MicrosoftDocs
diff --git a/‎articles/active-directory/develop/TOC.yml
Lines changed: 45 additions & 15 deletions b/‎articles/active-directory/develop/TOC.yml
Lines changed: 45 additions & 15 deletions
diff --git a/‎articles/active-directory/develop/config-authority.md
Lines changed: 251 additions & 0 deletions b/‎articles/active-directory/develop/config-authority.md
Lines changed: 251 additions & 0 deletions
@@ -9,7 +9,7 @@
     href: v2-overview.md
   - name: Quickstarts
     items:
-    - name: Set up a dev environment
+    - name: Set up a tenant
       href: quickstart-create-new-tenant.md
     - name: Configure an application
       items:
@@ -49,7 +49,7 @@
       items:
       - name: Android
         href: quickstart-v2-android.md
-      - name: iOS
+      - name: iOS and macOS
         href: quickstart-v2-ios.md
       - name: Universal Windows Platform
         href: quickstart-v2-uwp.md
@@ -75,7 +75,7 @@
       items:
       - name: Android
         href: tutorial-v2-android.md
-      - name: iOS
+      - name: iOS and macOS
         href: tutorial-v2-ios.md
       - name: Universal Windows Platform
         href: tutorial-v2-windows-uwp.md
@@ -223,12 +223,14 @@
       items:
         - name: Overview
           href: msal-overview.md
-        - name: Migration
+        - name: Migration from ADAL
           items:
           - name: Migrate to MSAL.NET
             href: msal-net-migration.md
           - name: Migrate to MSAL.js
             href: msal-compare-msal-js-and-adal-js.md
+          - name: Migrate to MSAL for iOS and MacOS
+            href: migrate-objc-adal-msal.md
           - name: Migrate Xamarin apps using brokers from ADAL.NET to MSAL.NET
             href: msal-net-migration-ios-broker.md
         - name: Supported authentication flows
@@ -239,8 +241,6 @@
             href: msal-acquire-cache-tokens.md
           - name: Scopes for v1.0 apps
             href: msal-v1-app-scopes.md
-          - name: Token cache serialization (.NET)
-            href: msal-net-token-cache-serialization.md
         - name: Client applications
           items:
           - name: Client applications
@@ -257,18 +257,28 @@
           href: msal-handling-exceptions.md        
         - name: Logging
           href: msal-logging.md
-        - name: Single sign-on (JS)
-          href: msal-js-sso.md
-        - name: Prompt behavior (JS)
-          href: msal-js-prompt-behavior.md 
-        - name: ADFS support (.NET)
-          href: msal-net-adfs-support.md
+        - name: Single sign-on
+          items:
+          - name: Single sign-on with MSAL.js
+            href: msal-js-sso.md
+          - name: Single sign-on with MSAL for iOS and macOS
+            items:
+            - name: SSO between MSAL apps
+              href: single-sign-on-macos-ios.md
+            - name: SSO between ADAL and MSAL apps
+              href: sso-between-adal-msal-apps-macos-ios.md
+        - name: Integrate with ADFS
+          items:
+          - name: ADFS support in MSAL.NET
+            href: msal-net-adfs-support.md
         - name: Integrate with Azure AD B2C
           items:
           - name: JavaScript
             href: msal-b2c-overview.md
           - name: .NET
             href: msal-net-aad-b2c-considerations.md
+          - name: iOS and macOS
+            href: config-authority.md#b2c
         - name: Considerations and known issues
           items:
             - name: MSAL.NET
@@ -283,6 +293,10 @@
                 href: msal-js-known-issues-ie-edge-browsers.md
               - name: Known issues- Safari 
                 href: msal-js-known-issues-safari-browser.md
+            - name: MSAL for iOS and macOS
+              items:
+              - name: SSL issues
+                href: ssl-issues.md
     - name: Authentication protocol
       items:
       - name: Application types and OAuth2.0
@@ -378,6 +392,8 @@
           items:
             - name: Acquire a token from the cache
               href: msal-net-acquire-token-silently.md
+            - name: Token cache serialization
+              href: msal-net-token-cache-serialization.md
             - name: Clear the token cache
               href: msal-net-clear-token-cache.md
             - name: Instantiate a public client with options
@@ -393,7 +409,21 @@
             - name: Avoid page reloads
               href: msal-js-avoid-page-reloads.md
             - name: Pass custom state in authentication requests
