Quickstart: Acquire a token and call the Microsoft Graph API by using a console app's identity

In this quickstart, you download and run a code sample that demonstrates how a .NET Core console application can get an access token to call the Microsoft Graph API and display a list of users in the directory. The code sample also demonstrates how a job or a Windows service can run with an application identity, instead of a user's identity. The sample console application in this quickstart is also a daemon application, so it's a confidential client application.

The following diagram shows how the sample app works:

Diagram that shows how the sample app generated by this quickstart works.

Prerequisites

This quickstart requires .NET Core 3.1 SDK but will also work with .NET 5.0 SDK.

Register and download the app

You have two options to start building your application: automatic or manual configuration.

Automatic configuration

If you want to register and automatically configure your app and then download the code sample, follow these steps:

  1. Go to the Azure portal page for app registration.
  2. Enter a name for your application and select Register.
  3. Follow the instructions to download and automatically configure your new application in one click.

Manual configuration

If you want to manually configure your application and code sample, use the following procedures.

Step 1: Register your application

To register your application and add the app's registration information to your solution manually, follow these steps:

  1. Sign in to the Azure portal.
  2. If you have access to multiple tenants, use the Directories + subscriptions filter in the top menu to switch to the tenant in which you want to register the application.
  3. Search for and select Azure Active Directory.
  4. Under Manage, select App registrations > New registration.
  5. For Name, enter a name for your application. For example, enter Daemon-console. Users of your app will see this name, and you can change it later.
  6. Select Register to create the application.
  7. Under Manage, select Certificates & secrets.
  8. Under Client secrets, select New client secret, enter a name, and then select Add. Record the secret value in a safe location for use in a later step.
  9. Under Manage, select API Permissions > Add a permission. Select Microsoft Graph.
  10. Select Application permissions.
  11. Under the User node, select User.Read.All, and then select Add permissions.

Step 2: Download your Visual Studio project

Download the Visual Studio project

You can run the provided project in either Visual Studio or Visual Studio for Mac.

Tip

To avoid errors caused by path length limitations in Windows, we recommend extracting the archive or cloning the repository into a directory near the root of your drive.

Step 3: Configure your Visual Studio project

  1. Extract the .zip file to a local folder that's close to the root of the disk. For example, extract to C:\Azure-Samples.

    We recommend extracting the archive into a directory near the root of your drive to avoid errors caused by path length limitations on Windows.

  2. Open the solution in Visual Studio: 1-Call-MSGraph\daemon-console.sln (optional).

  3. In appsettings.json, replace the values of Tenant, ClientId, and ClientSecret:

    "Tenant": "Enter_the_Tenant_Id_Here",
    "ClientId": "Enter_the_Application_Id_Here",
    "ClientSecret": "Enter_the_Client_Secret_Here"
    

    In that code:

    • Enter_the_Application_Id_Here is the application (client) ID for the application that you registered. To find the values for the application (client) ID and the directory (tenant) ID, go to the app's Overview page in the Azure portal.
    • Replace Enter_the_Tenant_Id_Here with the tenant ID or tenant name (for example, contoso.microsoft.com).
    • Replace Enter_the_Client_Secret_Here with the client secret that you created in step 1. To generate a new key, go to the Certificates & secrets page.

If you try to run the application at this point, you'll receive an HTTP 403 - Forbidden error: "Insufficient privileges to complete the operation." This error happens because any app-only permission requires a global administrator of your directory to give consent to your application. Select one of the following options, depending on your role.

Global tenant administrator

If you're a global tenant administrator, go to Enterprise applications in the Azure portal. Select your app registration, and select Permissions from the Security section of the left pane. Then select the large button labeled Grant admin consent for {Tenant Name} (where {Tenant Name} is the name of your directory).

Standard user

If you're a standard user of your tenant, ask a global administrator to grant admin consent for your application. To do this, give the following URL to your administrator:

https://login.microsoftonline.com/Enter_the_Tenant_Id_Here/adminconsent?client_id=Enter_the_Application_Id_Here

In that URL:

  • Replace Enter_the_Tenant_Id_Here with the tenant ID or tenant name (for example, contoso.microsoft.com).
  • Enter_the_Application_Id_Here is the application (client) ID for the application that you registered.

You might see the error "AADSTS50011: No reply address is registered for the application" after you grant consent to the app by using the preceding URL. This error happens because this application and the URL don't have a redirect URI. You can ignore it.

