Microsoft.Agents.Authentication.Msal 0.2.154-alpha

Prefix Reserved
.NET 8.0 This package targets .NET 8.0. The package is compatible with this framework or higher.
This is a prerelease version of Microsoft.Agents.Authentication.Msal.
There is a newer prerelease version of this package available.
See the version list below for details. 
dotnet add package Microsoft.Agents.Authentication.Msal --version 0.2.154-alpha
                    


                    

                
NuGet\Install-Package Microsoft.Agents.Authentication.Msal -Version 0.2.154-alpha
This command is intended to be used within the Package Manager Console in Visual Studio, as it uses the NuGet module's version of Install-Package. 
<PackageReference Include="Microsoft.Agents.Authentication.Msal" Version="0.2.154-alpha" />
For projects that support PackageReference, copy this XML node into the project file to reference the package. 
<PackageVersion Include="Microsoft.Agents.Authentication.Msal" Version="0.2.154-alpha" />
                    


                            Directory.Packages.props
                        

                    

                
<PackageReference Include="Microsoft.Agents.Authentication.Msal" />
                    


                            Project file
For projects that support Central Package Management (CPM), copy this XML node into the solution Directory.Packages.props file to version the package. 
paket add Microsoft.Agents.Authentication.Msal --version 0.2.154-alpha
                    


                    

                
#r "nuget: Microsoft.Agents.Authentication.Msal, 0.2.154-alpha"
#r directive can be used in F# Interactive and Polyglot Notebooks. Copy this into the interactive tool or source code of the script to reference the package. 
#addin nuget:?package=Microsoft.Agents.Authentication.Msal&version=0.2.154-alpha&prerelease
                    


                            Install Microsoft.Agents.Authentication.Msal as a Cake Addin
                        

                    

                
#tool nuget:?package=Microsoft.Agents.Authentication.Msal&version=0.2.154-alpha&prerelease
                    


                            Install Microsoft.Agents.Authentication.Msal as a Cake Tool

Microsoft.Agents.Authentication.Msal

Provides the MSAL IAccessTokenProvider implementation to get tokens.

Example configuration

  "Connections": {
    "BotServiceConnection": {
      "Assembly": "Microsoft.Agents.Authentication.Msal",
      "Type": "MsalAuth",
      "Settings": {
        "AuthType": "ClientSecret", // this is the AuthType for the connection, valid values can be found in Microsoft.Agents.Authentication.Msal.Model.AuthTypes.  The default is ClientSecret.
        "AuthorityEndpoint": "https://login.microsoftonline.com/{{TenantId}}",
        "ClientId": "00000000-0000-0000-0000-000000000000", // this is the Client ID used for the connection.
        "ClientSecret": "00000000-0000-0000-0000-000000000000", // this is the Client Secret used for the connection.
        "Scopes": [
          "https://api.botframework.com/.default"
        ]
      }
    }
  }

MSAL Authentication provider

The MSAL authentication provider is a utility aid you on creating access tokens for bot clients and external services from the Microsoft Agents Framework self hosted Agent.

This utility has supports multiple distinct profiles that can be used to create access tokens. Each access token can be created using one of the following auth types:

  • Client Secret
  • Client Certificate using Thumbprint
  • Client Certificate using Subject Name
  • User Managed Identity
  • System Managed Identity

General Configuration

There are several shared configuration options that control general settings for acquiring tokens from Microsoft Entra Identity.

These settings are:

Setting Name Type Default Value Description
MSALRequestTimeout TimeSpan 30seconds This setting controls how long the client will wait for a response from Entra ID after a request has been made.
MSALRetryCount Int 3 This setting controls how many retry attempts the provider will make for an individual request for a token
MSALEnabledLogPII Bool False This setting controls if the attached logger will be provided with PII data from MSAL

These settings are shared with all clients creating using the MSAL Authentication Provider. These settings are intended to be read from an IConfiguration Reader, in from a configuration section a section called "MSALConfiguration".

MSAL Configuration is an optional configuration, if not set or provided, the default configuration for these values are used.

An example of this entry in an appsettings.json file is:
{
  "MSALConfiguration": {
    "MSALEnabledLogPII": "true",
    "MSALRequestTimeout": "00:00:40",
    "MSALRetryCount": "1"
  },
}

In this case, this settings block would instruct all MSAL clients created with the MSAL provider to enabled PII logging, set the timeout to 40 seconds, and reduce the retry count to 1.

