Additional methods to authenticate to Azure resources from .NET apps
This article lists additional methods apps may use to authenticate to Azure resources. The methods on this page are less commonly used; when possible, use one of the methods outlined in authenticating .NET apps to Azure using the Azure SDK overview.
Interactive browser authentication
This method interactively authenticates an application through InteractiveBrowserCredential by collecting user credentials in the default system.
Interactive browser authentication enables the application for all operations allowed by the interactive login credentials. As a result, if you're the owner or administrator of your subscription, your code has inherent access to most resources in that subscription without having to assign any specific permissions. For this reason, the use of interactive browser authentication is discouraged for anything but experimentation.
Enable applications for interactive browser authentication
Perform the following steps to enable the application to authenticate through the interactive browser flow. These steps also work for the device code authentication flow described later. This process is only necessary if you are using InteractiveBrowserCredential in your code.
In the Azure portal, navigate to Microsoft Entra ID and select App registrations on the left navigation.
Select the registration for your app, then select Authentication.
Under Advanced settings, select Yes for Allow public client flows.
Select Save to apply the changes.
To authorize the application for specific resources, navigate to the resource in question, select API Permissions, and enable Microsoft Graph and other resources you want to access. Microsoft Graph is usually enabled by default.
Important
You must also be the admin of your tenant to grant consent to your application when you sign in for the first time.
Example using InteractiveBrowserCredential
The following example demonstrates using an InteractiveBrowserCredential to authenticate with the BlobServiceClient:
using Azure.Identity;
using Azure.Storage.Blobs;
namespace InteractiveBrokeredAuthSample
{
public partial class InteractiveBrowserAuth : Form
{
public InteractiveBrowserAuth()
{
InitializeComponent();
}
private void testInteractiveBrowserAuth_Click(object sender, EventArgs e)
{
var client = new BlobServiceClient(
new Uri("https://<storage-account-name>.blob.core.windows.net"),
new InteractiveBrowserCredential());
foreach (var blobItem in client.GetBlobContainers())
{
Console.WriteLine(blobItem.Name);
}
}
}
}
For more exact control, such as setting redirect URIs, you can supply specific arguments to InteractiveBrowserCredential such as redirect_uri.
Interactive brokered authentication
This method interactively authenticates an application through InteractiveBrowserCredential by collecting user credentials using the system authentication broker. A system authentication broker is an app running on a user's machine that manages the authentication handshakes and token maintenance for all connected accounts. Currently, only the Windows authentication broker, Web Account Manager (WAM), is supported. Users on macOS and Linux will be authenticated through the non-brokered interactive browser flow.
WAM enables identity providers such as Microsoft Entra ID to natively plug into the OS and provide the service to other apps to provide a more secure login process. WAM offers the following benefits:
- Feature support: Apps can access OS-level and service-level capabilities, including Windows Hello, conditional access policies, and FIDO keys.
- Streamlined single sign-on: Apps can use the built-in account picker, allowing the user to select an existing account instead of repeatedly entering the same credentials.
- Enhanced security: Bug fixes and enhancements ship with Windows.
- Token protection: Refresh tokens are device-bound, and apps can acquire device-bound access tokens.
Interactive brokered authentication enables the application for all operations allowed by the interactive login credentials. Personal Microsoft accounts and work or school accounts are supported. If a supported version of Windows is used, the default browser-based UI is replaced with a smoother authentication experience, similar to Windows built-in apps.
Enable applications for interactive brokered authentication
Perform the following steps to enable the application to authenticate through the interactive broker flow.
On the Azure portal, navigate to Microsoft Entra ID and select App registrations on the left-hand menu.
Select the registration for your app, then select Authentication.
Add the WAM redirect URI to your app registration via a platform configuration:
Under Platform configurations, select + Add a platform.
Under Configure platforms, select the tile for your application type (platform) to configure its settings, such as mobile and desktop applications.
In Custom redirect URIs, enter the following WAM redirect URI:
ms-appx-web://microsoft.aad.brokerplugin/{client_id}The
{client_id}placeholder must be replaced with the Application (client) ID listed on the Overview pane of the app registration.Select Configure.
To learn more, see Add a redirect URI to an app registration.
Back on the Authentication pane, under Advanced settings, select Yes for Allow public client flows.
Select Save to apply the changes.
To authorize the application for specific resources, navigate to the resource in question, select API Permissions, and enable Microsoft Graph and other resources you want to access. Microsoft Graph is usually enabled by default.
Important
You must also be the admin of your tenant to grant consent to your application when you sign in for the first time.
Example using InteractiveBrowserCredential
The following example demonstrates using an InteractiveBrowserCredential in a Windows Forms app to authenticate with the BlobServiceClient:
using Azure.Identity;
using Azure.Identity.Broker;
using Azure.Storage.Blobs;
namespace InteractiveBrokeredAuthSample
{
public partial class InteractiveBrokeredAuth : Form
{
public InteractiveBrokeredAuth()
{
InitializeComponent();
}
private void testInteractiveBrokeredAuth_Click(object sender, EventArgs e)
{
// Get the handle of the current window
IntPtr windowHandle = this.Handle;
var credential = new InteractiveBrowserCredential(
new InteractiveBrowserCredentialBrokerOptions(windowHandle));
// To authenticate and authorize with an Entra ID app registration, substitute the
// <app_id> and <tenant_id> placeholders with the values for your app and tenant.
