Episode #118 – Using MSAL.NET to access Microsoft Graph – Part 2

Here you can find the transcript of Episode #118 of PiaSys TechBites.

Welcome back to PiaSys Tech Bites. Today, we keep on talking about MSAL, the Microsoft Authentication Library, which is a library that helps developers to acquire tokens, to consume the Microsoft Graph, first of all, as well as any other API registered in Azure Active Directory. MSAL is available for multiple development platforms and languages like .NET, JavaScript and TypeScript, all the macOS and Android native app platforms and stuff like that.

And today, I want to talk with you about how you can use the ConfidentialClientApplication to consume MSAL and to get an access token in order to consume backend APIs, either using the on-behalf-of flow or the app-only flow, or the authorization code flow, which are the flows available in MSAL when you want to use the confidential model. It is called confidential because you leverage a secret, like a client secret or an X.509 certificate, in order to acquire a token in the backend API, web application or service that you are developing and where you are using the confidential client application type.

So let’s move to the demo environment, and let’s see how to do that in practice. Let’s start from the Azure Active Directory management portal. And here we will have to register an application in order to use MSAL with the ConfidentialClientApplication. You will have to go under App registrations, and here actually I already registered an application. So I will show you the result. I have an MSALConfidentialClientDemo, which I registered just by clicking on the plus New registration command right here. So my confidential client application is configured to have, in the API permissions section, the permission to read all of the sites. So I clicked on Add a permission, Microsoft Graph, Application permissions, because I want to show you how to use an application-only token retrieved through MSAL ConfidentialClientApplication. And I simply searched for sites. And here we see, I have the preselected permission Sites.Read.All.

Moreover, I granted the permission at tenant level with the global tenant admin account. And in the Certificates & secrets section, I registered a new client secret. You simply need to click on this button to provide a name and to choose an expiry date for your new shared secret. Remember to copy the value of the shared secret, because you will be able to see that one if and only if you create it from scratch. And once you have created it and you have got its value, you will not be able anymore to get it back. Moreover, we need to copy the client ID and the tenant ID, because this will be the information we will use in the application that I’m going to show you. And here is the application. Of course, here for the sake of simplicity, I created a static IConfidentialClientApplication field, which will be the type we are looking for in order to use the ConfidentialClientApplication.

And I registered as static strings the clientId, the clientSecret, which I will delete right after the recording, and the tenantId, so that I can build an authority, which is based on login.microsoftonline.com and the ID of the target tenant. Of course, in a real application, these settings will be in the appsettings.json file or in the configuration settings of your Azure hosting platform. Then using the ConfidentialClientApplicationBuilder type provided by MSAL, I can create a new confidential client based on the client ID of my application, with the authority that we just defined right here, and with the client secret, or if you like, and I would say it is even better, you can use a certificate for better security, so that you will be able, for example, to store the certificate in Azure Key Vault, or in a safe certificate store.

So once I’ve done that, I build the confidential client application through the builder, and I’m able to use it. In order to use it, I need to define a set of permission scopes. And when you want to retrieve an application-only access token, so in the name of no user, you will have to provide the .default value for the permission scope. As such, I simply say that I want to use my confidential client object, I want to acquire a token for a client, I provide the scopes and I execute asynchronously the request. And I will get back an access token, which I will show in the UI of this console sample application. And then using the HttpClient of .NET, I simply make a request to access the root site of my SharePoint Online tenant. And I provide as a bearer access token, in the Authorization header of my HTTP request, the access token I retrieved using MSAL. And that’s it. Then I can send the request and I can get back the result.
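The flow just described (build the confidential client, acquire an app-only token with the .default scope, call Graph with a bearer header), written out as an added console sample that is not the episode's own code. The tenant ID, client ID and thumbprint are placeholders; the secret is read from an environment variable rather than hard-coded, and the certificate option the episode recommends is shown as an alternative to the secret.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

static class Program
{
    // Placeholders: in a real app these come from appsettings.json or platform config.
    private const string TenantId = "<tenant-id>";
    private const string ClientId = "<client-id>";
    private const string Authority = "https://login.microsoftonline.com/" + TenantId;

    static async Task Main()
    {
        // Option A: client secret, kept out of source (demo reads it from the environment).
        string clientSecret = Environment.GetEnvironmentVariable("MSAL_CLIENT_SECRET")
            ?? throw new InvalidOperationException("MSAL_CLIENT_SECRET is not set");

        IConfidentialClientApplication app = ConfidentialClientApplicationBuilder
            .Create(ClientId)
            .WithAuthority(new Uri(Authority))
            .WithClientSecret(clientSecret)
            // Option B (preferred): replace the line above with
            // .WithCertificate(LoadCertificate("<certificate-thumbprint>"))
            .Build();

        // App-only token: ".default" requests every application permission already
        // granted to this app in the tenant, in the episode's case Sites.Read.All.
        string[] scopes = { "https://graph.microsoft.com/.default" };
        AuthenticationResult result = await app.AcquireTokenForClient(scopes).ExecuteAsync();

        using var http = new HttpClient();
        http.DefaultRequestHeaders.Authorization =
            new AuthenticationHeaderValue("Bearer", result.AccessToken);

        // Read the root SharePoint Online site through Microsoft Graph (token itself is not printed).
        HttpResponseMessage response = await http.GetAsync("https://graph.microsoft.com/v1.0/sites/root");
        Console.WriteLine($"{(int)response.StatusCode} {response.ReasonPhrase}");
        Console.WriteLine(await response.Content.ReadAsStringAsync());
    }

    // Loads the signing certificate from the current user's store by thumbprint.
    static X509Certificate2 LoadCertificate(string thumbprint)
    {
        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
        return found.Count > 0 ? found[0] : throw new InvalidOperationException("Certificate not found");
    }
}
```

The Sites.Read.All permission shows up in the token's roles claim, and with the client-credentials flow there is no user claim, which is what the episode checks next on jwt.ms.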

So let me run this application and let me show you how it behaves. So F5, here you can see the console application output. Let me copy the content of the access token that we just got through MSAL from Azure Active Directory. And if I go to jwt.ms, I can paste the value of my access token and see what’s inside. And here we can see that this is an access token for the Microsoft Graph, which is the audience I’m targeting. I got back an access token with the Sites.Read.All permission scope, which is the one I declared in the configuration in Azure Active Directory, and which I retrieved through the .default request of the scope in my acquire token request. And I can see that this is an access token for my application, with my client ID, and with no user in the definition of the access token, because this is an application-only token in the name of no user. And that’s it, simple as that. You can consume a backend API like Microsoft Graph with an app-only access token retrieved using MSAL. Like always, thank you for watching this video. I hope you found it interesting, and I’m really looking forward to seeing you next week. And remember to subscribe to this channel. Thank you.