Microsoft Authentication Library Preview

What is MSAL?

Recently, we announced MSAL – the Microsoft Authentication Library. This is the unified library to deal with authentication, across the different identity platforms provided by Microsoft. This includes Microsoft Accounts, Azure AD and Azure AD B2C.

With this brand new library, you are able to leverage our investments into the authentication space – with a streamlined and unified programming model. You no longer have to learn and maintain different code bases for integrating with each identity platform. In addition, you no longer need an Azure subscription to allow for organizations to consume your applications or services!

If you have ever worked with the Active Directory Authentication Library (ADAL), you will feel right at home with MSAL. Many of the primitives and concepts that we used in ADAL, have colored the structure of MSAL. MSAL also features a lot of improvements; such as fewer parameters, better multi-tenant support, incremental consent and much more. Much of this is possible due to the new converged authentication endpoint, you can learn more about it here:

Combining MSAL with the Microsoft Graph creates a great development experience. Where you can build a single code base, that serves and integrates with all of the users and their data in the Microsoft space.

Please note that the MSAL is still in an early preview, so it is still subject to potential changes and updates.

Get started in .NET

If you have used ADAL in the past, much of the code snippets below will be very familiar. Instead, I will introduce you to the improvements to this library that we are sure that you will like. For the rest of you, follow along. I will use Visual Studio 2015 for the following example. I will use a console application, but the primitives and the flow will be exactly the same – whether you’re building a Universal Windows App or something cross-platform with Xamarin.

  1. Open Visual Studio 2015.
  2. Create a new project by opening the File menu, choose Windows and finally select Console Application.
  3. Click OK.
  4. Right click on the project and click on Manage NuGet Packages…
  5. In the NuGet Package Manager, make sure that you’re in the Browse tab and that Include prerelease has been checked.
  6. Search for Microsoft.Identity.Client, select it and click on the Install button.

Image 1

This will install the dependencies into your project. To get started, include the namespace in your source code:

Next up, let’s acquire an access token – this is super straight forward. Be sure that you have registered your application in the new Application Registration Portal. You can read more about doing so here:

Grab the Client Id (Application Id) from the Application Registration Portal, we will need this when creating the authentication context in the console application.

Image 2

In this case, our authentication context will be represented by a primitive called PublicClientApplication. ThePublicClientApplication primitive can be used with native applications. If you’re building something like a web application, you should use the ConfidentialClientApplication primitive. This is because the authentication flow involves a Client Secret (and a few other aspects) at this point – which can also be generated in the Application Registration Portal (Application Secrets) and provided to the primitive.

After creating your authentication context, you can call a couple of different methods on it. In our case, we will use the AcquireToken method. It will all return an AuthenticationResult containing the token response.

Image 3

You might notice that we no longer require you to specify a Resource parameter when calling the AcquireToken method. This is because we changed the flow in the converged authentication endpoint. You will request the scopes you need on the fly in the AcquireToken method – and that’s it! You can learn more about scopes for the Microsoft Graph here:

With that, you can attach the token to your network calls – no matter the identity service.

Image 4

I requested the scope “User.Read”, I can now attach the token to a request towards (for instance) the Microsoft Graph ( and read the user profile. I did so using Fiddler (

Image 5

So requesting a token with MSAL is very simple and familiar. To learn more I would recommend you to check out these links:

Currently the MSAL allows you to develop for .NET 4.5, .NET Core, Windows Universal Apps (UWP) and Xamarin. Stay tuned for more to come!

About the Author: Simon Jäger
Simon Jäger is a part of the evangelism group at Microsoft that builds world-class software and delivers great developer engagements. He works on helping strategic partners and customers to succeed on the Microsoft platform. As a Technical Evangelist for Office 365, his role is very multifaceted. Encompassing everything from architectural guidance, hands-on assistance to deep technical investments.Throughout the years he has been coding for many projects for the Microsoft platform. His primary focus is within extensibility for Office, Office 365 REST APIs and parts of Azure.Simon leads talks and blogs at about cloud architecture and application development. His intention is to help anyone – to realise their ideas with the help of the Microsoft stack. On current computer, console or mobile devices… and the next generation of products in the connected age of technology.

Simon will be speaking at ESPC16 in Vienna: Take a look at his session here: One Endpoint to Rule Them All – Microsoft Graph


Share this on...

Rate this Post: