I hate Graph powershell as a replacement for the AzureAD module
Posted by sham_hatwitch@reddit | sysadmin | 87 comments
I am updating our user onboarding script to not use the AzureAD module.
I used to have a very simple check to find groups that are not synced from on-prem and are not mail-enabled security (if so it would go to ExchangeOnline).
Trying to do this in Graph feels like the wheel was reinvented. Some properties are in -Property, others are buried in .GroupDetails, OnPremisesSyncEnabled can't be retrieved so instead I need to get the last sync time and select ones that are Null.
Oh and you can't just search for groups the user is a member of, it doesn't find them all so you have to do a Get-MgUserTransitiveMemberOf instead.
I can't even figure out the GroupType, it outputs "dynamic" for a dynamic group, and Null for every other group, it seems types like unified, mail enabled, etc... are buried in different properties all over the place.
Worst of all is if you ask Co-Pilot for help, it will confidently spit out commands that error because the property it's calling doesn't exist, then you will tell it that didn't work, it'll try something else that doesn't work, then if you complain it will spit out the first non-working command again.
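The group triage the OP describes, written out as an added example (this is not the OP's edited script and not Microsoft's code). It assumes an existing Connect-MgGraph session with User.Read.All and Group.Read.All and the Microsoft.Graph.Users and Microsoft.Graph.Groups modules. The kind of group is deduced from the documented Graph group properties: groupTypes carrying "Unified" (Microsoft 365 group) or "DynamicMembership", plus the mailEnabled/securityEnabled pair; cloud-only is detected the way the OP does it, by OnPremisesLastSyncDateTime being null. The sample UPN is constructed.

```powershell
# Added example, not code from the thread or from Microsoft: classify the groups a user
# belongs to and decide which tool can manage membership of each one.
# Assumes a Connect-MgGraph session with User.Read.All and Group.Read.All.

function Get-GroupKind {
    # $Group is a MicrosoftGraphGroup returned by Get-MgGroup with the properties
    # used below explicitly selected (not all of them are in the default set).
    param([Parameter(Mandatory)] $Group)

    $types = @($Group.GroupTypes)
    $kind = if ($types -contains 'Unified') { 'Microsoft365' }
            elseif ($Group.MailEnabled -and $Group.SecurityEnabled) { 'MailEnabledSecurity' }
            elseif ($Group.MailEnabled) { 'Distribution' }
            elseif ($Group.SecurityEnabled) { 'Security' }
            else { 'Unknown' }

    $synced  = $null -ne $Group.OnPremisesLastSyncDateTime   # the OP's cloud-only test
    $dynamic = $types -contains 'DynamicMembership'

    # Where membership can actually be changed:
    #  - synced groups are mastered in on-prem AD
    #  - dynamic groups are rule-driven; manual adds fail
    #  - Graph writes members of cloud security and Microsoft 365 groups only;
    #    mail-enabled security and distribution groups belong to Exchange Online
    $route = if ($synced) { 'OnPremAD' }
             elseif ($dynamic) { 'DynamicRule' }
             elseif ($kind -in 'Security', 'Microsoft365') { 'Graph' }
             else { 'ExchangeOnline' }

    [pscustomobject]@{
        Id          = $Group.Id
        DisplayName = $Group.DisplayName
        Kind        = $kind
        Dynamic     = $dynamic
        CloudOnly   = -not $synced
        Route       = $route
    }
}

function Get-UserGroupRoutes {
    param([Parameter(Mandatory)][string] $UserId)   # UPN or object id
    $props = 'id', 'displayName', 'mailEnabled', 'securityEnabled',
             'groupTypes', 'onPremisesLastSyncDateTime'

    # Transitive membership includes nested groups. The directoryObject results only
    # carry a type hint in AdditionalProperties, so each group is re-read with the
    # properties the classifier needs.
    Get-MgUserTransitiveMemberOf -UserId $UserId -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' } |
        ForEach-Object { Get-MgGroup -GroupId $_.Id -Property $props } |
        ForEach-Object { Get-GroupKind -Group $_ }
}

# Constructed usage: show the template user's groups by how they have to be managed.
Get-UserGroupRoutes -UserId 'template.user@contoso.example' |
    Sort-Object Route, DisplayName |
    Format-Table Route, Kind, Dynamic, DisplayName -AutoSize
```

The Route column is what a clone-the-groups onboarding step needs: only the 'Graph' rows are safe to feed to New-MgGroupMember, the 'ExchangeOnline' rows go through the Exchange cmdlets, and the 'OnPremAD' and 'DynamicRule' rows are skipped rather than discovered through errors.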
racomaizer@reddit
We are releasing all the Lego bricks and you can do whatever you want with them. Oh you want a completed dragon with those Lego? Nah you have to flex your creativity, and we have already provided you all the foundation, aren’t you thankful?! /s
sham_hatwitch@reddit (OP)
I find it's even worse than that, it's like half the bricks have Kinex connectors too.
Like if I could just retrieve an object and see every kind of property about it in 1 spot I would be happy.
DiseaseDeathDecay@reddit
I've felt this way about powershell modules for like 10 years.
It's like the people making the modules don't really use powershell very much. One module will want you to pipe commands and not really work if you don't, and in the next one piping just doesn't work.
Some are good about the default output from a cmdlet being the actual object, and the next one will constantly spit out constructed members that don't actually exist so you have to start digging if you want to do anything with the data.
Then there's just the junk that you're talking about where stuff is hidden with no good, obvious way to get it without reading documentation, which just blatantly goes against the design philosophy of powershell usage being discoverable.
racomaizer@reddit
Get creative and make your own adapter ;)
Honestly I “feel” most software companies are doing this to outsource development to users…
7ep3s@reddit
the problem is i spend more time building adapters than implementing useful code...
Any_Particular_Day@reddit
“Get creative and make your own adapter ;)”
Like the early days of Linux… oh, your video card isn’t supported? Just write your own device drivers, n00b
william_tate@reddit
Linux would be considered more stable and reliable than Microsoft at this point. Keeping abreast of all the changes and trying to work Graph is retarded. I actually want to go and do something else but I’m stuck at the moment.
fatbergsghost@reddit
This. I'm never going to complain about Lego. If people are able to make more creative and inventive stuff out of Lego than I can, I'm still going to enjoy my blocky little house, and wonder if I can make a horsie out of it one day.
At the end of the day, the block connects to the other block, and that's all you need to know. Give me that, and none of the time I can spend trying to use it is going to be wasted. It just turns out that I know more about 2x2 blocks than I do about 2x8 blocks and those weird curved pieces.
I feel like at this point there's not really a way to dive into this that feels like it would teach me anything all that useful.
dodexahedron@reddit
Man. When I was a kid, a grandma bought me knex instead of Legos one Christmas, when all I had were tons of legos... and it was some sort of random parts assortment, too - not an actual kit to build a thing. 🤦♂️
So I had this one oddball little space ship I made out of the set, which was forever the red-headed step child of my collection
But it's still intact, as are most of my favorite Lego creations, 20+ years later. 😅
sham_hatwitch@reddit (OP)
You have to get a pic of that!
OutsidePerson5@reddit
With the old AzureAD module I could use one command piped to another to mirror user A's groups to user B.
I tried figuring out how to do the same in Graph powershell and... yeah. What you said. It's a flipping nightmare. How the hell can going from one single useful command to a zillion things scattered across dozens of commands and properties be considered an improvement?
It almost seems like they went looking for the most useful functions and killed out of pure malice.
sham_hatwitch@reddit (OP)
After my rant I did some reading on the new Microsoft.Graph.Entra module, which may bridge the gap between the old module and graph.
It sounds like Graph is basically a wrapper for raw access to the API, which is not necessarily in a traditional powershell format (ie: the syntax of filtering or expanding something), there were no real usecases in mind. While modules like AzureAD were hand-written with syntax, piping and things like that in mind.
I discovered there are 3 or 4 attributes that will help you deduce what kind of group something is, and edited the OP with it.
OutsidePerson5@reddit
Thanks, that does look better than the raw.
ginolard@reddit
Well, this is a nice find. Seems like a nice middle-ground replacement for AzureAD module
OutsidePerson5@reddit
Or, and I know this is crazy, MS could stop stealing the useful stuff and give us back the thing that worked instead of any middle ground between the thing that worked and a total shitfest that doesn't work.
Not being critical of OP, what they found is definitely better than nothing but I don't really feel generous to MS about things like this. We pay them a fortune and in exchange we get buggy crap that they keep actively making worse. That's not right.
cantstandmyownfeed@reddit
It'd be nice if I could learn something and for it be relevant for more than 14 minutes.
OutsidePerson5@reddit
Yeah, I've been working with pnp-powershell and it's like guys I get that you're improving but JFC man the docs aren't able to keep up with the releases, changes, and alterations so now when you check the docs you have no idea if the command they're referring to is the same, deprecated, changed, or something else entirely.
DiseaseDeathDecay@reddit
Are the built-in powershell help tools kept up-to-date?
reddit_is_sh1tty@reddit
as someone who never used the pnp stuff to having to restore 20 million deleted Sharepoint files, I feel this. Then 3 people at my company asked me how I got it to work. Mind you, MS Support pointed them to this solution and the docs but they didn’t get far.
PoopingWhilePosting@reddit
And that's why I've given up and just counting down the years until retirement. I don't have the time, energy or inclination to keep up with this nonsense.
Pict@reddit
This factor has largely led to me checking out a bit, and planning to “retire” from the industry before I am well and truly too old to keep up.
It’s depressing as fuck.
william_tate@reddit
Me too
senectus@reddit
I feel this comment
ez_doge_lol@reddit
Shuttup you fly, your life cycle is 24 hours 😉
FireLucid@reddit
Me: How many 'r's are there in strawberry?
GPT: There are two
Me: That is incorrect
GPT: Sorry, there is one r in strawberry
Godcry55@reddit
Haha this!
purplemonkeymad@reddit
I don't really see this as a stupid LLM as it never gets to see the word. Everything is turned into a numerical token and then fed in. The output is the same, just numbers that are replaced with words or symbols.
I mean how many people on the internet would ask that exact question? It's not going to be in the dataset.
fatbergsghost@reddit
It's a very interesting position, though, because it's kind of the opposite of what computers are good at.
How many 'r's are there in 'strawberry'?
People can count that easy. Although, if you quickfire that at people, people have to count.
How many 'r's are there in 'strawberrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrry'?
Computer can do this easy. People can do it, but it sucks.
purplemonkeymad@reddit
Yea I think there is still an expectation gap with AI especially in LLMs. If you don't know how they work, it looks like it understands the words, if you do, then it makes sense what it finds hard.
dodexahedron@reddit
As usual, the new thing also doesn't have everything the old thing has.
But the docs for the only way to do the few things that only the old module can do still insist that you should use the new module and new docs anyway (just the blanket message at top), but that results in a link loop as you go to the "new version" that doesn't have the page and then navigate through the new docs to that page...which takes you back to the old one again...
Come on, MS. That's bad.
Puzzleheaded-Sink420@reddit
Having only worked in IT for 5 years, I felt like I was the only one who's stupid and doesn't understand that shit.
Threep1337@reddit
Yea I don’t know if I’m just dumb or what but every time I try and do anything with graph it’s a huge pain. Commands that were simple one liners become long painful processes of making some huge hash table with stuff in a specific format.
Jmoste@reddit
There is a new module called Microsoft.Graph.Entra.
I haven't used it but it might have some better functionality.
I'm just building my own wrapper functions because it's so terrible to work with. I hate having named parameters and using GUIDs for everything.
So for Get-MgGroup, I do a try/catch block. The try looks for the group by id and the catch uses a filter by displayName. I'm working on a parameter set right now that makes filtering a little better. I'm thinking if a * is the first character I do a startswith filter and if it's the last character do an endswith.
My add group member/owner uses upn and you don't need to make the uri or odata.
Oh, I also have pipeline input. Trying to get a few more functions done before I publish.
End of story, graph is an annoying beast.
realslacker@reddit
If the string matches '.+@.+..+’ or you can cast it to a GUID you can use it in the UserId field, otherwise do your fallback. If you always try one and wait for failure you are eating up the API calls unnecessarily.
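The wrapper idea from the two comments above, combined into an added example that is not Jmoste's module and not realslacker's code: the identifier is classified up front (GUID, UPN, trailing-wildcard name, or exact name) so that one Graph call is made instead of a try-by-id / catch-by-filter round trip. It assumes a Connect-MgGraph session with Group.ReadWrite.All and User.Read.All. Only a trailing * (startswith) is implemented; a leading * is rejected rather than guessed at. Function names and the sample values are this example's own.

```powershell
# Added example, not code from the thread: resolve users and groups from whatever
# identifier the caller has, without burning API calls on expected failures.
# Assumes a Connect-MgGraph session with Group.ReadWrite.All and User.Read.All.

function ConvertTo-ODataLiteral {
    # OData string literals escape a single quote by doubling it.
    param([string] $Value)
    $Value -replace "'", "''"
}

function Resolve-MgGroup {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string] $Identity)
    process {
        $guid = [guid]::Empty
        if ([guid]::TryParse($Identity, [ref] $guid)) {
            # Object id: a direct read, no filter needed.
            return Get-MgGroup -GroupId $Identity -Property id, displayName -ErrorAction Stop
        }
        if ($Identity.StartsWith('*')) {
            throw "Leading wildcard (endswith) is not supported by this example: '$Identity'"
        }
        $name   = ConvertTo-ODataLiteral ($Identity.TrimEnd('*'))
        $filter = if ($Identity.EndsWith('*')) { "startswith(displayName,'$name')" }
                  else { "displayName eq '$name'" }
        Get-MgGroup -Filter $filter -Property id, displayName -All
    }
}

function Resolve-MgUserId {
    # A UPN or object id can be passed straight to -UserId (realslacker's point);
    # anything else is treated as a display name and must match exactly one user.
    param([Parameter(Mandatory)][string] $Identity)
    $guid = [guid]::Empty
    if ([guid]::TryParse($Identity, [ref] $guid) -or $Identity -match '^.+@.+\..+$') {
        return (Get-MgUser -UserId $Identity -Property id -ErrorAction Stop).Id
    }
    $name = ConvertTo-ODataLiteral $Identity
    $hits = @(Get-MgUser -Filter "displayName eq '$name'" -Property id -All)
    if ($hits.Count -ne 1) {
        throw "Expected exactly one user named '$Identity', found $($hits.Count)."
    }
    $hits[0].Id
}

function Add-GroupMemberByName {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string] $Group,    # GUID, exact name, or 'prefix*'
        [Parameter(Mandatory)][string] $Member    # UPN, object id, or display name
    )
    $memberId = Resolve-MgUserId -Identity $Member
    foreach ($g in Resolve-MgGroup -Identity $Group) {
        if ($PSCmdlet.ShouldProcess($g.DisplayName, "add member $Member")) {
            # The cmdlet builds the @odata.id reference body itself.
            New-MgGroupMember -GroupId $g.Id -DirectoryObjectId $memberId
        }
    }
}

# Constructed usage: -WhatIf lists every group the wildcard resolves to before any write.
Add-GroupMemberByName -Group 'Sales-*' -Member 'new.hire@contoso.example' -WhatIf
```

Running the wildcard form with -WhatIf first is the cheap check that a prefix does not match more groups than intended; the write only happens once the list looks right.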
VeryRareHuman@reddit
I am try this module! But I have no hope! It's based on MS Graph!
SheepsFE@reddit
From experience it abstracts away a lot of the stuff that makes graph irritating, so it's worth trying
sham_hatwitch@reddit (OP)
Interesting, I will look into that.
Dynamic groups for memberships is a bigger battle we are fighting for, but in the mean time we are cloning the groups from an existing user, and I need to do a bunch of crap like exclude committees, only find groups that graph is capable of adding (maybe another route will just be to try every group and ignore errors), then go to ExchangeOnline for everything else.
Khue@reddit
Graph Powershell is definitely a bolt-on solution. It's little more than a wrapper for curl for us dumbass sysadmins that want to leverage sysadmin tools instead of relying on REST-API-like calls for everything. If you want to know real pain, try to figure out how to leverage Graph Powershell for querying ADB2C records... god forgive you if you have custom attributes.
randomman87@reddit
Woah careful with that Copilot slander. Haven't you been paying attention to MS Ignite? It's writing 79 million lines of code a month. You must be doing something wrong.
/S in case
evasive_btch@reddit
In a few years programmers won't exist!
Gravybees@reddit
Graph is the absolute worst. I can’t for the life of me understand why they decommissioned modules that were wonderful only to replace them with graph and zero documentation. And don’t even get me started with Search-Mailbox. That may have been the best thing Microsoft ever did, so of course they removed it…
tankerkiller125real@reddit
I switched to C# when they did that. Seriously, I find it much easier to work with the C# SDKs than dealing with the bullshit that is the Graph PowerShell module.
Flannakis@reddit
What is the main difference between the powershell sdk and C#? Is it because c# is a lower level language and you can do more? Just wondering if it's worth it for me as an admin to start using C# for the graph api
tankerkiller125real@reddit
In my experience (so far) the C# SDK does not require writing JSON directly, and I've been able to do everything with proper functions, classes, objects, etc. with all the type hinting and what not that comes with it.
Honestly, I'd recommend that every IT professional should have at least one good programming language of choice in their toolbox. I love PowerShell scripting just as much as the next Windows Admin, but I have found that a proper programming language (in my case C#) has gotten me out of a lot of tough spots, and made automation much easier in some cases.
Whether C# is for you specifically is for you to decide, there's also of course many other languages to choose from, but given I deal with Microsoft products most often, and Microsoft publishes SDKs for basically all of their products, C# just made the most sense for me (plus it's what the engineering team at work uses).
Confy@reddit
Have you by any chance come across any courses or similar that teach C# from an Operations perspective? As a sysadmin who now works primarily with Azure and other MS Cloud services, I'm really intrigued by the case you've made above.
ConsoleDev@reddit
You're looking for - "Powershell to C# and Back"
DJTheLQ@reddit
You could copy/paste/tweak the SDK docs example code. But you'd get much further with any intro to C# tutorial.
Flannakis@reddit
Thanks for the comprehensive answer
vermyx@reddit
In a broader sense C# isn't a "lower level" language than powershell. They are both based on dotnet so their relationship is more like cousins. Lower level languages will usually have stricter types around data, allow you to manipulate memory, essentially allow you to break the system easily. Dotnet will usually have more streamlined objects because they are developed under the same team, while powershell modules are developed by the team handling a particular product (i.e. exchange objects are different constructs and ideas vs azuread vs pnp etc. etc. etc.). This is why you will have a more consistent experience with dotnet than with powershell. The thing is that you can instantiate said objects within powershell too, so it is pretty easy to embed C# code into your powershell so you can instantiate the C# objects within powershell. I do this all the time with Selenium because Selenium pops out C# code and I have a script that basically translates that into powershell to execute. Yes I can compile said code into executables but sometimes I'm just lazy and don't want to spend the extra few steps and time compiling executables.
brokerceej@reddit
+1 to this. The C# SDKs for Graph are somehow very much easier to work with than the Powershell equivalents. If you're a sysadmin with solid Powershell experience, C# is a very easy transition to make. The syntax is very similar since Powershell rides on top of .NET.
rcp9ty@reddit
I hate powershell can we just go back to visual basic and batch files.... This is how you sound right now.
Not every new technology is going to work the way you expect it to work and be glad you have AI to try and help you find the answers instead of 1000 page books where learning meant reading it and using it as a reference and the exact answer was found through trial and error.
sham_hatwitch@reddit (OP)
If that were true then Microsoft wouldn't be working on Graph.Entra, which is a hand-written module.
rcp9ty@reddit
We all hate the learning process equally. AI won't have all the answers just like the books didn't have the exact answer I was looking for either. I wish you luck my friend. I don't have the answer you're looking for but I can say I understand the process of learning something new when you're used to something old. I miss the days where the only command I needed to know was for changing the drive letter and running doom.exe or dukenukem.exe or pinball.exe ( epic pinball ) but things always change. If all else fails you can always ask people for help finding an alternative to what you're doing or a different resource besides something that can't even follow basic Boolean functions. If I tell copilot or chatgpt or Gemini to find me videos that are not ASMR all my results are ASMR... Thus I gave up on AI doing my work for me.
fatbergsghost@reddit
The books existed specifically to teach people how things worked. It didn't have all the answers, but it would give you an overview from which you should have expected to extrapolate and do some learning.
The problem with AI is that it doesn't exist for that purpose. It exists to give you the answer, without you having to learn, and that's a problem because AI doesn't know the answer, and it doesn't go away and learn about your specific use case, and specific problem, and the problems you're experiencing. It also doesn't actually know. It does its best to quickly reference plagiarised sources, but if it doesn't have them, then it will lie to you. Which means that you spend 2 days trying to troubleshoot something that the book would not have told you existed.
Thotaz@reddit
No he's not. He is complaining about the Graph module being a step down which is just the objective truth. The commands are mostly auto generated with ridiculous command and parameter names.
Even Snover has called the graph modules shit on Twitter when asked about them (in a more PC tone of course).
Fresh_Dog4602@reddit
what about the new entra-id powershell module? doesn't that work for you ?
F_Synchro@reddit
Don't get me fucking started on Graph.
Ever since they castrated Intune device management and made it rather mandatory to work with MgGraph my automated intune packaging scripts have been paralyzed/non-functional and I have not been able to fix it at all.
Graph is strong, but it fucking sucks, documentation is all over the place and none of the documentation fits the reality, let alone that Copilot comes with the proper solutions because it tries to go through old documentation (Connect-MsGraph for example...) and keeps providing deprecated solutions.
And the worst part is, once you do get it working, it will break again next fucking week because Microsoft decides a property should no longer return a value because they just renamed the fucking thing.
Absolute god damn ass.
There's no changelog, there's no testing, it's a completely unreliable framework to successfully script/program against.
walkasme@reddit
It is a pain that how it worked 3 months ago doesn't work the same now.
I found a bug in the SharePoint Online PowerShell module. Logged a call with Microsoft Enterprise Support, blah, 5 engineers later all telling me it is a script I wrote, not their problem, to eventually: oh wait, there is a problem (it happens when you have many thousands of sites (OneDrive is a SharePoint site) with 20k+ users). You cannot replicate the issue in a lab with 10 users. Anyway it was sent to the product team to investigate. Next update came and the feature was "deprecated". Thanks Microsoft. I landed up having to loop through thousands of sites to get some data which took an hour plus (their API getting overloaded) versus getting the data in 1 API call and a minute of execution.
This was meant to be an interim solution for a month or 3. It was still in use 4 years later, when it was really broken with all the API/PS Module updates....
bmfrade@reddit
why do they even deprecate these ps modules and then make things 10x harder?
chrissb1e@reddit
I spent most of the day trying to install the module and I failed at that
chaosphere_mk@reddit
Huh? It's literally just Install-Module -Name Microsoft.Graph
What were you struggling with?
knowsshit@reddit
Graph puts a lot of folders and files in my Documents folder that OneDrive doesn't like and it starts complaining. I got annoyed and deleted them. I wish you could exclude certain folders in onedrive...
icebreaker374@reddit
I gave up on Graph PowerShell early on and switched to the API.
Mntz@reddit
This is the way
Drakoolya@reddit
Sorry can you explain, I thought Graph was the api.
moe681@reddit
You can either use the api through powershell modules or you can skip the modules and talk to the endpoint directly through invoke-restmethod instead.
enceladus7@reddit
You can interact with the Graph API directly e.g.
Or use the Graph PowerShell Modules, which are the Graph API endpoints wrapped into modules e.g.
Often the modules are half baked, and doing it directly can actually be easier. Especially when it comes to annoyances like different version dependencies for different graph modules and 'Assembly with name already loaded' that the modules often do.
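The "talk to the endpoint directly" path from the last three comments, as an added example (not enceladus7's or moe681's code): a client-credentials token from Entra ID, then Invoke-RestMethod against the same transitiveMemberOf collection with the @odata.nextLink paging loop that the module's -All switch hides. It assumes an app registration holding the application permission Directory.Read.All; the tenant id, client id and UPN are placeholders or constructed values, and the function names are this example's own.

```powershell
# Added example, not code from the thread: call Microsoft Graph without the SDK modules.
# Assumes an app registration with the Directory.Read.All application permission.
# The token request (client credentials, v2.0 endpoint) and @odata.nextLink paging are
# standard Entra ID / Graph behaviour; every id below is a placeholder.

function Get-GraphAppToken {
    param(
        [Parameter(Mandatory)][string] $TenantId,
        [Parameter(Mandatory)][string] $ClientId,
        [Parameter(Mandatory)][securestring] $ClientSecret
    )
    # Decrypt the secret only for the duration of the request body.
    $plain = [System.Net.NetworkCredential]::new('', $ClientSecret).Password
    $body = @{
        client_id     = $ClientId
        client_secret = $plain
        scope         = 'https://graph.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }
    $resp = Invoke-RestMethod -Method Post -Body $body `
        -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
    $resp.access_token
}

function Get-GraphCollection {
    # Streams every item of a paged collection; the SDK's -All switch hides this loop.
    param(
        [Parameter(Mandatory)][string] $Uri,
        [Parameter(Mandatory)][string] $Token
    )
    $headers = @{ Authorization = "Bearer $Token"; Accept = 'application/json' }
    while ($Uri) {
        $page = Invoke-RestMethod -Method Get -Uri $Uri -Headers $headers
        $page.value
        $Uri = $page.'@odata.nextLink'   # absent on the last page, which ends the loop
    }
}

$tenantId = '<tenant-id>'        # placeholder
$clientId = '<app-client-id>'    # placeholder
$secret   = Read-Host -Prompt 'Client secret' -AsSecureString
$token    = Get-GraphAppToken -TenantId $tenantId -ClientId $clientId -ClientSecret $secret

$upn    = 'someone@contoso.example'   # constructed
$select = 'id,displayName,mailEnabled,securityEnabled,groupTypes,onPremisesLastSyncDateTime'

# Casting the collection to microsoft.graph.group drops directory roles from the result
# and lets $select name group-only properties, which then arrive as plain fields
# instead of being tucked into AdditionalProperties as the module does.
$uri = "https://graph.microsoft.com/v1.0/users/$upn/transitiveMemberOf/microsoft.graph.group?`$select=$select"
Get-GraphCollection -Uri $uri -Token $token |
    Select-Object displayName, mailEnabled, securityEnabled, groupTypes, onPremisesLastSyncDateTime |
    Format-Table -AutoSize
```

Because the result is exactly the JSON Graph returns, a property rename on Microsoft's side shows up as a missing column here rather than as a cmdlet throwing; checking for the expected properties on the first page is a cheap way to catch that kind of silent change early.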
incompetentjaun@reddit
That’s the direction I’m headed as well. Yay for learning?
TU4AR@reddit
You hate it? I guess I'll push it through prod.
Lmk once you start getting used to it, I'll release MS. Viewport, the follow-up.
hoeskioeh@reddit
The worst thing?
These inconsistencies and weird lookups will stay with us for the foreseeable future.
"Backwards compatibility"
zerotol4@reddit
The powershell module is probably being largely auto-generated directly from the graph API, which is designed for developers, not IT users. Which is why you get objects in other objects etc. It's not very nice to use and the folks at MS making the decisions on this are probably not the ones using it.
whitefox040@reddit
This is the reason I switched to using the Microsoft API and coding it in GoLang/Rust. I’m over modules expiring and constantly updating scripts. I only use powershell as a last resort, it’s still definitely useful but damn am I glad I ditched it where there’s alternatives
pabskamai@reddit
It all started with hosting exchange in their servers, I never signed up for all of this BS.
Section212@reddit
This....
dustojnikhummer@reddit
We were just thinking about building these onboarding scripts (currently manually) and seeing your posts makes me reconsider this decision.
SwiftSloth1892@reddit
And what if I don't want to be a full blown programmer... I was doing just fine scripting in powershell. Took me a week to replace a simple deprecated command with graph.
ccosby@reddit
I moved our internal onboarding and offboarding script to graph earlier this year along with everything else we had scripted that was running the deprecated modules. Ended up having to use beta graph for a bunch of it. Really haven't been impressed overall.
ParinoidPanda@reddit
Ironically, the Microsoft.Graph.Beta version of graph has more functionality and has so far had the commands missing from MSOnline and AzureAD modules that didn't make it to MG.
chaosphere_mk@reddit
You want the Entra powershell module and you can enable the aliases for the Azure AD module or learn the equivalent Entra module commands.
Graph module is there to allow you to do whatever you want.
So not sure you should be getting angry. You just didn't know.
sham_hatwitch@reddit (OP)
The Entra Module still doesn't change the properties. It won't tell you that a group is a mail-enabled-security, you have to deduce that from the various properties it spits out.
elpollodiablox@reddit
Graph Explorer helps take some of the pain out of it for me, but yes, how granular it is makes me insane sometimes.
Grrl_geek@reddit
Graph BLOWS.
JohnL101669@reddit
Graph commands are powerful but yes, learning to use them sucks ass as base commands are very lacking. Keep at it. There are ways to get what you need but you have to do some tricky coding to get it.
nsdeman@reddit
Have you tried the Entra PowerShell module?
I've not used it myself but feel free to have a read here
VeryRareHuman@reddit
I am very lucky that the wall is close to my desk in the office. I can go bang on the wall before and after I write a script based on graph. PowerShell is not fun when we use Graph! It's a mess.
gorramfrakker@reddit
Yells at cloud.
W3tTaint@reddit
Get off my lawn!