BLOG 16 January 2025

Time is up! Identify MSOL and AzureAD usage in your organization.

In previous change announcements and blog updates, Microsoft announced that the MSOnline and Microsoft AzureAD PowerShell modules have been deprecated since March 30 2024. Recently, Microsoft announced the retirement of MSOnline PowerShell, starting in early April 2025 and ending in late May 2025. Because of this, organizations need to make sure they migrate to the Microsoft Graph PowerShell SDK or Microsoft Entra PowerShell, since MSOL commands will stop working very soon.

To allow organizations some time to finish the MSOnline PowerShell migration first, AzureAD PowerShell will no longer be supported after March 30 2025 but will continue to work until at least July 1 2025. To ensure customer readiness for MSOnline PowerShell retirement, a series of temporary outage tests will occur for all tenants between January and March 2025.

Timeline Summary

 

Outage Test Details

 

During the temporary outage tests of the MSOnline module, all MSOnline cmdlets will fail with a message indicating that MSOnline PowerShell is disallowed. Between January 20 2025 and March 30 2025, organizations will experience at least two temporary outages of MSOnline PowerShell, each lasting between 3 and 8 hours and occurring at different times of the day. After March 2025, all organizations will experience a longer temporary outage as final preparation for retirement.

 

Identify usage of MSOnline and AzureAD PowerShell modules via sign-in logs

 

Entra ID

Microsoft Entra Sign-In logs can be used to identify logins from MSOnline and AzureAD PowerShell. To do so, perform the following steps:

1) Navigate to https://entra.microsoft.com.

2) Expand the Identity column and click ‘Show more’.

3) Under ‘Monitoring & Health’, select ‘Sign-in logs’.

4) Select the ‘User sign-ins (interactive)’ tab, then click ‘Add filters’ and select ‘Application’ with value ‘Azure Active Directory PowerShell’.

5) Click ‘Add filters’ again and select ‘Status’ with value ‘Success’.

 

 

6) Repeat these steps for the ‘User sign-ins (non-interactive)’ logs as well.

 

Both MSOnline PowerShell and AzureAD PowerShell sign-in events appear in these logs.

Note: We include the ‘Success’ status in the filter because brute force attacks on this Application happen regularly. Filtering on successful sign-ins removes the clutter from your investigations. If you are an MDR customer of The Collective, do not worry about the failed sign-ins; we are monitoring them.
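
The same portal filters (application, successful status, interactive and non-interactive sign-ins) can be applied from a script, which makes it easier to repeat the check and to see who used the modules most recently. This is an added example, not part of the original post; it assumes the Microsoft.Graph.Authentication and Microsoft.Graph.Beta.Reports modules are installed and that your account may read sign-in logs, and the `$Days` parameter is a name chosen for this example.

```powershell
# Added example: successful sign-ins to 'Azure Active Directory PowerShell',
# summarised per user. Assumes the Microsoft Graph PowerShell SDK (beta Reports module).
[CmdletBinding()]
param (
    # How many days back to look (hypothetical parameter for this example).
    [int] $Days = 7
)

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'

$since  = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString('yyyy-MM-ddTHH:mm:ssZ')
$filter = "appDisplayName eq 'Azure Active Directory PowerShell' " +
          "and status/errorCode eq 0 and createdDateTime ge $since"

# Ask for each sign-in type explicitly so that both the interactive and the
# non-interactive logs from the portal steps are covered.
$signIns = foreach ($type in 'interactiveUser', 'nonInteractiveUser') {
    Get-MgBetaAuditLogSignIn -All -Filter "$filter and signInEventTypes/any(t: t eq '$type')" |
        Select-Object UserPrincipalName, IPAddress, CreatedDateTime,
            @{ Name = 'SignInType'; Expression = { $type } }
}

# One row per user and sign-in type: how often and how recently the legacy modules were used.
$signIns |
    Group-Object UserPrincipalName, SignInType |
    ForEach-Object {
        [pscustomobject]@{
            UserPrincipalName = $_.Group[0].UserPrincipalName
            SignInType        = $_.Group[0].SignInType
            SignIns           = $_.Count
            LastSeen          = ($_.Group | Measure-Object CreatedDateTime -Maximum).Maximum
            SourceIPs         = ($_.Group.IPAddress | Sort-Object -Unique) -join ', '
        }
    } |
    Sort-Object LastSeen -Descending
```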

 

Microsoft Sentinel / Log Analytics

If you export your Entra ID Sign-in logs into Microsoft Sentinel or a Log Analytics workspace, you can identify usage with the below query:

 

 

union SigninLogs, AADNonInteractiveUserSignInLogs
| where AppDisplayName == "Azure Active Directory PowerShell"
| where ResultType == 0

Identify applications using AzureAD PowerShell modules

For AzureAD PowerShell (the module that will retire after 1 July 2025), you can use the Entra ID recommendations experience to find Applications relying on the obsolete Azure AD Graph API by searching for the “Migrate Service Principals from the retiring Azure AD Graph APIs to Microsoft Graph” recommendation. You can find this by following the below steps:

1) Navigate to https://entra.microsoft.com.

2) Navigate to the Identity column and click on “Overview”.

3) On this page, click the ‘Recommendations’ tab and search for the “Migrate Service Principals from the retiring Azure AD Graph APIs to Microsoft Graph” recommendation.

4) By clicking on the details page, you will find which applications need migration to Microsoft Graph.

Next Steps

If you have identified users or applications still using MSOnline PowerShell or AzureAD PowerShell, we recommend the following:

1) Educate employees to use Microsoft Graph PowerShell or Microsoft Entra PowerShell instead.

2) Contact the Application owners and ask how they plan to move away from the MSOnline PowerShell or AzureAD PowerShell modules.

If you are the one responsible for migrating an application or script to the new modules, Microsoft has very extensive documentation on how to get started:

 

When you want to search a folder with .ps1 files for any MSOL or Azure AD command usage, you can use the script we quickly created below:

 

 
# Get parameters
[CmdletBinding()]
param (
    [Parameter (Mandatory=$true)]
    [string] $folderPath = ""
)

# URL of the documentation page
$msolUrl = "https://learn.microsoft.com/en-us/powershell/microsoftgraph/azuread-msoline-cmdlet-map?view=graph-powershell-1.0&pivots=msonline"
$azureAdUrl = "https://learn.microsoft.com/en-us/powershell/microsoftgraph/azuread-msoline-cmdlet-map?view=graph-powershell-1.0&pivots=azure-ad-powershell"

# Use Invoke-WebRequest to get the content of the page
# (-UseBasicParsing avoids the Internet Explorer dependency in Windows PowerShell 5.1)
$msolResponse = Invoke-WebRequest -Uri $msolUrl -UseBasicParsing
$azureAdResponse = Invoke-WebRequest -Uri $azureAdUrl -UseBasicParsing

# Parse the content to find MSOnline, AzureAD, and AzureADPreview cmdlets
# This example assumes the cmdlets are listed in a specific HTML structure
# You may need to adjust the parsing logic based on the actual structure of the page
$msolCmdlets = @([regex]::Matches($msolResponse.Content, '(\w+-Msol\w*)<') | ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique)
$azureAdCmdlets = @([regex]::Matches($azureAdResponse.Content, '(\w+-AzureAD\w*)<') | ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique)

# Stop if a list is empty: an empty pattern would match every file
if ($msolCmdlets.Count -eq 0 -or $azureAdCmdlets.Count -eq 0) {
    throw "Could not extract the cmdlet lists from the documentation pages."
}

# Create regex of the cmdlets
$msolPatternRegex = ($msolCmdlets -join "|")
$azureAdPatternRegex = ($azureAdCmdlets -join "|")

# Get all the PS1 files for the provided path
$scriptFiles = Get-ChildItem -Path $folderPath -Filter *.ps1 -Recurse

# Loop through each file and read its content
foreach ($file in $scriptFiles) {
    # Read the content of the file
    $content = Get-Content -Path $file.FullName

    # Perform your checks on the content
    if ($content -match $msolPatternRegex) {
        Write-Output "The file $($file.FullName) contains MSOL modules"
    }
    if ($content -match $azureAdPatternRegex) {
        Write-Output "The file $($file.FullName) contains Azure AD modules"
    }
}
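
The text search above also flags files where a cmdlet name appears only in a comment or a string, and it needs to download the mapping page first. The variant below is an added example, not The Collective's script: it parses each file with PowerShell's own parser and reports the file, line and command for real invocations only. The `*-Msol*` / `*-AzureAD*` name patterns and the `Import-Module` check are assumptions of this example.

```powershell
# Added example: offline scan of .ps1 files for MSOnline / AzureAD command invocations.
# Cmdlets are recognised by name pattern (*-Msol*, *-AzureAD*), an assumption of this example.
[CmdletBinding()]
param (
    [Parameter(Mandatory = $true)]
    [string] $FolderPath
)

$legacyModules = 'MSOnline', 'AzureAD', 'AzureADPreview'

Get-ChildItem -Path $FolderPath -Filter *.ps1 -Recurse -File | ForEach-Object {
    $file   = $_
    $tokens = $null
    $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseFile(
        $file.FullName, [ref] $tokens, [ref] $errors)
    if ($errors.Count -gt 0) {
        Write-Warning "$($file.FullName) has parse errors; findings may be incomplete."
    }

    # Every command invocation in the file, including those nested in functions.
    $commands = $ast.FindAll(
        { param($node) $node -is [System.Management.Automation.Language.CommandAst] }, $true)

    foreach ($command in $commands) {
        $name = $command.GetCommandName()   # $null for dynamic invocations such as & $cmd
        if (-not $name) { continue }
        $name = ($name -split '\\')[-1]     # drop a module qualifier (MSOnline\Get-MsolUser)

        $module = $null
        if     ($name -match '^\w+-Msol\w*$')    { $module = 'MSOnline' }
        elseif ($name -match '^\w+-AzureAD\w*$') { $module = 'AzureAD' }
        elseif ($name -in 'Import-Module', 'ipmo') {
            # Import-Module MSOnline / Import-Module -Name AzureAD
            $module = $command.CommandElements |
                ForEach-Object { $_.Extent.Text.Trim('"', "'") } |
                Where-Object { $_ -in $legacyModules } |
                Select-Object -First 1
        }

        if ($module) {
            [pscustomobject]@{
                File    = $file.FullName
                Line    = $command.Extent.StartLineNumber
                Module  = $module
                Command = $command.Extent.Text
            }
        }
    }
}
```

Commands invoked through a variable (`& $cmd`) have no static name and are skipped, so review those call sites by hand.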

If you need any more guidance on how to get started with your migration, don't hesitate to reach out! We at The Collective Consulting would love to help you out.

 

Robbe Van den Daele

Security Engineer
