Sign in users in sample iOS (Swift) mobile app

This guide demonstrates how to configure a sample iOS mobile application to sign in users.

In this article, you do the following tasks:

• Register an application in the Microsoft Entra admin center.
• Add a platform redirect URL.
• Enable public client flows.
• Update the iOS configuration code sample file to use your own Microsoft Entra External ID for external tenant details.
• Run and test the sample iOS mobile application.

Prerequisites

• Xcode.
• An external tenant. If you don't already have one, sign up for a free trial.

Register an application

To enable your application to sign in users with Microsoft Entra, Microsoft Entra External ID must be made aware of the application you create. The app registration establishes a trust relationship between the app and Microsoft Entra. When you register an application, External ID generates a unique identifier known as an Application (client) ID, a value used to identify your app when creating authentication requests.

The following steps show you how to register your app in the Microsoft Entra admin center:

1. Sign in to the Microsoft Entra admin center as at least an Application Developer.

2. If you have access to multiple tenants, use the Settings icon in the top menu to switch to your external tenant from the Directories + subscriptions menu.

3. Browse to Identity >Applications > App registrations.

4. Select + New registration.

5. In the Register an application page that appears;

   1. Enter a meaningful application Name that is displayed to users of the app, for example ciam-client-app.
   2. Under Supported account types, select Accounts in this organizational directory only.

6. Select Register.

7. The application's Overview pane displays upon successful registration. Record the Application (client) ID to be used in your application source code.

Add a platform redirect URL

To specify your app type to your app registration, follow these steps:

1. Under Manage, select Authentication.
2. On the Platform configurations page, select Add a platform, and then select iOS / macOS option.
3. Enter your project's Bundle ID. If you downloaded the sample code, this value is com.microsoft.identitysample.ciam.MSALiOS.
4. Select Configure and save the MSAL Configuration that appears in the iOS / macOS configuration pane so you can enter it when you configure your app later.
5. Select Done.

Enable public client flow

To identify your app as a public client, follow these steps:

1. Under Manage, select Authentication.

2. Under Advanced settings, for Allow public client flows, select Yes.

3. Select Save to save your changes.

Grant admin consent

1. From the App registrations page, select the application that you created (such as ciam-client-app) to open its Overview page.

2. Under Manage, select API permissions. From the Configured permissions list, your application has been assigned the User.Read permission. However, since the tenant is an external tenant, the consumer users themselves can't consent to this permission. You as the admin must consent to this permission on behalf of all the users in the tenant:

   1. Select Grant admin consent for <your tenant name>, then select Yes.
   2. Select Refresh, then verify that Granted for <your tenant name> appears under Status for both scopes.

Clone sample iOS mobile application

To obtain the sample application, you can either clone it from GitHub or download it as a .zip file.

• To clone the sample, open a command prompt and navigate to where you wish to create the project, and enter the following command:

  git clone https://github.com/Azure-Samples/ms-identity-ciam-browser-delegated-ios-sample.git
  

Configure the sample iOS mobile application

To enable authentication and access to Microsoft Graph resources, configure the sample by following these steps:

1. In Xcode, open the project that you cloned.

2. Open /MSALiOS/Configuration.swift file.

3. Find the placeholder:

   • Enter_the_Application_Id_Here and replace it with the Application (client) ID of the app you registered earlier.
   • Enter_the_Redirect_URI_Here and replace it with the value of kRedirectUri in the Microsoft Authentication Library (MSAL) configuration file you downloaded earlier when you added the platform redirect URL.
   • Enter_the_Protected_API_Scopes_Here and replace it with the scopes recorded in Grant admin concent. If you haven't recorded any scopes, you can leave this scope list empty.
   • Enter_the_Tenant_Subdomain_Here and replace it with the Directory (tenant) subdomain. For example, if your tenant primary domain is contoso.onmicrosoft.com, use contoso. If you don't know your tenant subdomain, learn how to read your tenant details.

You've configured the app and it's ready to run.

Run and test the iOS sample app

To build and run your app, follow these steps:

1. To build and run your code, select Run from the Product menu in Xcode. After a successful build, Xcode will launch the sample app in the Simulator.
2. Select Acquire Token Interactively to request an access token.
3. If you select API - Perform GET to call a protected ASP.NET Core web API, you will get an error.

For more information about calling a protected web API, see our Next steps

Next steps

• Sign in users and call a protected web API in sample iOS (Swift) app.