Step 5: Run the application

If you're using Visual Studio or Visual Studio for Mac, press F5 to run the application. Otherwise, run the application via command prompt, console, or terminal:

cd {ProjectFolder}\1-Call-MSGraph\daemon-console
dotnet run

In that code:

  • {ProjectFolder} is the folder where you extracted the .zip file. An example is C:\Azure-Samples\active-directory-dotnetcore-daemon-v2.

You should see a list of users in Azure Active Directory as result.

This quickstart application uses a client secret to identify itself as a confidential client. The client secret is added as a plain-text file to your project files. For security reasons, we recommend that you use a certificate instead of a client secret before considering the application as a production application. For more information on how to use a certificate, see these instructions in the GitHub repository for this sample.

More information

This section gives an overview of the code required to sign in users. This overview can be useful to understand how the code works, what the main arguments are, and how to add sign-in to an existing .NET Core console application.

MSAL.NET

Microsoft Authentication Library (MSAL, in the Microsoft.Identity.Client package) is the library that's used to sign in users and request tokens for accessing an API protected by the Microsoft identity platform. This quickstart requests tokens by using the application's own identity instead of delegated permissions. The authentication flow in this case is known as a client credentials OAuth flow. For more information on how to use MSAL.NET with a client credentials flow, see this article.

You can install MSAL.NET by running the following command in the Visual Studio Package Manager Console:

dotnet add package Microsoft.Identity.Client

MSAL initialization

You can add the reference for MSAL by adding the following code:

using Microsoft.Identity.Client;

Then, initialize MSAL by using the following code:

IConfidentialClientApplication app;
app = ConfidentialClientApplicationBuilder.Create(config.ClientId)
                                          .WithClientSecret(config.ClientSecret)
                                          .WithAuthority(new Uri(config.Authority))
                                          .Build();
Element Description
config.ClientSecret The client secret created for the application in the Azure portal.
config.ClientId The application (client) ID for the application registered in the Azure portal. You can find this value on the app's Overview page in the Azure portal.
config.Authority (Optional) The security token service (STS) endpoint for the user to authenticate. It's usually https://login.microsoftonline.com/{tenant} for the public cloud, where {tenant} is the name of your tenant or your tenant ID.

For more information, see the reference documentation for ConfidentialClientApplication.

Requesting tokens

To request a token by using the app's identity, use the AcquireTokenForClient method:

result = await app.AcquireTokenForClient(scopes)
                  .ExecuteAsync();
Element Description
scopes Contains the requested scopes. For confidential clients, this value should use a format similar to {Application ID URI}/.default. This format indicates that the requested scopes are the ones that are statically defined in the app object set in the Azure portal. For Microsoft Graph, {Application ID URI} points to https://graph.microsoft.com. For custom web APIs, {Application ID URI} is defined in the Azure portal, under Application Registration (Preview) > Expose an API.

For more information, see the reference documentation for AcquireTokenForClient.

Help and support

If you need help, want to report an issue, or want to learn about your support options, see Help and support for developers.

Next steps

To learn more about daemon applications, see the scenario overview:

In this quickstart, you download and run a code sample that demonstrates how a Python application can get an access token using the app's identity to call the Microsoft Graph API and display a list of users in the directory. The code sample demonstrates how an unattended job or Windows service can run with an application identity, instead of a user's identity.

Shows how the sample app generated by this quickstart works

Prerequisites

To run this sample, you need:

Register and download your quickstart app

Step 1: Register your application

To register your application and add the app's registration information to your solution manually, follow these steps:

  1. Sign in to the Azure portal.
  2. If you have access to multiple tenants, use the Directories + subscriptions filter in the top menu to switch to the tenant in which you want to register the application.
  3. Search for and select Azure Active Directory.
  4. Under Manage, select App registrations > New registration.
  5. Enter a Name for your application, for example Daemon-console. Users of your app might see this name, and you can change it later.
  6. Select Register.
  7. Under Manage, select Certificates & secrets.
  8. Under Client secrets, select New client secret, enter a name, and then select Add. Record the secret value in a safe location for use in a later step.
  9. Under Manage, select API Permissions > Add a permission. Select Microsoft Graph.
  10. Select Application permissions.
  11. Under User node, select User.Read.All, then select Add permissions.

Step 2: Download the Python project

Download the Python daemon project

Step 3: Configure the Python project

  1. Extract the zip file to a local folder close to the root of the disk, for example, C:\Azure-Samples.

  2. Navigate to the sub folder 1-Call-MsGraph-WithSecret.

  3. Edit parameters.json and replace the values of the fields authority, client_id, and secret with the following snippet:

    "authority": "https://login.microsoftonline.com/Enter_the_Tenant_Id_Here",
    "client_id": "Enter_the_Application_Id_Here",
    "secret": "Enter_the_Client_Secret_Here"
    

    Where:

    • Enter_the_Application_Id_Here - is the Application (client) ID for the application you registered.
    • Enter_the_Tenant_Id_Here - replace this value with the Tenant Id or Tenant name (for example, contoso.microsoft.com)
    • Enter_the_Client_Secret_Here - replace this value with the client secret created on step 1.

Tip

To find the values of Application (client) ID, Directory (tenant) ID, go to the app's Overview page in the Azure portal. To generate a new key, go to Certificates & secrets page.

If you try to run the application at this point, you'll receive HTTP 403 - Forbidden error: Insufficient privileges to complete the operation. This error happens because any app-only permission requires Admin consent: a global administrator of your directory must give consent to your application. Select one of the options below depending on your role:

Global tenant administrator

If you are a global tenant administrator, go to API Permissions page in App registrations in the Azure portal and select Grant admin consent for {Tenant Name} (Where {Tenant Name} is the name of your directory).

Standard user

If you're a standard user of your tenant, ask a global administrator to grant admin consent for your application. To do this, give the following URL to your administrator:

https://login.microsoftonline.com/Enter_the_Tenant_Id_Here/adminconsent?client_id=Enter_the_Application_Id_Here

Where:

  • Enter_the_Tenant_Id_Here - replace this value with the Tenant Id or Tenant name (for example, contoso.microsoft.com)
  • Enter_the_Application_Id_Here - is the Application (client) ID for the application you registered.

Step 5: Run the application

You'll need to install the dependencies of this sample once.

pip install -r requirements.txt

Then, run the application via command prompt or console:

python confidential_client_secret_sample.py parameters.json

You should see on the console output some Json fragment representing a list of users in your Azure AD directory.

Important

This quickstart application uses a client secret to identify itself as confidential client. Because the client secret is added as a plain-text to your project files, for security reasons, it is recommended that you use a certificate instead of a client secret before considering the application as production application. For more information on how to use a certificate, see these instructions in the same GitHub repository for this sample, but in the second folder 2-Call-MsGraph-WithCertificate.

More information

MSAL Python

MSAL Python is the library used to sign in users and request tokens used to access an API protected by Microsoft identity platform. As described, this quickstart requests tokens by using the application own identity instead of delegated permissions. The authentication flow used in this case is known as client credentials oauth flow. For more information on how to use MSAL Python with daemon apps, see this article.

You can install MSAL Python by running the following pip command.

pip install msal

MSAL initialization

You can add the reference for MSAL by adding the following code:

import msal

Then, initialize MSAL using the following code:

app = msal.ConfidentialClientApplication(
    config["client_id"], authority=config["authority"],
    client_credential=config["secret"])
Where: Description
config["secret"] Is the client secret created for the application in Azure portal.
config["client_id"] Is the Application (client) ID for the application registered in the Azure portal. You can find this value in the app's Overview page in the Azure portal.
config["authority"] The STS endpoint for user to authenticate. Usually https://login.microsoftonline.com/{tenant} for public cloud, where {tenant} is the name of your tenant or your tenant Id.

For more information, please see the reference documentation for ConfidentialClientApplication.

Requesting tokens

To request a token using app's identity, use AcquireTokenForClient method:

result = None
result = app.acquire_token_silent(config["scope"], account=None)

if not result:
    logging.info("No suitable token exists in cache. Let's get a new one from AAD.")
    result = app.acquire_token_for_client(scopes=config["scope"])
Where: Description
config["scope"] Contains the scopes requested. For confidential clients, this should use the format similar to {Application ID URI}/.default to indicate that the scopes being requested are the ones statically defined in the app object set in the Azure portal (for Microsoft Graph, {Application ID URI} points to https://graph.microsoft.com). For custom web APIs, {Application ID URI} is defined under the Expose an API section in App registrations in the Azure portal.

For more information, please see the reference documentation for AcquireTokenForClient.

Help and support

If you need help, want to report an issue, or want to learn about your support options, see Help and support for developers.

Next steps

To learn more about daemon applications, see the scenario landing page.

In this quickstart, you download and run a code sample that demonstrates how a Node.js console application can get an access token using the app's identity to call the Microsoft Graph API and display a list of users in the directory. The code sample demonstrates how an unattended job or Windows service can run with an application identity, instead of a user's identity.

This quickstart uses the Microsoft Authentication Library for Node.js (MSAL Node) with the client credentials grant.

Prerequisites

Register and download the sample application

Follow the steps below to get started.

Step 1: Register the application

To register your application and add the app's registration information to your solution manually, follow these steps:

  1. Sign in to the Azure portal.
  2. If you have access to multiple tenants, use the Directories + subscriptions filter in the top menu to switch to the tenant in which you want to register the application.
  3. Search for and select Azure Active Directory.
  4. Under Manage, select App registrations > New registration.
  5. Enter a Name for your application, for example msal-node-cli. Users of your app might see this name, and you can change it later.
  6. Select Register.
  7. Under Manage, select Certificates & secrets.
  8. Under Client secrets, select New client secret, enter a name, and then select Add. Record the secret value in a safe location for use in a later step.
  9. Under Manage, select API Permissions > Add a permission. Select Microsoft Graph.
  10. Select Application permissions.
  11. Under User node, select User.Read.All, then select Add permissions.

Step 2: Download the Node.js sample project

Download the code sample

Step 3: Configure the Node.js sample project

  1. Extract the zip file to a local folder close to the root of the disk, for example, C:/Azure-Samples.
  2. Edit .env and replace the values of the fields TENANT_ID, CLIENT_ID, and CLIENT_SECRET with the following snippet:
"TENANT_ID": "Enter_the_Tenant_Id_Here",
 "CLIENT_ID": "Enter_the_Application_Id_Here",
 "CLIENT_SECRET": "Enter_the_Client_Secret_Here"

Where:

  • Enter_the_Application_Id_Here - is the Application (client) ID of the application you registered earlier. Find this ID on the app registration's Overview pane in the Azure portal.
  • Enter_the_Tenant_Id_Here - replace this value with the Tenant ID or Tenant name (for example, contoso.microsoft.com). Find these values on the app registration's Overview pane in the Azure portal.
  • Enter_the_Client_Secret_Here - replace this value with the client secret you created earlier. To generate a new key, use Certificates & secrets in the app registration settings in the Azure portal.

Using a plaintext secret in the source code poses an increased security risk for your application. Although the sample in this quickstart uses a plaintext client secret, it's only for simplicity. We recommend using certificate credentials instead of client secrets in your confidential client applications, especially those apps you intend to deploy to production.

  1. Edit .env and replace the Azure AD and Microsoft Graph endpoints with the following values:
    • For the Azure AD endpoint, replace Enter_the_Cloud_Instance_Id_Here with https://login.microsoftonline.com.
    • For the Microsoft Graph endpoint, replace Enter_the_Graph_Endpoint_Here with https://graph.microsoft.com/.

If you try to run the application at this point, you'll receive HTTP 403 - Forbidden error: Insufficient privileges to complete the operation. This error happens because any app-only permission requires admin consent: a global administrator of your directory must give consent to your application. Select one of the options below depending on your role:

Global tenant administrator

If you're a global tenant administrator, go to API Permissions page in the Azure portal's Application Registration and select Grant admin consent for {Tenant Name} (where {Tenant Name} is the name of your directory).

Standard user

If you're a standard user of your tenant, then you need to ask a global administrator to grant admin consent for your application. To do this, give the following URL to your administrator:

https://login.microsoftonline.com/Enter_the_Tenant_Id_Here/adminconsent?client_id=Enter_the_Application_Id_Here

Where:

  • Enter_the_Tenant_Id_Here - replace this value with the Tenant Id or Tenant name (for example, contoso.microsoft.com)
  • Enter_the_Application_Id_Here - is the Application (client) ID for the application you registered.

Step 5: Run the application

Locate the sample's root folder (where package.json resides) in a command prompt or console. You'll need to install the dependencies your sample app requires before running it for the first time:

npm install

Then, run the application via command prompt or console:

node . --op getUsers

You should see on the console output some JSON fragment representing a list of users in your Azure AD directory.

About the code

Below, some of the important aspects of the sample application are discussed.

MSAL Node

MSAL Node is the library used to sign in users and request tokens used to access an API protected by Microsoft identity platform. As described, this quickstart requests tokens by application permissions (using the application's own identity) instead of delegated permissions. The authentication flow used in this case is known as OAuth 2.0 client credentials flow. For more information on how to use MSAL Node with daemon apps, see Scenario: Daemon application.

