AddMicrosoftGraph() does not support new graph SDK 5.0.0

[shareonline]

Microsoft.Identity.Web Library

Microsoft.Identity.Web 2.5.0
Protected web app/APIs call downstream web APIs

Description

After upgrading my entire solution to graph SDK 5.0.0 my blazor server app is not working anymore.
Microsoft.Identity.Web has a dependency on graph 4.5 and won't work with new version.

Reproduction steps

upgrade to graph sdk 5.0.0 nuget.

Relevant code snippets

builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(options => builder.Configuration.Bind("AzureAd", options))
    .EnableTokenAcquisitionToCallDownstreamApi(options => builder.Configuration.Bind("AzureAd", options), initialScopes)
    .AddMicrosoftGraph(graphBaseUrl: "https://graph.microsoft.com", defaultScopes: "User.Read")

Expected behavior

Microsoft.Identity.Web should work with latest graph sdk when release to production

---

Update. This is solved in Microsoft.Identity.Web 2.12.2.
You will need to replace the reference to Microsoft.Identity.Web.Microosft.Graph by Microsoft.Identity.Web.GraphServiceClient. For details on the migration guide see Microsoft.Identity.Web.GraphServiceClient

[ashelopukho]

@shareonline
Temporary solution:
https://gist.github.com/ashelopukho/5b00944c7744ebb4f9baa348e86f7e0e

[AndreErb]

Same here.

In fact it throws
TypeLoadException: Could not load type 'Microsoft.Graph.IAuthenticationProviderOption' from assembly 'Microsoft.Graph.Core, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35'. Microsoft.Identity.Web.GraphServiceCollectionExtensions+<>c.<AddMicrosoftGraph>b__1_0(IServiceProvider serviceProvider)

Needed to downgrade to Microsoft.Graph 4.54.0 in order to make it run again.
Didn't want to introduce a temporary solution in my Blazor App, like @ashelopukho kindly offered.

[jmprieur]

What happens

@shareonline, @AndreErb
Microsoft.Graph SDK 5.0 has breaking changes with respect to 4.x, including on the auth side. Thanks @ashelopukho for providing the start of the work-around.

But the auth breaking changes are not the whole story. Some of the changes affect the [developer experience] (https://github.com/AzureAD/microsoft-identity-web/wiki/calling-graph) proposed in Microsoft.Identity.Web (.WithScopes, .WithAppOnly). We need to be re-think the developer experience with MSGraph 5.0 SDK (as the Request() method that was holding these extension methods is no longer part of MSGraph SDK 5.0 public API).

Moreover, I wonder if we should add another assembly supporting MicrosoftGraph 5.0 SDK (Microsoft.Identity.Web.MicrosoftGraph), to avoid breaking everybody, or take another major version (3.0) and change Microsoft.Identity.Web.MicrosoftGraph and Microsoft.Identity.Web.MicrosoftGraphBeta.

All that to say we need a bit of time to update Microsoft.Identity.Web.MicrosoftGraph(X) to Microsoft Graph SDK.

Question for the community

Would you be ready to break your code using the Graph SDK when you update to a future version of Microsoft.Identity.Web 5.0? Or would you prefer to separate the decisions of upgrading to Microsoft.Identiy.Web 2.+ and Microsoft.Graph SDK 5.0+?

Any feedback welcome on how you'd like to see things

[shareonline]

What happens

@shareonline, @AndreErb Microsoft.Graph SDK 5.0 has breaking changes with respect to 4.x, including on the auth side. Thanks @ashelopukho for providing the start of the work-around.

But the auth breaking changes are not the whole story. Some of the changes affect the [developer experience] (https://github.com/AzureAD/microsoft-identity-web/wiki/calling-graph) proposed in Microsoft.Identity.Web (.WithScopes, .WithAppOnly). We need to be re-think the developer experience with MSGraph 5.0 SDK (as the Request() method that was holding these extension methods is no longer part of MSGraph SDK 5.0 public API).

