Merge pull request #107791 from bgavrilMS/patch-24

ShannonLeavitt · web-flow · commit 73bb489ca8f8 · 2023-04-11T10:47:09.000-06:00
Update scenario-desktop-acquire-token-wam.md
diff --git a/articles/active-directory/develop/scenario-desktop-acquire-token-wam.md b/articles/active-directory/develop/scenario-desktop-acquire-token-wam.md
@@ -17,139 +17,139 @@ ms.custom: aaddev, devx-track-python
 
 # Desktop app that calls web APIs: Acquire a token using WAM
 
-MSAL is able to call Web Account Manager, a Windows 10 component that ships with the OS. This component acts as an authentication broker and users of your app benefit from integration with accounts known from Windows, such as the account you signed-in with in your Windows session.
-
-## Availability
-
-MSAL 4.25+ supports WAM on UWP, and .NET 5.
-
-For .NET 5, target `net5.0-windows10.0.17763.0` (or higher) and not just `net5.0`. Your app will still run on older versions of Windows if you add `<SupportedOSPlatformVersion>7</SupportedOSPlatformVersion>` in the *.csproj* file. MSAL will use a browser when WAM isn't available.
+MSAL is able to call Web Account Manager (WAM), a Windows 10+ component that ships with the OS. This component acts as an authentication broker and users of your app benefit from integration with accounts known from Windows, such as the account you signed-in with in your Windows session.
 
 ## WAM value proposition
 
 Using an authentication broker such as WAM has numerous benefits.
 
-- Enhanced security (your app doesn't have to manage the powerful refresh token)
+- Enhanced security. See [token protection](https://learn.microsoft.com/azure/active-directory/conditional-access/concept-token-protection)
 - Better support for Windows Hello, Conditional Access and FIDO keys
 - Integration with Windows' "Email and Accounts" view
-- Better Single Sign-On (users don't have to reenter passwords)
+- Better Single Sign-On 
+- Ability to sign in silently with the current Windows account
 - Most bug fixes and enhancements will be shipped with Windows
 
 ## WAM limitations
 
+- Available on Windows 10 and later and on Windows Server 2019 and later. On Mac, Linux, and earlier versions of Windows, MSAL will automatically fall back to a browser.
 - B2C and ADFS authorities aren't supported. MSAL will fall back to a browser.
-- Available on Win10+ and Win Server 2019+. On Mac, Linux, and earlier versions of Windows, MSAL will fall back to a browser.
-- Not available on Xbox.
 
-## WAM calling pattern
+## WAM integration package
 
-You can use the following pattern to use WAM.
+Most apps will need to reference `Microsoft.Identity.Client.Broker` package to use this integration. MAUI apps are not required to do this; the functionality is inside MSAL when the target is `net6-windows` and later.
 
-```csharp
-// 1. Configuration - read below about redirect URI
-var pca = PublicClientApplicationBuilder.Create("client_id")
-              .WithBroker()
-              .Build();
-
-// Add a token cache, see https://learn.microsoft.com/azure/active-directory/develop/msal-net-token-cache-serialization?tabs=desktop
+## WAM calling pattern
 
-// 2. GetAccounts
-var accounts = await pca.GetAccountsAsync();
-var accountToLogin = // choose an account, or null, or use PublicClientApplication.OperatingSystemAccount for the default OS account
+You can use the following pattern to use WAM. 
 
