Merge pull request #9071 from MicrosoftDocs/main

Auto push to live 2025-06-05 10:02:01

Author: Deland-Han

support/azure/general/cannot-see-users-groups-list-iam.md

@@ -1,9 +1,9 @@
 ---
 title: Can't see list of users/groups to add permissions in IAM in Azure portal
 description: Resolves an issue in which you can't see list of users or groups when adding permissions in Access Control (IAM) in the Azure portal.
-ms.date: 08/14/2020
+ms.date: 06/05/2025
 ms.service: azure-common-issues-support
-ms.custom: has-azure-ad-ps-ref
+ms.custom: no-azure-ad-ps-ref
 ms.author: genli
 author: genlin
 ms.reviewer: 
@@ -37,31 +37,13 @@ To resolve this issue, use one of the following methods:
 
 ### Method 2: To allow only the one guest user or configure on a per user basis
 
-[!INCLUDE [Azure AD PowerShell deprecation note](~/../support/reusable-content/msgraph-powershell/includes/aad-powershell-deprecation-note.md)]
-
-1. Open Windows PowerShell.
-2. Run the following cmdlet:
-
-    ```powershell
-    Import-Module AzureAd
-    ```
-
-     Make sure that the Azure Active Directory PowerShell for Graph is installed. For more information, see [Azure Active Directory PowerShell for Graph](/powershell/azure/active-directory/install-adv2?view=azureadps-2.0&preserve-view=true).
-
-3. As a global administrator of the directory where the guest user was added, connect to Azure AD PowerShell and the directory:
+1. Make sure that the [Microsoft Graph PowerShell is installed](/powershell/microsoftgraph/installation).
+1. Use the `Connect-MgGraph` command to sign in with the required scopes. For more information, see [Get started with the Microsoft Graph PowerShell SDK](/powershell/microsoftgraph/get-started).
+1. Run the [Update-MgUser](/powershell/module/microsoft.graph.users/update-mguser) cmdlet:
 
     ```powershell
-    Connect-AzureAD -TenantId 'Tenant_Directory_Id'
+   Update-MgUser -UserId '0ba17ca9-0000-0000-0000-a5e34bc4803b' -UserType Member
     ```
-
-    You can get the Tennat ID by looking at your Microsoft Entra ID Properties in the Azure portal.
-
-4. Run the following cmdlet:
-
-    ```powershell
-    Set-AzureADUser -ObjectId 'User_Object_Id' -UserType Member
-    ```
-
     You can get the users Object ID by looking at the Users Profile page within the Azure portal.
 
 [!INCLUDE [Azure Help Support](../../includes/azure-help-support.md)]

support/entra/entra-id/dir-dmns-obj/term-cmdlet-name-not-recognized-aad-cmdlet.md

@@ -4,7 +4,7 @@ description: Describes an issue in which you receive an error message when you t
 ms.date: 07/06/2020
 ms.reviewer: 
 ms.service: entra-id
-ms.custom: sap:Directory Management, has-azure-ad-ps-ref
+ms.custom: sap:Directory Management, no-azure-ad-ps-ref
 ---
 # Error when you try to run Azure Active Directory module for Windows PowerShell cmdlets: The term \<cmdlet name> is not recognized
 

support/entra/entra-id/dir-dmns-obj/troubleshoot-dynamic-groups.md

@@ -3,7 +3,7 @@ title: Troubleshoot dynamic groups
 description: This article helps you diagnose and resolve issues with dynamic groups.
 ms.date: 04/17/2025
 ms.service: entra-id
-ms.custom: sap:Groups, has-azure-ad-ps-ref
+ms.custom: sap:Groups, no-azure-ad-ps-ref
 ms.reviewer: mimart, v-weizhu, v-loeide, mbhargav, yuhko, barclayn
 ---
 # Troubleshoot dynamic groups
@@ -246,9 +246,7 @@ Before attempting to delete a group in Microsoft Entra ID, ensure you have [dele
 
 ### Delete a group<a id="21"></a>
 
-1. Groups can be deleted from the directory [using the Remove-AzureADGroup cmdlet in the Azure AD PowerShell module](/azure/active-directory/users-groups-roles/groups-settings-v2-cmdlets#delete-groups).
-
-   [!INCLUDE [Azure AD PowerShell deprecation note](~/../support/reusable-content/msgraph-powershell/includes/aad-powershell-deprecation-note.md)]
+1. Groups can be deleted from the directory [using the `Remove-MgGroup` cmdlet in the Microsoft Graph PowerShell](/powershell/module/microsoft.graph.groups/remove-mggroup).
 
