Managed Identity Support in MSAL
A common challenge for developers is the management of secrets, credentials, certificates, and keys used to secure communication between services. Managed identities eliminate the need for developers to manage these credentials. For more information on managed identity see: https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
System-assigned managed identity:

```csharp
// System-assigned managed identity: no identifier is needed, the identity of the
// Azure resource the code runs on is used. Managed identity support is an experimental
// feature at the time of writing, hence WithExperimentalFeatures().
IManagedIdentityApplication mi = ManagedIdentityApplicationBuilder.Create()
    .WithExperimentalFeatures()
    .Build();

// The resource (audience) to acquire a token for, e.g. Azure Resource Manager.
string resource = "https://management.azure.com";

AuthenticationResult result = await mi.AcquireTokenManagedIdentity(resource)
    .ExecuteAsync()
    .ConfigureAwait(false);
```
User-assigned managed identity:

```csharp
// User-assigned managed identity: pass the identity's client id, or its resource id
// when a client id has not been generated for it.
string userAssignedId = "<client id or resource id of the user-assigned managed identity>";

IManagedIdentityApplication mi = ManagedIdentityApplicationBuilder.Create(userAssignedId)
    .WithExperimentalFeatures()
    .Build();

// The resource (audience) to acquire a token for, e.g. Azure Resource Manager.
string resource = "https://management.azure.com";

AuthenticationResult result = await mi.AcquireTokenManagedIdentity(resource)
    .ExecuteAsync()
    .ConfigureAwait(false);
```
For MSAL logging see: https://aka.ms/msal-net-logging
By default MSAL uses an in-memory token cache. To plug in a custom cache, see https://aka.ms/msal-net-token-cache-serialization. Do not share one cache between two Azure resources that each use a system-assigned managed identity: because of a known issue, the same cached token is served to both resources regardless of which identity it was issued to.
MSAL supports acquiring managed identity tokens from the following Azure sources:
- Azure App Services
- IMDS (VMs)
- Azure Arc
- Cloud Shell
- Service Fabric
For failed requests, the error response from the managed identity endpoint contains a correlation id that can be used for further investigation. This id is different from the MSAL correlation id (whether generated by MSAL or passed in by the caller), because MSAL cannot forward its correlation id to the managed identity token endpoints. When opening a support case, capture both.
MsalServiceException
Error code: managed_identity_failed_response
Error message: An unexpected error occurred while fetching the AAD token

This exception can mean that the resource you are requesting a token for is not supported or is in the wrong format. Examples of accepted resource values:
- https://management.azure.com/.default
- https://management.azure.com
- https://graph.microsoft.com

It can also mean that MSAL does not support acquiring a managed identity token on the source you are running on, or that you are running the sample code from a dev machine where the managed identity endpoint is unreachable: managed identity tokens can only be obtained from inside one of the supported Azure sources listed above.
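The helper below is an added example and is not code from the MSAL.NET wiki or from the library itself. It puts the pieces above together: building the application for either a system-assigned or a user-assigned identity, acquiring a token, and handling `managed_identity_failed_response` so that both the MSAL correlation id and the endpoint's raw response are logged. It assumes the experimental `ManagedIdentityApplicationBuilder.Create()` / `Create(userAssignedId)` API shown on this page, that `WithLogging` is available on that builder (assumption), and the `MsalServiceException` members `ErrorCode`, `CorrelationId`, `StatusCode` and `ResponseBody`.

```csharp
// Added example (not MSAL.NET's own code). Assumes the experimental managed identity
// API described on this page and the Microsoft.Identity.Client preview package.
using System;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class ManagedIdentityTokenHelper
{
    // Error code the page documents for endpoint failures.
    private const string ManagedIdentityFailedResponse = "managed_identity_failed_response";

    // userAssignedId == null selects the system-assigned identity; otherwise pass the
    // client id (or resource id) of the user-assigned identity.
    public static IManagedIdentityApplication Build(string userAssignedId = null)
    {
        var builder = userAssignedId == null
            ? ManagedIdentityApplicationBuilder.Create()
            : ManagedIdentityApplicationBuilder.Create(userAssignedId);

        return builder
            .WithExperimentalFeatures()
            // MSAL logging (https://aka.ms/msal-net-logging). PII logging stays off so
            // identifiers and token material never reach application logs. (assumption:
            // WithLogging is exposed on the managed identity builder)
            .WithLogging(
                (level, message, containsPii) =>
                {
                    if (!containsPii) Console.WriteLine($"[MSAL {level}] {message}");
                },
                LogLevel.Info,
                enablePiiLogging: false)
            .Build();
    }

    public static async Task<string> GetTokenAsync(IManagedIdentityApplication mi, string resource)
    {
        try
        {
            AuthenticationResult result = await mi.AcquireTokenManagedIdentity(resource)
                .ExecuteAsync()
                .ConfigureAwait(false);

            // TokenSource shows whether the in-memory cache or the identity endpoint served the token.
            Console.WriteLine(
                $"Token for {resource} expires {result.ExpiresOn:u} " +
                $"(source: {result.AuthenticationResultMetadata.TokenSource})");
            return result.AccessToken;
        }
        catch (MsalServiceException ex) when (ex.ErrorCode == ManagedIdentityFailedResponse)
        {
            // Usually an unsupported or malformed resource, an unsupported source, or an
            // unreachable endpoint (e.g. a dev box). ex.CorrelationId is MSAL's id; the
            // endpoint's own correlation id, if any, is inside ex.ResponseBody.
            Console.Error.WriteLine(
                $"Managed identity endpoint failed for '{resource}'. " +
                $"MSAL correlation id: {ex.CorrelationId}; HTTP {ex.StatusCode}; " +
                $"response body: {ex.ResponseBody}");
            throw;
        }
        catch (MsalServiceException ex)
        {
            Console.Error.WriteLine(
                $"MSAL error {ex.ErrorCode}: {ex.Message} (MSAL correlation id {ex.CorrelationId})");
            throw;
        }
    }

    public static async Task Main()
    {
        // System-assigned identity, resource in the plain form listed on this page.
        IManagedIdentityApplication mi = Build();
        string token = await GetTokenAsync(mi, "https://management.azure.com");
        Console.WriteLine($"Acquired token ({token.Length} characters)");
    }
}
```

Run this from inside one of the supported sources listed above; on a developer machine the call fails with the `managed_identity_failed_response` path shown in the first catch block, which is exactly the case the page describes.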