Exceptions

Exceptions in MSAL.NET are intended for app developers to troubleshoot and not for displaying to end-users. Exception messages are not localized. MSAL throws `MsalClientException` for things that go wrong inside the library (e.g. bad configuration) and `MsalServiceException` for things that go wrong service side or in the broker (e.g. a secret expired). Client exceptions have an error code which you can use to handle the exception. The error codes are explained in the MsalError class. ### Common exceptions - User cancelled authentication (public client only) When calling `AcquireTokenInteractive`, a browser or the broker is invoked to handle user interaction. If the user closes this process or if they hit the browser back button, MSAL generates an `MsalClientException` with the error code `authentication_canceled` ( `MsalError.AuthenticationCanceledError`). On Android, this exception can also occur if a browser with tabs is not available. - HTTP errors ### HTTP Exceptions Developers are expected to implement their own retry policies when calling MSAL. MSAL makes HTTP calls to the AAD service, and occasional failures can occur, for example the network can go down or the server is overloaded. HTTP 5xx status code responses are retried once. MSAL does not rethrow HTTP exceptions as MsalException. See also Simple retry for errors with HTTP error codes 500-600 and Http 429 (Retry After) … #### MsalUiRequiredException The "Ui Required" is proposed as a specialization of `MsalServiceException` named `MsalUiRequiredException`. This means you have attempted to use a non-interactive method of acquiring a token (e.g. AcquireTokenSilent), but MSAL could not do it silently. this can be because: - you need to sign-in - you need to consent - you need to go through a multi-factor authentication experience. The remediation is to call `AcquireTokenInteractive` try { app.AcquireTokenXXX(scopes, account) .WithYYYY(...) .ExecuteAsync() } catch(MsalUiRequiredException ex) { app.AcquireTokenInteractive(scopes) .WithAccount(account) .WithClaims(ex.Claims) .ExcecuteAsync(); } ### Handling Claim challenge exceptions in MSAL.NET In some cases, when the Azure AD tenant admin has enabled conditional access policies, your application will need to handle claim challenge exceptions. This will appear as an `MsalServiceException` which `Claims` property won't be empty. For instance if the conditional access policy is to have a managed device (Intune) the error will be something like `AADSTS53000: Your device is required to be managed to access this resource` or something similar. To handle the claim challenge, you will need to use the .WithClaim() method of PublicClientApplicationBuilder class as shown above. ### Getting started with MSAL.NET - Home