June 2024 update on Azure AD Graph API retirement
One year ago, we shared an update on the completion of a three-year notice period for the deprecation of the Azure AD Graph API service. This service is now in the retirement cycle and retirement (shut down) will occur in incremental stages. In the first stage of this retirement cycle, newly created applications will receive an error (HTTP 403) for any requests to Azure AD Graph APIs. We’re revising the date for this first stage from June 30 to August 31, and only applications created after August 31, 2024 will be impacted. After January 31, 2025, all applications – both new and existing – will receive an error when making requests to Azure AD Graph APIs, unless they’re configured to allow extended Azure AD Graph access.
We understand that some apps may not have fully completed migration to Microsoft Graph. We’re providing an optional configuration through the authenticationBehaviors property, which will allow an application to use Azure AD Graph APIs through June 30, 2025. Azure AD Graph will be fully retired after June 30, 2025, and no API requests will function at this point, regardless of the application’s configuration.
If you develop or distribute software that still uses Azure AD Graph APIs, you must act now to avoid interruption. You’ll either need to migrate your applications to Microsoft Graph (highly recommended) or configure the application for an extension, as described below, and ensure that your customers are prepared for the change. If you’re using applications supplied by a vendor that use Azure AD Graph APIs, work with the software vendor to update to a version that has migrated to Microsoft Graph APIs.
How do I find Applications in my tenant using Azure AD Graph APIs?
The Microsoft Entra recommendations feature provides recommendations to ensure your tenant is in a secure and healthy state, while also helping you maximize the value of the features available in Entra ID.
We’ve provided two Entra recommendations that show information about applications and service principals that are actively using Azure AD Graph APIs in your tenant. These new recommendations can support your efforts to identify and migrate the impacted applications and service principals to Microsoft Graph.
For more information, reference Recommendation to migrate to Microsoft Graph API.
Configuring an application for an extension of Azure AD Graph access
To allow an application created to have an extension for access to Azure AD Graph APIs through June 30, 2025, you must make a configuration change on the application after it’s created. This configuration change is done through the AuthenticationBehaviors interface. By setting the blockAzureADGraphAccess flag to false, the newly created application will be able to continue to use Azure AD Graph APIs until further in the retirement cycle.
Note: In this first stage, only Applications created after August 31, 2024 will be impacted. Existing applications will be able to continue to use Azure AD Graph APIs even if the authenticationBehaviors property is not configured. Once this change is rolled out, you may also choose to set blockAzureADGraphAccess to true for testing or to prevent an existing application from using Azure AD Graph APIs.
Microsoft Graph REST API examples
Read the authenticationBehaviors property for a single application:
GET https://graph.microsoft.com/beta/applications/afe88638-df6f-4d2a-905e-40f2a2d451bf/authenticationBehaviors |
Set the authenticationBehaviors property to allow extended Azure AD Graph access for a new Application:
PATCH https://graph.microsoft.com/beta/applications/afe88638-df6f-4d2a-905e-40f2a2d451bf/authenticationBehaviors Content-Type: application/json { "blockAzureADGraphAccess": false } |
Microsoft Graph PowerShell examples
Read the authenticationBehaviors property for a single application:
Import-Module Microsoft.Graph.Beta.Applications Connect-MgGraph -Scopes "Application.Read.All"
Get-MgBetaApplication -ApplicationId afe88638-df6f-4d2a-905e-40f2a2d451bf -Property "id,displayName,appId,authenticationBehaviors" |
Set the authenticationBehaviors property to allow extended Azure AD Graph access for a new Application:
Import-Module Microsoft.Graph.Beta.Applications $params = @{ authenticationBehaviors = @{ blockAzureADGraphAccess = $false } } Update-MgBetaApplication -ApplicationId $applicationId -BodyParameter $params |
What happens to applications using Azure AD Graph after August 31, 2024?
- Any existing applications that use Azure AD Graph APIs and were created before this date will not be impacted at this stage of the retirement cycle.
