Merge pull request #115028 from msmimart/mm-msalupdate

[App Proxy] MSAL updates (replaces PR 53645)

Author: v-albemi

articles/active-directory/manage-apps/application-proxy-configure-native-client-application.md

@@ -12,23 +12,23 @@ ms.workload: identity
 ms.tgt_pltfrm: na
 ms.devlang: na
 ms.topic: conceptual
-ms.date: 04/15/2019
+ms.date: 05/12/2020
 ms.author: mimart
 ms.reviewer: japere
-ms.custom: it-pro, has-adal-ref
+ms.custom: it-pro
 
 ms.collection: M365-identity-device-management
 ---
 
 # How to enable native client applications to interact with proxy applications
 
-You can use Azure Active Directory (Azure AD) Application Proxy to publish web apps, but it also can be used to publish native client applications that are configured with the Azure AD Authentication Library (ADAL). Native client applications differ from web apps because they're installed on a device, while web apps are accessed through a browser.
+You can use Azure Active Directory (Azure AD) Application Proxy to publish web apps, but it also can be used to publish native client applications that are configured with the Microsoft Authentication Library (MSAL). Native client applications differ from web apps because they're installed on a device, while web apps are accessed through a browser.
 
 To support native client applications, Application Proxy accepts Azure AD-issued tokens that are sent in the header. The Application Proxy service does the authentication for the users. This solution doesn't use application tokens for authentication.
 
 ![Relationship between end users, Azure AD, and published applications](./media/application-proxy-configure-native-client-application/richclientflow.png)
 
-To publish native applications, use the Azure AD Authentication Library, which takes care of authentication and supports many client environments. Application Proxy fits into the [Native Application to Web API scenario](../azuread-dev/native-app.md).
+To publish native applications, use the Microsoft Authentication Library, which takes care of authentication and supports many client environments. Application Proxy fits into the [Desktop app that calls a web API on behalf of a signed-in user](https://docs.microsoft.com/azure/active-directory/develop/authentication-flows-app-scenarios#desktop-app-that-calls-a-web-api-on-behalf-of-a-signed-in-user) scenario.
 
 This article walks you through the four steps to publish a native application with Application Proxy and the Azure AD Authentication Library.
 
@@ -53,8 +53,7 @@ You now need to register your application in Azure AD, as follows:
    - To target only accounts that are internal to your organization, select **Accounts in this organizational directory only**.
    - To target only business or educational customers, select **Accounts in any organizational directory**.
    - To target the widest set of Microsoft identities, select **Accounts in any organizational directory and personal Microsoft accounts**.
-
-1. In the **Redirect URI** heading, select **Public client (mobile & desktop)**, and then type the redirect URI for your application.
+1. Under **Redirect URI**, select **Public client (mobile & desktop)**, and then type the redirect URI `https://login.microsoftonline.com/common/oauth2/nativeclient` for your application.
 1. Select and read the **Microsoft Platform Policies**, and then select **Register**. An overview page for the new application registration is created and displayed.
 
 For more detailed information about creating a new application registration, see [Integrating applications with Azure Active Directory](../develop/quickstart-register-app.md).
@@ -66,42 +65,60 @@ Now that you've registered your native application, you can give it access to ot
 1. In the sidebar of the new application registration page, select **API permissions**. The **API permissions** page for the new application registration appears.
 1. Select **Add a permission**. The **Request API permissions** page appears.
 1. Under the **Select an API** setting, select **APIs my organization uses**. A list appears, containing the applications in your directory that expose APIs.
-1. Type in the search box or scroll to find the proxy application that you published in [Step 1: Publish your proxy application](#step-1-publish-your-proxy-application), and then select the proxy application.
+1. Type in the search box or scroll to find the proxy application that you published in [Step 1: Publish your proxy application](https://docs.microsoft.com/azure/active-directory/manage-apps/application-proxy-configure-native-client-application#step-1-publish-your-proxy-application), and then select the proxy application.
 1. In the **What type of permissions does your application require?** heading, select the permission type. If your native application needs to access the proxy application API as the signed-in user, choose **Delegated permissions**.
 1. In the **Select permissions** heading, select the desired permission, and select **Add permissions**. The **API permissions** page for your native application now shows the proxy application and permission API that you added.
 
