Microsoft Entra Blog

Important: Azure AD Graph Retirement and PowerShell Module Deprecation

krbash
Microsoft
Jun 15, 2023

In 2019, we announced deprecation of the Azure AD Graph service. One year ago we communicated that Azure AD Graph will be retired and stop functioning after June 30, 2023. We also previously communicated that three legacy PowerShell modules (Azure AD, Azure AD Preview, and MS Online) would be deprecated on June 30, 2023.  

We want to provide an update on timelines for these changes and offer further clarity on what to expect going forward. No new investment is going into Azure AD Graph and the three PowerShell modules, making it very important that all customers prioritize migration to Microsoft Graph APIs and Microsoft Graph PowerShell SDK to ensure continued support and functionality.   

However, we understand that many customers have not yet completed these migrations, and we confirm our continued commitment to work with our customers during this migration period to minimize and avoid impact.

Azure AD Graph Updates: 

  • No changes will be made to Azure AD Graph availability on June 30, 2023, and no applications using Azure AD Graph will be impacted on this date.  
  • June 30, 2023 marks the completion of a 3-year notice period for deprecation of Azure AD Graph. We will now enter the retirement cycle for Azure AD Graph APIs.  
  • We will make no further investment in Azure AD Graph, and Azure AD Graph APIs have no SLA or maintenance commitment beyond security-related fixes. 
  • We will retire Azure AD Graph in incremental steps, with the intention of allowing sufficient time for migration of applications to Microsoft Graph APIs. The first step will involve blocking newly created applications from using Azure AD Graph APIs. We will clarify the date for this first step in a future update, with three (3) months of advance notice.  
  • We will provide regular updates on the steps for this retirement cycle with further details on what to expect and required actions.  

PowerShell Module Updates: 

  • As previously communicated, the legacy licensing assignment PowerShell cmdlets (Set-AzureADUserLicense, Set-MsolUserLicense, -LicenseAssignment or -LicenseOptions parameters of New-MsolUser) and Azure AD Graph API (assignLicense) are retired. For customers who were provided an extension for these cmdlets and API, migrations to Microsoft Graph licensing APIs/PowerShell must be completed by September 30, 2023. 
  • We recognize that the legacy PowerShell modules are required for some scenarios not yet available in Microsoft Graph PowerShell SDK. Therefore, we are postponing the deprecation date for MS Online, AzureAD, and AzureAD Preview PowerShell modules to March 30, 2024.

What happens to applications using Azure AD Graph on June 30, 2023? 

There will be no impact to applications using Azure AD Graph at the June 30, 2023 milestone. Applications will continue to function, but Azure AD Graph APIs do not have SLA or maintenance commitments beyond security-related fixes. We will provide an update in the near future to clarify the timeline and details of our first step of retirement: blocking newly created applications from using Azure AD Graph.

What happens to PowerShell scripts using Azure AD, Azure AD-Preview, or MS Online modules on June 30, 2023? 

There will be no impact to PowerShell scripts using these legacy modules on or after June 30, 2023. They will continue to function and be supported until the deprecation announcement.

What happens to PowerShell scripts using Azure AD, Azure AD-Preview, or MS Online modules after March 30, 2024? 

We plan to deprecate Azure AD, Azure AD-Preview, and MS Online PowerShell modules on March 30, 2024. After this date, the only support offered for these PowerShell modules will be support in migrating to Microsoft Graph PowerShell SDK. Only security fixes will be offered for these PowerShell modules after deprecation is announced. Once these modules are deprecated, they will continue to work for a minimum of six (6) months before being retired.  

We are committed to working with our customers to enable smooth migration to the Microsoft Graph platform. We will provide further communication, updates on tools to help these migrations, and clarifying information regularly throughout this process.  

Current support for Azure AD Graph and legacy PowerShell modules:

  • Azure AD Graph is currently deprecated and will be supported with only security-related fixes. 
  • Azure AD, Azure AD Preview, and MS Online PowerShell modules are not yet deprecated. These modules are supported, but no new feature capabilities are being added to them.  

Required Actions 

1. Identify and migrate applications that are using Azure AD Graph to use equivalent Microsoft Graph APIs. Microsoft Graph is a feature-rich API platform that provides a unified API surface for many Microsoft services, including Microsoft Entra, Exchange, Teams, SharePoint, and the full Microsoft 365 portfolio.
Reference: Migrate from Azure Active Directory (Azure AD) Graph to Microsoft Graph 


2. Identify and update PowerShell scripts that use the legacy modules to use the Microsoft Graph PowerShell SDK.  
Reference: Migrate from Azure AD PowerShell to Microsoft Graph PowerShell.  
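
For step 2, one way to build the inventory of affected scripts is sketched below. This is an added example, not Microsoft tooling: the function name `Find-LegacyEntraUsage` and the cmdlet-noun heuristic are assumptions, while the module and cmdlet names are the ones listed in this post.

```powershell
using namespace System.Management.Automation.Language

# Added example: list where scripts under -Path depend on the legacy modules.
# Find-LegacyEntraUsage is a hypothetical name, not part of any Microsoft module.
function Find-LegacyEntraUsage {
    param([Parameter(Mandatory)] [string] $Path)

    $legacyModules  = 'AzureAD', 'AzureADPreview', 'MSOnline'
    # Licensing cmdlets and New-MsolUser parameters the post lists as retired.
    $retiredCmdlets = 'Set-AzureADUserLicense', 'Set-MsolUserLicense'
    $retiredParams  = 'LicenseAssignment', 'LicenseOptions'

    Get-ChildItem -Path $Path -Recurse -File -Include *.ps1, *.psm1 | ForEach-Object {
        $file = $_.FullName
        $tokens = $null; $parseErrors = $null
        # Parse the script so that comments and string literals are not matched.
        $ast = [Parser]::ParseFile($file, [ref]$tokens, [ref]$parseErrors)

        # '#Requires -Modules ...' declarations at the top of the script.
        if ($ast.ScriptRequirements) {
            foreach ($module in $ast.ScriptRequirements.RequiredModules) {
                if ($module.Name -in $legacyModules) {
                    [pscustomobject]@{ File = $file; Line = $null
                        Command = "#Requires $($module.Name)"; Finding = 'Legacy module required' }
                }
            }
        }

        foreach ($cmd in $ast.FindAll({ param($node) $node -is [CommandAst] }, $true)) {
            $name = $cmd.GetCommandName()
            if (-not $name) { continue }   # dynamic invocation such as '& $variable'
            $params = $cmd.CommandElements | Where-Object { $_ -is [CommandParameterAst] } |
                ForEach-Object ParameterName
            $words  = $cmd.CommandElements | Where-Object { $_ -is [StringConstantExpressionAst] } |
                ForEach-Object Value

            # Most specific finding first; the noun-prefix match is a heuristic.
            $finding = if ($name -in $retiredCmdlets) { 'Retired licensing cmdlet' }
            elseif ($name -eq 'New-MsolUser' -and ($params | Where-Object { $_ -in $retiredParams })) {
                'Retired licensing parameter' }
            elseif ($name -eq 'Import-Module' -and ($words | Where-Object { $_ -in $legacyModules })) {
                'Legacy module import' }
            elseif ($name -match '^\w+-(Msol|AzureAD)') { 'Legacy module cmdlet' }

            if ($finding) {
                [pscustomobject]@{ File = $file; Line = $cmd.Extent.StartLineNumber
                    Command = $name; Finding = $finding }
            }
        }
    }
}
```

Abbreviated parameter names and command names assembled at run time are not detected, so treat the output as a starting inventory rather than a complete one.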

Updated Jun 20, 2023
Version 2.0

20 Comments

  • trythisandthat
    Copper Contributor

    I've recently encountered some potential throttling issues with certain Microsoft PowerShell cmdlets that they have extended support for. I wanted to reach out and see if anyone else in the community has had similar experiences or observed any unusual rate limits?

  • JamesC95
    Brass Contributor

    While I feel like I've done my job and migrated scripts and workflows to MS Graph, it's disappointing when using current MS tools that they haven't done the same

    https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension
    This is still using MSOnline to configure itself

    I followed the guidance to check app registrations API requirements to find Azure App proxy is still using Azure AD Graph. Removing these permissions breaks the application

    It's not good enough that even MS hasn't got their house in order here. I expect next year there will be another extension since the progress has been so glacial

  • NS1066
    Copper Contributor

    While I'm sure it brings some degree of relief to many, there has to be a concern regarding the notice of this significant deadline shift, which was provided only two weeks prior to the original date!

    This can lead to frustrations and cost implications, particularly for large organizations that may have already engaged contractors or undergone substantial project reorganizations in order to meet the initial deadline. In my opinion, receiving news of the extension at such a late stage can be regarded as a bit of a "communication challenge" (to put it politely). It evokes a metaphorical resemblance to the "Cry Wolf" fable.  Unfortunately, I feel this is not an uncommon theme with recent Microsoft announcements.

  • Samarth99
    Copper Contributor

    There seems to be no Microsoft Graph PowerShell mapping for Privileged Role Management cmdlets (e.g., Get-AzureADMSPrivilegedRoleDefinition from the AzureADPreview module). It will be a big impact for those of us who have leveraged the AzureADPreview module to automate PIM tasks.

    Can you please let us know how to migrate?

  • Can you fire engineers who don’t know anything except the Rest API and bring back the normal ones who will work for people and not for the fashionable unfinished tools? 

  • crodriguez1
    Brass Contributor

    There should be a way to get Per-User MFA with Microsoft Graph PowerShell. Currently this can only be done with MsOnline (not even AzureAD module)

    Even the official documentation still uses MsOnline

    https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates#convert-per-user-mfa-enabled-and-enforced-users-to-disabled

    We know MFA with conditional access is the way to go but Per-User MFA is still a feature and we should be able to script it

  • belaie
    Brass Contributor

    Please let us migrate first our apps with internal developers, before you "turn it off". I think it would be sensible to provide customers with AzureAD recommendation on tenants to provide which apps are still using AzureAD Graph API so we can internally coordinate change and create a migration plan. Please do not turn it off anytime after 30.06.2023. We need this change with end of date (turn off) date to be decided by customers and clear message with date time.

  • MelmixDK
    Brass Contributor

    Please don't disable using the old modules before you've moved more basic functionality out of beta. We can't use beta for production.

  • magichappenz
    Brass Contributor

    I see many notes about deprecated and unsupported modules but no initiative to update existing docs. Could you please shed some light on that? Knowing the modules are deprecated but finding them recommended every here and then in another doc is quite annoying. Finding the right Graph call or SDK command is frustrating as well. Update your docs or at least publish a reference document where we can lookup the equivalent commands of the outdated modules. 

    If you need an example, I just read here this morning: https://learn.microsoft.com/en-US/microsoft-365/commerce/subscriptions/manage-self-service-purchases-admins?view=o365-worldwide.