Loading...

June 2024 update on Azure AD Graph API retirement

June 2024 update on Azure AD Graph API retirement

One year ago, we shared an update on the completion of a three-year notice period for the deprecation of the Azure AD Graph API service. This service is now in the retirement cycle and retirement (shut down) will occur in incremental stages. In the first stage of this retirement cycle, newly created applications will receive an error (HTTP 403) for any requests to Azure AD Graph APIs. We’re revising the date for this first stage from June 30 to August 31, and only applications created after August 31, 2024 will be impacted. After January 31, 2025, all applications – both new and existing – will receive an error when making requests to Azure AD Graph APIs, unless they’re configured to allow extended Azure AD Graph access.  

 

We understand that some apps may not have fully completed migration to Microsoft Graph. We’re providing an optional configuration through the authenticationBehaviors property, which will allow an application to use Azure AD Graph APIs through June 30, 2025. Azure AD Graph will be fully retired after June 30, 2025, and no API requests will function at this point, regardless of the application’s configuration. 

 

If you develop or distribute software that still uses Azure AD Graph APIs, you must act now to avoid interruption. You’ll either need to migrate your applications to Microsoft Graph (highly recommended) or configure the application for an extension, as described below, and ensure that your customers are prepared for the change. If you’re using applications supplied by a vendor that use Azure AD Graph APIs, work with the software vendor to update to a version that has migrated to Microsoft Graph APIs.  

 

How do I find Applications in my tenant using Azure AD Graph APIs? 

 

The Microsoft Entra recommendations feature provides recommendations to ensure your tenant is in a secure and healthy state, while also helping you maximize the value of the features available in Entra ID.  

 

We’ve provided two Entra recommendations that show information about applications and service principals that are actively using Azure AD Graph APIs in your tenant. These new recommendations can support your efforts to identify and migrate the impacted applications and service principals to Microsoft Graph.

 

Figure 1: Microsoft Entra Recommendations for Azure AD Graph migrationFigure 1: Microsoft Entra Recommendations for Azure AD Graph migration

 

For more information, reference Recommendation to migrate to Microsoft Graph API

 

Configuring an application for an extension of Azure AD Graph access

 

To allow an application created to have an extension for access to Azure AD Graph APIs through June 30, 2025, you must make a configuration change on the application after it’s created. This configuration change is done through the AuthenticationBehaviors interface. By setting the blockAzureADGraphAccess flag to false, the newly created application will be able to continue to use Azure AD Graph APIs until further in the retirement cycle.

 

Note: In this first stage, only Applications created after August 31, 2024 will be impacted. Existing applications will be able to continue to use Azure AD Graph APIs even if the authenticationBehaviors property is not configured. Once this change is rolled out, you may also choose to set blockAzureADGraphAccess to true for testing or to prevent an existing application from using Azure AD Graph APIs. 

 

Microsoft Graph REST API examples

 

Read the authenticationBehaviors property for a single application:

GET https://graph.microsoft.com/beta/applications/afe88638-df6f-4d2a-905e-40f2a2d451bf/authenticationBehaviors 

 

Set the authenticationBehaviors property to allow extended Azure AD Graph access for a new Application:

PATCH https://graph.microsoft.com/beta/applications/afe88638-df6f-4d2a-905e-40f2a2d451bf/authenticationBehaviors 

Content-Type: application/json

{

    "blockAzureADGraphAccess": false

}

 

Microsoft Graph PowerShell examples

 

Read the authenticationBehaviors property for a single application:

Import-Module Microsoft.Graph.Beta.Applications

Connect-MgGraph -Scopes "Application.Read.All"

 

Get-MgBetaApplication -ApplicationId afe88638-df6f-4d2a-905e-40f2a2d451bf -Property "id,displayName,appId,authenticationBehaviors"

 

Set the authenticationBehaviors property to allow extended Azure AD Graph access for a new Application:

Import-Module Microsoft.Graph.Beta.Applications 
Connect-MgGraph -Scopes "Application.ReadWrite.All" 

$params = @{ 

authenticationBehaviors = @{ 

blockAzureADGraphAccess = $false 

Update-MgBetaApplication -ApplicationId $applicationId -BodyParameter $params 

 

What happens to applications using Azure AD Graph after August 31, 2024? 