// var credential = new InteractiveBrowserCredential(
// new InteractiveBrowserCredentialBrokerOptions(windowHandle)
// {
// TenantId = "your-tenant-id",
// ClientId = "your-client-id"
// }
// );
var client = new BlobServiceClient(
new Uri("https://<storage-account-name>.blob.core.windows.net/"),
credential
);
// Prompt for credentials appears on first use of the client
foreach (var container in client.GetBlobContainers())
{
Console.WriteLine(container.Name);
}
}
}
}
Note
Visit the Parent window handles and Retrieve a window handle articles for more information about retrieving window handles.
For the code to run successfully, your user account must be assigned an Azure role on the storage account that allows access to blob containers such as Storage Account Data Contributor. If an app is specified, it must have API permissions set for user_impersonation Access Azure Storage (step 6 in the previous section). This API permission allows the app to access Azure storage on behalf of the signed-in user after consent is granted during sign-in.
The following screenshot shows the user sign-in experience:
Authenticate the default system account via WAM
Many people always sign in to Windows with the same user account and, therefore, only ever want to authenticate using that account. WAM and InteractiveBrowserCredential also support a silent login process that automatically uses a default account so the user doesn't have to repeatedly select it.
The following example shows how to enable sign-in with the default system account:
using Azure.Identity;
using Azure.Identity.Broker;
using Azure.Storage.Blobs;
namespace InteractiveBrokeredAuthSample
{
public partial class SilentBrokeredAuth : Form
{
public SilentBrokeredAuth()
{
InitializeComponent();
}
private void testSilentBrokeredAuth_Click(object sender, EventArgs e)
{
// Get the handle of the current window
IntPtr windowHandle = this.Handle;
var credential = new InteractiveBrowserCredential(
new InteractiveBrowserCredentialBrokerOptions(windowHandle)
{
// Enable silent brokered authentication using the default account
UseDefaultBrokerAccount = true,
});
// To authenticate and authorize with an app, substitute the
// <app_id> and <tenant_id> placeholders with the values for your app and tenant.
// var credential = new InteractiveBrowserCredential(
// new InteractiveBrowserCredentialBrokerOptions(windowHandle)
// {
// TenantId = "your-tenant-id",
// ClientId = "your-client-id"
// }
// );
var client = new BlobServiceClient(
new Uri("https://<storage-account-name>.blob.core.windows.net/"),
credential
);
// Prompt for credentials appears on first use of the client
foreach (var container in client.GetBlobContainers())
{
Console.WriteLine(container.Name);
}
}
}
}
Once you opt in to this behavior, the credential attempts to sign in by asking the underlying Microsoft Authentication Library (MSAL) to perform the sign-in for the default system account. If the sign-in fails, the credential falls back to displaying the account picker dialog, from which the user can select the appropriate account.
Device code authentication
This method interactively authenticates a user on devices with limited UI (typically devices without a keyboard):
- When the application attempts to authenticate, the credential prompts the user with a URL and an authentication code.
- The user visits the URL on a separate browser-enabled device (a computer, smartphone, etc.) and enters the code.
- The user follows a normal authentication process in the browser.
- Upon successful authentication, the application is authenticated on the device.
For more information, see Microsoft identity platform and the OAuth 2.0 device authorization grant flow.
Device code authentication in a development environment enables the application for all operations allowed by the interactive login credentials. As a result, if you're the owner or administrator of your subscription, your code has inherent access to most resources in that subscription without having to assign any specific permissions. However, you can use this method with a specific client ID, rather than the default, for which you can assign specific permissions.
Username and password authentication
This method authenticates an application using previously collected credentials and the UsernamePasswordCredential object.
Important
This method of authentication is discouraged because it's less secure than other flows. Also, this method isn't interactive and is therefore incompatible with any form of multi-factor authentication or consent prompting. The application must already have consent from the user or a directory administrator.
Furthermore, this method authenticates only work and school accounts; Microsoft accounts aren't supported. For more information, see Sign up your organization to use Microsoft Entra ID.
using Azure.Identity;
using Azure.Storage.Blobs;
using Azure.Storage.Blobs.Models;
string clientId = Environment.GetEnvironmentVariable("AZURE_CLIENT_ID")!;
string tenantId = Environment.GetEnvironmentVariable("AZURE_TENANT_ID")!;
string username = Environment.GetEnvironmentVariable("AZURE_USERNAME")!;
string password = Environment.GetEnvironmentVariable("AZURE_PASSWORD")!;
BlobServiceClient client = new(
new Uri("https://<storage-account-name>.blob.core.windows.net"),
new UsernamePasswordCredential(username, password, tenantId, clientId));
foreach (BlobContainerItem blobItem in client.GetBlobContainers())
{
Console.WriteLine(blobItem.Name);
}
