Generate token console for Intune datawarehouse


Here's the code snippet pulled from Microsoft Learn (https://learn.microsoft.com/en-us/mem/intune/developer/data-warehouse-app-only-auth-)

It seems the lines with AuthenticationContext, ClientCredential and SecureClientSecret are deprecated. For example: 'ClientCredential' is obsolete: 'Use ConfidentialClientApplicationBuilder.WithCertificate or WithClientSecret instead.' I cannot get this code snippet to work.

using System;
using System.Configuration;
using System.Security;
using Microsoft.IdentityModel.Clients.ActiveDirectory; // legacy ADAL library that defines AuthenticationContext, ClientCredential and SecureClientSecret

class IntuneDataWarehouse
{
    public static void Main()
    {
        Console.WriteLine("Intune Datawarehouse Start");

        var applicationId = ConfigurationManager.AppSettings["appId"];
        // Load as SecureString from configuration file or secret store (i.e. Azure KeyVault)
        SecureString applicationSecret = ConvertToSecureStr(ConfigurationManager.AppSettings["appKey"]);
        var tenantDomain = ConfigurationManager.AppSettings["tenantDomain"];
        var msalContext = new AuthenticationContext("https://login.windows.net/" + tenantDomain + "/oauth2/token");

        // Deprecated ADAL client-credentials call; this is where the obsolete warnings come from
        AuthenticationResult authResult = msalContext.AcquireTokenAsync(
            resource: "https://api.manage.microsoft.com/",
            clientCredential: new ClientCredential(
                applicationId,
                new SecureClientSecret(applicationSecret))).Result;

        Console.WriteLine("End of run");
    }

    // Helper referenced above: copies the key into a read-only SecureString
    private static SecureString ConvertToSecureStr(string authKey)
    {
        if (authKey == null)
            throw new ArgumentNullException(nameof(authKey));

        var secureAuthKey = new SecureString();
        foreach (char c in authKey)
            secureAuthKey.AppendChar(c);
        secureAuthKey.MakeReadOnly();
        return secureAuthKey;
    }
}

Has anyone worked on similar code?

VonC (best answer):

Instead of Microsoft.IdentityModel.Clients.ActiveDirectory (now considered obsolete), consider Microsoft.Identity.Client (MSAL) and ConfidentialClientApplicationBuilder, which is the recommended way to acquire tokens for applications. That method supports both client secrets and certificates for authentication.

Similar to this example, or this one (to get a token), your code would be:

using Microsoft.Identity.Client;
using System;
using System.Configuration;
using System.Threading.Tasks;

class IntuneDataWarehouse
{
    public static async Task Main()
    {
        Console.WriteLine("Intune Datawarehouse Start");

        // Configuration parameters
        var applicationId = ConfigurationManager.AppSettings["appId"];
        var applicationSecret = ConfigurationManager.AppSettings["appKey"];
        var tenantId = ConfigurationManager.AppSettings["tenantId"]; // Make sure your configuration has tenantId
        var authority = $"https://login.microsoftonline.com/{tenantId}";
        var scope = new string[] { "https://api.manage.microsoft.com/.default" }; // Using /.default for app permissions

        // Build the MSAL client
        var confidentialClient = ConfidentialClientApplicationBuilder.Create(applicationId)
            .WithClientSecret(applicationSecret)
            .WithAuthority(new Uri(authority))
            .Build();

        // Acquire token
        var authResult = await confidentialClient.AcquireTokenForClient(scope).ExecuteAsync();

        Console.WriteLine("Token acquired: " + authResult.AccessToken);
        Console.WriteLine("End of run");
    }
}

Remember to update your app's registration in Azure AD to include permissions for Microsoft Intune and grant admin consent for those permissions.

The authority URL is changed to https://login.microsoftonline.com/{tenantId}, which is the recommended format. For app-only authentication, the scope is defined using https://api.manage.microsoft.com/.default. That scope indicates that the application is requesting the permissions defined directly in the Azure portal for the app. The Main method is asynchronous (async Task), to properly await the asynchronous call to AcquireTokenForClient.
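As an added example (not code from the answer or from Microsoft's sample), this follows the certificate route the answer mentions: the same AcquireTokenForClient flow built with WithCertificate instead of WithClientSecret, and the resulting token presented as a Bearer header to the Data Warehouse collection URL. The tenant id, client id, certificate thumbprint and collection URL are placeholders you supply from your own tenant.

```csharp
using System;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

class IntuneDataWarehouseCertAuth
{
    // Assumed placeholders: take these from your own tenant and app registration.
    const string TenantId = "<tenant-id>";
    const string ClientId = "<application-client-id>";
    const string CertThumbprint = "<thumbprint-of-certificate-uploaded-to-the-app-registration>";
    const string DataWarehouseUrl = "<data-warehouse-collection-url>"; // copied from the Intune portal
    static readonly string[] Scopes = { "https://api.manage.microsoft.com/.default" };

    public static async Task Main()
    {
        // Locate the certificate (with its private key) in the current user's store by thumbprint.
        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        var cert = store.Certificates
            .Find(X509FindType.FindByThumbprint, CertThumbprint, validOnly: false)
            .Cast<X509Certificate2>()
            .FirstOrDefault()
            ?? throw new InvalidOperationException("Signing certificate not found in CurrentUser\\My");

        // Same client-credentials flow as WithClientSecret, but MSAL signs a client assertion
        // with the certificate, so no shared secret has to live in app.config.
        var app = ConfidentialClientApplicationBuilder.Create(ClientId)
            .WithCertificate(cert)
            .WithAuthority(new Uri($"https://login.microsoftonline.com/{TenantId}"))
            .Build();

        AuthenticationResult result = await app.AcquireTokenForClient(Scopes).ExecuteAsync();
        // Log metadata only; the access token itself should never reach the console or log files.
        Console.WriteLine($"Token acquired, expires {result.ExpiresOn:u}");

        // Present the token as a Bearer header on the Data Warehouse collection URL.
        using var http = new HttpClient();
        http.DefaultRequestHeaders.Authorization =
            new AuthenticationHeaderValue("Bearer", result.AccessToken);
        using var response = await http.GetAsync(DataWarehouseUrl);
        Console.WriteLine($"Data Warehouse responded {(int)response.StatusCode} {response.ReasonPhrase}");
        response.EnsureSuccessStatusCode();
        string json = await response.Content.ReadAsStringAsync();
        Console.WriteLine($"Received {json.Length} characters of JSON");
    }
}
```

The public half of the certificate must be uploaded under the app registration's Certificates & secrets, and the same Intune API permission with admin consent is still required.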