-
Notifications
You must be signed in to change notification settings - Fork 367
Managed Identity Support in MSAL
A common challenge for developers is the management of secrets, credentials, certificates, and keys used to secure communication between services. Managed identities eliminate the need for developers to manage these credentials.
IManagedIdentityApplication mi = ManagedIdentityApplicationBuilder.Create()
.WithExperimentalFeatures()
.Build();
AuthenticationResult result = await mi.AcquireTokenManagedIdentity(resource) // resource to acquire token for. For example https://management.azure.com
.ExecuteAsync()
.ConfigureAwait(false);
IManagedIdentityApplication mi = ManagedIdentityApplicationBuilder.Create(userAssignedId) // userAssignedId can be client id or resource id (if client id is not generated) for the user assigned managed identity
.WithExperimentalFeatures()
.Build();
AuthenticationResult result = await mi.AcquireTokenManagedIdentity(resource) // resource to acquire token for. For example https://management.azure.com
.ExecuteAsync()
.ConfigureAwait(false);
For MSAL logging see: aka.ms/msal-net-logging
MSAL supports the following sources for managed identity
Supported:
- App services
- IMDS (VMs)
- Azure Arc
- Cloud Shell
- Service Fabric
For failed requests, the error response contains a correlation id that can be used for further investigation. The MSAL's correlation id generated in MSAL or passed in to MSAL is different than the one returned in server error response as MSAL cannot pass the correlation id to managed identity token acquisition endpoints.
MsalServiceException Error Code: managed_identity_failed_response Error Message: An unexpected error occurred while fetching the AAD token
This exception might mean that the scope added is either not supported or is in wrong format. An example of expected scope is https://management.azure.com/.default
- Home
- Why use MSAL.NET
- Is MSAL.NET right for me
- Scenarios
- Register your app with AAD
- Client applications
- Acquiring tokens
- MSAL samples
- Known Issues
- Acquiring a token for the app
- Acquiring a token on behalf of a user in Web APIs
- Acquiring a token by authorization code in Web Apps
- AcquireTokenInteractive
- WAM - the Windows broker
- .NET Core
- Maui Docs
- Custom Browser
- Applying an AAD B2C policy
- Integrated Windows Authentication for domain or AAD joined machines
- Username / Password
- Device Code Flow for devices without a Web browser
- ADFS support
- High Availability
- Regional
- Token cache serialization
- Logging
- Exceptions in MSAL
- Provide your own Httpclient and proxy
- Extensibility Points
- Clearing the cache
- Client Credentials Multi-Tenant guidance
- Performance perspectives
- Differences between ADAL.NET and MSAL.NET Apps
- PowerShell support
- Testing apps that use MSAL
- Experimental Features
- Proof of Possession (PoP) tokens
- Using in Azure functions
- Extract info from WWW-Authenticate headers
- SPA Authorization Code