Security update for the ADAL .NET library


An elevation of privilege vulnerability exists in the Active Directory Authentication Library for .NET (ADAL .NET) in specific problem scenarios.

An attacker who successfully exploits this vulnerability could receive a token granting higher privilege than should be granted for an application.

This issue occurs in scenarios that include the On Behalf Of protocol flow and specific use cases of ClientAssertion/ClientAssertionCertificate/ClientCredential and UserAssertion being passed to the AcquireToken* API.

Frequently asked questions about this vulnerability

Q1: What is Active Directory Authentication Library for .NET?

A1: The Active Directory Authentication Library (ADAL) for .NET provides easy to use authentication functionality for .NET clients and Windows Store applications.

Q2: Which versions of Active Directory Authentication Library for .NET (ADAL .NET) are affected?

A2: There are two issues that have different behavior that occur in different ADAL versions. These versions are as follows:

  • ADAL versions 2.0.x to 2.21.x inclusive and ADAL versions 3.0.x to 3.5.x inclusive.
  • ADAL versions 2.25.x to 2.27.x inclusive and ADAL versions 3.10.x to 3.11.x inclusive.

Q3: I use Azure Active Directory. Am I affected?

A3: This vulnerability affects only applications that use specific versions of the ADAL .NET under specific conditions. This issue does not affect the Azure Active Directory service or Microsoft or Azure infrastructure.

Update information

Developers who use ADAL .NET must download the latest version of ADAL .NET and then update their applications. The technical details are published in our GitHub repository.


Microsoft has confirmed that this is a problem in the ADAL .NET library.


Learn about the terminology that Microsoft uses to describe software updates.

Article ID: 3190237 - Last Review: Sep 7, 2016 - Revision: 1