Client Credentials Flow Skill
Overview
Client Credentials Flow is used for service-to-service authentication without user involvement. Ideal for daemon applications and background services.
When to Use
- Service-to-service authentication
- Daemon/background applications
- Machine-to-machine communication
- No user context needed
- Automated processes
Flow Steps
- Service authenticates using client credentials (certificate or managed identity)
- Service directly calls authorization endpoint with credentials
- AAD validates credentials and returns access token
- Token cached and used to access APIs as application identity
Agent Actions
Generate Code Snippet
Agent can show code for each credential type:
- Standard Certificate: with-certificate.cs
- Certificate with SNI: with-certificate-sni.cs
- Federated Identity Credentials: with-federated-identity-credentials.cs
Setup Guidance
Reference appropriate credential setup:
Example: Service with Certificate
```csharp
// Acquire token for service-to-service authentication
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public class TokenAcquisitionService
{
    private readonly IConfidentialClientApplication _app;

    // tenantId is required to build the authority; it was missing from the constructor
    public TokenAcquisitionService(string clientId, string tenantId, X509Certificate2 cert)
    {
        // For complete example with static token caching, see: with-certificate.cs
        _app = ConfidentialClientApplicationBuilder
            .Create(clientId)
            .WithCertificate(cert)
            .WithAuthority($"https://login.microsoftonline.com/{tenantId}/v2.0")
            .WithCacheOptions(CacheOptions.EnableSharedCacheOptions) // Enable static token caching
            .Build();
    }

    public async Task<string> GetAccessTokenAsync()
    {
        // Client credentials scopes are the resource's app ID URI followed by "/.default";
        // "resource-uri" is a placeholder for that URI
        var result = await _app.AcquireTokenForClient(
                new[] { "resource-uri/.default" })
            .ExecuteAsync();
        return result.AccessToken;
    }
}
```
Error Resolution
Refer to Troubleshooting Guide
Best Practices
- Use Token Caching Strategies: enable static token caching with .WithCacheOptions(CacheOptions.EnableSharedCacheOptions) for optimal performance
- Implement Error Handling Patterns
- Monitor token acquisition using AuthenticationResultMetadata for cache hit ratios
- Rotate certificates periodically (if using certificate-based auth)
- Use Federated Identity Credentials with Managed Identity for keyless authentication
- For additional caching options and strategies, see Token cache serialization documentation
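The monitoring and error-handling practices above, as an added example that is not part of the original skill or the MSAL.NET samples it references: it wraps AcquireTokenForClient, counts cache hits versus identity-provider round trips via AuthenticationResultMetadata.TokenSource, and separates AAD-side rejections (MsalServiceException) from local failures (MsalClientException). The names TokenMetrics and AcquireWithMetricsAsync are assumptions introduced here.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Hypothetical counter type used to derive the cache hit ratio (not an MSAL type)
public sealed class TokenMetrics
{
    public long CacheHits;
    public long IdentityProviderCalls;
    public double CacheHitRatio =>
        CacheHits + IdentityProviderCalls == 0
            ? 0
            : (double)CacheHits / (CacheHits + IdentityProviderCalls);
}

public static class MonitoredTokenAcquisition
{
    public static async Task<string> AcquireWithMetricsAsync(
        IConfidentialClientApplication app, IEnumerable<string> scopes, TokenMetrics metrics)
    {
        try
        {
            AuthenticationResult result = await app.AcquireTokenForClient(scopes).ExecuteAsync();
            AuthenticationResultMetadata meta = result.AuthenticationResultMetadata;

            // TokenSource.Cache means no network call was made; anything else hit AAD.
            if (meta.TokenSource == TokenSource.Cache)
                metrics.CacheHits++;
            else
                metrics.IdentityProviderCalls++;

            Console.WriteLine($"source={meta.TokenSource} total={meta.DurationTotalInMs}ms " +
                              $"http={meta.DurationInHttpInMs}ms expires={result.ExpiresOn:u} " +
                              $"hitRatio={metrics.CacheHitRatio:P0}");
            return result.AccessToken;
        }
        catch (MsalServiceException ex)
        {
            // AAD rejected the request (e.g. invalid_client after a certificate rotation,
            // or a scope missing "/.default"); ErrorCode and CorrelationId are what support needs.
            Console.Error.WriteLine($"AAD error {ex.ErrorCode} (HTTP {ex.StatusCode}) correlation={ex.CorrelationId}");
            throw;
        }
        catch (MsalClientException ex)
        {
            // Failure before any request left the process (e.g. certificate without a private key)
            Console.Error.WriteLine($"MSAL client error {ex.ErrorCode}: {ex.Message}");
            throw;
        }
    }
}
```

A hit ratio that stays near zero on a long-running daemon indicates the shared cache is not being reused (for example a new application object built per request) and is worth alerting on.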
Explain the Flow
- Credential Submission: Service authenticates directly with AAD using certificate or MI
- No User Involved: Authentication is machine-to-machine only
- Access Grant: AAD validates credentials and issues access token
- Token Caching: Token automatically cached for subsequent requests
- API Access: Token used to call downstream APIs as application identity
Decision Help
Choose Client Credentials if:
- Building daemon/background service
- Service-to-service authentication needed
- No user context involved
- Want simplest flow for automated processes
Avoid if:
- Need to access user-scoped resources
- User consent required
- Need refresh tokens for long-lived sessions