Microsoft Entra ID Graph API retirement
The Microsoft Entra ID (formerly Azure Active Directory or Azure AD) Graph API service is being retired. The retirement is part of a broader effort to simplify the Microsoft Entra ID platform and improve the Microsoft Entra ID developer experience.
Mitigation steps
The Graph API retirement affects every Azure Stack Hub customer that uses Entra ID as the identity provider and requires running the script in this article against all affected applications. For applications that need to keep accessing the Graph API, the script sets a flag that enrolls them in an extension, which allows those specific applications to keep calling the legacy Graph API until June 2025.
The PowerShell script in this article sets that flag on each application, configuring the Graph API extension for the Entra ID identity provider of every Azure Stack Hub deployment found in the directory.
To ensure that Azure Stack Hub environments that use Entra ID as the identity provider keep working, run the script before the end of February 2025.
Note
If the flag has not been added by the end of February 2025, authentication fails. Running the script at that point restores Azure Stack Hub to working order.
Run the script
Run the following PowerShell script against the Entra ID directory that Azure Stack Hub uses as its "home directory" (the primary identity provider for Azure Stack Hub). The script talks to Azure over Microsoft Graph, so it does not need to run on any particular machine. You do, however, need at least the Application Administrator role in that Entra ID tenant to run it.
Make sure you run the following script with administrator rights on the local machine (local administrator rights are only what Install-Module needs to install the modules for all users; the Graph calls themselves are governed by your tenant role):
# Install the Graph modules if necessary (add -Scope CurrentUser to avoid needing local admin rights)
#Install-Module Microsoft.Graph.Authentication
#Install-Module Microsoft.Graph.Applications
$ErrorActionPreference = 'Stop'
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Applications

# Repeat this flow for each of your target directory tenants
$tenantId = 'MyTenantId'

# Sign in with admin permissions to read and write all application objects
Connect-MgGraph -TenantId $tenantId -Scopes Application.ReadWrite.All

# Retrieve all applications in the current directory
Write-Host "Looking-up all applications in directory '$tenantId'..."
$applications = Get-MgApplication -All -Property id, displayName, appId, identifierUris, requiredResourceAccess, authenticationBehaviors
Write-Host "Found '$($applications.Count)' total applications in directory '$tenantId'"

# Find all the unique deployment GUIDs; each one represents an Azure Stack deployment in the current directory.
# Azure Stack identifier URIs have the form https://management.<fqdn>/<deploymentGuid>, so the GUID is the 4th '/'-separated segment.
$deploymentGuids = $applications.IdentifierUris |
    Where-Object { $_ -like 'https://management.*' -or $_ -like 'https://adminmanagement.*' } |
    ForEach-Object { "$_".Split('/')[3] } |
    Select-Object -Unique
Write-Host "Found '$($deploymentGuids.Count)' total Azure Stack deployments in directory '$tenantId'"

# Find all the Azure Stack application objects for each deployment
$azureStackApplications = @()
foreach ($application in $applications)
{
    foreach ($deploymentGuid in $deploymentGuids)
    {
        if (($application.IdentifierUris -join '') -like "*$deploymentGuid*")
        {
            $azureStackApplications += $application
            break   # an application belongs to one deployment; don't add it twice
        }
    }
}

# Find which Azure Stack applications require access to the legacy (Azure AD) Graph service,
# identified by its resource appId 00000002-0000-0000-c000-000000000000
$azureStackLegacyGraphApplications = $azureStackApplications |
    Where-Object { $_.RequiredResourceAccess.ResourceAppId -contains '00000002-0000-0000-c000-000000000000' }

# Find which of those applications need their authentication behaviors patched to allow access to legacy Graph.
# Only an explicit blockAzureADGraphAccess = $false keeps access; a missing authenticationBehaviors object,
# a missing key, or a null value all mean "platform default" and must still be patched.
$azureStackLegacyGraphApplicationsToUpdate = @($azureStackLegacyGraphApplications |
    Where-Object {
        $ab = $_.AdditionalProperties.authenticationBehaviors
        -not ($ab -and $ab.ContainsKey('blockAzureADGraphAccess') -and $ab['blockAzureADGraphAccess'] -eq $false)
    })

# Update the applications which require their authentication behaviors patched to allow access to legacy Graph
Write-Host "Found '$($azureStackLegacyGraphApplicationsToUpdate.Count)' total Azure Stack applications which need permission to continue calling Legacy Microsoft Graph Service"
$count = 0
foreach ($application in $azureStackLegacyGraphApplicationsToUpdate)
{
    $count++
    Write-Host "$count/$($azureStackLegacyGraphApplicationsToUpdate.Count) - Updating application '$($application.DisplayName)' (appId=$($application.AppId)) (id=$($application.Id))"
    Update-MgApplication -ApplicationId $application.Id -BodyParameter @{
        authenticationBehaviors = @{ blockAzureADGraphAccess = $false }
    }
}
The script displays output like the following example:
Looking-up all applications in directory '<ID>'...
Found '###' total applications in directory '<ID>'
Found '1' total Azure Stack deployments in directory '<ID>'
Found '16' total Azure Stack applications which need permission to continue calling Legacy Microsoft Graph Service
1/16 - Updating application 'Azure Stack - AKS' (appId=<app ID>) (id=<ID>)
2/16 - Updating application 'Azure Stack - Hubs' (appId=<app ID>) (id=<ID>)
3/16 - Updating application 'Azure Stack - Portal Administration' (appId=<app ID>) (id=<ID>)
4/16 - Updating application 'Azure Stack - RBAC Administration' (appId=<app ID>) (id=<ID>)
5/16 - Updating application 'Azure Stack - Container Registry' (appId=<app ID>) (id=<ID>)
6/16 - Updating application 'Azure Stack - RBAC' (appId=<app ID>) (id=<ID>)
7/16 - Updating application 'Azure Stack - Hubs Administration' (appId=<app ID>) (id=<ID>)
8/16 - Updating application 'Azure Stack - Deployment Provider' (appId=<app ID>) (id=<ID>)
9/16 - Updating application 'Azure Stack - Deployment' (appId=<app ID>) (id=<ID>)
10/16 - Updating application 'Azure Stack - KeyVault' (appId=<app ID>) (id=<ID>)
11/16 - Updating application 'Azure Stack' (appId=<app ID>) (id=<ID>)
12/16 - Updating application 'Azure Stack - Administration' (appId=<app ID>) (id=<ID>)
13/16 - Updating application 'Azure Stack - Policy Administration' (appId=<app ID>) (id=<ID>)
14/16 - Updating application 'Azure Stack - Policy' (appId=<app ID>) (id=<ID>)
15/16 - Updating application 'Azure Stack - Portal' (appId=<app ID>) (id=<ID>)
16/16 - Updating application 'Azure Stack - KeyVault Administration ' (appId=<app ID>) (id=<ID>)
Run the script again to verify that all applications were updated. If every application was updated successfully, the script returns the following output:
Looking-up all applications in directory '<ID>'...
Found '####' total applications in directory '<ID>'
Found '1' total Azure Stack deployments in directory '<ID>'
Found '0' total Azure Stack applications which need permission to continue calling Legacy Microsoft Graph Service
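As an added example (not code from the original article, nor from Azure Stack Hub), the following read-only audit reports, for each Azure Stack application in the directory, whether it depends on the legacy Azure AD Graph resource and what its blockAzureADGraphAccess flag currently reads. It is meant to be run before the remediation script, to see exactly which objects will change, and again afterwards, to confirm that every dependent application reads 'Allowed'; it requests only Application.Read.All and never writes. The function names, the $tenantId placeholder and the sample application objects are mine: set $tenantId to audit a live tenant, otherwise the constructed sample data lets the logic run offline.

```powershell
# Added example (not from the original article): read-only audit of the
# blockAzureADGraphAccess flag on Azure Stack Hub application objects.
# Function names and the sample data below are hypothetical / constructed.
$ErrorActionPreference = 'Stop'

# Resource appId of the legacy Azure AD Graph service (same value the remediation script tests).
$legacyGraphAppId = '00000002-0000-0000-c000-000000000000'

function Get-DeploymentGuids {
    # Azure Stack identifier URIs look like https://management.<fqdn>/<deploymentGuid>;
    # the deployment GUID is the 4th '/'-separated segment.
    param([object[]]$Applications)
    $Applications.IdentifierUris |
        Where-Object { $_ -like 'https://management.*' -or $_ -like 'https://adminmanagement.*' } |
        ForEach-Object { "$_".Split('/')[3] } |
        Select-Object -Unique
}

function Get-LegacyGraphFlagState {
    # Maps authenticationBehaviors.blockAzureADGraphAccess to Allowed / Blocked / NotSet.
    # Only an explicit $false guarantees continued access; a missing object, a missing
    # key or an explicit null all mean "platform default" and are reported as NotSet.
    param($Application)
    $ab = $Application.AdditionalProperties.authenticationBehaviors
    if ($null -eq $ab -or -not $ab.ContainsKey('blockAzureADGraphAccess')) { return 'NotSet' }
    $value = $ab['blockAzureADGraphAccess']
    if ($null -eq $value)  { return 'NotSet' }
    if ($value -eq $false) { return 'Allowed' }
    return 'Blocked'
}

function Get-AzureStackAppAudit {
    # One row per Azure Stack application: does it need legacy Graph, and is the flag set?
    param([object[]]$Applications)
    $guids = @(Get-DeploymentGuids -Applications $Applications)
    foreach ($app in $Applications) {
        $uris = $app.IdentifierUris -join ' '
        $guid = $guids | Where-Object { $uris -like "*$_*" } | Select-Object -First 1
        if (-not $guid) { continue }   # not an Azure Stack application object
        $needsLegacy = [bool]($app.RequiredResourceAccess.ResourceAppId -contains $legacyGraphAppId)
        $state = Get-LegacyGraphFlagState -Application $app
        [pscustomobject]@{
            Deployment          = $guid
            DisplayName         = $app.DisplayName
            AppId               = $app.AppId
            RequiresLegacyGraph = $needsLegacy
            FlagState           = $state
            NeedsUpdate         = ($needsLegacy -and $state -ne 'Allowed')
        }
    }
}

$tenantId = $null   # set to the home-directory tenant ID to audit a live tenant

if ($tenantId) {
    Import-Module Microsoft.Graph.Authentication
    Import-Module Microsoft.Graph.Applications
    # The audit only reads, so request the read-only application scope.
    Connect-MgGraph -TenantId $tenantId -Scopes Application.Read.All
    $applications = Get-MgApplication -All -Property id, displayName, appId, identifierUris, requiredResourceAccess, authenticationBehaviors
} else {
    # Constructed sample objects (not real tenant output) so the logic can be exercised offline.
    $guid   = '11111111-2222-3333-4444-555555555555'
    $legacy = @([pscustomobject]@{ ResourceAppId = $legacyGraphAppId })
    $applications = @(
        # Explicit null: depends on legacy Graph and still needs the flag set.
        [pscustomobject]@{ Id = 'obj-1'; AppId = 'app-1'; DisplayName = 'Azure Stack - Portal'
            IdentifierUris = @("https://management.local.azurestack.external/$guid")
            RequiredResourceAccess = $legacy
            AdditionalProperties = @{ authenticationBehaviors = @{ blockAzureADGraphAccess = $null } } }
        # Already remediated.
        [pscustomobject]@{ Id = 'obj-2'; AppId = 'app-2'; DisplayName = 'Azure Stack - KeyVault'
            IdentifierUris = @("https://adminmanagement.local.azurestack.external/$guid")
            RequiredResourceAccess = $legacy
            AdditionalProperties = @{ authenticationBehaviors = @{ blockAzureADGraphAccess = $false } } }
        # Azure Stack app with no legacy Graph dependency: nothing to do.
        [pscustomobject]@{ Id = 'obj-3'; AppId = 'app-3'; DisplayName = 'Azure Stack - Hubs'
            IdentifierUris = @("https://management.local.azurestack.external/$guid/hubs")
            RequiredResourceAccess = @()
            AdditionalProperties = @{} }
        # Unrelated line-of-business app: must be ignored even though it uses legacy Graph.
        [pscustomobject]@{ Id = 'obj-4'; AppId = 'app-4'; DisplayName = 'Contoso LOB'
            IdentifierUris = @('api://contoso-lob')
            RequiredResourceAccess = $legacy
            AdditionalProperties = @{} }
    )
}

$audit   = @(Get-AzureStackAppAudit -Applications $applications)
$pending = @($audit | Where-Object { $_.NeedsUpdate })
$audit | Format-Table Deployment, DisplayName, RequiresLegacyGraph, FlagState, NeedsUpdate -AutoSize
Write-Host "$($pending.Count) of $($audit.Count) Azure Stack applications still need blockAzureADGraphAccess = false"
```

With the sample data the audit reports 1 of 3 Azure Stack applications pending (the one whose flag is an explicit null), and the unrelated line-of-business app is left out even though it references the legacy Graph resource. Against a live tenant, a non-zero pending count after the remediation script has run means some dependent application still has the flag unset or set to true and should be investigated before the retirement date. If you want to preview the write itself, Update-MgApplication accepts -WhatIf like other Microsoft Graph PowerShell cmdlets.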