# Azure AD Migration

[**Azure AD Graph**](https://learn.microsoft.com/en-us/graph/migrate-azure-ad-graph-overview) is reaching end of life on June 30. Before this date administrators will need to update to a version of Pritunl that supports Microsoft Graph. Supported versions can be identified by the OAuth v2 Azure Regions shown in the top right settings. After updating to a supported version, change the *Azure Region* to one of the (OAuth v2) regions. Then set the *Azure API Version* to *Microsoft Graph* and click *Save*. **If issues continue, refer to the** [**Azure Single Sign-On Documentation**](/kb/vpn/sso/azure.md) **and follow the guide to verify all the settings match. A new API secret should be created, as the new API appears to enforce earlier expiration of API secrets. Permissions should only be added; existing permissions should remain in place as explained below.**

**Additionally, as OAuth tokens issued through the older Azure API version expire, users should be instructed to log in to the Pritunl server web console with Azure to reauthorize the OAuth token with the newer Azure API version.**

After doing this, users will continue to connect with Azure AD Graph OAuth tokens until they open the web console and complete the *Sign in with Azure* authentication process, which generates new Microsoft Graph OAuth tokens. Eventually the remaining tokens will be forced to *Microsoft Graph*; these may continue to work but are not guaranteed to work indefinitely.

If [**connection single sign-on**](/kb/vpn/sso/connection-authentication.md) is configured, this update will occur automatically the next time the user completes a connection without cached authentication. No user action is needed with these configurations.

The new API has a reduced scope and will only require the permissions below. **Refer to the** [**Azure Single Sign-On Documentation**](/kb/vpn/sso/azure.md) **on how to add these new permissions. The existing permissions must remain in place until all users have completed a new sign-in.**

**Attempting to fix issues by creating a new sign-on application on Azure will require all users to immediately complete an OAuth authorization, and will disconnect any users who have not done so when the hourly single sign-on update occurs. This should only be done after attempting all other fixes.**

#### Azure AD Permissions

#### New Microsoft Graph Permissions
