Microsoft Entra ID Graph API retirement
The Microsoft Entra ID (formerly Azure Active Directory or Azure AD) Graph API service is being retired. This retirement is part of a broader effort to streamline the Microsoft Entra ID platform and improve the Microsoft Entra ID developer experience.
Mitigation steps
The Graph API retirement affects all Azure Stack Hub customers, and requires you to run the script included in this article for all impacted applications. If you have applications that need continued access to the Graph APIs, the script sets a flag that configures these applications for an extension that allows these specific applications to continue calling the legacy Graph API until June 2025.
The PowerShell script provided in this article sets a flag for each application to configure the Graph API extension for each Entra ID identity provider of Azure Stack Hub.
To ensure that your Azure Stack Hub environments that use Entra ID as an identity provider continue functioning, you should run this script by the end of February 2025.
Note
If you delay adding this flag beyond February 2025, authentication will fail. You can then run this script to ensure your Azure Stack Hub functions as needed.
Run the script
Run the following PowerShell script in your Entra ID environment that is used by Azure Stack Hub as the "home directory" (the main identity provider of your Azure Stack Hub). The script interacts with Azure, so you don't need to run it on a specific machine. However, you need at least "application administrator" privileges in the respective Entra ID tenant to run the script.
Make sure to run the following script with administrator privileges on the local machine:
# Install the graph modules if necessary
#Install-Module Microsoft.Graph.Authentication
#Install-Module Microsoft.Graph.Applications
$ErrorActionPreference='Stop'
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Applications
# Repeat this flow for each of your target directory tenants
$tenantId = 'MyTenantId'
# Sign-in with admin permissions to read and write all application objects
Connect-MgGraph -TenantId $tenantId -Scopes Application.ReadWrite.All
# Retrieve all applications in the current directory
Write-Host "Looking-up all applications in directory '$tenantId'..."
$applications = Get-MgApplication -All -Property id, displayName, appId, identifierUris, requiredResourceAccess, authenticationBehaviors
Write-Host "Found '$($applications.Count)' total applications in directory '$tenantId'"
# Find all the unique deployment guids, each one representing an Azure Stack deployment in the current directory
$deploymentGuids = $applications.IdentifierUris |
Where-Object { $_ -like 'https://management.*' -or $_ -like 'https://adminmanagement.*' } |
ForEach-Object { "$_".Split('/')[3] } |
Select-Object -Unique
Write-Host "Found '$($deploymentGuids.Count)' total Azure Stack deployments in directory '$tenantId'"
# Find all the Azure Stack application objects for each deployment
$azureStackApplications = @()
foreach ($application in $applications)
{
foreach ($deploymentGuid in $deploymentGuids)
{
if (($application.IdentifierUris -join '') -like "*$deploymentGuid*")
{
$azureStackApplications += $application
}
}
}
# Find which Azure Stack applications require access to Legacy Graph Service
$azureStackLegacyGraphApplications = $azureStackApplications |
Where-Object { $_.RequiredResourceAccess.ResourceAppId -contains '00000002-0000-0000-c000-000000000000' }
# Find which of those applications need to have their authentication behaviors patched to allow access to Legacy Graph
$azureStackLegacyGraphApplicationsToUpdate = $azureStackLegacyGraphApplications |
Where-Object { -not ($ab = $_.AdditionalProperties.authenticationBehaviors) -or -not $ab.ContainsKey(($key='blockAzureADGraphAccess')) -or $ab[$key] }
# Update the applications which require their authentication behaviors patched to allow access to Legacy Graph
Write-Host "Found '$($azureStackLegacyGraphApplicationsToUpdate.Count)' total Azure Stack applications which need permission to continue calling Legacy Microsoft Graph Service"
$count = 0
foreach ($application in $azureStackLegacyGraphApplicationsToUpdate)
{
$count++
Write-Host "$count/$($azureStackLegacyGraphApplicationsToUpdate.Count) - Updating application '$($application.DisplayName)' (appId=$($application.AppId)) (id=$($application.Id))"
Update-MgApplication -ApplicationId $application.Id -BodyParameter @{
authenticationBehaviors = @{ blockAzureADGraphAccess = $false }
}
}
The script displays the following sample output:
Looking-up all applications in directory '<ID>'...
Found '###' total applications in directory '<ID>'
Found '1' total Azure Stack deployments in directory '<app ID>'
Found '16' total Azure Stack applications which need permission to continue calling Legacy Microsoft Graph Service
1/16 - Updating application 'Azure Stack - AKS' (appId=<app ID>) (id=<ID>)
2/16 - Updating application 'Azure Stack - Hubs' (appId=<app ID>) (id=<ID>)
3/16 - Updating application 'Azure Stack - Portal Administration' (appId=<app ID>) (id=<app>)
4/16 - Updating application 'Azure Stack - RBAC Administration' (appId=<app ID>) (id=ID)
5/16 - Updating application 'Azure Stack - Container Registry' (appId=<app ID>) (id=ID)
6/16 - Updating application 'Azure Stack - RBAC' (appId=<app ID>) (id=ID)
7/16 - Updating application 'Azure Stack - Hubs Administration' (appId=<app ID>) (id=ID)
8/16 - Updating application 'Azure Stack - Deployment Provider' (appId=<app ID>) (id=ID)
9/16 - Updating application 'Azure Stack - Deployment' (appId=<app ID>) (id=ID)
10/16 - Updating application 'Azure Stack - KeyVault' (appId=<app ID>) (id=ID)
11/16 - Updating application 'Azure Stack' (appId=<app ID>) (id=ID)
12/16 - Updating application 'Azure Stack - Administration' (appId=<app ID>) (id=ID)
13/16 - Updating application 'Azure Stack - Policy Administration' (appId=<app ID>) (id=ID)
14/16 - Updating application 'Azure Stack - Policy' (appId=<app ID>) (id=ID)
15/16 - Updating application 'Azure Stack - Portal' (appId=<app ID>) (id=ID)
16/16 - Updating application 'Azure Stack - KeyVault Administration ' (appId=<app ID>) (id=ID)
Run the script a second time to verify that all applications were updated. The script should return the following output if all applications were successfully updated:
Looking-up all applications in directory '<ID>'...
Found '####' total applications in directory '<ID>>'
Found '1' total Azure Stack deployments in directory '<ID>>'
Found '0' total Azure Stack applications which need permission to continue calling Legacy Microsoft Graph Service