Support Microsoft Graph

[tman5]

SUMMARY

The Azure AD Graph API is no longer being updated come June 30, 2020. End of life is June 2022. I have tried to use the newer Graph API permissions for a service principal in Azure and it does not work. The Ansible module returns an insufficient permissions error.

ISSUE TYPE

• Support Microsoft Graph API

COMPONENT NAME

I have tested with azure_rm_adgroup_info to get group info with a service principal having Graph API permissions and it will fail with insufficient permissions even though the service principal account has the permissions. The only workaround is to apply the legacy Microsoft Graph API permissions and then it works successfully.

ADDITIONAL INFORMATION

Here is the post from Microsoft about the issue.
https://techcommunity.microsoft.com/t5/azure-active-directory-identity/update-your-applications-to-use-microsoft-authentication-library/ba-p/1257363

[Fred-sun]

@tman5 Can you refer to question #573? It will help to you! Thank you very much!
#573 (comment)

[Fred-sun]

@tman5 Can you set "auth_source: cli" in the playbook to retry? The current 'ad' related modules only support CLI Credentials (az login). Thank you very much!

[l3ender]

In similar vein, I received this email from Microsoft today:

Update your apps that use Azure AD Graph before 30 June 2022

You're receiving this email because you use Azure Active Directory Graph (Azure AD Graph).

On 30 June 2022, we'll retire Azure AD Graph. Before that date, you'll need to update your apps that use it to instead use Microsoft Graph, which provides all of the functionality of Azure AD Graph plus new features, including:

• A single endpoint for APIs from Azure AD and other services, such as Microsoft Teams, Exchange, and Intune.
• Built-in support for retry handling, secure redirects, transparent authentication, and payload compression.

Required action

To avoid service disruptions, Identify your apps that use Azure AD Graph and update them to use Microsoft Graph before 30 June 2022.

If you have questions, ask community experts in Microsoft Q&A or contact us.

[tman5]

So @Fred-sun we currently cannot use a service principal to authenticate with if we aren't using graph yet?

[l3ender]

@tman5 I am successfully using a service principal with AD modules but had to grant access to the legacy APIs. See #573 (comment).

[l3ender]

See also: #477.

[Fred-sun]

@tman5 Would you give a try? those dependence file has upgrade to new. Thank you very much!

[d2a-pnagel]

Any hints on when support for the Microsoft Graph API (and removing dependency on deprecated Windows Azure Active Directory) is to be expected?

[Fred-sun]

@d2a-pnagel Being upgraded!

[Fred-sun]

@l3ender @tman5 @d2a-pnage It has supported in PR #1112, Please review! Thank you very much!

[Fred-sun]

@tman5 Already support msgraph-sdk in version 2.1.0. Thank you very much!