We have an application which creates/updates users in Azure AD B2C using the Azure AD Graph API, which was retired by MS on February 1, 2025. We opted in for the extension to June 30, 2025 using the
AuthenticationBehaviors.BlockAzureADGraphAccess = false
as described here
However, I would expect that if I set
AuthenticationBehaviors.BlockAzureADGraphAccess = true
then I should get an error when I attempt to create a new user using Azure AD Ms Graph. This does not happen though, even after February 1. It still works. The code I am using is something like this:
// ADAL (Microsoft.IdentityModel.Clients.ActiveDirectory) client-credentials token for the legacy Azure AD Graph endpoint
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

var authContext = new AuthenticationContext("https://login.windows.net/" + _tenant);
var credential = new ClientCredential(_clientId, _clientSecret);
AuthenticationResult result = await authContext.AcquireTokenAsync("https://graph.windows.net/", credential);
HttpClient http = new HttpClient();
// Azure AD Graph (graph.windows.net), API version 1.6
string url = "https://graph.windows.net/" + _tenant + "/users" + "?api-version=1.6";
HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Post, url);
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
request.Content = new StringContent(json, Encoding.UTF8, "application/json");
HttpResponseMessage response = await http.SendAsync(request);
Does someone have any idea on why it still works?
As you mentioned, and as noted in the MS docs, to stop the application from using the Azure AD Graph API you need to send a PATCH request to the application with the body "blockAzureADGraphAccess": true.
Initially, I tried to create a user using the Azure AD Graph API and the user was created successfully:
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL
using Newtonsoft.Json;

public class AzureADService
{
    // Placeholder values; replace with your own app registration and tenant details.
    private string _clientId = "ClientID";
    private string _clientSecret = "Secret";
    private string _tenant = "TenantID";
    private string _graphApiUrl = "https://graph.windows.net/";

    // Client-credentials token with the legacy Azure AD Graph endpoint as the resource.
    private async Task<string> GetAccessTokenAsync()
    {
        var authContext = new AuthenticationContext($"https://login.windows.net/{_tenant}");
        var credential = new ClientCredential(_clientId, _clientSecret);
        AuthenticationResult result = await authContext.AcquireTokenAsync(_graphApiUrl, credential);
        return result.AccessToken;
    }

    // POST the user JSON to Azure AD Graph, api-version 1.6.
    public async Task CreateUserAsync(string json)
    {
        string accessToken = await GetAccessTokenAsync();
        HttpClient httpClient = new HttpClient();
        string url = $"{_graphApiUrl}{_tenant}/users?api-version=1.6";
        HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Post, url);
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
        request.Content = new StringContent(json, Encoding.UTF8, "application/json");
        HttpResponseMessage response = await httpClient.SendAsync(request);
        if (response.IsSuccessStatusCode)
        {
            Console.WriteLine("User created successfully.");
        }
        else
        {
            // Once blockAzureADGraphAccess is in effect, this branch shows the Authentication_Unauthorized error body.
            string errorContent = await response.Content.ReadAsStringAsync();
            Console.WriteLine($"Error: {response.StatusCode} - {response.ReasonPhrase}");
            Console.WriteLine($"Error Content: {errorContent}");
        }
    }

    public async Task ExampleCreateUser()
    {
        string json = JsonConvert.SerializeObject(new
        {
            accountEnabled = true,
            displayName = "ruktest33",
            mailNickname = "ruktest33",
            userPrincipalName = "ruktest33@xxx.onmicrosoft.com",
            passwordProfile = new
            {
                password = "***"
            }
        });
        await CreateUserAsync(json);
    }
}

public class Program
{
    public static async Task Main(string[] args)
    {
        AzureADService service = new AzureADService();
        await service.ExampleCreateUser();
    }
}
To block the application to use Azure AD Graph API, I executed the below query:
PATCH https://graph.microsoft.com/beta/applications/ObjectID/authenticationBehaviors
Content-Type: application/json
{
"blockAzureADGraphAccess": true
}
After doing the above, wait a few minutes and then rerun the code:
I got the error "Authentication_Unauthorized: Access blocked to AAD Graph API for this application", as shown below:
But it is suggested to use the Microsoft Graph API endpoints (e.g., https://graph.microsoft.com/v1.0/users) to access users, groups, etc.
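As an added example (not code from the question or the answer above): the two steps the answer walks through, setting blockAzureADGraphAccess and then moving user creation off graph.windows.net, done from one C# program against Microsoft Graph. It uses MSAL (Microsoft.Identity.Client) instead of the deprecated ADAL library, and plain HttpClient rather than the Graph SDK. The tenant, client, secret and application object ID values are placeholders (assumptions), as is the initial password; the app registration is assumed to hold the Application.ReadWrite.All and User.ReadWrite.All application permissions.

```csharp
// Added example: block Azure AD Graph for the app via Microsoft Graph (beta), verify the setting,
// then create the user through Microsoft Graph v1.0 instead of the retired graph.windows.net endpoint.
// Assumes .NET 6+ and the Microsoft.Identity.Client (MSAL) package. All IDs/secrets below are placeholders.
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class GraphMigration
{
    // Placeholders (assumptions): replace with your tenant domain and app registration values.
    const string TenantDomain = "yourtenant.onmicrosoft.com";
    const string ClientId = "<client-id>";
    const string ClientSecret = "<client-secret>";
    const string AppObjectId = "<application-object-id>"; // object ID of the app registration, not its appId
    static readonly HttpClient Http = new HttpClient();

    // Client-credentials token for Microsoft Graph; .default requests every application permission
    // already consented for this app (Application.ReadWrite.All for the PATCH, User.ReadWrite.All for POST /users).
    static async Task<string> GetTokenAsync()
    {
        var app = ConfidentialClientApplicationBuilder.Create(ClientId)
            .WithClientSecret(ClientSecret)
            .WithAuthority($"https://login.microsoftonline.com/{TenantDomain}")
            .Build();
        var result = await app.AcquireTokenForClient(new[] { "https://graph.microsoft.com/.default" }).ExecuteAsync();
        return result.AccessToken;
    }

    static async Task<HttpResponseMessage> SendAsync(HttpMethod method, string url, object body, string token)
    {
        var request = new HttpRequestMessage(method, url);
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
        if (body != null)
            request.Content = new StringContent(JsonSerializer.Serialize(body), Encoding.UTF8, "application/json");
        return await Http.SendAsync(request);
    }

    // Step 1: the same PATCH the answer issues by hand, followed by a read-back of the property.
    public static async Task BlockAadGraphAsync(string token)
    {
        string url = $"https://graph.microsoft.com/beta/applications/{AppObjectId}/authenticationBehaviors";
        var patch = await SendAsync(new HttpMethod("PATCH"), url, new { blockAzureADGraphAccess = true }, token);
        Console.WriteLine($"PATCH authenticationBehaviors: {(int)patch.StatusCode}"); // 204 on success

        // Read the stored value back. Enforcement on graph.windows.net still lags by a few minutes,
        // so a successful PATCH does not mean the very next Azure AD Graph call is rejected.
        string readUrl = $"https://graph.microsoft.com/beta/applications/{AppObjectId}?$select=id,displayName,authenticationBehaviors";
        var check = await SendAsync(HttpMethod.Get, readUrl, null, token);
        Console.WriteLine(await check.Content.ReadAsStringAsync());
    }

    // Step 2: create the same user as the answer, but via Microsoft Graph v1.0.
    public static async Task CreateUserAsync(string token)
    {
        var user = new
        {
            accountEnabled = true,
            displayName = "ruktest33",
            mailNickname = "ruktest33",
            userPrincipalName = $"ruktest33@{TenantDomain}",
            passwordProfile = new { forceChangePasswordNextSignIn = false, password = "<initial-password>" }
        };
        var resp = await SendAsync(HttpMethod.Post, "https://graph.microsoft.com/v1.0/users", user, token);
        Console.WriteLine($"POST /v1.0/users: {(int)resp.StatusCode}"); // 201 Created on success
        Console.WriteLine(await resp.Content.ReadAsStringAsync());
    }

    public static async Task Main()
    {
        string token = await GetTokenAsync();
        await BlockAadGraphAsync(token);
        await CreateUserAsync(token);
    }
}
```

The PATCH targets the application object (the object ID shown on the app registration's overview page), not the service principal's appId; a 204 only confirms the directory write, which is why the answer waits a few minutes before rerunning the graph.windows.net code to see the Authentication_Unauthorized error.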