Overview
This article addresses an issue where groups configured for an Azure AD Enterprise connection using the Azure Active Directory v1 Identity API stop displaying as expected. Warnings related to this issue appear in the tenant logs.
Unable to get extended attributes: {"odata.error":{"code":"Authentication_Unauthorized","codeForMetrics":"Authentication_Unauthorized","message":{"lang":"en","value":"Access blocked to AAD Graph API for this application. https:///AzureADGraphMigration."}}}
Applies To
- Azure AD Enterprise Connection
Cause
Microsoft is deprecating the Azure AD Graph API. For more details, see Migrate your apps from Azure AD Graph to Microsoft Graph | Microsoft.
- Azure may block Azure AD Graph API requests from an application that has not opted in to the extended Azure AD Graph API access (available through June 30th, 2025).
Solution
Migrate the Azure connection’s Identity API found in the connection’s settings to Microsoft Identity Platform v2.
The Microsoft Graph delegated permissions listed below must be enabled on the Azure application to allow Auth0 to sign in users and read profiles. Details are available in Add permissions | Connect Your App to Microsoft Azure Active Directory.
| Delegated Permissions | Description |
|---|---|
| Users > User.Read | So your app can sign in users and read the signed-in users' profiles. |
| Directory > Directory.Read.All | So your app can read directory data on the signed-in user's behalf. |
All Azure AD connections should be moved to Microsoft Identity Platform v2 before Microsoft’s June 30th, 2025 deprecation.
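The following Python script is an added example, not part of this article or of Auth0's own tooling. It shows how an operator can find the connections that need this migration before the deadline: it scans exported tenant log entries for the "Access blocked to AAD Graph API" warning quoted above, lists Azure AD (`waad`) connections whose Identity API is still v1, and builds the `options` payload to send to the Management API's connection update endpoint. The log entries and connection objects are constructed samples; the `identity_api` field and its two values are assumed from Auth0's connection options and should be checked against your own tenant's connection JSON. The script does not call any API itself.

```python
import json
from typing import Iterable, List, Optional, Set

# Values assumed for the Auth0 waad connection's options.identity_api field
# (assumption: verify against your tenant's exported connection JSON).
IDENTITY_API_V1 = "azure-active-directory-v1.0"
IDENTITY_API_V2 = "microsoft-identity-platform-v2.0"

# Phrase from the warning quoted in the article.
AAD_GRAPH_BLOCKED = "Access blocked to AAD Graph API"

# Constructed sample tenant log entries (type "w" = warning). The first
# description is the article's warning; the others show what must be ignored.
SAMPLE_LOGS = [
    {
        "type": "w",
        "connection": "azure-ad-corp",
        "description": (
            'Unable to get extended attributes: {"odata.error":{"code":'
            '"Authentication_Unauthorized","codeForMetrics":'
            '"Authentication_Unauthorized","message":{"lang":"en","value":'
            '"Access blocked to AAD Graph API for this application. '
            'https:///AzureADGraphMigration."}}}'
        ),
    },
    {
        "type": "w",
        "connection": "azure-ad-corp",
        "description": (
            'Unable to get extended attributes: {"odata.error":{"code":'
            '"Request_ResourceNotFound","message":{"lang":"en","value":'
            '"Resource not found."}}}'
        ),
    },
    {"type": "s", "connection": "azure-ad-v2", "description": "Successful login"},
]

# Constructed sample connection objects as returned by GET /api/v2/connections.
SAMPLE_CONNECTIONS = [
    {"id": "con_corp", "name": "azure-ad-corp", "strategy": "waad",
     "options": {"tenant_domain": "corp.example.com", "identity_api": IDENTITY_API_V1}},
    {"id": "con_legacy", "name": "azure-ad-legacy", "strategy": "waad",
     "options": {"tenant_domain": "legacy.example.com"}},
    {"id": "con_v2", "name": "azure-ad-v2", "strategy": "waad",
     "options": {"tenant_domain": "v2.example.com", "identity_api": IDENTITY_API_V2}},
    {"id": "con_google", "name": "google", "strategy": "google-oauth2", "options": {}},
]


def parse_odata_error(description: str) -> Optional[dict]:
    """Return the odata.error object embedded in a log description, if any."""
    start = description.find("{")
    if start == -1:
        return None
    try:
        return json.loads(description[start:]).get("odata.error")
    except (ValueError, AttributeError):
        return None


def is_aad_graph_blocked(entry: dict) -> bool:
    """True only for the specific Authentication_Unauthorized / Graph-blocked warning."""
    if entry.get("type") != "w":
        return False
    err = parse_odata_error(entry.get("description", ""))
    if not err or err.get("code") != "Authentication_Unauthorized":
        return False
    return AAD_GRAPH_BLOCKED in (err.get("message") or {}).get("value", "")


def blocked_connections(logs: Iterable[dict]) -> Set[str]:
    """Names of connections that produced the Graph-blocked warning."""
    return {e["connection"] for e in logs if e.get("connection") and is_aad_graph_blocked(e)}


def connections_on_v1(connections: Iterable[dict]) -> List[str]:
    """waad connections still on the v1 Identity API. A missing identity_api is
    treated as v1, the legacy default (assumption)."""
    return [c["name"] for c in connections
            if c.get("strategy") == "waad"
            and c.get("options", {}).get("identity_api", IDENTITY_API_V1) == IDENTITY_API_V1]


def migration_patch(connection: dict) -> dict:
    """Body for PATCH /api/v2/connections/{id}. The Management API replaces the
    whole options object, so the existing options are merged, not dropped."""
    options = dict(connection.get("options", {}))
    options["identity_api"] = IDENTITY_API_V2
    return {"options": options}


def audit(logs: Iterable[dict], connections: Iterable[dict]) -> List[dict]:
    """Every connection needing migration, with whether it already warned."""
    connections = list(connections)
    blocked = blocked_connections(logs)
    by_name = {c["name"]: c for c in connections}
    names = sorted(set(connections_on_v1(connections)) | (blocked & set(by_name)))
    return [{"name": n, "id": by_name[n]["id"], "warned": n in blocked,
             "patch": migration_patch(by_name[n])} for n in names]


if __name__ == "__main__":
    for row in audit(SAMPLE_LOGS, SAMPLE_CONNECTIONS):
        print(json.dumps(row, indent=2))
```

Run it against a real export by loading your tenant log search results and `GET /api/v2/connections` output into the two lists; the `patch` field is what to send per connection after the Microsoft Graph delegated permissions from the table above are granted on the Azure application.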