Daemon using idweb. App config

jmprieur · jmprieur · commit 004b953f8b79 · 2023-04-02T18:37:53.000-07:00
diff --git a/articles/active-directory/develop/scenario-daemon-app-configuration.md b/articles/active-directory/develop/scenario-daemon-app-configuration.md
@@ -28,11 +28,11 @@ The following Microsoft libraries support daemon apps:
 
 ## Configure the authority
 
-Daemon applications use application permissions rather than delegated permissions. So their supported account type can't be an account in any organizational directory or any personal Microsoft account (for example, Skype, Xbox, Outlook.com). There's no tenant admin to grant consent to a daemon application for a Microsoft personal account. You'll need to choose *accounts in my organization* or *accounts in any organization*.
+Daemon applications use application permissions rather than delegated permissions. So their supported account type can't be an account in any organizational directory or any personal Microsoft account (for example, Skype, Xbox, Outlook.com). There's no tenant admin to grant consent to a daemon application for a Microsoft personal account. You need to choose *accounts in my organization* or *accounts in any organization*.
 
 The authority specified in the application configuration should be tenanted (specifying a tenant ID or a domain name associated with your organization).
 
-Even if you want to provide a multitenant tool, you should use a tenant ID or domain name, and **not** `common` or `organizations` with this flow, because the service cannot reliably infer which tenant should be used.
+Even if you want to provide a multitenant tool, you should use a tenant ID or domain name, and **not** `common` or `organizations` with this flow, because the service can't reliably infer which tenant should be used.
 
 ## Configure and instantiate the application
 
@@ -49,21 +49,28 @@ The configuration file defines:
 - The client ID that you got from the application registration.
 - Either a client secret or a certificate.
 
-# [.NET](#tab/dotnet)
+# [.NET](#tab/idweb)
 
-Here's an example of defining the configuration in an [*appsettings.json*](https://github.com/Azure-Samples/active-directory-dotnetcore-daemon-v2/blob/master/1-Call-MSGraph/daemon-console/appsettings.json) file. This example is taken from from the [.NET Core console daemon](https://github.com/Azure-Samples/active-directory-dotnetcore-daemon-v2) code sample on GitHub.
+Here's an example of defining the configuration in an [*appsettings.json*](https://github.com/Azure-Samples/active-directory-dotnetcore-daemon-v2/blob/master/1-Call-MSGraph/daemon-console/appsettings.json) file. This example is taken from the [.NET Core console daemon](https://github.com/Azure-Samples/active-directory-dotnetcore-daemon-v2) code sample on GitHub.
 
 ```json
 {
-  "Instance": "https://login.microsoftonline.com/{0}",
-  "Tenant": "[Enter here the tenantID or domain name for your Azure AD tenant]",
-  "ClientId": "[Enter here the ClientId for your application]",
-  "ClientSecret": "[Enter here a client secret for your application]",
-  "CertificateName": "[Or instead of client secret: Enter here the name of a certificate (from the user cert store) as registered with your application]"
+    "AzureAd": {
+        "Instance": "https://login.microsoftonline.com/",
+        "TenantId": "[Enter here the tenantID or domain name for your Azure AD tenant]",
+        "ClientId": "[Enter here the ClientId for your application]",
+        "ClientCredentials": [
+            {
+                "SourceType": "ClientSecret",
+                "ClientSecret": "[Enter here a client secret for your application]"
+            }
+        ]
+    }
 }
+
 ```
 
-You provide either a `ClientSecret` or a `CertificateName`. These settings are exclusive.
+You provide a certificate instead of the client secret, or [workload identity federation](/azure/active-directory/workload-identities/workload-identity-federation.md) credentials.
 
