-
Notifications
You must be signed in to change notification settings - Fork 366
MSAL.NET supports multiple application architectures and multiple platforms
MSAL.NET (Microsoft Authentication Library for .NET) enables developers of .NET applications to acquire tokens in order to call secured Web APIs. These Web APIs can be the Microsoft Graph, other Microsoft APIS, 3rd party Web APIs, or your own Web API.
MSAL.NET supports all the possible application topologies including:
- native client (mobile/desktop applications) calling the Microsoft Graph in the name of the user,
- daemons/services or web clients (Web Apps/ Web APIs) calling the Microsoft Graph in the name of a user, or without a user.
With the exception of:
- User-agent based client which is only supported in JavaScript
For details about the supported scenarios see Scenarios
Important
Not all the authentication features are available in all platforms, mostly because:
- mobile platforms (Xamarin and UWP) do not allow confidential client flows, because they are not meant to function as a backend and to store secrets,
- on public client (mobile and desktop), the default browser is different from platform to platform and broker availability varies.
Most of the pages in the wiki describe the most complete platform (.NET Framework), but, topic by topic, it occasionally calls out differences between platforms.
MSAL.NET is a token acquisition library. Depending on your scenario it provides you with various way of getting a token, with a consistent API for a number of platforms. It also adds value by:
- maintaining a token cache and refreshes tokens for you when they are close to expire.
you don't need to handle expiration on your own.
- helping you specify which audience you want your application to sign-in (your org, several orgs, work and school and Microsoft personal accounts, Social identities with Azure AD B2C, users in sovereign and national clouds)
- helping you setting-up your application from configuration files
- helping you troubleshooting your app by exposing actionable exceptions, logging and telemetry.
MSAL.NET is used to acquire tokens. It's not used to protect a Web API. If you are interested in protecting a Web API with Azure AD, you might want to check out:
- Azure Active Directory with ASP.NET Core. Note that some of these examples present Web Apps which also call a Web API with ADAL.NET or MSAL.NET
- active-directory-dotnet-native-aspnetcore-v2 which demoes calling a ASP.NET Core Web API from a WPF application using Azure AD V2
- The IdentityModel extensions for .Net open source library providing middleware used by ASP.NET and ASP.NET Core to protect APIs
- Home
- Why use MSAL.NET
- Is MSAL.NET right for me
- Scenarios
- Register your app with AAD
- Client applications
- Acquiring tokens
- MSAL samples
- Known Issues
- Acquiring a token for the app
- Acquiring a token on behalf of a user in Web APIs
- Acquiring a token by authorization code in Web Apps
- AcquireTokenInteractive
- WAM - the Windows broker
- .NET Core
- Maui Docs
- Custom Browser
- Applying an AAD B2C policy
- Integrated Windows Authentication for domain or AAD joined machines
- Username / Password
- Device Code Flow for devices without a Web browser
- ADFS support
- High Availability
- Regional
- Token cache serialization
- Logging
- Exceptions in MSAL
- Provide your own Httpclient and proxy
- Extensibility Points
- Clearing the cache
- Client Credentials Multi-Tenant guidance
- Performance perspectives
- Differences between ADAL.NET and MSAL.NET Apps
- PowerShell support
- Testing apps that use MSAL
- Experimental Features
- Proof of Possession (PoP) tokens
- Using in Azure functions
- Extract info from WWW-Authenticate headers
- SPA Authorization Code