Implement interactive authentication with MSAL.NET
In this exercise, you register a new application in Microsoft Entra ID (Azure AD), then create a .NET console application that uses the Microsoft.Identity.Client namespace to perform interactive authentication.
Tasks performed in this exercise:
- Register an application with the Microsoft identity platform
- Create a .NET console app that uses the PublicClientApplicationBuilder class to configure authentication.
- Acquire a token interactively using the user.read Microsoft Graph permission.
This exercise takes approximately 15 minutes to complete.
Before you start
To complete the exercise you need:
- An Azure subscription. If you don't already have one, you can sign up for one.
Register a new application
- In your browser, navigate to the Azure portal at https://portal.azure.com, signing in with your Azure credentials if prompted.
- Use the [>_] button to the right of the search bar at the top of the page to create a new cloud shell in the Azure portal, selecting a Bash environment. The cloud shell provides a command line interface in a pane at the bottom of the Azure portal.
  Note: If you have previously created a cloud shell that uses a PowerShell environment, switch it to Bash.
- In the portal, search for and select App registrations.
- Select + New registration, and when the Register an application page appears, enter your application's registration information:

  | Field | Value |
  | --- | --- |
  | Name | Enter myApplication |
  | Supported account types | Select Accounts in this organizational directory only |
  | Redirect URI (optional) | Select Public client/native (mobile & desktop) and enter http://localhost in the box to the right. |

- Select Register. Microsoft Entra ID assigns a unique application (client) ID to your app, and you're taken to your application's Overview page.
- In the Essentials section of the Overview page, record the Application (client) ID and the Directory (tenant) ID. The information is needed for the application.
Create a .NET console app to send and receive messages
Now that the needed resources are deployed to Azure, the next step is to set up the console application. The following steps are performed in the cloud shell.
- Run the following commands to create a directory to contain the project and change into the project directory.

    mkdir authapp
    cd authapp

- Create the .NET console application.

    dotnet new console --framework net8.0

- Run the following commands to add the Microsoft.Identity.Client package to the project, and also the supporting dotenv.net package.

    dotnet add package Microsoft.Identity.Client
    dotnet add package dotenv.net

Configure the console application
In this section you create and edit a .env file to hold the application (client) ID and directory (tenant) ID you recorded earlier.
- Run the following commands to create the .env file, and then open it in the code editor.

    touch .env
    code .env

- Add the following code to the .env file. Replace YOUR_CLIENT_ID and YOUR_TENANT_ID with the values you recorded earlier.

    CLIENT_ID="YOUR_CLIENT_ID"
    TENANT_ID="YOUR_TENANT_ID"

- Press ctrl+s to save the file, then ctrl+q to exit the editor.
Add the starter code for the project
- Run the following command in the cloud shell to begin editing the application.

    code Program.cs

- Replace any existing contents with the following code. Be sure to review the comments in the code.

    using Microsoft.Identity.Client;
    using dotenv.net;

    // Load environment variables from .env file
    DotEnv.Load();
    var envVars = DotEnv.Read();

    // Retrieve Azure AD Application ID and tenant ID from environment variables
    string _clientId = envVars["CLIENT_ID"];
    string _tenantId = envVars["TENANT_ID"];

    // ADD CODE TO DEFINE SCOPES AND CREATE CLIENT

    // ADD CODE TO ACQUIRE AN ACCESS TOKEN

- Press ctrl+s to save your changes.
Add code to complete the application
- Locate the // ADD CODE TO DEFINE SCOPES AND CREATE CLIENT comment and add the following code directly after the comment. Be sure to review the comments in the code.

    // Define the scopes required for authentication
    string[] _scopes = { "User.Read" };

    // Build the MSAL public client application with authority and redirect URI
    var app = PublicClientApplicationBuilder.Create(_clientId)
        .WithAuthority(AzureCloudInstance.AzurePublic, _tenantId)
        .WithDefaultRedirectUri()
        .Build();

- Locate the // ADD CODE TO ACQUIRE AN ACCESS TOKEN comment and add the following code directly after the comment. Be sure to review the comments in the code.

    // Attempt to acquire an access token silently or interactively
    AuthenticationResult result;
    try
    {
        // Try to acquire token silently from cache for the first available account
        var accounts = await app.GetAccountsAsync();
        result = await app.AcquireTokenSilent(_scopes, accounts.FirstOrDefault())
            .ExecuteAsync();
    }
    catch (MsalUiRequiredException)
    {
        // If silent token acquisition fails, prompt the user interactively
        result = await app.AcquireTokenInteractive(_scopes)
            .ExecuteAsync();
    }

    // Output the acquired access token to the console
    Console.WriteLine($"Access Token:\n{result.AccessToken}");

- Press ctrl+s to save the file, then ctrl+q to exit the editor.
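
A hardened variant of the completed Program.cs, as an added example that is not part of the original exercise: it validates the .env values, bounds the interactive prompt with a timeout, and prints the result's metadata instead of the bearer token. It assumes both IDs are the GUIDs shown on the Overview page; the variable names and the two-minute limit are choices made for this example.

```csharp
using Microsoft.Identity.Client;
using dotenv.net;

// Read the .env file from the exercise and fail fast on malformed IDs.
// Assumption: both values are the GUIDs shown on the app's Overview page.
var env = DotEnv.Read();
env.TryGetValue("CLIENT_ID", out var clientId);
env.TryGetValue("TENANT_ID", out var tenantId);
if (!Guid.TryParse(clientId, out _) || !Guid.TryParse(tenantId, out _))
{
    Console.Error.WriteLine("CLIENT_ID and TENANT_ID in .env must both be GUIDs.");
    return 1;
}

string[] scopes = { "User.Read" };
var app = PublicClientApplicationBuilder.Create(clientId)
    .WithAuthority(AzureCloudInstance.AzurePublic, tenantId)
    .WithDefaultRedirectUri()
    .Build();

// The system browser cannot signal that the user closed the tab, so bound the wait.
// The two-minute limit is a value chosen for this example.
using var timeout = new CancellationTokenSource(TimeSpan.FromMinutes(2));
AuthenticationResult result;
try
{
    var accounts = await app.GetAccountsAsync();
    result = await app.AcquireTokenSilent(scopes, accounts.FirstOrDefault())
        .ExecuteAsync(timeout.Token);
}
catch (MsalUiRequiredException)
{
    try
    {
        result = await app.AcquireTokenInteractive(scopes).ExecuteAsync(timeout.Token);
    }
    catch (Exception ex) when (ex is OperationCanceledException or MsalException)
    {
        Console.Error.WriteLine($"Sign-in failed: {(ex as MsalException)?.ErrorCode ?? ex.GetType().Name}");
        return 1;
    }
}

// Report what was granted without writing the bearer token to the terminal.
Console.WriteLine($"Account:      {result.Account.Username}");
Console.WriteLine($"Scopes:       {string.Join(" ", result.Scopes)}");
Console.WriteLine($"Expires:      {result.ExpiresOn.UtcDateTime:u}");
Console.WriteLine($"Token source: {result.AuthenticationResultMetadata.TokenSource}");
return 0;
```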
Run the application
Now that the app is complete, it's time to run it.
- Start the application by running the following command:

    dotnet run

- The app opens the default browser, prompting you to select the account you want to authenticate with. If there are multiple accounts listed, select the one associated with the tenant used in the app.
- If this is the first time you've authenticated to the registered app, you receive a Permissions requested notification asking you to approve the app to sign you in and read your profile, and maintain access to data you have given it access to. Select Accept.
- You should see results similar to the example below in the console.

    Access Token:
    eyJ0eXAiOiJKV1QiLCJub25jZSI6IlZF.........

- Start the application a second time and notice you no longer receive the Permissions requested notification. The permission you granted earlier was saved.
Summary
In this exercise, you learned how to register an application in Microsoft Entra ID, configure a .NET console app to use MSAL.NET for interactive authentication, and acquire an access token for Microsoft Graph. You also saw how user consent works and how authentication tokens can be reused for subsequent runs. This process is essential for securely accessing Azure resources and APIs from your applications.