Microsoft Entra Blog
Take action by February 1: Azure AD Graph is retiring

RicLewisIdentity
Jan 16, 2025

Apps can’t make requests to Azure AD Graph APIs after February 1, 2025 – unless you take action to postpone the impact.

Hey Folks, 

We wanted to get this news at the top of your inbox for 2025: Applications will be unable to make requests to Azure AD Graph APIs starting February 1, 2025. 

We're proceeding with the retirement of the Azure AD Graph API service, which began in September 2024.

Our next big milestone starts February 1st, when existing applications will be prevented from calling Azure AD Graph APIs. You may not see impact right away, as we're rolling out this change in stages across tenants. We anticipate full deployment of this change by the end of February.

Microsoft Graph is the replacement for Azure AD Graph APIs. We strongly recommend immediately migrating use of Azure AD Graph APIs to Microsoft Graph and ceasing any further use of Azure AD Graph APIs. 

Retirement phases (impact to existing apps and to new apps):

September 1, 2024
  • Existing apps: None.
  • New apps: All new apps must use Microsoft Graph. New apps are blocked from using Azure AD Graph APIs, unless the app is configured to allow extended Azure AD Graph access until June 30, 2025 by setting  to false.

February 1, 2025
  • Application is unable to make requests to Azure AD Graph APIs unless it is configured to allow extended Azure AD Graph access by setting blockAzureADGraphAccess to false.

July 1, 2025
  • Azure AD Graph is fully retired. No Azure AD Graph API requests will function.

Urgent: Review the applications on your tenant 

Please review our December 2024 post, Action required: Azure AD Graph API retirement | Microsoft Community Hub for more detailed guidance. 

If you have not already, it is now urgent to review the applications on your tenant to see which ones depend on Azure AD Graph API access and mitigate or migrate these before the February 1st cutoff date. 

Review Recommendations in the Microsoft Entra admin center 

As we discussed in our December post, Microsoft Entra Recommendations can help you identify applications in your tenant that will be impacted by the retirement of Azure AD Graph API access. You can find your tenant’s Recommendations in the Microsoft Entra admin center (Identity > Overview > Recommendations).  

The two recommendations for Azure AD Graph retirement summarize usage of Azure AD Graph APIs by applications in your tenant over the last 30 days. The Recommendations also list which Azure AD Graph operations the application is using. 

Recommendation 1:   

Migrate Applications from the Retiring Azure AD Graph APIs to Microsoft Graph 

Impacted resources shown in this recommendation are applications that are created in your tenant. You must take action for any application listed in this recommendation before 1 February 2025.

If you're using service principal login for applications like Microsoft Azure PowerShell or Microsoft Azure CLI, and the application is using Azure AD Graph APIs, it will show on the Migrate Applications recommendation. In this case, the application's identity is registered in your tenant, and you must configure the app for extended access or update to a version of the software that no longer calls Azure AD Graph APIs.

For applications that are registered in your tenant, you can configure extended access for the application until June 30, 2025.   

Recommendation 2:

Migrate Service Principals from the retiring Azure AD Graph APIs to Microsoft Graph 

Impacted resources shown with this recommendation are service principals—multi-tenant applications provided by a software vendor that are used in your tenant.  

  • Applications provided by Microsoft 

These applications are already extended until June.  However, you will need to update these to a newer version by June 2025 to ensure continued operation. 

  • Vendor-provided applications 

All applications registered in your tenant, including those written by independent, external, and third-party software vendors, are subject to Azure AD Graph API retirement.  If an application that you do not own shows up on your Recommendations, please contact the software vendor and ask them to update their application. 

Note:  Microsoft is working with vendors of popular apps to set access extensions to avoid disruptions. These applications will still appear in the “Migrate Service Principals…” Recommendation. Please work with your vendor for details. 

How to extend Azure AD Graph access for an app 

If you have an application that requires access to Azure AD Graph APIs after February, you must update that application’s configuration, setting the blockAzureADGraphAccess attribute to false in the app’s authenticationBehaviors configuration. 

After February, applications will receive a 403 error when attempting to access Azure AD Graph APIs unless this configuration setting is set to false.  

With this flag in place, the application will be able to use Azure AD Graph APIs through June 30, 2025. Further documentation can be found here.   

Learn more: Allow extended Azure AD Graph access until June 30, 2025 - Microsoft Graph | Microsoft Learn 
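To put the review step and the extension step above into practice, here is an added Microsoft Graph PowerShell example (not code from the post or from Microsoft): it lists the app registrations in the tenant whose manifest still requests Azure AD Graph permissions, shows their current flag, and then sets blockAzureADGraphAccess to false on one app. It assumes the Microsoft.Graph.Beta.Applications module, a signed-in account with Application.ReadWrite.All, and a placeholder $targetAppId that you replace.

```powershell
# Added example, not from the post: inventory app registrations that request
# Azure AD Graph permissions, then grant one of them extended access.
# Assumptions: Microsoft.Graph.Beta.Applications is installed, the signed-in
# account holds Application.ReadWrite.All, and $targetAppId is a placeholder.
Import-Module Microsoft.Graph.Beta.Applications
Connect-MgGraph -Scopes 'Application.ReadWrite.All'

# Well-known resource appId of Azure AD Graph ("Windows Azure Active Directory");
# Microsoft Graph is 00000003-0000-0000-c000-000000000000.
$AadGraphResourceId = '00000002-0000-0000-c000-000000000000'

# authenticationBehaviors is not returned unless it is explicitly selected,
# which is why a plain Get-MgBetaApplication shows its fields as empty.
$props = @('id', 'appId', 'displayName', 'requiredResourceAccess', 'authenticationBehaviors')

# 1. Static review: apps whose manifest still requests Azure AD Graph permissions.
#    This complements the Recommendation, which only reflects calls made in the
#    last 30 days, so an idle or seasonal app can be missing there.
$aadGraphApps = Get-MgBetaApplication -All -Property $props | Where-Object {
    $_.RequiredResourceAccess.ResourceAppId -contains $AadGraphResourceId
}
$aadGraphApps |
    Select-Object DisplayName, AppId,
        @{ n = 'BlockAzureADGraphAccess'; e = { $_.AuthenticationBehaviors.BlockAzureAdGraphAccess } } |
    Format-Table -AutoSize

# 2. Extend access (through June 30, 2025) for one app that cannot be migrated
#    before the February cutoff. Replace the placeholder with the real appId.
$targetAppId = '00000000-0000-0000-0000-000000000000'
$app = Get-MgBetaApplication -Filter "appId eq '$targetAppId'" -Property 'id', 'displayName'
if (-not $app) { throw "No application with appId $targetAppId in this tenant" }

Update-MgBetaApplication -ApplicationId $app.Id -BodyParameter @{
    authenticationBehaviors = @{ blockAzureADGraphAccess = $false }
}

# 3. Verify by selecting the property explicitly. A null value means the app
#    still gets the default behavior, i.e. 403 responses from February 1, 2025.
$verified = Get-MgBetaApplication -ApplicationId $app.Id -Property 'authenticationBehaviors'
"{0}: BlockAzureADGraphAccess = {1}" -f $app.DisplayName, $verified.AuthenticationBehaviors.BlockAzureAdGraphAccess
```

The static inventory in step 1 and the usage-based Recommendation answer different questions, so review both: an app can request Azure AD Graph permissions without having called the API recently, and vice versa.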

Benefits of migrating to Microsoft Graph 

Microsoft Graph represents our best-in-breed API surface. It offers a single unified endpoint to access Microsoft Entra services and Microsoft 365 services such as Microsoft Teams and Microsoft Intune. All new functionalities will only be available through Microsoft Graph. Microsoft Graph is also more secure and resilient than Azure AD Graph.

Microsoft Graph has all the capabilities that have been available in Azure AD Graph and new APIs like identity protection and authentication methods. Its client libraries offer built-in support for features like retry handling, secure redirects, transparent authentication, and payload compression. 

Resources: 

Migrating to Microsoft Graph from Azure AD Graph is made easier with the following tools and documentation:  
 

 

Ric Lewis 

Product Manager, Microsoft Graph   

Updated Jan 15, 2025
Version 1.0
  • Priyadharshini (Copper Contributor)

    Do we need to reauthorize the service principal for all the tenants if the owner updates the extended access in their registered tenant?

  • Hi RicLewisIdentity 

    If I understand correctly:

    1. I can't do anything about service principals in my tenant that are from 3rd party vendors where the app registration is not in my tenant, but rather in their tenant?
    2. I can request extended access to AAD Graph API for App registrations that are in my tenant, by setting the authenticationBehaviors parameter?

    What really confuses me is that I have 8 app registrations that show up in App Registrations when I filter by "requested API: Azure Active Directory Graph", yet none of these are showing in the recommendation; in fact I don't even see the recommendation "Migrate Applications from the Retiring Azure AD Graph APIs to Microsoft Graph". Some of these apps only have AAD Graph API permissions, and not MS Graph API permissions. So why is the recommendation missing these apps?

    I have updated the authenticationBehaviors for these apps using the Graph Explorer, but I can't see the change reflected in PowerShell:

    ╰─❯ Get-MgBetaApplication -Filter "appId eq '2c877393-cb82-4c38-b958-d5aecd92268b'" | select -ExpandProperty authenticationBehaviors | fl

    BlockAzureAdGraphAccess       :
    RemoveUnverifiedEmailClaim    :
    RequireClientServicePrincipal :
    AdditionalProperties          : {}

    What will happen to these apps come 1st February 2025?

    Furthermore, I DO get the "Migrate Service Principals from the retiring Azure AD Graph APIs to Microsoft Graph" recommendation, but there are 0 service principals impacted. I have found using ENow AppGovScore that I have 57 service principals that are using Azure Active Directory Graph (display name is actually Windows Azure Active Directory). So I don't know if I have 3rd party vendors to contact to mitigate the issue or not?

    I know that the majority of those 57 service principals are Microsoft 1st party apps that are already extended until June.  However, I will need to update these to a newer version by June 2025 to ensure continued operation. 

    Please help me by providing more clarity on how to proceed!