
Support Microsoft Graph

Open tman5 opened this issue 4 years ago • 6 comments

SUMMARY

The Azure AD Graph API is no longer being updated come June 30, 2020. End of life is June 2022. I have tried to use the newer Graph API permissions for a service principal in Azure and it does not work. The Ansible module returns an insufficient permissions error.

ISSUE TYPE

  • Support Microsoft Graph API

COMPONENT NAME

I have tested with azure_rm_adgroup_info to get group info with a service principal having Graph API permissions and it will fail with insufficient permissions even though the service principal account has the permissions. The only workaround is to apply the legacy Microsoft Graph API permissions and then it works successfully.

ADDITIONAL INFORMATION

Here is the post from Microsoft about the issue. https://techcommunity.microsoft.com/t5/azure-active-directory-identity/update-your-applications-to-use-microsoft-authentication-library/ba-p/1257363


tman5 avatar Jul 06 '21 18:07 tman5

@tman5 Can you refer to question #573? It will help you! Thank you very much! https://github.com/ansible-collections/azure/issues/573#issuecomment-875920457

Fred-sun avatar Jul 08 '21 00:07 Fred-sun

@tman5 Can you set "auth_source: cli" in the playbook to retry? The current 'ad' related modules only support CLI Credentials (az login). Thank you very much!

Fred-sun avatar Aug 13 '21 02:08 Fred-sun

In a similar vein, I received this email from Microsoft today:

Update your apps that use Azure AD Graph before 30 June 2022

You're receiving this email because you use Azure Active Directory Graph (Azure AD Graph).

On 30 June 2022, we'll retire Azure AD Graph. Before that date, you'll need to update your apps that use it to instead use Microsoft Graph, which provides all of the functionality of Azure AD Graph plus new features, including:

  • A single endpoint for APIs from Azure AD and other services, such as Microsoft Teams, Exchange, and Intune.
  • Built-in support for retry handling, secure redirects, transparent authentication, and payload compression.

Required action

To avoid service disruptions, identify your apps that use Azure AD Graph and update them to use Microsoft Graph before 30 June 2022.

If you have questions, ask community experts in Microsoft Q&A or contact us.

l3ender avatar Aug 20 '21 01:08 l3ender

So @Fred-sun we currently cannot use a service principal to authenticate with if we aren't using graph yet?

tman5 avatar Aug 23 '21 15:08 tman5

@tman5 I am successfully using a service principal with AD modules but had to grant access to the legacy APIs. See https://github.com/ansible-collections/azure/issues/573#issuecomment-875920457.

l3ender avatar Aug 23 '21 16:08 l3ender

See also: https://github.com/ansible-collections/azure/issues/477.

l3ender avatar Oct 15 '21 00:10 l3ender

@tman5 Would you give it a try? Those dependency files have been upgraded. Thank you very much!

Fred-sun avatar Feb 15 '23 14:02 Fred-sun

Any hints on when support for the Microsoft Graph API (and removing dependency on deprecated Windows Azure Active Directory) is to be expected?

d2a-pnagel avatar Mar 09 '23 13:03 d2a-pnagel

@d2a-pnagel Being upgraded!

Fred-sun avatar Mar 10 '23 00:03 Fred-sun

@l3ender @tman5 @d2a-pnage It has been supported in PR #1112. Please review! Thank you very much!

Fred-sun avatar Mar 20 '23 01:03 Fred-sun

@tman5 msgraph-sdk is already supported in version 2.1.0. Thank you very much!

Fred-sun avatar Jan 11 '24 13:01 Fred-sun