Can We Use SPN identity for creating MSAL token? in C# Don't want use Token
I have tried to create MSAL token for my demon application. I have tried blow code
IManagedIdentityApplication mi = ManagedIdentityApplicationBuilder.Create(ManagedIdentityId.WithUserAssignedClientId("myspnid"))
.Build();
AuthenticationResult result = await mi.AcquireTokenForManagedIdentity("https://graph.microsoft.com/.default")
.ExecuteAsync()
.ConfigureAwait(false);
_logger.LogInformation("C# HTTP trigger function processed a request."+ result.AccessToken);
return new OkObjectResult("Welcome to Azure Functions! token" + result.AccessToken);
}
catch (Exception ex)
{
return new OkObjectResult("Welcome to Azure Functions! error"+ex.Message);
_logger.LogInformation("C# HTTP trigger function processed a request." +ex.Message);
}
I don't want to use secrets. Cos I already have created app I have SPN service principle ID.
can any one have idea on this?
I m adding more details for more clarity
I m using this client id and added full permission for for graph Error is "No User Assigned or Delegated Managed Identity found for specified ClientId/ResourceId/PrincipalId."
To use SPN identity for creating MSAL token/Access token, check the below:
For sample, I used the below PowerShell script to assign permissions to the managed identity:
Connect-AzureAD
$TenantID="TenantID"
$GraphAppId = "00000003-0000-0000-c000-000000000000"
$NameOfMSI="ruktestMI"
$PermissionName = "User.Read.All"
$MSI = (Get-AzureADServicePrincipal -Filter "displayName eq '$NameOfMSI'")
Start-Sleep -Seconds 10
$GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'"
$AppRole = $GraphServicePrincipal.AppRoles |
Where-Object {$_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains "Application"}
New-AzureAdServiceAppRoleAssignment -ObjectId $MSI.ObjectId -PrincipalId $MSI.ObjectId -ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole.Id
Now to generate token, you can make use of below code as a workaround:
using System;
using Azure.Identity;
using Azure.Core;
class Program
{
static async Task Main(string[] args)
{
string clientId = "XXXX"; // The Client ID of the user assigned identity
AccessToken token = await new DefaultAzureCredential(
new DefaultAzureCredentialOptions
{
ManagedIdentityClientId = clientId
})
.GetTokenAsync(
new TokenRequestContext(
new[] { "https://graph.microsoft.com/.default" }
));
Console.WriteLine(token.Token);
}
}
By using the above access token, you can call Microsoft Graph API
Note that: Either make use of Managed identity or interactive flow ( without passing the client secret). OR make use of ROPC flow which is non interactive and doesnt need client Secret to generate token. Using SPN identity and without client secret and non interactively it is not possible to generate token.
Reference:
Options for obtaining an access token with Azure application to application authentication by Anoop
- Flutter MSAL_js-based (B2C) Authentication fails
- Caching User Single Sign On using Distributed Cache
- How to redirect back to Azure AD B2C defining which custom policy to use based on the username given
- Access token not working Azure AD custom policy
- MSAL login getting stuck in .NET MAUI app
- Sign-up User Flow with Azure B2C and Microsoft.Identity.Web
- Azure AD B2C Password Reset
- Reset password MS Entra
- How to set redirect URLs to b2clogin.com for Azure Active Directory B2C in React JS application
- "AADSTS900144: The request body must contain the following parameter: 'grant_type'.?
- Retrieving tokens from aad_b2c_webview
- MissingPluginException When Using aad_oauth for Microsoft Multi-Factor Authentication in Flutter
- How to check user exists in AD B2C, using custom policy?
- I am trying to update an existing user i made through graph api in my code, but i get a 403 error back from azure graph api
- Use managed identity of the web app to manage b2c using graph api
- Azure AD B2C error AADB2C90057 when I am NOT trying to use the implicit flow
- no email in claim when logging on via Entra ID
- Azure B2C App Always Redirects to <domain>/MicrosoftIdentity/Account/Error
- How to Implement Direct Username and Password Login with Azure AD B2C in Flutter without Using Microsoft's UI?
- How to properly restrict access to an azur eweb application?
- Azure Tenant setup for .NET Blazor WASM calling Web API + Microsoft Graph
- Set-AzureADMSTrustFrameworkPolicy powershell cmdlet works on laptop but not in github actions. No changes done
- I am not able to import the powershell module Microsoft.Graph.Entra.Beta
- B2C Custom Policy: Error changing localAccountPasswordReset Content selfAsserted policy version beyond 1.1.0
- Non Verified Domain as IdntifierUri for Azure B2C IEF Application
- B2C authentication not returning access_token
- How to disable authentication during the start up of an ASP.NET Core 5 Blazor B2C application?
- Email address empty when trying to read it out at the back end
- Creating a user in Azure AD B2C through Microsoft SSO
- Azure B2C client credentials flow throws invalid_grant AADB2C90085