Azure AD Graph to Microsoft Graph migration FAQ

This article provides answers to frequently asked questions about migrating from Azure Active Directory (Azure AD) Graph to Microsoft Graph.

How is Microsoft Graph different from Azure AD Graph and why should I migrate my apps?

The Azure AD Graph API offers access to only Azure AD services. The Microsoft Graph API offers a single unified endpoint to access Azure AD services and other Microsoft services such as Microsoft Teams, Microsoft Exchange, and Microsoft Intune.

Microsoft Graph is also more secure and resilient than Azure AD Graph. For this reason, Azure AD Graph has been on a deprecation path since June 30, 2020, and will be retired on June 30, 2022. After June 30, 2022, your apps will no longer receive responses from the Azure AD Graph endpoint. Migrate to Microsoft Graph to avoid loss of functionality.

As a developer, how do I identify apps that use Azure AD Graph?

Follow these steps to identify apps with a dependency on Azure AD Graph:

Step 1: Scan the application source code

If you own an application's source code, search for the https://graph.windows.net/ URI in the code. This is the Azure AD Graph endpoint and apps that call this endpoint use Azure AD Graph. Record the value of the affected app's app ID.

Step 2: Check the app's API permissions on the Azure portal

  1. Sign in to the Azure portal as a global administrator.

  2. Search for and select Azure Active Directory.

  3. Under Manage, select App registrations.

  4. In the App registrations window, enable the App registrations search preview. Select the All Applications tab then select the Add filters option. Choose the Application (client) ID option from the list of available filters and select Apply. A filter pops up.

  5. In the text box, enter the app ID you retrieved in Step 1 and select Apply. The list has narrowed down to the specified app.

    Filter by apps by app ID.

  6. Select the app. This reveals the app's menu.

  7. From the left pane of the window, select API permissions. This reveals configured API permissions for your app, including Azure AD Graph permissions.

    An app's API permissions list from the Azure portal.

As an IT admin, how do I identify apps in my tenant that use Azure AD Graph?

Use one of the following three methods to identify apps in your tenant with a dependency on Azure AD Graph.

Method 1: Through network proxy logs

Check your network server traffic logs through a filter proxy for any apps calling the https://graph.windows.net/ endpoint. These apps use Azure AD Graph.

Method 2: Use the App registrations menu of the Azure portal

  1. Sign in to the Azure portal as a global administrator.

  2. Search for and select Azure Active Directory.

  3. Under Manage, select App registrations.

  4. In the App registrations window, enable the App registrations search preview. Select the All Applications tab then select the Add filters option. Choose the Requested API option from the list of available filters and select Apply. The Requested API filter pops up.

    Filter apps by their requested API.

  5. Select Microsoft APIs. Select the Please select an API drop down and choose Azure Active Directory Graph. Select Apply. This lists all apps with a dependency on Azure AD Graph.

    Filter apps that use Azure AD Graph.

Method 3: Use a PowerShell script

Download and run this PowerShell script.

Microsoft sent me an email with a list of App IDs for apps using Azure AD Graph. How do I find the details of each app, including its owner?

  1. Sign in to the Azure portal as a global administrator.

  2. Search for and select Azure Active Directory.

  3. Under Manage, select App registrations.

  4. In the App registrations window, enable the App registrations search preview. Select the All Applications tab then select the Add filters option. Choose the Application (client) ID option from the list of available filters and select Apply. A filter pops up.

  5. Enter an app ID in the text box and select Apply. The list has narrowed down to the specified app.

    Filter by apps by app ID.

  6. Select the app. This reveals the app's menu. From the left pane of the window, menu options such as Owners allow you to retrieve the app's details.

Microsoft sent me an email with a list of App IDs for apps using Azure AD Graph. Are these all the affected apps?

This list captures only apps used within the last 28 days and that called the Azure AD Graph endpoint. Because some apps may have seasonal use, their app ID might be captured in one month's list but not in another. To retrieve the full list of affected apps, we recommend you follow one of the three methods listed previously.

I'm a subscription Owner and Microsoft sent me an email about Azure AD Graph deprecation with a list of App IDs. What should I do?

The email you receive includes the tenant IDs linked to the app IDs. Follow these steps to retrieve the technical contact details for the specific tenants.

  1. Sign in to the Azure portal as an administrator.

  2. If you're a subscription owner in multiple Azure AD tenants, first switch to the relevant tenant or directory.

    1. On the top right of the window, select your profile icon and choose Switch directory. This reveals the Portal settings | Directories + subscriptions window.
    2. From the list, use the Switch tab to switch to the directory whose Directory ID matches the tenant ID you received in the email. The active directory is marked Current.
    3. Close the window.
  3. In the relevant directory, search for and select Azure Active Directory. This reveals a menu for your active tenant.

  4. From the left pane of the window, under Manage, select Properties.

  5. In the Tenant properties window, first verify the value of Tenant ID matches a tenant ID you received in the email. Retrieve the Technical contact details to contact the tenant so they can be aware of the deprecation.

    Find technical contact of a tenant.

I know apps that are using Azure AD Graph. How do I migrate them to Microsoft Graph?

To migrate your apps from Azure AD Graph to Microsoft Graph, follow the App migration planning checklist.

I don't own some apps in my tenant but they use Azure AD Graph. How do I migrate them to Microsoft Graph API? Can I find the owner of such apps?

First, confirm the full list of apps owned by your tenant or third-party applications integrated in your tenant.

  1. Sign in to the Azure portal as an administrator.

  2. Search for and select Azure Active Directory.

  3. Under Manage, select App registrations.

  4. In the App registrations window, select the All Applications tab.

  5. Select the app. This reveals the app's menu.

  6. From the left pane of the window, menu options reveal the app's details including its Owners.

    Find app owners.

Can I request for an exception if I'm unable to meet the June 30, 2022 migration deadline?

There are no exceptions to this deprecation. Your apps will no longer receive responses from the Azure AD Graph endpoint after June 30, 2022.

My organization runs Azure Stack Hub. What actions should I take?

If your organization runs Azure Stack Hub, the most important action is to follow the Azure Stack Hub servicing policy.

If necessary, Azure Stack Hub will continue using Azure AD Graph beyond June 30, 2022, to ensure all systems migrate to using Microsoft Graph. To migrate, customers will be notified through the Azure Stack Hub admin portal to update their home and guest tenant directories. The migration to Microsoft Graph will be managed by the integrated system update experience.

I need to add new Azure AD Graph permissions to my app, but I can't select Azure AD Graph as a required permission for my app registration. How can I add the Azure AD Graph permissions?

First, we recommend that you follow the App migration planning checklist to help you transition your apps to the Microsoft Graph API.

If you've identified a gap where Microsoft Graph doesn't support a feature available in Azure AD Graph, let us know through Microsoft Q&A by using the tag azure-ad-graph-deprecation.

If you still need to configure Azure AD Graph permissions for your applications, use one of the following workarounds.

  • Use the Azure portal to find the APIs your organization uses
  • Update the application manifest on the Azure portal
  • Use the application API in Microsoft Graph to update the requiredResourceAccess object
  • Use the Update-MgApplication cmdlet in Microsoft Graph PowerShell SDK

For examples using the listed workarounds, see Use Microsoft Graph to configure required Azure AD Graph permissions for an app registration

Note: Adding Azure AD Graph permissions using these workarounds won't be supported after June 30, 2022. Any app using Azure AD Graph will still stop functioning after June 30, 2022.

See also