Calling an ASP.NET Core Web API from a WPF application using Azure AD V2

Last updated: 4/16/2019
Edit on GitHub

About this sample


You expose a Web API and you want to protect it so that only authenticated users can access it. You want to enable apps authenticating users with both work and school accounts or Microsoft personal accounts (formerly live account) to use your Web API.

Later you enrich your Web API by enabling it to call another Web API such as the Microsoft Graph

Structure of the repository

This repository contains a progressive tutorial made of two parts:

Sub folder Description
1. Desktop app calls Web API This first part, presents an ASP.NET Core 2.2 Web API protected by Azure Active Directory OAuth Bearer Authentication. This Web API is exercised by a .NET Desktop WPF application. This subfolder contains a Visual Studio solution made of two applications: the desktop application (TodoListClient), and the Web API (TodoListService)

2. Web API now calls Microsoft Graph This second part presents an increment where the Web API now calls Microsoft Graph on-behalf of the user signed-in in the desktop application. In this part, the Web API uses the Microsoft Authentication Library for .NET (MSAL.NET) to acquire a token for Microsoft Graph using the on-behalf-of flow

Note: Even if you'll probably get the most of this tutorial by going through the part in the proposed order, it's also possible to jump directly to the second part.

User experience with this sample

In the first part of the tutorial

The Web API (TodoListService) maintains an in-memory collection of to-do items per authenticated user. Several applications signed-in under the same identities share the same to-do list.

The WPF application (TodoListClient) enables a user to:

  • Sign in. The first time a user signs in, a consent screen is presented letting the user consent for the application accessing the TodoList Service.
  • When the user has signed-in, the user sees the list of to-do items exposed by Web API for the signed-in identity
  • The user can add more to-do items by clicking on Add item button.

Next time a user runs the application, the user is signed-in with the same identity as the application maintains a cache on disk. Users can clear the cache (which will also have the effect of signing them out)

In the second part of the tutorial

The second phase of the tutorials modifies the Web API so that the todo-items also mention the identity of the user adding them.

How to run this sample


  • Install .NET Core for Windows by following the instructions at, which will include Visual Studio 2017.
  • An Internet connection
  • An Azure Active Directory (Azure AD) tenant. For more information on how to get an Azure AD tenant, see How to get an Azure AD tenant
  • A user account in your Azure AD tenant, or a Microsoft personal account

Step 1: Clone or download this repository

From your shell or command line:

git clone aspnetcore-webapi
cd aspnetcore-webapi

Given that the name of the sample is pretty long, that it has sub-folders and so are the name of the referenced NuGet pacakges, you might want to clone it in a folder close to the root of your hard drive, to avoid file size limitations on Windows.

Community Help and Support

Use Stack Overflow to get support from the community. Ask your questions on Stack Overflow first and browse existing issues to see if someone has asked your question before. Make sure that your questions or comments are tagged with [msal dotnet].

If you find a bug in the sample, please raise the issue on GitHub Issues.

To provide a recommendation, visit the following User Voice page.


If you'd like to contribute to this sample, see CONTRIBUTING.MD.

This project has adopted the Microsoft Open Source Code of Conduct. For more information, see the Code of Conduct FAQ or contact with any additional questions or comments.

Other samples and documentation