Problem
Azure Directory Sync fails to synchronize Clients and Groups.
Cause
Microsoft retired the API for the legacy Azure Directory DirSync. For details, please see the description in the following link: Action required: Azure AD Graph API retirement
Azure Admin console shows the following in DirSync | API Permissions.
DirSync log shows the failure symptom:
com.microsoft.azure.management.graphrbac.GraphErrorException: Status code 403, {"odata.error":{"code":"Authentication_Unauthorized","codeForMetrics":"Authentication_Unauthorized","message":{"lang":"en","value":"Access blocked to AAD Graph API for this application. https:\/\/aka.ms\/AzureADGraphMigration."}}}
Solution
In the Netsweeper Webadmin, navigate to Tools > Directory Sync and click on the Search Base name.
If the Directory Type is 'Azure Directory' then it needs to be changed to 'Microsoft Graph Directory'.
Note: On Netsweeper managed clouds, you might need assistance from Netsweeper support to make this change on your behalf.
Change to:
Azure Update:
The following is an excerpt from the "Adding Permissions" section of the following Netsweeper document and assumes that an Entra ID is registered: Microsoft Graph Directory Sync
- Log in to the Azure portal at https://portal.azure.com, using an account with administrator privilege.
- Select either the View button (under 'Manage Microsoft Entra ID') or the Microsoft Entra ID button.
- Navigate to Directory Sync, then in API permissions select Microsoft Graph.
- Select the Delegated permissions option within the 'Request API Permissions' pane.
- Ensure the following Delegated permissions are given:
- Directory.AccessAsUser.All
- Directory.Read.All
- Group.Read.All
- Member.Read.Hidden
- User.Read
- User.Read.All
- User.ReadBasic.All
- Select the Add permissions button.
- We also need to add Application permissions. Select the Add a permission button again.
- Choose Microsoft Graph from the 'Request API Permissions' > 'Microsoft APIs' selection pane.
- Select Application Permissions from the 'Request API permissions' pane.
- Ensure the following Application Permissions are given:
- Directory.Read.All
- Member.Read.Hidden
- Select the Add permissions button.
- Choose the Grant Admin consent button.
Allowing Authentication
- Navigate to Authentication and in the 'Advanced settings' > 'Allow public client flows' section, set the value to Yes for the 'Enable the following mobile and desktop flows' option.
- Select Save.
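To verify the steps above after they are done, the following added check (not part of this article or of Netsweeper's tooling) reads an app registration's manifest and the Microsoft Graph service principal's permission catalogue, resolves the permission GUIDs to names, and reports which of the delegated and application permissions listed above are still missing and whether public client flows are enabled. The objects follow the Graph API shapes of `GET /applications/{id}` and `GET /servicePrincipals?$filter=appId eq '00000003-0000-0000-c000-000000000000'`; the sample data is constructed with placeholder GUIDs.

```python
"""Check a Directory Sync app registration against the Graph permissions
this article lists. Feed it the JSON of GET /applications/{id} and of the
Microsoft Graph service principal (e.g. fetched with `az rest`)."""

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph resource appId

REQUIRED_DELEGATED = {
    "Directory.AccessAsUser.All", "Directory.Read.All", "Group.Read.All",
    "Member.Read.Hidden", "User.Read", "User.Read.All", "User.ReadBasic.All",
}
REQUIRED_APPLICATION = {"Directory.Read.All", "Member.Read.Hidden"}


def check_registration(app, graph_sp):
    """Return missing delegated/application permissions and the public-client flag."""
    # The manifest stores permissions as GUIDs; the Graph service principal's
    # oauth2PermissionScopes (type "Scope") and appRoles (type "Role") map them to names.
    scope_names = {s["id"]: s["value"] for s in graph_sp["oauth2PermissionScopes"]}
    role_names = {r["id"]: r["value"] for r in graph_sp["appRoles"]}
    delegated, application = set(), set()
    for res in app.get("requiredResourceAccess", []):
        if res["resourceAppId"] != GRAPH_APP_ID:
            continue  # permissions requested on other APIs are irrelevant here
        for access in res["resourceAccess"]:
            name = access["id"]  # unknown GUIDs are reported as-is
            if access["type"] == "Scope":
                delegated.add(scope_names.get(name, name))
            elif access["type"] == "Role":
                application.add(role_names.get(name, name))
    return {
        "missing_delegated": sorted(REQUIRED_DELEGATED - delegated),
        "missing_application": sorted(REQUIRED_APPLICATION - application),
        "public_client_flows": bool(app.get("isFallbackPublicClient")),  # 'Allow public client flows'
    }


# Constructed sample: placeholder GUIDs, not Microsoft's real permission ids.
SAMPLE_GRAPH_SP = {
    "oauth2PermissionScopes": [{"id": f"scope-{n}", "value": n} for n in REQUIRED_DELEGATED],
    "appRoles": [{"id": f"role-{n}", "value": n} for n in REQUIRED_APPLICATION],
}
SAMPLE_APP = {  # all delegated scopes present, one application role missing, public flows off
    "isFallbackPublicClient": False,
    "requiredResourceAccess": [{
        "resourceAppId": GRAPH_APP_ID,
        "resourceAccess": [{"id": f"scope-{n}", "type": "Scope"} for n in REQUIRED_DELEGATED]
                          + [{"id": "role-Directory.Read.All", "type": "Role"}],
    }],
}

if __name__ == "__main__":
    print(check_registration(SAMPLE_APP, SAMPLE_GRAPH_SP))
```

Note that this inspects what the registration requests, not whether admin consent was granted; consent is recorded on the app's own service principal (its oauth2PermissionGrants and appRoleAssignments) and has to be checked there.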
Note: It might be necessary to log in to the Entra Account Email to confirm that it is not disabled. This is the account used in the Webadmin Directory Sync configuration in the example shown below:
Additional Information
Refer to the Netsweeper document: Microsoft Graph Directory Sync
and the Microsoft document: Action required: Azure AD Graph API retirement