Configuring a Connection

The MSAL Authentication provider is intended to allow for multiple distinct clients to be created and used by the Agents Framework Hosting engine. As such, the MSAL Authentication provider allows for multiple configurations to be provided in the application configuration file, where each configuration can be used to create a named authentication client to support communications with external services or other Agents.

There are several possible settings for the creating an instance of the MSAL Authentication Provider.

These settings are:

Setting Name Type Default Value Description
AuthType AuthTypes Enum (Certificate, CertificateSubjectName, ClientSecret, UserManagedIdentity, SystemManagedIdentity) ClientSecret This is the type of authentication that will be created.
AuthorityEndpoint String Null When present, used as the Authority to request a token from.
TenantId String Null When present and AuthorityEndpoint is null, used to create an Authority to request a token from
Scopes String list Null Default Lists of scopes to request tokens for. Is only used when no scopes are passed from the bot connection request

ClientSecret

Setting Name Type Default Value Description
ClientId String Null ClientId (AppId) to use when creating the Access token.
ClientSecret string Null When AuthType is ClientSecret, Is Secret associated with the client, this should only be used for testing and development purposes.
Example for ClientSecret for Azure Bot Service
  "Connections": {
    "BotServiceConnection": {
      "Assembly": "Microsoft.Agents.Authentication.Msal",
      "Type": "Microsoft.Agents.Authentication.Msal.MsalAuth",
      "Settings": {
        "AuthType": "ClientSecret",
        "ClientId": "<<ClientID>>",
        "ClientSecret": "<<ClientSecret>>",
        "AuthorityEndpoint": "https://login.microsoftonline.com/botframework.com",
        "TenantId": "<<ClientTenantId>>",
        "Scopes": [
            "https://api.botframework.com/.default"
          ],
      }
    }
  }

UserManagedIdentity

Setting Name Type Default Value Description
ClientId String Null Managed Identity ClientId to use when creating the Access token.

When using the Managed Identity Types, your host or client must be running with an Azure Service and have set up that service with either a System Assigned Managed identity, or a User Assigned Managed identity.

Example for UserManagedIdentity
  "Connections": {
    "BotServiceConnection": {
      "Assembly": "Microsoft.Agents.Authentication.Msal",
      "Type": "Microsoft.Agents.Authentication.Msal.MsalAuth",
      "Settings": {
        "AuthType": "UserManagedIdentity",
        "ClientId": "<ClientID>",
        "TenantId": "<<ClientTenantId>>",
        "Scopes": [
          "https://api.botframework.com/.default"
        ]
      }
    }
  }

SystemManagedIdentity

When using Auth type SystemManagedIdentity, Client ID is ignored and the system managed identity for the service is used.

When using the Managed Identity Types, your host or client must be running with an Azure Service and have set up that service with either a System Assigned Managed identity, or a User Assigned Managed identity.

Example for SystemManagedIdentity
  "Connections": {
    "BotServiceConnection": {
      "Assembly": "Microsoft.Agents.Authentication.Msal",
      "Type": "Microsoft.Agents.Authentication.Msal.MsalAuth",
      "Settings": {
        "AuthType": "SystemManagedIdentity",
        "Scopes": [
          "https://api.botframework.com/.default"
        ]
      }
    }
  }

CertificateSubjectName

AuthType Type Default Value Description
ClientId String Null ClientId (AppId) to use when creating the Access token.
CertSubjectName String Null When AuthType is CertificateSubjectName, this is the subject name that is sought
CertStoreName String "My" When AuthType is either CertificateSubjectName or Certificate, Indicates which certificate store to look in
ValidCertificateOnly bool True Requires the certificate to have a valid chain.
SendX5C bool False Enables certificate auto rotation with appropriate configuration.
Example for CertificateSubjectName for SN+I
  "Connections": {
    "BotServiceConnection": {
      "Assembly": "Microsoft.Agents.Authentication.Msal",
      "Type": "Microsoft.Agents.Authentication.Msal.MsalAuth",
      "Settings": {
        "AuthType": "CertificateSubjectName",
        "ClientId": "<ClientID>",
        "CertSubjectName": "<<CertificateSubjectName>>",
        "SendX5C": true,
        "AuthorityEndpoint": "https://login.microsoftonline.com/botframework.com",
        "TenantId": "<<ClientTenantId>>",
        "Scopes": [
          "https://api.botframework.com/.default"
        ]
      }
    }
  },