-try
-{
-    // 3. AcquireTokenSilent 
-    var authResult = await pca.AcquireTokenSilent(new[] { "User.Read" }, accountToLogin)
-                              .ExecuteAsync();
-}
-catch (MsalUiRequiredException) // no change in the pattern
-{
-    // 4. Specific: Switch to the UI thread for next call . Not required for console apps.
-    await SwitchToUiThreadAsync(); // not actual code, this is different on each platform / tech
-
-    // 5. AcquireTokenInteractive
-    var authResult = await pca.AcquireTokenInteractive(new[] { "User.Read" })
-                              .WithAccount(accountToLogin)  // this already exists in MSAL, but it is more important for WAM
-                              .WithParentActivityOrWindow(myWindowHandle) // to be able to parent WAM's windows to your app (optional, but highly recommended; not needed on UWP)
-                              .ExecuteAsync();
-}
+```csharp
+    // 1. Configuration - read below about redirect URI
+    var pca = PublicClientApplicationBuilder.Create("client_id")
+                    .WithBroker(new BrokerOptions(BrokerOptions.OperatingSystems.Windows))
+                    .Build();
+
+    // Add a token cache, see https://learn.microsoft.com/azure/active-directory/develop/msal-net-token-cache-serialization?tabs=desktop
+
+    // 2. Find a account for silent login
+
+    // is there an account in the cache?
+    IAccount accountToLogin = (await pca.GetAccountsAsync()).FirstOrDefault();
+    if (accountToLogin == null)
+    {
+        // 3. no account in the cache, try to login with the OS account
+        accountToLogin = PublicClientApplication.OperatingSystemAccount;
+    }
+
+    try
+    {
+        // 4. Silent authentication 
+        var authResult = await pca.AcquireTokenSilent(new[] { "User.Read" }, accountToLogin)
+                                    .ExecuteAsync();
+    }
+    // cannot login silently - most likely AAD would like to show a consent dialog or the user needs to re-enter credentials
+    catch (MsalUiRequiredException) 
+    {
+        // 5. Interactive authentication
+        var authResult = await pca.AcquireTokenInteractive(new[] { "User.Read" })
+                                    .WithAccount(accountToLogin)
+                                    // this is mandatory so that WAM is correctly parented to your app, read on for more guidance
+                                    .WithParentActivityOrWindow(myWindowHandle) 
+                                    .ExecuteAsync();
+                                    
+        // consider allowing the user to re-authenticate with a different account, by calling AcquireTokenInteractive again                                  
+    }
 ```
 
-Call `.WithBroker(true)`. If a broker isn't present (for example, Win8.1, Mac, or Linux), then MSAL will fall back to a browser, where redirect URI rules apply.
+If a broker isn't present (for example, Win8.1, Mac, or Linux), then MSAL will fall back to a browser, where redirect URI rules apply.
 
-## Redirect URI
+### Redirect URI
 
-WAM redirect URIs don't need to be configured in MSAL, but they must be configured in the app registration.
-
-### Win32 (.NET framework / .NET 5)
+WAM redirect URIs don't need to be configured in MSAL, but they must be configured in the app registration. 
 