 1. Before attempting to delete a group in Microsoft Entra ID, ensure you have [deleted all assigned licenses  to avoid errors](/azure/active-directory/users-groups-roles/licensing-group-advanced#deleting-a-group-with-an-assigned-license).
 

support/entra/entra-id/user-prov-sync/cannot-manage-objects.md

@@ -4,7 +4,7 @@ description: Resolves an issue that you can't manage or remove objects created t
 ms.date: 08/30/2021
 ms.reviewer: 
 ms.service: entra-id
-ms.custom: sap:Microsoft Entra Connect Sync, has-azure-ad-ps-ref
+ms.custom: sap:Microsoft Entra Connect Sync, no-azure-ad-ps-ref
 ---
 # Can't manage or remove objects that were synchronized through the Azure Active Directory Sync tool
 
@@ -34,24 +34,23 @@ This issue may occur if one or more of the following conditions are true:
 
 You want to manage objects in Office 365, Azure, or Intune and you no longer want to use directory synchronization.
 
-[!INCLUDE [Azure AD PowerShell deprecation note](~/../support/reusable-content/msgraph-powershell/includes/aad-powershell-deprecation-note.md)]
-
-1. If you're not running Windows 10, install the 64-bit version of the Microsoft Online Services Sign-in Assistant: [Microsoft Online Services Sign-in Assistant for IT Professionals RTW](https://download.microsoft.com/download/7/1/E/71EF1D05-A42C-4A1F-8162-96494B5E615C/msoidcli_32bit.msi).
-1. Install the Microsoft Azure Active Directory module for Windows PowerShell:
-
-    1. Open an elevated Windows PowerShell command prompt (run Windows PowerShell as an administrator).
-    2. Run the `Install-Module MSOnline` command.
-
-1. Disable directory synchronization by running the following command:
+1. Make sure that [Microsoft Graph PowerShell is installed](/powershell/microsoftgraph/installation).
+1. Use the `Connect-MgGraph` command to sign in with the required scopes such as `Organization.ReadWrite.All`. For more information, see [Get started with the Microsoft Graph PowerShell SDK](/powershell/microsoftgraph/get-started). 
+1. Disable directory synchronization by running the [Update-MgOrganization](/powershell/module/microsoft.graph.identity.directorymanagement/update-mgorganization) command. 
 
     ```powershell
-     Set-MsolDirSyncEnabled -EnableDirSync $false
+    $organizationId = (Get-MgOrganization).Id
+    
+    $params = @{
+    onPremisesSyncEnabled = $False
+    }
+    
+    Update-MgOrganization -OrganizationId $organizationId -BodyParameter $params
     ```
-
-1. Check that directory synchronization was fully disabled by using the Windows PowerShell. To do it, run the following command periodically:
+1. Check that directory synchronization was fully disabled. To do it, run the following command:
 
     ```powershell
-     (Get-MSOLCompanyInformation).DirectorySynchronizationEnabled
+     Get-MgOrganization | Select OnPremisesSyncEnabled
     ```
 
     This command will return **True** or **False**. Continue to run this command periodically until it returns **False**, and then go to the next step.
@@ -60,7 +59,7 @@ You want to manage objects in Office 365, Azure, or Intune and you no longer wan
 
 1. Try to update an object by using Windows PowerShell or by using the cloud service portal.
 
-     Step 4 may take a while to be completed. There's a process in the cloud service environment that computes attribute values. The process must be completed before the objects can be changed by using Windows PowerShell or by using the cloud service portal.
+     Step 3 may take a while to be completed. There's a process in the cloud service environment that computes attribute values. The process must be completed before the objects can be changed by using Windows PowerShell or by using the cloud service portal.
 
 ### You delete an object from an on-premises AD DS. However, the object isn't deleted from your cloud service subscription account
 
@@ -70,14 +69,20 @@ Force directory synchronization by using the steps on this article: [Start the S
 - If all updates and deletions aren't synchronized to the cloud service, contact Support.
 
     > [!NOTE]
-    > As an alternative resolution for this scenario, an object can be manually deleted in the cloud service. However, the object can't be updated in the cloud service. For more information about how to resolve this issue, see the following Microsoft Knowledge Base article: [Object deletions aren't synchronized to Microsoft Entra ID when using the Azure Active Directory Sync tool](https://support.microsoft.com/help/2709902).  
+    > As an alternative resolution for this scenario, an object can be manually deleted in the cloud service. However, the object can't be updated in the cloud service. For more information about how to resolve this issue, see the following Microsoft Knowledge Base article: [Object deletions aren't synchronized to Microsoft Entra ID when using the Azure Active Directory Sync tool](https://support.microsoft.com/help/2709902).  
 
