Resetting consent to update the Microsoft Intune ADAL API Permissions

Article ID: 275490

Products

Endpoint Security Complete
Endpoint Security

Issue/Introduction

In June 2023 Microsoft retired the Azure AD Graph API together with the Azure Active Directory Authentication Library (ADAL) that the legacy integration used, and no longer provides security or functionality updates for either. In Microsoft Entra, the Azure AD Graph permissions are listed under the resource name "Windows Azure Active Directory".

The SEP Mobile iOS app, Android app, and console have already migrated to the supported Microsoft Authentication Library (MSAL) and Microsoft Graph. The Intune partner integration has also been updated to drop the ADAL (Azure AD Graph) API permissions. Administrators should reset consent and grant it again so that the tenant carries the updated permission set, and then verify that no legacy permissions remain on the SEP Mobile enterprise applications.

 

Environment

Symantec Endpoint Security (SES) Mobile deployments, that is, ICDm management of iOS and/or Android devices protected by the SEP Mobile app

Resolution

Use the following steps to reset consent, grant it again, and remove the legacy ADAL (Azure AD Graph) API permissions from the Microsoft Intune integration:

Step 1: Reset Consent in Symantec Endpoint Security

To reset consent:

  1. In the cloud console, go to Integrations.
  2. On the Integrations page, select Unified Endpoint Management.
  3. Under Intune Provider Settings > Grant Consent, click Reset Consent.
    Resetting consent disrupts the UEM sync with Intune. Perform the reset while the UEM sync status is green, so that you start from a known-good state and can confirm the sync recovers afterwards.
  4. Activate and grant the API permissions again for:
    • Console
    • iOS App
    • Android App

For more information, see Resetting consent.

 

Step 2: Remove the ADAL API permissions previously granted in Microsoft Entra ID (Azure Active Directory)

To remove the ADAL API permissions:

  1. In the Microsoft Entra admin center (formerly the Azure AD portal), go to Applications > Enterprise applications.
  2. Open the permissions of each of the following enterprise applications:
    • Symantec Endpoint Protection Mobile Management
    • Symantec Integrated Cyber Defense Manager
    • SEP Mobile iOS
    • SEP Mobile Android
  3. Revoke every permission granted for the "Windows Azure Active Directory" API (that is, Azure AD Graph).
  4. Keep the Microsoft Graph and Microsoft Intune API permissions.

Note: If the "Windows Azure Active Directory" permissions are already gone when you open an application, that is expected; resetting consent in Step 1 may have removed them. Continue with Step 3 to confirm that only the supported permissions remain.

 

Step 3: Verify that the API permissions for the SEP Mobile enterprise applications are configured correctly

Verify that the remaining API permissions match the following sets. Permissions of type Application are granted to the application itself and apply tenant-wide without a signed-in user, so any Application permission not listed here deserves particular scrutiny; permissions of type Delegated act only on behalf of the signed-in user.

  1. In the Microsoft Entra admin center, go to Applications > Enterprise applications.
  2. Review the permissions of each application.

    • Symantec Integrated Cyber Defense Manager:
      • Microsoft Graph:
        • User.Read (sign in and read user profile) - Delegated
        • Device.Read.All (read all devices) - Application 
        • Directory.Read.All (read directory data) - Application 

    • Symantec Endpoint Protection Mobile Management
      • Microsoft Graph: 
        • User.Read (sign in and read user profile) - Delegated
        • DeviceManagementManagedDevices.Read.All (Read Microsoft Intune devices) - Application
        • Directory.Read.All (read directory data) - Application 
        • Application.Read.All (read all applications) - Application
        • DeviceManagementApps.Read.All (Read MS Intune apps) - Application

      • Microsoft Intune API: 
        • update_device_health (send device threat info to MS Intune) - Application

    • SEP Mobile iOS
      • Microsoft Graph:
        • User.Read (sign in and read user profile) - Delegated

    • SEP Mobile Android:
      • Microsoft Graph:
        • User.Read (sign in and read user profile) - Delegated
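The following PowerShell script is an added example and is not part of this article or of the Symantec products. Using the Microsoft Graph PowerShell SDK, it audits the four enterprise applications named in Steps 2 and 3: it flags (and, only with -Revoke, removes) every grant on the "Windows Azure Active Directory" resource, and compares the permissions that remain with the expected sets listed in Step 3. The "<resource>:<permission>:<type>" string format and the resource display names "Microsoft Graph" and "Microsoft Intune API" are conventions of this script; the Azure AD Graph appId is Microsoft's well-known value.

```powershell
# Added example (not from the article or from Symantec): audit, and optionally revoke,
# the legacy "Windows Azure Active Directory" (Azure AD Graph) grants on the SEP Mobile
# enterprise applications, then compare what remains with the expected set from Step 3.
# Requires the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph).
param([switch]$Revoke)

# Read-only by default; the ReadWrite scopes are requested only when -Revoke is given.
$scopes = @('Application.Read.All')
if ($Revoke) { $scopes += 'AppRoleAssignment.ReadWrite.All', 'DelegatedPermissionGrant.ReadWrite.All' }
Connect-MgGraph -Scopes $scopes -NoWelcome

# Well-known appId of the Azure AD Graph resource, shown in the portal as "Windows Azure Active Directory".
$aadGraphAppId = '00000002-0000-0000-c000-000000000000'

# Expected remaining permissions per application (Step 3 of the article).
# Format (this script's own convention): "<resource display name>:<permission>:<Application|Delegated>".
$expected = @{
  'Symantec Integrated Cyber Defense Manager' = @(
    'Microsoft Graph:User.Read:Delegated',
    'Microsoft Graph:Device.Read.All:Application',
    'Microsoft Graph:Directory.Read.All:Application')
  'Symantec Endpoint Protection Mobile Management' = @(
    'Microsoft Graph:User.Read:Delegated',
    'Microsoft Graph:DeviceManagementManagedDevices.Read.All:Application',
    'Microsoft Graph:Directory.Read.All:Application',
    'Microsoft Graph:Application.Read.All:Application',
    'Microsoft Graph:DeviceManagementApps.Read.All:Application',
    'Microsoft Intune API:update_device_health:Application')
  'SEP Mobile iOS'     = @('Microsoft Graph:User.Read:Delegated')
  'SEP Mobile Android' = @('Microsoft Graph:User.Read:Delegated')
}

# Cache resource service principals (Microsoft Graph, Intune API, ...) so each is fetched once.
$resourceCache = @{}
function Get-ResourceSp([string]$id) {
  if (-not $resourceCache.ContainsKey($id)) { $resourceCache[$id] = Get-MgServicePrincipal -ServicePrincipalId $id }
  $resourceCache[$id]
}

foreach ($appName in $expected.Keys) {
  $sp = Get-MgServicePrincipal -Filter "displayName eq '$appName'" | Select-Object -First 1
  if (-not $sp) { Write-Warning "Enterprise application '$appName' not found in this tenant"; continue }
  Write-Host "`n== $appName ($($sp.Id))"
  $actual = @()

  # Application permissions are app role assignments in which this service principal is the principal.
  foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
    $res  = Get-ResourceSp $a.ResourceId
    $role = ($res.AppRoles | Where-Object Id -eq $a.AppRoleId).Value
    if ($res.AppId -eq $aadGraphAppId) {
      Write-Host "  LEGACY  Application $role on $($res.DisplayName)"
      if ($Revoke) { Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -AppRoleAssignmentId $a.Id }
      continue
    }
    $actual += "$($res.DisplayName):$role:Application"
  }

  # Delegated permissions are OAuth2 permission grants in which this service principal is the client;
  # Scope holds the granted permissions as a space-separated string.
  foreach ($g in Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All) {
    $res = Get-ResourceSp $g.ResourceId
    if ($res.AppId -eq $aadGraphAppId) {
      Write-Host "  LEGACY  Delegated [$($g.Scope.Trim())] on $($res.DisplayName)"
      if ($Revoke) { Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $g.Id }
      continue
    }
    foreach ($scope in ($g.Scope -split '\s+' | Where-Object { $_ })) { $actual += "$($res.DisplayName):$scope:Delegated" }
  }

  # Report the difference between what is granted and what Step 3 says should remain.
  $actual  = $actual | Sort-Object -Unique
  $missing = $expected[$appName] | Where-Object { $_ -notin $actual }
  $extra   = $actual | Where-Object { $_ -notin $expected[$appName] }
  foreach ($m in $missing) { Write-Host "  MISSING $m" }
  foreach ($e in $extra)   { Write-Host "  EXTRA   $e" }
  if (-not $missing -and -not $extra) { Write-Host "  OK      permissions match the expected set" }
}
```

Run the script read-only first and add -Revoke only once the LEGACY lines list exactly the grants you intend to remove. An EXTRA line for an Application-type permission on Microsoft Graph deserves the most attention, since such permissions apply tenant-wide without any signed-in user; a MISSING line means the corresponding consent in Step 1 did not complete and should be granted again from the cloud console.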