Migrate from ADAL to MSAL without specific identity provider

Wagner, Chris 106 Reputation points

I have an iOS mobile app written in Objective-C that is currently using ADAL in its most basic implementation. Given that it will be deprecated in June 2022, how do I migrate to MSAL when the mobile app does not use ADAL or MSAL for its own authentication mechanism? ADAL is currently used just to allow Intune to auto-prompt for user credentials (outside the scope of the app, prior to the app's main screen) to determine which provider should manage the app, which user is using the device, receive app configuration values, etc.

Everything I read seems to imply that I must specify a clientID, authority, redirect scheme, etc. Given the app is used and managed by enterprise customers, those values are outside the app's knowledge. ADAL seems to "magically" manage this. Is there an implementation/configuration of MSAL that can simulate the current implementation of ADAL?

Thanks for the help in advance!

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

Accepted answer
  1. Wagner, Chris 106 Reputation points

    After reading the ADAL vs MSAL documentation, here is what I have concluded. If I read the section "Let Intune handle authentication and enrollment at launch" in a very direct way, I determined that if I just replace ADAL with MSAL in the CocoaPods and have the "AutoEnrollOnLaunch=YES" and "MAMPolicyRequired=YES" in the plist file, then it appears to work as it did before. For me, the documentation is a little misleading, as it gives the impression that you have to implement MSAL when really you just need to include it. This is true when not using the authentication mechanism for app access, just for retrieving the MAM policies.

    Since my application processes authentication using a customer specific server, I only need Intune ADAL/MSAL authentication to register the app with Intune. This registration then allows the app to receive the app configuration and app protection policies.

    I am not certain how the customer experience will go once the end users upgrade from the version of the app using ADAL to MSAL. I do not know if Intune will re-prompt the user for credentials or just gracefully recognize the previously authenticated user.


    1 person found this answer helpful.

1 additional answer

  1. singhh-msft 2,431 Reputation points

    @Wagner, Chris, thank you for reaching out to us. I assume that your app supports multi-identity. Multi-identity support is a feature of the SDK that enables coexistence of policy-managed (corporate) and unmanaged (personal) accounts in a single app.

    For example, many users configure both corporate and personal email accounts in the Office mobile apps for iOS and Android. When a user accesses data with their corporate account, the IT administrator must be confident that app protection policy will be applied. However, when a user is accessing a personal email account, that data should be outside of the IT administrator's control. The Intune App SDK achieves this by targeting the app protection policy to only the corporate identity in the app.

    You can use the Intune App SDK for using MSAL in your app. The Intune App SDK uses the Microsoft Authentication Library for its authentication and conditional launch scenarios. It also relies on MSAL to register the user identity with the MAM service for management without device enrollment scenarios.

    The objective of the Intune App SDK for iOS is to add management capabilities to iOS applications with minimal code changes. The fewer the code changes, the less time to market, but without affecting the consistency and stability of your mobile application.

    Typically, MSAL requires apps to register with Azure Active Directory (AAD) and create a unique client ID and redirect URI, to guarantee the security of the tokens granted to the app. If your app does not already use MSAL, you will need to configure an app registration in AAD and specify the client ID and redirect URI that the Intune SDK should use.

    If your app does not already use ADAL or MSAL, and you do not need to access any AAD resource, you do not need to set up a client app registration in AAD if you choose to integrate ADAL. If you decide to integrate MSAL, you will need to configure an app registration and override the default Intune client ID and redirect URI. You can follow the Microsoft Intune App SDK for iOS developer guide to set up the same. Let me know if I missed out on something.


    Please "Accept the answer" and upvote if the information helped you. This will help us and others in the community as well.
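
An added example, not part of the original thread or the Intune SDK: a Python check of an app's Info.plist for the two `IntuneMAMSettings` keys named in the accepted answer, plus the client ID and redirect URI override the second answer describes. The `ADALClientId` and `ADALRedirectUri` key names are taken from the Intune App SDK for iOS documentation rather than from this page, the rule that the redirect scheme must be a registered URL scheme is an assumption based on how MSAL redirects work, and the sample plist and all its values are constructed.

```python
import plistlib

# Constructed sample Info.plist; bundle id and client id are placeholders.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleURLTypes</key>
  <array><dict>
    <key>CFBundleURLSchemes</key>
    <array><string>msauth.com.example.app</string></array>
  </dict></array>
  <key>IntuneMAMSettings</key>
  <dict>
    <key>AutoEnrollOnLaunch</key><true/>
    <key>MAMPolicyRequired</key><true/>
    <key>ADALClientId</key><string>00000000-0000-0000-0000-000000000000</string>
    <key>ADALRedirectUri</key><string>msauth.com.example.app://auth</string>
  </dict>
</dict></plist>"""


def check_intune_plist(data):
    """Return a list of findings; an empty list means the settings are consistent."""
    info = plistlib.loads(data)
    mam = info.get("IntuneMAMSettings")
    if not isinstance(mam, dict):
        return ["IntuneMAMSettings dictionary is missing"]
    findings = []
    # The two settings the accepted answer relies on for enrollment at launch.
    for key in ("AutoEnrollOnLaunch", "MAMPolicyRequired"):
        if mam.get(key) is not True:
            findings.append(f"{key} is not set to YES")
    # Override of the default client ID / redirect URI (second answer).
    client_id = mam.get("ADALClientId")
    redirect = mam.get("ADALRedirectUri")
    if bool(client_id) != bool(redirect):
        findings.append("ADALClientId and ADALRedirectUri must be set together")
    if redirect:
        # Assumption: the redirect URI scheme must be registered by the app,
        # otherwise the auth response cannot be routed back to it.
        scheme = redirect.split("://", 1)[0]
        registered = {s for t in info.get("CFBundleURLTypes", [])
                      for s in t.get("CFBundleURLSchemes", [])}
        if scheme not in registered:
            findings.append(f"redirect scheme '{scheme}' not in CFBundleURLSchemes")
    return findings


if __name__ == "__main__":
    print(check_intune_plist(SAMPLE_PLIST) or "Intune plist settings look consistent")
```
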