-              href:  msal-js-pass-custom-state-authentication-request.md
+              href: msal-js-pass-custom-state-authentication-request.md
+            - name: Prompt behavior
+              href: msal-js-prompt-behavior.md 
+        - name: MSAL for iOS and macOS
+          items:
+            - name: Microsoft Authentication Library for iOS and macOS differences
+              href: msal-differences-ios-macos.md
+            - name: Configure keychain
+              href: howto-v2-keychain-objc.md
+            - name: Customize browsers and WebViews
+              href: customize-webviews.md
+            - name: Request custom claims
+              href: request-custom-claims.md
+            - name: Redirect URI configuration
+              href: redirect-uris-ios.md
     - name: Work with Visual Studio
       items:
       - name: Use the Active Directory connected service
@@ -428,7 +458,7 @@
     href: v1-overview.md
   - name: Quickstarts
     items:
-    - name: Set up a dev environment
+    - name: Set up a tenant
       href: quickstart-create-new-tenant.md
     - name: Configure an application
       items:
@@ -468,7 +498,7 @@
       items:
       - name: Android
         href: quickstart-v1-android.md
-      - name: iOS
+      - name: iOS and MacOS
         href: quickstart-v1-ios.md
       - name: Windows Desktop .NET
         href: quickstart-v1-dotnet.md
 
@@ -0,0 +1,251 @@
+---
+title: Configure MSAL for iOS and macOS to use different identity providers | Microsoft identity platform
+description: Learn how to use different authorities such as B2C, sovereign clouds, and guest users, with MSAL for iOS and macOS.
+services: active-directory
+documentationcenter: ''
+author: tylermsft
+manager: CelesteDG
+editor: ''
+
+ms.service: active-directory
+ms.subservice: develop
+ms.workload: identity
+ms.tgt_pltfrm: na
+ms.devlang: na
+ms.topic: conceptual
+ms.date: 08/28/2019
+ms.author: twhitney
+ms.reviewer: ''
+ms.custom: aaddev
+ms.collection: M365-identity-device-management
+---
+
+# How to: Configure MSAL for iOS and macOS to use different identity providers
+
+This article will show you how to configure your Microsoft authentication library app for iOS and macOS (MSAL) for different authorities such as Azure Active Directory (Azure AD), Business-to-Consumer (B2C), sovereign clouds, and guest users.  Throughout this article, you can generally think of an authority as an identity provider.
+
+## Default authority configuration
+
+`MSALPublicClientApplication` is configured with a default authority URL of `https://login.microsoftonline.com/common`, which is suitable for most Azure Active Directory (AAD) scenarios. Unless you're implementing advanced scenarios like national clouds, or working with B2C, you won't need to change it.
+
+> [!NOTE]
+> Modern authentication with Active Directory Federation Services as identity provider (ADFS) is not supported (see [ADFS for Developers](https://docs.microsoft.com/windows-server/identity/ad-fs/overview/ad-fs-scenarios-for-developers) for details). ADFS is supported through federation.
+
+## Change the default authority
+
+In some scenarios, such as business-to-consumer (B2C), you may need to change the default authority.
+
+### B2C
+
+To work with B2C, the [Microsoft Authentication Library (MSAL)](reference-v2-libraries.md) requires a different authority configuration. MSAL recognizes one authority URL format as B2C by itself. The recognized B2C authority format is `https://<host>/tfp/<tenant>/<policy>`, for example `https://login.microsoftonline.com/tfp/contoso.onmicrosoft.com/B2C_1_SignInPolicy`. However, you can also use any other supported B2C authority URLs by declaring authority as B2C authority explicitly.
+
+To support an arbitrary URL format for B2C, `MSALB2CAuthority` can be set with an arbitrary URL, like this:
+
+Objective-C
+```objc
+NSURL *authorityURL = [NSURL URLWithString:@"arbitrary URL"];
+MSALB2CAuthority *b2cAuthority = [[MSALB2CAuthority alloc] initWithURL:authorityURL
+                                                                     error:&b2cAuthorityError];
+```
+Swift
+```swift
+guard let authorityURL = URL(string: "arbitrary URL") else {
+    // Handle error
+    return
+}
+let b2cAuthority = try MSALB2CAuthority(url: authorityURL)
+```
+
+All B2C authorities that don't use the default B2C authority format must be declared as known authorities.
