Microsoft has deprecated two formerly key authentication APIs for Azure Active Directory and many scripts and applications will stop working after June 30th 2022, including older versions of official utilities.
While it is Google that has the reputation for killing products, Google Cloud promised last month to keep its enterprise APIs stable. This time it is Microsoft customers that will feel the pain, with end of support for the Active Directory Authentication Library (ADAL) and the Azure AD Graph API.
Microsoft publishes all its Azure deprecations on GitHub, but while there are over 70 listed (with 11 more listed yesterday) it is the ADAL / AD Graph change that is the most problematic, even though the end of life dates were announced over a year ago.
The Azure AD Graph API is not to be confused with the Microsoft Graph API, which is alive and well. The Azure AD Graph API is an earlier effort, a REST API for managing users (create, read, update, delete) and groups in Azure AD, the directory used by Microsoft 365.
ADAL is a .NET library which issues authentication tokens enabling access to Microsoft APIs, or to custom applications that require an Azure AD login. ADAL was last updated in June 2020. The replacement for ADAL is the Microsoft Authentication Library (MSAL).
On June 30, 2022, “apps using Azure AD Graph after this time will no longer receive responses from the Azure AD Graph endpoint. Apps using ADAL on existing OS versions will continue to work after this time but will not get any technical support or security updates,” Microsoft said.
This deprecation/discontinuation is difficult for all sorts of reasons.
Use of these APIs is generally hidden from view, even sometimes to developers. A developer might have checked an option in a Visual Studio project template for “Authentication with Azure Active Directory” and ended up with an application that uses these APIs. The application perhaps got deployed to Azure App Service with another wizard, and there it sits, working well for the business until one day it does not.
A further complexity is that Microsoft itself used these APIs in its own tools and utilities. One example is the MSOnline module for PowerShell, used by admins to script user management operations.
“Customers are encouraged to use the newer Azure Active Directory V2 PowerShell module instead of this module,” say the docs. However, a user complained this week that “when I visit the new module there is nowhere near the level of functionality around domain management that there is with the version 1.0 module,” citing APIs that no longer exist in the newer module.
Microsoft’s official answer? “We don’t have an equivalent for Get-MsolDomainAuthentication right now, but eventually these will be part of MS Graph module. The Azure AD module will die with the AAD graph shutdown in 2022.”
As the user then responded, it makes for difficult choices. “My concern is I am currently developing scripts for customers which will need to be replaced by the Graph APIs. While I am implementing as much as I can with Graph it is frustrating knowing that some of the scripts will need to be modified but I am unable to give the customers a timeline on when that will need to be done.”
Think of this as one small corner of a potentially substantial problem, with thousands of scripts in use which may either stop working or be unsupported in nine months. The ADAL library on Nuget has, as of today, 160,772,485 downloads.
Another user said that Microsoft has a history of this kind of botched upgrade. “It’s quite frustrating that you never quite finish the job? We all started out writing PowerShell for the MSOL modules, and some stuff *still* requires that (like managing MFA). Then we all switched to the Azure AD modules, then the Azure AD modules which use MS Graph (like Get-AzureADMSGroup etc). Now we all have to switch to dedicated MS Graph modules… Since each of these changes involves rewriting automation scripts, how long will it be until you decide to change everything again? My colleagues and I are quite tired of updating scripts to keep existing functionality when the previous modules work just fine.”
Organizations using Azure AD Connect to synchronize on-premises AD with Azure AD must note that Microsoft has released AD Connect 2.0, saying that “the previous versions of Azure AD Connect shipped with the ADAL authentication library. This library will be deprecated in June 2022. The V2.0 release ships with the newer MSAL library.”
How do admins discover whether and how these deprecated APIs are in use? Microsoft has various bits of guidance, such as this one, which notes that any application which calls https://graph.windows.net is affected.
The company is also emailing admins with lists of applications it can detect, and it is possible to get reports from the Azure portal. That document also states that “there are no exceptions to this deprecation. Your apps will no longer receive responses from the Azure AD Graph endpoint after June 30, 2022.”
This applies even where “Microsoft Graph doesn’t support a feature that is supported by Azure AD Graph,” the company advises. The situation with ADAL is less clear, since it may continue to work on an unsupported basis.
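Microsoft's emailed lists and portal reports only cover applications it can observe signing in; they will not find the script sitting on a file share, or the Visual Studio template dependency described earlier, until it runs. The following scanner is an added example, not from the article and not one of Microsoft's tools. It walks a set of source, config and script files looking for the indicators the article names (the https://graph.windows.net endpoint, the MSOnline cmdlets) plus a few the article does not name but which are the well-known package and module identifiers for these surfaces: the ADAL NuGet package `Microsoft.IdentityModel.Clients.ActiveDirectory`, the MSAL package `Microsoft.Identity.Client`, the `Connect-AzureAD`/`Get-AzureAD*` cmdlets of the Azure AD module, and the `Connect-MgGraph` cmdlet of the Microsoft Graph module. The sample files are constructed for the example; the severity labels follow the article's own distinction that Azure AD Graph calls stop being answered while ADAL keeps working unsupported.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Indicators of the deprecated surfaces. graph.windows.net and the Msol
# cmdlets are named in the article; the package names and other cmdlet
# prefixes are the published identifiers for these libraries and modules.
INDICATORS = [
    ("aad-graph-endpoint", r"graph\.windows\.net", "stops working"),
    ("adal-nuget", r"Microsoft\.IdentityModel\.Clients\.ActiveDirectory", "unsupported"),
    ("adal-python", r"\bimport\s+adal\b|\bfrom\s+adal\s+import\b", "unsupported"),
    ("msonline-module",
     r"\b(Connect-MsolService|Get-Msol\w+|Set-Msol\w+|Import-Module\s+MSOnline)\b",
     "stops working"),
    ("azuread-module",
     r"\b(Connect-AzureAD|Get-AzureAD\w+|Import-Module\s+AzureAD)\b",
     "stops working"),
]

# Replacement surfaces; reported so a half-migrated file stands out.
REPLACEMENTS = [
    ("msal-nuget", r"Microsoft\.Identity\.Client"),
    ("ms-graph-endpoint", r"graph\.microsoft\.com"),
    ("ms-graph-module", r"\bConnect-MgGraph\b|\bImport-Module\s+Microsoft\.Graph\b"),
]

# Order of severity: an unanswered endpoint beats an unsupported library.
IMPACT_RANK = {"unsupported": 1, "stops working": 2}


@dataclass
class Finding:
    path: str
    line: int
    indicator: str
    impact: str
    text: str


def scan_text(path: str, content: str) -> List[Finding]:
    """Return one Finding per (line, indicator) match in a file's text."""
    findings = []
    for lineno, line in enumerate(content.splitlines(), start=1):
        for name, pattern, impact in INDICATORS:
            if re.search(pattern, line, re.IGNORECASE):
                findings.append(Finding(path, lineno, name, impact, line.strip()))
    return findings


def uses_replacement(content: str) -> List[str]:
    """Names of replacement surfaces (MSAL, Microsoft Graph) present in the file."""
    return [name for name, pat in REPLACEMENTS if re.search(pat, content, re.IGNORECASE)]


def scan_files(files: Dict[str, str]) -> Dict[str, dict]:
    """Scan a {path: content} map; files with no indicators are omitted."""
    report = {}
    for path, content in files.items():
        findings = scan_text(path, content)
        if not findings:
            continue
        worst = max((f.impact for f in findings), key=IMPACT_RANK.__getitem__)
        report[path] = {
            "worst": worst,
            "findings": findings,
            "replacements": uses_replacement(content),
        }
    return report


# Constructed sample inventory: an ASP.NET app wired up by a template, a
# half-migrated startup file, an MSOnline admin script and its migrated twin.
SAMPLE_FILES = {
    "WebApp/packages.config": (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        "<packages>\n"
        '  <package id="Microsoft.IdentityModel.Clients.ActiveDirectory" version="5.2.9" />\n'
        '  <package id="Newtonsoft.Json" version="13.0.1" />\n'
        "</packages>\n"
    ),
    "WebApp/appsettings.json": (
        '{ "AzureAd": { "Instance": "https://login.microsoftonline.com/",\n'
        '               "GraphResource": "https://graph.windows.net" } }\n'
    ),
    "WebApp/Startup.cs": (
        "using Microsoft.IdentityModel.Clients.ActiveDirectory;\n"
        "using Microsoft.Identity.Client;\n"
        'var result = await authContext.AcquireTokenAsync("https://graph.windows.net", cred);\n'
    ),
    "scripts/domains.ps1": (
        "Import-Module MSOnline\n"
        "Connect-MsolService\n"
        "Get-MsolDomainAuthentication -DomainName contoso.example\n"
    ),
    "scripts/domains-migrated.ps1": (
        'Connect-MgGraph -Scopes "Domain.Read.All"\n'
        "Get-MgDomain\n"
    ),
}


if __name__ == "__main__":
    for path, entry in scan_files(SAMPLE_FILES).items():
        print(f"{path}: {entry['worst']} (replacements present: {entry['replacements'] or 'none'})")
        for f in entry["findings"]:
            print(f"  line {f.line} [{f.indicator}] {f.text}")
```

Pointing `scan_files` at a real checkout means reading each file into the map; the worthwhile output is the per-file worst-case label, since a file whose only hit is the ADAL package can be scheduled behind one that calls graph.windows.net directly, and a file that already imports MSAL but still hands it the old resource URL is exactly the half-migration that will fail on July 1.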
Authentication libraries are unexciting but essential plumbing. The puzzle is why Microsoft is pulling the rug out from under so many applications and scripts, including its own.®