Loading...

June 2024 update on Azure AD Graph API retirement

June 2024 update on Azure AD Graph API retirement

One year ago, we shared an update on the completion of a three-year notice period for the deprecation of the Azure AD Graph API service. This service is now in the retirement cycle and retirement (shut down) will occur in incremental stages. In the first stage of this retirement cycle, newly created applications will receive an error (HTTP 403) for any requests to Azure AD Graph APIs. We’re revising the date for this first stage from June 30 to August 31, and only applications created after August 31, 2024 will be impacted. After January 31, 2025, all applications – both new and existing – will receive an error when making requests to Azure AD Graph APIs, unless they’re configured to allow extended Azure AD Graph access.  

 

We understand that some apps may not have fully completed migration to Microsoft Graph. We’re providing an optional configuration through the authenticationBehaviors property, which will allow an application to use Azure AD Graph APIs through June 30, 2025. Azure AD Graph will be fully retired after June 30, 2025, and no API requests will function at this point, regardless of the application’s configuration. 

 

If you develop or distribute software that still uses Azure AD Graph APIs, you must act now to avoid interruption. You’ll either need to migrate your applications to Microsoft Graph (highly recommended) or configure the application for an extension, as described below, and ensure that your customers are prepared for the change. If you’re using applications supplied by a vendor that use Azure AD Graph APIs, work with the software vendor to update to a version that has migrated to Microsoft Graph APIs.  

 

How do I find Applications in my tenant using Azure AD Graph APIs? 

 

The Microsoft Entra recommendations feature provides recommendations to ensure your tenant is in a secure and healthy state, while also helping you maximize the value of the features available in Entra ID.  

 

We’ve provided two Entra recommendations that show information about applications and service principals that are actively using Azure AD Graph APIs in your tenant. These new recommendations can support your efforts to identify and migrate the impacted applications and service principals to Microsoft Graph.

 

Figure 1: Microsoft Entra Recommendations for Azure AD Graph migrationFigure 1: Microsoft Entra Recommendations for Azure AD Graph migration

 

For more information, reference Recommendation to migrate to Microsoft Graph API

 

Configuring an application for an extension of Azure AD Graph access

 

To allow an application created to have an extension for access to Azure AD Graph APIs through June 30, 2025, you must make a configuration change on the application after it’s created. This configuration change is done through the AuthenticationBehaviors interface. By setting the blockAzureADGraphAccess flag to false, the newly created application will be able to continue to use Azure AD Graph APIs until further in the retirement cycle.

 

Note: In this first stage, only Applications created after August 31, 2024 will be impacted. Existing applications will be able to continue to use Azure AD Graph APIs even if the authenticationBehaviors property is not configured. Once this change is rolled out, you may also choose to set blockAzureADGraphAccess to true for testing or to prevent an existing application from using Azure AD Graph APIs. 

 

Microsoft Graph REST API examples

 

Read the authenticationBehaviors property for a single application:

GET https://graph.microsoft.com/beta/applications/afe88638-df6f-4d2a-905e-40f2a2d451bf/authenticationBehaviors 

 

Set the authenticationBehaviors property to allow extended Azure AD Graph access for a new Application:

PATCH https://graph.microsoft.com/beta/applications/afe88638-df6f-4d2a-905e-40f2a2d451bf/authenticationBehaviors 

Content-Type: application/json

{

    "blockAzureADGraphAccess": false

}

 

Microsoft Graph PowerShell examples

 

Read the authenticationBehaviors property for a single application:

Import-Module Microsoft.Graph.Beta.Applications

Connect-MgGraph -Scopes "Application.Read.All"

 

Get-MgBetaApplication -ApplicationId afe88638-df6f-4d2a-905e-40f2a2d451bf -Property "id,displayName,appId,authenticationBehaviors"

 

Set the authenticationBehaviors property to allow extended Azure AD Graph access for a new Application:

Import-Module Microsoft.Graph.Beta.Applications 
Connect-MgGraph -Scopes "Application.ReadWrite.All" 

$params = @{ 

authenticationBehaviors = @{ 

blockAzureADGraphAccess = $false 

Update-MgBetaApplication -ApplicationId $applicationId -BodyParameter $params 

 

What happens to applications using Azure AD Graph after August 31, 2024? 

 

  • Any existing applications that use Azure AD Graph APIs and were created before this date will not be impacted at this stage of the retirement cycle.
  • Any applications created after August 31, 2024 will encounter errors when making requests to Azure AD Graph APIs, unless the blockAzureADGraphAccess attribute has been set to false in the authenticationBehaviors configuration for the application. 