+
+Add each different B2C authority to the known authorities list even if authorities only differ in policy.
+
+Objective-C
+```objc
+MSALPublicClientApplicationConfig *b2cApplicationConfig = [[MSALPublicClientApplicationConfig alloc]
+                                                               initWithClientId:@"your-client-id"
+                                                               redirectUri:@"your-redirect-uri"
+                                                               authority:b2cAuthority];
+b2cApplicationConfig.knownAuthorities = @[b2cAuthority];
+```
+Swift
+```swift
+let b2cApplicationConfig = MSALPublicClientApplicationConfig(clientId: "your-client-id", redirectUri: "your-redirect-uri", authority: b2cAuthority)
+b2cApplicationConfig.knownAuthorities = [b2cAuthority]
+```
+
+When your app requests a new policy, the authority URL needs to be changed because the authority URL is different for each policy. 
+
+To configure a B2C application, set `@property MSALAuthority *authority` with an instance of `MSALB2CAuthority` in `MSALPublicClientApplicationConfig` before creating `MSALPublicClientApplication`, like this:
+
+Objective-C
+```ObjC
+    // Create B2C authority URL
+    NSURL *authorityURL = [NSURL URLWithString:@"https://login.microsoftonline.com/tfp/contoso.onmicrosoft.com/B2C_1_SignInPolicy"];
+    
+    MSALB2CAuthority *b2cAuthority = [[MSALB2CAuthority alloc] initWithURL:authorityURL
+                                                                     error:&b2cAuthorityError];
+    if (!b2cAuthority)
+    {
+        // Handle error
+        return;
+    }
+    
+    // Create MSALPublicClientApplication configuration
+    MSALPublicClientApplicationConfig *b2cApplicationConfig = [[MSALPublicClientApplicationConfig alloc]
+                                                                   initWithClientId:@"your-client-id"
+                                                                   redirectUri:@"your-redirect-uri"
+                                                                   authority:b2cAuthority];
+
+    // Initialize MSALPublicClientApplication
+    MSALPublicClientApplication *b2cApplication =
+    [[MSALPublicClientApplication alloc] initWithConfiguration:b2cApplicationConfig error:&error];
+    
+    if (!b2cApplication)
+    {
+        // Handle error
+        return;
+    }
+```
+Swift
+```swift
+do{
+    // Create B2C authority URL
+    guard let authorityURL = URL(string: "https://login.microsoftonline.com/tfp/contoso.onmicrosoft.com/B2C_1_SignInPolicy") else {
+        // Handle error
+        return
+    }
+    let b2cAuthority = try MSALB2CAuthority(url: authorityURL)
+
+    // Create MSALPublicClientApplication configuration
+    let b2cApplicationConfig = MSALPublicClientApplicationConfig(clientId: "your-client-id", redirectUri: "your-redirect-uri", authority: b2cAuthority)
+
+    // Initialize MSALPublicClientApplication
+    let b2cApplication = try MSALPublicClientApplication(configuration: b2cApplicationConfig)
+} catch {
+    // Handle error
+}
+```
+
+### Sovereign clouds
+
+If your app runs in a sovereign cloud, you may need to change the authority URL in the `MSALPublicClientApplication`. The following example sets the authority URL to work with the German AAD cloud:
+
+Objective-C
+```objc
+    NSURL *authorityURL = [NSURL URLWithString:@"https://login.microsoftonline.de/common"];
+    MSALAuthority *sovereignAuthority = [MSALAuthority authorityWithURL:authorityURL error:&authorityError];
+    
+    if (!sovereignAuthority)
+    {
+        // Handle error
+        return;
+    }
+    
+    MSALPublicClientApplicationConfig *applicationConfig = [[MSALPublicClientApplicationConfig alloc]
+                                                               initWithClientId:@"your-client-id"
+                                                               redirectUri:@"your-redirect-uri"
+                                                               authority:sovereignAuthority];
+    
+    
+    MSALPublicClientApplication *sovereignApplication = [[MSALPublicClientApplication alloc] initWithConfiguration:applicationConfig error:&error];
+    
+    
+    if (!sovereignApplication)
+    {
+        // Handle error
+        return;
+    }
+```
+Swift
+```swift
+do{
+    guard let authorityURL = URL(string: "https://login.microsoftonline.de/common") else {
+        //Handle error
+        return
+    }
+    let sovereignAuthority = try MSALAuthority(url: authorityURL)
+            
+    let applicationConfig = MSALPublicClientApplicationConfig(clientId: "your-client-id", redirectUri: "your-redirect-uri", authority: sovereignAuthority)
+            
+    let sovereignApplication = try MSALPublicClientApplication(configuration: applicationConfig)
+} catch {
+    // Handle error
+}
+```
+
+You may need to pass different scopes to each sovereign cloud. Which scopes to send depends on the resource that you're using. For example, you might use `"https://graph.microsoft.com/user.read"` in worldwide cloud, and `"https://graph.microsoft.de/user.read"` in German cloud.
