Commit 98c9c94

Merge pull request #247845 from shlipsey3/adal-msal-080923
adal-msal-080923
2 parents 3661957 + c1817d4 commit 98c9c94

2 files changed

+39
-6
lines changed

articles/active-directory/reports-monitoring/recommendation-migrate-from-adal-to-msal.md

Lines changed: 32 additions & 6 deletions
@@ -8,7 +8,7 @@ ms.service: active-directory
88
ms.topic: reference
99
ms.workload: identity
1010
ms.subservice: report-monitor
11-
ms.date: 05/26/2023
11+
ms.date: 08/10/2023
1212
ms.author: sarahlipsey
1313
ms.reviewer: jamesmantu
1414

@@ -25,7 +25,9 @@ This article covers the recommendation to migrate from the Azure Active Director
2525

2626
The Azure Active Directory Authentication Library (ADAL) is currently slated for end-of-support on June 30, 2023. We recommend that customers migrate to Microsoft Authentication Libraries (MSAL), which replaces ADAL.
2727

28-
This recommendation shows up if your tenant has applications that still use ADAL.
28+
This recommendation shows up if your tenant has applications that still use ADAL. The service marks any application in your tenant that makes a token request from the ADAL as an ADAL application. Applications that use both ADAL and MSAL are marked as ADAL applications.
29+
30+
When an application is identified as an ADAL application, each day the recommendation looks back 30 days for any new ADAL requests from applications within the tenant. If an ADAL recommendation doesn't send any new ADAL requests for 30 days, the recommendation is marked as completed. When all applications are completed, the recommendation status changes to completed. If a new ADAL request is detected for an application that was completed, the status changes back to active.
2931

3032
## Value
3133

@@ -35,9 +37,9 @@ Existing apps that use ADAL will continue to work after the end-of-support date.
3537

3638
## Action plan
3739

38-
The first step to migrating your apps from ADAL to MSAL is to identify all applications in your tenant that are currently using ADAL. You can identify your apps in the Azure portal or programmatically.
40+
The first step to migrating your apps from ADAL to MSAL is to identify all applications in your tenant that are currently using ADAL. You can identify your apps in the Azure portal or programmatically with the Microsoft Graph API or the Microsoft Graph PowerShell SDK.
3941

40-
### Identify your apps in the Azure portal
42+
### [Azure portal](#tab/Azure-portal)
4143

4244
There are four steps to identifying and updating your apps in the Azure portal. The following steps are covered in detail in the [List all apps using ADAL](../develop/howto-get-list-of-all-active-directory-auth-library-apps.md) article.
4345
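Review bot: Replacing "### Identify your apps in the Azure portal" with the tab heading at line 42 drops the anchor that heading generated, so any inbound link to it will stop resolving. The same applies to the Microsoft Graph API and Microsoft Graph PowerShell SDK headings converted later in this file. Check for links to those three anchors before merging, and confirm the tab group is closed by the `---` added at line 109 so the FAQ section does not render inside the last tab.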

@@ -49,7 +51,7 @@ There are four steps to identifying and updating your apps in the Azure portal.
4951
- For example, the steps for .NET and Python applications have separate instructions.
5052
- For a full list of instructions for each scenario, see [How to migrate to MSAL](../develop/msal-migration.md#how-to-migrate-to-msal).
5153

52-
### Identify your apps with the Microsoft Graph API
54+
### [Microsoft Graph API](#tab/Microsoft-Graph-API)
5355

5456
You can use Microsoft Graph to identify apps that need to be migrated to MSAL. To get started, see [How to use Microsoft Graph with Azure AD recommendations](howto-use-recommendations.md#how-to-use-microsoft-graph-with-azure-active-directory-recommendations).
5557

@@ -87,7 +89,7 @@ df.onecloud.azure-test.net/#view/Microsoft_AAD_RegisteredApps/ApplicationMenuBla
8789
}
8890
```
8991

90-
### Identify your apps with Microsoft Graph PowerShell SDK
92+
### [Microsoft Graph PowerShell SDK](#tab/Microsoft-Graph-PowerShell-SDK)
9193

9294
You can run the following set of commands in Windows PowerShell. These commands use the [Microsoft Graph PowerShell SDK](/graph/powershell/installation) to get a list of all applications in your tenant that use ADAL.
9395
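Review bot: The hunk header context at line 89 shows the sample response above this heading containing `df.onecloud.azure-test.net/#view/Microsoft_AAD_RegisteredApps/...`, which looks like a non-production portal host rather than a public one. Since this section is being reworked, replace that value with the public portal URL or a clearly labelled placeholder so the published sample does not expose a test endpoint that readers might copy.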

@@ -104,6 +106,30 @@ You can run the following set of commands in Windows PowerShell. These commands
104106

105107
1. Update the code for your apps using the instructions in [How to migrate to MSAL](../develop/msal-migration.md#how-to-migrate-to-msal).
106108

109+
---
110+
111+
## Frequently asked questions
112+
113+
### Why does it take 30 days to change the status to completed?
114+
115+
To reduce false positives, the service uses a 30 day window for ADAL requests. This way, the service can go several days without an ADAL request and not be falsely marked as completed.
116+
117+
### How were ADAL applications identified before the recommendation was released?
118+
119+
The [Azure AD sign-ins workbook](../develop/howto-get-list-of-all-auth-library-apps.md) is an alternative method to identify these apps. The workbook is still available to you, but using the workbook requires streaming sign-in logs to Azure Monitor first. The ADAL to MSAL recommendation works out of the box. Plus, the sign-ins workbook does not capture Service Principal sign-ins, while the recommendation does.
120+
121+
### Why is the number of ADAL applications different in the workbook and the recommendation?
122+
123+
Because the recommendation captures Service Principal sign-ins and the workbook doesn't, the recommendation may show more ADAL applications.
124+
125+
### How do I identify the owner of an application in my tenant?
126+
127+
You can locate owner from the recommendation details. Select the resource, which takes you to the application details. Select **Owners** from the navigation menu.
128+
129+
### Can the status change from *completed* to *active*?
130+
131+
Yes. If an application was marked as completed - so no ADAL requests were made during the 30 day window - that application would be marked as complete. If the service detects a new ADAL request, the status changes back to *active*.
132+
107133
## Next steps
108134

109135
- [Review the Azure AD recommendations overview](overview-recommendations.md)

articles/active-directory/reports-monitoring/reports-faq.yml

Lines changed: 7 additions & 0 deletions
@@ -232,3 +232,10 @@ sections:
232232
answer: |
233233
You may need to sign in to Microsoft Graph separately from the Azure portal. Select your profile icon on the upper-right corner and sign in to the right directory.
234234
You may be trying to run a query that you don't have permissions for. Select **Modify Permissions** and select the **Consent** button. Follow the sign-in prompts.
235+
236+
- name: Identity recommendations
237+
questions:
238+
- question: |
239+
Why did a recommendation that was "completed" change back to "active"?
240+
answer: |
241+
If the service detects activity related to that recommendation for something marked as "completed" it changes automatically back to "active".
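Review bot: The answer at line 241 is too vague to act on: "activity related to that recommendation for something marked as completed" does not say what kind of activity or which resource is re-evaluated. The ADAL article in this same commit documents a concrete 30 day lookback, so either give that as an example here or link to the recommendation's own article for its criteria. A comma after "completed" would also help the sentence parse.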
