dotnet
diff --git a/‎docs/azure/sdk/authentication/additional-methods.md‎
Lines changed: 81 additions & 31 deletions b/‎docs/azure/sdk/authentication/additional-methods.md‎
Lines changed: 81 additions & 31 deletions
diff --git a/‎docs/azure/sdk/media/web-account-manager-sign-in-account-picker.png‎
200 KB b/‎docs/azure/sdk/media/web-account-manager-sign-in-account-picker.png‎
200 KB
diff --git a/‎docs/azure/sdk/snippets/additional-auth/interactive/InteractiveBrokeredAuth.Designer.cs‎
Lines changed: 59 additions & 0 deletions b/‎docs/azure/sdk/snippets/additional-auth/interactive/InteractiveBrokeredAuth.Designer.cs‎
Lines changed: 59 additions & 0 deletions
diff --git a/‎docs/azure/sdk/snippets/additional-auth/interactive/InteractiveBrokeredAuth.cs‎
Lines changed: 44 additions & 0 deletions b/‎docs/azure/sdk/snippets/additional-auth/interactive/InteractiveBrokeredAuth.cs‎
Lines changed: 44 additions & 0 deletions
diff --git a/‎docs/azure/sdk/snippets/additional-auth/interactive/InteractiveBrokeredAuth.resx‎
Lines changed: 120 additions & 0 deletions b/‎docs/azure/sdk/snippets/additional-auth/interactive/InteractiveBrokeredAuth.resx‎
Lines changed: 120 additions & 0 deletions
diff --git a/‎docs/azure/sdk/snippets/additional-auth/interactive/InteractiveBrokeredAuthSample.csproj‎
Lines changed: 17 additions & 0 deletions b/‎docs/azure/sdk/snippets/additional-auth/interactive/InteractiveBrokeredAuthSample.csproj‎
Lines changed: 17 additions & 0 deletions
@@ -16,25 +16,92 @@ This method interactively authenticates an application through [`InteractiveBrow
 
 Interactive browser authentication enables the application for all operations allowed by the interactive login credentials. As a result, if you're the owner or administrator of your subscription, your code has inherent access to most resources in that subscription without having to assign any specific permissions. For this reason, the use of interactive browser authentication is discouraged for anything but experimentation.
 
+### Enable applications for interactive browser authentication
+
+Perform the following steps to enable the application to authenticate through the interactive browser flow. These steps also work for the [device code authentication](#device-code-authentication) flow described later. This process is only necessary if you are using `InteractiveBrowserCredential` in your code.
+
+1. In the [Azure portal](https://portal.azure.com), navigate to **Microsoft Entra ID** and select **App registrations** on the left navigation.
+1. Select the registration for your app, then select **Authentication**.
+1. Under **Advanced settings**, select **Yes** for **Allow public client flows**.
+1. Select **Save** to apply the changes.
+1. To authorize the application for specific resources, navigate to the resource in question, select **API Permissions**, and enable **Microsoft Graph** and other resources you want to access. Microsoft Graph is usually enabled by default.
+
+    > [!IMPORTANT]
+    > You must also be the admin of your tenant to grant consent to your application when you sign in for the first time.
+
 ### Example using InteractiveBrowserCredential
 
 The following example demonstrates using an [`InteractiveBrowserCredential`](/dotnet/api/azure.identity.interactivebrowsercredential) to authenticate with the [`BlobServiceClient`](/dotnet/api/azure.storage.blobs.blobserviceclient):
 
-```csharp
-using Azure.Identity;
-using Azure.Storage.Blobs;
+:::code language="csharp" source="../snippets/additional-auth/interactive/InteractiveBrowserAuth.cs" highlight="15-17":::
 
-var client = new BlobServiceClient(
-    new Uri("https://<storage-account-name>.blob.core.windows.net"),
-    new InteractiveBrowserCredential());
+For more exact control, such as setting redirect URIs, you can supply specific arguments to `InteractiveBrowserCredential` such as `redirect_uri`.
 
