Just as a reminder to all whom it concerns: Microsoft is deprecating ADAL and Azure AD Graph in June 2022. The notification is all over the portals.
Installing MS Graph modules
# Install for the current user only; no admin rights needed.
Install-Module Microsoft.Graph -Scope CurrentUser -AllowClobber -Force
# Install for all users; needs admin rights.
Install-Module Microsoft.Graph -Scope AllUsers -AllowClobber -Force
Connecting to Graph with PowerShell
First you need to connect and consent to the permissions (scopes) your session will use. Request only the scopes you actually need: the access token you get back carries all of them.
# Connect-Graph is an alias of Connect-MgGraph
Connect-Graph -Scopes "User.Read","Application.Read.All"
The familiar sign-in prompt appears. If you tick "Consent on behalf of your organization", you grant admin consent for those scopes to the Microsoft Graph PowerShell enterprise application for every user in the tenant, which requires an administrator; leave it unticked to consent only for your own account.
MS Graph App registrations
Azure AD App registrations
Listing Enterprise application with Graph
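An added example of listing enterprise applications with the Graph module (not code from the original post). It assumes an existing Connect-MgGraph session with at least Application.Read.All. Enterprise applications are service principals; the WindowsAzureActiveDirectoryIntegratedApp tag is what the portal's Enterprise applications blade filters on, so the function uses the same filter.

```powershell
# Added example, not from the original post. Assumes a Connect-MgGraph session
# with at least Application.Read.All.
function Get-EnterpriseApplication {
    [CmdletBinding()]
    param(
        # Return only service principals that are allowed to sign in.
        [switch]$EnabledOnly
    )
    # -All follows the @odata.nextLink paging; without it only the first page comes back.
    $sps = Get-MgServicePrincipal -All -Property Id,AppId,DisplayName,AccountEnabled,ServicePrincipalType,Tags,AppOwnerOrganizationId
    foreach ($sp in $sps) {
        # Skip managed identities and legacy principals; keep real applications.
        if ($sp.ServicePrincipalType -ne 'Application') { continue }
        # Same filter the portal's "Enterprise applications" list applies.
        if ($sp.Tags -notcontains 'WindowsAzureActiveDirectoryIntegratedApp') { continue }
        if ($EnabledOnly -and -not $sp.AccountEnabled) { continue }
        [pscustomobject]@{
            DisplayName    = $sp.DisplayName
            AppId          = $sp.AppId
            ObjectId       = $sp.Id
            AccountEnabled = $sp.AccountEnabled
            # Your tenant id for apps registered here, another tenant's id for multi-tenant
            # apps you consented to; useful when reviewing third-party access.
            OwnerTenant    = $sp.AppOwnerOrganizationId
        }
    }
}

# Usage: list every enterprise application that can still sign in.
Get-EnterpriseApplication -EnabledOnly | Sort-Object DisplayName | Format-Table -AutoSize
```

The OwnerTenant column is worth keeping in the output: a service principal owned by a tenant that is not yours is a third-party application someone consented to, which is exactly the kind of entry to review during a migration.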
Why upgrade?
Well, first of all it is more or less mandatory, but here is Microsoft's comparison of the differences between the two APIs.
Get the list of applications using ADAL
Basically, you route your Azure AD sign-in logs to Azure Monitor (a Log Analytics workspace, configured under Diagnostic settings) and then use an Azure Monitor workbook to find the apps that authenticate through ADAL. This works because each sign-in record includes the authentication library the client used, which is what the workbook filters on.
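If you would rather pull the same information through the Graph module than through a workbook, the following added example (not code from the original post) filters sign-in records for ADAL clients. It assumes the sign-in objects expose an AuthenticationProcessingDetails key/value list (documented for the beta signIn resource) and that the library entry's key contains "Authentication Library" with a value such as "Family: ADAL Library: ADAL.Net Version: 5.2.9"; both are assumptions here, so the match is deliberately loose. The sample records are constructed so the function can be tried offline.

```powershell
# Added example, not from the original post. Assumed property names are noted inline.
function Find-AdalSignIn {
    [CmdletBinding()]
    param(
        # Sign-in objects from the sign-in log (or constructed samples as below).
        [Parameter(Mandatory, ValueFromPipeline)] $SignIn
    )
    process {
        foreach ($kv in $SignIn.AuthenticationProcessingDetails) {
            # Assumed key: "Azure AD App Authentication Library". Match loosely on the key
            # and on the word ADAL in the value so a renamed key does not silently hide hits.
            if ($kv.Key -like '*Authentication Library*' -and $kv.Value -match '\bADAL\b') {
                [pscustomobject]@{
                    AppDisplayName = $SignIn.AppDisplayName
                    AppId          = $SignIn.AppId
                    User           = $SignIn.UserPrincipalName
                    Library        = $kv.Value
                    When           = $SignIn.CreatedDateTime
                }
            }
        }
    }
}

# Constructed sample records (not real tenant data) with obviously fake app ids.
$sample = @(
    [pscustomobject]@{
        AppDisplayName = 'Legacy HR sync'; AppId = '11111111-1111-1111-1111-111111111111'
        UserPrincipalName = 'svc-hr@contoso.example'; CreatedDateTime = '2022-05-01T08:00:00Z'
        AuthenticationProcessingDetails = @(
            [pscustomobject]@{ Key = 'Azure AD App Authentication Library'; Value = 'Family: ADAL Library: ADAL.Net Version: 5.2.9' }
        )
    },
    [pscustomobject]@{
        AppDisplayName = 'Modern portal'; AppId = '22222222-2222-2222-2222-222222222222'
        UserPrincipalName = 'alice@contoso.example'; CreatedDateTime = '2022-05-01T09:15:00Z'
        AuthenticationProcessingDetails = @(
            [pscustomobject]@{ Key = 'Azure AD App Authentication Library'; Value = 'Family: MSAL Library: MSAL.NET Version: 4.41.0' }
        )
    }
)

# One line per application still using ADAL, with the number of sign-ins seen.
$sample | Find-AdalSignIn | Group-Object AppId | ForEach-Object {
    [pscustomobject]@{ App = $_.Group[0].AppDisplayName; AppId = $_.Name; SignIns = $_.Count }
}

# Against a real tenant (needs AuditLog.Read.All and Directory.Read.All), for example:
# Get-MgAuditLogSignIn -All -Filter "createdDateTime ge 2022-04-01T00:00:00Z" | Find-AdalSignIn
```

For a large tenant the workbook over Log Analytics is the cheaper route; the cmdlet approach is handy for a quick check or for feeding the result into a migration tracker.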
App migration planning checklist
Step 1: Review the differences between the APIs
In many respects, Microsoft Graph is similar to the earlier Azure Active Directory (Azure AD) Graph. In many cases you only need to change the endpoint host name and API version in your code (for example graph.windows.net with api-version=1.6 becomes graph.microsoft.com/v1.0), and everything should continue to work.
Nonetheless, there are differences. Certain resources, properties, methods, and core capabilities have changed.
Specifically, look for differences in the following areas:
- Request call syntax between the two services
- Feature differences, such as directory extensions, batching, differential queries, and so on
- Entity resource names and their types
- Properties of request and response objects
- Methods, including parameters and types
Examine the APIs used by your app, the permissions they require, and compare to the list of known differences.
Verify that the APIs your app needs are generally available in Microsoft Graph v1.0 and that these APIs work the same way.
In some cases, new capabilities and features are designed to replace earlier approaches.
Use Graph Explorer to experiment with new calls and to develop new approaches. For best results, sign in using the credentials of a test user in a test tenant, so that you can see what each call does without touching production data.
Beyond the API differences, also review:
- App registration and consent changes. The registration itself can be kept, but Microsoft Graph is a separate resource from Azure AD Graph, so the app needs Microsoft Graph permissions added and consented; the old Azure AD Graph permissions do not carry over.
- Token acquisition and authentication libraries.
- For .NET applications, use of client libraries.
Before updating your app for everyone, ensure you test thoroughly and stage your rollout to your customer audience.
Now that you’ve made the switch to Microsoft Graph, it’s never been easier to unlock many more datasets and features that are now at your fingertips. You can get a taste of what’s possible by looking at some of the major services and features in Microsoft Graph.
Microsoft authentication library (MSAL) is now the recommended authentication library for use with the Microsoft identity platform. If you’re currently using the Azure Active Directory Authentication Library (ADAL), plan to switch to MSAL. See further guidance to migrate applications to the Microsoft Authentication Library (MSAL).
Differences between delegated and application permissions
There is a good analogy from the on-premises world in how IIS runs code on behalf of users.
Delegated permissions are like IIS impersonation: the worker thread runs as the authenticated user for each request, so the code can do only what that user is allowed to do. Application permissions are like running under the application pool identity: the code acts as one fixed service identity with its own rights, whether or not any user is signed in.
- Delegated permissions are used by apps that have a signed-in user present. For these apps, either the user or an administrator consents to the permissions that the app requests and the app can act as the signed-in user when making calls to Microsoft Graph. Some delegated permissions can be consented by non-administrative users, but some higher-privileged permissions require administrator consent.
- Application permissions are used by apps that run without a signed-in user present, for example apps that run as background services or daemons. Application permissions can only be consented by an administrator. Because nothing scopes them to a user, an application permission such as Mail.Read gives the app every mailbox in the tenant, so they need the strictest review.
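The distinction shows up directly in the directory objects, which is how you can audit it. The following added example (not code from the original post) assumes a Connect-MgGraph session with Application.Read.All. The first function reads what an app registration requests (RequiredResourceAccess, where Type 'Scope' is delegated and Type 'Role' is application) and resolves the GUIDs to names via the resource's service principal; the second reads what has actually been granted in the tenant (app role assignments for application permissions, OAuth2 permission grants for delegated ones). Requested and granted are different things, and the granted list is the one that matters for risk.

```powershell
# Added example, not from the original post. Assumes a Connect-MgGraph session
# with Application.Read.All.
function Get-AppRequestedPermission {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$AppId)   # the registration's Application (client) ID

    $app = Get-MgApplication -Filter "appId eq '$AppId'" -Property DisplayName,RequiredResourceAccess
    if (-not $app) { throw "No app registration with appId $AppId" }

    foreach ($rra in $app.RequiredResourceAccess) {
        # The resource (e.g. Microsoft Graph) is itself a service principal that publishes
        # its delegated scopes (Oauth2PermissionScopes) and application roles (AppRoles).
        $resource = Get-MgServicePrincipal -Filter "appId eq '$($rra.ResourceAppId)'" -Property DisplayName,Oauth2PermissionScopes,AppRoles
        foreach ($access in $rra.ResourceAccess) {
            if ($access.Type -eq 'Scope') {
                $kind = 'Delegated'
                $name = ($resource.Oauth2PermissionScopes | Where-Object Id -eq $access.Id).Value
            } else {
                $kind = 'Application'
                $name = ($resource.AppRoles | Where-Object Id -eq $access.Id).Value
            }
            [pscustomobject]@{
                App        = $app.DisplayName
                Resource   = if ($resource) { $resource.DisplayName } else { $rra.ResourceAppId }
                Kind       = $kind
                # Falls back to the raw id when the resource is not present in this tenant.
                Permission = if ($name) { $name } else { $access.Id }
            }
        }
    }
}

function Get-AppGrantedPermission {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$AppId)

    $sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
    if (-not $sp) { throw "No service principal for appId $AppId; the app has never been consented in this tenant" }

    # Application permissions that were granted = app role assignments held by the service principal.
    # These are always tenant-wide and always admin-consented.
    foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
        $resource = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId -Property AppRoles
        [pscustomobject]@{
            Kind         = 'Application'
            Resource     = $a.ResourceDisplayName
            Permission   = ($resource.AppRoles | Where-Object Id -eq $a.AppRoleId).Value
            ConsentedFor = 'tenant'
        }
    }
    # Delegated permissions that were granted = OAuth2 permission grants; Scope is a
    # space-separated list, ConsentType tells admin (AllPrincipals) from user (Principal) consent.
    foreach ($g in Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All) {
        $resource = Get-MgServicePrincipal -ServicePrincipalId $g.ResourceId -Property DisplayName
        foreach ($scope in ($g.Scope -split ' ' | Where-Object { $_ })) {
            [pscustomobject]@{
                Kind         = 'Delegated'
                Resource     = $resource.DisplayName
                Permission   = $scope
                ConsentedFor = if ($g.ConsentType -eq 'AllPrincipals') { 'tenant' } else { "user $($g.PrincipalId)" }
            }
        }
    }
}

# Usage (replace the id with a real Application (client) ID from your tenant):
# Get-AppRequestedPermission -AppId '00000000-0000-0000-0000-000000000000' | Format-Table -AutoSize
# Get-AppGrantedPermission   -AppId '00000000-0000-0000-0000-000000000000' | Format-Table -AutoSize
```

When migrating, run the granted view before and after: anything that shows up as Kind = Application against Microsoft Graph is a permission the app can exercise with no user in the loop, and it should be there because someone decided so, not because the old Azure AD Graph permission was copied across one-for-one.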