Microsoft Graph .NET Authentication Provider Library
The Microsoft Graph .NET authentication library provides a set of OAuth scenario-centric authentication providers that implement Microsoft.Graph.IAuthenticationProvider and use the Microsoft Authentication Library (MSAL) under the hood to handle access token acquisition and storage. It also exposes BaseRequest extension methods that set per-request authentication options for the providers.
Get started with the Microsoft Graph .NET Authentication Provider Library by integrating the Microsoft Graph API into your .NET application.
The Microsoft Graph .NET Authentication Provider Library targets .NET Standard 1.3 and depends on Microsoft.Identity.Client 2.7.1.
Installation via NuGet
To install the authentication provider library via NuGet:
- Search for Microsoft.Graph.Auth in NuGet, or
- Type Install-Package Microsoft.Graph.Auth into the Package Manager Console.
1. Register your application
Register your application to use the Microsoft Graph API using one of the following supported authentication portals:
- Microsoft Application Registration Portal: Register a new application that works with Microsoft Account and/or organizational accounts using the unified V2 Authentication Endpoint.
- Microsoft Azure Active Directory: Register a new application in your tenant's Active Directory to support work or school users for your tenant or multiple tenants.
2. Create IAuthenticationProvider object
2.1. Confidential Client Providers
Confidential client providers are used by applications that can securely store an application's secret and call Microsoft Graph in the name of a user, or without a user. They are broadly classified as:
- Web Clients (Web Apps/ Web APIs).
a. Authorization code provider
The authorization code provider is used by web apps (ASP.NET and ASP.NET Core) to acquire a Microsoft Graph access token in the name of a user. It uses MSAL's Authorization Code flow to authenticate Microsoft Graph requests.
    IConfidentialClientApplication clientApplication = AuthorizationCodeProvider.CreateClientApplication(clientId, redirectUri, clientCredential);
    AuthorizationCodeProvider authenticationProvider = new AuthorizationCodeProvider(clientApplication, scopes);
b. Client credential provider
The client credential provider is used by services and desktop applications to acquire a Microsoft Graph access token without a user. The app should have previously registered a secret (app password or certificate) with Azure AD during the application registration. This provider leverages MSAL's Client Credential Flows to authenticate Microsoft Graph requests.
    IConfidentialClientApplication clientApplication = ClientCredentialProvider.CreateClientApplication(clientId, clientCredential);
    ClientCredentialProvider authenticationProvider = new ClientCredentialProvider(clientApplication);
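For the certificate option mentioned above, the following added example (not code from this library's repository) loads the app certificate from the CurrentUser\My store, checks that it can actually sign, and hands it to the client credential provider. The class and method names, the thumbprint lookup, and the Microsoft.Graph.Auth namespace are assumptions; ClientCredential and ClientAssertionCertificate are the MSAL 2.x credential types.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Graph;
using Microsoft.Graph.Auth;      // assumed to match the NuGet package name
using Microsoft.Identity.Client;

public static class GraphAppOnlyClient   // hypothetical helper, not part of the library
{
    // Finds the app certificate by thumbprint and rejects it if it is missing,
    // has no private key to sign with, or is outside its validity period.
    public static X509Certificate2 LoadSigningCertificate(string thumbprint)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadOnly);
            // validOnly: false, because self-signed app certificates do not
            // chain to a trusted root and would otherwise be filtered out.
            X509Certificate2Collection matches =
                store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (matches.Count == 0)
                throw new InvalidOperationException("Certificate not found in CurrentUser\\My.");

            X509Certificate2 cert = matches[0];
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException("Certificate has no private key.");
            // NotBefore and NotAfter are reported in local time.
            if (DateTime.Now < cert.NotBefore || DateTime.Now > cert.NotAfter)
                throw new InvalidOperationException("Certificate is outside its validity period.");
            return cert;
        }
    }

    public static GraphServiceClient Create(string clientId, string thumbprint)
    {
        X509Certificate2 cert = LoadSigningCertificate(thumbprint);
        // The certificate signs a client assertion, so no shared secret
        // has to be stored in configuration or source control.
        var clientCredential = new ClientCredential(new ClientAssertionCertificate(cert));

        // Same two calls as in the client credential provider snippet above.
        IConfidentialClientApplication clientApplication =
            ClientCredentialProvider.CreateClientApplication(clientId, clientCredential);
        var authenticationProvider = new ClientCredentialProvider(clientApplication);
        return new GraphServiceClient(authenticationProvider);
    }
}
```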
c. On behalf of provider
As the name suggests, the on-behalf-of provider is used by services or daemons to acquire a Microsoft Graph access token on behalf of a user by passing a UserAssertion. This provider uses MSAL's On Behalf Of flow to authenticate Microsoft Graph requests.
    IConfidentialClientApplication clientApplication = OnBehalfOfProvider.CreateClientApplication(clientId, redirectUri, clientCredential);
    OnBehalfOfProvider authenticationProvider = new OnBehalfOfProvider(clientApplication, scopes);
2.2. Public Client Providers
These providers are used by native client applications (mobile/desktop applications) that can't securely store an application's secret and that call Microsoft Graph in the name of a user.
a. Device code provider
The device code provider is used by desktop apps that run on devices without browsers to call Microsoft Graph in the name of a user. This provider leverages MSAL's Device Code Flow to authenticate Microsoft Graph requests.
    IPublicClientApplication clientApplication = DeviceCodeProvider.CreateClientApplication(clientId);
    DeviceCodeProvider authenticationProvider = new DeviceCodeProvider(clientApplication, scopes);
b. Integrated Windows authentication provider
This provider is used by Windows-hosted .NET applications running on computers joined to Azure AD to acquire a token silently. This provider leverages MSAL's Integrated Windows Authentication to authenticate Microsoft Graph requests.
    IPublicClientApplication clientApplication = IntegratedWindowsAuthenticationProvider.CreateClientApplication(clientId);
    IntegratedWindowsAuthenticationProvider authenticationProvider = new IntegratedWindowsAuthenticationProvider(clientApplication, scopes);
c. Interactive authentication provider
The interactive authentication provider is used by mobile applications (Xamarin and UWP) and desktop applications to call Microsoft Graph in the name of a user. Refer to MSAL's Interactive Authentication documentation for how to configure the provider for your platform of choice, since each platform has its own specifics.
    IPublicClientApplication clientApplication = InteractiveAuthenticationProvider.CreateClientApplication(clientId);
    InteractiveAuthenticationProvider authenticationProvider = new InteractiveAuthenticationProvider(clientApplication, scopes);
d. Username password provider
This provider is used by desktop applications to acquire a Microsoft Graph access token by leveraging MSAL's Username Password flow with the provided username (email) and password.
    IPublicClientApplication clientApplication = UsernamePasswordProvider.CreateClientApplication(clientId);
    UsernamePasswordProvider authenticationProvider = new UsernamePasswordProvider(clientApplication, scopes);
3. Initialize Microsoft Graph service client with an authentication provider
    GraphServiceClient graphServiceClient = new GraphServiceClient(authenticationProvider);
4. Make request to Microsoft Graph
Once the GraphServiceClient has been initialized with an authentication provider, you can make calls against the Microsoft Graph service. The requests should follow the Microsoft Graph REST API syntax. For example, to retrieve a user's default drive:
    GraphServiceClient graphServiceClient = new GraphServiceClient(authenticationProvider);
    var drive = await graphServiceClient.Me.Drive.Request().GetAsync();
1. Client credential provider
    // Create client application (same call as in section 2.1.b; no redirect URI is needed without a user).
    IConfidentialClientApplication clientApplication = ClientCredentialProvider.CreateClientApplication(clientId, clientCredential);
    // Create authentication provider.
    ClientCredentialProvider authenticationProvider = new ClientCredentialProvider(clientApplication);
    // Configure GraphServiceClient with provider.
    GraphServiceClient graphServiceClient = new GraphServiceClient(authenticationProvider);
    // Make a request, forcing a token refresh for this call only.
    // App-only tokens have no signed-in user, so query /users rather than /me.
    var users = await graphServiceClient.Users.Request().WithForceRefresh(true).GetAsync();
- MSAL.NET authentication scenarios.
- For documentation on provider arguments, refer to the MSAL documentation.
To view or log MSAL.NET issues, see issues. This project has adopted the Microsoft Open Source Code of Conduct. For more information, see the Code of Conduct FAQ or contact firstname.lastname@example.org with any additional questions or comments.
To view or log Microsoft Graph Authentication library issues, see issues.
- NuGet Package: https://www.nuget.org/packages/Microsoft.Graph.Auth