.NET console application letting a user acquire a token for the Microsoft Graph using Integrated Windows Authentication (on domain joined or AAD joined machines)
We have renamed the default branch to main. To rename your local repo, follow the directions here.
This sample demonstrates how to use MSAL.NET from apps that run on a domain joined or Microsoft Entra joined Windows machine. It enables these apps to:
If you would like to get started immediately, skip this section and jump to How To Run The Sample.
The application obtains tokens through Integrated Windows Authentication (Kerberos):
To run this sample, you'll need:
From your shell or command line:
git clone https://github.com/Azure-Samples/active-directory-dotnet-iwa-v2.git
or download and extract the repository .zip file.
Given that the name of the sample is pretty long, and so are the names of the referenced NuGet packages, you might want to clone it in a folder close to the root of your hard drive, to avoid path length limitations on Windows.
Open the solution in Visual Studio, restore the NuGet packages, select the project, and start it in the debugger.
When you run the sample, if you are running on a domain joined or Microsoft Entra joined Windows machine, it will display your information as well as the information about your manager.
The instructions so far used the Microsoft Entra ID entry for the app in a Microsoft test tenant: given that the app is multi-tenant, anybody can run the sample against that app registration. To register your project in your own Microsoft Entra tenant, you can find instructions to manually provision the sample in your own tenant, so that you can exercise complete control on the app settings and behavior.
There is one project in this sample. To register it, you can:
If you want to use this automation:
On Windows run PowerShell and navigate to the root of the cloned directory
In PowerShell run:
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force
Run the script to create your Microsoft Entra application and configure the code of the sample application accordingly.
.\AppCreationScripts\Configure.ps1
Other ways of running the scripts are described in App Creation Scripts
Open the Visual Studio solution and click start
If you don't want to use this automation, follow the steps below
As a first step you'll need to:
Select Directory + Subscription at the top right corner in the menu on top of the page, and switch your portal session to the desired Microsoft Entra tenant. In the App registrations (Preview) page, select New registration.
When the Register an application page appears, enter your application's registration information:
iwa-console
On the app Overview page, find the Application (client) ID value and record it for later. You'll need it to configure the Visual Studio configuration file for this project.
In the list of pages for the app, select Manifest, and set the allowPublicClient property to true.
In the list of pages for the app, select API permissions
At this stage the permissions are assigned correctly, but the client app does not allow interaction. Therefore no consent can be presented via a UI and accepted to use the service app. Click the Grant/revoke admin consent for {tenant} button, and then select Yes when you are asked if you want to grant consent for the requested permissions for all accounts in the tenant. You need to be a Microsoft Entra tenant admin to do this.
In the steps below, "ClientID" is the same as "Application ID" or "AppId".
Open the solution in Visual Studio to configure the projects
Note: if you used the setup scripts, the changes below will have been applied for you
Open the iwa-console\appsettings.json file.
Find the line where clientId is set and replace the existing value with the application ID (clientId) of the iwa-console application copied from the Microsoft Entra admin center.
Find the line where Tenant is set and replace the existing value with your tenant ID.
Clean the solution, rebuild the solution, and start it in the debugger.
The code for handling the token acquisition process is simple, as it boils down to calling the AcquireTokenByIntegratedWindowsAuthAsync method of PublicClientApplication. See the GetTokenForWebApiUsingIntegratedWindowsAuthenticationAsync method in PublicAppUsingIntegratedWindowsAuthentication.cs.
private async Task<AuthenticationResult> GetTokenForWebApiUsingIntegratedWindowsAuthenticationAsync(IEnumerable<string> scopes)
{
    AuthenticationResult result = null;
    try
    {
        // IWA: MSAL.NET authenticates the signed-in Windows user with Kerberos, no prompt is shown
        result = await App.AcquireTokenByIntegratedWindowsAuthAsync(scopes);
    }
    catch (MsalException ex)
    {
        // error handling omitted here (see sample for details)
    }
    return result;
}
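The complete flow as an added example, not the sample's own code: it is written against the current MSAL.NET 4.x builder API (AcquireTokenByIntegratedWindowsAuth(...).ExecuteAsync()) rather than the older method shown above, reads the clientId and Tenant keys from appsettings.json, tries the token cache first, and falls back to interactive sign-in when IWA cannot complete (for example when the tenant enforces MFA). The Microsoft.Extensions.Configuration.Json package and the Graph scopes are assumptions.

```csharp
using System;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.Extensions.Configuration;   // assumed package: Microsoft.Extensions.Configuration.Json
using Microsoft.Identity.Client;            // MSAL.NET 4.x

class Program
{
    // Graph delegated scopes assumed for reading the signed-in user and their manager.
    static readonly string[] Scopes = { "User.Read", "User.ReadBasic.All" };
    static async Task<AuthenticationResult> GetTokenAsync(IPublicClientApplication app)
    {
        var account = (await app.GetAccountsAsync()).FirstOrDefault();
        if (account != null)
        {
            // 1. Token cache first: no network round trip and no Kerberos ticket needed.
            try { return await app.AcquireTokenSilent(Scopes, account).ExecuteAsync(); }
            catch (MsalUiRequiredException) { /* cached token unusable, fall through */ }
        }
        try
        {
            // 2. IWA: the logged-in Windows user's Kerberos credentials prove the identity.
            return await app.AcquireTokenByIntegratedWindowsAuth(Scopes).ExecuteAsync();
        }
        catch (MsalUiRequiredException)
        {
            // 3. IWA cannot complete (e.g. MFA required, consent missing): fall back to interactive sign-in.
            return await app.AcquireTokenInteractive(Scopes).ExecuteAsync();
        }
    }

    static async Task Main()
    {
        // appsettings.json keys as named on this page: clientId and Tenant.
        IConfiguration config = new ConfigurationBuilder().AddJsonFile("appsettings.json").Build();
        // Public client: allowPublicClient is true in the manifest, so there is no client secret.
        IPublicClientApplication app = PublicClientApplicationBuilder.Create(config["clientId"])
            .WithAuthority(AzureCloudInstance.AzurePublic, config["Tenant"])
            .WithDefaultRedirectUri()   // only needed for the interactive fallback
            .Build();

        AuthenticationResult result = await GetTokenAsync(app);
        using var http = new HttpClient();
        http.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
        Console.WriteLine(await http.GetStringAsync("https://graph.microsoft.com/v1.0/me"));
        Console.WriteLine(await http.GetStringAsync("https://graph.microsoft.com/v1.0/me/manager"));
    }
}
```

Other MsalException types (for example a user that MSAL cannot resolve on a machine that is not domain joined) are deliberately left to propagate so the failure is visible rather than silently turned into a prompt.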
Use Stack Overflow to get support from the community.
Ask your questions on Stack Overflow first and browse existing issues to see if someone has asked your question before.
Make sure that your questions or comments are tagged with [msal dotnet].
If you find a bug in the sample, please raise the issue on GitHub Issues.
To provide a recommendation, visit the following User Voice page.
If you'd like to contribute to this sample, see CONTRIBUTING.MD.
This project has adopted the Microsoft Open Source Code of Conduct. For more information, see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.
For more information, see MSAL.NET's conceptual documentation:
Quickstart: Register an application with the Microsoft identity platform
Quickstart: Configure a client application to access web APIs
Understanding Microsoft Entra application consent experiences
Application and service principal objects in Microsoft Entra ID
Customizing Token cache serialization (was not done in this sample, but you might want to add a serialized cache)
For more information about the Microsoft identity platform endpoint see: