ConfidentialClientApplication Class


Class to be used for confidential client applications (web apps, web APIs, and daemon applications).

public sealed class ConfidentialClientApplication : Microsoft.Identity.Client.ClientApplicationBase, Microsoft.Identity.Client.IByRefreshToken, Microsoft.Identity.Client.IConfidentialClientApplication, Microsoft.Identity.Client.IConfidentialClientApplicationWithCertificate
type ConfidentialClientApplication = class
    inherit ClientApplicationBase
    interface IConfidentialClientApplication
    interface IClientApplicationBase
    interface IConfidentialClientApplicationWithCertificate
    interface IByRefreshToken
Public NotInheritable Class ConfidentialClientApplication
Inherits ClientApplicationBase
Implements IByRefreshToken, IConfidentialClientApplication, IConfidentialClientApplicationWithCertificate


Confidential client applications are typically applications which run on servers (web apps, web APIs, or even service/daemon applications).

They are considered difficult to access, and therefore capable of keeping an application secret (they hold configuration-time secrets, as these values would be difficult for end users to extract).

A web app is the most common confidential client. The clientId is exposed through the web browser, but the secret is passed only in the back channel and never directly exposed.



Instructs MSAL to try to auto discover the Azure region.



Details on the configuration of the ClientApplication for debugging purposes.

(Inherited from ClientApplicationBase)
Authority (Inherited from ClientApplicationBase)

The certificate used to create this ConfidentialClientApplication, if any.

UserTokenCache (Inherited from ClientApplicationBase)


AcquireTokenByAuthorizationCode(IEnumerable<String>, String)

Acquires a security token from the authority configured in the app using the authorization code previously received from the STS. It uses the OAuth 2.0 authorization code flow. It's usually used in web apps (for instance ASP.NET / ASP.NET Core web apps) which sign in users and can request an authorization code. This method does not look up the token cache, but stores the result in it, so it can be looked up using other methods such as AcquireTokenSilent(IEnumerable<String>, IAccount).


Acquires a token from the authority configured in the app, for the confidential client itself (in the name of no user) using the client credentials flow.

AcquireTokenOnBehalfOf(IEnumerable<String>, UserAssertion)

Acquires an access token for this application (usually a Web API) from the authority configured in the application, in order to access another downstream protected web API on behalf of a user using the OAuth 2.0 On-Behalf-Of flow. This confidential client application was itself called with a token which will be provided in the userAssertion parameter.

AcquireTokenSilent(IEnumerable<String>, IAccount)

[V3 API] Attempts to acquire an access token for the account from the user token cache.

(Inherited from ClientApplicationBase)
AcquireTokenSilent(IEnumerable<String>, String)

[V3 API] Attempts to acquire an access token from the user token cache for the IAccount whose Username matches the given loginHint.

(Inherited from ClientApplicationBase)

Get the IAccount by its identifier among the accounts available in the token cache.

(Inherited from ClientApplicationBase)

Returns all the available IAccount in the user token cache for the application.

(Inherited from ClientApplicationBase)

Get the IAccount collection by its identifier among the accounts available in the token cache, based on the user flow. This is for Azure AD B2C scenarios.

(Inherited from ClientApplicationBase)

Computes the URL of the authorization request letting the user sign in and consent to the application accessing specific scopes in the user's name. The URL targets the /authorize endpoint of the authority configured in the application. This override enables you to specify a login hint and extra query parameters.


Removes all tokens in the cache for the specified account.

(Inherited from ClientApplicationBase)

Explicit Interface Implementations

IByRefreshToken.AcquireTokenByRefreshToken(IEnumerable<String>, String)

Extension Methods


Returns the certificate used to create this ConfidentialClientApplication, if any.
