Nobody can deny how much the AzureAD and MSOnline PowerShell modules helped, and how these two made cloud administration simple. However, the end for these two modules is near, and the direction is the Microsoft Graph API.
Let's start now and learn the migration steps from the old modules to Graph API.
If you're new to using Graph, consider checking out the “Connecting and Using Microsoft Graph API Using PowerShell” post. It's a good starting point for learning how to use this tool.
Prerequisites
Read Your Old Script And Get It Ready
Get your old script, then locate and understand the AzureAD and MSOnline cmdlets it uses. Let's assume that our script contains cmdlets such as
Import-Module AzureAD
Connect-AzureAD
Get-AzureADUser
Get-MsolAccountSku
So, how to start?
Importing and connecting to Graph API
The module import process is still similar to importing the AzureAD and MSOnline modules, that is, by using the Import-Module cmdlet:
Import-Module Microsoft.Graph
Microsoft.Graph is a meta-module that loads every Graph sub-module and takes a while to import; in a production script you can import only the sub-modules you actually use, for example Microsoft.Graph.Authentication and Microsoft.Graph.Users.
Connecting to Graph API is an essential step in the script and is done with Connect-MgGraph. But it's not just running the cmdlet and you're done. Instead, you need to know which permission scopes to include. This is done with the -Scopes parameter.
A scope is a declaration of which permissions the script will use. The scope structure is Resource.Operation.Constraint.
For example, to read all user data, use User.Read.All, and to write to all users' data, use User.ReadWrite.All. But how to find these permissions?
Graph Explorer is a good way to start. Let's get the required scope to read a user's profile.
- Open your favourite browser, Edge, Chrome… whatever
- Navigate to Microsoft Graph Explorer
- Click the Resources tab
- Scroll down and find User
- Expand it and select [GET] User or [POST] User
- Click on Modify permissions
Select the most relevant permission you need in the connection scope. The permission list includes a description of what each one can do.
You can also click on Code snippets for a PowerShell example with the required cmdlet to run.
Make sure to evaluate your whole script and get the required scope for every cmdlet that will use Graph API.
Authentication and Authorization: PowerShell and Graph API
When connecting to Graph API, there are two parts to consider: authentication and authorization. Starting with authentication, two methods are supported:
- Delegated authentication: the person who executes the script must authenticate with a valid organization username and password. Usually this type of authentication opens a browser window for the user to sign in.
- Application authentication: won't ask the user to type any username or password and won't open any browser window. It's ideal for background processes and automation.
For application authentication, an Azure admin must have previously registered an app in Azure Active Directory.
Write down the client (application) ID, the tenant ID, and the client credential, as these values are needed to connect. Prefer a certificate over a client secret, and never hard-code a secret in the script itself.
For authorization, if delegated authentication is used, the user must consent to and accept the list of permissions after signing in. This prompt appears directly after the user login.
But if application authentication is used, there won't be any consent prompt for the user. The registered application acts with its own identity rather than on behalf of a signed-in user, so the permissions it holds apply tenant-wide.
An Azure admin should assign the registered application the required application permissions and grant admin consent for them.
Which one to use? Whichever fits your scenario, but always follow the principle of least privilege: don't assign read-write when only read permissions are needed.
Read more about authentication and authorization and how to find the required scope at Connecting and Using Microsoft Graph API Using PowerShell.
Make sure the Graph cmdlets you use in your script support the chosen authentication method. Some cmdlets won't work with application authentication, for example New-MgChatMessage. Such information can only be found on the Microsoft Documentation site, where each Graph API lists its Delegated and Application permissions separately.
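The two authentication paths above can be wrapped in one helper that also verifies the least-privilege scopes before the script touches the tenant. This is an added example and not code from the original post; it assumes Microsoft Graph PowerShell SDK 2.x (for -NoWelcome) and, for the application path, an app registration that already has admin-consented application permissions and a certificate in the local user store. The tenant, client ID and thumbprint in the commented calls are placeholders.

```powershell
# Added example (not from the original post): one connection helper for both
# delegated and application authentication, with a scope check afterwards.
# Assumes Microsoft Graph PowerShell SDK 2.x.
Import-Module Microsoft.Graph.Authentication

function Connect-GraphForScript {
    param(
        # Only the scopes the script really needs (read-only here, since the
        # script only reads users). Never request ReadWrite "just in case".
        [Parameter(Mandatory)] [string[]] $RequiredScopes,
        # Application (app-only) parameters; leave empty for delegated sign-in.
        [string] $TenantId,
        [string] $ClientId,
        [string] $CertificateThumbprint
    )

    if ($ClientId) {
        # Application authentication: no browser, no user prompt. The permissions
        # come from the app registration, so -Scopes is not used on this path.
        Connect-MgGraph -TenantId $TenantId -ClientId $ClientId `
            -CertificateThumbprint $CertificateThumbprint -NoWelcome
    }
    else {
        # Delegated authentication: browser window, the user signs in and
        # consents to exactly the scopes listed.
        Connect-MgGraph -Scopes $RequiredScopes -NoWelcome
    }

    # Verify what we actually got before running anything against the tenant.
    $ctx = Get-MgContext
    $missing = $RequiredScopes | Where-Object { $_ -notin $ctx.Scopes }
    if ($missing) {
        Disconnect-MgGraph | Out-Null
        throw "Connected ($($ctx.AuthType)) but missing scopes: $($missing -join ', ')"
    }
    Write-Verbose "Connected ($($ctx.AuthType)) with scopes: $($ctx.Scopes -join ', ')"
    return $ctx
}

# Delegated: the user is prompted and consents to User.Read.All only.
# Connect-GraphForScript -RequiredScopes 'User.Read.All'

# Application: unattended run; the identity is the app itself, not a user.
# (placeholder tenant, client ID and certificate thumbprint)
# Connect-GraphForScript -RequiredScopes 'User.Read.All' `
#     -TenantId 'contoso.onmicrosoft.com' `
#     -ClientId '00000000-0000-0000-0000-000000000000' `
#     -CertificateThumbprint 'ABCDEF0123456789ABCDEF0123456789ABCDEF01'
```

Get-MgContext reports AuthType as Delegated or AppOnly and lists the scopes (or application roles) the token actually carries, which is the fastest way to catch a script that was granted more, or less, than it should have been.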
Reading the Graph API Documentation To Find The Replacement Cmdlets
Microsoft has made a nice map that shows each cmdlet with its replacement on the Graph side, and sometimes you will find yourself returning to the Microsoft Documentation for the Graph cmdlet help. For example, Get-AzureADUser was replaced by Get-MgUser.
Check out Find Azure AD and MSOnline cmdlets in Microsoft Graph PowerShell to see the full map. Each cmdlet is linked to its explanation page along with examples.
Finding the Replacement Cmdlets in Microsoft Graph using the Get-Command cmdlet
What about guessing the cmdlet by using the Get-Command cmdlet? Let's try it. Open PowerShell and type the following.
PS C:\> Get-Command Get*User* | Where-Object {$_.Source -like "Microsoft.Graph*"} | Select-Object Name
Name
----
Get-MgUserMember
Get-MgUserMemberByRef
Get-MgUserTransitiveMember
Get-MgUserTransitiveMemberByRef
Get-MgUser
Get-MgUserCreatedObject
Get-MgUserCreatedObjectByRef
Get-MgUserDirectReport
Get-MgUserDirectReportByRef
Get-MgUserExtension
Get-MgUserLicenseDetail
.
.
. Output trimmed
This can be a good start to see any cmdlet that may help in doing a similar job to Get-AzureADUser.
Using Get-Help is another way of learning what a cmdlet can do, the supported parameters, and each parameter's value type. You can use
Get-Help Get-MgUser -Full
for the full help. Keep your help files up to date by running Update-Help.
There's a cmdlet named Get-MgUser. This looks similar to Get-AzureADUser, so let's take a closer look. Run the following line to see the supported parameters.
PS C:\> (Get-Command Get-MgUser).Parameters
Key Value
--- -----
UserId System.Management.Automation.ParameterMetadata
InputObject System.Management.Automation.ParameterMetadata
ExpandProperty System.Management.Automation.ParameterMetadata
Property System.Management.Automation.ParameterMetadata
Filter System.Management.Automation.ParameterMetadata
Search System.Management.Automation.ParameterMetadata
Skip System.Management.Automation.ParameterMetadata
Sort System.Management.Automation.ParameterMetadata
Top System.Management.Automation.ParameterMetadata
ConsistencyLevel System.Management.Automation.ParameterMetadata
Break System.Management.Automation.ParameterMetadata
HttpPipelineAppend System.Management.Automation.ParameterMetadata
HttpPipelinePrepend System.Management.Automation.ParameterMetadata
Proxy System.Management.Automation.ParameterMetadata
ProxyCredential System.Management.Automation.ParameterMetadata
ProxyUseDefaultCredentials System.Management.Automation.ParameterMetadata
PageSize System.Management.Automation.ParameterMetadata
All System.Management.Automation.ParameterMetadata
CountVariable System.Management.Automation.ParameterMetadata
Verbose System.Management.Automation.ParameterMetadata
Debug System.Management.Automation.ParameterMetadata
ErrorAction System.Management.Automation.ParameterMetadata
There are similar parameters to Get-AzureADUser. Take a look at the table below: the first rows are direct equivalents, the remaining ones exist only on the Graph side.

| Get-MgUser | Get-AzureADUser |
| --- | --- |
| UserId | ObjectId |
| Filter | Filter |
| All | All |
| Top | Top |
| Search (or a startswith Filter) | SearchString |
| Property, ExpandProperty | |
| InputObject, Break, ConsistencyLevel | |
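The mapping above is easiest to see with the calls side by side. The following is an added example, not code from the original post: each common Get-AzureADUser call is shown as a comment next to its Get-MgUser equivalent. It assumes an existing Connect-MgGraph session with User.Read.All; the object ID and the search text are placeholders.

```powershell
# Added example (not from the original post): migrating typical Get-AzureADUser
# calls to Get-MgUser. Assumes Connect-MgGraph was already run with User.Read.All.
Import-Module Microsoft.Graph.Users

$ObjectId = '00000000-0000-0000-0000-000000000000'   # placeholder object ID
$Search   = 'adm'                                     # placeholder search text

# 1) Single user: -ObjectId becomes -UserId, which accepts an object ID or a UPN.
#    Old: Get-AzureADUser -ObjectId $ObjectId
$user = Get-MgUser -UserId $ObjectId

# 2) -Filter is still OData, but property names are camelCase and the result's
#    ObjectId property is now Id. -All is a switch, not a boolean.
#    Old: Get-AzureADUser -Filter "accountEnabled eq false" -All $true
$disabled = Get-MgUser -Filter "accountEnabled eq false" -All |
    Select-Object Id, UserPrincipalName

# 3) -SearchString has no direct equivalent. Reproduce its "starts with"
#    behaviour with a filter. Any value that goes into an OData filter must have
#    its single quotes doubled, otherwise a crafted input can rewrite the filter.
#    Old: Get-AzureADUser -SearchString $Search
$safe = $Search -replace "'", "''"
$byPrefix = Get-MgUser -All -Filter (
    "startswith(displayName,'$safe') or startswith(userPrincipalName,'$safe')"
)
#    ... or use -Search, which needs the ConsistencyLevel header and a count.
$bySearch = Get-MgUser -All -Search ('"displayName:{0}"' -f $safe) `
    -ConsistencyLevel eventual -CountVariable matchCount

# 4) Get-MgUser returns only a default property set. Properties such as
#    department or createdDateTime come back empty unless requested with -Property.
#    Old: Get-AzureADUser -Top 5 | Select-Object DisplayName, Department
$top5 = Get-MgUser -Top 5 -Property 'displayName', 'department', 'createdDateTime' |
    Select-Object DisplayName, Department, CreatedDateTime

$top5
```

Point 4 is the most common silent failure in migrated scripts: the old cmdlet returned every attribute, so a pipeline that reads Department will now produce blank values rather than an error until -Property is added.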
Why not also check the value type the UserId parameter accepts? This tells us what kind of input we should provide to the parameter, whether it's a string, an array, a hashtable, etc.
(Get-Command Get-MgUser).Parameters.UserId.ParameterType
The UserId in Get-MgUser is a string, so we're good for now and can proceed to the next step.
We can use the UserId parameter with the Get-MgUser cmdlet and pass the user's UPN to get the user information. But wait, remember to find the required scope first.
Using Find-MgGraphCommand To Find The Required Permission Scope
Use the Find-MgGraphCommand cmdlet to get a list of all the permissions that allow executing the Get-MgUser cmdlet. Read the list to find the most precise permission that matches your requirement. In this case, it's User.Read.All.
PS C:\> (Find-MgGraphCommand -Command Get-MgUser -ApiVersion v1.0).Permissions | Select-Object Name,Description
Name Description
---- -----------
DeviceManagementApps.Read.All Read Microsoft Intune apps
DeviceManagementApps.ReadWrite.All Read and write Microsoft Intune apps
DeviceManagementManagedDevices.Read.All Read Microsoft Intune devices
DeviceManagementManagedDevices.ReadWrite.All Read and write Microsoft Intune devices
DeviceManagementServiceConfig.Read.All Read Microsoft Intune configuration
Directory.Read.All Read directory data
Directory.ReadWrite.All Read and write directory data
User.Read.All Read all users' full profiles
User.ReadBasic.All Read all users' basic profiles
User.ReadWrite.All Read and write all users' full profiles
Some of these permissions are not needed to execute the cmdlet, such as DeviceManagementApps.Read.All, which belongs to Intune apps. All you need is the most specific one for your use; a broad permission like Directory.Read.All would work too, but it grants far more than this script requires.
Keep the Microsoft Documentation in your bookmarks, as you will need it to learn about other parameters.
Practice is the key; you'll remember all of this by trying.
Let's try it all. For now, we found that the scope is User.Read.All
$Scope = @('User.Read.All')
Connect-MgGraph -Scopes $Scope
Try the Get-MgUser cmdlet with the user's UPN as UserId, and let's see (the UPN and mail values below are placeholders for the test tenant's users).
PS C:\> Get-MgUser -UserId user1@<tenant-domain>
Id DisplayName Mail UserPrincipalName UserType
-- ----------- ---- ----------------- --------
616ed1f3-3210-3210-9acd-9acdd9acd92a User Test One user1@<tenant-domain> user1@<tenant-domain>
Try the -All parameter
PS C:\> Get-MgUser -All
Id DisplayName Mail UserPrincipalName UserType
-- ----------- ---- ----------------- --------
616ed1f3-3210-3210-9acd-9acdd9acd92a User Test One user1@<tenant-domain> user1@<tenant-domain>
c74d2588-4173-4173-aa1a-7c74d257704a User Test Two user2@<tenant-domain> user2@<tenant-domain>
All working fine. That was straight to the point.
Things Are Not Always Straight To The Point
Let's see how to replace Set-MsolUserLicense using the Microsoft Graph PowerShell module.
Start by finding the cmdlet that may relate to Set-MsolUserLicense, for example something matching Set*UserLicense*, and then find the available parameters.
#Find the cmdlet
PS C:\> Get-Command Set*UserLicense* | Where-Object {$_.Source -like "Microsoft.Graph*"} | Select-Object Name
Name
----
Set-MgUserLicense
#Find the supported parameters
PS C:\> (Get-Command Set-MgUserLicense).Parameters
Key Value
--- -----
UserId System.Management.Automation.ParameterMetadata
InputObject System.Management.Automation.ParameterMetadata
BodyParameter System.Management.Automation.ParameterMetadata
AddLicenses System.Management.Automation.ParameterMetadata
AdditionalProperties System.Management.Automation.ParameterMetadata
RemoveLicenses System.Management.Automation.ParameterMetadata
Break System.Management.Automation.ParameterMetadata
HttpPipelineAppend System.Management.Automation.ParameterMetadata
HttpPipelinePrepend System.Management.Automation.ParameterMetadata
Proxy System.Management.Automation.ParameterMetadata
. Output trimmed
Get the required permission to run the cmdlet.
PS C:\> (Find-MgGraphCommand -Command Set-MgUserLicense -ApiVersion v1.0).Permissions | Select-Object Name, Description
Name Description
---- -----------
Directory.ReadWrite.All Read and write directory data
User.ReadWrite.All Read and write all users' full profiles
Comparing the two cmdlets looks good.

| Set-MsolUserLicense | Set-MgUserLicense |
| --- | --- |
| ObjectId | UserId |
| AddLicenses | AddLicenses |
| RemoveLicenses | RemoveLicenses |

Things seem to be correct, so the code should work as expected if the line is written like the following. Yes?!
Set-MgUserLicense -UserId 'user1@<tenant-domain>' -AddLicenses "PowerShellCenter:SPE_E5"
The answer is no. As mentioned before, you need to check the value type of these parameters. Two parameters are used in the Set-MgUserLicense line: UserId and AddLicenses.
The parameter type for UserId is a string, as shown below.
(Get-Command Set-MgUserLicense).Parameters.UserId.ParameterType
But let's check the AddLicenses parameter type. The Name is IMicrosoftGraphAssignedLicense[], and the BaseType is System.Array.
(Get-Command Set-MgUserLicense).Parameters.AddLicenses.ParameterType
IsPublic IsSerial Name BaseType
-------- -------- ---- --------
True True IMicrosoftGraphAssignedLicense[] System.Array
So now what to do? The answer is the Microsoft Documentation. We need to know what kind of value this parameter expects.
According to Microsoft, the AddLicenses parameter needs the following:
ADDLICENSES <IMicrosoftGraphAssignedLicense[]>:
[DisabledPlans <String[]>]: A collection of the unique identifiers for plans that have been disabled.
[SkuId <String>]: The unique identifier for the SKU.
So the structure is Set-MgUserLicense -AddLicenses @{SkuId="SKU identifier"}. The key and value are passed as a hashtable, written between curly brackets: @{Key=Value}.
The AddLicenses parameter value should therefore be -AddLicenses @{SkuId="06ebc4ee-1bb5-47dd-8120-11324bc54e06"}, that is, the SkuId GUID rather than the "tenant:SKU" string that Set-MsolUserLicense accepted.
Many Graph cmdlet parameter values are hashtables, so the pattern is -ParameterName @{Key=Value}. It's also possible for a value to be an array, such as -ParameterName @{Key=@('Value1','Value2','Value3')}.
Set-MgUserLicense -UserId 'user1@<tenant-domain>' -AddLicenses @{SkuId="06ebc4ee-1bb5-47dd-8120-11324bc54e06"} -RemoveLicenses @()
Also, by reviewing the documentation, you need to provide an additional parameter, RemoveLicenses, even if it is an empty array. Running Set-MgUserLicense without -RemoveLicenses returns the following error:
Set-MgUserLicense_AssignExpanded1: One or more parameters of the function import 'assignLicense' are missing from the request payload. The missing parameters are: removeLicenses.
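Putting the pieces together, a Set-MsolUserLicense call usually sits next to a Get-MsolAccountSku lookup, so the replacement has to cover both. The following is an added example and not code from the original post: it uses Get-MgSubscribedSku as the stand-in for Get-MsolAccountSku (the post lists that cmdlet but does not name its replacement), converts the SKU part number into the SkuId GUID, builds the AddLicenses hashtable with disabled plans, and always passes -RemoveLicenses. It assumes a Connect-MgGraph session with User.ReadWrite.All and Organization.Read.All; the UPN, SKU part number, service plan name and usage location are placeholders.

```powershell
# Added example (not from the original post): replacing a Set-MsolUserLicense
# call end to end. Assumes Connect-MgGraph was run with
# User.ReadWrite.All and Organization.Read.All.
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.DirectoryManagement

$Upn            = 'user1@contoso.onmicrosoft.com'   # placeholder UPN
$SkuPartNumber  = 'SPE_E5'                          # was "PowerShellCenter:SPE_E5" in MSOnline
$PlansToDisable = @('YAMMER_ENTERPRISE')            # placeholder service plan name

# Old: Get-MsolAccountSku | Where-Object AccountSkuId -eq 'PowerShellCenter:SPE_E5'
# New: SKUs are looked up by part number and referenced by their GUID (SkuId).
$sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq $SkuPartNumber
if (-not $sku) { throw "SKU $SkuPartNumber not found in this tenant" }

# Plan names become plan GUIDs inside the DisabledPlans array.
$disabledPlanIds = $sku.ServicePlans |
    Where-Object ServicePlanName -in $PlansToDisable |
    Select-Object -ExpandProperty ServicePlanId

# assignLicense is rejected when the user has no usage location, so check it
# first. assignedLicenses is not in the default property set, hence -Property.
$user = Get-MgUser -UserId $Upn -Property 'id', 'usageLocation', 'assignedLicenses'
if (-not $user.UsageLocation) {
    Update-MgUser -UserId $user.Id -UsageLocation 'US'   # placeholder country code
}

# Idempotent: skip the call if the SKU is already assigned.
if ($user.AssignedLicenses.SkuId -contains $sku.SkuId) {
    Write-Verbose "$Upn already has $SkuPartNumber"
    return
}

# Old: Set-MsolUserLicense -UserPrincipalName $Upn -AddLicenses 'PowerShellCenter:SPE_E5'
# New: AddLicenses is IMicrosoftGraphAssignedLicense[], i.e. an array of hashtables,
#      and RemoveLicenses is mandatory even when empty (the error shown above).
$add = @(
    @{ SkuId = $sku.SkuId; DisabledPlans = @($disabledPlanIds) }
)
Set-MgUserLicense -UserId $user.Id -AddLicenses $add -RemoveLicenses @() | Out-Null
```

Wrapping DisabledPlans in @() matters: when only one plan matches, PowerShell would otherwise hand over a single string where the API expects an array, and the request fails with a type error rather than a clear message.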
Checklist to Migrate From MSOnline and AzureAD to Graph API
Here is a quick checklist:
- Evaluate your old script and note where all the cmdlets related to MSOnline and AzureAD are.
- Authentication and permissions:
- How will the script be executed, in the user (delegated) context or in the application context?
- Evaluate the permissions required to execute the script, and don't forget the least privilege concept. Only assign the user or application the permissions it actually needs.
- Use Graph Explorer and Find-MgGraphCommand to find the required scope.
- While evaluating the replacement cmdlet, look at the supported parameters to learn how to structure them and which value types they accept.
- It's okay for things not to work the first time.
- Microsoft Documentation is always a great starting point.
- Learn how to use Microsoft Graph Explorer.
Conclusion
There can be some challenges while migrating your scripts to the Graph API, but once you understand the concept, you will find it easy.
Let me know in the comments how you approach this kind of migration.