What is this for?

In general the Model Context Protocol (MCP) is a standard that lets AI models securely and consistently access external tools, data, and services.

In our case the MCP is adressing GraphAPI. Its abilities is defined by its MCP Server scopes. Of course you know some of them, like User.Read.All or Organization.Read.All.
🔴First key takeaway: the MCP has read-only scopes. In case you need more details on scopes, have a look here.
🔴Next takeaway is about licensing: There are no extra cost or separate licenses. But the right licenses are required for the data you want to access (for example Entra ID P2 licenses for Privileged Identity Management data)

The process how the MCP works looks like this:

You will recognize the single steps at the end of the post in my short ref case.

What do you have to do?

Honestly - just follow the Microsoft article because its on point. Let me outline the basic steps for you:

1. Install Microsoft.Entra.Beta PowerShell module (version 1.0.13 or later):

    Install-Module Microsoft.Entra.Beta -Force -AllowClobber
   

2. To register the MCP Server, you have to connect to Entra and consent to the required permissions:

    Connect-Entra -Scopes 'Application.ReadWrite.All', 'Directory.Read.All', 'DelegatedPermissionGrant.ReadWrite.All'
   

3. Register the Microsoft MCP Server for Enterprise in your tenant and grant all permissions to Visual Studio Code:

    Grant-EntraBetaMCPServerPermission -ApplicationName VisualStudioCode
   

4. After the grant you will find some new Enterprise Applications:

   | Name | Globally unique appId (client ID) | | --- | --- | | Microsoft MCP Server for Enterprise | e8c77dc2-69b3-43f4-bc51-3213c9d915b4 | | Visual Studio Code | aebc6443-996d-45c2-90f0-388ff96faa56 |

   The “server“ app ships a service principal with the endpoint https://mcp.svc.cloud.microsoft/enterprise

   

   The “client“ app named “Visual Studio Code“ has the defined MCP scopes:

   

5. Connect to MCP using VS Code

   Go for it and click Install Microsoft MCP Server for Enterprise to open VS Code's MCP install page:

After a successfull authentication you and your MCP are set.

Prompting

I have started prompting in VS Code by an easy idea: I asked to evaluate the oldest user logins.
It’s fun to see how natural language is translated to proper Graph calls and vice versa:

To understand the documented process above about how the MCP Server works, I created a short recording. Every M365 admin should relate these daily basic tasks:

Monitoring

Because of the Enterprise App you can easily monitor the Microsoft MCP Server activity logs with KQL:

MicrosoftGraphActivityLogs
| where TimeGenerated >= ago(30d)
| where AppId == "e8c77dc2-69b3-43f4-bc51-3213c9d915b4"
| project RequestId, TimeGenerated, UserId, RequestMethod, RequestUri, ResponseStatusCode

What’s next?

A next step I like to try, is to use a custom MCP client and not VS Code. In case this happens, I will let you know for sure. 😁
Another idea is to attach Azure Foundry as outlined here.
And the final takeaway: 🔴 In case you want more than just read stuff from your tenant - have a look at lokka.dev or just be patient because write access is on the roadmap:

“Support for write operations is planned for a future release.“

And to optimize the preview service, you can give feedback here.

But let’s start with the issue. Maybe you guys have encountered the following error:

Could not load file or assembly 'C:\Users\User\UsersOneDrive\Documents\PowerShell\Modules\ExchangeOnlineManagement\3.9.0\netCore\Microsoft.Identity.Client.dll'. The located assembly's manifest definition does not match the assembly reference.(0x80131040)

I faced that today (once again) after updating some modules. Thankfully I found an PowerShell module called MicrosoftGraphPS created by Microsoft MVP Morten Knudsen.

To get your PowerShell house keeping done, just install the module (I just ran it in my user context):

Install-Module -Name MicrosoftGraphPS -Repository PSGallery -Force -Scope CurrentUser

Then you can run it with the following options:

1. Show details only

    Manage-Version-Microsoft.Graph -Scope CurrentUser
   

2. Show details, install latest and clean-up old versions

    Manage-Version-Microsoft.Graph -CleanupOldMicrosoftGraphVersions -Scope CurrentUser
   

3. Install, Update and Clean-up older Microsoft Graph versions (except the latest available version)

    Manage-Version-Microsoft.Graph -InstallLatestMicrosoftGraph -CleanupOldMicrosoftGraphVersions -Scope CurrentUser
   

