ApplicationOptions Class


Base class for options objects with string values loadable from a configuration file (for instance a JSON file, as in an configuration scenario) See See also derived classes PublicClientApplicationOptions and ConfidentialClientApplicationOptions

public abstract class ApplicationOptions
type ApplicationOptions = class
Public MustInherit Class ApplicationOptions





Sign-in audience. This property is mutually exclusive with TenantId. If both are provided, an exception will be thrown.


Specific instance in the case of Azure Active Directory. It allows users to use the enum instead of the explicit url. This property is mutually exclusive with Instance. If both are provided, an exception will be thrown.


Client ID (also known as App ID) of the application as registered in the application registration portal (


The name of the calling application for telemetry purposes.


The version of the calling application for telemetry purposes.


Identifier of the component (libraries/SDK) consuming MSAL.NET. This will allow for disambiguation between MSAL usage by the app vs MSAL usage by component libraries.


Flag to enable/disable logging of Personally Identifiable Information (PII). PII logs are never written to default outputs like Console, Logcat or NSLog Default is set to false, which ensures that your application is compliant with GDPR. You can set it to true for advanced debugging requiring PII. See


STS instance (for instance for the Azure public cloud). The name was chosen to ensure compatibility with AzureAdOptions in ASP.NET Core. This property is mutually exclusive with AzureCloudInstance. If both are provided, an exception will be thrown.


Flag to enable/disable logging to platform defaults. In Desktop/UWP, Event Tracing is used. In iOS, NSLog is used. In Android, logcat is used. The default value is false. See


Enables you to configure the level of logging you want. The default value is Info. Setting it to Error will only get errors Setting it to Warning will get errors and warning, etc.. See


The redirect URI (also known as Reply URI or Reply URL), is the URI at which Azure AD will contact back the application with the tokens. This redirect URI needs to be registered in the app registration ( In MSAL.NET, IPublicClientApplication defines the following default RedirectUri values:

  • urn:ietf:wg:oauth:2.0:oob for desktop (.NET Framework and .NET Core) applications
  • msal{ClientId} for Xamarin iOS and Xamarin Android without broker (as this will be used by the system web browser by default on these platforms to call back the application)
These default URIs could change in the future.

For Web Apps and Web APIs, the redirect URI can be the URL of the application

For daemon applications (confidential client applications using only the Client Credential flow that is calling AcquireTokenForClient), no reply URI is needed.


Tenant from which the application will allow users to sign it. This can be: a domain associated with a tenant, a guid (tenant id), or a meta-tenant (e.g. consumers). This property is mutually exclusive with AadAuthorityAudience. If both are provided, an exception will be thrown.

Applies to