
Regrant Admin consent before migrating from AAD Graph to MS Graph

KB003653

PRODUCT: K2 Five 5.2 - 5.5
BASED ON: K2 Five 5.5

Admin consent is recommended before installing the K2 Five (5.4)/(5.5) November 2021 or K2 Five (5.3) January 2022 Cumulative Updates.

Microsoft is deprecating Azure AD Graph API in June 2022, and as of June 30th, 2020, stopped adding new features to the API. See these Microsoft articles for more information:

Microsoft strongly recommends upgrading to Microsoft Graph API to access Azure AD APIs as well as APIs from other Microsoft services. K2 OAuth resources requiring access to the https://graph.windows.net API (AAD Graph) must be upgraded to use https://graph.microsoft.com (Microsoft Graph) as part of the migration from AAD Graph to Microsoft Graph. The following cumulative updates include the code fixes necessary for this migration:

If you have installed one of these cumulative updates, and intend to upgrade your system to either K2 Five (5.4) or (5.5), you must only use one of these product builds:

Using any other product builds will render your K2 installation unusable.

For more information on migrating apps, see the Microsoft article App migration planning checklist.

After the installation of the Cumulative Update, the OAuth resources that require access to AAD Graph API will be updated to use Microsoft Graph API instead. This will affect the workflows using the Azure Active Directory broker. These workflows can enter a failed state if the workflow executes a step that uses the broker after upgrade, but before a Global administrator in your organization re-consents to the Microsoft Graph permissions. These workflows will have to be manually repaired after upgrade and re-consent.

We recommend that a Global administrator consent to the Microsoft Graph permissions before installing the Cumulative Update to avoid the extra work of repairing the workflows that use the Azure Active Directory broker.

Consent to the Microsoft Graph permissions

If you already have an AAD Service instance registered, you don't need to create a new one. Edit the existing one and change the Graph type as per step 2.

Follow these steps to grant Admin consent to the Microsoft Graph permissions.

  1. In K2 Management, browse to Integration > Service Types and select the Azure Active Directory service type. Click New Instance.
  2. Configure the Service Instance as described in the Service Instances topic of the K2 user guide but make sure to enter https://graph.microsoft.com as the OAuth Resource Audience.
    You will only see the full authorization flow if your Nintex K2 environment doesn’t have the graph.microsoft.com token. If you have previously consented to the new permissions and then run through this re-consent flow, you will not see the OAuth Error dialog or the permissions page described below in steps 3 and 4.
  3. When you click OK on the registration form, the OAuth Error dialog shows. Click OK again to be redirected for authorization.
  4. Sign in with your Global Administrator credentials and accept the permissions request to continue. Since permissions required for Azure AD Graph API differ from those for Microsoft Graph API, you will be consenting to similar permission scopes for backward and future compatibility. For more information, see the topic Applications for integrating with third-party technologies in the Nintex K2 Five help documentation.
  5. You are redirected to the Authorization Successful page, at which point the new Microsoft Graph resource token is created. Close the tab to return to the K2 Management site.
  6. You are returned to the Service Instance registration page after the token is created. Click Cancel as there is no need to create a new Service Instance after completing the consent flow.
Repeat these steps for the AADMGMT resource if you are using it.
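
One way to confirm, before installing the Cumulative Update, that tenant-wide consent for Microsoft Graph is already recorded for the app (an added example, not Nintex or Microsoft code). It assumes the consent shows up as a delegated grant with consentType AllPrincipals and reads data shaped like the Microsoft Graph servicePrincipal and oauth2PermissionGrant resources; the client name, object ids and scopes below are constructed placeholders.

```python
import json

# Well-known appIds of the two Microsoft resource APIs.
AAD_GRAPH_APPID = "00000002-0000-0000-c000-000000000000"  # https://graph.windows.net
MS_GRAPH_APPID = "00000003-0000-0000-c000-000000000000"   # https://graph.microsoft.com

# Constructed sample data shaped like Microsoft Graph servicePrincipal and
# oauth2PermissionGrant resources. Ids, client name and scopes are placeholders.
# Assumption: admin consent is stored as a grant with consentType "AllPrincipals".
SERVICE_PRINCIPALS = json.loads("""[
  {"id": "sp-client", "appId": "11111111-1111-1111-1111-111111111111", "displayName": "EXAMPLE-K2-APP"},
  {"id": "sp-aadgraph", "appId": "00000002-0000-0000-c000-000000000000", "displayName": "Windows Azure Active Directory"},
  {"id": "sp-msgraph", "appId": "00000003-0000-0000-c000-000000000000", "displayName": "Microsoft Graph"}
]""")
GRANTS = json.loads("""[
  {"clientId": "sp-client", "consentType": "AllPrincipals", "principalId": null,
   "resourceId": "sp-aadgraph", "scope": "User.Read Directory.Read.All"},
  {"clientId": "sp-client", "consentType": "Principal", "principalId": "user-1",
   "resourceId": "sp-msgraph", "scope": "User.Read"}
]""")


def consent_status(client_sp_id, service_principals, grants):
    """Return admin-consented scopes per resource API for one client app."""
    app_id_by_sp = {sp["id"]: sp["appId"] for sp in service_principals}
    status = {"aad_graph": set(), "ms_graph": set()}
    for grant in grants:
        # Only tenant-wide (admin) grants count; per-user grants are ignored.
        if grant["clientId"] != client_sp_id or grant["consentType"] != "AllPrincipals":
            continue
        app_id = app_id_by_sp.get(grant["resourceId"])
        if app_id == AAD_GRAPH_APPID:
            status["aad_graph"].update(grant["scope"].split())
        elif app_id == MS_GRAPH_APPID:
            status["ms_graph"].update(grant["scope"].split())
    return {name: sorted(scopes) for name, scopes in status.items()}


def ready_for_update(status):
    """True only when admin consent for Microsoft Graph is already in place."""
    return bool(status["ms_graph"])


if __name__ == "__main__":
    result = consent_status("sp-client", SERVICE_PRINCIPALS, GRANTS)
    print(result, "ready for update:", ready_for_update(result))
```

In the sample, the app has admin consent only for AAD Graph plus a single per-user Microsoft Graph grant, so it is reported as not ready until a Global administrator completes the consent flow above.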