Using authProvider with MS SDK for graph calls in C#

c# azure-active-directory microsoft-graph-api
gtrivedi picture gtrivedi · May 15, 2019 · Viewed 12.8k times · Source

I'm trying create a C# console application to connect to graph API and get a list of users from AzureAD from a tenant. I have registered the app and the admin has given me the following

  • Tenant Name and Tenant ID
  • Client ID (also sometimes called App Id)
  • Client Secret

Using the sdk the C# code I need to use looks like this (https://docs.microsoft.com/en-us/graph/api/user-list?view=graph-rest-1.0&tabs=cs):

GraphServiceClient graphClient = new GraphServiceClient( authProvider );

var users = await graphClient.Users
    .Request()
    .GetAsync();

However, the console application will run as a batch process so there will be no user interaction at all. So in order to provide the authProvider I followed this article on MS docs site: https://docs.microsoft.com/en-us/graph/sdks/choose-authentication-providers?tabs=CS

And I think for my purpose I need to go for the "Client Credential OAuth flow". The code which is shown on that URL. But here it is too.

IConfidentialClientApplication clientApplication = ClientCredentialProvider.CreateClientApplication(clientId, clientCredential);
ClientCredentialProvider authProvider = new ClientCredentialProvider(clientApplication);

The trouble is that Visual Studio does not recognise ClientCredentialProvider class. I'm not sure which assembly to import. I'm using the following usings in the top.

using Microsoft.Identity.Client;
using Microsoft.IdentityModel.Clients;
using Microsoft.IdentityModel;
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;

I'm not very experienced with GitHub repos and I'm using Visual Studio 2015. I would be interested in sample code; I have looked but cannot find any. MS have some lectures but they use another type of auth Provider which is authenticating interactively which is not what I'm looking for. I want obtain the token using the TenantId/ClientId and Client Secret.

Answer

Philippe Signoret picture Philippe Signoret · May 15, 2019

ClientCredentialProvider is part of the Microsoft.Graph.Auth package. You can read more about this package at https://github.com/microsoftgraph/msgraph-sdk-dotnet-auth

Note that this package is currently (as of 2019-05-15) in preview, so you may want to wait before using this in a production application.

Alternatively, the following example uses the Microsoft Authentication Library for .NET (MSAL) directly to set up the Microsoft Graph SDK using app-only authentication:

// The Azure AD tenant ID or a verified domain (e.g. contoso.onmicrosoft.com) 
var tenantId = "{tenant-id-or-domain-name}";

// The client ID of the app registered in Azure AD
var clientId = "{client-id}";

// *Never* include client secrets in source code!
var clientSecret = await GetClientSecretFromKeyVault(); // Or some other secure place.

// The app registration should be configured to require access to permissions
// sufficient for the Microsoft Graph API calls the app will be making, and
// those permissions should be granted by a tenant administrator.
var scopes = new string[] { "https://graph.microsoft.com/.default" };

// Configure the MSAL client as a confidential client
var confidentialClient = ConfidentialClientApplicationBuilder
    .Create(clientId)
    .WithAuthority($"https://login.microsoftonline.com/$tenantId/v2.0")
    .WithClientSecret(clientSecret)
    .Build();

// Build the Microsoft Graph client. As the authentication provider, set an async lambda
// which uses the MSAL client to obtain an app-only access token to Microsoft Graph,
// and inserts this access token in the Authorization header of each API request. 
GraphServiceClient graphServiceClient =
    new GraphServiceClient(new DelegateAuthenticationProvider(async (requestMessage) => {

            // Retrieve an access token for Microsoft Graph (gets a fresh token if needed).
            var authResult = await confidentialClient
                .AcquireTokenForClient(scopes)
                .ExecuteAsync();

            // Add the access token in the Authorization header of the API request.
            requestMessage.Headers.Authorization = 
                new AuthenticationHeaderValue("Bearer", authResult.AccessToken);
        })
    );

// Make a Microsoft Graph API query
var users = await graphServiceClient.Users.Request().GetAsync();

(Note that this example uses the latest version of the Microsoft.Identity.Client package. Earlier versions (before version 3) did not include ConfidentialClientApplicationBuilder.)

Related questions

IDX21323 OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocolValidatedIdToken.Paylocad.Nonce was not null

I'm attempting to authenticate for Azure AD and Graph for an Intranet (Based off Orchard CMS), this functions as expected on my local machine, however, when accessing what will be the production site (already set up with ssl on our …

Read More
How to validate Azure AD security token?

The following code gives me Azure AD security token, I need to validate that token is valid or not. How to achieve this? // Get OAuth token using client credentials string tenantName = "mytest.onmicrosoft.com"; string authString = "https://login.microsoftonline.com/" + …

Read More
Graph API - Insufficient privileges to complete the operation

When trying to access the Graph Service Client using I am receiving the error : Code: Authorization_RequestDenied Message: Insufficient privileges to complete the operation. After researching this error the most common solution was to set the permissions for the API. …

Read More