+
+### Signing a user into a specific tenant
+
+When the authority URL is set to `"login.microsoftonline.com/common"`, the user will be signed into their home tenant. However, some apps may need to sign the user into a different tenant and some apps only work with a single tenant.
+
+To sign the user into a specific tenant, configure `MSALPublicClientApplication` with a specific authority. For example:
+
+`https://login.microsoftonline.com/469fdeb4-d4fd-4fde-991e-308a78e4bea4`
+
+The following shows how to sign a user into a specific tenant:
+
+Objective-C
+```objc
+    NSURL *authorityURL = [NSURL URLWithString:@"https://login.microsoftonline.com/469fdeb4-d4fd-4fde-991e-308a78e4bea4"];
+    MSALAADAuthority *tenantedAuthority = [[MSALAADAuthority alloc] initWithURL:authorityURL error:&authorityError];
+    
+    if (!tenantedAuthority)
+    {
+        // Handle error
+        return;
+    }
+    
+    MSALPublicClientApplicationConfig *applicationConfig = [[MSALPublicClientApplicationConfig alloc]
+                                                               initWithClientId:@"your-client-id"
+                                                               redirectUri:@"your-redirect-uri"
+                                                               authority:tenantedAuthority];
+    
+    MSALPublicClientApplication *application =
+    [[MSALPublicClientApplication alloc] initWithConfiguration:applicationConfig error:&error];
+    
+    if (!application)
+    {
+        // Handle error
+        return;
+    }
+```
+Swift
+```swift
+do{
+    guard let authorityURL = URL(string: "https://login.microsoftonline.com/469fdeb4-d4fd-4fde-991e-308a78e4bea4") else {
+        //Handle error
+        return
+    }    
+    let tenantedAuthority = try MSALAADAuthority(url: authorityURL)
+            
+    let applicationConfig = MSALPublicClientApplicationConfig(clientId: "your-client-id", redirectUri: "your-redirect-uri", authority: tenantedAuthority)
+            
+    let application = try MSALPublicClientApplication(configuration: applicationConfig)
+} catch {
+    // Handle error
+}
+```
+
+## Supported authorities
+
+### MSALAuthority
+
+The `MSALAuthority` class is the base abstract class for the MSAL authority classes. Don't try to create instance of it using `alloc` or `new`. Instead, either create one of its subclasses directly (`MSALAADAuthority`, `MSALB2CAuthority`) or use the factory method `authorityWithURL:error:` to create subclasses using an authority URL.
+
+Use the `url` property to get a normalized authority URL. Extra parameters and path components or fragments that aren't part of authority won't be in the returned normalized authority URL.
+
+The following are subclasses of `MSALAuthority` that you can instantiate depending on the authority want to use.
+
+### MSALAADAuthority
+
+`MSALAADAuthority` represents an AAD authority. The authority url should be in the following format, where `<port>` is optional: `https://<host>:<port>/<tenant>`
+
+### MSALB2CAuthority
+
+`MSALB2CAuthority` represents a B2C authority. By default, the B2C authority url should be in the following format, where `<port>` is optional: `https://<host>:<port>/tfp/<tenant>/<policy>`. However, MSAL also supports other arbitrary B2C authority formats.
+
+## Next steps
+
+Learn more about [Authentication flows and application scenarios](authentication-flows-app-scenarios.md)