The Microsoft Authentication Library (MSAL) is great for getting tokens, but it does not provide a way to use managed identities in your Confidential Client applications.
This library provides extensions on top of the ConfidentialClientApplicationBuilder to allow using managed identities instead of client secrets or certificates.
You can install the package via NuGet:
dotnet add package Svrooij.Identity.Client.ExtensionsYou can use the WithTokenCredential extension method to configure your ConfidentialClientApplication to use a managed identity.
using Azure.Identity;
using Microsoft.Identity.Client;
using Svrooij.Identity.Client.Extensions;
var tokenCredential = new ManagedIdentityCredential();
var app = ConfidentialClientApplicationBuilder
.Create("your-client-id")
.WithTenantId("your-tenant-id")
.WithTokenCredential(tokenCredential) // Add this instead of WithClientSecret or WithCertificate
.Build();
// Use client credentials flow to get a token
var result = await app.AcquireTokenForClient(new[] { "https://graph.microsoft.com/.default" }).ExecuteAsync();
// Use on-behalf-of flow to get a token
var userAssertion = new UserAssertion("user-access-token");
var oboResult = await app.AcquireTokenOnBehalfOf(new[] { "https://graph.microsoft.com/user.read" }, userAssertion).ExecuteAsync();The code for this method is rather simple, but is seems like nobody is using this approach yet. I don't care much about if you use this library or copy this one method into your own codebase, as long as you stop using client secrets in your applications.