Microsoft.Graph vs. Microsoft.Entra PowerShell Modules

Introduction

With legacy PowerShell modules such as AzureAD, AzureADPreview, and MSOnline facing deprecation and retirement in April 2025, I thought I would write a blog post detailing the supported replacements, Microsoft.Graph and Microsoft.Entra, and how they differ.

These modern modules ensure long-term support, improved security, and compatibility with Microsoft’s cloud-first approach. In this post, we’ll explore their authentication methods, capabilities, and which legacy modules they replace.

What is Microsoft.Graph?

Microsoft.Graph is a unified PowerShell module that allows administrators to manage Microsoft Entra ID, Exchange Online, Teams, SharePoint, Intune, and other Microsoft 365 services through the Microsoft Graph API. This module is the successor to various older service-specific PowerShell modules.

Key Capabilities:

  • Unified Management: Manage identities, security, compliance, devices, and apps across Microsoft 365.

  • Cross-Platform Support: Works on Windows, macOS, and Linux.

  • Modern Authentication (MSAL): Uses the Microsoft Authentication Library (MSAL) for secure authentication.

  • Explicit Permission Model: Requires specifying scopes for authentication.

  • Complex but Powerful: More capabilities but requires additional configuration for authentication.

Installation and Authentication

Install-Module Microsoft.Graph -Scope CurrentUser
Import-Module Microsoft.Graph
Connect-MgGraph -Scopes "User.Read.All"

Command Structure

  • Get-MgUser (Replaces Get-AzureADUser)

  • Get-MgGroup (Replaces Get-AzureADGroup)

  • New-MgUser (Replaces New-AzureADUser)

What Does Microsoft.Graph Replace?

Microsoft.Graph replaces multiple legacy modules, including:

  • AzureAD (Azure Active Directory module)

  • AzureADPreview (Preview version of AzureAD module)

  • MSOnline (Microsoft Online Services module)

  • ExchangeOnlineManagement (Exchange Online PowerShell)

  • MicrosoftTeams (Teams PowerShell module)

  • SharePointPnPPowerShell (SharePoint Online module)

  • IntuneGraph (Intune PowerShell module)

Essentially, Microsoft.Graph serves as the single PowerShell module for managing all Microsoft 365 services, eliminating the need for multiple legacy modules.

What is Microsoft.Entra?

Microsoft.Entra is a newer, streamlined PowerShell module designed exclusively for managing Microsoft Entra ID. While Microsoft.Graph provides broader Microsoft 365 management, Microsoft.Entra is tailored specifically for identity and access management.

Key Capabilities:

  • Simplified Entra ID Management: Optimized for managing users, groups, and roles.

  • Uses Microsoft Graph API: Just like Microsoft.Graph, but with a focus on Entra ID.

  • Simpler Authentication: Does not require specifying scopes like Microsoft.Graph.

  • More Familiar Experience: Designed to provide an easier transition from AzureAD.

Installation and Authentication

Install-Module Microsoft.Entra -Scope CurrentUser
Import-Module Microsoft.Entra
# The module's sign-in cmdlet is Connect-Entra
Connect-Entra

Command Structure

  • Get-EntraUser (Replaces Get-AzureADUser)

  • Get-EntraGroup (Replaces Get-AzureADGroup)

  • New-EntraUser (Replaces New-AzureADUser)

What Does Microsoft.Entra Replace?

Microsoft.Entra replaces:

  • AzureAD (Legacy Entra ID module)

  • AzureADPreview (Preview version of AzureAD)

While it does not replace MSOnline, organizations still using MSOnline should migrate to Microsoft.Graph for broader management.

Comparison: Microsoft.Graph vs. Microsoft.Entra

| Feature | Microsoft.Graph | Microsoft.Entra |
| --- | --- | --- |
| Scope | Microsoft 365 Services (Entra ID, Teams, Intune, SharePoint, etc.) | Only Microsoft Entra ID |
| API Used | Microsoft Graph API | Microsoft Graph API |
| Cross-Platform | Yes (Windows, macOS, Linux) | Yes (Windows, macOS, Linux) |
| Authentication | Connect-MgGraph -Scopes "User.Read.All" (Requires Explicit Scopes) | Connect-Entra (Simplified Authentication) |
| Command Syntax | Get-MgUser, Get-MgGroup, etc. | Get-EntraUser, Get-EntraGroup, etc. |
| Explicit Permissions Required? | Yes (Graph API permissions) | No (Role-Based) |
| Ease of Use | More complex but powerful | Easier for Entra tasks |
| Replaces | AzureAD, MSOnline, ExchangeOnlineManagement, MicrosoftTeams, SharePointPnPPowerShell, IntuneGraph | AzureAD |

Which One Should You Use?

  • Use Microsoft.Graph if you need to manage Microsoft Entra ID along with other Microsoft 365 services including Intune.
  • Use Microsoft.Entra if you only manage Microsoft Entra ID and want a simpler, more focused experience.
  • Do NOT use AzureAD or MSOnline, as they are deprecated.
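
One way to find where existing scripts still call the deprecated modules before migrating, as an added example that is not part of the original post: it parses script text with PowerShell's own parser and lists every AzureAD or MSOnline cmdlet call. The function name Find-LegacyDirectoryCmdlet and the sample script are constructed for illustration, and the replacement map holds only the three pairs listed under Command Structure above.

```powershell
# Added example (not from the original post). Find-LegacyDirectoryCmdlet is a
# hypothetical helper name; the replacement map holds only the pairs this post lists.
$GraphReplacement = @{
    'Get-AzureADUser'  = 'Get-MgUser'
    'Get-AzureADGroup' = 'Get-MgGroup'
    'New-AzureADUser'  = 'New-MgUser'
}

function Find-LegacyDirectoryCmdlet {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ScriptText,
        [string]$Source = '<inline>'
    )
    $tokens = $null
    $errors = $null
    # Use the PowerShell parser so comments and string literals are not mistaken for calls.
    $ast = [System.Management.Automation.Language.Parser]::ParseInput($ScriptText, [ref]$tokens, [ref]$errors)
    # $true = also search nested script blocks and function bodies.
    $calls = $ast.FindAll({ param($n) $n -is [System.Management.Automation.Language.CommandAst] }, $true)

    foreach ($call in $calls) {
        $name = $call.GetCommandName()
        if (-not $name) { continue }            # dynamic invocation such as & $cmd
        $name = ($name -split '\\')[-1]         # drop a module qualifier (AzureAD\Get-...)
        if ($name -match '^[A-Za-z]+-(AzureAD|Msol)') {
            $module = if ($Matches[1] -eq 'Msol') { 'MSOnline' } else { 'AzureAD/AzureADPreview' }
            $replacement = if ($GraphReplacement.ContainsKey($name)) { $GraphReplacement[$name] } else { '(review manually)' }
            [pscustomobject]@{
                Source      = $Source
                Line        = $call.Extent.StartLineNumber
                Cmdlet      = $name
                Module      = $module
                Replacement = $replacement
            }
        }
    }
}

# Constructed sample script; not taken from any real environment.
$sample = @'
Connect-AzureAD
# Get-AzureADUser -All $true   (commented out, so the parser ignores it)
$staff = Get-AzureADUser -Filter "department eq 'Finance'"
function Reset-Licence { Get-MsolUser -UserPrincipalName $args[0] | Set-MsolUserLicense }
Get-MgGroup -All
'@

Find-LegacyDirectoryCmdlet -ScriptText $sample -Source 'sample.ps1' | Format-Table -AutoSize
```

To scan real files, pass each script's content (read with Get-Content -Raw) as -ScriptText and its path as -Source.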

Final Thoughts

Microsoft is moving towards a Graph API-first approach for PowerShell automation. While Microsoft.Graph offers the most flexibility, Microsoft.Entra provides a more streamlined experience for identity management. If you’re still using AzureAD, MSOnline, or other legacy modules, now is the time to migrate to one of these modern alternatives.

For a seamless transition, assess your needs:

  • If you’re managing only Entra ID, go with Microsoft.Entra.

  • If you’re managing multiple services, go with Microsoft.Graph.

By embracing these new modules, you ensure your scripts remain compatible, secure, and future-proof.

Let me know if you need help migrating your scripts! 

References

Action required: MSOnline and AzureAD PowerShell retirement – 2025 info and resources

Frequently Asked Questions on PowerShell Deprecation for Azure AD, Azure AD-Preview, and MS Online


Amir Joseph Sayes
