您应该避免处理用户凭据。有采集由使用OAuth 2.0或OpenID的连接得到令牌，而不直接处理凭据减轻A的用户凭据时严重的安全隐患。另外，如果你有你自己的凭证收集用户界面，那么你可能会在未来发生故障，如果多因素认证开启时发现的迹象。在这种情况下，更多的信息可能需要比你正在收集的用户，例如一次性密码验证。如果允许的Azure AD至present通过OAuth 2.0或OpenID的连接认证经验，那么你是从所采用的特定的认证方法绝缘。收集用户的Azure AD证书是要避免的，如果在所有可能的一种不好的做法。

You should avoid handling the users credentials. There are serious security implications when collecting a users credentials that are mitigated by using OAuth 2.0 or OpenID Connect to get a token without directly handling the credentials. Also, if you have your own credential collection UI then you may find that sign in fails in the future if multi-factor authentication is turned on. In that case, more information may be necessary to authenticate the user than you are collecting, a one time password for instance. If you allow Azure AD to present the authentication experience via OAuth 2.0 or OpenID Connect, then you are insulated from the specific authentication method being employed. Collecting the users Azure AD credentials is a bad practice to be avoided if at all possible.

我没有对确切的情况足够的细节，有信心，下面的示例应用，但它至少提供了一个良好的起点。此示例演示如何创建一个调用REST API则可以调用尽可能以最安全的方式是Azure的资源原生应用。

I don't have enough detail on the exact scenario to be confident that the following sample applies, but it will at least provide a good starting point. This sample shows how to create a native app that calls a REST API that can then call an Azure resource in the safest way possible.

https://github.com/AzureADSamples/WebAPI-OnBehalfOf-DotNet

您可以找到很多在这里等样品，可用于构建您的特定情况的解决方案的。

You can find lots of other samples here that can be used to construct a solution for your particular scenario.

https://github.com/AzureADSamples

如果你提供一些更详细的我可以给更具体的指导。

If you provide some more detail I can give more specific guidance.