At one point in recent history, VB.Net was one of the most popular development languages around. In fact, there are many legacy applications written in VB.Net and even still, VB.Net is still in the top 10 languages ( source: https://www.techworm.net/2018/02/popular-programming-languages-2018-according-tiobe-pypl.html ).  I will show a simple console application using VB.Net to authenticate using MSAL.Net

Of course, the first step, as in everything Azure, starts with setting up an app registration to use for Authentication. For this demonstration, I created a single tenant app registration with the following Redirect URI configured ( urn:ietf:wg:oauth:2.0:oob ):

There is nothing else special about this app registration.

Now, for the code. To start with, you must install the Microsoft.Identity.Client from the Nuget package manager. I will present to you sample VB.Net code that performs authentication synchronously, then asynchronously.

Imports Microsoft.Identity.Client

Module Module1

    Private _accessToken As String = String.Empty
    Private Const client_id As String = "{client_id}" '<-- enter the client_id guid here
    Private Const tenant_id As String = "{tenant_id}" '<-- enter either your tenant id here
    Private authority As String = $"https://login.microsoftonline.com/{tenant_id}"
    Private scopes As New List(Of String)

    Sub Main()

        scopes.Add($"{client_id}/.default")

        Console.WriteLine("Starting Synchronous Sample...")

        SyncSample()

        Console.WriteLine($"{Environment.NewLine}End Synchronous Sample...{Environment.NewLine}Start Asynchronous Sample...")

        AsyncSample()

        Console.WriteLine($"{Environment.NewLine}End Asynchronous Sample.{Environment.NewLine}Press any key to close...")
        Console.ReadKey()

    End Sub

#Region "Synchronous Code"


    Private Sub SyncSample()
        If Login() Then
            Console.WriteLine(_accessToken)
        Else
            Console.WriteLine("Not Authorized")
        End If
    End Sub

    Private Function Login() As Boolean

        Dim publicClientApp As IPublicClientApplication
        publicClientApp = PublicClientApplicationBuilder.Create(client_id).WithAuthority(authority).Build()

        Dim accounts As IEnumerable(Of IAccount) = publicClientApp.GetAccountsAsync().Result()
        Dim firstAccount As IAccount = accounts.FirstOrDefault()
        Dim authResult As AuthenticationResult

        Try
            authResult = publicClientApp.AcquireTokenSilent(scopes, firstAccount).ExecuteAsync().Result()
        Catch e As MsalUiRequiredException
            Try
                authResult = publicClientApp.AcquireTokenInteractive(scopes).ExecuteAsync().Result()
            Catch ex As Exception
                'user cancelled
                Return False
            End Try
        Catch ex As Exception
            Console.WriteLine($"Auth Exception: {ex.Message}")
            Return False
        End Try

        _accessToken = authResult.AccessToken

        Return True

    End Function

#End Region

#Region "Asynchronous Code"

    Private Sub AsyncSample()

        Dim task As Task(Of Boolean) = LoginTask()

        If task.Result() Then
            Console.WriteLine(_accessToken)
        Else
            Console.WriteLine("Not Authorized")
        End If
    End Sub

    Private Async Function LoginTask() As Task(Of Boolean)
        Dim publicClientApp As IPublicClientApplication
        publicClientApp = PublicClientApplicationBuilder.Create(client_id).WithAuthority(authority).Build()

        Dim accounts As IEnumerable(Of IAccount) = Await publicClientApp.GetAccountsAsync()
        Dim firstAccount As IAccount = accounts.FirstOrDefault()
        Dim authResult As AuthenticationResult

        Dim tryInteractive As Boolean = False

        Try
            authResult = Await publicClientApp.AcquireTokenSilent(scopes, firstAccount).ExecuteAsync()
            _accessToken = authResult.AccessToken
        Catch e As MsalUiRequiredException
            tryInteractive = True
        End Try

        If tryInteractive Then
            Try
                authResult = Await publicClientApp.AcquireTokenInteractive(scopes).ExecuteAsync()
                _accessToken = authResult.AccessToken
            Catch ex As Exception
                Return False
            End Try
        End If

        Return _accessToken <> String.Empty

    End Function

#End Region

End Module

 

Although there are quite a few differences from our C# samples, we can still leverage MSAL in our VB.Net code as well with some minor changes.

UPDATE: 06/18/2020
To clear up some confusion about the redirect URI, please try selecting the default MSAL redirect from the portal that is created when you create the app registration and after selecting that by clicking the checkbox, click the save button:

Then, modify your code to add the .WithRedirectUri parameter like so:
publicClientApp = PublicClientApplicationBuilder.Create(client_id).WithAuthority(authority).WithRedirectUri(“msal28a00d08-ba05-4015-a269-9d0546e850b9://auth”).Build()

The redirect URI I had in this post, I obtained to see what the default was sent during authentication by running fiddler, in an attempt to make this more universal for everyone, which apparently isn’t the case 🙂

15 Thoughts to “VB.NET – Use MSAL.Net in a Console Application to Authenticate to Azure”

  1. Thomas

    Hi. That doesn’t work for me. I’m getting an Error when trying to log in.
    “AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application:”
    I know one can configure the redirection_URI in Azure-Portal, but the way i understand it the redirection_URI must be the same in your application. But where in your code can I set the redirection URI so that it matches the one I’ve set in Azure-Portal?

    1. Ray Held [MSFT]

      Yes, the redirection uri is part of the authentication process so they must match exactly. Try setting the redirect uri in both the portal and the app to match.

