Microsoft Entra ID Graph API retirement

The Microsoft Entra ID (formerly Azure Active Directory, or Azure AD) Graph API service is being retired. This retirement is part of a broader effort to simplify the Microsoft Entra ID platform and improve the Microsoft Entra ID developer experience.

Mitigation steps

The Graph API retirement affects all Azure Stack Hub customers who use Entra ID as their identity provider, and it requires running the script included in this article against all affected applications. For applications that need to keep accessing the Graph API, the script sets a flag that enrolls those applications in an extension which allows those specific applications to continue calling the legacy Graph API.

The PowerShell script provided in this article sets that flag on each application, configuring the Graph API extension for the Entra ID identity provider of each Azure Stack Hub.

To ensure that Azure Stack Hub environments using Entra ID as their identity provider continue to operate normally, run this script before the end of February 2025.

Note

If you delay adding this flag until after February 2025, authentication will fail. You can then run this script to restore Azure Stack Hub to working order.

Run the script

Run the following PowerShell script in the Entra ID environment that Azure Stack Hub uses as its home directory (Azure Stack Hub's primary identity provider), and also in the Entra ID environment in which the Azure Stack Hub system is registered, which may differ from the home directory. The script interacts with Azure, so it doesn't need to run on any particular computer. You need at least the Application Administrator privilege in the corresponding Entra ID tenant to run it.

Make sure you run the following script with administrator privileges on your local computer:

# Install the Graph modules if necessary
#Install-Module Microsoft.Graph.Authentication
#Install-Module Microsoft.Graph.Applications
 
$ErrorActionPreference='Stop'
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Applications
 
# Target your Azure Cloud instance name; use Get-MgEnvironment to list available clouds and Add-MgEnvironment to add new ones as needed for custom private/secure clouds
$envName = 'Global'

# Repeat this flow for each of your target directory tenants
$tenantId = 'MyTenantId'

# Sign in with admin permissions to read and write all application objects
Connect-MgGraph -Environment $envName -TenantId $tenantId -Scopes Application.ReadWrite.All
 
# Retrieve all applications in the current directory
Write-Host "Looking-up all applications in directory '$tenantId'..."
$applications = Get-MgApplication -All -Property id, displayName, appId, identifierUris, requiredResourceAccess, authenticationBehaviors
Write-Host "Found '$($applications.Count)' total applications in directory '$tenantId'"
 
# Find all the unique deployment GUIDs, each one representing an Azure Stack deployment or registration in the current directory
$deploymentGuids = $applications.IdentifierUris |
    Where-Object { $_ -like 'https://management.*' -or $_ -like 'https://adminmanagement.*' -or $_ -like 'https://azurebridge*' } |
    ForEach-Object { "$_".Split('/')[3] } |
    Select-Object -Unique
Write-Host "Found '$($deploymentGuids.Count)' total Azure Stack deployments or registrations in directory '$tenantId'"
 
# Find all the Azure Stack application objects for each deployment or registration
$azureStackApplications = @()
foreach ($application in $applications)
{
    foreach ($deploymentGuid in $deploymentGuids)
    {
        if (($application.IdentifierUris -join '') -like "*$deploymentGuid*")
        {
            $azureStackApplications += $application
            break
        }
    }
}
 
# Find which Azure Stack applications require access to the legacy Graph Service
$azureStackLegacyGraphApplications = $azureStackApplications |
    Where-Object {
        ($_.RequiredResourceAccess.ResourceAppId -contains '00000002-0000-0000-c000-000000000000') -or
        ($_.IdentifierUris | Where-Object { $_ -like 'https://azurebridge*' }) }
 
# Find which of those applications need to have their authentication behaviors patched to allow access to legacy Graph.
# Depending on the SDK version, the flag surfaces either as a typed property or only under AdditionalProperties;
# an application only needs updating if neither location already has blockAzureADGraphAccess set to $false.
$azureStackLegacyGraphApplicationsToUpdate = $azureStackLegacyGraphApplications | Where-Object {
    $oldLocationSet = $false -eq $_.AdditionalProperties.authenticationBehaviors.blockAzureADGraphAccess
    $newLocationSet = $false -eq $_.AuthenticationBehaviors.BlockAzureAdGraphAccess
    return (-not $oldLocationSet -and -not $newLocationSet)
}
 
# Update the applications that require their authentication behaviors patched to allow access to legacy Graph
Write-Host "Found '$($azureStackLegacyGraphApplicationsToUpdate.Count)' total Azure Stack applications which need permission to continue calling Legacy Microsoft Graph Service"
$count = 0
foreach ($application in $azureStackLegacyGraphApplicationsToUpdate)
{
    $count++
    Write-Host "$count/$($azureStackLegacyGraphApplicationsToUpdate.Count) - Updating application '$($application.DisplayName)' (appId=$($application.AppId)) (id=$($application.Id))"
    Update-MgApplication -ApplicationId $application.Id -BodyParameter @{
        authenticationBehaviors = @{ blockAzureADGraphAccess = $false }
    }
}

The script displays output similar to the following:

Looking-up all applications in directory '<ID>'... 
Found '###' total applications in directory '<ID>'
Found '1' total Azure Stack deployments in directory '<app ID>'
Found '16' total Azure Stack applications which need permission to continue calling Legacy Microsoft Graph Service
1/16 - Updating application 'Azure Stack - AKS' (appId=<app ID>) (id=<ID>)
2/16 - Updating application 'Azure Stack - Hubs' (appId=<app ID>) (id=<ID>)
3/16 - Updating application 'Azure Stack - Portal Administration' (appId=<app ID>) (id=<app>)
4/16 - Updating application 'Azure Stack - RBAC Administration' (appId=<app ID>) (id=ID)
5/16 - Updating application 'Azure Stack - Container Registry' (appId=<app ID>) (id=ID)
6/16 - Updating application 'Azure Stack - RBAC' (appId=<app ID>) (id=ID)
7/16 - Updating application 'Azure Stack - Hubs Administration' (appId=<app ID>) (id=ID)
8/16 - Updating application 'Azure Stack - Deployment Provider' (appId=<app ID>) (id=ID)
9/16 - Updating application 'Azure Stack - Deployment' (appId=<app ID>) (id=ID)
10/16 - Updating application 'Azure Stack - KeyVault' (appId=<app ID>) (id=ID)
11/16 - Updating application 'Azure Stack' (appId=<app ID>) (id=ID)
12/16 - Updating application 'Azure Stack - Administration' (appId=<app ID>) (id=ID)
13/16 - Updating application 'Azure Stack - Policy Administration' (appId=<app ID>) (id=ID)
14/16 - Updating application 'Azure Stack - Policy' (appId=<app ID>) (id=ID)
15/16 - Updating application 'Azure Stack - Portal' (appId=<app ID>) (id=ID)
16/16 - Updating application 'Azure Stack - KeyVault Administration ' (appId=<app ID>) (id=ID) 

Run the script again to verify that all applications have been updated. If every application was updated successfully, the script should return the following output:

Looking-up all applications in directory '<ID>'...
Found '####' total applications in directory '<ID>'
Found '1' total Azure Stack deployments in directory '<ID>'
Found '0' total Azure Stack applications which need permission to continue calling Legacy Microsoft Graph Service 
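The script above reports only a count of applications that still need the flag. The following read-only report is an added example, not part of Microsoft's script: it lists each Azure Stack application with its current blockAzureADGraphAccess state (resolved from either of the two property locations the script checks), classifies it as NotRequired, Configured or NeedsUpdate, and first verifies that the session landed in the intended tenant. It requests only the Application.Read.All scope, so it cannot modify anything, which makes it suitable for a pre-check before the write script or for an audit afterwards. It assumes the same Microsoft.Graph modules; the function name Get-AzureStackLegacyGraphStatus, the Status labels and the 'MyTenantId' placeholder are this example's own.

```powershell
# Added example (not part of the Microsoft script on this page): read-only status report
# for Azure Stack applications and the legacy Graph access flag.
$ErrorActionPreference = 'Stop'
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Applications

# Legacy (Azure AD) Graph resource appId, the same value the remediation script tests for
$legacyGraphAppId = '00000002-0000-0000-c000-000000000000'

function Get-AzureStackLegacyGraphStatus {
    param(
        [Parameter(Mandatory)] [string] $TenantId,
        [string] $EnvironmentName = 'Global'   # see Get-MgEnvironment for other clouds
    )

    # Read-only sign-in: Application.Read.All is enough to inspect authenticationBehaviors
    Connect-MgGraph -Environment $EnvironmentName -TenantId $TenantId -Scopes Application.Read.All | Out-Null

    # Fail early if the session ended up in a different tenant than the one requested
    $context = Get-MgContext
    if ($context.TenantId -ne $TenantId) {
        throw "Signed in to tenant '$($context.TenantId)', expected '$TenantId'"
    }

    $applications = Get-MgApplication -All -Property id, displayName, appId, identifierUris, requiredResourceAccess, authenticationBehaviors

    # Each deployment or registration GUID is the first path segment of an Azure Stack identifier URI
    $deploymentGuids = $applications.IdentifierUris |
        Where-Object { $_ -like 'https://management.*' -or $_ -like 'https://adminmanagement.*' -or $_ -like 'https://azurebridge*' } |
        ForEach-Object { "$_".Split('/')[3] } |
        Select-Object -Unique

    foreach ($application in $applications) {
        $uris = $application.IdentifierUris -join ' '
        $deploymentGuid = $deploymentGuids | Where-Object { $uris -like "*$_*" } | Select-Object -First 1
        if (-not $deploymentGuid) { continue }   # not an Azure Stack application

        # Same criteria as the remediation script: requires the legacy Graph resource, or is an azurebridge app
        $requiresLegacyGraph = ($application.RequiredResourceAccess.ResourceAppId -contains $legacyGraphAppId) -or
                               ($application.IdentifierUris | Where-Object { $_ -like 'https://azurebridge*' })

        # The flag may surface as a typed property or only under AdditionalProperties, depending on SDK version
        $flag = $application.AuthenticationBehaviors.BlockAzureAdGraphAccess
        if ($null -eq $flag) { $flag = $application.AdditionalProperties.authenticationBehaviors.blockAzureADGraphAccess }

        $status = if (-not $requiresLegacyGraph) { 'NotRequired' }
                  elseif ($false -eq $flag)      { 'Configured' }
                  else                           { 'NeedsUpdate' }

        [pscustomobject]@{
            DisplayName             = $application.DisplayName
            AppId                   = $application.AppId
            DeploymentId            = $deploymentGuid
            RequiresLegacyGraph     = [bool]$requiresLegacyGraph
            BlockAzureADGraphAccess = $flag      # $null means the flag was never set
            Status                  = $status
        }
    }
}

# Usage (replace the placeholder with your tenant id):
# Get-AzureStackLegacyGraphStatus -TenantId 'MyTenantId' |
#     Format-Table DisplayName, RequiresLegacyGraph, BlockAzureADGraphAccess, Status
```

After the remediation script has run, every row whose RequiresLegacyGraph is True should show Status Configured; any NeedsUpdate row identifies, by display name and appId, exactly which application the write script still has to patch.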

The following output of the Get-MgEnvironment command shows the default cloud instances included when the Graph modules are installed:

C:\> Get-MgEnvironment

Name     AzureADEndpoint                   GraphEndpoint                           Type    
----     ---------------                   -------------                           ----    
USGovDoD https://login.microsoftonline.us  https://dod-graph.microsoft.us          Built-in
Germany  https://login.microsoftonline.de  https://graph.microsoft.de              Built-in
USGov    https://login.microsoftonline.us  https://graph.microsoft.us              Built-in
China    https://login.chinacloudapi.cn    https://microsoftgraph.chinacloudapi.cn Built-in
Global   https://login.microsoftonline.com https://graph.microsoft.com             Built-in

Next steps

Azure Stack Hub release notes