The New Drop-Dead Date is March 31, 2023
In an update released July 29, 2022, Microsoft pushed out plans to retire the license assignment cmdlets in the Azure AD and Microsoft Online Services (MSOL) PowerShell modules from August 26, 2022. Pushback from customers struggling to update their scripts with cmdlets from the Microsoft Graph PowerShell SDK caused Microsoft to pause its plans to deprecate the cmdlets.
The new plan divides tenants into two categories:
- New tenants created after November 1, 2022, won’t be able to use the Azure AD and MSOL cmdlets for license management of Azure AD accounts.
- Existing tenants can continue using the license management cmdlets like Set-AzureADUserLicense until March 31, 2023.
Microsoft warns that “Customers may notice performance delays as we approach the retirement deadline” and recommends migrating to Microsoft Graph-based code as quickly as possible.
Will the Deadline Hold?
Declaring a deadline for a service or feature deprecation and then pushing out the deadline as it approaches is a classic routine from the Microsoft cloud services playbook. The original deadline serves to inform customers that change is coming while the later amended deadline is the real thing.
Or maybe not. Multiple deadline changes have happened, as in the case of the Exchange Online deprecation of basic authentication for seven mail connectivity protocols. However, to be fair to Microsoft, removing something that affects hundreds of millions of users is a process that needs to be handled with sensitivity, and the current October 1 deadline is holding and will, I believe, happen.
Upgrade Scripts Now
The important thing here is to react to the heads-up warning implicit in the new deadline. It’s likely that March 31, 2023, will be the real drop-dead date. Although the additional seven months gives a welcome breathing space to organizations that haven’t been able to update their scripts, it’s no excuse to relax and go work on other things. Schedule the time now to:
- Find all scripts that use the Azure AD and MSOL cmdlets for license management.
- Determine the appropriate cmdlet to move to using the Azure AD and MSOL to Microsoft Graph PowerShell SDK cmdlet map (you can also use the underlying Graph API requests like user assignLicense).
- Upgrade scripts to use SDK cmdlets or Graph API requests.
- Test the upgraded scripts.
- Release to production.
See this article for examples of assigning and removing licenses (like Office 365 E3) and service plans (like Yammer) to Azure AD accounts.
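One way to carry out the first step in the list above, as an added example that is not code from the original article: it parses each script with the PowerShell language parser and reports calls to the legacy license cmdlets, so commented-out lines and string literals are not counted. The folder path, the function name Find-LegacyLicenseCall, and the cmdlet list beyond Set-AzureADUserLicense are assumptions to adjust for your environment.

```powershell
# Added example: inventory scripts that call the retiring license cmdlets.
# $ScriptRoot is a hypothetical path; the cmdlet list is an assumption to extend.
param(
    [string]$ScriptRoot = 'C:\Scripts'
)

# Legacy cmdlet -> Microsoft Graph PowerShell SDK cmdlet to review as its replacement
$Replacements = @{
    'Set-AzureADUserLicense' = 'Set-MgUserLicense'
    'Set-MsolUserLicense'    = 'Set-MgUserLicense'
    'New-MsolUser'           = 'New-MgUser, plus Set-MgUserLicense if licenses are assigned'
}

function Find-LegacyLicenseCall {
    param([Parameter(Mandatory)][string]$Path)

    $tokens = $null
    $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseFile(
        $Path, [ref]$tokens, [ref]$errors)

    # Walk the syntax tree, including nested script blocks, for command invocations
    $commands = $ast.FindAll(
        { param($node) $node -is [System.Management.Automation.Language.CommandAst] },
        $true)

    foreach ($cmd in $commands) {
        # GetCommandName() returns $null for dynamic invocations such as & $variable
        $name = $cmd.GetCommandName()
        if (-not $name -or -not $Replacements.ContainsKey($name)) { continue }

        [pscustomobject]@{
            File        = $Path
            Line        = $cmd.Extent.StartLineNumber
            Cmdlet      = $name
            ReviewWith  = $Replacements[$name]
            ParseErrors = $errors.Count   # non-zero means the file did not parse cleanly
        }
    }
}

Get-ChildItem -Path $ScriptRoot -Recurse -File -Include *.ps1, *.psm1 |
    ForEach-Object { Find-LegacyLicenseCall -Path $_.FullName } |
    Sort-Object File, Line |
    Format-Table -AutoSize
```

Calls made through a variable or an alias are not resolved by name, so files that report parse errors or build command names dynamically still need a manual read.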
An Opportunity for Personal Enrichment (Maybe)
One of the unique joys of working in the cloud is having to react to decisions made by service providers. On the downside, decisions like this create extra work. On the upside, isn’t it nice to sharpen new skills in Graph-based license assignments?
Hope they will create a Microsoft Graph replacement command for the Set-MsolUser -StrongAuthenticationRequirements parameter.
$user = "testMFADisabled@sometenant.onmicrosoft.com"
$auth = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$auth.RelyingParty = "*"
$auth.State = "Enforced"
$authst = @($auth)
Set-MsolUser -UserPrincipalName $user -StrongAuthenticationRequirements $authst
In the Graph world, these are called authentication methods and you can script them with cmdlets in the Microsoft Graph PowerShell SDK. Here’s an example of reporting authentication methods for Azure AD accounts: https://office365itpros.com/2022/10/07/authentication-methods-scripts/
Thank you, Tony, for the article you shared. It is very useful when it comes to reporting the MFA status of available user accounts.
What we need is to accomplish the same behavior as when you set the MFA auth state to Enforced using the MSOL module, but this time using the Graph API.
Setting the MFA status to "Enforced" for a particular user forces that user to register at least one MFA authentication method and use it as the default each time he signs in; if not, the user is not allowed to sign in.
That issue is being discussed with the Graph SDK development team at https://github.com/microsoftgraph/microsoft-graph-docs/issues/17374
I have pinged some folks that I know to see what the current state of play might be.
I guess they finally figured out not all the commands available in the 2 are in either of the Graph options.
Is this exclusive to license assignments or will it be the whole of the AzureAD module that is being pushed back to this date?
License assignment cmdlets will stop working on the dates as stated. The modules are due for deprecation in early 2023. I imagine Microsoft will align this with the March 31, 2023 date for license assignment.