TODO: Move from the Azure AD Graph API to the Microsoft Graph API

Directions on Microsoft

Last month, Microsoft announced the deprecation of the Azure Active Directory Graph API (graph.windows.net). Going forward, the Microsoft Graph API (graph.microsoft.com) is the supported way to gain access to Azure Active Directory programmatically.

 

What will happen?

Let’s look at the timeline shared by Microsoft:

End of Support Timeline for the Azure AD Graph API

For the next two years, applications and tools communicating with the Azure Active Directory Graph API will continue to work. However, no new features will be made available to the Azure AD Graph API, only to the Microsoft Graph API. There will be security updates for the Azure AD Graph API in the next two years, but after that time, the Azure AD Graph API shuts down.

 

Benefits of using the Microsoft Graph API

Now, you might ask yourself why you’d want to move to the Microsoft Graph API from the Azure Active Directory Graph API, apart from the deprecation notice above.

More secure and more resilient

The Microsoft Graph API offers more secure and more resilient access to the information in Azure Active Directory.

New features

Microsoft will offer new authentication features to the Microsoft Graph API. The Azure AD Graph API remains as-is.

Switch to Microsoft Graph today to take advantage of Microsoft 365 group management, external user invitations, the ability to restore users and Microsoft 365 groups after they’ve been deleted, Azure AD Privileged Identity Management (PIM), Access Review and Terms of Use.

The gateway to everything

Microsoft Graph offers access to many more services than just Azure Active Directory. It's the API gateway to all of Microsoft 365.

 

Migrating to the Microsoft Graph API

To migrate your apps to the Microsoft Graph API from the Azure Active Directory Graph API, perform these high-level steps:

Review the differences between the APIs

In many respects, the Microsoft Graph API is similar to the Azure AD Graph API. In many cases, simply changing the endpoint from graph.windows.net to graph.microsoft.com and taking care of the versioning difference takes care of everything.

However, there are differences. Certain resources, properties, methods, and core capabilities have changed.

Specifically, look for differences in the following areas:

Examine how your applications and tools use the APIs

When you know the differences between the two APIs, you can examine the APIs used by your applications and tools and the permissions they require.

You should verify that the APIs your applications and tools need are generally available in Microsoft Graph v1.0 and that these APIs work the same way. In some cases, new capabilities and features are designed to replace earlier approaches.
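
The endpoint and versioning change from the review step, combined with the inventory this step calls for, as an added example (not code from the original post or from Microsoft). The tenant name contoso.example, the sample source text and the function names are constructed for illustration, and the sketch assumes the first path segment of an Azure AD Graph URL is the tenant unless it is the me alias.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

LEGACY_HOST = "graph.windows.net"
NEW_HOST = "graph.microsoft.com"
# Matches a legacy URL up to the next quote, bracket or whitespace.
URL_RE = re.compile(r"https://graph\.windows\.net/[^\s\"'<>]*", re.IGNORECASE)


def to_microsoft_graph(url, version="v1.0"):
    """Rewrite an Azure AD Graph URL to the Microsoft Graph URL shape.

    Assumption: the first path segment is the tenant (ID, domain or
    'myorganization') unless it is the 'me' alias.
    """
    parts = urlsplit(url)
    if parts.hostname != LEGACY_HOST:
        raise ValueError("not an Azure AD Graph URL: " + url)
    segments = [s for s in parts.path.split("/") if s]
    if segments and segments[0].lower() != "me":
        segments = segments[1:]  # Microsoft Graph takes the tenant from the token
    # The version moves from the api-version query parameter into the path.
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k.lower() != "api-version"]
    path = "/" + "/".join([version] + segments)
    return urlunsplit(("https", NEW_HOST, path, urlencode(query, safe="$,'()"), ""))


def inventory(source_text):
    """Return (line_no, legacy_url, suggested_url) for each legacy call found."""
    findings = []
    for line_no, line in enumerate(source_text.splitlines(), start=1):
        for match in URL_RE.finditer(line):
            old = match.group(0)
            findings.append((line_no, old, to_microsoft_graph(old)))
    return findings


# Constructed sample of application source, not taken from a real project.
SAMPLE = '''\
USERS = "https://graph.windows.net/contoso.example/users?api-version=1.6&$top=5"
ME = "https://graph.windows.net/me?api-version=1.6"
GROUPS = "https://graph.microsoft.com/v1.0/groups"
'''

if __name__ == "__main__":
    for line_no, old, new in inventory(SAMPLE):
        print(f"line {line_no}: {old}\n     -> {new}")
```

A rewritten URL is only a starting point: the access token must also be requested for graph.microsoft.com, and the resource, property and permission differences still need a manual review per call.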

Review app details

Of course, when you switch from one API to another in your applications and tools, you should take care of the proper app registrations and consent.

It is also a best practice to update the authentication library from the Azure Active Directory Authentication Library (ADAL) to the Microsoft Authentication Library (MSAL).

Deploy, test, and extend your app

Before updating your app for everyone, ensure you test thoroughly and stage your rollout to your customer audience.

 

Concluding

In two years' time, Microsoft plans to shut down the Azure AD Graph API. If your applications and tools communicate with this API, then it’s time to start migrating to the Microsoft Graph API. Don’t get caught by surprise.
