If you start with scripting O365 or Azure AD, you soon realize that PowerShell is your choice. But even then you have to choose the module you use to connect to the cloud and access the objects. Or is there even a possibility to do it without any module, just knowing the right API calls and script some HTPP/REST magic? For pure AzureAD access, there are basically 4 different ways to do it and in the beginning, it’s a bit confusing to know what you have to choose.
If it comes to do some things with objects in Exchange Online, Teams, Sharepoint Online and others, you will need to install even more modules. So let’s have a look at the modules and APIs for PowerShell to connect to AzureAD / O365. Most of them are available through the PSGallery and can be installed easily with a simple “Install-Module” command.
Here is the quick overview:
Good old MSOL module (with cmdlets à la ‘Get-MsolUser‘). Good if you want to do basic Azure AD / O365 account or group management.
It was the first PowerShell module and was often believed obsolete and soon depreciated. But it is still valid because it can do things all the others can’t. Like displaying or restoring deleted O365 accounts, getting MFA related properties for users, or getting group license assignment information. The official name for this module is Azure Active Directory Module for Windows PowerShell. Please remember that Microsoft encouraged admins to use the newer AzureAD module (see below) instead of this module. So whenever you can do the same task with the newer module, you should replace the MSOL script code.
There is a detailed blog article “How to install and use the MSOL PowerShell module“.
This was intended as the successor to the MSOL, it has cmdlets like ‘Get-AzureADUser’. For environments with a large number of Azure AD user accounts or group objects, you get faster results from the cmdlets than in the MSOL module (I say three words: Server Side Filters). This module is technically based on the Graph API (see below), and in some cases, you get other properties and more info for some object types. The official name for this module is Azure Active Directory PowerShell for Graph. There is a preview version of this module named “AzureADPreview” which contains the most modern features available to play around with.
There is a detailed blog article “How to install and use the AzureAD PowerShell module“.
In this case, you do not install any modules. You just script some REST commands with HTTP GETs and PUTs and you talk to the Microsoft Graph endpoint URLs to access Azure AD and O365. The handling of the API calls here is inconveniently complex. You cannot just authenticate with some admin credentials, you first have to register an application object in the Azure AD tenant you want to access. Then you have to configure some properties of this application (like delegating API permissions, creating secret keys or certificates…). In your script, you have to acquire the access token for this app and then start your REST calls based on this token. Results are mostly returned in JSON format….. all in all, you could say this API is more for developers than for scripting admins, right?
But wait: You can access some areas of administration which all the other modules can not! It’s not only about users and groups. Microsoft Graph is also for accessing the Exchange Online related things – or many many other parts of the O365 administration. For example, if you want to read the log for risky sign-ins, or want to access the Conditional Access policies, or want to list the To-Do’s from the Microsoft 365 secure score, Graph is your friend. No other module can do such things for you.
There is a detailed blog article “How to use the Microsoft Graph API with Powershell“.
This is the modern Exchange Online PowerShell V2 module (or just EXO V2 module). Please forget “New-PSSession -ConnectionUri https://outlook.office365 ……” and so on. Or even “Connect-EXOPSSession” with the old Exchange Online PowerShell module. Don’t use it anymore – just replace this in your Exchange Online scripts and use the new V2 module.
You can continue to use the normal “Get-Mailbox”-ish cmdlets like before. There are a few new versions of important cmdlets (like “Get-EXOMailbox”), but these should be examined in a dedicated blog post. A goody which is also hidden in this module: You can connect to the Security and Compliance Center PowerShell and can do some administration there with scripts.
As the name indicates, this is the PowerShell module for administering Teams. It contains cmdlets like ‘Get-Team’ or ‘Get-TeamChannel’. The Official Name for the module is Microsoft Teams Powershell. Like in the AzureAD module, there is an additional preview version of this module available that provides extended possibilities.
This module provides the cmdlets for Sharepoint Online administration like ‘Get-SPOSite’. The official name is SharePoint Online Management Shell. As OneDrive for Business is technically based on Sharepoint Online, there are also some cmdlets for OneDrive administration in this module.