Certificate

AuthType Type Default Value Description
ClientId String Null ClientId (AppId) to use when creating the Access token.
CertThumbprint String Null Thumbprint of the certificate to load, only valid when AuthType is set as Certificate
CertStoreName String "My" When AuthType is either CertificateSubjectName or Certificate, Indicates which certificate store to look in
ValidCertificateOnly bool True Requires the certificate to have a valid chain.
SendX5C bool False Enables certificate auto rotation with appropriate configuration.
Example for CertificateSubjectName using the certificate thumbprint
  "Connections": {
    "BotServiceConnection": {
      "Assembly": "Microsoft.Agents.Authentication.Msal",
      "Type": "Microsoft.Agents.Authentication.Msal.MsalAuth",
      "Settings": {
        "AuthType": "CertificateSubjectName",
        "ClientId": "<ClientID>",
        "CertThumbprint": "<<CertificateThumbprint>>",
        "AuthorityEndpoint": "https://login.microsoftonline.com/botframework.com",
        "TenantId": "<<ClientTenantId>>",
        "Scopes": [
          "https://api.botframework.com/.default"
        ]
      }
    }
  },
Default Configuration Provider for MSAL

To easy setup, we provide a service provider extension to add the default configuration settings for MSAL to your host.

An example of this from an Asp.net core host:

In a Program.cs class.

    // Add default bot MsalAuth support
    builder.Services.AddDefaultMsalAuth(builder.Configuration);

    // Add Connections object to access configured token connections.
    builder.Services.AddSingleton<IConnections, ConfigurationConnections>();

This extension will look for a configuration section named "MSALConfiguration" in your IConfiguration Object and create an MSAL Configuration object from it.

If the MSALConfig section is not found, it will create the MSAL Configuration Object using default values.

Logging Support for Authentication

The MSAL Authentication system allows for independent logging of authentication flows for telemetry integration should you need to troubleshoot token acquisition.

To enable logging, you would add a entry for :::no-loc text="Microsoft.Agents.Authentication.Msal"::: to your applications app settings to setup an ILogger to report on token operations for your connections, should you have added the MSALEnabledLogPII Option, this will also include PII for your connection.

An example of the logging block in this case would be:
  "Logging": {
    "LogLevel": {
      "Default": "Warning",
      "Microsoft.Agents": "Warning",
      "Microsoft.Hosting.Lifetime": "Information",
      "Microsoft.Agents.Authentication.Msal": "Trace"
    }
  }

In this case, logging is enabled for several modules include Microsoft.Agents.Authentication.Msal, where the trace level is "Trace" for MSAL.

Product Compatible and additional computed target framework versions.
.NET net8.0 is compatible.  net8.0-android was computed.  net8.0-browser was computed.  net8.0-ios was computed.  net8.0-maccatalyst was computed.  net8.0-macos was computed.  net8.0-tvos was computed.  net8.0-windows was computed.  net9.0 was computed.  net9.0-android was computed.  net9.0-browser was computed.  net9.0-ios was computed.  net9.0-maccatalyst was computed.  net9.0-macos was computed.  net9.0-tvos was computed.  net9.0-windows was computed. 
Compatible target framework(s)
Included target framework(s) (in package)
Learn more about Target Frameworks and .NET Standard.

NuGet packages

This package is not used by any NuGet packages.

GitHub repositories (1)

Showing the top 1 popular GitHub repositories that depend on Microsoft.Agents.Authentication.Msal:

Repository Stars
microsoft/Agents
The Microsoft 365 Agent SDK simplifies building full stack, multichannel, trusted agents for platforms including M365, Teams, Copilot Studio, and Webchat.
Version Downloads Last updated
0.2.308-alpha 0 4/10/2025
0.2.295-alpha 68 4/9/2025
0.2.290-alpha 79 4/8/2025
0.2.287-alpha 76 4/5/2025
0.2.286-alpha 118 4/4/2025
0.2.282-alpha 162 4/3/2025
0.2.277-alpha 164 4/1/2025
0.2.271-alpha 104 3/29/2025
0.2.267-alpha 125 3/28/2025
0.2.257-alpha 137 3/27/2025
0.2.180-alpha 458 3/26/2025
0.2.171-alpha 286 3/21/2025
0.2.162-alpha 151 3/19/2025
0.2.154-alpha 277 3/18/2025
0.2.153-alpha 82 3/15/2025
0.2.151-alpha 112 3/14/2025
0.2.146-alpha 302 3/12/2025
0.2.141-alpha 182 3/8/2025
0.2.137-alpha 261 3/7/2025
0.1.26 934 11/18/2024