Azure Active Directory Authentication Library
Warning: This content is for the older Azure AD v1.0 endpoint. Use the Microsoft identity platform for new projects.
The Azure Active Directory Authentication Library (ADAL) v1.0 enables application developers to authenticate users to cloud or on-premises Active Directory (AD), and obtain tokens for securing API calls. ADAL makes authentication easier for developers through features such as:
- Configurable token cache that stores access tokens and refresh tokens
- Automatic token refresh when an access token expires and a refresh token is available
- Support for asynchronous method calls
Note: Looking for the Azure AD v2.0 libraries? Check out the MSAL library guide.
Warning: Azure Active Directory Authentication Library (ADAL) has been deprecated. Please use the Microsoft Authentication Library (MSAL). If you have existing applications that use ADAL, be sure to migrate them to MSAL.
Microsoft-supported Client Libraries
Platform | Library | Download | Source Code | Sample | Reference |
---|---|---|---|---|---|
.NET Client, Windows Store, UWP, Xamarin iOS and Android | ADAL .NET v3 | NuGet | GitHub | Desktop app | |
JavaScript | ADAL.js | GitHub | GitHub | Single-page app | |
iOS, macOS | ADAL | GitHub | GitHub | iOS app | |
Android | ADAL | Maven | GitHub | Android app | JavaDocs |
Node.js | ADAL | npm | GitHub | Node.js web app | Reference |
Java | ADAL4J | Maven | GitHub | Java web app | Reference |
Python | ADAL | GitHub | GitHub | Python web app | Reference |
Microsoft-supported Server Libraries
Platform | Library | Download | Source Code | Sample | Reference |
---|---|---|---|---|---|
.NET | OWIN for AzureAD | NuGet | GitHub | MVC App | |
.NET | OWIN for OpenIDConnect | NuGet | GitHub | Web App | |
.NET | OWIN for WS-Federation | NuGet | GitHub | MVC Web App | |
.NET | Identity Protocol Extensions for .NET 4.5 | NuGet | GitHub | | |
.NET | JWT Handler for .NET 4.5 | NuGet | GitHub | | |
Node.js | Azure AD Passport | npm | GitHub | Web API | |
Scenarios
Here are three common scenarios for using ADAL in a client that accesses a remote resource:
Authenticating users of a native client application running on a device
In this scenario, a developer has a mobile client or desktop application that needs to access a remote resource, such as a web API. The web API does not allow anonymous calls and must be called in the context of an authenticated user. The web API is pre-configured to trust access tokens issued by a specific Azure AD tenant. Azure AD is pre-configured to issue access tokens for that resource. To invoke the web API from the client, the developer uses ADAL to facilitate authentication with Azure AD. The most secure way to use ADAL is to have it render the user interface for collecting user credentials (rendered as a browser window), so the application itself never handles the user's password.
ADAL makes it easy to authenticate the user, obtain an access token and refresh token from Azure AD, and then call the web API using the access token.
For a code sample that demonstrates this scenario using authentication to Azure AD, see Native Client WPF Application to Web API.
Authenticating a confidential client application running on a web server
In this scenario, a developer has an application running on a server that needs to access a remote resource, such as a web API. The web API does not allow anonymous calls, so it must be called from an authorized service. The web API is pre-configured to trust access tokens issued by a specific Azure AD tenant. Azure AD is pre-configured to issue access tokens for that resource to a service with client credentials (client ID and secret). ADAL facilitates authentication of the service with Azure AD, returning an access token that can be used to call the web API. ADAL also manages the lifetime of the access token by caching it and renewing it as necessary. For a code sample that demonstrates this scenario, see Daemon console Application to Web API.
Authenticating a confidential client application running on a server, on behalf of a user
In this scenario, a developer has a web application running on a server that needs to access a remote resource, such as a web API. The web API does not allow anonymous calls, so it must be called from an authorized service on behalf of an authenticated user. The web API is pre-configured to trust access tokens issued by a specific Microsoft Entra tenant, and Microsoft Entra ID is pre-configured to issue access tokens for that resource to a service with client credentials. Once the user is authenticated in the web application, the application can get an authorization code for the user from Microsoft Entra ID. The web application can then use ADAL to obtain an access token and refresh token from Microsoft Entra ID on behalf of the user, using the authorization code together with the client credentials associated with the application. Once the web application is in possession of the access token, it can call the web API until the token expires. When the token expires, the web application can use ADAL to get a new access token by using the refresh token that was previously received. For a code sample that demonstrates this scenario, see Native client to Web API to Web API.
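The two confidential-client scenarios above (client credentials, and authorization code followed by refresh) together with the token cache and automatic refresh listed as ADAL features at the top of the page, as an added Python example that is not ADAL's own code and not Microsoft's. The real v1.0 token endpoint is an HTTPS POST to https://login.microsoftonline.com/{tenant}/oauth2/token with the form fields used below (grant_type, resource, client_id, client_secret, code, refresh_token); here a constructed in-memory fake answers those requests so the example runs offline. The class and method names, the resource URL, client ID, secret, user name and authorization code are all assumptions for illustration. Two defensive details are made explicit: the endpoint rejects a second redemption of the same authorization code, and every refresh rotates the refresh token so the one just used no longer works.

```python
import secrets
import time
from collections import namedtuple
from typing import Callable, Dict, Optional

CachedToken = namedtuple("CachedToken", "access_token expires_on refresh_token")


class FakeV1TokenEndpoint:
    """Constructed in-memory stand-in for the Azure AD v1.0 /oauth2/token endpoint (no network)."""

    def __init__(self, client_id: str, client_secret: str, resource: str, lifetime: int = 3600):
        self.client_id, self.client_secret, self.resource, self.lifetime = client_id, client_secret, resource, lifetime
        self.codes: Dict[str, str] = {}           # authorization code -> user (single-use)
        self.refresh_tokens: Dict[str, str] = {}  # refresh token -> user (single-use, rotated)

    def post(self, form: Dict[str, str]) -> Dict[str, str]:
        # Answer one form POST with the dict the real endpoint would return as JSON.
        if (form.get("client_id"), form.get("client_secret")) != (self.client_id, self.client_secret):
            return {"error": "invalid_client"}
        if form.get("resource") != self.resource:
            return {"error": "invalid_resource"}
        grant = form.get("grant_type")
        if grant == "client_credentials":  # app-only token: no user, hence no refresh token
            return self._issue(self.client_id, with_refresh=False)
        if grant == "authorization_code":  # redeemed once for the signed-in user
            user = self.codes.pop(form.get("code", ""), None)
        elif grant == "refresh_token":     # rotated: the presented refresh token is invalidated
            user = self.refresh_tokens.pop(form.get("refresh_token", ""), None)
        else:
            return {"error": "unsupported_grant_type"}
        return self._issue(user, with_refresh=True) if user else {"error": "invalid_grant"}

    def _issue(self, subject: str, with_refresh: bool) -> Dict[str, str]:
        token = {"token_type": "Bearer", "expires_in": str(self.lifetime), "resource": self.resource,
                 "access_token": f"{subject}.{secrets.token_hex(8)}"}  # opaque stand-in for a signed JWT
        if with_refresh:
            token["refresh_token"] = secrets.token_urlsafe(24)
            self.refresh_tokens[token["refresh_token"]] = subject
        return token


class TokenCache:
    """Client side: serve a cached token while valid, refresh it on expiry, else demand a new sign-in."""

    def __init__(self, post: Callable[[dict], dict], clock: Callable[[], float] = time.time, skew: int = 300):
        self.post, self.clock, self.skew = post, clock, skew  # skew: renew this many seconds before expiry
        self.entries: Dict[tuple, CachedToken] = {}
        self.requests = 0  # token-endpoint round-trips, exposed for inspection

    def _request(self, form: dict) -> CachedToken:
        self.requests += 1
        resp = self.post(form)
        if "error" in resp:
            raise PermissionError(resp["error"])
        return CachedToken(resp["access_token"], self.clock() + int(resp["expires_in"]), resp.get("refresh_token"))

    def _fresh(self, entry: Optional[CachedToken]) -> bool:
        return entry is not None and entry.expires_on - self.skew > self.clock()

    def acquire_token_with_client_credentials(self, resource, client_id, client_secret) -> str:
        key = (resource, client_id, None)
        if not self._fresh(self.entries.get(key)):
            self.entries[key] = self._request({"grant_type": "client_credentials", "resource": resource,
                                               "client_id": client_id, "client_secret": client_secret})
        return self.entries[key].access_token

    def acquire_token_with_authorization_code(self, code, resource, client_id, client_secret, user) -> str:
        entry = self._request({"grant_type": "authorization_code", "code": code, "resource": resource,
                               "client_id": client_id, "client_secret": client_secret})
        self.entries[(resource, client_id, user)] = entry
        return entry.access_token

    def acquire_token_silent(self, resource, client_id, client_secret, user) -> str:
        key = (resource, client_id, user)
        entry = self.entries.get(key)
        if self._fresh(entry):
            return entry.access_token
        if entry is None or entry.refresh_token is None:
            raise PermissionError("interaction_required")  # send the user through sign-in again
        self.entries[key] = self._request({"grant_type": "refresh_token", "refresh_token": entry.refresh_token,
                                           "resource": resource, "client_id": client_id, "client_secret": client_secret})
        return self.entries[key].access_token


def demo() -> Dict[str, object]:
    now = [1_700_000_000.0]                                             # controllable clock
    res, cid, sec = "https://api.example/", "app-id", "app-secret"      # constructed identifiers
    aad = FakeV1TokenEndpoint(cid, sec, res)
    cache = TokenCache(aad.post, clock=lambda: now[0])
    app1 = cache.acquire_token_with_client_credentials(res, cid, sec)
    app2 = cache.acquire_token_with_client_credentials(res, cid, sec)   # served from cache
    now[0] += 3600                                                      # token lifetime elapses
    app3 = cache.acquire_token_with_client_credentials(res, cid, sec)   # renewed with a new grant
    aad.codes["c0de-1"] = "alice"                                       # what the redirect carries after sign-in
    usr1 = cache.acquire_token_with_authorization_code("c0de-1", res, cid, sec, "alice")
    replay = aad.post({"grant_type": "authorization_code", "code": "c0de-1", "resource": res,
                       "client_id": cid, "client_secret": sec})         # second redemption of the same code
    now[0] += 3600
    usr2 = cache.acquire_token_silent(res, cid, sec, "alice")           # refreshed; refresh token rotated
    return {"app_cached": app1 == app2, "app_renewed": app3 != app1, "code_replay": replay.get("error"),
            "user_refreshed": usr2 != usr1, "requests": cache.requests}
```

Running demo() shows the cache answering the second app-only call without a round-trip, renewing after the lifetime has elapsed, rejecting the replayed authorization code with invalid_grant, and refreshing the user's token silently. The `skew` value renews a token a few minutes before its `expires_in` deadline so a call issued right at expiry does not fail with a 401; the `interaction_required` error is the signal that the application must send the user back through sign-in rather than retrying with stale credentials.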