
I have been asked a number of times by connections and in DMs over the last few weeks about Microsoft Graph and Azure PowerShell, so I figured I would put together a post on this topic. After all, knowledge sharing is knowledge learned.
Both Microsoft Graph and Azure PowerShell are powerful tools for managing Microsoft cloud services, but they serve different purposes.
Microsoft Graph is the unified REST API that spans across Microsoft 365 services (Azure AD, Teams, Exchange, SharePoint, etc.), while Azure PowerShell refers to the PowerShell modules for managing Azure resources (and previously Azure AD) in a command-line context.
Understanding the differences is important for administrators, especially as Microsoft is moving more functionality to Graph (and deprecating some older Azure PowerShell modules). In this post, I will compare their key differences, see how each can be used in practice, and discuss transitioning from Azure PowerShell (AzureAD/MSOL) to Microsoft Graph.
Below is a comparison of key aspects of Microsoft Graph (PowerShell SDK) and Azure PowerShell (specifically the AzureAD PowerShell module for Azure Active Directory tasks, as an example):
To illustrate the difference in execution, consider a practical scenario:
Creating a new user in Entra ID (Azure AD).
Below are two script snippets that achieve the same goal – one using Microsoft Graph PowerShell and one using the AzureAD PowerShell module. Both will create a new user account, but notice the differences in how they authenticate and the cmdlet syntax:
```powershell
# Connect to Microsoft Graph with the necessary scope (permission) for user management
Connect-MgGraph -Scopes "User.ReadWrite.All"

# Define a password profile for the new user
$passwordProfile = @{
    Password = "P@ssw0rd!"
}

# Create a new user via Microsoft Graph API (through the Graph PowerShell SDK)
# AccountEnabled is a switch parameter on New-MgUser, so its value is bound with a colon
New-MgUser -DisplayName "John Doe" `
    -UserPrincipalName "john.doe@contoso.com" `
    -MailNickname "john.doe" `
    -AccountEnabled:$true `
    -PasswordProfile $passwordProfile

# The above commands connect to Microsoft Graph and then create a new Azure AD user named John Doe with the specified UPN and password.
# Benefit: This uses Microsoft Graph’s up-to-date API, allowing access to the latest Azure AD features and ensuring compatibility with future updates (Graph is the modern approach).
```
```powershell
# Connect to Azure AD using the AzureAD module
Connect-AzureAD

# Prepare a password profile object for the new user (AzureAD module requires a specific object type)
$newUserPassword = New-Object -TypeName Microsoft.Graph.PowerShell.Models.MicrosoftGraphPasswordProfile
$newUserPassword.Password = "P@ssw0rd!"

# Create a new user using AzureAD PowerShell module
New-AzureADUser -DisplayName "John Doe" `
    -UserPrincipalName "john.doe@contoso.com" `
    -MailNickname "john.doe" `
    -AccountEnabled $true `
    -PasswordProfile $newUserPassword

# This connects to Azure AD and creates the same user.
# Benefit: AzureAD cmdlets are simple and were purpose-built for Azure AD tasks, which made them easy to use for administrators familiar with PowerShell.
```
In the Graph script, we use Connect-MgGraph with an OAuth scope, reflecting Graph’s need for consent to specific permissions. We then call New-MgUser – a Graph cmdlet – to create the user.
In the AzureAD version, we simply do Connect-AzureAD (which uses your account’s credentials) and then New-AzureADUser.
One immediate difference is authentication: Graph encourages a scoped OAuth token (more secure and fine-grained), whereas the AzureAD module uses your account context directly. Also, Graph’s cmdlet is part of a broader SDK that can manage more than just users, whereas New-AzureADUser is from a module solely focused on Azure AD.
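The scoped-token point above, as an added example that is not part of the original post: it compares the scopes the Graph session actually holds with the ones the script needs (a session can carry scopes consented to earlier), then creates the user with a generated temporary password that must be changed at first sign-in. `Test-GraphScope` and `New-TempPassword` are hypothetical helper names, and the three-of-four character class rule is an assumed password policy.

```powershell
# Added example: helper names are hypothetical; the cmdlets come from the Microsoft.Graph module.
function Test-GraphScope {
    param([string[]]$Granted, [string[]]$Required)
    $signIn = 'openid', 'profile', 'email', 'offline_access'   # sign-in scopes, not counted as excess
    [pscustomobject]@{
        Missing = @($Required | Where-Object { $_ -notin $Granted })
        Excess  = @($Granted  | Where-Object { $_ -notin $Required -and $_ -notin $signIn })
    }
}

function New-TempPassword {
    param([int]$Length = 20)
    # 64 symbols, so a random byte masked to 6 bits maps onto the alphabet without bias.
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] $Length
    try {
        do {
            $rng.GetBytes($bytes)
            $pw = -join ($bytes | ForEach-Object { $alphabet[$_ -band 63] })
            $classes = @(($pw -cmatch '[A-Z]'), ($pw -cmatch '[a-z]'), ($pw -match '\d'), ($pw -match '[-_]')) |
                Where-Object { $_ }
        } until (@($classes).Count -ge 3)   # assumed policy: three of four character classes
    } finally { $rng.Dispose() }
    $pw
}

$required = @('User.ReadWrite.All')
Connect-MgGraph -Scopes $required

# Get-MgContext reports every scope in the session, not only the ones requested above.
$check = Test-GraphScope -Granted (Get-MgContext).Scopes -Required $required
if ($check.Missing) { throw "Missing scope(s): $($check.Missing -join ', ')" }
if ($check.Excess)  { Write-Warning "Session also holds: $($check.Excess -join ', ')" }

$passwordProfile = @{
    Password                      = New-TempPassword
    ForceChangePasswordNextSignIn = $true   # the temporary password is single use
}
New-MgUser -DisplayName 'John Doe' -UserPrincipalName 'john.doe@contoso.com' `
    -MailNickname 'john.doe' -AccountEnabled:$true -PasswordProfile $passwordProfile
```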
```powershell
# Update Note
# Original $newUserPassword in the AzureAD module was:
$newUserPassword = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
# Changed to:
$newUserPassword = New-Object -TypeName Microsoft.Graph.PowerShell.Models.MicrosoftGraphPasswordProfile
# Change Reason:
# Microsoft.Open.AzureAD.Model.PasswordProfile was part of Azure AD for Graph (Azure AD v2), and Azure AD for Graph (Azure AD v2) is deprecated.
```
With Microsoft’s shift toward Graph, many organisations are transitioning from AzureAD/MSOL PowerShell modules to Microsoft Graph PowerShell. In fact, Microsoft Graph PowerShell is the official replacement for the AzureAD and MSOL modules. Here are some key points and best practices for migrating and working across both tools:
In summary, migrating from Azure PowerShell (AzureAD/MSOL) to Microsoft Graph is a necessary step as the old modules retire on 30 March, 2025. Follow the official guidance, test your changes, and take advantage of Graph’s improvements (security, cross-service capability, support for new features). By doing so, you’ll ensure your automation remains reliable and future-proof.
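As an added example (not from the original post), one way to size the migration is to inventory where existing scripts still call AzureAD or MSOL cmdlets. The sketch below uses PowerShell's own parser, so cmdlet names inside comments or strings are not counted; `Find-LegacyAadCommand` is a hypothetical helper name and the sample script is constructed.

```powershell
# Added example: Find-LegacyAadCommand is a hypothetical helper, not part of any Microsoft module.
function Find-LegacyAadCommand {
    param(
        [Parameter(Mandatory)][string]$ScriptText,
        [string]$Source = '<inline>'
    )
    $tokens = $null; $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput($ScriptText, [ref]$tokens, [ref]$errors)

    # Walk every command invocation, including ones nested in functions and script blocks.
    $commands = $ast.FindAll({ param($node) $node -is [System.Management.Automation.Language.CommandAst] }, $true)
    foreach ($cmd in $commands) {
        $name = $cmd.GetCommandName()
        if (-not $name) { continue }   # dynamic invocation such as & $variable

        $module = switch -Regex ($name) {
            '^[A-Za-z]+-AzureAD' { 'AzureAD';  break }
            '^[A-Za-z]+-Msol'    { 'MSOnline'; break }
        }
        if ($module) {
            [pscustomobject]@{
                Source  = $Source
                Line    = $cmd.Extent.StartLineNumber
                Command = $name
                Module  = $module
            }
        }
    }
}

# Constructed sample script: three legacy calls, one Graph call, one mention in a comment.
$sample = @'
Connect-AzureAD
function Add-Starter { New-AzureADUser -DisplayName $args[0] }
Get-MsolUser -All | Where-Object { -not $_.IsLicensed }
# Get-AzureADGroup used to be called here
Get-MgUser -Top 5
'@

Find-LegacyAadCommand -ScriptText $sample -Source 'sample.ps1' | Format-Table -AutoSize
```

For a script repository, feed it each file's text, for example `Get-Content -Raw` on every non-empty `*.ps1` found by `Get-ChildItem -Recurse`, with the file path passed as `-Source`.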
Both Microsoft Graph and Azure PowerShell are important in the library of a cloud administrator – the key is to use the right tool for the right scenario.
Microsoft Graph (with its PowerShell SDK) shines when you need to work across Microsoft 365 services or leverage the latest capabilities in Azure AD/Microsoft Entra, especially as legacy modules are retired.
Azure PowerShell (Az modules and other service-specific modules) remains crucial for Azure infrastructure management and will continue to be used for those scenarios.
As we approach the retirement of older Azure AD PowerShell modules, it’s clear that the future is with Graph for identity and Microsoft 365 tasks. Administrators should plan their transition accordingly (https://tinyurl.com/yrx6hra6), ensuring that scripts are updated and teams are familiar with the new commands. By staying proactive and embracing the newer tools, you’ll ensure a smooth transition with minimal disruption.
Remember, planning ahead and testing your changes are key – with that in place, you can confidently leverage both Graph and PowerShell to manage your environment effectively.