Migrating from Get-Msol to Microsoft Graph Get-Mg (Get-MsolUser, Get-MsolDevice, Get-MgUser, Get-MgDevice, Get-AzureADAuditSignInLogs, Get-MgBetaAuditLogSignIn)

April 28, 2024

I've had a couple of PowerShell scripts to monitor users and devices in Entra. I was looking for device join type (Hybrid joined, Entra joined or Entra registered), Entra role assignments, login logs and M365 provisioning errors.

As of March 30, 2024, Azure AD, Azure AD Preview, and MS Online PowerShell modules are deprecated. Support will only be offered for critical security fixes. They will continue to function through March 30, 2025. Note: Only MSOnline versions 1.1.166.0 (2017) and later are assured to function through March 30, 2025. Use of versions earlier than 1.1.166.0 may experience disruptions after June 30, 2024. - source

Microsoft also published a "translation" for the alternative cmdlets in Microsoft Graph.

But things are not always straightforward; it is not just a matter of replacing the cmdlets. Let's see how I migrated the code.

  1. Getting login logs:

AzureAD:

$SignIn = Get-AzureADAuditSignInLogs -Filter $filter

Microsoft Graph:

$SignIn = Get-MgBetaAuditLogSignIn -Filter $filter

  2. M365 user provisioning errors:

Msol:

$ProvisioningError = (Get-MsolUser -UserPrincipalName "$userId").Errors

Microsoft Graph:

$uri = "https://graph.microsoft.com/v1.0/users/"+$userId+"/serviceProvisioningErrors"

$ProvisioningError = Invoke-MSGraphRequest -HttpMethod GET -Url $uri

  3. Entra roles (eligible)

AzureAD:

$roles = Get-AzureADMSPrivilegedRoleAssignment -ProviderId aadRoles -ResourceId $resourceId -Filter ("SubjectId eq '" + $userObjectId + "'")

Microsoft Graph:

$roles = Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter "principalId eq '$userId'" -ExpandProperty roleDefinition

Note: the user identifier changes from ObjectId (returned by Get-AzureAdUser) to Id (returned by Get-MgUser).

  4. Entra roles Display Name (eligible)

AzureAD:

$roleDisplayName = (Get-AzureADMSPrivilegedRoleDefinition -ProviderId aadRoles -ResourceId $resourceId -Id $role.RoleDefinitionId).DisplayName

Microsoft Graph:

$roleDisplayName = (Get-MgBetaRoleManagementDirectoryRoleDefinition -Filter "Id eq '$roleID'").DisplayName

  5. Entra device join type (trust type)

Msol:

(Get-MsolDevice -DeviceID $EntraDevice.DeviceId).DeviceTrustType

  • Domain Joined = Hybrid Joined
  • Workplace Joined = Entra registered
  • AzureAD Joined = Entra joined

Microsoft Graph:

(Get-MgDevice -DeviceId $EntraDevice.Id).TrustType

  • ServerAd = Hybrid Joined
  • Workplace = Entra registered
  • AzureAd = Entra joined
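
Because the trust type strings differ between the two modules, a monitoring script can silently misclassify devices after the switch. The following is an added example, not code from the original post: it normalizes the legacy DeviceTrustType and Graph TrustType values listed above to one join-type name and compares a saved Get-MsolDevice export against Graph device records. The function names and the sample records are assumptions constructed for illustration.

```powershell
# Added example (not from the original post); all sample records are constructed.
# Legacy MSOnline and Graph trust-type values from the post, mapped to one name.
# PowerShell hashtable literals compare string keys case-insensitively.
$JoinTypeMap = @{
    'Domain Joined'    = 'Hybrid joined'
    'Workplace Joined' = 'Entra registered'
    'AzureAD Joined'   = 'Entra joined'
    'ServerAd'         = 'Hybrid joined'
    'Workplace'        = 'Entra registered'
    'AzureAd'          = 'Entra joined'
}

function ConvertTo-EntraJoinType {   # hypothetical helper name
    param([string]$TrustType)
    if ([string]::IsNullOrWhiteSpace($TrustType)) { return 'Unknown (empty)' }
    $key = $TrustType.Trim()
    if ($JoinTypeMap.ContainsKey($key)) { return $JoinTypeMap[$key] }
    return "Unknown ($key)"          # surface unexpected values instead of hiding them
}

function Compare-DeviceJoinType {    # hypothetical helper name
    param([object[]]$LegacyDevice, [object[]]$GraphDevice)
    # Join on the device GUID (DeviceId on both sides), not the Graph object Id.
    $graphById = @{}
    foreach ($d in $GraphDevice) { $graphById[[string]$d.DeviceId] = $d }
    foreach ($old in $LegacyDevice) {
        $new     = $graphById[[string]$old.DeviceId]
        $oldType = ConvertTo-EntraJoinType $old.DeviceTrustType
        $newType = if ($new) { ConvertTo-EntraJoinType $new.TrustType } else { 'Missing in Graph' }
        [pscustomobject]@{
            DeviceId = $old.DeviceId
            Legacy   = $oldType
            Graph    = $newType
            Match    = ($oldType -eq $newType)
        }
    }
}

$legacy = @(   # constructed stand-in for a saved Get-MsolDevice export
    [pscustomobject]@{ DeviceId = '11111111-1111-1111-1111-111111111111'; DeviceTrustType = 'Domain Joined' }
    [pscustomobject]@{ DeviceId = '22222222-2222-2222-2222-222222222222'; DeviceTrustType = 'Workplace Joined' }
    [pscustomobject]@{ DeviceId = '33333333-3333-3333-3333-333333333333'; DeviceTrustType = 'AzureAD Joined' }
)
$graph = @(    # constructed stand-in for Get-MgDevice output
    [pscustomobject]@{ DeviceId = '11111111-1111-1111-1111-111111111111'; TrustType = 'ServerAd' }
    [pscustomobject]@{ DeviceId = '22222222-2222-2222-2222-222222222222'; TrustType = 'AzureAd' }
)
Compare-DeviceJoinType -LegacyDevice $legacy -GraphDevice $graph | Format-Table -AutoSize
# Live data (after Connect-MgGraph): $graph = Get-MgDevice -All -Property DeviceId,TrustType
```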
