Migrate your apps to access the license managements APIs from Microsoft Graph

What do you mean, "I remind" you? That is news to me. I just upgraded a PowerShell application from MSOnline to AzureAD this morning. What's going on? Is PowerShell being depreciated as a way to manage my tenant? How come there is no warning in the official documentation of AzureAD? Should I expect my PowerShell applications to start failing one after the other because the endpoitns for the cmdlets are being turned off one after the other in favor of Graph API and JavaScript?

Moving from Azure AD Graph to Microsoft Graph with the PowerShell management modules is appreciated, as it seems to be the Microsoft API for such topics. Unfortunately, the documentation status for the Microsoft Graph PowerShell modules is less-than-optimal, it's rather underwhelming in fact.

We had an initial look at some of Microsoft.Graph.Identity.DirectoryManagement and Microsoft.Graph.Users PowerShell modules' licensing cmdlets, as we use both MSOnline and AzureADPreview PowerShell modules for license management, and the documentation is merely a list of parameters. They're missing helpful descriptions, examples, etc.

Even if customers are willing to migrate their scripts to the new API, the current level of documentation probably doesn't really help.

All Graph is completely undocumented as far as Powershell is concerned. Also, all Powershell logic (when and how parameters are used and should be used) is drifting to a "custom" logic for each of the Powershell Graph based cmdlets...

This is dissapointing unless real effort is put into:

1. Delivering proper training and documentation for the Graph APIs 

2. Delivering Powershell cmdlets to manage Azure AD, no matter the underlying endpoint/protocols/technology used

Making simple tasks like Azure AD management more complicated and unstandardized is not the way to go.

What is this? No dashes on operators any more?

Get-MgUser -Filter "DisplayName eq 'Lee Gu'"

I mean this is NOT how Poweshell syntax is supposed to be working.

Neither of the articles linked initially ("In June, I reminded you to...") Mention PowerShell.  

I am hoping that the "new License Management platform" will alleviate the need for me to use programmatic license assignment and this will all be moot. 

I am not looking forward to a whole new class of questions about License Assignment being asked on Reddit/StackExchange, etc.

Hi!! Is anyone aware of this new cmdlet?  if so can you please describe with an example pls. 
I would like to understand the use case of this new cmdlet, and there is no examples in the article 

https://docs.microsoft.com/en-us/powershell/module/microsoft.graph.users.actions/set-mguserlicense?v...

We are struggling to understand the potential impact in regards to license reporting.

Do the following commands still provide the same information, after this change?

# get license information for a specific user

Get-MsolUser -UserPrincipalName %UPNofUser% | select Licenses

# get all license types

Get-AccountSkuIDs

Yes or no?

@Manuel_Mueller 
As the article only mentions specific cmdlets to be "retired" and generally points towards managing licenses (i.e. writing license states), I'd strongly suspect reading license states isn't impacted for now. I'd expect the latter to be impacted in some way in the near future though.

After putting some time into Microsoft Graph and trying to access it directly, without using the Graph PowerShell cmdlets, I find it rather satisfying. Putting most-used Graph requests into PowerShell scripts allows for the same ease of access as the currently existing cmdlets, with the added possibility to customize those scripts to match one's needs.

Its fair to say while I have no problem moving to MS Graph, the state of the documentation leaves a lot to be desired:

Compare the old
https://docs.microsoft.com/en-gb/powershell/module/msonline/set-msoluserlicense?view=azureadps-1.0
to new
https://docs.microsoft.com/en-gb/powershell/module/microsoft.graph.users.actions/set-mguserlicense?v...

No examples, more complex syntax and if you go the default route for looking this up you end up here which only lists the 'legacy' methods, and doesn't even mention MS Graph
https://docs.microsoft.com/en-us/microsoft-365/enterprise/assign-licenses-to-user-accounts-with-micr...

I've been busy migrating scripts but MS isn't helping adoption with poor documentation, and the documented way frequently points to legacy methods. All this needs fixing first, then announce you are removing the old methods.

@JamesC95 Thanks for your detailed feedback! Yes, the docs should lead the way for users. We will improve the related docs as soon as we can. 

The documentation for Set-MgUserLicense is absolutely inscrutable. Microsoft needs to learn that real businesses are using this product, and it's not some toy to be played with without concern. Migration to new services is fine and understandable, but the planning from outside appears to be severely lacking.

