Windows Server
Posted January 16

Hey Folks,

We wanted to get this news at the top of your inbox for 2025: Applications will be unable to make requests to Azure AD Graph APIs starting February 1, 2025.

We're proceeding with the Retirement of the Azure AD Graph API service, which began in September 2024. Our next big milestone starts February 1st, when existing applications will be prevented from calling Azure AD Graph APIs. You may not see impact right away, as we’re rolling out this change in stages across tenants. We anticipate full deployment of this change by the end of February.

Microsoft Graph is the replacement for Azure AD Graph APIs. We strongly recommend immediately migrating use of Azure AD Graph APIs to Microsoft Graph and ceasing any further use of Azure AD Graph APIs.

Phase start date / Impact to existing apps / Impact to new apps

September 1, 2024
  Impact to existing apps: None.
  Impact to new apps: All new apps must use Microsoft Graph. New apps are blocked from using Azure AD Graph APIs, unless the app is configured to allow extended Azure AD Graph access until June 30, 2025 by setting to false.

February 1, 2025
  Application is unable to make requests to Azure AD Graph APIs unless it is configured to allow extended Azure AD Graph access by setting blockAzureADGraphAccess to false.

July 1, 2025
  Azure AD Graph is fully retired. No Azure AD Graph API requests will function.

Urgent: Review the applications on your tenant

Please review our December 2024 post, Action required: Azure AD Graph API retirement | Microsoft Community Hub for more detailed guidance. If you have not already, it is now urgent to review the applications on your tenant to see which ones depend on Azure AD Graph API access and mitigate or migrate these before the February 1st cutoff date.

Review Recommendations in the Microsoft Entra admin center

As we discussed in our December post, Microsoft Entra Recommendations can help you identify applications in your tenant that will be impacted by the retirement of Azure AD Graph API access. You can find your tenant’s Recommendations in the Microsoft Entra admin center (Identity > Overview > Recommendations).

The two recommendations for Azure AD Graph retirement summarize usage of Azure AD Graph APIs by applications in your tenant over the last 30 days. The Recommendations also list which Azure AD Graph operations the application is using.

Recommendation 1: Migrate Applications from the Retiring Azure AD Graph APIs to Microsoft Graph

Impacted resources shown in this recommendation are applications that are created in your tenant. You must take action for any application listed in this recommendation before 1 February 2025.

If you’re using service principal login for applications like Microsoft Azure PowerShell or Microsoft Azure CLI, and the application is using Azure AD Graph APIs, it will show on the Migrate Applications recommendation. In this case, the application’s identity is registered in your tenant, and you must configure the app for extended access or update to a version of the software that no longer calls Azure AD Graph APIs.

For applications that are registered in your tenant, you can configure extended access for the application until June 30, 2025.

Recommendation 2: Migrate Service Principals from the retiring Azure AD Graph APIs to Microsoft Graph

Impacted resources shown with this recommendation are service principals—multi-tenant applications provided by a software vendor that are used in your tenant.

Applications provided by Microsoft

These applications are already extended until June. However, you will need to update these to a newer version by June 2025 to ensure continued operation.

Vendor-provided applications

All applications registered in your tenant, including those written by independent, external, and third-party software vendors, are subject to Azure AD Graph API retirement. If an application that you do not own shows up on your Recommendations, please contact the software vendor and ask them to update their application.

Note: Microsoft is working with vendors of popular apps to set access extensions to avoid disruptions. These applications will still appear in the “Migrate Service Principals…” Recommendation. Please work with your vendor for details.

How to extend Azure AD Graph access for an app

If you have an application that requires access to Azure AD Graph APIs after February, you must update that application’s configuration, setting the blockAzureADGraphAccess attribute to false in the app’s authenticationBehaviors configuration. After February, applications will receive a 403 error when attempting to access Azure AD Graph APIs unless this configuration setting is set to false. With this flag in place, the application will be able to use Azure AD Graph APIs through June 30, 2025. Further documentation can be found here.

Learn more: Allow extended Azure AD Graph access until June 30, 2025 - Microsoft Graph | Microsoft Learn

Benefits of migrating to Microsoft Graph

Microsoft Graph represents our best-in-breed API surface. It offers a single unified endpoint to access Microsoft Entra services and Microsoft 365 services such as Microsoft Teams and Microsoft Intune. All new functionalities will only be available through Microsoft Graph. Microsoft Graph is also more secure and resilient than Azure AD Graph.

Microsoft Graph has all the capabilities that have been available in Azure AD Graph and new APIs like identity protection and authentication methods. Its client libraries offer built-in support for features like retry handling, secure redirects, transparent authentication, and payload compression.

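The retirement phases and the blockAzureADGraphAccess setting described above can be turned into a check over an export of your tenant's application objects. This is an added example, not Microsoft's code: it assumes each object carries the Microsoft Graph application properties displayName, createdDateTime and authenticationBehaviors, and the sample apps are constructed. Because the change rolls out in stages, the dates are the earliest point at which a block can apply.

```python
from datetime import date

# Phase dates taken from the retirement timeline in this post.
NEW_APP_CUTOFF = date(2024, 9, 1)    # apps created from this date count as "new"
EXISTING_BLOCK = date(2025, 2, 1)    # existing apps start being blocked
FULL_RETIREMENT = date(2025, 7, 1)   # no Azure AD Graph request functions

# Value to set in the app's authenticationBehaviors to get extended access.
EXTENSION_SETTING = {"blockAzureADGraphAccess": False}

def extension_set(app):
    """True only when blockAzureADGraphAccess is explicitly false.
    A missing or null value is treated as 'no extension' (assumption)."""
    behaviors = app.get("authenticationBehaviors") or {}
    return behaviors.get("blockAzureADGraphAccess") is False

def aad_graph_status(app, on):
    """Return 'retired', 'allowed', 'extended' or 'blocked' for one app on a date."""
    if on >= FULL_RETIREMENT:
        return "retired"          # the extension no longer helps
    created = date.fromisoformat(app["createdDateTime"][:10])
    block_from = NEW_APP_CUTOFF if created >= NEW_APP_CUTOFF else EXISTING_BLOCK
    if on < block_from:
        return "allowed"
    return "extended" if extension_set(app) else "blocked"

def review(apps, on):
    """Map displayName -> status. 'extended' entries are temporary exceptions
    to track and clear once the app has moved to Microsoft Graph."""
    return {a["displayName"]: aad_graph_status(a, on) for a in apps}

# Constructed sample objects (not real tenant data).
SAMPLE_APPS = [
    {"displayName": "legacy-sync", "createdDateTime": "2019-03-04T08:00:00Z"},
    {"displayName": "hr-export", "createdDateTime": "2021-06-10T08:00:00Z",
     "authenticationBehaviors": {"blockAzureADGraphAccess": False}},
    {"displayName": "new-tool", "createdDateTime": "2024-10-02T08:00:00Z",
     "authenticationBehaviors": None},
    {"displayName": "flag-true", "createdDateTime": "2020-01-20T08:00:00Z",
     "authenticationBehaviors": {"blockAzureADGraphAccess": True}},
]

if __name__ == "__main__":
    for day in (date(2025, 1, 15), date(2025, 2, 15), date(2025, 7, 1)):
        print(day, review(SAMPLE_APPS, day))
```

Only apps that actually call Azure AD Graph matter here; the Entra Recommendations described earlier are the source for that list.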
Resources:

Migrating to Microsoft Graph from Azure AD Graph is made easier with the following tools and documentation:

Migrate from Azure Active Directory (Azure AD) Graph to Microsoft Graph
Azure AD Graph app migration planning checklist
Azure AD Graph to Microsoft Graph migration FAQ
Allow extended Azure AD Graph access until June 30, 2025 - Microsoft Graph | Microsoft Learn

Ric Lewis
Product Manager, Microsoft Graph

Learn more about Microsoft Entra

Prevent identity attacks, ensure least privilege access, unify access controls, and improve the experience for users with comprehensive identity and network access solutions across on-premises and clouds.

Microsoft Entra News and Insights | Microsoft Security Blog
Microsoft Entra blog | Tech Community
Microsoft Entra documentation | Microsoft Learn
Microsoft Entra discussions | Microsoft Community