Merge pull request #17357 from sethmanheim/hub-graph314

prmerger-automator[bot] · web-flow · commit 0e61984aa7d3 · 2025-03-17T16:21:59.000Z
Updates to Graph API retirement steps/script
diff --git a/azure-stack/operator/graph-api-retirement.md b/azure-stack/operator/graph-api-retirement.md
@@ -4,7 +4,7 @@ description: Learn how to mitigate the retirement of the Entra ID Graph API.
 author: sethmanheim
 ms.author: sethm
 ms.topic: conceptual
-ms.date: 02/25/2025
+ms.date: 03/14/2025
 ms.reviewer: rtiberiu
 
 ---
@@ -26,12 +26,12 @@ To ensure that your Azure Stack Hub environments that use Entra ID as an identit
 
 ## Run the script
 
-Run the following PowerShell script in your Entra ID environment that is used by Azure Stack Hub as the "home directory" (the main identity provider of your Azure Stack Hub). The script interacts with Azure, so you don't need to run it on a specific machine. However, you need at least "application administrator" privileges in the respective Entra ID tenant to run the script.
+Run the following PowerShell script in your Entra ID environment that's used by Azure Stack Hub as the *home directory* (the main identity provider of your Azure Stack Hub), as well as the Entra ID environment to which you registered your Azure Stack Hub system. This might be a different directory than your home directory. The script interacts with Azure, so you don't need to run it on a specific machine. However, you need at least **application administrator** privileges in the respective Entra ID tenant to run the script.
 
 Make sure to run the following script with administrator privileges on the local machine:
 
 ```powershell
-# Install the graph modules if necessary
+# Install the Graph modules if necessary
 #Install-Module Microsoft.Graph.Authentication
 #Install-Module Microsoft.Graph.Applications
  
@@ -42,22 +42,22 @@ Import-Module Microsoft.Graph.Applications
 # Repeat this flow for each of your target directory tenants
 $tenantId = 'MyTenantId'
  
-# Sign-in with admin permissions to read and write all application objects
+# Sign in with admin permissions to read and write all application objects
 Connect-MgGraph -TenantId $tenantId -Scopes Application.ReadWrite.All
  
 # Retrieve all applications in the current directory
 Write-Host "Looking-up all applications in directory '$tenantId'..."
 $applications = Get-MgApplication -All -Property id, displayName, appId, identifierUris, requiredResourceAccess, authenticationBehaviors
 Write-Host "Found '$($applications.Count)' total applications in directory '$tenantId'"
  
-# Find all the unique deployment guids, each one representing an Azure Stack deployment in the current directory
+# Find all the unique deployment GUIDs, each one representing an Azure Stack deployment or registration in the current directory
 $deploymentGuids = $applications.IdentifierUris |
-    Where-Object { $_ -like 'https://management.*' -or $_ -like 'https://adminmanagement.*' } |
+    Where-Object { $_ -like 'https://management.*' -or $_ -like 'https://adminmanagement.*' -or $_ -like 'https://azurebridge.*' } |
     ForEach-Object { "$_".Split('/')[3] } |
     Select-Object -Unique
-Write-Host "Found '$($deploymentGuids.Count)' total Azure Stack deployments in directory '$tenantId'"
+Write-Host "Found '$($deploymentGuids.Count)' total Azure Stack deployments or registrations in directory '$tenantId'"
  
-# Find all the Azure Stack application objects for each deployment
+# Find all the Azure Stack application objects for each deployment or registration
 $azureStackApplications = @()
 foreach ($application in $applications)
 {
@@ -66,19 +66,22 @@ foreach ($application in $applications)
         if (($application.IdentifierUris -join '') -like "*$deploymentGuid*")
         {
             $azureStackApplications += $application
+            break
         }
     }
 }
  
-# Find which Azure Stack applications require access to Legacy Graph Service
+# Find which Azure Stack applications require access to the legacy Graph Service
 $azureStackLegacyGraphApplications = $azureStackApplications |
-    Where-Object { $_.RequiredResourceAccess.ResourceAppId -contains '00000002-0000-0000-c000-000000000000' }
+    Where-Object {
+        ($_.RequiredResourceAccess.ResourceAppId -contains '00000002-0000-0000-c000-000000000000') -or
+        ($_.IdentifierUris | Where-Object { $_ -like 'https://azurebridge.*' }) }
  
-# Find which of those applications need to have their authentication behaviors patched to allow access to Legacy Graph
+# Find which of those applications need to have their authentication behaviors patched to allow access to legacy Graph
 $azureStackLegacyGraphApplicationsToUpdate = $azureStackLegacyGraphApplications |
     Where-Object { -not ($ab = $_.AdditionalProperties.authenticationBehaviors) -or -not $ab.ContainsKey(($key='blockAzureADGraphAccess')) -or $ab[$key] }
  
-# Update the applications which require their authentication behaviors patched to allow access to Legacy Graph
+# Update the applications that require their authentication behaviors patched to allow access to legacy Graph
 Write-Host "Found '$($azureStackLegacyGraphApplicationsToUpdate.Count)' total Azure Stack applications which need permission to continue calling Legacy Microsoft Graph Service"
 $count = 0
 foreach ($application in $azureStackLegacyGraphApplicationsToUpdate)