    2. Bac Hoang [MSFT]

      Also do you have the Correlation ID, Request ID, and Timestamp from the error message?

  2. Vince Averello

    The Azure team in my firm is telling me that the registration won’t accept “urn:ietf:wg:oauth:2.0:oob” as a valid URI. Any suggestions?

    1. Ray Held [MSFT]

      Are you doing a native app or a web app or just using my sample? Try setting it to http://localhost but you will need to modify the sample app too and add that as a redirect uri since that is part of the authentication process. Like this:

      publicClientApp = PublicClientApplicationBuilder.Create(client_id).WithRedirectUri(“http://localhost”).WithAuthority(authority).Build()

      1. Vince Averello

        I got “AADSTS500113: No reply address is registered for the application. ” back

        1. Ray Held [MSFT]

          The redirect url you use in the app code must also be present in the reply url list on the app registration in the portal. They must also match exactly. If this is the case, I would suggest opening a support ticket so we can review the details of the app registration and your code.

    2. Bac Hoang [MSFT]

      This is still possible although the App Registration portal has changed a bit. In the Authentication blade, click on ‘Add a platform’ button under Platform configuration. Then choose ‘Mobile and desktop application’ you should then be able to add the above urn: reply URL in that section. The portal does some enforcing rule so you can’t add that reply URL into the ‘Web’ type client.

  3. prabu

    Hi,
     
    I am getting accounts as zero always from below line. What could be the reason for that?
     

    Dim accounts As IEnumerable(Of IAccount) = Await publicClientApp.GetAccountsAsync()
            Dim firstAccount As IAccount = accounts.FirstOrDefault()
    

     
    Any help is appreciated.

    1. Ray Held [MSFT]

      The GetAccountAsync method is looking for accounts that are present in the token cache. If you have never authenticated, then it would be expected to be 0. https://docs.microsoft.com/en-us/dotnet/api/microsoft.identity.client.clientapplicationbase.getaccountasync?view=azure-dotnet

  4. Srini

    Hi, I am also facing the same issue with the reply url. i have only one reply url for my AAD App and i have made sure the local host url is matching the url in the AAD App. however i keep getting the same error:
     
    AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: 
     
    Any help would be appreciated.

    1. Ray Held [MSFT]

      Go to the portal and your app registration, select the default MSAL redirect uri and click save ( format of that one is “msal{client_id}://auth” so in my tenant, it is “msal28a00d08-ba05-4015-a269-9d0546e850b9://auth”. Then, in your code, where the public client is being set, after the .WithAuthority(….) add a .WithRedirectUri(“your new msal redirect”) but before the .build. So, like this ( using my example ):
      publicClientApp = PublicClientApplicationBuilder.Create(client_id).WithAuthority(authority).WithRedirectUri(“msal28a00d08-ba05-4015-a269-9d0546e850b9://auth”).Build()

      The redirect uri I have in this post, I obtained by running a fiddler trace to see what the default would be so that it would be the same for everyone but, seems that isn’t working out after all 😉

  5. Luis

    Hi, thanks for the good tutorial!

    Unfortunately it doesn’t work for me.
    I’m using .net framework 4.6 in my windows forms application.

    When i try to call AcquireTokenInteractive, nothing happens.       
    [spoiler title=”Call”] authResult = Await publicClientApp.AcquireTokenInteractive(scopes).ExecuteAsync() [/spoiler]

    The Program returns to my start window.
    I tried to use different options between “publicClientApp.AcquireTokenInteractive(scopes).executeAsync()”.
    Like “publicClientApp.AcquireTokenInteractive(scopes).WithParentActivityOrWindow(Me).executeAsync()”

    I’m thankful for any suggestions. Thanks!

    1. Ray Held [MSFT]

      If you make a form with a button ( called btnLogin ) and a text box called ( textbox1 ) then something like this will need to be done.

      Imports Microsoft.Identity.Client

      Public Class Form1

      Private accessToken As String = String.Empty
      Private idToken As String = String.Empty

      Private client_id As String = “{client_id}”
      Private client_secret As String = “{client_secret}”
      Private tenant_id As String = “{tenant_id}”
      Private redirect_uri As String = “http://localhost”
      Private scopes() As String = New String() {“openid offline_access User.Read”}

      Private isLoggedIn As Boolean = False

      Private Sub btnSignIn_Click(sender As Object, e As EventArgs) Handles btnSignIn.Click

      ‘we need a task to get MSAL to log us in
      Dim task = New Task(AddressOf Login)
      task.Start()
      task.Wait()

      End Sub

      Private Async Sub Login()
      Try
      Dim app As IPublicClientApplication = PublicClientApplicationBuilder.Create(client_id).WithRedirectUri(redirect_uri).WithTenantId(tenant_id).WithAuthority(AadAuthorityAudience.AzureAdMyOrg).Build()
      Dim authResult As AuthenticationResult = Nothing

      accessToken = String.Empty

      authResult = Await app.AcquireTokenInteractive(scopes).ExecuteAsync()
      If authResult.AccessToken <> String.Empty Then
      accessToken = authResult.AccessToken
      End If
      Catch ex As Exception
      MessageBox.Show(ex.InnerException.Message)
      End Try

      ‘Since this thread runs under the ui thread, we need a delegate method to update the text box
      TextBox1.BeginInvoke(New InvokeDelegate(AddressOf InvokeMethod))

      Return
      End Sub

      Private Delegate Sub InvokeDelegate()
      Private Sub InvokeMethod()
      TextBox1.Text = accessToken
      End Sub

      End Class

      1. Luis

        Thats it! Thanks a lot!

Leave a Comment