`ADAuthenticationContext` is the first object an ADAL app creates. It represents an instantiation of ADAL. Apps create a new instance of `ADAuthenticationContext` for each Azure Active Directory cloud and tenant (authority) combination. The same `ADAuthenticationContext` can be used to get tokens for multiple public client applications.

MSAL instead uses the `MSALPublicClientApplication` object, which is modeled after the OAuth 2.0 public client. One instance of `MSALPublicClientApplication` can be used to interact with multiple AAD clouds and tenants, without needing to create a new instance for each authority. For most apps, one `MSALPublicClientApplication` instance is sufficient.

ADAL uses resource identifiers such as `https://graph.microsoft.com`
to acquire tokens from the Azure Active Directory v1.0 endpoint. A resource can define a number of scopes, or `oAuth2Permissions` in the app manifest, that it understands. This allowed client apps to request tokens from that resource for a certain set of scopes pre-defined during app registration.

MSAL uses scopes instead of resources, for example `https://graph.microsoft.com/user.read`. If an app requests the scopes

`@[@"https://graph.microsoft.com/directory.read", @"https://graph.microsoft.com/directory.write"]`

the user is asked to consent to the `directory.read` and `directory.write` permissions if they haven't consented to them before for this app. The application might also receive additional permissions that the user has already consented to for the application. The user will only be prompted to consent to new permissions, or permissions that haven't been granted.

The `/.default` scope is built from the ADAL resource. This can be useful when migrating to ensure that a similar set of scopes and user experience is maintained. To construct a `/.default` scope, append `/.default` to the resource identifier. For example: `https://graph.microsoft.com/.default`. If your resource ends with a slash (`/`), you should still append `/.default`, including the leading forward slash, resulting in a scope that has a double forward slash (`//`) in it.
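The scope construction described above, including the trailing-slash case, as an added example (not code from the migration guide; the helper names are assumptions, and the custom-API resource is a constructed sample):

```objective-c
#import <Foundation/Foundation.h>

// Appends "/.default" to an ADAL resource identifier. The identifier is used
// verbatim, so a resource that already ends in "/" yields a scope that contains
// "//" (for example "https://host/api//.default"), which is the expected result.
static NSString *MSALDefaultScopeForResource(NSString *resource)
{
    return [resource stringByAppendingString:@"/.default"];
}

// Builds explicit permission scopes ("<resource>/<permission>") for a resource
// whose identifier has no trailing slash, e.g. directory.read and directory.write.
static NSArray<NSString *> *MSALScopesForPermissions(NSString *resource,
                                                     NSArray<NSString *> *permissions)
{
    NSMutableArray<NSString *> *scopes = [NSMutableArray arrayWithCapacity:permissions.count];
    for (NSString *permission in permissions)
    {
        [scopes addObject:[NSString stringWithFormat:@"%@/%@", resource, permission]];
    }
    return [scopes copy];
}

int main(int argc, const char *argv[])
{
    @autoreleasepool
    {
        // Graph resource from the guide: single slash before ".default".
        NSLog(@"%@", MSALDefaultScopeForResource(@"https://graph.microsoft.com"));

        // Constructed sample: a hypothetical API whose identifier ends with "/";
        // the resulting scope keeps the double slash rather than collapsing it.
        NSLog(@"%@", MSALDefaultScopeForResource(@"https://contoso.example/api/"));

        // Explicit permissions instead of /.default.
        NSLog(@"%@", MSALScopesForPermissions(@"https://graph.microsoft.com",
                                               @[@"directory.read", @"directory.write"]));
    }
    return 0;
}
```

Because the resource identifier is not normalised, a migration that strips the trailing slash before appending `/.default` would request a different scope than the one the app's registration expects; keeping the identifier as-is is the safer default.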
MSAL does not support `UIWebView`, which can improve the user experience and security. `WKWebView` provides the user experience most similar to ADAL on iOS and macOS. We encourage you to migrate to `ASWebAuthenticationSession` on iOS, if possible. For macOS, we encourage you to use `WKWebView`.

In ADAL, after calling `acquireToken()`
or `acquireTokenSilent()`, you receive an `ADUserInformation` object containing a list of claims from the `id_token` that represents the account being authenticated. Additionally, `ADUserInformation` returns a `userId` based on the `upn` claim. After the initial interactive token acquisition, ADAL expects the developer to provide `userId` in all silent calls.

MSAL also returns the claims from the `id_token`, as part of the `MSALAccount` object inside the `MSALResult` object. The MSAL account identifier (the `identifier` property in the `MSALAccount` object) isn't displayable, and you can't assume what format it is in, nor should you try to interpret or parse it.

Most apps that use ADAL store the `userId`, which doesn't have the `identifier` required by MSAL. As a one-time migration step, an app can query an MSAL account using ADAL's `userId` with the following API:

`- (nullable MSALAccount *)accountForUsername:(nonnull NSString *)username error:(NSError * _Nullable __autoreleasing * _Nullable)error;`

The app should then persist the returned account's `identifier`. After that, only `identifier` should be used for account lookups, by using the following API:

`- (nullable MSALAccount *)accountForIdentifier:(nonnull NSString *)identifier error:(NSError * _Nullable __autoreleasing * _Nullable)error;`

While it's possible to continue using `userId` for all operations in MSAL, since `userId` is based on the UPN, it's subject to multiple limitations that result in a bad user experience. For example, if the UPN changes, the user has to sign in again. We recommend all apps use the non-displayable account `identifier` for all operations.
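The one-time `userId` to `identifier` migration described above, as an added example (not code from the migration guide or the MSAL library). It assumes the app previously persisted ADAL's `userId` under a key named `kLegacyADALUserIdKey` and will now persist the MSAL identifier under `kMSALAccountIdentifierKey`; both key names and the function name are hypothetical.

```objective-c
#import <Foundation/Foundation.h>
#import <MSAL/MSAL.h>

// Hypothetical persistence keys (assumption); the app's real keys will differ.
static NSString *const kLegacyADALUserIdKey = @"adal.userId";
static NSString *const kMSALAccountIdentifierKey = @"msal.accountIdentifier";

// Returns the MSALAccount to use for silent calls, or nil if none is available.
// Preferred path: look up by the opaque MSAL identifier persisted on a previous run.
// Fallback (runs once): look up by the legacy ADAL userId, which is a UPN, then
// persist the identifier so the UPN is never used for lookups again.
MSALAccount * _Nullable MigratedAccountForApplication(MSALPublicClientApplication *application)
{
    NSUserDefaults *defaults = [NSUserDefaults standardUserDefaults];
    NSError *error = nil;

    NSString *identifier = [defaults stringForKey:kMSALAccountIdentifierKey];
    if (identifier.length > 0)
    {
        MSALAccount *account = [application accountForIdentifier:identifier error:&error];
        if (account) return account;
        NSLog(@"No cached account for the stored identifier: %@", error);
    }

    NSString *legacyUserId = [defaults stringForKey:kLegacyADALUserIdKey];
    if (legacyUserId.length == 0) return nil;

    // One-time migration step: ADAL's userId is UPN-based, so it is a username lookup.
    MSALAccount *account = [application accountForUsername:legacyUserId error:&error];
    if (!account)
    {
        NSLog(@"Legacy userId could not be mapped to an MSAL account: %@", error);
        return nil;
    }

    // Persist the non-displayable identifier and drop the UPN. The identifier is
    // opaque: it is stored and compared, never parsed or shown to the user.
    [defaults setObject:account.identifier forKey:kMSALAccountIdentifierKey];
    [defaults removeObjectForKey:kLegacyADALUserIdKey];
    return account;
}
```

If the lookup by identifier fails (for example, after the user signed out), the function deliberately does not fall back to the UPN again, because the legacy value has already been removed; the caller should start an interactive sign-in instead.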
In MSAL, `acquireTokenSilent` always results in a silent request, and `acquireToken` always results in user-actionable UI, either through the web view or the Microsoft Authenticator app. Depending on the SSO state inside the web view or Microsoft Authenticator, the user may be prompted to enter their credentials.

In ADAL, `acquireToken` with `AD_PROMPT_AUTO` first tries silent token acquisition, and only shows UI if the silent request fails. In MSAL, this logic can be achieved by first calling `acquireTokenSilent` and only calling `acquireToken` if silent acquisition fails. This allows developers to customize the user experience before starting interactive token acquisition.

The following MSAL errors should be handled:

`MSALErrorInteractionRequired`: The user must do an interactive request. This can have various causes, such as an expired authentication session, a changed Conditional Access policy, a refresh token that expired or was revoked, no valid tokens in the cache, and so on.

`MSALErrorServerDeclinedScopes`: The request wasn't fully completed and some scopes weren't granted access. This can be caused by a user declining consent to one or more scopes.

Handling the other errors in the `MSALError` list is optional. You could use the information in those errors to improve the user experience.
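The silent-then-interactive flow that replaces `AD_PROMPT_AUTO`, together with handling of the two errors above, as an added example (not code from the migration guide or the MSAL library). The application, account, scopes and presenting view controller are assumed to be supplied by the caller; `MSALViewController` is the SDK's typedef for `UIViewController` on iOS and `NSViewController` on macOS, and the function names are assumptions.

```objective-c
#import <MSAL/MSAL.h>

typedef void (^TokenCompletion)(NSString * _Nullable accessToken, NSError * _Nullable error);

// Interactive request: always shows UI (web view or Microsoft Authenticator).
static void AcquireTokenInteractively(MSALPublicClientApplication *application,
                                      NSArray<NSString *> *scopes,
                                      MSALViewController *presentingViewController,
                                      TokenCompletion completion)
{
    MSALWebviewParameters *webviewParameters =
        [[MSALWebviewParameters alloc] initWithAuthPresentationViewController:presentingViewController];
    MSALInteractiveTokenParameters *parameters =
        [[MSALInteractiveTokenParameters alloc] initWithScopes:scopes
                                             webviewParameters:webviewParameters];

    [application acquireTokenWithParameters:parameters
                            completionBlock:^(MSALResult *result, NSError *error) {
        if (result)
        {
            completion(result.accessToken, nil);
            return;
        }
        if ([error.domain isEqualToString:MSALErrorDomain] && error.code == MSALErrorServerDeclinedScopes)
        {
            // Partial consent: the token covers only the granted scopes. Log both sets
            // so the app can decide which features to enable rather than failing outright.
            NSLog(@"Granted scopes: %@, declined scopes: %@",
                  error.userInfo[MSALGrantedScopesKey], error.userInfo[MSALDeclinedScopesKey]);
        }
        completion(nil, error);
    }];
}

// Equivalent of ADAL's AD_PROMPT_AUTO: silent first, UI only when MSAL says it is needed.
void AcquireTokenWithAutoPrompt(MSALPublicClientApplication *application,
                                MSALAccount * _Nullable account,
                                NSArray<NSString *> *scopes,
                                MSALViewController *presentingViewController,
                                TokenCompletion completion)
{
    if (!account)
    {
        // No known account means nothing can be in the cache: go straight to UI.
        AcquireTokenInteractively(application, scopes, presentingViewController, completion);
        return;
    }

    MSALSilentTokenParameters *parameters =
        [[MSALSilentTokenParameters alloc] initWithScopes:scopes account:account];

    [application acquireTokenSilentWithParameters:parameters
                                  completionBlock:^(MSALResult *result, NSError *error) {
        if (result)
        {
            completion(result.accessToken, nil);
            return;
        }
        if ([error.domain isEqualToString:MSALErrorDomain] && error.code == MSALErrorInteractionRequired)
        {
            // Expired session, revoked refresh token, Conditional Access change, empty cache:
            // the app can update its UI here before the interactive request starts.
            AcquireTokenInteractively(application, scopes, presentingViewController, completion);
            return;
        }
        // Any other error (network, server) is surfaced, not masked by a sign-in prompt.
        completion(nil, error);
    }];
}
```

Only `MSALErrorInteractionRequired` triggers the fallback; prompting the user on every silent failure would turn transient network errors into repeated sign-in screens.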
The MSAL redirect URI has the format `msauth.<app.bundle.id>://auth`. Replace `<app.bundle.id>` with your application's bundle ID. If you're migrating from ADAL and your application was already broker capable, there's nothing extra you need to do. Your previous redirect URI is fully compatible with MSAL, so you can skip to step 3. Otherwise, register the URL scheme `msauth.<app.bundle.id>` in your app.

In ADAL, apps had to create an `ADAuthenticationContext` for each tenant that the app requests tokens for. This is no longer a requirement in MSAL. In MSAL, you can create a single instance of `MSALPublicClientApplication` and use it for any AAD cloud and organization by specifying a different authority for `acquireToken` and `acquireTokenSilent` calls.

By default, MSAL uses `ASWebAuthenticationSession`, which provides SSO through cookies shared between other apps on the device and specifically the Safari browser.

The redirect URI has the format `msauth.<app.bundle.id>://auth`. Replace `<app.bundle.id>` with your application's bundle ID. Specify the redirect URI in the Azure portal. A redirect URI can also take the form `msauth://code/<broker-redirect-uri-in-url-encoded-form>`, for example `msauth://code/msauth.com.microsoft.mybundleId%3A%2F%2Fauth`.

Register the URL scheme `msauth.<app.bundle.id>` in your app's Info.plist, and add the broker URL schemes to `LSApplicationQueriesSchemes`.

Add the MSAL callback to your app delegate; if your app uses scenes, put it in the `SceneDelegate` file instead. If you support both `UISceneDelegate` and `UIApplicationDelegate` for compatibility with older iOS versions, the MSAL callback needs to be placed in both files.

Configure the keychain sharing group: 3.a For iOS, enter `com.microsoft.adalcache`. 3.b For macOS, enter `com.microsoft.identity.universalstorage`.
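The callback placement described above (both `UIApplicationDelegate` and `UISceneDelegate`), as an added example that is not code from the migration guide or the MSAL library. It assumes the Xcode template class names `AppDelegate` and `SceneDelegate`; the MSAL call itself is the library's `handleMSALResponse:sourceApplication:` class method.

```objective-c
#import <UIKit/UIKit.h>
#import <MSAL/MSAL.h>

@interface AppDelegate : UIResponder <UIApplicationDelegate>
@end

@implementation AppDelegate

// Called on iOS versions (or app configurations) that do not use scenes.
- (BOOL)application:(UIApplication *)app
            openURL:(NSURL *)url
            options:(NSDictionary<UIApplicationOpenURLOptionsKey, id> *)options
{
    NSString *sourceApplication = options[UIApplicationOpenURLOptionsSourceApplicationKey];
    // YES when the URL was an MSAL response (broker or web view) and has been consumed;
    // NO lets the app handle its own deep links.
    return [MSALPublicClientApplication handleMSALResponse:url
                                         sourceApplication:sourceApplication];
}

@end

API_AVAILABLE(ios(13.0))
@interface SceneDelegate : UIResponder <UIWindowSceneDelegate>
@property (nonatomic, strong) UIWindow *window;
@end

@implementation SceneDelegate

// With scenes in use, application:openURL:options: is not invoked, so the same
// MSAL callback must also live here; otherwise the broker/web response is dropped
// and acquireToken never completes.
- (void)scene:(UIScene *)scene openURLContexts:(NSSet<UIOpenURLContext *> *)URLContexts
{
    UIOpenURLContext *context = URLContexts.anyObject;
    if (!context) return;
    [MSALPublicClientApplication handleMSALResponse:context.URL
                                  sourceApplication:context.options.sourceApplication];
}

@end
```

Passing the source application through lets MSAL verify where the response came from; do not replace it with nil to silence a warning.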
Create an `MSALPublicClientApplication` instance using the following code, then use the `acquireTokenSilent` API:
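An added example of the creation step and a silent request (not the migration guide's own code and not the MSAL library's): it derives the `msauth.<app.bundle.id>://auth` redirect URI from the bundle identifier, points the cache at the keychain groups from steps 3.a and 3.b, and shows that one instance serves any tenant by setting the authority per request. `kClientId` is a placeholder, `https://login.microsoftonline.com/common` is the standard multi-tenant authority, and the function names are assumptions.

```objective-c
#import <MSAL/MSAL.h>

static NSString *const kClientId = @"<YOUR-APPLICATION-CLIENT-ID>";  // placeholder, not a real ID
static NSString *const kDefaultAuthority = @"https://login.microsoftonline.com/common";

MSALPublicClientApplication * _Nullable MakePublicClientApplication(NSError * _Nullable * _Nullable error)
{
    // Redirect URI in the msauth.<app.bundle.id>://auth format, matching the registered URL scheme.
    NSString *bundleId = [NSBundle mainBundle].bundleIdentifier;
    NSString *redirectUri = [NSString stringWithFormat:@"msauth.%@://auth", bundleId];

    MSALAADAuthority *authority =
        [[MSALAADAuthority alloc] initWithURL:[NSURL URLWithString:kDefaultAuthority] error:error];
    if (!authority) return nil;

    MSALPublicClientApplicationConfig *config =
        [[MSALPublicClientApplicationConfig alloc] initWithClientId:kClientId
                                                         redirectUri:redirectUri
                                                           authority:authority];
#if TARGET_OS_IPHONE
    // Step 3.a: reuse ADAL's keychain group so tokens ADAL already cached are visible to MSAL.
    config.cacheConfig.keychainSharingGroup = @"com.microsoft.adalcache";
#else
    // Step 3.b: the macOS keychain group.
    config.cacheConfig.keychainSharingGroup = @"com.microsoft.identity.universalstorage";
#endif

    return [[MSALPublicClientApplication alloc] initWithConfiguration:config error:error];
}

// One MSALPublicClientApplication for every tenant: the authority is chosen per call,
// so there is no per-tenant instance as there was with ADAuthenticationContext.
void AcquireTokenSilentlyForTenant(MSALPublicClientApplication *application,
                                   MSALAccount *account,
                                   NSString *tenantId,
                                   MSALCompletionBlock completion)
{
    NSError *authorityError = nil;
    NSURL *authorityUrl = [NSURL URLWithString:
        [NSString stringWithFormat:@"https://login.microsoftonline.com/%@", tenantId]];
    MSALAADAuthority *authority = [[MSALAADAuthority alloc] initWithURL:authorityUrl error:&authorityError];
    if (!authority)
    {
        completion(nil, authorityError);
        return;
    }

    // /.default requests the permission set the app is registered for on the resource,
    // which keeps the ADAL-era consent experience during migration.
    MSALSilentTokenParameters *parameters =
        [[MSALSilentTokenParameters alloc] initWithScopes:@[@"https://graph.microsoft.com/.default"]
                                                  account:account];
    parameters.authority = authority;

    [application acquireTokenSilentWithParameters:parameters completionBlock:completion];
}
```

The `account` passed in should come from `accountForIdentifier:error:` rather than from a stored UPN, so that a UPN change does not force a new interactive sign-in.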