Merge pull request #427 from MicrosoftDocs/main
Sync to production
localden authored May 23, 2024
2 parents d898351 + 844b3bd commit a16c1f5
Showing 33 changed files with 173 additions and 344 deletions.
12 changes: 12 additions & 0 deletions .openpublishing.redirection.json
Expand Up @@ -47,6 +47,18 @@
{
"source_path": "dotnet/api/overview/msal-public-client/index.md",
"redirect_url": "/dotnet/api/overview/core-msal-net-libraries/"
},
{
"source_path": "msal-dotnet-articles/resources/ios12-security-advisory.md",
"redirect_url": "/entra/msal/dotnet/"
},
{
"source_path": "msal-dotnet-articles/acquiring-tokens/desktop-mobile/uwp.md",
"redirect_url": "/entra/msal/dotnet/"
},
{
"source_path": "msal-dotnet-articles/acquiring-tokens/desktop-mobile/xamarin.md",
"redirect_url": "/entra/msal/dotnet/acquiring-tokens/desktop-mobile/mobile-applications"
}
]
}
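Review bot: the new entries for `msal-dotnet-articles/resources/ios12-security-advisory.md` and `msal-dotnet-articles/acquiring-tokens/desktop-mobile/uwp.md` both redirect to the library root `/entra/msal/dotnet/`, which sends readers of a security advisory and of a platform page to a generic landing page with no pointer to where the guidance went. The Xamarin entry in the same hunk shows the better pattern, redirecting to the page that now covers the material (`/entra/msal/dotnet/acquiring-tokens/desktop-mobile/mobile-applications`); the UWP entry could target a page that still addresses Windows client apps, such as the WAM page that TOC.yml keeps under desktop-mobile, and the iOS 12 advisory should either keep a dedicated page or redirect to wherever its text now lives.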
6 changes: 1 addition & 5 deletions msal-dotnet-articles/TOC.yml
Expand Up @@ -28,9 +28,7 @@
- name: Using MSAL.NET with Web Account Manager (WAM)
href: acquiring-tokens/desktop-mobile/wam.md
- name: Xamarin
href: acquiring-tokens/desktop-mobile/xamarin.md
- name: Universal Windows Platform
href: acquiring-tokens/desktop-mobile/uwp.md
href: acquiring-tokens/desktop-mobile/mobile-applications.md
- name: Sign-in users with social identities
href: acquiring-tokens/desktop-mobile/social-identities.md
- name: Integrated Windows Authentication for domain or Microsoft Entra joined machines
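Review bot: the TOC entry `- name: Xamarin` keeps its label while its `href` moves to `acquiring-tokens/desktop-mobile/mobile-applications.md`, and this same merge retitles that page "Using MSAL.NET With .NET MAUI", so the navigation label and the page heading no longer match. Rename the entry to match the page (for example `- name: .NET MAUI (mobile applications)`) so readers looking for MAUI guidance find it. Dropping the `Universal Windows Platform` entry is consistent with the deletion of uwp.md later in the merge.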
Expand Down Expand Up @@ -185,8 +183,6 @@
href: resources/telemetry-overview.md
- name: Handling of personally identifiable information
href: resources/handling-pii.md
- name: iOS12 security advisory
href: resources/ios12-security-advisory.md
- name: Releases
href: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/releases
- name: MSAL.NET reference documentation
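Review bot: removing `- name: iOS12 security advisory` leaves no navigation path to the advisory, and the redirection change in this merge sends its URL to the library root, so readers who still need it lose the guidance entirely. If the advisory is obsolete, a one-line note under Resources or Releases saying so is preferable to silently dropping it; otherwise keep the entry and point it at wherever the advisory text moved.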
Original file line number Diff line number Diff line change
Expand Up @@ -196,13 +196,10 @@ Depending on the platform, additional configuration might be required for intera

- [Configuration requirements and troubleshooting tips for Xamarin Android with MSAL.NET](/entra/identity-platform/msal-net-xamarin-android-considerations)
- [Considerations for using Xamarin iOS with MSAL.NET](/entra/identity-platform/msal-net-xamarin-ios-considerations)
- [Using MSAL.NET with UWP applications](./uwp.md)

## Samples

| Sample | Platform | Description |
|------ | -------- | ----------- |
| [active-directory-dotnet-desktop-msgraph-v2](https://github.com/azure-samples/active-directory-dotnet-desktop-msgraph-v2) | Desktop (WPF) | Windows Desktop .NET (WPF) application calling the Microsoft Graph API. ![WPF app topology](../../media/wpf-app-topology.png) |
| [active-directory-dotnet-native-uwp-v2](https://github.com/azure-samples/active-directory-dotnet-native-uwp-v2) | UWP | A Windows Universal Platform client application using MSAL.NET, accessing the Microsoft Graph for a user authenticating with Azure AD v2.0 endpoint. ![UWP app topology](../../media/uwp-app-topology.png) |
| [https://github.com/Azure-Samples/active-directory-xamarin-native-v2](https://github.com/Azure-Samples/active-directory-xamarin-native-v2) | Xamarin iOS, Android, UWP | A simple Xamarin Forms app showcasing how to use MSAL to authenticate Microsoft accounts and Microsoft Entra ID via the Microsoft identity platform endpoint, and access the Microsoft Graph with the resulting token. ![Xamarin Forms app topology](../../media/xamarin-forms-topology.png) |
| [https://github.com/Azure-Samples/active-directory-dotnet-native-aspnetcore-v2](https://github.com/Azure-Samples/active-directory-dotnet-native-aspnetcore-v2) | WPF, ASP.NET Core 2.0 Web API | A WPF application calling an ASP.NET Core Web API using Azure AD v2.0. ![Desktop and web app interaction topology](../../media/desktop-web-topology.png) |
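Review bot: the samples table still lists `Xamarin iOS, Android, UWP` as the platforms for active-directory-xamarin-native-v2 after the UWP sample row and the `./uwp.md` link are removed, so the page keeps advertising a platform it no longer documents; trim UWP from that row or add a sentence saying the sample's UWP head is retained for reference only. The header `@@ -196,13 +196,10 @@` records three removed lines while only two deletions are visible here, so the third is presumably a blank line; confirm that the `## Samples` heading still has a blank line above it after the removal.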
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,10 @@ Supported ADFS versions in this federated scenario are ADFS v2 , ADFS v3 (Window

When acquiring a token using the `AcquireTokenByIntegratedAuthentication` or `AcquireTokenByUsernamePassword` methods, MSAL.NET gets the identity provider to contact based on the username. MSAL.NET receives a [SAML 1.1 token](/azure/active-directory/develop/reference-saml-tokens) after contacting the identity provider. MSAL.NET then provides the SAML token to Microsoft Entra ID as a user assertion (similar to the [on-behalf-of flow](../web-apps-apis/on-behalf-of-flow.md) to get back a JWT.


Microsoft recommends you **do not use** the username and password flow. In most scenarios, more secure alternatives are available and recommended. This flow requires a very high degree of trust in the application, and carries risks that are not present in other flows. You should only use this flow when other more secure flows aren't viable. For more information about why you want to avoid using this grant, see [why Microsoft is working to make passwords a thing of the past](https://news.microsoft.com/features/whats-solution-growing-problem-passwords-says-microsoft/).


## Case where MSAL connects directly to ADFS

MSAL.NET supports connecting to AD FS 2019, which is OpenID Connect compliant and understands PKCE and scopes. This support requires that a service pack [KB 4490481](https://support.microsoft.com/help/4490481/windows-10-update-kb4490481) is applied to Windows Server. When connecting directly to AD FS, the authority you'll want to use to build your application is similar to `https://mysite.contoso.com/adfs/`.
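Review bot: the added warning says "more secure alternatives are available and recommended" but never names them, even though this page already covers them; naming them inline (interactive acquisition, ideally through a broker such as WAM, or Integrated Windows Authentication for domain-joined machines, which the preceding paragraph already discusses) gives readers an actionable replacement rather than a link to a press article. Two context problems are worth fixing in the same pass: `AcquireTokenByIntegratedAuthentication` is not the MSAL.NET method name, the code elsewhere in this merge uses `AcquireTokenByIntegratedWindowsAuth`; and the parenthesis opened at "(similar to the [on-behalf-of flow]" is never closed. Also collapse the doubled blank lines before and after the new paragraph to a single blank line each.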
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@ If your desktop or mobile application runs on Windows and on a machine connected

- **Federated** users only, i.e. those created in an Active Directory and backed by Microsoft Entra ID. Users created directly in Microsoft Entra ID, without AD backing - **managed** users - cannot use this auth flow. This limitation does not affect the Username/Password flow.
- Does not work for MSA users. For MSA uses try out [WAM](./wam.md)
- IWA is for apps written for .NET Framework, .NET Core and UWP platforms
- IWA is for applications written for .NET and .NET Framework.
- IWA does NOT bypass MFA (multi factor authentication). If MFA is configured, IWA might fail if an MFA challenge is required, because MFA requires user interaction.
> This one is tricky. IWA is non-interactive, but 2FA requires user interactivity. You do not control when the identity provider requests 2FA to be performed, the tenant admin does. From our observations, 2FA is required when you login from a different country, when not connected via VPN to a corporate network, and sometimes even when connected via VPN. Don’t expect a deterministic set of rules, Microsoft Entra ID uses AI to continuously learn if 2FA is required. You should fallback to a [user prompt](./acquiring-tokens-interactively.md) if IWA fails
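Review bot: the rewritten bullet `- IWA is for applications written for .NET and .NET Framework.` is fine; while in this list, fix the typo "For MSA uses try out" to "For MSA users, try out" on the bullet above it, and note that the MFA bullet and its blockquote alternate between "MFA" and "2FA" for the same thing, so pick one term.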
Expand Down Expand Up @@ -120,10 +120,7 @@ static async Task GetATokenForGraph()
// Explanation: the library was unable to query the current Windows logged-in user or this user is not AD or Azure AD
// joined (work-place joined users are not supported).
// Mitigation 1: on UWP, check that the application has the following capabilities: Enterprise Authentication,
// Private Networks (Client and Server), User Account Information
// Mitigation 2: Implement your own logic to fetch the username (e.g. [email protected]) and use the
// Mitigation: Implement your own logic to fetch the username (e.g. [email protected]) and use the
// AcquireTokenByIntegratedWindowsAuth form that takes in the username
// Error Code: integrated_windows_auth_not_supported_managed_user
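Review bot: with the UWP capabilities text gone, `// Mitigation:` is now the only remedy listed, which is correct, but the `// Explanation:` line above it still says "AD or Azure AD joined" while the rest of this merge renames Azure AD to Microsoft Entra ID, so update it in the same pass. The mitigation would also be clearer if it named the exact overload or builder method that accepts the username instead of "the form that takes in the username".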
Original file line number Diff line number Diff line change
@@ -1,9 +1,9 @@
---
title: Using MSAL.NET With MAUI and Xamarin
title: Using MSAL.NET With .NET MAUI
description: "How to use MSAL.NET on mobile platforms."
---

# Using MSAL.NET With MAUI and Xamarin
# Using MSAL.NET With MAUI

MSAL.NET can run on mobile devices (both iOS and Android) through applications built with [.NET Multi-platform App UI (MAUI)](https://dotnet.microsoft.com/apps/maui).

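Review bot: the `title:` metadata becomes "Using MSAL.NET With .NET MAUI" but the H1 on the same page becomes "Using MSAL.NET With MAUI"; align the two, preferably on the ".NET MAUI" form, which matches the product name used in the body link text.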
Expand All @@ -14,19 +14,19 @@ MSAL.NET can run on mobile devices (both iOS and Android) through applications b

MSAL.NET can be used with authentication brokers on mobile devices, such as Microsoft Authenticator or the Company Portal. To learn more about how to configure applications to use brokers on iOS and Android, refer to [Use Microsoft Authenticator or Intune Company Portal on Xamarin applications](/azure/active-directory/develop/msal-net-use-brokers-with-xamarin-apps).

## MAUI and Xamarin Android
## MAUI on Android

To get started with MSAL.NET integration on Android, refer to the following resources:

- [How to migrate Xamarin ADAL apps to MSAL for Android](/azure/active-directory/develop/msal-net-migration-android-broker)
- [Xamarin Android Configuration Tips + Troubleshooting](/azure/active-directory/develop/msal-net-xamarin-android-considerations)
- [Xamarin Android System Browser Info](/azure/active-directory/develop/msal-net-system-browser-android-considerations)
- [How to migrate Xamarin ADAL apps to MSAL for Android](/entra/identity-platform/msal-net-migration-android-broker)
- [Xamarin Android Configuration Tips + Troubleshooting](/entra/identity-platform/msal-net-xamarin-android-considerations)
- [Xamarin Android System Browser Info](/entra/identity-platform/msal-net-system-browser-android-considerations)

To learn more about testing MSAL on Android devices, refer to the [MSAL for Android Wiki](https://github.com/AzureAD/microsoft-authentication-library-for-android/wiki/Android-Emulator-with-MSAL).

## MAUI and Xamarin iOS
## MAUI on iOS

To get started with MSAL.NET integration on iOS, refer to the following resources:

- [How to migrate Xamarin ADAL apps to MSAL for iOS](/azure/active-directory/develop/msal-net-migration-ios-broker)
- [Xamarin iOS Configuration Tips + Troubleshooting](/azure/active-directory/develop/msal-net-xamarin-ios-considerations)
- [How to migrate Xamarin ADAL apps to MSAL for iOS](/entra/identity-platform/msal-net-migration-ios-broker)
- [Xamarin iOS Configuration Tips + Troubleshooting](/entra/identity-platform/msal-net-xamarin-ios-considerations)
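Review bot: the context link `Use Microsoft Authenticator or Intune Company Portal on Xamarin applications` still points at `/azure/active-directory/develop/msal-net-use-brokers-with-xamarin-apps` while every other link in this hunk is moved to `/entra/identity-platform/`; move it too so the page does not keep one legacy path. The retitled sections `## MAUI on Android` and `## MAUI on iOS` still link to pages whose titles say "Xamarin Android" and "Xamarin iOS", which is accurate for the targets but confusing under a MAUI heading; a short sentence stating that the Xamarin considerations also apply to MAUI would remove the mismatch.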
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ ms.service: msal
ms.subservice: msal-dotnet
ms.topic: conceptual
ms.workload: identity
ms.date: 08/24/2023
ms.date: 05/21/2024
ms.author: dmwendia
ms.reviewer: ddelimarsky, saeeda, jeferrie
ms.custom: devx-track-csharp, aaddev, devx-track-dotnet
Expand Down Expand Up @@ -148,21 +148,22 @@ Or whichever special logic you were doing to process the `AADB2C90118` error.

## Resource Owner Password Credentials (ROPC) With B2C

For more details on the ROPC flow, please see this [documentation](./username-password-authentication.md).
For more details on the ROPC flow, please see the [username and password flow documentation](./username-password-authentication.md).

### This flow is not recommended

This flow is **not recommended** because your application asking a user for their password is not secure. For more information about this problem, see [this article](https://news.microsoft.com/features/whats-solution-growing-problem-passwords-says-microsoft/).
This flow is **not recommended** because your application asking a user for their password is not secure. For more information about this problem, see [why Microsoft is working to make passwords a thing of the past](https://news.microsoft.com/features/whats-solution-growing-problem-passwords-says-microsoft/).

By using username/password you are giving-up a number of things:

- Core tenants of modern identity: password gets fished, replayed. Because we have this concept of a share secret that can be intercepted. This is incompatible with passwordless.
- Users who need to do MFA won't be able to sign-in (as there is no interaction)
- Users won't be able to do single sign-on

### Configure the ROPC flow in AzureAD B2C
### Configure the ROPC flow in Azure AD B2C

In your AzureAD B2C tenant, create a new user flow and select **Sign in using ROPC**. This will enable the ROPC policy for your tenant. See [Configure the resource owner password credentials flow](/azure/active-directory-b2c/configure-ropc) for more details.
In your Azure AD B2C tenant, create a new user flow and select **Sign in using ROPC**. This will enable the ROPC policy for your tenant. See [Configure the resource owner password credentials flow](/azure/active-directory-b2c/configure-ropc) for more details.

`IPublicClientApplication` contains a method called `AcquireTokenByUsernamePassword`:

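Review bot: the reworded link text and the `Azure AD B2C` rename are fine, but the bullet list between them still carries errors that are cheap to fix in the same pass: "Core tenants of modern identity" should be "Core tenets", "password gets fished" should be "phished", "share secret" should be "shared secret", and "giving-up" should not be hyphenated. The first bullet is also hard to parse; something like "Passwords are a shared secret that can be phished, intercepted and replayed, which is incompatible with passwordless authentication" states the security point directly.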
Expand Down Expand Up @@ -191,7 +192,7 @@ If you are a B2C developer using Google as an identity provider we recommend you
## Caching with B2C in MSAL.NET

### Known issue with Azure B2C
### Known issue with Azure AD B2C

MSAL.Net supports a [token cache](/dotnet/api/microsoft.identity.client.tokencache). The token caching key is based on the claims returned by the Identity Provider. Currently MSAL.Net needs two claims to build a token cache key:

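Review bot: the heading fix to `### Known issue with Azure AD B2C` is correct; the paragraph below it writes `MSAL.Net` twice while the rest of the page uses `MSAL.NET`, so normalize the casing here too.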
Expand Down Expand Up @@ -219,9 +220,3 @@ One option is to use the "name" claim as the preferred username. The process is
## Customizing the UI

[Customize the user interface with Azure AD B2C](/azure/active-directory-b2c/customize-ui-overview).

## Samples illustrating acquiring tokens interactively with MSAL.NET for B2C applications

Sample | Platform | Description
------ | -------- | -----------
[active-directory-b2c-xamarin-native](https://github.com/Azure-Samples/active-directory-b2c-xamarin-native) | Xamarin iOS, Xamarin Android, UWP | A simple Xamarin Forms app showcasing how to use MSAL.NET to authenticate users via Azure Active Directory B2C, and access a Web API with the resulting tokens.
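Review bot: deleting the `## Samples illustrating acquiring tokens interactively with MSAL.NET for B2C applications` section removes the only sample reference on this page without a replacement. If active-directory-b2c-xamarin-native is retired because Xamarin and UWP are no longer covered, add a pointer to a MAUI-based B2C sample or a one-line note that no current sample exists; otherwise readers lose the only end-to-end B2C example.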
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ In addition to the [Integrated Windows Authentication constraints](integrated-wi
- Available starting with MSAL 2.1.0.
- Not compatible with conditional access and multi-factor authentication. As a consequence, if the app runs in a Microsoft Entra tenant where the tenant admin requires multi-factor authentication, the flow cannot be used.
- Only available for work and school accounts and **not** personal Microsoft accounts.
- Available on .NET Framework and .NET/.NET Core, but not for Universal Windows Platform (UWP) applications.
- Available on .NET Framework and .NET/.NET Core.

### Authority implications

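Review bot: `- Available on .NET Framework and .NET/.NET Core.` is consistent with the UWP removal, but the Integrated Windows Authentication page edited in this same merge now says ".NET and .NET Framework"; use the same phrasing here and drop the ".NET Core" alias, since ".NET" already covers it.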
73 changes: 0 additions & 73 deletions msal-dotnet-articles/acquiring-tokens/desktop-mobile/uwp.md

This file was deleted.
