As all of you know all too well, the transition from the deprecated MSOnline and AzureAD PowerShell modules (retired starting on 30 March 2025) to managing Microsoft Entra via the Microsoft Graph PowerShell SDK has not been without its challenges. Many in the Microsoft community have expressed dissatisfaction with the loss of these familiar tools, and the Graph SDK has often been critiqued for its lack of comprehensive documentation.
On 29 January 2025, the general availability (GA) of the Microsoft Entra PowerShell module was announced: a powerful, scenario-focused tool designed to enhance the way administrators and developers manage and automate Microsoft Entra resources. This milestone marks a significant leap in Microsoft’s commitment to providing comprehensive command-line tools and a seamless integration experience with the Microsoft Graph PowerShell SDK.
However, despite these advancements, the frustrations from the abrupt shift of their beloved MSOnline and AzureAD PowerShell modules still affect many IT administrators today. While the new module aims to streamline resource management, it hasn’t eliminated the complexities and learning curves that many of you face with the Microsoft Graph PowerShell SDK. In this article, we will explore the features of the Microsoft Entra PowerShell module, examine the transition hurdles faced by IT admins, and discuss practical strategies to navigate the new reality of managing Entra resources. Join us as we delve into the possibilities and pitfalls of this latest evolution in Microsoft’s cloud PowerShell tool.
Overview of the Microsoft Entra PowerShell Module
The Microsoft Entra PowerShell module supports efficient management of various Entra ID components, including users, groups, applications, service principals, policies, and more. This module is built on the Microsoft Graph PowerShell SDK, but is better documented 😉.
Key Features
- Backward Compatibility: Almost all of your PowerShell scripts that utilize the deprecated AzureAD PowerShell module can be easily migrated to the new Microsoft Entra PowerShell module.
- Multi-Platform Support: Compatible with Windows PowerShell 5.1 and PowerShell 7+, with PowerShell 7 or later recommended for optimal performance across Windows, Linux, and macOS.
Benefits of Microsoft Entra PowerShell
- Usability: Features human-readable parameters, inline documentation, and core PowerShell fundamentals.
- Migration Ease: Over 98% compatibility with AzureAD PowerShell and simple script updates (setting aliases to the AzureAD commands) using Enable-EntraAzureADAlias.
- Flexible Authorization: Supports granular administrative consent and allows using service principals or user-assigned managed identities.
- Open Source: Encourages community collaboration for enhancements and adaptations.
Known Issues
While the Microsoft Entra PowerShell module is still new, there are already some known issues to be aware of:
Feature | Issue | Workaround/Comments
---|---|---
All parameter | The -All boolean parameter is not supported as it was in the Azure AD PowerShell module. -All is supported as a switch parameter. | Replace -All:$true with -All in your scripts.
SearchString parameter | The -SearchString parameter might not work as expected. | No specific workaround available; monitor for updates.
Authentication Scenarios of the Microsoft Entra PowerShell Module
The Microsoft Entra PowerShell module supports two major and common authentication scenarios. Here’s a summary of these key scenarios:
Common Authentication Methods
- Delegated Authentication (Interactive): In this scenario, the application acts on behalf of a signed-in user, accessing resources based on the user’s permissions. Delegated permissions are granted to both the client and the user, with access levels determined by Microsoft Entra role-based access control (RBAC, i.e. Entra ID roles). Example:
Connect-Entra -Scopes 'User.Read.All'
- App-Only Authentication (Non-Interactive): This scenario allows the application to function independently of a signed-in user, making it suitable for automation or background processes. It relies on app roles or application permissions granted to the client app, enabling access to data without user interaction. Example:
Connect-Entra -Identity -ClientId 'User_Assigned_Managed_Identity_Client_Id'
For more information, please visit: Microsoft Entra PowerShell authentication scenarios
Other Authentication Scenarios
- Signing in to a National Cloud: For users with accounts in national clouds (sovereign clouds), it’s necessary to specify the environment during sign-in, using the -Environment parameter. For example, signing in to Azure China can be done with the command:
Connect-Entra -Environment China
- Connecting as a Different Identity: To sign in as an identity other than the current user, use the -ContextScope parameter:
Connect-Entra -ContextScope 'Process'
Security Best Practices
To enhance the security of your Microsoft Entra resources, adhere to the principle of least privilege by limiting sign-in permissions. It is advisable to use a custom application to isolate and restrict permissions, ensuring that access is only granted as necessary.
For guidance on creating a custom application and granting permissions, refer to the resources on building a custom application to connect with Microsoft Entra PowerShell.
Getting Started with the Microsoft Entra PowerShell Module
You can find the Microsoft Entra PowerShell module in the PowerShell Gallery or access it directly via this link: PowerShell Gallery.
Installation
To install the Microsoft Entra PowerShell module, use the following command, which pulls resources from the PowerShell Gallery:
Install-Module -Name Microsoft.Entra -Repository PSGallery -Scope CurrentUser -Force -AllowClobber
If you want to work with the Beta module that manages Microsoft Graph resources using the “/beta” API version, run:
Install-Module -Name Microsoft.Entra.Beta -Repository PSGallery -Scope CurrentUser -Force -AllowClobber
Authentication
To sign in to Microsoft Entra ID, use the Connect-Entra command. You can choose between delegated access (interactive) or application-only access (non-interactive) as described above.
Finding Commands
To list all available commands in the Microsoft Entra PowerShell module, run:
Get-Command -Module Microsoft.Entra*
Getting Help
For detailed information about specific cmdlets, including syntax, parameters, descriptions, and usage examples, use the Get-Help command. For instance, to learn more about the Get-EntraUser cmdlet, execute:
Get-Help Get-EntraUser -Full
Migrating from AzureAD PowerShell Module
You can run your existing AzureAD PowerShell scripts with minimal modifications using Microsoft Entra PowerShell. To do so, just follow these steps.
For both methods, make sure you have the necessary prerequisites:
- The Microsoft Entra PowerShell and the Graph PowerShell SDK modules are installed.
- Run Microsoft Entra PowerShell as a user with the License Administrator role. This requires the User.ReadWrite.All and Organization.Read.All permissions.
Using Microsoft Entra PowerShell
- Connect to Microsoft Entra with Required Scopes:
Connect-Entra -Scopes 'User.ReadWrite.All', 'Organization.Read.All'
- Find Users Without a Usage Location (keep $null on the left of -eq so the comparison behaves correctly even if a property unexpectedly holds a collection):
$users = Get-EntraUser | Where-Object { $null -eq $_.UsageLocation -and $_.UserType -eq 'Member' }
$users | Select-Object Id, DisplayName, UserPrincipalName, UsageLocation
- Assign a Usage Location to a User:
Set-EntraUser -UserId '[email protected]' -UsageLocation 'CH'
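The following script is an added example, not code from the original article or from the Microsoft.Entra project; it ties the least-privilege advice from the security section to the usage-location procedure above. It assumes Microsoft.Entra is installed, the caller holds the License Administrator role, and that the two-letter default usage location ('CH') and the Directory.* scope pattern used for the sanity check are placeholders you adjust for your tenant.

```powershell
# Added example (not from the original article). Finds member users without a
# usage location and assigns one, while connecting with only the scopes the
# task needs and refusing to run under a broader, previously cached consent.
# Assumed placeholders: default usage location 'CH', Directory.* as the
# "too broad" scope pattern to reject.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [ValidatePattern('^[A-Z]{2}$')]
    [string]$DefaultUsageLocation = 'CH'
)

# Least privilege: request exactly the scopes the procedure documents.
$requiredScopes = @('User.ReadWrite.All', 'Organization.Read.All')
Connect-Entra -Scopes $requiredScopes

# Verify what the session actually holds; a cached token may carry more
# than was asked for (e.g. Directory.ReadWrite.All from an earlier sign-in).
$context = Get-EntraContext
$broad = @($context.Scopes | Where-Object { $_ -like 'Directory.*' })
if ($broad.Count -gt 0) {
    Disconnect-Entra | Out-Null
    throw "Session carries broader scopes than required: $($broad -join ', ')"
}

# -All is a switch in Microsoft Entra PowerShell (see the known-issues table).
$users = @(Get-EntraUser -All |
    Where-Object { $null -eq $_.UsageLocation -and $_.UserType -eq 'Member' })

Write-Host "Members without a usage location: $($users.Count)"
$users | Select-Object Id, DisplayName, UserPrincipalName | Format-Table -AutoSize

foreach ($u in $users) {
    # SupportsShouldProcess gives admins -WhatIf / -Confirm for a dry run
    # before any account is modified.
    if ($PSCmdlet.ShouldProcess($u.UserPrincipalName, "Set UsageLocation to $DefaultUsageLocation")) {
        Set-EntraUser -UserId $u.Id -UsageLocation $DefaultUsageLocation
    }
}

Disconnect-Entra | Out-Null
```

Run it first with -WhatIf to review the affected accounts; the scope check deliberately aborts rather than silently proceeding with more privilege than the task needs.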
Using Microsoft Graph PowerShell
- Connect to Microsoft Graph with Required Scopes:
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Organization.Read.All'
- Find Users Without a Usage Location:
$users = Get-MgUser -Filter "usageLocation eq 'null' and userType eq 'Member'" -All
You may find that the Graph module incorrectly reports that no users lack a usage location. However, upon checking in the Azure portal, you see that there are indeed users without a defined usage location. Typical Graph…
Conclusion
The Microsoft Entra PowerShell module marks a significant leap forward in managing Entra resources, providing IT administrators with a user-friendly toolkit that streamlines the transition from the soon-to-be-deprecated MSOnline and AzureAD PowerShell modules.
Equipped with features such as backward compatibility, multi-platform support, and improved usability, the module facilitates efficient management of users, groups, and various other Entra components.
In my opinion, the Microsoft Entra PowerShell module serves as an excellent alternative to both the AzureAD and MSOnline PowerShell modules, as well as a viable option alongside Microsoft Graph PowerShell.
Sources: