microsoft-authentication-library-for-dotnet | Microsoft Authentication Library (MSAL) for NET | Azure library

We develop a bunch of augmented reality applications for our company. The applications are based on the game engine Unity (currently in the version 2020.3.7f1). Now, we're facing the point that we'd like to implement a SSO method in our apps, so every member of our company authenticates himself with his company user credentials. To authenticate the user we want to / have to use the Microsoft identity platform and thus the Microsoft Authentication Library (MSAL).

We already created an client on Azure with a client id, redirect uri, authority uri, endpoint, tenant, etc and it was tested successfully with an official sample project by Microsoft (https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-v2-ios).

But now we stuck at the point to establish this process in Unity. We created the MSAL library dll (https://github.com/AzureAD/microsoft-authentication-library-for-dotnet), imported it into Unity and called it by using the namespace Microsoft.Identity.Client. Due to security reasons we're only allowed to use PublicClientApplicationBuilder (which makes totally sense) so we need the web based login screen. The problem is that we can't implement a web view in Unity where the user can sign in to Microsoft and we can parse the received token out of the web view into our app for further communications.

We did a lot of internet research to find a solution but there are only some posts about MSAL in Unity in combination with Android and other posts which reference to the git repos I mentioned before.

How can we use MSAL in Unity for iOS devices?

Example code:

I have a C# application running in Azure Functions, I need to change password of a specific user using username\password credentials.

My app using MSAL for authentication (https://github.com/AzureAD/microsoft-authentication-library-for-dotnet)

and in order to obtain the ability to authenticate with username\password flow this option is used: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/Username-Password-Authentication.

I'm using Graph API for changing the password of the user (https://docs.microsoft.com/en-us/graph/api/user-update?view=graph-rest-1.0&tabs=http)

I do manage to reset password that way only if I grant the user one of those built-in assign-roles:

Password Admin, Helpdesk Admin, Authentication Admin, User Admin, Privileged Authentication Admin, Global Admin

but if I don't give the user one those roles it get the following error message when trying to update the user using PATCH request https://graph.microsoft.com/v1.0/users/########-####-####-####-########

Message: { "error": { "code": "Authorization_RequestDenied", "message": "Insufficient privileges to complete the operation.", "innerError": { "date": "2021-04-07T12:56:56", "request-id": "########-#####-#####-#####-#####", "client-request-id": "########-####-####-####-########" } } }

My problem is that I don't want to give those permission to any user just to change its own password since those roles are too strong.

It doesn't make sense to me that a user can't change its own password with that flow, since with PowerShell it is possible for example with Update-AzureADSignedInUserPassword and no special roles needed for the user. Why the role does effect it when I try to do the same operation with my flow. any ideas how to overcome this problem, what I'm doing wrong or is that even possible in that flow?

Thanks ahead

I am using this package to authenticate the user from the react native mobile app. After acquiring the access token I am sending it to my .net WebAPI which tries to call ConfidentialClientApplication.AcquireTokenOnBehalfOf. Both the react native mobile app and the webapi are using the same client id from the azure app registration and scopes.

Based on the documentation details for MSAL (Azure AD) mentioned at : https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/MSAL.NET-supports-multiple-application-architectures-and-multiple-platforms#msalnet-is-about-acquiring-tokens-not-protecting-an-api

I am working on POC : ASP.NET Web App accessing Custom REST API protected by Azure AD.

The link mentioned above says that MSAL.NET (Microsoft Authentication Library for .NET) enables developers of .NET applications to acquire tokens in order to call secured Web APIs. These Web APIs can be the Microsoft Graph, other Microsoft APIS, 3rd party Web APIs, or your own Web API.

Based on the above definition is it good to assume that MSAL will be helping in maintaining a token cache and refreshes tokens for you when they are close to expire in case of the Custom REST APIs also.

Can anyone help me here by providing their guidance on it further.

I've been struggling to successfully get data from microsoft graph, to be more precise, struggling to get valid authentication token. I followed all instructions and code samples from their github but I cannot get it to work. In image below is my code.

Important fact is that when I hardcode token, which I got from Graph Explorer, it works perfectly... When I try to get data with token obtained with AuthProvider, I get exception Request_ResourceNotFound.

App is registered, access is granted (that's why it works with hardcoded token). NuGet references imported are Microsoft.Graph, Microsoft.Graph.Client, Microsoft.Identity.Client (https://github.com/AzureAD/microsoft-authentication-library-for-dotnet)

If someone can help me with this problem or suggest anything, I would be grateful.

When you access a mailbox of a specific user via a background service using MS Graph, the token will expire after 90 days since MSGraph (MSAL.NET/Azure AD 2.0) does not return a refresh token (see here).

Using administrator consent should resolve this issue, but the only choice is to get access to ALL mailboxes of the organization. This is way too great a security risk for this task.

Does anybody know a middle ground for this? Is there a way to get the refresh token when using user consent, or limit admin consent to 1 mailbox?

Is this an issue that Microsoft should resolve?

My main question: Working with Exchange Online, how is the streaming subscription supposed to work in relation to the periodic access token refresh?

Details: I have been using EWS streaming subscriptions for some time for on-premise Exchange. Following the usual process I create a StreamingSubscriptionConnection, add the mailbox subscriptions to it, and then open the connection. When the OnDisconnect event fires, we re-open the connection.

We have now implemented the streaming subscription for mailboxes in Exchange Online, which requires us to use Modern Auth with Microsoft.Identity.Client. As advised on this page, we are forcing a refresh of the access token every 30 minutes on a background thread.

Everything works great, until we refresh the access token. At that point, when a connection's OnDisconnect event fires, and we attempt to re-open the connection, it fails with 401 Unauthorized. We currently have it re-assigning the Credentials property of the ExchangeService object, after refreshing the token, but that doesn't seem to have any effect on the StreamingSubscriptionConnection objects which were created prior to refreshing the token.

Note the StreamingSubscriptionConnection class doesn't have a Credentials property that we can reset after the token refresh. How is the connection object supposed to get the updated credentials?

Thank you!

John

UPDATE

It turns out I was not actually updating the Credentials property of the ExchangeService object after refreshing the token. Once I got that sorted, the re-opening of the connection works fine.

For anyone who might be interested, here's how we're doing this. First define the scopes:

Is it possible to use MSAL.NET authentication library to handle appCacheTokens that are generated multi-tenant daemon service app(i.e. the Client Credential grant). in this scenario i have to build (n) number of confidential client applications based on tenant ids and need to maintain the tokens.

When using the MSAL library to generate access token for a background console application, using client_credentials, to call two REST endpoints, the get token call is created as: