APIM Identity Provider sets ClientLibrary to ADAL despite MSAL being chosen

Gottling Sebastian 0 Reputation points
2026-05-22T11:04:27.4333333+00:00

When running this request (https://learn.microsoft.com/en-us/rest/api/apimanagement/identity-provider/create-or-update?view=rest-apimanagement-2024-05-01&tabs=HTTP&source=docs#identityprovidertype) like so:

    az rest \
      --method put \
      --url "https://management.azure.com/subscriptions/******/resourceGroups/******/providers/Microsoft.ApiManagement/service/******/identityProviders/aad?api-version=2024-05-01" \
      --headers "Content-Type=application/json" \
      --body "{
        \"properties\": {
          \"clientId\": \"******\",
          \"clientSecret\": \"******\",
          \"signinTenant\": \"******\",
          \"clientLibrary\": \"MSAL\",
          \"allowedTenants\": [\"******\"]
        }
      }"

When looking at the identity provider in API Management, ADAL is chosen despite MSAL being set in the request. I tried adding properties.authority to the request, but this just failed with this:
Bad Request({"error":{"code":"ValidationError","message":"One or more fields contain incorrect values:","details":[{"code":"ValidationError","target":"Authority","message":"Azure Active Directory authority is not valid."}]}})

Tried this with both the actual discovery endpoint and the base endpoint:
https://login.microsoftonline.com/*****/v2.0/.well-known/openid-configuration
https://login.microsoftonline.com/*****/v2.0

Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.


3 answers

  1. Pravallika KV 17,025 Reputation points Microsoft External Staff Moderator
    2026-05-22T12:32:39.2466667+00:00

    Hi @Gottling Sebastian ,

    You’re hitting a known quirk: when you set clientLibrary to “MSAL” in the Create/Update call, APIM today still falls back to ADAL unless you explicitly use the value “MSAL-2”. In other words, right now the service expects “MSAL-2” for v2.0 endpoints.

    Here’s how you can fix it:

    1. Change your body to use clientLibrary = "MSAL-2", for example:

       {
         "properties": {
           "clientId": "*****",
           "clientSecret": "*****",
           "signinTenant": "*****",
           "clientLibrary": "MSAL-2",
           "allowedTenants": ["*****"]
         }
       }

    2. Run your az rest PUT again against …/identityProviders/aad?api-version=2024-05-01
    3. Republish the developer portal (and clear your browser cache just in case).

    After that you should see MSAL selected in the portal instead of ADAL.

    Hope this helps!


  2. kagiyama yutaka 3,605 Reputation points
    2026-05-22T12:23:58.7633333+00:00

    In my opinion, the AI answer incorrectly states that only the portal is supported and that REST may not honor clientLibrary, but this contradicts the ARM schema, which officially exposes clientLibrary as a writable property.


  3. AI answer
    2026-05-22T11:04:48.5033333+00:00

    clientLibrary is a valid property on the API Management identity provider resource, but the value is constrained and interpreted by the APIM service, not taken verbatim from the PUT body.

    From the ARM/REST schema for Microsoft.ApiManagement/service/identityProviders, clientLibrary is:

    The client library to be used in the developer portal. Only applies to AAD and AAD B2C Identity Provider. (string, max length 16)

    The behavior observed (portal still showing ADAL after sending "clientLibrary": "MSAL") indicates that the service either:

    • Ignores or normalizes unsupported values for clientLibrary, or
    • Does not yet honor clientLibrary changes via the 2024-05-01 REST API in the way the portal expects.

    The supported and documented way to switch an existing ADAL-based identity provider to MSAL for the developer portal is through the Azure portal, not via direct REST/ARM:

    1. In Azure portal, open the API Management instance.
    2. Select Identities.
    3. Select the Microsoft Entra ID (AAD) or Azure Active Directory B2C identity provider.
    4. In Client library, select MSAL.
    5. Select Update.
    6. Republish the developer portal.

    This flow is the documented path for migrating from ADAL to MSAL in API Management and is required to avoid the ADAL retirement impact on 30 September 2025.

    Regarding authority, the schema describes it as:

    OpenID Connect discovery endpoint hostname for AAD or AAD B2C.

    That means only the hostname is expected (for example, login.microsoftonline.com or the B2C authority host), not the full discovery URL or tenant-specific path. Passing the full .../v2.0/.well-known/openid-configuration or .../v2.0 URL will fail validation with the Authority is not valid error seen.

    To summarize the two issues:

    • To reliably switch to MSAL for the developer portal today, use the Azure portal Identities blade and then republish the developer portal, as documented for the ADAL retirement migration.
    • If setting authority via REST/ARM, only provide the hostname (no path), because the property is defined as the discovery endpoint hostname, not the full URL.

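Added example, not code from the thread, from Azure or from Microsoft: a Python pre-flight check and post-deployment verifier that covers both failure modes discussed above, the clientLibrary value from answer 1 (only "MSAL-2" selects MSAL; plain "MSAL" ends up as ADAL) and the authority format from the AI answer (a bare discovery-endpoint hostname, not a URL). Assumptions: the accepted clientLibrary values are exactly "ADAL" and "MSAL-2" as answer 1 states; the 16-character limit is the schema text quoted in the AI answer; all subscription, resource group, service and tenant values are placeholders.

```python
"""Pre-flight validation and post-deployment verification for the APIM
identity-provider PUT body discussed in this thread.

Added example, not code from the thread, Azure or Microsoft. Assumptions
(labelled): the accepted clientLibrary values are exactly "ADAL" and
"MSAL-2" (answer 1); "authority" is a bare discovery-endpoint hostname
(schema text quoted in the AI answer); resource names are placeholders.
"""
import json
import shlex
from urllib.parse import urlparse

# Assumption from answer 1: plain "MSAL" is not accepted and APIM falls back
# to ADAL; "MSAL-2" selects the v2.0 (MSAL) library.
ACCEPTED_CLIENT_LIBRARIES = {"ADAL", "MSAL-2"}
CLIENT_LIBRARY_MAX_LEN = 16          # from the schema quoted in the thread
URL_MARKERS = ("://", "/", "?")      # anything URL-like is not a hostname


def validate_identity_provider_body(body):
    """Return a list of problems in a PUT body (empty list means it is OK)."""
    problems = []
    props = body.get("properties")
    if not isinstance(props, dict):
        return ["body must contain a 'properties' object"]

    lib = props.get("clientLibrary")
    if lib is not None:
        if lib not in ACCEPTED_CLIENT_LIBRARIES:
            problems.append(
                f"clientLibrary {lib!r} is not accepted; use 'MSAL-2' "
                "(plain 'MSAL' silently falls back to ADAL)")
        if len(lib) > CLIENT_LIBRARY_MAX_LEN:
            problems.append("clientLibrary exceeds the 16-character maximum")

    authority = props.get("authority")
    if authority is not None and any(m in authority for m in URL_MARKERS):
        problems.append(
            f"authority {authority!r} must be a bare hostname such as "
            "'login.microsoftonline.com', not a URL or discovery path")

    # The original post's body had doubled quotes around these values,
    # which produces invalid JSON; catch the same mistake in a dict.
    tenant = props.get("signinTenant")
    if isinstance(tenant, str) and '"' in tenant:
        problems.append("signinTenant contains stray quote characters")
    tenants = props.get("allowedTenants", [])
    if not isinstance(tenants, list) or any(
            not isinstance(t, str) or '"' in t for t in tenants):
        problems.append("allowedTenants must be a list of plain tenant strings")
    return problems


def normalize_authority(value):
    """Reduce a full discovery URL (or host/path) to the bare hostname."""
    if "://" in value:
        return urlparse(value).hostname or value
    return value.split("/")[0].split("?")[0]


def build_az_rest_command(subscription, resource_group, service, body):
    """Render the equivalent 'az rest' PUT with a correctly quoted body."""
    url = (f"https://management.azure.com/subscriptions/{subscription}"
           f"/resourceGroups/{resource_group}"
           f"/providers/Microsoft.ApiManagement/service/{service}"
           f"/identityProviders/aad?api-version=2024-05-01")
    return " ".join([
        "az rest --method put",
        "--url", shlex.quote(url),
        "--headers", shlex.quote("Content-Type=application/json"),
        "--body", shlex.quote(json.dumps(body)),
    ])


def verify_client_library(get_response_json, expected="MSAL-2"):
    """Confirm, from a GET on the identity provider, which library is set."""
    props = json.loads(get_response_json).get("properties", {})
    return props.get("clientLibrary") == expected


if __name__ == "__main__":
    # Constructed sample mirroring the original post (placeholder values).
    proposed = {"properties": {
        "clientId": "<client-id>", "clientSecret": "<client-secret>",
        "signinTenant": "<tenant-id>", "clientLibrary": "MSAL",
        "allowedTenants": ["<tenant-id>"],
        "authority": "https://login.microsoftonline.com/<tenant-id>/v2.0"}}
    for problem in validate_identity_provider_body(proposed):
        print("problem:", problem)
    fixed = json.loads(json.dumps(proposed))
    fixed["properties"]["clientLibrary"] = "MSAL-2"
    fixed["properties"]["authority"] = normalize_authority(
        fixed["properties"]["authority"])
    print(build_az_rest_command("<sub>", "<rg>", "<apim>", fixed))
```

After running the rendered PUT, a GET on the same URL (`az rest --method get --url ...`) returns the stored resource; feeding that JSON to `verify_client_library` confirms whether the service kept "MSAL-2" rather than reverting to ADAL, which is the check the original post was missing before republishing the developer portal.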
