ians-uleth
I would guess that one thing most administrators will be looking to see resolved is for SDK-API finger-pointing scenarios to come to an end.
We understand the frustration here and have worked with the Entra service owners to resolve issues when alerted. Please raise any issues you come across on Entra PowerShell in GitHub and we will work with service owners to have the issues fixed.
Will Microsoft Entra PowerShell use a pre-consented app like AzureAD or MSOnline modules? No
I don't really buy this argument... This is just lazy.
This is intentional. Pre-consented Graph permissions for Azure AD and MSOL have allowed threat actors and offensive tool builders to leverage this powerful service principal to gain API access to tenants. While we do understand admins can consent to privileged permissions, our goal is to provide a solution that is secure-by-design and secure-by-default. This will ensure that the millions of tenants that don't use PowerShell are protected, and gives admins the flexibility to restrict the permissions of the Graph client to specific users and permission scopes. In our updated docs we provide guidance on following a least privilege model.
On a side note, Organization.ReadWrite.All is not a very privileged scope; maybe you were referring to Directory.ReadWrite.All? Even in this case it is limited to core directory permissions and does not by default grant access to privileged operations such as updating conditional access policies.
...why continue pushing this API translation layer...
While the initial release of Entra PowerShell does rely on a translation layer, we don't plan on extending its use to new cmdlets.
...invested this time into improving the existing Graph SDK modules and their documentation...
Graph PowerShell SDK has a much wider use case and covers all of Microsoft 365; as such, it aims to stay as close as possible to the Graph REST API. It also follows a very rapid release cycle based on auto-generated content.
The Entra and Graph PowerShell teams work together and have been working on improving the quality of Graph PowerShell docs. This can be seen in the improvements that have been made to the docs in the last few months, including least privilege permission scopes, rich examples and cloud-specific support. A good example is https://learn.microsoft.com/en-us/graph/api/user-get?view=graph-rest-1.0&tabs=http