I hate Graph powershell as a replacement for the AzureAD module
Posted by sham_hatwitch@reddit | sysadmin | 161 comments
I am updating our user onboarding script to not use the AzureAD module.
I used to have a very simple check to find groups that are not synced from on-prem and are not mail-enabled security (if so it would go to ExchangeOnline).
Trying to do this in Graph feels like the wheel was reinvented. Some properties are in -Property, others are buried in .GroupDetails, OnPremisesSyncEnabled can't be retrieved so instead I need to get the last sync time and select ones that are Null.
Oh and you can't just search for groups the user is a member of, it doesn't find them all so you have to do a Get-MgUserTransitiveMemberOf instead.
I can't even figure out the GroupType, it outputs "dynamic" for a dynamic group, and Null for every other group, it seems types like unified, mail enabled, etc... are buried in different properties all over the place.
Worst of all is if you ask Co-Pilot for help, it will confidently spit out commands that error because the property it's calling doesn't exist, then you will tell it that didn't work, it'll try something else that doesn't work, then if you complain it will spit out the first non-working command again.
nurbleyburbler@reddit
So any idea what to even look for to learn about this? I am not even sure what to Google. I just want to know what I need to know to manage Exchange online, 365 and basic Entra ID crap.
It sounds like I might need to take a programming class. APIs are scary dev stuff. PS is fine.
nurbleyburbler@reddit
Yuck. If I have to learn how to use APIs just to manage freaking email I am going to be so pissed. I barely got good with PS. API stuff is intimidating AF
MattHashTwo@reddit
I don't know if this would be of help to you?
https://learn.microsoft.com/en-us/powershell/microsoftgraph/azuread-msoline-cmdlet-map?view=graph-powershell-1.0&pivots=azure-ad-powershell
It took me some getting used to but that made the migration much easier. Also Graph explorer, and selecting "beta" when working with some cmdlets gives you better results.
icebreaker374@reddit
I gave up on Graph PowerShell early on and switched to the API.
Drakoolya@reddit
Sorry can you explain, I thought Graph was the api.
enceladus7@reddit
You can interact with the Graph API directly e.g.
Or use the Graph PowerShell Modules, which are the Graph API endpoints wrapped into modules e.g.
Often the modules are half baked, and doing it directly can actually be easier. Especially when it comes to annoyances like different version dependencies for different graph modules and 'Assembly with name already loaded' that the modules often do.
tmontney@reddit
I'd recommend using Invoke-MgGraphRequest. That way you can still use Connect-MgGraphRequest, instead of getting and maintaining the auth token yourself.
iama_bad_person@reddit
Ooo thanks for the tip, was already starting to think about managing it when I read about using Invoke-RestMethod
tmontney@reddit
It's surprising the amount of recent documentation or MS Github samples that don't use that cmdlet. At least 100 lines of them fetching and managing the token manually.
Drakoolya@reddit
Thanks so much for the explanation.
moe681@reddit
You can either use the api through powershell modules or you can skip the modules and talk to the endpoint directly through invoke-restmethod instead.
jao_en_rong@reddit
I started with the API, then moved to graph cmdlets when they became more stable. Still have lots of issues between DLL and assembly mismatches between the MgGraph and Az modules, so when I have to use both, I revert to the API.
The real killer is the AutoREST cmdlet generation off the API endpoint. So instead of having a single get-azureaduser, we have 507 get-mguser cmds. And don't forget duplicates for get-mgbetauser.
And no single way to get ALL properties. Get-mgbetauser will return all of the base properties, but there are a bunch that will not return unless you explicitly call it with the -property parameter on either API profile. You have to know what these are ahead of time to include them. Plus nested properties outside of .AdditionalProperties that may or may not work with -expandproperty (because it's not a navigational property).
icebreaker374@reddit
For that exact reason I use the API and review the resource types JSON representation.
jao_en_rong@reddit
One of dozens of links I have saved, been down that page at least a hundred times and find stuff that's not documented. Part of it is I'm not the best at following documentation. I miss the old MSDN and technet pages.
Mntz@reddit
This is the way
incompetentjaun@reddit
That’s the direction I’m headed as well. Yay for learning?
racomaizer@reddit
We are releasing all the Lego bricks and you can do whatever you want with them. Oh you want a completed dragon with those Lego? Nah you have to flex your creativity, and we have already provided you all the foundation, aren’t you thankful?! /s
sham_hatwitch@reddit (OP)
I find it's even worse than that, it's like half the bricks have Kinex connectors too.
Like if I could just retrieve an object and see every kind of property about it in 1 spot I would be happy.
Alaknar@reddit
How about, instead of that, we give you a -filter parameter that takes completely different input format in various cmdlets and never document what that format is?
sham_hatwitch@reddit (OP)
How about we give you a cmdlet to retrieve groups, but we don’t tell you it can’t retrieve all groups, for that we’ve made a selector -all. And we won’t tell you that it’s not possible to filter with this selector, and the documentation describes it as “list all pages”
Good luck!
aes_gcm@reddit
I loved K'nex, how dare you.
DiseaseDeathDecay@reddit
I've felt this way about powershell modules for like 10 years.
It's like the people making the modules don't really use powershell very much. One module will want you to pipe commands and not really work if you don't, and the next piping just doesn't work.
Some are good about the default output from a cmdlet being the actual object, and the next one will constantly spit out constructed members that don't actually exist so you have to start digging if you want to do anything with the data.
Then there's just the junk that you're talking about where stuff is hidden with no good, obvious way to get it without reading documentation, which just blatantly goes against the design philosophy of powershell usage being discoverable.
sham_hatwitch@reddit (OP)
For real, why does the admin panel tell me that a group is a "mail-enabled security" or "M365 Group", but there is no such descriptor in the object properties, I have to calculate it based on other properties?
Don't even get me started on how Graph/Entra has no authority to manage Exchange Online or On-Prem objects, but do you think the documentation for the cmdlets might mention that? No chance in hell.
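The calculation described above, as an added example that is not code from the thread: it derives the portal's group label from the Graph group properties GroupTypes, MailEnabled, SecurityEnabled and OnPremisesSyncEnabled, and notes where membership changes have to be made. The function name, the output labels and the sample groups are assumptions made for illustration.

```powershell
# Added example: classify a group from the properties Graph exposes.
# The sample groups at the bottom are constructed, not real directory objects.
function Get-GroupKind {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Group
    )
    process {
        # GroupTypes is a collection: 'Unified' marks a Microsoft 365 group and
        # 'DynamicMembership' marks rule-based membership. Both can be present.
        $types     = @($Group.GroupTypes)
        $isUnified = $types -contains 'Unified'
        $isDynamic = $types -contains 'DynamicMembership'
        $mail      = [bool]$Group.MailEnabled
        $security  = [bool]$Group.SecurityEnabled
        # A group that was never synced reports $null here rather than $false.
        $synced    = [bool]$Group.OnPremisesSyncEnabled

        if     ($isUnified)           { $kind = 'Microsoft 365' }
        elseif ($mail -and $security) { $kind = 'Mail-enabled security' }
        elseif ($mail)                { $kind = 'Distribution' }
        elseif ($security)            { $kind = 'Security' }
        else                          { $kind = 'Unknown' }

        # Where a membership change has to be made for this group.
        if     ($synced)              { $manageIn = 'On-premises AD' }
        elseif ($kind -in 'Mail-enabled security', 'Distribution') {
            $manageIn = 'Exchange Online'
        }
        elseif ($isDynamic)           { $manageIn = 'Membership rule' }
        elseif ($kind -eq 'Unknown')  { $manageIn = 'Review manually' }
        else                          { $manageIn = 'Graph' }

        [pscustomobject]@{
            DisplayName = $Group.DisplayName
            Kind        = $kind
            Dynamic     = $isDynamic
            Synced      = $synced
            ManageIn    = $manageIn
        }
    }
}

# Constructed sample objects shaped like Get-MgGroup output.
$sampleGroups = @(
    [pscustomobject]@{ DisplayName = 'CONSTRUCTED-Project-Team'; GroupTypes = @('Unified')
                       MailEnabled = $true;  SecurityEnabled = $false; OnPremisesSyncEnabled = $null }
    [pscustomobject]@{ DisplayName = 'CONSTRUCTED-Finance-MESG'; GroupTypes = @()
                       MailEnabled = $true;  SecurityEnabled = $true;  OnPremisesSyncEnabled = $null }
    [pscustomobject]@{ DisplayName = 'CONSTRUCTED-Newsletter-DL'; GroupTypes = @()
                       MailEnabled = $true;  SecurityEnabled = $false; OnPremisesSyncEnabled = $null }
    [pscustomobject]@{ DisplayName = 'CONSTRUCTED-VPN-Users'; GroupTypes = @()
                       MailEnabled = $false; SecurityEnabled = $true;  OnPremisesSyncEnabled = $true }
    [pscustomobject]@{ DisplayName = 'CONSTRUCTED-All-Staff-Dynamic'; GroupTypes = @('DynamicMembership')
                       MailEnabled = $false; SecurityEnabled = $true;  OnPremisesSyncEnabled = $null }
    [pscustomobject]@{ DisplayName = 'CONSTRUCTED-Intune-Pilot'; GroupTypes = @()
                       MailEnabled = $false; SecurityEnabled = $true;  OnPremisesSyncEnabled = $null }
)

$sampleGroups | Get-GroupKind | Format-Table -AutoSize

# Against a tenant the same function takes pipeline input, for example:
#   Get-MgGroup -All -Property Id,DisplayName,GroupTypes,MailEnabled,SecurityEnabled,OnPremisesSyncEnabled |
#       Get-GroupKind
```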
DiseaseDeathDecay@reddit
I'm just getting Azure Update Manager spun up and it's really frustrating that the portal for VMs and for Azure Update Manager can list all VMs, but if you want to do that with PowerShell you have to jump through hoops. Like, I know you can read/edit VMs in other subscriptions\contexts, why is there no way to say, "Gimme all my VMs?"
racomaizer@reddit
Get creative and make your own adapter ;)
Honestly I “feel” most software companies are doing this to outsource development to users…
Any_Particular_Day@reddit
“Get creative and make your own adapter ;)”
Like the early days of Linux… oh, your video card isn’t supported? Just write your own device drivers, n00b
william_tate@reddit
Linux would be considered more stable and reliable than Microsoft at this point. Keeping abreast of all the changes and trying to work Graph is retarded. I actually want to go and do something else but I’m stuck at the moment.
Any_Particular_Day@reddit
My comment was from something I was told when I was messing around with Linux some 20+ years ago. Pretty much put me off at the time and it wasn’t until Ubuntu came along with its make-it-easier ethos I got back into it.
Like the OP, I struggle with what little I have to do in Graph. Just glad we’re still running hybrid so 95% of my interactions are local AD.
AGsec@reddit
Crowd sourcing is becoming more and more popular. Even support is crowd sourced. Why have dedicated engineers and support teams working to solve a problem and present a solution to paying customers, when you can give them a message board and let them figure it out themselves?
7ep3s@reddit
the problem is i spend more time building adapters than implementing useful code...
dodexahedron@reddit
Man. When I was a kid, a grandma bought me knex instead of Legos one Christmas, when all I had were tons of legos... and it was some sort of random parts assortment, too - not an actual kit to build a thing. 🤦♂️
So I had this one oddball little space ship I made out of the set, which was forever the red-headed step child of my collection
But it's still intact, as are most of my favorite Lego creations, 20+ years later. 😅
DiseaseDeathDecay@reddit
How about getting one of the first sets of Mega Bloks that was this awesome tank and then not realizing until after mixing the bricks with my giant crate full of Legos that they didn't fit perfect and would pop off of Legos after a bit.
Like, they seemed like they fit when you were assembling, but they would just snap off eventually.
Sorting them out wasn't horrible because they were this military green that Lego didn't use, but it was still annoying and disappointing. Luckily for me I was a teenager and not super invested in Legos anymore, but my little brother was so salty about them.
sham_hatwitch@reddit (OP)
You have to get a pic of that!
fatbergsghost@reddit
This. I'm never going to complain about Lego. If people are able to make more creative and inventive stuff out of Lego than I can, I'm still going to enjoy my blocky little house, and wonder if I can make a horsie out of it one day.
At the end of the day, the block connects to the other block, and that's all you need to know. Give me that, and none of the time I can spend trying to use it is going to be wasted. It just turns out that I know more about 2x2 blocks than I do about 2x8 blocks and those weird curved pieces.
I feel like at this point there's not really a way to dive into this that feels like it would teach me anything all that useful.
cantstandmyownfeed@reddit
It'd be nice if I could learn something and for it be relevant for more than 14 minutes.
OutsidePerson5@reddit
Yeah, I've been working with pnp-powershell and it's like guys I get that you're improving but JFC man the docs aren't able to keep up with the releases, changes, and alterations so now when you check the docs you have no idea if the command they're referring to is the same, deprecated, changed, or something else entirely.
reddit_is_sh1tty@reddit
as someone who never used the pnp stuff to having to restore 20 million deleted Sharepoint files, I feel this. Then 3 people at my company asked me how I got it to work. Mind you, MS Support pointed them to this solution and the docs but they didn’t get far.
OutsidePerson5@reddit
I think SharePoint is a total shitshow and I cannot believe it's a decade old product they think is ready for prime time.
I got turned into my org's SharePoint admin and it's like every day I find something really damn basic it just can't do without a convoluted powershell script and sometimes it doesn't work even with powershell.
Like, adding group/person A with permission B to all items in a site.
You could do that in every damn file server version since NT. But not SharePoint.
UNKN@reddit
I recently tried importing an Excel file into a SharePoint list only to find out the data has to be in a Table format. So now I have to create a script to take these auto-generated Excel files and put their data into table form. Seems simple enough but why, why make that required.
ipreferanothername@reddit
the way microsoft products interoperate is insanely bad at times. windows infra/ AD/MECM guy here, i do loads of powershell
MECM doesnt like verbose output from scripts. powershell natively knows when to ignore it - so lets say you populate $stuff = @(get-childitem -path 'c:\windows\ccm' -recurse -verbose)
powershell is fine with it, the array wont have verbose output if it appears - you will see it in the shell, but not the array afterwards.
mecm just shits itself, says OH THERES OUTPUT, and decides your script is done and happy and it can ignore other stuff you wanted to do, like....detect an app install or something.
its a huge company with a ton of products that...are just aggravating AF to work with way too often
SecurityHamster@reddit
Different groups doing their own thing and then being tied together at the end.
My favorite? pim roles.
Privileged access admin role lasts up to 9 hours. All the others cap at 8
You need security admin to access everything in the security dashboard, while most areas of the compliance dashboard require compliance admin. Most. Not all. Some require security admin instead. It’s aggravating never being sure which role to PIM into.
raip@reddit
The duration of PIM role activation is a configuration option. We have all of ours set for 10 hours.
We also have our roles tied to groups and you activate the groups, because we didn't want to create custom roles for people and numerous teams are expected to have various roles active. IE: our SharePoint admins also manage exchange and teams, their team is called Workspace Admins. We assigned all the admin roles to a group called Workspace Admin and they just activate that group when they start their shift. This strategy might help your woes with PIM.
SecurityHamster@reddit
This is great to know. I’m obviously not the one who configures this, but I will have a conversation and see if we can at least bump up the lengths of the other roles, if not creating a group that ties them together.
Federal_Ad2455@reddit
Great is that it doesn't support fido auth. The pnp module kind of does but not for all commands 😒
Willuz@reddit
You forgot the "s" on the end of decade. SharePoint is 24 years old and hasn't improved since I was a SharePoint admin back in 2002.
DiseaseDeathDecay@reddit
Are the built-in powershell help tools kept up-to-date?
OutsidePerson5@reddit
Maybe? Often my issue isn't the options for a command but rather the existence of a command.
Is it pnp-getfolderfolder or is it pnp-getfolderinfolder or is it pnp-getfolders? Good luck figuring it out because at some point it's been all three, online resources reference all three, but only one is valid now.
DiseaseDeathDecay@reddit
Does get-command get-folder return ones that are no longer valid?
OutsidePerson5@reddit
Well now I feel stupid. Thanks!
DiseaseDeathDecay@reddit
You can also specify a module with get-command.
I also use get-help a lot with -examples, -parameters, or -online a decent amount too.
lvlint67@reddit
Most of my bash scripts still work... have had to update things for systemd over the years....
Windows admins live in a special kind of hell... Microsoft doesn't want you rolling your own automation. Pay them or don't get it.
senateurDupont@reddit
The older I get, the more I realize that the breakneck speed at which things change in IT is not caused by innovation but by a lack of maturity that our industry maintains because there is money to be made in reinventing the wheel.
Pict@reddit
This factor has largely led to me checking out a bit, and planning to “retire” from the industry before I am well and truly too old to keep up.
It’s depressing as fuck.
ipreferanothername@reddit
i worry about needing the same , and im in an odd place over it
my team is the windows infra team - AD, windows servers, citrix, MECM, DNS, etc. my manager is chill and not REMOTELY assertive, and most of the team are old luddites afraid of change and deathly afraid of using any shell or text file to do work. its crazy. its Healthcare, so we are always behind the IT curve - we have no cloud infra to even test or toy with. and honestly, the on prem infra is shit - its up to date, but the management and configuration is awful for 95% of whats out there. its often done by hand, inconsistently, at random, without notification.
so anyway, i dont HAVE To keep up with much of a learning curve currently - thats nice, it lets me get other work done, right?
but its not great for my career long term. now, my wife is disabled, i WFH and can take decent care of her in my role. if i had a new job i wouldnt have that luxury, probably - my manager is chill and happy with me so i can get away with a lot. if i want a new job? oy....it wont be in cloud anything, i never touched it! wont be using newer languages or even PS Core/7 or something, because....im just doing on prem windows work.
im learning mecm and powerbi but i dont really enjoy them, its just all i can grab onto this minute to try and keep the resume fresh. powerbi is a big pain in the ass, and i HATE MECM for so many reasons :-/
sham_hatwitch@reddit (OP)
I am in the financial world, and we are generally ahead of the curve, E5 licensing, defender atp up the ying yang, full on Intune and Autopilot.
For the most part I've enjoyed learning all of it, but graph powershell is just one thing that makes me want to pull my hair out.
william_tate@reddit
Me too
snottyz@reddit
Ugh so much this. I only have to mess with Entra powershell stuff periodically and every time I go back to it I'm basically starting from scratch. I can't keep up with all the new stuff in all of my systems, it just keeps coming.
imrand@reddit
Why improve an existing product when they can release a new one? I'm sure new products look better on their yearly reviews and resumes.
ITGuyThrow07@reddit
I thought the idea behind Graph was that it was consolidating everything, but they of course just released a new Azure module.
PoopingWhilePosting@reddit
And that's why I've given up and just counting down the years until retirement. I don't have the time, energy or inclination to keep up with this nonsense.
senectus@reddit
I feel this comment
ez_doge_lol@reddit
Shuttup you fly, your life cycle is 24 hours 😉
fdeyso@reddit
You can use the graph explorer for finding the right command/api template, it makes them figuring out a bit easier, but i still hate it.
What’s next? Submitting code in Assembly to the cloud servers?
Jmoste@reddit
There is a new module called microsoft.graph.entra.
I haven't used it but it might have some better functionality.
I'm just building my own wrapper functions because it so terrible to work with. I hate having named parameters and using GUIDs for everything.
So for get-mggroup, I do a try catch block. The try looks for the group by id and the catch uses a filter by displayname. I'm working on a parameter set right now that makes filtering a little better. I'm thinking if a * is the first character is do a startswith filter and if it's the last character do a endswith.
My add group member/owner uses upn and you don't need to make the uri or odata.
Oh I also have pipeline input. Trying to get a few more functions done before I publish.
End of story, graph is an annoying beast.
VeryRareHuman@reddit
I am try this module! But I have no hope! It's based on MS Graph!
SheepsFE@reddit
From experience it abstracts away a lot of the stuff that makes graph irritating, so it's worth trying
VeryRareHuman@reddit
At this point after 20 scripts with Graph, now I can try anything.
realslacker@reddit
If the string matches '.+@.+\..+' or you can cast it to a GUID you can use it in the UserId field, otherwise do your fallback. If you always try one and wait for failure you are eating up the API calls unnecessarily.
Jmoste@reddit
Yeah I'm trying to work on some logic especially for group and device names.
I would much rather be able to search for XXX-TIER1 than a guid. Maybe using regex to match the guid pattern would work. I'll give it a try.
realslacker@reddit
You can do something like:
if ( $UserId -as [GUID] ) {
    # use GUID
}
If the cast fails the result is false, otherwise the string is a valid GUID.
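The pre-check discussed in the comments above, as an added example that is not code from the thread: it decides locally whether an input is an object ID, a UPN or a display name, so no Graph call is spent on a lookup that is certain to fail, and it quotes the value as an OData string literal before it goes into a filter. The function name and the sample inputs are assumptions made for illustration.

```powershell
# Added example: classify an identifier before calling Graph.
# All sample inputs at the bottom are constructed.
function Resolve-DirectoryLookup {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Identity
    )
    process {
        $value = $Identity.Trim()

        # TryParse accepts the same shapes as "-as [guid]" (with or without
        # dashes or braces); ToString() normalises to the dashed form Graph uses.
        $guid = [guid]::Empty
        if ([guid]::TryParse($value, [ref]$guid)) {
            return [pscustomobject]@{
                Input  = $Identity
                Kind   = 'ObjectId'
                Id     = $guid.ToString()
                Filter = $null
            }
        }

        # OData string literals are single-quoted; an embedded single quote is
        # doubled. Without this a name such as O'Brien breaks the filter, and
        # caller-supplied text could change what the filter matches.
        $literal = "'" + $value.Replace("'", "''") + "'"

        # Anchored UPN shape: one @, no whitespace, a dot in the domain part.
        if ($value -match '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
            return [pscustomobject]@{
                Input  = $Identity
                Kind   = 'UserPrincipalName'
                Id     = $null
                Filter = "userPrincipalName eq $literal"
            }
        }

        # Anything else is treated as a display name (group or device names
        # such as XXX-TIER1 land here).
        [pscustomobject]@{
            Input  = $Identity
            Kind   = 'DisplayName'
            Id     = $null
            Filter = "displayName eq $literal"
        }
    }
}

# Constructed sample inputs.
$samples = @(
    '3f2504e0-4f89-41d3-9a0c-0305e82c3301'      # dashed GUID
    '{3F2504E04F8941D39A0C0305E82C3301}'        # same GUID, braces and no dashes
    "pat.o'brien@contoso.example"               # UPN containing a single quote
    'XXX-TIER1'                                 # display name
    "Finance 'Tier1' Admins"                    # display name with quotes
)

$samples | Resolve-DirectoryLookup | Format-Table -AutoSize -Wrap

# With a live connection the result picks the call, for example:
#   $r = Resolve-DirectoryLookup 'XXX-TIER1'
#   if ($r.Kind -eq 'ObjectId') { Get-MgGroup -GroupId $r.Id }
#   else                        { Get-MgGroup -Filter $r.Filter }
```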
Alaknar@reddit
Is this the released Microsoft.Graph.Beta or something completely different?
sham_hatwitch@reddit (OP)
Interesting, I will look into that.
Dynamic groups for memberships is a bigger battle we are fighting for, but in the mean time we are cloning the groups from an existing user, and I need to do a bunch of crap like exclude committees, only find groups that graph is capable of adding (maybe another route will just be to try every group and ignore errors), then go to ExchangeOnline for everything else.
peacefinder@reddit
I went through this a couple years ago. My conclusion was that the mg-graph module for powershell is quarter-assed, and not worth the pain and suffering.
I pulled up Graph Explorer and learned to do it with API calls directly, and am now much happier. Hell of a learning curve though.
chrissb1e@reddit
I spent most of the day trying to install the module and I failed at that
chaosphere_mk@reddit
Huh? It's literally just Install-Module -Name Microsoft.Graph
What were you struggling with?
knowsshit@reddit
Graph puts a lot of folders and files in my Documents folder that OneDrive doesn't like and it starts complaining. I got annoyed and deleted them. I wish you could exclude certain folders in onedrive...
chaosphere_mk@reddit
Set the powershell and windows powershell folders to always available offline.
You'll have to do this on each computer that the modules are installed on.
knowsshit@reddit
How does that help? That just means that OneDrive will always download copies of the files from the cloud. It doesn't stop OneDrive from trying to sync the folders to the cloud, which is what it doesn't like to do.
chaosphere_mk@reddit
Well at the very least, it won't ever switch to files on demand, which is its own layer of problems.
I feel you on this though. I tried to cobble together a solution to this and the only one I could come up with is changing your default powershell path, which I don't like to do. So I dont.
Zeggitt@reddit
Installing the entire module like that can take ages and/or time out. Better to just install the parts you need.
chaosphere_mk@reddit
It doesn't take that long...
Personally, I've never seen it time out and I've installed this module at least 50 times. Not to say that others haven't experienced that.
Zeggitt@reddit
It's taken close to an hour for me before, but its entirely possible it's my network/some other environmental factor.
sham_hatwitch@reddit (OP)
Installing the module isn't so much the problem its the import. You should connect with the scope of required permissions only, and import only the cmdlets for those scopes.
chrissb1e@reddit
I guess I technically got it installed. But every time I try to interact with it it's like it's not there
chaosphere_mk@reddit
After you install it, close out of powershell and re-open powershell.
Also, if your documents folder is redirected to OneDrive, then set the powershell and windows powershell folders to be "always available offline" before you install the module.
chrissb1e@reddit
Turns out it was an easy fix. I followed your steps but was still having the same problem. I then actually read the top of the documentation and tried Powershell 7 and I can finally log in. I will take me being incompetent as the problem over a vendor problem any day.
wakko666@reddit
laughs in Bash
Maybe just install WSL and use tools that understand the concept of stable user interfaces?
rcp9ty@reddit
I hate powershell can we just go back to visual basic and batch files.... This is how you sound right now.
Not every new technology is going to work the way you expect it to work and be glad you have AI to try and help you find the answers instead of 1000 page books where learning meant reading it and using it as a reference and the exact answer was found through trial and error.
tmontney@reddit
As someone who's been working with MS Cloud API's for PowerShell for years, this is NOT what he (or anyone else here) is saying. The AzureAD module was great, and their transition to MgGraph simply wasn't great.
More than not, the documentation is incomplete or a straight up placeholder. AI isn't much better as it's using available information, so it will simply give you a non-existent cmdlet or a real cmdlet with a fake parameter. This isn't a matter of knowing how to use PowerShell, but how to use their libraries.
sham_hatwitch@reddit (OP)
I will give you the perfect example of this...
If I do a Get-MGGroup filtered by DisplayName "contoso group" and view the details, I can see ContosoGroup has a grouptypes of unified.
If I then do a Get-MGGroup filtered by type unified, it outputs many groups, but contoso is not there.
I learned that Get-MGGroup -all somehow finds extra groups. But go to the Documentation of Get-MGGroup: https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.groups/get-mggroup?view=graph-powershell-1.0
It describes Get-MGGroup's cmdlet as
This example retrieves a list of groups.
No explanation of what groups.
If I scroll down to the description of -all, it is
List all pages.
How on earth does this make sense, this is mental.
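What "List all pages" refers to, as an added example that is not code from the thread or from Microsoft's documentation: Graph returns a collection one page at a time, each page carrying an @odata.nextLink to the next, so a result read without following those links is only the first page. The function name, the -Fetch parameter and the paged responses below are assumptions constructed so the loop runs offline; with a live session the default fetcher uses Invoke-MgGraphRequest, as recommended earlier in the thread.

```powershell
# Added example: follow @odata.nextLink until the collection is exhausted.
function Get-GraphAllPages {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Uri,
        # Hypothetical injection point so the loop can be exercised offline.
        # Invoke-MgGraphRequest returns a hashtable by default.
        [scriptblock]$Fetch = { param($u) Invoke-MgGraphRequest -Method GET -Uri $u },
        [int]$MaxPages = 1000
    )

    $next  = $Uri
    $seen  = [System.Collections.Generic.HashSet[string]]::new()
    $count = 0

    while ($next) {
        # Guard against a repeated link or a runaway loop.
        if (-not $seen.Add($next)) { throw "nextLink repeated: $next" }
        $count++
        if ($count -gt $MaxPages) { throw "Stopped after $MaxPages pages" }

        $page = & $Fetch $next

        # Emit each item of this page to the pipeline.
        foreach ($item in $page['value']) { $item }

        # Absent on the last page, which ends the loop.
        $next = $page['@odata.nextLink']
    }
}

# Constructed responses: three groups spread over two pages.
$firstUri  = 'https://graph.microsoft.com/v1.0/groups?$top=2'
$secondUri = 'https://graph.microsoft.com/v1.0/groups?$top=2&$skiptoken=CONSTRUCTED'

$samplePages = @{
    $firstUri = @{
        value = @(
            @{ displayName = 'CONSTRUCTED-Group-A'; groupTypes = @('Unified') }
            @{ displayName = 'CONSTRUCTED-Group-B'; groupTypes = @() }
        )
        '@odata.nextLink' = $secondUri
    }
    $secondUri = @{
        value = @(
            @{ displayName = 'CONSTRUCTED-Group-C'; groupTypes = @('Unified') }
        )
    }
}
$mockFetch = { param($u) $samplePages[$u] }

# Reading only the first response returns two groups.
$firstPageOnly = @((& $mockFetch $firstUri)['value'])

# Following the links returns all three, including the second Unified group.
$allGroups = @(Get-GraphAllPages -Uri $firstUri -Fetch $mockFetch)

"First page only : {0} groups" -f $firstPageOnly.Count
"All pages       : {0} groups" -f $allGroups.Count
$allGroups | ForEach-Object { $_['displayName'] }
```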
sham_hatwitch@reddit (OP)
If that were true then Microsoft wouldn't be working on Graph.Entra, which is a hand-written module.
rcp9ty@reddit
We all hate the learning process equally. AI won't have all the answers just like the books didn't have the exact answer I was looking for either. I wish you luck my friend. I don't have the answer you're looking for but I can say I understand the process of learning something new when you're used to something old. I miss the days where the only command I needed to know was for changing the drive letter and running doom.exe or dukenukem.exe or pinball.exe ( epic pinball ) but things always change. If all else fails you can always ask people for help finding an alternative to what you're doing or a different resource besides something that can't even follow basic Boolean functions. If I tell copilot or chatgpt or Gemini to find me videos that are not ASMR all my results are ASMR... Thus I gave up on AI doing my work for me.
fatbergsghost@reddit
The books existed specifically to teach people how things worked. It didn't have all the answers, but it would give you an overview from which you should have expected to extrapolate and do some learning.
The problem with AI is that it doesn't exist for that purpose. It exists to give you the answer, without you having to learn, and that's a problem because AI doesn't know the answer, and it doesn't go away and learn about your specific use case, and specific problem, and the problems you're experiencing. It also doesn't actually know. It does its best to quickly reference plagiarised sources, but if it doesn't have them, then it will lie to you. Which means that you spend 2 days trying to troubleshoot something that the book would not have told you existed.
Thotaz@reddit
No he's not. He is complaining about the Graph module being a step down which is just the objective truth. The commands are mostly auto generated with ridiculous command and parameter names.
Even Snover has called the graph modules shit on Twitter when asked about them (in a more PC tone of course).
rswwalker@reddit
I only have one thing to say about Graph, I thought PowerShell was supposed to make scripting easier…
Anybody here wish they just wrote some Python modules and been done with it?
m9832@reddit
MSOL gang where you at
iama_bad_person@reddit
I've started doing this for my org and god it is such bullshit. Nice, simple one-line calls to get the data I want and sifting through it after has turned into sometimes 10 lines of Graph bullshit pulling the data I need from different areas.
tankerkiller125real@reddit
I switched to C# when they did that. Seriously, I find it much easier to work with the C# SDKs than dealing with the bullshit that is the Graph PowerShell module.
WantDebianThanks@reddit
My employer decided it would be easier to pay for automation software from a third party than to even try scripting a solution.
And when that company failed to deliver, they repeated with a second company that makes automation software.
When this company fails to deliver, I hope they just let me make something in python.
Flannakis@reddit
What is the main difference between powershell sdk and C#? Is it because c# is a lower level language and you can do more? Just wondering if it’s worth me as an admin to start using C# for graph api
tankerkiller125real@reddit
In my experience (so far) the C# SDK does not require writing JSON directly, and I've been able to do everything with proper functions, classes, objects, etc. with all the type hinting and what not that comes with it.
Honestly, I'd recommend that every IT professional should have at least one good programming language of choice in their toolbox. I love PowerShell scripting just as much as the next Windows Admin, but I have found that a proper programming language (in my case C#) has gotten me out of a lot of tough spots, and made automation much easier in some cases.
Whether C# is for you specifically is for you to decide, there's also of course many other languages to choose from, but given I deal with Microsoft products most often, and Microsoft publishes SDKs for basically all of their products, C# just made the most sense for me (plus it's what the engineering team at work uses).
Confy@reddit
Have you by any chance come across any courses or similar that teach C# from an Operations perspective? As a sysadmin who now works primarily with Azure and other MS Cloud services, I'm really intrigued by the case you've made above.
tankerkiller125real@reddit
I learned just by doing projects (as I've learned basically everything), and some guidance from the engineering team at work. I started in .NET Framework 4.7, and have since migrated to .NET (currently 8 LTS).
Honestly C# and Powershell are incredibly similar (PowerShell can use .NET packages fun fact) so the learning curve is actually fairly straight forward.
ConsoleDev@reddit
You're looking for - "Powershell to C# and Back"
DJTheLQ@reddit
You could copy/paste/tweak the SDK docs example code. But you'd get much further with any intro to C# tutorial.
Flannakis@reddit
Thanks for the comprehensive answer
vermyx@reddit
In a broader sense C# isn't a "lower level" language than powershell. they are both based on dotnet so their relationship is more like cousins. Lower level languages will usually have stricter types around data, allow you to manipulate memory, essentially allow you to break the system easily. Dotnet will usually have more streamlined objects because they are developed under the same team, while powershell modules are developed by the team handling a particular product (i.e. exchange objects are different constructs and ideas vs azuread vs pnp etc. etc. etc.). This is why you will have a more consistent experience with dotnet than with powershell. The thing is that you can instantiate said objects within powershell too, so it is pretty easy to embed c# code into your powershell so you can instantiate the c# objects within powershell. I do this all the time with selenium because selenium pops out c# code and I have a script that basically translates that into powershell to execute. Yes I can compile said code into executables but sometimes im just lazy and dont want to spend the extra few steps and time compiling executables.
brokerceej@reddit
+1 to this. The C# SDKs for Graph are somehow very much easier to work with than the Powershell equivalents. If you're a sysadmin with solid Powershell experience, C# is a very easy transition to make. The syntax is very similar since Powershell rides on top of .NET.
OutsidePerson5@reddit
With the old AzureAD module I could use one command piped to another to mirror user A's groups to user B.
I tried figuring out how to do the same in Graph powershell and... yeah. What you said. It's a flipping nightmare. How the hell can going from one single useful command to a zillion things scattered across dozens of commands and properties be considered an improvement?
It almost seems like they went looking for the most useful functions and killed them out of pure malice.
sham_hatwitch@reddit (OP)
After my rant I did some reading on the new Microsoft.Graph.Entra module, which may bridge the gap between the old module and graph.
It sounds like Graph is basically a wrapper for raw access to the API, which is not necessarily in a traditional powershell format (i.e. the syntax of filtering or expanding something); there were no real use cases in mind. While modules like AzureAD were hand-written with syntax, piping and things like that in mind.
I discovered there are 3 or 4 attributes that will help you deduce what kind of group something is, and edited the OP with it.
Alaknar@reddit
Have you tried recreating your MgGraph shenanigans with the Entra module yet? I'd love to hear if it's actually easier to implement and read by a human person.
I have a bunch of ideas for automation but I just can't get into it, because I'm furious that my 10+ years of honing PowerShell skills was, essentially, time wasted.
OutsidePerson5@reddit
Thanks, that does look better than the raw.
ginolard@reddit
Well, this is a nice find. Seems like a nice middle-ground replacement for AzureAD module
OutsidePerson5@reddit
Or, and I know this is crazy, MS could stop stealing the useful stuff and give us back the thing that worked instead of any middle ground between the thing that worked and a total shitfest that doesn't work.
Not being critical of OP, what they found is definitely better than nothing but I don't really feel generous to MS about things like this. We pay them a fortune and in exchange we get buggy crap that they keep actively making worse. That's not right.
chaosphere_mk@reddit
You want the Entra powershell module and you can enable the aliases for the Azure AD module or learn the equivalent Entra module commands.
Graph module is there to allow you to do whatever you want.
So not sure you should be getting angry. You just didn't know.
sham_hatwitch@reddit (OP)
Oh and also the aliases will stop working when the older modules become deprecated anyway. If I'm going to spend the time to learn and redesign scripts, I'll do it a way that won't cause them to stop working in the near future.
chaosphere_mk@reddit
Oh I totally agree with that. I'm just trying to soften the blow tbh 😅
sham_hatwitch@reddit (OP)
The Entra Module still doesn't change the properties. It won't tell you that a group is a mail-enabled-security, you have to deduce that from the various properties it spits out.
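As an added example (not part of any commenter's post and not Microsoft's code), this is one way to deduce the group kind from the properties discussed above and in the earlier comment about the "3 or 4 attributes". The function name `Get-GroupKind`, the `ManageInGraph` routing rule and the sample objects are assumptions made for illustration; the property names are the ones `Get-MgGroup` returns.

```powershell
# Added example: classify a group from GroupTypes / MailEnabled / SecurityEnabled,
# and treat a null OnPremisesLastSyncDateTime as "cloud-only" (the approach described in the post).
function Get-GroupKind {
    param([Parameter(Mandatory)] $Group)

    $types = @($Group.GroupTypes)          # may be empty or null for classic groups
    $kind = if ($types -contains 'Unified') {
        'Microsoft365'
    } elseif ($Group.MailEnabled -and $Group.SecurityEnabled) {
        'MailEnabledSecurity'
    } elseif ($Group.MailEnabled) {
        'Distribution'
    } elseif ($Group.SecurityEnabled) {
        'Security'
    } else {
        'Unknown'
    }

    $dynamic   = $types -contains 'DynamicMembership'
    $cloudOnly = $null -eq $Group.OnPremisesLastSyncDateTime

    [pscustomobject]@{
        DisplayName   = $Group.DisplayName
        Kind          = $kind
        Dynamic       = $dynamic
        CloudOnly     = $cloudOnly
        # Assumed routing rule: synced groups are changed on-prem, mail-enabled
        # security and distribution groups go to Exchange Online, and dynamic
        # groups get their members from a rule, so only the rest is handled here.
        ManageInGraph = $cloudOnly -and -not $dynamic -and ($kind -in 'Security', 'Microsoft365')
    }
}

# Constructed sample objects so the function runs offline. Against a tenant, feed it from:
#   Get-MgGroup -All -Property 'displayName,groupTypes,mailEnabled,securityEnabled,onPremisesLastSyncDateTime'
$sample = @(
    [pscustomobject]@{ DisplayName = 'SG-Finance';  GroupTypes = @();                             MailEnabled = $false; SecurityEnabled = $true;  OnPremisesLastSyncDateTime = $null }
    [pscustomobject]@{ DisplayName = 'SG-OnPrem';   GroupTypes = @();                             MailEnabled = $false; SecurityEnabled = $true;  OnPremisesLastSyncDateTime = [datetime]'2024-11-01' }
    [pscustomobject]@{ DisplayName = 'MESG-Alerts'; GroupTypes = @();                             MailEnabled = $true;  SecurityEnabled = $true;  OnPremisesLastSyncDateTime = $null }
    [pscustomobject]@{ DisplayName = 'DL-AllStaff'; GroupTypes = @();                             MailEnabled = $true;  SecurityEnabled = $false; OnPremisesLastSyncDateTime = $null }
    [pscustomobject]@{ DisplayName = 'Team-Sales';  GroupTypes = @('Unified');                    MailEnabled = $true;  SecurityEnabled = $false; OnPremisesLastSyncDateTime = $null }
    [pscustomobject]@{ DisplayName = 'Dyn-Interns'; GroupTypes = @('DynamicMembership');          MailEnabled = $false; SecurityEnabled = $true;  OnPremisesLastSyncDateTime = $null }
)

$sample | ForEach-Object { Get-GroupKind -Group $_ } | Format-Table -AutoSize
```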
ParinoidPanda@reddit
Ironically, the Microsoft.Graph.Beta version of graph has more functionality and has so far had the commands missing from MSOnline and AzureAD modules that didn't make it to MG.
sham_hatwitch@reddit (OP)
Right now those commands are basically a backwards compatible type of thing, when the actual modules become deprecated they will stop working.
It's a stopgap designed to help people speed up their migration, but if I'm going to spend x hours to relearn and redesign a script, in my opinion I'd rather do it in a way that's not going to stop working in the near future lol.
pAceMakerTM@reddit
Microsoft has maxed out ADHD
tmontney@reddit
I like the fact they're trying to consolidate. I hate the fact there isn't feature parity or documentation to back it. The whole AdditionalProperties thing feels like a dumping ground, as if it were a placeholder. Far as I can tell, you can't use Filter on them. Makes the whole ODATA thing pretty useless.
Federal_Ad2455@reddit
Yes I hate it too https://doitpshway.com/graph-api-and-microsoft-graph-sdk-module-tips-gotchas 🙂
It took me several months to get used to it
F_Synchro@reddit
Don't get me fucking started on Graph.
Ever since they castrated Intune device management and made it rather mandatory to work with MgGraph my automated intune packaging scripts have been paralyzed/non-functional and I have not been able to fix it at all.
Graph is strong, but it fucking sucks, documentation is all over the place and none of the documentation fits the reality, let alone that Copilot comes with the proper solutions because it tries to go through old documentation (Connect-MsGraph for example...) and keeps providing deprecated solutions.
And the worst part is, once you do get it working, it will break again next fucking week because Microsoft decides a property should no longer return a value because they just renamed the fucking thing.
Absolute god damn ass.
There's no changelog, there's no testing, it's a completely unreliable framework to successfully script/program against.
dnuohxof-1@reddit
But you’re doing the testing. MA customers are QA
/s
GoogleDrummer@reddit
Why the "/s"? I thought this was basically truth at this point.
dodexahedron@reddit
As usual, the new thing also doesn't have everything the old thing has.
But the docs for the only way to do the few things that only the old module can do still insist that you should use the new module and new docs anyway (just the blanket message at top), but that results in a link loop as you go to the "new version" that doesn't have the page and then navigate through the new docs to that page...which takes you back to the old one again...
Come on, MS. That's bad.
the_painmonster@reddit
I feel like this scenario is going to become a recurring nightmare for me one day. Kind of like those dreams people have for years after leaving school where suddenly there's an exam they forgot to study for.
Puzzleheaded-Sink420@reddit
As only working in it for 5 years I felt like I was the only one who's stupid and doesn't understand that shit.
TinkerBellsAnus@reddit
Powershell was created to be easy to read, easy to understand and easy to learn as a scripting language.
Graph is the Epstein of that poor child's dream.
Nitricta@reddit
When I started out using PowerShell, I quickly got that "Damn, no way in life without this!"-feeling. With Graph, it's like the bad version of PowerShell that didn't make it last time.
ScoobyGDSTi@reddit
I hate it, too.
Its cmdlets are basically nothing more than glorified invoking of REST APIs and JSON parsing.
It's not PowerShell. It's shit is what it is.
FireLucid@reddit
Me: How many 'r's are there in strawberry?
GPT: There are two
Me: That is incorrect
GPT: Sorry, there is one r in strawberry
Godcry55@reddit
Haha this!
purplemonkeymad@reddit
I don't really see this as a stupid LLM as it never gets to see the word. Everything is turned into a numerical token and then fed in. The output is the same, just numbers that are replaced with words or symbols.
I mean how many people on the internet would ask that exact question? It's not going to be in the dataset.
fatbergsghost@reddit
It's a very interesting position, though, because it's kind of the opposite of what computers are good at.
How many 'r's are there in 'strawberry'?
People can count that easy. Although, if you quickfire that at people, people have to count.
How many 'r's are there in 'strawberrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrry'?
Computer can do this easy. People can do it, but it sucks.
purplemonkeymad@reddit
Yea I think there is still an expectation gap with AI especially in LLMs. If you don't know how they work, it looks like it understands the words, if you do, then it makes sense what it finds hard.
Threep1337@reddit
Yea I don’t know if I’m just dumb or what but every time I try and do anything with graph it’s a huge pain. Commands that were simple one liners become long painful processes of making some huge hash table with stuff in a specific format.
Khue@reddit
Graph Powershell is definitely a bolt on solution. It's little more than a wrapper for curl for us dumbass sysadmins that want to leverage sysadmin tools instead of relying on RestAPI like calls for everything. If you want to know real pain, try to figure out how to leverage Graph Powershell for querying ADB2C records... god forgive you if you have custom attributes.
randomman87@reddit
Woah careful with that Copilot slander. Haven't you been paying attention to MS Ignite? It's writing 79 million lines of code a month. You must be doing something wrong.
/S in case
evasive_btch@reddit
In a few years programmers won't exist!
Gravybees@reddit
Graph is the absolute worst. I can’t for the life of me understand why they decommissioned modules that were wonderful only to replace them with graph and zero documentation. And don’t even get me started with Search-Mailbox. That may have been the best thing Microsoft ever did, so of course they removed it…
Fresh_Dog4602@reddit
what about the new entra-id powershell module? doesn't that work for you ?
walkasme@reddit
It is a pain that how it worked 3 months ago doesn't work the same now.
I found a bug in SharePoint Online PowerShell module. Log a call with Microsoft Enterprise Support blah, 5 engineers later all telling me, it is a script I wrote, not their problem to eventually, oh wait there is a problem (it happens when you have many thousands of sites (OneDrive is a SharePoint site) with 20k+ users). You cannot replicate the issue in a lab with 10 users. Anyway it was sent to product team to investigate. Next update came and the feature was "deprecated". Thanks Microsoft. I landed up having to loop through thousands of sites to get some data which took an hour plus (their API getting overloaded) versus getting the data in 1 API call and min of execution.
This was meant to be an interim solution for a month or 3. It was still in use 4 years later, when it was really broken with all the API/PS Module updates....
bmfrade@reddit
why do they even deprecate these ps modules and then make things 10x harder?
TU4AR@reddit
You hate it? I guess I'll push it through prod.
Lmk once you start getting used to it, I'll release MS. Viewport, the follow-up.
hoeskioeh@reddit
The worst thing?
These inconsistencies and weird lookups will stay with us for the foreseeable future.
"Backwards compatibility"
zerotol4@reddit
The powershell module is probably being largely auto generated directly from the graph API which is designed for developers not IT users. Which is why you get objects in other objects etc. It's not very nice to use and the folks at MS making the decisions on this are probably not the ones using it.
whitefox040@reddit
This is the reason I switched to using the Microsoft API and coding it in GoLang/Rust. I’m over modules expiring and constantly updating scripts. I only use powershell as a last resort, it’s still definitely useful but damn am I glad I ditched it where there’s alternatives
pabskamai@reddit
It all started with hosting exchange in their servers, I never signed up for all of this BS.
Section212@reddit
This....
dustojnikhummer@reddit
We were just thinking about building these onboarding scripts (currently manually) and seeing your posts makes me reconsider this decision.
SwiftSloth1892@reddit
And what if I don't want to be a full blown programmer... I was doing just fine scripting in powershell. Took me a week to replace a simple deprecated command with graph.
ccosby@reddit
I moved our internal onboarding and offboarding script to graph earlier this year along with everything else we had scripted that was running the deprecated modules. Ended up having to use beta graph for a bunch of it. Really haven't been impressed overall.
elpollodiablox@reddit
Graph Explorer helps take some of the pain out of it for me, but yes, how granular it is makes me insane sometimes.
Grrl_geek@reddit
Graph BLOWS.
JohnL101669@reddit
Graph commands are powerful but yes, learning to use them sucks ass as base commands are very lacking. Keep at it. There are ways to get what you need but you have to do some tricky coding to get it.
nsdeman@reddit
Have you tried the Entra PowerShell module?
I've not used it myself but feel free to have a read here
VeryRareHuman@reddit
I am very lucky that wall is closer to my desk in Office. I can go bang on the wall before and after I did script based on graph. PowerShell is not fun when we use Graph! It's a mess.
gorramfrakker@reddit
Yells at cloud.
W3tTaint@reddit
Get off my lawn!