This article provides answers to frequently asked questions about PowerShell Deprecation for Azure AD, Azure AD-Preview, and MS Online.
Table of Contents
What change is happening?
How does this change impact Okta’s integration with Microsoft?
What has Okta done to mitigate this change?
We have an Office 365 app that uses Single Sign-On integrations. What should I do?
How do you identify the use of MSOnline and AzureAD PowerShell modules in your Microsoft tenants?
Is Microsoft enforcing any outage for this change?
How long do I have to make these changes?
I have migrated Office 365's Single Sign-On to MS Graph. What action do I need to take?
What’s happening with AzureAD PowerShell?
How do I update an Office 365 App instance to support Microsoft Graph?
After the upgrade, we are still seeing connections from the PowerShell endpoint used for authentication. Will this impact our tenant during the Microsoft outage or after Microsoft discontinues the use of PowerShell?
Q: What change is happening?
A: Microsoft has announced the deprecation of the MSOnline and Azure AD PowerShell modules, effective March 30, 2025. The retirement process for the MSOnline PowerShell module will commence in early April 2025 and is expected to conclude by late May 2025.
Q: How does this change impact Okta’s integration with Microsoft?
A: Historically, Okta has utilized MSOnline PowerShell modules for Office 365 Single Sign-On (WSFed Auto & Manual) integrations. We anticipate that customers who have not migrated their Single Sign-On integrations by March 30, 2025, may experience disruptions.
Q: What has Okta done to mitigate this change?
A: Last year, we upgraded our Single Sign-On (WSFed Auto) integrations to eliminate the need for Azure Administrator credentials. This upgrade introduced a modern and secure OAuth-based flow leveraging the Microsoft Graph framework. For customers using the Manual with PowerShell configuration, we provided guidance on transitioning federation to MSGraph cmdlets (Connect-MgGraph).
Q: We have an Office 365 app that uses Single Sign-On integrations. What should I do?
A: For detailed instructions on transitioning these integrations to Microsoft Graph, please refer to the articles below.
- For Single Sign-On (WS-Fed Auto): Customers with an Office 365 app in Okta configured with WS-Fed Auto should follow this step-by-step guide.
- For Single Sign-On (WS-Fed Manual): Customers with an Office 365 app in Okta configured with WS-Fed Manual should follow this step-by-step guide.
Q: How do you identify the use of MSOnline and AzureAD PowerShell modules in your Microsoft tenants?
A: Microsoft Entra sign-in logs can be used to identify logins from MSOnline and AzureAD PowerShell. These log events provide information about the client and user for the PowerShell session. To use them:
- Navigate to the Microsoft Entra Admin Center.
- Expand Identity and click Show more.
- Under Monitoring & Health, select Sign-in logs.
- Select the User sign-ins (non-interactive) tab, then click Add filters to launch the Pick a field object picker.
- Select Application and click Apply.
- In the Application prompt, enter Azure Active Directory PowerShell and click Apply.
- Repeat these steps for user sign-ins (interactive) logs.
Both MSOnline PowerShell and AzureAD PowerShell sign-in events appear with the Application Name Azure Active Directory PowerShell.
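The same filter can be applied offline to sign-in records downloaded from both tabs as JSON. The following is an added example, not Okta's or Microsoft's code; it assumes the export uses the Microsoft Graph signIn field names (appDisplayName, userPrincipalName, createdDateTime, ipAddress, isInteractive), and the sample records are constructed.

```python
import json
from collections import defaultdict

# Application name both legacy modules sign in under, per the answer above.
LEGACY_APP = "Azure Active Directory PowerShell"

def _rec(ts, upn, app, ip, interactive):
    # Field names are assumed to match the Microsoft Graph signIn resource.
    return {"createdDateTime": ts, "userPrincipalName": upn,
            "appDisplayName": app, "ipAddress": ip, "isInteractive": interactive}

# Constructed sample export (users, IPs and times are made up).
SAMPLE_EXPORT = json.dumps([
    _rec("2025-02-03T09:14:22Z", "Admin@contoso.example", LEGACY_APP, "203.0.113.10", True),
    _rec("2025-02-03T09:20:05Z", "admin@contoso.example", LEGACY_APP, "203.0.113.10", False),
    _rec("2025-02-11T17:42:51Z", "admin@contoso.example", LEGACY_APP, "198.51.100.7", False),
    _rec("2025-02-12T01:00:00Z", "svc-sync@contoso.example", LEGACY_APP, "192.0.2.44", False),
    _rec("2025-02-12T08:30:10Z", "admin@contoso.example",
         "Microsoft Graph Command Line Tools", "203.0.113.10", True),
    _rec("2025-02-12T08:31:00Z", "admin@contoso.example", None, "203.0.113.10", True),
])

def legacy_powershell_usage(export_json, app_name=LEGACY_APP):
    """Summarise sign-ins to the legacy PowerShell application, one row per user."""
    per_user = defaultdict(lambda: {"interactive": 0, "non_interactive": 0,
                                    "ips": set(), "first": None, "last": None})
    for rec in json.loads(export_json):
        # Skip other applications and records with no application name.
        if (rec.get("appDisplayName") or "").strip().lower() != app_name.lower():
            continue
        row = per_user[(rec.get("userPrincipalName") or "<unknown>").lower()]
        row["interactive" if rec.get("isInteractive") else "non_interactive"] += 1
        if rec.get("ipAddress"):
            row["ips"].add(rec["ipAddress"])
        ts = rec.get("createdDateTime")
        if ts:
            # Same-format UTC ISO 8601 strings sort chronologically as text.
            row["first"] = ts if row["first"] is None else min(row["first"], ts)
            row["last"] = ts if row["last"] is None else max(row["last"], ts)
    return {user: {**row, "ips": sorted(row["ips"])}
            for user, row in sorted(per_user.items())}

if __name__ == "__main__":
    for user, row in legacy_powershell_usage(SAMPLE_EXPORT).items():
        print(user, row)
```

The per-user rows give the accounts, source addresses and date range to follow up on when planning the migration away from the legacy modules.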
Q: Is Microsoft enforcing any outage for this change?
A: To prepare customers for the retirement of MSOnline PowerShell, Microsoft will implement a series of temporary outages from January through March 2025. MSOnline cmdlets will fail during these outages, displaying a message indicating that MSOnline PowerShell is disallowed. The anticipated timeline for these temporary outages is as follows:
- Between January 20, 2025, and February 28, 2025, tenants will experience at least two (2) temporary outages for MSOnline PowerShell, each lasting 3 to 8 hours, at different times of the day.
- During March 2025, all tenants will undergo a longer temporary outage as final preparation for the retirement of MSOnline PowerShell, which starts in April 2025.
After each of these temporary outages, functionality will be restored to allow continued migration of MSOnline PowerShell usage.
Q: How long do I have to make these changes?
A: Microsoft has announced that in March 2025, all tenants will experience a temporary extended outage as part of the final preparations for the retirement of MSOnline PowerShell. To reduce the impact, Okta strongly recommends that all customers move to the upgraded integrations by March 30, 2025.
Q: I have migrated Office 365's Single Sign-On to MS Graph. What action do I need to take?
A: There is no other action needed.
Q: What’s happening with AzureAD PowerShell?
A: Microsoft has officially announced that the deprecation notice period for AzureAD PowerShell will conclude on March 30, 2025. After this date, Microsoft will cease all maintenance and support for the service, with plans to retire AzureAD PowerShell in the third quarter of 2025.
Q: How do I update an Office 365 App instance to support Microsoft Graph?
A: To update an Office 365 App instance to support Microsoft Graph, refer to Update Office 365 App Instance to Support Microsoft Graph.
Q: After the upgrade, we are still seeing connections from the PowerShell endpoint used for authentication. Will this impact our tenant during the Microsoft outage or after Microsoft discontinues using PowerShell?
A: Okta does not use a PowerShell endpoint to connect to AAD. Okta uses the latest MS Graph endpoint, but the client-appId sent in the request is for PowerShell. That is why the Audit log shows the application as “Azure AD PowerShell.” This is a cosmetic change and does not impact any functionality, and authentication requests will continue to work.