 

What happens to applications using Azure AD Graph after January 31, 2025? 

 

  • After January 31, 2025, all applications – new and existing - will encounter errors when making requests to Azure AD Graph APIs, unless the blockAzureADGraphAccess attribute has been set to false in the authenticationBehaviors property for the application.

 

What happens to applications using Azure AD Graph after June 30, 2025? 

 

  • Azure AD Graph APIs will no longer be available to any applications after this point, and any requests to Azure AD Graph APIs will receive an error, regardless of the authenticationBehaviors configuration for the application. 

 

Current support for Azure AD Graph

 

Azure AD Graph APIs are in the retirement cycle and have no SLA or maintenance commitment beyond security-related fixes.

 

About Microsoft Graph

 

Microsoft Graph represents our best-in-breed API surface. It offers a single unified endpoint to access Entra and Microsoft 365 services such as Microsoft Teams and Microsoft Intune. All new functionalities will only be available through Microsoft Graph. Microsoft Graph is also more secure and resilient than Azure AD Graph.

 

Microsoft Graph has all the capabilities that have been available in Azure AD Graph and new APIs like identity protection and authentication methods. Its client libraries offer built-in support for features like retry handling, secure redirects, transparent authentication, and payload compression.

 

What about Azure AD and Microsoft Online PowerShell modules?

 

As of March 30, 2024, AzureAD, AzureAD-Preview, and Microsoft Online (MSOL) PowerShell modules are deprecated and will only be supported for security fixes. These modules will be retired and stop working after March 30, 2025. You should migrate these to Microsoft Graph PowerShell. Please reference this update for more information. 

 

Available tools

 

 

Kristopher Bash 

Product Manager, Microsoft Graph 

LinkedIn 

 

 

Learn more about Microsoft Entra 

Prevent identity attacks, ensure least privilege access, unify access controls, and improve the experience for users with comprehensive identity and network access solutions across on-premises and clouds.

Published on:

Learn more
Azure Active Directory Identity Blog articles
Azure Active Directory Identity Blog articles

Azure Active Directory Identity Blog articles

Share post:

Related posts

Dynamics 365 Sales – Teams owned opportunities to be researched by Sales Opportunity Agent

We are announcing the ability to utilize the Sales Opportunity Agent to research opportunities owned by specific Owner teams in Dynamics 365 S...

9 hours ago

Teams frontline mobile onboarding guide retirement

Microsoft is retiring the Frontline Teams Personal Device Onboarding Wizard by late August 2026. Frontline workers will use existing Microsoft...

9 hours ago

Microsoft Teams: Enhanced file filtering in channel Shared tabs

Microsoft Teams now offers enhanced file filtering in the channel Shared tab, allowing users to filter files by type and media content in both...

9 hours ago

How to Integrate ChatGPT with Dynamics 365 Using Azure Functions (Complete 2026 Guide)

Introduction Artificial Intelligence is transforming enterprise applications, and Microsoft Dynamics 365 is no exception. Businesses are incre...

16 hours ago

Microsoft Teams: Explicit recording consent for PSTN participants now available in GCC High and DoD

We are introducing explicit recording consent support for PSTN participants joining Microsoft Teams meetings in GCC High and DoD environments....

20 hours ago

Microsoft Copilot (Microsoft 365): Session and Response Sharing in M365 Copilot

Session and Response Sharing let Microsoft 365 Copilot users share Copilot chat content through a link. Session Sharing shares a full chat ses...

20 hours ago

Microsoft 365 & Power Platform Community Call – July 16th, 2026 – Screenshot Summary

Call Highlights   SharePoint Quicklinks: Primary PnP Website: https://aka.ms/m365pnp Documentation & Guidance SharePoint Dev Videos Issues...

1 day ago

How to build long-running MCP tools on Azure Functions

Learn how to build long-running MCP tools on Azure Functions using Durable Functions. This post explains why synchronous tool calls break down...

1 day ago

Microsoft SharePoint Online: Restricted access control for sites enforced across Microsoft 365 search

Restricted Access Control (RAC) for SharePoint and OneDrive sites will be enforced across Microsoft 365 search, limiting search results to con...

1 day ago

Microsoft Teams: AI meeting archive file generation

Microsoft Teams will generate AI meeting archive files capturing key insights to enhance Microsoft 365 Copilot and Facilitator responses while...

1 day ago
Stay up to date with latest Microsoft Dynamics 365 and Power Platform news!
* Yes, I agree to the privacy policy