HOWTO: Identify Azure AD-integrated apps and services that still rely on ADAL


While initially communicated for June 30th, 2022, the deprecation of the Azure Active Directory Authentication Library (ADAL) has been postponed to December 2022. No doubt, this has to do with the continued use of ADAL in many apps and services.

Since this month, Microsoft has made an Azure AD workbook available that shows which Azure AD-integrated apps and services, if any, still use the soon-to-be-deprecated library, and which version(s) of it.

These are the steps:

Before you begin

You need the following:

Licenses and subscriptions

For Azure Log Analytics workspaces, you’ll need an Azure subscription, besides the Azure AD tenant.

Accounts and permissions

You’ll need to sign in with an account that has the Global administrator role in Azure AD. If the organization uses the Azure AD Privileged Identity Management (PIM) feature, activate the Global administrator role in advance. This account also needs at least Reader permissions on the Azure Log Analytics workspace to which the Azure AD sign-in logs are exported.

Azure Log Analytics

The Azure AD sign-in logs need to be exported to an Azure Log Analytics workspace. If you haven’t yet configured this, perform the following steps with an account that has the Global administrator role in Azure AD and has Contributor privileges in the Azure Resource Group where you want to create the Azure Log Analytics workspace:

  1. In the Azure portal, click All services. In the list of resources, type Log Analytics. As you begin typing, the list filters based on your input. Select Log Analytics workspaces from the list.
  2. Click + Add.
    The Log Analytics workspace blade appears.
  3. Fill in the required information to add a Log Analytics workspace.
  4. Click OK at the bottom of the blade to create the Log Analytics workspace.

Next, to export Azure AD’s sign-in logs to the Azure Log Analytics workspace, perform the following steps:

  1. Click on Azure Active Directory in the left navigation menu.
  2. Click on Diagnostic settings in Azure AD’s navigation menu.
  3. In the main pane, click Add diagnostic setting.
    The Diagnostic settings blade appears.
  4. On the Diagnostic settings blade, provide a name for the diagnostic settings.
  5. Select the Send to Log Analytics workspace check box.
  6. Select the previously created Log Analytics workspace.
  7. To send sign-in logs to the Log Analytics workspace, select the SignInLogs check box.
  8. Select Save at the top of the blade to save the diagnostic settings.

From this point on, the sign-in logs are exported to the Log Analytics workspace and you can analyze them using your own KQL queries and with the Azure AD Workbooks.

Identify apps and services that still rely on ADAL

To identify Azure AD-integrated apps and services that still rely on ADAL, perform the following steps:

  1. Click on Azure Active Directory in the left navigation menu.
  2. Click on Workbooks in Azure AD’s navigation menu.
  3. In the main pane, click the Sign-ins workbook.
  4. At the top of the workbook, specify the time range to use. Set it to an appropriate time frame for analysis, like Last 30 days.
  5. Scroll to the bottom of the workbook to the heading that reads Apps using Active Directory Authentication Libraries (ADAL) signing in users.

The table shows you the apps and services that have relied on ADAL, the version of the library each one uses and the ADAL package name. This should provide ample information to track down the developer or vendor of the app or service and request an upgrade to MSAL.
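The same inventory can be pulled directly from the Log Analytics workspace with a KQL query, which is useful for exporting the list or scheduling it as a recurring check. The query below is an added example, not the workbook's own query or code from the original post. It assumes the standard SigninLogs table, where the client library is recorded in AuthenticationProcessingDetails under the key "Azure AD App Authentication Library" with a value shaped like "Family: ADAL Library: ADAL.NET 3.19.8.16603 Platform: .NET 4.0".

```kusto
// Added example: list apps whose sign-ins report an ADAL client library.
// Assumption: SigninLogs is populated by the diagnostic setting configured above.
let lookback = 30d;   // match the workbook's "Last 30 days" time range
SigninLogs
| where TimeGenerated > ago(lookback)
// AuthenticationProcessingDetails is a JSON array of {key, value} pairs stored as a string.
| mv-expand Detail = todynamic(AuthenticationProcessingDetails)
| where tostring(Detail.key) == "Azure AD App Authentication Library"
| extend LibraryInfo = tostring(Detail.value)
// MSAL sign-ins report "Family: MSAL", so this keeps ADAL clients only.
| where LibraryInfo contains "ADAL"
// Assumed value format: "Family: ADAL Library: <package> <version> Platform: <platform>".
// If the format differs, the extracted columns are empty and LibraryInfo still carries the raw value.
| extend Library = extract(@"Library:\s*(\S+)", 1, LibraryInfo),
         LibraryVersion = extract(@"Library:\s*\S+\s+([\d.]+)", 1, LibraryInfo)
| summarize SignIns = count(),
            Users = dcount(UserPrincipalName),
            LastSeen = max(TimeGenerated)
        by AppDisplayName, AppId, Library, LibraryVersion, LibraryInfo
| order by SignIns desc
```

With only the SignInLogs category exported, as configured above, this covers interactive user sign-ins. The LastSeen column helps separate apps that are still active from ones that stopped signing in early in the window.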

Note:
If the developer or vendor cannot be found, no longer exists, no longer works for your organization, is no longer available or is in any other way uncooperative, prepare to say “Goodbye” to the app or service. Microsoft is adamant about removing the ADAL endpoints in the Azure AD service.

Concluding

Use the Sign-ins workbook to identify Azure AD-integrated apps and services that still rely on ADAL. Then, work towards migrating the apps and services to MSAL.

