JohnStotko-unplugged/EntraIDExample
This project provides a reference for how to get an access token via Entra ID.

Motivation

The need arose while working on an MCP server for Azure DevOps, different from the one provided by Microsoft (see GitHub: microsoft/azure-devops-mcp). I wanted something that would only query things like work items and test plans, with no editing.

For accessing the Azure DevOps API, Microsoft no longer recommends using Personal Access Tokens and provides Entra ID as the alternative. See Microsoft Dev Blogs: Reducing personal access token (PAT) usage across Azure DevOps. So here we are. This also makes it easier to share with other devs: no need to instruct them on how to configure their PAT, they just sign in.

For this example program, I've chosen to use the scope User.Read.All, as that's something that exists in an Entra instance. To get an access token for Azure DevOps, you'll want to find the Azure DevOps application id in your Entra instance. See Stack Overflow: Use of Secrets Management tool.

Once located, the scope you'll want to use is <AzureDevOps application id>/.default.

Quick Start

  1. Clone this repository.

  2. Register your app in Entra ID (see Entra Setup).

  3. Set your secrets using the .NET user-secrets tool (see Use of Secrets Management tool).

  4. Run the app:

dotnet run

Entra Setup

In your instance of Entra ID (Azure Active Directory), you'll need to create a new App Registration:

  1. Go to Azure Portal → Azure Active Directory → App registrations.
  2. Click "New registration" and fill in:
    • Name: Choose a name for your app.
    • Supported account types: Choose as appropriate for your scenario.
    • Redirect URI:
      For this example http://localhost was used (add this in the "Redirect URI" section).
  3. After registration, copy the Application (client) ID and Directory (tenant) ID.
    You will use these as AzureClientId and AzureTenantId.

The token acquirer requests an access token on your behalf, as the app you're registering, with the requested scopes.

The first time you sign in, you'll go through the normal account-selection screen, followed by a "Permissions Requested" page that tells you which scopes you are granting to the registered application. Once you've consented, that page may not appear again unless you revoke those permissions.

Use of Secrets Management tool

In an effort to protect sensitive data, I've opted to use the .NET user-secrets tool (Secret Manager) to store the client and tenant ids, so they stay out of the repository. See Microsoft Learn: Safe storage of app secrets in development in ASP.NET Core.

If you're running this console app locally, you'll need to run these commands with the client and tenant ids from your Entra app registration.

dotnet user-secrets set "AzureClientId" "<your client id>"
dotnet user-secrets set "AzureTenantId" "<your tenant id>"

Using the Access Token

TODO: Validate the snippet below works

using System.Net.Http;
using System.Net.Http.Headers;

// accessToken is assumed to be the MSAL AuthenticationResult returned by AcquireToken*
using var httpClient = new HttpClient();
var authHeader = accessToken.CreateAuthorizationHeader(); // "Bearer <token>"
httpClient.DefaultRequestHeaders.Authorization =
    AuthenticationHeaderValue.Parse(authHeader);
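The pieces above put together, as an added example that is not the repository's own code: the client and tenant ids come from user-secrets, MSAL signs the user in interactively with the http://localhost redirect, a silent acquisition is tried first so the "Permissions Requested" page is only shown when needed, and the resulting bearer header is sent to Azure DevOps. The scope and organization are the README's placeholders; the Microsoft.Identity.Client and Microsoft.Extensions.Configuration.UserSecrets packages are assumed, and `dotnet user-secrets init` must have been run on the project.

```csharp
using System;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.Extensions.Configuration;
using Microsoft.Identity.Client;

// Read the ids from the user-secrets store (never from source or appsettings in git).
var config = new ConfigurationBuilder().AddUserSecrets<Program>().Build();
string clientId = config["AzureClientId"] ?? throw new InvalidOperationException("AzureClientId not set");
string tenantId = config["AzureTenantId"] ?? throw new InvalidOperationException("AzureTenantId not set");

// Placeholder from the README: the Azure DevOps application id in your tenant, then /.default.
string[] scopes = { "<AzureDevOps application id>/.default" };

// Public client: a console app cannot keep a secret, so it signs the user in instead.
var app = PublicClientApplicationBuilder.Create(clientId)
    .WithAuthority(AzureCloudInstance.AzurePublic, tenantId)
    .WithRedirectUri("http://localhost")   // matches the app registration's redirect URI
    .Build();

AuthenticationResult result;
var account = (await app.GetAccountsAsync()).FirstOrDefault();
try
{
    // Silent first: reuses the cached token, no browser and no consent page.
    result = await app.AcquireTokenSilent(scopes, account).ExecuteAsync();
}
catch (MsalUiRequiredException)
{
    // First run, or consent revoked: open the system browser for sign-in and consent.
    result = await app.AcquireTokenInteractive(scopes).ExecuteAsync();
}

using var httpClient = new HttpClient();
httpClient.DefaultRequestHeaders.Authorization =
    AuthenticationHeaderValue.Parse(result.CreateAuthorizationHeader()); // "Bearer <token>"

// Read-only call: list projects in the organization (placeholder org name).
var response = await httpClient.GetAsync(
    "https://dev.azure.com/<your org>/_apis/projects?api-version=7.1");
Console.WriteLine($"Token expires {result.ExpiresOn:u}; API returned {(int)response.StatusCode}");
```

The token itself is never written to the console or to disk; only its expiry is printed, so a pasted log does not leak a usable credential.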

About

Example of how to get an authentication token using Entra ID
