Azure AD impersonation for long-running processes

Agustin Jose Gimenez Bernad
2021-06-21T11:11:32.193+00:00

We have an application using Blazor as GUI and some .net 5 web api services as back-end using Microsoft.Identity.Web and Azure Active Directory for authorization.

This system interacts with SharePoint, Graph and other APIs from Azure, and these tasks need to be impersonated so the updates reflect which users made them and so access to the resources can be allowed or denied based on the user.

Until now the interactions were direct: the user executed an action on the GUI, the back-end received that request, it requested a token on behalf of the user using the ITokenAcquisition service, called the external system and the flow finished.

But now we need to extend our system so it can handle long-running processes without user interaction, impersonating the user that started the long-running process.

Our idea was to use a refresh token: store a refresh token in a secret vault that is accessed by an isolated service, and this service uses the refresh token to request tokens on behalf of the user when a process needs to interact with an external API. The problem is that there is no info on how to get a refresh token using Microsoft.Identity.Web: all the token acquisition is hidden from the system, the token is requested on the GUI app and propagated to the back-end as a bearer token, and we can't find any information on how to get a refresh token from there.

Is this the correct way to impersonate a user in a long-running process? If it is, how can we get the refresh token? If not, how should we implement it?

Thanks.

Microsoft Entra ID