-## Step 4: Edit the Active Directory Authentication Library
+## Step 4: Add the Microsoft Authentication Library to your code (.NET C# sample)
 
-Edit the native application code in the authentication context of the Active Directory Authentication Library (ADAL) to include the following text:
+Edit the native application code in the authentication context of the Microsoft Authentication Library (MSAL) to include the following text: 
 
-```
+```         
 // Acquire Access Token from AAD for Proxy Application
-AuthenticationContext authContext = new AuthenticationContext("https://login.microsoftonline.com/<Tenant ID>");
-AuthenticationResult result = await authContext.AcquireTokenAsync("< External Url of Proxy App >",
-        "<App ID of the Native app>",
-        new Uri("<Redirect Uri of the Native App>"),
-        PromptBehavior.Never);
-
-//Use the Access Token to access the Proxy Application
-HttpClient httpClient = new HttpClient();
-httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
-HttpResponseMessage response = await httpClient.GetAsync("< Proxy App API Url >");
+IPublicClientApplication clientApp = PublicClientApplicationBuilder
+.Create(<App ID of the Native app>)
+.WithDefaultRedirectUri() // will automatically use the default Uri for native app
+.WithAuthority("https://login.microsoftonline.com/{<Tenant ID>}")
+.Build();
+
+AuthenticationResult authResult = null;
+var accounts = await clientApp.GetAccountsAsync();
+IAccount account = accounts.FirstOrDefault();
+
+IEnumerable<string> scopes = new string[] {"<Scope>"};
+
+try
+ {
+    authResult = await clientApp.AcquireTokenSilent(scopes, account).ExecuteAsync();
+ }
+    catch (MsalUiRequiredException ex)
+ {
+     authResult = await clientApp.AcquireTokenInteractive(scopes).ExecuteAsync();                
+ }
+
+if (authResult != null)
+ {
+  //Use the Access Token to access the Proxy Application
+
+  HttpClient httpClient = new HttpClient();
+  HttpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", authResult.AccessToken);
+  HttpResponseMessage response = await httpClient.GetAsync("<Proxy App Url>");
+ }
 ```
 
 The required info in the sample code can be found in the Azure AD portal, as follows:
 
 | Info required | How to find it in the Azure AD portal |
 | --- | --- |
 | \<Tenant ID> | **Azure Active Directory** > **Properties** > **Directory ID** |
-| \<External Url of Proxy App> | **Enterprise applications** > *your proxy application* > **Application proxy** > **External Url** |
-| \<App ID of the Native app> | **Enterprise applications** > *your native application* > **Properties** > **Application ID** |
-| \<Redirect URI of the Native App> | **Azure Active Directory** > **App registrations** > *your native application* > **Redirect URIs** |
-| \<Proxy App API Url> | **Azure Active Directory** > **App registrations** > *your native application* > **API permissions** > **API / PERMISSIONS NAME** |
+| \<App ID of the Native app> | **Application registration** > *your native application* > **Overview** > **Application ID** |
+| \<Scope> | **Application registration** > *your native application* > **API permissions** > Click on the Permission API (user_impersonation) > A panel with the caption **user_impersonation** appears on the right hand side. > The scope is the URL in the edit box.
+| \<Proxy App Url> | the External Url and path to the API
 
-After you edit the ADAL with these parameters, your users can authenticate to native client applications even when they're outside of the corporate network.
+After you edit the MSAL code with these parameters, your users can authenticate to native client applications even when they are outside of the corporate network.
 
 ## Next steps
 
 For more information about the native application flow, see [Native apps in Azure Active Directory](../azuread-dev/native-app.md).
 
-Learn about setting up [Single sign-on to applications in Azure Active Directory](what-is-single-sign-on.md#choosing-a-single-sign-on-method).
+Learn about setting up [Single sign-on to applications in Azure Active Directory](what-is-single-sign-on.md#choosing-a-single-sign-on-method).