Protecting an ASP.NET Core Web API using Microsoft identity platform

Build status

About this sample


In this scenario, we protect a web API using the Microsoft identity platform. This ensures that the web API is accessible only to authenticated users. In these samples, we work with apps that authenticate users using both Work and school accounts and personal Microsoft accounts (MSA).

We also enhance the web API to use the on-behalf-of flow to call other web APIs protected by the Microsoft identity platform.


  • Install .NET Core for Windows by following the instructions at which includes Visual Studio 2019.
  • An Azure Active Directory (Azure AD) tenant. For more information on how to get an Azure AD tenant, see Quickstart: Set up a tenant
  • A user account in your Azure AD tenant, or a personal Microsoft account (MSA)

Step 1: Clone or download this repository

From your shell or command line:

git clone

TIP: To avoid path length limitations on Windows, you may need to clone into a directory with a shorter name or near the root of your drive.

Structure of the repository

This repository contains a progressive tutorial made up of the following chapters. We recommend you follow the tutorial in the order presented, but you can try out individual chapters if you wish.

Subfolder Description
1. Desktop app calls a protected Web API In the first chapter, we protect an ASP.Net Core Web API using the Microsoft identity platform. The Web API will be protected using Azure Active Directory OAuth Bearer Authorization. The Web API is called by a .NET Desktop WPF application. In this chapter, the desktop application uses the Microsoft Authentication Library for .NET (MSAL.NET) to sign-in the user to acquire an Access Token for the protected Web API.

2. Web API now calls Microsoft Graph In the second chapter we enhance the Web API to call Microsoft Graph using the on-behalf flow to represent the user signed-in in the desktop application to Microsoft Graph. In this chapter, the Web API uses the MSAL.NET to acquire an Access Token for Microsoft Graph using the on-behalf-of flow

3. Web API and client share the same app id and signs-in MSA users In the third chapter, we present another pattern where a tightly-knit client and Web API share the same client id (app id). In this one we will sign-in users with Microsoft Personal Accounts. The sign-in flow and the call to Web API uses the same flow as chapter 2.

4. Client app calls a Web API with Proof of Possession (PoP) In this chapter, the ASP.NET Core Web API is expecting an Access Token with a Proof of Possession key.


We recommend that you start with chapter 1. Desktop app calls Web API, where you learn how to protect a web API with Azure AD.

Community Help and Support

Use Stack Overflow to get support from the community. Ask your questions on Stack Overflow first and browse existing issues to see if someone has asked your question before. Tag your questions or comments with [msal dotnet].

If you find a bug in the sample, please open an issue on GitHub Issues.

To provide a recommendation, visit the following User Voice page.


If you'd like to contribute to this sample, see CONTRIBUTING.MD.

This project has adopted the Microsoft Open Source Code of Conduct. For more information, see the Code of Conduct FAQ or contact with any additional questions or comments.

Other samples and documentation

See also other samples where a client app calls your own web API:

Then for other samples and docs: