What’s the Difference Between Entra and Graph for Managing Azure Objects?

Asked By CuriousCoder88 On

I'm trying to understand the main differences between the Graph module and the Entra module when it comes to managing cloud objects in Azure. Are there advantages to using one over the other?

My situation involves needing helpdesk to fill out some attributes (extensionAttribute 12, 13, 14, & 15) for users. I also have a script that runs as a scheduled task to parse on-prem Active Directory (it could also involve cloud attributes since these accounts are in sync). The goal is to add or remove users from a group based on out-of-country travel requests from management.

Here's how the workflow looks:

- Users submit a request for international travel with specified dates and country.
- Helpdesk fills in the attributes along with the ticket number.
- The script checks the on-prem AD for those attributes, and if the current date is within the specified travel dates, it adds the user to an appropriate group. If the travel is outside the date range, it will remove users from the group, clear the on-prem attributes, and delete the group if it's empty. If it's yet to start, the script does nothing.

I've completed the on-premise part, but I need to know how to interact with Entra and Graph for the specified commands related to the AD queries and the conditions outlined.

4 Answers

Answered By DataDynamo On

The Entra PS is a modern replacement for the old AzureAD/MSOnline modules, but remember that Graph covers the broader landscape by communicating with everything in M365. If you're just looking to update extension attributes and manage group membership, both can work. However, Microsoft is clearly steering users towards Graph, so it's best to go with that if you're starting fresh.

Answered By CloudExplorer95 On

Microsoft originally had an AzureAD module focused on EntraID but shifted to Graph, which integrates EntraID with all services. They added the Graph module to simplify PowerShell interactions without messy API calls. Recently, Microsoft introduced the Entra module again, causing confusion over which to use. However, Graph still covers everything related to EntraID, so if your organization has already transitioned, I'd recommend sticking with Graph for consistency and support.

Answered By ScriptMaster3000 On

Graph is the way to go since it supports almost everything except the Exchange API for functionalities like mailbox management. For EntraID objects, Graph is fully supported, and you’ll get the most comprehensive features there. It’s a solid choice for any scripting and management tasks moving forward.

Answered By TechSavvyDude On

If you're syncing users with AADConnect, the extension attributes should sync too. You can set EA13 for start date, EA14 for end date, and EA15 to track allowed users. Create a dynamic group in Entra that adds users based on EA15 being set to 'Allowed'. Then, have your script check the start and end dates to manage the group memberships automatically without needing to delete groups.
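
The design in the last answer, written out as an added example (not code from any poster on this page): the scheduled task only touches on-prem AD, because extension attributes on synced users are mastered on-prem and read-only through Graph, and a dynamic Entra group keyed on EA15 handles membership. The `yyyy-MM-dd` date format, the group name `Travel-Allowed`, and the function names are assumptions.

```powershell
# Added example. Assumed: yyyy-MM-dd dates, group name 'Travel-Allowed'.
Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Groups

function Get-TravelState {
    param([string]$Start, [string]$End, [datetime]$Today = (Get-Date).Date)
    $s = [datetime]::MinValue; $e = [datetime]::MinValue
    $fmt = 'yyyy-MM-dd'; $inv = [cultureinfo]::InvariantCulture
    $none = [System.Globalization.DateTimeStyles]::None
    $ok = [datetime]::TryParseExact($Start, $fmt, $inv, $none, [ref]$s) -and
          [datetime]::TryParseExact($End, $fmt, $inv, $none, [ref]$e)
    if (-not $ok -or $e -lt $s) { return 'Invalid' }   # fail closed: no access granted
    if ($Today -lt $s) { return 'Pending' }
    if ($Today -gt $e) { return 'Expired' }
    return 'Active'
}

# One-time setup: dynamic security group driven by EA15.
function New-TravelGroup {
    Connect-MgGraph -Scopes 'Group.ReadWrite.All'
    New-MgGroup -DisplayName 'Travel-Allowed' -MailNickname 'travel-allowed' `
        -MailEnabled:$false -SecurityEnabled -GroupTypes 'DynamicMembership' `
        -MembershipRule '(user.extensionAttribute15 -eq "Allowed")' `
        -MembershipRuleProcessingState 'On'
}

# Scheduled task body: on-prem only; directory sync and the dynamic rule do the rest.
function Sync-TravelAccess {
    $props = 'extensionAttribute13', 'extensionAttribute14', 'extensionAttribute15'
    $filter = '(|(extensionAttribute13=*)(extensionAttribute14=*)(extensionAttribute15=*))'
    foreach ($user in Get-ADUser -LDAPFilter $filter -Properties $props) {
        $state = Get-TravelState $user.extensionAttribute13 $user.extensionAttribute14
        switch ($state) {
            'Active' {
                if ($user.extensionAttribute15 -ne 'Allowed') {
                    Set-ADUser $user -Replace @{ extensionAttribute15 = 'Allowed' }
                }
            }
            'Expired' { Set-ADUser $user -Clear $props }
            'Invalid' {
                # Bad or missing dates must never leave a stale 'Allowed' flag behind.
                Set-ADUser $user -Clear 'extensionAttribute15'
                Write-Warning "Bad travel dates on $($user.SamAccountName)"
            }
            # 'Pending': travel has not started yet, nothing to do.
        }
    }
}
```

Run the scheduled task under an account delegated write access to only these three attributes, and note that dynamic membership groups require Entra ID P1 licensing.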
