Daemon applications use application permissions rather than delegated permissions. So their supported account type can't be an account in any organizational directory. You need to choose accounts in my organization or accounts in any organization.
The authority specified in the application configuration should be tenanted (specifying a tenant ID or a domain name associated with your organization).
Even if you want to provide a multitenant tool, you should use a tenant ID or domain name, and notcommon or organizations with this flow, because the service can't reliably infer which tenant should be used.
Configure and instantiate the application
In MSAL libraries, the client credentials (secret or certificate) are passed as a parameter of the confidential client application construction.
Important
Even if your application is a console application that runs as a service, if it's a daemon application, it needs to be a confidential client application.
Configuration file
The configuration file defines:
The cloud instance and tenant ID, which together make up the authority.
The client ID that you got from the application registration.
Here's an example of defining the configuration in an appsettings.json file. This example is taken from the .NET console daemon code sample on GitHub.
{
"AzureAd": {
"Instance": "https://login.partner.microsoftonline.cn/",
"TenantId": "[Enter here the tenantID or domain name for your Azure AD tenant]",
"ClientId": "[Enter here the ClientId for your application]",
"ClientCredentials": [
{
"SourceType": "ClientSecret",
"ClientSecret": "[Enter here a client secret for your application]"
}
]
}
}
# Credentials
TENANT_ID=Enter_the_Tenant_Info_Here
CLIENT_ID=Enter_the_Application_Id_Here
// You provide either a ClientSecret or a CertificateConfiguration, or a ClientAssertion. These settings are exclusive
CLIENT_SECRET=Enter_the_Client_Secret_Here
CERTIFICATE_THUMBPRINT=Enter_the_certificate_thumbprint_Here
CERTIFICATE_PRIVATE_KEY=Enter_the_certificate_private_key_Here
CLIENT_ASSERTION=Enter_the_Assertion_String_Here
# Endpoints
// the Azure AD endpoint is the authority endpoint for token issuance
AAD_ENDPOINT=Enter_the_Cloud_Instance_Id_Here // https://login.partner.microsoftonline.cn/
// the graph endpoint is the application ID URI of Microsoft Graph
GRAPH_ENDPOINT=Enter_the_Graph_Endpoint_Here // https://microsoftgraph.chinacloudapi.cn/
When you build a confidential client with client secrets, the parameters.json config file in the Python daemon sample is as follows:
{
"authority": "https://login.partner.microsoftonline.cn/<your_tenant_id>",
"client_id": "your_client_id",
"scope": [ "https://microsoftgraph.chinacloudapi.cn/.default" ],
"secret": "The secret generated by Azure AD during your confidential app registration",
"endpoint": "https://microsoftgraph.chinacloudapi.cn/v1.0/users"
}
When you build a confidential client with certificates, the parameters.json config file in the Python daemon sample is as follows:
{
"authority": "https://login.partner.microsoftonline.cn/<your_tenant_id>",
"client_id": "your_client_id",
"scope": [ "https://microsoftgraph.chinacloudapi.cn/.default" ],
"thumbprint": "790E... The thumbprint generated by Azure AD when you upload your public cert",
"private_key_file": "server.pem",
"endpoint": "https://microsoftgraph.chinacloudapi.cn/v1.0/users"
}
Here's an example of defining the configuration in an appsettings.json file. This example is taken from the .NET console daemon code sample on GitHub.
{
"Instance": "https://login.partner.microsoftonline.cn/{0}",
"Tenant": "[Enter here the tenantID or domain name for your Azure AD tenant]",
"ClientId": "[Enter here the ClientId for your application]",
"ClientSecret": "[Enter here a client secret for your application]",
"CertificateName": "[Or instead of client secret: Enter here the name of a certificate (from the user cert store) as registered with your application]"
}
You provide either a ClientSecret or a CertificateName. These settings are exclusive.
Instantiate the MSAL application
To instantiate the MSAL application, add, reference, or import the MSAL package (depending on the language).
The construction is different, depending on whether you're using client secrets or certificates (or, as an advanced scenario, signed assertions).