I stick to these options because these are the most practical for me. There are some more enforce a re-installation or remove all versions of the Graph modules (but that’s not happening EVER 😜). Check out the readme of the module for further details. You can also use a scheduled task to implement an automatic update cycle. At the moment I think I stick to the manual process, but let’s see…

After firing these cmdlets everything worked again and all conflicts are gone. In my case 18 older versions were removed:

How do you manage your modules and compatibilities? Please comment your approach. And now enjoy being on the latest and greatest version - also of yourself 👑

Intro

If you want your objects in sync in both directories you can have to options:

1. Entra Connect Sync (also known als Azure AD Connect in the good ol’ days)

2. Entra Cloud Sync

Today’s post is about the Connect Sync service. Long story short: The engine enables synchronization between on-premises Active Directory, Entra ID, and other third-party systems, ensuring consistency across the entire identity ecosystem.

Key components include the Connector, which links to source directories and manages data flow, and the Synchronization Engine, which handles the logic of mapping and transforming identity data between systems. The Agent is a lightweight service installed on the server, responsible for executing synchronization tasks:

In case you want to learn more about it, I recommend:

• Microsoft Entra Connect Sync: Technical concepts - Microsoft Entra ID | Microsoft Learn

• Microsoft Entra Connect Sync: Understanding the architecture - Azure - Microsoft Entra ID | Microsoft Learn

Issue

Back to business - the sync engine has to be updated. Auto Upgrade is eligible in some cases:

Ok, great but this post is because if a “Breaking Change on Entra Connect Sync”:

The latest version at the moment I am typing here is 2.4.129.0 and you have to have at least 2.4.18 (for commercial clouds) or 2.4.21.0 (for non-commercial clouds).
If you do not upgrade by the deadline of April 7,2025 the impacts are:

• All authentication requests to Microsoft Entra ID on the Microsoft Entra Connect wizard will fail.

• Configuration of Active Directory Federation Services (ADFS) scenarios through Microsoft Entra Connect wizard won't work.

• Configuration of PingFederate scenarios through the Microsoft Entra Connect wizard won't work.

But the good thing about that: The sync service will continue doing it’s job! ✅

Using Graph API

In case you want to automate the reporting on the Connect servers, where the agent is installed you should use Graph API. Back in the days I used the MSOL PowerShell module for that, but now this is gone, because of it’s deprecation. Since then I struggled finding the attributes which I was able to fetch back then by running:

Get-MsolCompanyInformation | select DisplayName,InitialDomain,DirSyncClientMachineName,DirSyncClientVersion,DirSyncServiceAccount,DirectorySynchronizationEnabled, DirectorySynchronizationStatus, LastDirSyncTime, LastPasswordSyncTime

Especially the DirSyncClientVersion is the attribute I am looking for. Mapping old cmdlets to new ones can be done via Find Azure AD and MSOnline cmdlets in Microsoft Graph PowerShell | Microsoft Learn. But both the Get-MgOrganization and the Get-MgBetaOrganization did not get me these insights. So I had a look at the native Graph API and found directory/onPremisesSynchronization.

For quick access to Graph API, you should use Graph Explorer or Postman. So I called https://graph.microsoft.com/beta/directory/onPremisesSynchronization to get some insights:

GET https://graph.microsoft.com/v1.0/directory/onPremisesSynchronization

Sadly, I did only get some configuration features. I just tried then the beta version of the API by calling:

GET https://graph.microsoft.com/beta/directory/onPremisesSynchronization

And there it is: synchronizationClientVersion‼️

While writing this post, I checked the Get-MgBetaDirectoryOnPremiseSynchronization. And here we go:

Nevertheless: I hope, if someone looks for that attribute he will find it here 😁

Last but not least… Consider moving to Microsoft Entra Cloud Sync. This is where I come back to the beginning, mentioning Entra Cloud Sync as second option. This approach is a SaaS that works from the cloud and allows to set up and manage their sync preferences online. But before you migrate, please evaluate first, because Cloud Sync does not fully support all hybrid scenarios like Connect Sync: https://aka.ms/EvaluateSyncOptions

Stay in sync 🔄️

…and follow for part two if you want to see how to script your report!

As we all know, sometimes things do not work as expected…in this case somebody uploaded a bunch of files resulting in extensive SharePoint storage usage. And of course the data has been deleted, but the site is configured for retention.

