -AddLicenses "PowerShellCenter:SPE_E5"

The answer is no. As mentioned before, you need to check the value type for these parameters. There are two parameters used with the Set-MgUserLicense cmdlet: UserID and AddLicenses.

The parameter sort for the UserID is a string, as proven under.

(Get-Command Set-MgUserLicense).Parameters.Userid.ParameterType

But let's check the AddLicenses parameter type. The Name is IMicrosoftGraphAssignedLicense[], and the BaseType is System.Array.

(Get-Command Set-MgUserLicense).Parameters.AddLicenses.ParameterType

IsPublic IsSerial Name                                     BaseType
-------- -------- ----                                     --------
True     True     IMicrosoftGraphAssignedLicense[]         System.Array

So now what to do?!! The answer is Microsoft Documentation. We need to know what kind of value we need to provide to this parameter for it to work.

According to Microsoft, the AddLicenses parameter needs the following

ADDLICENSES : <MicrosoftGraphAssignedLicense[]>:.
[DisabledPlans ]: A collection of the unique identifiers for plans that have been disabled.
[SkuId <String>]: The unique identifier for the SKU.

So, the structure is Set-MgUserLicense -AddLicenses [SkuId="SKU Identifier"]. This key and value form a hashtable and are written between curly brackets: @{Key=Value}

The AddLicenses parameter value should be -AddLicenses @{SkuId="06ebc4ee-1bb5-47dd-8120-11324bc54e06"}

A lot of the Graph API cmdlet value types are hashtables, so it's -ParameterName @{Key=Value}. It's also possible for the Key value to be an array, such as -ParameterName @{Key=@(Value1,Value2,Value3)}.

Set-MgUserLicense -UserId '[email protected]' -AddLicenses @{SkuId="06ebc4ee-1bb5-47dd-8120-11324bc54e06"} -RemoveLicenses @() 

Also, by reviewing the documentation, you need to provide an additional parameter, RemoveLicenses. Running Set-MgUserLicense without -RemoveLicenses returns the following error.

Set-MgUserLicense_AssignExpanded1: One or more parameters of the function import 'assignLicense' are missing from the request payload. The missing parameters are: removeLicenses.
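
The license assignment above, as an added example (not code from the original post): instead of hard-coding the SKU GUID, it looks the SkuId up from the part number with Get-MgSubscribedSku, the Graph counterpart of Get-MsolAccountSku, and checks the preconditions before calling Set-MgUserLicense. The `<user-upn>` placeholder, the 'SPE_E5' part number taken from the page's old-style license string, and the Organization.Read.All scope for the SKU lookup are assumptions.

```powershell
# Added example: resolve the SKU by part number, validate, then assign.
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Users.Actions
Import-Module Microsoft.Graph.Identity.DirectoryManagement

$UserId        = '<user-upn>'   # placeholder: UPN or object ID of the target user
$SkuPartNumber = 'SPE_E5'       # assumption: part number of the license to assign

# User.ReadWrite.All is the permission the page found for Set-MgUserLicense;
# Organization.Read.All (assumption) covers reading the tenant's SKUs.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Organization.Read.All'

# Translate the readable part number into the SkuId GUID that AddLicenses expects.
$Sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq $SkuPartNumber
if (-not $Sku) {
    throw "SKU '$SkuPartNumber' was not found in this tenant."
}

# Stop before the API call if no unit is free.
$Available = $Sku.PrepaidUnits.Enabled - $Sku.ConsumedUnits
if ($Available -lt 1) {
    throw "No free '$SkuPartNumber' licenses (consumed: $($Sku.ConsumedUnits))."
}

# UsageLocation and AssignedLicenses are not in the default property set.
$User = Get-MgUser -UserId $UserId -Property Id, UsageLocation, AssignedLicenses
if (-not $User.UsageLocation) {
    throw "User '$UserId' has no UsageLocation; set it before assigning a license."
}
if ($User.AssignedLicenses.SkuId -contains $Sku.SkuId) {
    "User '$UserId' already has '$SkuPartNumber'; nothing to do."
    return
}

# AddLicenses takes an array of hashtables; RemoveLicenses must be present,
# even when empty, or the request fails with the error shown above.
Set-MgUserLicense -UserId $User.Id `
                  -AddLicenses @(@{ SkuId = $Sku.SkuId }) `
                  -RemoveLicenses @()
```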

Checklist to Migrate From MSOnline and AzureAD to Graph API

Here is a quick checklist:

  • Evaluate your old script, and see where all the cmdlets related to MSOnline and AzureAD are. Take a note.
  • Authentication and Permissions
    • How will the script be executed: using the user context or the application context?
    • Evaluate the required permissions to execute the script, and don't forget the least privilege concept. Only assign the user/application the required permissions.
    • Use Graph Explorer and Find-MgGraphCommand to find the required scope.
    • Microsoft Documentation is always a great starting point.
  • While evaluating the alternative cmdlet, look at the supported parameters to know how to structure the parameters and the supported value types.
  • It's okay for things not to work the first time.
  • Microsoft Documentation is always a great starting point
  • Learn to use Microsoft Graph Explorer.


There might be some challenges while migrating your script to the Graph API. But once you understand the concept, you will find it easy.

Let me know in the comments your method of such migration.
