New API endpoints for Azure and Azure Client Credentials
Note: This feature is available with SaaS Management.
The SaaS Management Microsoft Azure and Azure Client Credentials integrations have migrated from Microsoft Azure AD APIs to Microsoft Graph APIs. The Azure AD Graph API is now deprecated. Starting June 30, 2022, support ends for Azure AD Graph. Apps using Azure AD Graph after June 30, 2022 will no longer receive responses from the Azure AD Graph endpoint. We ask that you migrate to the Microsoft Graph APIs and refer to the following details.
• Action required for new SaaS Management integrations with Azure and Azure Client Credentials
• Actions required for existing SaaS Management Integrations with Azure and Azure Client Credentials
• Only publisher verified applications now display in SaaS Management
Action required for new SaaS Management integrations with Azure and Azure Client Credentials
You must grant permissions for Microsoft Graph API instead of Azure AD Graph API. Refer to the new API endpoints below.
New Azure and Azure Client Credentials API endpoints
Below are the new Microsoft Graph API endpoints.
• HR Roster: https://graph.microsoft.com/v1.0/users
• Application Discovery: https://graph.microsoft.com/v1.0/servicePrincipals
• SSO Application Access: https://graph.microsoft.com/v1.0/auditLogs/signIns
• SSO Application Roster: https://graph.microsoft.com/v1.0/users/<UserID>/appRoleAssignments
Actions required for existing SaaS Management Integrations with Azure and Azure Client Credentials
Because SaaS Management has migrated from Microsoft Azure AD APIs to Microsoft Graph APIs, existing Azure and Azure Client Credentials integrations will fail with a 401 Unauthorized error.
Actions for Existing Azure integrations
• Once the Azure integration tasks start failing, you must reauthorize the integration.
• When granting access to Microsoft Graph APIs, the offline_access permission is also required so that a refresh token can be generated.
Complete the following action to prevent this error for existing Azure Client Credentials integrations:
Update the existing permissions to the required Microsoft Graph API permissions:
• AuditLog.Read.All
• Directory.Read.All
Important: The Azure integration with SaaS Management will fail if consent is not given to both the AuditLog.Read.All and the Directory.Read.All permissions. For details, refer to the Microsoft List signIns documentation section.
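A preflight check for the consent requirement above, as an added example that is not part of the product documentation: it decodes an access token's claims (without verifying the signature) and reports whether the token targets Microsoft Graph and carries both permissions. The function names and sample tokens are constructed for illustration; the audience values are the well-known resource identifiers for Microsoft Graph and Azure AD Graph.

```python
import base64
import json

# Permissions the page lists as required for the integration.
REQUIRED = {"AuditLog.Read.All", "Directory.Read.All"}
# Well-known audience values: Microsoft Graph vs. the deprecated Azure AD Graph.
MS_GRAPH_AUD = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}
AAD_GRAPH_AUD = {"https://graph.windows.net", "00000002-0000-0000-c000-000000000000"}


def decode_claims(token):
    """Return the JWT payload as a dict. Inspection only: the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def preflight(token):
    """List reasons this access token would not satisfy the integration's requirements."""
    claims = decode_claims(token)
    problems = []
    aud = str(claims.get("aud", "")).rstrip("/")
    if aud in AAD_GRAPH_AUD:
        problems.append("token targets deprecated Azure AD Graph")
    elif aud not in MS_GRAPH_AUD:
        problems.append("unexpected audience: " + aud)
    # App-only (client credentials) tokens carry 'roles'; delegated tokens carry 'scp'.
    granted = set(claims.get("roles", [])) | set(claims.get("scp", "").split())
    for perm in sorted(REQUIRED - granted):
        problems.append("missing consent for " + perm)
    return problems


def make_sample(claims):
    """Build an unsigned token from constructed claims (sample data for this example)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "sig"])


if __name__ == "__main__":
    # Constructed token resembling one issued before the permissions were updated.
    old = make_sample({"aud": "https://graph.windows.net", "roles": ["Directory.Read.All"]})
    for problem in preflight(old):
        print(problem)
```

An empty list from `preflight` means the token's audience and permissions match what the integration needs; it says nothing about signature validity or expiry.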
Only publisher verified applications now display in SaaS Management
Previously, the SaaS Management Application Discovery integration task captured unverified and verified application publishers. Now the Application Discovery task only captures verified application publishers who have verified their identity using their Microsoft Partner Network (MPN) account and have associated this MPN account with their app registration. For details, see the Microsoft documentation Mark your app as publisher verified.
As a result:
• Only publishers verified by the Microsoft Partner Network are fetched.
• For applications with unverified publishers, the following will display in the managed SaaS application's Integrated Applications tab:
  • The SSO Integration column is set to false by default.
  • The Publisher column displays “unverified”.