How Do I Migrate Microsoft Azure Active Directory SSO Authentication to the Microsoft Graph API?
To change MS Azure Active Directory single sign-on (SSO) authentication configuration from Azure Active Directory Graph API to Microsoft Graph API, do the procedure in this topic.
Microsoft no longer supports the Azure Active Directory Graph API and recommends migrating to the Microsoft Graph API.
For help with this procedure, contact AgilePoint Professional Services.
Background and Setup
Prerequisites
- AgilePoint NX PrivateCloud or AgilePoint NX OnPremises v8.0
- AgilePoint Server and AgilePoint NX Portal are protected with Microsoft Azure Active Directory SSO Authentication using the Azure Active Directory Graph API.
In the Microsoft Azure Portal, in the API Permissions section, the app created for AgilePoint NX Portal shows the API type.
- Sign in to the AgilePoint Server machine with your AgilePoint Service Account.
- An account that can update Microsoft Azure apps created for Microsoft Azure Active Directory SSO configuration.
Get the Microsoft Azure App ID
To get the Microsoft Azure app ID that is configured for AgilePoint Server and NX Portal, do the procedure in this topic.
Procedure
- On the AgilePoint Server machine, in a text editor, open this file:
(NX Portal installation folder - v8.0 and lower) C:\Program Files\AgilePoint\AgilePointWebApplication\AgilePointPortal\web.config
- In the file web.config, in the <appSettings> node, find the app IDs in these keys:
- <add key="ida:ClientID" value="[AgilePoint Portal app ID]"/>
- <add key="ida:WCFClientID" value="[AgilePoint Server app ID]"/>
If the value for the key "ida:WCFClientID" is null, find the key ida:WCFAppID, and copy the GUID from the key value. The copied value is the AgilePoint Server app ID.
<add key="ida:WCFAppID" value="api://mysite.onmicrosoft.com/22ee364a-046c-40a2-b287-a983e5130ce7"/>
If the app ID does not exist in the web.config file, you can find the AgilePoint Server app ID in the API Permissions section of the AgilePoint Portal app created in Microsoft Azure.
Remove the Azure Active Directory Graph Permissions from the Microsoft Azure App
To remove the Azure Active Directory Graph permissions from the app configured for AgilePoint Server and AgilePoint NX Portal in Microsoft Azure, do the procedure in this topic.
Prerequisites
- The app ID for the AgilePoint Server app and AgilePoint NX Portal app in Microsoft Azure.
For more information, refer to Get the Microsoft Azure App ID.
Procedure
- Sign in to Microsoft Azure Portal:
- On the Microsoft Azure Portal screen, click App registrations.
- On the App registrations screen, click All applications.
- On the All applications tab, in the Search field, do the following:
- To remove permissions for the AgilePoint Server app, paste the ida:WCFClientID value from the web.config file.
- To remove permissions for the AgilePoint Portal app, paste the ida:ClientID value from the web.config file.
The search result shows the app associated with the specified app ID.
- Click the app.
- On the app, in the Manage section, click API permissions.
- On the API permissions screen, in the Azure Active Directory Graph section, delete these permissions:
- User.Read
- User.Read.All
- User.ReadBasic.All
To remove the permission, click Ellipses (...) > Remove permission.
- On the Remove Permission screen, click Yes, remove.
- Click Grant admin consent for AgilePoint.
- On the Grant admin consent for AgilePoint screen, select No, remove granted permissions.
- Click Grant admin consent.
- On the Grant admin consent confirmation message, click Yes.
Configure the Microsoft Graph API Permissions for the AgilePoint Portal App
To configure the Microsoft Graph API permissions for the app configured for AgilePoint NX Portal in Microsoft Azure, do the procedure in this topic.
Good to Know
- It is not required to add the Microsoft Graph API permissions for the AgilePoint Server app.
Procedure
- In Microsoft Azure, open the app configured for AgilePoint NX Portal.
- On the app, in the Manage section, click API permissions.
- On the API permissions screen, in the Configure permissions section, click Add a permission.
- On the Request API permissions screen, in the Microsoft APIs tab, click Microsoft Graph.
- On the Microsoft Graph section, in the What type of permissions does your application require? field, click Delegated permissions.
- In the User section, select these permissions:
- User.Read
- User.ReadBasic.All
- Click Add Permissions.
- Click Grant admin consent for AgilePoint.
- Click Yes.
The API permissions screen shows a success message.
Update the Portal web.config File to Support Microsoft Graph API
To update the portal web.config file to support the Microsoft Graph API, do the procedure in this topic.
Procedure
- On the AgilePoint Server machine, in a text editor, open this file:
(NX Portal installation folder - v8.0 and lower) C:\Program Files\AgilePoint\AgilePointWebApplication\AgilePointPortal\web.config
- In the file web.config, in the <appSettings> node, do the following:
- To support Microsoft Graph API, change the value of the ida:graphApiTarget key to msgraph.
<add key="ida:graphApiTarget" value="msgraph"/>
- To set the default authentication provider, change the value of the DefaultAuthProvider key to WAAD.
<add key="DefaultAuthProvider" value="WAAD"/>
- (Optional) To update the Microsoft Graph Resource Endpoint, change these values:
- <add key="ida:msGraphResource" value="https://graph.microsoft.com/"/>
- <add key="ida:msGraphAPIURL" value="https://graph.microsoft.com/v1.0/"/>
By default, these keys hold the literal endpoint values shown above. Update them if the Microsoft Graph endpoint or the related configuration changes.
- Save the web.config file.
- Restart your AgilePoint Portal instance.
For more information, refer to Restarting AgilePoint Server and AgilePoint Portal.
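The two web.config steps in this topic (reading the app IDs in Get the Microsoft Azure App ID, including the fallback to the GUID inside ida:WCFAppID, and setting the Microsoft Graph keys in this procedure) as one added Python example. This is not AgilePoint's code; the sample web.config is constructed, the app IDs and pre-migration values are placeholders, and an empty ida:WCFClientID value is treated as null.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of the portal web.config; IDs and pre-migration values are placeholders.
SAMPLE_WEB_CONFIG = """<configuration><appSettings>
  <add key="ida:ClientID" value="11111111-2222-3333-4444-555555555555"/>
  <add key="ida:WCFClientID" value=""/>
  <add key="ida:WCFAppID" value="api://mysite.onmicrosoft.com/22ee364a-046c-40a2-b287-a983e5130ce7"/>
  <add key="ida:graphApiTarget" value="PLACEHOLDER_OLD_TARGET"/>
  <add key="DefaultAuthProvider" value="PLACEHOLDER_OLD_PROVIDER"/>
</appSettings></configuration>"""
GUID_RE = re.compile(r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}")
MSGRAPH_SETTINGS = {  # values the procedure expects after the migration
    "ida:graphApiTarget": "msgraph",
    "DefaultAuthProvider": "WAAD",
    "ida:msGraphResource": "https://graph.microsoft.com/",
    "ida:msGraphAPIURL": "https://graph.microsoft.com/v1.0/",
}

def app_settings(root):
    # Map every <add key= value=/> under <appSettings> to a plain dict.
    return {a.get("key"): a.get("value", "") for a in root.find("appSettings").findall("add")}

def get_app_ids(xml_text):
    """Return (portal_app_id, server_app_id) using the lookup order from the procedure."""
    s = app_settings(ET.fromstring(xml_text))
    server_id = s.get("ida:WCFClientID") or None
    if not server_id:  # ida:WCFClientID is null: take the GUID out of api://.../<guid>
        m = GUID_RE.search(s.get("ida:WCFAppID", ""))
        server_id = m.group(0) if m else None
    return s.get("ida:ClientID") or None, server_id

def migrate_to_msgraph(xml_text):
    """Set the Microsoft Graph keys, adding any that are missing; return (xml, changes)."""
    root = ET.fromstring(xml_text)
    node = root.find("appSettings")
    existing = {a.get("key"): a for a in node.findall("add")}
    changes = []
    for key, wanted in MSGRAPH_SETTINGS.items():
        elem = existing.get(key)
        if elem is None:
            elem = ET.SubElement(node, "add", key=key, value="")
        if elem.get("value") != wanted:
            changes.append((key, elem.get("value"), wanted))
            elem.set("value", wanted)
    return ET.tostring(root, encoding="unicode"), changes

def missing_msgraph_settings(xml_text):
    # Keys whose value still differs from the documented Microsoft Graph configuration.
    s = app_settings(ET.fromstring(xml_text))
    return [k for k, v in MSGRAPH_SETTINGS.items() if s.get(k) != v]
```

Run `missing_msgraph_settings` against the real file before and after editing to confirm nothing was missed, and keep a backup of web.config before writing the output of `migrate_to_msgraph` back.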