Moreover, I wonder if we should add another assembly supporting MicrosoftGraph 5.0 SDK (Microsoft.Identity.Web.MicrosoftGraph), to avoid breaking everybody, or take another major version (3.0) and change Microsoft.Identity.Web.MicrosoftGraph and Microsoft.Identity.Web.MicrosoftGraphBeta.

All that to say we need a bit of time to update Microsoft.Identity.Web.MicrosoftGraph(X) to Microsoft Graph SDK.

Question for the community

Would you be ready to break your code using the Graph SDK when you update to a future version of Microsoft.Identity.Web 5.0? Or would you prefer to separate the decisions of upgrading to Microsoft.Identiy.Web 2.+ and Microsoft.Graph SDK 5.0+?

Any feedback welcome on how you'd like to see things

There is no question that i would be willing to break the code when upgrading. I mean that's what we are doing when upgrading to Graph 5.x anyway.. But tight integration may not be a good idea in the future as in theory this could slow adoption of the graph sdk. I think alot of developers like the "out of box" experience to spin up a project quickly based on Azure AD and Graph..
to be completely honest the Microsoft.Identity.Web is something i am using to easily start a project based on Azure AD login. It's the default behavior for the visual studio template, so in my mind i would have thought it followed the graph sdk.
I would be willing to test stuff out for you if neccesary of course.
I really like the new syntax for the graph sdk over the old one. It makes more sense from a developer point of view in my mind. Granted we got used to the request syntax, but the new syntax is more logic i think..

[mtbayley]

I would be willing to use a separate assembly for Graph if it means faster adoption of the new Graph SDK.

[jmprieur]

@mtbayley: I think that this is what we are going to do (to let customers decide when they want to migrate to 5 as some feedback told us attempted to move to 5 broker a lot of their code and is not straightforward)

[travaille-dev]

I would argue for developers experience it can get tedious deciding which nuget package to install for which purposes. I just want to authenticate my application and call some graph apis that I've been granted permissions for.

I found the starter templates helpful for this purpose. I didn't have to think, I was just able to add authentication and plug in my ClientID and Secret and get to implementing business logic.

From my experience -

• I see there's an update to Microsoft.Graph update it on my aspnet hosted blazor app
• Look at docs to see what's new and how I need to restructure my graph calls
• Oops I can't use AddMicrosoftGraph in my startup anymore
• Check to see if there's a new function or overload that I'm missing out on
• That doesn't work. Let me look into Microsoft.Graph since that's the only package I upgraded and none of my other packages have a dependency on it
• Nothing is in an online search so make a github issue the msgraph-sdk-dotnet repo
• Turns out it's actually the Microsoft.Identity.Web package
• I guess I'll wait until a new major release....

I am at least aware of this issue so I could feasibly pivot and install a different Identity package, but for other devs who want to stay on top of new releases, they'll run into the same hoops I did just to find out they need to use a whole new package - which is documented 🤷

I believe it's a better experience to have teams that don't want to upgrade the graph sdk to also not upgrade their identity package. However, I can see the painpoint of coordinating major releases with the sdk team and it's not an ideal coupling.

[Luk164]

Truth be said I do not think this should have been a stable release. It breaks way too much things including basic templates which makes it really hard for developers used to stuff working out of the box.

[rockit666]

It's unbelievable, I tried version 5.8 and this issue is still open.

[shareonline]

It's unbelievable, I tried version 5.8 and this issue is still open.

But this is a problem with the identity.web package, not the graph package as i have understood it..
As i understand it without going deeper, it is a dependency to the old graph package, which from version 5 has changed dramatically.

[rockit666]

well, a big company like Microsoft should handle this.

[ghost]

@jmprieur There seem to by many auth scenarios between Blazor, Blazor-server, MCV and .Net Core API. So breaking them up might make sense in the future.

The real issue is breaking changes. From a developer standpoint, I would like to set my application to the latest .Net long term support version (.Net 6 right now). Download all the latest packages for those versions. And have them all work. Breaking changes should be reserved for new versions of .Net (and not be tested on the long-term support version).

