Azure AD Graph Migration

Azure AD Graph reaches end of life on June 30. Before that date administrators must update to a version of Pritunl that supports Microsoft Graph; a supported version is indicated by the (OAuth v2) Azure Regions shown in the settings in the top right. After updating to a supported version, change the Azure Region to one of the (OAuth v2) regions, set the Azure API Version to Microsoft Graph and click Save. If issues continue, refer to the Azure Single Sign-On Documentation and verify that all settings match the guide. Create a new API secret, since the new API appears to enforce an earlier expiration of API secrets. Permissions should only be added; existing permissions must remain in place, as explained below.

After doing this, users will continue to connect with Azure AD Graph OAuth tokens until they open the web console and complete the Sign in with Azure authentication process, which generates new Microsoft Graph OAuth tokens. Eventually the remaining Azure AD Graph tokens will be forced over to Microsoft Graph; these may continue to work but are not guaranteed to work indefinitely.

If connection single sign-on is configured, this update occurs automatically the next time the user completes a connection without cached authentication. No user action is needed with this configuration.
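A way to tell which API a stored OAuth access token was issued for, as an added example that is not Pritunl's code: Azure AD sets the token's aud claim to https://graph.windows.net for Azure AD Graph and to https://graph.microsoft.com (or the well-known app id 00000003-0000-0000-c000-000000000000) for Microsoft Graph, so inspecting the claim shows whether a user still carries a legacy token and needs the new sign-in. This page does not describe where Pritunl stores the tokens, so the function takes the raw token string as input. The sample tokens are constructed inline and unsigned; the decoder deliberately does not verify signatures and is an inspection helper only, never a basis for trusting a token.

```python
import base64
import json
import time

# Audience values Azure AD places in access tokens for each API.
# Azure AD Graph (legacy) tokens carry the graph.windows.net audience;
# Microsoft Graph tokens carry graph.microsoft.com or its well-known app id.
AZURE_AD_GRAPH_AUDIENCES = {"https://graph.windows.net"}
MICROSOFT_GRAPH_AUDIENCES = {
    "https://graph.microsoft.com",
    "00000003-0000-0000-c000-000000000000",
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying its signature.

    Inspection only: nothing here proves the token is genuine.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token (expected 3 segments)")
    return json.loads(_b64url_decode(parts[1]))


def classify_token(token: str, now=None) -> dict:
    """Report which API a token targets and whether the user needs a new sign-in."""
    claims = decode_claims(token)
    # Azure AD sometimes emits the audience with a trailing slash; normalise it.
    aud = str(claims.get("aud", "")).rstrip("/")
    if aud in AZURE_AD_GRAPH_AUDIENCES:
        api = "azure_ad_graph"
    elif aud in MICROSOFT_GRAPH_AUDIENCES:
        api = "microsoft_graph"
    else:
        api = "unknown"
    now = time.time() if now is None else now
    exp = claims.get("exp")
    return {
        "api": api,
        "aud": aud,
        "tenant": claims.get("tid"),
        "expired": exp is not None and exp <= now,
        # Anything that is not already a Microsoft Graph token must be replaced
        # by having the user complete Sign in with Azure again.
        "needs_resignin": api != "microsoft_graph",
    }


def make_sample_token(claims: dict) -> str:
    # Builds a structurally valid but unsigned token for offline testing.
    # Constructed sample: not a real Azure AD token and not signed by anyone.
    header = {"typ": "JWT", "alg": "RS256", "kid": "constructed"}
    return ".".join(
        [_b64url_encode(header), _b64url_encode(claims), _b64url_encode({"sig": "constructed"})]
    )


# Constructed sample tokens (tenant id, app id and expiry are placeholders).
LEGACY_TOKEN = make_sample_token(
    {
        "aud": "https://graph.windows.net/",
        "tid": "00000000-0000-0000-0000-000000000000",
        "appid": "11111111-1111-1111-1111-111111111111",
        "exp": 1719705600,
    }
)
NEW_TOKEN = make_sample_token(
    {
        "aud": "https://graph.microsoft.com",
        "tid": "00000000-0000-0000-0000-000000000000",
        "appid": "11111111-1111-1111-1111-111111111111",
        "exp": 1719705600,
    }
)

if __name__ == "__main__":
    for name, tok in (("legacy", LEGACY_TOKEN), ("new", NEW_TOKEN)):
        print(name, classify_token(tok))
```

Run over the tokens Pritunl holds for each user, this separates accounts that have already picked up Microsoft Graph tokens from those still on Azure AD Graph, which is the population that must complete a new sign-in before the legacy API is switched off.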

The new API has a reduced scope and only requires the permissions below. Refer to the Azure Single Sign-On Documentation for how to add these new permissions. The existing permissions must remain in place until all users have completed a new sign-in.

Attempting to fix issues by creating a new sign-on application in Azure will require all users to immediately complete an OAuth authorization, and users who have not done so will be disconnected when the hourly single sign-on update occurs. This should only be done after all other fixes have been attempted.

Azure AD Permissions

New Microsoft Graph Permissions