Reference the package
Reference the MSAL package in your application code.
class Program
{
static async Task Main(string[] _)
{
// Get the Token acquirer factory instance. By default it reads an appsettings.json
// file if it exists in the same folder as the app (make sure that the
// "Copy to Output Directory" property of the appsettings.json file is "Copy if newer").
TokenAcquirerFactory tokenAcquirerFactory = TokenAcquirerFactory.GetDefaultInstance();
// Configure the application options to be read from the configuration
// and add the services you need (Graph, token cache)
IServiceCollection services = tokenAcquirerFactory.Services;
services.AddMicrosoftGraph();
// By default, you get an in-memory token cache.
// For more token cache serialization options, see https://aka.ms/msal-net-token-cache-serialization
// Resolve the dependency injection.
var serviceProvider = tokenAcquirerFactory.Build();
// ...
}
}
The configuration is read from the appsettings.json:
# Pass the parameters.json file as an argument to this Python script. E.g.: python your_py_file.py parameters.json
config = json.load(open(sys.argv[1]))
# Create a preferably long-lived app instance that maintains a token cache.
app = msal.ConfidentialClientApplication(
config["client_id"], authority=config["authority"],
client_credential=config["secret"],
# token_cache=... # Default cache is in memory only.
# You can learn how to use SerializableTokenCache from
# https://msal-python.rtfd.io/en/latest/#msal.SerializableTokenCache
)
The Authority is a concatenation of the cloud instance and the tenant ID, for example https://login.partner.microsoftonline.cn/contoso.partner.onmschina.cn or https://login.partner.microsoftonline.cn/aaaabbbb-0000-cccc-1111-dddd2222eeee. In the appsettings.json file shown in the Configuration file section, instance and tenant are represented by the Instance and Tenant values, respectively.
In the code sample the previous snippet was taken from, Authority is a property on the AuthenticationConfig class, and is defined as such:
/// <summary>
/// URL of the authority
/// </summary>
public string Authority
{
get
{
return String.Format(CultureInfo.InvariantCulture, Instance, Tenant);
}
}
Instantiate the confidential client application with a client certificate
Here's the code to build an application with a certificate:
The code itself is exactly the same. The certificate is described in the configuration.
There are many ways to get the certificate. For details see https://aka.ms/ms-id-web-certificates.
Here's how you would do to get your certificate from KeyVault. Microsoft identity delegates to Azure Identity's DefaultAzureCredential, and used Managed identity when available to access the certificate from KeyVault. You can debug your application locally as it then uses your developer credentials.
# Pass the parameters.json file as an argument to this Python script. E.g.: python your_py_file.py parameters.json
config = json.load(open(sys.argv[1]))
# Create a preferably long-lived app instance that maintains a token cache.
app = msal.ConfidentialClientApplication(
config["client_id"], authority=config["authority"],
client_credential={"thumbprint": config["thumbprint"], "private_key": open(config['private_key_file']).read()},
# token_cache=... # Default cache is in memory only.
# You can learn how to use SerializableTokenCache from
# https://msal-python.rtfd.io/en/latest/#msal.SerializableTokenCache
)
In addition to using a client secret or certificate, confidential client applications can also prove their identity by using client assertions. See
CredentialDescription for details.
In MSAL Python, you can provide client claims by using the claims that will be signed by this ConfidentialClientApplication's private key.
# Pass the parameters.json file as an argument to this Python script. E.g.: python your_py_file.py parameters.json
config = json.load(open(sys.argv[1]))
# Create a preferably long-lived app instance that maintains a token cache.
app = msal.ConfidentialClientApplication(
config["client_id"], authority=config["authority"],
client_credential={"thumbprint": config["thumbprint"], "private_key": open(config['private_key_file']).read()},
client_claims = {"client_ip": "x.x.x.x"}
# token_cache=... # Default cache is in memory only.
# You can learn how to use SerializableTokenCache from
# https://msal-python.rtfd.io/en/latest/#msal.SerializableTokenCache
)
When you use WithClientClaims, MSAL.NET produces a signed assertion that contains the claims expected by Microsoft Entra ID, plus additional client claims that you want to send.
This code shows how to do that: