Trying to access Azure Service with AD from Desktop C# application

devarae 1 Reputation point
2020-04-23T12:32:51.697+00:00

Hello!

We are developing an App Service that is set up with Authentication/Authorization turned on, and anonymous requests are set to "Login with Azure Active Directory" (Express, configured using an existing App). The application is built in Visual Studio and published to Azure.

The App Service uses AAD to login web users, and that all works as desired.
But the App Service also exposes an API (for example: https://appserviceurl/api/ControllerName/SampleAPICall ). We would like a different desktop application (C#) to be able to call that API via HttpWebRequest or similar.

We are currently attempting to use PublicClientApplicationBuilder, providing the clientid/tenantid/etc. for the AAD to gain an AccessToken.

        using Microsoft.Identity.Client;   // MSAL.NET (at the top of the file)
        using System.Linq;                 // for FirstOrDefault

        // clientId, tenantId, requestURIString, scopes and parent are set elsewhere in the app
        var app = PublicClientApplicationBuilder.Create(clientId)
            .WithTenantId(tenantId)
            .WithRedirectUri(requestURIString)
            .Build();

        // Try a cached account first; fall back to the interactive login dialog
        var accounts = await app.GetAccountsAsync();

        AuthenticationResult result;
        try
        {
            result = await app.AcquireTokenSilent(scopes, accounts.FirstOrDefault()).ExecuteAsync();
        }
        catch (MsalUiRequiredException)
        {
            result = await app.AcquireTokenInteractive(scopes)
                .WithParentActivityOrWindow(parent)
                .ExecuteAsync();
        }

We are then passing the resulting AccessToken to the HttpWebRequest:

        // The bearer token goes in the Authorization header: "Authorization: Bearer <token>"
        request.Headers.Add("Authorization", "Bearer " + result.AccessToken);

Running this, we get a popup dialog prompting the desktop user to log in to Microsoft, and the result returns with an AccessToken.

But when we attempt to send the request with the Bearer/Token, it returns a 401 error. We're not sure if there's some missing setup on the Azure AD side, or whether what we're trying here is actually possible. Any suggestions are welcome! Or if this question is addressed elsewhere please redirect us there.

Thanks in advance!

Microsoft Entra ID

1 answer

soumi-MSFT 11,696 Reputation points Microsoft Employee
    2020-04-23T12:56:45.97+00:00

    @devarae, the error 401 is Unauthorized. This error is returned by the API when a request is sent but the request doesn't contain proper permissions for the API to validate and authorize the access.

    In your case, the API that is exposed through AAD should have some permissions listed on it. Now when you are requesting a token from AAD, these permissions should be asked for from AAD, and AAD would issue an access token with these permissions listed in it, either under the scp parameter or the roles parameter [this depends on whether you are using delegated permissions (user permissions) or application permissions].

    Once you have the permissions listed in your token and then send the token as bearer to the API, the API would be able to provide you the access after validating and authorizing the permissions from the access token.

    Hope this helps.

    Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.
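A worked version of the flow the answer describes, as an added example that is not the poster's code or Microsoft's: the desktop client requests the API's own scope, inspects the token's aud/scp/roles claims before sending, and attaches the token as an Authorization header. It assumes the API registration exposes a delegated scope named "access_as_user" under an Application ID URI of the form api://<api-client-id>; the ids are placeholders, `InspectClaims` is a hypothetical helper, and HttpClient stands in for HttpWebRequest.

```csharp
// Added example, not the poster's code. Placeholders in <...>; scope name and api:// URI are assumptions.
using System;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.Identity.Client;
static class ApiCaller
{
    const string ClientId = "<desktop-app-client-id>";
    const string TenantId = "<tenant-id>";
    const string ApiClientId = "<api-app-client-id>";
    // Requesting the API's own scope is what makes AAD put an "scp" claim in the token.
    static readonly string[] Scopes = { $"api://{ApiClientId}/access_as_user" };
    // Decode the JWT payload (no signature check; a client-side sanity check only) and
    // return the claims the API will validate: aud must name the API, scp or roles must exist.
    public static (string Aud, string Scp, string Roles) InspectClaims(string jwt)
    {
        string payload = jwt.Split('.')[1].Replace('-', '+').Replace('_', '/');
        payload = payload.PadRight(payload.Length + (4 - payload.Length % 4) % 4, '=');
        using var doc = JsonDocument.Parse(Encoding.UTF8.GetString(Convert.FromBase64String(payload)));
        string Get(string name) => doc.RootElement.TryGetProperty(name, out var v) ? v.ToString() : "";
        return (Get("aud"), Get("scp"), Get("roles"));
    }
    public static async Task<string> CallApiAsync(string apiUrl, IntPtr parentWindow)
    {
        var app = PublicClientApplicationBuilder.Create(ClientId).WithTenantId(TenantId)
            .WithDefaultRedirectUri().Build();
        var account = (await app.GetAccountsAsync()).FirstOrDefault();
        AuthenticationResult result;
        try { result = await app.AcquireTokenSilent(Scopes, account).ExecuteAsync(); }
        catch (MsalUiRequiredException)
        {
            result = await app.AcquireTokenInteractive(Scopes)
                .WithParentActivityOrWindow(parentWindow).ExecuteAsync();
        }
        var (aud, scp, roles) = InspectClaims(result.AccessToken);
        if (!aud.Contains(ApiClientId) || (scp.Length == 0 && roles.Length == 0))
            throw new InvalidOperationException($"Token not meant for this API: aud={aud} scp={scp} roles={roles}");
        using var http = new HttpClient();
        // The HTTP header is "Authorization: Bearer <token>", not a header named "Bearer".
        http.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
        using var response = await http.GetAsync(apiUrl);
        response.EnsureSuccessStatusCode(); // a 401 here means the API rejected aud or scp/roles
        return await response.Content.ReadAsStringAsync();
    }
}
```

If the claim check throws, the token was issued for a different audience (for example only Microsoft Graph scopes were requested) or carries no scp/roles, which is the situation the answer describes and the usual cause of the 401.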