Moving from ADAL to MSAL for Microsoft Graph
Gustavo Velez
22-10-2020

ADAL was the library for working programmatically with authentication managed by Active Directory. ADAL is being deprecated and should be replaced by MSAL.

ADAL (Active Directory Authentication Library) integrates with the Azure AD v1.0 endpoint. That means it only supports Azure AD authentication; it does not support any other account type, such as a Microsoft Account (personal or consumer account). ADAL is being deprecated by Microsoft: starting June 30th, 2020, Microsoft will no longer add new features to ADAL and Azure AD Graph, but it will continue to provide technical support and security updates. Starting June 30th, 2022, Microsoft will end support for ADAL and Azure AD Graph; applications using ADAL on existing OS versions will continue to work after that date but will not get any technical support or security updates.

MSAL (Microsoft Authentication Library) integrates with the Microsoft identity platform v2.0 endpoint, which unifies Microsoft personal accounts and work accounts into a single authentication system. Additionally, MSAL supports authentication against Azure AD B2C. MSAL is replacing ADAL as the Microsoft authentication library.

Because ADAL was used for several years, there is a multitude of software that uses it to get authentication tokens from AD. ADAL routines generally follow the pattern below, which uses the Microsoft.IdentityModel.Clients.ActiveDirectory namespace and an Application Permissions registration in AD:

static string GetTokenAdalAppPerm()
{
    // v1.0 authority for the tenant, and the resource (token audience) being requested
    string authString = "https://login.windows.net/" + tenantId;
    string resourceUrl = "https://graph.microsoft.com";

    // Second argument is validateAuthority: false skips the check that the authority is a known Azure AD endpoint
    AdalAd.AuthenticationContext authenticationContext = new AdalAd.AuthenticationContext(authString, false);
    // Client credentials (Application Permissions): no user is involved in this flow
    AdalAd.ClientCredential clientCred = new AdalAd.ClientCredential(clientIdAppPerm, clientSecretAppPerm);
    AdalAd.AuthenticationResult authenticationResult = null;
    // Run the asynchronous call on a thread-pool thread and block until it completes
    Task runTask = Task.Run(async () => authenticationResult = await
                        authenticationContext.AcquireTokenAsync(resourceUrl, clientCred));
    runTask.Wait();

    return authenticationResult.AccessToken;
}

Note that the using directives for the namespaces (also used by the other routines in this post) are declared as:

using System.Security;
using System.Threading.Tasks;
using AdalAd = Microsoft.IdentityModel.Clients.ActiveDirectory;
using MsalAd = Microsoft.Identity.Client;

For the configuration variables, the following declarations are used at class level. The client secret and user password are inlined here only for brevity; in real code they belong in configuration or a secret store, not in the source:

static string tenantId = "9e5f418c-8a47-4228-aa48-17a7555e2400";

static string clientIdAppPerm = "f3ac8ba4-5039-4db7-95df-7285e8f19140";
static string clientSecretAppPerm = "WJoH85-6UG11A-o2VN-yO97jqq_FAO_Ztu";

static string clientIdDelPerm = "2c51655f-204a-4c27-a85c-fd0c31776668";
static string userNameDelPerm = "user@domain.onmicrosoft.com";
static string userPwDelPerm = "mySecurePw";

The ADAL routine can easily be replaced by an MSAL routine with the same signature that returns the token, so no other changes in the calling code are necessary. The MSAL routine uses the Microsoft.Identity.Client namespace and the same Application Permissions registration in AD:

static string GetTokenMsalAppPerm()
{
    string resourceUrl = "https://graph.microsoft.com";

    // Confidential client: the application authenticates with its own secret (Application Permissions)
    MsalAd.IConfidentialClientApplication clientApplication =
        MsalAd.ConfidentialClientApplicationBuilder.Create(clientIdAppPerm)
            .WithTenantId(tenantId)
            .WithClientSecret(clientSecretAppPerm)
            .Build();
    // v2.0 endpoint takes scopes instead of a resource; "/.default" requests all permissions granted to the app
    string[] myScopes = new string[] { resourceUrl + "/.default" };
    // Blocking wait on the async call, mirroring the synchronous signature of the ADAL routine
    var myToken = clientApplication.AcquireTokenForClient(myScopes).ExecuteAsync().Result;

    return myToken.AccessToken;
}

For a Delegated Permissions registration in AD, ADAL v3 had no method to get the authentication token using one user's account credentials (login name and password); those methods existed only up to ADAL v2. Fortunately, MSAL allows getting the token in a way analogous to the Application Permissions registration. Note that this username/password flow (ROPC) cannot satisfy multi-factor authentication or Conditional Access policies, so it is suited to migrating legacy code rather than to new applications:

static string GetTokenMsalDelPerm()
{
    string resourceUrl = "https://graph.microsoft.com";

    // Public client: no application secret, the token is issued on behalf of the signed-in user
    MsalAd.IPublicClientApplication clientApplication =
        MsalAd.PublicClientApplicationBuilder.Create(clientIdDelPerm)
            .WithTenantId(tenantId)
            .Build();
    string[] myScopes = new string[] { resourceUrl + "/.default" };

    // MSAL expects the password as a SecureString for this overload
    SecureString securePassword = new SecureString();
    foreach (char chr in userPwDelPerm) { securePassword.AppendChar(chr); }

    // Resource Owner Password Credentials flow: sends the user's name and password directly to the token endpoint
    var myToken = clientApplication.AcquireTokenByUsernamePassword(myScopes,
                            userNameDelPerm, securePassword).ExecuteAsync().Result;

    return myToken.AccessToken;
}
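The two MSAL routines above build a new client application object on every call. MSAL keeps its token cache inside that object, so each call discards the cache and contacts Azure AD again. The following is an added example (not code from the original post) that reuses one instance per registration, makes the calls asynchronous instead of blocking on .Result, and for the delegated flow tries the cache first so the user's password is only sent when no valid token or refresh token is available. It assumes the same configuration fields and the MsalAd alias declared earlier in the post, placed in the same class, plus using System.Linq; for FirstOrDefault.

```csharp
const string ResourceUrl = "https://graph.microsoft.com";
static readonly string[] GraphScopes = { ResourceUrl + "/.default" };

// Built once: the confidential client caches application tokens per tenant and scope set
static readonly MsalAd.IConfidentialClientApplication AppPermClient =
    MsalAd.ConfidentialClientApplicationBuilder.Create(clientIdAppPerm)
        .WithTenantId(tenantId)
        .WithClientSecret(clientSecretAppPerm)
        .Build();

// Built once: the public client caches the user's access and refresh tokens
static readonly MsalAd.IPublicClientApplication DelPermClient =
    MsalAd.PublicClientApplicationBuilder.Create(clientIdDelPerm)
        .WithTenantId(tenantId)
        .Build();

// Application Permissions: MSAL returns the cached token until it is close to expiry,
// and only then requests a new one from Azure AD
static async Task<string> GetTokenMsalAppPermAsync()
{
    MsalAd.AuthenticationResult result =
        await AppPermClient.AcquireTokenForClient(GraphScopes).ExecuteAsync();
    return result.AccessToken;
}

// Delegated Permissions: silent acquisition from the cache (refresh token included) first,
// falling back to the username/password flow only when MSAL reports it cannot do so silently
static async Task<string> GetTokenMsalDelPermAsync()
{
    MsalAd.IAccount account = (await DelPermClient.GetAccountsAsync()).FirstOrDefault();
    if (account != null)
    {
        try
        {
            MsalAd.AuthenticationResult silent =
                await DelPermClient.AcquireTokenSilent(GraphScopes, account).ExecuteAsync();
            return silent.AccessToken;
        }
        catch (MsalAd.MsalUiRequiredException)
        {
            // No usable cached token: fall through and authenticate with the credentials
        }
    }

    SecureString securePassword = new SecureString();
    foreach (char chr in userPwDelPerm) { securePassword.AppendChar(chr); }

    MsalAd.AuthenticationResult result = await DelPermClient
        .AcquireTokenByUsernamePassword(GraphScopes, userNameDelPerm, securePassword)
        .ExecuteAsync();
    return result.AccessToken;
}
```

Callers that must stay synchronous can wrap these with the same Task.Run(...).Wait() pattern used in the ADAL routine; the cache still applies because the client objects are static.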

These routines are written for Microsoft Graph, but to use any other type of API permission (Office 365 Management APIs, OneNote, SharePoint, Yammer, etc.), the only change is the value of resourceUrl, the entry point (resource identifier) of that API; the MSAL scope is then that value followed by /.default.

For ADAL, add the Microsoft.IdentityModel.Clients.ActiveDirectory NuGet package to the Visual Studio solution; for MSAL, use the Microsoft.Identity.Client NuGet package.
