Desktop app that calls web APIs: Acquire a token using Device Code flow

If you're writing a command-line tool that doesn't have web controls, and you can't or don't want to use the previous flows, use the device code flow.

Device code flow

Interactive authentication with Microsoft Entra ID requires a web browser. For more information, see Usage of web browsers. To authenticate users on devices or operating systems that don't provide a web browser, device code flow lets the user use another device such as a computer or a mobile phone to sign in interactively. By using the device code flow, the application obtains tokens through a two-step process that's designed for these devices or operating systems. Examples of such applications are applications that run on iOT or command-line tools (CLI). The idea is that:

  1. Whenever user authentication is required, the app provides a code for the user. The user is asked to use another device, such as an internet-connected smartphone, to go to a URL, for instance, Then the user is prompted to enter the code. That done, the web page leads the user through a normal authentication experience, which includes consent prompts and multi-factor authentication, if necessary.

  2. Upon successful authentication, the command-line app receives the required tokens through a back channel and uses them to perform the web API calls it needs.

Use it

IPublicClientApplicationcontains a method named AcquireTokenWithDeviceCode.

 AcquireTokenWithDeviceCode(IEnumerable<string> scopes,
                            Func<DeviceCodeResult, Task> deviceCodeResultCallback)

This method takes as parameters:

  • The scopes to request an access token for.
  • A callback that receives the DeviceCodeResult.

The following sample code presents the synopsis of most current cases, with explanations of the kind of exceptions you can get and their mitigation. For a fully functional code sample, see active-directory-dotnetcore-devicecodeflow-v2 on GitHub.

private const string ClientId = "<client_guid>";
private const string Authority = "";
private readonly string[] scopes = new string[] { "" };

static async Task<AuthenticationResult> GetATokenForGraph()
    IPublicClientApplication pca = PublicClientApplicationBuilder

    var accounts = await pca.GetAccountsAsync();

    // All AcquireToken* methods store the tokens in the cache, so check the cache first
        return await pca.AcquireTokenSilent(scopes, accounts.FirstOrDefault())
    catch (MsalUiRequiredException ex)
        // No token found in the cache or Azure AD insists that a form interactive auth is required (e.g. the tenant admin turned on MFA)
        // If you want to provide a more complex user experience, check out ex.Classification

        return await AcquireByDeviceCodeAsync(pca);

private static async Task<AuthenticationResult> AcquireByDeviceCodeAsync(IPublicClientApplication pca)
        var result = await pca.AcquireTokenWithDeviceCode(scopes,
            deviceCodeResult =>
                    // This will print the message on the console which tells the user where to go sign-in using
                    // a separate browser and the code to enter once they sign in.
                    // The AcquireTokenWithDeviceCode() method will poll the server after firing this
                    // device code callback to look for the successful login of the user via that browser.
                    // This background polling (whose interval and timeout data is also provided as fields in the
                    // deviceCodeCallback class) will occur until:
                    // * The user has successfully logged in via browser and entered the proper code
                    // * The timeout specified by the server for the lifetime of this code (typically ~15 minutes) has been reached
                    // * The developing application calls the Cancel() method on a CancellationToken sent into the method.
                    //   If this occurs, an OperationCanceledException will be thrown (see catch below for more details).
                return Task.FromResult(0);

        return result;

    // TODO: handle or throw all these exceptions depending on your app
    catch (MsalServiceException ex)
        // Kind of errors you could have (in ex.Message)

        // AADSTS50059: No tenant-identifying information found in either the request or implied by any provided credentials.
        // Mitigation: as explained in the message from Azure AD, the authoriy needs to be tenanted. you have probably created
        // your public client application with the following authorities:
        // or

        // AADSTS90133: Device Code flow is not supported under /common or /consumers endpoint.
        // Mitigation: as explained in the message from Azure AD, the authority needs to be tenanted

        // AADSTS90002: Tenant <tenantId or domain you used in the authority> not found. This may happen if there are
        // no active subscriptions for the tenant. Check with your subscription administrator.
        // Mitigation: if you have an active subscription for the tenant this might be that you have a typo in the
        // tenantId (GUID) or tenant domain name.
    catch (OperationCanceledException ex)
        // If you use a CancellationToken, and call the Cancel() method on it, then this *may* be triggered
        // to indicate that the operation was cancelled.
        // See
        // for more detailed information on how C# supports cancellation in managed threads.
    catch (MsalClientException ex)
        // Possible cause - verification code expired before contacting the server
        // This exception will occur if the user does not manage to sign-in before a time out (15 mins) and the
        // call to `AcquireTokenWithDeviceCode` is not cancelled in between

Next steps

Move on to the next article in this scenario, Call a web API from the desktop app.