Where can I find a list of all affected cmdlets?
We use the cmdlets in real business, not demo. Essentially, it is unnecessary for the user of a cmdlet to find out if the cmdlet uses the Azure AD Graph API internally or not. This article does not identify what needs to be modified.
To accomplish that, some logic changes are necessary. It does not provide the necessary information for that.
It is not reasonable to end support for the Azure AD Graph API in this state.

@shigeyoshihiraiwa 
What you should consider basically is the 'msonline' and 'azuread' modules are deprecated and you should be using Microsoft.Graph modules in the long term. This announcement is the first of probably many that will be the slow death of these modules (which will obviously cause breakage to scripts as the syntax of the graph cmdlets and output is different, so its not just a matter of installing the new module and updating the cmdlet with the new one)

One complaint is the general state of the Graph documentation is very lacking in certain areas and not as friendly to use as the classic cmdlets

On the positive side though, I see the documentation for assigning licenses in 365 has been updated at least now to include the MS Graph commands
https://docs.microsoft.com/en-us/microsoft-365/enterprise/assign-licenses-to-user-accounts-with-micr...

I noticed the mention of Allotments.
I have been working with Alloments for quite some time now and I am surprised that it is now available, as there is quite a few issues to be solved yet:

- Reporting non-existant

- Alerts of over-assignment

- Moving groups with more than one product to the Allotment

- Possibility to decrease the alloted quantity (if it causes shortage of licenses)

- Errors on moving groups with licenses that have Apps disabled

You say...

Below are some of the operations that will no longer receive a successful response

Please can some become ALL.

If I use an agile approach - stop using msonline licensing in the first sprint, then remove msonline entirely over future sprints, then I need to know which cmdlets will stop working on 2022-08-26 | August 26 2022 | 26 August 2022.

please Please PLEASE can there be a comprehensive list?

Get-MgSubscription does not return any information. of which Get-MsolSubscription is an equivalent

Example. : Get-MsolSubscription -TenantId '505995e6-6f1a-4f22-8cd1-3f35f84e9adc' -ErrorAction SilentlyContinue | select Status,DateCreated, TotalLicenses ,SkuPartNumber, NextLifecycleDate, OcpSubscriptionId,SkuId | ConvertTo-Json 

Is there an option to opt into this change to disable license management APIs early in our tenants so that we can take advantage of nest group licensing?

Searching for something else I stumbled on this page, and made me turn pale!

Normally with this kind of changes we get notifications in the Microsoft 365 admin center.

This change is nowhere to be found!

And if mentioned, we should be reminded a lot and it should be tagged as 'Admin Impact' and 'Major update'.

So far for blowing off steam.

Where can we find more information of this deadline and where can we request to postpone this?

If this is a hard deadline we only have several weeks left to go trough all our scripting and rewrite our code.
All our licensing for about 24,000 accounts is done by PowerShell scripting.

@Ron Ron It only took me about 2 to 3 days to re-write my Powershell scripts over to MS Graph.  In fact, I had converted them last summer.  What was not made clear to me until a few days ago was the whole MSOnline and AzureAD modules were going away, not just licensing cmdlets, so I still had commands such as Get-MSOLUser in my scripts and I had to replace those with Get-MgUser.   This site here was a big help getting there: https://practical365.com/microsoft-365-license-graph-sdk/

Thank you for the link aleinss, I will certainly look into it.

But still not amused with @Pernille-Eskebo , why didn't we receive this information in O365 message center?

@Ron RonIts fairly easy to re-write the scripts. But yes with the retirement of Azure AD Graph, nobody should be using MSOnline or AzureAD modules any more. If you have these modules in your scripts, its time to update them!

So every AzureAD cmdlet should be replaced with MgGraph?
Every script with Get-AzureADUser/Group etc?
Or only the ones that are for licensing? Because the articles are a little ambiguous.

One time it says AzureAD module, other time they explicitly talk about AzureAD Graph.

Please advice because if AzureAD commands are still valid until end June 2023 it will take the pressure off immensely. 

@Ron Ron 
https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/microsoft-entra-change-announce...

Licensing Assignment API/Posh Retirement  

We have updated the retirement date of the Azure AD Graph and MSOnline PowerShell licensing assignment APIs and PowerShell cmdlets for existing tenants to March 31, 2023

Azure AD Graph API  

Azure AD Graph will continue to function until June 30, 2023

PowerShell deprecation 

As we continue to support your migration efforts, we'll be extending the planned deprecation date of the three PowerShell Modules (Azure AD, Azure AD Preview, and MS Online) to June 30, 2023

TL;dr
They may continue to work after this time, but its clear that they can break without notice after this date

Thank you for your answer JamesC95 but maybe I'm not clear enough with my question.

