Error occurred while executing GetUsers

Jairo Javier Baleta Cali 286 Reputation points
2025-04-21T17:14:19.9266667+00:00

Good afternoon everyone.

Greetings.

I need help with an error that the Get-AzureADUser command started throwing:

Connect-AzureAD -TenantId $tenantid -CertificateThumbprint $appazurethumbprint -ApplicationId $appazureid
Get-AzureADUser -All $True

The error is the following:

Microsoft.Open.AzureAD16.Client.ApiException: Error occurred while executing GetUsers
Code: Authentication_Unauthorized
Message: Access blocked to AAD Graph API for this application. https://aka.ms/AzureADGraphMigration.
HttpStatusCode:Forbidden
HttpStatusDescription: Forbidden
HttpResponseStatus: Completed
 at Microsoft.Open.AzureAD16.Client.Configuration.<>c.<.cctor>b__47_0(String methodName, IRestResponse response) in C:\__w\1\s\src\dev\PowerShell.V2\AzureAD16.Client\Client\Configuration.cs:line 188
 at Microsoft.Open.AzureAD16.Api.UserApi.GetUsersWithHttpInfo(String tenantId, String authorization, String cmdletName, String clientRequestId, String apiVersion, String objectId, Nullable`1 all, Nullable`1 top, String skiptoken, String filter, String orderby) in C:\__w\1\s\src\dev\PowerShell.V2\AzureAD16.Client\Api\UserApi.cs:line 4613
 at Microsoft.Open.AzureAD16.PowerShell.GetUsers.ProcessRecord() in C:\__w\1\s\src\dev\PowerShell.V2\AzureAD16.PowerShell\AzureAD16.PowerShell.AutoGen\API\UserApi.cs:line 2044
 at System.Management.Automation.Cmdlet.GetResults()
 at System.Management.Automation.Cmdlet.

Accepted answer
  1. SrideviM 3,975 Reputation points Microsoft External Staff Moderator
    2025-05-02T03:46:45.85+00:00

    Hello Jairo Javier Baleta Cali,

    I understand you're getting an error when running the Get-AzureADUser command. I ran your script in my test environment and saw the same error.

    This happens because the AzureAD module uses an old API (Azure AD Graph) that Microsoft has started blocking.

    Since February 1, 2025, apps must be updated to allow temporary access to this old API. If not, they get a 403 Unauthorized error. This temporary access will only work until June 30, 2025. After that, the old API will stop working for all apps.

    If you need more time, you can turn on this access by updating the app settings. Microsoft explains how to do this here: Manage application authenticationBehaviors - Microsoft Graph

    The better option is to switch to Microsoft Graph, which is the new and supported way to connect. To do that, first install the new module:

    Install-Module Microsoft.Graph -Scope CurrentUser
    

    Then update your script like this:

    $tenantid = "tenantId"
    $appazurethumbprint = "thumbprint"
    $appazureid = "appId"
    
    $cert = Get-Item "Cert:\CurrentUser\My\$appazurethumbprint"
    
    Connect-MgGraph -TenantId $tenantid -ClientId $appazureid -Certificate $cert
    
    Get-MgUser -All
    

    Make sure the app has the right Graph permissions like User.Read.All or Directory.Read.All of Application type, and that admin consent has been given.

    Let me know if you have any other questions or need any further assistance.

    Hope this clarifies things a bit!


    If this answers your query, do click Accept Answer and Yes for was this answer helpful, which may help members with similar questions.

    If you have any other questions or are still experiencing issues, feel free to ask in the "comments" section, and I'd be happy to help.
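
Added example (not part of the original answer and not Microsoft's code): a preflight for the migrated script that validates the certificate and confirms the session holds one of the application permissions the answer names before calling Get-MgUser. The helper name Test-GraphAppRole and the placeholder values are assumptions for illustration.

```powershell
# Placeholder values; replace with your own tenant, app registration and certificate.
$tenantid           = "tenantId"
$appazureid         = "appId"
$appazurethumbprint = "thumbprint"

# Application permissions named in the answer; either one allows listing users.
# Extend this list if your app was granted a different permission that covers user reads.
$acceptedRoles = @('User.Read.All', 'Directory.Read.All')

function Test-GraphAppRole {
    # Hypothetical helper: $true when at least one accepted role was granted.
    param([string[]]$Granted, [string[]]$Accepted)
    return [bool]($Granted | Where-Object { $Accepted -contains $_ })
}

# 1. The certificate must exist, carry a private key and be inside its validity window.
$cert = Get-Item "Cert:\CurrentUser\My\$appazurethumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key in this store."
}
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity window ($($cert.NotBefore) to $($cert.NotAfter))."
}

# 2. Connect app-only with the certificate, same call as in the answer.
Connect-MgGraph -TenantId $tenantid -ClientId $appazureid -Certificate $cert

# 3. In an app-only session, Get-MgContext reports the consented application
#    permissions in Scopes. Fail early with a clear message instead of a 403 later.
$ctx = Get-MgContext
if ($ctx.AuthType -ne 'AppOnly') {
    throw "Expected an app-only session, got '$($ctx.AuthType)'."
}
if (-not (Test-GraphAppRole -Granted $ctx.Scopes -Accepted $acceptedRoles)) {
    throw "None of [$($acceptedRoles -join ', ')] is consented. Granted: $($ctx.Scopes -join ', ')"
}

# 4. Query users, requesting only the properties the script needs.
Get-MgUser -All -Property Id, DisplayName, UserPrincipalName |
    Select-Object Id, DisplayName, UserPrincipalName
```

If step 3 throws, add the permission as an Application permission on the app registration and grant admin consent, then reconnect so a new token is issued.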

