Azure: Automatic "Windows" login using MSAL, without "Azure Account selector"


I have an Azure website which currently leverages MSAL and Entra for login and authorization.

Every time the site is loaded on a new session, the user must manually select a login from the Azure redirect screen.


What I would like to do is cache this token or force automatic SSO for the signed-in user, without forcing a login selection every time.

In mobile apps (Xamarin), I was able to cache the token for re-use until it expired. Can I employ a similar strategy here? Or can I set up "forced" SSO for the signed-in Windows user?

I vaguely remember that you can force Hybrid Windows tokens in certain scenarios, but I can't seem to find MSAL docs on it.


To achieve single sign-on (SSO) and automatic token acquisition without prompting the user every time, you can indeed leverage token caching and other features provided by the Microsoft Authentication Library (MSAL). In your case, for a web application hosted on Azure, you can use the TokenCache to cache tokens and reduce the need for the user to sign in repeatedly.

Ensure that you are configuring a persistent token cache. This can be achieved by using a cache that persists across sessions. For example, you can use a distributed cache like DistributedTokenCache. Here is the way I configured the TokenCache and deployed it:

Step 1: Install NuGet Packages

Install-Package Microsoft.Identity.Client

Step 2: Create a TokenCacheProvider Class

using System;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.Caching.Distributed;
using Microsoft.Identity.Client;

// MSAL.NET does not expose a public TokenCache constructor: the cache belongs to the client
// application (app.UserTokenCache) and is persisted through the SetBeforeAccess/SetAfterAccess
// callbacks. The serialized blob contains refresh tokens, so it is encrypted with ASP.NET Core
// Data Protection before it is written to the distributed cache.
public interface ITokenCacheProvider
{
    void Initialize(ITokenCache tokenCache);
}

public class TokenCacheProvider : ITokenCacheProvider
{
    private readonly IDistributedCache _distributedCache;
    private readonly IDataProtector _protector;

    public TokenCacheProvider(
        IDistributedCache distributedCache,
        IDataProtectionProvider dataProtectionProvider)
    {
        _distributedCache = distributedCache;
        _protector = dataProtectionProvider.CreateProtector("MsalTokenCache");
    }

    // Attach to app.UserTokenCache once, right after building the IConfidentialClientApplication.
    public void Initialize(ITokenCache tokenCache)
    {
        tokenCache.SetBeforeAccess(BeforeAccess);
        tokenCache.SetAfterAccess(AfterAccess);
    }

    // SuggestedCacheKey is the home account id ({oid}.{tid}) of the user MSAL is working on,
    // so each user gets a separate entry and entries are never shared between users.
    private static string GetKey(TokenCacheNotificationArgs args) =>
        $"{args.SuggestedCacheKey}_TokenCache";

    private void BeforeAccess(TokenCacheNotificationArgs args)
    {
        // The key is not known yet while an authorization code is being redeemed.
        if (string.IsNullOrEmpty(args.SuggestedCacheKey))
        {
            return;
        }

        var data = _distributedCache.Get(GetKey(args));
        if (data == null)
        {
            return;
        }

        try
        {
            args.TokenCache.DeserializeMsalV3(_protector.Unprotect(data), shouldClearExistingCache: true);
        }
        catch (CryptographicException)
        {
            // Tampered blob or rotated Data Protection key: treat it as a cache miss.
            _distributedCache.Remove(GetKey(args));
        }
    }

    private void AfterAccess(TokenCacheNotificationArgs args)
    {
        // Write back only when MSAL changed the cache (new or refreshed tokens, or a removal).
        if (!args.HasStateChanged)
        {
            return;
        }

        if (!args.HasTokens)
        {
            _distributedCache.Remove(GetKey(args)); // e.g. after RemoveAsync(account) on sign-out
            return;
        }

        var data = _protector.Protect(args.TokenCache.SerializeMsalV3());
        var options = new DistributedCacheEntryOptions
        {
            AbsoluteExpirationRelativeToNow = TimeSpan.FromDays(14) // Adjust as needed
        };

        _distributedCache.Set(GetKey(args), data, options);
    }
}

Step 3: Configure Services in Program.cs

// Add MSAL token cache
builder.Services.AddDistributedMemoryCache(); // single instance only; use Redis or SQL Server cache when scaled out
builder.Services.AddHttpContextAccessor();
builder.Services.AddSingleton<ITokenCacheProvider, TokenCacheProvider>();
// Attach the provider to UserTokenCache where the IConfidentialClientApplication is built;
// MSAL only persists tokens through a cache that is hooked to a client application.

Step 4: Add the AzureAd section to appsettings.json

{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "microsoft.onmicrosoft.com",
    "TenantId": "TenantId",
    "ClientId": "ClientId",
    "CallbackPath": "/signin-oidc",
    // Placeholder only: keep the real secret out of source control (user-secrets locally,
    // App Service settings or a Key Vault reference in Azure), or use ClientCertificates instead.
    "ClientSecret": "ClientSecret",
    "ClientCertificates": []
  }
}

Step 5: Deploy to Azure Web App

You can also refer to the MS docs below:

Token cache serialization in MSAL.NET

Acquire and cache tokens using the Microsoft Authentication Library (MSAL)
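The steps above leave out two things a practitioner needs: how the persisted cache gets attached to an MSAL client that actually redeems the sign-in, and what controls whether Entra shows the account picker on the redirect. The following is an added example (editor's code, not the answer's or Microsoft's) using the same libraries the answer uses, the ASP.NET Core OpenID Connect handler plus Microsoft.Identity.Client rather than Microsoft.Identity.Web. It hands the authorization code to MSAL so access and refresh tokens land in a per-user, encrypted IDistributedCache, reuses them silently from a `/token` route, and sends `domain_hint` and `login_hint` while leaving `prompt` unset: Entra shows the picker when `prompt=select_account` is sent or when the browser holds more than one Entra session; with one session and no prompt the redirect completes without a click. Note that the MSAL cache only matters once the user is signed in (tokens for downstream APIs); what brings the user back to the Entra redirect on a fresh browser session is the expiry of the app's own authentication cookie. Assumptions: an ASP.NET Core web project with implicit usings, the answer's AzureAd section plus two extra keys `RedirectUri` (the registered https://host/signin-oidc) and `Domain`, the `User.Read` scope, the `login_hint` cookie name and the `/token` route.

```csharp
// Added example (not the answer's code): OIDC sign-in that hands its code to MSAL.NET, per-user encrypted
// distributed token cache, silent re-acquisition, and no account picker on the redirect to Entra.
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.Caching.Distributed;
using Microsoft.Identity.Client;

var builder = WebApplication.CreateBuilder(args);
var azureAd = builder.Configuration.GetSection("AzureAd"); // answer's section plus assumed RedirectUri and Domain
string[] scopes = { "User.Read" };                         // assumed downstream API scope
// Restart-safe store for the serialized cache. In-memory is fine for one instance; when the Web App scales
// out use AddStackExchangeRedisCache (or SQL) and persist the Data Protection key ring as well.
builder.Services.AddDistributedMemoryCache();
builder.Services.AddDataProtection();

builder.Services.AddSingleton<IConfidentialClientApplication>(sp => {
    var msal = ConfidentialClientApplicationBuilder.Create(azureAd["ClientId"])
        .WithAuthority($"{azureAd["Instance"]}{azureAd["TenantId"]}")
        .WithClientSecret(azureAd["ClientSecret"])
        .WithRedirectUri(azureAd["RedirectUri"])
        .Build();
    var store = sp.GetRequiredService<IDistributedCache>();
    var protector = sp.GetRequiredService<IDataProtectionProvider>().CreateProtector("MsalTokenCache");
    // SuggestedCacheKey is the home account id ({oid}.{tid}): one encrypted blob per user, never shared.
    string Key(TokenCacheNotificationArgs a) => $"msal:{a.SuggestedCacheKey}";
    msal.UserTokenCache.SetBeforeAccess(a => {
        if (string.IsNullOrEmpty(a.SuggestedCacheKey)) return;  // unknown while a code is being redeemed
        var blob = store.Get(Key(a));
        if (blob == null) return;
        try { a.TokenCache.DeserializeMsalV3(protector.Unprotect(blob), shouldClearExistingCache: true); }
        catch (CryptographicException) { store.Remove(Key(a)); } // tampered blob or rotated key: cache miss
    });
    msal.UserTokenCache.SetAfterAccess(a => {
        if (!a.HasStateChanged) return;                          // MSAL only read; nothing to write
        if (a.HasTokens)
            store.Set(Key(a), protector.Protect(a.TokenCache.SerializeMsalV3()),
                new DistributedCacheEntryOptions { SlidingExpiration = TimeSpan.FromDays(14) });
        else
            store.Remove(Key(a));                                // account removed at sign-out
    });
    return msal;
});

builder.Services.AddAuthentication(o => {
    o.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    o.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
}).AddCookie().AddOpenIdConnect(o => {
    o.Authority = $"{azureAd["Instance"]}{azureAd["TenantId"]}/v2.0";
    o.ClientId = azureAd["ClientId"];           // no ClientSecret here: MSAL redeems the code, not the handler
    o.CallbackPath = azureAd["CallbackPath"];
    o.ResponseType = "code";
    o.UsePkce = true;
    o.SaveTokens = false;             // tokens live in the MSAL cache, not in the auth cookie
    o.Scope.Add("offline_access");    // required for Entra to issue a refresh token
    foreach (var s in scopes) o.Scope.Add(s);
    o.Events.OnRedirectToIdentityProvider = ctx => {
        // The picker appears when prompt=select_account is sent or the browser holds several Entra
        // sessions. Leave Prompt unset, pin home-realm discovery to the tenant and pre-select the last
        // account, so a user with a single Entra session is signed in without clicking anything.
        ctx.ProtocolMessage.Prompt = null;
        ctx.ProtocolMessage.DomainHint = azureAd["Domain"];
        if (ctx.HttpContext.Request.Cookies.TryGetValue("login_hint", out var hint))
            ctx.ProtocolMessage.LoginHint = hint;
        return Task.CompletedTask;
    };
    o.Events.OnAuthorizationCodeReceived = async ctx => {
        // Redeem the code through MSAL so the access and refresh tokens are written to the cache.
        var msal = ctx.HttpContext.RequestServices.GetRequiredService<IConfidentialClientApplication>();
        ctx.TokenEndpointRequest!.Parameters.TryGetValue("code_verifier", out var verifier);
        var result = await msal.AcquireTokenByAuthorizationCode(scopes, ctx.ProtocolMessage.Code)
            .WithPkceCodeVerifier(verifier).ExecuteAsync();
        ctx.HandleCodeRedemption(result.AccessToken, result.IdToken); // the handler still validates the id_token
        ctx.HttpContext.Response.Cookies.Append("login_hint", result.Account.Username, new CookieOptions {
            HttpOnly = true, Secure = true, SameSite = SameSiteMode.Lax, MaxAge = TimeSpan.FromDays(90) });
    };
});
builder.Services.AddAuthorization();
var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
// Silent acquisition: answered from the cache, refreshed with the refresh token when expired; only a
// revoked refresh token or a new Conditional Access demand sends the user back to Entra.
app.MapGet("/token", async (ClaimsPrincipal user, IConfidentialClientApplication msal) => {
    string ClaimValue(string s, string l) => user.FindFirst(s)?.Value ?? user.FindFirst(l)?.Value ?? "";
    var homeAccountId = ClaimValue("oid", "http://schemas.microsoft.com/identity/claims/objectidentifier")
                      + "." + ClaimValue("tid", "http://schemas.microsoft.com/identity/claims/tenantid");
    var account = await msal.GetAccountAsync(homeAccountId);
    try {
        var result = await msal.AcquireTokenSilent(scopes, account).ExecuteAsync();
        return Results.Ok(new { result.ExpiresOn, result.AuthenticationResultMetadata.TokenSource });
    } catch (MsalUiRequiredException) { // nothing usable cached: round-trip to Entra (silent if a session exists)
        return Results.Challenge(new AuthenticationProperties { RedirectUri = "/token" },
                                 new[] { OpenIdConnectDefaults.AuthenticationScheme });
    }
}).RequireAuthorization();
app.Run();
```

`AzureAd:RedirectUri` must match the redirect URI registered on the app registration exactly, since MSAL sends it again when it redeems the code. The `/token` route deliberately returns only the expiry and the token source (Cache or IdentityProvider) so the access token itself is never echoed to the browser; in a real app the token goes straight into the outbound call to the downstream API. Both the cookie authentication ticket and the cached blob are protected by the Data Protection key ring, so on a scaled-out Web App the ring has to be persisted (for example to blob storage) or instances will be unable to read each other's entries.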