In this article, you add app-only authentication to the application you created in Build .NET apps with Microsoft Graph and app-only authentication.
The Azure Identity client library for .NET provides many TokenCredential classes that implement OAuth2 token flows. The Microsoft Graph .NET client library uses those classes to authenticate calls to Microsoft Graph.
Configure Graph client for app-only authentication
In this section, you use the ClientSecretCredential class to request an access token by using the client credentials flow.
Create a new file in the GraphTutorial directory named GraphHelper.cs and add the following code to that file.
    using Azure.Core;
    using Azure.Identity;
    using Microsoft.Graph;
    using Microsoft.Graph.Models;

    class GraphHelper
    {
    }
Add the following code to the GraphHelper class.

    // Settings object
    private static Settings? _settings;
    // App-only auth token credential
    private static ClientSecretCredential? _clientSecretCredential;
    // Client configured with app-only authentication
    private static GraphServiceClient? _appClient;

    public static void InitializeGraphForAppOnlyAuth(Settings settings)
    {
        // Ensure settings isn't null
        _ = settings ??
            throw new System.NullReferenceException("Settings cannot be null");

        _settings = settings;

        if (_clientSecretCredential == null)
        {
            _clientSecretCredential = new ClientSecretCredential(
                _settings.TenantId, _settings.ClientId, _settings.ClientSecret);
        }

        if (_appClient == null)
        {
            _appClient = new GraphServiceClient(_clientSecretCredential,
                // Use the default scope, which will request the scopes
                // configured on the app registration
                new[] {"https://graph.microsoft.com/.default"});
        }
    }
Replace the empty InitializeGraph function in Program.cs with the following.

    void InitializeGraph(Settings settings)
    {
        GraphHelper.InitializeGraphForAppOnlyAuth(settings);
    }
This code declares two private properties, a ClientSecretCredential object and a GraphServiceClient object. The InitializeGraphForAppOnlyAuth function creates a new instance of ClientSecretCredential, then uses that instance to create a new instance of GraphServiceClient. Every time an API call is made to Microsoft Graph through the _appClient, it uses the provided credential to get an access token.
Test the ClientSecretCredential
Next, add code to get an access token from the ClientSecretCredential.
Add the following function to the GraphHelper class.

    public static async Task<string> GetAppOnlyTokenAsync()
    {
        // Ensure credential isn't null
        _ = _clientSecretCredential ??
            throw new System.NullReferenceException("Graph has not been initialized for app-only auth");

        // Request token with given scopes
        var context = new TokenRequestContext(new[] {"https://graph.microsoft.com/.default"});
        var response = await _clientSecretCredential.GetTokenAsync(context);
        return response.Token;
    }
Replace the empty DisplayAccessTokenAsync function in Program.cs with the following.

    async Task DisplayAccessTokenAsync()
    {
        try
        {
            var appOnlyToken = await GraphHelper.GetAppOnlyTokenAsync();
            Console.WriteLine($"App-only token: {appOnlyToken}");
        }
        catch (Exception ex)
        {
            Console.WriteLine($"Error getting app-only access token: {ex.Message}");
        }
    }
Build and run the app. Enter 1 when prompted for an option. The application displays an access token.

    .NET Graph Tutorial
    Please choose one of the following options:
    0. Exit
    1. Display access token
    2. List users
    3. Make a Graph call
    1
    App-only token: eyJ0eXAiOiJKV1QiLCJub25jZSI6IlVDTzRYOWtKYlNLVjVkRzJGenJqd2xvVUcwWS...
Tip
For validation and debugging purposes only, you can decode app-only access tokens using Microsoft's online token parser at https://jwt.ms. Parsing your token can be useful if you encounter token errors when calling Microsoft Graph. For example, you can verify that the role claim in the token contains the expected Microsoft Graph permission scopes.