-foreach (var blobItem in client.GetBlobContainers())
-{
-    Console.WriteLine(blobItem.Name);
-}
-```
+## Interactive brokered authentication
 
-For more exact control, such as setting redirect URIs, you can supply specific arguments to `InteractiveBrowserCredential` such as `redirect_uri`.
+This method interactively authenticates an application through [`InteractiveBrowserCredential`](/dotnet/api/azure.identity.interactivebrowsercredential?view=azure-dotnet) by collecting user credentials using the system authentication broker. A system authentication broker is an app running on a user's machine that manages the authentication handshakes and token maintenance for all connected accounts. Currently, only the Windows authentication broker, Web Account Manager (WAM), is supported. Users on macOS and Linux will be authenticated through the non-brokered interactive browser flow.
+
+WAM enables identity providers such as Microsoft Entra ID to natively plug into the OS and provide the service to other apps to provide a more secure login process. WAM offers the following benefits:
+
+- **Feature support**: Apps can access OS-level and service-level capabilities, including Windows Hello, conditional access policies, and FIDO keys.
+- **Streamlined single sign-on**: Apps can use the built-in account picker, allowing the user to select an existing account instead of repeatedly entering the same credentials.
+- **Enhanced security**: Bug fixes and enhancements ship with Windows.
+- **Token protection**: Refresh tokens are device-bound, and apps can acquire device-bound access tokens.
+
+Interactive brokered authentication enables the application for all operations allowed by the interactive login credentials. Personal Microsoft accounts and work or school accounts are supported. If a supported version of Windows is used, the default browser-based UI is replaced with a smoother authentication experience, similar to Windows built-in apps.
+
+### Enable applications for interactive brokered authentication
+
+Perform the following steps to enable the application to authenticate through the interactive broker flow.
+
+1. On the [Azure portal](https://portal.azure.com), navigate to **Microsoft Entra ID** and select **App registrations** on the left-hand menu.
+1. Select the registration for your app, then select **Authentication**.
+1. Add the WAM redirect URI to your app registration via a platform configuration:
+    1. Under **Platform configurations**, select **+ Add a platform**.
+    1. Under **Configure platforms**, select the tile for your application type (platform) to configure its settings, such as **mobile and desktop applications**.
+    1. In **Custom redirect URIs**, enter the following WAM redirect URI:
+
+        ```text
+        ms-appx-web://microsoft.aad.brokerplugin/{client_id}
+        ```
+
+         The `{client_id}` placeholder must be replaced with the **Application (client) ID** listed on the **Overview** pane of the app registration.
+
+    1. Select **Configure**.
+
+    To learn more, see [Add a redirect URI to an app registration](/entra/identity-platform/quickstart-register-app#add-a-redirect-uri).
+
+1. Back on the **Authentication** pane, under **Advanced settings**, select **Yes** for **Allow public client flows**.
+1. Select **Save** to apply the changes.
+1. To authorize the application for specific resources, navigate to the resource in question, select **API Permissions**, and enable **Microsoft Graph** and other resources you want to access. Microsoft Graph is usually enabled by default.
+
+    > [!IMPORTANT]
+    > You must also be the admin of your tenant to grant consent to your application when you sign in for the first time.
+
+### Example using InteractiveBrowserCredential
+
+The following example demonstrates using an [`InteractiveBrowserCredential`](/dotnet/api/azure.identity.interactivebrowsercredential?view=azure-dotnet) in a Windows Forms app to authenticate with the [`BlobServiceClient`](/dotnet/api/azure.storage.blobs.blobserviceclient):
+
+:::code language="csharp" source="../snippets/additional-auth/interactive/InteractiveBrokeredAuth.cs" highlight="16-20":::
+
+> [!NOTE]
+> Visit the [Parent window handles](/entra/msal/dotnet/acquiring-tokens/desktop-mobile/wam#parent-window-handles) and [Retrieve a window handle](/windows/apps/develop/ui-input/retrieve-hwnd) articles for more information about retrieving window handles.
+
+For the code to run successfully, your user account must be assigned an Azure role on the storage account that allows access to blob containers such as **Storage Account Data Contributor**. If an app is specified, it must have API permissions set for **user_impersonation Access Azure Storage** (step 6 in the previous section). This API permission allows the app to access Azure storage on behalf of the signed-in user after consent is granted during sign-in.
+
+The following screenshot shows the user sign-in experience:
+
+:::image type="content" source="../media/web-account-manager-sign-in-account-picker.png" alt-text="A screenshot that shows the sign-in experience when using the interactive browser broker credential to authenticate a user." :::
+
+### Authenticate the default system account via WAM
+
+Many people always sign in to Windows with the same user account and, therefore, only ever want to authenticate using that account. WAM and `InteractiveBrowserCredential` also support a silent login process that automatically uses a default account so the user doesn't have to repeatedly select it.
+
+The following example shows how to enable sign-in with the default system account:
+
+:::code language="csharp" source="../snippets/additional-auth/interactive/SilentBrokeredAuth.cs" highlight="16-24":::
+
+Once you opt into this behavior, the credential attempts to sign in by asking the underlying Microsoft Authentication Library (MSAL) to perform the sign-in for the default system account. If the sign-in fails, the credential falls back to displaying the account picker dialog, from which the user can select the appropriate account.
 