 ## More information
 
-To re-enable directory synchronization, run the following command:
+To re-enable directory synchronization, run the following commands:
 
 ```powershell
-Set-MsolDirSyncEnabled -EnableDirSync $true
+$organizationId = (Get-MgOrganization).Id
+
+$params = @{
+onPremisesSyncEnabled = $True
+}
+
+Update-MgOrganization -OrganizationId $organizationId -BodyParameter $params
 ```
 
 It's important to plan carefully when you re-enable directory synchronization. If you used the cloud service portal or Windows PowerShell to make any changes directly to the objects that were originally synchronized from on-premises AD DS, the changes will be overwritten by on-premises attributes and settings the first time that synchronization occurs after directory synchronization is re-enabled.

support/entra/entra-id/user-prov-sync/object-deletions-not-sync.md

@@ -1,12 +1,12 @@
 ---
-title: Object deletions aren't synchronized to Microsoft Entra ID when using the Azure AD Connect
+title: Object deletions aren't synchronized to Microsoft Entra ID when using the Microsoft Entra ID Connect
 description: Describes an issue in which a deleted on-premises Active Directory object isn't removed from Microsoft Entra ID when directory synchronization is used in Office 365, Azure, or Microsoft Intune.
 ms.date: 10/19/2023
 ms.reviewer: 
 ms.service: entra-id
-ms.custom: sap:Microsoft Entra Connect Sync, has-azure-ad-ps-ref
+ms.custom: sap:Microsoft Entra Connect Sync, no-azure-ad-ps-ref
 ---
-# Object deletions aren't synchronized to Microsoft Entra ID when using the Azure AD Connect
+# Object deletions aren't synchronized to Microsoft Entra ID when using the Microsoft Entra ID Connect
 
 _Original product version:_   Cloud Services (Web roles/Worker roles), Microsoft Entra ID, Microsoft Intune, Azure Backup, Office 365 Identity Management  
 _Original KB number:_   2709902
@@ -32,31 +32,22 @@ This issue may occur if one of the following conditions is true:
 
 To fix this issue, follow these steps:
 
-1. Ensure that the ADSyncTools module is installed for PowerShell. For more information, see [Microsoft Entra Connect: ADSyncTools PowerShell Reference](/azure/active-directory/hybrid/connect/reference-connect-adsynctools).
+1. Make sure that the [Microsoft Graph PowerShell module](/powershell/microsoftgraph/installation) and [ADSyncTools PowerShell module](/azure/active-directory/hybrid/connect/reference-connect-adsynctools ) are installed.
 1. Run the following ADSync command to force directory synchronization:
     ```powershell
     Start-ADSyncSyncCycle -PolicyType Initial
     ```
-1. If sync is working correctly but the Active Directory object deletion is still not propagated to Microsoft Entra ID, manually remove the orphaned object. To do so, use one of the following cmdlets in Azure Active Directory module for Windows PowerShell:
+1. If sync is working correctly but the Active Directory object deletion is still not propagated to Microsoft Entra ID, manually remove the orphaned object. To do so, use one of the following Microsoft Graph PowerShell cmdlets:
 
-    ```powershell
-    Remove-MsolContact
-    ```
-
-    ```powershell
-    Remove-MsolGroup
-    ```
-
-    ```powershell
-    Remove-MsolUser
-    ```
-
-    [!INCLUDE [Azure AD PowerShell deprecation note](~/../support/reusable-content/msgraph-powershell/includes/aad-powershell-deprecation-note.md)]
+    - [Remove-MgContact](/powershell/module/microsoft.graph.identity.directorymanagement/remove-mgcontact)
+    - [Remove-MgGroup](/powershell/module/microsoft.graph.groups/remove-mggroup)
+    - [Remove-MgUser](/powershell/module/microsoft.graph.users/remove-mguser)
 
     For example, to manually remove orphaned user ID `[email protected]` that was originally created by using directory synchronization, you would run the following cmdlet:
 
      ```powershell
-     Remove-MsolUser -UserPrincipalName [email protected]
+     $user = Get-MgUser -Filter "userPrincipalName eq '[email protected]'"
+     Remove-MgUser -UserId $user.id
      ```
 
