Microsoft Authentication Library for .NET
MSAL.NET (Microsoft.Identity.Client) is an authentication library that enables you to acquire tokens from Microsoft Entra ID to access protected web APIs (Microsoft APIs or applications registered with Microsoft Entra ID).
MSAL.NET is available on several .NET platforms (desktop, mobile, and web).
Supported platforms and application architectures
MSAL.NET supports different application topologies, including:
- Native clients (mobile or desktop applications) calling the Microsoft Graph API on behalf of a user.
- Daemons, services, or web clients (web apps or web APIs) calling the Microsoft Graph API on behalf of a user, or without a user.
For more information about the supported scenarios, see Scenarios.
MSAL.NET supports multiple platforms, including .NET, .NET Framework, and .NET MAUI.
Note
Not all authentication features are available on all platforms.
- Mobile platforms do not allow confidential client flows. They are not meant to function as a backend and cannot store secrets securely.
- On public clients (mobile and desktop) the default browser and redirect URIs are different from platform to platform, and broker availability varies (details in browser usage documentation).
Note
MSAL.NET versions 4.61.0 and above do not provide support for Universal Windows Platform, Xamarin Android, and Xamarin iOS. Read more about the deprecation in Announcing the Upcoming Deprecation of MSAL.NET for Xamarin and UWP.
Why use MSAL.NET?
MSAL.NET provides several ways of getting a token. Using MSAL.NET is easier than using generic OAuth libraries or writing calls against the protocol. MSAL.NET provides several out-of-the-box benefits that simplify the developer workflow:
- Maintains a token cache and refreshes tokens for you when they're close to expiry.
- Helps you specify which audience you want your application to sign in (your organization, several organizations, work, school, and Microsoft personal accounts, social identities with Microsoft Entra External ID, or users in sovereign and national clouds).
- Helps you set up the application through configuration files.
- Helps you troubleshoot the app by exposing actionable exceptions, logging, and telemetry.
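The following is an added example, not code from the MSAL.NET documentation or project. It shows the token cache behavior described above in a public client (desktop) app: try the cache first, and fall back to interactive sign-in only when MSAL reports that user interaction is required. The client ID, tenant ID, scope, and the `TokenDemo` class name are placeholders chosen for illustration.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class TokenDemo
{
    // Placeholders (assumptions): substitute your own app registration values.
    private const string ClientId = "00000000-0000-0000-0000-000000000000";
    private const string TenantId = "<your-tenant-id>";
    private static readonly string[] Scopes = { "User.Read" };

    public static async Task<AuthenticationResult> AcquireAsync(IPublicClientApplication app)
    {
        var accounts = await app.GetAccountsAsync();
        try
        {
            // Served from the token cache; MSAL refreshes the token when it is close to expiry.
            return await app.AcquireTokenSilent(Scopes, accounts.FirstOrDefault())
                            .ExecuteAsync();
        }
        catch (MsalUiRequiredException)
        {
            // No cached account, or the user must interact (consent, MFA, expired refresh token).
            return await app.AcquireTokenInteractive(Scopes).ExecuteAsync();
        }
    }

    public static async Task Main()
    {
        // Public client: no client secret or certificate is embedded in the app.
        IPublicClientApplication app = PublicClientApplicationBuilder
            .Create(ClientId)
            .WithAuthority(AzureCloudInstance.AzurePublic, TenantId)
            .WithDefaultRedirectUri()
            .Build();

        AuthenticationResult first = await AcquireAsync(app);   // interactive on first run
        AuthenticationResult second = await AcquireAsync(app);  // expected to come from the cache

        // Log metadata only; never write the access token itself to logs.
        Console.WriteLine($"Account: {second.Account.Username}");
        Console.WriteLine($"Expires: {second.ExpiresOn:u}");
        Console.WriteLine($"Second call source: {second.AuthenticationResultMetadata.TokenSource}");
    }
}
```

On desktop .NET the cache lives in memory unless you configure token cache serialization, so a new process starts with an empty cache.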
Getting started with MSAL.NET
- Learn about MSAL.NET usage scenarios.
- Register your app with Microsoft Entra ID.
- Learn about the types of client applications: public client and confidential client.
- Learn about acquiring tokens to access a protected API.
Considerations
MSAL.NET is used to acquire tokens. It's not used to protect a Web API. If you're interested in protecting a Web API with Microsoft Entra ID, check out:
- Microsoft Entra ID with ASP.NET Core. Examples showcase web apps that call a web API with MSAL.NET.
- active-directory-dotnet-native-aspnetcore-v2 shows how to call an ASP.NET Core Web API from a WPF application using Microsoft Entra ID.
- The IdentityModel extensions for .NET open source library provides middleware used by ASP.NET and ASP.NET Core to protect APIs.
Migration from Azure Active Directory Authentication Library (ADAL)
Microsoft Authentication Library (MSAL) for .NET is the supported library that can be used for authentication token acquisition. If you or your organization are using the Azure Active Directory Authentication Library (ADAL), you should migrate to MSAL. ADAL reached end-of-life on June 30, 2023.
Note
Although ADAL has been deprecated since June 30, 2023, applications depending on ADAL should not break, as the underlying endpoint will remain active. However, no new features or support will be offered for ADAL.
Releases
For previous releases, see Releases on GitHub.
For work-in-progress and future releases, see Milestones.
For more information on versioning, see Semantic versioning - API change management to understand changes in MSAL.NET public API.