Microsoft Entra recommendation: Migrate from the Azure Active Directory Authentication Library to the Microsoft Authentication Libraries

Microsoft Entra recommendations is a feature that provides you with personalized insights and actionable guidance to align your tenant with recommended best practices.

This article covers the recommendation to migrate from the Azure Active Directory Authentication Library (ADAL) to the Microsoft Authentication Libraries. This recommendation is called AdalToMsalMigration in the recommendations API in Microsoft Graph.

Description

The 'migrate from ADAL to MSAL' recommendation is created to raise awareness and alert you about all applications using ADAL within your tenant. This recommendation is triggered for tenants with applications using ADAL (Azure Active Directory Authentication Library). It labels any application that requests a token via ADAL as an "ADAL application," including those using both ADAL and MSAL (Microsoft Authentication Library).

Azure Active Directory Authentication Library (ADAL) has been deprecated. We strongly recommend migrating to the Microsoft Authentication Library (MSAL), which replaces ADAL. Microsoft no longer releases new features and security fixes on ADAL. Applications using ADAL will not be able to utilize the latest security features, leaving them vulnerable to future security threats. If you have existing applications that use ADAL, be sure to migrate them to MSAL.

How it works

The system checks daily for new ADAL token requests over the past 30 days. If an application makes no new requests for 30 days, its recommendation status is marked as completed. The overall recommendation status updates to "completed" once all applications meet this criterion. If a new ADAL request is detected for a previously completed application, its status reverts to "active."

Value

MSAL is designed to enable a secure solution without developers having to worry about the implementation details. MSAL simplifies how tokens are acquired, managed, cached, and refreshed. MSAL also uses best practices for resilience. For more information on MSAL supported scenarios, see Migrate applications to MSAL.

Action plan

To identify and get details of all applications in your tenant that are currently using ADAL, you can use Sign-ins Workbook. To get the list of all apps programmatically, you can also use Microsoft Graph API or the Microsoft Graph PowerShell SDK.

Sign-ins Workbook

The Sign-ins Workbook in the Azure portal consolidates logs from various types of sign-in events, including interactive, non-interactive, and service principal sign-ins. This aggregation offers detailed insights into the usage of ADAL applications across your tenant to help you fully understand and manage migration of your ADAL applications. For a more detailed analysis and deeper investigation of ADAL app sign-in data, you can enable the Microsoft Entra Sign-ins workbook in your tenant. This tool supports the migration by providing comprehensive sign-in data insights.

Microsoft Graph API

You can use Microsoft Graph to identify apps that need to be migrated to MSAL. To get started, see How to use Microsoft Graph with Microsoft Entra recommendations.

1. Sign in to Graph Explorer.
2. Select GET as the HTTP method from the dropdown.
3. Set the API version to beta.
4. Run the following query in Microsoft Graph, replacing the <TENANT_ID> placeholder with your tenant ID. This query returns a list of the impacted resources in your tenant.
   • https://graph.microsoft.com/beta/directory/recommendations/<TENANT_ID>_Microsoft.Identity.IAM.Insights.AdalToMsalMigration/impactedResources

The following response provides the details of the impacted resources using ADAL:

{
    "id": "<APPLICATION_ID>",
    "subjectId": "<APPLICATION_ID>",
    "recommendationId": "TENANT_ID_Microsoft.Identity.IAM.Insights.AdalToMsalMigration",
    "resourceType": "app",
    "addedDateTime": "2023-03-29T09:29:01.1708723Z",
    "postponeUntilDateTime": null,
    "lastModifiedDateTime": "0001-01-01T00:00:00Z",
    "lastModifiedBy": "System",
    "displayName": "sample-adal-app",
    "owner": null,
    "rank": 1,
    "portalUrl": "df.onecloud.azure-test.net/#view/Microsoft_AAD_RegisteredApps/ApplicationMenuBlade/~/Branding/appId/{0}",
    "apiUrl": null,
    "status": "completedBySystem",
    "additionalDetails": [
        {
            "key": "Library",
            "value": "ADAL.Net"
        }
    ]
}

Microsoft Graph PowerShell SDK

You can run the following set of commands in Windows PowerShell. These commands use the Microsoft Graph PowerShell SDK to get a list of all applications in your tenant that use ADAL.

1. Open Windows PowerShell as an administrator.

2. Connect to Microsoft Graph:

   • Connect-MgGraph-Tenant <YOUR_TENANT_ID>

3. Select your profile:

   • Select-MgProfile beta

4. Get a list of your recommendations:

   • Get-MgDirectoryRecommendation | Format-List

5. Update the code for your apps using the instructions in How to migrate to MSAL.

Frequently asked questions

Review the following common questions as you work on ADAL to MSAL migration.

Why does it take 30 days to change the status to completed?

To reduce false positives, the service uses a 30 day window for ADAL requests. This way, the service can go several days without an ADAL request and not be falsely marked as completed.

How do I identify the owner of an application in my tenant?

You can locate owner from the recommendation details. Select the resource, which takes you to the application details. Select Owners from the navigation menu.

Can the status change from completed to active?

Yes. If an application was marked as completed - so no ADAL requests were made during the 30 day window - that application would be marked as complete. If the service detects a new ADAL request, the status changes back to active.

How can I integrate Microsoft Entra Sign-ins workbook?

You can find the detailed steps in the Microsoft Entra Sign-ins workbook.

Why is the number of ADAL applications different in the Sign-ins workbook and the recommendation?

• Aggregated Data vs. Transactional Data: The recommendation aggregates data over the last 30 days, providing a summarized view of application activities. Conversely, the Sign-ins workbook details each sign-in request transactionally, allowing for a more detailed analysis.

• Time Frame Flexibility: The Sign-ins workbook data can be filtered from as recently as the last 30 minutes to up to 30 days. This flexibility in selecting the time frame can lead to variations in the application count, potentially skewing the results.

• Access to Historical Data: Viewing data older than 7 days in the Sign-ins workbook requires a Microsoft Entra ID P1 or P2 tenant subscription. This requirement affects the volume of historical data accessible compared to the aggregated data in the recommendation.

Next steps

• Learn how to enable Sign-ins Workbook in your tenant
• Review the Microsoft Entra recommendations overview
• Learn how to use Microsoft Entra recommendations
• Explore the Microsoft Graph API properties for recommendations