Quickstart: Get a token and call the Microsoft Graph API by using a console app's identity

The following quickstart uses a code sample to demonstrate how a .NET Core console application can get an access token to call the Microsoft Graph API and display a list of users in the directory. It also demonstrates how a job or a Windows service can run with an application identity, instead of a user's identity. The sample console application in this quickstart is a daemon application, which makes it a confidential client application.

Prerequisites

This quickstart requires the .NET Core 6.0 SDK.

Download and configure your quickstart app

Step 1: Configure your application in the Azure portal

For the code sample in this quickstart to work, create a client secret and add the Graph API's User.Read.All application permission.

Step 2: Download your Visual Studio project

Run the project by using Visual Studio 2022.

Tip

To avoid errors caused by path length limitations in Windows, we recommend extracting the archive or cloning the repository into a directory near the root of your drive.

Step 3: Admin consent

Running the application now results in an HTTP 403 - Forbidden error: "Insufficient privileges to complete the operation." This error occurs because any app-only permission requires a global administrator of the directory to give consent to the application. Select one of the following options, depending on the role.

Global tenant administrator

For a global tenant administrator, go to the API Permissions page and select Grant admin consent for Enter_the_Tenant_Name_Here.

Standard user

For a standard user of your tenant, ask a global administrator to grant admin consent to the application. To do this, provide the following URL to the administrator:

https://login.microsoftonline.com/Enter_the_Tenant_Id_Here/adminconsent?client_id=Enter_the_Application_Id_Here

The error AADSTS50011: No reply address is registered for the application may be displayed after you grant consent to the app by using the preceding URL. This error occurs because the application and the URL don't have a redirect URI. This can be ignored.

Step 4: Run the application

In Visual Studio, press F5 to run the application. Otherwise, run the application via command prompt, console, or terminal:

cd {ProjectFolder}\1-Call-MSGraph\daemon-console
dotnet run

In that code:

  • {ProjectFolder} is the folder where you extracted the .zip file. An example is C:\Azure-Samples\active-directory-dotnetcore-daemon-v2.

A list of users in Azure Active Directory should be displayed as a result.

This quickstart application uses a client secret to identify itself as a confidential client. The client secret is added as a plain-text file to the project files. For security reasons, it is recommended to use a certificate instead of a client secret before considering the application as a production application. For more information on how to use a certificate, see these instructions.

More information

This section gives an overview of the code required to sign in users. This overview can be useful to understand how the code works, what the main arguments are, and how to add sign-in to an existing .NET Core console application.

How the sample works

![Diagram that shows how the sample app generated by this quickstart works.](media/quickstart-v2-netcore-daemon/netcore-daemon-intro.svg)

MSAL.NET

Microsoft Authentication Library (MSAL, in the Microsoft.Identity.Client package) is the library that's used to sign in users and request tokens for accessing an API protected by the Microsoft identity platform. This quickstart requests tokens by using the application's own identity instead of delegated permissions. The authentication flow in this case is known as a client credentials OAuth flow. For more information on how to use MSAL.NET with a client credentials flow, see this article.

MSAL.NET can be installed by running the following command in the Visual Studio Package Manager Console:

dotnet add package Microsoft.Identity.Client

MSAL initialization

Add the reference for MSAL by adding the following code:

using Microsoft.Identity.Client;

Then, initialize MSAL with the following:

IConfidentialClientApplication app;
app = ConfidentialClientApplicationBuilder.Create(config.ClientId)
                                          .WithClientSecret(config.ClientSecret)
                                          .WithAuthority(new Uri(config.Authority))
                                          .Build();

| Element | Description |
|---|---|
| config.ClientSecret | The client secret created for the application in the Azure portal. |
| config.ClientId | The application (client) ID for the application registered in the Azure portal. This value can be found on the app's Overview page in the Azure portal. |
| config.Authority | (Optional) The security token service (STS) endpoint for the user to authenticate. It's usually https://login.microsoftonline.com/{tenant} for the public cloud, where {tenant} is the name of the tenant or the tenant ID. |

For more information, see the reference documentation for ConfidentialClientApplication.

Requesting tokens

To request a token by using the app's identity, use the AcquireTokenForClient method:

result = await app.AcquireTokenForClient(scopes)
                  .ExecuteAsync();

| Element | Description |
|---|---|
| scopes | Contains the requested scopes. For confidential clients, this value should use a format similar to {Application ID URI}/.default. This format indicates that the requested scopes are the ones that are statically defined in the app object set in the Azure portal. For Microsoft Graph, {Application ID URI} points to https://graph.microsoft.com. For custom web APIs, {Application ID URI} is defined in the Azure portal, under Application Registration (Preview) > Expose an API. |

For more information, see the reference documentation for AcquireTokenForClient.
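
The following is an added example, not code from the quickstart sample: it runs the same client credentials flow end to end but authenticates with a certificate, as recommended above for production, and handles the 403 returned when admin consent is missing. It assumes a certificate whose public key is uploaded to the app registration and whose private key is in the CurrentUser\My store; the thumbprint value and the class layout are placeholders chosen for illustration.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

class Program
{
    // Placeholders (assumptions): substitute the values from your own app registration.
    const string TenantId = "Enter_the_Tenant_Id_Here";
    const string ClientId = "Enter_the_Application_Id_Here";
    const string CertThumbprint = "<certificate-thumbprint>";
    static async Task Main()
    {
        // Load the certificate and private key from the user store, not a plain-text file.
        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        X509Certificate2 cert = store.Certificates
            .Find(X509FindType.FindByThumbprint, CertThumbprint, validOnly: false)
            .OfType<X509Certificate2>().FirstOrDefault()
            ?? throw new InvalidOperationException("Certificate not found in CurrentUser\\My.");

        IConfidentialClientApplication app = ConfidentialClientApplicationBuilder
            .Create(ClientId)
            .WithCertificate(cert)
            .WithAuthority(new Uri($"https://login.microsoftonline.com/{TenantId}"))
            .Build();

        // App-only requests use /.default: the permissions statically granted to the app.
        string[] scopes = { "https://graph.microsoft.com/.default" };
        AuthenticationResult result = await app.AcquireTokenForClient(scopes).ExecuteAsync();

        using var http = new HttpClient();
        http.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
        HttpResponseMessage response = await http.GetAsync("https://graph.microsoft.com/v1.0/users");
        if (response.StatusCode == HttpStatusCode.Forbidden)
        {
            // A token was issued, but admin consent for User.Read.All has not been granted.
            Console.Error.WriteLine("403 Forbidden: grant admin consent for User.Read.All.");
            return;
        }
        response.EnsureSuccessStatusCode();
        Console.WriteLine(await response.Content.ReadAsStringAsync());
    }
}
```

With a certificate credential, no secret value is stored in the project files; the private key stays in the certificate store and only a signed assertion is sent to the token endpoint.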

Help and support

If you need help, want to report an issue, or want to learn about your support options, see Help and support for developers.

Next steps

To learn more about daemon applications, see the scenario overview: