Azure Active Directory B2B Access Token Generator using C#


In this post, ‘Azure Active Directory B2B Access Token Generator using C#’, I will create a console application that generates an OAuth 2.0 access token for an ASP.NET Web API project hosted on Azure and secured with Azure Active Directory (the tenant I use for B2B).

If you call the Web API from a REST client such as Postman without any credentials, you will receive the error message “Authentication has been denied for this request.”

This is because the request did not carry an Authorization header with a valid Azure Active Directory OAuth 2.0 bearer token (the header the API expects is “Authorization: Bearer <access token>”).

In this article, I will describe the following two methods that can be used to generate an Azure Active Directory B2B OAuth bearer token:

(1) Using Client Id and Client Secret

(2) Using Service Account

(1) ‘Web app/Api’ Registration for authentication with Client Id and Client Secret

An application of type ‘Web app/API’ needs to be registered in the Azure B2B Active Directory tenant. This registration represents the Web API: its App ID URI is the ‘resource’ a client asks a token for, and its key is the client secret used in approach (1).

Log in to the Azure Portal, navigate to the ‘Azure Active Directory’ blade, select your directory and click ‘App registrations’ as shown in the following screenshot.

[Screenshot: Azure Active Directory B2B, New App Registration]

Next, select ‘New application registration’ as shown in the following screenshot.

Under ‘Create’, give the app a Name, choose the application type ‘Web app/API’, enter the home page URL of the Azure Web App/API in the Sign-on URL text box and finally click Create.

[Screenshot: Azure Active Directory B2B, New Web app/API]

Next, under ‘Settings’, select ‘Properties’ and navigate to ‘App ID URI’. In the text box, change the last part of the string from a GUID to a descriptive name. This value is the ‘resource’ the token generator will request a token for. My App ID URI looks as follows:

https://<Azure B2B AD Name>.onmicrosoft.com/testb2bweb

Replace <Azure B2B AD Name> with your Azure B2B AD name.

Next, under ‘Settings’, navigate to ‘Keys’ as shown in the following screenshot:

[Screenshot: Azure Active Directory B2B, App Keys]

For the key, add a Description, select a duration (1 year, 2 years or never expires) and save it to view the key’s value, then copy it. After you navigate away from this section, you won’t be able to view the key again; if you lose the key’s value, you need to generate a new key. Treat this value as a client secret: store it in a secret store or environment variable rather than in source code, and prefer a key with an expiry date over ‘never expires’ so that a leaked key has a bounded lifetime.

After this, the registered app looks as follows:

[Screenshot: Azure Active Directory B2B, Registered App]

(2) ‘Native’ App Registration for authentication with Service Account

In a similar fashion to step (1) above, register a ‘Native’ app as shown in the following screenshot:

[Screenshot: Azure Active Directory B2B, Native App Registration]

In the Redirect URIs section, add a Redirect URI such as: http://testclient-azure

Please note that this Redirect URI is not the URI of an Azure Web App. For a native client it is only an identifier; nothing needs to be listening at that address, because the service-account approach obtains the token with a username and password rather than through a browser redirect.

(3) Create the Access Token generator C# Console application

Create a new C# console application and add the NuGet package:

Microsoft.IdentityModel.Clients.ActiveDirectory

This is the Azure AD Authentication Library (ADAL). Note that ADAL has since been deprecated in favour of the Microsoft Authentication Library (MSAL, NuGet package Microsoft.Identity.Client); the steps below still describe the ADAL API used in this post.

Add the code as described below:

On running the console application, the user is presented with two choices, “1” and “2”. Selecting “1” generates an access token using the service-account approach and selecting “2” generates an access token using the client id and client secret approach.

In both approaches, an AuthenticationContext object is first created from the authority, which is constructed from aadInstance (https://login.microsoftonline.com/) and the tenant name.

Next, the authContext.AcquireTokenAsync method is called to fetch the token for the resource identified by the Web API’s App ID URI. In the service-account approach a UserCredential object (the username and password of the service account, together with the client id of the Native app) is passed, while in the client id and client secret approach a ClientCredential object (the client id of the Web app/API registration and its key) is passed.
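The original post’s console application is not reproduced on this page, so the following is an added example, written for this edit and not the author’s code, that implements the two approaches just described with ADAL and then calls the API with the resulting bearer token. The environment variable names, the placeholder tenant and the URLs are assumptions; the ADAL calls (AuthenticationContext, ClientCredential, UserPasswordCredential, which derives from UserCredential, and the AcquireTokenAsync overloads) are the library’s real API.

```csharp
// Added example, not the original post's code.
// Assumptions (not from the post): all identifiers and secrets are read from
// environment variables with the placeholder names below; async Main needs C# 7.1+.
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

class Program
{
    // Authority = aadInstance + tenant, e.g. https://login.microsoftonline.com/contoso.onmicrosoft.com
    const string AadInstance = "https://login.microsoftonline.com/";
    static readonly string Tenant   = Environment.GetEnvironmentVariable("AAD_TENANT");      // e.g. contoso.onmicrosoft.com
    // The 'resource' is the App ID URI of the Web app/API registration (step 1).
    static readonly string Resource = Environment.GetEnvironmentVariable("API_APP_ID_URI");  // e.g. https://contoso.onmicrosoft.com/testb2bweb
    static readonly string ApiUrl   = Environment.GetEnvironmentVariable("API_URL");         // e.g. https://testb2bweb.azurewebsites.net/api/values

    static async Task Main()
    {
        var authContext = new AuthenticationContext(AadInstance + Tenant);

        Console.Write("Choose 1 (service account) or 2 (client id/secret): ");
        string choice = Console.ReadLine();

        try
        {
            AuthenticationResult result = choice == "1"
                ? await AcquireWithServiceAccount(authContext)
                : await AcquireWithClientSecret(authContext);

            Console.WriteLine($"Access token (expires {result.ExpiresOn:u}):");
            Console.WriteLine(result.AccessToken);

            await CallApiAsync(result.AccessToken);
        }
        catch (AdalException ex)
        {
            // Wrong tenant, resource, credentials, or a service account that requires MFA all surface here.
            Console.WriteLine($"Token acquisition failed: {ex.ErrorCode}: {ex.Message}");
        }
    }

    // Approach (2), service account: the Native app (step 2) requests a token on behalf of
    // the service account using its username and password (the resource owner password flow).
    static Task<AuthenticationResult> AcquireWithServiceAccount(AuthenticationContext authContext)
    {
        string nativeClientId = Environment.GetEnvironmentVariable("NATIVE_CLIENT_ID");
        string user           = Environment.GetEnvironmentVariable("SVC_USER");      // e.g. svc-api@contoso.onmicrosoft.com
        string password       = Environment.GetEnvironmentVariable("SVC_PASSWORD");

        var userCredential = new UserPasswordCredential(user, password);
        return authContext.AcquireTokenAsync(Resource, nativeClientId, userCredential);
    }

    // Approach (1), client id and client secret: the Web app/API registration authenticates
    // as itself with the key created under 'Keys' (the client credentials flow).
    static Task<AuthenticationResult> AcquireWithClientSecret(AuthenticationContext authContext)
    {
        string clientId     = Environment.GetEnvironmentVariable("WEB_CLIENT_ID");
        string clientSecret = Environment.GetEnvironmentVariable("WEB_CLIENT_SECRET");

        var clientCredential = new ClientCredential(clientId, clientSecret);
        return authContext.AcquireTokenAsync(Resource, clientCredential);
    }

    // Call the protected API with "Authorization: Bearer <token>"; without it the API answers 401.
    static async Task CallApiAsync(string accessToken)
    {
        using (var http = new HttpClient())
        {
            http.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
            HttpResponseMessage response = await http.GetAsync(ApiUrl);

            Console.WriteLine($"API responded {(int)response.StatusCode} {response.ReasonPhrase}");
            if (response.StatusCode == HttpStatusCode.Unauthorized)
                Console.WriteLine("Token rejected: check that the resource matches the API's App ID URI and that the tenant is correct.");
        }
    }
}
```

Two practical points about the service-account path: the username/password flow carries no interactive step, so it fails for accounts that are required to use multi-factor authentication, and the service account’s password is a long-lived credential in the hands of the client, which is why the client-credentials approach with a short-lived key is usually the better choice for a daemon or test harness.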

On running the application, the access token generated using the Service Account approach is shown as follows:

[Screenshot: Azure Active Directory B2B, Access Token using Service Account]

On running the application, the access token generated using the Client Id and Client Secret approach is shown as follows:

[Screenshot: Azure Active Directory B2B, Access Token using Client Id and Client Secret]

I have created a Web API which is secured using Azure B2B Active Directory and is hosted on Azure.

In this sample API, I have explicitly generated an exception.

If I call the API without an authentication token, I get a ‘401 Unauthorized’ response as shown follows:

[Screenshot: Azure Active Directory B2B, API Unauthenticated]

If I call the API passing the bearer token in the Authorization header, the API is executed successfully, which in this case means the request is authenticated and reaches the action that explicitly throws the exception mentioned above.

[Screenshot: Azure Active Directory B2B, API Authenticated]

This concludes the configuration and code required for generating an Azure Active Directory B2B access token using two different approaches.

I hope you liked this article. If you have any comments, questions or suggestions, post them using the comments section below this article. I will try to respond at my earliest, or somebody else reading the article and your comment may respond.

Please subscribe to my blog via email to get updates on the latest articles and also share this article over social networks like Facebook, Twitter etc.
