
Document Correction Proposal: Migrating AzureADPreview PowerShell Module to Microsoft Graph PowerShell Module in Azure Functions #125061

Open
SrideviM-5 opened this issue Dec 5, 2024 · 1 comment


@SrideviM-5

SrideviM-5 commented Dec 5, 2024

Documentation Reference:

Azure Functions Managed Dependencies for PowerShell

Microsoft Graph PowerShell SDK

Overview:

This request provides a step-by-step explanation for replacing the deprecated AzureADPreview PowerShell module with the Microsoft Graph PowerShell SDK in an Azure Function. Azure Functions run on PowerShell Core (v7.x), which is incompatible with AzureADPreview, necessitating this migration.

Using the Microsoft Graph SDK enables retrieving and processing disabled Azure AD user accounts dynamically, as demonstrated in the sample function demofunc1811.

Correction Details

This guide outlines:

  1. How to enable system-assigned managed identity for an Azure Function.
  2. How to grant Microsoft Graph API permissions required for the function.
  3. How to use the Microsoft Graph SDK to replace AzureADPreview for retrieving disabled user accounts.

Steps

Prerequisites:

  1. Create an Azure Function App.
  2. Enable the system-assigned managed identity in the Function App.
  3. Grant required API permissions to the managed identity:
  • Directory.Read.All
  • AuditLog.Read.All

These permissions should be granted with admin consent, as shown in the portal's Enterprise Application permissions page.

Steps to Migrate AzureADPreview to Microsoft Graph SDK

  1. Update requirements.psd1 File

Add the following dependencies to the requirements.psd1 file of the Azure Function:

```powershell
@{
    'Microsoft.Graph.Authentication' = '2.19.0'
    'Microsoft.Graph.Reports'        = '2.19.0'
    'Microsoft.Graph.Users'          = '2.19.0'
}
```

  2. Modify the Azure Function Script

Replace the content of run.ps1 in your Azure Function with the following script:

```powershell
using namespace System.Net

param($Request, $TriggerMetadata)

Write-Host "PowerShell HTTP trigger function processed a request."

# Connect to Microsoft Graph using the function's system-assigned managed identity
Write-Host "Connecting to Microsoft Graph..."
Connect-MgGraph -Identity

# Emit the current Graph context (tenant, auth type, granted scopes) for troubleshooting
Get-MgContext

# Retrieve disabled users from Azure AD; -All pages through results beyond the default first page
Write-Host "Retrieving disabled users..."
$disabledUsers = Get-MgUser -Filter "accountEnabled eq false" -All | Select-Object UserPrincipalName

foreach ($disabledUser in $disabledUsers) {
    $upn = $disabledUser.UserPrincipalName
    # OData string literals escape a single quote by doubling it; guards the filter against odd UPNs
    $upnEscaped = $upn.Replace("'", "''")

    # activityDisplayName is a top-level property of the audit record, so it sits outside the any() lambda
    $logs = Get-MgAuditLogDirectoryAudit -Filter "activityDisplayName eq 'Disable account' and targetResources/any(tr:tr/userPrincipalName eq '$upnEscaped')" -Top 1

    if ($logs) {
        foreach ($log in $logs) {
            $disabledDate = [DateTime]$log.ActivityDateTime
            $currentDate  = Get-Date

            if ($disabledDate -ge $currentDate.AddDays(-1)) {
                Write-Host "Account $upn was disabled today."
                break
            }
            elseif ($disabledDate -lt $currentDate.AddDays(-5)) {
                Write-Host "Account $upn disabled more than 5 days ago. Logs found."
                break
            }
        }
    }
    else {
        # Directory audit logs are only retained for a limited period, so no record implies an older disable
        Write-Host "Account $upn disabled more than 30 days ago. Cannot find logs."
    }
}

# Return a response
Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
    StatusCode = [HttpStatusCode]::OK
    Body       = "Operation completed successfully."
})
```

  3. Restart the Function App

After updating the dependencies and script, restart the Azure Function to apply the changes.

Conclusion

By following this guide, users can:

  1. Replace AzureADPreview with the Microsoft Graph SDK in Azure Functions.
  2. Retrieve and process disabled Azure AD user accounts dynamically using managed identities and Microsoft Graph.

This correction ensures compatibility with PowerShell Core in Azure Functions while maintaining security and functionality.
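The prerequisites above grant Directory.Read.All and AuditLog.Read.All to the managed identity through the portal. The following script is an added example, not part of the original issue or of the Azure documentation it references: it grants those two application permissions to the Function App's managed identity from an administrator workstation with the Microsoft.Graph.Applications module, skips roles that are already assigned (so it doubles as an audit check), and warns about any Graph application role the identity holds beyond the required set. It assumes the administrator running it can sign in with the delegated scopes Application.Read.All and AppRoleAssignment.ReadWrite.All, and `$FunctionAppName` is a placeholder for the Function App's name.

```powershell
# Added example (not from the original issue): grant and verify the Graph application
# permissions that the function's managed identity needs, and flag any extras.
# Assumes the caller holds Application.Read.All and AppRoleAssignment.ReadWrite.All.
param(
    [Parameter(Mandatory)] [string] $FunctionAppName,   # placeholder: name of the Function App
    [string[]] $RequiredRoles = @('Directory.Read.All', 'AuditLog.Read.All')
)

Import-Module Microsoft.Graph.Applications -ErrorAction Stop

# Interactive admin sign-in with only the delegated scopes this script needs
Connect-MgGraph -Scopes 'Application.Read.All', 'AppRoleAssignment.ReadWrite.All' -NoWelcome

# Well-known application ID of the Microsoft Graph resource (identical in every tenant)
$graphAppId = '00000003-0000-0000-c000-000000000000'
$graphSp = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"
if (-not $graphSp) { throw "Microsoft Graph service principal not found in this tenant." }

# A system-assigned managed identity appears as a service principal named after the Function App
$miSp = Get-MgServicePrincipal -Filter "displayName eq '$FunctionAppName'" |
    Where-Object { $_.ServicePrincipalType -eq 'ManagedIdentity' }
if (-not $miSp) { throw "No managed identity service principal named '$FunctionAppName' found." }

# Current assignments, so re-running the script is idempotent
$existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $miSp.Id

foreach ($roleName in $RequiredRoles) {
    # Application permissions are AppRoles on the Graph service principal with AllowedMemberTypes = Application
    $role = $graphSp.AppRoles |
        Where-Object { $_.Value -eq $roleName -and $_.AllowedMemberTypes -contains 'Application' }
    if (-not $role) { throw "Graph application role '$roleName' not found." }

    if ($existing.AppRoleId -contains $role.Id) {
        Write-Host "OK   $roleName is already assigned"
        continue
    }

    # Admin consent for an application permission on a managed identity is the app role assignment itself
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $miSp.Id `
        -PrincipalId $miSp.Id -ResourceId $graphSp.Id -AppRoleId $role.Id | Out-Null
    Write-Host "ADD  $roleName assigned"
}

# Least privilege check: report any Graph application role on the identity outside the required set
$roleNames = @{}
foreach ($r in $graphSp.AppRoles) { $roleNames[$r.Id] = $r.Value }
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $miSp.Id |
    Where-Object { $_.ResourceId -eq $graphSp.Id -and $roleNames[$_.AppRoleId] -notin $RequiredRoles } |
    ForEach-Object { Write-Warning "Extra Graph permission on managed identity: $($roleNames[$_.AppRoleId])" }
```

Run it as `.\Grant-FunctionGraphRoles.ps1 -FunctionAppName demofunc1811` (the file name is the example's own choice). Because the assignment is made against the managed identity's service principal rather than an app registration, no client secret or certificate exists to rotate or leak, which is the point of pairing `Connect-MgGraph -Identity` with these two roles in the function itself.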

@PesalaPavan
Contributor

@SrideviM-5
Thanks for your feedback! I've assigned this issue to the author who will investigate and update as appropriate.
