Reputation: 76
I have a service which needs to run under a user context, because some Microsoft endpoints need a user context to execute. My problem now is that from 01.09.2019 MFA is mandatory. So, at least at the beginning, the service needs a person who logs in, but this is not possible because it is a non-interactive Windows Service. So my question is: is it possible to log in as a user by code or not? If it is, how? And will the refresh token be stored in the AAD cache?
// ADAL (AuthenticationContext) call from the question. PromptBehavior.Auto shows a
// sign-in UI whenever no valid token is cached, which a non-interactive service cannot complete.
UserIdentifier user = new UserIdentifier(Cred.UserName, UserIdentifierType.OptionalDisplayableId);
return Task.Run(() => authContext.AcquireTokenAsync(
    "https://api.partnercenter.microsoft.com",
    Cred.ApplicationId,
    new Uri("http://localhost"),
    new PlatformParameters(PromptBehavior.Auto),
    user)).Result;
Upvotes: 0
Views: 741
Reputation: 778
Is it possible to log in as a user by code or not? Yes, it is possible.
At authentication time the app receives both sign-in info (the id_token) and artifacts (e.g. an authorization code) that the app can use to obtain an access token. That token can be used to access other resources.
This sample shows how to use MSAL to redeem the authorization code into an access token, which is saved in a cache along with any other useful artifact (such as associated refresh_tokens) so that it can be used later on in the application.
Upvotes: 0
Reputation: 58733
You'll need to have some kind of app that authenticates the user and stores their refresh token in a secure place like an Azure Key Vault. Your background service can then use the refresh token to get a new access token and new refresh token. You can use the access token to call the API and store the new refresh token over the old one.
Then, if the refresh token does not work, you'll need to repeat the authentication process. Refresh tokens can become invalid for several reasons, so your app needs to be ready for that.
Upvotes: 3
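The pattern this answer describes, as an added example that is not the answerer's code: a stand-in for the Key Vault secret and a constructed token endpoint that rotates refresh tokens, with the background service persisting the new refresh token over the old one and reporting when an interactive sign-in is required again. The store, endpoint and secret name are assumptions for illustration.

```python
import secrets


class RefreshTokenInvalid(Exception):
    """Token endpoint rejected the stored refresh token (the invalid_grant case)."""


class SecretStore:
    """Stand-in for an Azure Key Vault secret holding the current refresh token (assumption)."""

    def __init__(self):
        self._secrets = {}

    def get(self, name):
        return self._secrets.get(name)

    def set(self, name, value):
        self._secrets[name] = value


class FakeTokenEndpoint:
    """Constructed model of the /token endpoint: every refresh token is single-use and
    redeeming it returns a new access token plus a new refresh token."""

    def __init__(self):
        self._valid = set()

    def issue_after_interactive_login(self):
        """What the one-time interactive (MFA) sign-in app would obtain and store."""
        rt = secrets.token_urlsafe(16)
        self._valid.add(rt)
        return rt

    def revoke_all(self):
        """Simulates password change, admin revocation or expiry of outstanding refresh tokens."""
        self._valid.clear()

    def redeem(self, refresh_token):
        if refresh_token not in self._valid:
            raise RefreshTokenInvalid("invalid_grant: refresh token expired or revoked")
        self._valid.discard(refresh_token)          # old token is consumed
        new_rt = secrets.token_urlsafe(16)
        self._valid.add(new_rt)
        return {"access_token": "at-" + secrets.token_hex(4), "refresh_token": new_rt}


SECRET_NAME = "partnercenter-refresh-token"  # assumed Key Vault secret name


def get_access_token(store, endpoint):
    """Background-service path: redeem the stored refresh token and persist the rotated one."""
    rt = store.get(SECRET_NAME)
    if rt is None:
        raise RefreshTokenInvalid("no refresh token stored; interactive sign-in required")
    resp = endpoint.redeem(rt)
    # Write the new refresh token before using the access token, so a crash after this
    # point never leaves the vault holding an already-consumed token.
    store.set(SECRET_NAME, resp["refresh_token"])
    return resp["access_token"]


def run_service_cycle(store, endpoint):
    """Returns ("ok", access_token) or ("reauth_required", reason) for the caller to act on."""
    try:
        return ("ok", get_access_token(store, endpoint))
    except RefreshTokenInvalid as exc:
        return ("reauth_required", str(exc))
```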