- Any applications created after August 31, 2024 will encounter errors when making requests to Azure AD Graph APIs, unless the blockAzureADGraphAccess attribute has been set to false in the authenticationBehaviors configuration for the application.
What happens to applications using Azure AD Graph after January 31, 2025?
- After January 31, 2025, all applications – new and existing - will encounter errors when making requests to Azure AD Graph APIs, unless the blockAzureADGraphAccess attribute has been set to false in the authenticationBehaviors property for the application.
What happens to applications using Azure AD Graph after June 30, 2025?
- Azure AD Graph APIs will no longer be available to any applications after this point, and any requests to Azure AD Graph APIs will receive an error, regardless of the authenticationBehaviors configuration for the application.
Current support for Azure AD Graph
Azure AD Graph APIs are in the retirement cycle and have no SLA or maintenance commitment beyond security-related fixes.
About Microsoft Graph
Microsoft Graph represents our best-in-breed API surface. It offers a single unified endpoint to access Entra and Microsoft 365 services such as Microsoft Teams and Microsoft Intune. All new functionalities will only be available through Microsoft Graph. Microsoft Graph is also more secure and resilient than Azure AD Graph.
Microsoft Graph has all the capabilities that have been available in Azure AD Graph and new APIs like identity protection and authentication methods. Its client libraries offer built-in support for features like retry handling, secure redirects, transparent authentication, and payload compression.
What about Azure AD and Microsoft Online PowerShell modules?
As of March 30, 2024, AzureAD, AzureAD-Preview, and Microsoft Online (MSOL) PowerShell modules are deprecated and will only be supported for security fixes. These modules will be retired and stop working after March 30, 2025. You should migrate these to Microsoft Graph PowerShell. Please reference this update for more information.
Available tools
- Migrate from Azure Active Directory (Azure AD) Graph to Microsoft Graph
- Azure AD Graph app migration planning checklist
- Azure AD Graph to Microsoft Graph migration FAQ
Kristopher Bash
Product Manager, Microsoft Graph
Learn more about Microsoft Entra
Prevent identity attacks, ensure least privilege access, unify access controls, and improve the experience for users with comprehensive identity and network access solutions across on-premises and clouds.
Published on:
Learn moreRelated posts
SharePoint Look Book: Human Resources
As part of my “SharePoint Look Book” series, I’m unpacking each of the templates in a video and will also supply the resourc...
Episode 118 – Latest announcements about Copilot for M365
https://www.youtube.com/embed/0grBPQ1Rvu4
Azure Virtual Network Manager mesh and direct connectivity are generally available
Azure Virtual Network Manager's mesh connectivity configuration and direct connectivity option in the hub and spoke connectivity configuration...
Announcing Instant GraphQL APIs with Hasura Data Connector for Azure Cosmos DB for NoSQL
We’re excited to partner with Hasura to launch a new Hasura native data connector that generates instant GraphQL APIs on Azure Cosmos DB for N...
Retirement of Office 365 connectors within Microsoft Teams
Starting August 15, 2024 we will be retiring the Office 365 connectors feature from Microsoft Teams and recommend Power Automate workflows as ...
Retirement of Office 365 connectors within Microsoft Teams
Starting August 15, 2024 we will be retiring the Office 365 connectors feature from Microsoft Teams and recommend Power Automate workflows as ...
Introducing Online Migration Capability for vCore-based Azure Cosmos DB for MongoDB in Azure Data Studio
We’re thrilled to announce a significant enhancement to the Azure Cosmos DB Migration for MongoDB extension! Now, you can seamlessly migrate y...
SharePoint Look Book: Crisis Management
As part of my “SharePoint Look Book” series, I’m unpacking each of the templates in a video and will also supply the resourc...
Teams to Begin Automatically Hiding Inactive Channels
From mid-July 2024, Teams will begin hiding inactive channels for users. The inactive channels can be unhidden, and users can opt out of the a...