Configuring the Secure App Model for PowerShell / API / Graph scripting with GDAP for Partners

bKeski ,

Correct, and as others have noted: Per-User MFA isn't yet fully available in the MS Graph API, though parts of it are in the beta end-point:

https://learn.microsoft.com/en-us/graph/api/resources/userregistrationdetails?view=graph-rest-beta

You can add your voice to speed this up:

https://feedbackportal.microsoft.com/feedback/idea/12d10bfb-10e3-ec11-a81b-000d3a03dba2

Sadly, while the MS Online and Azure AD Graph based modules will be deprecated March 30th, 2024 [and "Once these modules are deprecated, they will continue to work for a minimum of six (6) months before being retired"], they are currently not receiving any new features:

https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/important-azure-ad-graph-retirement-and-powershell-module/ba-p/3848270#:~:text=Current%20support%20for%20Azure%20AD%20Graph%20and%20legacy%20PowerShell%20modules

I assume this means making them work with GDAP - they only support DAP.

So while they may continue to work throughout most of 2024 they won't work for Partners using GDAP (which is now required) since they rely upon DAP. I don't have an answer for that.

Maybe JillArmour can dig into things on the Microsoft side of things and see what we're supposed to do: we must use GDAP not DAP, but that means using MS Graph, but it doesn't support Per-User MFA actions, and the older MSOnline module relies upon the older Azure AD Graph which doesn't support GDAP. So we're stuck.

And Per-User MFA is still supported, even if it's not the ideal way of managing MFA.

   --Saul

bKeski 

You really shouldn't be using per user MFA anymore.

Hi bKeski,

That is correct, as of now this cannot be done via MS Graph.

Nevertheless, the old PowerShell modules will been discontinued until March 2024:

https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/microsoft-entra-new-feature-and-change-announcements/ba-p/3796396