 ## Device code authentication
 
@@ -49,7 +116,7 @@ For more information, see [Microsoft identity platform and the OAuth 2.0 device
 
 Device code authentication in a development environment enables the application for all operations allowed by the interactive login credentials. As a result, if you're the owner or administrator of your subscription, your code has inherent access to most resources in that subscription without having to assign any specific permissions. However, you can use this method with a specific client ID, rather than the default, for which you can assign specific permissions.
 
-## Authentication with a username and password
+## Username and password authentication
 
 This method authenticates an application using previously collected credentials and the [UsernamePasswordCredential](/dotnet/api/azure.identity.usernamepasswordcredential) object.
 
@@ -58,21 +125,4 @@ This method authenticates an application using previously collected credentials
 >
 > Furthermore, this method authenticates only work and school accounts; Microsoft accounts aren't supported. For more information, see [Sign up your organization to use Microsoft Entra ID](/entra/fundamentals/sign-up-organization).
 
-```csharp
-using Azure.Identity;
-using Azure.Storage.Blobs;
-
-var clientId = Environment.GetEnvironmentVariable("AZURE_CLIENT_ID");
-var tenantId = Environment.GetEnvironmentVariable("AZURE_TENANT_ID");
-var username = Environment.GetEnvironmentVariable("AZURE_USERNAME");
-var password = Environment.GetEnvironmentVariable("AZURE_PASSWORD");
-
-var client = new BlobServiceClient(
-    new Uri("https://<storage-account-name>.blob.core.windows.net"),
-    new UsernamePasswordCredential(username, password, tenantId, clientId));
-
-foreach (var blobItem in client.GetBlobContainers())
-{
-    Console.WriteLine(blobItem.Name);
-}
-```
+:::code language="csharp" source="../snippets/additional-auth/username-password/Program.cs" highlight="9-11":::
@@ -0,0 +1,44 @@
+using Azure.Identity;
+using Azure.Identity.Broker;
+using Azure.Storage.Blobs;
+
+namespace InteractiveBrokeredAuthSample
+{
+    public partial class InteractiveBrokeredAuth : Form
+    {
+        public InteractiveBrokeredAuth()
+        {
+            InitializeComponent();
+        }
+
+        private void testInteractiveBrokeredAuth_Click(object sender, EventArgs e)
+        {
+            // Get the handle of the current window
+            IntPtr windowHandle = this.Handle;
+
+            var credential = new InteractiveBrowserCredential(
+                new InteractiveBrowserCredentialBrokerOptions(windowHandle));
+
+            // To authenticate and authorize with an Entra ID app registration, substitute the
+            // <app_id> and <tenant_id> placeholders with the values for your app and tenant.
+            // var credential = new InteractiveBrowserCredential(
+            //    new InteractiveBrowserCredentialBrokerOptions(windowHandle)
+            //        { 
+            //            TenantId = "your-tenant-id",
+            //            ClientId = "your-client-id"
+            //        }
+            // );
+
+            var client = new BlobServiceClient(
+                new Uri("https://<storage-account-name>.blob.core.windows.net/"),
+                credential
+            );
+
+            // Prompt for credentials appears on first use of the client
+            foreach (var container in client.GetBlobContainers())
+            {
+                Console.WriteLine(container.Name);
+            }
+        }
+    }
+}
@@ -0,0 +1,120 @@
+<?xml version="1.0" encoding="utf-8"?>
+<root>
+  <!--
+    Microsoft ResX Schema 
+
+    Version 2.0
+
+    The primary goals of this format is to allow a simple XML format
+    that is mostly human readable. The generation and parsing of the
+    various data types are done through the TypeConverter classes
+    associated with the data types.
+
+    Example:
+
+    ... ado.net/XML headers & schema ...
+    <resheader name="resmimetype">text/microsoft-resx</resheader>
+    <resheader name="version">2.0</resheader>
+    <resheader name="reader">System.Resources.ResXResourceReader, System.Windows.Forms, ...</resheader>
+    <resheader name="writer">System.Resources.ResXResourceWriter, System.Windows.Forms, ...</resheader>
+    <data name="Name1"><value>this is my long string</value><comment>this is a comment</comment></data>
+    <data name="Color1" type="System.Drawing.Color, System.Drawing">Blue</data>
+    <data name="Bitmap1" mimetype="application/x-microsoft.net.object.binary.base64">
+        <value>[base64 mime encoded serialized .NET Framework object]</value>
+    </data>
+    <data name="Icon1" type="System.Drawing.Icon, System.Drawing" mimetype="application/x-microsoft.net.object.bytearray.base64">
+        <value>[base64 mime encoded string representing a byte array form of the .NET Framework object]</value>
