This app demonstrates how to use the Microsoft identity platform to access the data of Microsoft business customers in a long-running, non-interactive process. It uses the Microsoft Authentication Library (MSAL) for Java to acquire an access token, which it then uses to call Microsoft Graph and accesses organizational data. The sample utilizes the OAuth 2 client credentials grant and a secret value configured in Azure to obtain an access token for calls to Microsoft Graph.

The console application:

• Acquires an access token from Azure AD using its own identity (without a user).
• It then calls the Microsoft Graph /users endpoint to retrieve a list of users, which it then displays on the screen (as a Json blob).

For more information on the concepts used in this sample, be sure to read the Microsoft identity platform endpoint client credentials protocol documentation.

To run this sample, you'll need:

• Working installation of Java 8 or greater and Maven.
• An Azure Active Directory (Azure AD) tenant. For more information on how to get an Azure AD tenant, see How to get an Azure AD tenant.
• One or more user accounts in your Azure AD tenant.

From your shell or command line:

git clone https://github.com/Azure-Samples/ms-identity-java-daemon.git

or download and extract the repository .zip file.

To register the project, you can:

• either follow the steps Step 2: Register the sample with your Azure Active Directory tenant and Step 3: Configure the sample to use your Azure AD tenant
• or use PowerShell scripts that:
  • automatically creates the Azure AD applications and related objects (passwords, permissions, dependencies) for you.
  • modify the project's configuration files.

If you want to use this automation, read the instructions in App Creation Scripts Please note that the configuration of your code (Step 3) still needs to be done manually.

Follow the steps below to manually walk through the steps to register and configure the applications.

As a first step you'll need to:

1. Sign in to the Azure portal using either a work or school account or a personal Microsoft account.
2. If your account is present in more than one Azure AD tenant, select your profile at the top right corner in the menu on top of the page, and then switch directory. Change your portal session to the desired Azure AD tenant.
3. In the portal menu, select the Azure Active Directory service, and then select App registrations.

1. Navigate to the Microsoft identity platform for developers App registrations page.

2. Select New registration.

   • In the Name section, enter a meaningful application name that will be displayed to users of the app, for example java-daemon-console.
   • In the Supported account types section, select Accounts in this organizational directory only ({tenant name}).
   • Click Register button at the bottom to create the application.

3. On the application Overview page, find the Application (client) ID and Directory (tenant) ID values and record it for later. You'll need it to configure the configuration file(s) later in your code.

4. In the Application menu blade, click on the Certificates & secrets, in the Client secrets section, choose New client secret:

   • Type a key description (for instance app secret),
   • Select a key duration of either In 1 year, In 2 years, or Never Expires as per your security concerns.
   • The generated key value will be displayed when you click the Add button. Copy the generated value for use in the steps later.
   • You'll need this key later in your code's configuration files. This key value will not be displayed again, and is not retrievable by any other means, so make sure to note it from the Azure portal before navigating to any other screen or blade.

5. In the Application menu blade, click on the API permissions in the left to open the page where we add access to the Apis that your application needs.

   • Click the Add a permission button and then,
   • Ensure that the Microsoft APIs tab is selected
   • In the Commonly used Microsoft APIs section, click on Microsoft Graph
   • In the Application permissions section, ensure that the right permissions are checked: User.Read.All
   • Select the Add permissions button at the bottom.

6. At this stage, the permissions are assigned correctly but since the client app does not allow users to interact, the user's themselves cannot consent to these permissions. To get around this problem, we'd let the tenant administrator consent on behalf of all users in the tenant. Click the Grant admin consent for {tenant} button, and then select Yes when you are asked if you want to grant consent for the requested permissions for all account in the tenant. You need to be the tenant admin to be able to carry out this operation.

Open the project in your IDE to configure the code.

In the steps below, "ClientID" is the same as "Application ID" or "AppId" and "Tenant ID" is same as "Directory ID".

1. Open the msal-client-credential-secret\src\main\resources\application.properties class
2. Set the CLIENT_ID property to the application/client ID value you recorded earlier
3. Replace Tenant_Info_Here in the AUTHORITY property with the directory/tenant ID value you recorded earlier
4. Set the SECRET property to the secret value you recorded earlier

You can test the sample directly by running the main method of ClientCredentialGrant.java from your IDE.

From your shell or command line:

• $ mvn clean compile assembly:single

This will generate a msal-client-credential-secret-1.0.0.jar file in your /targets directory. Run this using your Java executable like below:

• $ java -jar msal-client-credential-secret-1.0.0.jar

After running, the application should display the list of user in the configured tenant.

The relevant code for this sample is in the ClientCredentialGrant.java file.

1. Create the MSAL confidential client application.

   Important note: even if we are building a console application, it is a daemon, and therefore a confidential client application, as it does not access Web APIs on behalf of a user, but on its own application behalf.

      ConfidentialClientApplication app = ConfidentialClientApplication.builder(
                      clientId,
                      ClientCredentialFactory.createFromSecret(secret))
                      .authority(authority)
                      .build();

2. Define the scopes.

   Specific to client credentials, you don't specify the individual scopes you want to access. You have statically declared them during the application registration step. Therefore the only possible scope is "resource/.default" (here "https://graph.microsoft.com/.default") which means "the static permissions defined in the application"

   // With client credentials flows the scope is ALWAYS of the shape "resource/.default", as the
   // application permissions need to be set statically (in the portal), and then granted by a tenant administrator
   ClientCredentialParameters clientCredentialParam = ClientCredentialParameters.builder(
      Collections.singleton(scope))
      .build();

3. Acquire the token

   Uses the ConfidentialClientApplication, built with the configured authority/client ID/secret, to acquire an access token

       CompletableFuture<IAuthenticationResult> future = app.acquireToken(clientCredentialParam);
       return future.get();    

4. Call the API and read result

   In this case calling "https://graph.microsoft.com/v1.0/users" with the access token as a bearer token.

      URL url = new URL("https://graph.microsoft.com/v1.0/users");
      HttpURLConnection conn = (HttpURLConnection) url.openConnection();
   
      //...
   
      try(BufferedReader in = new BufferedReader(new InputStreamReader(conn.getInputStream()))){
   
          String inputLine;
          response = new StringBuilder();
          while (( inputLine = in.readLine()) != null) {
                      response.append(inputLine);
          }
      }
      return response.toString();

If you get an Forbidden error when calling the API, this is because the tenant administrator has not granted permissions to the application. Check the steps in Register the client app (daemon-console) above.

Use Stack Overflow to get support from the community. Ask your questions on Stack Overflow first and browse existing issues to see if someone has asked your question before. Make sure that your questions or comments are tagged with [msal java].

If you find a bug in the sample, please raise the issue on GitHub Issues.

If you find a bug in msal4j, please raise the issue on MSAL4J GitHub Issues.

To provide a recommendation, visit the following User Voice page.

If you'd like to contribute to this sample, see CONTRIBUTING.MD.

This project has adopted the Microsoft Open Source Code of Conduct. For more information, see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.

For more information, see:

• MSAL4J conceptual documentation.
• Permissions and Consent
• OAuth 2 client credentials grant
• Quickstart: Register an application with the Microsoft identity platform
• Quickstart: Configure a client application to access web APIs
• The documentation for Microsoft identity platform is available from https://aka.ms/aadv2
• Other samples for Microsoft identity platform are available from https://aka.ms/aaddevsamplesv2