I do not mind upgrading my packages through breaking changes. I just would like to do it on my terms when I chose to upgrade to a new .Net 6 version. It would be great if the Graph Versions were tied to a specific .Net version. Currently it just says .Net Core 2 or greater. Which seems highly unlikely to me since getting authentication to work on .Net 2 while running Microsoft.Graph 5 would be basically impossible.

[ghost]

Can anyone at all explain to me how I can get graph working? I'm like brand new to this and I'm trying to make graph calls with a "Users.Read.All" scope from my application, but I cannot get it to work and there's very little information as to how to do so.

I am using ASP.NET Core 7.0 Web API.

So far I have this setup, with @ashelopukho 's work around with the following:

builder.Services.AddMicrosoftIdentityWebApiAuthentication(builder.Configuration, "AzureAd")
    .EnableTokenAcquisitionToCallDownstreamApi().AddInMemoryTokenCaches();
builder.Services.AddMicrosoftGraphClient();

This throws the following error:

 An MsalUiRequiredException was thrown due to a challenge for the user.

However, I am able to call the graph endpoint with my associated client id, client secret, tenant id, grant_type, at:

https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token

And I can successfully retrieve a token and query the microsoft graph endpoint with it.

Does anyone know how to just set this up right now? The documentation is vast and unclear with multiple ways to do the same thing and none of them work. Even worse, if i wanted to use old packages, i don't know which ones to use and Microsoft.Identity.Web, Microsoft.Graph and Microsoft.Graph.Core all depend on each other in some way that I don't understand.

[BlueManiac]

Can anyone at all explain to me how I can get graph working? I'm like brand new to this and I'm trying to make graph calls with a "Users.Read.All" scope from my application, but I cannot get it to work and there's very little information as to how to do so.

I am using ASP.NET Core 7.0 Web API.

So far I have this setup, with @ashelopukho 's work around with the following:

builder.Services.AddMicrosoftIdentityWebApiAuthentication(builder.Configuration, "AzureAd")
    .EnableTokenAcquisitionToCallDownstreamApi().AddInMemoryTokenCaches();
builder.Services.AddMicrosoftGraphClient();

This throws the following error:

 An MsalUiRequiredException was thrown due to a challenge for the user.

However, I am able to call the graph endpoint with my associated client id, client secret, tenant id, grant_type, at:

https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token

And I can successfully retrieve a token and query the microsoft graph endpoint with it.

Does anyone know how to just set this up right now? The documentation is vast and unclear with multiple ways to do the same thing and none of them work. Even worse, if i wanted to use old packages, i don't know which ones to use and Microsoft.Identity.Web, Microsoft.Graph and Microsoft.Graph.Core all depend on each other in some way that I don't understand.

I had to register the RejectSessionCookieWhenAccountNotInCacheEvents from #13 to get things to work with the new api

[jonathan-vogel-siemens]

When can we expect the next release including this fix?

[jennyf19]

@Jonathan-a35y Re-opening until we released, GitHub automatically closed as the PR was merged. Release will be 2.12.1 and should be out by 6/16/23.

[StefanSchoof]

2/16/23

Do you mean 6/16/23?

[shareonline]

Can't wait for this! Good job everyone involved, it makes our .NET lives much easier 😏

[jennyf19]

2/16/23

Do you mean 6/16/23?

Yes, sorry got the version (2.12) and the date (6/16) mixed together. 🤦thanks for calling it out.

[jennyf19]

Released in 2.12.2

[andymarksonline]

Hi guys, I updated my Blazor app to 2.12.2 and Microsoft.Graph to 5.1.4.0 and still getting this error:
TypeLoadException: Could not load type 'Microsoft.Graph.IAuthenticationProviderOption' from assembly 'Microsoft.Graph.Core, Version=3.0.7.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35'.

