Updating the other articles for daemon

Author: jmprieur

articles/active-directory/develop/scenario-daemon-acquire-token.md

@@ -22,11 +22,23 @@ After you've constructed a confidential client application, you can acquire a to
 
 The scope to request for a client credential flow is the name of the resource followed by `/.default`. This notation tells Azure Active Directory (Azure AD) to use the *application-level permissions* declared statically during application registration. Also, these API permissions must be granted by a tenant administrator.
 
-# [.NET](#tab/dotnet)
+# [.NET](#tab/idweb)
 
-```csharp
-ResourceId = "someAppIDURI";
-var scopes = new [] {  ResourceId+"/.default"};
+Here's an example of defining the scopes for the web API as part of the configuration in an [*appsettings.json*](https://github.com/Azure-Samples/active-directory-dotnetcore-daemon-v2/blob/master/2-Call-OwnApi/daemon-console/appsettings.json) file. This example is taken from the [.NET Core console daemon](https://github.com/Azure-Samples/active-directory-dotnetcore-daemon-v2) code sample on GitHub.
+
+```json
+{
+	"AzureAd": {
+		// Same AzureAd section as before.
+	},
+
+	"MyWebApi": {
+		"BaseUrl": "https://localhost:44372/",
+		"RelativePath": "api/TodoList",
+		"RequestAppToken": true,
+		"Scopes": [ "[Enter here the scopes for your web API]" ]
+	}
+}
 ```
 
 # [Java](#tab/java)
@@ -53,6 +65,13 @@ In MSAL Python, the configuration file looks like this code snippet:
 }
 ```
 
+# [.NET (low level)](#tab/dotnet)
+
+```csharp
+ResourceId = "someAppIDURI";
+var scopes = new [] {  ResourceId+"/.default"};
+```
+
 ---
 
 ### Azure AD (v1.0) resources
@@ -65,41 +84,29 @@ The scope used for client credentials should always be the resource ID followed
 
 ## AcquireTokenForClient API
 
-To acquire a token for the app, you'll use `AcquireTokenForClient` or its equivalent, depending on the platform.
+To acquire a token for the app, use `AcquireTokenForClient` or its equivalent, depending on the platform.
 
-# [.NET](#tab/dotnet)
+# [.NET](#tab/idweb)
+
+With Microsoft.Identity.Web, you don't need to acquire a token. You can use higher level APIs, as you see in [Calling a web API from a daemon application](scenario-daemon-call-api.md). If however you're using an SDK that requires a token, the following code snippet shows how to get this token.
 
 ```csharp
-using Microsoft.Identity.Client;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Identity.Abstractions;
+using Microsoft.Identity.Web;
 
-// With client credentials flows, the scope is always of the shape "resource/.default" because the
-// application permissions need to be set statically (in the portal or by PowerShell), and then granted by
-// a tenant administrator.
-string[] scopes = new string[] { "https://graph.microsoft.com/.default" };
+// In the Program.cs, acquire a token for your downstream API
 
-AuthenticationResult result = null;
-try
-{
- result = await app.AcquireTokenForClient(scopes)
-                  .ExecuteAsync();
-}
-catch (MsalUiRequiredException ex)
-{
-    // The application doesn't have sufficient permissions.
-    // - Did you declare enough app permissions during app creation?
-    // - Did the tenant admin grant permissions to the application?
-}
-catch (MsalServiceException ex) when (ex.Message.Contains("AADSTS70011"))
-{
-    // Invalid scope. The scope has to be in the form "https://resourceurl/.default"
-    // Mitigation: Change the scope to be as expected.
-}
+var tokenAcquirerFactory = TokenAcquirerFactory.GetDefaultInstance();
+ITokenAcquirer acquirer = tokenAcquirerFactory.GetTokenAcquirer();
+AcquireTokenResult tokenResult = await acquirer.GetTokenForUserAsync(new[] { https://graph.microsoft.com/.default" });
+string accessToken = tokenResult.AccessToken;
 ```
 
