Microsoft Entra Blog

Action required: Azure AD Graph API retirement

krbash (Microsoft)
Dec 05, 2024

Apps can’t make requests to Azure AD Graph APIs after February 1, 2025 – unless you take action to postpone the impact.

Applications are unable to make requests to Azure AD Graph APIs after February 1, 2025. Here’s how you can take action to extend access until June 30, 2025.

Retirement of the Azure AD Graph API service began in September 2024 and impacts both new and existing applications. We’re now completing the first phase of Azure AD Graph retirement, and new applications will not be able to use Azure AD Graph APIs unless they are configured for extended access. Microsoft Graph is the replacement for Azure AD Graph APIs, and we strongly recommend immediately migrating use of Azure AD Graph APIs to Microsoft Graph and limiting any further development using Azure AD Graph APIs. 

We’ve communicated extensively about this retirement, but as a refresher, here are the key milestones:

September 1, 2024
  Impact to existing apps: None.
  Impact to new apps: All new apps must use Microsoft Graph. New apps are blocked from using Azure AD Graph APIs, unless the app is configured to allow extended Azure AD Graph access until June 30, 2025 by setting blockAzureADGraphAccess to false.

February 1, 2025
  Applications are unable to make requests to Azure AD Graph APIs unless they are configured to allow extended Azure AD Graph access by setting blockAzureADGraphAccess to false. Take action to prepare via the steps in this blog post.

July 1, 2025
  Azure AD Graph is fully retired. No Azure AD Graph API requests will function.

Required actions: 

To avoid impact, it’s important to take action now to ensure that your tenant is ready for the Azure AD Graph retirement. Follow the two steps detailed below to identify and mitigate use of Azure AD Graph APIs by applications in your tenant.

Step one: Identify apps using Azure AD Graph APIs in your tenant

The first step in getting your tenant ready for the Azure AD Graph retirement is to identify applications that are using Azure AD Graph APIs. We’ve provided two Microsoft Entra recommendations that show information about applications and service principals that are actively using Azure AD Graph APIs in your tenant. These recommendations are:

  • Migrate Applications from the retiring Azure AD Graph APIs to Microsoft Graph: details applications created in your tenant that are currently accessing Azure AD Graph APIs.
  • Migrate Service Principals from the retiring Azure AD Graph APIs to Microsoft Graph: details multi-tenant applications provided by a software vendor that are used in your tenant and are currently accessing Azure AD Graph APIs.

The information shown in these recommendations is based on actual usage of Azure AD Graph APIs in your tenant and is the best source for finding apps that need attention before the Azure AD Graph retirement. The recommendations list the affected applications and the operations each app is performing, which helps clarify which Azure AD Graph API usage must be migrated.

You can access these recommendations in the Microsoft Entra admin center by browsing to: Identity > Overview > Recommendations 

Figure 1: Microsoft Entra Recommendations for Azure AD Graph retirement.
Figure 2: Detailed view of Microsoft Entra recommendations for Azure AD Graph retirement.

Resources: 

Optional: Programmatically reporting on impacted applications

If you would like to export the information from the Microsoft Entra recommendations, or automate a periodic report, you can use the Microsoft Entra Recommendations APIs or Microsoft Graph PowerShell.

PowerShell example:

```powershell
Import-Module Microsoft.Graph.Beta.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Beta.Applications

# Read-only scopes are sufficient for reporting on the recommendations.
Connect-MgGraph -Scopes "Application.Read.All", "User.Read.All", "DirectoryRecommendations.Read.All"

# recommendationType values of the two Azure AD Graph retirement recommendations.
$appsRecommendationType = "aadGraphDeprecationApplication"
$spRecommendationType   = "aadGraphDeprecationServicePrincipal"

function getImpactedResources($recommendationType){
    # Look up the recommendation of the requested type, if it exists in this tenant.
    $recommendation = Get-MgBetaDirectoryRecommendation -Filter "recommendationType eq '$recommendationType'"
    $resources = @()
    if($recommendation){
        # Keep only impacted resources whose status is still active.
        $resources = Get-MgBetaDirectoryRecommendationImpactedResource -RecommendationId $recommendation.id -Filter "Status eq 'active'" | Select-Object DisplayName, Id, Status
    }
    $resources | Format-Table
}

Write-Output "Applications to migrate from Azure AD Graph to Microsoft Graph"
getImpactedResources $appsRecommendationType

Write-Output "Service Principals to migrate from Azure AD Graph to Microsoft Graph"
getImpactedResources $spRecommendationType
```

Step two: Preparing applications for Azure AD Graph retirement

Action is needed for each application using Azure AD Graph APIs that is identified by the two Microsoft Entra recommendations. Applications shown in either the Migrate Applications recommendation or the Migrate Service Principals recommendation need to be updated by their developer to use Microsoft Graph APIs instead of Azure AD Graph APIs. As a stopgap, an extension can be configured to allow an application to use Azure AD Graph through June 30, 2025.

The next steps and who needs to take action will be different for applications created in your tenant versus service principals for vendor-supplied applications.

Applications created in your tenant

Impacted resources shown in the Migrate Applications from the retiring Azure AD Graph APIs to Microsoft Graph recommendation are applications created in your tenant. For each of these, you should:

  1. Contact the application owners or developers in your organization and ensure that they’re aware of Azure AD Graph retirement and have a plan to migrate to Microsoft Graph APIs. You can find the owners for the application by clicking on More Details and then the application name in the Microsoft Entra Recommendation, or by finding the application in the App Registrations list in the Microsoft Entra portal.
  2. If the application will not be migrated to Microsoft Graph APIs by February 1, 2025, you can configure an extension for the application, allowing access through June 30, 2025. This is done by setting blockAzureADGraphAccess: false in the app’s authenticationBehaviors configuration. This can be done through Microsoft Graph Explorer or Microsoft Graph PowerShell. Learn more: Manage application authenticationBehaviors - Microsoft Graph | Microsoft Learn
  3. The application developer should reference our documentation on migrating applications from Azure AD Graph to Microsoft Graph, and plan on completing this migration by June 30, 2025 (if the extension has been set for the application).
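A worked example of the extension in step 2, added here and not part of the original post or of Microsoft's own tooling: it reads the app registration's current authenticationBehaviors, sets blockAzureADGraphAccess to false only when it is not already set, and returns a record so extended apps can be tracked until the June 30, 2025 deadline. It assumes Microsoft Graph PowerShell with Application.ReadWrite.All and the beta endpoints described on the linked Microsoft Learn page; the function name Set-AadGraphExtension and the application object ID are placeholders you supply.

```powershell
# Added example (not from the original post): grant one app registration extended
# Azure AD Graph access by setting authenticationBehaviors.blockAzureADGraphAccess
# to false. Assumes the beta /applications/{id} resource exposes
# authenticationBehaviors and accepts a PATCH on /applications/{id}/authenticationBehaviors.
Import-Module Microsoft.Graph.Authentication

# Changing authenticationBehaviors requires write access to app registrations.
Connect-MgGraph -Scopes "Application.ReadWrite.All"

function Set-AadGraphExtension {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Object ID of the app registration (not its appId / client ID).
        [Parameter(Mandatory)] [string] $ApplicationObjectId
    )
    $base = "https://graph.microsoft.com/beta/applications/$ApplicationObjectId"

    # Read the current value first so the change is explicit and the call is idempotent.
    $app = Invoke-MgGraphRequest -Method GET -Uri "${base}?`$select=id,displayName,authenticationBehaviors"
    $already = $app.authenticationBehaviors.blockAzureADGraphAccess -eq $false

    if (-not $already -and $PSCmdlet.ShouldProcess($app.displayName, "Set blockAzureADGraphAccess to false")) {
        Invoke-MgGraphRequest -Method PATCH -Uri "$base/authenticationBehaviors" `
            -Body @{ blockAzureADGraphAccess = $false } | Out-Null
    }

    # Return a record so extended apps can be tracked until they are migrated.
    [pscustomobject]@{
        DisplayName         = $app.displayName
        ApplicationObjectId = $ApplicationObjectId
        AlreadyExtended     = $already
        MigrateBy           = "2025-06-30"   # extended access ends June 30, 2025
    }
}

# Usage (placeholder ID): -WhatIf previews the change; Export-Csv keeps an audit list.
# Set-AadGraphExtension -ApplicationObjectId "<app-object-id>" -WhatIf
# Set-AadGraphExtension -ApplicationObjectId "<app-object-id>" |
#     Export-Csv .\aadgraph-extensions.csv -Append -NoTypeInformation
```

Feed the Id values from the Migrate Applications recommendation output into this function one at a time, and review the resulting CSV against the recommendation again before June 30, 2025 so no extended app is left unmigrated.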

Documentation:

Service Principals for vendor-supplied applications

Impacted resources shown in the Migrate Service Principals from the retiring Azure AD Graph APIs to Microsoft Graph recommendation are service principals: applications provided by a software vendor that are used in your tenant.

For each of these service principals, check with the vendor who supplied the application to see if there is an update already available that has replaced calls to Azure AD Graph APIs with Microsoft Graph APIs.

  • If an update is available, you will need to plan to update the client software to the newer version.
  • If there is not an update available:
    1. Ask the vendor if they have configured the application for an extension to continue using Azure AD Graph APIs through June 30, 2025. If needed, you can direct the vendor to this documentation.
    2. Confirm that the vendor has a plan to provide an update to the client software that replaces use of Azure AD Graph APIs with Microsoft Graph APIs.

Some of the service principals using Azure AD Graph in your tenant may be provided by Microsoft. Most of these have an update available that uses Microsoft Graph, instead of Azure AD Graph APIs, such as:

Some Microsoft applications, including Microsoft Office, Microsoft Visual Studio Legacy, and Microsoft Intune, do not yet have an update available without Azure AD Graph API usage. For these, we will provide future Azure AD Graph API retirement blog updates when a replacement version is available. These apps will be granted extended access for Azure AD Graph and sufficient time will be given to update the applications when an update is made available.

Extending Azure AD Graph access for an app 

If you have not completed an app's migration to Microsoft Graph, you can extend that app's access past the retirement date. If you set the blockAzureADGraphAccess attribute to false in the app's authenticationBehaviors configuration, the application will be able to use Azure AD Graph APIs through June 30, 2025. Further documentation can be found here.

New applications will receive a 403 error when attempting to access Azure AD Graph APIs unless this setting is set to false. For all existing applications that will not complete migration to Microsoft Graph in 2024, you should plan to set this configuration now.

Learn more: Allow extended Azure AD Graph access until June 30, 2025 - Microsoft Graph | Microsoft Learn

Benefits of migrating to Microsoft Graph

Microsoft Graph represents our best-in-breed API surface. It offers a single unified endpoint to access Microsoft Entra services and Microsoft 365 services such as Microsoft Teams and Microsoft Intune. All new functionalities will only be available through Microsoft Graph. Microsoft Graph is also more secure and resilient than Azure AD Graph.

Microsoft Graph has all the capabilities that have been available in Azure AD Graph and new APIs like identity protection and authentication methods. Its client libraries offer built-in support for features like retry handling, secure redirects, transparent authentication, and payload compression.

Resources:

Migrating to Microsoft Graph from Azure AD Graph is made easier with the following tools and documentation:

And – if needed – you can extend access for your applications until June 30, 2025: Allow extended Azure AD Graph access until June 30, 2025 - Microsoft Graph | Microsoft Learn 


Kristopher Bash

Product Manager, Microsoft Graph  
LinkedIn


Updated Dec 04, 2024
Version 1.0
  • AlexRF
    Copper Contributor

    Our clients are receiving this with resource ID: d3590ed6-52b3-4102-aeff-aad2292ab01c, which, from what I can see in Microsoft documentation (https://learn.microsoft.com/en-us/troubleshoot/entra/entra-id/governance/verify-first-party-apps-sign-in), is Microsoft Office. What can we do about this?

  • ernst_mulder
    Copper Contributor

    Same issue here. So far with just one tenant.

    service-principal: Microsoft Office: Read User

    • VictoriaCleaton
      Copper Contributor

      About 15 of our tenants alerted for exactly this about Microsoft Office, i.e. nothing we can do. I really hope none of these tenants had other apps, because it's just going to lead to us missing the actual problem applications.

    • TristanPanek
      Copper Contributor

      Exactly the same here. It's just gibberish to me. Clear as mud, like most MS information.

  • krbash you said:
    "Some Microsoft applications, including Microsoft Office, Microsoft Visual Studio Legacy, and Microsoft Intune, do not yet have an update available without Azure AD Graph API usage. For these, we will provide future Azure AD Graph API retirement blog updates when a replacement version is available. These apps will be granted extended access for Azure AD Graph and sufficient time will be given to update the applications when an update is made available."

    Is there an extensive list of the applications please? I am seeing things like:

    Azure VPN
    Business Value Programs
    Microsoft Business Solutions
    Microsoft Demos
    Microsoft Educator Community
    Microsoft events
    Microsoft Flow Launch Panel
    Microsoft Intune PowerShell
    Microsoft Learning
    Microsoft Photos
    Modern Workplace Tools
    Windows Virtual Desktop
    Windows Virtual Desktop Client
    • krbash (Microsoft)

      Matthew Levy 
      I'm working towards providing a more thorough list. Can I ask if the list you shared is an aggregation of App names from both the "applications" and "service principals" recommendations? 

      • The list I got is from a third-party reporting tool called App Governance Accelerator by ENOW software. The list was a selected few of the obvious Microsoft Enterprise Apps (service principals) that are using Azure AD Graph API (Windows Azure Active Directory). The tenant I'm referencing only shows 1 app in the Service Principals recommendation, and, like others that commented, it is for "Microsoft Office" with no details. Pretty useless actually.

        I also have a report of App Registrations from ENOW which shows a few app registrations and this tenant does not even have the Microsoft "Migrate Applications from the retiring Azure AD Graph APIs to Microsoft Graph". So hard to trust these recommendations!

  • skingery
    Copper Contributor

    I guess you all missed this part:

    Some Microsoft applications, including Microsoft Office, Microsoft Visual Studio Legacy, and Microsoft Intune, do not yet have an update available without Azure AD Graph API usage. For these, we will provide future Azure AD Graph API retirement blog updates when a replacement version is available. These apps will be granted extended access for Azure AD Graph and sufficient time will be given to update the applications when an update is made available.

    • jwmtn
      Copper Contributor

      Yep...but yet another example of Microsoft's inability to get things fixed before telling everyone the sky is falling. I.e., fix their own stuff before sending out unnecessary notices.

      • __trj
        Brass Contributor

        Yep...but yet another example of Microsoft's inability to get things fixed before telling everyone the sky is falling. I.e., fix their own stuff before sending out unnecessary notices.

        Counterpoint: They are giving you an even longer heads-up while they are working on updating their own applications, so you have even more time to fix yours. Microsoft is not just one giant team. There are different teams working on different products, and some of those teams (Office, Intune) are customers of other teams (Graph API). What would be the point in them waiting until the Office and Intune teams fix their dependencies before letting you know about the dependencies that you can get started on fixing? But I get it... "Microsoft bad".

    • BinaryStars
      Copper Contributor

      Probably because we are all searching around for the object ID in a vain attempt to get some useful information. Searching for "Microsoft Office" is a bit too vague these days.

      We are now in the situation where we have an error and need to remember, at some unknown point in the future, to go and look at a long-forgotten blog.