

Microsoft Entra ID Graph API retirement

The Microsoft Entra ID (formerly Azure Active Directory or Azure AD) Graph API service is being retired. This retirement is part of a broader effort to simplify the Microsoft Entra ID platform and improve the Microsoft Entra ID developer experience.

Mitigation steps

The Graph API retirement affects all Azure Stack Hub customers that use Entra ID as their identity provider, and requires you to run the script included in this article against all affected applications. If you have applications that still need access to the Graph API, the script sets a flag that configures the Graph API extension for those applications, allowing those specific applications to keep calling the legacy Graph API until June 2025.

The PowerShell script provided in this article sets a per-application flag that configures the Graph API extension for each Entra ID identity provider of Azure Stack Hub.

To make sure that Azure Stack Hub environments that use Entra ID as their identity provider keep working, you should run this script before the end of February 2025.

Note

If you delay adding this flag until after February 2025, authentication will fail. You can then run this script to make sure Azure Stack Hub works as expected.

Run the script

Run the following PowerShell script in the Entra ID environment that Azure Stack Hub uses as its "home directory" (the primary identity provider for Azure Stack Hub). The script interacts with Azure, so you don't need to run it on a specific computer. However, you need at least the "Application Administrator" permission in the respective Entra ID tenant to run the script.

Be sure to run the following script with administrator privileges on your local computer:

# Install the graph modules if necessary
#Install-Module Microsoft.Graph.Authentication
#Install-Module Microsoft.Graph.Applications

$ErrorActionPreference='Stop'
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Applications

# Repeat this flow for each of your target directory tenants
$tenantId = 'MyTenantId'

# Sign-in with admin permissions to read and write all application objects
Connect-MgGraph -TenantId $tenantId -Scopes Application.ReadWrite.All

# Retrieve all applications in the current directory
Write-Host "Looking-up all applications in directory '$tenantId'..."
$applications = Get-MgApplication -All -Property id, displayName, appId, identifierUris, requiredResourceAccess, authenticationBehaviors
Write-Host "Found '$($applications.Count)' total applications in directory '$tenantId'"

# Find all the unique deployment guids, each one representing an Azure Stack deployment in the current directory.
# Azure Stack identifier URIs have the form https://management.<region>.<fqdn>/<deployment guid>, so the
# fourth path segment of the URI is the deployment guid.
$deploymentGuids = $applications.IdentifierUris |
    Where-Object { $_ -like 'https://management.*' -or $_ -like 'https://adminmanagement.*' } |
    ForEach-Object { "$_".Split('/')[3] } |
    Select-Object -Unique
Write-Host "Found '$($deploymentGuids.Count)' total Azure Stack deployments in directory '$tenantId'"

# Find all the Azure Stack application objects for each deployment
$azureStackApplications = @()
foreach ($application in $applications)
{
    foreach ($deploymentGuid in $deploymentGuids)
    {
        if (($application.IdentifierUris -join '') -like "*$deploymentGuid*")
        {
            $azureStackApplications += $application
        }
    }
}

# Find which Azure Stack applications require access to Legacy Graph Service
# (00000002-0000-0000-c000-000000000000 is the resource app ID of Azure AD Graph)
$azureStackLegacyGraphApplications = $azureStackApplications |
    Where-Object { $_.RequiredResourceAccess.ResourceAppId -contains '00000002-0000-0000-c000-000000000000' }

# Find which of those applications need to have their authentication behaviors patched to allow access to Legacy Graph.
# An application needs patching when authenticationBehaviors is absent, when the blockAzureADGraphAccess key is
# absent, or when the key is present and set to $true; only an explicit $false allows continued access.
$azureStackLegacyGraphApplicationsToUpdate = $azureStackLegacyGraphApplications |
    Where-Object { -not ($ab = $_.AdditionalProperties.authenticationBehaviors) -or -not $ab.ContainsKey(($key='blockAzureADGraphAccess')) -or $ab[$key] }

# Update the applications which require their authentication behaviors patched to allow access to Legacy Graph
Write-Host "Found '$($azureStackLegacyGraphApplicationsToUpdate.Count)' total Azure Stack applications which need permission to continue calling Legacy Microsoft Graph Service"
$count = 0
foreach ($application in $azureStackLegacyGraphApplicationsToUpdate)
{
    $count++
    Write-Host "$count/$($azureStackLegacyGraphApplicationsToUpdate.Count) - Updating application '$($application.DisplayName)' (appId=$($application.AppId)) (id=$($application.Id))"
    Update-MgApplication -ApplicationId $application.Id -BodyParameter @{
        authenticationBehaviors = @{ blockAzureADGraphAccess = $false }
    }
}

The script displays output like the following example:

Looking-up all applications in directory '<ID>'...
Found '###' total applications in directory '<ID>'
Found '1' total Azure Stack deployments in directory '<ID>'
Found '16' total Azure Stack applications which need permission to continue calling Legacy Microsoft Graph Service
1/16 - Updating application 'Azure Stack - AKS' (appId=<app ID>) (id=<ID>)
2/16 - Updating application 'Azure Stack - Hubs' (appId=<app ID>) (id=<ID>)
3/16 - Updating application 'Azure Stack - Portal Administration' (appId=<app ID>) (id=<ID>)
4/16 - Updating application 'Azure Stack - RBAC Administration' (appId=<app ID>) (id=<ID>)
5/16 - Updating application 'Azure Stack - Container Registry' (appId=<app ID>) (id=<ID>)
6/16 - Updating application 'Azure Stack - RBAC' (appId=<app ID>) (id=<ID>)
7/16 - Updating application 'Azure Stack - Hubs Administration' (appId=<app ID>) (id=<ID>)
8/16 - Updating application 'Azure Stack - Deployment Provider' (appId=<app ID>) (id=<ID>)
9/16 - Updating application 'Azure Stack - Deployment' (appId=<app ID>) (id=<ID>)
10/16 - Updating application 'Azure Stack - KeyVault' (appId=<app ID>) (id=<ID>)
11/16 - Updating application 'Azure Stack' (appId=<app ID>) (id=<ID>)
12/16 - Updating application 'Azure Stack - Administration' (appId=<app ID>) (id=<ID>)
13/16 - Updating application 'Azure Stack - Policy Administration' (appId=<app ID>) (id=<ID>)
14/16 - Updating application 'Azure Stack - Policy' (appId=<app ID>) (id=<ID>)
15/16 - Updating application 'Azure Stack - Portal' (appId=<app ID>) (id=<ID>)
16/16 - Updating application 'Azure Stack - KeyVault Administration' (appId=<app ID>) (id=<ID>)

Run the script a second time to confirm that all applications have been updated. If all applications were updated successfully, the script should return the following output:

Looking-up all applications in directory '<ID>'...
Found '####' total applications in directory '<ID>'
Found '1' total Azure Stack deployments in directory '<ID>'
Found '0' total Azure Stack applications which need permission to continue calling Legacy Microsoft Graph Service
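Re-running the remediation script only tells you how many applications still need the flag. The following read-only audit is an added example, not part of the original article or of the Azure Stack Hub product scripts; it reuses the same deployment-discovery logic but changes nothing, so it can be run before remediation (to see exactly which applications would be patched) and afterwards (to confirm every Azure Stack application that depends on Azure AD Graph now has blockAzureADGraphAccess explicitly set to false). Because it only reads, it signs in with the Application.Read.All scope rather than Application.ReadWrite.All. The tenant ID is a placeholder, and the Microsoft.Graph.Authentication and Microsoft.Graph.Applications modules are assumed to be installed, as in the script above.

```powershell
# Added example: read-only audit of Azure Stack Hub application registrations and their
# blockAzureADGraphAccess setting. Not part of the original article; assumes the Graph
# PowerShell modules are installed and the caller holds at least Application.Read.All.
$ErrorActionPreference = 'Stop'
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Applications

$tenantId = 'MyTenantId'   # placeholder: the Azure Stack Hub home directory tenant ID

# Least privilege: auditing needs only read access to application objects
Connect-MgGraph -TenantId $tenantId -Scopes Application.Read.All

# Resource app ID of the legacy Azure AD Graph service (same value the remediation script uses)
$legacyGraphResourceAppId = '00000002-0000-0000-c000-000000000000'

$applications = Get-MgApplication -All -Property id, displayName, appId, identifierUris, requiredResourceAccess, authenticationBehaviors

# Same deployment discovery as the remediation script: the fourth URI path segment is the deployment guid
$deploymentGuids = $applications.IdentifierUris |
    Where-Object { $_ -like 'https://management.*' -or $_ -like 'https://adminmanagement.*' } |
    ForEach-Object { "$_".Split('/')[3] } |
    Select-Object -Unique

$report = foreach ($application in $applications) {
    $uris = $application.IdentifierUris -join ''
    $deployment = $deploymentGuids | Where-Object { $uris -like "*$_*" } | Select-Object -First 1
    if (-not $deployment) { continue }   # not an Azure Stack application, skip it

    $requiresLegacyGraph = $application.RequiredResourceAccess.ResourceAppId -contains $legacyGraphResourceAppId

    # Absent behaviors, absent key, or $true all mean legacy Graph access is (or will be) blocked;
    # only an explicit $false keeps the application working after the retirement.
    $ab = $application.AdditionalProperties.authenticationBehaviors
    if (-not $ab -or -not $ab.ContainsKey('blockAzureADGraphAccess')) {
        $flag = 'not set'
    } elseif ($ab['blockAzureADGraphAccess']) {
        $flag = 'true'
    } else {
        $flag = 'false'
    }

    [pscustomobject]@{
        Deployment          = $deployment
        DisplayName         = $application.DisplayName
        AppId               = $application.AppId
        RequiresLegacyGraph = $requiresLegacyGraph
        BlockAzureADGraph   = $flag
        NeedsUpdate         = ($requiresLegacyGraph -and $flag -ne 'false')
    }
}

$report | Sort-Object Deployment, DisplayName | Format-Table -AutoSize
$pending = @($report | Where-Object NeedsUpdate)
Write-Host "Azure Stack applications still needing blockAzureADGraphAccess=false: $($pending.Count)"
```

Run it once per Azure Stack Hub home directory tenant. A clean result is a table in which every row with RequiresLegacyGraph equal to True shows BlockAzureADGraph as false and NeedsUpdate as False, matching the "Found '0'" line the remediation script prints on its second run; any row still showing "not set" or "true" is an application that will fail authentication once the legacy Graph API is retired.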

Next steps

Azure Stack Hub release notes