AzureFeeds

Following a multi-year deprecation notice, the retirement of the Azure AD Graph API service began in September 2024. As of April 2025, any applications still using Azure AD Graph APIs were configured for extended access.  

We’re now entering the next phase of retirement for Azure AD Graph. In this update, we’ll share more information about the timeline and required actions. We understand that retirements can be disruptive, but this activity is an important part of our commitment to security and programmability for our customers’ tenants.  

Key points 

1. Applications that were configured for extended access that still depend on Azure AD Graph APIs will not be able to continue using these APIs starting in early September 2025.  


2. You should expect one to two temporary outage tests of 8-24hrs in duration between late July and early September 2025.  

It’s important to take action now, by migrating your applications using Azure AD Graph APIs to Microsoft Graph. Over the coming months, we’ll provide more specific timelines regarding impact of these retirements through M365 Message Center messages.  

Identifying use of Azure AD Graph APIs in your tenant 

We strongly encourage using the Microsoft Entra recommendations for Azure AD Graph retirement to identify apps require action. These reports are based on actual usage of Azure AD Graph APIs and provide the most accurate information on potential impact. While Sign-in logs can be useful to identify more information about users and clients getting tokens for this service, this retirement activity will impact the use of the retiring APIs, not token acquisition.  
 

Our blog post from December 2024 provides considerable detail on using these recommendations, including an example script for exporting the reports.  

Migrating applications to Microsoft Graph 

Action will be needed for each application using Azure AD Graph APIs identified by the two Microsoft Entra Recommendations. Apps listed in either Migrate Applications recommendation or the Migrate Service Principals recommendation will need to be updated by the developer to use Microsoft Graph APIs. However, required actions will be different for applications created in your tenant versus vendor-supplied applications used in your tenant. 

1. Apps registered in your tenant using Azure AD Graph APIs are listed in the Migrate Applications recommendation. Work with the application owner/developer in your organization to ensure they’ll replace AzureAD Graph APIs with Microsoft Graph APIs immediately. For more information, please reference: Migrate from Azure Active Directory (Azure AD) Graph to Microsoft Graph – Microsoft Graph | Microsoft Learn 


2. Applications provided by a vendor (or other tenant) that you’re using and depend on Azure AD Graph APIs are listed in the Migrate Service Principals recommendation. Check with the vendor to identify a newer version of the software that uses only Microsoft Graph APIs. Be sure to update your software installation to the newer version.  

Note: Prioritize migration for applications registered in your tenant. We’re working with software vendors for popular applications on their migration to Microsoft Graph, and we’ll do our best to allow for sufficient notice and time to update before these apps are impacted. 

Some other considerations: 

• Microsoft-provided applications 
  You may see apps provided by Microsoft in the Migrate Service Principals recommendation. Most Microsoft-provided applications you see in this recommendation have a new version already available with no dependency on Azure AD Graph APIs. Update these to newer versions (some details can be found here). We’ll provide further notice before applications are impacted, but it’s a good idea to start upgrading the versions of these apps.  

• Service principal login 
  If you’re using service principal login for applications like Microsoft Azure PowerShell, Microsoft Azure CLI, or Terraform, and the application is using Azure AD Graph APIs, it’ll show on the Migrate Applications recommendation. When using service principal login, the application’s identity (for the service principal) is registered in your tenant. For such cases, you must update the installed version of the software to a newer version to eliminate Azure AD Graph API usage. 

Also using AzureAD PowerShell?

If you’re running scripts built on the AzureAD or AzureAD-Preview modules, be aware that these will stop working starting in mid-October 2025. Learn how to move to Microsoft Graph PowerShell or Microsoft Entra PowerShell.
 

Kristopher Bash 

More resources 

• Migrate from Azure Active Directory (Azure AD) Graph to Microsoft Graph  


• Microsoft Entra recommendations for Azure AD Graph 

Learn more about Microsoft Entra  

Prevent identity attacks, ensure least privilege access, unify access controls, and improve the experience for users with comprehensive identity and network access solutions across on-premises and clouds. 

• ⁠Microsoft Entra News and Insights | Microsoft Security Blog  


• ⁠⁠Microsoft Entra blog | Tech Community  


• ⁠Microsoft Entra documentation | Microsoft Learn 


• Microsoft Entra discussions | Microsoft Community