You can install MSAL Node by running the following npm command.

npm install @azure/msal-node --save

MSAL initialization

You can add the reference for MSAL by adding the following code:

const msal = require('@azure/msal-node');

Then, initialize MSAL using the following code:

const msalConfig = {
    auth: {
        clientId: "Enter_the_Application_Id_Here",
        authority: "https://login.microsoftonline.com/Enter_the_Tenant_Id_Here",
        clientSecret: "Enter_the_Client_Secret_Here",
   }
};
const cca = new msal.ConfidentialClientApplication(msalConfig);
Where: Description
clientId Is the Application (client) ID for the application registered in the Azure portal. You can find this value in the app's Overview page in the Azure portal.
authority The STS endpoint for user to authenticate. Usually https://login.microsoftonline.com/{tenant} for public cloud, where {tenant} is the name of your tenant or your tenant ID.
clientSecret Is the client secret created for the application in Azure portal.

For more information, please see the reference documentation for ConfidentialClientApplication

Requesting tokens

To request a token using app's identity, use acquireTokenByClientCredential method:

const tokenRequest = {
    scopes: [ 'https://graph.microsoft.com/.default' ],
};

const tokenResponse = await cca.acquireTokenByClientCredential(tokenRequest);
Where: Description
tokenRequest Contains the scopes requested. For confidential clients, this should use the format similar to {Application ID URI}/.default to indicate that the scopes being requested are the ones statically defined in the app object set in the Azure portal (for Microsoft Graph, {Application ID URI} points to https://graph.microsoft.com). For custom web APIs, {Application ID URI} is defined under Expose an API section in Azure portal's Application Registration.
tokenResponse The response contains an access token for the scopes requested.

Help and support

If you need help, want to report an issue, or want to learn about your support options, see Help and support for developers.

Next steps

To learn more about daemon/console app development with MSAL Node, see the tutorial:

In this quickstart, you download and run a code sample that demonstrates how a Java application can get an access token using the app's identity to call the Microsoft Graph API and display a list of users in the directory. The code sample demonstrates how an unattended job or Windows service can run with an application identity, instead of a user's identity.

Shows how the sample app generated by this quickstart works

Prerequisites

To run this sample, you need:

Register and download your quickstart app

You have two options to start your quickstart application: Express (Option 1 below), and Manual (Option 2)

Option 1: Register and auto configure your app and then download your code sample

  1. Go to the Azure portal - App registrations quickstart experience.
  2. Enter a name for your application and select Register.
  3. Follow the instructions to download and automatically configure your new application with just one click.

Option 2: Register and manually configure your application and code sample

Step 1: Register your application

To register your application and add the app's registration information to your solution manually, follow these steps:

  1. Sign in to the Azure portal.
  2. If you have access to multiple tenants, use the Directories + subscriptions filter in the top menu to switch to the tenant in which you want to register the application.
  3. Search for and select Azure Active Directory.
  4. Under Manage, select App registrations > New registration.
  5. Enter a Name for your application, for example Daemon-console. Users of your app might see this name, and you can change it later.
  6. Select Register.
  7. Under Manage, select Certificates & secrets.
  8. Under Client secrets, select New client secret, enter a name, and then select Add. Record the secret value in a safe location for use in a later step.
  9. Under Manage, select API Permissions > Add a permission. Select Microsoft Graph.
  10. Select Application permissions.
  11. Under User node, select User.Read.All, then select Add permissions.

Step 2: Download the Java project

Download the Java daemon project

Step 3: Configure the Java project

  1. Extract the zip file to a local folder close to the root of the disk, for example, C:\Azure-Samples.
  2. Navigate to the sub folder msal-client-credential-secret.
  3. Edit src\main\resources\application.properties and replace the values of the fields AUTHORITY, CLIENT_ID, and SECRET with the following snippet:
  AUTHORITY=https://login.microsoftonline.com/Enter_the_Tenant_Id_Here/
  CLIENT_ID=Enter_the_Application_Id_Here
  SECRET=Enter_the_Client_Secret_Here

Where:

  • Enter_the_Application_Id_Here - is the Application (client) ID for the application you registered.
  • Enter_the_Tenant_Id_Here - replace this value with the Tenant Id or Tenant name (for example, contoso.microsoft.com).
  • Enter_the_Client_Secret_Here - replace this value with the client secret created on step 1.

Tip

To find the values of Application (client) ID, Directory (tenant) ID, go to the app's Overview page in the Azure portal. To generate a new key, go to Certificates & secrets page.

