For now, this feature is limited to Windows users only. At the time of writing, the team is designing macOS broker support; Linux support follows that release.<\/p>\n
What is a system authentication broker?<\/h2>\n
A system authentication broker<\/em> is an app running on a user’s machine that manages the authentication handshakes and token maintenance for all connected accounts. On Windows, the authentication broker is Web Account Manager (WAM)<\/em>. WAM made its debut in Windows 10 and Windows Server 2019 and continues to ship in the latest releases of Windows. Open the Services<\/strong> snap-in control file via WAM is a broker service that allows apps to request OAuth tokens from identity providers, such as Microsoft Entra ID, in a seamless fashion. With it, identity providers can natively plug into the OS and provide the service to other apps. In no particular order, WAM offers the following benefits:<\/p>\n Many of Microsoft’s developer tools, including Visual Studio<\/a>, Azure CLI<\/a>, and Azure PowerShell<\/a>, already provide WAM integration.<\/p>\n The Azure Identity libraries’ What does the aforementioned default browser-based UI look like? On Windows, there are a couple possibilities:<\/p>\n On macOS, Linux, and earlier versions of Windows\u2014systems on which WAM isn’t supported\u2014the Azure Identity libraries default to a browser-based authentication experience.<\/p>\n To use WAM in your app, complete these steps:<\/p>\n The As a .NET developer, imagine a scenario in which you created a desktop app using WinForms and C#. In that app, you use an Azure Monitor Query client library to query a Log Analytics workspace. The services.msc<\/code>, and you see WAM listed:<\/p>\n![\"WAM](\"https:\/\/devblogs.microsoft.com\/azure-sdk\/wp-content\/uploads\/sites\/58\/2023\/12\/2023-11-30-wam-service.png\")
<\/p>\n\n
Interactive, brokered authentication in the Azure Identity libraries<\/h2>\n
InteractiveBrowserCredential<\/code> type was extended to support WAM. Personal Microsoft accounts and work or school accounts are supported. If a supported version of Windows is used, the default browser<\/a>-based UI is replaced with a smoother authentication experience, similar to Windows built-in apps.<\/p>\n\n
![\"Embedded](\"https:\/\/devblogs.microsoft.com\/azure-sdk\/wp-content\/uploads\/sites\/58\/2023\/12\/2023-11-30-embedded-view.png\")
<\/li>\n![\"System](\"https:\/\/devblogs.microsoft.com\/azure-sdk\/wp-content\/uploads\/sites\/58\/2023\/12\/2023-11-30-system-browser.png\")
<\/li>\n<\/ol>\nGet started<\/h3>\n
\n
ms-appx-web:\/\/microsoft.aad.brokerplugin\/{client_id}<\/code><\/pre>\n{client_id}<\/code> placeholder must be replaced with the Application (client) ID<\/strong> listed on the Overview<\/strong> blade of the app registration.<\/li>\n\n
dotnet add package Azure.Identity\r\ndotnet add package Azure.Identity.Broker<\/code><\/pre>\n<\/li>\nnpm install --save @azure\/identity @azure\/identity-broker<\/code><\/pre>\n<\/li>\npip install azure-identity azure-identity-broker<\/code><\/pre>\n<\/li>\n<\/ul>\n<\/li>\nInteractiveBrowserCredential<\/code> in your app. The credential requires the handle of the parent window that’s requesting the authentication flow. On Windows, the handle is an integer value that uniquely identifies the window.\n\n
using Azure.Identity;\r\nusing Azure.Identity.Broker;\r\n\r\n\/\/ code omitted for brevity\r\n\r\nIntPtr windowHandle = GetForegroundWindow();\r\nInteractiveBrowserCredential credential = new(\r\n new InteractiveBrowserCredentialBrokerOptions(windowHandle)\r\n);<\/code><\/pre>\n<\/li>\nimport com.azure.identity.InteractiveBrowserCredential;\r\nimport com.azure.identity.broker.InteractiveBrowserBrokerCredentialBuilder;\r\n\r\n\/\/ code omitted for brevity\r\n\r\nlong windowHandle = getWindowHandle();\r\nInteractiveBrowserCredential credential = \r\n new InteractiveBrowserBrokerCredentialBuilder()\r\n .setWindowHandle(windowHandle)\r\n .build();<\/code><\/pre>\n<\/li>\nimport { nativeBrokerPlugin } from \"@azure\/identity-broker\";\r\nimport { \r\n useIdentityPlugin,\r\n InteractiveBrowserCredential,\r\n} from \"@azure\/identity\";\r\n\r\nuseIdentityPlugin(nativeBrokerPlugin);\r\n\r\n\/\/ code omitted for brevity\r\n\r\nlet windowHandle = getWindowHandle();\r\n\r\nconst credential = new InteractiveBrowserCredential({\r\n brokerOptions: {\r\n enabled: true,\r\n parentWindowHandle: windowHandle,\r\n },\r\n});<\/code><\/pre>\n<\/li>\nimport win32gui\r\nfrom azure.identity.broker import InteractiveBrowserBrokerCredential\r\n\r\n# code omitted for brevity\r\n\r\nwindow_handle = win32gui.GetForegroundWindow()\r\n\r\ncredential = InteractiveBrowserBrokerCredential(\r\n parent_window_handle=window_handle\r\n)<\/code><\/pre>\n<\/li>\n<\/ul>\n<\/li>\nInteractiveBrowserCredential<\/code> instance.<\/li>\n<\/ol>\nA .NET developer’s end-to-end experience<\/h3>\n
LogsQueryClient<\/code> object in the Monitor Query library requires authentication of a work or school account to Microsoft Entra ID. You’d complete the following steps to use and test WAM:<\/p>\n\n
<ItemGroup>\r\n <PackageReference Include=\"Azure.Identity\" Version=\"1.10.4\" \/>\r\n <PackageReference Include=\"Azure.Identity.Broker\" Version=\"1.0.0\" \/>\r\n <PackageReference Include=\"Azure.Monitor.Query\" Version=\"1.2.0\" \/>\r\n<\/ItemGroup><\/code><\/pre>\n<\/li>\nprivate async void testBrokeredAuth_Click(object sender, EventArgs e)\r\n{\r\n IntPtr windowHandle = this.Handle;\r\n\r\n \/\/ code omitted for brevity\r\n}<\/code><\/pre>\n