Migrate applications to the Microsoft Authentication Library (MSAL)

If any of your applications use the Azure Active Directory Authentication Library (ADAL) for authentication and authorization functionality, it's time to migrate them to the Microsoft Authentication Library (MSAL).

  • All Microsoft support and development for ADAL, including security fixes, ends in December, 2022.
  • There are no ADAL feature releases or new platform version releases planned prior to December, 2022.
  • No new features have been added to ADAL since June 30, 2020.

Warning

If you choose not to migrate to MSAL before ADAL support ends in December, 2022, you put your app's security at risk. Existing apps that use ADAL will continue to work after the end-of-support date, but Microsoft will no longer release security fixes on ADAL.

Why switch to MSAL?

To understand 'Why MSAL?', it's important to first understand the differences between Microsoft identity platform (v2.0) and Azure Active Directory (v1.0) endpoints. The v1.0 endpoint is used by Azure AD Authentication Library (ADAL) while the v2.0 endpoint is used by Microsoft Authentication Library (MSAL). If you've developed apps against the v1.0 endpoint in the past, you're likely using ADAL. Since the v2.0 endpoint has changed significantly enough, the new library (MSAL) was built for the new endpoint entirely.

The following diagram shows the v2.0 vs v1.0 endpoint experience at a high level, including the app registration experience, SDKs, endpoints, and supported identities.

Diagram that shows the v1.0 versus the v2.0 architecture.

MSAL leverages all the benefits of Microsoft identity platform (v2.0) endpoint.

MSAL is designed to enable a secure solution without developers having to worry about the implementation details. it simplifies and manages acquiring, managing, caching, and refreshing tokens, and uses best practices for resilience. We recommend you use MSAL to increase the resilience of authentication and authorization in client applications that you develop.

MSAL provides multiple benefits over ADAL, including the following features:

Features MSAL ADAL
Security
Security fixes beyond December, 2022 Security fixes beyond December, 2022 - MSAL provides the feature Security fixes beyond December, 2022 - ADAL doesn't provide the feature
Proactively refresh and revoke tokens based on policy or critical events for Microsoft Graph and other APIs that support Continuous Access Evaluation (CAE). Proactively refresh and revoke tokens based on policy or critical events for Microsoft Graph and other APIs that support Continuous Access Evaluation (CAE) - MSAL provides the feature Proactively refresh and revoke tokens based on policy or critical events for Microsoft Graph and other APIs that support Continuous Access Evaluation (CAE) - ADAL doesn't provide the feature
Standards compliant with OAuth v2.0 and OpenID Connect (OIDC) Standards compliant with OAuth v2.0 and OpenID Connect (OIDC) - MSAL provides the feature Standards compliant with OAuth v2.0 and OpenID Connect (OIDC) - ADAL doesn't provide the feature
User accounts and experiences
Azure Active Directory (Azure AD) accounts Azure Active Directory (Azure AD) accounts - MSAL provides the feature Azure Active Directory (Azure AD) accounts - ADAL provides the feature
Microsoft account (MSA) Microsoft account (MSA) - MSAL provides the feature Microsoft account (MSA) - ADAL doesn't provide the feature
Azure AD B2C accounts Azure AD B2C accounts - MSAL provides the feature Azure AD B2C accounts - ADAL doesn't provide the feature
Best single sign-on experience Best single sign-on experience - MSAL provides the feature Best single sign-on experience - ADAL doesn't provide the feature
Resilience
Proactive token renewal Proactive token renewal - MSAL provides the feature Proactive token renewal - ADAL doesn't provide the feature
Throttling Throttling - MSAL provides the feature Throttling - ADAL doesn't provide the feature

Additional Capabilities of MSAL over ADAL

  • Auth broker support – Device-based Conditional Access policy
  • Proof of possession tokens
  • Azure AD certificate-based authentication (CBA) on mobile
  • System browsers on mobile devices
  • Where ADAL had only authentication context class, MSAL exposes the notion of a collection of client apps (public client and confidential client).

AD FS support in MSAL.NET

You can use MSAL.NET, MSAL Java, and MSAL Python to get tokens from Active Directory Federation Services (AD FS) 2019 or later. Earlier versions of AD FS, including AD FS 2016, are unsupported by MSAL.

If you need to continue using AD FS, you should upgrade to AD FS 2019 or later before you update your applications from ADAL to MSAL.

How to migrate to MSAL

Before you start the migration, you need to identify which of your apps are using ADAL for authentication. Follow the steps in this article to get a list by using the Azure portal:

After identifying your apps that use ADAL, migrate them to MSAL depending on your application type as illustrated below.

Single-page app (SPA)

MSAL Supports a wide range of application types and scenarios. Please refer to Microsoft Authentication Library support for several application types.

ADAL to MSAL Migration Guide for different platforms are available in the following link.

Migration help

If you have questions about migrating your app from ADAL to MSAL, here are some options:

  • Post your question on Microsoft Q&A and tag it with [azure-ad-adal-deprecation].
  • Open an issue in the library's GitHub repository. See the Languages and frameworks section of the MSAL overview article for links to each library's repo.

If you partnered with an Independent Software Vendor (ISV) in the development of your application, we recommend that you contact them directly to understand their migration journey to MSAL.

Next steps

For more information about MSAL, including usage information and which libraries are available for different programming languages and application types, see: