Get Azure Active Directory groups via Graph API

This is a step-by-step tutorial on how to programmatically read Azure Active Directory groups with a C# client application.

  1. Create a new Visual Studio console application
  2. Add the following NuGet packages to your project:
    • Microsoft.Azure.ActiveDirectory.GraphClient
    • Microsoft.IdentityModel.Clients.ActiveDirectory
  3. Check the code at GitHub
    • Add a reference to System.Configuration to your project (needed for the AppConfigConfiguration.cs)
  4. Configure your application in the Azure portal (see below)
  5. Set configuration of the MyConfiguration.cs (see below)
  6. Run the sample

Application configuration

First important thing is the configuration of the application. Please check the MyConfiguration.cs file in the Configuration folder of the solution and adapt it to your needs. You can also use the AppConfigConfiguration.cs which reads the config from the app.config file.

public string TenantName { get { return ""; } }
public string TenantId { get { return ""; } }
public string ClientId { get { return ""; } }
public string ClientSecret { get { return ""; } }
public string ClientIdForUserAuthn { get { return ""; } }
public string AuthString { get { return "https://login.microsoftonline.com/" + TenantName; } }
public string ResourceUrl { get { return "https://graph.windows.net"; } }

Tenant name: This is the name of your tenant. If your login URL is e.g. “mytenant.onmicrosoft.com”, then the tenant name is mytenant.
Tenant Id: The ID of the tenant. See below for how to get this ID.
Client Id and Client Secret: These are required because the application itself needs to get access to the AD. How to get them is described below.
Client Id for User Authn: This is not needed for just reading groups and other simple data from the Active Directory, so you can leave it empty. It becomes relevant if you want to read data on behalf of a user, such as the user's mailbox. In that case, you need to configure the client ID for user authentication.

This code is mostly inspired by https://github.com/Azure-Samples/active-directory-dotnet-graphapi-console.
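The following is an added example (not the blog's GitHub code) that ties the configuration above to the two NuGet packages from the step list: it acquires an app-only token with the updated ADAL `AcquireTokenAsync` call and walks every page of the tenant's groups. The interface `IAppConfiguration`, the class `AppSettingsConfiguration` with its app.config key names, and `GroupReader` are this example's own; the configuration properties mirror MyConfiguration.cs. Because the example only reads, only the "Read directory data" application permission is exercised.

```csharp
// Added example, not the post's own code: app-only read of Azure AD groups
// through the Azure AD Graph API. Assumes the NuGet packages named in the post
// plus a reference to System.Configuration.
using System;
using System.Configuration;
using System.Threading.Tasks;
using Microsoft.Azure.ActiveDirectory.GraphClient;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

// Mirrors the properties of MyConfiguration.cs from the post (hypothetical interface name).
public interface IAppConfiguration
{
    string TenantName { get; }
    string TenantId { get; }
    string ClientId { get; }
    string ClientSecret { get; }
    string AuthString { get; }
    string ResourceUrl { get; }
}

// Reads the values from <appSettings> in app.config so the client secret never has
// to be committed to source control. Key names are this example's choice.
public class AppSettingsConfiguration : IAppConfiguration
{
    private static string Required(string key)
    {
        string value = ConfigurationManager.AppSettings[key];
        if (string.IsNullOrWhiteSpace(value))
            throw new ConfigurationErrorsException("Missing appSetting: " + key);
        return value;
    }

    public string TenantName { get { return Required("TenantName"); } }
    public string TenantId { get { return Required("TenantId"); } }
    public string ClientId { get { return Required("ClientId"); } }
    public string ClientSecret { get { return Required("ClientSecret"); } }
    public string AuthString { get { return "https://login.microsoftonline.com/" + TenantName; } }
    public string ResourceUrl { get { return "https://graph.windows.net"; } }
}

public class GroupReader
{
    private readonly IAppConfiguration _config;

    public GroupReader(IAppConfiguration config) { _config = config; }

    // Client-credential flow: the application authenticates as itself (no signed-in
    // user), which is why the directory permission must be granted as an
    // "Application permission" in the portal.
    private async Task<string> AcquireAppTokenAsync()
    {
        var authenticationContext = new AuthenticationContext(_config.AuthString, false);
        var clientCred = new ClientCredential(_config.ClientId, _config.ClientSecret);
        AuthenticationResult result =
            await authenticationContext.AcquireTokenAsync(_config.ResourceUrl, clientCred);
        return result.AccessToken;
    }

    public async Task ListGroupsAsync()
    {
        // The service root is the Graph endpoint scoped to the tenant.
        var serviceRoot = new Uri(_config.ResourceUrl + "/" + _config.TenantId);
        var client = new ActiveDirectoryClient(serviceRoot, AcquireAppTokenAsync);

        // Groups come back in pages; walk all of them rather than only the first page.
        IPagedCollection<IGroup> page = await client.Groups.ExecuteAsync();
        int total = 0;
        do
        {
            foreach (IGroup group in page.CurrentPage)
            {
                Console.WriteLine("{0}  {1}", group.ObjectId, group.DisplayName);
                total++;
            }
            page = page.MorePagesAvailable ? await page.GetNextPageAsync() : null;
        } while (page != null);
        Console.WriteLine("{0} group(s) found.", total);
    }
}

public static class Program
{
    public static void Main()
    {
        try
        {
            new GroupReader(new AppSettingsConfiguration()).ListGroupsAsync().Wait();
        }
        catch (AggregateException ex)
        {
            // A wrong secret, a missing application permission or a bad tenant id
            // surfaces here as an inner exception; unwrap it so the cause is visible.
            foreach (Exception inner in ex.Flatten().InnerExceptions)
                Console.Error.WriteLine(inner.GetType().Name + ": " + inner.Message);
        }
    }
}
```

The token getter is passed as a delegate, so the Graph client requests a fresh token whenever it needs one; keeping the secret in app.config (or better, outside the repository entirely) means a configuration file, not the source, is what has to be protected.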

How to get Azure Tenant ID

Go to: https://login.windows.net/[YOUR_TENANT_NAME].onmicrosoft.com/FederationMetadata/2007-06/FederationMetadata.xml

This will return an XML file with a lot of URLs. Check the first line, the one with the entityID:

<EntityDescriptor ID="_..." entityID="https://sts.windows.net/[HERE_IS_THE_TENANT_ID]/">

The part [HERE_IS_THE_TENANT_ID] is your tenant id.
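As an added example (not part of the original post), the lookup above can be automated: the code below builds the federation metadata URL from a bare tenant name, fetches the document, and returns the GUID from the root element's entityID attribute. `TenantIdResolver` and its method names are this example's own; the sample XML in `Main` is constructed with a placeholder GUID so the parser can be tried offline.

```csharp
// Added example, not the post's own code: resolve a tenant id from the
// FederationMetadata.xml document described in the post.
using System;
using System.Net.Http;
using System.Text.RegularExpressions;
using System.Threading.Tasks;
using System.Xml.Linq;

public static class TenantIdResolver
{
    private static readonly Regex TenantNameRule = new Regex("^[A-Za-z0-9-]+$");
    private static readonly Regex GuidRule =
        new Regex("^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$");

    // Only a bare tenant name is accepted, so the value cannot be turned into a
    // different host or path when it is spliced into the URL.
    public static string MetadataUrl(string tenantName)
    {
        if (!TenantNameRule.IsMatch(tenantName))
            throw new ArgumentException("Expected a bare tenant name such as mytenant", "tenantName");
        return "https://login.windows.net/" + tenantName +
               ".onmicrosoft.com/FederationMetadata/2007-06/FederationMetadata.xml";
    }

    // Parses the document and returns the GUID from entityID="https://sts.windows.net/<id>/".
    public static string ExtractTenantId(string federationMetadataXml)
    {
        XDocument doc = XDocument.Parse(federationMetadataXml);
        XAttribute entityId = doc.Root == null ? null : doc.Root.Attribute("entityID");
        if (entityId == null)
            throw new FormatException("Root element has no entityID attribute");

        var uri = new Uri(entityId.Value);
        string candidate = uri.AbsolutePath.Trim('/');
        // Accept only the expected issuer host and a well-formed GUID path segment.
        if (uri.Host != "sts.windows.net" || !GuidRule.IsMatch(candidate))
            throw new FormatException("Unexpected entityID: " + entityId.Value);
        return candidate;
    }

    public static async Task<string> ResolveAsync(string tenantName)
    {
        using (var http = new HttpClient())
        {
            string xml = await http.GetStringAsync(MetadataUrl(tenantName));
            return ExtractTenantId(xml);
        }
    }

    public static void Main(string[] args)
    {
        if (args.Length == 1)
        {
            // Usage: TenantIdResolver.exe mytenant
            Console.WriteLine(ResolveAsync(args[0]).Result);
            return;
        }
        // Constructed sample (placeholder GUID) mirroring the first line the post shows.
        const string sample =
            "<EntityDescriptor ID=\"_x\" " +
            "entityID=\"https://sts.windows.net/00000000-0000-0000-0000-000000000000/\" " +
            "xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\" />";
        Console.WriteLine(ExtractTenantId(sample));
    }
}
```

The host and GUID checks matter because the document is fetched over the network: a redirect to another issuer or an unexpected entityID value is rejected instead of being silently pasted into the configuration.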

Client Id and Client Secret

How to get the client ID and client secret for your Azure application:

  1. Sign in to the classic Azure portal (https://manage.windowsazure.com/)
  2. Go to active directory and select your directory tenant
  3. Go to application and add a new application:
    1. Add an application my organization is developing
    2. Give it a name and select “Web application and/or web API”
    3. Configure the Sign-On URL and the App ID URL. You can use “http://localhost/AzureGroupSample” for both of them, because this is a simple console application and there is no need to redirect to a custom page as there would be for a web application. I added /AzureGroupSample because the App ID URL must be unique within your directory.
  4. Now you should see your newly created application. Go to configure
  5. Copy the Client Id
  6. In the keys section, add a new key (for 1 or 2 years).
  7. Scroll down to the permissions and add “Read directory data” and “Read and write directory data” as “Application permission”.
  8. Press save
  9. Scroll up to the keys section and copy the key – this is the Client Secret (step 6 must be performed to get the key). Directly paste it into the configuration, because if you reload the page or you navigate away from the page, then you’ll never see the key again.

Side comments

Updating the application permissions can cause some issues. If you configured your application permissions once and saved them, a later change of the permissions is probably not taken into account. I faced this issue several times and my solution was to simply delete and recreate the application with the new permissions in the Active Directory.

Update Jun 14, 2016

An updated version of the NuGet package has been available for a few months. If you update to it, you will receive one of the following compile errors:
[Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContex] does not contain a method named ‘AcquireToken’
or:
‘AuthenticationContext’ does not contain a definition for ‘AcquireToken’ and no extension method ‘AcquireToken’ accepting a first argument of type ‘AuthenticationContext’ could be found (are you missing a using directive or an assembly reference?)

I already updated the code in the GitHub repository. It’s a small change. Just replace:

AuthenticationResult authenticationResult = authenticationContext.AcquireToken(_config.ResourceUrl, clientCred);
// or:
AuthenticationResult userAuthnResult = authenticationContext.AcquireToken(_config.ResourceUrl, _config.ClientIdForUserAuthn, redirectUri, PromptBehavior.Always);


with:

var authTask = authenticationContext.AcquireTokenAsync(_config.ResourceUrl, clientCred);
authTask.Wait();
AuthenticationResult authenticationResult = authTask.Result;
// or:
var authTask = authenticationContext.AcquireTokenAsync(_config.ResourceUrl, _config.ClientIdForUserAuthn, redirectUri, new PlatformParameters(PromptBehavior.Auto));
authTask.Wait();
AuthenticationResult userAuthnResult = authTask.Result;

Additional information

https://github.com/Azure-Samples/active-directory-dotnet-graphapi-console
How to integrate it into an ASP.NET MVC application: https://github.com/Azure-Samples/active-directory-dotnet-webapp-wsfederation

Armin Reiter
Blockchain/Web3, IT-Security & Azure
Vienna, Austria

Reiter ITS Logo

Cryptix Logo

Legal information