 # [Java](#tab/java)
 
@@ -123,6 +130,22 @@ When you build a confidential client with certificates, the [parameters.json](ht
 }
 ```
 
+# [.NET (low level) ](#tab/dotnet)
+
+Here's an example of defining the configuration in an [*appsettings.json*](https://github.com/Azure-Samples/active-directory-dotnetcore-daemon-v2/blob/master/1-Call-MSGraph/daemon-console/appsettings.json) file. This example is taken from the [.NET Core console daemon](https://github.com/Azure-Samples/active-directory-dotnetcore-daemon-v2) code sample on GitHub.
+
+```json
+{
+  "Instance": "https://login.microsoftonline.com/{0}",
+  "Tenant": "[Enter here the tenantID or domain name for your Azure AD tenant]",
+  "ClientId": "[Enter here the ClientId for your application]",
+  "ClientSecret": "[Enter here a client secret for your application]",
+  "CertificateName": "[Or instead of client secret: Enter here the name of a certificate (from the user cert store) as registered with your application]"
+}
+```
+
+You provide either a `ClientSecret` or a `CertificateName`. These settings are exclusive.
+
 ---
 
 ### Instantiate the MSAL application
@@ -135,15 +158,38 @@ The construction is different, depending on whether you're using client secrets
 
 Reference the MSAL package in your application code.
 
-# [.NET](#tab/dotnet)
+# [.NET](#tab/idweb)
 
-Add the [Microsoft.Identity.Client](https://www.nuget.org/packages/Microsoft.Identity.Client) NuGet package to your application, and then add a `using` directive in your code to reference it.
+Add the [Microsoft.Identity.Web.TokenAcquisition](https://www.nuget.org/packages/Microsoft.Identity.Web.TokenAcquisition) NuGet package to your application. 
+Alternatively, if you want to call Microsoft Graph, add the [Microsoft.Identity.Web.MicrosoftGraph](https://www.nuget.org/packages/Microsoft.Identity.Web.MicrosoftGraph) package.
+Your project could be as follows. The *appsettings.json* file needs to be copied to the output directory.
 
-In MSAL.NET, the confidential client application is represented by the `IConfidentialClientApplication` interface.
+```xml
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <OutputType>Exe</OutputType>
+    <TargetFramework>net7.0</TargetFramework>
+    <RootNamespace>daemon_console</RootNamespace>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <PackageReference Include="Microsoft.Identity.Web.MicrosoftGraph" Version="2.6.1" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <None Update="appsettings.json">
+      <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+    </None>
+  </ItemGroup>
+</Project>
+```
+
+In the Program.cs file, add a `using` directive in your code to reference Microsoft.Identity.Web. 
 
 ```csharp
-using Microsoft.Identity.Client;
-IConfidentialClientApplication app;
+using Microsoft.Identity.Abstractions;
+using Microsoft.Identity.Web;
 ```
 
 # [Java](#tab/java)
@@ -160,7 +206,7 @@ import com.microsoft.aad.msal4j.SilentParameters;
 
 # [Node.js](#tab/nodejs)
 
-Simply install the packages by running `npm install` in the folder where *package.json* file resides. Then, import **msal-node** package:
+Install the packages by running `npm install` in the folder where *package.json* file resides. Then, import **msal-node** package:
 
 ```JavaScript 
 const msal = require('@azure/msal-node');
@@ -175,38 +221,52 @@ import sys
 import logging
 ```
 
----
+# [.NET (low level)](#tab/dotnet)
 
-#### Instantiate the confidential client application with a client secret
-
-Here's the code to instantiate the confidential client application with a client secret:
+Add the [Microsoft.Identity.Client](https://www.nuget.org/packages/Microsoft.Identity.Client) NuGet package to your application, and then add a `using` directive in your code to reference it.
 
-# [.NET](#tab/dotnet)
+In MSAL.NET, the confidential client application is represented by the `IConfidentialClientApplication` interface.
 
 ```csharp
-app = ConfidentialClientApplicationBuilder.Create(config.ClientId)
-           .WithClientSecret(config.ClientSecret)
-           .WithAuthority(new Uri(config.Authority))
-           .Build();
+using Microsoft.Identity.Client;
+IConfidentialClientApplication app;
 ```
 
-The `Authority` is a concatenation of the cloud instance and the tenant ID, for example `https://login.microsoftonline.com/contoso.onmicrosoft.com` or `https://login.microsoftonline.com/eb1ed152-0000-0000-0000-32401f3f9abd`. In the *appsettings.json* file shown in the [Configuration file](#configuration-file) section, these are represented by the `Instance` and `Tenant` values, respectively.
+---
 
-In the code sample the previous snippet was taken from, `Authority` is a property on the  [AuthenticationConfig](https://github.com/Azure-Samples/active-directory-dotnetcore-daemon-v2/blob/ffc4a9f5d9bdba5303e98a1af34232b434075ac7/1-Call-MSGraph/daemon-console/AuthenticationConfig.cs#L61-L70) class, and is defined as such:
+#### Instantiate the confidential client application with a client secret
+
+Here's the code to instantiate the confidential client application with a client secret:
+
+# [.NET](#tab/idweb)
 
