Update your applications to use Microsoft Authentication Library and Microsoft Graph API
Published Jun 22 2020 09:00 AM 640K Views

Update December 15th, 2022: ADAL end of support is now extended to June 30th, 2023. We will retire AAD Graph API any time after June 30th, 2023. Through the next six months (January 2023 – June 2023) we will continue informing customers about the upcoming end of support along with providing guidance on migration.

 

UPDATE March 1st, 2022: Please note that we have postponed the retirement date for Azure AD Graph API and ADAL. The Azure AD Graph API retirement date will be postponed through at least the end of 2022. ADAL retirement is extended from June 30th, 2022, to December 2022.  For up-to-date information about end of support for Azure AD Graph API and ADAL please read the blog post: Azure AD: Change Management Simplified - Microsoft Tech Community

 

Howdy folks,

 

Microsoft Build 2020 allowed us to engage deeply with our developer community, and we are continuing to improve how developers can easily use identity features in their applications. To help developers take advantage of all the identity features available in our platform, we're now recommending that all developers use the Microsoft Authentication Library (MSAL) and the Microsoft Graph API in their application development. Moving forward, all new identity capabilities will only be available in MSAL and Microsoft Graph. We're also providing guidance on end of support timelines for Azure Active Directory (Azure AD) Authentication Library (ADAL) and Azure AD Graph API, so you can plan to update any applications that are still using either one of them.

 

Why use MSAL and Microsoft Graph?

MSAL makes it easy for developers to add identity capabilities to their applications. With just a few lines of code, developers can authenticate users and applications, as well as acquire tokens to access resources. MSAL also enables developers to integrate with the latest capabilities in our platform, like passwordless and Conditional Access.

 

Microsoft Graph API offers a single endpoint for developers to access Azure AD APIs, as well as APIs from several other Microsoft services like Teams, Exchange, and Intune. Microsoft Graph has all the capabilities that have been available in Azure AD Graph, such as service principal and app role assignment—and new Azure AD APIs like identity protection and authentication methods. Developers can also use the Microsoft Graph client libraries and get built-in support for features like retry handling, secure redirects, transparent authentication, and payload compression.

 

End of support timelines for ADAL and Azure AD Graph API

We’re publishing the following timelines for end of support of ADAL and Azure AD Graph.

 

Starting June 30th, 2023, we will end support for ADAL and Azure AD Graph and will no longer provide technical support or security updates. Apps using Azure AD Graph after this time will no longer receive responses from the Azure AD Graph endpoint. Apps using ADAL on existing OS versions will continue to work after this time but will not get any technical support or security updates.

 

Starting June 30th, 2022, we will no longer add any new features to ADAL and Azure AD Graph. We will continue to provide technical support and security updates but will no longer provide feature updates. 

 

Plan to update your applications with MSAL and Microsoft Graph

You can get started by using our migration guides to identify which applications need to be updated and how to best transition to MSAL and Microsoft Graph. For applications that are using ADAL, review our migration guide to transition to MSAL. For applications that are using Azure AD Graph, follow our guidance to migrate Azure AD Graph apps to Microsoft Graph.

 

In the coming months, we'll be providing reporting in the Azure portal to help you self-identify which of your apps are using ADAL or Azure AD Graph. For any other questions, open issues, and feature requests, let us know through Stack Overflow by using the tag adal-deprecation or azureadgraph-deprecation.

 

As always, we’d love to hear any feedback or suggestions you may have. Please let us know what you think in the comments below or on the Azure AD feedback forum.

 

Best regards, 

Alex Simons (Twitter: @Alex_A_Simons)

Corporate Vice President of Program Management

Microsoft Identity Division

48 Comments
Brass Contributor

I received the email with a link to this article and the message: "You are receiving this message because our reporting indicates one or more of your applications are using ADAL."

 

We don't develop our own apps and want to find which ones are using ADAL. However, there don't seem to be obvious choices in the Azure support area for that... Which should I select?

 

Thanks

Brass Contributor

I received the email with a link to this article and the message: "You are receiving this message because our reporting indicates one or more of your applications are using ADAL."

 

So now I want to know how I can get a report of the applications that are using ADAL.

Copper Contributor

Same as the two comments above.  I have had the email to say we are using ADAL.

 

The only thing I can think of for me is our Hybrid Exchange or Azure AD Connect service?

Copper Contributor

Again same as all above comments, email to say we are using ADAL but no idea what would be using it, we do not develop our own apps. The only service I can think of is Azure AD Connect.

Microsoft

We are working on the new feature in the Azure AD Portal with which we can provide you this list of applications which are using ADAL and/or Azure AD Graph. Now we have also updated the blog post which talks about the product enhancements. 

Brass Contributor

@Jeevan Desarda- Thanks for that.

Can you confirm if AD Connect and Exchange Hybrid use either of the soon-to-be-deprecated methods?

 

Then, those of us non-developers can relax and wait for updates from Microsoft.

Copper Contributor

Hello, I'm trying to create a script that dumps all the IAM roles (Get-AzRoleAssignment). Using service principal to login. When using the Microsoft Graph API permissions, I get Microsoft.Rest.Azure.CloudException. When debugging, it meant my SP is unauthorized. But when I'm  using the legacy API (Azure Active Directory Graph) permissions, it works great. Any idea? 

Brass Contributor

@Jeevan Desarda 
When can we expect the new feature that lets us easily see which apps are affected? We have thousands of reasons for asking.


Brass Contributor

Thanks for this post, Alex (getting an error about invalid HTML in message when @ mentioning you, so removing that link). As the others before me have stated, I'm looking for documentation for how to determine which applications are currently using ADAL. I did find another article from April 2019 about how to use ADAL, so I suspect that our Developers will need to comb through configuration files, looking for the code.

Copper Contributor

I'm a little confused...your initial paragraph says "Azure Active Directory (Azure AD), Authentication Library (ADAL) and Azure AD Graph API" are going away. 

But...your link to Microsoft Build 2020 says "MSAL makes it easy to implement the right authentication patterns that support any Microsoft identity—from Azure Active Directory (Azure AD) accounts to Microsoft accounts".

Meanwhile...if I Google "Is Azure AD going away"...I get different answers such as "Azure AD Basic is going away" (whatever that means).

 

  • Is Azure AD going away?
  • Or is Azure AD simply changing?
  • What about B2C and B2B?  What happens if Azure AD goes away?  Or do they change (somehow)?
  • Is MSAL and the Microsoft Graph API completely replacing Azure AD?
  • Or, are MSAL and the Microsoft Graph API going to "fit into" a new version of Azure AD?

    And lastly...

  • Is there a video that clarifies all of this?

 

Thanks for the help.

Copper Contributor

I am a little confused...your initial paragraph says "Azure Active Directory (Azure AD), Authentication Library (ADAL) and Azure AD Graph API" are going away.


But...the Microsoft Build 2020 link says "MSAL makes it easy to implement the right authentication patterns that support any Microsoft identity—from Azure Active Directory (Azure AD) accounts to Microsoft accounts"


Meanwhile...if I Google "Is Azure AD going away" I get differing results, such as "Azure AD Basic is going away." (whatever that means).

So...

  • Is Azure AD going away?
  • Or, is Azure AD simply changing in some manner?
  • What about B2C or B2B?  What happens to them?

    Lastly...

  • Do you have a video that explains all this?

 

Thanks for clarifying this for me.

Brass Contributor

It's 'Azure Active Directory Authentication Library (ADAL)' that is going away; not Azure AD.

Copper Contributor

We have implemented azure b2c to control access to one of our applications.  As part of this process we have User flows for the signup process but we also (within our application itself) use MS graph to create users directly into azure b2c that we can then link to our application. 

 

We also have a user portal where they are able to update their password - we are using MS graph to update the users password via the call

 

Tomp_BCU_0-1607599659822.png

This all works fine in our UAT environment - using a b2c tenant that I set up in Feb 2020, I was able to set up API permissions, both application and delegate, and able to set the following permission under API permissions for the application

 

Tomp_BCU_1-1607599775717.png

This (I believe) enables the above call to work.

 

When we then went live - we set up a production environment and production version of b2c - we were unable to set this permission as a delegate permission on Microsoft graph, and this therefore stops us being able to update the user's password from within the user's web portal. All the other functionality is working fine, e.g. creating users through MS Graph. When we try to call the update password method (on production) we get the following:

 

Tomp_BCU_2-1607600224436.png

 

Now I know that I can use user flows (which we do have in place as part of the registration process) but we want a seamless (as is working on our UAT environment) user experience, so we wish to do the password update through MS Graph.

Any thoughts on this? I have logged the issues through Microsoft support and chatted to their Tek experts but they don't seem to have an answer for this.

 

 

Copper Contributor

I'm facing the issue "AADSTS65001: The user or administrator has not consented to use the application with ID '' named ''. Send an interactive authorization request for this user and resource." when upgrading from ADAL to MSAL.

I'm using the on-behalf-of flow to get an access token. The ADAL code I used before always works, but the MSAL code always throws this exception.

This code, which uses MSAL, gets this error.

KienTruong_0-1610099060056.png

This code, which uses ADAL, works for me

KienTruong_1-1610099095762.png

 

 

 

  

Copper Contributor

Hello, I'm researching whether my application is impacted by the end of support for "Azure AD & ADAL". When I look into the code, I see we are calling IAuthenticationProvider.GetAuthToken(clientId, appKey);

Based on my research, we are using the Microsoft Graph client only. So there may not be any impact from the end of support for Azure AD & ADAL. Can you please confirm?

 

Much appreciated in advance.

 

 

Copper Contributor

Instructions unclear, ****** stuck in blender.

 

I'm not aware of what your marketing calls things today, but we are authenticating O365 users for our services. We initiate the authentication by redirecting users to

 

https://login.windows.net/common/oauth2/authorize?response_type=code&resource=https://graph.windows.net&client_id=$CLIENT_ID&redirect_uri=$REDIRECT_URL

 

and then later request data from https://login.windows.net/common/oauth2/token and we are only interested in the "oid" data. If available, we also show "given_name" and "family_name" back to the user but we don't actually need those. We don't use any libraries except standard HTTP over TLS implementation.

 

Do we need to use ADAL or MSAL in the future, or is this API going to work in the future, too?

 

The Azure portal UI does have warnings such as

Starting November 9th, 2020 end users will no longer be able to grant consent to newly registered multitenant apps without verified publishers.
Publisher domain: Unverified
The application’s consent screen will show ‘Unverified’.
Due to temporary differences in supported functionality, we don't recommend enabling personal Microsoft accounts for an existing registration. If you need to enable personal accounts, you can do so using the manifest editor.
This application is using Azure AD Graph API, which is on a deprecation path. Starting June 30th, 2020 we will no longer add any new features to Azure AD Graph API. We strongly recommend that you upgrade your application to use Microsoft Graph API instead of Azure AD Graph API to access Azure Active Directory resources.

 and everything still works just fine. Should I just ignore all those warnings, whatever they try to say?

Copper Contributor

Are they going to do a production release of the @azure/msal-angular package any time soon? It says NOT FOR Production

Copper Contributor

@Alex Simons (AZURE) 

 

I need to create Application Id (by registering app in the AAD) so that I can use that in making the connection to MS Dynamics via C#. For connection, I will be using the CRMServiceClient (from Microsoft.Xrm.Tooling.Connector) with OAuth authentication. 

 

Previously, I was using OrganizationService endpoint to make the connection but as it will be expiring soon, I have taken a route using CRMServiceClient with AuthType 'OAuth'.

 

I am worried if the app registration in AAD is deprecated then how can I create the Application Id.

Will you please help me know if this change will impact creating an Application Id?

Microsoft

@Developer150 App registration in AAD is not getting deprecated. The ADAL libraries published are the ones that will be reaching end of support by June 30th, 2022. So this will not impact creating application Ids in Azure AD. 

 
Brass Contributor

Hello,

 

Can you please confirm if we should do anything with this situation:

1. We have some Microsoft apps and our own apps registered or added via enterprise apps

2. For all those apps, under the Azure App Registration->Permissions section, we see the message: "This application is using Azure AD Graph API, which is on a deprecation path. Starting June 30th, 2020 we will no longer add any new features to Azure AD Graph API. We strongly recommend that you upgrade your application to use Microsoft Graph API instead of Azure AD Graph API to access Azure Active Directory resources.  Learn more"

3. If we change manually the Permissions grant from Azure Active Directory Graph to Microsoft Graph, then the message disappears

 

But should we do this for all apps, like for all that we have registered or added via the Enterprise apps section or it can be kept with Azure Active Directory Graph,

Because any new app registered or added via Enterprise apps still by default receives the Azure Active Directory Graph permissions grant.

Or we should walk one by one app and change from Azure Active Directory Graph to Microsoft Graph? Or this will be done automatically from the Microsoft side when the date comes (June 30th, 2022)?

And if we should do this manually, should it be done for Microsoft Apps and for 3rd-party registered? 

And if we should do this manually, is it possible to replace it automatically using a PowerShell script?

 

lightupdifire_0-1623741718608.png

 

Brass Contributor
Copper Contributor
Published Jun 22 2020 09:00 AM 

...

 

In the coming months, we'll be providing reporting in the Azure portal to help you self-identify which of your apps are using ADAL or Azure AD Graph. 

Hi! The Sign-ins workbook can now report the ADAL items, but is there some kind of ready-to-go report for the Azure AD Graph API as well?


I ran the PowerShell: Get-AzureADApplication | Select-Object DisplayName,AppId -ExpandProperty RequiredResourceAccess |where{$_.ResourceAppId -eq "00000002-0000-0000-c000-000000000000"} and got a list of apps using Azure AD Graph API, but was wondering if there is any report for this about usage?

 

Thanks!

Microsoft

@Markus Peltola We are releasing this PowerShell script for you which can provide you the list of applications using Azure AD Graph. microsoft/AzureADGraphApps: These are the applications which are using Azure AD Graph permissions in...

 

But we are very close to providing this report inside the Azure Portal. Once we release that I will update this thread. Right now we are expecting it will be after summer.

 

Thanks.

Microsoft

@lightupdifire Now when you register a new application in App Registration you will see that MS Graph permissions are now added not the Azure AD Graph permissions. When you update the existing applications to use MS Graph Permissions you need to provide the consent again for the application as the permissions on the app are changing. Also you need to do this to only the applications which you have registered in your tenant i.e. single tenant apps and multi-tenant apps which you have published.

 

We will be doing the updates on the Microsoft apps and there is no specific action you have to take for Microsoft owned application. We can write the script to map the same permission sets from Azure AD Graph to MS Graph permissions but in that case also you need to provide consent again to those apps.  

Soon we will show this list of applications which are using Azure AD Graph permissions in your tenant. Then things will become easy as you can directly take action on it. We are building this list on the telemetry we see on the Azure AD Graph endpoint and not just the apps which are using these Azure AD Graph permissions.

 

Let me know if you still have questions.

Thanks,

Jeevan Desarda

Copper Contributor

Hi,

I'm using MSAL JS in order to authenticate users in a PWA application developed using Angular. Sometimes login works perfectly, redirecting users to the home page of the app. Other times login popup opens, users insert their login but then login procedure fails with this error:

 

BrowserAuthError: hash_empty_error: Hash value cannot be processed because it is empty. 
Please verify that your redirectUri is not clearing the hash. 

 

Will you please provide any suggestions or help

 

Microsoft

@Kondapalli1524 Can you please raise this as an issue under the MSAL.js GitHub sample? There our team can triage this and will provide the solution. 

 

Brass Contributor

@Jeevan Desarda 

 

Thanks for the answer! I did walk through all apps in our tenant and updated them with the exact same permissions as they had for AAD Graph.

I didn't even touch the Microsoft apps, so hopefully, all will be updated automatically :)

 

Microsoft

@lightupdifire Yes, no action is required from you on the Microsoft apps. As we update them they will automatically get updated in your tenant. 

Hello. Currently the Azure AD B2C default app ('b2c-extensions-app') is using AAD Graph API. 'b2c-extensions-app' is under B2C system control. Am I not required to do something? Is it migrated automatically?

KeijiKAMEBUCHI_0-1631878765417.png

 

Copper Contributor

Hello - It looks like the AAD graph option is now greyed out and inaccessible
We have an app solution that needs to be able to add these permissions for the next few months at least until we migrate - is there any way to add the permissions via API still in the meantime?
The advertised deprecation is still about 9 months away so we have been caught a little off guard in the short term.

Contact2763_0-1632962285918.png

 

Iron Contributor

We're also in a bind because this is inaccessible. We are trying to on-board a new client, and one of our vendor solutions hasn't updated yet. Why are we unable to use this 9 months ahead of the deadline???

Brass Contributor

Agree with the previous commenters, disabling the permissions 9 months ahead of the end-of-life was not expected. Has anyone tried adding these permissions directly via API yet?

Copper Contributor

Timelines above mention NOTHING regards greying out the option, which would have helped me plan the migration work to Graph API. Congratulations Microsoft, you have just blocked a large customer onboarding en-masse to your cloud. wait is that AWS over there....

Copper Contributor

Dug this out of Microsoft, I hope it helps others that have been blindsided by this (note - obtain the values from an existing app reg):

 

"use the Manifest option from the app registration instead of API permissions. You will be able to add the permissions you need if you add a piece of code to this file in the requiredResourceAccess section. The resourceAppId "00000002-0000-0000-c000-000000000000" is the id used for AAD Graph API.

 

If you want to add delegated permissions, you need to use the type "Scope"  and if you want to use app permissions, you need to use "Role"."
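
Added example (not part of the original post or comments, and not Microsoft's script): an offline audit of exported app registration manifests that applies the requiredResourceAccess rules quoted above and the resourceAppId filter from the earlier Get-AzureADApplication comment. It separates delegated ("Scope") from app ("Role") permissions on Azure AD Graph and marks apps that will need consent again after migration. The sample manifests, app names and permission ids are constructed placeholders; the Microsoft Graph resourceAppId and the sort order are assumptions of this example.

```python
import json

# resourceAppId of the legacy Azure AD Graph API, as quoted in the comments above.
AAD_GRAPH = "00000002-0000-0000-c000-000000000000"
# Well-known resourceAppId of Microsoft Graph (not stated on this page).
MS_GRAPH = "00000003-0000-0000-c000-000000000000"
# requiredResourceAccess "type": Scope = delegated permission, Role = app permission.
KINDS = {"Scope": "delegated", "Role": "application"}


def audit_manifest(manifest):
    """Report how one app registration manifest depends on Azure AD Graph."""
    legacy = {"delegated": [], "application": [], "unknown": []}
    declares_legacy = declares_ms_graph = False
    for resource in manifest.get("requiredResourceAccess") or []:
        app_id = str(resource.get("resourceAppId", "")).strip().lower()
        if app_id == MS_GRAPH:
            declares_ms_graph = True
        elif app_id == AAD_GRAPH:
            declares_legacy = True  # counts even if the permission list is empty
            for grant in resource.get("resourceAccess") or []:
                kind = KINDS.get(grant.get("type"), "unknown")
                legacy[kind].append(grant.get("id"))
    if not declares_legacy:
        status = "clean"
    elif declares_ms_graph:
        status = "mixed"        # both APIs requested: migration unfinished
    else:
        status = "legacy-only"  # nothing migrated yet
    return {
        # Older manifests use "name" for the display name, newer ones "displayName".
        "app": manifest.get("displayName") or manifest.get("name") or "<unnamed>",
        "appId": manifest.get("appId"),
        "status": status,
        "legacy": legacy,
        # Changing an app's permissions means consent has to be granted again.
        "reconsent_needed": declares_legacy,
    }


def audit_manifests(json_text):
    """Audit a JSON array of manifests; apps holding Role permissions sort first."""
    reports = [audit_manifest(m) for m in json.loads(json_text) if isinstance(m, dict)]
    order = {"legacy-only": 0, "mixed": 1, "clean": 2}
    reports.sort(key=lambda r: (not r["legacy"]["application"], order[r["status"]], r["app"]))
    return reports


# Constructed sample input: app names, appIds and permission ids are placeholders.
SAMPLE = json.dumps([
    {"displayName": "hr-portal", "appId": "aaaaaaaa-0000-0000-0000-000000000001",
     "requiredResourceAccess": [
         {"resourceAppId": AAD_GRAPH, "resourceAccess": [
             {"id": "11111111-1111-1111-1111-111111111111", "type": "Scope"}]}]},
    {"displayName": "sync-daemon", "appId": "aaaaaaaa-0000-0000-0000-000000000002",
     "requiredResourceAccess": [
         {"resourceAppId": AAD_GRAPH.upper(), "resourceAccess": [
             {"id": "22222222-2222-2222-2222-222222222222", "type": "Role"}]},
         {"resourceAppId": MS_GRAPH, "resourceAccess": [
             {"id": "33333333-3333-3333-3333-333333333333", "type": "Role"}]}]},
    {"name": "reporting", "appId": "aaaaaaaa-0000-0000-0000-000000000003",
     "requiredResourceAccess": [
         {"resourceAppId": MS_GRAPH, "resourceAccess": [
             {"id": "44444444-4444-4444-4444-444444444444", "type": "Scope"}]}]},
])

if __name__ == "__main__":
    for report in audit_manifests(SAMPLE):
        print(report["status"], report["app"], report["legacy"])
```
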

Microsoft

We tweeted about it previously here https://twitter.com/Microsoft365Dev/status/1432810426442649603?s=20 Sorry if you have missed this announcement!!

The API and PowerShell approach still works to configure Azure AD Graph permissions with Azure AD. Our whole objective here is to reduce the new applications using Azure AD Graph permissions, so that you will have fewer apps to migrate and can create a migration boundary for yourself.

 

Copper Contributor

Starting Learn about graph before https://graph.windows.net/

then after migrate https://graph.windows.net/

directive for developer in this site https://developer.microsoft.com/en-us/graph

to explore below:

Microsoft Graph is the unified API for modern work

Use the data and intelligence in Microsoft 365 to build apps that interact with millions of users.

Copper Contributor

@Jeevan Desarda Thank you for all your time!

I am looking for a confirmation on the following: are apps using adal.js and v1 endpoints going to stop working on 1st July 2022? Or is it only the security updates and support that are going to be ended. As a context - we have a legacy angularjs app using ADAL.js and we would love having the freedom to not update it.

Microsoft

@BlackEnd Yes, your understanding is correct here. All the ADAL applications will continue to get the token from the V1 endpoint after this deprecation date also. That means your application will continue to work as it is. Note that we will not be pushing any security updates or feature enhancements to these libraries although the protocol level changes are happening all the time. We will not recommend keeping the application in the same state, but the decision to upgrade the application to the new MSAL libraries is up to you here.

 

Copper Contributor

Are there any tutorials / documentation detailing licensing management with Microsoft Graph? Thank you.

Copper Contributor

Ok, need some clarification here. If we use apps that hit AAD Graph /ADAL and we don't update, what happens on 7/1/2022 ?

 

Apps using Azure AD Graph after this time will no longer receive responses from the Azure AD Graph endpoint. 

This statement sounds like all calls will fail 7/1/2022 or do you mean *only* apps that go directly to the Graph endpoint and don't use ADAL or MS Powershell modules that use ADAL ?

 

Apps using ADAL on existing OS versions will continue to work after this time but will not get any technical support or security updates.

 

Does this mean that if you're using ADAL.NET or MS powershell modules that use ADAL, that you will be ok, but no updates will be made for any issues , security or otherwise ?

 

 

Copper Contributor

How is it possible that the Python SDK for MS Graph is still in preview version 0.2.2 which is over one year old?

https://github.com/microsoftgraph/msgraph-sdk-python-core/tags

 

How can I migrate my Python programs from ADAL to MS Graph when there are no production grade libraries?

Looking into the msgraph.core GitHub repo, it seems that the development work has stopped since the beginning of this year....

 

Brass Contributor

Hi, was there any update or is this still planned for December 2022? 

Copper Contributor

Hello

  • Please, I need to know the procedure for migrating from ADAL to MSAL and also how to update your applications with MSAL and Microsoft Graph. I am a junior admin in our organization and this is really my first time working in the tenant this seriously. I would not like to make any blunders.

Thank you in advance

Microsoft

@Stephanie670 For ADAL to MSAL migration please see the detailed guidance from here https://learn.microsoft.com/azure/active-directory/develop/msal-migration For Azure AD Graph to MS Graph please start from here https://learn.microsoft.com/graph/migrate-azure-ad-graph-overview 

 

Copper Contributor

Thank you Jeevan, but how can I find out which apps use ADAL authentication? How should I locate them, please?

Thank you in advance

Microsoft
Microsoft
Copper Contributor

Thank you for your reply, it is much appreciated, but when I go to monitoring and click on Workbooks, nothing appears, including even in Log Analytics. The message says that our Azure AD tenant is only enabled to send logs to Log. I also tried to create a Log Analytics space; I could not add it in the Azure portal because I am asked to subscribe when I already have an AD Azure Premium 1 license as required and I am a general administrator of the tenant. I made a support request to Microsoft. I admit that there is a lot to read on it and even after reading I am lost; maybe it's me who does not follow the rhythm, I hope to find myself. Nevertheless I can just see the applications at the level of Usage and Insights but nothing in the Workbooks.

Thank you for your understanding

Version history
Last update: Jan 20 2023 10:05 AM