Quickstart: Acquire a token and call Microsoft Graph API from a Windows desktop app

In this quickstart, you'll learn how to write a Windows desktop .NET (WPF) application that can sign in personal, work and school accounts, get an access token, and call the Microsoft Graph API.

Shows how the sample app generated by this quickstart works

Register and download your quickstart app

You have two options to start your quickstart application:

Option 1: Register and auto configure your app and then download your code sample

  1. Go to the new Azure portal - App registrations.
  2. Enter a name for your application and select Register.
  3. Follow the instructions to download and automatically configure your new application with just one click.

Option 2: Register and manually configure your application and code sample

Step 1: Register your application

To register your application and add the app's registration information to your solution manually, follow these steps:

  1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
  2. If your account gives you access to more than one tenant, select your account in the top right corner, and set your portal session to the desired Azure AD tenant.
  3. Navigate to the Microsoft identity platform for developers App registrations page.
  4. Select New registration.
    • In the Name section, enter a meaningful application name that will be displayed to users of the app, for example Win-App-calling-MsGraph.
    • In the Supported account types section, select Accounts in any organizational directory and personal Microsoft accounts (for example, Skype, Xbox, Outlook.com).
    • Select Register to create the application.
  5. In the list of pages for the app, select Authentication.
  6. Expand the Desktop + devices section. (If Desktop + devices is not visible, first click the top banner to view the preview Authentication experience)
  7. Under the Redirect URI section, select Add URI. Type urn:ietf:wg:oauth:2.0:oob.
  8. Select Save.

Step 1: Configure your application in Azure portal

For the code sample for this quickstart to work, you need to add a reply URL as urn:ietf:wg:oauth:2.0:oob.

Already configured Your application is configured with these attributes.

Step 2: Download your Visual Studio project

Download the Visual Studio project (View Project on Github)

Step 3: Configure your Visual Studio project

  1. Extract the zip file to a local folder close to the root of the disk, for example, C:\Azure-Samples.

  2. Open the project in Visual Studio.

  3. Edit App.Xaml.cs and replace the values of the fields ClientId and Tenant with the following code:

    private static string ClientId = "Enter_the_Application_Id_here";
    private static string Tenant = "Enter_the_Tenant_Info_Here";
    

Note

This quickstart supports Enter_the_Supported_Account_Info_Here.

Where:

  • Enter_the_Application_Id_here - is the Application (client) ID for the application you registered.
  • Enter_the_Tenant_Info_Here - is set to one of the following options:
    • If your application supports Accounts in this organizational directory, replace this value with the Tenant Id or Tenant name (for example, contoso.microsoft.com)
    • If your application supports Accounts in any organizational directory, replace this value with organizations
    • If your application supports Accounts in any organizational directory and personal Microsoft accounts, replace this value with common

Tip

To find the values of Application (client) ID, Directory (tenant) ID, and Supported account types, go to the app's Overview page in the Azure portal.

More information

MSAL.NET

MSAL (Microsoft.Identity.Client) is the library used to sign in users and request tokens used to access an API protected by Microsoft identity platform. You can install MSAL by running the following command in Visual Studio's Package Manager Console:

Install-Package Microsoft.Identity.Client -IncludePrerelease

MSAL initialization

You can add the reference for MSAL by adding the following code:

using Microsoft.Identity.Client;

Then, initialize MSAL using the following code:

public static IPublicClientApplication PublicClientApp;
PublicClientApplicationBuilder.Create(ClientId)
                .WithAuthority(AzureCloudInstance.AzurePublic, Tenant)
                .Build();
Where:
ClientId Is the Application (client) ID for the application registered in the Azure portal. You can find this value in the app's Overview page in the Azure portal.

Requesting tokens

MSAL has two methods for acquiring tokens: AcquireTokenInteractive and AcquireTokenSilent.

Get a user token interactively

Some situations require forcing users interact with the Microsoft identity platform endpoint through a popup window to either validate their credentials or to give consent. Some examples include:

  • The first time users sign in to the application
  • When users may need to reenter their credentials because the password has expired
  • When your application is requesting access to a resource that the user needs to consent to
  • When two factor authentication is required
authResult = await App.PublicClientApp.AcquireTokenInteractive(_scopes)
                                      .ExecuteAsync();
Where:
_scopes Contains the scopes being requested, such as { "user.read" } for Microsoft Graph or { "api://<Application ID>/access_as_user" } for custom Web APIs.

Get a user token silently

You don't want to require the user to validate their credentials every time they need to access a resource. Most of the time you want token acquisitions and renewal without any user interaction. You can use the AcquireTokenSilentAsync method to obtain tokens to access protected resources after the initial AcquireTokenInteractive method:

var accounts = await App.PublicClientApp.GetAccountsAsync();
var firstAccount = accounts.FirstOrDefault();
authResult = await App.PublicClientApp.AcquireTokenSilent(scopes, firstAccount)
                                      .ExecuteAsync();
Where:
scopes Contains the scopes being requested, such as { "user.read" } for Microsoft Graph or { "api://<Application ID>/access_as_user" } for custom Web APIs.
firstAccount Specifies the first user in the cache (MSAL support multiple users in a single app).

Help and support

If you need help, want to report an issue, or want to learn more about your support options, see the following article:

Next steps

Try out the Windows desktop tutorial for a complete step-by-step guide on building applications and new features, including a full explanation of this quickstart.