Review app authentication library changes

This article is part of step 3: review app details of the process to migrate apps.

Most apps use an authentication library to acquire and manage access tokens to call Microsoft Graph. Microsoft offers two authentication libraries:

Updating ADAL

If your app still uses ADAL, use a two-stage migration approach:

  1. Update your app to acquire access tokens for Microsoft Graph. Continue to use ADAL for this step. Update the resourceURL, which holds the URI representing the resource web API, from:


    Newly acquired tokens have the same scopes after this change, but the audience of the access tokens is now Microsoft Graph.

    Once you update resourceURL and verified functionality, release an interim update for your app users.

  2. Next, begin migrating your app to use MSAL, which is the only supported library, now that ADAL is retired.

Migrating to MSAL

MSAL provides multiple benefits over ADAL, including incremental consent, richer single sign-on experiences, support for personal Microsoft accounts, and use of standards-based protocols.

When you switch your app over to MSAL, you need to make a few changes, including setting the scopes parameter in the token acquisition request:

var scopes = new string[] { "" };

The expression above limits the permission scopes request to the scopes configured during application registration in the Microsoft Entra admin center, and saves your existing users from having to consent to your app again.

Learn .NET client library differences between Azure Active Directory (Azure AD) Graph and Microsoft Graph.

See Migrate applications to the Microsoft Authentication Library (MSAL) for direct and extensive help with the process, including troubleshooting and help with common errors.

Once you migrate to MSAL, you can request more scopes dynamically, and users are prompted to provide incremental consent the next time they use your app.

Next step