Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2021-09-09) Azure AD Graph Deprecation – Are You Already Migrating?

Posted by Jorge on 2021-09-09


More than a year ago, around June 30th 2020, Microsoft announced the deprecation of Azure AD Graph. At the same time, everyone was told to start migrating away from Azure AD Graph to Microsoft Graph. The latter supports both Azure AD and other Microsoft online services such as Exchange, SharePoint, Teams, etc.

At a very high level Microsoft said:

Azure Active Directory (Azure AD) Graph is deprecated. To avoid loss of functionality, migrate your applications to Microsoft Graph before June 30, 2022 when Azure AD Graph API endpoints will stop responding to requests. Microsoft will continue technical support and apply security fixes for Azure AD Graph until June 30, 2022 when all functionality and support will end. If you fail to migrate your applications to Microsoft Graph before June 30, 2022, you put their functionality and stability at risk.

Most of the time people read this and may think: “I’ll look at that later”. With that thought, time goes by and suddenly it is June 30th 2022! Oops!

Well, it’s not too late, yet. In less than a year, everything still using Azure AD Graph will stop working. Microsoft provides documentation and guidance on how to determine where Azure AD Graph is being used and how to migrate to Microsoft Graph. Information about this can be found through the following links:

Please be aware that the changes might be more work than you would expect. For example, the Azure AD PowerShell module uses Azure AD Graph in the backend. Today, the Azure AD PowerShell module already supports Microsoft Graph in addition to Azure AD Graph. Taking the cmdlet “New-AzureADGroup” as an example, Microsoft did not change that cmdlet to suddenly start using Microsoft Graph. No, they introduced a replacement cmdlet, “New-AzureADMSGroup”, that targets Microsoft Graph. If you have scripts, please be aware it might not be as simple as changing from *-AzureAD* to *-AzureADMS*. Due to the change of the cmdlet, and therefore the endpoint, there are also (subtle) schema changes. The easiest example is the change from ObjectID to ID.

Also be aware that new features will be implemented in Microsoft Graph only, and in anything that leverages it. An example of this is the ability to assign Azure AD groups to Azure (AD) roles. When creating a group in the Azure AD portal, you need to enable the option “Azure AD roles can be assigned to the group”. Through PowerShell, you need to use the cmdlet “New-AzureADMSGroup” with the parameter “-IsAssignableToRole”.
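To get a feel for how much script work the migration involves, the following added example (not part of the original post and not Microsoft tooling) parses a script without running it and lists every *-AzureAD* cmdlet call plus every read of the ObjectId property. The function name Get-AzureADGraphUsage and the sample script are constructed for illustration, and the backend classification relies only on the naming rule described above.

```powershell
# Constructed sample standing in for one of your own automation scripts (only parsed, never executed).
$sample = @'
$g = New-AzureADGroup -DisplayName "HR" -MailEnabled $false -SecurityEnabled $true -MailNickName "hr"
Add-AzureADGroupMember -ObjectId $g.ObjectId -RefObjectId $user.ObjectId
$r = New-AzureADMSGroup -DisplayName "Role admins" -MailEnabled $false -SecurityEnabled $true -MailNickname "roleadmins" -IsAssignableToRole $true
Write-Output $r.Id
'@

function Get-AzureADGraphUsage {
    # Hypothetical helper: reports *-AzureAD* cmdlet calls and .ObjectId property reads in a script.
    param([Parameter(Mandatory)][string]$ScriptText)

    $tokens = $null
    $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput($ScriptText, [ref]$tokens, [ref]$errors)

    # Cmdlet calls, classified by the naming rule from the post (*-AzureADMS* targets Microsoft Graph).
    $isCommand = { param($node) $node -is [System.Management.Automation.Language.CommandAst] }
    foreach ($cmd in $ast.FindAll($isCommand, $true)) {
        $name = $cmd.GetCommandName()
        if ($name -like '*-AzureAD*') {
            $backend = if ($name -like '*-AzureADMS*') { 'Microsoft Graph' } else { 'Azure AD Graph' }
            [pscustomobject]@{ Line = $cmd.Extent.StartLineNumber; Finding = $name; Note = $backend }
        }
    }

    # Property reads such as $g.ObjectId, which need review because of the schema change.
    $isMember = { param($node) $node -is [System.Management.Automation.Language.MemberExpressionAst] }
    foreach ($m in $ast.FindAll($isMember, $true)) {
        if ($m.Member.Extent.Text -eq 'ObjectId') {
            [pscustomobject]@{ Line = $m.Extent.StartLineNumber; Finding = $m.Extent.Text; Note = 'Review: ObjectId becomes Id' }
        }
    }
}

Get-AzureADGraphUsage -ScriptText $sample | Sort-Object Line | Format-Table -AutoSize
```

To scan real scripts, pass the output of `Get-Content -Raw` for each file as `-ScriptText`.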

Now, if you have not yet started migrating away from Azure AD Graph to Microsoft Graph, make sure to start A.S.A.P.!

Cheers,

Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
#################### http://JorgeQuestForKnowledge.wordpress.com/ ###################

IAMTEC

Identity | Security | Recovery

https://iamtec.eu/
————————————————————————————————————————————————————-
