How to use PRT token for Azure AD silent authentication?

Shishir 21 Reputation points
2021-07-23T07:53:34.33+00:00

Hi All,

We have a Windows application built using C# and WPF/Avalonia. This application gets installed as a Windows service on the client's users' machines, and when a user starts his/her machine our service launches this application. One of our clients wants this app to be authenticated before it opens and has suggested using the PRT token to authenticate with their Azure AD domain. The machines on which this app is installed are joined to the Azure AD domain.

I have gone through the below link to understand about PRT token.
[concept-primary-refresh-token][1]

I need help in understanding how we can access the PRT token stored on the user's machine (joined to Azure AD) programmatically and use it to authenticate with the Azure AD domain silently, without user interaction.


Accepted answer
VipulSparsh-MSFT 16,231 Reputation points Microsoft Employee
2021-07-26T07:06:51.097+00:00

@Shishir Thanks for reaching out.

When a client application connects to a service application that relies on Azure AD for authentication (for example the Outlook app connecting to Office 365 Exchange Online), the application will request a token from the Web Account Manager using its API.

The Web Account Manager calls the Azure AD plug-in, which in turn uses the PRT to obtain an access token for the service application in question.

There are two interfaces in particular that are important to note. One permits an application to get a token silently, which will use the PRT to obtain an access token silently if it can. If it can't, it will return a code to the caller application telling it that UI interaction is required. This could happen for multiple reasons, including the PRT having expired or MFA authentication being required for the user, etc. Once the caller application receives this code, it will be able to call a separate API that will display a web control for the user to interact with.

WinRT API

WebAuthenticationCoreManager.GetTokenSilentlyAsync(...) // Silent API
WebAuthenticationCoreManager.RequestTokenAsync(...) // User interaction API

Win32 API

IWebAuthenticationCoreManagerStatics::GetTokenSilentlyAsync(...) // Silent API
IWebAuthenticationCoreManagerInterop::RequestTokenForWindowAsync(...) // User interaction API

Read more here.


Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

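The two-step flow the answer describes, as an added C# example (not code from the original post or from Microsoft): the application never reads the PRT itself; it asks the Web Account Manager for a token and the Azure AD plug-in redeems the PRT on its behalf, so the app only handles the resulting access token. The client ID, scope and authority values are placeholders; for a Win32 desktop app the interactive fallback would go through the interop RequestTokenForWindowAsync with a window handle instead of RequestTokenAsync.

```csharp
using System;
using System.Threading.Tasks;
using Windows.Security.Authentication.Web.Core;
using Windows.Security.Credentials;

// Added example: silent-first token acquisition through WAM, falling back to
// the interactive API only when the provider reports that UI is required.
public static class WamAuth
{
    private const string ClientId = "<your-app-registration-client-id>"; // placeholder
    private const string Scope = "<your-api-scope>";                       // placeholder

    public static async Task<string> AcquireTokenAsync()
    {
        // Resolve the Azure AD (work or school account) provider on this device.
        WebAccountProvider provider = await WebAuthenticationCoreManager
            .FindAccountProviderAsync("https://login.microsoft.com", "organizations");
        if (provider == null)
            throw new InvalidOperationException("Azure AD account provider is not available.");

        var request = new WebTokenRequest(provider, Scope, ClientId);

        // Step 1: silent attempt. On an Azure AD-joined device the plug-in uses the
        // PRT to obtain an access token without showing any UI.
        WebTokenRequestResult result =
            await WebAuthenticationCoreManager.GetTokenSilentlyAsync(request);

        // Step 2: only if WAM says interaction is needed (PRT expired, MFA required,
        // ...) call the interactive API, which shows the web control to the user.
        if (result.ResponseStatus == WebTokenRequestStatus.UserInteractionRequired)
            result = await WebAuthenticationCoreManager.RequestTokenAsync(request);

        // Any other non-success status (provider unavailable, user cancelled,
        // provider error) is surfaced to the caller instead of being swallowed.
        if (result.ResponseStatus != WebTokenRequestStatus.Success)
            throw new InvalidOperationException(
                $"Token request failed: {result.ResponseStatus} " +
                $"({result.ResponseError?.ErrorCode}: {result.ResponseError?.ErrorMessage})");

        // The access token for the requested scope; the PRT itself is never exposed.
        return result.ResponseData[0].Token;
    }
}
```

Treat the returned token like any bearer credential: keep it in memory only for the call that needs it and request a fresh one through the silent API rather than caching it on disk.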
