Why is Az 7 an important release for Azure PowerShell?

The Azure PowerShell team is proud to announce a new major version of the Az PowerShell module. Following our release cadence, this is the second breaking change release for 2021. Because this release includes updates related to security and the switch to MS Graph, we recommend that you review the release notes before upgrading.

MS Graph support

Azure PowerShell offers a set of cmdlets allowing basic management of AzureAD resources (Applications, Service Principal, Users, and Groups). Through Az 6.x, those cmdlets were using the AzureAD Graph API. Starting with Az 7, those cmdlets are now using the Microsoft Graph API. Because the AzureAD Graph API has announced its retirement, we highly recommend that you consider upgrading to Az 7 at your earliest convenience.

The parameters required depend on the API definition and so does the object returned on the response of the API. Our north star in this effort has been to minimize the breaking changes exposed by the cmdlets. Because of the behavior differences between MS Graph API and AzureAD Graph API, some breaking changes could not be avoided. For example, the MS Graph API does not allow setting the password when creating a Service Principal. We removed this parameter from the new cmdlets.
In some cases, cmdlets of a service transparently execute Azure AD operations. For example, when creating an AKS cluster, a service principal will be created if it is not provided. Az.KeyVault, Az.AKS, Az.SQL have been updated and now use Microsoft Graph for those transparent operations. Az.HDInsights, Az.StorageSync, Az.Synapse and Authorization cmdlets in Az.Resources will be updated shortly, this will be transparent.
For your convenience, we have compiled the breaking changes in the article: AzureAD to Microsoft Graph migration changes in Azure PowerShell.
Should you face issues with the Graph cmdlets, please consult our troubleshooting guide or open an issue on GitHub.

Invoke-AzRestMethod supports data plane and MS Graph.

The purpose of the `Invoke-AzRestMethod` cmdlet is to offer a backup solution for when a native cmdlet does not exist for a given resource.
Our initial implementation of this cmdlet supported only management plane operations for Azure Resource Manager. With the support for MS Graph, we updated this cmdlet so it could also serve as a backup to manage MS Graph resources. From the module implementation, the MS Graph API is considered like a data plane API so we added support for MS Graph any Azure data plane.
For example, the following command will retrieve information about the current signed in user via the MS Graph API:

Invoke-AzRestMethod –Uri https://graph.microsoft.com/v1.0/me

Security improvement

When connecting with a service principal, we identified that the secret associated with a service principal or the certificate password would be exposed in a nested property of the object returned by `Connect-AzAccount`. We removed the properties named `ServicePrincipalSecret` and `CertificatePassword` from this object.
Since this property could be exposed in logs or debugging traces of scripts running in automation environments like ADO, we highly recommend that you consider upgrading to the most recent version of Az.Accounts or Az.

Improved support for cloud native services (AKS and ACI updates)

We are continuing our efforts to improve the support of container-based services. In this release, we focused on AKS and ACI.
`Invoke-AzAksRunCommand` has been added to run a shell command using kubectl or helm against an AKS cluster. The response is available as a property of the returned object. This cmdlet greatly simplifies the management of the resources in a cluster. Since the cmdlet also supports file attachment, it is possible to manage Kubernetes clusters and associated applications (for example via a helm chart) directly from PowerShell.
We have greatly improved networking support of AKS clusters. We’ve added support for the following parameters: 'NetworkPolicy', 'PodCidr', 'ServiceCidr', 'DnsServiceIP', 'DockerBridgeCidr', 'NodePoolLabel', 'AksCustomHeader', 'EnableNodePublicIp', and 'NodePublicIPPrefixID’.
We also improved the manageability of nodes in an AKS cluster using Azure PowerShell. It is now possible to perform the following operations:

• Change the number of nodes in a node pool
• Upgrade cluster when node pool version does not match the cluster version

We made two additions to the ACI (Azure Container Instance) module:

• `Invoke-AzContainerInstanceCommand` now establishes a connection with the container and returns the output of the command that was executed within the container.
• `Restart-AzContainerGroup` has been added. If a container image has been updated, containers will run with the new version.

We will continue to improve the PowerShell experience with services running cloud native applications.

Additional resources

The Azure PowerShell team is listening to your feedback on the following channels:

• GitHub issues to report issues or feature requests. We triage issues several times a week and provide an initial answer as soon as we can.
• GitHub discussions to open discussions or share best practices.
• @AzurePosh on Twitter to engage informally with the team.

Thank you!

Damien,
on behalf of the Azure PowerShell team