Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Using authProvider with MS SDK for graph calls in C#

I'm trying create a C# console application to connect to graph API and get a list of users from AzureAD from a tenant. I have registered the app and the admin has given me the following

  • Tenant Name and Tenant ID
  • Client ID (also sometimes called App Id)
  • Client Secret

Using the sdk the C# code I need to use looks like this (https://docs.microsoft.com/en-us/graph/api/user-list?view=graph-rest-1.0&tabs=cs):

GraphServiceClient graphClient = new GraphServiceClient( authProvider );

var users = await graphClient.Users
    .Request()
    .GetAsync();

However, the console application will run as a batch process so there will be no user interaction at all. So in order to provide the authProvider I followed this article on MS docs site: https://docs.microsoft.com/en-us/graph/sdks/choose-authentication-providers?tabs=CS

And I think for my purpose I need to go for the "Client Credential OAuth flow". The code which is shown on that URL. But here it is too.

IConfidentialClientApplication clientApplication = ClientCredentialProvider.CreateClientApplication(clientId, clientCredential);
ClientCredentialProvider authProvider = new ClientCredentialProvider(clientApplication);

The trouble is that Visual Studio does not recognise ClientCredentialProvider class. I'm not sure which assembly to import. I'm using the following usings in the top.

using Microsoft.Identity.Client;
using Microsoft.IdentityModel.Clients;
using Microsoft.IdentityModel;
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;

I'm not very experienced with GitHub repos and I'm using Visual Studio 2015. I would be interested in sample code; I have looked but cannot find any. MS have some lectures but they use another type of auth Provider which is authenticating interactively which is not what I'm looking for. I want obtain the token using the TenantId/ClientId and Client Secret.

like image 680
gtrivedi Avatar asked May 15 '19 15:05

gtrivedi


People also ask

Is MS graph API deprecated?

Azure Active Directory (Azure AD) Graph is deprecated but won't be retired on June 30, 2022 as previously announced.


1 Answers

ClientCredentialProvider is part of the Microsoft.Graph.Auth package. You can read more about this package at https://github.com/microsoftgraph/msgraph-sdk-dotnet-auth

Note that this package is currently (as of 2019-05-15) in preview, so you may want to wait before using this in a production application.

Alternatively, the following example uses the Microsoft Authentication Library for .NET (MSAL) directly to set up the Microsoft Graph SDK using app-only authentication:

// The Azure AD tenant ID or a verified domain (e.g. contoso.onmicrosoft.com) 
var tenantId = "{tenant-id-or-domain-name}";

// The client ID of the app registered in Azure AD
var clientId = "{client-id}";

// *Never* include client secrets in source code!
var clientSecret = await GetClientSecretFromKeyVault(); // Or some other secure place.

// The app registration should be configured to require access to permissions
// sufficient for the Microsoft Graph API calls the app will be making, and
// those permissions should be granted by a tenant administrator.
var scopes = new string[] { "https://graph.microsoft.com/.default" };

// Configure the MSAL client as a confidential client
var confidentialClient = ConfidentialClientApplicationBuilder
    .Create(clientId)
    .WithAuthority($"https://login.microsoftonline.com/$tenantId/v2.0")
    .WithClientSecret(clientSecret)
    .Build();

// Build the Microsoft Graph client. As the authentication provider, set an async lambda
// which uses the MSAL client to obtain an app-only access token to Microsoft Graph,
// and inserts this access token in the Authorization header of each API request. 
GraphServiceClient graphServiceClient =
    new GraphServiceClient(new DelegateAuthenticationProvider(async (requestMessage) => {

            // Retrieve an access token for Microsoft Graph (gets a fresh token if needed).
            var authResult = await confidentialClient
                .AcquireTokenForClient(scopes)
                .ExecuteAsync();

            // Add the access token in the Authorization header of the API request.
            requestMessage.Headers.Authorization = 
                new AuthenticationHeaderValue("Bearer", authResult.AccessToken);
        })
    );

// Make a Microsoft Graph API query
var users = await graphServiceClient.Users.Request().GetAsync();

(Note that this example uses the latest version of the Microsoft.Identity.Client package. Earlier versions (before version 3) did not include ConfidentialClientApplicationBuilder.)

like image 70
Philippe Signoret Avatar answered Oct 11 '22 17:10

Philippe Signoret