Azure Active Directory Authentication Library

Warning

This content is for the older Azure AD v1.0 endpoint. Use the Microsoft identity platform for new projects.

The Azure Active Directory Authentication Library (ADAL) v1.0 enables application developers to authenticate users to cloud or on-premises Active Directory (AD), and obtain tokens for securing API calls. ADAL makes authentication easier for developers through features such as:

  • Configurable token cache that stores access tokens and refresh tokens
  • Automatic token refresh when an access token expires and a refresh token is available
  • Support for asynchronous method calls

Note

Looking for the Azure AD v2.0 libraries? Checkout the MSAL library guide.

Warning

Azure Active Directory Authentication Library (ADAL) has been deprecated. Please use the Microsoft Authentication Library (MSAL). If you have existing applications that use ADAL, be sure to migrate them to MSAL.

Microsoft-supported Client Libraries

Platform Library Download Source Code Sample Reference
.NET Client, Windows Store, UWP, Xamarin iOS and Android ADAL .NET v3 NuGet GitHub Desktop app
JavaScript ADAL.js GitHub GitHub Single-page app
iOS, macOS ADAL GitHub GitHub iOS app
Android ADAL Maven GitHub Android app JavaDocs
Node.js ADAL npm GitHub Node.js web app Reference
Java ADAL4J Maven GitHub Java web app Reference
Python ADAL GitHub GitHub Python web app Reference

Microsoft-supported Server Libraries

Platform Library Download Source Code Sample Reference
.NET OWIN for AzureAD NuGet GitHub MVC App
.NET OWIN for OpenIDConnect NuGet GitHub Web App
.NET OWIN for WS-Federation NuGet GitHub MVC Web App
.NET Identity Protocol Extensions for .NET 4.5 NuGet GitHub
.NET JWT Handler for .NET 4.5 NuGet GitHub
Node.js Azure AD Passport npm GitHub Web API

Scenarios

Here are three common scenarios for using ADAL in a client that accesses a remote resource:

Authenticating users of a native client application running on a device

In this scenario, a developer has a mobile client or desktop application that needs to access a remote resource, such as a web API. The web API does not allow anonymous calls and must be called in the context of an authenticated user. The web API is pre-configured to trust access tokens issued by a specific Azure AD tenant. Azure AD is pre-configured to issue access tokens for that resource. To invoke the web API from the client, the developer uses ADAL to facilitate authentication with Azure AD. The most secure way to use ADAL is to have it render the user interface for collecting user credentials (rendered as browser window).

ADAL makes it easy to authenticate the user, obtain an access token and refresh token from Azure AD, and then call the web API using the access token.

For a code sample that demonstrates this scenario using authentication to Azure AD, see Native Client WPF Application to Web API.

Authenticating a confidential client application running on a web server

In this scenario, a developer has an application running on a server that needs to access a remote resource, such as a web API. The web API does not allow anonymous calls, so it must be called from an authorized service. The web API is pre-configured to trust access tokens issued by a specific Azure AD tenant. Azure AD is pre-configured to issue access tokens for that resource to a service with client credentials (client ID and secret). ADAL facilitates authentication of the service with Azure AD returning an access token that can be used to call the web API. ADAL also handles managing the lifetime of the access token by caching it and renewing it as necessary. For a code sample that demonstrates this scenario, see Daemon console Application to Web API.

Authenticating a confidential client application running on a server, on behalf of a user

In this scenario, a developer has a web application running on a server that needs to access a remote resource, such as a web API. The web API does not allow anonymous calls, so it must be called from an authorized service on behalf of an authenticated user. The web API is pre-configured to trust access tokens issued by a specific Microsoft Entra tenant, and Microsoft Entra ID is pre-configured to issue access tokens for that resource to a service with client credentials. Once the user is authenticated in the web application, the application can get an authorization code for the user from Microsoft Entra ID. The web application can then use ADAL to obtain an access token and refresh token on behalf of a user using the authorization code and client credentials associated with the application from Microsoft Entra ID. Once the web application is in possession of the access token, it can call the web API until the token expires. When the token expires, the web application can use ADAL to get a new access token by using the refresh token that was previously received. For a code sample that demonstrates this scenario, see Native client to Web API to Web API.

See Also