msal-client-credentials

Client Credentials Flow for service-to-service (daemon) authentication in MSAL.NET without user involvement

By AzureAD, updated 4/3/2026

---
name: msal-client-credentials
description: Client Credentials Flow for service-to-service (daemon) authentication in MSAL.NET without user involvement
tags:
  - msal
  - client-credentials
  - daemon
  - service-to-service
  - confidential-client
  - background-service
  - machine-to-machine
---

Client Credentials Flow Skill

Overview

Client Credentials Flow is used for service-to-service authentication without user involvement. Ideal for daemon applications and background services.

When to Use

  • Service-to-service authentication
  • Daemon/background applications
  • Machine-to-machine communication
  • No user context needed
  • Automated processes

Flow Steps

  1. Service authenticates with its own credential (a certificate, or a managed identity presented as a federated credential); no user signs in
  2. Service posts the credential directly to the tenant's token endpoint (there is no authorization-endpoint redirect, because there is no user to redirect)
  3. AAD validates the credential and returns an access token scoped to the application permissions (app roles) granted to the service
  4. Token is cached and used to call APIs as the application identity until it expires
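
The four steps above, carried out by hand in C# so the wire format is visible. This is an added example, not code from the MSAL.NET repository; `WithCertificate` does the same work inside MSAL. The class name `RawClientCredentials`, the five-minute assertion lifetime and the caller-supplied `HttpClient` are assumptions of the example.

```csharp
// Added example (not MSAL.NET project code): the client credentials exchange with a
// certificate, built from the BCL only. Names and the assertion lifetime are assumptions.
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;

public static class RawClientCredentials
{
    const string AssertionType = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";

    static string B64Url(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // Step 1: prove possession of the certificate's private key by signing a short-lived JWT
    // whose audience is this tenant's token endpoint, so it cannot be replayed elsewhere.
    public static string BuildClientAssertion(string clientId, string tokenEndpoint,
                                              X509Certificate2 cert, DateTimeOffset now)
    {
        var header = new Dictionary<string, object>
        {
            ["alg"] = "RS256",
            ["typ"] = "JWT",
            ["x5t"] = B64Url(cert.GetCertHash()),   // SHA-1 thumbprint: how AAD locates the uploaded public key
        };
        var claims = new Dictionary<string, object>
        {
            ["aud"] = tokenEndpoint,
            ["iss"] = clientId,
            ["sub"] = clientId,
            ["jti"] = Guid.NewGuid().ToString(),    // unique per assertion; lets AAD reject replays
            ["nbf"] = now.ToUnixTimeSeconds(),
            ["exp"] = now.AddMinutes(5).ToUnixTimeSeconds(),   // keep assertions short-lived
        };
        string signingInput = B64Url(JsonSerializer.SerializeToUtf8Bytes(header)) + "." +
                              B64Url(JsonSerializer.SerializeToUtf8Bytes(claims));
        using RSA rsa = cert.GetRSAPrivateKey()
            ?? throw new InvalidOperationException("certificate has no RSA private key");
        byte[] sig = rsa.SignData(Encoding.ASCII.GetBytes(signingInput),
                                  HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return signingInput + "." + B64Url(sig);
    }

    // Step 2: the form body posted to the token endpoint (not the authorize endpoint).
    public static FormUrlEncodedContent BuildTokenRequest(string clientId, string scope, string assertion) =>
        new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"] = "client_credentials",
            ["client_id"] = clientId,
            ["scope"] = scope,                       // "<resource>/.default": the app roles granted to this app
            ["client_assertion_type"] = AssertionType,
            ["client_assertion"] = assertion,
        });

    // Steps 3-4: AAD answers with access_token and expires_in; the caller caches it for that long.
    public static async Task<(string AccessToken, TimeSpan ExpiresIn)> RequestTokenAsync(
        HttpClient http, string tenantId, string clientId, string scope, X509Certificate2 cert)
    {
        string tokenEndpoint = $"https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token";
        string assertion = BuildClientAssertion(clientId, tokenEndpoint, cert, DateTimeOffset.UtcNow);

        using HttpResponseMessage resp = await http.PostAsync(tokenEndpoint, BuildTokenRequest(clientId, scope, assertion));
        using JsonDocument body = JsonDocument.Parse(await resp.Content.ReadAsStringAsync());
        JsonElement root = body.RootElement;
        if (!resp.IsSuccessStatusCode)
            throw new InvalidOperationException(
                $"{root.GetProperty("error").GetString()}: {root.GetProperty("error_description").GetString()}");

        JsonElement ei = root.GetProperty("expires_in");
        int seconds = ei.ValueKind == JsonValueKind.Number ? ei.GetInt32() : int.Parse(ei.GetString()!);
        return (root.GetProperty("access_token").GetString()!, TimeSpan.FromSeconds(seconds));
    }
}
```

Two things to take from the exchange: the private key never leaves the service (only a signature over a five-minute, endpoint-bound JWT is sent), and the scope is always the resource's `/.default`, so what the resulting token can do is fixed by the app roles an admin granted, not by anything the service asks for at runtime.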

Agent Actions

Generate Code Snippet

Agent can show code for each credential type:

Setup Guidance

Reference appropriate credential setup:

Example: Service with Certificate

// Acquire token for service-to-service authentication
using System;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public class TokenAcquisitionService
{
    private readonly IConfidentialClientApplication _app;

    // A specific tenant ID (or verified domain) is required to build the authority;
    // the /common and /organizations authorities are not supported for client credentials
    public TokenAcquisitionService(string clientId, string tenantId, X509Certificate2 cert)
    {
        // For complete example with static token caching, see: with-certificate.cs
        _app = ConfidentialClientApplicationBuilder
            .Create(clientId)
            .WithCertificate(cert)
            .WithAuthority($"https://login.microsoftonline.com/{tenantId}/v2.0")
            .WithCacheOptions(CacheOptions.EnableSharedCacheOptions)  // Enable static token caching
            .Build();
    }

    // Client credentials always requests the "/.default" scope of the target resource,
    // e.g. "https://graph.microsoft.com/.default"; the app roles consented for this
    // application determine what the token can do
    public async Task<string> GetAccessTokenAsync(string resourceScope)
    {
        var result = await _app.AcquireTokenForClient(
            new[] { resourceScope })
            .ExecuteAsync();

        return result.AccessToken;
    }
}

Error Resolution

Refer to Troubleshooting Guide

Best Practices

  • Use Token Caching Strategies - enable static token caching with .WithCacheOptions(CacheOptions.EnableSharedCacheOptions) for optimal performance
  • Implement Error Handling Patterns
  • Monitor token acquisition using AuthenticationResultMetadata for cache hit ratios
  • Rotate certificates periodically (if using certificate-based auth)
  • Use Federated Identity Credentials with Managed Identity for keyless authentication, so no certificate or secret has to be stored, protected or rotated on the host
  • For additional caching options and strategies, see Token cache serialization documentation
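
The practices above wired together in one daemon-side token provider: a single shared application object with static caching, cache-hit accounting from `AuthenticationResultMetadata`, a retry policy around `MsalServiceException`, and the keyless Federated Identity Credential setup in which the host's managed identity token is the client assertion. This is an added example, not the project's own code; it assumes a recent MSAL.NET (the `AssertionRequestOptions` overload of `WithClientAssertion`), an app registration whose federated credential trusts the system-assigned managed identity, and the class name, retry thresholds and method names below are the example's own.

```csharp
// Added example (not MSAL.NET project code): a daemon token provider applying the best
// practices above. Retry policy, thresholds and names are this example's assumptions.
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Identity.Client;
using Microsoft.Identity.Client.AppConfig;

public sealed class DaemonTokenProvider
{
    private readonly IConfidentialClientApplication _app;
    private readonly string[] _scopes;
    private long _cacheHits, _idpCalls;

    private DaemonTokenProvider(IConfidentialClientApplication app, string resourceScope)
    {
        _app = app;
        _scopes = new[] { resourceScope };   // e.g. "https://graph.microsoft.com/.default"
    }

    // Keyless variant: the app registration carries a Federated Identity Credential that trusts
    // this host's system-assigned managed identity, so nothing secret is stored or rotated.
    public static DaemonTokenProvider CreateWithManagedIdentityFederation(
        string clientId, string tenantId, string resourceScope)
    {
        IManagedIdentityApplication mi = ManagedIdentityApplicationBuilder
            .Create(ManagedIdentityId.SystemAssigned)
            .Build();

        IConfidentialClientApplication app = ConfidentialClientApplicationBuilder.Create(clientId)
            .WithAuthority($"https://login.microsoftonline.com/{tenantId}/v2.0")
            // MSAL invokes this whenever it must contact AAD; the managed identity token
            // (audience api://AzureADTokenExchange) is presented as the client assertion.
            .WithClientAssertion(async (AssertionRequestOptions o) =>
            {
                AuthenticationResult miToken = await mi
                    .AcquireTokenForManagedIdentity("api://AzureADTokenExchange")
                    .ExecuteAsync(o.CancellationToken);
                return miToken.AccessToken;
            })
            .WithCacheOptions(CacheOptions.EnableSharedCacheOptions)   // one static app-token cache per process
            .Build();

        return new DaemonTokenProvider(app, resourceScope);
    }

    // Fraction of acquisitions served from the MSAL cache. A low ratio in a daemon usually means
    // the application object is being rebuilt per request instead of shared.
    public double CacheHitRatio =>
        (_cacheHits + _idpCalls) == 0 ? 0 : (double)_cacheHits / (_cacheHits + _idpCalls);

    public async Task<AuthenticationResult> AcquireAsync(CancellationToken ct)
    {
        const int maxAttempts = 3;
        for (int attempt = 1; ; attempt++)
        {
            try
            {
                AuthenticationResult result = await _app.AcquireTokenForClient(_scopes).ExecuteAsync(ct);
                if (result.AuthenticationResultMetadata.TokenSource == TokenSource.Cache)
                    Interlocked.Increment(ref _cacheHits);
                else
                    Interlocked.Increment(ref _idpCalls);
                return result;
            }
            // Throttling or a transient AAD failure: back off and retry (this policy is the example's own).
            catch (MsalServiceException ex) when (attempt < maxAttempts && (ex.StatusCode == 429 || ex.StatusCode >= 500))
            {
                await Task.Delay(TimeSpan.FromMilliseconds(500 * attempt), ct);
            }
            // Anything else (rejected assertion, missing app-role consent, or MsalClientException for
            // configuration and network problems) is not retried: let it surface with ErrorCode and CorrelationId.
        }
    }

    // Use the token as a bearer credential; the API sees the application identity, never a user.
    public async Task<HttpResponseMessage> CallDownstreamAsync(HttpClient http, Uri endpoint, CancellationToken ct)
    {
        AuthenticationResult token = await AcquireAsync(ct);
        using var req = new HttpRequestMessage(HttpMethod.Get, endpoint);
        req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token.AccessToken);
        return await http.SendAsync(req, ct);
    }
}
```

Build the provider once at startup and inject it; every `AcquireAsync` after the first should report `TokenSource.Cache` until the token nears expiry, and `CacheHitRatio` dropping towards zero is the usual symptom of an application object being constructed per call.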

Explain the Flow

  1. Credential Submission: Service authenticates directly with AAD using certificate or MI
  2. No User Involved: Authentication is machine-to-machine only
  3. Access Grant: AAD validates credentials and issues access token
  4. Token Caching: Token automatically cached for subsequent requests
  5. API Access: Token used to call downstream APIs as application identity

Decision Help

Choose Client Credentials if:

  • Building daemon/background service
  • Service-to-service authentication needed
  • No user context involved
  • Want simplest flow for automated processes

Avoid if:

  • Need to access user-scoped resources
  • User consent required
  • Need refresh tokens for long-lived sessions (the flow issues none; MSAL simply requests a new app token when the cached one expires)

Install via CLI
npx skills add https://github.com/AzureAD/microsoft-authentication-library-for-dotnet --skill msal-client-credentials
Repository Details: Stars 1,497, Forks 406, Branch main, Path SKILL.md