
We have an application which creates/updates users in Azure AD B2C using the Azure AD Graph API, which was retired by MS on February 1, 2025. We opted in for the extension to June 30, 2025 using the

AuthenticationBehaviors.BlockAzureADGraphAccess = false

as described here

However, I would expect that if I set

AuthenticationBehaviors.BlockAzureADGraphAccess = true

then I should get an error when I attempt to create a new User using Azure AD Ms Graph. This does not happen though, even after February 1. It still works. The code I am using is something like this:

    // Requires: System.Net.Http, System.Net.Http.Headers, System.Text and
    // Microsoft.IdentityModel.Clients.ActiveDirectory (ADAL). _clientId, _clientSecret,
    // _tenant and json are fields/variables defined elsewhere in the application.
    var authContext = new AuthenticationContext("https://login.windows.net/" + _tenant);
    var credential = new ClientCredential(_clientId, _clientSecret);
    // Token for the legacy Azure AD Graph resource (graph.windows.net)
    AuthenticationResult result = await authContext.AcquireTokenAsync("https://graph.windows.net/", credential);
    HttpClient http = new HttpClient();
    string url = "https://graph.windows.net/" + _tenant + "/users" + "?api-version=1.6";
    HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Post, url);
    request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
    request.Content = new StringContent(json, Encoding.UTF8, "application/json");
    HttpResponseMessage response = await http.SendAsync(request);

Does someone have any idea on why it still works?

  • The behavior you're experiencing may be due to the fact that while you have set AuthenticationBehaviors.BlockAzureADGraphAccess = true, the Azure AD Graph API is still accessible until the complete retirement on June 30, 2025, for applications that were created before August 31, 2024. If your application was created before this date, it might still be able to make requests to the Azure AD Graph API despite the block setting. Commented Feb 12 at 12:05
  • Additionally, the transition to Microsoft Graph API is encouraged, and any reliance on the Azure AD Graph API will cease to function after its retirement. It is important to ensure that your application is updated to use Microsoft Graph API as soon as possible to avoid any disruptions. Commented Feb 12 at 12:05

1 Answer

As mentioned by you and in the MsDoc, to avoid using the Azure AD Graph API you need to send a PATCH request to the application with the body "blockAzureADGraphAccess": true.

Initially, I tried to create a user using the Azure AD Graph API and the user got created successfully:

    using System;
    using System.Net.Http;
    using System.Net.Http.Headers;
    using System.Text;
    using System.Threading.Tasks;
    using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL: AuthenticationContext, ClientCredential
    using Newtonsoft.Json;

    public class AzureADService
    {
        private string _clientId = "ClientID";
        private string _clientSecret = "Secret";
        private string _tenant = "TenantID";
        private string _graphApiUrl = "https://graph.windows.net/";

        // Acquires an app-only token for the legacy Azure AD Graph resource (graph.windows.net)
        private async Task<string> GetAccessTokenAsync()
        {
            var authContext = new AuthenticationContext($"https://login.windows.net/{_tenant}");
            var credential = new ClientCredential(_clientId, _clientSecret);

            AuthenticationResult result = await authContext.AcquireTokenAsync(_graphApiUrl, credential);
            return result.AccessToken;
        }

        // POSTs the user JSON to the legacy Azure AD Graph users endpoint (api-version 1.6)
        public async Task CreateUserAsync(string json)
        {
            string accessToken = await GetAccessTokenAsync();
            HttpClient httpClient = new HttpClient();
            string url = $"{_graphApiUrl}{_tenant}/users?api-version=1.6";
            HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Post, url);
            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
            request.Content = new StringContent(json, Encoding.UTF8, "application/json");
            HttpResponseMessage response = await httpClient.SendAsync(request);
            if (response.IsSuccessStatusCode)
            {
                Console.WriteLine("User created successfully.");
            }
            else
            {
                // Once blockAzureADGraphAccess is true, this branch reports Authentication_Unauthorized
                string errorContent = await response.Content.ReadAsStringAsync();
                Console.WriteLine($"Error: {response.StatusCode} - {response.ReasonPhrase}");
                Console.WriteLine($"Error Content: {errorContent}");
            }
        }

        public async Task ExampleCreateUser()
        {
            string json = JsonConvert.SerializeObject(new
            {
                accountEnabled = true,
                displayName = "ruktest33",
                mailNickname = "ruktest33",
                userPrincipalName = "[email protected]",
                passwordProfile = new
                {
                    password = "***" // redacted in the original post
                }
            });

            await CreateUserAsync(json);
        }
    }

    public class Program
    {
        public static async Task Main(string[] args)
        {
            AzureADService service = new AzureADService();
            await service.ExampleCreateUser();
        }
    }


To block the application from using the Azure AD Graph API, I executed the below request:

    PATCH https://graph.microsoft.com/beta/applications/ObjectID/authenticationBehaviors
    Content-Type: application/json

    {
        "blockAzureADGraphAccess": true
    }

After doing the above, wait for a few minutes and then rerun the code.

I got the error "Authentication_Unauthorized:Access blocked to AAD Graph API for this application".

But it is suggested to use Microsoft Graph API endpoints (e.g., https://graph.microsoft.com/v1.0/users) to access users, groups, etc.

  • It is important to ensure that your application is updated to use Microsoft Graph API as soon as possible to avoid any disruptions.

Reference:

Microsoft Graph overview - Microsoft Graph | Microsoft
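As an added example (not code from the question or the answer), the migrated path in C#: acquire a token for Microsoft Graph with MSAL instead of the ADAL AuthenticationContext used above, check and enforce blockAzureADGraphAccess through the same beta authenticationBehaviors endpoint the answer PATCHes, and create the user on graph.microsoft.com/v1.0. It assumes Microsoft.Identity.Client and Newtonsoft.Json are referenced, that the app registration has the Application.ReadWrite.All and User.ReadWrite.All application permissions, and that tenantId, clientId, clientSecret and appObjectId are placeholder values you supply.

```csharp
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Threading.Tasks;
using Microsoft.Identity.Client;
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;

public static class GraphMigration
{
    private static readonly HttpClient Http = new HttpClient();
    // Token for Microsoft Graph (resource graph.microsoft.com, not graph.windows.net), via MSAL.
    public static async Task<string> GetMsGraphTokenAsync(string tenantId, string clientId, string clientSecret)
    {
        var app = ConfidentialClientApplicationBuilder.Create(clientId).WithClientSecret(clientSecret)
            .WithAuthority($"https://login.microsoftonline.com/{tenantId}").Build();
        var result = await app.AcquireTokenForClient(new[] { "https://graph.microsoft.com/.default" }).ExecuteAsync();
        return result.AccessToken;
    }
    private static HttpRequestMessage Build(HttpMethod method, string url, string token, string body = null)
    {
        var req = new HttpRequestMessage(method, url);
        req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
        if (body != null) req.Content = new StringContent(body, Encoding.UTF8, "application/json");
        return req;
    }
    // Reads the app's authenticationBehaviors (blockAzureADGraphAccess is null until set) and PATCHes it
    // to true only if it is not already true. Returns true when a change was made. appObjectId is a placeholder.
    public static async Task<bool> EnsureAadGraphBlockedAsync(string token, string appObjectId)
    {
        string url = $"https://graph.microsoft.com/beta/applications/{appObjectId}/authenticationBehaviors";
        var current = await Http.SendAsync(Build(HttpMethod.Get, url, token));
        current.EnsureSuccessStatusCode();
        var behaviors = JObject.Parse(await current.Content.ReadAsStringAsync());
        if (behaviors.Value<bool?>("blockAzureADGraphAccess") == true) return false;
        string body = JsonConvert.SerializeObject(new { blockAzureADGraphAccess = true });
        var patch = await Http.SendAsync(Build(new HttpMethod("PATCH"), url, token, body));
        patch.EnsureSuccessStatusCode();
        return true;
    }
    // Migrated create-user call: the same user object shape as in the question, posted to Microsoft Graph v1.0.
    public static async Task<string> CreateUserAsync(string token, object user)
    {
        var resp = await Http.SendAsync(Build(HttpMethod.Post,
            "https://graph.microsoft.com/v1.0/users", token, JsonConvert.SerializeObject(user)));
        string content = await resp.Content.ReadAsStringAsync();
        if (!resp.IsSuccessStatusCode) throw new HttpRequestException($"{(int)resp.StatusCode}: {content}");
        return JObject.Parse(content).Value<string>("id");
    }
}
```

Because the answer notes the block takes a few minutes to take effect, treat a `false` return from EnsureAadGraphBlockedAsync as confirmation that the setting is stored, not that a legacy graph.windows.net call would already fail.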


1 Comment

Yes I tried it a few days ago, and it worked as expected. Funnily it did not work as expected when I posted my question. And I waited for more than a few minutes.