MSOnline module is not in place anymore, we've already replaced that with AzureAD commands.

For licensing: Clear, we have to re-write our scripting, because this will be retired.

But is Azure AD Graph API (exactly) the same as the complete AzureAD module, or is the Graph API bit another endpoint?
That's why I'm curious if the 'plane', old school AzureAD cmdlets will still be gone after June 2023.

Unfortunately no answer so maybe someone can take away my doubt:

The AzureAD module, like Get-AzureADUser, New-AzureADGroup etc. won't work anymore after June 2023 and all this commands have to be replace by an MgGraph counterpart?

@Ron Ron 
Its easy to find out
1) Connect to Azure AD Powershell

2) Run a command like get-azureaduser

Check
C:\Users\username\AppData\Local\Microsoft\AzureAD\Powershell

In the log file you should see something like
2023-01-30T13:47:10.7905904Z Info GetUser Request URL: https://graph.windows.net/123123a-233-132-9123f-c1231231231237/users/email address removed for priva...

Graph.windows.net is Azure AD graph
Graph.microsoft.com is Microsoft Graph

Thank you James!

I see that it is making the calls to graph.windows.net:

Connecting to graph resource URL: https://graph.windows.net

So all that scripting has to be replaced by Microsoft Graph counterparts before end of June?
Not glad with this findings but at least we have some time left.

Hi Alex

can you please tell me if even the GET operations like Get-MsolAccountSku are going to not work after the 31st of March for existing tenants? or ONLY the SET will be impacted?

Thanks,

Carmine

For folks struggling with the transition to the Microsoft Graph PowerShell SDK licensing cmdlets, this article might help: https://practical365.com/microsoft-365-license-graph-sdk/.

There's also an example of using the SDK cmdlets to report license assignments: https://practical365.com/create-licensing-report-microsoft365-tenant/

There are some foibles of dealing with SDK cmdlets that you should be aware of: https://office365itpros.com/2023/02/13/microsoft-graph-powershell-sdk-prob/  and the debug option might help https://office365itpros.com/2022/07/11/debug-microsoft-graph-powershell-sdk/ 

Finally (big ad), check out chapter 23 in the Office 365 for IT Pros eBook where we go through SDK cmdlets and Graph API requests in detail. 

https://gum.co/O365IT/

 Is there any more news on the new licensing management platform? We have a large number of A5/E5 but also a lot of A1/E1 and are particularly keen on being able to exploit the group based licensing to move people between the SKUs.

Thanks.

I have some issues with the statement for nested groups. If we look at the group based licensing documentation it still says group based licensing is not supported with nested groups. Group-based licensing additional scenarios - Microsoft Entra | Microsoft Learn. It is stated here that it will work. Which one is it, because currently I have a strange scenario, in which one nested group gets the license and the other one does not. 

really bad news, my scripts based in msol are useless now, what is happening with Microsoft?

@racielmc83  To be fair to Microsoft, they delayed the retirement several times to allow people more time to update their scripts. The community has generated many examples of how to use the Graph SDK to replace MSOL, so you should be able to find tips and code to help (for example, https://practical365.com/microsoft-365-license-graph-sdk/ and https://practical365.com/create-licensing-report-microsoft365-tenant/). If you run into a specific problem, ask the question here and I'm sure you'll get a response.

So does Set-MsolUserLicense no longer work? If I go read this article https://office365itpros.com/2023/04/04/azure-ad-powershell-deprecation-2/ it looks like it got extended.....any input would be great!

The retirement date for the modules was extended by Microsoft until March 2024. However, the Set-MSOLUserLicense cmdlet doesn'r work any longer. Use the Microsoft Graph PowerShell SDK instead. Here's an example: https://practical365.com/bulk-license-assignment-with-the-microsoft-graph-powershell-sdk/

Is there a new command for this:

Set-MsolUser -UserPrincipalName $user -BlockCredential $true

This might help (to block a user account):

https://office365itpros.com/2023/04/18/revoke-access-for-azure-ad-account/

Hi,

I'd like to know, if there a procedure to get support for Azure Boards Services. I'm a non experienced new user.

Regards.