I've had a couple of PowerShell scripts to monitor users and devices in Entra. I was looking for device join type (Hybrid joined, Entra joined or Entra registered), Entra role assignments, login logs and M365 provisioning errors.
As of March 30, 2024, Azure AD, Azure AD Preview, and MS Online PowerShell modules are deprecated. Support will only be offered for critical security fixes. They will continue to function through March 30, 2025. Note: Only MSOnline versions 1.1.166.0 (2017) and later are assured to function through March 30, 2025. Use of versions earlier than 1.1.166.0 may experience disruptions after June 30, 2024. - source
Microsoft also published a "translation" for the alternative cmdlets in Microsoft Graph.
But things are not always straightforward: it is not just a matter of replacing the cmdlets. Let's see how I migrated the code.
-
Getting login logs:
AzureAD:
$SignIn = Get-AzureADAuditSignInLogs -Filter $filter
Microsoft Graph:
$SignIn = Get-MgBetaAuditLogSignIn -Filter $filter
-
M365 user provisioning errors:
Msol:
$ProvisioningError = (Get-MsolUser -UserPrincipalName "$userId").Errors
Microsoft Graph:
$uri = "https://graph.microsoft.com/v1.0/users/"+$userId+"/serviceProvisioningErrors"
$ProvisioningError = Invoke-MSGraphRequest -HttpMethod GET -Url $uri
-
Entra roles (eligible)
AzureAD:
$roles = Get-AzureADMSPrivilegedRoleAssignment -ProviderId aadRoles -ResourceId $resourceId -Filter ("SubjectId eq '" + $userObjectId + "'")
Microsoft Graph:
$roles = Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter "principalId eq '$userId'" -ExpandProperty roleDefinition
* Note the change of identifier: ObjectId from Get-AzureADUser becomes Id from Get-MgUser.
-
Entra roles Display Name (eligible)
AzureAD:
$roleDisplayName = (Get-AzureADMSPrivilegedRoleDefinition -ProviderId aadRoles -ResourceId $resourceId -Id $role.RoleDefinitionId).DisplayName
Microsoft Graph:
$roleDisplayName = (Get-MgBetaRoleManagementDirectoryRoleDefinition -Filter "Id eq '$roleID'").DisplayName
-
Entra device join type (trust type)
Msol:
(Get-MsolDevice -DeviceID $EntraDevice.DeviceId).DeviceTrustType
- Domain Joined = Hybrid Joined
- Workplace Joined = Entra registered
- AzureAD Joined = Entra joined
Microsoft Graph:
(Get-MgDevice -DeviceId $EntraDevice.Id).TrustType
- ServerAd = Hybrid Joined
- Workplace = Entra registered
- AzureAd = Entra joined
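Added example (not from the original post): while both modules still work, running the old and new device queries side by side and normalising the two value sets above to one label shows whether each device's join type is reported consistently after the migration. ConvertTo-JoinType is a hypothetical helper name, and the device records are constructed sample data standing in for real cmdlet output.

```powershell
# Added example. ConvertTo-JoinType is a hypothetical helper, not a Microsoft cmdlet.
function ConvertTo-JoinType {
    param([AllowNull()][AllowEmptyString()][string]$TrustType)

    # Value mapping taken from the two lists on this page. Hashtable literals are
    # case-insensitive in PowerShell, so 'azuread' also matches 'AzureAd'.
    $map = @{
        'Domain Joined'    = 'Hybrid Joined'      # MSOnline DeviceTrustType values
        'Workplace Joined' = 'Entra registered'
        'AzureAD Joined'   = 'Entra joined'
        'ServerAd'         = 'Hybrid Joined'      # Microsoft Graph TrustType values
        'Workplace'        = 'Entra registered'
        'AzureAd'          = 'Entra joined'
    }
    $key = "$TrustType".Trim()
    if ($map.ContainsKey($key)) { return $map[$key] }
    if ($key -eq '') { return 'Unknown (empty)' }
    return "Unknown ($key)"    # surface unexpected values instead of hiding them
}

# Constructed sample records standing in for Get-MsolDevice and Get-MgDevice output.
$legacy = @(
    [pscustomobject]@{ DisplayName = 'PC-001'; DeviceTrustType = 'Domain Joined' }
    [pscustomobject]@{ DisplayName = 'LT-002'; DeviceTrustType = 'AzureAD Joined' }
    [pscustomobject]@{ DisplayName = 'PH-003'; DeviceTrustType = 'Workplace Joined' }
)
$graph = @(
    [pscustomobject]@{ DisplayName = 'PC-001'; TrustType = 'ServerAd' }
    [pscustomobject]@{ DisplayName = 'LT-002'; TrustType = 'Workplace' }   # deliberate mismatch
    [pscustomobject]@{ DisplayName = 'PH-003'; TrustType = $null }         # missing value
)

# Index the legacy results by device name, then compare join types device by device.
$legacyByName = @{}
foreach ($d in $legacy) { $legacyByName[$d.DisplayName] = ConvertTo-JoinType $d.DeviceTrustType }

$report = foreach ($d in $graph) {
    $new = ConvertTo-JoinType $d.TrustType
    $old = $legacyByName[$d.DisplayName]
    [pscustomobject]@{
        Device  = $d.DisplayName
        Legacy  = $old
        Graph   = $new
        Matches = ($old -eq $new)
    }
}
$report | Format-Table -AutoSize
```

Rows where Matches is False are the devices to re-check before retiring the old script.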