If you try to run the application at this point, you'll receive HTTP 403 - Forbidden error: Insufficient privileges to complete the operation. This error happens because any app-only permission requires Admin consent: a global administrator of your directory must give consent to your application. Select one of the options below depending on your role:

Global tenant administrator

If you are a global tenant administrator, go to API Permissions page in App registrations in the Azure portal and select Grant admin consent for {Tenant Name} (Where {Tenant Name} is the name of your directory).

Standard user

If you're a standard user of your tenant, then you need to ask a global administrator to grant admin consent for your application. To do this, give the following URL to your administrator:

https://login.microsoftonline.com/Enter_the_Tenant_Id_Here/adminconsent?client_id=Enter_the_Application_Id_Here

Where:

  • Enter_the_Tenant_Id_Here - replace this value with the Tenant Id or Tenant name (for example, contoso.microsoft.com)
  • Enter_the_Application_Id_Here - is the Application (client) ID for the application you registered.

Step 5: Run the application

You can test the sample directly by running the main method of ClientCredentialGrant.java from your IDE.

From your shell or command line:

$ mvn clean compile assembly:single

This will generate a msal-client-credential-secret-1.0.0.jar file in your /targets directory. Run this using your Java executable like below:

$ java -jar msal-client-credential-secret-1.0.0.jar

After running, the application should display the list of users in the configured tenant.

Important

This quickstart application uses a client secret to identify itself as confidential client. Because the client secret is added as a plain-text to your project files, for security reasons, it is recommended that you use a certificate instead of a client secret before considering the application as production application. For more information on how to use a certificate, see these instructions in the same GitHub repository for this sample, but in the second folder msal-client-credential-certificate.

More information

MSAL Java

MSAL Java is the library used to sign in users and request tokens used to access an API protected by Microsoft identity platform. As described, this quickstart requests tokens by using the application own identity instead of delegated permissions. The authentication flow used in this case is known as client credentials oauth flow. For more information on how to use MSAL Java with daemon apps, see this article.

Add MSAL4J to your application by using Maven or Gradle to manage your dependencies by making the following changes to the application's pom.xml (Maven) or build.gradle (Gradle) file.

In pom.xml:

<dependency>
    <groupId>com.microsoft.azure</groupId>
    <artifactId>msal4j</artifactId>
    <version>1.0.0</version>
</dependency>

In build.gradle:

compile group: 'com.microsoft.azure', name: 'msal4j', version: '1.0.0'

MSAL initialization

Add a reference to MSAL for Java by adding the following code to the top of the file where you will be using MSAL4J:

import com.microsoft.aad.msal4j.*;

Then, initialize MSAL using the following code:

IClientCredential credential = ClientCredentialFactory.createFromSecret(CLIENT_SECRET);

ConfidentialClientApplication cca =
        ConfidentialClientApplication
                .builder(CLIENT_ID, credential)
                .authority(AUTHORITY)
                .build();
Where: Description
CLIENT_SECRET Is the client secret created for the application in Azure portal.
CLIENT_ID Is the Application (client) ID for the application registered in the Azure portal. You can find this value in the app's Overview page in the Azure portal.
AUTHORITY The STS endpoint for user to authenticate. Usually https://login.microsoftonline.com/{tenant} for public cloud, where {tenant} is the name of your tenant or your tenant Id.

Requesting tokens

To request a token using app's identity, use acquireToken method:

IAuthenticationResult result;
     try {
         SilentParameters silentParameters =
                 SilentParameters
                         .builder(SCOPE)
                         .build();

         // try to acquire token silently. This call will fail since the token cache does not
         // have a token for the application you are requesting an access token for
         result = cca.acquireTokenSilently(silentParameters).join();
     } catch (Exception ex) {
         if (ex.getCause() instanceof MsalException) {

             ClientCredentialParameters parameters =
                     ClientCredentialParameters
                             .builder(SCOPE)
                             .build();

             // Try to acquire a token. If successful, you should see
             // the token information printed out to console
             result = cca.acquireToken(parameters).join();
         } else {
             // Handle other exceptions accordingly
             throw ex;
         }
     }
     return result;
Where: Description
SCOPE Contains the scopes requested. For confidential clients, this should use the format similar to {Application ID URI}/.default to indicate that the scopes being requested are the ones statically defined in the app object set in the Azure portal (for Microsoft Graph, {Application ID URI} points to https://graph.microsoft.com). For custom web APIs, {Application ID URI} is defined under the Expose an API section in App registrations in the Azure portal.

Help and support

If you need help, want to report an issue, or want to learn about your support options, see Help and support for developers.

Next steps

To learn more about daemon applications, see the scenario landing page.