Migrate from ADAL to MSAL without specific identity provider

Question

Migrate from ADAL to MSAL without specific identity provider

Wagner, Chris 106

I have an an iOS mobile app written in objective c that is currently using ADAL in it's most basic implementation. Given that it will be deprecated in June 2022, how do I migrate to MSAL when the mobile app does not use ADAL or MSAL for it's own authentication mechanism? ADAL is currently used just to allow Intune auto prompt for user credentials and prompt (outside the scope of the app, prior to app main screen) to determine which provider should manage the app, which user is using the device, receive app configuration values, etc.

Everything I read seems to imply that I must specify a clientID, authority, redirect scheme, etc. Given the app is used and managed by enterprise customers, those values are outside the apps knowledge. ADAL seems to "magically" manage this. Is there a implementation/configuration of MSAL that can simulate the current implementation of ADAL?

Thanks for the help in advance!
Chris

Rakesh Jagatap 11 Reputation points Microsoft External Staff

2021-10-11T17:33:39.337+00:00

Hi, can you please mark your own answer as answered, Doing so helps others find answers to their questions.

Accepted answer

1 additional answer

Your answer

Rakesh Jagatap 11 Reputation points Microsoft External Staff

2021-10-11T17:33:39.337+00:00

Hi, can you please mark your own answer as answered, Doing so helps others find answers to their questions.

Answer 1

After reading the ADAL vs MSAL documentation, here is what i have concluded. If I read the section "Let Intune handle authentication and enrollment at launch" in a very direct way, I determined that if I just replace ADAL with MSAL in the CocoaPods and have the "AutoEnrollOnLaunch=YES" and "MAMPolicyRequired=YES" in the plist file then it appears to work as it did before. For me, the documentation is a little misleading as it gives the impression that you have to implement MSAL when really you just need to include it. This is true when not using the authentication mechanism for app access, just for retrieving the MAM policies.

Since my application processes authentication using a customer specific server, I only need Intune ADAL/MSAL authentication to register the app with Intune. This registration then allows the app to receive the app configuration and app protection policies.

I am not certain on how the customer experience will go once the end users upgrade form the version of the app using ADAL to MSAL. I do not know if Intune will re-prompt the user for credentials or just gracefully recognize the previously authenticated user.

Thanks,
Chris

Answer 2

@Wagner, Chris , thank you for reaching out to us. I assume that your app supports multi-identity. Multi-identity support is a feature of the SDK that enables coexistence of policy-managed (corporate) and unmanaged (personal) accounts in a single app.

For example, many users configure both corporate and personal email accounts in the Office mobile apps for iOS and Android. When a user accesses data with their corporate account, the IT administrator must be confident that app protection policy will be applied. However, when a user is accessing a personal email account, that data should be outside of the IT administrator's control. The Intune App SDK achieves this by targeting the app protection policy to only the corporate identity in the app.

You can use Intune App SDK for using MSAL in your app. The Intune App SDK uses the Microsoft Authentication Library for its authentication and conditional launch scenarios. It also relies on MSAL to register the user identity with the MAM service for management without device enrollment scenarios.

The objective of the Intune App SDK for iOS is to add management capabilities to iOS applications with minimal code changes. The fewer the code changes the less time to market, but without affecting the consistency and stability of your mobile application.

Typically, MSAL requires apps to register with Azure Active Directory (AAD) and create a unique client ID and redirect URI, to guarantee the security of the tokens granted to the app. If your app does not already use MSAL, you will need to configure an app registration in AAD and specify the client ID and redirect URI that the Intune SDK should use.

If your app does not already use ADAL or MSAL, and you do not need to access any AAD resource, you do not need to set up a client app registration in AAD if you choose to integrate ADAL. If you decide to integrate MSAL, you will need to configure an app registration and override the default Intune client ID and redirect URI. You can follow Microsoft Intune App SDK for iOS developer guide to setup the same. Let me know if I missed out on something.

-----------------------------------------------------------------------------------------------------------

Please "Accept the answer" and upvote if the information helped you. This will help us and others in the community as well.

Wagner, Chris 106 Reputation points

2021-09-23T12:39:26.967+00:00

Thanks for the reply.

No the app does not use multi-identity as the app is intended for enterprise customers only. There is not a separation between enterprise and personal data within the app. The vanilla version of the app has a logon screen in which the user authenticates to an enterprise specific server (located at the individual customer). The Intune SDK version needs to prompt with the Microsoft Login screen prior to our app login screen, this way the SDK can determine which enterprise to associate the app with and obtain managed app configuration values.

My current implementation of the app uses ADAL without needing any code changes (for processing the enrolled account) other than retrieving and managing the app configuration and Intune App Protection policies.

So, in short, I have removed the ADAL CocoaPod from my app and I am trying to determine the least invasive way to get the app back to working without using ADAL. I looked at the SDK guide however, it gives me the impression that I do not need to do much of anything with MSAL if I have "AutoEnrollOnLaunch" and "MAMPolicyRequired" both set to TRUE. In doing this, I see the Intune credentials prompt behind a pop-up error the just says "unexpected failure". Not sure if that is the indicator that I need to implement MSAL or not. And if so, what is the minimum amount that needs to be done given I will not know the customers AzureAD/Intune Identity.

Thank you again for the help!
singhh-msft 2,431 Reputation points

2021-09-24T06:43:32.997+00:00

@Wagner, Chris , as I do not have the complete setup of your app, can you please setup MSAL and let me know if it works for you? They both achieve similar goals. I would suggest you to remove all settings related to ADAL and setup just MSAL as per the guide shared above. Also, you can find a similar query around this here.
singhh-msft 2,431 Reputation points

2021-09-28T03:15:47.423+00:00

@Wagner, Chris , just checking in to see if you got a chance to see my response.
Wagner, Chris 106 Reputation points

2021-09-28T12:49:15.873+00:00

I did see your response and I am currently working on verifying the changeover. I have switched the cocoa pod to MSAL and I am testing to verify that the change works. It is just time consuming as once a device is registered, it appears that the most efficient way to de-register and start over is to reset the entire device.

Thanks and I will follow-up with you once I have more information.

Share via

Migrate from ADAL to MSAL without specific identity provider

1 additional answer

Your answer