 ### AcquireTokenForClient uses the application token cache
 
 In MSAL.NET, `AcquireTokenForClient` uses the application token cache. (All the other AcquireToken*XX* methods use the user token cache.)
-Don't call `AcquireTokenSilent` before you call `AcquireTokenForClient`, because `AcquireTokenSilent` uses the *user* token cache. `AcquireTokenForClient` checks the *application* token cache itself and updates it.
+Don't call `AcquireTokenSilent` before you call `AcquireTokenForClient` because `AcquireTokenSilent` uses the *user* token cache. `AcquireTokenForClient` checks the *application* token cache itself and updates it.
 
 # [Java](#tab/java)
 
@@ -152,7 +159,7 @@ private static IAuthenticationResult acquireToken() throws Exception {
 
 # [Node.js](#tab/nodejs)
 
-The code snippet below illustrates token acquisition in an MSAL Node confidential client application:
+The following code snippet illustrates token acquisition in an MSAL Node confidential client application:
 
 ```JavaScript
 try {
@@ -187,6 +194,40 @@ else:
     print(result.get("correlation_id"))  # You might need this when reporting a bug.
 ```
 
+# [.NET (low level)](#tab/dotnet)
+
+```csharp
+using Microsoft.Identity.Client;
+
+// With client credentials flows, the scope is always of the shape "resource/.default" because the
+// application permissions need to be set statically (in the portal or by PowerShell), and then granted by
+// a tenant administrator.
+string[] scopes = new string[] { "https://graph.microsoft.com/.default" };
+
+AuthenticationResult result = null;
+try
+{
+ result = await app.AcquireTokenForClient(scopes)
+                  .ExecuteAsync();
+}
+catch (MsalUiRequiredException ex)
+{
+    // The application doesn't have sufficient permissions.
+    // - Did you declare enough app permissions during app creation?
+    // - Did the tenant admin grant permissions to the application?
+}
+catch (MsalServiceException ex) when (ex.Message.Contains("AADSTS70011"))
+{
+    // Invalid scope. The scope has to be in the form "https://resourceurl/.default"
+    // Mitigation: Change the scope to be as expected.
+}
+```
+
+### AcquireTokenForClient uses the application token cache
+
+In MSAL.NET, `AcquireTokenForClient` uses the application token cache. (All the other AcquireToken*XX* methods use the user token cache.)
+Don't call `AcquireTokenSilent` before you call `AcquireTokenForClient`, because `AcquireTokenSilent` uses the *user* token cache. `AcquireTokenForClient` checks the *application* token cache itself and updates it.
+
 ---
 
 ### Protocol
@@ -253,10 +294,10 @@ If your daemon app calls your own web API and you weren't able to add an app per
 
 ## Next steps
 
-# [.NET](#tab/dotnet)
+# [.NET](#tab/idweb)
 
 Move on to the next article in this scenario,
-[Calling a web API](./scenario-daemon-call-api.md?tabs=dotnet).
+[Calling a web API](./scenario-daemon-call-api.md?tabs=idweb).
 
 # [Java](#tab/java)
 
@@ -273,4 +314,8 @@ Move on to the next article in this scenario,
 Move on to the next article in this scenario,
 [Calling a web API](./scenario-daemon-call-api.md?tabs=python).
 
+# [.NET low level](#tab/dotnet)
+
+Move on to the next article in this scenario,
+[Calling a web API](./scenario-daemon-call-api.md?tabs=dotnet).
 ---

articles/active-directory/develop/scenario-daemon-call-api.md

@@ -20,15 +20,53 @@ ms.custom: aaddev
 
 # Daemon app that calls web APIs - call a web API from the app
 
-.NET daemon apps can call a web API. .NET daemon apps can also call several pre-approved web APIs.
+.NET daemon apps can call a web API. .NET daemon apps can also call several preapproved web APIs.
 
