How to clear the account list in the Web Account Manager list of Accounts displayed by WAM Broker
I have a WPF desktop app that accesses an Azure WebAPI. It uses the MSAL library and when authenticating uses the WAM broker. When the list of accounts is displayed, there is an account of someone that used the computer once when I was logged on to the operating system. I can't seem to delete that account with PublicClientApplication.RemoveAsync(). I have tried deleting the token cache file. I have looked in the Credential Manager. I just can't seem to delete this account and stop it from showing up in the account list of WAM. It must be stored somewhere but I can't find it.
Microsoft Identity Manager
.NET
Microsoft Entra ID
-
Mark Garza 0 Reputation points
2024-05-25T18:52:51.6466667+00:00 I can't really comment any further but I saw WAM and thought of the signoutofwamaccounts script on this page, maybe will help point you in the right direction: https://learn.microsoft.com/en-us/office/troubleshoot/activation/reset-office-365-proplus-activation-state
-
Michael 81 Reputation points
2024-05-26T13:04:14.46+00:00 I was sooo hopeful that would work. I ran the script in PS but I get the same problem. The account list contained the account of someone that used the computer once when I was logged on.
My WPF app uses MSAL and the WAM broker. There is a RemoveAsync method that just doesn't remove the accounts. It does seem to remove the token though, because after I run it I can't authenticate silently.
In fact, if I run the code directly from the Microsoft website ( https://learn.microsoft.com/en-us/entra/msal/dotnet/acquiring-tokens/clear-token-cache?source=recommendations ) it gets frozen in an endless loop at the "while(accounts.Any())". That occurs because accounts are not removed and the loop becomes infinite.
If I run the app on different computers I get different Account lists. Still, the code doesn't remove the accounts. I presume the account lists are local to the computer and not an Azure thing.
I need a way to either get the code to work or another way to clear the accounts list.
I have tried using different token caches too.
Help!
    _app = PublicClientApplicationBuilder.Create(ClientId)
        .WithAuthority(Authority)
        .Build();

    var accounts = (await _app.GetAccountsAsync()).ToList();

    // clear the cache
    while (accounts.Any())
    {
        await _app.RemoveAsync(accounts.First());
        accounts = (await _app.GetAccountsAsync()).ToList();
    }
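An added example, not code from this thread or from the MSAL docs, showing the two checks a practitioner would make here: build the client so that the broker's ListOperatingSystemAccounts flag is explicit (with it set to true the broker also lists work and school accounts that Windows itself knows about, under Settings > Accounts; with it set to false GetAccountsAsync returns only what MSAL cached), and clear the cache in a single pass over a snapshot so that an account RemoveAsync cannot delete is reported instead of being retried forever. It assumes the Microsoft.Identity.Client.Broker package and that the caller supplies the app registration's client ID, the authority URL and the WPF window handle; the MsalCacheHelper registration from the question is left out for brevity.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;
using Microsoft.Identity.Client.Broker;

// Added example, not code from the thread. clientId, authority and hwnd are
// placeholders the caller fills in from their own app registration and window.
public static class WamAccountCleanup
{
    public static IPublicClientApplication Build(string clientId, string authority,
                                                 IntPtr hwnd, bool listOsAccounts)
    {
        var broker = new BrokerOptions(BrokerOptions.OperatingSystems.Windows)
        {
            // true: GetAccountsAsync also returns work/school accounts registered with
            // Windows (Settings > Accounts). false: only accounts MSAL itself cached.
            ListOperatingSystemAccounts = listOsAccounts
        };

        return PublicClientApplicationBuilder.Create(clientId)
            .WithAuthority(authority)
            .WithDefaultRedirectUri()
            .WithBroker(broker)
            .WithParentActivityOrWindow(() => hwnd)
            .Build();
    }

    // One pass over a snapshot: every account is handed to RemoveAsync exactly once and
    // the list is then re-read. Whatever is still listed is returned to the caller rather
    // than retried, so the "while (accounts.Any())" pattern can no longer spin forever.
    public static async Task<IReadOnlyList<IAccount>> ClearCacheAsync(IPublicClientApplication app)
    {
        var snapshot = (await app.GetAccountsAsync()).ToList();
        foreach (var account in snapshot)
        {
            await app.RemoveAsync(account);
        }

        return (await app.GetAccountsAsync()).ToList();
    }

    public static async Task RunAsync(string clientId, string authority, IntPtr hwnd)
    {
        var app = Build(clientId, authority, hwnd, listOsAccounts: true);
        var leftOver = await ClearCacheAsync(app);

        foreach (var a in leftOver)
        {
            // An entry that survives RemoveAsync was not something MSAL's cache held;
            // look for it in Windows Settings > Accounts rather than in the token cache.
            Console.WriteLine($"Still listed after RemoveAsync: {a.Username} ({a.Environment})");
        }
    }
}
```

Building the client twice, once with listOsAccounts false and once with it true, and diffing the two GetAccountsAsync results by Username is the quickest way to see which entries come from Windows rather than from the app's own cache.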
-
Shweta Mathur 29,856 Reputation points • Microsoft Employee
2024-05-27T07:01:46.7633333+00:00 Thanks for reaching out.
Did you set ListWindowsWorkAndSchoolAccounts?
Could you please confirm what is the kind of account you are trying to remove?
Similar issue raised - https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/3566
Could you please check and confirm the above , so we can troubleshoot this further.
Thanks,
Shweta
-
Michael 81 Reputation points
2024-05-28T12:28:03.83+00:00 Thanks for your reply. Here is the code block where I create the IPublicClientApplication:

    var builder = PublicClientApplicationBuilder.Create(ClientId)
        .WithAuthority($"{Instance}{Tenant}")
        .WithDefaultRedirectUri();

    if (UseWAM)
    {
        BrokerOptions brokerOptions = new BrokerOptions(BrokerOptions.OperatingSystems.Windows);
        brokerOptions.ListOperatingSystemAccounts = true;
        builder.WithBroker(brokerOptions);
    }

    builder.WithParentActivityOrWindow(get_hWnd);
    _clientApp = builder.Build();

    // Let the cache helper handle MSAL's cache, otherwise the user will be prompted to sign-in every time.
    MsalCacheHelper cacheHelper = CreateCacheHelperAsync().GetAwaiter().GetResult();
    cacheHelper.RegisterCache(_clientApp.UserTokenCache);
I don't know where the ListWindowsWorkAndSchoolAccounts property would be located. It doesn't seem to be part of the BrokerOptions. The account I'm trying to remove is in the same AD as my login account. It's a Work and School account in a Microsoft AD (Entra ID).
Let me take a look at the link you sent with the similar issue.
Thanks, this is really annoying me.
-
Michael 81 Reputation points
2024-05-28T13:45:44.2066667+00:00 The link you sent me https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/3566 describes exactly the issue. In the list, I'd really like to display only the account of the person that logged into the windows session. How can I do that and that would be a good (but temp) solution
-
Shweta Mathur 29,856 Reputation points • Microsoft Employee
2024-05-29T10:20:32.71+00:00 @Michael You can directly use PublicClientApplication.OperatingSystemAccount to get the account of the person logged into the Windows session.

    // 1. Configuration - read below about redirect URI
    var pca = PublicClientApplicationBuilder.Create("client_id")
        .WithBroker(new BrokerOptions(BrokerOptions.OperatingSystems.Windows))
        .Build();

    // 2. Look for an account MSAL already has in its cache
    var accounts = await pca.GetAccountsAsync();
    var accountToLogin = accounts.FirstOrDefault();

    if (accountToLogin == null)
    {
        // 3. No account in the cache; try to log in with the OS account
        accountToLogin = PublicClientApplication.OperatingSystemAccount;
    }

    AuthenticationResult authResult;
    try
    {
        // 4. Silent authentication
        authResult = await pca.AcquireTokenSilent(new[] { "User.Read" }, accountToLogin)
            .ExecuteAsync();
    }
    // Cannot log in silently - most likely Azure AD would show a consent dialog or the user needs to re-enter credentials
    catch (MsalUiRequiredException)
    {
        // 5. Interactive authentication
        authResult = await pca.AcquireTokenInteractive(new[] { "User.Read" })
            .WithAccount(accountToLogin)
            // This is mandatory so that WAM is correctly parented to your app; read on for more guidance
            .WithParentActivityOrWindow(myWindowHandle)
            .ExecuteAsync();

        // Consider allowing the user to re-authenticate with a different account, by calling AcquireTokenInteractive again
    }
-
Michael 81 Reputation points
2024-05-31T13:56:37.99+00:00 I was so excited to try this. Unfortunately, IAccount? OSAccount = PublicClientApplication.OperatingSystemAccount did not return an account. There were no errors, and it wasn't null either, but all the fields were "". Not sure what to do next. I see this is right out of the Microsoft documentation, but it's not working. I have a simple Win 11 desktop installation. I log on with my Microsoft account (and not a School/Work account). This fix also doesn't address the inability to delete accounts with the Microsoft code seen at the top of this post. But, let's keep going here! I really want to get this to work.
-
Michael 81 Reputation points
2024-05-31T15:06:38.2+00:00 Unfortunately, accountToLogin = PublicClientApplication.OperatingSystemAccount did not return an IAccount. It didn't return an error nor a null. However, the properties in the accountToLogin were "" and I could not use the IAccount to get the authResult.
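An added example, not code from this thread, for the empty-fields observation above. MSAL documents PublicClientApplication.OperatingSystemAccount as a special account value that tells the broker to use the account the Windows session is signed in with; its own Username and HomeAccountId are not the user's, and where the OS or flow does not support the concept AcquireTokenSilent throws MsalUiRequiredException. So the marker is never inspected, only passed through, and the real identity is read from AuthenticationResult.Account after the call succeeds. It assumes the Microsoft.Identity.Client.Broker package, a client already built with WithBroker, and a caller-supplied window handle.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Added example, not code from the thread. app, scopes and hwnd are supplied by the caller.
public static class OsAccountSignIn
{
    // Returns true if the given IAccount is the OperatingSystemAccount marker itself,
    // compared by reference because the marker carries no usable identifier of its own.
    public static bool IsOsAccountMarker(IAccount account) =>
        ReferenceEquals(account, PublicClientApplication.OperatingSystemAccount);

    public static async Task<AuthenticationResult> SignInAsWindowsUserAsync(
        IPublicClientApplication app, string[] scopes, IntPtr hwnd)
    {
        var marker = PublicClientApplication.OperatingSystemAccount;

        try
        {
            // The broker resolves the marker to the session's account; nothing about the
            // user is known until this call returns.
            return await app.AcquireTokenSilent(scopes, marker).ExecuteAsync();
        }
        catch (MsalUiRequiredException)
        {
            // Thrown when silent use of the OS account is not possible (for example the
            // session's account is not one the broker can use, or consent is needed).
            // Fall back to the interactive broker dialog, still hinting the OS account.
            return await app.AcquireTokenInteractive(scopes)
                .WithAccount(marker)
                .WithParentActivityOrWindow(hwnd)
                .ExecuteAsync();
        }
    }

    // The populated account lives on the result, not on the marker that was passed in.
    public static string SignedInUser(AuthenticationResult result) =>
        IsOsAccountMarker(result.Account) ? string.Empty : result.Account.Username;
}
```

Typical use from a WPF code-behind: `var result = await OsAccountSignIn.SignInAsWindowsUserAsync(_clientApp, new[] { "User.Read" }, hwnd);` followed by `OsAccountSignIn.SignedInUser(result)` to display who actually signed in.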