🔐 What is MSAL?
MSAL (Microsoft Authentication Library) is a Microsoft-supported SDK used to authenticate users and acquire tokens from:
- Azure AD
- Azure AD B2C
- Microsoft Identity Platform (v2 endpoint)

It supports:
- Authorization Code Flow (for web apps)
- Device Code Flow
- Username/password (ROPC – discouraged for production)
- Confidential client (server-to-Azure API access)
- Public client (desktop/mobile apps)
✅ MSAL is used with OpenID Connect and OAuth 2.0 (not SAML)
MSAL is not a SAML library. It's used for OpenID Connect/OAuth2-based authentication flows, usually with Azure AD or Azure B2C.
🧰 MSAL Libraries for .NET
| Platform | Library | NuGet Package |
|---|---|---|
| Web apps / APIs | Microsoft.Identity.Web | Microsoft.Identity.Web |
| General use | Microsoft.Identity.Client | Microsoft.Identity.Client (MSAL itself) |
| Blazor (WASM) | Microsoft.Authentication.WebAssembly.Msal | Blazor-specific |
🔧 Example Usage in .NET Core / .NET 8
For Web Apps (OpenID Connect):
Use Microsoft.Identity.Web:
Under the hood, Microsoft.Identity.Web uses MSAL.NET to acquire and cache tokens.
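The web-app wiring described above, as an added example (not code from the original page or from the Microsoft.Identity.Web project itself). It assumes an `AzureAd` section in appsettings.json (`Instance`, `TenantId`, `ClientId`, `CallbackPath`, and a client credential) populated from your app registration, and that the app only needs the `user.read` delegated scope; the `/token-expiry` endpoint is a hypothetical diagnostic route used to show that token acquisition goes through MSAL.NET without ever echoing the token to the browser.

```csharp
// Program.cs for an ASP.NET Core 8 web app that signs users in with Azure AD
// via Microsoft.Identity.Web (NuGet: Microsoft.Identity.Web, Microsoft.Identity.Web.UI).
// Added example; the "AzureAd" configuration section and the "user.read" scope are assumptions.
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.UI;

var builder = WebApplication.CreateBuilder(args);

// 1. OpenID Connect sign-in against Azure AD / the Microsoft identity platform.
//    AddMicrosoftIdentityWebApp registers the OIDC handler and cookie scheme and
//    configures issuer, nonce and state validation from the AzureAd section.
builder.Services
    .AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"))
    // 2. Let the app acquire access tokens (MSAL.NET under the hood) for a
    //    downstream API. Requesting the scopes at sign-in means the user
    //    consents once instead of being bounced later.
    .EnableTokenAcquisitionToCallDownstreamApi(new[] { "user.read" })
    // 3. Token cache. In-memory is fine for a single instance; a scaled-out
    //    deployment needs a distributed cache (AddDistributedTokenCaches) so
    //    every instance can find a user's cached tokens.
    .AddInMemoryTokenCaches();

// 4. Require an authenticated user on every endpoint by default; opt out with
//    [AllowAnonymous] where needed, rather than opting in page by page and
//    forgetting one.
builder.Services.AddAuthorization(options =>
{
    options.FallbackPolicy = options.DefaultPolicy;
});

// Razor Pages plus the built-in sign-in/sign-out pages
// (/MicrosoftIdentity/Account/SignIn, /MicrosoftIdentity/Account/SignOut).
builder.Services.AddRazorPages().AddMicrosoftIdentityUI();

var app = builder.Build();

app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthentication();   // must run before UseAuthorization
app.UseAuthorization();

// Hypothetical diagnostic route: proves a token can be acquired for the
// signed-in user and reports only its expiry, never the token itself.
app.MapGet("/token-expiry", async (ITokenAcquisition tokenAcquisition) =>
{
    AuthenticationResult result =
        await tokenAcquisition.GetAuthenticationResultForUserAsync(new[] { "user.read" });
    return Results.Ok(new { result.ExpiresOn, result.TenantId });
}).RequireAuthorization();

app.MapRazorPages();
app.MapControllers();      // the MicrosoftIdentity UI area is controller-based

app.Run();
```

Everything in the `AzureAd` section can be read from configuration providers such as user secrets or a key vault; the client credential in particular should not sit in a checked-in appsettings.json. The `FallbackPolicy` line is the part most often left out: without it, any page that forgets `[Authorize]` is anonymous by default.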
For APIs (Confidential client):
🎯 Where MSAL Fits
| Scenario | Use MSAL? |
|---|---|
| Web app login (Azure AD/B2C) | ✅ Yes |
| Call Microsoft Graph API | ✅ Yes |
| Authenticate users with SAML | ❌ No |
| Acquire tokens for Azure APIs | ✅ Yes |
| Desktop/mobile app login | ✅ Yes |
| Integrate with Okta/ADFS (SAML only) | ❌ No |
📌 Summary
- MSAL is for token acquisition using OAuth 2.0/OpenID Connect, not SAML.
- Use Microsoft.Identity.Web for ASP.NET Core web apps — it simplifies MSAL integration.
- For backend-only APIs, use Microsoft.Identity.Client directly.
- To troubleshoot token/cookie issues, MSAL logging can be enabled via:
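Both the "For APIs (Confidential client)" section above and the logging point in the summary are served by the following added example (not code from the original page or from MSAL.NET itself). It is a backend daemon that uses Microsoft.Identity.Client directly with the client credentials flow and turns on MSAL's logging callback. The environment variable names, the certificate lookup by thumbprint in the current user's store and the Graph request are assumptions for illustration.

```csharp
// Backend daemon acquiring an app-only token through MSAL.NET
// (NuGet: Microsoft.Identity.Client) with MSAL logging enabled.
// Added example; environment variable names, certificate lookup and the
// Graph endpoint are assumptions.
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

static class GraphDaemon
{
    // Application permissions are requested as "<resource>/.default"; the
    // concrete permissions are whatever an admin granted on the app registration.
    private static readonly string[] Scopes = { "https://graph.microsoft.com/.default" };

    public static async Task Main()
    {
        string tenantId = Environment.GetEnvironmentVariable("AZURE_TENANT_ID")
            ?? throw new InvalidOperationException("AZURE_TENANT_ID not set");
        string clientId = Environment.GetEnvironmentVariable("AZURE_CLIENT_ID")
            ?? throw new InvalidOperationException("AZURE_CLIENT_ID not set");
        string thumbprint = Environment.GetEnvironmentVariable("AZURE_CERT_THUMBPRINT")
            ?? throw new InvalidOperationException("AZURE_CERT_THUMBPRINT not set");

        IConfidentialClientApplication app = ConfidentialClientApplicationBuilder
            .Create(clientId)
            // Certificate credential rather than a client secret: the private key
            // stays in the certificate store instead of in a config file.
            .WithCertificate(LoadCertificate(thumbprint))
            .WithAuthority(AzureCloudInstance.AzurePublic, tenantId)
            // MSAL logging: the callback receives each log line. Keep PII logging
            // off outside a live debugging session; with it off, MSAL scrubs
            // identifiers and containsPii is never true.
            .WithLogging(
                (level, message, containsPii) =>
                {
                    if (!containsPii)
                        Console.Error.WriteLine($"[MSAL {level}] {message}");
                },
                LogLevel.Verbose,
                enablePiiLogging: false,
                enableDefaultPlatformLogging: false)
            .Build();

        // Client credentials flow: no user involved. MSAL caches the app token
        // and serves it from cache until it nears expiry, so call this per
        // request rather than storing the token yourself.
        AuthenticationResult result = await app.AcquireTokenForClient(Scopes).ExecuteAsync();
        Console.WriteLine(
            $"Token source: {result.AuthenticationResultMetadata.TokenSource}, " +
            $"expires {result.ExpiresOn:u}");

        using var http = new HttpClient();
        http.DefaultRequestHeaders.Authorization =
            new AuthenticationHeaderValue("Bearer", result.AccessToken);
        using HttpResponseMessage resp =
            await http.GetAsync("https://graph.microsoft.com/v1.0/users?$top=1");
        Console.WriteLine($"Graph responded {(int)resp.StatusCode}");
    }

    // Loads the signing certificate from the current user's personal store.
    private static X509Certificate2 LoadCertificate(string thumbprint)
    {
        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        X509Certificate2Collection matches =
            store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
        return matches.Count > 0
            ? matches[0]
            : throw new InvalidOperationException("Certificate not found in CurrentUser\\My");
    }
}
```

Running it twice in the same process shows `TokenSource: IdentityProvider` on the first call and `Cache` on the second, which is the quickest way to confirm caching is working. The verbose MSAL log on stderr is what you want when a token request fails: it records the authority resolved, the scopes sent and the error code returned by Azure AD, without the token value itself.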