 ## Calling a web API from a daemon application
 
 Here's how to use the token to call an API:
 
-# [.NET](#tab/dotnet)
+# [.NET](#tab/idweb)
 
-[!INCLUDE [Call web API in .NET](../../../includes/active-directory-develop-scenarios-call-apis-dotnet.md)]
+Microsoft.Identity.Web abstracts away the complexity of MSAL.NET. It provides you with higher-level APIs that handle the internals of MSAL.NET for you, such as processing Conditional Access errors, caching.
+
+Here's the Program.cs of the daemon app calling a downstream API:
+
+```csharp
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Identity.Abstractions;
+using Microsoft.Identity.Web;
+
+// In the Program.cs, acquire a token for your downstream API
+
+var tokenAcquirerFactory = TokenAcquirerFactory.GetDefaultInstance();
+tokenAcquirerFactory.Services.AddDownstreamApi("MyApi",
+    tokenAcquirerFactory.Configuration.GetSection("MyWebApi"));
+var sp = tokenAcquirerFactory.Build();
+
+var api = sp.GetRequiredService<IDownstreamApi>();
+var result = await api.GetForAppAsync<IEnumerable<TodoItem>>("MyApi");
+Console.WriteLine($"result = {result?.Count()}");
+```
+
+Here's the Program.cs of a daemon app that calls Microsoft Graph:
+
+```csharp
+var tokenAcquirerFactory = TokenAcquirerFactory.GetDefaultInstance();
+tokenAcquirerFactory.Services.AddMicrosoftGraph();
+var serviceProvider = tokenAcquirerFactory.Build();
+try
+{
+    GraphServiceClient graphServiceClient = serviceProvider.GetRequiredService<GraphServiceClient>();
+    var users = await graphServiceClient.Users
+        .Request()
+        .WithAppOnly()
+        .GetAsync();
+    Console.WriteLine($"{users.Count} users");
+    Console.ReadKey();
+}
+catch (Exception ex) { Console.WriteLine("We could not retrieve the user's list: " + $"{ex}"); }
+```
 
 # [Java](#tab/java)
 
@@ -86,18 +124,22 @@ http_headers = {'Authorization': 'Bearer ' + result['access_token'],
 data = requests.get(endpoint, headers=http_headers, stream=False).json()
 ```
 
+# [.NET low level](#tab/dotnet)
+
+[!INCLUDE [Call web API in .NET](../../../includes/active-directory-develop-scenarios-call-apis-dotnet.md)]
+
 ---
 
 ## Calling several APIs
 
-For daemon apps, the web APIs that you call need to be pre-approved. There's no incremental consent with daemon apps. (There's no user interaction.) The tenant admin needs to provide consent in advance for the application and all the API permissions. If you want to call several APIs, acquire a token for each resource, each time calling `AcquireTokenForClient`. MSAL will use the application token cache to avoid unnecessary service calls.
+For daemon apps, the web APIs that you call need to be preapproved. There's no incremental consent with daemon apps. (There's no user interaction.) The tenant admin needs to provide consent in advance for the application and all the API permissions. If you want to call several APIs, acquire a token for each resource, each time calling `AcquireTokenForClient`. MSAL uses the application token cache to avoid unnecessary service calls.
 
 ## Next steps
 
-# [.NET](#tab/dotnet)
+# [.NET](#tab/idweb)
 
 Move on to the next article in this scenario,
-[Move to production](./scenario-daemon-production.md?tabs=dotnet).
+[Move to production](./scenario-daemon-production.md?tabs=idweb).
 
 # [Java](#tab/java)
 
@@ -114,4 +156,9 @@ Move on to the next article in this scenario,
 Move on to the next article in this scenario,
 [Move to production](./scenario-daemon-production.md?tabs=python).
 
----
+# [.NET low level](#tab/dotnet)
+
+Move on to the next article in this scenario,
+[Move to production](./scenario-daemon-production.md?tabs=dotnet).
+
+---