 [!INCLUDE [Azure Help Support](../../../includes/azure-help-support.md)]

support/entra/entra-id/user-prov-sync/password-writeback-error-code-sspr-009.md

@@ -1,10 +1,10 @@
 ---
 title: Microsoft Entra Administrators can't reset their own password from cloud
 description: "Troubleshoot error SSPR_009: You can't reset your own password because password reset isn't turned on for your organization."
-ms.date: 02/11/2022
+ms.date: 06/05/2025
 ms.reviewer: jarrettr, nualex, v-leedennis
 ms.service: entra-id
-ms.custom: sap:User Sign-in or password Problems, has-azure-ad-ps-ref, azure-ad-ref-level-one-done
+ms.custom: sap:User Sign-in or password Problems, no-azure-ad-ps-ref, azure-ad-ref-level-one-done
 keywords:
 #Customer intent: As a user with a Microsoft Entra Administrator role, I want to avoid SSPR_009 errors so that I can reset my own password from the cloud.
 ---
@@ -33,10 +33,16 @@ The old SSPR-A implementation is used when a Microsoft Entra account has an admi
 
 ## Solution
 
-Enable SSPR-A on the tenant by running the [Set-MsolCompanySettings](/powershell/module/msonline/set-msolcompanysettings) PowerShell cmdlet, as follows:
+Enable SSPR-A on the tenant by running the [Update-MgPolicyAuthorizationPolicy](/powershell/module/microsoft.graph.identity.signins/update-mgpolicyauthorizationpolicy) Microsoft Graph PowerShell cmdlet, as follows:
 
 ```powershell
-Set-MsolCompanySettings -SelfServePasswordResetEnabled $true
-```
+Import-Module Microsoft.Graph.Identity.SignIns
+
+$params = @{
+	allowedToUseSSPR = $true
+}
 
+Update-MgPolicyAuthorizationPolicy -BodyParameter $params
+```
+For more information, see [Get started with the Microsoft Graph PowerShell SDK](/powershell/microsoftgraph/get-started)
 [!INCLUDE [Azure Help Support](../../../includes/azure-help-support.md)]

support/entra/entra-id/user-prov-sync/pwd-hash-sync-auto-enable.md

@@ -4,7 +4,7 @@ description: Fixes a problem in which Password Hash Synchronization is automatic
 ms.date: 05/28/2020
 ms.reviewer: 
 ms.service: entra-id
-ms.custom: sap:Microsoft Entra Connect Sync, has-azure-ad-ps-ref
+ms.custom: sap:Microsoft Entra Connect Sync, no-azure-ad-ps-ref
 ---
 # Password Hash Sync is automatically enabled during Microsoft Entra Connect Pass-through Authentication
 
@@ -74,11 +74,8 @@ Optionally, if you want to clear password hashes that are already synchronized t
    2. Select the **Customize synchronization options** task.
    3. On the **Optional features** page, clear the **Password writeback** feature check box.
    4. Complete the wizard.
-2. Use the [Set-MsolUserPassword](/powershell/module/msonline/set-msoluserpassword?view=azureadps-1.0&preserve-view=true) cmdlet to set random passwords on all affected users. You have to run this cmdlet five times for each user because Microsoft Entra ID stores the last four password hashes in the password hash history.
-
-[!INCLUDE [Azure AD PowerShell deprecation note](~/../support/reusable-content/msgraph-powershell/includes/aad-powershell-deprecation-note.md)]
-
->[!NOTE]
-> The Set-MsolUserPassword cmdlet does not work if the user is using a federated domain. To clear password hashes for the user in the federated domain, you must change the UPN of the user to a non-federated domain, and then run the cmdlet to set the random password. After that, revert the UPN of the user to the original state.
+2. Use the [Reset-MgUserAuthenticationMethodPassword](/powershell/module/microsoft.graph.identity.signins/reset-mguserauthenticationmethodpassword) cmdlet to set random passwords on all affected users. You have to run this cmdlet five times for each user because Microsoft Entra ID stores the last four password hashes in the password hash history.
 
+    >[!NOTE]
+    >If the cmdlet doesn't work for a federated domain user, you may need to temporarily change the UPN of the user to a non-federated domain, and then run the cmdlet to set the random password. After that, revert the UPN of the user to the original state.
 [!INCLUDE [Azure Help Support](../../../includes/azure-help-support.md)]

support/entra/entra-id/user-prov-sync/troubleshoot-aad-connect-objects-attributes.md

@@ -5,7 +5,7 @@ ms.date: 03/04/2025
 ms.reviewer: nualex, v-weizhu
 editor: v-jesits
 ms.service: entra-id
-ms.custom: sap:Microsoft Entra Connect Sync, has-azure-ad-ps-ref
+ms.custom: sap:Microsoft Entra Connect Sync, no-azure-ad-ps-ref
 ---
 
 # End-to-end troubleshooting of Microsoft Entra Connect objects and attributes