Azure Active Directory client credentials flow - Access token request with a certificate
Published Jun 10 2022 06:41 AM

In the scenario this blog refers to, a customer would like to authenticate a daemon app with Azure Active Directory using a certificate. This customer uses .NET Framework 3.0 and is not ready to upgrade the client code to use MSAL.NET or Microsoft Identity Model. Here I will go through how to generate a client assertion and get the access token from Azure AD using native C# code.


To get a token using the client credentials grant, we need to send a POST request to the /token endpoint of the Microsoft identity platform. There are three ways to get the token:

1. Get Access Token using Client Secret

2. Get Access Token using certificate

3. Get Access Token using federated client


The second and third cases are almost the same, with one crucial exception: the source of the client_assertion. In the third case, your application does not create the JWT assertion itself; instead, it uses a JWT created by another identity provider. In this blog, I will discuss how to get the access token using a certificate by generating a client assertion.


It is recommended to use the MSAL.NET library, which handles this in a single line of code. Follow the Client credential flows page of the AzureAD/microsoft-authentication-library-for-dotnet wiki if you would like to implement it through MSAL.


Below are the steps to get the access token using .NET core.


Step 1: Clone or download this repository

From your shell or command line:


git clone

There are two projects in the repo. GenerateAccessTokenfromAzureAD can be used to get the token directly using the certificate: this project internally generates the client_assertion with the certificate and calls the /token endpoint to get the token from Azure Active Directory. You can use the GenerateClientAssertion project to generate only the JWT (client_assertion).


Step 2: Register the client app in Azure Active Directory tenant

You can follow Quickstart: Register an app in the Microsoft identity platform - Microsoft Entra | Microsoft Docs. In the Supported account types section, select Accounts in any organizational directory. You don't need to enter any Redirect URI in this app.



Step 3: Register your certificate in Azure Active Directory tenant

You can follow Quickstart: Register an app in the Microsoft identity platform - Microsoft Entra | Microsoft Docs, A...


Make sure that the application manifest gets updated after uploading the certificate: the keyCredentials property should list the new certificate's information.




Step 4: Update ClientID and TenantId in the Code

Get the Client Id and Tenant Id from the app registered in Azure Active Directory.

Update program.cs with these values. Alternatively, you can put these properties in a web.config file.




var clientId = "xxxxx-xxxxxxx-xxxxxxxx"; // Application (client) ID of the registered app
var tenantId = "xxxxx-xxxxxxx-xxxxxxxx"; // Directory (tenant) ID

var body = new Dictionary<string, string>()
{
    { "client_id", clientId },
    { "grant_type", "client_credentials" },
    { "client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" },
    // "client_assertion" (the signed JWT) and "scope" are added before the POST
};





Step 5: Add the .pfx file in the project

Add the Personal Information Exchange (.pfx) file to the project folder, through Visual Studio or directly in the folder. Update program.cs with the file name and the password.







// Password-protected .pfx holding the private key that matches the certificate uploaded in Step 3
var cert = new X509Certificate2("certificate.pfx", "password");




Step 6: Run the project

The access token is retrieved after running the GenerateAccessTokenFromAzureAD project. If you run the GenerateClientAssertion project, the client assertion JWT is retrieved instead.
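The following is a complete version of what Steps 4 to 6 describe, written here as an added example; it is not the code from the blog's repository. It assumes .NET 6 or later (C# 8+), a .pfx that contains the private key matching the certificate uploaded in Step 3, and placeholder values for the client id, tenant id, file name and password. The header and claim fields (x5t, aud, iss, sub, jti, nbf, exp) are the ones the Microsoft identity platform certificate credentials documentation linked in Step 7 requires.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;

// Added example, not the repository's code. Assumes .NET 6+ and a .pfx with the private key.
public static class ClientAssertionFlow
{
    // Base64url (RFC 7515 section 2): no '=' padding, '-' and '_' instead of '+' and '/'.
    static string Base64Url(byte[] bytes) =>
        Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // Builds the JWT that proves possession of the certificate's private key.
    public static string CreateClientAssertion(X509Certificate2 cert, string clientId, string tenantId)
    {
        var audience = $"https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token";
        var now = DateTimeOffset.UtcNow;

        // x5t is the base64url SHA-1 thumbprint; Azure AD uses it to select the registered key.
        var header = new Dictionary<string, object>
        {
            ["alg"] = "RS256",
            ["typ"] = "JWT",
            ["x5t"] = Base64Url(cert.GetCertHash()),
        };
        var claims = new Dictionary<string, object>
        {
            ["aud"] = audience,                    // the token endpoint of this tenant
            ["iss"] = clientId,
            ["sub"] = clientId,
            ["jti"] = Guid.NewGuid().ToString(),   // unique id, so a replayed assertion can be rejected
            ["nbf"] = now.ToUnixTimeSeconds(),
            ["exp"] = now.AddMinutes(10).ToUnixTimeSeconds(), // short lifetime limits exposure if leaked
        };

        var signingInput = Base64Url(Encoding.UTF8.GetBytes(JsonSerializer.Serialize(header)))
                         + "." + Base64Url(Encoding.UTF8.GetBytes(JsonSerializer.Serialize(claims)));

        using var rsa = cert.GetRSAPrivateKey()
            ?? throw new InvalidOperationException("certificate has no RSA private key");
        var signature = rsa.SignData(Encoding.UTF8.GetBytes(signingInput),
                                     HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return signingInput + "." + Base64Url(signature);
    }

    // POSTs the assertion to the v2.0 /token endpoint and returns the raw JSON response body.
    public static async Task<string> RequestTokenAsync(X509Certificate2 cert, string clientId,
                                                       string tenantId, string scope)
    {
        var body = new Dictionary<string, string>
        {
            ["client_id"] = clientId,
            ["grant_type"] = "client_credentials",
            ["scope"] = scope,
            ["client_assertion_type"] = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
            ["client_assertion"] = CreateClientAssertion(cert, clientId, tenantId),
        };
        using var http = new HttpClient();
        using var response = await http.PostAsync(
            $"https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token",
            new FormUrlEncodedContent(body));
        var json = await response.Content.ReadAsStringAsync();
        if (!response.IsSuccessStatusCode)
            // Azure AD returns an error JSON explaining e.g. an x5t that matches no registered key
            throw new HttpRequestException($"token request failed ({(int)response.StatusCode}): {json}");
        return json;
    }

    public static async Task Main()
    {
        var clientId = "xxxxx-xxxxxxx-xxxxxxxx"; // placeholder: Application (client) ID
        var tenantId = "xxxxx-xxxxxxx-xxxxxxxx"; // placeholder: Directory (tenant) ID
        using var cert = new X509Certificate2("certificate.pfx", "password"); // placeholder file and password
        Console.WriteLine(await RequestTokenAsync(cert, clientId, tenantId, "https://graph.microsoft.com/.default"));
    }
}
```

Two design choices matter from a security standpoint: the assertion's `aud` is pinned to this tenant's token endpoint so it cannot be presented elsewhere, and `exp` is kept to a few minutes, which together with the random `jti` keeps a captured assertion from being reusable for long.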


Step 7: Test the token and/or client assertion

You can test the access token by calling an API that validates Azure Active Directory tokens. To validate the client assertion, decode the JWT and inspect its header, claims and signature.


You can see the details of those in the following link Microsoft identity platform certificate credentials - Microsoft Entra | Microsoft Docs.
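As an added example of the check described in Step 7 (not part of the blog or its repository), the code below decodes a client assertion, prints its header and claims, and verifies the parts Azure AD itself checks: the signing algorithm, the x5t thumbprint against the registered certificate, the RS256 signature with the certificate's public key, and the iss/sub/aud/exp claims. It assumes .NET 6 or later and that you have the certificate (the public part is enough) and the client and tenant ids; the assertion itself is taken from the command line.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Text.Json;

// Added example, not the repository's code. Assumes .NET 6+; the public certificate is enough.
public static class ClientAssertionInspector
{
    static byte[] FromBase64Url(string s)
    {
        var padded = s.Replace('-', '+').Replace('_', '/');
        padded = padded.PadRight(padded.Length + (4 - padded.Length % 4) % 4, '=');
        return Convert.FromBase64String(padded);
    }

    static string ToBase64Url(byte[] bytes) =>
        Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // Throws CryptographicException with the failing check; returns normally when all checks pass.
    public static void Inspect(string jwt, X509Certificate2 cert, string expectedClientId, string expectedTenantId)
    {
        var parts = jwt.Split('.');
        if (parts.Length != 3)
            throw new FormatException("a compact JWS has exactly three dot-separated parts");

        using var header = JsonDocument.Parse(FromBase64Url(parts[0]));
        using var payload = JsonDocument.Parse(FromBase64Url(parts[1]));
        Console.WriteLine("header: " + header.RootElement);
        Console.WriteLine("claims: " + payload.RootElement);

        // 1. The verifier decides the algorithm; never trust "alg" from the token (e.g. "none").
        if (header.RootElement.GetProperty("alg").GetString() != "RS256")
            throw new CryptographicException("unexpected alg");

        // 2. x5t must name the certificate that is registered on the app (Step 3).
        if (header.RootElement.GetProperty("x5t").GetString() != ToBase64Url(cert.GetCertHash()))
            throw new CryptographicException("x5t does not match the registered certificate");

        // 3. The signature covers the literal "header.payload" text, verified with the public key.
        using var rsa = cert.GetRSAPublicKey()
            ?? throw new InvalidOperationException("certificate does not carry an RSA key");
        var signedBytes = Encoding.UTF8.GetBytes(parts[0] + "." + parts[1]);
        if (!rsa.VerifyData(signedBytes, FromBase64Url(parts[2]),
                            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1))
            throw new CryptographicException("signature does not verify");

        // 4. Claims: iss and sub are the client id, aud is this tenant's token endpoint, not expired.
        var claims = payload.RootElement;
        var expectedAud = $"https://login.microsoftonline.com/{expectedTenantId}/oauth2/v2.0/token";
        if (claims.GetProperty("iss").GetString() != expectedClientId ||
            claims.GetProperty("sub").GetString() != expectedClientId)
            throw new CryptographicException("iss/sub do not match the client id");
        if (claims.GetProperty("aud").GetString() != expectedAud)
            throw new CryptographicException("aud is not this tenant's token endpoint");
        if (DateTimeOffset.FromUnixTimeSeconds(claims.GetProperty("exp").GetInt64()) <= DateTimeOffset.UtcNow)
            throw new CryptographicException("assertion has expired");

        Console.WriteLine("client assertion OK");
    }

    // Usage: dotnet run -- <jwt>   (certificate path and ids below are placeholders)
    public static void Main(string[] args)
    {
        if (args.Length != 1) { Console.WriteLine("usage: <client_assertion_jwt>"); return; }
        using var cert = new X509Certificate2("certificate.pfx", "password"); // placeholder
        Inspect(args[0], cert, "xxxxx-xxxxxxx-xxxxxxxx", "xxxxx-xxxxxxx-xxxxxxxx"); // placeholder ids
    }
}
```

The order of the checks is deliberate: the algorithm and key identity are fixed by the verifier before any cryptography runs, the signature is verified before any claim is trusted, and only then are the claims compared against expected values.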


I hope this post was useful and gave a clearer and simpler view of the client credentials flow using a certificate.


Happy Learning!




Last update: Jun 10 2022 08:46 AM