My general approach of deleting data, which is on hold is more or less the same:

1. If there are Retention Policies in place, exclude the site or group from the retention policy.

2. Close existing eDiscovery cases with a hold

3. Disable Data loss prevention (DLP) policies, if there are some

In my specific case I double-checked all parts of the game, but only had to set the retention policy exclusion. Five minutes later (after the policy status showed success) I browsed the Preservation Hold Library. Important to mention that this library keeps copies of all modified or deleted files as enforced by the Retention policy or eDiscovery holds. You can reach it by using “PreservationHoldLibrary“ as a suffix on your SharePoint site URL: https://TenantDomain.sharepoint.com/sites/SiteName/PreservationHoldLibrary

I tried to delete some files…and tried and tried. Every M365 admin knows that 5 minutes is not the appropriate period of time to get things changed. So I kept trying after 24 hours… But the error still told me very kind:

“Request was cancelled by event received. If attempting to delete a non-empty folder, it’s possible that it’s on hold.”

Of course the status of the retention policy was showing success and not pending. So I assumed the group site is excluded. I also tried to get insights with PowerShell and used the Invoke-HoldRemovalAction cmdlet to find applied holds. But there were no holds applied, so I still had to search for them:

The version history was still showing that the files are not expiring because they are on hold:

During a helpful Microsoft support case a guy told me to use the “Help & support“ in the M365 Admin Center to find and remove invalid retention policies by searching for: Remove invalid retention policy from SharePoint or OneDrive

Just run the test and magic happens: it shows the invalid policy, which still applies:

Just acknowledge and update in the wizard and there you go 🪄 Now I was ready to delete files and so I let it be, let it be, let it be, let it be… 🎶

Wow! Lesson learned - this thing is actually good for something!

And just in case you have to delete a lot of files use PowerShell with the PNP module.

$siteURL = "https://yourtenant.sharepoint.com/sites/yoursite"
$listName = "Preservation Hold Library"

# install PNP module [https://pnp.github.io/powershell/articles/installation.html]
Install-Module PnP.PowerShell -Scope CurrentUser

# register EntraID app for PnP PowerShell interactive login approach [https://pnp.github.io/powershell/articles/registerapplication.html]
Register-PnPEntraIDAppForInteractiveLogin -ApplicationName "PnP.App" -Tenant yourtenant.onmicrosoft.com -Interactive

# connect to SPO with PNP
Connect-PnPOnline -Url $siteURL -Interactive -ClientId <client id of your Entra ID Application Registration>

# get list
$list = Get-PnPList -Identity $listName 

# retrieves all list items from the list in pages of 1000 items and delete each item
Get-PnPListItem -List $list -PageSize 1000 -ScriptBlock {
        Param($items)
        Invoke-PnPQuery 
        } | ForEach-Object {
            # remove files without confirmation
            Remove-PnPListItem -Identity $_ -Force
        }

Time for a shout-out for my favorite site about SharePoint is https://www.sharepointdiary.com. Finally don’t forget to remove the exclude setting in the retention policy afterwards 😉

Hoping this blog will be alive - even if it looks like Frankenstein itself…

What`s the idea here?

Even if I like the idea and the simplicity of the mentioned binary system, there is more than black and white in all our everyday. I stick to that concept except for this blog design and coffee. Coffee should always and only be black - and honestly Starbucks offers no coffee.

But well - in case I consult customers about Microsoft 365 or Azure services I try to grey-scale at least. Because most cases allow different ways of technical solutions. In my opinion the task of the consultant is to break down some technical options with its advantages and drawbacks for the customer. Best case scenario would be to implement the best suitable concept.
Now answering the header question: Creativity

I want to share some exciting technical approaches or features out of the Microsoft universe. And of course there will be challenges, troubleshooting, drawbacks, issues and many more such things here, because everybody is aware of Microsoft`s well established blue screen of death, right? And that thing is absolutely the symbol of smash sumthin` …

Creativity, hm?!

Yepp - because this is what all IT architects, consultants, engineers unites: finding inventive solutions.
As well as job titles, too.

But yes, the Microsoft universe is a big one and I am far to humble to think I know a lot of it - so what can you expect here? Some key skills of good consultants are demarcation and honesty, so I define some topics, which you will find here:

• Microsoft 365

• Microsoft Entra

• Microsoft Security

• Scripting

• Automation

• Microsoft Microsoft

and of course things I forgot and sarcasm as well.