Skip to content

Managed Identity Support in MSAL

Jump to bottom
Neha Bhargava edited this page Nov 30, 2022 · 22 revisions

This is an experimental feature for 1st party use only.

Managed Identity for Confidential Client

A common challenge for developers is the management of secrets, credentials, certificates, and keys used to secure communication between services. Managed identities eliminate the need for developers to manage these credentials.

How to use managed identity in MSAL

IConfidentialClientApplication cca = ConfidentialClientApplicationBuilder.Create(clientId)
    .WithExperimentalFeatures()
    .Build();

AuthenticationResult result = await cca.AcquireTokenForClient(scopes)
    .WithManagedIdentity(userAssignedClientOrResourceId) // userAssignedClientIdOrResourceId is optional. To be provided only in case of user assigned managed identity.
    .ExecuteAsync()
    .ConfigureAwait(false);
  • The scopes array should contain a single scope as managed identity acquires token for a resource.
  • The parameter userAssignedClientIdOrResourceId can either contain the client id of the user assigned managed identity or the resource id in case the client id is not yet available.
  • For system assigned managed identity the parameter userAssignedClientIdOrResourceId need not be passed.

Supported by MSAL

MSAL supports the following sources for managed identity In Progress:

  • App services
  • IMDS
  • Cloud Shell
  • Azure Arc
  • Service Fabric

Common Exceptions

TBD

Getting started with MSAL.NET

Acquiring tokens

Web Apps / Web APIs / daemon apps

Desktop/Mobile apps

Advanced topics

FAQ

Other resources

Clone this wiki locally