For a headless text output client application, it is not possible authenticate through an interactive prompt. Instead a text only approach is necessary. This flow leverages a user's external device (i.e. phone) to authenticate through an interactive login prompt and pass the auth token to the headless application. For more information click here.
If the tenant admin requires device authentication conditional access policies, using the Device profile flow won't be a good option.
This sample will walk you through the steps to create a client-side console application which uses MSAL.NET to authenticate a user via the Device Profile flow and returns a JSON string containing all account team project data viewable by the authenticated user.
To run this sample you will need:
- Visual Studio
- An Azure AD tenant. For more information see: How to get an Azure AD tenant
- A user account in your Azure AD tenant.
- A Azure DevOps account backed by your AAD tenant where your user account has access. If you have an existing Azure DevOps account not connected to your AAD tenant follow these steps to connect your AAD tenant to your Azure DevOps account
To run this sample for a Microsoft Account backed Azure DevOps account you will need:
- Azure DevOps account not connected to AAD.
From a shell or command line:
git clone https://github.com/Microsoft/vsts-auth-samples.git
Step 2: Register the sample application with you Azure Active Directory tenant (AAD backed Azure DevOps account)
If you are a Microsoft Account backed Azure DevOps account please skip this step.
- Navigate to the Microsoft identity platform for developers App registrations page.
- Select New registration.
- In the Register an application page that appears, enter your application's registration information:
- In the Name section, enter a meaningful application name that will be displayed to users of the app, for example
MSAL-DeviceCodeFlow
. - Under Supported account types, select Accounts in this organizational directory only.
- In the Name section, enter a meaningful application name that will be displayed to users of the app, for example
- Select Register to create the application.
- In the app's registration screen, find and note the Application (client) ID. You use this value in your app's configuration file(s) later in your code.
- In the Advanced settings | Default client type section, flip the switch for
Treat application as a public client
to Yes.
- In the Advanced settings | Default client type section, flip the switch for
- Select Save to save your changes.
- In the app's registration screen, select the API permissions blade in the left to open the page where we add access to the APIs that your application needs.
- Select the Add a permission button and then,
- Ensure that the Microsoft APIs tab is selected.
- In the list of APIs, select the API
Azure DevOps
. - In the Delegated permissions section, select the user_impersonation in the list. Use the search box if necessary.
- Select the Add permissions button at the bottom.
Open the project in your IDE (like Visual Studio or Visual Studio Code) to configure the code.
In the steps below, "ClientID" is the same as "Application ID" or "AppId".
- Open the
DeviceProfileSample\App.config
file. - Find the key
ida:ClientID
and replace the existing value with the application ID (clientId) ofManagedClientConsoleAppSample
app copied from the Azure portal. - Find the key
ida:Tenant
and replace the existing value with your Azure AD tenant ID or tenant domain. - Find the key
ado:OrganizationUrl
and replace the existing value to the URL of your Azure DevOps organization; NOTE: This must use HTTPS.
Clean the solution, rebuild the solution, and run it.
Use a web browser to open the Url (https://microsoft.com/devicelogin) that is displayed in console app. Input the code presented in the console , sign-in and check the result of the operation back in the console.