
Microsoft will remove the Azure AD Graph API from “early September 2025” according to an official post at the end of last week, completing a process that began six years ago and has been repeatedly delayed.
Azure AD, now called Entra ID, is the directory used by Office 365 and other Microsoft cloud applications. Custom applications used the API and associated libraries to authenticate users from their business or partner organizations.
In 2020, a post from Alex Simons, now corporate VP of cloud services and enterprise security, said the Azure AD Graph API and Azure AD Authentication Library (ADAL) would be feature-frozen from June 2022, in favour of the Microsoft Graph API and Microsoft Authentication Library (MSAL), which have a richer set of features and support for Microsoft (personal) as well as Entra ID accounts.
ADAL end of support was later postponed until June 2023 because of “feedback about the challenges of migrating such a critical dependency,” after which Microsoft said “while ADAL apps may continue to work, no support or security fixes will be provided.”
The new post states that affected applications will no longer work at all once the deadline is reached. In addition, organizations can “expect one to two temporary outage tests of 8-24hrs in duration” between July and September.
Why outage tests? We presume that the company is worried about customer or perhaps internal app breakage when the API is removed, and that the temporary outage could smoke these problems out before it is too late.
Although Microsoft has come up with migration guides, migration is not always easy. One issue is knowing which applications use these libraries. API usage should show up in Microsoft Entra Recommendations in the Entra ID admin center. The company also has a sign-ins workbook, introduced one year ago, which shows sign-in information for applications, including which library is used.
There are both Microsoft and third-party applications which use ADAL or the Azure AD Graph API, including PowerShell modules and libraries such as Microsoft.Azure.KeyVault and Microsoft.Azure.Management.Automation. It is not obvious that these packages, which are also deprecated, depend on the API which is being removed. This is why viewing the API activity centrally is the only reliable way to identify them.
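An added example, not from Microsoft or the original article, of the kind of central check described above: it scans exported sign-in records for apps that sign in with ADAL or request tokens for Azure AD Graph. The field names (`appId`, `appDisplayName`, `resourceId`, `authenticationProcessingDetails`), the library key and the `Family: ...` value layout are assumptions about the export shape, and the sample records are constructed.

```python
import re

AAD_GRAPH_RESOURCE_ID = "00000002-0000-0000-c000-000000000000"  # Azure AD Graph (well-known ID)
MS_GRAPH_RESOURCE_ID = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph (well-known ID)
LIB_KEY = "Azure AD App Authentication Library"  # assumed key name in the export

def _lib(value):
    return [{"key": LIB_KEY, "value": value}]

# Constructed sample records (not real tenant data); app IDs and versions are made up.
SAMPLE_RECORDS = [
    {"appId": "app-0001", "appDisplayName": "Legacy HR portal", "resourceId": AAD_GRAPH_RESOURCE_ID,
     "authenticationProcessingDetails": _lib("Family: ADAL Library: ADAL.NET 5.2.9.0 Platform: .NET 4.5")},
    {"appId": "app-0001", "appDisplayName": "Legacy HR portal", "resourceId": MS_GRAPH_RESOURCE_ID,
     "authenticationProcessingDetails": _lib("Family: ADAL Library: ADAL.NET 5.2.9.0 Platform: .NET 4.5")},
    {"appId": "app-0002", "appDisplayName": "Inventory sync", "resourceId": AAD_GRAPH_RESOURCE_ID.upper(),
     "authenticationProcessingDetails": _lib("Family: MSAL Library: MSAL.Python 1.24.0 Platform: Python")},
    {"appId": "app-0003", "appDisplayName": "Reporting site", "resourceId": MS_GRAPH_RESOURCE_ID,
     "authenticationProcessingDetails": _lib("Family: MSAL Library: MSAL.NET 4.60.0 Platform: .NET 8")},
    {"appId": "app-0004", "appDisplayName": "Old script", "resourceId": None,
     "authenticationProcessingDetails": None},
]

def library_family(record):
    """Return the reported library family in upper case, or None if absent."""
    for item in record.get("authenticationProcessingDetails") or []:
        if item.get("key") == LIB_KEY:
            match = re.search(r"Family:\s*(\w+)", item.get("value") or "")
            return match.group(1).upper() if match else None
    return None

def find_affected_apps(records):
    """Map appId -> name, reasons and sign-in count for apps needing migration."""
    affected = {}
    for rec in records:
        reasons = set()
        if library_family(rec) == "ADAL":
            reasons.add("signs in with ADAL")
        if (rec.get("resourceId") or "").lower() == AAD_GRAPH_RESOURCE_ID:
            reasons.add("requests Azure AD Graph tokens")
        if reasons:
            entry = affected.setdefault(rec["appId"], {
                "name": rec.get("appDisplayName"), "reasons": set(), "sign_ins": 0})
            entry["reasons"] |= reasons
            entry["sign_ins"] += 1
    return affected

if __name__ == "__main__":
    print(find_affected_apps(SAMPLE_RECORDS))
```

Records that carry no library information, like the last sample, are not flagged, so an empty result does not show that an app is unaffected. The second sample app uses MSAL yet still targets Azure AD Graph, which is why the resource is checked separately from the library.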
Many older SDKs are impacted, including for .NET, JavaScript, Java, Python, Android and iOS.
Developers tasked with migrating applications, or creating new ones, that use Entra ID for authentication can expect to navigate some complexity. Microsoft has come up with extensive sample code for using the new up-to-date libraries, such as this for ASP.NET Core web applications. While the existence of these samples is welcome, it also shows some annoying limitations and complications, and that some features require premium Entra ID subscriptions.
Despite these issues, having applications that use Entra ID for authentication and authorization is a big win for customers of Microsoft’s cloud, since it allows central management of this aspect of security.