Disable Azure AD Graph API with blockAzureADGraphAccess - Stack Overflow

We have an application which creates/updates users in Azure AD B2C using Azure AD Graph API, which was retired by MS February 1, 2025. We opted in for the prolonging to June 30 2025 using the

AuthenticationBehaviors.BlockAzureADGraphAccess = false

as described here

However, I would expect that if I set

AuthenticationBehaviors.BlockAzureADGraphAccess = true

then I should get an error when I attempt to create a new User using Azure AD Ms Graph. This does not happen though, even after February 1. It still works. The code I am using is something like this

    // Azure AD Graph (legacy) endpoint: the token is requested for, and sent to, graph.windows.net
    var credential = new ClientCredential(_clientId, _clientSecret);
    AuthenticationResult result = await authContext.AcquireTokenAsync("https://graph.windows.net/", credential);
    HttpClient http = new HttpClient();
    string url = "https://graph.windows.net/" + _tenant + "/users" + "?api-version=1.6";
    HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Post, url);
    request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
    request.Content = new StringContent(json, Encoding.UTF8, "application/json");
    HttpResponseMessage response = await http.SendAsync(request);

Does someone have any idea on why it still works?

asked Feb 3 at 13:04 by Jihad Haddad; edited Feb 4 at 8:14 by qkfang
  • The behavior you're experiencing may be due to the fact that while you have set AuthenticationBehaviors.BlockAzureADGraphAccess = true, the Azure AD Graph API is still accessible until the complete retirement on June 30, 2025, for applications that were created before August 31, 2024. If your application was created before this date, it might still be able to make requests to the Azure AD Graph API despite the block setting. – Rukmini Commented Feb 12 at 12:05
  • Additionally, the transition to Microsoft Graph API is encouraged, and any reliance on the Azure AD Graph API will cease to function after its retirement. It is important to ensure that your application is updated to use Microsoft Graph API as soon as possible to avoid any disruptions. – Rukmini Commented Feb 12 at 12:05

1 Answer

As you mentioned, and as described in the MsDoc, to avoid using Azure AD Graph API you need to send a PATCH request to the application with the body "blockAzureADGraphAccess": true.

Initially, I tried to create a user using Azure AD Graph API and the user got created successfully:

    using System;
    using System.Net.Http;
    using System.Net.Http.Headers;
    using System.Text;
    using System.Threading.Tasks;
    using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL
    using Newtonsoft.Json;

    public class AzureADService
    {
        private string _clientId = "ClientID";
        private string _clientSecret = "Secret";
        private string _tenant = "TenantID";
        // Legacy Azure AD Graph endpoint (the API that blockAzureADGraphAccess controls)
        private string _graphApiUrl = "https://graph.windows.net/";

        // Client-credentials token whose audience is Azure AD Graph
        private async Task<string> GetAccessTokenAsync()
        {
            var authContext = new AuthenticationContext($"https://login.windows.net/{_tenant}");
            var credential = new ClientCredential(_clientId, _clientSecret);

            AuthenticationResult result = await authContext.AcquireTokenAsync(_graphApiUrl, credential);
            return result.AccessToken;
        }

        // POST the user JSON to Azure AD Graph and print the outcome
        public async Task CreateUserAsync(string json)
        {
            string accessToken = await GetAccessTokenAsync();
            HttpClient httpClient = new HttpClient();
            string url = $"{_graphApiUrl}{_tenant}/users?api-version=1.6";
            HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Post, url);
            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
            request.Content = new StringContent(json, Encoding.UTF8, "application/json");
            HttpResponseMessage response = await httpClient.SendAsync(request);
            if (response.IsSuccessStatusCode)
            {
                Console.WriteLine("User created successfully.");
            }
            else
            {
                // Once the block is active, the error body is printed here
                string errorContent = await response.Content.ReadAsStringAsync();
                Console.WriteLine($"Error: {response.StatusCode} - {response.ReasonPhrase}");
                Console.WriteLine($"Error Content: {errorContent}");
            }
        }

        public async Task ExampleCreateUser()
        {
            string json = JsonConvert.SerializeObject(new
            {
                accountEnabled = true,
                displayName = "ruktest33",
                mailNickname = "ruktest33",
                userPrincipalName = "[email protected]",
                passwordProfile = new
                {
                    password = "***"
                }
            });

            await CreateUserAsync(json);
        }
    }

    public class Program
    {
        public static async Task Main(string[] args)
        {
            AzureADService service = new AzureADService();
            await service.ExampleCreateUser();
        }
    }

To block the application from using Azure AD Graph API, I executed the below query:

    PATCH https://graph.microsoft.com/beta/applications/ObjectID/authenticationBehaviors
    Content-Type: application/json

    {
        "blockAzureADGraphAccess": true
    }

After doing the above, wait for a few minutes, and then rerun the code.

I got the error "Authentication_Unauthorized:Access blocked to AAD Graph API for this application".

But it is suggested to use Microsoft Graph API endpoints (e.g., https://graph.microsoft.com/v1.0/users) to access users, groups etc.

  • It is important to ensure that your application is updated to use Microsoft Graph API as soon as possible to avoid any disruptions.

Reference:

Microsoft Graph overview - Microsoft Graph | Microsoft
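The PATCH from the answer above followed by a read-back of the setting, so you can confirm the value stored on the application object before re-testing against Azure AD Graph. This is an added example, not code from the question or the answer; the angle-bracket values are placeholders, and it assumes a separate admin app registration that has been granted application permission to update app registrations (Application.ReadWrite.All).

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;

public static class BlockAadGraphAccess
{
    // Placeholders (hypothetical values, replace with your own)
    const string Tenant = "<tenant-id>";
    const string AdminClientId = "<admin-app-client-id>";
    const string AdminClientSecret = "<admin-app-client-secret>";
    const string TargetAppObjectId = "<object-id-of-the-app-to-block>";

    // Client-credentials token for Microsoft Graph (v2.0 token endpoint)
    static async Task<string> GetTokenAsync(HttpClient http)
    {
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"] = "client_credentials",
            ["client_id"] = AdminClientId,
            ["client_secret"] = AdminClientSecret,
            ["scope"] = "https://graph.microsoft.com/.default"
        });
        var resp = await http.PostAsync($"https://login.microsoftonline.com/{Tenant}/oauth2/v2.0/token", form);
        resp.EnsureSuccessStatusCode();
        using var doc = JsonDocument.Parse(await resp.Content.ReadAsStringAsync());
        return doc.RootElement.GetProperty("access_token").GetString();
    }

    public static async Task Main()
    {
        using var http = new HttpClient();
        string token = await GetTokenAsync(http);
        http.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
        string url = $"https://graph.microsoft.com/beta/applications/{TargetAppObjectId}/authenticationBehaviors";

        // Same request as in the answer: turn the block on for the target application
        var patch = new HttpRequestMessage(new HttpMethod("PATCH"), url)
        {
            Content = new StringContent("{\"blockAzureADGraphAccess\": true}", Encoding.UTF8, "application/json")
        };
        (await http.SendAsync(patch)).EnsureSuccessStatusCode();

        // Read the setting back; an absent or null property means it is not set
        using var behaviors = JsonDocument.Parse(await http.GetStringAsync(url));
        bool blocked = behaviors.RootElement.TryGetProperty("blockAzureADGraphAccess", out var value)
                       && value.ValueKind == JsonValueKind.True;
        Console.WriteLine(blocked ? "blockAzureADGraphAccess = true" : "blockAzureADGraphAccess is not set to true");
    }
}
```

The ObjectID in the URL is the application object's ID, as in the answer's PATCH request. As the answer notes, wait a few minutes after the change before re-running the Azure AD Graph call.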