 ```
 ms-appx-web://microsoft.aad.brokerplugin/{client_id}
 ```
 
-### UWP
-```csharp
-            // returns smth like S-1-15-2-2601115387-131721061-1180486061-1362788748-631273777-3164314714-2766189824
-            string sid = WebAuthenticationBroker.GetCurrentApplicationCallbackUri().Host.ToUpper();
+### Token cache persistence
 
-            // the redirect uri you need to register
-            string redirectUri = $"ms-appx-web://microsoft.aad.brokerplugin/{sid}";
-```
+It's important to persist MSAL's token cache because MSAL continues to store id tokens and account metadata there. See https://learn.microsoft.com/azure/active-directory/develop/msal-net-token-cache-serialization?tabs=desktop
 
-## Token cache persistence
+### Find a account for silent login
 
-It's important to persist MSAL's token cache because MSAL needs to save internal WAM account IDs there. Without it, restarting the app means that `GetAccounts` API will miss some of the accounts. On UWP, MSAL knows where to save the token cache.
+The recommended pattern is: 
 
-## GetAccounts
+1. If the user previously logged in, use that account.
+2. If not, use `PublicClientApplication.OperatingSystemAccount` which the current Windows Account 
+3. Allow the end-user to change to a different account by logging in interactively. 
 
-`GetAccounts` returns accounts of users who have previously logged in interactively into the app.
+## Parent Window Handles
 
-In addition, WAM can list the OS-wide Work and School accounts configured in Windows (for Win32 apps but not for UWP apps). To opt-into this feature, set `ListWindowsWorkAndSchoolAccounts` in `WindowsBrokerOptions` to **true**. You can enable it as below.
+It is required to configure MSAL with the window that the interactive experience should be parented to, using `WithParentActivityOrWindow` APIs.
 
-```csharp
-.WithWindowsBrokerOptions(new WindowsBrokerOptions()
-{
-    // GetAccounts will return Work and School accounts from Windows
-    ListWindowsWorkAndSchoolAccounts = true,
+### UI applications
+For UI apps like WinForms, WPF, WinUI3 see https://learn.microsoft.com/windows/apps/develop/ui-input/retrieve-hwnd
 
-    // Legacy support for 1st party apps only
-    MsaPassthrough = true
-})
-```
+### Console applications
 
->[!NOTE]
-> Microsoft (outlook.com etc.) accounts will not be listed in Win32 nor UWP for privacy reasons.
+For console applications it is a bit more involved, because of the terminal window and its tabs. Use the following code:
 
-Applications cannot remove accounts from Windows! 
-
-## RemoveAsync
-
-- Removes all account information from MSAL's token cache (this includes MSA, that is, personal accounts information copied by MSAL into its cache).
-- Removes app-only (not OS-wide) accounts.
-
->[!NOTE]
-> Only users can remove OS accounts, whereas apps themselves cannot. If an OS account is passed into `RemoveAsync`, and then `GetAccounts` is called with `ListWindowsWorkAndSchoolAccounts` enabled, the same OS accounts will still be returned.
-
-## Other considerations
-
-- WAM's interactive operations require being on the UI thread. MSAL throws a meaningful exception when not on UI thread. This doesn't apply to console apps.
-- `WithAccount` provides an accelerated authentication experience if the MSAL account was originally obtained via WAM, or, WAM can find a work and school account in Windows.
-- WAM isn't able to pre-populate the username field with a login hint, unless a Work and School account with the same username is found in Windows.
-- If WAM is unable to offer an accelerated authentication experience, it will show an account picker. Users can add new accounts.
-
-!["WAM account picker"](media/scenario-desktop-acquire-token-wam/wam-account-picker.png)
+```csharp
+enum GetAncestorFlags
+{   
+    GetParent = 1,
+    GetRoot = 2,
+    /// <summary>
+    /// Retrieves the owned root window by walking the chain of parent and owner windows returned by GetParent.
+    /// </summary>
+    GetRootOwner = 3
+}
 
-- New accounts are automatically remembered by Windows. Work and School have the option of joining the organization's directory or opting out completely, in which case the account won't appear under "Email & Accounts". Microsoft accounts are automatically added to Windows. Apps can't list these accounts programmatically (but only through the Account Picker).
+/// <summary>
+/// Retrieves the handle to the ancestor of the specified window.
+/// </summary>
+/// <param name="hwnd">A handle to the window whose ancestor is to be retrieved.
+/// If this parameter is the desktop window, the function returns NULL. </param>
+/// <param name="flags">The ancestor to be retrieved.</param>
+/// <returns>The return value is the handle to the ancestor window.</returns>
+[DllImport("user32.dll", ExactSpelling = true)]
+static extern IntPtr GetAncestor(IntPtr hwnd, GetAncestorFlags flags);
+
+[DllImport("kernel32.dll")]
+static extern IntPtr GetConsoleWindow();
+
+// This is your window handle!
+public IntPtr GetConsoleOrTerminalWindow()
+{
+   IntPtr consoleHandle = GetConsoleWindow();
+   IntPtr handle = GetAncestor(consoleHandle, GetAncestorFlags.GetRootOwner );
+  
+   return handle;
+}
+```
 
 ## Troubleshooting
 
-### "Either the user canceled the authentication or the WAM Account Picker crashed because the app is running in an elevated process" error message
-
-When an app that uses MSAL is run as an elevated process, some of these calls within WAM may fail due to different process security levels. Internally MSAL.NET uses native Windows methods ([COM](/windows/win32/com/the-component-object-model)) to integrate with WAM. Starting with version 4.32.0, MSAL will display a descriptive error message when it detects that the app process is elevated and WAM returned no accounts.
-
-One solution is to not run the app as elevated, if possible. Another solution is for the app developer to call `WindowsNativeUtils.InitializeProcessSecurity` method when the app starts up. This will set the security of the processes used by WAM to the same levels. See [this sample app](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/blob/master/tests/devapps/WAM/NetCoreWinFormsWam/Program.cs#L18-L21) for an example. However, note, that this solution isn't guaranteed to succeed to due external factors like the underlying CLR behavior. In that case, an `MsalClientException` will be thrown. For more information, see issue [#2560](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/2560).
-
 ### "WAM Account Picker did not return an account" error message
 
 This message indicates that either the application user closed the dialog that displays accounts, or the dialog itself crashed. A crash might occur if AccountsControl, a Windows control, is registered incorrectly in Windows. To resolve this issue: 
@@ -162,16 +162,10 @@ This message indicates that either the application user closed the dialog that d
    if (-not (Get-AppxPackage Microsoft.AccountsControl)) { Add-AppxPackage -Register "$env:windir\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AppxManifest.xml" -DisableDevelopmentMode -ForceApplicationShutdown } Get-AppxPackage Microsoft.AccountsControl
    ```
 
-### Connection issues
-
-The application user sees an error message similar to "Please check your connection and try again". If this issue occurs regularly, see the [troubleshooting guide for Office](/office365/troubleshoot/authentication/connection-issue-when-sign-in-office-2016), which also uses WAM.
-
 ## Sample
 
 [WPF sample that uses WAM](https://github.com/azure-samples/active-directory-dotnet-desktop-msgraph-v2)
 
-[UWP sample that uses WAM, along Xamarin](https://github.com/Azure-Samples/active-directory-xamarin-native-v2/tree/master/2-With-broker)
-
 ---
 ## Next steps
 
