Azure Active Directory Graph API Deprecation and Impact to MobiControl Customers

Publish Date: 23-Nov-2021 SOTI MobiControl

Summary

Issue 

Starting June 30th, 2022, Microsoft will end support for Azure Active Directory (AD) Graph APIs and will no longer provide technical support or security updates. MobiControl will no longer receive responses from the Azure AD Graph endpoint after this date. 

Related SOTI ONE Platform Products

SOTI MobiControl

Process Description


What is Azure AD Graph API? 

Azure AD Graph APIs provide programmatic access to Azure AD to retrieve information about users, groups, and permissions. MobiControl uses Azure AD Graph APIs to authenticate users and grant them access based on their available permissions within the organization.

 

Who is impacted by this change? 

Customers that are using MobiControl v13.0.0 or higher and are utilizing Azure AD for one of the following MobiControl features will be impacted by this change: 

  • Device Enrollment 
  • Users and Permissions 
  • Web Console Access 
  • Shared Device 
  • Assigning User to Device 
  • Configuring Email Server 

 

Resolution 

Support for Microsoft Graph APIs is introduced as of MobiControl v15.5.0. Impacted customers should upgrade to v15.5.0 or higher before June 30th, 2022, to avoid losing critical functionality within MobiControl.

Before upgrading to MobiControl v15.5.0, customers need to set the required application permissions to the equivalent Microsoft Graph permissions on the Microsoft Azure Portal. Note that the permissions set for the Azure AD Graph API do not automatically transfer to the Microsoft Graph API, so the user will have to update the permissions manually.

To update the permissions on the Microsoft Azure Portal, navigate to your MobiControl application and select the “API permissions” tab in the sidebar. From here, use the “Add a permission” button to add Microsoft Graph permissions for your MobiControl application.

When you click the “Add a permission” button, a sidebar appears that lets you choose the API to add a permission for. Select “Microsoft Graph” under “Microsoft APIs”.

You will be asked what type of permission your application requires. Select “Application permissions” and search for the following permissions: 

  • Device.ReadWrite.All
  • Directory.Read.All
  • Directory.ReadWrite.All

Note that the permissions added before were Application permissions. Delegated permissions that were granted for Azure AD will implicitly be granted for Microsoft Graph as well; however, we recommend also adding your delegated permissions to Microsoft Graph manually, for visibility.

  • Group.Read.All 
  • Group.ReadWrite.All 

This covers all of the permissions that are necessary for regular MobiControl functionality. Any other Application and Delegated permissions that you wish to apply to your implementation of Microsoft Graph API can be added as well. 
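
A pre-upgrade check for the permissions listed above, as an added example that is not SOTI's or Microsoft's code: it decodes an app-only access token issued to the MobiControl app registration (acquiring the token is outside the example) and reports whether it targets Microsoft Graph and carries the listed permissions in its `roles` claim. Treating all five listed permissions as application permissions is an assumption, as are the function names and the constructed sample token.

```python
import base64
import json

# Permission names taken from the article; checking all five as application
# permissions (the "roles" claim) is an assumption of this example.
REQUIRED_ROLES = frozenset({
    "Device.ReadWrite.All", "Directory.Read.All", "Directory.ReadWrite.All",
    "Group.Read.All", "Group.ReadWrite.All",
})
MS_GRAPH_AUDIENCES = {"https://graph.microsoft.com",
                      "00000003-0000-0000-c000-000000000000"}
LEGACY_AAD_GRAPH_AUDIENCES = {"https://graph.windows.net",
                              "00000002-0000-0000-c000-000000000000"}


def decode_claims(token: str) -> dict:
    """Return the JWT payload. Inspection only: the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected three dot-separated parts)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_graph_token(token: str, required=REQUIRED_ROLES) -> dict:
    """Report which API the token targets and which required roles are missing."""
    claims = decode_claims(token)
    aud = str(claims.get("aud", "")).rstrip("/")
    if aud in MS_GRAPH_AUDIENCES:
        api = "microsoft-graph"
    elif aud in LEGACY_AAD_GRAPH_AUDIENCES:
        api = "legacy-azure-ad-graph"
    else:
        api = "other"
    granted = set(claims.get("roles", []))  # app-only tokens list permissions here
    missing = sorted(set(required) - granted)
    return {"api": api, "missing": missing,
            "ready": api == "microsoft-graph" and not missing}


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token for the demo below."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    sample = make_sample_token({"aud": "https://graph.microsoft.com",
                                "roles": ["Directory.Read.All", "Group.Read.All"]})
    print(check_graph_token(sample))
```

A result of `legacy-azure-ad-graph` means the token was still requested for the Azure AD Graph resource, and a non-empty `missing` list means the corresponding Microsoft Graph permissions have not yet been added and consented.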

 

After the upgrade to MobiControl version 15.5.0 finishes, if the MobiControl installer detects any existing Azure AD configuration, the API Address URL stored in the MobiControl database will be updated automatically to the corresponding address for the Microsoft Graph API. Note that if the address previously used for the Azure AD Graph API was a proxy address, it must be changed manually in the MobiControl configuration to point to a valid Microsoft Graph API address (i.e., https://graph.microsoft.com).
