Regrant Admin consent before migrating from AAD Graph to MS Graph
KB003653
PRODUCTAdmin consent is recommended before upgrading K2 Five (5.4)/(5.5) November 2021, or K2 Five (5.3) January 2022 Cumulative Updates.
Microsoft is deprecating Azure AD Graph API in June 2022, and as of June 30th, 2020, stopped adding new features to the API. See these Microsoft articles for more information:
- Migrate Azure Active Directory (Azure AD) Graph apps to Microsoft Graph
- Azure Active Directory (Azure AD) Graph to Microsoft Graph migration FAQ
Microsoft strongly recommends upgrading to Microsoft Graph API to access Azure AD APIs as well as APIs from other Microsoft services. K2 OAuth resources requiring access to the https://graph.windows.net API (AAD Graph), must be upgraded to use https://graph.microsoft.com (Microsoft Graph) as part of the migration from AAD Graph to Microsoft Graph. The following cumulative updates include the code fixes necessary for this migration:
- Nintex K2 Five (5.3) January 2022 Cumulative Update
- Nintex K2 Five (5.2) June 2022 Cumulative Update
- Nintex K2 blackpearl (4.7) April 2022 Cumulative Update
If you have installed one of these cumulative updates, and intend to upgrade your system to either K2 Five (5.4) or (5.5), you must only use one of these product builds:
Using any other product builds will render your K2 installation unusable.
For more information on migrating apps, see the Microsoft article App migration planning checklist.
After the installation of the Cumulative Update, the OAuth resources that require access to AAD Graph API will be updated to use Microsoft Graph API instead. This will affect the workflows using the Azure Active Directory broker. These workflows can enter a failed state if the workflow executes a step that uses the broker after upgrade, but before a Global administrator in your organization re-consents to the Microsoft Graph permissions. These workflows will have to be manually repaired after upgrade and re-consent.
We recommend that a Global administrator consent to the Microsoft Graph permissions before installing the Cumulative Update to avoid the extra work of repairing the workflows that use the Azure Active Directory broker.
Consent to the Microsoft Graph permissions
If you already have an AAD Service instance registered, you don't need to create a new one, just edit the existing one and change the Graph type as per step 2.
Follow these steps to grant Admin consent to the Microsoft Graph permissions.
- In K2 Management, browse to Integration > Service Types and select the Azure Active Directory service type. Click New Instance.
- Configure the Service Instance as described in the Service Instances topic of the K2 user guide but make sure to enter https://graph.microsoft.com as the OAuth Resource Audience.You will only see the full authorization flow if your Nintex K2 environment doesn’t have the graph.microsoft.com token. If you have previously consented to the new permissions and then run through this re-consent flow, you will not see the OAuth error, or permissions page described below in steps 3 and 4.
- When you click OK on the registration form, the OAuth Error dialog shows. Click OK again to be redirected for authorization.
- Sign in with your Global Administrator credentials and accept the permissions request to continue. Since permissions required for Azure AD Graph API differ from those for Microsoft Graph API, you will be consenting to similar permissions scopes for backward and future compatibility. For more information, see the topic Applications for integrating with third-party technologies in the Nintex K2 Five help documentation.
- You are redirected to the Authorization Successful page, at which point the new Microsoft Graph resource token is created. Close the tab to return to the K2 Management site.
- You are returned to the Service Instance registration page after the token is created. Click Cancel as there is no need to create a new Service Instance after completing the consent flow.