Commit 5ee9c5c

Merge pull request #6609 from MicrosoftDocs/jken/fix-568634-msal-wam-discoverability
Add MSAL.NET + WAM discoverability to Security & Identity section
2 parents fc8d55e + b209835 commit 5ee9c5c

2 files changed

Lines changed: 18 additions & 0 deletions

hub/apps/develop/security/index.md

Lines changed: 15 additions & 0 deletions
@@ -22,6 +22,21 @@ The [Windows App SDK](../../windows-app-sdk/index.md) provides APIs related to O
2222
|---------|-------------|
2323
| [Implement OAuth 2.0 functionality in Windows apps](oauth2.md) | The new OAuth2Manager in Windows App SDK enables desktop applications such as WinUI to seamlessly perform OAuth 2.0 authentication in Windows apps. This article describes how to implement OAuth 2.0 with the Windows App SDK. |
2424

25+
### Sign in with Microsoft (MSAL.NET + Web Account Manager)
26+
27+
For apps that need users to sign in with a **Microsoft account or Microsoft Entra ID (work/school) account**, the recommended approach is [MSAL.NET](/entra/msal/dotnet/) with the **Web Account Manager (WAM) broker**. WAM provides silent SSO using the account already signed in to Windows, Windows Hello support, and device-bound refresh tokens — without launching a browser.
28+
29+
| Article | Description |
30+
|---------|-------------|
31+
| [Acquire tokens using Web Account Manager (WAM)](/entra/msal/dotnet/acquiring-tokens/desktop-mobile/wam) | Learn how to use MSAL.NET with the WAM broker to acquire tokens for Microsoft and Microsoft Entra ID accounts in desktop apps including WPF, WinForms, and WinUI 3. |
32+
| [MSAL.NET overview](/entra/msal/dotnet/) | Overview of the Microsoft Authentication Library for .NET — the recommended library for authentication with Microsoft identity in desktop apps. |
33+
| [Register an application with the Microsoft identity platform](/entra/identity-platform/quickstart-register-app) | How to register your app in the Azure portal to get a client ID, which is required before using MSAL. |
34+
| [Web Account Manager (WinRT API)](/windows/uwp/security/web-account-manager) | The underlying WinRT API that WAM is built on (`Windows.Security.Authentication.Web.Core`). Reference this if you need low-level token broker access without MSAL.NET. |
35+
| [Retrieve a window handle (HWND)](../ui/retrieve-hwnd.md) | Web Account Manager requires your app's window handle (HWND) to display authentication UI. This article shows how to retrieve it in WPF, WinForms, and WinUI 3. |
36+
37+
> [!NOTE]
38+
> Web Account Manager supports Microsoft accounts and Microsoft Entra ID accounts only. If you need to authenticate with a third-party identity provider (Google, GitHub, etc.) or Azure AD B2C, use [OAuth2Manager](oauth2.md) or another general-purpose OAuth 2.0 library instead.
39+
2540
### WinRT APIs
2641

2742
The following articles provide information about features available via WinRT APIs provided by the Windows SDK.
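
Review bot: The intro paragraph at new line 27 lists "device-bound refresh tokens" as a WAM benefit, but none of the five table rows below it is described as covering that claim, and the note added to oauth2.md in this same commit advertises a different set of benefits (Windows Hello integration and conditional access support). Suggest using one agreed list of benefits in both files and pointing the security-relevant ones at the article that documents them, so a reader choosing between WAM and OAuth2Manager can check what each guarantees. Minor: the NOTE at new lines 37-38 says "Azure AD B2C" while the rest of the section uses the "Microsoft Entra ID" naming; confirm that is the intended product name.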

hub/apps/develop/security/oauth2.md

Lines changed: 3 additions & 0 deletions
@@ -11,6 +11,9 @@ keywords: windows, winui, winrt, dotnet, security
1111

1212
The [OAuth2Manager](/windows/windows-app-sdk/api/winrt/microsoft.security.authentication.oauth.oauth2manager) in Windows App SDK enables desktop applications such as WinUI 3 to seamlessly perform OAuth 2.0 authorization on Windows. The **OAuth2Manager** API doesn't provide APIs for the implicit request and resource owner password credential because of the security concerns that entails. Use the authorization code grant type with Proof Key for Code Exchange (PKCE). For more information, see the [PKCE RFC](https://tools.ietf.org/html/rfc7636).
1313

14+
> [!NOTE]
15+
> **OAuth2Manager** is designed for general OAuth 2.0 flows with any identity provider (GitHub, Google, custom, etc.) and always uses the system browser for the authorization step. If you specifically want to sign in with **Microsoft accounts or Microsoft Entra ID (work/school) accounts** with **silent SSO** — using the account already signed in to Windows, with no browser prompt — use [MSAL.NET with the Web Account Manager (WAM) broker](/entra/msal/dotnet/acquiring-tokens/desktop-mobile/wam) instead. Web Account Manager also provides Windows Hello integration and conditional access support that OAuth2Manager does not.
16+
1417
## OAuth2Manager API in Windows App SDK
1518

1619
The **OAuth2Manager** API for Windows App SDK provides a streamlined solution that meets the expectations of developers. It offers seamless OAuth 2.0 capabilities with full feature parity across all Windows platforms supported by Windows App SDK. The new API eliminates the need for cumbersome workarounds and simplifies the process of incorporating OAuth 2.0 functionality into desktop apps.
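
Review bot: The note at new lines 14-15 links only to the external WAM article, so a reader who lands on oauth2.md never sees the prerequisites that the new index.md section collects (app registration for a client ID, retrieving the HWND). Suggest also linking to the "Sign in with Microsoft (MSAL.NET + Web Account Manager)" section added in index.md. The note is also a single long sentence with three bold runs followed by an unreferenced absolute ("conditional access support that OAuth2Manager does not"); splitting it into two or three sentences and linking that last claim would make it easier to verify.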
