question

AleksandrDorogush asked amanpreetsingh-msft edited

How do I know if my app is using AD Graph

We at miro.com own the app https://azuremarketplace.microsoft.com/en-us/marketplace/apps/aad.realtimeboard
Our customer approached us and said they used this guide https://docs.microsoft.com/en-us/graph/migrate-azure-ad-graph-faq to find the apps that use deprecated AD Graph. And our app showed up.
Could you please tell us if this is true and our app is using this AD Graph?

If it's true then I have more questions:
- How exactly is it used?
- How can we disable it?
- What are the consequences of disabling it?
- Is it safe for our customers to continue using our app?
If it is false then why did our app show up?



azure-ad-graph-deprecation
amanpreetsingh-msft answered amanpreetsingh-msft edited

Hi @AleksandrDorogush • Thank you for reaching out.

Yes, the steps mentioned under "As a developer, how do I identify apps that use Azure AD Graph?" are to identify the applications that are still using the Azure AD Graph API. Azure Active Directory (Azure AD) Graph is deprecated. To avoid loss of functionality, you must migrate your applications to Microsoft Graph before June 30, 2022, when the Azure AD Graph API endpoints will stop responding to requests.

  • How exactly is it used?
    Applications generally use the Graph API to fetch information about Users/Groups/Applications/Devices/servicePrincipals from Azure AD. Applications that are still using the Azure AD Graph API use the https://graph.windows.net endpoint to make the calls. Applications that use the Microsoft Graph API use the https://graph.microsoft.com endpoint.

  • How can we disable it?
    You should not disable it as the application might not be able to fetch the required details from Azure AD and will result in unexpected errors/behavior. You should instead choose to migrate your application from Azure AD Graph to Microsoft Graph as per the steps mentioned in the App migration planning checklist. As part of the migration, you might need to update the application code to federate it with Azure AD from ADAL to MSAL as ADAL uses Azure AD Graph and MSAL uses Microsoft Graph. Please refer to How to migrate to MSAL for this purpose.

  • What are the consequences of disabling it?
    The major consequence is the application will not be able to fetch any required details from Azure AD, which may break the application's core functionality. If you are disabling Azure AD Graph, you must configure the application to use Microsoft Graph.

  • Is it safe for our customers to continue using our app?
    Microsoft will continue technical support and apply security fixes for Azure AD Graph until June 30, 2022, when all functionality and support will end. If you fail to migrate your applications to Microsoft Graph before June 30, 2022, you put their functionality and stability at risk.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


We at Miro have a test account in Azure where we have a bunch of Miro apps registered. I checked their list of "API Permissions" and none has "AD Graph". Yet we have a customer that states the opposite. How is it possible?

0 Votes 0 ·

@AleksandrDorogush · It is possible to add any API under the API Permissions blade regardless of whether those permissions are being used or not. As I have mentioned in my answer above, if the application is NOT making any Graph Call using the https://graph.windows.net endpoint, you can safely remove the Azure AD Graph API permissions. On the other hand, if the application makes the Graph Calls using the https://graph.windows.net endpoint, you must migrate to Microsoft Graph before removing these permissions.

1 Vote 1 ·

Thank you for the details.
Unfortunately, I don't know all the details about our app: who from the company created it, where the source code is, and what the complete list of functionality is.
Our customers primarily use it for SSO and SCIM provisioning. We test these features ourselves, and I confirm they work without the "AD Graph" permission.
Speaking of our customer who reported the "AD Graph" permission, do I understand correctly:
Is it more likely that the app in fact doesn't require this permission, doesn't query the "AD Graph", and has been granted the permission by mistake specifically by this customer? Hence it's safe to remove this permission.
As an extra measure we can ask our customer to check on their side if there are actual calls to https://graph.windows.net/ logged. How exactly can they check this?


0 Votes 0 ·

@AleksandrDorogush • You can capture a Fiddler trace for this purpose. Please follow the instructions below to capture a Fiddler trace:
Setup:
• Download and install Fiddler from here: https://www.telerik.com/fiddler
• Follow these instructions to enable HTTPS capture: https://docs.telerik.com/fiddler/configure-fiddler/tasks/DecryptHTTPS (do steps 1 and 2)
To get traces:
• Start Fiddler (it will start capturing)
• Access the application and try to perform various operations from the app that you think may require querying Azure AD.
• Stop Fiddler capturing by hitting the F12 key.
• Save all sessions in a .saz file and check if there are any calls being made to https://graph.windows.net or https://graph.microsoft.com
Note: Fiddler traces may contain credentials in plain text, so I would suggest using a temporary test account to reproduce the issue while capturing the Fiddler trace.
I have shared more details on the second issue in the other post. Feel free to tag me if you have any further questions.

0 Votes 0 ·
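The check described in the thread above (look in the captured sessions for calls to https://graph.windows.net versus https://graph.microsoft.com) can be automated once the session list is exported as plain "METHOD URL" lines. The following is an added example, not code from the original thread or from Miro or Microsoft; the trace lines it parses are constructed for illustration, and it matches hosts exactly, ignoring case and port, so a lookalike host such as notgraph.windows.net is not counted.

```python
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Hosts named in the answer above: the deprecated Azure AD Graph endpoint
# and the Microsoft Graph endpoint that replaces it.
AZURE_AD_GRAPH_HOST = "graph.windows.net"
MICROSOFT_GRAPH_HOST = "graph.microsoft.com"

# Constructed sample of "METHOD URL" lines, as one might export them from a
# Fiddler session list. These are not real captured requests.
SAMPLE_TRACE = """\
GET https://login.microsoftonline.com/contoso.example/oauth2/v2.0/token
GET https://graph.windows.net/contoso.example/users?api-version=1.6
POST https://graph.windows.net/contoso.example/groups/abc/$links/members?api-version=1.6
GET https://graph.microsoft.com/v1.0/users?$select=id,displayName
GET https://GRAPH.WINDOWS.NET:443/contoso.example/servicePrincipals?api-version=1.6
GET https://app.example.test/api/health
"""

def classify(url):
    """Return 'azure_ad_graph', 'microsoft_graph' or 'other' for one request URL."""
    # .hostname drops the port and lowercases, so case and ":443" do not matter
    host = (urlsplit(url).hostname or "").lower()
    if host == AZURE_AD_GRAPH_HOST:
        return "azure_ad_graph"
    if host == MICROSOFT_GRAPH_HOST:
        return "microsoft_graph"
    return "other"

def azure_ad_graph_calls(trace_text):
    """List (method, path, api-version) for every call to the deprecated endpoint."""
    hits = []
    for line in trace_text.splitlines():
        if not line.strip():
            continue
        method, url = line.split(maxsplit=1)
        if classify(url) == "azure_ad_graph":
            parts = urlsplit(url)
            version = parse_qs(parts.query).get("api-version", ["?"])[0]
            hits.append((method, parts.path, version))
    return hits

def summarize(trace_text):
    """Count requests per category: a non-zero azure_ad_graph count means
    the app still has code to migrate before the endpoint is retired."""
    counts = Counter()
    for line in trace_text.splitlines():
        if line.strip():
            counts[classify(line.split(maxsplit=1)[1])] += 1
    return dict(counts)
```

Running summarize(SAMPLE_TRACE) on the constructed sample reports three Azure AD Graph calls, one Microsoft Graph call and two unrelated requests; azure_ad_graph_calls lists which paths still need migrating.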
ZehuiYaoMSFT-7151 answered ZehuiYaoMSFT-7151 rolled back

Hi @AleksandrDorogush, this is the official documentation of Microsoft Graph, so you can use it with confidence. I suggest judging whether your app uses AD Graph according to the method given in the document.
At the same time, Azure AD Graph has been on a deprecation path since June 30, 2020, and will be retired on June 30, 2022. After June 30, 2022, your apps will no longer receive responses from the Azure AD Graph endpoint. So I suggest migrating to Microsoft Graph to avoid loss of functionality if you have verified that your app is using Azure AD Graph.



If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

