Azure AD Graph retirement

Mikolaj Fechner 0

According to MS documentation all new applications should not be able to use AD Graph anymore but I've tested it and created new app registry for our application and it was still able to use AD Graph calls. Can anyone tell me how is that possible?

Akhilesh Vallamkonda 10,955 Reputation points Microsoft Vendor

2025-01-09T18:03:51.2133333+00:00

Hi @Mikolaj Fechner
May I know where you noticed that it is using Azure AD graph? what cmd you have used to create a new app registry? can you please share the fiddler or HAR trace by send us an email on azcommunity [at] microsoft [dot] com referencing this issue with a subject line "ATTN:akhilesh
please read How to collect a network trace
Raja Pothuraju 10,760 Reputation points Microsoft Vendor

2025-01-10T03:21:05.49+00:00

Hello @Mikolaj Fechner,

Thank you for posting your query on Microsoft Q&A.

Based on your description, I created an application in my tenant and attempted to add Azure Active Directory Graph API permissions. However, the option to add the permission was greyed out. Please refer to the screenshot below for reference.

Could you also attach a screenshot of the issue from your tenant? This will help me better understand the scenario and allow me to coordinate with my team to provide you with the best possible solution.

Thanks,
Raja Pothuraju.
Mikolaj Fechner 0 Reputation points

2025-01-10T08:27:01.7133333+00:00

Hi @Raja Pothuraju

Option to add AD Graph permission is grayed out but you can add them by editing manifest of application registry (copy from another application for example).

As you can see on screenshots below my application was created on December 2024 and it is still able to use AD Graph calls (it can be checked in recommendations tab for tenant).
Mikolaj Fechner 0 Reputation points

2025-01-10T08:32:12.8866667+00:00

Hi @Akhilesh Vallamkonda

Application was created manually on azure portal. Permissions to AD Graph were added by editing manifest - it was copied from other old application. And you can check that AD Graph calls are being made in tenant recommendation tab

3 answers

Deepanshu katara 12,875 Reputation points

2025-01-09T15:02:42.1733333+00:00
Hello , Welcome to MS Q&A

The documentation states that Azure AD Graph is deprecated, and while existing applications that use Azure AD Graph continue to work as Azure AD Graph can still be used, but it is deprecated, meaning it no longer receives security fixes or support from Microsoft. So, new or existing applications should ideally migrate to Microsoft Graph to ensure they are secure and supported. However, if new applications are still using Azure AD Graph, it may be due to a lack of awareness about the deprecation, or the developers may not have yet transitioned to the new Microsoft Graph APIs and lastly if you still i

References:

Overview of identity providers for Azure Stack Hub

Microsoft Entra recommendation: Migrate from Azure AD Graph APIs to Microsoft Graph

New name for Azure Active Directory

Please let us know if any questions

Thanks
Deepanshu
Please sign in to rate this answer.
Mikolaj Fechner 0 Reputation points

2025-01-09T15:19:08.3+00:00

But regarding to MS documentation new apps should not be able to use AD Graph when I tested it and AD Graph calls are still working for new application that I've created. By application I mean app registry in MS Entra
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Andy David - MVP 151.1K Reputation points MVP

2025-01-09T15:07:56.27+00:00

Here is the timeline:

https://learn.microsoft.com/en-us/graph/migrate-azure-ad-graph-overview
Please sign in to rate this answer.
Mikolaj Fechner 0 Reputation points

2025-01-09T15:17:35.8733333+00:00

I know but this timeline is no valid. As I mentioned I've created new application and it is still able to use AD Graph and I didn't opt in for extended access for this new app.

Andy David - MVP 151.1K Reputation points MVP

2025-01-10T13:20:09.2566667+00:00

Yea, keep in mind that Microsoft is famous for deadlines and then when they pass, they dont enforce that deadline until much later. Often its just to let people know that once the deadline passes, dont expect anything to work and if it does , then dont expect support. At some point, Im sure they will enforce this across the board for all tenants.

Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Raja Pothuraju 10,760 Reputation points Microsoft Vendor

2025-01-10T13:01:33.73+00:00

Hello @Mikolaj Fechner,

Thank you for your response.

Yes, it is currently possible to add Azure AD Graph API permissions via the App Manifest blade, but not through the API Permissions blade in the UI.

For reference, you can follow the guidance in this documentation: Update the application manifest in the Microsoft Entra admin center

As you mentioned, I understand that you were able to successfully make calls to the Azure AD Graph API endpoint (https://graph.windows.net). According to the blog post linked below, applications can make calls to Azure AD Graph API until January 31, 2025. After that date, all applications—both new and existing—will encounter errors when making requests to Azure AD Graph APIs unless they are explicitly configured to allow extended Azure AD Graph access.

Azure AD Graph API Retirement - June 2024 Update

This explains why you are still able to make calls to Azure AD Graph API, even for applications created after August 31, 2024.

I hope this information is helpful. Please feel free to reach out if you have any further questions.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Thanks,
Raja Pothuraju.
Please sign in to rate this answer.
Mikolaj Fechner 0 Reputation points

2025-01-10T13:16:55.8433333+00:00

According to this blog you posted: my new application should not be able to work because I didn't set blockAzureADGraphAccess attribute to false. (Application created on December 24')

Mikolaj Fechner 0 Reputation points

2025-01-10T13:21:40.8733333+00:00

I didn't do this

So if I understand correctly my new application should not work with AD Graph even if I set permissions to it.

Raja Pothuraju 10,760 Reputation points Microsoft Vendor

2025-01-11T18:01:52.15+00:00

Hello @Mikolaj Fechner,

Thank you for your response.

As per the statement, it indicates that while it technically shouldn't work, there is still a temporary allowance for adding the API through the Manifest for those who are currently testing it and allowing it to make calls. However, adding the API via the API permissions blade is no longer possible.

The actual retirement of Azure AD Graph API will begin on February 1, 2025, affecting both new and existing apps. "New apps" refers to those created after August 31, 2024.

If you have not set blockAzureADGraphAccess to false, starting February 1, 2025, applications will no longer be able to make calls to the Azure AD Graph API.

I hope this information is helpful. Please feel free to reach out if you have any further questions.

Thanks,
Raja Pothuraju.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Azure AD Graph retirement

3 answers

Your answer