Developers – Learn how to bring data from Hotmail, Messenger, and SkyDrive to your mobile apps


With the recent release of our developer platform, we’ve made it easy for developers on modern mobile platforms such as Windows Phone, Android, and iOS to let users access their information, such as contacts and photos from Hotmail, Messenger, and SkyDrive, in their favorite mobile apps and devices.

We’ve streamlined the process for doing this in the following ways:

  • A lightweight application setup process which requires no server-side code
  • Mobile optimized sign-in and user consent experiences
  • Code samples which illustrate the key steps in building a mobile application that accesses a user’s cloud data

Lightweight application setup process

One key thing we learned from our previous releases is that developers of mobile applications often do not have web services backing their applications. This means that any process we had that requires an application to communicate with our various authorization and web service end points would need to be enabled for client-side applications.

Today, our registration process at is extremely lightweight. The only information required to create an application is the name and language of the application, as shown below:

Registration at

Once you click I accept, you are provided with a client ID and client secret.

Those familiar with OAuth 2.0 may notice that a step appears to be missing: providing the URL the user is redirected to after they have successfully logged in and granted your application access to their data. This step is now optional. Web-based applications can still provide this URL on our application management site.

Mobile and desktop applications that do not have a website that the user can be redirected to should instead use as their redirect URL when making OAuth 2.0 authorization requests. This URL should not be provided as the redirect URL for the mobile application in the application management site since it will be rejected.

Mobile optimized sign-in and user consent experiences

As mentioned in my previous blog post, we’ve built mobile optimized user experiences for users signing in and granting permission to applications to access their data.

We’ve created a code sample which shows how to access a user’s SkyDrive photo albums from Windows Phone and is available to download from the MSDN code sample gallery. The code sample shows the key steps an application has to go through to sign in the user, get permission to access their data, and then actually access the user’s information as well as the related user experiences.

The process of signing in the user requires the application to construct a URL to our OAuth 2.0 authorization end point and request the appropriate scopes required to access the data the application is interested in. The code looks like this:

// Namespaces these members rely on (HttpUtility lives in System.Net on Windows Phone).
using System;
using System.Collections.Generic;
using System.Net;

/// <summary>
/// The URI for the OAuth service's Authorize endpoint.
/// </summary>
private static readonly string OAuthAuthorizeUri = "";

/// <summary>
/// The list of scopes.
/// </summary>
private string[] scopes = new string[] { "wl.basic", "" };

/// <summary>
/// Build the OAuth URI.
/// </summary>
/// <param name="scopes">The requested scopes.</param>
/// <returns>The OAuth URI.</returns>
private Uri BuildOAuthUri(string[] scopes)
{
    // Every value is URL-encoded before it is placed in the query string.
    List<string> paramList = new List<string>();
    paramList.Add("client_id=" + HttpUtility.UrlEncode(MainPage.ClientId));
    paramList.Add("scope=" + HttpUtility.UrlEncode(String.Join(" ", scopes)));
    // response_type=token requests the access token directly, with no server-side exchange.
    paramList.Add("response_type=" + HttpUtility.UrlEncode("token"));
    // display=touch selects the mobile optimized sign-in and consent pages.
    paramList.Add("display=" + HttpUtility.UrlEncode("touch"));
    paramList.Add("redirect_uri=" + HttpUtility.UrlEncode(MainPage.RedirectUri));

    UriBuilder authorizeUri = new UriBuilder(MainPage.OAuthAuthorizeUri);
    authorizeUri.Query = String.Join("&", paramList.ToArray());
    return authorizeUri.Uri;
}

When the constructed URL is navigated to in a browser, the end user goes through the following user experience. First they are asked to sign in.

Windows Live sign in screen

After signing in, the user is shown a permission dialog where they are asked for consent to grant the application access to their basic information and SkyDrive photos, which the application requested.

"Allow access?" screen

Once the user completes these flows, the application gets back an access token which can then be used in combination with our REST APIs to access the user’s data. It should be noted that the permission granting step only has to occur once, after which the application has access to the user’s data until the user decides to revoke access to their data by visiting our consent management page.
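The receiving side of that flow, as an added example that is not part of the downloadable sample or the original post: it checks that the URI the browser control landed on is the redirect URI the application requested, then reads the token, its lifetime, or an error. It assumes the response follows the OAuth 2.0 implicit grant, with `access_token` and `expires_in` (or `error`) in the URI fragment; the class and method names are hypothetical.

```csharp
using System;
using System.Collections.Generic;
public sealed class TokenResponse
{
    public string AccessToken;      // bearer credential: keep it out of logs and crash reports
    public DateTime ExpiresAtUtc;   // after this time a new token is needed
    public string Error;            // e.g. "access_denied" when the user declines consent
}
public static class OAuthRedirectParser   // hypothetical helper, not part of the sample
{
    // Returns null unless 'navigated' is the redirect URI the app itself requested,
    // so fragments on any other page shown in the browser control are never trusted.
    public static TokenResponse Parse(Uri navigated, Uri expectedRedirect, DateTime nowUtc)
    {
        if (navigated.Scheme != expectedRedirect.Scheme ||
            !string.Equals(navigated.Host, expectedRedirect.Host, StringComparison.OrdinalIgnoreCase) ||
            navigated.AbsolutePath != expectedRedirect.AbsolutePath)
            return null;

        // response_type=token puts the result in the fragment (#a=b&c=d), not the query string.
        var fields = new Dictionary<string, string>();
        string[] pairs = navigated.Fragment.TrimStart('#')
            .Split(new[] { '&' }, StringSplitOptions.RemoveEmptyEntries);
        foreach (string pair in pairs)
        {
            int eq = pair.IndexOf('=');
            string key = eq < 0 ? pair : pair.Substring(0, eq);
            string value = eq < 0 ? "" : pair.Substring(eq + 1);
            fields[Uri.UnescapeDataString(key)] = Uri.UnescapeDataString(value);
        }

        var result = new TokenResponse();
        string error, token, expiresIn;
        int seconds;
        if (fields.TryGetValue("error", out error)) { result.Error = error; return result; }
        if (!fields.TryGetValue("access_token", out token) || token.Length == 0)
        {
            result.Error = "missing_access_token";   // constructed label, not a server error code
            return result;
        }
        // A missing or malformed expires_in is treated as already expired.
        if (!fields.TryGetValue("expires_in", out expiresIn) ||
            !int.TryParse(expiresIn, out seconds) || seconds < 0)
            seconds = 0;
        result.AccessToken = token;
        result.ExpiresAtUtc = nowUtc.AddSeconds(seconds);
        return result;
    }
}
```

Call it with the URI the browser control reports after each navigation and stop the sign-in flow as soon as it returns a non-null result.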

In this particular code sample, the application simply lists the user’s profile information and SkyDrive photo albums.

Profile info and albums

More Code Samples to Come

We’ve gotten a lot of feedback that developers would like to see more code samples that show how to access data from Hotmail, Messenger, and SkyDrive from their favorite programming languages and platforms. Rest assured that your feedback has been heard, and we’re working on providing a larger breadth of code samples as we speak. For now, mobile developers can download the SkyDrive API example from this article to get started.

Thanks again for all the feedback, and please keep it coming.

Dare Obasanjo – Lead Program Manager, Messenger Connect Platform

  • This is what I was looking for...awesome....

  • @Joecatskill - I'm not sure if you're asking about accessing your account through the Web UI, or accessing the data through the developer APIs written about in this post.

    Hotmail and SkyDrive both support HTTPS access. It's easy to set up. You can just type into your browser, or you can set your account to always use HTTPS.  You can read about it here:

  • Is there a way to use https:\\ to access our windows live accounts? Other sites I go to including twitter and G= are all based on a secure protocol.  I'd be more inclined to use my Live account more if it were. Thanks.

  • You can check out and for a more detailed example of authenticating to WLID via Messenger Connect from Windows Phone

  • @Mike Lowrey

    Ensuring that customers always enter their passwords in Microsoft owned user experiences and always see a consistent consent dialog is an important part of preventing the rise of the password anti-pattern (see for more). Thus there is no way to get around the requirement to go through a web-browser based sign-in and consent experience.

    With regards to needing to go through the authorization code flow on a regular basis to refresh the access token for applications that run in the background, this is good feedback that we can make this experience better in future releases. Thanks for providing it.

  • Will there be any kind of legacy access in the future where no webbrowser control is needed? I'm interested in developing a call monitor for Windows Media Center but this isn't able because there is no webbrowser control and the token would expire each hour which would cause the background process to ask the user each hour.

    For me the current api limits the developers possibilities to integrate Windows Live even in MS's own applications and that's kinda depressing.

  • gaurav
    10 Posts


    Great, thanks for replying.

    Earlier, I was trying to get access_token every time using authorization_code.

  • @NextGen Reader

    You can refresh the access token an infinite amount of times [or until the user revokes access from your app].

  • gaurav
    10 Posts


    Thanks for your prompt reply.

    How long can one continue to refresh the access token, since I suppose it will also expire after some time.


    Btw: I contacted you through twitter also, but you can ignore now.

  • gaurav
    10 Posts


    Thanks for your prompt reply.

    I implemented the exact "Authorization Code Grant Flow" also, but even that stops working after one hour.

    I start getting response "not found" after one hour.


    Btw: I contacted you through twitter also, but you can ignore now.

  • @NextGen Reader

    Using the "wl.offline_access" scope still requires that you have a valid access token. Since access tokens expire in hours this means you need to either re-authenticate the user or use the authorization code flow described at  to refresh the access token.

  • gaurav
    10 Posts

    Hello Dare,

    I'm using "wl.offline_access" scope, but the access token still expires after one hour.

    Any information how to get permanent access?