 ```csharp
-/// <summary>
-/// URL of the authority
-/// </summary>
-public string Authority
-{
-    get
+   class Program
     {
-        return String.Format(CultureInfo.InvariantCulture, Instance, Tenant);
+        static async Task Main(string[] _)
+        {
+            // Get the Token acquirer factory instance. By default it reads an appsettings.json
+            // file if it exists in the same folder as the app (make sure that the 
+            // "Copy to Output Directory" property of the appsettings.json file is "Copy if newer").
+            TokenAcquirerFactory tokenAcquirerFactory = TokenAcquirerFactory.GetDefaultInstance();
+
+            // Configure the application options to be read from the configuration
+            // and add the services you need (Graph, token cache)
+            IServiceCollection services = tokenAcquirerFactory.Services;
+            services.AddMicrosoftGraph();
+            // By default, you get an in-memory token cache.
+            // For more token cache serialization options, see https://aka.ms/msal-net-token-cache-serialization
+
+            // Resolve the dependency injection.
+            var serviceProvider = tokenAcquirerFactory.Build();
+
+            // ...
+        }
     }
-}
 ```
 
+The configuration is read from the *appsettings.json*:
+
 # [Java](#tab/java)
 
 ```Java
@@ -258,20 +318,51 @@ app = msal.ConfidentialClientApplication(
     )
 ```
 
+# [.NET (low level)](#tab/dotnet)
+
+```csharp
+app = ConfidentialClientApplicationBuilder.Create(config.ClientId)
+           .WithClientSecret(config.ClientSecret)
+           .WithAuthority(new Uri(config.Authority))
+           .Build();
+```
+
+The `Authority` is a concatenation of the cloud instance and the tenant ID, for example `https://login.microsoftonline.com/contoso.onmicrosoft.com` or `https://login.microsoftonline.com/eb1ed152-0000-0000-0000-32401f3f9abd`. In the *appsettings.json* file shown in the [Configuration file](#configuration-file) section, instance and tenant are represented by the `Instance` and `Tenant` values, respectively.
+
+In the code sample the previous snippet was taken from, `Authority` is a property on the  [AuthenticationConfig](https://github.com/Azure-Samples/active-directory-dotnetcore-daemon-v2/blob/ffc4a9f5d9bdba5303e98a1af34232b434075ac7/1-Call-MSGraph/daemon-console/AuthenticationConfig.cs#L61-L70) class, and is defined as such:
+
+```csharp
+/// <summary>
+/// URL of the authority
+/// </summary>
+public string Authority
+{
+    get
+    {
+        return String.Format(CultureInfo.InvariantCulture, Instance, Tenant);
+    }
+}
+```
+
 ---
 
 #### Instantiate the confidential client application with a client certificate
 
 Here's the code to build an application with a certificate:
 
-# [.NET](#tab/dotnet)
+# [.NET](#tab/idweb)
 
-```csharp
-X509Certificate2 certificate = ReadCertificate(config.CertificateName);
-app = ConfidentialClientApplicationBuilder.Create(config.ClientId)
-    .WithCertificate(certificate)
-    .WithAuthority(new Uri(config.Authority))
-    .Build();
+The code itself is exactly the same. The certificate is described in the configuration. 
+There are many ways to get the certificate. For details see https://aka.ms/ms-id-web-certificates.
+Here's how you would do to get your certificate from KeyVault. Microsoft identity delegates to Azure Identity's DefaultAzureCredential, and used Managed identity when available to access the certificate from KeyVault. You can debug your application locally as it, then, uses your developer credentials.
+
+```json
+  "ClientCredentials": [
+      {
+        "SourceType": "KeyVault",
+        "KeyVaultUrl": "https://yourKeyVaultUrl.vault.azure.net",
+        "KeyVaultCertificateName": "NameOfYourCertificate"
+      }
 ```
 
