Apps can’t make requests to Azure AD Graph APIs after February 1, 2025 – unless you take action to postpone the impact.
Hey Folks,
We wanted to get this news at the top of your inbox for 2025: Applications will be unable to make requests to Azure AD Graph APIs starting February 1, 2025.
We're proceeding with the Retirement of the Azure AD Graph API service, which began in September 2024.
Our next big milestone starts February 1st, when existing applications will be prevented from calling Azure AD Graph APIs. You may not see impact right away, as we’re rolling out this change in stages across tenants. We anticipate full deployment of this change by the end of February.
Microsoft Graph is the replacement for Azure AD Graph APIs. We strongly recommend immediately migrating use of Azure AD Graph APIs to Microsoft Graph and ceasing any further use of Azure AD Graph APIs.
| Phase start date | Impact to existing apps | Impact to new apps |
|---|---|---|
| September 1, 2024 | None. | All new apps must use Microsoft Graph. New apps are blocked from using Azure AD Graph APIs, unless the app is configured to allow extended Azure AD Graph access until June 30, 2025 by setting to false. |
| February 1, 2025 | Application is unable to make requests to Azure AD Graph APIs unless it is configured to allow extended Azure AD Graph access by setting blockAzureADGraphAccess to false. | |
| July 1, 2025 | Azure AD Graph is fully retired. No Azure AD Graph API requests will function. | |
Urgent: Review the applications on your tenant
Please review our December 2024 post, Action required: Azure AD Graph API retirement | Microsoft Community Hub for more detailed guidance.
If you have not already, it is now urgent to review the applications on your tenant to see which ones depend on Azure AD Graph API access and mitigate or migrate these before the February 1st cutoff date.
Review Recommendations in the Microsoft Entra admin center
As we discussed in our December post, Microsoft Entra Recommendations can help you identify applications in your tenant that will be impacted by the retirement of Azure AD Graph API access. You can find your tenant’s Recommendations in the Microsoft Entra admin center (Identity > Overview > Recommendations).
The two recommendations for Azure AD Graph retirement summarize usage of Azure AD Graph APIs by applications in your tenant over the last 30 days. The Recommendations also list which Azure AD Graph operations the application is using.
Recommendation 1:
Migrate Applications from the Retiring Azure AD Graph APIs to Microsoft Graph
Impacted resources shown in this recommendation are applications that are created in your tenant. You must take action for any application listed in this recommendation before 1 February 2025.
If you’re using service principal login for applications like Microsoft Azure PowerShell or Microsoft Azure CLI, and the application is using Azure AD Graph APIs, it will show on the Migrate Applications recommendation. In this case, the application’s identity is registered in your tenant, and you must configure the app for extended access or update to a version of the software that no longer calls Azure AD Graph APIs.
For applications that are registered in your tenant, you can configure extended access for the application until June 30, 2025.
Recommendation 2:
Migrate Service Principals from the retiring Azure AD Graph APIs to Microsoft Graph
Impacted resources shown with this recommendation are service principals—multi-tenant applications provided by a software vendor that are used in your tenant.
- Applications provided by Microsoft
These applications are already extended until June. However, you will need to update these to a newer version by June 2025 to ensure continued operation.
- Vendor-provided applications
All applications registered in your tenant, including those written by independent, external, and third-party software vendors, are subject to Azure AD Graph API retirement. If an application that you do not own shows up on your Recommendations, please contact the software vendor and ask them to update their application.
Note: Microsoft is working with vendors of popular apps to set access extensions to avoid disruptions. These applications will still appear in the “Migrate Service Principals…” Recommendation. Please work with your vendor for details.
How to extend Azure AD Graph access for an app
If you have an application that requires access to Azure AD Graph APIs after February, you must update that application’s configuration, setting the blockAzureADGraphAccess attribute to false in the app’s authenticationBehaviors configuration.
After February, applications will receive a 403 error when attempting to access Azure AD Graph APIs unless this configuration setting is set to false.
With this flag in place, the application will be able to use Azure AD Graph APIs through June 30, 2025. Further documentation can be found here.
Learn more: Allow extended Azure AD Graph access until June 30, 2025 - Microsoft Graph | Microsoft Learn
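The phase table and the extension setting above can be turned into a planning check over an application inventory. This is an added example, not code from the original post or from Microsoft; the beta `authenticationBehaviors` endpoint path, the reading of "new app" as created on or after September 1, 2024, and the sample inventory are assumptions.

```python
import json
from datetime import date

# Dates from the phase table above.
NEW_APP_PHASE = date(2024, 9, 1)
EXISTING_APP_PHASE = date(2025, 2, 1)
FULL_RETIREMENT = date(2025, 7, 1)
# Assumption: beta authenticationBehaviors endpoint; confirm in the Microsoft Learn article.
GRAPH_APPS = "https://graph.microsoft.com/beta/applications"

def aad_graph_allowed(app, on):
    """True if the app's Azure AD Graph requests are expected to work on date `on`."""
    if on >= FULL_RETIREMENT:
        return False  # no setting helps after full retirement
    behaviors = app.get("authenticationBehaviors") or {}
    if behaviors.get("blockAzureADGraphAccess") is False:
        return True  # extended access explicitly configured
    created = date.fromisoformat(app["createdDateTime"][:10])
    if created >= NEW_APP_PHASE:  # assumption: "new app" = created on/after this date
        return False
    return on < EXISTING_APP_PHASE

def extension_request(app):
    """(method, url, body) that sets blockAzureADGraphAccess to false for one app."""
    url = f"{GRAPH_APPS}/{app['id']}/authenticationBehaviors"
    return "PATCH", url, json.dumps({"blockAzureADGraphAccess": False})

def plan(apps, aad_graph_users, on):
    """Requests for apps that still call Azure AD Graph and would be blocked on `on`."""
    if on >= FULL_RETIREMENT:
        return []  # migration to Microsoft Graph is the only option left
    return [extension_request(a) for a in apps
            if a["id"] in aad_graph_users and not aad_graph_allowed(a, on)]

# Constructed sample inventory (not real tenant data).
APPS = [
    {"id": "00000000-0000-0000-0000-00000000000a", "displayName": "legacy-sync",
     "createdDateTime": "2021-05-10T08:00:00Z", "authenticationBehaviors": None},
    {"id": "00000000-0000-0000-0000-00000000000b", "displayName": "new-report-job",
     "createdDateTime": "2024-10-03T12:30:00Z", "authenticationBehaviors": {}},
    {"id": "00000000-0000-0000-0000-00000000000c", "displayName": "hr-connector",
     "createdDateTime": "2022-01-15T09:00:00Z",
     "authenticationBehaviors": {"blockAzureADGraphAccess": False}},
]
AAD_GRAPH_USERS = {a["id"] for a in APPS}  # as if all three appeared in Recommendations

if __name__ == "__main__":
    for method, url, body in plan(APPS, AAD_GRAPH_USERS, date(2025, 2, 15)):
        print(method, url, body)
```

Every app that appears in this plan is still a migration item: the extension only defers the block until June 30, 2025.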
Benefits of migrating to Microsoft Graph
Microsoft Graph represents our best-in-breed API surface. It offers a single unified endpoint to access Microsoft Entra services and Microsoft 365 services such as Microsoft Teams and Microsoft Intune. All new functionalities will only be available through Microsoft Graph. Microsoft Graph is also more secure and resilient than Azure AD Graph.
Microsoft Graph has all the capabilities that have been available in Azure AD Graph and new APIs like identity protection and authentication methods. Its client libraries offer built-in support for features like retry handling, secure redirects, transparent authentication, and payload compression.
Resources:
Migrating to Microsoft Graph from Azure AD Graph is made easier with the following tools and documentation:
Ric Lewis
Product Manager, Microsoft Graph
Updated Jan 15, 2025
Version 1.0