Description
Various commands, such as Remove-MgUser, do not flag the impact of the change as HIGH and therefore do not invoke the confirmation dialog.
For example, running Remove-MgUser -UserId <objectId> does not request the user confirm the change. I haven't done an exhaustive look at all cmdlets but this seems to be quite prevalent throughout the Microsoft.Graph identity related cmdlets. The default $confirmPreference in Powershell is HIGH (both 5.x and 7.x). Remove actions should be considered HIGH by default.
Looking at all the modules I could see, it looks like Microsoft has set the confirm impact as medium for all Remove cmdlets. Given that the Remove verb is meant to delete objects, this could be extremely dangerous and lead to accidental deletions. You could see this (at least with all the modules I'm using) like this:
PS C:\Temp> $impact = [regex]::new("ConfirmImpact='(?<ConfirmImpact>\S+)'")
PS C:\Temp> Get-Command -module Microsoft.Graph.* -Verb Remove | foreach { $commandRef = [PSCustomObject]@{Name = $_.Name; Source = $_.Source; ConfirmImpact = $Impact.Match($_.Definition).Groups['ConfirmImpact'].Value}; $commandRef } | group -Property ConfirmImpact,Source | ft Name,Count -AutoSize
Name Count
---- -----
Medium, Microsoft.Graph.Applications 21
Medium, Microsoft.Graph.DirectoryObjects 1
Medium, Microsoft.Graph.Groups 30
Medium, Microsoft.Graph.Identity.DirectoryManagement 25
Medium, Microsoft.Graph.Identity.Governance 37
Medium, Microsoft.Graph.Identity.SignIns 59
Medium, Microsoft.Graph.Reports 1
Medium, Microsoft.Graph.Users 15
Is this by design? It's been a long standing best practice that remove actions should be set to HIGH to prevent accidental deletions (or minimize them). All the modules above are v1.21.0.
Thanks!