Apps can’t make requests to Azure AD Graph APIs after February 1, 2025 – unless you take action to postpone the impact.
Applications are unable to make requests to Azure AD Graph APIs after February 1, 2025. Here’s how you can take action to extend access until June 30, 2025.
Retirement of the Azure AD Graph API service began in September 2024 and impacts both new and existing applications. We’re now completing the first phase of Azure AD Graph retirement, and new applications will not be able to use Azure AD Graph APIs unless they are configured for extended access. Microsoft Graph is the replacement for Azure AD Graph APIs, and we strongly recommend immediately migrating use of Azure AD Graph APIs to Microsoft Graph and limiting any further development using Azure AD Graph APIs.
We’ve communicated extensively about this retirement, but as a refresher, here are the key milestones:
| Phase start date | Impact to existing apps | Impact to new apps |
|---|---|---|
| September 1, 2024 | None. | All new apps must use Microsoft Graph. New apps are blocked from using Azure AD Graph APIs, unless the app is configured to allow extended Azure AD Graph access until June 30, 2025 by setting to false. |
| February 1, 2025 | Application is unable to make requests to Azure AD Graph APIs unless it is configured to allow extended Azure AD Graph access by setting blockAzureADGraphAccess to false. Take action to prepare via the steps in this blog post. | |
| July 1, 2025 | Azure AD Graph is fully retired. No Azure AD Graph API requests will function. | |
Required actions:
To avoid impact, it’s important to take action now to ensure that your tenant is ready for the Azure AD Graph retirement. Follow the two steps detailed below to identify and mitigate use of Azure AD Graph APIs by applications in your tenant.
Step one: Identify apps using Azure AD Graph APIs in your tenant
The first step in getting your tenant ready for the Azure AD Graph retirement is to identify applications that are using Azure AD Graph APIs. We’ve provided two Microsoft Entra recommendations that show information about applications and service principals that are actively using Azure AD Graph APIs in your tenant. These recommendations are:
- Migrate Applications from the retiring Azure AD Graph APIs to Microsoft Graph: Details applications that are created in your tenant that are accessing Azure AD Graph APIs currently.
- Migrate Service Principals from the retiring Azure AD Graph APIs to Microsoft Graph: Details multi-tenant applications provided by a software vendor that are used in your tenant and are accessing Azure AD Graph APIs currently.
The information shown in these recommendations is based on actual usage of Azure AD Graph APIs in your tenant and is the best source to find apps that need attention for Azure AD Graph retirement. The recommendations list Applications and provide information about the operations the apps are performing. This can help clarify the usage of Azure AD Graph APIs that must be migrated.
You can access these recommendations in the Microsoft Entra admin center by browsing to: Identity > Overview > Recommendations
Figure 1: Microsoft Entra Recommendations for Azure AD Graph retirement.
Figure 2: Detailed view of Microsoft Entra recommendations for Azure AD Graph retirement.
Resources:
- Learn more about these recommendations: Recommendation to migrate to Microsoft Graph API - Microsoft Entra ID | Microsoft Learn
- Learn how to find and act upon recommendations in the Microsoft Entra admin center: How to use Microsoft Entra recommendations - Microsoft Entra ID | Microsoft Learn
Optional: Programmatically reporting on impacted applications
If you would like to export the information from the Microsoft Entra recommendations, or automate a periodic report, you can use the Microsoft Entra Recommendations APIs or Microsoft Graph PowerShell.
PowerShell example:
```powershell
# Modules for directory recommendations and application objects (beta endpoint)
Import-Module Microsoft.Graph.Beta.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Beta.Applications

Connect-MgGraph -Scopes "Application.Read.All", "User.Read.All", "DirectoryRecommendations.Read.All"

$appsRecommendationType = "aadGraphDeprecationApplication"
$spRecommendationType = "aadGraphDeprecationServicePrincipal"

# List the active impacted resources for one recommendation type
function getImpactedResources($recommendationType) {
    $recommendation = Get-MgBetaDirectoryRecommendation -Filter "recommendationType eq '$recommendationType'"
    $resources = ""
    if ($recommendation) {
        $resources = Get-MgBetaDirectoryRecommendationImpactedResource -RecommendationId $recommendation.id -Filter "Status eq 'active'" |
            Select-Object DisplayName, Id, Status
    }
    $resources | Format-Table
}

Write-Output "Applications to migrate from Azure AD Graph to Microsoft Graph"
getImpactedResources $appsRecommendationType

Write-Output "Service Principals to migrate from Azure AD Graph to Microsoft Graph"
getImpactedResources $spRecommendationType
```
Step two: Preparing applications for Azure AD Graph retirement
Action will be needed for each application using Azure AD Graph APIs identified by the two Microsoft Entra Recommendations. Applications shown in both the Migrate Applications recommendation and the Migrate Service Principals recommendation will need to be updated by the developer to use Microsoft Graph APIs instead of Azure AD Graph APIs. An extension can be configured to allow an application to use Azure AD Graph through June 30, 2025.
The next steps and who needs to take action will be different for applications created in your tenant versus service principals for vendor-supplied applications.
Applications created in your tenant
Impacted resources shown in the Migrate Applications from the retiring Azure AD Graph APIs to Microsoft Graph recommendation are applications that are created in your tenant. You must take action for any application listed in this recommendation before 1 February 2025.
- Contact the application owners or developers in your organization and ensure that they’re aware of Azure AD Graph retirement and have a plan to migrate to Microsoft Graph APIs. You can find the owners for the application by clicking on More Details and then the application name in the Microsoft Entra Recommendation, or by finding the application in the App Registrations list in the Microsoft Entra portal.
- If the application will not be migrated to Microsoft Graph APIs by February 1, 2025, you can configure an extension for the application, allowing access through June 30, 2025. This is done by setting blockAzureADGraphAccess:false in the app’s authenticationBehaviors configuration. This can be done through Microsoft Graph Explorer or Microsoft Graph PowerShell. Learn more: Manage application authenticationBehaviors.
- The application developer should reference our documentation on migrating applications from Azure AD Graph to Microsoft Graph, and plan on completing this migration by June 30, 2025 (if the extension has been set for the application).
- Note: If you are using service principal login for applications like Microsoft Azure PowerShell or Microsoft Azure CLI, and the application is using Azure AD Graph APIs, it will show on the Migrate Applications recommendation. In this case, the application’s identity is registered in your tenant, and you must take action. For these cases, you should update the installed version of the software to eliminate Azure AD Graph API usage, and/or set the extension for the app defined in your tenant.
Service Principals for vendor-supplied applications
Impacted resources shown in the Migrate Service Principals from the retiring Azure AD Graph APIs to Microsoft Graph recommendation are service principals – multi-tenant applications provided by a software vendor that are used in your tenant. We have ensured that all Microsoft ‘first-party’ applications that are still using Azure AD Graph APIs have the extension through June, 2025.
However, action is still needed for each service principal listed in this recommendation. In many cases, an update will already be available that has replaced calls to Azure AD Graph APIs with Microsoft Graph APIs, and you will need to install the newer version. For apps provided by software vendors other than Microsoft, you will need to confirm readiness with the software vendor:
- If an update is available, you will need to plan to update the client software to the newer version.
- If there is not an update available:
  - Ask the vendor if they have configured the application for an extension to continue using Azure AD Graph APIs through June 30, 2025. If needed, you can direct the vendor to this documentation.
  - Confirm that the vendor has a plan to provide an update to the client software that replaces use of Azure AD Graph APIs with Microsoft Graph APIs.
Microsoft-provided applications
You may see applications provided by Microsoft in the Migrate Service Principals recommendation. These are using Azure AD Graph APIs in your tenant. As the software vendor for these applications, Microsoft has configured the extension for any “first-party” applications that are actively using Azure AD Graph APIs. To identify first-party applications, you can reference here and a more thorough list here. This means that they will not be impacted in the retirement phase starting 1 February 2025.
However, most Microsoft-provided applications that you may see in this recommendation have an update available that uses Microsoft Graph instead of Azure AD Graph APIs. You should take action for these to avoid impact later in 2025. Examples include:
| App ID | App Name | Action required |
|---|---|---|
| 1b730954-1685-4b74-9bfd-dac224a7b894 | Azure AD PowerShell | Azure AD PowerShell is deprecated and will be retired soon. You should migrate to Microsoft Graph PowerShell SDK. For more information, reference: Migrate from Azure AD PowerShell to Microsoft Graph PowerShell. |
| 04b07795-8ddb-461a-bbee-02f9e1bf7b46 | Azure CLI | Update to version 2.66.0 or later. For more information, see Microsoft Graph migration. |
| 1950a258-227b-4e31-a9cf-717495945fc2 | Azure PowerShell | Update to version 12.4.0 or later: PowerShell Gallery \| Az 12.4.0 |
| 04f0c124-f2bc-4f59-8241-bf6df9866bb | Visual Studio | Update Microsoft Visual Studio 2022 to version 17.7 or later: Visual Studio 2022 version 17.7 Release Notes |
You should plan to update any other Microsoft-provided applications listed in this recommendation.
Extending Azure AD Graph access for an app
If you have not fully completed app migrations to Microsoft Graph, you can extend this retirement. If you set the blockAzureADGraphAccess attribute to false in the app’s authenticationBehaviors configuration, the application will be able to use Azure AD Graph APIs through June 30, 2025. Further documentation can be found here.
New applications will receive a 403 error when attempting to access Azure AD Graph APIs unless this setting is set to false. For all existing applications that will not complete migration to Microsoft Graph in 2024, you should plan to set this configuration now.
Learn more: Allow extended Azure AD Graph access until June 30, 2025 - Microsoft Graph | Microsoft Learn
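One way to apply and verify the extension described above with Microsoft Graph PowerShell. This is an added example, not code from the original post; the function name Set-AadGraphExtension and the all-zero appId are hypothetical, and the appId values are assumed to belong to app registrations in your own tenant.

```powershell
# Added example: function name and sample appId are hypothetical.
Import-Module Microsoft.Graph.Beta.Applications
Connect-MgGraph -Scopes "Application.ReadWrite.All"

function Set-AadGraphExtension {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # appId (client ID) values of applications registered in this tenant
        [Parameter(Mandatory)][string[]]$AppId
    )
    # Request authenticationBehaviors explicitly alongside the identifying fields
    $select = "id,displayName,appId,authenticationBehaviors"
    foreach ($clientId in $AppId) {
        $app = Get-MgBetaApplication -Filter "appId eq '$clientId'" -Property $select
        if (-not $app) {
            Write-Warning "No app registration with appId $clientId in this tenant."
            continue
        }
        # $null means the behavior was never configured for this app
        $before = $app.AuthenticationBehaviors.BlockAzureADGraphAccess
        $after = $before
        # Write only when the extension is not already in place; honors -WhatIf / -Confirm
        if ($before -ne $false -and
            $PSCmdlet.ShouldProcess($app.DisplayName, "Set blockAzureADGraphAccess to false")) {
            $body = @{ authenticationBehaviors = @{ blockAzureADGraphAccess = $false } }
            Update-MgBetaApplication -ApplicationId $app.Id -BodyParameter $body
            # Read the value back so the report reflects what the directory now holds
            $check = Get-MgBetaApplication -ApplicationId $app.Id -Property $select
            $after = $check.AuthenticationBehaviors.BlockAzureADGraphAccess
        }
        # One row per app: a record of which apps carry the temporary extension
        [pscustomobject]@{
            DisplayName = $app.DisplayName
            AppId       = $app.AppId
            ObjectId    = $app.Id
            Before      = $before
            After       = $after
        }
    }
}

# Dry run against a placeholder appId: reports current state, changes nothing
Set-AadGraphExtension -AppId "00000000-0000-0000-0000-000000000000" -WhatIf
```

Application.ReadWrite.All is a broad scope, so run with -WhatIf first and keep the returned rows as the list of apps whose extension must be removed once they have migrated.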
Benefits of migrating to Microsoft Graph
Microsoft Graph represents our best-in-breed API surface. It offers a single unified endpoint to access Microsoft Entra services and Microsoft 365 services such as Microsoft Teams and Microsoft Intune. All new functionalities will only be available through Microsoft Graph. Microsoft Graph is also more secure and resilient than Azure AD Graph.
Microsoft Graph has all the capabilities that have been available in Azure AD Graph and new APIs like identity protection and authentication methods. Its client libraries offer built-in support for features like retry handling, secure redirects, transparent authentication, and payload compression.
Resources:
Migrating to Microsoft Graph from Azure AD Graph is made easier with the following tools and documentation:
- Migrate from Azure Active Directory (Azure AD) Graph to Microsoft Graph
- Azure AD Graph app migration planning checklist
- Azure AD Graph to Microsoft Graph migration FAQ
And – if needed – you can extend access for your applications until June 30, 2025: Allow extended Azure AD Graph access until June 30, 2025 - Microsoft Graph | Microsoft Learn
Kristopher Bash
Product Manager, Microsoft Graph
Learn more about Microsoft Entra
Prevent identity attacks, ensure least privilege access, unify access controls, and improve the experience for users with comprehensive identity and network access solutions across on-premises and clouds.
Updated Mar 12, 2025
Version 4.0