 # [Java](#tab/java)
@@ -344,42 +435,24 @@ app = msal.ConfidentialClientApplication(
     )
 ```
 
----
-
-#### Advanced scenario: Instantiate the confidential client application with client assertions
-
 # [.NET](#tab/dotnet)
 
-Instead of a client secret or a certificate, the confidential client application can also prove its identity by using client assertions.
-
-MSAL.NET has two methods to provide signed assertions to the confidential client app:
-
-- `.WithClientAssertion()`
-- `.WithClientClaims()`
-
-When you use `WithClientAssertion`, provide a signed JWT. This advanced scenario is detailed in [Client assertions](msal-net-client-assertions.md).
-
 ```csharp
-string signedClientAssertion = ComputeAssertion();
+X509Certificate2 certificate = ReadCertificate(config.CertificateName);
 app = ConfidentialClientApplicationBuilder.Create(config.ClientId)
-                                          .WithClientAssertion(signedClientAssertion)
-                                          .Build();
+    .WithCertificate(certificate)
+    .WithAuthority(new Uri(config.Authority))
+    .Build();
 ```
 
-When you use `WithClientClaims`, MSAL.NET will produce a signed assertion that contains the claims expected by Azure AD, plus additional client claims that you want to send.
-This code shows how to do that:
+---
 
-```csharp
-string ipAddress = "192.168.1.2";
-var claims = new Dictionary<string, string> { { "client_ip", ipAddress } };
-X509Certificate2 certificate = ReadCertificate(config.CertificateName);
-app = ConfidentialClientApplicationBuilder.Create(config.ClientId)
-                                          .WithAuthority(new Uri(config.Authority))
-                                          .WithClientClaims(certificate, claims)
-                                          .Build();
-```
+#### Advanced scenario: Instantiate the confidential client application with client assertions
 
-Again, for details, see [Client assertions](msal-net-client-assertions.md).
+# [.NET](#tab/idweb)
+
+Instead of a client secret or a certificate, the confidential client application can also prove its identity by using client assertions. See
+[CredentialDescription](/dotnet/api/microsoft.identity.abstractions.credentialdescription?view=msal-model-dotnet-latest) for details.
 
 # [Java](#tab/java)
 
@@ -429,11 +502,44 @@ app = msal.ConfidentialClientApplication(
 
 For details, see the MSAL Python reference documentation for [ConfidentialClientApplication](https://msal-python.readthedocs.io/en/latest/#msal.ClientApplication.__init__).
 
+# [.NET (low level)](#tab/dotnet)
+
+Instead of a client secret or a certificate, the confidential client application can also prove its identity by using client assertions.
+
+MSAL.NET has two methods to provide signed assertions to the confidential client app:
+
+- `.WithClientAssertion()`
+- `.WithClientClaims()`
+
+When you use `WithClientAssertion`, provide a signed JWT. This advanced scenario is detailed in [Client assertions](msal-net-client-assertions.md).
+
+```csharp
+string signedClientAssertion = ComputeAssertion();
+app = ConfidentialClientApplicationBuilder.Create(config.ClientId)
+                                          .WithClientAssertion(signedClientAssertion)
+                                          .Build();
+```
+
+When you use `WithClientClaims`, MSAL.NET produces a signed assertion that contains the claims expected by Azure AD, plus additional client claims that you want to send.
+This code shows how to do that:
+
+```csharp
+string ipAddress = "192.168.1.2";
+var claims = new Dictionary<string, string> { { "client_ip", ipAddress } };
+X509Certificate2 certificate = ReadCertificate(config.CertificateName);
+app = ConfidentialClientApplicationBuilder.Create(config.ClientId)
+                                          .WithAuthority(new Uri(config.Authority))
+                                          .WithClientClaims(certificate, claims)
+                                          .Build();
+```
+
+Again, for details, see [Client assertions](msal-net-client-assertions.md).
+
 ---
 
 ## Next steps
 
-# [.NET](#tab/dotnet)
+# [.NET](#tab/idweb)
 
 Move on to the next article in this scenario,
 [Acquire a token for the app](./scenario-daemon-acquire-token.md?tabs=dotnet).
@@ -453,4 +559,9 @@ Move on to the next article in this scenario,
 Move on to the next article in this scenario,
 [Acquire a token for the app](./scenario-daemon-acquire-token.md?tabs=python).
 
+# [.NET (low level)](#tab/dotnet)
+
+Move on to the next article in this scenario,
+[Acquire a token for the app](./scenario-daemon-acquire-token.md?tabs=dotnet).
+
 ---
