Get-MSOL* and Get-AzureAD*

Dale Peterson 61 Reputation points
2022-01-24T02:45:02.67+00:00

Hello.

I haven't been to the forums for a while. I didn't see a category to post this under so I'm hoping it's all being handled by tags. Sorry if it's posted in the wrong spot.

I am studying for an MS exam and I'm really confused about when to use the Get-MSOL* and Get-AzureAD* cmdlets. If you want to know how many users have registered with MFA in your AAD tenant, you run Get-MsolUser. I would have thought that was something that was included in Get-AzureAD*. Is there a way to determine which of these cmdlets you should run for a specific task? I would have thought anything to do with the Azure tenant would use the AzureAD cmdlets and MSOL for the M365 subscription. That logic doesn't seem to work with this though.

Any advice on this would be helpful.

Thanks!

Windows for business | Windows Server | User experience | PowerShell
Microsoft Security | Microsoft Entra | Microsoft Entra ID

Accepted answer
  1. Limitless Technology 39,926 Reputation points
    2022-01-24T15:18:59.487+00:00

    Hello DalePeterson

    Get-AzureAD: allows user to manage Active Directory objects only, [where directory is hosted in Azure].

    Get-MSOL: apart from managing Active Directory allows more administrative tasks such as Domain management, configure single sign-on etc.

    Hope this clarifies your doubt. References:

    https://learn.microsoft.com/en-us/powershell/module/azuread/connect-azuread?view=azureadps-2.0

    https://learn.microsoft.com/en-us/powershell/azure/active-directory/install-msonlinev1?view=azureadps-1.0


    1 person found this answer helpful.

1 additional answer

  1. AmanpreetSingh-MSFT 56,871 Reputation points Moderator
    2022-01-24T06:24:44.883+00:00

    Hi @Dale Peterson • Thank you for reaching out.

    All the identity information (Users, Groups, Applications, ServicePrincipals, Managed Identities, etc.) is stored in Azure AD. That means, if you use Get-MSOLUser or Get-AzureADUser, the users' information will eventually be fetched from Azure Active Directory.

    However, depending on which cmdlet you use, a different API is used in the backend to fetch the information from Azure AD.

    • If you use the Get-MSOLUser cmdlet, the API used in the backend will be https://provisioningapi.microsoftonline.com
    • If you use the Get-AzureADUser cmdlet, it will use Graph API (https://graph.windows.net/ or https://graph.microsoft.com)

    Note: The information that you are trying to fetch might be exposed via one API but not the other. E.g., you don't get the below properties with the Get-AzureADUser cmdlet, which is why you need to use Get-MsolUser to know how many users have registered with MFA.

    • StrongAuthenticationMethod
    • StrongAuthenticationPhoneAppDetails
    • StrongAuthenticationProofupTime
    • StrongAuthenticationRequirements
    • StrongAuthenticationUserDetails
    • StrongPasswordRequired


    1 person found this answer helpful.
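
The MFA registration count discussed in the answer above, as an added example that is not part of the original thread. It assumes the user objects expose `StrongAuthenticationMethods` (entries with `IsDefault` and `MethodType`) and `StrongAuthenticationRequirements` (entries with `State`), as Get-MsolUser output does; the function name `Get-MfaRegistrationSummary` and the sample users are hypothetical.

```powershell
# Added example (not from the thread); function name and sample data are hypothetical.
function Get-MfaRegistrationSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object] $User
    )
    begin { $rows = [System.Collections.Generic.List[object]]::new() }
    process {
        # An empty or missing method list means the user has registered nothing.
        $methods = @($User.StrongAuthenticationMethods | Where-Object { $_ })
        $default = $methods | Where-Object IsDefault | Select-Object -First 1
        # Per-user MFA state; no requirement entry is reported here as 'Disabled'.
        $req = $User.StrongAuthenticationRequirements | Select-Object -First 1
        $rows.Add([pscustomobject]@{
            UserPrincipalName = $User.UserPrincipalName
            Registered        = $methods.Count -gt 0
            DefaultMethod     = if ($default) { $default.MethodType } else { $null }
            PerUserMfaState   = if ($req) { $req.State } else { 'Disabled' }
        })
    }
    end {
        [pscustomobject]@{
            Total      = $rows.Count
            Registered = @($rows | Where-Object Registered).Count
            Users      = $rows
        }
    }
}

# Constructed sample input so the function can be run offline.
$sample = @(
    [pscustomobject]@{
        UserPrincipalName                = 'alice@contoso.example'
        StrongAuthenticationMethods      = @([pscustomobject]@{ IsDefault = $true; MethodType = 'PhoneAppNotification' })
        StrongAuthenticationRequirements = @([pscustomobject]@{ State = 'Enforced' })
    }
    [pscustomobject]@{
        UserPrincipalName                = 'bob@contoso.example'
        StrongAuthenticationMethods      = @()
        StrongAuthenticationRequirements = @()
    }
)
$summary = $sample | Get-MfaRegistrationSummary
'{0} of {1} users registered' -f $summary.Registered, $summary.Total
$summary.Users | Where-Object { -not $_.Registered } | Select-Object UserPrincipalName

# Against a tenant (requires the MSOnline module and a signed-in session):
# Connect-MsolService; Get-MsolUser -All | Get-MfaRegistrationSummary
```

`Registered` reflects whether a user has enrolled any method, while `PerUserMfaState` reflects whether per-user MFA is required; an account that is enforced but not registered, or registered but not required, is worth reviewing.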
