Resetting consent to update the Microsoft Intune ADAL API Permissions
search cancel

Resetting consent to update the Microsoft Intune ADAL API Permissions

book

Article ID: 275490

calendar_today

Updated On:

Products

Endpoint Security Complete Endpoint Security

Issue/Introduction

Microsoft has retired Azure AD Graph APIs (ADAL APIs) in June 2023 and no longer supports any update to ADAL without breaking existing functionality.

SEP Mobile iOS Apps, Android App, and Console have already migrated to the supported Microsoft Authentication Library (MSAL) APIs. The Intune Partner Integration is also updated to remove the ADAL API permissions. It is recommended that administrators reset and grant consent again to apply the updated set of MSAL permissions.

 

Environment

SES Mobile deployments (ICDm management of iOS and / or Android devices protected by the SEP Mobile app)

Resolution

Use the following steps to reset and grant consent to update the Microsoft Intune ADAL API Permissions:

Step 1: Reset Consent in Symantec Endpoint Security

To reset consent:

  1. In the cloud console, go to Integrations.
  2. On the Integrations page, select Unified Endpoint Management.
  3. Under Intune Provider Settings > Grant Consent, click Reset Consent.
    Resetting consent impacts the UEM sync with Intune. It is recommended that you reset the consent when the UEM sync status is green. 
  4. Activate and Regrant API Permissions for 
    • Console
    • iOS App
    • Android App

For more information, see Resetting consent.

 

Step 2: Remove ADAL API Permissions that were previously granted in Azure Active Directory

To remove the ADAL API permissions:

  1. Go to Azure AD Console and select Applications > Enterprise Applications.
  2. Edit the API Permission Set for the following Apps
    • Symantec Endpoint Protection Mobile Management
    • SEP Mobile iOS
    • SEP Mobile Android
  3. Select the option to Revoke Permissions for all "Windows Azure Active Directory" Permissions.
  4. Keep the Microsoft Graph and Microsoft Intune API Permissions.

Note: While performing this step, it’s normal if you find that the ADAL API permissions are removed. 

 

Step 3. Verify the API Permissions for the SEP Mobile Enterprise Applications are configured properly

Verify that the remaining API Permissions match the following sets of permissions: 

  1. Go to Azure AD Console and select Applications > Enterprise Applications.
  2. Review the API Permission Set for each app. 
    • Symantec Integrated Cyber Defense Manager:
      • Microsoft Graph:
        • Directory.Read.All (Application)
        • Application.ReadAll (Application)
        • User.Read (Delegated)
        • DeviceManagementApps.Read.All (Application)
        • DeviceManagementManagedDevices.Read.All (Application)
      • Intune
        • update_device_health (Application)

    • SEP Mobile iOS
      • Microsoft Graph:
        • User.Read (Delegated)
    • SEP Mobile Android:
      • Microsoft Graph:
        • User.Read (Delegated)