Forum Discussion

Jonesy6123 (Copper Contributor)
Feb 09, 2024

How can I use a System Managed Identity with Connect-MsolService

Does anyone know how to use Connect-MsolService with a system-assigned managed identity? I need it for the purpose of getting MFA status data about the organisation's employees. MSGraph seems to have zero data on this, except for the User Registration Details report, which again does not show MFA status.

11 Replies

  • LainRobertson (Silver Contributor)

    Jonesy6123

    Hi, Jack.

    Independent of whether the Graph modules have precisely what you seek, the MSOnline module is right on the cusp of deprecation (March 2024).

    They won't cease working for at least six months after deprecation; however, building solutions on MSOnline now simply means the solution will need to be recreated using Graph, potentially as soon as seven months down the track (from the time of writing).

    With respect to Graph, you can obtain some authentication details via the Get-MgUserAuthenticationMethod commandlet. It's clunky and inefficient to use (this data really should by now be rolled up onto the /user endpoint, filterable and compliant with the delta endpoint, but it's currently none of those things), but it does exist and can be used to determine which authentication methods a user has enabled and when.

    In order to use a system-assigned managed identity with MSOnline, you'd need to:

    1. Connect to Graph using either the Microsoft.Graph.Authentication or Az.Accounts module (other options do exist but I'm sticking to commonly-used modules for brevity);
    2. Obtain the token (harder to do with the Graph module than Az, but still doable);
    3. Use that token in the Connect-MSOnline call.

    Some references:

    Cheers,

    Lain
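
As an added example (not Lain's code or anything posted in the thread), here is the Graph route from the reply above wired to a system-assigned managed identity: it signs in with Connect-MgGraph -Identity, walks every member user, and records which authentication methods Get-MgUserAuthenticationMethod reports for each. Assumptions: it runs on an Azure host (for instance an Azure Automation runbook) whose managed identity has been granted the Microsoft Graph application permissions User.Read.All and UserAuthenticationMethod.Read.All; the Microsoft.Graph.Authentication, Microsoft.Graph.Users and Microsoft.Graph.Identity.SignIns modules are installed; and the "MfaCapable" grouping of method types and the CSV path are choices made for this example. Note that this lists registered methods; it does not surface the per-user MFA State (Enabled/Enforced) that MSOnline's StrongAuthenticationRequirements exposes, which is the gap the thread is about.

```powershell
# Added example, not from the thread. Assumes a managed identity with the Graph
# application permissions User.Read.All and UserAuthenticationMethod.Read.All.
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.SignIns

# Step 1: sign in to Microsoft Graph as the system-assigned managed identity.
# No client secret or certificate is involved; the token comes from the host's IMDS.
Connect-MgGraph -Identity -NoWelcome

# Method types treated as "more than a password". The strings are Graph's own
# @odata.type values; calling this set "MFA-capable" is this example's heuristic.
$MfaCapable = @(
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
    '#microsoft.graph.phoneAuthenticationMethod',
    '#microsoft.graph.fido2AuthenticationMethod',
    '#microsoft.graph.softwareOathAuthenticationMethod',
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod',
    '#microsoft.graph.emailAuthenticationMethod',
    '#microsoft.graph.temporaryAccessPassAuthenticationMethod'
)

# Step 2: enumerate member users, then ask for each user's registered methods.
# One Graph call per user: this is the "clunky and inefficient" part noted above.
$Users = Get-MgUser -All -Property Id, UserPrincipalName, AccountEnabled, UserType |
    Where-Object { $_.UserType -eq 'Member' }

$Report = foreach ($u in $Users) {
    $Methods = Get-MgUserAuthenticationMethod -UserId $u.Id
    $Types   = @($Methods | ForEach-Object { $_.AdditionalProperties['@odata.type'] })

    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        AccountEnabled    = $u.AccountEnabled
        MethodCount       = $Types.Count
        # True when at least one registered method is in the set above.
        MfaCapable        = [bool]($Types | Where-Object { $MfaCapable -contains $_ })
        # Short names, e.g. "passwordAuthenticationMethod;fido2AuthenticationMethod"
        Methods           = ($Types -replace '^#microsoft\.graph\.', '') -join ';'
    }
}

# Step 3: emit the weekly report. Users without any MFA-capable method sort first.
# Replace the path with a blob or SharePoint upload as the runbook requires.
$Report | Sort-Object MfaCapable, UserPrincipalName |
    Export-Csv -Path "$env:TEMP\mfa-methods-report.csv" -NoTypeInformation

Disconnect-MgGraph | Out-Null
```

The permission grant is the piece that is easy to miss: a managed identity has no portal "API permissions" blade, so the two application roles have to be assigned to its service principal (for example with New-MgServicePrincipalAppRoleAssignment) before Get-MgUserAuthenticationMethod will return anything other than 403.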

    • Jonesy6123 (Copper Contributor)

      Hey there,

      Thank you so much for responding to this. Your information was very well written and easy to understand.

      I have in fact tried all of the above approaches prior to writing this post. It appears that calling for an API access token from MSGraph does not in fact work for MSOnline. I get an error regarding "the key was not found in the dictionary.", which means that an expected array of access tokens did not contain my specified token. I searched this up and found that it's purely because it expects an Az Graph access token. The APIs and these modules that organisations rely on are clearly a shambles.

      As far as you're aware, the only way to get this kind of information is with your Get-MgUser.. method? I am currently accessing the UserRegistrationDetails environment, but no such StrongAuthenticationRequirements parameter can be found, which IS found in the MSOnline module. (Which is what I really need.)

      Can you please just confirm to your best knowledge that it is currently not possible to get that level of information until MS migrates that data over to MSGraph? I want to reiterate that I can do it with my own access credentials (with any method, including using the MSOnline module), but I need to be able to automate it in a weekly report.
      • LainRobertson (Silver Contributor)

        Jonesy6123

        Hi, Jack.

        First, here's how you can procure an Azure AD Graph token for use with the MSOnline module.

        I should add a disclaimer that I have not used the MSOnline module for many years now and only ran a quick Get-MsolUser commandlet post sign-in as confirmation the sign-in was valid.

        The version of MSOnline I used for this authentication test is 1.1.183.57.

        # Token for the Azure AD Graph resource, not Microsoft Graph
        $Token = Get-AzAccessToken -ResourceUrl "https://graph.windows.net";
        # MSOnline accepts that token via -AdGraphAccessToken
        Connect-MsolService -AdGraphAccessToken ($Token).Token;

        So, if I'd signed into Az first with the servicePrincipal, then the above steps show how to procure a token that's usable in MSOnline - or it should (I'll double-check with a servicePrincipal and CBA later when time permits).

        Next, when it comes to replicating the functionality of MSOnline, I can't answer that as I don't use MSOnline and therefore have no point of comparison.

        I'd imagine that most if not all of it could be emulated using Graph, whether that's with the Microsoft.Graph.* commandlets or, if they have gaps, the native REST calls. It may just be the case that there's no single Microsoft.Graph commandlet that behaves precisely as the MSOnline commandlet, meaning some extra effort may be required in joining things together.

        Cheers,

        Lain
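
As an added example (not Lain's code or anything posted in the thread), this joins the three steps from the first reply with the Azure AD Graph token snippet in the reply above into one runnable flow: sign in to Az as the system-assigned managed identity, obtain a token for https://graph.windows.net (the resource that -AdGraphAccessToken expects; a Microsoft Graph token is what produces the "key was not found in the dictionary" error described earlier), pass it to Connect-MsolService, and then pull the per-user StrongAuthenticationRequirements state the original question is after. Assumptions: it runs under Windows PowerShell 5.1 (MSOnline does not load natively in PowerShell 7), the Az.Accounts and MSOnline modules are installed, the managed identity's service principal has been granted a directory-read application role on the Azure AD Graph API, and your tenant still issues Azure AD Graph tokens to that principal. The SecureString handling and the CSV path are this example's choices.

```powershell
# Added example, not from the thread. Windows PowerShell 5.1, Az.Accounts + MSOnline.
# Assumes the managed identity holds a directory-read role on Azure AD Graph.
Import-Module Az.Accounts
Import-Module MSOnline

# Step 1: sign in to Az as the system-assigned managed identity (token from IMDS).
Connect-AzAccount -Identity | Out-Null

# Step 2: request a token for the Azure AD Graph resource. This is the token
# MSOnline's -AdGraphAccessToken parameter expects; a Microsoft Graph token
# (https://graph.microsoft.com) is rejected with "key was not found in the dictionary".
$AadGraphToken = Get-AzAccessToken -ResourceUrl 'https://graph.windows.net'

# Newer Az.Accounts releases return .Token as a SecureString instead of a String.
# Handle both without writing the plaintext anywhere but this variable.
$Plain = if ($AadGraphToken.Token -is [securestring]) {
    [System.Net.NetworkCredential]::new('', $AadGraphToken.Token).Password
} else {
    $AadGraphToken.Token
}

# Step 3: hand the token to MSOnline.
Connect-MsolService -AdGraphAccessToken $Plain
Remove-Variable Plain   # MSOnline has the token now; drop the plaintext copy.

# Step 4: the per-user MFA state that MSOnline exposes and Graph's
# userRegistrationDetails report does not. StrongAuthenticationRequirements is
# empty when per-user MFA was never switched on, otherwise State is
# 'Enabled' or 'Enforced'.
$Report = Get-MsolUser -All | ForEach-Object {
    $Req = $_.StrongAuthenticationRequirements | Select-Object -First 1
    [pscustomobject]@{
        UserPrincipalName = $_.UserPrincipalName
        IsLicensed        = $_.IsLicensed
        BlockCredential   = $_.BlockCredential
        MfaState          = if ($Req) { $Req.State } else { 'Disabled' }
        # Default second factor, e.g. PhoneAppNotification, if any is registered.
        DefaultMethod     = ($_.StrongAuthenticationMethods | Where-Object IsDefault).MethodType
        MethodCount       = @($_.StrongAuthenticationMethods).Count
    }
}

# Step 5: emit the weekly report; swap the path for a blob upload in a runbook.
$Report | Sort-Object MfaState, UserPrincipalName |
    Export-Csv -Path "$env:TEMP\msol-mfa-state.csv" -NoTypeInformation
```

Two practical checks before scheduling this: run Get-MsolUser -MaxResults 1 immediately after Connect-MsolService to confirm the token was accepted, and treat the whole flow as a stopgap, since both Azure AD Graph and the MSOnline module are on the deprecation path described earlier in the thread and the managed identity's Azure AD Graph token issuance may stop before your Graph replacement is ready.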
