Windows domain integration with Azure Active Directory (AAD): can AAD authentication token be available for user logged in Windows desktop?

Can Windows domain (users and passwords for the desktop machines) be integrated with Azure Active Directory? The remaining part of my question details how I imagine and understand such integration.

E.g. I am ruminating about this scenario: user logs into her Windows Desktop machine, into particular profile (determined by the Windows domain and her user name in this domain) and starts one of more Windows desktop programs (e.g. WPF, WFC, Delphi, etc.). My question is: can these programs retrieve AAD authentication tokens from some local Windows API call or read it from the registry etc.

Of course, each desktop application can always get AAD authentication token by opening Azure authentication web page, user enters her credentials here and application receives back authentication token. But such scenario required the user to open external web page and enter her credentials and do this for each application and each time when the application is started from her profile.

I wonder - why this is necessary? I user has enough identity to log into Windows domain, then Windows domain can provide AAD authentication token as well, I imagine? And desktop programs can just read this token using some non-visual API and then use another non-visual calls into AAD to get furhter tokens (e.g. authorization or access tokens). In such a way the user has not need to provide additional credentials for the AAD specifically.

That was my main question.

I can imagine a workaround in the case when the No is the answer to my main question about the impossibility of such integration. Maybe we can require that Desktop application opens AAD login form and the Desktop Application collects AAD authentication token, but the next steps are pretty custom: application can store this authentication token in some secure place that is accesible to some开发者_开发知识库 particular set of applications and then each of those applications can use this store authentication token for some time, e.g. for a period of month and the user is not required to log into AAD during this month. I guess that this can work - but is it good practice and does the available expiration policies allow this?

Additional Information Maybe there is pretty simple solution for my case. I presumed that AAD always requires visual/interactive authentication, e.g. that desktop application should open AAD autheantication web page. But maybe things are simple - maybe AAD has API that allows to pass credentials (username, password) and this AAD API can return authentication token without requiring user interaction? Of course, one should specify where to get username, password for this API, but that is another matter that is not part my question. There are multiple alternative to that - maybe one can retrieve domain username/password using Windows API (I guess) or maybe application can use its own desktop forms (without opening web page) for collecting username/password or other credentials.

e.g. Amazon Web services uses OAuth2.0 type authentication and access tokens for its Sales API and AWS allows non-visual (API-only) authentication via username-password, AWS does not require to open web form for authentication.