    // AD Authentication / Authorisation and Graph...
      var initialScopes = builder.Configuration["DownstreamApi:Scopes"]?.Split(' ');
      builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
          .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"))
              .EnableTokenAcquisitionToCallDownstreamApi(initialScopes)
                  .AddMicrosoftGraph(builder.Configuration.GetSection("DownstreamApi"))
                  .AddInMemoryTokenCaches();

[adukstad]

Hi guys, I updated my Blazor app to 2.12.2 and Microsoft.Graph to 5.1.4.0 and still getting this error:

TypeLoadException: Could not load type 'Microsoft.Graph.IAuthenticationProviderOption' from assembly 'Microsoft.Graph.Core, Version=3.0.7.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35'.

    // AD Authentication / Authorisation and Graph...

      var initialScopes = builder.Configuration["DownstreamApi:Scopes"]?.Split(' ');

      builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)

          .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"))

              .EnableTokenAcquisitionToCallDownstreamApi(initialScopes)

                  .AddMicrosoftGraph(builder.Configuration.GetSection("DownstreamApi"))

                  .AddInMemoryTokenCaches();

You are probably still using the old package. Use Identity.Web.GraphServiceClient

[Nekit19]

Same for me.
using
"Microsoft.Graph" Version="5.14.0" />
"Microsoft.Identity.Web" Version="2.12.2" />
"Microsoft.Identity.Web.MicrosoftGraph" Version="2.12.2" />
And it still doesn't work.
@adukstad
Is Microsoft.Graph.GraphServiceClient the old one?

[adukstad]

Same for me.

using

    "Microsoft.Graph" Version="5.14.0" />

    "Microsoft.Identity.Web" Version="2.12.2" />

    "Microsoft.Identity.Web.MicrosoftGraph" Version="2.12.2" />

And it still doesn't work.

@adukstad

Is Microsoft.Graph.GraphServiceClient the old one?

No, it is the new one. Here https://github.com/AzureAD/microsoft-identity-web/blob/jmprieur/Graph5/src/Microsoft.Identity.Web.GraphServiceClient/Readme.md

[Nekit19]

@andymarksonline
I figured it out.
I've dived into source code and it seems there are several GraphServiceCollectionExtensions which provide AddMicrosoftGraph with same signatures. One in Microsoft.Identity.Web.MicrosoftGraph, one in Microsoft.Identity.Web.GraphServiceClient.

It seems the former is the old one and uses old Core Options that are not present in current version.
Including Microsoft.Identity.Web.GraphServiceClient instead of Microsoft.Identity.Web.MicrosoftGraph solved the issue.

So confusing :)

[jmprieur]

@shareonline @BlueManiac @ashelopukho @StefanSchoof @AndreErb @adukstad @andymarksonline @StefanSchoof @Jonathan-a35y @anonwashere @mtbayley @travaille-dev @Luk164
The problem is indeed solved in Microsoft.Identity.Web 2.12.2.
You will need to replace the reference to Microsoft.Identity.Web.Microosft.Graph by Microsoft.Identity.Web.GraphServiceClient.
For details on the migration guide see Microsoft.Identity.Web.GraphServiceClient

Thanks @Nekit19 for calling out that we had not taken enough time to communicate explicitly in this issue on the change (despite having prepared a Readme for that). It's confusing because we wanted to avoid breaking people. Here is a quote from the document below.

With the introduction of Microsoft.Identity.Web.GraphServiceClient and Microsoft.Identity.Web.GraphServiceClientBeta libraries in version Microsoft.Identity.Web 2.12, you now have the choice to use either the legacy Microsoft.Identity.Web.MicrosoftGraph and Microsoft.Identity.Web.MicrosoftGraphBeta NuGet packages based on Microsoft Graph SDK 4.x or the new libraries based on Microsoft Graph SDK 5. By keeping both options available, you can choose to migrate to the latest version of the SDK at your own pace and with minimal disruption to your existing code.

We are also in the process of updating all the AAD samples and the documentation on Microsoft learn

[jmprieur]

Samples/quickstarts PRs:

• Updating to Graph SDK 5. AzureADQuickStarts/AppModelv2-WebApp-OpenIDConnect-DotNet#51
• Update to Id.Web 2.12.2 Azure-Samples/active-directory-dotnetcore-daemon-v2#164
• update to 2.12.1 Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2#711