How To
Summary
This article explains MSAL token acquisition for SharePoint Online (SPO) app-only access: the concept, where each piece lives (portal versus your .NET code), and what each piece is for.
Objective
| Concept | Where it lives | Purpose |
| --- | --- | --- |
| App Registration | Azure portal (Entra ID) | Defines who your app is |
| Certificates / secrets | App Registration | Proves the app's identity |
| API permissions | App Registration | Defines what the app is allowed to do |
| MSAL token acquisition | Your .NET code (runtime) | Gets an OAuth access token from Entra ID |
| ClientContext usage | Your code | Uses the token to call SPO (CSOM) |
Environment
Azure, SharePoint Online
Steps
MSAL is code that runs inside your application; it is not a portal setting.
Why there is no "MSAL setting" in App Registration
Because MSAL:
- Is just a client library (Microsoft.Identity.Client)
- Talks to the Entra ID (Azure AD) OAuth token endpoint:
  https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
- Uses values that already exist in the App Registration:
  - client_id
  - certificate / secret
  - scopes (https://<tenant>.sharepoint.com/.default)
Entra ID does not need to know MSAL exists; it only sees a standard OAuth 2.0 client credentials request.
Before MSAL can acquire a token, these must be configured in the portal.
Create / update the App Registration
Azure Portal -> Entra ID -> App registrations
- Single-tenant (recommended)
- No redirect URI needed for daemon apps
API permissions (CRITICAL)
Add Application permissions (not Delegated), because a daemon has no signed-in user:
SharePoint -> Sites.FullControl.All (or a narrower Sites.* application permission if full control is not required)
Then:
- Grant admin consent for the tenant
NOTE: Without admin consent the MSAL token request still succeeds, but the token carries no roles claim and SPO rejects it with 401/403.
Credentials (one required)
Choose one of the following:
Certificate (recommended for services)
- Upload the public key (.cer) to the App Registration
- Keep the private key in the machine certificate store; never copy it into config
OR
Client Secret (not ideal for long-term services: it is a shared password that expires and can be copied)
- Store it in Key Vault or protected configuration, never in source control
Using a client secret (acceptable but less secure)
using Microsoft.Identity.Client;

// clientId, tenantId and clientSecret come from the App Registration; read the secret from Key Vault or configuration
var app = ConfidentialClientApplicationBuilder
    .Create(clientId)
    .WithTenantId(tenantId)
    .WithClientSecret(clientSecret)
    .Build();

// App-only (client credentials) token for SharePoint Online; .default requests all consented application permissions
var result = await app
    .AcquireTokenForClient(new[] { "https://<tenant>.sharepoint.com/.default" })
    .ExecuteAsync();
Where MSAL token acquisition happens
In your .NET code (runtime)
MSAL is a NuGet library your application uses to authenticate.
Install-Package Microsoft.Identity.Client
Example: App‑only (daemon/service) token acquisition
Using a certificate (best practice)
using Microsoft.Identity.Client;
using System.Security.Cryptography.X509Certificates;

var tenantId = "<tenant-id>";
var clientId = "<app-client-id>";
var siteScope = "https://<tenant>.sharepoint.com/.default";

// Load the certificate (with its private key) from the machine certificate store.
// LoadCertificateFromStore is your own lookup, e.g. X509Store + Find by subject or thumbprint.
var cert = LoadCertificateFromStore("CN=MyCertName");

var app = ConfidentialClientApplicationBuilder
    .Create(clientId)
    .WithTenantId(tenantId)
    .WithCertificate(cert)   // MSAL signs a client assertion (JWT) with the private key; the key never leaves the machine
    .Build();

AuthenticationResult result =
    await app.AcquireTokenForClient(new[] { siteScope })
        .ExecuteAsync();

string accessToken = result.AccessToken;
This is MSAL token acquisition.
It runs when your app starts and again whenever the token expires: MSAL caches the token in memory and a later AcquireTokenForClient call returns the cached token until it is near expiry, then requests a new one.
How this connects to SharePoint CSOM
Once you have the token:
using Microsoft.SharePoint.Client;

var ctx = new ClientContext(siteUrl);
// Attach the bearer token to every CSOM request
ctx.ExecutingWebRequest += (sender, e) =>
{
    e.WebRequestExecutor.RequestHeaders["Authorization"] =
        "Bearer " + accessToken;
};
ctx.Load(ctx.Web, w => w.Title);
ctx.ExecuteQuery();
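The snippet above captures one access token string; in a long-running service that token expires after about an hour. The following is an added example (not code from the original article) that calls MSAL inside the ExecutingWebRequest handler instead, so the in-memory cache serves the token until it is near expiry and then refreshes it. It assumes the certificate-based App Registration and Sites.FullControl.All application permission described above; the tenant, client id, site URL and thumbprint are placeholders, and LoadCert is a helper written for this example.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.Identity.Client;
using Microsoft.SharePoint.Client;

class SpoDaemon
{
    // Placeholders: take these from your App Registration and tenant (assumed values)
    const string TenantId = "<tenant-id>";
    const string ClientId = "<app-client-id>";
    const string SiteUrl = "https://<tenant>.sharepoint.com/sites/<site>";
    const string CertThumbprint = "<thumbprint>";
    static readonly string[] Scopes = { "https://<tenant>.sharepoint.com/.default" };

    // Example helper: find the certificate by thumbprint in the machine store.
    // The private key stays in the store; MSAL only needs a handle to it.
    static X509Certificate2 LoadCert(string thumbprint)
    {
        using var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        var cert = store.Certificates
            .Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false)
            .OfType<X509Certificate2>()
            .FirstOrDefault();
        return cert ?? throw new InvalidOperationException("Certificate not found in LocalMachine\\My");
    }

    static async Task Main()
    {
        // One confidential client per process: its in-memory token cache is what makes the
        // per-request AcquireTokenForClient call cheap.
        IConfidentialClientApplication app = ConfidentialClientApplicationBuilder
            .Create(ClientId)
            .WithTenantId(TenantId)
            .WithCertificate(LoadCert(CertThumbprint))
            .Build();

        using var ctx = new ClientContext(SiteUrl);
        ctx.ExecutingWebRequest += (sender, e) =>
        {
            // Ask MSAL on every request. It returns the cached token until it is close to
            // expiry, then silently acquires a fresh one, so no stale bearer token is ever sent.
            AuthenticationResult result;
            try
            {
                result = app.AcquireTokenForClient(Scopes).ExecuteAsync().GetAwaiter().GetResult();
            }
            catch (MsalServiceException ex)
            {
                // Typical causes: wrong tenant/client id, expired certificate, or the app not consented
                throw new InvalidOperationException($"Token request failed: {ex.ErrorCode} {ex.Message}", ex);
            }
            e.WebRequestExecutor.RequestHeaders["Authorization"] = "Bearer " + result.AccessToken;
        };

        // Minimal CSOM call that proves the token is accepted by SPO
        ctx.Load(ctx.Web, w => w.Title, w => w.Url);
        await ctx.ExecuteQueryAsync();
        Console.WriteLine($"Connected to '{ctx.Web.Title}' at {ctx.Web.Url}");
    }
}
```

If SPO answers 401/403 here while the token request succeeded, the problem is almost always consent or scope, not MSAL; decode the token as described in the next section before changing code.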
How to verify the MSAL token is correct
Paste the access token into https://jwt.ms and verify:
| Claim | Expected |
| --- | --- |
| iss | An Entra ID issuer (login.microsoftonline.com or sts.windows.net), not the ACS issuer |
| aud | https://<tenant>.sharepoint.com |
| appid | Your App (Client) ID |
| roles | Contains Sites.FullControl.All (or whichever application permission you granted) |
| idtyp | app |
If roles is missing -> application permissions not added or admin consent not granted
If the issuer is ACS (00000001-0000-0000-c000-000000000000@<tenant>) -> wrong flow (legacy SharePoint app-only), not MSAL
If aud is https://graph.microsoft.com -> wrong scope (you requested Graph, not https://<tenant>.sharepoint.com/.default)
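The same checks can be scripted so a service can fail fast with a clear message instead of a bare 401 from SPO. The following is an added example, not part of the original article: it decodes the JWT payload only (no signature validation, so it is a diagnostic and must never be used to authorize anything) and reports which row of the table above fails. The expected audience and client id are assumed placeholder values, and the sample tokens at the bottom are constructed for offline demonstration.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using System.Text.Json;

static class SpoTokenCheck
{
    // Assumed values for this example; replace with your tenant and App (Client) ID
    const string ExpectedAudience = "https://contoso.sharepoint.com";
    const string ExpectedAppId = "11111111-2222-3333-4444-555555555555";
    const string ExpectedRole = "Sites.FullControl.All";
    const string AcsIssuerPrefix = "00000001-0000-0000-c000-000000000000@";

    // Returns an empty list when the token matches the table; otherwise one line per mismatch.
    public static List<string> Check(string jwt)
    {
        var problems = new List<string>();
        var parts = jwt.Split('.');
        if (parts.Length != 3)
        {
            problems.Add("Not a JWS (expected header.payload.signature)");
            return problems;
        }

        using var doc = JsonDocument.Parse(Base64UrlDecode(parts[1]));
        var claims = doc.RootElement;
        string Str(string name) =>
            claims.TryGetProperty(name, out var v) && v.ValueKind == JsonValueKind.String ? v.GetString() : null;

        var iss = Str("iss") ?? "";
        if (iss.StartsWith(AcsIssuerPrefix, StringComparison.OrdinalIgnoreCase))
            problems.Add("iss is ACS: wrong flow (legacy app-only), SPO no longer trusts it");
        else if (!iss.Contains("login.microsoftonline.com") && !iss.Contains("sts.windows.net"))
            problems.Add($"iss '{iss}' is not an Entra ID issuer");

        var aud = (Str("aud") ?? "").TrimEnd('/');
        if (aud.Contains("graph.microsoft.com", StringComparison.OrdinalIgnoreCase))
            problems.Add("aud is Microsoft Graph: wrong scope, request https://<tenant>.sharepoint.com/.default");
        else if (!string.Equals(aud, ExpectedAudience, StringComparison.OrdinalIgnoreCase))
            problems.Add($"aud '{aud}' is not the SPO tenant");

        if (!string.Equals(Str("appid"), ExpectedAppId, StringComparison.OrdinalIgnoreCase))
            problems.Add("appid does not match the App (Client) ID");

        if (!claims.TryGetProperty("roles", out var roles) || roles.ValueKind != JsonValueKind.Array)
            problems.Add("roles missing: application permission not added or admin consent not granted");
        else
        {
            var found = false;
            foreach (var r in roles.EnumerateArray()) found |= r.GetString() == ExpectedRole;
            if (!found) problems.Add($"roles does not contain {ExpectedRole}");
        }

        if (Str("idtyp") != "app")
            problems.Add("idtyp is not 'app': this is not an app-only token");

        return problems;
    }

    static byte[] Base64UrlDecode(string s)
    {
        s = s.Replace('-', '+').Replace('_', '/');
        s = s.PadRight(s.Length + (4 - s.Length % 4) % 4, '=');
        return Convert.FromBase64String(s);
    }

    static string Base64UrlEncode(string s) =>
        Convert.ToBase64String(Encoding.UTF8.GetBytes(s)).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // Constructed, unsigned sample token (alg none, empty signature) for offline use only
    static string Sample(string payloadJson) => Base64UrlEncode("{\"alg\":\"none\"}") + "." + Base64UrlEncode(payloadJson) + ".";

    static void Main()
    {
        var good = Sample("{\"iss\":\"https://sts.windows.net/tid/\",\"aud\":\"https://contoso.sharepoint.com\"," +
                          "\"appid\":\"11111111-2222-3333-4444-555555555555\",\"roles\":[\"Sites.FullControl.All\"],\"idtyp\":\"app\"}");
        var bad = Sample("{\"iss\":\"https://sts.windows.net/tid/\",\"aud\":\"https://graph.microsoft.com\"," +
                         "\"appid\":\"11111111-2222-3333-4444-555555555555\",\"idtyp\":\"app\"}");
        Console.WriteLine("good: " + (Check(good).Count == 0 ? "OK" : string.Join("; ", Check(good))));
        Console.WriteLine("bad:  " + string.Join("; ", Check(bad)));   // wrong scope and missing roles
    }
}
```

Run it against the AccessToken returned by AcquireTokenForClient; the two constructed samples show a token that passes and one that was requested with the Graph scope and never consented.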
Why the change is needed:
Your current (legacy) flow:
- Still gets a token
- The token is issued by ACS (Azure Access Control Service)
- SPO no longer trusts ACS-issued tokens, so calls fail
MSAL flow:
- The token is issued by Entra ID (Azure AD)
- Uses modern OAuth 2.0 client credentials
- SPO trusts it
- CSOM succeeds
MSAL token acquisition:
- Is not configured in the App Registration UI
- Is implemented in your .NET code
- Uses the App Registration's identity (client id plus certificate or secret) together with its consented permissions
- Is required to replace ACS / legacy authentication
Document Location
Worldwide
Document Information
Modified date:
28 April 2026
UID
ibm17271113