Configuring the Microsoft Authentication policy

In an app security profile, set these options for Microsoft Intune Authentication. (See Configuring app security profiles for general information about managing profiles.)

Click Policies, then click Create New App Security Profile or click on the name of an existing profile to edit it. If you're adding a new profile, give it a name.

On the policy details page, select the Authentication tab and enable Use custom Active Directory configuration.

Configure Authentication options:

Option / Details
Azure AD Client ID

The app’s Azure AD client identifier. This can be retrieved from the Azure Portal's App Registrations. (Required for custom AD.)

Example: af325ed9-7761-5ae0-ac36-ea5b62359ad4

Azure AD Authority

A base URI for the Azure AD authority that the app will use to authenticate. (Required for custom AD.)

Default: https://login.microsoftonline.com/common

A different authority may be specified if necessary. For example: https://login.microsoftonline.com/intuneacme.onmicrosoft.com

ADAL Cache Identifier Override

The platform-specific identifier that controls where ADAL cache information is stored, so that it can be shared between apps.

  • On iOS, this is used as a Shared Keychain ID.
  • On Android this is used as a Shared User ID.

Note that apps must have the same signer (Team ID on iOS or keystore on Android) to share ADAL cache information directly.

This option is unavailable if Use Authentication Broker is enabled.

Use Authentication Broker

Enable to use an external authentication broker app (such as the Microsoft Authenticator).

Redirecting authentication flows to an authentication broker allows apps that do not have the same signer to use the ADAL cache in the authentication broker to achieve Single Sign-On (SSO), for example between Microsoft apps and third-party apps. Using an authentication broker also allows Multi-Factor Authentication (MFA) flows to be used.

If you use an authentication broker, see Using the authentication broker below for the steps to follow after signing your app.

Click Save changes.
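As an added illustration (not Blue Cedar's own code or API), the following check encodes the constraints listed above: the Client ID must be a GUID, the Authority must be an https base URI naming a tenant, and the ADAL Cache Identifier Override cannot be combined with the broker. The dictionary keys and the one-segment tenant path rule are assumptions based on the examples on this page.

```python
import re
from urllib.parse import urlparse

# GUID shape of an Azure AD application (client) ID, e.g. af325ed9-7761-5ae0-ac36-ea5b62359ad4
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
DEFAULT_AUTHORITY = "https://login.microsoftonline.com/common"


def validate_authentication_policy(policy: dict) -> list:
    """Return the list of problems found in a profile's Authentication settings.

    The policy keys (use_custom_ad, client_id, authority, use_broker,
    cache_id_override) are an assumed representation, not the product's schema.
    An empty list means the settings are consistent with the rules on this page.
    """
    problems = []
    if not policy.get("use_custom_ad"):
        return problems  # the remaining fields only apply to custom AD configuration

    client_id = policy.get("client_id", "")
    if not GUID_RE.match(client_id):
        problems.append("Azure AD Client ID must be the GUID from the Azure Portal's App Registrations")

    authority = policy.get("authority") or DEFAULT_AUTHORITY
    parsed = urlparse(authority)
    if parsed.scheme != "https" or not parsed.netloc:
        problems.append("Azure AD Authority must be an https base URI")
    elif parsed.query or parsed.fragment:
        problems.append("Azure AD Authority must be a base URI without query or fragment")
    else:
        # Assumption: a base authority ends in exactly one tenant segment
        # (common, a verified domain, or a tenant GUID), as in the page's examples.
        segments = [s for s in parsed.path.split("/") if s]
        if len(segments) != 1:
            problems.append("Azure AD Authority must end in a single tenant segment, e.g. /common")

    if policy.get("use_broker") and policy.get("cache_id_override"):
        problems.append("ADAL Cache Identifier Override is unavailable when Use Authentication Broker is enabled")
    return problems
```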

Using the authentication broker

If you are using the authentication broker or a custom client ID, the signing process generates a Redirect URI.

  • If you sign your app on the Blue Cedar platform, the Redirect URI appears on the app card after integrating and signing.
  • If you sign your app externally, the signing script displays the Redirect URI on completion.

Copy this Redirect URI and add it to your Azure AD portal.