Azure AD Application Proxy Registration Uses

James Krueger 6 Reputation points

Hello all, looking for some clarification on whether the deprecation will affect the Azure AD Application Proxy app registration created by Microsoft's AAD Application Proxy Connector. Here's the background:

Per Update your applications to use Microsoft Authentication Library and Microsoft Graph API I understand that Azure Active Directory Graph API is being deprecated in June 2022, and should start using Microsoft Graph.

Per Migrate Azure AD Graph FAQ, we compiled a list of applications currently using the soon-to-be-deprecated API. We were able to update all these apps but one, and that one is actually a Microsoft app! Specifically, the Microsoft AAD Application Proxy Connector.

We use the Microsoft AAD Application Proxy Connector to expose an internal NDES server over a public URL. We set this up per Microsoft's instructions here: active-directory-app-proxy-protect-ndes. After completing step 16 of these instructions (adding an Enterprise Application entry corresponding to the Application Proxy,) we get a corresponding App Registration with API Permission of Azure Active Directory Graph/User.Read.

In this particular case, I don't believe a call is ever actually made against an Azure Active Directory Graph endpoint, because we have Preauthentication set to Passthrough on that Enterprise Application. Perhaps that permission is granted by default to all application registrations? I would like to be extra positive that the app itself will not break after Azure Active Directory Graph stops responding, that is my primary question here. Especially given that there is no mention of ADAL or MSAL in application-proxy-release-version-history, which hasn't seen an update since mid-2020.

Thank you for your time.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,437 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. James Krueger 6 Reputation points

    Ended up finding another thread that answers this aad-graph-is-used-by-azure-application-proxy.html

    tl;dr this won't affect the application negatively, and the permission can be removed.

    1 person found this answer helpful.
    0 comments No comments

  2. Siva-kumar-selvaraj 15,546 Reputation points

    Hello @James Krueger ,

    Thanks for reaching out.

    Yes, as I mentioned in another thread, Azure AD proxy doesn't use AADGraph User.Read permission in backend service at all. The reason it is added to the application is that it comes with the custom application template we use for all our apps. The services do not use this in runtime and no customer action is needed to update so you can safely ignore those.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    0 comments No comments