Azure AD Graph retirement requires Application Registration updates?

SCRIBE Patrice 41 Reputation points
2023-08-31T09:36:09.29+00:00

Hi,

A bit confused about what needs to be done if NOT using Azure AD Graph EXPLICITLY.

As soon as we created an app, it seems it previously had the following permissions:

  • Azure Active Directory Graph: User.Read
  • Graph: user_impersonation

For later applications we have :

  • Microsoft Graph: User.Read

I assume it is needed so that Microsoft Identity can handle user login for this application.

It seems the doc is rather talking about updating permissions required explicitly by an application that is calling AAD Graph itself, but I'm not 100% sure what to do for those "built in" permissions:

  1. should I add myself Microsoft Graph User.Read and maybe later remove permissions to the obsoleted API
  2. or will it be handled automatically at some point by MS as part of the migration process?

Thanks.


Accepted answer
  1. Shweta Mathur 30,276 Reputation points Microsoft Employee
    2023-09-01T06:57:44.8566667+00:00

    Hi @SCRIBE Patrice ,

    Thanks for reaching out.

    To migrate your existing Azure AD Graph to use the new Microsoft Graph API:

    You need to add equivalent Microsoft Graph API permissions via portal.

    Remove old Azure AD Graph API permission scopes via portal (cleanup).

    User.Read is the least privileged permission added to an application to allow the app to read information about the signed-in user.

    1. should I add myself Microsoft Graph User.Read

    For new applications User.Read permission is added by default. However, if it is not added by default, you need to add that permission explicitly to allow users to read their profile. If any application permission which is equivalent to Azure AD Graph is added in MS Graph, those permissions would require consent again.


    If you do not require the built-in permission User.Read, you can remove that permission too from MS Graph.

    2. and maybe later remove permissions to the obsoleted API

    If you have migrated your application fully to Microsoft Graph, then you need to manually remove the Azure Active Directory Graph permissions from your applications.

    Reference: https://learn.microsoft.com/en-us/graph/migrate-azure-ad-graph-planning-checklist

    Hope this will help.

    Thanks,

    Shweta


    Please remember to "Accept Answer" if answer helped you.

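The two-step migration in the accepted answer (add the Microsoft Graph equivalent first, remove the Azure AD Graph entry only once the app no longer calls it), as an added example that is not part of the original thread. It works offline on the `requiredResourceAccess` JSON that `GET /applications/{id}` returns; the well-known resource app ids for Azure AD Graph and Microsoft Graph and the Microsoft Graph `User.Read` scope id are real, the sample registration and its legacy scope id are constructed placeholders.

```python
"""Audit an app registration's requiredResourceAccess for Azure AD Graph and
build the migrated list to PATCH back (adding a permission triggers re-consent)."""
import copy

AAD_GRAPH_APP_ID = "00000002-0000-0000-c000-000000000000"   # Azure AD Graph (retiring)
MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"    # Microsoft Graph
MS_GRAPH_USER_READ = "e1fe6dd8-ba31-4d61-89e7-88639da4683d"  # Microsoft Graph User.Read (Scope)

# Constructed sample: an older registration like the one in the question, with
# only an Azure AD Graph delegated scope (scope id is a placeholder, not a real id).
SAMPLE_APP = {
    "displayName": "legacy-app (constructed sample)",
    "requiredResourceAccess": [
        {"resourceAppId": AAD_GRAPH_APP_ID,
         "resourceAccess": [{"id": "00000000-0000-0000-0000-000000000001", "type": "Scope"}]}
    ],
}


def uses_aad_graph(app):
    """True if any required permission still targets Azure AD Graph."""
    return any(r["resourceAppId"] == AAD_GRAPH_APP_ID
               for r in app.get("requiredResourceAccess", []))


def has_ms_graph_user_read(app):
    """True if Microsoft Graph User.Read is already a required delegated scope."""
    for r in app.get("requiredResourceAccess", []):
        if r["resourceAppId"] == MS_GRAPH_APP_ID:
            return any(a["id"] == MS_GRAPH_USER_READ and a["type"] == "Scope"
                       for a in r["resourceAccess"])
    return False


def migrate_required_resource_access(app, drop_aad_graph=False):
    """Return a new requiredResourceAccess list: Microsoft Graph User.Read is
    added if missing (idempotent); Azure AD Graph entries are dropped only when
    drop_aad_graph=True, i.e. after the app itself stops calling that API."""
    entries = copy.deepcopy(app.get("requiredResourceAccess", []))
    graph = next((r for r in entries if r["resourceAppId"] == MS_GRAPH_APP_ID), None)
    if graph is None:
        graph = {"resourceAppId": MS_GRAPH_APP_ID, "resourceAccess": []}
        entries.append(graph)
    if not any(a["id"] == MS_GRAPH_USER_READ for a in graph["resourceAccess"]):
        graph["resourceAccess"].append({"id": MS_GRAPH_USER_READ, "type": "Scope"})
    if drop_aad_graph:
        entries = [r for r in entries if r["resourceAppId"] != AAD_GRAPH_APP_ID]
    return entries
```

Run step one as `{"requiredResourceAccess": migrate_required_resource_access(app)}` in a PATCH, re-consent, and only after the code path to Azure AD Graph is gone run it again with `drop_aad_graph=True`.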