+        <comment>This is a comment</comment>
+    </data>
+
+    There are any number of "resheader" rows that contain simple
+    name/value pairs.
+
+    Each data row contains a name, and value. The row also contains a
+    type or mimetype. Type corresponds to a .NET class that support
+    text/value conversion through the TypeConverter architecture.
+    Classes that don't support this are serialized and stored with the
+    mimetype set.
+
+    The mimetype is used for serialized objects, and tells the
+    ResXResourceReader how to depersist the object. This is currently not
+    extensible. For a given mimetype the value must be set accordingly:
+
+    Note - application/x-microsoft.net.object.binary.base64 is the format
+    that the ResXResourceWriter will generate, however the reader can
+    read any of the formats listed below.
+
+    mimetype: application/x-microsoft.net.object.binary.base64
+    value   : The object must be serialized with
+            : System.Runtime.Serialization.Formatters.Binary.BinaryFormatter
+            : and then encoded with base64 encoding.
+    
+    mimetype: application/x-microsoft.net.object.soap.base64
+    value   : The object must be serialized with
+            : System.Runtime.Serialization.Formatters.Soap.SoapFormatter
+            : and then encoded with base64 encoding.
+
+    mimetype: application/x-microsoft.net.object.bytearray.base64
+    value   : The object must be serialized into a byte array
+            : using a System.ComponentModel.TypeConverter
+            : and then encoded with base64 encoding.
+    -->
+  <xsd:schema id="root" xmlns="" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:msdata="urn:schemas-microsoft-com:xml-msdata">
+    <xsd:import namespace="http://www.w3.org/XML/1998/namespace" />
+    <xsd:element name="root" msdata:IsDataSet="true">
+      <xsd:complexType>
+        <xsd:choice maxOccurs="unbounded">
+          <xsd:element name="metadata">
+            <xsd:complexType>
+              <xsd:sequence>
+                <xsd:element name="value" type="xsd:string" minOccurs="0" />
+              </xsd:sequence>
+              <xsd:attribute name="name" use="required" type="xsd:string" />
+              <xsd:attribute name="type" type="xsd:string" />
+              <xsd:attribute name="mimetype" type="xsd:string" />
+              <xsd:attribute ref="xml:space" />
+            </xsd:complexType>
+          </xsd:element>
+          <xsd:element name="assembly">
+            <xsd:complexType>
+              <xsd:attribute name="alias" type="xsd:string" />
+              <xsd:attribute name="name" type="xsd:string" />
+            </xsd:complexType>
+          </xsd:element>
+          <xsd:element name="data">
+            <xsd:complexType>
+              <xsd:sequence>
+                <xsd:element name="value" type="xsd:string" minOccurs="0" msdata:Ordinal="1" />
+                <xsd:element name="comment" type="xsd:string" minOccurs="0" msdata:Ordinal="2" />
+              </xsd:sequence>
+              <xsd:attribute name="name" type="xsd:string" use="required" msdata:Ordinal="1" />
+              <xsd:attribute name="type" type="xsd:string" msdata:Ordinal="3" />
+              <xsd:attribute name="mimetype" type="xsd:string" msdata:Ordinal="4" />
+              <xsd:attribute ref="xml:space" />
+            </xsd:complexType>
+          </xsd:element>
+          <xsd:element name="resheader">
+            <xsd:complexType>
+              <xsd:sequence>
+                <xsd:element name="value" type="xsd:string" minOccurs="0" msdata:Ordinal="1" />
+              </xsd:sequence>
+              <xsd:attribute name="name" type="xsd:string" use="required" />
+            </xsd:complexType>
+          </xsd:element>
+        </xsd:choice>
+      </xsd:complexType>
+    </xsd:element>
+  </xsd:schema>
+  <resheader name="resmimetype">
+    <value>text/microsoft-resx</value>
+  </resheader>
+  <resheader name="version">
+    <value>2.0</value>
+  </resheader>
+  <resheader name="reader">
+    <value>System.Resources.ResXResourceReader, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
+  </resheader>
+  <resheader name="writer">
+    <value>System.Resources.ResXResourceWriter, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
+  </resheader>
+</root>
@@ -0,0 +1,17 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <OutputType>WinExe</OutputType>
+    <TargetFramework>net8.0-windows</TargetFramework>
+    <Nullable>enable</Nullable>
+    <UseWindowsForms>true</UseWindowsForms>
+    <ImplicitUsings>enable</ImplicitUsings>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <PackageReference Include="Azure.Identity" Version="1.12.0" />
+    <PackageReference Include="Azure.Identity.Broker" Version="1.1.0" />
+    <PackageReference Include="Azure.Storage.Blobs" Version="12.21.2" />
+  </ItemGroup>
+
+</Project>