Resetting consent to update the Microsoft Intune ADAL API Permissions

Article ID: 275491

Updated On:

Products

Endpoint Protection Mobile

Issue/Introduction

Microsoft retired the Azure AD Graph APIs (ADAL APIs) in June 2023 and no longer supports updates to ADAL without breaking existing functionality.

The SEP Mobile iOS app, Android app, and Console have already migrated to the supported Microsoft Authentication Library (MSAL) APIs. The Intune Partner Integration has also been updated to remove the ADAL API permissions. Administrators should reset consent and grant it again so that the updated set of MSAL permissions is applied.

Environment

SEP Mobile deployments (SEP Mobile Management Console (MC) administration of iOS and / or Android devices running the SEP Mobile app) 

Resolution

Step 1: Reset Consent in SEP Mobile Management Console

To reset consent:

  1. Go to Endpoint Protection Mobile management console > Settings > Integrations > Intune > Basic Setup tab.
  2. Click Reset Consent. Resetting consent impacts the MDM sync with Intune. It is recommended to reset the consent when the Intune Integration Status is green.

    Note: After you reset consent, the sync groups might temporarily disappear; they populate again once this step is complete.

  3. Activate and Regrant API Permissions for:

      • iOS or iPadOS App
      • Android App
      • Management App

For more information, see Resetting consent.

Step 2: Remove ADAL API Permissions that were previously granted in Azure Active Directory

To remove the ADAL API permissions:

  1. Go to Entra AD Console and select Applications > Enterprise Applications.
  2. Edit the API Permission Set for the following apps:
    • Symantec Endpoint Protection Mobile Management
    • SEP Mobile iOS
    • SEP Mobile Android
  3. Select the option to Revoke Permissions for all "Windows Azure Active Directory" Permissions.
  4. Keep the Microsoft Graph and Microsoft Intune API Permissions.

Note: While performing this step, it is normal to find that the ADAL API permissions have already been removed.


Step 3: Verify the API Permissions for the SEP Mobile Enterprise Applications are configured properly

Verify that the remaining API Permissions match the following sets of permissions: 

  1. Go to Azure AD Console and select Applications > Enterprise Applications.
  2. Review the API Permission Set for each app. 
    • Symantec Endpoint Protection Mobile Management:
      • Microsoft Graph:
        • Directory.Read.All (Application)
        • Application.Read.All (Application)
        • User.Read (Delegated)
        • DeviceManagementApps.Read.All (Application)
        • DeviceManagementManagedDevices.Read.All (Application)
      • Intune:
        • update_device_health (Application)

    • SEP Mobile iOS
      • Microsoft Graph:
        • User.Read (Delegated)
    • SEP Mobile Android:
      • Microsoft Graph:
        • User.Read (Delegated)
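The portal review in Step 3 can be repeated as a read-only audit across all three enterprise applications. The following script is an added example and is not part of this article or of the SEP Mobile product; it uses the Microsoft Graph PowerShell SDK to list each application's granted application permissions (app role assignments) and delegated permissions (OAuth2 permission grants), flags anything still granted on the retired "Windows Azure Active Directory" resource (Azure AD Graph) that Step 2 revokes, and compares the rest against the expected set listed above. The application display names and the expected permissions come from the article; the resource display name "Microsoft Intune API" for the Intune permission is an assumption based on how the resource is shown in the portal, and the script only reports, it does not revoke anything.

```powershell
# Added audit script (not from the article): compare the permissions actually granted to the
# SEP Mobile enterprise applications with the expected MSAL-era set, and flag any remaining
# Azure AD Graph ("Windows Azure Active Directory") grants that should have been revoked.
# Requires the Microsoft.Graph PowerShell SDK and a role that allows Application.Read.All.
Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

# Expected permissions per app (from the article), keyed "<resource>|<permission>|<type>".
# "Microsoft Intune API" as the resource display name is an assumption.
$expected = @{
    'Symantec Endpoint Protection Mobile Management' = @(
        'Microsoft Graph|Directory.Read.All|Application',
        'Microsoft Graph|Application.Read.All|Application',
        'Microsoft Graph|User.Read|Delegated',
        'Microsoft Graph|DeviceManagementApps.Read.All|Application',
        'Microsoft Graph|DeviceManagementManagedDevices.Read.All|Application',
        'Microsoft Intune API|update_device_health|Application'
    )
    'SEP Mobile iOS'     = @('Microsoft Graph|User.Read|Delegated')
    'SEP Mobile Android' = @('Microsoft Graph|User.Read|Delegated')
}
$legacyResource = 'Windows Azure Active Directory'   # Azure AD Graph, retired June 2023

# Cache resource service principals so app role IDs can be mapped back to permission names.
$resourceCache = @{}
function Get-ResourceSp($id) {
    if (-not $resourceCache.ContainsKey($id)) {
        $resourceCache[$id] = Get-MgServicePrincipal -ServicePrincipalId $id
    }
    return $resourceCache[$id]
}

foreach ($appName in $expected.Keys) {
    $sp = Get-MgServicePrincipal -Filter "displayName eq '$appName'" | Select-Object -First 1
    if (-not $sp) { Write-Warning "Enterprise application '$appName' not found"; continue }

    $actual = [System.Collections.Generic.List[string]]::new()

    # Application permissions are app role assignments held by this service principal.
    Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All | ForEach-Object {
        $res  = Get-ResourceSp $_.ResourceId
        $role = $res.AppRoles | Where-Object Id -eq $_.AppRoleId
        $actual.Add("$($res.DisplayName)|$($role.Value)|Application")
    }

    # Delegated permissions are OAuth2 permission grants where this app is the client;
    # one grant can carry several space-separated scopes.
    Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All | ForEach-Object {
        $res = Get-ResourceSp $_.ResourceId
        foreach ($scope in ($_.Scope -split ' ' | Where-Object { $_ })) {
            $actual.Add("$($res.DisplayName)|$scope|Delegated")
        }
    }

    $stale   = @($actual | Where-Object { $_ -like "$legacyResource|*" })
    $extra   = @($actual | Where-Object { $_ -notlike "$legacyResource|*" -and $_ -notin $expected[$appName] })
    $missing = @($expected[$appName] | Where-Object { $_ -notin $actual })

    Write-Host "== $appName =="
    $stale   | ForEach-Object { Write-Host "  REVOKE (retired Azure AD Graph): $_" -ForegroundColor Red }
    $extra   | ForEach-Object { Write-Host "  UNEXPECTED: $_" -ForegroundColor Yellow }
    $missing | ForEach-Object { Write-Host "  MISSING (regrant via Reset Consent): $_" -ForegroundColor Yellow }
    if ($stale.Count -eq 0 -and $extra.Count -eq 0 -and $missing.Count -eq 0) {
        Write-Host '  OK: permissions match the expected MSAL set' -ForegroundColor Green
    }
}
```

Run it once after Step 2 and again after Step 3; a clean run prints OK for all three applications. Any line marked REVOKE means a "Windows Azure Active Directory" permission survived Step 2 and should be revoked in the portal, and a MISSING line means the Reset Consent in Step 1 did not regrant that permission.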