API graph option is no longer available | PKI Platform

Solution ID : SO111121220357
Last Modified : 10/21/2023

Scenario

Microsoft is deprecating AAD Graph in June of 2022, so this graph option is no longer available.

The AAD team very recently made a change that is causing this impact in the UX. In the short term, the workaround is to edit the JSON as shown below.

Error Message

When customers set up Intune SCEP to work with PKI 8, they get permission denied errors when adding the graph feature. The reason is that Microsoft is deprecating the AAD Graph in favor of a new one. The following message is posted to alert them of the situation.

(This is the currently available option for adding the permission per our current document) 

Now the Graph is contained in the following section of Intune.

This is the error in Splunk from an attempted enrollment.

Solution

  1. In the Application Registration blade, select the application desired to have AAD Graph permission.
  2. Back up the config by downloading it and then renaming it to .orig or .DATE.
  3. Go to the Azure portal. Search for and select the Azure Active Directory service.
  4. Select App registrations.
  5. Select the app you want to configure.
  6. From the app's Overview page, select the Manifest section. A web-based manifest editor opens, allowing you to edit the manifest within the portal. Optionally, you can select Download to edit the manifest locally, and then use Upload to reapply it to your application.

    In the cfg file, insert the data below after “replyUrlsWithType” and before “samlMetadataUrl”:

    "requiredResourceAccess": [
        {
            "resourceAppId": "00000002-0000-0000-c000-000000000000",
            "resourceAccess": [
                {
                    "id": "5778995a-e1bf-45b8-affa-663a9f3f4d04",
                    "type": "Role"
                }
            ]
        },
        {
            "resourceAppId": "00000003-0000-0000-c000-000000000000",
            "resourceAccess": [
                {
                    "id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
                    "type": "Scope"
                },
                {
                    "id": "9a5d68dd-52b0-4cc2-bd40-abcf44ac3a30",
                    "type": "Role"
                }
            ]
        },
        {
            "resourceAppId": "c161e42e-d4df-4a3d-9b42-e7a3c31f59d4",
            "resourceAccess": [
                {
                    "id": "39d724e8-6a34-4930-9a36-364082c35716",
                    "type": "Role"
                }
            ]
        }
    ],

To confirm the change is complete, check the API graph permissions. NOTE: you will need to “Grant Consent” as well.
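
For a manifest that was downloaded for local editing, the insertion described above can be scripted. This is an added example, not DigiCert's or Microsoft's code: it merges the article's requiredResourceAccess block into a manifest without discarding permissions the app already has, and returns what it added. The function name and the sample manifest are constructed for illustration.

```python
# requiredResourceAccess entries copied verbatim from the article.
REQUIRED = [
    {"resourceAppId": "00000002-0000-0000-c000-000000000000", "resourceAccess": [
        {"id": "5778995a-e1bf-45b8-affa-663a9f3f4d04", "type": "Role"}]},
    {"resourceAppId": "00000003-0000-0000-c000-000000000000", "resourceAccess": [
        {"id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d", "type": "Scope"},
        {"id": "9a5d68dd-52b0-4cc2-bd40-abcf44ac3a30", "type": "Role"}]},
    {"resourceAppId": "c161e42e-d4df-4a3d-9b42-e7a3c31f59d4", "resourceAccess": [
        {"id": "39d724e8-6a34-4930-9a36-364082c35716", "type": "Role"}]},
]

# Constructed sample manifest (hypothetical app, trimmed to the relevant keys).
SAMPLE = {
    "appId": "11111111-1111-1111-1111-111111111111",
    "replyUrlsWithType": [],
    "requiredResourceAccess": [{"resourceAppId": "00000003-0000-0000-c000-000000000000",
        "resourceAccess": [{"id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d", "type": "Scope"}]}],
    "samlMetadataUrl": None,
}

def merge_required_access(manifest):
    """Return (patched_manifest, added); permissions already present are kept."""
    merged = [dict(r, resourceAccess=list(r["resourceAccess"]))
              for r in manifest.get("requiredResourceAccess", [])]
    by_app, added = {r["resourceAppId"].lower(): r for r in merged}, []
    for want in REQUIRED:
        app = want["resourceAppId"]
        entry = by_app.get(app)
        if entry is None:  # resource not referenced yet: create its entry
            entry = by_app[app] = {"resourceAppId": app, "resourceAccess": []}
            merged.append(entry)
        have = {(a["id"].lower(), a["type"]) for a in entry["resourceAccess"]}
        for acc in want["resourceAccess"]:
            if (acc["id"], acc["type"]) not in have:
                entry["resourceAccess"].append(dict(acc))
                added.append((app, acc["id"], acc["type"]))
    # Re-emit keys so the block follows "replyUrlsWithType", as the article instructs.
    out = {}
    for key, value in manifest.items():
        if key != "requiredResourceAccess":
            out[key] = value
        if key == "replyUrlsWithType":
            out["requiredResourceAccess"] = merged
    out.setdefault("requiredResourceAccess", merged)
    return out, added

if __name__ == "__main__":
    for app, perm, kind in merge_required_access(SAMPLE)[1]:
        print(f"added {kind:5} {perm} on resource {app}")
```

Entries of type "Role" are application permissions and entries of type "Scope" are delegated permissions, so the returned list is the set of changes to review before consent is granted.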


For additional information please see the following KB:
Use third-party certification authorities (CA) with SCEP in Microsoft Intune

 

If you have any questions, please contact DigiCert PKI Support