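/// <summary>
/// Integration test for the OAuth 2.0 on-behalf-of (OBO) flow. A public client signs a lab user in
/// with the username/password grant, then a confidential client exchanges the resulting access
/// token for a second token requested with <c>s_scopes</c>, and the final result is checked
/// against the lab user.
/// </summary>
/// <remarks>
/// The username/password grant hands the user's password to the client and cannot satisfy
/// interactive requirements such as MFA. Its use here is presumably acceptable because the
/// account comes from the test lab; it should not be copied into production code.
/// </remarks>
/// <returns>A task that completes when both token requests and the final assertion are done.</returns>
public async Task WebAPIAccessingGraphOnBehalfOfUserTestAsync()
{
    // The confidential client's secret is read from Key Vault at run time, so it is not stored
    // in this file. It is still held as a plain string for the rest of the method.
    var keyvault = new KeyVaultSecretsProvider();
    var secret = keyvault.GetSecret(MsalTestConstants.MsalOBOKeyVaultUri).Value;

    var labResponse = LabUserHelper.GetSpecificUser("*****@*****.**");
    var user = labResponse.User;

    // TODO: acquire scenario specific client ids from the lab response
    var publicClientID = "be9b0186-7dfd-448a-a944-f771029105bf";
    var oboConfidentialClientID = "23c64cd8-21e4-41dd-9756-ab9e2c23f58c";

    var msalPublicClient = PublicClientApplicationBuilder
        .Create(publicClientID)
        .WithAuthority(MsalTestConstants.AuthorityOrganizationsTenant)
        .WithRedirectUri("urn:ietf:wg:oauth:2.0:oob")
        .Build();

    AuthenticationResult authResult;

    // SecureString is IDisposable; scope it to the one call that needs it so its buffer is
    // released as soon as the first token request has completed. The password also exists as
    // the managed string returned by GetOrFetchPassword(), so this only limits the extra copy.
    using (SecureString securePassword = new NetworkCredential("", user.GetOrFetchPassword()).SecurePassword)
    {
        // Step 1: user token for the middle tier (scope taken from s_oboServiceScope).
        authResult = await msalPublicClient
            .AcquireTokenByUsernamePassword(s_oboServiceScope, user.Upn, securePassword)
            .ExecuteAsync(CancellationToken.None)
            .ConfigureAwait(false);
    }

    // The authority is pinned to the tenant that issued the user token; the second argument
    // keeps authority validation switched on.
    var confidentialApp = ConfidentialClientApplicationBuilder
        .Create(oboConfidentialClientID)
        .WithAuthority(new Uri("https://login.microsoftonline.com/" + authResult.TenantId), true)
        .WithClientSecret(secret)
        .Build();

    // Step 2: the access token from step 1 is presented as the user assertion. For the exchange
    // to succeed that token presumably has to be issued for this confidential client (verify
    // against the definition of s_oboServiceScope).
    authResult = await confidentialApp
        .AcquireTokenOnBehalfOf(s_scopes, new UserAssertion(authResult.AccessToken))
        .ExecuteAsync(CancellationToken.None)
        .ConfigureAwait(false);

    MsalAssert.AssertAuthResult(authResult, user);
}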