June 2024 update on Azure AD Graph API retirement

Posted on by No Comments ↓

This post has been republished via RSS; it originally appeared at: Microsoft Entra Blog articles.

One year ago, we shared an update on the completion of a three-year notice period for the deprecation of the Azure AD Graph API service. This service is now in the retirement cycle and retirement (shut down) will occur in incremental stages. In the first stage of this retirement cycle, newly created applications will receive an error (HTTP 403) for any requests to Azure AD Graph APIs. We’re revising the date for this first stage from June 30 to August 31, and only applications created after August 31, 2024 will be impacted. After January 31, 2025, all applications – both new and existing – will receive an error when making requests to Azure AD Graph APIs, unless they’re configured to allow extended Azure AD Graph access.  

 

We understand that some apps may not have fully completed migration to Microsoft Graph. We’re providing an optional configuration through the authenticationBehaviors property, which will allow an application to use Azure AD Graph APIs through June 30, 2025. Azure AD Graph will be fully retired after June 30, 2025, and no API requests will function at this point, regardless of the application’s configuration. 

 

If you develop or distribute software that still uses Azure AD Graph APIs, you must act now to avoid interruption. You’ll either need to migrate your applications to Microsoft Graph (highly recommended) or configure the application for an extension, as described below, and ensure that your customers are prepared for the change. If you’re using applications supplied by a vendor that use Azure AD Graph APIs, work with the software vendor to update to a version that has migrated to Microsoft Graph APIs.  

 

How do I find Applications in my tenant using Azure AD Graph APIs? 

 

The Microsoft Entra recommendations feature provides recommendations to ensure your tenant is in a secure and healthy state, while also helping you maximize the value of the features available in Entra ID.  

 

We’ve provided two Entra recommendations that show information about applications and service principals that are actively using Azure AD Graph APIs in your tenant. These new recommendations can support your efforts to identify and migrate the impacted applications and service principals to Microsoft Graph.

 

Figure 1: Microsoft Entra Recommendations for Azure AD Graph migrationFigure 1: Microsoft Entra Recommendations for Azure AD Graph migration

 

For more information, reference Recommendation to migrate to Microsoft Graph API

 

Configuring an application for an extension of Azure AD Graph access

 

To allow an application created to have an extension for access to Azure AD Graph APIs through June 30, 2025, you must make a configuration change on the application after it’s created. This configuration change is done through the AuthenticationBehaviors interface. By setting the blockAzureADGraphAccess flag to false, the newly created application will be able to continue to use Azure AD Graph APIs until further in the retirement cycle.

 

Note: In this first stage, only Applications created after August 31, 2024 will be impacted. Existing applications will be able to continue to use Azure AD Graph APIs even if the authenticationBehaviors property is not configured. Once this change is rolled out, you may also choose to set blockAzureADGraphAccess to true for testing or to prevent an existing application from using Azure AD Graph APIs. 

 

Microsoft Graph REST API examples

 

Read the authenticationBehaviors property for a single application:

GET https://graph.microsoft.com/beta/applications/afe88638-df6f-4d2a-905e-40f2a2d451bf/authenticationBehaviors 

 

Set the authenticationBehaviors property to allow extended Azure AD Graph access for a new Application:

PATCH https://graph.microsoft.com/beta/applications/afe88638-df6f-4d2a-905e-40f2a2d451bf/authenticationBehaviors 

Content-Type: application/json

{

    "blockAzureADGraphAccess": false

}

 

Microsoft Graph PowerShell examples

 

Read the authenticationBehaviors property for a single application:

Import-Module Microsoft.Graph.Beta.Applications

Connect-MgGraph -Scopes "Application.Read.All"

 

Get-MgBetaApplication -ApplicationId afe88638-df6f-4d2a-905e-40f2a2d451bf -Property "id,displayName,appId,authenticationBehaviors"

 

Set the authenticationBehaviors property to allow extended Azure AD Graph access for a new Application:

Import-Module Microsoft.Graph.Beta.Applications 
Connect-MgGraph -Scopes "Application.ReadWrite.All" 

$params = @{ 

authenticationBehaviors = @{ 

blockAzureADGraphAccess = $false 

Update-MgBetaApplication -ApplicationId $applicationId -BodyParameter $params 

 

What happens to applications using Azure AD Graph after August 31, 2024? 

 

  • Any existing applications that use Azure AD Graph APIs and were created before this date will not be impacted at this stage of the retirement cycle.
  • Any applications created after August 31, 2024 will encounter errors when making requests to Azure AD Graph APIs, unless the blockAzureADGraphAccess attribute has been set to false in the authenticationBehaviors configuration for the application. 

 

What happens to applications using Azure AD Graph after January 31, 2025? 

 

  • After January 31, 2025, all applications – new and existing - will encounter errors when making requests to Azure AD Graph APIs, unless the blockAzureADGraphAccess attribute has been set to false in the authenticationBehaviors property for the application.

 

What happens to applications using Azure AD Graph after June 30, 2025? 

 

  • Azure AD Graph APIs will no longer be available to any applications after this point, and any requests to Azure AD Graph APIs will receive an error, regardless of the authenticationBehaviors configuration for the application. 

 

Current support for Azure AD Graph

 

Azure AD Graph APIs are in the retirement cycle and have no SLA or maintenance commitment beyond security-related fixes.

 

About Microsoft Graph

 

Microsoft Graph represents our best-in-breed API surface. It offers a single unified endpoint to access Entra and Microsoft 365 services such as Microsoft Teams and Microsoft Intune. All new functionalities will only be available through Microsoft Graph. Microsoft Graph is also more secure and resilient than Azure AD Graph.

 

Microsoft Graph has all the capabilities that have been available in Azure AD Graph and new APIs like identity protection and authentication methods. Its client libraries offer built-in support for features like retry handling, secure redirects, transparent authentication, and payload compression.

 

What about Azure AD and Microsoft Online PowerShell modules?

 

As of March 30, 2024, AzureAD, AzureAD-Preview, and Microsoft Online (MSOL) PowerShell modules are deprecated and will only be supported for security fixes. These modules will be retired and stop working after March 30, 2025. You should migrate these to Microsoft Graph PowerShell. Please reference this update for more information. 

 

Available tools

 

 

Kristopher Bash 

Product Manager, Microsoft Graph 

LinkedIn 

 

 

Learn more about Microsoft Entra 

Prevent identity attacks, ensure least privilege access, unify access controls, and improve the experience for users with comprehensive identity and network access solutions across on-premises and clouds.

Leave a Reply

Your email address will not be published. Required fields are marked *

*

This site uses Akismet to reduce spam. Learn how your comment data is processed.