Overview
This article explains why an error occurs when using an Azure Active Directory (Azure AD) connection in Auth0. The issue affects Auth0 tenants that offer the option to configure Azure AD (or Entra ID) connections using either the Microsoft Identity Platform (v2) or the deprecated Azure Active Directory (v1) Identity Application Programming Interface (API). The v1 API option is typically present only in older tenants; newer tenants default to v2. Microsoft deprecated the v1 API as of February 1, 2025 (refer to Microsoft documentation for details).
If an Azure AD connection still uses the deprecated v1 API, authentication flows may fail to include groups from Azure AD (Entra ID), and the following error might appear in Auth0 logs:
Unable to get extended attributes: {"odata.error":{"code":"Authentication_Unauthorized","codeForMetrics":"Authentication_Unauthorized","message":{"lang":"en","value":"Access blocked to AAD Graph API for this application. https://<url>/AzureADGraphMigration."}}}
Applies To
- AzureAD Enterprise Connection
Cause
Microsoft has deprecated the Azure AD Graph API (v1) on their platform. Connections still using the Azure Active Directory (v1) Identity API option will begin to see a deterioration in service, starting with the missing-groups behavior and log error described above.
Solution
Update the Identity API option to use the supported Microsoft Identity Platform (v2).
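The following script is an added example and is not Auth0's own tooling. It shows how an administrator can find connections affected by this issue from two directions: scanning exported Auth0 log entries for the "Access blocked to AAD Graph API" error, and checking Azure AD (waad) connection objects returned by the Management API for the v1 Identity API option, then building the update that switches them to v2. It assumes the option is stored as options["identity_api"] with the values "azure-active-directory-v1.0" and "microsoft-identity-platform-v2.0"; confirm those names against a GET of one of your own connections before patching, and remember that PATCH /api/v2/connections/{id} replaces the whole options object, so the full existing options must be sent back. The log entries and connection ids below are constructed sample data.

```python
"""Audit Azure AD (waad) connections for the deprecated v1 Identity API.

Added example, not Auth0's own tooling. Assumed (verify with a GET on one of
your connections): the option key is options["identity_api"] and its values
are "azure-active-directory-v1.0" and "microsoft-identity-platform-v2.0".
"""
import json
import urllib.request

V1_IDENTITY_API = "azure-active-directory-v1.0"        # assumed option value
V2_IDENTITY_API = "microsoft-identity-platform-v2.0"   # assumed option value
GRAPH_BLOCK_MARKER = "Access blocked to AAD Graph API"  # phrase from the Auth0 log error

# Constructed sample of Auth0 log entries (field names follow the Management
# API log format; connection names and ids are made up for this example).
SAMPLE_LOGS = [
    {"date": "2025-02-03T09:12:44.000Z", "type": "s", "connection": "contoso-waad",
     "connection_id": "con_EXAMPLE01",
     "description": "Unable to get extended attributes: {\"odata.error\":{\"code\":"
                    "\"Authentication_Unauthorized\",\"message\":{\"lang\":\"en\","
                    "\"value\":\"Access blocked to AAD Graph API for this application.\"}}}"},
    {"date": "2025-02-03T09:13:02.000Z", "type": "s", "connection": "fabrikam-waad",
     "connection_id": "con_EXAMPLE02", "description": "Successful login"},
]


def connections_with_graph_block(logs):
    """Sorted, de-duplicated names of connections whose log entries carry the
    'Access blocked to AAD Graph API' error, the symptom of a v1 connection."""
    return sorted({entry["connection"] for entry in logs
                   if GRAPH_BLOCK_MARKER in entry.get("description", "")})


def uses_v1_identity_api(connection):
    """True when a waad connection object still carries the v1 Identity API option."""
    return (connection.get("strategy") == "waad"
            and connection.get("options", {}).get("identity_api") == V1_IDENTITY_API)


def migrated_options(options):
    """Copy of a connection's options with the Identity API switched to v2.

    Auth0's PATCH on a connection replaces the entire options object, so the
    caller must send back every existing option, not just the changed key."""
    updated = dict(options)
    updated["identity_api"] = V2_IDENTITY_API
    return updated


def _mgmt_request(domain, token, method, path, body=None):
    """Minimal Management API call; token needs read:connections and
    update:connections scopes."""
    req = urllib.request.Request(
        f"https://{domain}/api/v2{path}", method=method,
        data=None if body is None else json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def migrate_v1_connections(domain, token, dry_run=True):
    """List waad connections, report those on v1 and, unless dry_run, patch
    them to v2. Returns the names of connections that were (or would be) updated."""
    changed = []
    for conn in _mgmt_request(domain, token, "GET", "/connections?strategy=waad"):
        if not uses_v1_identity_api(conn):
            continue
        changed.append(conn["name"])
        if not dry_run:
            _mgmt_request(domain, token, "PATCH", f"/connections/{conn['id']}",
                          {"options": migrated_options(conn["options"])})
    return changed


if __name__ == "__main__":
    # Offline part: which connections show the error in the sample logs?
    print("connections logging the AAD Graph block:", connections_with_graph_block(SAMPLE_LOGS))
    # Online part (needs real values): migrate_v1_connections("TENANT.REGION.auth0.com", "TOKEN")
```

Run it with dry_run=True first to get the list of affected connections, then rerun with dry_run=False once you have confirmed the option names match what your tenant returns. After the change, the "Unable to get extended attributes" error should stop appearing for those connections and group claims should again be present in the tokens.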