Facing Issues with MSOLService Deprecation — Best Practice for Azure SSO with OpenIAM?

straee · July 14, 2025, 5:36am

Hi everyone,

I’m working on integrating OpenIAM with Microsoft Entra ID (Azure AD) for SAML SSO.
The OpenIAM documentation still references using Connect-MsolService for some parts of the setup, but as you know, MSOL PowerShell is now deprecated, and my tenant has security defaults/modern auth, so MSOL calls fail with Access Denied.

Here’s my situation:

OpenIAM is the IdP — Entra ID (Azure) is the SP.
I have a working SAML metadata and can import it in Azure.
My domain is verified, and I added the DirectFedAuthUrl TXT record properly.
The Connect-MsolService part keeps failing due to the deprecation.
I can connect with Microsoft Graph PowerShell (Connect-MgGraph works).

What I want:

When users authenticate via OpenIAM, they get SSO access to Azure services.
When I create or update user accounts or passwords, the changes sync to Entra ID reliably.
No legacy MSOL dependency — fully modern Graph API flow.

My questions for the community:

Does anyone have a step-by-step for setting up SAML SSO with OpenIAM as IdP using only Microsoft Graph?
Any custom connectors or Groovy scripts people have made to replace the MSOL calls with Graph API?
How do you handle password writeback or syncing in this setup? Should I force OpenIAM to update AD and let AAD Connect handle the sync to Entra instead?

If you’ve done this with Graph only, please share:

Any working scripts
Updated connector config
Gotchas to watch for

I’m happy to test and share my results back with the community!

Thank you in advance — any tips would help a lot!

ameet_shah · July 14, 2025, 10:41pm

Hello Aaron,

Thank you for the post. I am checking with my team and will get back to you shortly.

Ameet

ameet_shah · July 15, 2025, 5:19pm

Hello Aaron,

I will post the reply from one of our engineers below:
**
The client have to use Microsoft Graph PowerShell SDK
Install Microsoft.Graph module via PowerShell:
Install-Module Microsoft.Graph -Scope AllUsers

After installing Microsoft.Graph module, need connect to Azure with Administrator privileges
Connect-MgGraph -Scopes “Domain.ReadWrite.All”

Please follow Cmdlets:
Get-MgDomainFederationConfiguration -DomainId “openiamdemo.com” | Format-List * --Check if domain is federated
New-MgDomainFederationConfiguration
Update-MgDomainFederation

github.com/MicrosoftDocs/entra-docs

docs/identity/hybrid/connect/how-to-connect-fed-saml-idp.md

main

---
title: 'Microsoft Entra Connect: Use a SAML 2.0 Identity Provider for Single Sign On - Azure'
description: This document describes using a SAML 2.0 compliant Idp for single sign-on.

author: billmath
manager: femila
ms.custom: it-pro, has-azure-ad-ps-ref, azure-ad-ref-level-one-done
ms.service: entra-id
ms.tgt_pltfrm: na
ms.topic: how-to
ms.date: 04/09/2025
ms.subservice: hybrid-connect
ms.author: billmath

---

#  Use a SAML 2.0 Identity Provider (IdP) for Single Sign On

This document contains information on using a SAML 2.0 compliant SP-Lite profile-based Identity Provider as the preferred Security Token Service (STS) / identity provider. This scenario is useful when you already have a user directory and password store on-premises that can be accessed using SAML 2.0. This existing user directory can be used for sign-on to Microsoft 365 and other Microsoft Entra ID-secured resources. The SAML 2.0 SP-Lite profile is based on the widely used Security Assertion Markup Language (SAML) federated identity standard to provide a sign-on and attribute exchange framework.

This file has been truncated. show original

Soon we will update our documentation with using Microsoft Graph PowerShell SDK
**

Please let me know if you have any questions.

Thanks,
Ameet

Topic		Replies	Views
Microsoft Graph PowerShell Connector for Azure Application Onboarding	5	92	April 14, 2025
Further documentation on User Synchronization with MsGraph Powershell connector Application Onboarding	13	81	May 8, 2025
7. Integrating OpenIAM with your IdP Getting Started with OpenIAM	12	92	June 18, 2025
8. Integrating OpenIAM as your IdP Getting Started with OpenIAM	1	26	December 11, 2024
Adding an identity to a user after onboarding an application Application Onboarding	4	45	May 23, 2025

Facing Issues with MSOLService Deprecation — Best Practice for Azure SSO with OpenIAM?

Related topics