 

  • Any existing applications that use Azure AD Graph APIs and were created before this date will not be impacted at this stage of the retirement cycle.
  • Any applications created after August 31, 2024 will encounter errors when making requests to Azure AD Graph APIs, unless the blockAzureADGraphAccess attribute has been set to false in the authenticationBehaviors configuration for the application. 

 

What happens to applications using Azure AD Graph after January 31, 2025? 

 

  • After January 31, 2025, all applications – new and existing - will encounter errors when making requests to Azure AD Graph APIs, unless the blockAzureADGraphAccess attribute has been set to false in the authenticationBehaviors property for the application.

 

What happens to applications using Azure AD Graph after June 30, 2025? 

 

  • Azure AD Graph APIs will no longer be available to any applications after this point, and any requests to Azure AD Graph APIs will receive an error, regardless of the authenticationBehaviors configuration for the application. 

 

Current support for Azure AD Graph

 

Azure AD Graph APIs are in the retirement cycle and have no SLA or maintenance commitment beyond security-related fixes.

 

About Microsoft Graph

 

Microsoft Graph represents our best-in-breed API surface. It offers a single unified endpoint to access Entra and Microsoft 365 services such as Microsoft Teams and Microsoft Intune. All new functionalities will only be available through Microsoft Graph. Microsoft Graph is also more secure and resilient than Azure AD Graph.

 

Microsoft Graph has all the capabilities that have been available in Azure AD Graph and new APIs like identity protection and authentication methods. Its client libraries offer built-in support for features like retry handling, secure redirects, transparent authentication, and payload compression.

 

What about Azure AD and Microsoft Online PowerShell modules?

 

As of March 30, 2024, AzureAD, AzureAD-Preview, and Microsoft Online (MSOL) PowerShell modules are deprecated and will only be supported for security fixes. These modules will be retired and stop working after March 30, 2025. You should migrate these to Microsoft Graph PowerShell. Please reference this update for more information. 

 

Available tools

 

 

Kristopher Bash 

Product Manager, Microsoft Graph 

LinkedIn 

 

 

Learn more about Microsoft Entra 

Prevent identity attacks, ensure least privilege access, unify access controls, and improve the experience for users with comprehensive identity and network access solutions across on-premises and clouds.

Published on:

Learn more
Azure Active Directory Identity Blog articles
Azure Active Directory Identity Blog articles

Azure Active Directory Identity Blog articles

Share post:

Related posts

Azure Database for PostgreSQL Flexible Server - Elastic Clusters, faster disks, and AI updates

Increase scalability, optimize performance, and integrate advanced AI features with Azure Database for PostgreSQL Flexible Server. Scale up wi...

2 days ago

Dynamics 365 Business Central: How to import/read files from OneDrive to Business Central via AL (Graph API)

Hi, Readers.We discussed Dynamics 365 Business Central: How to use OAuth 2.0 in AL with SecretText (Using codeunit 501 OAuth2) a few weeks ago...

2 days ago

Oversharing Control at Enterprise Scale | Updates for Microsoft 365 Copilot in Microsoft Purview

Minimize risks that come with oversharing and potential data loss. Use Microsoft Purview and its new Data Security Posture Management (DSPM) f...

3 days ago

Power Platform & M365 Dev Community Call – November 21st, 2024 – Screenshot Summary

Call Highlights   SharePoint Quicklinks: Primary PnP Website: https://aka.ms/m365pnp Documentation & Guidance SharePoint Dev Videos Issues...

3 days ago

Viva Engage: Community analytics update

Microsoft is set to roll out updates to its community analytics features for Viva Engage, allowing users to keep up with their community's act...

3 days ago

Microsoft Teams admin center: Manage external access policies for users in your organization

Microsoft Teams Admin Center is releasing a new feature that allows admins to manage external access policies for users in their organization ...

3 days ago

SharePoint: Enhanced functionalities to manage SharePoint Embedded Containers through SharePoint Admin Center

The most recent update to SharePoint, as described in this post by M365 Admin, enhances the functionality of SharePoint Embedded Containers fo...

3 days ago

Microsoft Fabric API for GraphQL – Everything you need to know!

Although API for GraphQL might not look like a groundbreaking feature at first glance and probably won’t be frequently used by data engineers ...

3 days ago
Stay up to date with latest Microsoft Dynamics 365 and Power Platform news!
* Yes, I agree to the privacy policy