The New Drop-Dead Date is March 30, 2024

In an update released July 29, 2022, Microsoft pushed out plans to retire the license assignment cmdlets in the Azure AD and Microsoft Online Services (MSOL) PowerShell modules from August 26, 2022. Pushback from customers struggling to update their scripts to update code with cmdlets from the Microsoft Graph PowerShell SDK caused Microsoft to pause their plans to deprecate the cmdlets.

The new plan divides tenants into two categories:

  • New tenants created after November 1, 2022, won’t be able to use the Azure AD and MSOL cmdlets for license management of Azure AD accounts.
  • Existing tenants can continue using the license management cmdlets like Set-AzureADUserLicense until March 31, 2023.

Microsoft warns that “Customers may notice performance delays as we approach the retirement deadline” and recommends migrating to Microsoft Graph-based code as quickly as possible.

Update (June 16, 2023): Microsoft has moved the retirement date out by nine months to 30 March 2024.

Will the Deadline Hold?

Declaring a deadline for a service or feature deprecation and then pushing out the deadline as it approaches is a classic routine from the Microsoft cloud services playbook. The original deadline serves to inform customers that change is coming while the later amended deadline is the real thing.

Or maybe not. Multiple deadline changes have happened, as in the case of the Exchange Online deprecation of basic authentication for seven mail connectivity protocols. However, to be fair to Microsoft, removing something that affects hundreds of millions of users is a process that needs to be handled with sensitivity, and the current October 1 deadline is holding and will, I believe, happen.

Upgrade Scripts Now

The important thing here is to react to the heads-up warning implicit in the new deadline. It’s likely that March 31, 2023, will be the real drop-dead date. Although the additional seven months gives a welcome breathing space to organizations that haven’t been able to update their scripts, it’s no excuse to relax and go work on other things. Schedule the time now to:

  • Find all scripts that use the Azure AD and MSOL cmdlets for license management.
  • Determine the appropriate cmdlet to move to using the Azure AD and MSOL to Microsoft Graph PowerShell SDK cmdlet map (you can also use the underlying Graph API requests like user assignLicense).
  • Upgrade scripts to use SDK cmdlets or Graph API requests.
  • Test the upgraded scripts.
  • Release to production.

See this article for examples of assigning and removing licenses (like Office 365 E3) and service plans (like Yammer) to Azure AD accounts.

An Opportunity for Personal Enrichment (Maybe)

One of the unique joys of working in the cloud is having to react to decisions made by service providers. On the downside, decisions like this create extra work. On the upside, isn’t it nice to sharpen new skills in Graph-based license assignments?

Cybersecurity Risk Management for Active Directory

Discover how to prevent and recover from AD attacks through these Cybersecurity Risk Management Solutions.

About the Author

Tony Redmond

Tony Redmond has written thousands of articles about Microsoft technology since 1996. He is the lead author for the Office 365 for IT Pros eBook, the only book covering Office 365 that is updated monthly to keep pace with change in the cloud. Apart from contributing to Practical365.com, Tony also writes at Office365itpros.com to support the development of the eBook. He has been a Microsoft MVP since 2004.

Comments

  1. Watto

    Hope they will create Microsoft graph replacement command for set-msoluser -StrongAuthenticationRequirements parameter.

    Example bellow:

    $user = “testMFADisabled@sometenant.onmicrosoft.com
    $auth = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $auth.RelyingParty = “*”
    $auth.State = “Enforced”
    $authst = @($auth)
    Set-MsolUser -UserPrincipalName $user -StrongAuthenticationRequirements $authst

      1. Watto

        Thank you Tony for the article you shared, it is very useful when it comes to reporting of MFA status of available users accounts.
        What we need to accomplish same behavior when you set MFA auth state to Enforced using MSOL module, but this time using graph API.
        Setting MFA status to “Enforced” for particular user forces that user to register at least one MFA Authentication method and use it as default each time he signs in, if not then the user is not allowed to sign in.

  2. Mike Patterson

    I guess they finally figured out not all the commands available in the 2 are in either of the Graph options.

  3. Bennett

    Is this exclusive to license assignments or will it be the whole of the AzureAD module that is being pushed back to this date?

Leave a Reply